1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License version 2 as 9 published by the Free Software Foundation; 10 11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 22 SOFTWARE IS DISCLAIMED. 23 */ 24 25 /* Bluetooth HCI connection handling. */ 26 27 #include <linux/export.h> 28 #include <linux/debugfs.h> 29 30 #include <net/bluetooth/bluetooth.h> 31 #include <net/bluetooth/hci_core.h> 32 #include <net/bluetooth/l2cap.h> 33 34 #include "hci_request.h" 35 #include "smp.h" 36 #include "a2mp.h" 37 38 struct sco_param { 39 u16 pkt_type; 40 u16 max_latency; 41 u8 retrans_effort; 42 }; 43 44 static const struct sco_param esco_param_cvsd[] = { 45 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */ 46 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */ 47 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */ 48 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */ 49 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */ 50 }; 51 52 static const struct sco_param sco_param_cvsd[] = { 53 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */ 54 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */ 55 }; 56 57 static const struct sco_param esco_param_msbc[] = { 58 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */ 59 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */ 60 }; 61 62 static void hci_le_create_connection_cancel(struct hci_conn *conn) 63 { 64 hci_send_cmd(conn->hdev, HCI_OP_LE_CREATE_CONN_CANCEL, 0, NULL); 65 } 66 67 /* This function requires the caller holds hdev->lock */ 68 static void hci_connect_le_scan_cleanup(struct hci_conn *conn) 69 { 70 struct hci_conn_params *params; 71 struct smp_irk *irk; 72 bdaddr_t *bdaddr; 73 u8 bdaddr_type; 74 75 bdaddr = &conn->dst; 76 bdaddr_type = conn->dst_type; 77 78 /* Check if we need to convert to identity address */ 79 irk = hci_get_irk(conn->hdev, bdaddr, bdaddr_type); 80 if (irk) { 81 bdaddr = &irk->bdaddr; 82 bdaddr_type = irk->addr_type; 83 } 84 85 params = hci_explicit_connect_lookup(conn->hdev, bdaddr, bdaddr_type); 86 if (!params) 87 return; 88 89 /* The connection attempt was doing scan for new RPA, and is 90 * in scan phase. If params are not associated with any other 91 * autoconnect action, remove them completely. If they are, just unmark 92 * them as waiting for connection, by clearing explicit_connect field. 93 */ 94 params->explicit_connect = false; 95 96 list_del_init(¶ms->action); 97 98 switch (params->auto_connect) { 99 case HCI_AUTO_CONN_EXPLICIT: 100 hci_conn_params_del(conn->hdev, bdaddr, bdaddr_type); 101 /* return instead of break to avoid duplicate scan update */ 102 return; 103 case HCI_AUTO_CONN_DIRECT: 104 case HCI_AUTO_CONN_ALWAYS: 105 list_add(¶ms->action, &conn->hdev->pend_le_conns); 106 break; 107 case HCI_AUTO_CONN_REPORT: 108 list_add(¶ms->action, &conn->hdev->pend_le_reports); 109 break; 110 default: 111 break; 112 } 113 114 hci_update_background_scan(conn->hdev); 115 } 116 117 static void hci_conn_cleanup(struct hci_conn *conn) 118 { 119 struct hci_dev *hdev = conn->hdev; 120 121 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags)) 122 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type); 123 124 hci_chan_list_flush(conn); 125 126 hci_conn_hash_del(hdev, conn); 127 128 if (hdev->notify) 129 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL); 130 131 hci_conn_del_sysfs(conn); 132 133 debugfs_remove_recursive(conn->debugfs); 134 135 hci_dev_put(hdev); 136 137 hci_conn_put(conn); 138 } 139 140 /* This function requires the caller holds hdev->lock */ 141 static void hci_connect_le_scan_remove(struct hci_conn *conn) 142 { 143 hci_connect_le_scan_cleanup(conn); 144 145 /* We can't call hci_conn_del here since that would deadlock 146 * with trying to call cancel_delayed_work_sync(&conn->disc_work). 147 * Instead, call just hci_conn_cleanup() which contains the bare 148 * minimum cleanup operations needed for a connection in this 149 * state. 150 */ 151 hci_conn_cleanup(conn); 152 } 153 154 static void hci_acl_create_connection(struct hci_conn *conn) 155 { 156 struct hci_dev *hdev = conn->hdev; 157 struct inquiry_entry *ie; 158 struct hci_cp_create_conn cp; 159 160 BT_DBG("hcon %p", conn); 161 162 conn->state = BT_CONNECT; 163 conn->out = true; 164 conn->role = HCI_ROLE_MASTER; 165 166 conn->attempt++; 167 168 conn->link_policy = hdev->link_policy; 169 170 memset(&cp, 0, sizeof(cp)); 171 bacpy(&cp.bdaddr, &conn->dst); 172 cp.pscan_rep_mode = 0x02; 173 174 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 175 if (ie) { 176 if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) { 177 cp.pscan_rep_mode = ie->data.pscan_rep_mode; 178 cp.pscan_mode = ie->data.pscan_mode; 179 cp.clock_offset = ie->data.clock_offset | 180 cpu_to_le16(0x8000); 181 } 182 183 memcpy(conn->dev_class, ie->data.dev_class, 3); 184 if (ie->data.ssp_mode > 0) 185 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 186 } 187 188 cp.pkt_type = cpu_to_le16(conn->pkt_type); 189 if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER)) 190 cp.role_switch = 0x01; 191 else 192 cp.role_switch = 0x00; 193 194 hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp); 195 } 196 197 static void hci_acl_create_connection_cancel(struct hci_conn *conn) 198 { 199 struct hci_cp_create_conn_cancel cp; 200 201 BT_DBG("hcon %p", conn); 202 203 if (conn->hdev->hci_ver < BLUETOOTH_VER_1_2) 204 return; 205 206 bacpy(&cp.bdaddr, &conn->dst); 207 hci_send_cmd(conn->hdev, HCI_OP_CREATE_CONN_CANCEL, sizeof(cp), &cp); 208 } 209 210 static void hci_reject_sco(struct hci_conn *conn) 211 { 212 struct hci_cp_reject_sync_conn_req cp; 213 214 cp.reason = HCI_ERROR_REJ_LIMITED_RESOURCES; 215 bacpy(&cp.bdaddr, &conn->dst); 216 217 hci_send_cmd(conn->hdev, HCI_OP_REJECT_SYNC_CONN_REQ, sizeof(cp), &cp); 218 } 219 220 int hci_disconnect(struct hci_conn *conn, __u8 reason) 221 { 222 struct hci_cp_disconnect cp; 223 224 BT_DBG("hcon %p", conn); 225 226 /* When we are master of an established connection and it enters 227 * the disconnect timeout, then go ahead and try to read the 228 * current clock offset. Processing of the result is done 229 * within the event handling and hci_clock_offset_evt function. 230 */ 231 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER) { 232 struct hci_dev *hdev = conn->hdev; 233 struct hci_cp_read_clock_offset clkoff_cp; 234 235 clkoff_cp.handle = cpu_to_le16(conn->handle); 236 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp), 237 &clkoff_cp); 238 } 239 240 conn->state = BT_DISCONN; 241 242 cp.handle = cpu_to_le16(conn->handle); 243 cp.reason = reason; 244 return hci_send_cmd(conn->hdev, HCI_OP_DISCONNECT, sizeof(cp), &cp); 245 } 246 247 static void hci_amp_disconn(struct hci_conn *conn) 248 { 249 struct hci_cp_disconn_phy_link cp; 250 251 BT_DBG("hcon %p", conn); 252 253 conn->state = BT_DISCONN; 254 255 cp.phy_handle = HCI_PHY_HANDLE(conn->handle); 256 cp.reason = hci_proto_disconn_ind(conn); 257 hci_send_cmd(conn->hdev, HCI_OP_DISCONN_PHY_LINK, 258 sizeof(cp), &cp); 259 } 260 261 static void hci_add_sco(struct hci_conn *conn, __u16 handle) 262 { 263 struct hci_dev *hdev = conn->hdev; 264 struct hci_cp_add_sco cp; 265 266 BT_DBG("hcon %p", conn); 267 268 conn->state = BT_CONNECT; 269 conn->out = true; 270 271 conn->attempt++; 272 273 cp.handle = cpu_to_le16(handle); 274 cp.pkt_type = cpu_to_le16(conn->pkt_type); 275 276 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp); 277 } 278 279 bool hci_setup_sync(struct hci_conn *conn, __u16 handle) 280 { 281 struct hci_dev *hdev = conn->hdev; 282 struct hci_cp_setup_sync_conn cp; 283 const struct sco_param *param; 284 285 BT_DBG("hcon %p", conn); 286 287 conn->state = BT_CONNECT; 288 conn->out = true; 289 290 conn->attempt++; 291 292 cp.handle = cpu_to_le16(handle); 293 294 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 295 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 296 cp.voice_setting = cpu_to_le16(conn->setting); 297 298 switch (conn->setting & SCO_AIRMODE_MASK) { 299 case SCO_AIRMODE_TRANSP: 300 if (conn->attempt > ARRAY_SIZE(esco_param_msbc)) 301 return false; 302 param = &esco_param_msbc[conn->attempt - 1]; 303 break; 304 case SCO_AIRMODE_CVSD: 305 if (lmp_esco_capable(conn->link)) { 306 if (conn->attempt > ARRAY_SIZE(esco_param_cvsd)) 307 return false; 308 param = &esco_param_cvsd[conn->attempt - 1]; 309 } else { 310 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd)) 311 return false; 312 param = &sco_param_cvsd[conn->attempt - 1]; 313 } 314 break; 315 default: 316 return false; 317 } 318 319 cp.retrans_effort = param->retrans_effort; 320 cp.pkt_type = __cpu_to_le16(param->pkt_type); 321 cp.max_latency = __cpu_to_le16(param->max_latency); 322 323 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0) 324 return false; 325 326 return true; 327 } 328 329 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency, 330 u16 to_multiplier) 331 { 332 struct hci_dev *hdev = conn->hdev; 333 struct hci_conn_params *params; 334 struct hci_cp_le_conn_update cp; 335 336 hci_dev_lock(hdev); 337 338 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 339 if (params) { 340 params->conn_min_interval = min; 341 params->conn_max_interval = max; 342 params->conn_latency = latency; 343 params->supervision_timeout = to_multiplier; 344 } 345 346 hci_dev_unlock(hdev); 347 348 memset(&cp, 0, sizeof(cp)); 349 cp.handle = cpu_to_le16(conn->handle); 350 cp.conn_interval_min = cpu_to_le16(min); 351 cp.conn_interval_max = cpu_to_le16(max); 352 cp.conn_latency = cpu_to_le16(latency); 353 cp.supervision_timeout = cpu_to_le16(to_multiplier); 354 cp.min_ce_len = cpu_to_le16(0x0000); 355 cp.max_ce_len = cpu_to_le16(0x0000); 356 357 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp); 358 359 if (params) 360 return 0x01; 361 362 return 0x00; 363 } 364 365 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand, 366 __u8 ltk[16], __u8 key_size) 367 { 368 struct hci_dev *hdev = conn->hdev; 369 struct hci_cp_le_start_enc cp; 370 371 BT_DBG("hcon %p", conn); 372 373 memset(&cp, 0, sizeof(cp)); 374 375 cp.handle = cpu_to_le16(conn->handle); 376 cp.rand = rand; 377 cp.ediv = ediv; 378 memcpy(cp.ltk, ltk, key_size); 379 380 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp); 381 } 382 383 /* Device _must_ be locked */ 384 void hci_sco_setup(struct hci_conn *conn, __u8 status) 385 { 386 struct hci_conn *sco = conn->link; 387 388 if (!sco) 389 return; 390 391 BT_DBG("hcon %p", conn); 392 393 if (!status) { 394 if (lmp_esco_capable(conn->hdev)) 395 hci_setup_sync(sco, conn->handle); 396 else 397 hci_add_sco(sco, conn->handle); 398 } else { 399 hci_connect_cfm(sco, status); 400 hci_conn_del(sco); 401 } 402 } 403 404 static void hci_conn_timeout(struct work_struct *work) 405 { 406 struct hci_conn *conn = container_of(work, struct hci_conn, 407 disc_work.work); 408 int refcnt = atomic_read(&conn->refcnt); 409 410 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state)); 411 412 WARN_ON(refcnt < 0); 413 414 /* FIXME: It was observed that in pairing failed scenario, refcnt 415 * drops below 0. Probably this is because l2cap_conn_del calls 416 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is 417 * dropped. After that loop hci_chan_del is called which also drops 418 * conn. For now make sure that ACL is alive if refcnt is higher then 0, 419 * otherwise drop it. 420 */ 421 if (refcnt > 0) 422 return; 423 424 switch (conn->state) { 425 case BT_CONNECT: 426 case BT_CONNECT2: 427 if (conn->out) { 428 if (conn->type == ACL_LINK) 429 hci_acl_create_connection_cancel(conn); 430 else if (conn->type == LE_LINK) { 431 if (test_bit(HCI_CONN_SCANNING, &conn->flags)) 432 hci_connect_le_scan_remove(conn); 433 else 434 hci_le_create_connection_cancel(conn); 435 } 436 } else if (conn->type == SCO_LINK || conn->type == ESCO_LINK) { 437 hci_reject_sco(conn); 438 } 439 break; 440 case BT_CONFIG: 441 case BT_CONNECTED: 442 if (conn->type == AMP_LINK) { 443 hci_amp_disconn(conn); 444 } else { 445 __u8 reason = hci_proto_disconn_ind(conn); 446 hci_disconnect(conn, reason); 447 } 448 break; 449 default: 450 conn->state = BT_CLOSED; 451 break; 452 } 453 } 454 455 /* Enter sniff mode */ 456 static void hci_conn_idle(struct work_struct *work) 457 { 458 struct hci_conn *conn = container_of(work, struct hci_conn, 459 idle_work.work); 460 struct hci_dev *hdev = conn->hdev; 461 462 BT_DBG("hcon %p mode %d", conn, conn->mode); 463 464 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn)) 465 return; 466 467 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF)) 468 return; 469 470 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) { 471 struct hci_cp_sniff_subrate cp; 472 cp.handle = cpu_to_le16(conn->handle); 473 cp.max_latency = cpu_to_le16(0); 474 cp.min_remote_timeout = cpu_to_le16(0); 475 cp.min_local_timeout = cpu_to_le16(0); 476 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp); 477 } 478 479 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) { 480 struct hci_cp_sniff_mode cp; 481 cp.handle = cpu_to_le16(conn->handle); 482 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval); 483 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval); 484 cp.attempt = cpu_to_le16(4); 485 cp.timeout = cpu_to_le16(1); 486 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp); 487 } 488 } 489 490 static void hci_conn_auto_accept(struct work_struct *work) 491 { 492 struct hci_conn *conn = container_of(work, struct hci_conn, 493 auto_accept_work.work); 494 495 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst), 496 &conn->dst); 497 } 498 499 static void le_conn_timeout(struct work_struct *work) 500 { 501 struct hci_conn *conn = container_of(work, struct hci_conn, 502 le_conn_timeout.work); 503 struct hci_dev *hdev = conn->hdev; 504 505 BT_DBG(""); 506 507 /* We could end up here due to having done directed advertising, 508 * so clean up the state if necessary. This should however only 509 * happen with broken hardware or if low duty cycle was used 510 * (which doesn't have a timeout of its own). 511 */ 512 if (conn->role == HCI_ROLE_SLAVE) { 513 u8 enable = 0x00; 514 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), 515 &enable); 516 hci_le_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT); 517 return; 518 } 519 520 hci_le_create_connection_cancel(conn); 521 } 522 523 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst, 524 u8 role) 525 { 526 struct hci_conn *conn; 527 528 BT_DBG("%s dst %pMR", hdev->name, dst); 529 530 conn = kzalloc(sizeof(*conn), GFP_KERNEL); 531 if (!conn) 532 return NULL; 533 534 bacpy(&conn->dst, dst); 535 bacpy(&conn->src, &hdev->bdaddr); 536 conn->hdev = hdev; 537 conn->type = type; 538 conn->role = role; 539 conn->mode = HCI_CM_ACTIVE; 540 conn->state = BT_OPEN; 541 conn->auth_type = HCI_AT_GENERAL_BONDING; 542 conn->io_capability = hdev->io_capability; 543 conn->remote_auth = 0xff; 544 conn->key_type = 0xff; 545 conn->rssi = HCI_RSSI_INVALID; 546 conn->tx_power = HCI_TX_POWER_INVALID; 547 conn->max_tx_power = HCI_TX_POWER_INVALID; 548 549 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 550 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 551 552 if (conn->role == HCI_ROLE_MASTER) 553 conn->out = true; 554 555 switch (type) { 556 case ACL_LINK: 557 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK; 558 break; 559 case LE_LINK: 560 /* conn->src should reflect the local identity address */ 561 hci_copy_identity_address(hdev, &conn->src, &conn->src_type); 562 break; 563 case SCO_LINK: 564 if (lmp_esco_capable(hdev)) 565 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 566 (hdev->esco_type & EDR_ESCO_MASK); 567 else 568 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK; 569 break; 570 case ESCO_LINK: 571 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK; 572 break; 573 } 574 575 skb_queue_head_init(&conn->data_q); 576 577 INIT_LIST_HEAD(&conn->chan_list); 578 579 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout); 580 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept); 581 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle); 582 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout); 583 584 atomic_set(&conn->refcnt, 0); 585 586 hci_dev_hold(hdev); 587 588 hci_conn_hash_add(hdev, conn); 589 if (hdev->notify) 590 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD); 591 592 hci_conn_init_sysfs(conn); 593 594 return conn; 595 } 596 597 int hci_conn_del(struct hci_conn *conn) 598 { 599 struct hci_dev *hdev = conn->hdev; 600 601 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle); 602 603 cancel_delayed_work_sync(&conn->disc_work); 604 cancel_delayed_work_sync(&conn->auto_accept_work); 605 cancel_delayed_work_sync(&conn->idle_work); 606 607 if (conn->type == ACL_LINK) { 608 struct hci_conn *sco = conn->link; 609 if (sco) 610 sco->link = NULL; 611 612 /* Unacked frames */ 613 hdev->acl_cnt += conn->sent; 614 } else if (conn->type == LE_LINK) { 615 cancel_delayed_work(&conn->le_conn_timeout); 616 617 if (hdev->le_pkts) 618 hdev->le_cnt += conn->sent; 619 else 620 hdev->acl_cnt += conn->sent; 621 } else { 622 struct hci_conn *acl = conn->link; 623 if (acl) { 624 acl->link = NULL; 625 hci_conn_drop(acl); 626 } 627 } 628 629 if (conn->amp_mgr) 630 amp_mgr_put(conn->amp_mgr); 631 632 skb_queue_purge(&conn->data_q); 633 634 /* Remove the connection from the list and cleanup its remaining 635 * state. This is a separate function since for some cases like 636 * BT_CONNECT_SCAN we *only* want the cleanup part without the 637 * rest of hci_conn_del. 638 */ 639 hci_conn_cleanup(conn); 640 641 return 0; 642 } 643 644 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src) 645 { 646 int use_src = bacmp(src, BDADDR_ANY); 647 struct hci_dev *hdev = NULL, *d; 648 649 BT_DBG("%pMR -> %pMR", src, dst); 650 651 read_lock(&hci_dev_list_lock); 652 653 list_for_each_entry(d, &hci_dev_list, list) { 654 if (!test_bit(HCI_UP, &d->flags) || 655 hci_dev_test_flag(d, HCI_USER_CHANNEL) || 656 d->dev_type != HCI_BREDR) 657 continue; 658 659 /* Simple routing: 660 * No source address - find interface with bdaddr != dst 661 * Source address - find interface with bdaddr == src 662 */ 663 664 if (use_src) { 665 if (!bacmp(&d->bdaddr, src)) { 666 hdev = d; break; 667 } 668 } else { 669 if (bacmp(&d->bdaddr, dst)) { 670 hdev = d; break; 671 } 672 } 673 } 674 675 if (hdev) 676 hdev = hci_dev_hold(hdev); 677 678 read_unlock(&hci_dev_list_lock); 679 return hdev; 680 } 681 EXPORT_SYMBOL(hci_get_route); 682 683 /* This function requires the caller holds hdev->lock */ 684 void hci_le_conn_failed(struct hci_conn *conn, u8 status) 685 { 686 struct hci_dev *hdev = conn->hdev; 687 struct hci_conn_params *params; 688 689 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst, 690 conn->dst_type); 691 if (params && params->conn) { 692 hci_conn_drop(params->conn); 693 hci_conn_put(params->conn); 694 params->conn = NULL; 695 } 696 697 conn->state = BT_CLOSED; 698 699 mgmt_connect_failed(hdev, &conn->dst, conn->type, conn->dst_type, 700 status); 701 702 hci_connect_cfm(conn, status); 703 704 hci_conn_del(conn); 705 706 /* Since we may have temporarily stopped the background scanning in 707 * favor of connection establishment, we should restart it. 708 */ 709 hci_update_background_scan(hdev); 710 711 /* Re-enable advertising in case this was a failed connection 712 * attempt as a peripheral. 713 */ 714 mgmt_reenable_advertising(hdev); 715 } 716 717 static void create_le_conn_complete(struct hci_dev *hdev, u8 status, u16 opcode) 718 { 719 struct hci_conn *conn; 720 721 hci_dev_lock(hdev); 722 723 conn = hci_lookup_le_connect(hdev); 724 725 if (!status) { 726 hci_connect_le_scan_cleanup(conn); 727 goto done; 728 } 729 730 BT_ERR("HCI request failed to create LE connection: status 0x%2.2x", 731 status); 732 733 if (!conn) 734 goto done; 735 736 hci_le_conn_failed(conn, status); 737 738 done: 739 hci_dev_unlock(hdev); 740 } 741 742 static void hci_req_add_le_create_conn(struct hci_request *req, 743 struct hci_conn *conn) 744 { 745 struct hci_cp_le_create_conn cp; 746 struct hci_dev *hdev = conn->hdev; 747 u8 own_addr_type; 748 749 memset(&cp, 0, sizeof(cp)); 750 751 /* Update random address, but set require_privacy to false so 752 * that we never connect with an non-resolvable address. 753 */ 754 if (hci_update_random_address(req, false, &own_addr_type)) 755 return; 756 757 cp.scan_interval = cpu_to_le16(hdev->le_scan_interval); 758 cp.scan_window = cpu_to_le16(hdev->le_scan_window); 759 bacpy(&cp.peer_addr, &conn->dst); 760 cp.peer_addr_type = conn->dst_type; 761 cp.own_address_type = own_addr_type; 762 cp.conn_interval_min = cpu_to_le16(conn->le_conn_min_interval); 763 cp.conn_interval_max = cpu_to_le16(conn->le_conn_max_interval); 764 cp.conn_latency = cpu_to_le16(conn->le_conn_latency); 765 cp.supervision_timeout = cpu_to_le16(conn->le_supv_timeout); 766 cp.min_ce_len = cpu_to_le16(0x0000); 767 cp.max_ce_len = cpu_to_le16(0x0000); 768 769 hci_req_add(req, HCI_OP_LE_CREATE_CONN, sizeof(cp), &cp); 770 771 conn->state = BT_CONNECT; 772 clear_bit(HCI_CONN_SCANNING, &conn->flags); 773 } 774 775 static void hci_req_directed_advertising(struct hci_request *req, 776 struct hci_conn *conn) 777 { 778 struct hci_dev *hdev = req->hdev; 779 struct hci_cp_le_set_adv_param cp; 780 u8 own_addr_type; 781 u8 enable; 782 783 /* Clear the HCI_LE_ADV bit temporarily so that the 784 * hci_update_random_address knows that it's safe to go ahead 785 * and write a new random address. The flag will be set back on 786 * as soon as the SET_ADV_ENABLE HCI command completes. 787 */ 788 hci_dev_clear_flag(hdev, HCI_LE_ADV); 789 790 /* Set require_privacy to false so that the remote device has a 791 * chance of identifying us. 792 */ 793 if (hci_update_random_address(req, false, &own_addr_type) < 0) 794 return; 795 796 memset(&cp, 0, sizeof(cp)); 797 cp.type = LE_ADV_DIRECT_IND; 798 cp.own_address_type = own_addr_type; 799 cp.direct_addr_type = conn->dst_type; 800 bacpy(&cp.direct_addr, &conn->dst); 801 cp.channel_map = hdev->le_adv_channel_map; 802 803 hci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp); 804 805 enable = 0x01; 806 hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable); 807 808 conn->state = BT_CONNECT; 809 } 810 811 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst, 812 u8 dst_type, u8 sec_level, u16 conn_timeout, 813 u8 role) 814 { 815 struct hci_conn_params *params; 816 struct hci_conn *conn, *conn_unfinished; 817 struct smp_irk *irk; 818 struct hci_request req; 819 int err; 820 821 /* Let's make sure that le is enabled.*/ 822 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 823 if (lmp_le_capable(hdev)) 824 return ERR_PTR(-ECONNREFUSED); 825 826 return ERR_PTR(-EOPNOTSUPP); 827 } 828 829 /* Some devices send ATT messages as soon as the physical link is 830 * established. To be able to handle these ATT messages, the user- 831 * space first establishes the connection and then starts the pairing 832 * process. 833 * 834 * So if a hci_conn object already exists for the following connection 835 * attempt, we simply update pending_sec_level and auth_type fields 836 * and return the object found. 837 */ 838 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, dst); 839 conn_unfinished = NULL; 840 if (conn) { 841 if (conn->state == BT_CONNECT && 842 test_bit(HCI_CONN_SCANNING, &conn->flags)) { 843 BT_DBG("will continue unfinished conn %pMR", dst); 844 conn_unfinished = conn; 845 } else { 846 if (conn->pending_sec_level < sec_level) 847 conn->pending_sec_level = sec_level; 848 goto done; 849 } 850 } 851 852 /* Since the controller supports only one LE connection attempt at a 853 * time, we return -EBUSY if there is any connection attempt running. 854 */ 855 if (hci_lookup_le_connect(hdev)) 856 return ERR_PTR(-EBUSY); 857 858 /* When given an identity address with existing identity 859 * resolving key, the connection needs to be established 860 * to a resolvable random address. 861 * 862 * Storing the resolvable random address is required here 863 * to handle connection failures. The address will later 864 * be resolved back into the original identity address 865 * from the connect request. 866 */ 867 irk = hci_find_irk_by_addr(hdev, dst, dst_type); 868 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) { 869 dst = &irk->rpa; 870 dst_type = ADDR_LE_DEV_RANDOM; 871 } 872 873 if (conn_unfinished) { 874 conn = conn_unfinished; 875 bacpy(&conn->dst, dst); 876 } else { 877 conn = hci_conn_add(hdev, LE_LINK, dst, role); 878 } 879 880 if (!conn) 881 return ERR_PTR(-ENOMEM); 882 883 conn->dst_type = dst_type; 884 conn->sec_level = BT_SECURITY_LOW; 885 conn->conn_timeout = conn_timeout; 886 887 if (!conn_unfinished) 888 conn->pending_sec_level = sec_level; 889 890 hci_req_init(&req, hdev); 891 892 /* Disable advertising if we're active. For master role 893 * connections most controllers will refuse to connect if 894 * advertising is enabled, and for slave role connections we 895 * anyway have to disable it in order to start directed 896 * advertising. 897 */ 898 if (hci_dev_test_flag(hdev, HCI_LE_ADV)) { 899 u8 enable = 0x00; 900 hci_req_add(&req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), 901 &enable); 902 } 903 904 /* If requested to connect as slave use directed advertising */ 905 if (conn->role == HCI_ROLE_SLAVE) { 906 /* If we're active scanning most controllers are unable 907 * to initiate advertising. Simply reject the attempt. 908 */ 909 if (hci_dev_test_flag(hdev, HCI_LE_SCAN) && 910 hdev->le_scan_type == LE_SCAN_ACTIVE) { 911 skb_queue_purge(&req.cmd_q); 912 hci_conn_del(conn); 913 return ERR_PTR(-EBUSY); 914 } 915 916 hci_req_directed_advertising(&req, conn); 917 goto create_conn; 918 } 919 920 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 921 if (params) { 922 conn->le_conn_min_interval = params->conn_min_interval; 923 conn->le_conn_max_interval = params->conn_max_interval; 924 conn->le_conn_latency = params->conn_latency; 925 conn->le_supv_timeout = params->supervision_timeout; 926 } else { 927 conn->le_conn_min_interval = hdev->le_conn_min_interval; 928 conn->le_conn_max_interval = hdev->le_conn_max_interval; 929 conn->le_conn_latency = hdev->le_conn_latency; 930 conn->le_supv_timeout = hdev->le_supv_timeout; 931 } 932 933 /* If controller is scanning, we stop it since some controllers are 934 * not able to scan and connect at the same time. Also set the 935 * HCI_LE_SCAN_INTERRUPTED flag so that the command complete 936 * handler for scan disabling knows to set the correct discovery 937 * state. 938 */ 939 if (hci_dev_test_flag(hdev, HCI_LE_SCAN)) { 940 hci_req_add_le_scan_disable(&req); 941 hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED); 942 } 943 944 hci_req_add_le_create_conn(&req, conn); 945 946 create_conn: 947 err = hci_req_run(&req, create_le_conn_complete); 948 if (err) { 949 hci_conn_del(conn); 950 return ERR_PTR(err); 951 } 952 953 done: 954 /* If this is continuation of connect started by hci_connect_le_scan, 955 * it already called hci_conn_hold and calling it again would mess the 956 * counter. 957 */ 958 if (!conn_unfinished) 959 hci_conn_hold(conn); 960 961 return conn; 962 } 963 964 static void hci_connect_le_scan_complete(struct hci_dev *hdev, u8 status, 965 u16 opcode) 966 { 967 struct hci_conn *conn; 968 969 if (!status) 970 return; 971 972 BT_ERR("Failed to add device to auto conn whitelist: status 0x%2.2x", 973 status); 974 975 hci_dev_lock(hdev); 976 977 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT); 978 if (conn) 979 hci_le_conn_failed(conn, status); 980 981 hci_dev_unlock(hdev); 982 } 983 984 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type) 985 { 986 struct hci_conn *conn; 987 988 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, addr); 989 if (!conn) 990 return false; 991 992 if (conn->dst_type != type) 993 return false; 994 995 if (conn->state != BT_CONNECTED) 996 return false; 997 998 return true; 999 } 1000 1001 /* This function requires the caller holds hdev->lock */ 1002 static int hci_explicit_conn_params_set(struct hci_request *req, 1003 bdaddr_t *addr, u8 addr_type) 1004 { 1005 struct hci_dev *hdev = req->hdev; 1006 struct hci_conn_params *params; 1007 1008 if (is_connected(hdev, addr, addr_type)) 1009 return -EISCONN; 1010 1011 params = hci_conn_params_lookup(hdev, addr, addr_type); 1012 if (!params) { 1013 params = hci_conn_params_add(hdev, addr, addr_type); 1014 if (!params) 1015 return -ENOMEM; 1016 1017 /* If we created new params, mark them to be deleted in 1018 * hci_connect_le_scan_cleanup. It's different case than 1019 * existing disabled params, those will stay after cleanup. 1020 */ 1021 params->auto_connect = HCI_AUTO_CONN_EXPLICIT; 1022 } 1023 1024 /* We're trying to connect, so make sure params are at pend_le_conns */ 1025 if (params->auto_connect == HCI_AUTO_CONN_DISABLED || 1026 params->auto_connect == HCI_AUTO_CONN_REPORT || 1027 params->auto_connect == HCI_AUTO_CONN_EXPLICIT) { 1028 list_del_init(¶ms->action); 1029 list_add(¶ms->action, &hdev->pend_le_conns); 1030 } 1031 1032 params->explicit_connect = true; 1033 __hci_update_background_scan(req); 1034 1035 BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type, 1036 params->auto_connect); 1037 1038 return 0; 1039 } 1040 1041 /* This function requires the caller holds hdev->lock */ 1042 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst, 1043 u8 dst_type, u8 sec_level, 1044 u16 conn_timeout, u8 role) 1045 { 1046 struct hci_conn *conn; 1047 struct hci_request req; 1048 int err; 1049 1050 /* Let's make sure that le is enabled.*/ 1051 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1052 if (lmp_le_capable(hdev)) 1053 return ERR_PTR(-ECONNREFUSED); 1054 1055 return ERR_PTR(-EOPNOTSUPP); 1056 } 1057 1058 /* Some devices send ATT messages as soon as the physical link is 1059 * established. To be able to handle these ATT messages, the user- 1060 * space first establishes the connection and then starts the pairing 1061 * process. 1062 * 1063 * So if a hci_conn object already exists for the following connection 1064 * attempt, we simply update pending_sec_level and auth_type fields 1065 * and return the object found. 1066 */ 1067 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, dst); 1068 if (conn) { 1069 if (conn->pending_sec_level < sec_level) 1070 conn->pending_sec_level = sec_level; 1071 goto done; 1072 } 1073 1074 BT_DBG("requesting refresh of dst_addr"); 1075 1076 conn = hci_conn_add(hdev, LE_LINK, dst, role); 1077 if (!conn) 1078 return ERR_PTR(-ENOMEM); 1079 1080 hci_req_init(&req, hdev); 1081 1082 if (hci_explicit_conn_params_set(&req, dst, dst_type) < 0) 1083 return ERR_PTR(-EBUSY); 1084 1085 conn->state = BT_CONNECT; 1086 set_bit(HCI_CONN_SCANNING, &conn->flags); 1087 1088 err = hci_req_run(&req, hci_connect_le_scan_complete); 1089 if (err && err != -ENODATA) { 1090 hci_conn_del(conn); 1091 return ERR_PTR(err); 1092 } 1093 1094 conn->dst_type = dst_type; 1095 conn->sec_level = BT_SECURITY_LOW; 1096 conn->pending_sec_level = sec_level; 1097 conn->conn_timeout = conn_timeout; 1098 1099 done: 1100 hci_conn_hold(conn); 1101 return conn; 1102 } 1103 1104 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst, 1105 u8 sec_level, u8 auth_type) 1106 { 1107 struct hci_conn *acl; 1108 1109 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) { 1110 if (lmp_bredr_capable(hdev)) 1111 return ERR_PTR(-ECONNREFUSED); 1112 1113 return ERR_PTR(-EOPNOTSUPP); 1114 } 1115 1116 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst); 1117 if (!acl) { 1118 acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER); 1119 if (!acl) 1120 return ERR_PTR(-ENOMEM); 1121 } 1122 1123 hci_conn_hold(acl); 1124 1125 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) { 1126 acl->sec_level = BT_SECURITY_LOW; 1127 acl->pending_sec_level = sec_level; 1128 acl->auth_type = auth_type; 1129 hci_acl_create_connection(acl); 1130 } 1131 1132 return acl; 1133 } 1134 1135 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst, 1136 __u16 setting) 1137 { 1138 struct hci_conn *acl; 1139 struct hci_conn *sco; 1140 1141 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING); 1142 if (IS_ERR(acl)) 1143 return acl; 1144 1145 sco = hci_conn_hash_lookup_ba(hdev, type, dst); 1146 if (!sco) { 1147 sco = hci_conn_add(hdev, type, dst, HCI_ROLE_MASTER); 1148 if (!sco) { 1149 hci_conn_drop(acl); 1150 return ERR_PTR(-ENOMEM); 1151 } 1152 } 1153 1154 acl->link = sco; 1155 sco->link = acl; 1156 1157 hci_conn_hold(sco); 1158 1159 sco->setting = setting; 1160 1161 if (acl->state == BT_CONNECTED && 1162 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) { 1163 set_bit(HCI_CONN_POWER_SAVE, &acl->flags); 1164 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON); 1165 1166 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) { 1167 /* defer SCO setup until mode change completed */ 1168 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags); 1169 return sco; 1170 } 1171 1172 hci_sco_setup(acl, 0x00); 1173 } 1174 1175 return sco; 1176 } 1177 1178 /* Check link security requirement */ 1179 int hci_conn_check_link_mode(struct hci_conn *conn) 1180 { 1181 BT_DBG("hcon %p", conn); 1182 1183 /* In Secure Connections Only mode, it is required that Secure 1184 * Connections is used and the link is encrypted with AES-CCM 1185 * using a P-256 authenticated combination key. 1186 */ 1187 if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) { 1188 if (!hci_conn_sc_enabled(conn) || 1189 !test_bit(HCI_CONN_AES_CCM, &conn->flags) || 1190 conn->key_type != HCI_LK_AUTH_COMBINATION_P256) 1191 return 0; 1192 } 1193 1194 if (hci_conn_ssp_enabled(conn) && 1195 !test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 1196 return 0; 1197 1198 return 1; 1199 } 1200 1201 /* Authenticate remote device */ 1202 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type) 1203 { 1204 BT_DBG("hcon %p", conn); 1205 1206 if (conn->pending_sec_level > sec_level) 1207 sec_level = conn->pending_sec_level; 1208 1209 if (sec_level > conn->sec_level) 1210 conn->pending_sec_level = sec_level; 1211 else if (test_bit(HCI_CONN_AUTH, &conn->flags)) 1212 return 1; 1213 1214 /* Make sure we preserve an existing MITM requirement*/ 1215 auth_type |= (conn->auth_type & 0x01); 1216 1217 conn->auth_type = auth_type; 1218 1219 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 1220 struct hci_cp_auth_requested cp; 1221 1222 cp.handle = cpu_to_le16(conn->handle); 1223 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED, 1224 sizeof(cp), &cp); 1225 1226 /* If we're already encrypted set the REAUTH_PEND flag, 1227 * otherwise set the ENCRYPT_PEND. 1228 */ 1229 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 1230 set_bit(HCI_CONN_REAUTH_PEND, &conn->flags); 1231 else 1232 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 1233 } 1234 1235 return 0; 1236 } 1237 1238 /* Encrypt the the link */ 1239 static void hci_conn_encrypt(struct hci_conn *conn) 1240 { 1241 BT_DBG("hcon %p", conn); 1242 1243 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 1244 struct hci_cp_set_conn_encrypt cp; 1245 cp.handle = cpu_to_le16(conn->handle); 1246 cp.encrypt = 0x01; 1247 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 1248 &cp); 1249 } 1250 } 1251 1252 /* Enable security */ 1253 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type, 1254 bool initiator) 1255 { 1256 BT_DBG("hcon %p", conn); 1257 1258 if (conn->type == LE_LINK) 1259 return smp_conn_security(conn, sec_level); 1260 1261 /* For sdp we don't need the link key. */ 1262 if (sec_level == BT_SECURITY_SDP) 1263 return 1; 1264 1265 /* For non 2.1 devices and low security level we don't need the link 1266 key. */ 1267 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn)) 1268 return 1; 1269 1270 /* For other security levels we need the link key. */ 1271 if (!test_bit(HCI_CONN_AUTH, &conn->flags)) 1272 goto auth; 1273 1274 /* An authenticated FIPS approved combination key has sufficient 1275 * security for security level 4. */ 1276 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 && 1277 sec_level == BT_SECURITY_FIPS) 1278 goto encrypt; 1279 1280 /* An authenticated combination key has sufficient security for 1281 security level 3. */ 1282 if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 || 1283 conn->key_type == HCI_LK_AUTH_COMBINATION_P256) && 1284 sec_level == BT_SECURITY_HIGH) 1285 goto encrypt; 1286 1287 /* An unauthenticated combination key has sufficient security for 1288 security level 1 and 2. */ 1289 if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 || 1290 conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) && 1291 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW)) 1292 goto encrypt; 1293 1294 /* A combination key has always sufficient security for the security 1295 levels 1 or 2. High security level requires the combination key 1296 is generated using maximum PIN code length (16). 1297 For pre 2.1 units. */ 1298 if (conn->key_type == HCI_LK_COMBINATION && 1299 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW || 1300 conn->pin_length == 16)) 1301 goto encrypt; 1302 1303 auth: 1304 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) 1305 return 0; 1306 1307 if (initiator) 1308 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 1309 1310 if (!hci_conn_auth(conn, sec_level, auth_type)) 1311 return 0; 1312 1313 encrypt: 1314 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 1315 return 1; 1316 1317 hci_conn_encrypt(conn); 1318 return 0; 1319 } 1320 EXPORT_SYMBOL(hci_conn_security); 1321 1322 /* Check secure link requirement */ 1323 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level) 1324 { 1325 BT_DBG("hcon %p", conn); 1326 1327 /* Accept if non-secure or higher security level is required */ 1328 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS) 1329 return 1; 1330 1331 /* Accept if secure or higher security level is already present */ 1332 if (conn->sec_level == BT_SECURITY_HIGH || 1333 conn->sec_level == BT_SECURITY_FIPS) 1334 return 1; 1335 1336 /* Reject not secure link */ 1337 return 0; 1338 } 1339 EXPORT_SYMBOL(hci_conn_check_secure); 1340 1341 /* Switch role */ 1342 int hci_conn_switch_role(struct hci_conn *conn, __u8 role) 1343 { 1344 BT_DBG("hcon %p", conn); 1345 1346 if (role == conn->role) 1347 return 1; 1348 1349 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) { 1350 struct hci_cp_switch_role cp; 1351 bacpy(&cp.bdaddr, &conn->dst); 1352 cp.role = role; 1353 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp); 1354 } 1355 1356 return 0; 1357 } 1358 EXPORT_SYMBOL(hci_conn_switch_role); 1359 1360 /* Enter active mode */ 1361 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active) 1362 { 1363 struct hci_dev *hdev = conn->hdev; 1364 1365 BT_DBG("hcon %p mode %d", conn, conn->mode); 1366 1367 if (conn->mode != HCI_CM_SNIFF) 1368 goto timer; 1369 1370 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active) 1371 goto timer; 1372 1373 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) { 1374 struct hci_cp_exit_sniff_mode cp; 1375 cp.handle = cpu_to_le16(conn->handle); 1376 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp); 1377 } 1378 1379 timer: 1380 if (hdev->idle_timeout > 0) 1381 queue_delayed_work(hdev->workqueue, &conn->idle_work, 1382 msecs_to_jiffies(hdev->idle_timeout)); 1383 } 1384 1385 /* Drop all connection on the device */ 1386 void hci_conn_hash_flush(struct hci_dev *hdev) 1387 { 1388 struct hci_conn_hash *h = &hdev->conn_hash; 1389 struct hci_conn *c, *n; 1390 1391 BT_DBG("hdev %s", hdev->name); 1392 1393 list_for_each_entry_safe(c, n, &h->list, list) { 1394 c->state = BT_CLOSED; 1395 1396 hci_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM); 1397 hci_conn_del(c); 1398 } 1399 } 1400 1401 /* Check pending connect attempts */ 1402 void hci_conn_check_pending(struct hci_dev *hdev) 1403 { 1404 struct hci_conn *conn; 1405 1406 BT_DBG("hdev %s", hdev->name); 1407 1408 hci_dev_lock(hdev); 1409 1410 conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2); 1411 if (conn) 1412 hci_acl_create_connection(conn); 1413 1414 hci_dev_unlock(hdev); 1415 } 1416 1417 static u32 get_link_mode(struct hci_conn *conn) 1418 { 1419 u32 link_mode = 0; 1420 1421 if (conn->role == HCI_ROLE_MASTER) 1422 link_mode |= HCI_LM_MASTER; 1423 1424 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 1425 link_mode |= HCI_LM_ENCRYPT; 1426 1427 if (test_bit(HCI_CONN_AUTH, &conn->flags)) 1428 link_mode |= HCI_LM_AUTH; 1429 1430 if (test_bit(HCI_CONN_SECURE, &conn->flags)) 1431 link_mode |= HCI_LM_SECURE; 1432 1433 if (test_bit(HCI_CONN_FIPS, &conn->flags)) 1434 link_mode |= HCI_LM_FIPS; 1435 1436 return link_mode; 1437 } 1438 1439 int hci_get_conn_list(void __user *arg) 1440 { 1441 struct hci_conn *c; 1442 struct hci_conn_list_req req, *cl; 1443 struct hci_conn_info *ci; 1444 struct hci_dev *hdev; 1445 int n = 0, size, err; 1446 1447 if (copy_from_user(&req, arg, sizeof(req))) 1448 return -EFAULT; 1449 1450 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci)) 1451 return -EINVAL; 1452 1453 size = sizeof(req) + req.conn_num * sizeof(*ci); 1454 1455 cl = kmalloc(size, GFP_KERNEL); 1456 if (!cl) 1457 return -ENOMEM; 1458 1459 hdev = hci_dev_get(req.dev_id); 1460 if (!hdev) { 1461 kfree(cl); 1462 return -ENODEV; 1463 } 1464 1465 ci = cl->conn_info; 1466 1467 hci_dev_lock(hdev); 1468 list_for_each_entry(c, &hdev->conn_hash.list, list) { 1469 bacpy(&(ci + n)->bdaddr, &c->dst); 1470 (ci + n)->handle = c->handle; 1471 (ci + n)->type = c->type; 1472 (ci + n)->out = c->out; 1473 (ci + n)->state = c->state; 1474 (ci + n)->link_mode = get_link_mode(c); 1475 if (++n >= req.conn_num) 1476 break; 1477 } 1478 hci_dev_unlock(hdev); 1479 1480 cl->dev_id = hdev->id; 1481 cl->conn_num = n; 1482 size = sizeof(req) + n * sizeof(*ci); 1483 1484 hci_dev_put(hdev); 1485 1486 err = copy_to_user(arg, cl, size); 1487 kfree(cl); 1488 1489 return err ? -EFAULT : 0; 1490 } 1491 1492 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg) 1493 { 1494 struct hci_conn_info_req req; 1495 struct hci_conn_info ci; 1496 struct hci_conn *conn; 1497 char __user *ptr = arg + sizeof(req); 1498 1499 if (copy_from_user(&req, arg, sizeof(req))) 1500 return -EFAULT; 1501 1502 hci_dev_lock(hdev); 1503 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr); 1504 if (conn) { 1505 bacpy(&ci.bdaddr, &conn->dst); 1506 ci.handle = conn->handle; 1507 ci.type = conn->type; 1508 ci.out = conn->out; 1509 ci.state = conn->state; 1510 ci.link_mode = get_link_mode(conn); 1511 } 1512 hci_dev_unlock(hdev); 1513 1514 if (!conn) 1515 return -ENOENT; 1516 1517 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0; 1518 } 1519 1520 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg) 1521 { 1522 struct hci_auth_info_req req; 1523 struct hci_conn *conn; 1524 1525 if (copy_from_user(&req, arg, sizeof(req))) 1526 return -EFAULT; 1527 1528 hci_dev_lock(hdev); 1529 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr); 1530 if (conn) 1531 req.type = conn->auth_type; 1532 hci_dev_unlock(hdev); 1533 1534 if (!conn) 1535 return -ENOENT; 1536 1537 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0; 1538 } 1539 1540 struct hci_chan *hci_chan_create(struct hci_conn *conn) 1541 { 1542 struct hci_dev *hdev = conn->hdev; 1543 struct hci_chan *chan; 1544 1545 BT_DBG("%s hcon %p", hdev->name, conn); 1546 1547 if (test_bit(HCI_CONN_DROP, &conn->flags)) { 1548 BT_DBG("Refusing to create new hci_chan"); 1549 return NULL; 1550 } 1551 1552 chan = kzalloc(sizeof(*chan), GFP_KERNEL); 1553 if (!chan) 1554 return NULL; 1555 1556 chan->conn = hci_conn_get(conn); 1557 skb_queue_head_init(&chan->data_q); 1558 chan->state = BT_CONNECTED; 1559 1560 list_add_rcu(&chan->list, &conn->chan_list); 1561 1562 return chan; 1563 } 1564 1565 void hci_chan_del(struct hci_chan *chan) 1566 { 1567 struct hci_conn *conn = chan->conn; 1568 struct hci_dev *hdev = conn->hdev; 1569 1570 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan); 1571 1572 list_del_rcu(&chan->list); 1573 1574 synchronize_rcu(); 1575 1576 /* Prevent new hci_chan's to be created for this hci_conn */ 1577 set_bit(HCI_CONN_DROP, &conn->flags); 1578 1579 hci_conn_put(conn); 1580 1581 skb_queue_purge(&chan->data_q); 1582 kfree(chan); 1583 } 1584 1585 void hci_chan_list_flush(struct hci_conn *conn) 1586 { 1587 struct hci_chan *chan, *n; 1588 1589 BT_DBG("hcon %p", conn); 1590 1591 list_for_each_entry_safe(chan, n, &conn->chan_list, list) 1592 hci_chan_del(chan); 1593 } 1594 1595 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon, 1596 __u16 handle) 1597 { 1598 struct hci_chan *hchan; 1599 1600 list_for_each_entry(hchan, &hcon->chan_list, list) { 1601 if (hchan->handle == handle) 1602 return hchan; 1603 } 1604 1605 return NULL; 1606 } 1607 1608 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle) 1609 { 1610 struct hci_conn_hash *h = &hdev->conn_hash; 1611 struct hci_conn *hcon; 1612 struct hci_chan *hchan = NULL; 1613 1614 rcu_read_lock(); 1615 1616 list_for_each_entry_rcu(hcon, &h->list, list) { 1617 hchan = __hci_chan_lookup_handle(hcon, handle); 1618 if (hchan) 1619 break; 1620 } 1621 1622 rcu_read_unlock(); 1623 1624 return hchan; 1625 } 1626