LXR linux/net/bluetooth/hci

   1/*
   2   BlueZ - Bluetooth protocol stack for Linux
   3   Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
   4
   5   Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
   6
   7   This program is free software; you can redistribute it and/or modify
   8   it under the terms of the GNU General Public License version 2 as
   9   published by the Free Software Foundation;
  10
  11   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  12   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  13   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  14   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  15   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  16   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  17   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  18   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  19
  20   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  21   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  22   SOFTWARE IS DISCLAIMED.
  23*/
  24
  25/* Bluetooth HCI connection handling. */
  26
  27#include <linux/export.h>
  28#include <linux/debugfs.h>
  29
  30#include <net/bluetooth/bluetooth.h>
  31#include <net/bluetooth/hci_core.h>
  32#include <net/bluetooth/l2cap.h>
  33
  34#include "hci_request.h"
  35#include "smp.h"
  36#include "a2mp.h"
  37
  38struct sco_param {
  39        u16 pkt_type;
  40        u16 max_latency;
  41        u8  retrans_effort;
  42};
  43
  44static const struct sco_param esco_param_cvsd[] = {
  45        { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a,   0x01 }, /* S3 */
  46        { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007,   0x01 }, /* S2 */
  47        { EDR_ESCO_MASK | ESCO_EV3,   0x0007,   0x01 }, /* S1 */
  48        { EDR_ESCO_MASK | ESCO_HV3,   0xffff,   0x01 }, /* D1 */
  49        { EDR_ESCO_MASK | ESCO_HV1,   0xffff,   0x01 }, /* D0 */
  50};
  51
  52static const struct sco_param sco_param_cvsd[] = {
  53        { EDR_ESCO_MASK | ESCO_HV3,   0xffff,   0xff }, /* D1 */
  54        { EDR_ESCO_MASK | ESCO_HV1,   0xffff,   0xff }, /* D0 */
  55};
  56
  57static const struct sco_param esco_param_msbc[] = {
  58        { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d,   0x02 }, /* T2 */
  59        { EDR_ESCO_MASK | ESCO_EV3,   0x0008,   0x02 }, /* T1 */
  60};
  61
  62/* This function requires the caller holds hdev->lock */
  63static void hci_connect_le_scan_cleanup(struct hci_conn *conn)
  64{
  65        struct hci_conn_params *params;
  66        struct hci_dev *hdev = conn->hdev;
  67        struct smp_irk *irk;
  68        bdaddr_t *bdaddr;
  69        u8 bdaddr_type;
  70
  71        bdaddr = &conn->dst;
  72        bdaddr_type = conn->dst_type;
  73
  74        /* Check if we need to convert to identity address */
  75        irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
  76        if (irk) {
  77                bdaddr = &irk->bdaddr;
  78                bdaddr_type = irk->addr_type;
  79        }
  80
  81        params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr,
  82                                           bdaddr_type);
  83        if (!params || !params->explicit_connect)
  84                return;
  85
  86        /* The connection attempt was doing scan for new RPA, and is
  87         * in scan phase. If params are not associated with any other
  88         * autoconnect action, remove them completely. If they are, just unmark
  89         * them as waiting for connection, by clearing explicit_connect field.
  90         */
  91        params->explicit_connect = false;
  92
  93        list_del_init(&params->action);
  94
  95        switch (params->auto_connect) {
  96        case HCI_AUTO_CONN_EXPLICIT:
  97                hci_conn_params_del(hdev, bdaddr, bdaddr_type);
  98                /* return instead of break to avoid duplicate scan update */
  99                return;
 100        case HCI_AUTO_CONN_DIRECT:
 101        case HCI_AUTO_CONN_ALWAYS:
 102                list_add(&params->action, &hdev->pend_le_conns);
 103                break;
 104        case HCI_AUTO_CONN_REPORT:
 105                list_add(&params->action, &hdev->pend_le_reports);
 106                break;
 107        default:
 108                break;
 109        }
 110
 111        hci_update_background_scan(hdev);
 112}
 113
 114static void hci_conn_cleanup(struct hci_conn *conn)
 115{
 116        struct hci_dev *hdev = conn->hdev;
 117
 118        if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
 119                hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);
 120
 121        hci_chan_list_flush(conn);
 122
 123        hci_conn_hash_del(hdev, conn);
 124
 125        if (hdev->notify)
 126                hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
 127
 128        hci_conn_del_sysfs(conn);
 129
 130        debugfs_remove_recursive(conn->debugfs);
 131
 132        hci_dev_put(hdev);
 133
 134        hci_conn_put(conn);
 135}
 136
 137static void le_scan_cleanup(struct work_struct *work)
 138{
 139        struct hci_conn *conn = container_of(work, struct hci_conn,
 140                                             le_scan_cleanup);
 141        struct hci_dev *hdev = conn->hdev;
 142        struct hci_conn *c = NULL;
 143
 144        BT_DBG("%s hcon %p", hdev->name, conn);
 145
 146        hci_dev_lock(hdev);
 147
 148        /* Check that the hci_conn is still around */
 149        rcu_read_lock();
 150        list_for_each_entry_rcu(c, &hdev->conn_hash.list, list) {
 151                if (c == conn)
 152                        break;
 153        }
 154        rcu_read_unlock();
 155
 156        if (c == conn) {
 157                hci_connect_le_scan_cleanup(conn);
 158                hci_conn_cleanup(conn);
 159        }
 160
 161        hci_dev_unlock(hdev);
 162        hci_dev_put(hdev);
 163        hci_conn_put(conn);
 164}
 165
 166static void hci_connect_le_scan_remove(struct hci_conn *conn)
 167{
 168        BT_DBG("%s hcon %p", conn->hdev->name, conn);
 169
 170        /* We can't call hci_conn_del/hci_conn_cleanup here since that
 171         * could deadlock with another hci_conn_del() call that's holding
 172         * hci_dev_lock and doing cancel_delayed_work_sync(&conn->disc_work).
 173         * Instead, grab temporary extra references to the hci_dev and
 174         * hci_conn and perform the necessary cleanup in a separate work
 175         * callback.
 176         */
 177
 178        hci_dev_hold(conn->hdev);
 179        hci_conn_get(conn);
 180
 181        /* Even though we hold a reference to the hdev, many other
 182         * things might get cleaned up meanwhile, including the hdev's
 183         * own workqueue, so we can't use that for scheduling.
 184         */
 185        schedule_work(&conn->le_scan_cleanup);
 186}
 187
 188static void hci_acl_create_connection(struct hci_conn *conn)
 189{
 190        struct hci_dev *hdev = conn->hdev;
 191        struct inquiry_entry *ie;
 192        struct hci_cp_create_conn cp;
 193
 194        BT_DBG("hcon %p", conn);
 195
 196        conn->state = BT_CONNECT;
 197        conn->out = true;
 198        conn->role = HCI_ROLE_MASTER;
 199
 200        conn->attempt++;
 201
 202        conn->link_policy = hdev->link_policy;
 203
 204        memset(&cp, 0, sizeof(cp));
 205        bacpy(&cp.bdaddr, &conn->dst);
 206        cp.pscan_rep_mode = 0x02;
 207
 208        ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
 209        if (ie) {
 210                if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) {
 211                        cp.pscan_rep_mode = ie->data.pscan_rep_mode;
 212                        cp.pscan_mode     = ie->data.pscan_mode;
 213                        cp.clock_offset   = ie->data.clock_offset |
 214                                            cpu_to_le16(0x8000);
 215                }
 216
 217                memcpy(conn->dev_class, ie->data.dev_class, 3);
 218                if (ie->data.ssp_mode > 0)
 219                        set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
 220        }
 221
 222        cp.pkt_type = cpu_to_le16(conn->pkt_type);
 223        if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER))
 224                cp.role_switch = 0x01;
 225        else
 226                cp.role_switch = 0x00;
 227
 228        hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
 229}
 230
 231int hci_disconnect(struct hci_conn *conn, __u8 reason)
 232{
 233        BT_DBG("hcon %p", conn);
 234
 235        /* When we are master of an established connection and it enters
 236         * the disconnect timeout, then go ahead and try to read the
 237         * current clock offset.  Processing of the result is done
 238         * within the event handling and hci_clock_offset_evt function.
 239         */
 240        if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER &&
 241            (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) {
 242                struct hci_dev *hdev = conn->hdev;
 243                struct hci_cp_read_clock_offset clkoff_cp;
 244
 245                clkoff_cp.handle = cpu_to_le16(conn->handle);
 246                hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp),
 247                             &clkoff_cp);
 248        }
 249
 250        return hci_abort_conn(conn, reason);
 251}
 252
 253static void hci_add_sco(struct hci_conn *conn, __u16 handle)
 254{
 255        struct hci_dev *hdev = conn->hdev;
 256        struct hci_cp_add_sco cp;
 257
 258        BT_DBG("hcon %p", conn);
 259
 260        conn->state = BT_CONNECT;
 261        conn->out = true;
 262
 263        conn->attempt++;
 264
 265        cp.handle   = cpu_to_le16(handle);
 266        cp.pkt_type = cpu_to_le16(conn->pkt_type);
 267
 268        hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
 269}
 270
 271bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
 272{
 273        struct hci_dev *hdev = conn->hdev;
 274        struct hci_cp_setup_sync_conn cp;
 275        const struct sco_param *param;
 276
 277        BT_DBG("hcon %p", conn);
 278
 279        conn->state = BT_CONNECT;
 280        conn->out = true;
 281
 282        conn->attempt++;
 283
 284        cp.handle   = cpu_to_le16(handle);
 285
 286        cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
 287        cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
 288        cp.voice_setting  = cpu_to_le16(conn->setting);
 289
 290        switch (conn->setting & SCO_AIRMODE_MASK) {
 291        case SCO_AIRMODE_TRANSP:
 292                if (conn->attempt > ARRAY_SIZE(esco_param_msbc))
 293                        return false;
 294                param = &esco_param_msbc[conn->attempt - 1];
 295                break;
 296        case SCO_AIRMODE_CVSD:
 297                if (lmp_esco_capable(conn->link)) {
 298                        if (conn->attempt > ARRAY_SIZE(esco_param_cvsd))
 299                                return false;
 300                        param = &esco_param_cvsd[conn->attempt - 1];
 301                } else {
 302                        if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
 303                                return false;
 304                        param = &sco_param_cvsd[conn->attempt - 1];
 305                }
 306                break;
 307        default:
 308                return false;
 309        }
 310
 311        cp.retrans_effort = param->retrans_effort;
 312        cp.pkt_type = __cpu_to_le16(param->pkt_type);
 313        cp.max_latency = __cpu_to_le16(param->max_latency);
 314
 315        if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
 316                return false;
 317
 318        return true;
 319}
 320
 321u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
 322                      u16 to_multiplier)
 323{
 324        struct hci_dev *hdev = conn->hdev;
 325        struct hci_conn_params *params;
 326        struct hci_cp_le_conn_update cp;
 327
 328        hci_dev_lock(hdev);
 329
 330        params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
 331        if (params) {
 332                params->conn_min_interval = min;
 333                params->conn_max_interval = max;
 334                params->conn_latency = latency;
 335                params->supervision_timeout = to_multiplier;
 336        }
 337
 338        hci_dev_unlock(hdev);
 339
 340        memset(&cp, 0, sizeof(cp));
 341        cp.handle               = cpu_to_le16(conn->handle);
 342        cp.conn_interval_min    = cpu_to_le16(min);
 343        cp.conn_interval_max    = cpu_to_le16(max);
 344        cp.conn_latency         = cpu_to_le16(latency);
 345        cp.supervision_timeout  = cpu_to_le16(to_multiplier);
 346        cp.min_ce_len           = cpu_to_le16(0x0000);
 347        cp.max_ce_len           = cpu_to_le16(0x0000);
 348
 349        hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
 350
 351        if (params)
 352                return 0x01;
 353
 354        return 0x00;
 355}
 356
 357void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
 358                      __u8 ltk[16], __u8 key_size)
 359{
 360        struct hci_dev *hdev = conn->hdev;
 361        struct hci_cp_le_start_enc cp;
 362
 363        BT_DBG("hcon %p", conn);
 364
 365        memset(&cp, 0, sizeof(cp));
 366
 367        cp.handle = cpu_to_le16(conn->handle);
 368        cp.rand = rand;
 369        cp.ediv = ediv;
 370        memcpy(cp.ltk, ltk, key_size);
 371
 372        hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
 373}
 374
 375/* Device _must_ be locked */
 376void hci_sco_setup(struct hci_conn *conn, __u8 status)
 377{
 378        struct hci_conn *sco = conn->link;
 379
 380        if (!sco)
 381                return;
 382
 383        BT_DBG("hcon %p", conn);
 384
 385        if (!status) {
 386                if (lmp_esco_capable(conn->hdev))
 387                        hci_setup_sync(sco, conn->handle);
 388                else
 389                        hci_add_sco(sco, conn->handle);
 390        } else {
 391                hci_connect_cfm(sco, status);
 392                hci_conn_del(sco);
 393        }
 394}
 395
 396static void hci_conn_timeout(struct work_struct *work)
 397{
 398        struct hci_conn *conn = container_of(work, struct hci_conn,
 399                                             disc_work.work);
 400        int refcnt = atomic_read(&conn->refcnt);
 401
 402        BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
 403
 404        WARN_ON(refcnt < 0);
 405
 406        /* FIXME: It was observed that in pairing failed scenario, refcnt
 407         * drops below 0. Probably this is because l2cap_conn_del calls
 408         * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
 409         * dropped. After that loop hci_chan_del is called which also drops
 410         * conn. For now make sure that ACL is alive if refcnt is higher then 0,
 411         * otherwise drop it.
 412         */
 413        if (refcnt > 0)
 414                return;
 415
 416        /* LE connections in scanning state need special handling */
 417        if (conn->state == BT_CONNECT && conn->type == LE_LINK &&
 418            test_bit(HCI_CONN_SCANNING, &conn->flags)) {
 419                hci_connect_le_scan_remove(conn);
 420                return;
 421        }
 422
 423        hci_abort_conn(conn, hci_proto_disconn_ind(conn));
 424}
 425
 426/* Enter sniff mode */
 427static void hci_conn_idle(struct work_struct *work)
 428{
 429        struct hci_conn *conn = container_of(work, struct hci_conn,
 430                                             idle_work.work);
 431        struct hci_dev *hdev = conn->hdev;
 432
 433        BT_DBG("hcon %p mode %d", conn, conn->mode);
 434
 435        if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
 436                return;
 437
 438        if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
 439                return;
 440
 441        if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
 442                struct hci_cp_sniff_subrate cp;
 443                cp.handle             = cpu_to_le16(conn->handle);
 444                cp.max_latency        = cpu_to_le16(0);
 445                cp.min_remote_timeout = cpu_to_le16(0);
 446                cp.min_local_timeout  = cpu_to_le16(0);
 447                hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
 448        }
 449
 450        if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
 451                struct hci_cp_sniff_mode cp;
 452                cp.handle       = cpu_to_le16(conn->handle);
 453                cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
 454                cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
 455                cp.attempt      = cpu_to_le16(4);
 456                cp.timeout      = cpu_to_le16(1);
 457                hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
 458        }
 459}
 460
 461static void hci_conn_auto_accept(struct work_struct *work)
 462{
 463        struct hci_conn *conn = container_of(work, struct hci_conn,
 464                                             auto_accept_work.work);
 465
 466        hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
 467                     &conn->dst);
 468}
 469
 470static void le_conn_timeout(struct work_struct *work)
 471{
 472        struct hci_conn *conn = container_of(work, struct hci_conn,
 473                                             le_conn_timeout.work);
 474        struct hci_dev *hdev = conn->hdev;
 475
 476        BT_DBG("");
 477
 478        /* We could end up here due to having done directed advertising,
 479         * so clean up the state if necessary. This should however only
 480         * happen with broken hardware or if low duty cycle was used
 481         * (which doesn't have a timeout of its own).
 482         */
 483        if (conn->role == HCI_ROLE_SLAVE) {
 484                u8 enable = 0x00;
 485                hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
 486                             &enable);
 487                hci_le_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
 488                return;
 489        }
 490
 491        hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
 492}
 493
 494struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
 495                              u8 role)
 496{
 497        struct hci_conn *conn;
 498
 499        BT_DBG("%s dst %pMR", hdev->name, dst);
 500
 501        conn = kzalloc(sizeof(*conn), GFP_KERNEL);
 502        if (!conn)
 503                return NULL;
 504
 505        bacpy(&conn->dst, dst);
 506        bacpy(&conn->src, &hdev->bdaddr);
 507        conn->hdev  = hdev;
 508        conn->type  = type;
 509        conn->role  = role;
 510        conn->mode  = HCI_CM_ACTIVE;
 511        conn->state = BT_OPEN;
 512        conn->auth_type = HCI_AT_GENERAL_BONDING;
 513        conn->io_capability = hdev->io_capability;
 514        conn->remote_auth = 0xff;
 515        conn->key_type = 0xff;
 516        conn->rssi = HCI_RSSI_INVALID;
 517        conn->tx_power = HCI_TX_POWER_INVALID;
 518        conn->max_tx_power = HCI_TX_POWER_INVALID;
 519
 520        set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
 521        conn->disc_timeout = HCI_DISCONN_TIMEOUT;
 522
 523        if (conn->role == HCI_ROLE_MASTER)
 524                conn->out = true;
 525
 526        switch (type) {
 527        case ACL_LINK:
 528                conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
 529                break;
 530        case LE_LINK:
 531                /* conn->src should reflect the local identity address */
 532                hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
 533                break;
 534        case SCO_LINK:
 535                if (lmp_esco_capable(hdev))
 536                        conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
 537                                        (hdev->esco_type & EDR_ESCO_MASK);
 538                else
 539                        conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
 540                break;
 541        case ESCO_LINK:
 542                conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
 543                break;
 544        }
 545
 546        skb_queue_head_init(&conn->data_q);
 547
 548        INIT_LIST_HEAD(&conn->chan_list);
 549
 550        INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
 551        INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
 552        INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
 553        INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
 554        INIT_WORK(&conn->le_scan_cleanup, le_scan_cleanup);
 555
 556        atomic_set(&conn->refcnt, 0);
 557
 558        hci_dev_hold(hdev);
 559
 560        hci_conn_hash_add(hdev, conn);
 561        if (hdev->notify)
 562                hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
 563
 564        hci_conn_init_sysfs(conn);
 565
 566        return conn;
 567}
 568
 569int hci_conn_del(struct hci_conn *conn)
 570{
 571        struct hci_dev *hdev = conn->hdev;
 572
 573        BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
 574
 575        cancel_delayed_work_sync(&conn->disc_work);
 576        cancel_delayed_work_sync(&conn->auto_accept_work);
 577        cancel_delayed_work_sync(&conn->idle_work);
 578
 579        if (conn->type == ACL_LINK) {
 580                struct hci_conn *sco = conn->link;
 581                if (sco)
 582                        sco->link = NULL;
 583
 584                /* Unacked frames */
 585                hdev->acl_cnt += conn->sent;
 586        } else if (conn->type == LE_LINK) {
 587                cancel_delayed_work(&conn->le_conn_timeout);
 588
 589                if (hdev->le_pkts)
 590                        hdev->le_cnt += conn->sent;
 591                else
 592                        hdev->acl_cnt += conn->sent;
 593        } else {
 594                struct hci_conn *acl = conn->link;
 595                if (acl) {
 596                        acl->link = NULL;
 597                        hci_conn_drop(acl);
 598                }
 599        }
 600
 601        if (conn->amp_mgr)
 602                amp_mgr_put(conn->amp_mgr);
 603
 604        skb_queue_purge(&conn->data_q);
 605
 606        /* Remove the connection from the list and cleanup its remaining
 607         * state. This is a separate function since for some cases like
 608         * BT_CONNECT_SCAN we *only* want the cleanup part without the
 609         * rest of hci_conn_del.
 610         */
 611        hci_conn_cleanup(conn);
 612
 613        return 0;
 614}
 615
 616struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type)
 617{
 618        int use_src = bacmp(src, BDADDR_ANY);
 619        struct hci_dev *hdev = NULL, *d;
 620
 621        BT_DBG("%pMR -> %pMR", src, dst);
 622
 623        read_lock(&hci_dev_list_lock);
 624
 625        list_for_each_entry(d, &hci_dev_list, list) {
 626                if (!test_bit(HCI_UP, &d->flags) ||
 627                    hci_dev_test_flag(d, HCI_USER_CHANNEL) ||
 628                    d->dev_type != HCI_PRIMARY)
 629                        continue;
 630
 631                /* Simple routing:
 632                 *   No source address - find interface with bdaddr != dst
 633                 *   Source address    - find interface with bdaddr == src
 634                 */
 635
 636                if (use_src) {
 637                        bdaddr_t id_addr;
 638                        u8 id_addr_type;
 639
 640                        if (src_type == BDADDR_BREDR) {
 641                                if (!lmp_bredr_capable(d))
 642                                        continue;
 643                                bacpy(&id_addr, &d->bdaddr);
 644                                id_addr_type = BDADDR_BREDR;
 645                        } else {
 646                                if (!lmp_le_capable(d))
 647                                        continue;
 648
 649                                hci_copy_identity_address(d, &id_addr,
 650                                                          &id_addr_type);
 651
 652                                /* Convert from HCI to three-value type */
 653                                if (id_addr_type == ADDR_LE_DEV_PUBLIC)
 654                                        id_addr_type = BDADDR_LE_PUBLIC;
 655                                else
 656                                        id_addr_type = BDADDR_LE_RANDOM;
 657                        }
 658
 659                        if (!bacmp(&id_addr, src) && id_addr_type == src_type) {
 660                                hdev = d; break;
 661                        }
 662                } else {
 663                        if (bacmp(&d->bdaddr, dst)) {
 664                                hdev = d; break;
 665                        }
 666                }
 667        }
 668
 669        if (hdev)
 670                hdev = hci_dev_hold(hdev);
 671
 672        read_unlock(&hci_dev_list_lock);
 673        return hdev;
 674}
 675EXPORT_SYMBOL(hci_get_route);
 676
 677/* This function requires the caller holds hdev->lock */
 678void hci_le_conn_failed(struct hci_conn *conn, u8 status)
 679{
 680        struct hci_dev *hdev = conn->hdev;
 681        struct hci_conn_params *params;
 682
 683        params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
 684                                           conn->dst_type);
 685        if (params && params->conn) {
 686                hci_conn_drop(params->conn);
 687                hci_conn_put(params->conn);
 688                params->conn = NULL;
 689        }
 690
 691        conn->state = BT_CLOSED;
 692
 693        /* If the status indicates successful cancellation of
 694         * the attempt (i.e. Unkown Connection Id) there's no point of
 695         * notifying failure since we'll go back to keep trying to
 696         * connect. The only exception is explicit connect requests
 697         * where a timeout + cancel does indicate an actual failure.
 698         */
 699        if (status != HCI_ERROR_UNKNOWN_CONN_ID ||
 700            (params && params->explicit_connect))
 701                mgmt_connect_failed(hdev, &conn->dst, conn->type,
 702                                    conn->dst_type, status);
 703
 704        hci_connect_cfm(conn, status);
 705
 706        hci_conn_del(conn);
 707
 708        /* Since we may have temporarily stopped the background scanning in
 709         * favor of connection establishment, we should restart it.
 710         */
 711        hci_update_background_scan(hdev);
 712
 713        /* Re-enable advertising in case this was a failed connection
 714         * attempt as a peripheral.
 715         */
 716        hci_req_reenable_advertising(hdev);
 717}
 718
 719static void create_le_conn_complete(struct hci_dev *hdev, u8 status, u16 opcode)
 720{
 721        struct hci_conn *conn;
 722
 723        hci_dev_lock(hdev);
 724
 725        conn = hci_lookup_le_connect(hdev);
 726
 727        if (!status) {
 728                hci_connect_le_scan_cleanup(conn);
 729                goto done;
 730        }
 731
 732        BT_ERR("HCI request failed to create LE connection: status 0x%2.2x",
 733               status);
 734
 735        if (!conn)
 736                goto done;
 737
 738        hci_le_conn_failed(conn, status);
 739
 740done:
 741        hci_dev_unlock(hdev);
 742}
 743
 744static bool conn_use_rpa(struct hci_conn *conn)
 745{
 746        struct hci_dev *hdev = conn->hdev;
 747
 748        return hci_dev_test_flag(hdev, HCI_PRIVACY);
 749}
 750
 751static void hci_req_add_le_create_conn(struct hci_request *req,
 752                                       struct hci_conn *conn)
 753{
 754        struct hci_cp_le_create_conn cp;
 755        struct hci_dev *hdev = conn->hdev;
 756        u8 own_addr_type;
 757
 758        /* Update random address, but set require_privacy to false so
 759         * that we never connect with an non-resolvable address.
 760         */
 761        if (hci_update_random_address(req, false, conn_use_rpa(conn),
 762                                      &own_addr_type))
 763                return;
 764
 765        memset(&cp, 0, sizeof(cp));
 766
 767        /* Set window to be the same value as the interval to enable
 768         * continuous scanning.
 769         */
 770        cp.scan_interval = cpu_to_le16(hdev->le_scan_interval);
 771        cp.scan_window = cp.scan_interval;
 772
 773        bacpy(&cp.peer_addr, &conn->dst);
 774        cp.peer_addr_type = conn->dst_type;
 775        cp.own_address_type = own_addr_type;
 776        cp.conn_interval_min = cpu_to_le16(conn->le_conn_min_interval);
 777        cp.conn_interval_max = cpu_to_le16(conn->le_conn_max_interval);
 778        cp.conn_latency = cpu_to_le16(conn->le_conn_latency);
 779        cp.supervision_timeout = cpu_to_le16(conn->le_supv_timeout);
 780        cp.min_ce_len = cpu_to_le16(0x0000);
 781        cp.max_ce_len = cpu_to_le16(0x0000);
 782
 783        hci_req_add(req, HCI_OP_LE_CREATE_CONN, sizeof(cp), &cp);
 784
 785        conn->state = BT_CONNECT;
 786        clear_bit(HCI_CONN_SCANNING, &conn->flags);
 787}
 788
 789static void hci_req_directed_advertising(struct hci_request *req,
 790                                         struct hci_conn *conn)
 791{
 792        struct hci_dev *hdev = req->hdev;
 793        struct hci_cp_le_set_adv_param cp;
 794        u8 own_addr_type;
 795        u8 enable;
 796
 797        /* Clear the HCI_LE_ADV bit temporarily so that the
 798         * hci_update_random_address knows that it's safe to go ahead
 799         * and write a new random address. The flag will be set back on
 800         * as soon as the SET_ADV_ENABLE HCI command completes.
 801         */
 802        hci_dev_clear_flag(hdev, HCI_LE_ADV);
 803
 804        /* Set require_privacy to false so that the remote device has a
 805         * chance of identifying us.
 806         */
 807        if (hci_update_random_address(req, false, conn_use_rpa(conn),
 808                                      &own_addr_type) < 0)
 809                return;
 810
 811        memset(&cp, 0, sizeof(cp));
 812        cp.type = LE_ADV_DIRECT_IND;
 813        cp.own_address_type = own_addr_type;
 814        cp.direct_addr_type = conn->dst_type;
 815        bacpy(&cp.direct_addr, &conn->dst);
 816        cp.channel_map = hdev->le_adv_channel_map;
 817
 818        hci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp);
 819
 820        enable = 0x01;
 821        hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
 822
 823        conn->state = BT_CONNECT;
 824}
 825
 826struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
 827                                u8 dst_type, u8 sec_level, u16 conn_timeout,
 828                                u8 role)
 829{
 830        struct hci_conn_params *params;
 831        struct hci_conn *conn;
 832        struct smp_irk *irk;
 833        struct hci_request req;
 834        int err;
 835
 836        /* Let's make sure that le is enabled.*/
 837        if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
 838                if (lmp_le_capable(hdev))
 839                        return ERR_PTR(-ECONNREFUSED);
 840
 841                return ERR_PTR(-EOPNOTSUPP);
 842        }
 843
 844        /* Since the controller supports only one LE connection attempt at a
 845         * time, we return -EBUSY if there is any connection attempt running.
 846         */
 847        if (hci_lookup_le_connect(hdev))
 848                return ERR_PTR(-EBUSY);
 849
 850        /* If there's already a connection object but it's not in
 851         * scanning state it means it must already be established, in
 852         * which case we can't do anything else except report a failure
 853         * to connect.
 854         */
 855        conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
 856        if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) {
 857                return ERR_PTR(-EBUSY);
 858        }
 859
 860        /* When given an identity address with existing identity
 861         * resolving key, the connection needs to be established
 862         * to a resolvable random address.
 863         *
 864         * Storing the resolvable random address is required here
 865         * to handle connection failures. The address will later
 866         * be resolved back into the original identity address
 867         * from the connect request.
 868         */
 869        irk = hci_find_irk_by_addr(hdev, dst, dst_type);
 870        if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
 871                dst = &irk->rpa;
 872                dst_type = ADDR_LE_DEV_RANDOM;
 873        }
 874
 875        if (conn) {
 876                bacpy(&conn->dst, dst);
 877        } else {
 878                conn = hci_conn_add(hdev, LE_LINK, dst, role);
 879                if (!conn)
 880                        return ERR_PTR(-ENOMEM);
 881                hci_conn_hold(conn);
 882                conn->pending_sec_level = sec_level;
 883        }
 884
 885        conn->dst_type = dst_type;
 886        conn->sec_level = BT_SECURITY_LOW;
 887        conn->conn_timeout = conn_timeout;
 888
 889        hci_req_init(&req, hdev);
 890
 891        /* Disable advertising if we're active. For master role
 892         * connections most controllers will refuse to connect if
 893         * advertising is enabled, and for slave role connections we
 894         * anyway have to disable it in order to start directed
 895         * advertising.
 896         */
 897        if (hci_dev_test_flag(hdev, HCI_LE_ADV)) {
 898                u8 enable = 0x00;
 899                hci_req_add(&req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
 900                            &enable);
 901        }
 902
 903        /* If requested to connect as slave use directed advertising */
 904        if (conn->role == HCI_ROLE_SLAVE) {
 905                /* If we're active scanning most controllers are unable
 906                 * to initiate advertising. Simply reject the attempt.
 907                 */
 908                if (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
 909                    hdev->le_scan_type == LE_SCAN_ACTIVE) {
 910                        skb_queue_purge(&req.cmd_q);
 911                        hci_conn_del(conn);
 912                        return ERR_PTR(-EBUSY);
 913                }
 914
 915                hci_req_directed_advertising(&req, conn);
 916                goto create_conn;
 917        }
 918
 919        params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
 920        if (params) {
 921                conn->le_conn_min_interval = params->conn_min_interval;
 922                conn->le_conn_max_interval = params->conn_max_interval;
 923                conn->le_conn_latency = params->conn_latency;
 924                conn->le_supv_timeout = params->supervision_timeout;
 925        } else {
 926                conn->le_conn_min_interval = hdev->le_conn_min_interval;
 927                conn->le_conn_max_interval = hdev->le_conn_max_interval;
 928                conn->le_conn_latency = hdev->le_conn_latency;
 929                conn->le_supv_timeout = hdev->le_supv_timeout;
 930        }
 931
 932        /* If controller is scanning, we stop it since some controllers are
 933         * not able to scan and connect at the same time. Also set the
 934         * HCI_LE_SCAN_INTERRUPTED flag so that the command complete
 935         * handler for scan disabling knows to set the correct discovery
 936         * state.
 937         */
 938        if (hci_dev_test_flag(hdev, HCI_LE_SCAN)) {
 939                hci_req_add_le_scan_disable(&req);
 940                hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED);
 941        }
 942
 943        hci_req_add_le_create_conn(&req, conn);
 944
 945create_conn:
 946        err = hci_req_run(&req, create_le_conn_complete);
 947        if (err) {
 948                hci_conn_del(conn);
 949                return ERR_PTR(err);
 950        }
 951
 952        return conn;
 953}
 954
 955static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
 956{
 957        struct hci_conn *conn;
 958
 959        conn = hci_conn_hash_lookup_le(hdev, addr, type);
 960        if (!conn)
 961                return false;
 962
 963        if (conn->state != BT_CONNECTED)
 964                return false;
 965
 966        return true;
 967}
 968
 969/* This function requires the caller holds hdev->lock */
 970static int hci_explicit_conn_params_set(struct hci_dev *hdev,
 971                                        bdaddr_t *addr, u8 addr_type)
 972{
 973        struct hci_conn_params *params;
 974
 975        if (is_connected(hdev, addr, addr_type))
 976                return -EISCONN;
 977
 978        params = hci_conn_params_lookup(hdev, addr, addr_type);
 979        if (!params) {
 980                params = hci_conn_params_add(hdev, addr, addr_type);
 981                if (!params)
 982                        return -ENOMEM;
 983
 984                /* If we created new params, mark them to be deleted in
 985                 * hci_connect_le_scan_cleanup. It's different case than
 986                 * existing disabled params, those will stay after cleanup.
 987                 */
 988                params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
 989        }
 990
 991        /* We're trying to connect, so make sure params are at pend_le_conns */
 992        if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
 993            params->auto_connect == HCI_AUTO_CONN_REPORT ||
 994            params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
 995                list_del_init(&params->action);
 996                list_add(&params->action, &hdev->pend_le_conns);
 997        }
 998
 999        params->explicit_connect = true;
1000

1001        BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
1002               params->auto_connect);
1003
1004        return 0;
1005}
1006
1007/* This function requires the caller holds hdev->lock */
1008struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
1009                                     u8 dst_type, u8 sec_level,
1010                                     u16 conn_timeout)
1011{
1012        struct hci_conn *conn;
1013
1014        /* Let's make sure that le is enabled.*/
1015        if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1016                if (lmp_le_capable(hdev))
1017                        return ERR_PTR(-ECONNREFUSED);
1018
1019                return ERR_PTR(-EOPNOTSUPP);
1020        }
1021
1022        /* Some devices send ATT messages as soon as the physical link is
1023         * established. To be able to handle these ATT messages, the user-
1024         * space first establishes the connection and then starts the pairing
1025         * process.
1026         *
1027         * So if a hci_conn object already exists for the following connection
1028         * attempt, we simply update pending_sec_level and auth_type fields
1029         * and return the object found.
1030         */
1031        conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1032        if (conn) {
1033                if (conn->pending_sec_level < sec_level)
1034                        conn->pending_sec_level = sec_level;
1035                goto done;
1036        }
1037
1038        BT_DBG("requesting refresh of dst_addr");
1039
1040        conn = hci_conn_add(hdev, LE_LINK, dst, HCI_ROLE_MASTER);
1041        if (!conn)
1042                return ERR_PTR(-ENOMEM);
1043
1044        if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0)
1045                return ERR_PTR(-EBUSY);
1046
1047        conn->state = BT_CONNECT;
1048        set_bit(HCI_CONN_SCANNING, &conn->flags);
1049        conn->dst_type = dst_type;
1050        conn->sec_level = BT_SECURITY_LOW;
1051        conn->pending_sec_level = sec_level;
1052        conn->conn_timeout = conn_timeout;
1053
1054        hci_update_background_scan(hdev);
1055
1056done:
1057        hci_conn_hold(conn);
1058        return conn;
1059}
1060
1061struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
1062                                 u8 sec_level, u8 auth_type)
1063{
1064        struct hci_conn *acl;
1065
1066        if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1067                if (lmp_bredr_capable(hdev))
1068                        return ERR_PTR(-ECONNREFUSED);
1069
1070                return ERR_PTR(-EOPNOTSUPP);
1071        }
1072
1073        acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
1074        if (!acl) {
1075                acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
1076                if (!acl)
1077                        return ERR_PTR(-ENOMEM);
1078        }
1079
1080        hci_conn_hold(acl);
1081
1082        if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
1083                acl->sec_level = BT_SECURITY_LOW;
1084                acl->pending_sec_level = sec_level;
1085                acl->auth_type = auth_type;
1086                hci_acl_create_connection(acl);
1087        }
1088
1089        return acl;
1090}
1091
1092struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
1093                                 __u16 setting)
1094{
1095        struct hci_conn *acl;
1096        struct hci_conn *sco;
1097
1098        acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING);
1099        if (IS_ERR(acl))
1100                return acl;
1101
1102        sco = hci_conn_hash_lookup_ba(hdev, type, dst);
1103        if (!sco) {
1104                sco = hci_conn_add(hdev, type, dst, HCI_ROLE_MASTER);
1105                if (!sco) {
1106                        hci_conn_drop(acl);
1107                        return ERR_PTR(-ENOMEM);
1108                }
1109        }
1110
1111        acl->link = sco;
1112        sco->link = acl;
1113
1114        hci_conn_hold(sco);
1115
1116        sco->setting = setting;
1117
1118        if (acl->state == BT_CONNECTED &&
1119            (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
1120                set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
1121                hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
1122
1123                if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
1124                        /* defer SCO setup until mode change completed */
1125                        set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
1126                        return sco;
1127                }
1128
1129                hci_sco_setup(acl, 0x00);
1130        }
1131
1132        return sco;
1133}
1134
1135/* Check link security requirement */
1136int hci_conn_check_link_mode(struct hci_conn *conn)
1137{
1138        BT_DBG("hcon %p", conn);
1139
1140        /* In Secure Connections Only mode, it is required that Secure
1141         * Connections is used and the link is encrypted with AES-CCM
1142         * using a P-256 authenticated combination key.
1143         */
1144        if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) {
1145                if (!hci_conn_sc_enabled(conn) ||
1146                    !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
1147                    conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
1148                        return 0;
1149        }
1150
1151        if (hci_conn_ssp_enabled(conn) &&
1152            !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1153                return 0;
1154
1155        return 1;
1156}
1157
1158/* Authenticate remote device */
1159static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
1160{
1161        BT_DBG("hcon %p", conn);
1162
1163        if (conn->pending_sec_level > sec_level)
1164                sec_level = conn->pending_sec_level;
1165
1166        if (sec_level > conn->sec_level)
1167                conn->pending_sec_level = sec_level;
1168        else if (test_bit(HCI_CONN_AUTH, &conn->flags))
1169                return 1;
1170
1171        /* Make sure we preserve an existing MITM requirement*/
1172        auth_type |= (conn->auth_type & 0x01);
1173
1174        conn->auth_type = auth_type;
1175
1176        if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1177                struct hci_cp_auth_requested cp;
1178
1179                cp.handle = cpu_to_le16(conn->handle);
1180                hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
1181                             sizeof(cp), &cp);
1182
1183                /* If we're already encrypted set the REAUTH_PEND flag,
1184                 * otherwise set the ENCRYPT_PEND.
1185                 */
1186                if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1187                        set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
1188                else
1189                        set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
1190        }
1191
1192        return 0;
1193}
1194
1195/* Encrypt the the link */
1196static void hci_conn_encrypt(struct hci_conn *conn)
1197{
1198        BT_DBG("hcon %p", conn);
1199
1200        if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
1201                struct hci_cp_set_conn_encrypt cp;
1202                cp.handle  = cpu_to_le16(conn->handle);
1203                cp.encrypt = 0x01;
1204                hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
1205                             &cp);
1206        }
1207}
1208
1209/* Enable security */
1210int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
1211                      bool initiator)
1212{
1213        BT_DBG("hcon %p", conn);
1214
1215        if (conn->type == LE_LINK)
1216                return smp_conn_security(conn, sec_level);
1217
1218        /* For sdp we don't need the link key. */
1219        if (sec_level == BT_SECURITY_SDP)
1220                return 1;
1221
1222        /* For non 2.1 devices and low security level we don't need the link
1223           key. */
1224        if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
1225                return 1;
1226
1227        /* For other security levels we need the link key. */
1228        if (!test_bit(HCI_CONN_AUTH, &conn->flags))
1229                goto auth;
1230
1231        /* An authenticated FIPS approved combination key has sufficient
1232         * security for security level 4. */
1233        if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 &&
1234            sec_level == BT_SECURITY_FIPS)
1235                goto encrypt;
1236
1237        /* An authenticated combination key has sufficient security for
1238           security level 3. */
1239        if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 ||
1240             conn->key_type == HCI_LK_AUTH_COMBINATION_P256) &&
1241            sec_level == BT_SECURITY_HIGH)
1242                goto encrypt;
1243
1244        /* An unauthenticated combination key has sufficient security for
1245           security level 1 and 2. */
1246        if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 ||
1247             conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) &&
1248            (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW))
1249                goto encrypt;
1250
1251        /* A combination key has always sufficient security for the security
1252           levels 1 or 2. High security level requires the combination key
1253           is generated using maximum PIN code length (16).
1254           For pre 2.1 units. */
1255        if (conn->key_type == HCI_LK_COMBINATION &&
1256            (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW ||
1257             conn->pin_length == 16))
1258                goto encrypt;
1259
1260auth:
1261        if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
1262                return 0;
1263
1264        if (initiator)
1265                set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1266
1267        if (!hci_conn_auth(conn, sec_level, auth_type))
1268                return 0;
1269
1270encrypt:
1271        if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1272                return 1;
1273
1274        hci_conn_encrypt(conn);
1275        return 0;
1276}
1277EXPORT_SYMBOL(hci_conn_security);
1278
1279/* Check secure link requirement */
1280int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
1281{
1282        BT_DBG("hcon %p", conn);
1283
1284        /* Accept if non-secure or higher security level is required */
1285        if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
1286                return 1;
1287
1288        /* Accept if secure or higher security level is already present */
1289        if (conn->sec_level == BT_SECURITY_HIGH ||
1290            conn->sec_level == BT_SECURITY_FIPS)
1291                return 1;
1292
1293        /* Reject not secure link */
1294        return 0;
1295}
1296EXPORT_SYMBOL(hci_conn_check_secure);
1297
1298/* Switch role */
1299int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
1300{
1301        BT_DBG("hcon %p", conn);
1302
1303        if (role == conn->role)
1304                return 1;
1305
1306        if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
1307                struct hci_cp_switch_role cp;
1308                bacpy(&cp.bdaddr, &conn->dst);
1309                cp.role = role;
1310                hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
1311        }
1312
1313        return 0;
1314}
1315EXPORT_SYMBOL(hci_conn_switch_role);
1316
1317/* Enter active mode */
1318void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
1319{
1320        struct hci_dev *hdev = conn->hdev;
1321
1322        BT_DBG("hcon %p mode %d", conn, conn->mode);
1323
1324        if (conn->mode != HCI_CM_SNIFF)
1325                goto timer;
1326
1327        if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
1328                goto timer;
1329
1330        if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
1331                struct hci_cp_exit_sniff_mode cp;
1332                cp.handle = cpu_to_le16(conn->handle);
1333                hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
1334        }
1335
1336timer:
1337        if (hdev->idle_timeout > 0)
1338                queue_delayed_work(hdev->workqueue, &conn->idle_work,
1339                                   msecs_to_jiffies(hdev->idle_timeout));
1340}
1341
1342/* Drop all connection on the device */
1343void hci_conn_hash_flush(struct hci_dev *hdev)
1344{
1345        struct hci_conn_hash *h = &hdev->conn_hash;
1346        struct hci_conn *c, *n;
1347
1348        BT_DBG("hdev %s", hdev->name);
1349
1350        list_for_each_entry_safe(c, n, &h->list, list) {
1351                c->state = BT_CLOSED;
1352
1353                hci_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM);
1354                hci_conn_del(c);
1355        }
1356}
1357
1358/* Check pending connect attempts */
1359void hci_conn_check_pending(struct hci_dev *hdev)
1360{
1361        struct hci_conn *conn;
1362
1363        BT_DBG("hdev %s", hdev->name);
1364
1365        hci_dev_lock(hdev);
1366
1367        conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2);
1368        if (conn)
1369                hci_acl_create_connection(conn);
1370
1371        hci_dev_unlock(hdev);
1372}
1373
1374static u32 get_link_mode(struct hci_conn *conn)
1375{
1376        u32 link_mode = 0;
1377
1378        if (conn->role == HCI_ROLE_MASTER)
1379                link_mode |= HCI_LM_MASTER;
1380
1381        if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1382                link_mode |= HCI_LM_ENCRYPT;
1383
1384        if (test_bit(HCI_CONN_AUTH, &conn->flags))
1385                link_mode |= HCI_LM_AUTH;
1386
1387        if (test_bit(HCI_CONN_SECURE, &conn->flags))
1388                link_mode |= HCI_LM_SECURE;
1389
1390        if (test_bit(HCI_CONN_FIPS, &conn->flags))
1391                link_mode |= HCI_LM_FIPS;
1392
1393        return link_mode;
1394}
1395
1396int hci_get_conn_list(void __user *arg)
1397{
1398        struct hci_conn *c;
1399        struct hci_conn_list_req req, *cl;
1400        struct hci_conn_info *ci;
1401        struct hci_dev *hdev;
1402        int n = 0, size, err;
1403
1404        if (copy_from_user(&req, arg, sizeof(req)))
1405                return -EFAULT;
1406
1407        if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
1408                return -EINVAL;
1409
1410        size = sizeof(req) + req.conn_num * sizeof(*ci);
1411
1412        cl = kmalloc(size, GFP_KERNEL);
1413        if (!cl)
1414                return -ENOMEM;
1415
1416        hdev = hci_dev_get(req.dev_id);
1417        if (!hdev) {
1418                kfree(cl);
1419                return -ENODEV;
1420        }
1421
1422        ci = cl->conn_info;
1423
1424        hci_dev_lock(hdev);
1425        list_for_each_entry(c, &hdev->conn_hash.list, list) {
1426                bacpy(&(ci + n)->bdaddr, &c->dst);
1427                (ci + n)->handle = c->handle;
1428                (ci + n)->type  = c->type;
1429                (ci + n)->out   = c->out;
1430                (ci + n)->state = c->state;
1431                (ci + n)->link_mode = get_link_mode(c);
1432                if (++n >= req.conn_num)
1433                        break;
1434        }
1435        hci_dev_unlock(hdev);
1436
1437        cl->dev_id = hdev->id;
1438        cl->conn_num = n;
1439        size = sizeof(req) + n * sizeof(*ci);
1440
1441        hci_dev_put(hdev);
1442
1443        err = copy_to_user(arg, cl, size);
1444        kfree(cl);
1445
1446        return err ? -EFAULT : 0;
1447}
1448
1449int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
1450{
1451        struct hci_conn_info_req req;
1452        struct hci_conn_info ci;
1453        struct hci_conn *conn;
1454        char __user *ptr = arg + sizeof(req);
1455
1456        if (copy_from_user(&req, arg, sizeof(req)))
1457                return -EFAULT;
1458
1459        hci_dev_lock(hdev);
1460        conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
1461        if (conn) {
1462                bacpy(&ci.bdaddr, &conn->dst);
1463                ci.handle = conn->handle;
1464                ci.type  = conn->type;
1465                ci.out   = conn->out;
1466                ci.state = conn->state;
1467                ci.link_mode = get_link_mode(conn);
1468        }
1469        hci_dev_unlock(hdev);
1470
1471        if (!conn)
1472                return -ENOENT;
1473
1474        return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
1475}
1476
1477int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
1478{
1479        struct hci_auth_info_req req;
1480        struct hci_conn *conn;
1481
1482        if (copy_from_user(&req, arg, sizeof(req)))
1483                return -EFAULT;
1484
1485        hci_dev_lock(hdev);
1486        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
1487        if (conn)
1488                req.type = conn->auth_type;
1489        hci_dev_unlock(hdev);
1490
1491        if (!conn)
1492                return -ENOENT;
1493
1494        return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
1495}
1496
1497struct hci_chan *hci_chan_create(struct hci_conn *conn)
1498{
1499        struct hci_dev *hdev = conn->hdev;
1500        struct hci_chan *chan;
1501
1502        BT_DBG("%s hcon %p", hdev->name, conn);
1503
1504        if (test_bit(HCI_CONN_DROP, &conn->flags)) {
1505                BT_DBG("Refusing to create new hci_chan");
1506                return NULL;
1507        }
1508
1509        chan = kzalloc(sizeof(*chan), GFP_KERNEL);
1510        if (!chan)
1511                return NULL;
1512
1513        chan->conn = hci_conn_get(conn);
1514        skb_queue_head_init(&chan->data_q);
1515        chan->state = BT_CONNECTED;
1516
1517        list_add_rcu(&chan->list, &conn->chan_list);
1518
1519        return chan;
1520}
1521
1522void hci_chan_del(struct hci_chan *chan)
1523{
1524        struct hci_conn *conn = chan->conn;
1525        struct hci_dev *hdev = conn->hdev;
1526
1527        BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
1528
1529        list_del_rcu(&chan->list);
1530
1531        synchronize_rcu();
1532
1533        /* Prevent new hci_chan's to be created for this hci_conn */
1534        set_bit(HCI_CONN_DROP, &conn->flags);
1535
1536        hci_conn_put(conn);
1537
1538        skb_queue_purge(&chan->data_q);
1539        kfree(chan);
1540}
1541
1542void hci_chan_list_flush(struct hci_conn *conn)
1543{
1544        struct hci_chan *chan, *n;
1545
1546        BT_DBG("hcon %p", conn);
1547
1548        list_for_each_entry_safe(chan, n, &conn->chan_list, list)
1549                hci_chan_del(chan);
1550}
1551
1552static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
1553                                                 __u16 handle)
1554{
1555        struct hci_chan *hchan;
1556
1557        list_for_each_entry(hchan, &hcon->chan_list, list) {
1558                if (hchan->handle == handle)
1559                        return hchan;
1560        }
1561
1562        return NULL;
1563}
1564
1565struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
1566{
1567        struct hci_conn_hash *h = &hdev->conn_hash;
1568        struct hci_conn *hcon;
1569        struct hci_chan *hchan = NULL;
1570
1571        rcu_read_lock();
1572
1573        list_for_each_entry_rcu(hcon, &h->list, list) {
1574                hchan = __hci_chan_lookup_handle(hcon, handle);
1575                if (hchan)
1576                        break;
1577        }
1578
1579        rcu_read_unlock();
1580
1581        return hchan;
1582}
1583