LXR linux/net/bluetooth/hci

   1/*
   2   BlueZ - Bluetooth protocol stack for Linux
   3   Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
   4
   5   Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
   6
   7   This program is free software; you can redistribute it and/or modify
   8   it under the terms of the GNU General Public License version 2 as
   9   published by the Free Software Foundation;
  10
  11   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  12   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  13   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  14   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  15   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  16   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  17   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  18   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  19
  20   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  21   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  22   SOFTWARE IS DISCLAIMED.
  23*/
  24
  25/* Bluetooth HCI connection handling. */
  26
  27#include <linux/export.h>
  28#include <linux/debugfs.h>
  29
  30#include <net/bluetooth/bluetooth.h>
  31#include <net/bluetooth/hci_core.h>
  32#include <net/bluetooth/l2cap.h>
  33
  34#include "hci_request.h"
  35#include "smp.h"
  36#include "a2mp.h"
  37
  38struct sco_param {
  39        u16 pkt_type;
  40        u16 max_latency;
  41        u8  retrans_effort;
  42};
  43
  44static const struct sco_param esco_param_cvsd[] = {
  45        { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a,   0x01 }, /* S3 */
  46        { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007,   0x01 }, /* S2 */
  47        { EDR_ESCO_MASK | ESCO_EV3,   0x0007,   0x01 }, /* S1 */
  48        { EDR_ESCO_MASK | ESCO_HV3,   0xffff,   0x01 }, /* D1 */
  49        { EDR_ESCO_MASK | ESCO_HV1,   0xffff,   0x01 }, /* D0 */
  50};
  51
  52static const struct sco_param sco_param_cvsd[] = {
  53        { EDR_ESCO_MASK | ESCO_HV3,   0xffff,   0xff }, /* D1 */
  54        { EDR_ESCO_MASK | ESCO_HV1,   0xffff,   0xff }, /* D0 */
  55};
  56
  57static const struct sco_param esco_param_msbc[] = {
  58        { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d,   0x02 }, /* T2 */
  59        { EDR_ESCO_MASK | ESCO_EV3,   0x0008,   0x02 }, /* T1 */
  60};
  61
  62static void hci_le_create_connection_cancel(struct hci_conn *conn)
  63{
  64        hci_send_cmd(conn->hdev, HCI_OP_LE_CREATE_CONN_CANCEL, 0, NULL);
  65}
  66
  67static void hci_acl_create_connection(struct hci_conn *conn)
  68{
  69        struct hci_dev *hdev = conn->hdev;
  70        struct inquiry_entry *ie;
  71        struct hci_cp_create_conn cp;
  72
  73        BT_DBG("hcon %p", conn);
  74
  75        conn->state = BT_CONNECT;
  76        conn->out = true;
  77        conn->role = HCI_ROLE_MASTER;
  78
  79        conn->attempt++;
  80
  81        conn->link_policy = hdev->link_policy;
  82
  83        memset(&cp, 0, sizeof(cp));
  84        bacpy(&cp.bdaddr, &conn->dst);
  85        cp.pscan_rep_mode = 0x02;
  86
  87        ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
  88        if (ie) {
  89                if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) {
  90                        cp.pscan_rep_mode = ie->data.pscan_rep_mode;
  91                        cp.pscan_mode     = ie->data.pscan_mode;
  92                        cp.clock_offset   = ie->data.clock_offset |
  93                                            cpu_to_le16(0x8000);
  94                }
  95
  96                memcpy(conn->dev_class, ie->data.dev_class, 3);
  97                if (ie->data.ssp_mode > 0)
  98                        set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
  99        }
 100
 101        cp.pkt_type = cpu_to_le16(conn->pkt_type);
 102        if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER))
 103                cp.role_switch = 0x01;
 104        else
 105                cp.role_switch = 0x00;
 106
 107        hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
 108}
 109
 110static void hci_acl_create_connection_cancel(struct hci_conn *conn)
 111{
 112        struct hci_cp_create_conn_cancel cp;
 113
 114        BT_DBG("hcon %p", conn);
 115
 116        if (conn->hdev->hci_ver < BLUETOOTH_VER_1_2)
 117                return;
 118
 119        bacpy(&cp.bdaddr, &conn->dst);
 120        hci_send_cmd(conn->hdev, HCI_OP_CREATE_CONN_CANCEL, sizeof(cp), &cp);
 121}
 122
 123static void hci_reject_sco(struct hci_conn *conn)
 124{
 125        struct hci_cp_reject_sync_conn_req cp;
 126
 127        cp.reason = HCI_ERROR_REJ_LIMITED_RESOURCES;
 128        bacpy(&cp.bdaddr, &conn->dst);
 129
 130        hci_send_cmd(conn->hdev, HCI_OP_REJECT_SYNC_CONN_REQ, sizeof(cp), &cp);
 131}
 132
 133int hci_disconnect(struct hci_conn *conn, __u8 reason)
 134{
 135        struct hci_cp_disconnect cp;
 136
 137        BT_DBG("hcon %p", conn);
 138
 139        /* When we are master of an established connection and it enters
 140         * the disconnect timeout, then go ahead and try to read the
 141         * current clock offset.  Processing of the result is done
 142         * within the event handling and hci_clock_offset_evt function.
 143         */
 144        if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER) {
 145                struct hci_dev *hdev = conn->hdev;
 146                struct hci_cp_read_clock_offset clkoff_cp;
 147
 148                clkoff_cp.handle = cpu_to_le16(conn->handle);
 149                hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp),
 150                             &clkoff_cp);
 151        }
 152
 153        conn->state = BT_DISCONN;
 154
 155        cp.handle = cpu_to_le16(conn->handle);
 156        cp.reason = reason;
 157        return hci_send_cmd(conn->hdev, HCI_OP_DISCONNECT, sizeof(cp), &cp);
 158}
 159
 160static void hci_amp_disconn(struct hci_conn *conn)
 161{
 162        struct hci_cp_disconn_phy_link cp;
 163
 164        BT_DBG("hcon %p", conn);
 165
 166        conn->state = BT_DISCONN;
 167
 168        cp.phy_handle = HCI_PHY_HANDLE(conn->handle);
 169        cp.reason = hci_proto_disconn_ind(conn);
 170        hci_send_cmd(conn->hdev, HCI_OP_DISCONN_PHY_LINK,
 171                     sizeof(cp), &cp);
 172}
 173
 174static void hci_add_sco(struct hci_conn *conn, __u16 handle)
 175{
 176        struct hci_dev *hdev = conn->hdev;
 177        struct hci_cp_add_sco cp;
 178
 179        BT_DBG("hcon %p", conn);
 180
 181        conn->state = BT_CONNECT;
 182        conn->out = true;
 183
 184        conn->attempt++;
 185
 186        cp.handle   = cpu_to_le16(handle);
 187        cp.pkt_type = cpu_to_le16(conn->pkt_type);
 188
 189        hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
 190}
 191
 192bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
 193{
 194        struct hci_dev *hdev = conn->hdev;
 195        struct hci_cp_setup_sync_conn cp;
 196        const struct sco_param *param;
 197
 198        BT_DBG("hcon %p", conn);
 199
 200        conn->state = BT_CONNECT;
 201        conn->out = true;
 202
 203        conn->attempt++;
 204
 205        cp.handle   = cpu_to_le16(handle);
 206
 207        cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
 208        cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
 209        cp.voice_setting  = cpu_to_le16(conn->setting);
 210
 211        switch (conn->setting & SCO_AIRMODE_MASK) {
 212        case SCO_AIRMODE_TRANSP:
 213                if (conn->attempt > ARRAY_SIZE(esco_param_msbc))
 214                        return false;
 215                param = &esco_param_msbc[conn->attempt - 1];
 216                break;
 217        case SCO_AIRMODE_CVSD:
 218                if (lmp_esco_capable(conn->link)) {
 219                        if (conn->attempt > ARRAY_SIZE(esco_param_cvsd))
 220                                return false;
 221                        param = &esco_param_cvsd[conn->attempt - 1];
 222                } else {
 223                        if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
 224                                return false;
 225                        param = &sco_param_cvsd[conn->attempt - 1];
 226                }
 227                break;
 228        default:
 229                return false;
 230        }
 231
 232        cp.retrans_effort = param->retrans_effort;
 233        cp.pkt_type = __cpu_to_le16(param->pkt_type);
 234        cp.max_latency = __cpu_to_le16(param->max_latency);
 235
 236        if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
 237                return false;
 238
 239        return true;
 240}
 241
 242u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
 243                      u16 to_multiplier)
 244{
 245        struct hci_dev *hdev = conn->hdev;
 246        struct hci_conn_params *params;
 247        struct hci_cp_le_conn_update cp;
 248
 249        hci_dev_lock(hdev);
 250
 251        params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
 252        if (params) {
 253                params->conn_min_interval = min;
 254                params->conn_max_interval = max;
 255                params->conn_latency = latency;
 256                params->supervision_timeout = to_multiplier;
 257        }
 258
 259        hci_dev_unlock(hdev);
 260
 261        memset(&cp, 0, sizeof(cp));
 262        cp.handle               = cpu_to_le16(conn->handle);
 263        cp.conn_interval_min    = cpu_to_le16(min);
 264        cp.conn_interval_max    = cpu_to_le16(max);
 265        cp.conn_latency         = cpu_to_le16(latency);
 266        cp.supervision_timeout  = cpu_to_le16(to_multiplier);
 267        cp.min_ce_len           = cpu_to_le16(0x0000);
 268        cp.max_ce_len           = cpu_to_le16(0x0000);
 269
 270        hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
 271
 272        if (params)
 273                return 0x01;
 274
 275        return 0x00;
 276}
 277
 278void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
 279                      __u8 ltk[16])
 280{
 281        struct hci_dev *hdev = conn->hdev;
 282        struct hci_cp_le_start_enc cp;
 283
 284        BT_DBG("hcon %p", conn);
 285
 286        memset(&cp, 0, sizeof(cp));
 287
 288        cp.handle = cpu_to_le16(conn->handle);
 289        cp.rand = rand;
 290        cp.ediv = ediv;
 291        memcpy(cp.ltk, ltk, sizeof(cp.ltk));
 292
 293        hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
 294}
 295
 296/* Device _must_ be locked */
 297void hci_sco_setup(struct hci_conn *conn, __u8 status)
 298{
 299        struct hci_conn *sco = conn->link;
 300
 301        if (!sco)
 302                return;
 303
 304        BT_DBG("hcon %p", conn);
 305
 306        if (!status) {
 307                if (lmp_esco_capable(conn->hdev))
 308                        hci_setup_sync(sco, conn->handle);
 309                else
 310                        hci_add_sco(sco, conn->handle);
 311        } else {
 312                hci_connect_cfm(sco, status);
 313                hci_conn_del(sco);
 314        }
 315}
 316
 317static void hci_conn_timeout(struct work_struct *work)
 318{
 319        struct hci_conn *conn = container_of(work, struct hci_conn,
 320                                             disc_work.work);
 321        int refcnt = atomic_read(&conn->refcnt);
 322
 323        BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
 324
 325        WARN_ON(refcnt < 0);
 326
 327        /* FIXME: It was observed that in pairing failed scenario, refcnt
 328         * drops below 0. Probably this is because l2cap_conn_del calls
 329         * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
 330         * dropped. After that loop hci_chan_del is called which also drops
 331         * conn. For now make sure that ACL is alive if refcnt is higher then 0,
 332         * otherwise drop it.
 333         */
 334        if (refcnt > 0)
 335                return;
 336
 337        switch (conn->state) {
 338        case BT_CONNECT:
 339        case BT_CONNECT2:
 340                if (conn->out) {
 341                        if (conn->type == ACL_LINK)
 342                                hci_acl_create_connection_cancel(conn);
 343                        else if (conn->type == LE_LINK)
 344                                hci_le_create_connection_cancel(conn);
 345                } else if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
 346                        hci_reject_sco(conn);
 347                }
 348                break;
 349        case BT_CONFIG:
 350        case BT_CONNECTED:
 351                if (conn->type == AMP_LINK) {
 352                        hci_amp_disconn(conn);
 353                } else {
 354                        __u8 reason = hci_proto_disconn_ind(conn);
 355                        hci_disconnect(conn, reason);
 356                }
 357                break;
 358        default:
 359                conn->state = BT_CLOSED;
 360                break;
 361        }
 362}
 363
 364/* Enter sniff mode */
 365static void hci_conn_idle(struct work_struct *work)
 366{
 367        struct hci_conn *conn = container_of(work, struct hci_conn,
 368                                             idle_work.work);
 369        struct hci_dev *hdev = conn->hdev;
 370
 371        BT_DBG("hcon %p mode %d", conn, conn->mode);
 372
 373        if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
 374                return;
 375
 376        if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
 377                return;
 378
 379        if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
 380                struct hci_cp_sniff_subrate cp;
 381                cp.handle             = cpu_to_le16(conn->handle);
 382                cp.max_latency        = cpu_to_le16(0);
 383                cp.min_remote_timeout = cpu_to_le16(0);
 384                cp.min_local_timeout  = cpu_to_le16(0);
 385                hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
 386        }
 387
 388        if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
 389                struct hci_cp_sniff_mode cp;
 390                cp.handle       = cpu_to_le16(conn->handle);
 391                cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
 392                cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
 393                cp.attempt      = cpu_to_le16(4);
 394                cp.timeout      = cpu_to_le16(1);
 395                hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
 396        }
 397}
 398
 399static void hci_conn_auto_accept(struct work_struct *work)
 400{
 401        struct hci_conn *conn = container_of(work, struct hci_conn,
 402                                             auto_accept_work.work);
 403
 404        hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
 405                     &conn->dst);
 406}
 407
 408static void le_conn_timeout(struct work_struct *work)
 409{
 410        struct hci_conn *conn = container_of(work, struct hci_conn,
 411                                             le_conn_timeout.work);
 412        struct hci_dev *hdev = conn->hdev;
 413
 414        BT_DBG("");
 415
 416        /* We could end up here due to having done directed advertising,
 417         * so clean up the state if necessary. This should however only
 418         * happen with broken hardware or if low duty cycle was used
 419         * (which doesn't have a timeout of its own).
 420         */
 421        if (conn->role == HCI_ROLE_SLAVE) {
 422                u8 enable = 0x00;
 423                hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
 424                             &enable);
 425                hci_le_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
 426                return;
 427        }
 428
 429        hci_le_create_connection_cancel(conn);
 430}
 431
 432struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
 433                              u8 role)
 434{
 435        struct hci_conn *conn;
 436
 437        BT_DBG("%s dst %pMR", hdev->name, dst);
 438
 439        conn = kzalloc(sizeof(*conn), GFP_KERNEL);
 440        if (!conn)
 441                return NULL;
 442
 443        bacpy(&conn->dst, dst);
 444        bacpy(&conn->src, &hdev->bdaddr);
 445        conn->hdev  = hdev;
 446        conn->type  = type;
 447        conn->role  = role;
 448        conn->mode  = HCI_CM_ACTIVE;
 449        conn->state = BT_OPEN;
 450        conn->auth_type = HCI_AT_GENERAL_BONDING;
 451        conn->io_capability = hdev->io_capability;
 452        conn->remote_auth = 0xff;
 453        conn->key_type = 0xff;
 454        conn->rssi = HCI_RSSI_INVALID;
 455        conn->tx_power = HCI_TX_POWER_INVALID;
 456        conn->max_tx_power = HCI_TX_POWER_INVALID;
 457
 458        set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
 459        conn->disc_timeout = HCI_DISCONN_TIMEOUT;
 460
 461        if (conn->role == HCI_ROLE_MASTER)
 462                conn->out = true;
 463
 464        switch (type) {
 465        case ACL_LINK:
 466                conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
 467                break;
 468        case LE_LINK:
 469                /* conn->src should reflect the local identity address */
 470                hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
 471                break;
 472        case SCO_LINK:
 473                if (lmp_esco_capable(hdev))
 474                        conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
 475                                        (hdev->esco_type & EDR_ESCO_MASK);
 476                else
 477                        conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
 478                break;
 479        case ESCO_LINK:
 480                conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
 481                break;
 482        }
 483
 484        skb_queue_head_init(&conn->data_q);
 485
 486        INIT_LIST_HEAD(&conn->chan_list);
 487
 488        INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
 489        INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
 490        INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
 491        INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
 492
 493        atomic_set(&conn->refcnt, 0);
 494
 495        hci_dev_hold(hdev);
 496
 497        hci_conn_hash_add(hdev, conn);
 498        if (hdev->notify)
 499                hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
 500
 501        hci_conn_init_sysfs(conn);
 502
 503        return conn;
 504}
 505
 506int hci_conn_del(struct hci_conn *conn)
 507{
 508        struct hci_dev *hdev = conn->hdev;
 509
 510        BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
 511
 512        cancel_delayed_work_sync(&conn->disc_work);
 513        cancel_delayed_work_sync(&conn->auto_accept_work);
 514        cancel_delayed_work_sync(&conn->idle_work);
 515
 516        if (conn->type == ACL_LINK) {
 517                struct hci_conn *sco = conn->link;
 518                if (sco)
 519                        sco->link = NULL;
 520
 521                /* Unacked frames */
 522                hdev->acl_cnt += conn->sent;
 523        } else if (conn->type == LE_LINK) {
 524                cancel_delayed_work(&conn->le_conn_timeout);
 525
 526                if (hdev->le_pkts)
 527                        hdev->le_cnt += conn->sent;
 528                else
 529                        hdev->acl_cnt += conn->sent;
 530        } else {
 531                struct hci_conn *acl = conn->link;
 532                if (acl) {
 533                        acl->link = NULL;
 534                        hci_conn_drop(acl);
 535                }
 536        }
 537
 538        hci_chan_list_flush(conn);
 539
 540        if (conn->amp_mgr)
 541                amp_mgr_put(conn->amp_mgr);
 542
 543        hci_conn_hash_del(hdev, conn);
 544        if (hdev->notify)
 545                hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
 546
 547        skb_queue_purge(&conn->data_q);
 548
 549        hci_conn_del_sysfs(conn);
 550
 551        debugfs_remove_recursive(conn->debugfs);
 552
 553        if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
 554                hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);
 555
 556        hci_dev_put(hdev);
 557
 558        hci_conn_put(conn);
 559
 560        return 0;
 561}
 562
 563struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src)
 564{
 565        int use_src = bacmp(src, BDADDR_ANY);
 566        struct hci_dev *hdev = NULL, *d;
 567
 568        BT_DBG("%pMR -> %pMR", src, dst);
 569
 570        read_lock(&hci_dev_list_lock);
 571
 572        list_for_each_entry(d, &hci_dev_list, list) {
 573                if (!test_bit(HCI_UP, &d->flags) ||
 574                    hci_dev_test_flag(d, HCI_USER_CHANNEL) ||
 575                    d->dev_type != HCI_BREDR)
 576                        continue;
 577
 578                /* Simple routing:
 579                 *   No source address - find interface with bdaddr != dst
 580                 *   Source address    - find interface with bdaddr == src
 581                 */
 582
 583                if (use_src) {
 584                        if (!bacmp(&d->bdaddr, src)) {
 585                                hdev = d; break;
 586                        }
 587                } else {
 588                        if (bacmp(&d->bdaddr, dst)) {
 589                                hdev = d; break;
 590                        }
 591                }
 592        }
 593
 594        if (hdev)
 595                hdev = hci_dev_hold(hdev);
 596
 597        read_unlock(&hci_dev_list_lock);
 598        return hdev;
 599}
 600EXPORT_SYMBOL(hci_get_route);
 601
 602/* This function requires the caller holds hdev->lock */
 603void hci_le_conn_failed(struct hci_conn *conn, u8 status)
 604{
 605        struct hci_dev *hdev = conn->hdev;
 606        struct hci_conn_params *params;
 607
 608        params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
 609                                           conn->dst_type);
 610        if (params && params->conn) {
 611                hci_conn_drop(params->conn);
 612                hci_conn_put(params->conn);
 613                params->conn = NULL;
 614        }
 615
 616        conn->state = BT_CLOSED;
 617
 618        mgmt_connect_failed(hdev, &conn->dst, conn->type, conn->dst_type,
 619                            status);
 620
 621        hci_connect_cfm(conn, status);
 622
 623        hci_conn_del(conn);
 624
 625        /* Since we may have temporarily stopped the background scanning in
 626         * favor of connection establishment, we should restart it.
 627         */
 628        hci_update_background_scan(hdev);
 629
 630        /* Re-enable advertising in case this was a failed connection
 631         * attempt as a peripheral.
 632         */
 633        mgmt_reenable_advertising(hdev);
 634}
 635
 636static void create_le_conn_complete(struct hci_dev *hdev, u8 status, u16 opcode)
 637{
 638        struct hci_conn *conn;
 639
 640        if (status == 0)
 641                return;
 642
 643        BT_ERR("HCI request failed to create LE connection: status 0x%2.2x",
 644               status);
 645
 646        hci_dev_lock(hdev);
 647
 648        conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
 649        if (!conn)
 650                goto done;
 651
 652        hci_le_conn_failed(conn, status);
 653
 654done:
 655        hci_dev_unlock(hdev);
 656}
 657
 658static void hci_req_add_le_create_conn(struct hci_request *req,
 659                                       struct hci_conn *conn)
 660{
 661        struct hci_cp_le_create_conn cp;
 662        struct hci_dev *hdev = conn->hdev;
 663        u8 own_addr_type;
 664
 665        memset(&cp, 0, sizeof(cp));
 666
 667        /* Update random address, but set require_privacy to false so
 668         * that we never connect with an non-resolvable address.
 669         */
 670        if (hci_update_random_address(req, false, &own_addr_type))
 671                return;
 672
 673        cp.scan_interval = cpu_to_le16(hdev->le_scan_interval);
 674        cp.scan_window = cpu_to_le16(hdev->le_scan_window);
 675        bacpy(&cp.peer_addr, &conn->dst);
 676        cp.peer_addr_type = conn->dst_type;
 677        cp.own_address_type = own_addr_type;
 678        cp.conn_interval_min = cpu_to_le16(conn->le_conn_min_interval);
 679        cp.conn_interval_max = cpu_to_le16(conn->le_conn_max_interval);
 680        cp.conn_latency = cpu_to_le16(conn->le_conn_latency);
 681        cp.supervision_timeout = cpu_to_le16(conn->le_supv_timeout);
 682        cp.min_ce_len = cpu_to_le16(0x0000);
 683        cp.max_ce_len = cpu_to_le16(0x0000);
 684
 685        hci_req_add(req, HCI_OP_LE_CREATE_CONN, sizeof(cp), &cp);
 686
 687        conn->state = BT_CONNECT;
 688}
 689
 690static void hci_req_directed_advertising(struct hci_request *req,
 691                                         struct hci_conn *conn)
 692{
 693        struct hci_dev *hdev = req->hdev;
 694        struct hci_cp_le_set_adv_param cp;
 695        u8 own_addr_type;
 696        u8 enable;
 697
 698        /* Clear the HCI_LE_ADV bit temporarily so that the
 699         * hci_update_random_address knows that it's safe to go ahead
 700         * and write a new random address. The flag will be set back on
 701         * as soon as the SET_ADV_ENABLE HCI command completes.
 702         */
 703        hci_dev_clear_flag(hdev, HCI_LE_ADV);
 704
 705        /* Set require_privacy to false so that the remote device has a
 706         * chance of identifying us.
 707         */
 708        if (hci_update_random_address(req, false, &own_addr_type) < 0)
 709                return;
 710
 711        memset(&cp, 0, sizeof(cp));
 712        cp.type = LE_ADV_DIRECT_IND;
 713        cp.own_address_type = own_addr_type;
 714        cp.direct_addr_type = conn->dst_type;
 715        bacpy(&cp.direct_addr, &conn->dst);
 716        cp.channel_map = hdev->le_adv_channel_map;
 717
 718        hci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp);
 719
 720        enable = 0x01;
 721        hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
 722
 723        conn->state = BT_CONNECT;
 724}
 725
 726struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
 727                                u8 dst_type, u8 sec_level, u16 conn_timeout,
 728                                u8 role)
 729{
 730        struct hci_conn_params *params;
 731        struct hci_conn *conn;
 732        struct smp_irk *irk;
 733        struct hci_request req;
 734        int err;
 735
 736        /* Let's make sure that le is enabled.*/
 737        if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
 738                if (lmp_le_capable(hdev))
 739                        return ERR_PTR(-ECONNREFUSED);
 740
 741                return ERR_PTR(-EOPNOTSUPP);
 742        }
 743
 744        /* Some devices send ATT messages as soon as the physical link is
 745         * established. To be able to handle these ATT messages, the user-
 746         * space first establishes the connection and then starts the pairing
 747         * process.
 748         *
 749         * So if a hci_conn object already exists for the following connection
 750         * attempt, we simply update pending_sec_level and auth_type fields
 751         * and return the object found.
 752         */
 753        conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, dst);
 754        if (conn) {
 755                conn->pending_sec_level = sec_level;
 756                goto done;
 757        }
 758
 759        /* Since the controller supports only one LE connection attempt at a
 760         * time, we return -EBUSY if there is any connection attempt running.
 761         */
 762        conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
 763        if (conn)
 764                return ERR_PTR(-EBUSY);
 765
 766        /* When given an identity address with existing identity
 767         * resolving key, the connection needs to be established
 768         * to a resolvable random address.
 769         *
 770         * This uses the cached random resolvable address from
 771         * a previous scan. When no cached address is available,
 772         * try connecting to the identity address instead.
 773         *
 774         * Storing the resolvable random address is required here
 775         * to handle connection failures. The address will later
 776         * be resolved back into the original identity address
 777         * from the connect request.
 778         */
 779        irk = hci_find_irk_by_addr(hdev, dst, dst_type);
 780        if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
 781                dst = &irk->rpa;
 782                dst_type = ADDR_LE_DEV_RANDOM;
 783        }
 784
 785        conn = hci_conn_add(hdev, LE_LINK, dst, role);
 786        if (!conn)
 787                return ERR_PTR(-ENOMEM);
 788
 789        conn->dst_type = dst_type;
 790        conn->sec_level = BT_SECURITY_LOW;
 791        conn->pending_sec_level = sec_level;
 792        conn->conn_timeout = conn_timeout;
 793
 794        hci_req_init(&req, hdev);
 795
 796        /* Disable advertising if we're active. For master role
 797         * connections most controllers will refuse to connect if
 798         * advertising is enabled, and for slave role connections we
 799         * anyway have to disable it in order to start directed
 800         * advertising.
 801         */
 802        if (hci_dev_test_flag(hdev, HCI_LE_ADV)) {
 803                u8 enable = 0x00;
 804                hci_req_add(&req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
 805                            &enable);
 806        }
 807
 808        /* If requested to connect as slave use directed advertising */
 809        if (conn->role == HCI_ROLE_SLAVE) {
 810                /* If we're active scanning most controllers are unable
 811                 * to initiate advertising. Simply reject the attempt.
 812                 */
 813                if (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
 814                    hdev->le_scan_type == LE_SCAN_ACTIVE) {
 815                        skb_queue_purge(&req.cmd_q);
 816                        hci_conn_del(conn);
 817                        return ERR_PTR(-EBUSY);
 818                }
 819
 820                hci_req_directed_advertising(&req, conn);
 821                goto create_conn;
 822        }
 823
 824        params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
 825        if (params) {
 826                conn->le_conn_min_interval = params->conn_min_interval;
 827                conn->le_conn_max_interval = params->conn_max_interval;
 828                conn->le_conn_latency = params->conn_latency;
 829                conn->le_supv_timeout = params->supervision_timeout;
 830        } else {
 831                conn->le_conn_min_interval = hdev->le_conn_min_interval;
 832                conn->le_conn_max_interval = hdev->le_conn_max_interval;
 833                conn->le_conn_latency = hdev->le_conn_latency;
 834                conn->le_supv_timeout = hdev->le_supv_timeout;
 835        }
 836
 837        /* If controller is scanning, we stop it since some controllers are
 838         * not able to scan and connect at the same time. Also set the
 839         * HCI_LE_SCAN_INTERRUPTED flag so that the command complete
 840         * handler for scan disabling knows to set the correct discovery
 841         * state.
 842         */
 843        if (hci_dev_test_flag(hdev, HCI_LE_SCAN)) {
 844                hci_req_add_le_scan_disable(&req);
 845                hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED);
 846        }
 847
 848        hci_req_add_le_create_conn(&req, conn);
 849
 850create_conn:
 851        err = hci_req_run(&req, create_le_conn_complete);
 852        if (err) {
 853                hci_conn_del(conn);
 854                return ERR_PTR(err);
 855        }
 856
 857done:
 858        hci_conn_hold(conn);
 859        return conn;
 860}
 861
 862struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
 863                                 u8 sec_level, u8 auth_type)
 864{
 865        struct hci_conn *acl;
 866
 867        if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
 868                if (lmp_bredr_capable(hdev))
 869                        return ERR_PTR(-ECONNREFUSED);
 870
 871                return ERR_PTR(-EOPNOTSUPP);
 872        }
 873
 874        acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
 875        if (!acl) {
 876                acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
 877                if (!acl)
 878                        return ERR_PTR(-ENOMEM);
 879        }
 880
 881        hci_conn_hold(acl);
 882
 883        if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
 884                acl->sec_level = BT_SECURITY_LOW;
 885                acl->pending_sec_level = sec_level;
 886                acl->auth_type = auth_type;
 887                hci_acl_create_connection(acl);
 888        }
 889
 890        return acl;
 891}
 892
 893struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
 894                                 __u16 setting)
 895{
 896        struct hci_conn *acl;
 897        struct hci_conn *sco;
 898
 899        acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING);
 900        if (IS_ERR(acl))
 901                return acl;
 902
 903        sco = hci_conn_hash_lookup_ba(hdev, type, dst);
 904        if (!sco) {
 905                sco = hci_conn_add(hdev, type, dst, HCI_ROLE_MASTER);
 906                if (!sco) {
 907                        hci_conn_drop(acl);
 908                        return ERR_PTR(-ENOMEM);
 909                }
 910        }
 911
 912        acl->link = sco;
 913        sco->link = acl;
 914
 915        hci_conn_hold(sco);
 916
 917        sco->setting = setting;
 918
 919        if (acl->state == BT_CONNECTED &&
 920            (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
 921                set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
 922                hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
 923
 924                if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
 925                        /* defer SCO setup until mode change completed */
 926                        set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
 927                        return sco;
 928                }
 929
 930                hci_sco_setup(acl, 0x00);
 931        }
 932
 933        return sco;
 934}
 935
 936/* Check link security requirement */
 937int hci_conn_check_link_mode(struct hci_conn *conn)
 938{
 939        BT_DBG("hcon %p", conn);
 940
 941        /* In Secure Connections Only mode, it is required that Secure
 942         * Connections is used and the link is encrypted with AES-CCM
 943         * using a P-256 authenticated combination key.
 944         */
 945        if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) {
 946                if (!hci_conn_sc_enabled(conn) ||
 947                    !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
 948                    conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
 949                        return 0;
 950        }
 951
 952        if (hci_conn_ssp_enabled(conn) &&
 953            !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
 954                return 0;
 955
 956        return 1;
 957}
 958
 959/* Authenticate remote device */
 960static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
 961{
 962        BT_DBG("hcon %p", conn);
 963
 964        if (conn->pending_sec_level > sec_level)
 965                sec_level = conn->pending_sec_level;
 966
 967        if (sec_level > conn->sec_level)
 968                conn->pending_sec_level = sec_level;
 969        else if (test_bit(HCI_CONN_AUTH, &conn->flags))
 970                return 1;
 971
 972        /* Make sure we preserve an existing MITM requirement*/
 973        auth_type |= (conn->auth_type & 0x01);
 974
 975        conn->auth_type = auth_type;
 976
 977        if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
 978                struct hci_cp_auth_requested cp;
 979
 980                cp.handle = cpu_to_le16(conn->handle);
 981                hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
 982                             sizeof(cp), &cp);
 983
 984                /* If we're already encrypted set the REAUTH_PEND flag,
 985                 * otherwise set the ENCRYPT_PEND.
 986                 */
 987                if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
 988                        set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
 989                else
 990                        set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
 991        }
 992
 993        return 0;
 994}
 995
 996/* Encrypt the the link */
 997static void hci_conn_encrypt(struct hci_conn *conn)
 998{
 999        BT_DBG("hcon %p", conn);
1000

1001        if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
1002                struct hci_cp_set_conn_encrypt cp;
1003                cp.handle  = cpu_to_le16(conn->handle);
1004                cp.encrypt = 0x01;
1005                hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
1006                             &cp);
1007        }
1008}
1009
1010/* Enable security */
1011int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
1012                      bool initiator)
1013{
1014        BT_DBG("hcon %p", conn);
1015
1016        if (conn->type == LE_LINK)
1017                return smp_conn_security(conn, sec_level);
1018
1019        /* For sdp we don't need the link key. */
1020        if (sec_level == BT_SECURITY_SDP)
1021                return 1;
1022
1023        /* For non 2.1 devices and low security level we don't need the link
1024           key. */
1025        if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
1026                return 1;
1027
1028        /* For other security levels we need the link key. */
1029        if (!test_bit(HCI_CONN_AUTH, &conn->flags))
1030                goto auth;
1031
1032        /* An authenticated FIPS approved combination key has sufficient
1033         * security for security level 4. */
1034        if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 &&
1035            sec_level == BT_SECURITY_FIPS)
1036                goto encrypt;
1037
1038        /* An authenticated combination key has sufficient security for
1039           security level 3. */
1040        if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 ||
1041             conn->key_type == HCI_LK_AUTH_COMBINATION_P256) &&
1042            sec_level == BT_SECURITY_HIGH)
1043                goto encrypt;
1044
1045        /* An unauthenticated combination key has sufficient security for
1046           security level 1 and 2. */
1047        if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 ||
1048             conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) &&
1049            (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW))
1050                goto encrypt;
1051
1052        /* A combination key has always sufficient security for the security
1053           levels 1 or 2. High security level requires the combination key
1054           is generated using maximum PIN code length (16).
1055           For pre 2.1 units. */
1056        if (conn->key_type == HCI_LK_COMBINATION &&
1057            (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW ||
1058             conn->pin_length == 16))
1059                goto encrypt;
1060
1061auth:
1062        if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
1063                return 0;
1064
1065        if (initiator)
1066                set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1067
1068        if (!hci_conn_auth(conn, sec_level, auth_type))
1069                return 0;
1070
1071encrypt:
1072        if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1073                return 1;
1074
1075        hci_conn_encrypt(conn);
1076        return 0;
1077}
1078EXPORT_SYMBOL(hci_conn_security);
1079
1080/* Check secure link requirement */
1081int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
1082{
1083        BT_DBG("hcon %p", conn);
1084
1085        /* Accept if non-secure or higher security level is required */
1086        if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
1087                return 1;
1088
1089        /* Accept if secure or higher security level is already present */
1090        if (conn->sec_level == BT_SECURITY_HIGH ||
1091            conn->sec_level == BT_SECURITY_FIPS)
1092                return 1;
1093
1094        /* Reject not secure link */
1095        return 0;
1096}
1097EXPORT_SYMBOL(hci_conn_check_secure);
1098
1099/* Switch role */
1100int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
1101{
1102        BT_DBG("hcon %p", conn);
1103
1104        if (role == conn->role)
1105                return 1;
1106
1107        if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
1108                struct hci_cp_switch_role cp;
1109                bacpy(&cp.bdaddr, &conn->dst);
1110                cp.role = role;
1111                hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
1112        }
1113
1114        return 0;
1115}
1116EXPORT_SYMBOL(hci_conn_switch_role);
1117
1118/* Enter active mode */
1119void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
1120{
1121        struct hci_dev *hdev = conn->hdev;
1122
1123        BT_DBG("hcon %p mode %d", conn, conn->mode);
1124
1125        if (conn->mode != HCI_CM_SNIFF)
1126                goto timer;
1127
1128        if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
1129                goto timer;
1130
1131        if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
1132                struct hci_cp_exit_sniff_mode cp;
1133                cp.handle = cpu_to_le16(conn->handle);
1134                hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
1135        }
1136
1137timer:
1138        if (hdev->idle_timeout > 0)
1139                queue_delayed_work(hdev->workqueue, &conn->idle_work,
1140                                   msecs_to_jiffies(hdev->idle_timeout));
1141}
1142
1143/* Drop all connection on the device */
1144void hci_conn_hash_flush(struct hci_dev *hdev)
1145{
1146        struct hci_conn_hash *h = &hdev->conn_hash;
1147        struct hci_conn *c, *n;
1148
1149        BT_DBG("hdev %s", hdev->name);
1150
1151        list_for_each_entry_safe(c, n, &h->list, list) {
1152                c->state = BT_CLOSED;
1153
1154                hci_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM);
1155                hci_conn_del(c);
1156        }
1157}
1158
1159/* Check pending connect attempts */
1160void hci_conn_check_pending(struct hci_dev *hdev)
1161{
1162        struct hci_conn *conn;
1163
1164        BT_DBG("hdev %s", hdev->name);
1165
1166        hci_dev_lock(hdev);
1167
1168        conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2);
1169        if (conn)
1170                hci_acl_create_connection(conn);
1171
1172        hci_dev_unlock(hdev);
1173}
1174
1175static u32 get_link_mode(struct hci_conn *conn)
1176{
1177        u32 link_mode = 0;
1178
1179        if (conn->role == HCI_ROLE_MASTER)
1180                link_mode |= HCI_LM_MASTER;
1181
1182        if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1183                link_mode |= HCI_LM_ENCRYPT;
1184
1185        if (test_bit(HCI_CONN_AUTH, &conn->flags))
1186                link_mode |= HCI_LM_AUTH;
1187
1188        if (test_bit(HCI_CONN_SECURE, &conn->flags))
1189                link_mode |= HCI_LM_SECURE;
1190
1191        if (test_bit(HCI_CONN_FIPS, &conn->flags))
1192                link_mode |= HCI_LM_FIPS;
1193
1194        return link_mode;
1195}
1196
1197int hci_get_conn_list(void __user *arg)
1198{
1199        struct hci_conn *c;
1200        struct hci_conn_list_req req, *cl;
1201        struct hci_conn_info *ci;
1202        struct hci_dev *hdev;
1203        int n = 0, size, err;
1204
1205        if (copy_from_user(&req, arg, sizeof(req)))
1206                return -EFAULT;
1207
1208        if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
1209                return -EINVAL;
1210
1211        size = sizeof(req) + req.conn_num * sizeof(*ci);
1212
1213        cl = kmalloc(size, GFP_KERNEL);
1214        if (!cl)
1215                return -ENOMEM;
1216
1217        hdev = hci_dev_get(req.dev_id);
1218        if (!hdev) {
1219                kfree(cl);
1220                return -ENODEV;
1221        }
1222
1223        ci = cl->conn_info;
1224
1225        hci_dev_lock(hdev);
1226        list_for_each_entry(c, &hdev->conn_hash.list, list) {
1227                bacpy(&(ci + n)->bdaddr, &c->dst);
1228                (ci + n)->handle = c->handle;
1229                (ci + n)->type  = c->type;
1230                (ci + n)->out   = c->out;
1231                (ci + n)->state = c->state;
1232                (ci + n)->link_mode = get_link_mode(c);
1233                if (++n >= req.conn_num)
1234                        break;
1235        }
1236        hci_dev_unlock(hdev);
1237
1238        cl->dev_id = hdev->id;
1239        cl->conn_num = n;
1240        size = sizeof(req) + n * sizeof(*ci);
1241
1242        hci_dev_put(hdev);
1243
1244        err = copy_to_user(arg, cl, size);
1245        kfree(cl);
1246
1247        return err ? -EFAULT : 0;
1248}
1249
1250int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
1251{
1252        struct hci_conn_info_req req;
1253        struct hci_conn_info ci;
1254        struct hci_conn *conn;
1255        char __user *ptr = arg + sizeof(req);
1256
1257        if (copy_from_user(&req, arg, sizeof(req)))
1258                return -EFAULT;
1259
1260        hci_dev_lock(hdev);
1261        conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
1262        if (conn) {
1263                bacpy(&ci.bdaddr, &conn->dst);
1264                ci.handle = conn->handle;
1265                ci.type  = conn->type;
1266                ci.out   = conn->out;
1267                ci.state = conn->state;
1268                ci.link_mode = get_link_mode(conn);
1269        }
1270        hci_dev_unlock(hdev);
1271
1272        if (!conn)
1273                return -ENOENT;
1274
1275        return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
1276}
1277
1278int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
1279{
1280        struct hci_auth_info_req req;
1281        struct hci_conn *conn;
1282
1283        if (copy_from_user(&req, arg, sizeof(req)))
1284                return -EFAULT;
1285
1286        hci_dev_lock(hdev);
1287        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
1288        if (conn)
1289                req.type = conn->auth_type;
1290        hci_dev_unlock(hdev);
1291
1292        if (!conn)
1293                return -ENOENT;
1294
1295        return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
1296}
1297
1298struct hci_chan *hci_chan_create(struct hci_conn *conn)
1299{
1300        struct hci_dev *hdev = conn->hdev;
1301        struct hci_chan *chan;
1302
1303        BT_DBG("%s hcon %p", hdev->name, conn);
1304
1305        if (test_bit(HCI_CONN_DROP, &conn->flags)) {
1306                BT_DBG("Refusing to create new hci_chan");
1307                return NULL;
1308        }
1309
1310        chan = kzalloc(sizeof(*chan), GFP_KERNEL);
1311        if (!chan)
1312                return NULL;
1313
1314        chan->conn = hci_conn_get(conn);
1315        skb_queue_head_init(&chan->data_q);
1316        chan->state = BT_CONNECTED;
1317
1318        list_add_rcu(&chan->list, &conn->chan_list);
1319
1320        return chan;
1321}
1322
1323void hci_chan_del(struct hci_chan *chan)
1324{
1325        struct hci_conn *conn = chan->conn;
1326        struct hci_dev *hdev = conn->hdev;
1327
1328        BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
1329
1330        list_del_rcu(&chan->list);
1331
1332        synchronize_rcu();
1333
1334        /* Prevent new hci_chan's to be created for this hci_conn */
1335        set_bit(HCI_CONN_DROP, &conn->flags);
1336
1337        hci_conn_put(conn);
1338
1339        skb_queue_purge(&chan->data_q);
1340        kfree(chan);
1341}
1342
1343void hci_chan_list_flush(struct hci_conn *conn)
1344{
1345        struct hci_chan *chan, *n;
1346
1347        BT_DBG("hcon %p", conn);
1348
1349        list_for_each_entry_safe(chan, n, &conn->chan_list, list)
1350                hci_chan_del(chan);
1351}
1352
1353static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
1354                                                 __u16 handle)
1355{
1356        struct hci_chan *hchan;
1357
1358        list_for_each_entry(hchan, &hcon->chan_list, list) {
1359                if (hchan->handle == handle)
1360                        return hchan;
1361        }
1362
1363        return NULL;
1364}
1365
1366struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
1367{
1368        struct hci_conn_hash *h = &hdev->conn_hash;
1369        struct hci_conn *hcon;
1370        struct hci_chan *hchan = NULL;
1371
1372        rcu_read_lock();
1373
1374        list_for_each_entry_rcu(hcon, &h->list, list) {
1375                hchan = __hci_chan_lookup_handle(hcon, handle);
1376                if (hchan)
1377                        break;
1378        }
1379
1380        rcu_read_unlock();
1381
1382        return hchan;
1383}
1384