]> git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/blame - net/bluetooth/hci_conn.c
projects / mirror_ubuntu-zesty-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Fix LE connection timeout deadlock
[mirror_ubuntu-zesty-kernel.git] / net / bluetooth / hci_conn.c
CommitLineData
8e87d142 1/*
1da177e4 2 BlueZ - Bluetooth protocol stack for Linux
2d0a0346 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
1da177e4
LT		 4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
8e87d142
YH		 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 22 SOFTWARE IS DISCLAIMED.
23*/
24
25/* Bluetooth HCI connection handling. */
26
8c520a59 27#include <linux/export.h>
1da177e4
LT		 28
29#include <net/bluetooth/bluetooth.h>
30#include <net/bluetooth/hci_core.h>
4bc58f51 31#include <net/bluetooth/l2cap.h>
1da177e4 32
ac4b7236 33#include "smp.h"
7024728e
MH		 34#include "a2mp.h"
35
2dea632f
FD		 36struct sco_param {
37 u16 pkt_type;
38 u16 max_latency;
c7da5797 39 u8 retrans_effort;
2dea632f
FD		 40};
41
48e68ff5 42static const struct sco_param esco_param_cvsd[] = {
c7da5797
JH		 43 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */
44 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */
45 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */
46 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */
47 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */
2dea632f
FD		 48};
49
48e68ff5 50static const struct sco_param sco_param_cvsd[] = {
c7da5797
JH		 51 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */
52 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */
48e68ff5
BT		 53};
54
565766b0 55static const struct sco_param esco_param_msbc[] = {
c7da5797
JH		 56 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */
57 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */
2dea632f
FD		 58};
59
1aef8669 60static void hci_le_create_connection_cancel(struct hci_conn *conn)
fcd89c09
VT		 61{
62 hci_send_cmd(conn->hdev, HCI_OP_LE_CREATE_CONN_CANCEL, 0, NULL);
63}
64
1aef8669 65static void hci_acl_create_connection(struct hci_conn *conn)
1da177e4
LT		 66{
67 struct hci_dev *hdev = conn->hdev;
68 struct inquiry_entry *ie;
69 struct hci_cp_create_conn cp;
70
42d2d87c 71 BT_DBG("hcon %p", conn);
1da177e4
LT		 72
73 conn->state = BT_CONNECT;
a0c808b3 74 conn->out = true;
40bef302 75 conn->role = HCI_ROLE_MASTER;
1da177e4 76
4c67bc74
MH		 77 conn->attempt++;
78
e4e8e37c
MH		 79 conn->link_policy = hdev->link_policy;
80
1da177e4
LT		 81 memset(&cp, 0, sizeof(cp));
82 bacpy(&cp.bdaddr, &conn->dst);
83 cp.pscan_rep_mode = 0x02;
84
70f23020
AE		 85 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
86 if (ie) {
41a96212
MH		 87 if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) {
88 cp.pscan_rep_mode = ie->data.pscan_rep_mode;
89 cp.pscan_mode = ie->data.pscan_mode;
90 cp.clock_offset = ie->data.clock_offset |
dcf4adbf 91 cpu_to_le16(0x8000);
41a96212
MH		 92 }
93
1da177e4 94 memcpy(conn->dev_class, ie->data.dev_class, 3);
58a681ef
JH		 95 if (ie->data.ssp_mode > 0)
96 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
1da177e4
LT		 97 }
98
a8746417 99 cp.pkt_type = cpu_to_le16(conn->pkt_type);
1da177e4 100 if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER))
b6a0dc82 101 cp.role_switch = 0x01;
1da177e4 102 else
b6a0dc82 103 cp.role_switch = 0x00;
4c67bc74 104
a9de9248 105 hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
1da177e4
LT		 106}
107
1aef8669 108static void hci_acl_create_connection_cancel(struct hci_conn *conn)
6ac59344
MH		 109{
110 struct hci_cp_create_conn_cancel cp;
111
38b3fef1 112 BT_DBG("hcon %p", conn);
6ac59344 113
d095c1eb 114 if (conn->hdev->hci_ver < BLUETOOTH_VER_1_2)
6ac59344
MH		 115 return;
116
117 bacpy(&cp.bdaddr, &conn->dst);
a9de9248 118 hci_send_cmd(conn->hdev, HCI_OP_CREATE_CONN_CANCEL, sizeof(cp), &cp);
6ac59344
MH		 119}
120
93796fa6
CT		 121static void hci_reject_sco(struct hci_conn *conn)
122{
123 struct hci_cp_reject_sync_conn_req cp;
124
d41c15cf 125 cp.reason = HCI_ERROR_REJ_LIMITED_RESOURCES;
93796fa6
CT		 126 bacpy(&cp.bdaddr, &conn->dst);
127
128 hci_send_cmd(conn->hdev, HCI_OP_REJECT_SYNC_CONN_REQ, sizeof(cp), &cp);
129}
130
e3b679d5 131int hci_disconnect(struct hci_conn *conn, __u8 reason)
1da177e4
LT		 132{
133 struct hci_cp_disconnect cp;
134
38b3fef1 135 BT_DBG("hcon %p", conn);
1da177e4 136
839035a7
JH		 137 /* When we are master of an established connection and it enters
138 * the disconnect timeout, then go ahead and try to read the
139 * current clock offset. Processing of the result is done
140 * within the event handling and hci_clock_offset_evt function.
141 */
142 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER) {
143 struct hci_dev *hdev = conn->hdev;
4f639ede 144 struct hci_cp_read_clock_offset clkoff_cp;
839035a7 145
4f639ede
FF		 146 clkoff_cp.handle = cpu_to_le16(conn->handle);
147 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp),
148 &clkoff_cp);
839035a7
JH		 149 }
150
1da177e4
LT		 151 conn->state = BT_DISCONN;
152
aca3192c 153 cp.handle = cpu_to_le16(conn->handle);
1da177e4 154 cp.reason = reason;
e3b679d5 155 return hci_send_cmd(conn->hdev, HCI_OP_DISCONNECT, sizeof(cp), &cp);
1da177e4
LT		 156}
157
a2b1976b 158static void hci_amp_disconn(struct hci_conn *conn)
53502d69
AE		 159{
160 struct hci_cp_disconn_phy_link cp;
161
162 BT_DBG("hcon %p", conn);
163
164 conn->state = BT_DISCONN;
165
166 cp.phy_handle = HCI_PHY_HANDLE(conn->handle);
a2b1976b 167 cp.reason = hci_proto_disconn_ind(conn);
53502d69
AE		 168 hci_send_cmd(conn->hdev, HCI_OP_DISCONN_PHY_LINK,
169 sizeof(cp), &cp);
170}
171
57f5d0d1 172static void hci_add_sco(struct hci_conn *conn, __u16 handle)
1da177e4
LT		 173{
174 struct hci_dev *hdev = conn->hdev;
175 struct hci_cp_add_sco cp;
176
38b3fef1 177 BT_DBG("hcon %p", conn);
1da177e4
LT		 178
179 conn->state = BT_CONNECT;
a0c808b3 180 conn->out = true;
1da177e4 181
efc7688b
MH		 182 conn->attempt++;
183
aca3192c 184 cp.handle = cpu_to_le16(handle);
a8746417 185 cp.pkt_type = cpu_to_le16(conn->pkt_type);
1da177e4 186
a9de9248 187 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
1da177e4
LT		 188}
189
2dea632f 190bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
b6a0dc82
MH		 191{
192 struct hci_dev *hdev = conn->hdev;
193 struct hci_cp_setup_sync_conn cp;
2dea632f 194 const struct sco_param *param;
b6a0dc82 195
38b3fef1 196 BT_DBG("hcon %p", conn);
b6a0dc82
MH		 197
198 conn->state = BT_CONNECT;
a0c808b3 199 conn->out = true;
b6a0dc82 200
efc7688b
MH		 201 conn->attempt++;
202
b6a0dc82 203 cp.handle = cpu_to_le16(handle);
b6a0dc82 204
dcf4adbf
JP		 205 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
206 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
10c62ddc
FD		 207 cp.voice_setting = cpu_to_le16(conn->setting);
208
209 switch (conn->setting & SCO_AIRMODE_MASK) {
210 case SCO_AIRMODE_TRANSP:
565766b0 211 if (conn->attempt > ARRAY_SIZE(esco_param_msbc))
2dea632f 212 return false;
565766b0 213 param = &esco_param_msbc[conn->attempt - 1];
10c62ddc
FD		 214 break;
215 case SCO_AIRMODE_CVSD:
48e68ff5
BT		 216 if (lmp_esco_capable(conn->link)) {
217 if (conn->attempt > ARRAY_SIZE(esco_param_cvsd))
218 return false;
48e68ff5
BT		 219 param = &esco_param_cvsd[conn->attempt - 1];
220 } else {
221 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
222 return false;
48e68ff5
BT		 223 param = &sco_param_cvsd[conn->attempt - 1];
224 }
10c62ddc 225 break;
2dea632f
FD		 226 default:
227 return false;
10c62ddc 228 }
b6a0dc82 229
c7da5797 230 cp.retrans_effort = param->retrans_effort;
2dea632f
FD		 231 cp.pkt_type = __cpu_to_le16(param->pkt_type);
232 cp.max_latency = __cpu_to_le16(param->max_latency);
233
234 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
235 return false;
236
237 return true;
b6a0dc82
MH		 238}
239
7d6ca693
JH		 240u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
241 u16 to_multiplier)
2ce603eb 242{
2ce603eb 243 struct hci_dev *hdev = conn->hdev;
f044eb05
MH		 244 struct hci_conn_params *params;
245 struct hci_cp_le_conn_update cp;
2ce603eb 246
f044eb05 247 hci_dev_lock(hdev);
2ce603eb 248
f044eb05
MH		 249 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
250 if (params) {
251 params->conn_min_interval = min;
252 params->conn_max_interval = max;
253 params->conn_latency = latency;
254 params->supervision_timeout = to_multiplier;
255 }
256
257 hci_dev_unlock(hdev);
258
259 memset(&cp, 0, sizeof(cp));
2ce603eb
CT		 260 cp.handle = cpu_to_le16(conn->handle);
261 cp.conn_interval_min = cpu_to_le16(min);
262 cp.conn_interval_max = cpu_to_le16(max);
263 cp.conn_latency = cpu_to_le16(latency);
264 cp.supervision_timeout = cpu_to_le16(to_multiplier);
dcf4adbf
JP		 265 cp.min_ce_len = cpu_to_le16(0x0000);
266 cp.max_ce_len = cpu_to_le16(0x0000);
2ce603eb
CT		 267
268 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
7d6ca693
JH		 269
270 if (params)
271 return 0x01;
272
273 return 0x00;
2ce603eb 274}
2ce603eb 275
fe39c7b2 276void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
5974e4c4 277 __u8 ltk[16])
a7a595f6
VCG		 278{
279 struct hci_dev *hdev = conn->hdev;
280 struct hci_cp_le_start_enc cp;
281
38b3fef1 282 BT_DBG("hcon %p", conn);
a7a595f6
VCG		 283
284 memset(&cp, 0, sizeof(cp));
285
286 cp.handle = cpu_to_le16(conn->handle);
fe39c7b2 287 cp.rand = rand;
a7a595f6 288 cp.ediv = ediv;
fe39c7b2 289 memcpy(cp.ltk, ltk, sizeof(cp.ltk));
a7a595f6
VCG		 290
291 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
292}
a7a595f6 293
e73439d8
MH		 294/* Device _must_ be locked */
295void hci_sco_setup(struct hci_conn *conn, __u8 status)
296{
297 struct hci_conn *sco = conn->link;
298
e73439d8
MH		 299 if (!sco)
300 return;
301
38b3fef1
AE		 302 BT_DBG("hcon %p", conn);
303
e73439d8
MH		 304 if (!status) {
305 if (lmp_esco_capable(conn->hdev))
306 hci_setup_sync(sco, conn->handle);
307 else
308 hci_add_sco(sco, conn->handle);
309 } else {
310 hci_proto_connect_cfm(sco, status);
311 hci_conn_del(sco);
312 }
313}
314
19c40e3b 315static void hci_conn_timeout(struct work_struct *work)
1da177e4 316{
19c40e3b 317 struct hci_conn *conn = container_of(work, struct hci_conn,
5974e4c4 318 disc_work.work);
1d56dc4f 319 int refcnt = atomic_read(&conn->refcnt);
1da177e4 320
38b3fef1 321 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
1da177e4 322
1d56dc4f
LR		 323 WARN_ON(refcnt < 0);
324
325 /* FIXME: It was observed that in pairing failed scenario, refcnt
326 * drops below 0. Probably this is because l2cap_conn_del calls
327 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
328 * dropped. After that loop hci_chan_del is called which also drops
329 * conn. For now make sure that ACL is alive if refcnt is higher then 0,
330 * otherwise drop it.
331 */
332 if (refcnt > 0)
1da177e4
LT		 333 return;
334
6ac59344
MH		 335 switch (conn->state) {
336 case BT_CONNECT:
769be974 337 case BT_CONNECT2:
fcd89c09
VT		 338 if (conn->out) {
339 if (conn->type == ACL_LINK)
1aef8669 340 hci_acl_create_connection_cancel(conn);
fcd89c09 341 else if (conn->type == LE_LINK)
1aef8669 342 hci_le_create_connection_cancel(conn);
93796fa6
CT		 343 } else if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
344 hci_reject_sco(conn);
fcd89c09 345 }
6ac59344 346 break;
769be974 347 case BT_CONFIG:
8e87d142 348 case BT_CONNECTED:
40051e46
MH		 349 if (conn->type == AMP_LINK) {
350 hci_amp_disconn(conn);
351 } else {
352 __u8 reason = hci_proto_disconn_ind(conn);
353 hci_disconnect(conn, reason);
354 }
6ac59344
MH		 355 break;
356 default:
1da177e4 357 conn->state = BT_CLOSED;
6ac59344
MH		 358 break;
359 }
1da177e4
LT		 360}
361
416dc94b 362/* Enter sniff mode */
a74a84f6 363static void hci_conn_idle(struct work_struct *work)
416dc94b 364{
a74a84f6
JH		 365 struct hci_conn *conn = container_of(work, struct hci_conn,
366 idle_work.work);
416dc94b
GP		 367 struct hci_dev *hdev = conn->hdev;
368
38b3fef1 369 BT_DBG("hcon %p mode %d", conn, conn->mode);
416dc94b 370
416dc94b
GP		 371 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
372 return;
373
374 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
375 return;
376
377 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
378 struct hci_cp_sniff_subrate cp;
379 cp.handle = cpu_to_le16(conn->handle);
dcf4adbf
JP		 380 cp.max_latency = cpu_to_le16(0);
381 cp.min_remote_timeout = cpu_to_le16(0);
382 cp.min_local_timeout = cpu_to_le16(0);
416dc94b
GP		 383 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
384 }
385
51a8efd7 386 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
416dc94b
GP		 387 struct hci_cp_sniff_mode cp;
388 cp.handle = cpu_to_le16(conn->handle);
389 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
390 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
dcf4adbf
JP		 391 cp.attempt = cpu_to_le16(4);
392 cp.timeout = cpu_to_le16(1);
416dc94b
GP		 393 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
394 }
395}
396
7bc18d9d 397static void hci_conn_auto_accept(struct work_struct *work)
9f61656a 398{
7bc18d9d
JH		 399 struct hci_conn *conn = container_of(work, struct hci_conn,
400 auto_accept_work.work);
9f61656a 401
7bc18d9d 402 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
5974e4c4 403 &conn->dst);
9f61656a
JH		 404}
405
9489eca4
JH		 406static void le_conn_timeout(struct work_struct *work)
407{
408 struct hci_conn *conn = container_of(work, struct hci_conn,
409 le_conn_timeout.work);
3c857757 410 struct hci_dev *hdev = conn->hdev;
9489eca4
JH		 411
412 BT_DBG("");
413
3c857757
JH		 414 /* We could end up here due to having done directed advertising,
415 * so clean up the state if necessary. This should however only
416 * happen with broken hardware or if low duty cycle was used
417 * (which doesn't have a timeout of its own).
418 */
419 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags)) {
420 u8 enable = 0x00;
421 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
422 &enable);
423 hci_le_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
424 return;
425 }
426
9489eca4
JH		 427 hci_le_create_connection_cancel(conn);
428}
429
a5c4e309
JH		 430struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
431 u8 role)
1da177e4
LT		 432{
433 struct hci_conn *conn;
434
6ed93dc6 435 BT_DBG("%s dst %pMR", hdev->name, dst);
1da177e4 436
27f70f3e 437 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
04837f64 438 if (!conn)
1da177e4 439 return NULL;
1da177e4
LT		 440
441 bacpy(&conn->dst, dst);
662e8820 442 bacpy(&conn->src, &hdev->bdaddr);
a8746417
MH		 443 conn->hdev = hdev;
444 conn->type = type;
a5c4e309 445 conn->role = role;
a8746417
MH		 446 conn->mode = HCI_CM_ACTIVE;
447 conn->state = BT_OPEN;
93f19c9f 448 conn->auth_type = HCI_AT_GENERAL_BONDING;
17fa4b9d 449 conn->io_capability = hdev->io_capability;
a9583556 450 conn->remote_auth = 0xff;
13d39315 451 conn->key_type = 0xff;
5a134fae 452 conn->tx_power = HCI_TX_POWER_INVALID;
d0455ed9 453 conn->max_tx_power = HCI_TX_POWER_INVALID;
1da177e4 454
58a681ef 455 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
052b30b0 456 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
04837f64 457
a5c4e309
JH		 458 if (conn->role == HCI_ROLE_MASTER)
459 conn->out = true;
460
a8746417
MH		 461 switch (type) {
462 case ACL_LINK:
463 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
464 break;
9c84d1da
JH		 465 case LE_LINK:
466 /* conn->src should reflect the local identity address */
467 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
468 break;
a8746417
MH		 469 case SCO_LINK:
470 if (lmp_esco_capable(hdev))
efc7688b
MH		 471 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
472 (hdev->esco_type & EDR_ESCO_MASK);
a8746417
MH		 473 else
474 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
475 break;
476 case ESCO_LINK:
efc7688b 477 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
a8746417
MH		 478 break;
479 }
480
1da177e4 481 skb_queue_head_init(&conn->data_q);
04837f64 482
70c1f20b 483 INIT_LIST_HEAD(&conn->chan_list);
73d80deb 484
19c40e3b 485 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
7bc18d9d 486 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
a74a84f6 487 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
9489eca4 488 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
1da177e4
LT		 489
490 atomic_set(&conn->refcnt, 0);
491
492 hci_dev_hold(hdev);
493
1da177e4 494 hci_conn_hash_add(hdev, conn);
3c54711c 495 if (hdev->notify)
1da177e4
LT		 496 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
497
a67e899c
MH		 498 hci_conn_init_sysfs(conn);
499
1da177e4
LT		 500 return conn;
501}
502
503int hci_conn_del(struct hci_conn *conn)
504{
505 struct hci_dev *hdev = conn->hdev;
506
38b3fef1 507 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
1da177e4 508
19c40e3b 509 cancel_delayed_work_sync(&conn->disc_work);
7bc18d9d 510 cancel_delayed_work_sync(&conn->auto_accept_work);
a74a84f6 511 cancel_delayed_work_sync(&conn->idle_work);
9f61656a 512
5b7f9909 513 if (conn->type == ACL_LINK) {
1da177e4
LT		 514 struct hci_conn *sco = conn->link;
515 if (sco)
516 sco->link = NULL;
517
518 /* Unacked frames */
519 hdev->acl_cnt += conn->sent;
6ed58ec5 520 } else if (conn->type == LE_LINK) {
980ffc0a 521 cancel_delayed_work(&conn->le_conn_timeout);
9489eca4 522
6ed58ec5
VT		 523 if (hdev->le_pkts)
524 hdev->le_cnt += conn->sent;
525 else
526 hdev->acl_cnt += conn->sent;
5b7f9909
MH		 527 } else {
528 struct hci_conn *acl = conn->link;
529 if (acl) {
530 acl->link = NULL;
76a68ba0 531 hci_conn_drop(acl);
5b7f9909 532 }
1da177e4
LT		 533 }
534
2c33c06a 535 hci_chan_list_flush(conn);
73d80deb 536
9740e49d
AE		 537 if (conn->amp_mgr)
538 amp_mgr_put(conn->amp_mgr);
539
1da177e4 540 hci_conn_hash_del(hdev, conn);
3c54711c 541 if (hdev->notify)
1da177e4 542 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
7d0db0a3 543
1da177e4 544 skb_queue_purge(&conn->data_q);
1da177e4 545
fc225c3f 546 hci_conn_del_sysfs(conn);
2ae9a6be 547
89cbb063
AA		 548 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
549 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);
550
384943ec
MH		 551 hci_dev_put(hdev);
552
8d12356f 553 hci_conn_put(conn);
163f4dab 554
1da177e4
LT		 555 return 0;
556}
557
558struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src)
559{
560 int use_src = bacmp(src, BDADDR_ANY);
8035ded4 561 struct hci_dev *hdev = NULL, *d;
1da177e4 562
6ed93dc6 563 BT_DBG("%pMR -> %pMR", src, dst);
1da177e4 564
f20d09d5 565 read_lock(&hci_dev_list_lock);
1da177e4 566
8035ded4 567 list_for_each_entry(d, &hci_dev_list, list) {
8fc9ced3 568 if (!test_bit(HCI_UP, &d->flags) ||
af750e94 569 test_bit(HCI_USER_CHANNEL, &d->dev_flags) ||
d300fa9b 570 d->dev_type != HCI_BREDR)
1da177e4
LT		 571 continue;
572
8e87d142 573 /* Simple routing:
1da177e4
LT		 574 * No source address - find interface with bdaddr != dst
575 * Source address - find interface with bdaddr == src
576 */
577
578 if (use_src) {
579 if (!bacmp(&d->bdaddr, src)) {
580 hdev = d; break;
581 }
582 } else {
583 if (bacmp(&d->bdaddr, dst)) {
584 hdev = d; break;
585 }
586 }
587 }
588
589 if (hdev)
590 hdev = hci_dev_hold(hdev);
591
f20d09d5 592 read_unlock(&hci_dev_list_lock);
1da177e4
LT		 593 return hdev;
594}
595EXPORT_SYMBOL(hci_get_route);
596
9bb3c01f 597/* This function requires the caller holds hdev->lock */
06c053fb 598void hci_le_conn_failed(struct hci_conn *conn, u8 status)
9bb3c01f
AG		 599{
600 struct hci_dev *hdev = conn->hdev;
f161dd41
JH		 601 struct hci_conn_params *params;
602
603 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
604 conn->dst_type);
605 if (params && params->conn) {
606 hci_conn_drop(params->conn);
f8aaf9b6 607 hci_conn_put(params->conn);
f161dd41
JH		 608 params->conn = NULL;
609 }
9bb3c01f
AG		 610
611 conn->state = BT_CLOSED;
612
613 mgmt_connect_failed(hdev, &conn->dst, conn->type, conn->dst_type,
614 status);
615
616 hci_proto_connect_cfm(conn, status);
617
618 hci_conn_del(conn);
a4790dbd
AG		 619
620 /* Since we may have temporarily stopped the background scanning in
621 * favor of connection establishment, we should restart it.
622 */
623 hci_update_background_scan(hdev);
3c857757
JH		 624
625 /* Re-enable advertising in case this was a failed connection
626 * attempt as a peripheral.
627 */
628 mgmt_reenable_advertising(hdev);
9bb3c01f
AG		 629}
630
1d399ae5
AG		 631static void create_le_conn_complete(struct hci_dev *hdev, u8 status)
632{
633 struct hci_conn *conn;
634
635 if (status == 0)
636 return;
637
638 BT_ERR("HCI request failed to create LE connection: status 0x%2.2x",
639 status);
640
641 hci_dev_lock(hdev);
642
643 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
644 if (!conn)
645 goto done;
646
06c053fb 647 hci_le_conn_failed(conn, status);
1d399ae5
AG		 648
649done:
650 hci_dev_unlock(hdev);
651}
652
2acf3d90
AG		 653static void hci_req_add_le_create_conn(struct hci_request *req,
654 struct hci_conn *conn)
655{
656 struct hci_cp_le_create_conn cp;
657 struct hci_dev *hdev = conn->hdev;
658 u8 own_addr_type;
659
660 memset(&cp, 0, sizeof(cp));
661
662 /* Update random address, but set require_privacy to false so
663 * that we never connect with an unresolvable address.
664 */
665 if (hci_update_random_address(req, false, &own_addr_type))
666 return;
667
2acf3d90
AG		 668 cp.scan_interval = cpu_to_le16(hdev->le_scan_interval);
669 cp.scan_window = cpu_to_le16(hdev->le_scan_window);
670 bacpy(&cp.peer_addr, &conn->dst);
671 cp.peer_addr_type = conn->dst_type;
672 cp.own_address_type = own_addr_type;
673 cp.conn_interval_min = cpu_to_le16(conn->le_conn_min_interval);
674 cp.conn_interval_max = cpu_to_le16(conn->le_conn_max_interval);
037fc415
MH		 675 cp.conn_latency = cpu_to_le16(conn->le_conn_latency);
676 cp.supervision_timeout = cpu_to_le16(conn->le_supv_timeout);
dcf4adbf
JP		 677 cp.min_ce_len = cpu_to_le16(0x0000);
678 cp.max_ce_len = cpu_to_le16(0x0000);
2acf3d90
AG		 679
680 hci_req_add(req, HCI_OP_LE_CREATE_CONN, sizeof(cp), &cp);
b46e0030
JH		 681
682 conn->state = BT_CONNECT;
2acf3d90
AG		 683}
684
3c857757
JH		 685static void hci_req_directed_advertising(struct hci_request *req,
686 struct hci_conn *conn)
687{
688 struct hci_dev *hdev = req->hdev;
689 struct hci_cp_le_set_adv_param cp;
690 u8 own_addr_type;
691 u8 enable;
692
5ce194c4 693 /* Clear the HCI_LE_ADV bit temporarily so that the
3c857757
JH		 694 * hci_update_random_address knows that it's safe to go ahead
695 * and write a new random address. The flag will be set back on
696 * as soon as the SET_ADV_ENABLE HCI command completes.
697 */
5ce194c4 698 clear_bit(HCI_LE_ADV, &hdev->dev_flags);
3c857757
JH		 699
700 /* Set require_privacy to false so that the remote device has a
701 * chance of identifying us.
702 */
703 if (hci_update_random_address(req, false, &own_addr_type) < 0)
704 return;
705
706 memset(&cp, 0, sizeof(cp));
707 cp.type = LE_ADV_DIRECT_IND;
708 cp.own_address_type = own_addr_type;
709 cp.direct_addr_type = conn->dst_type;
710 bacpy(&cp.direct_addr, &conn->dst);
711 cp.channel_map = hdev->le_adv_channel_map;
712
713 hci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp);
714
715 enable = 0x01;
716 hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
717
718 conn->state = BT_CONNECT;
719}
720
04a6c589 721struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
cdd6275e 722 u8 dst_type, u8 sec_level, u16 conn_timeout,
e804d25d 723 u8 role)
1da177e4 724{
4292f1f3 725 struct hci_conn_params *params;
f1e5d547 726 struct hci_conn *conn;
1ebfcc1f 727 struct smp_irk *irk;
2acf3d90 728 struct hci_request req;
1d399ae5 729 int err;
1da177e4 730
620ad521
AG		 731 /* Some devices send ATT messages as soon as the physical link is
732 * established. To be able to handle these ATT messages, the user-
733 * space first establishes the connection and then starts the pairing
734 * process.
735 *
736 * So if a hci_conn object already exists for the following connection
737 * attempt, we simply update pending_sec_level and auth_type fields
738 * and return the object found.
739 */
f1e5d547 740 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, dst);
620ad521
AG		 741 if (conn) {
742 conn->pending_sec_level = sec_level;
620ad521
AG		 743 goto done;
744 }
dfc94dbd 745
620ad521
AG		 746 /* Since the controller supports only one LE connection attempt at a
747 * time, we return -EBUSY if there is any connection attempt running.
748 */
749 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
750 if (conn)
751 return ERR_PTR(-EBUSY);
46a190cb 752
edb4b466
MH		 753 /* When given an identity address with existing identity
754 * resolving key, the connection needs to be established
755 * to a resolvable random address.
756 *
757 * This uses the cached random resolvable address from
758 * a previous scan. When no cached address is available,
759 * try connecting to the identity address instead.
760 *
761 * Storing the resolvable random address is required here
762 * to handle connection failures. The address will later
763 * be resolved back into the original identity address
764 * from the connect request.
765 */
1ebfcc1f
JH		 766 irk = hci_find_irk_by_addr(hdev, dst, dst_type);
767 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
768 dst = &irk->rpa;
769 dst_type = ADDR_LE_DEV_RANDOM;
770 }
771
a5c4e309 772 conn = hci_conn_add(hdev, LE_LINK, dst, role);
620ad521
AG		 773 if (!conn)
774 return ERR_PTR(-ENOMEM);
9f0caeb1 775
1ebfcc1f 776 conn->dst_type = dst_type;
620ad521 777 conn->sec_level = BT_SECURITY_LOW;
f1e5d547 778 conn->pending_sec_level = sec_level;
09ae260b 779 conn->conn_timeout = conn_timeout;
4292f1f3 780
3c857757
JH		 781 hci_req_init(&req, hdev);
782
376f54c1
JH		 783 /* Disable advertising if we're active. For master role
784 * connections most controllers will refuse to connect if
785 * advertising is enabled, and for slave role connections we
786 * anyway have to disable it in order to start directed
787 * advertising.
788 */
789 if (test_bit(HCI_LE_ADV, &hdev->dev_flags)) {
790 u8 enable = 0x00;
791 hci_req_add(&req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
792 &enable);
793 }
794
cdd6275e 795 /* If requested to connect as slave use directed advertising */
e804d25d 796 if (conn->role == HCI_ROLE_SLAVE) {
e8bb6b97
JH		 797 /* If we're active scanning most controllers are unable
798 * to initiate advertising. Simply reject the attempt.
799 */
800 if (test_bit(HCI_LE_SCAN, &hdev->dev_flags) &&
801 hdev->le_scan_type == LE_SCAN_ACTIVE) {
802 skb_queue_purge(&req.cmd_q);
803 hci_conn_del(conn);
804 return ERR_PTR(-EBUSY);
805 }
806
3c857757
JH		 807 hci_req_directed_advertising(&req, conn);
808 goto create_conn;
809 }
810
4292f1f3
AG		 811 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
812 if (params) {
813 conn->le_conn_min_interval = params->conn_min_interval;
814 conn->le_conn_max_interval = params->conn_max_interval;
037fc415
MH		 815 conn->le_conn_latency = params->conn_latency;
816 conn->le_supv_timeout = params->supervision_timeout;
4292f1f3
AG		 817 } else {
818 conn->le_conn_min_interval = hdev->le_conn_min_interval;
819 conn->le_conn_max_interval = hdev->le_conn_max_interval;
04fb7d90
MH		 820 conn->le_conn_latency = hdev->le_conn_latency;
821 conn->le_supv_timeout = hdev->le_supv_timeout;
4292f1f3 822 }
eda42b50 823
2acf3d90 824 /* If controller is scanning, we stop it since some controllers are
81ad6fd9
JH		 825 * not able to scan and connect at the same time. Also set the
826 * HCI_LE_SCAN_INTERRUPTED flag so that the command complete
827 * handler for scan disabling knows to set the correct discovery
828 * state.
2acf3d90
AG		 829 */
830 if (test_bit(HCI_LE_SCAN, &hdev->dev_flags)) {
831 hci_req_add_le_scan_disable(&req);
81ad6fd9 832 set_bit(HCI_LE_SCAN_INTERRUPTED, &hdev->dev_flags);
2acf3d90
AG		 833 }
834
81ad6fd9
JH		 835 hci_req_add_le_create_conn(&req, conn);
836
3c857757 837create_conn:
81ad6fd9 838 err = hci_req_run(&req, create_le_conn_complete);
2acf3d90
AG		 839 if (err) {
840 hci_conn_del(conn);
620ad521 841 return ERR_PTR(err);
2acf3d90 842 }
fcd89c09 843
620ad521
AG		 844done:
845 hci_conn_hold(conn);
f1e5d547 846 return conn;
d04aef4c 847}
fcd89c09 848
04a6c589
AG		 849struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
850 u8 sec_level, u8 auth_type)
1da177e4
LT		 851{
852 struct hci_conn *acl;
fcd89c09 853
56f87901 854 if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
beb19e4c 855 return ERR_PTR(-EOPNOTSUPP);
56f87901 856
70f23020
AE		 857 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
858 if (!acl) {
a5c4e309 859 acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
70f23020 860 if (!acl)
48c7aba9 861 return ERR_PTR(-ENOMEM);
1da177e4
LT		 862 }
863
864 hci_conn_hold(acl);
865
09ab6f4c 866 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
765c2a96
JH		 867 acl->sec_level = BT_SECURITY_LOW;
868 acl->pending_sec_level = sec_level;
09ab6f4c 869 acl->auth_type = auth_type;
1aef8669 870 hci_acl_create_connection(acl);
09ab6f4c 871 }
1da177e4 872
db474275
VCG		 873 return acl;
874}
875
10c62ddc
FD		 876struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
877 __u16 setting)
db474275
VCG		 878{
879 struct hci_conn *acl;
880 struct hci_conn *sco;
881
e660ed6c 882 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING);
db474275 883 if (IS_ERR(acl))
5b7f9909 884 return acl;
1da177e4 885
70f23020
AE		 886 sco = hci_conn_hash_lookup_ba(hdev, type, dst);
887 if (!sco) {
a5c4e309 888 sco = hci_conn_add(hdev, type, dst, HCI_ROLE_MASTER);
70f23020 889 if (!sco) {
76a68ba0 890 hci_conn_drop(acl);
48c7aba9 891 return ERR_PTR(-ENOMEM);
1da177e4 892 }
5b7f9909 893 }
1da177e4 894
5b7f9909
MH		 895 acl->link = sco;
896 sco->link = acl;
1da177e4 897
5b7f9909 898 hci_conn_hold(sco);
1da177e4 899
10c62ddc
FD		 900 sco->setting = setting;
901
5b7f9909 902 if (acl->state == BT_CONNECTED &&
5974e4c4 903 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
58a681ef 904 set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
14b12d0b 905 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
c390216b 906
51a8efd7 907 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
e73439d8 908 /* defer SCO setup until mode change completed */
51a8efd7 909 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
e73439d8
MH		 910 return sco;
911 }
912
913 hci_sco_setup(acl, 0x00);
b6a0dc82 914 }
5b7f9909
MH		 915
916 return sco;
1da177e4 917}
1da177e4 918
e7c29cb1
MH		 919/* Check link security requirement */
920int hci_conn_check_link_mode(struct hci_conn *conn)
921{
38b3fef1 922 BT_DBG("hcon %p", conn);
e7c29cb1 923
40b552aa
MH		 924 /* In Secure Connections Only mode, it is required that Secure
925 * Connections is used and the link is encrypted with AES-CCM
926 * using a P-256 authenticated combination key.
927 */
928 if (test_bit(HCI_SC_ONLY, &conn->hdev->flags)) {
929 if (!hci_conn_sc_enabled(conn) ||
930 !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
931 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
932 return 0;
933 }
934
4dae2798
JH		 935 if (hci_conn_ssp_enabled(conn) &&
936 !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
e7c29cb1
MH		 937 return 0;
938
939 return 1;
940}
e7c29cb1 941
1da177e4 942/* Authenticate remote device */
0684e5f9 943static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
1da177e4 944{
38b3fef1 945 BT_DBG("hcon %p", conn);
1da177e4 946
765c2a96
JH		 947 if (conn->pending_sec_level > sec_level)
948 sec_level = conn->pending_sec_level;
949
96a31833 950 if (sec_level > conn->sec_level)
765c2a96 951 conn->pending_sec_level = sec_level;
4dae2798 952 else if (test_bit(HCI_CONN_AUTH, &conn->flags))
1da177e4
LT		 953 return 1;
954
65cf686e
JH		 955 /* Make sure we preserve an existing MITM requirement*/
956 auth_type |= (conn->auth_type & 0x01);
957
96a31833
MH		 958 conn->auth_type = auth_type;
959
51a8efd7 960 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1da177e4 961 struct hci_cp_auth_requested cp;
b7d05bad 962
aca3192c 963 cp.handle = cpu_to_le16(conn->handle);
40be492f 964 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
5974e4c4 965 sizeof(cp), &cp);
09da1f34
JH		 966
967 /* If we're already encrypted set the REAUTH_PEND flag,
968 * otherwise set the ENCRYPT_PEND.
969 */
4dae2798 970 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
51a8efd7 971 set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
09da1f34
JH		 972 else
973 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
1da177e4 974 }
8c1b2355 975
1da177e4
LT		 976 return 0;
977}
1da177e4 978
13d39315
WR		 979/* Encrypt the the link */
980static void hci_conn_encrypt(struct hci_conn *conn)
981{
38b3fef1 982 BT_DBG("hcon %p", conn);
13d39315 983
51a8efd7 984 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
13d39315
WR		 985 struct hci_cp_set_conn_encrypt cp;
986 cp.handle = cpu_to_le16(conn->handle);
987 cp.encrypt = 0x01;
988 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
5974e4c4 989 &cp);
13d39315
WR		 990 }
991}
992
8c1b2355 993/* Enable security */
e7cafc45
JH		 994int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
995 bool initiator)
1da177e4 996{
38b3fef1 997 BT_DBG("hcon %p", conn);
1da177e4 998
d8343f12
VCG		 999 if (conn->type == LE_LINK)
1000 return smp_conn_security(conn, sec_level);
1001
13d39315 1002 /* For sdp we don't need the link key. */
8c1b2355
MH		 1003 if (sec_level == BT_SECURITY_SDP)
1004 return 1;
1005
13d39315
WR		 1006 /* For non 2.1 devices and low security level we don't need the link
1007 key. */
aa64a8b5 1008 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
3fdca1e1 1009 return 1;
8c1b2355 1010
13d39315 1011 /* For other security levels we need the link key. */
4dae2798 1012 if (!test_bit(HCI_CONN_AUTH, &conn->flags))
13d39315
WR		 1013 goto auth;
1014
7b5a9241
MH		 1015 /* An authenticated FIPS approved combination key has sufficient
1016 * security for security level 4. */
1017 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 &&
1018 sec_level == BT_SECURITY_FIPS)
1019 goto encrypt;
1020
1021 /* An authenticated combination key has sufficient security for
1022 security level 3. */
1023 if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 ||
1024 conn->key_type == HCI_LK_AUTH_COMBINATION_P256) &&
1025 sec_level == BT_SECURITY_HIGH)
13d39315
WR		 1026 goto encrypt;
1027
1028 /* An unauthenticated combination key has sufficient security for
1029 security level 1 and 2. */
66138ce8
MH		 1030 if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 ||
1031 conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) &&
5974e4c4 1032 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW))
13d39315
WR		 1033 goto encrypt;
1034
1035 /* A combination key has always sufficient security for the security
1036 levels 1 or 2. High security level requires the combination key
1037 is generated using maximum PIN code length (16).
1038 For pre 2.1 units. */
1039 if (conn->key_type == HCI_LK_COMBINATION &&
7b5a9241
MH		 1040 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW ||
1041 conn->pin_length == 16))
13d39315
WR		 1042 goto encrypt;
1043
1044auth:
51a8efd7 1045 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
1da177e4
LT		 1046 return 0;
1047
977f8fce
JH		 1048 if (initiator)
1049 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1050
6fdf658c
LAD		 1051 if (!hci_conn_auth(conn, sec_level, auth_type))
1052 return 0;
13d39315
WR		 1053
1054encrypt:
4dae2798 1055 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
13d39315 1056 return 1;
8c1b2355 1057
13d39315 1058 hci_conn_encrypt(conn);
1da177e4
LT		 1059 return 0;
1060}
8c1b2355 1061EXPORT_SYMBOL(hci_conn_security);
1da177e4 1062
b3b1b061
WR		 1063/* Check secure link requirement */
1064int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
1065{
38b3fef1 1066 BT_DBG("hcon %p", conn);
b3b1b061 1067
9cb2e030
MH		 1068 /* Accept if non-secure or higher security level is required */
1069 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
1070 return 1;
b3b1b061 1071
9cb2e030
MH		 1072 /* Accept if secure or higher security level is already present */
1073 if (conn->sec_level == BT_SECURITY_HIGH ||
1074 conn->sec_level == BT_SECURITY_FIPS)
b3b1b061
WR		 1075 return 1;
1076
9cb2e030
MH		 1077 /* Reject not secure link */
1078 return 0;
b3b1b061
WR		 1079}
1080EXPORT_SYMBOL(hci_conn_check_secure);
1081
1da177e4
LT		 1082/* Change link key */
1083int hci_conn_change_link_key(struct hci_conn *conn)
1084{
38b3fef1 1085 BT_DBG("hcon %p", conn);
1da177e4 1086
51a8efd7 1087 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1da177e4 1088 struct hci_cp_change_conn_link_key cp;
aca3192c 1089 cp.handle = cpu_to_le16(conn->handle);
40be492f 1090 hci_send_cmd(conn->hdev, HCI_OP_CHANGE_CONN_LINK_KEY,
5974e4c4 1091 sizeof(cp), &cp);
1da177e4 1092 }
8c1b2355 1093
1da177e4
LT		 1094 return 0;
1095}
1da177e4
LT		 1096
1097/* Switch role */
8c1b2355 1098int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
1da177e4 1099{
38b3fef1 1100 BT_DBG("hcon %p", conn);
1da177e4 1101
40bef302 1102 if (role == conn->role)
1da177e4
LT		 1103 return 1;
1104
51a8efd7 1105 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
1da177e4
LT		 1106 struct hci_cp_switch_role cp;
1107 bacpy(&cp.bdaddr, &conn->dst);
1108 cp.role = role;
a9de9248 1109 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
1da177e4 1110 }
8c1b2355 1111
1da177e4
LT		 1112 return 0;
1113}
1114EXPORT_SYMBOL(hci_conn_switch_role);
1115
04837f64 1116/* Enter active mode */
14b12d0b 1117void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
04837f64
MH		 1118{
1119 struct hci_dev *hdev = conn->hdev;
1120
38b3fef1 1121 BT_DBG("hcon %p mode %d", conn, conn->mode);
04837f64 1122
14b12d0b
JG		 1123 if (conn->mode != HCI_CM_SNIFF)
1124 goto timer;
1125
58a681ef 1126 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
04837f64
MH		 1127 goto timer;
1128
51a8efd7 1129 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
04837f64 1130 struct hci_cp_exit_sniff_mode cp;
aca3192c 1131 cp.handle = cpu_to_le16(conn->handle);
a9de9248 1132 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
04837f64
MH		 1133 }
1134
1135timer:
1136 if (hdev->idle_timeout > 0)
a74a84f6
JH		 1137 queue_delayed_work(hdev->workqueue, &conn->idle_work,
1138 msecs_to_jiffies(hdev->idle_timeout));
04837f64
MH		 1139}
1140
1da177e4
LT		 1141/* Drop all connection on the device */
1142void hci_conn_hash_flush(struct hci_dev *hdev)
1143{
1144 struct hci_conn_hash *h = &hdev->conn_hash;
3c4e0df0 1145 struct hci_conn *c, *n;
1da177e4
LT		 1146
1147 BT_DBG("hdev %s", hdev->name);
1148
3c4e0df0 1149 list_for_each_entry_safe(c, n, &h->list, list) {
1da177e4
LT		 1150 c->state = BT_CLOSED;
1151
9f5a0d7b 1152 hci_proto_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM);
1da177e4
LT		 1153 hci_conn_del(c);
1154 }
1155}
1156
a9de9248
MH		 1157/* Check pending connect attempts */
1158void hci_conn_check_pending(struct hci_dev *hdev)
1159{
1160 struct hci_conn *conn;
1161
1162 BT_DBG("hdev %s", hdev->name);
1163
1164 hci_dev_lock(hdev);
1165
1166 conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2);
1167 if (conn)
1aef8669 1168 hci_acl_create_connection(conn);
a9de9248
MH		 1169
1170 hci_dev_unlock(hdev);
1171}
1172
4dae2798
JH		 1173static u32 get_link_mode(struct hci_conn *conn)
1174{
1175 u32 link_mode = 0;
1176
40bef302 1177 if (conn->role == HCI_ROLE_MASTER)
4dae2798
JH		 1178 link_mode |= HCI_LM_MASTER;
1179
1180 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1181 link_mode |= HCI_LM_ENCRYPT;
1182
1183 if (test_bit(HCI_CONN_AUTH, &conn->flags))
1184 link_mode |= HCI_LM_AUTH;
1185
1186 if (test_bit(HCI_CONN_SECURE, &conn->flags))
1187 link_mode |= HCI_LM_SECURE;
1188
1189 if (test_bit(HCI_CONN_FIPS, &conn->flags))
1190 link_mode |= HCI_LM_FIPS;
1191
1192 return link_mode;
1193}
1194
1da177e4
LT		 1195int hci_get_conn_list(void __user *arg)
1196{
fc5fef61 1197 struct hci_conn *c;
1da177e4
LT		 1198 struct hci_conn_list_req req, *cl;
1199 struct hci_conn_info *ci;
1200 struct hci_dev *hdev;
1da177e4
LT		 1201 int n = 0, size, err;
1202
1203 if (copy_from_user(&req, arg, sizeof(req)))
1204 return -EFAULT;
1205
1206 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
1207 return -EINVAL;
1208
1209 size = sizeof(req) + req.conn_num * sizeof(*ci);
1210
70f23020
AE		 1211 cl = kmalloc(size, GFP_KERNEL);
1212 if (!cl)
1da177e4
LT		 1213 return -ENOMEM;
1214
70f23020
AE		 1215 hdev = hci_dev_get(req.dev_id);
1216 if (!hdev) {
1da177e4
LT		 1217 kfree(cl);
1218 return -ENODEV;
1219 }
1220
1221 ci = cl->conn_info;
1222
09fd0de5 1223 hci_dev_lock(hdev);
8035ded4 1224 list_for_each_entry(c, &hdev->conn_hash.list, list) {
1da177e4
LT		 1225 bacpy(&(ci + n)->bdaddr, &c->dst);
1226 (ci + n)->handle = c->handle;
1227 (ci + n)->type = c->type;
1228 (ci + n)->out = c->out;
1229 (ci + n)->state = c->state;
4dae2798 1230 (ci + n)->link_mode = get_link_mode(c);
1da177e4
LT		 1231 if (++n >= req.conn_num)
1232 break;
1233 }
09fd0de5 1234 hci_dev_unlock(hdev);
1da177e4
LT		 1235
1236 cl->dev_id = hdev->id;
1237 cl->conn_num = n;
1238 size = sizeof(req) + n * sizeof(*ci);
1239
1240 hci_dev_put(hdev);
1241
1242 err = copy_to_user(arg, cl, size);
1243 kfree(cl);
1244
1245 return err ? -EFAULT : 0;
1246}
1247
1248int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
1249{
1250 struct hci_conn_info_req req;
1251 struct hci_conn_info ci;
1252 struct hci_conn *conn;
1253 char __user *ptr = arg + sizeof(req);
1254
1255 if (copy_from_user(&req, arg, sizeof(req)))
1256 return -EFAULT;
1257
09fd0de5 1258 hci_dev_lock(hdev);
1da177e4
LT		 1259 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
1260 if (conn) {
1261 bacpy(&ci.bdaddr, &conn->dst);
1262 ci.handle = conn->handle;
1263 ci.type = conn->type;
1264 ci.out = conn->out;
1265 ci.state = conn->state;
4dae2798 1266 ci.link_mode = get_link_mode(conn);
1da177e4 1267 }
09fd0de5 1268 hci_dev_unlock(hdev);
1da177e4
LT		 1269
1270 if (!conn)
1271 return -ENOENT;
1272
1273 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
1274}
40be492f
MH		 1275
1276int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
1277{
1278 struct hci_auth_info_req req;
1279 struct hci_conn *conn;
1280
1281 if (copy_from_user(&req, arg, sizeof(req)))
1282 return -EFAULT;
1283
09fd0de5 1284 hci_dev_lock(hdev);
40be492f
MH		 1285 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
1286 if (conn)
1287 req.type = conn->auth_type;
09fd0de5 1288 hci_dev_unlock(hdev);
40be492f
MH		 1289
1290 if (!conn)
1291 return -ENOENT;
1292
1293 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
1294}
73d80deb
LAD		 1295
1296struct hci_chan *hci_chan_create(struct hci_conn *conn)
1297{
1298 struct hci_dev *hdev = conn->hdev;
1299 struct hci_chan *chan;
1300
38b3fef1 1301 BT_DBG("%s hcon %p", hdev->name, conn);
73d80deb 1302
f94b665d
JH		 1303 if (test_bit(HCI_CONN_DROP, &conn->flags)) {
1304 BT_DBG("Refusing to create new hci_chan");
1305 return NULL;
1306 }
1307
27f70f3e 1308 chan = kzalloc(sizeof(*chan), GFP_KERNEL);
73d80deb
LAD		 1309 if (!chan)
1310 return NULL;
1311
6c388d32 1312 chan->conn = hci_conn_get(conn);
73d80deb 1313 skb_queue_head_init(&chan->data_q);
168df8e5 1314 chan->state = BT_CONNECTED;
73d80deb 1315
8192edef 1316 list_add_rcu(&chan->list, &conn->chan_list);
73d80deb
LAD		 1317
1318 return chan;
1319}
1320
9472007c 1321void hci_chan_del(struct hci_chan *chan)
73d80deb
LAD		 1322{
1323 struct hci_conn *conn = chan->conn;
1324 struct hci_dev *hdev = conn->hdev;
1325
38b3fef1 1326 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
73d80deb 1327
8192edef
GP		 1328 list_del_rcu(&chan->list);
1329
1330 synchronize_rcu();
73d80deb 1331
bcbb655a 1332 /* Prevent new hci_chan's to be created for this hci_conn */
f94b665d 1333 set_bit(HCI_CONN_DROP, &conn->flags);
b3ff670a 1334
6c388d32 1335 hci_conn_put(conn);
e9b02748 1336
73d80deb
LAD		 1337 skb_queue_purge(&chan->data_q);
1338 kfree(chan);
73d80deb
LAD		 1339}
1340
2c33c06a 1341void hci_chan_list_flush(struct hci_conn *conn)
73d80deb 1342{
2a5a5ec6 1343 struct hci_chan *chan, *n;
73d80deb 1344
38b3fef1 1345 BT_DBG("hcon %p", conn);
73d80deb 1346
2a5a5ec6 1347 list_for_each_entry_safe(chan, n, &conn->chan_list, list)
73d80deb
LAD		 1348 hci_chan_del(chan);
1349}
42c4e53e
AE		 1350
1351static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
1352 __u16 handle)
1353{
1354 struct hci_chan *hchan;
1355
1356 list_for_each_entry(hchan, &hcon->chan_list, list) {
1357 if (hchan->handle == handle)
1358 return hchan;
1359 }
1360
1361 return NULL;
1362}
1363
1364struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
1365{
1366 struct hci_conn_hash *h = &hdev->conn_hash;
1367 struct hci_conn *hcon;
1368 struct hci_chan *hchan = NULL;
1369
1370 rcu_read_lock();
1371
1372 list_for_each_entry_rcu(hcon, &h->list, list) {
1373 hchan = __hci_chan_lookup_handle(hcon, handle);
1374 if (hchan)
1375 break;
1376 }
1377
1378 rcu_read_unlock();
1379
1380 return hchan;
1381}
ubuntu-zesty-kernel mirror