xref: /openbmc/linux/net/bluetooth/hci_conn.c (revision 6774def6)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4 
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth HCI connection handling. */
26 
27 #include <linux/export.h>
28 
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/l2cap.h>
32 
33 #include "smp.h"
34 #include "a2mp.h"
35 
36 struct sco_param {
37 	u16 pkt_type;
38 	u16 max_latency;
39 	u8  retrans_effort;
40 };
41 
42 static const struct sco_param esco_param_cvsd[] = {
43 	{ EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a,	0x01 }, /* S3 */
44 	{ EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007,	0x01 }, /* S2 */
45 	{ EDR_ESCO_MASK | ESCO_EV3,   0x0007,	0x01 }, /* S1 */
46 	{ EDR_ESCO_MASK | ESCO_HV3,   0xffff,	0x01 }, /* D1 */
47 	{ EDR_ESCO_MASK | ESCO_HV1,   0xffff,	0x01 }, /* D0 */
48 };
49 
50 static const struct sco_param sco_param_cvsd[] = {
51 	{ EDR_ESCO_MASK | ESCO_HV3,   0xffff,	0xff }, /* D1 */
52 	{ EDR_ESCO_MASK | ESCO_HV1,   0xffff,	0xff }, /* D0 */
53 };
54 
55 static const struct sco_param esco_param_msbc[] = {
56 	{ EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d,	0x02 }, /* T2 */
57 	{ EDR_ESCO_MASK | ESCO_EV3,   0x0008,	0x02 }, /* T1 */
58 };
59 
60 static void hci_le_create_connection_cancel(struct hci_conn *conn)
61 {
62 	hci_send_cmd(conn->hdev, HCI_OP_LE_CREATE_CONN_CANCEL, 0, NULL);
63 }
64 
65 static void hci_acl_create_connection(struct hci_conn *conn)
66 {
67 	struct hci_dev *hdev = conn->hdev;
68 	struct inquiry_entry *ie;
69 	struct hci_cp_create_conn cp;
70 
71 	BT_DBG("hcon %p", conn);
72 
73 	conn->state = BT_CONNECT;
74 	conn->out = true;
75 	conn->role = HCI_ROLE_MASTER;
76 
77 	conn->attempt++;
78 
79 	conn->link_policy = hdev->link_policy;
80 
81 	memset(&cp, 0, sizeof(cp));
82 	bacpy(&cp.bdaddr, &conn->dst);
83 	cp.pscan_rep_mode = 0x02;
84 
85 	ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
86 	if (ie) {
87 		if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) {
88 			cp.pscan_rep_mode = ie->data.pscan_rep_mode;
89 			cp.pscan_mode     = ie->data.pscan_mode;
90 			cp.clock_offset   = ie->data.clock_offset |
91 					    cpu_to_le16(0x8000);
92 		}
93 
94 		memcpy(conn->dev_class, ie->data.dev_class, 3);
95 		if (ie->data.ssp_mode > 0)
96 			set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
97 	}
98 
99 	cp.pkt_type = cpu_to_le16(conn->pkt_type);
100 	if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER))
101 		cp.role_switch = 0x01;
102 	else
103 		cp.role_switch = 0x00;
104 
105 	hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
106 }
107 
108 static void hci_acl_create_connection_cancel(struct hci_conn *conn)
109 {
110 	struct hci_cp_create_conn_cancel cp;
111 
112 	BT_DBG("hcon %p", conn);
113 
114 	if (conn->hdev->hci_ver < BLUETOOTH_VER_1_2)
115 		return;
116 
117 	bacpy(&cp.bdaddr, &conn->dst);
118 	hci_send_cmd(conn->hdev, HCI_OP_CREATE_CONN_CANCEL, sizeof(cp), &cp);
119 }
120 
121 static void hci_reject_sco(struct hci_conn *conn)
122 {
123 	struct hci_cp_reject_sync_conn_req cp;
124 
125 	cp.reason = HCI_ERROR_REJ_LIMITED_RESOURCES;
126 	bacpy(&cp.bdaddr, &conn->dst);
127 
128 	hci_send_cmd(conn->hdev, HCI_OP_REJECT_SYNC_CONN_REQ, sizeof(cp), &cp);
129 }
130 
131 int hci_disconnect(struct hci_conn *conn, __u8 reason)
132 {
133 	struct hci_cp_disconnect cp;
134 
135 	BT_DBG("hcon %p", conn);
136 
137 	/* When we are master of an established connection and it enters
138 	 * the disconnect timeout, then go ahead and try to read the
139 	 * current clock offset.  Processing of the result is done
140 	 * within the event handling and hci_clock_offset_evt function.
141 	 */
142 	if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER) {
143 		struct hci_dev *hdev = conn->hdev;
144 		struct hci_cp_read_clock_offset cp;
145 
146 		cp.handle = cpu_to_le16(conn->handle);
147 		hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(cp), &cp);
148 	}
149 
150 	conn->state = BT_DISCONN;
151 
152 	cp.handle = cpu_to_le16(conn->handle);
153 	cp.reason = reason;
154 	return hci_send_cmd(conn->hdev, HCI_OP_DISCONNECT, sizeof(cp), &cp);
155 }
156 
157 static void hci_amp_disconn(struct hci_conn *conn)
158 {
159 	struct hci_cp_disconn_phy_link cp;
160 
161 	BT_DBG("hcon %p", conn);
162 
163 	conn->state = BT_DISCONN;
164 
165 	cp.phy_handle = HCI_PHY_HANDLE(conn->handle);
166 	cp.reason = hci_proto_disconn_ind(conn);
167 	hci_send_cmd(conn->hdev, HCI_OP_DISCONN_PHY_LINK,
168 		     sizeof(cp), &cp);
169 }
170 
171 static void hci_add_sco(struct hci_conn *conn, __u16 handle)
172 {
173 	struct hci_dev *hdev = conn->hdev;
174 	struct hci_cp_add_sco cp;
175 
176 	BT_DBG("hcon %p", conn);
177 
178 	conn->state = BT_CONNECT;
179 	conn->out = true;
180 
181 	conn->attempt++;
182 
183 	cp.handle   = cpu_to_le16(handle);
184 	cp.pkt_type = cpu_to_le16(conn->pkt_type);
185 
186 	hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
187 }
188 
189 bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
190 {
191 	struct hci_dev *hdev = conn->hdev;
192 	struct hci_cp_setup_sync_conn cp;
193 	const struct sco_param *param;
194 
195 	BT_DBG("hcon %p", conn);
196 
197 	conn->state = BT_CONNECT;
198 	conn->out = true;
199 
200 	conn->attempt++;
201 
202 	cp.handle   = cpu_to_le16(handle);
203 
204 	cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
205 	cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
206 	cp.voice_setting  = cpu_to_le16(conn->setting);
207 
208 	switch (conn->setting & SCO_AIRMODE_MASK) {
209 	case SCO_AIRMODE_TRANSP:
210 		if (conn->attempt > ARRAY_SIZE(esco_param_msbc))
211 			return false;
212 		param = &esco_param_msbc[conn->attempt - 1];
213 		break;
214 	case SCO_AIRMODE_CVSD:
215 		if (lmp_esco_capable(conn->link)) {
216 			if (conn->attempt > ARRAY_SIZE(esco_param_cvsd))
217 				return false;
218 			param = &esco_param_cvsd[conn->attempt - 1];
219 		} else {
220 			if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
221 				return false;
222 			param = &sco_param_cvsd[conn->attempt - 1];
223 		}
224 		break;
225 	default:
226 		return false;
227 	}
228 
229 	cp.retrans_effort = param->retrans_effort;
230 	cp.pkt_type = __cpu_to_le16(param->pkt_type);
231 	cp.max_latency = __cpu_to_le16(param->max_latency);
232 
233 	if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
234 		return false;
235 
236 	return true;
237 }
238 
239 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
240 		      u16 to_multiplier)
241 {
242 	struct hci_dev *hdev = conn->hdev;
243 	struct hci_conn_params *params;
244 	struct hci_cp_le_conn_update cp;
245 
246 	hci_dev_lock(hdev);
247 
248 	params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
249 	if (params) {
250 		params->conn_min_interval = min;
251 		params->conn_max_interval = max;
252 		params->conn_latency = latency;
253 		params->supervision_timeout = to_multiplier;
254 	}
255 
256 	hci_dev_unlock(hdev);
257 
258 	memset(&cp, 0, sizeof(cp));
259 	cp.handle		= cpu_to_le16(conn->handle);
260 	cp.conn_interval_min	= cpu_to_le16(min);
261 	cp.conn_interval_max	= cpu_to_le16(max);
262 	cp.conn_latency		= cpu_to_le16(latency);
263 	cp.supervision_timeout	= cpu_to_le16(to_multiplier);
264 	cp.min_ce_len		= cpu_to_le16(0x0000);
265 	cp.max_ce_len		= cpu_to_le16(0x0000);
266 
267 	hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
268 
269 	if (params)
270 		return 0x01;
271 
272 	return 0x00;
273 }
274 
275 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
276 		      __u8 ltk[16])
277 {
278 	struct hci_dev *hdev = conn->hdev;
279 	struct hci_cp_le_start_enc cp;
280 
281 	BT_DBG("hcon %p", conn);
282 
283 	memset(&cp, 0, sizeof(cp));
284 
285 	cp.handle = cpu_to_le16(conn->handle);
286 	cp.rand = rand;
287 	cp.ediv = ediv;
288 	memcpy(cp.ltk, ltk, sizeof(cp.ltk));
289 
290 	hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
291 }
292 
293 /* Device _must_ be locked */
294 void hci_sco_setup(struct hci_conn *conn, __u8 status)
295 {
296 	struct hci_conn *sco = conn->link;
297 
298 	if (!sco)
299 		return;
300 
301 	BT_DBG("hcon %p", conn);
302 
303 	if (!status) {
304 		if (lmp_esco_capable(conn->hdev))
305 			hci_setup_sync(sco, conn->handle);
306 		else
307 			hci_add_sco(sco, conn->handle);
308 	} else {
309 		hci_proto_connect_cfm(sco, status);
310 		hci_conn_del(sco);
311 	}
312 }
313 
314 static void hci_conn_timeout(struct work_struct *work)
315 {
316 	struct hci_conn *conn = container_of(work, struct hci_conn,
317 					     disc_work.work);
318 	int refcnt = atomic_read(&conn->refcnt);
319 
320 	BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
321 
322 	WARN_ON(refcnt < 0);
323 
324 	/* FIXME: It was observed that in pairing failed scenario, refcnt
325 	 * drops below 0. Probably this is because l2cap_conn_del calls
326 	 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
327 	 * dropped. After that loop hci_chan_del is called which also drops
328 	 * conn. For now make sure that ACL is alive if refcnt is higher then 0,
329 	 * otherwise drop it.
330 	 */
331 	if (refcnt > 0)
332 		return;
333 
334 	switch (conn->state) {
335 	case BT_CONNECT:
336 	case BT_CONNECT2:
337 		if (conn->out) {
338 			if (conn->type == ACL_LINK)
339 				hci_acl_create_connection_cancel(conn);
340 			else if (conn->type == LE_LINK)
341 				hci_le_create_connection_cancel(conn);
342 		} else if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
343 			hci_reject_sco(conn);
344 		}
345 		break;
346 	case BT_CONFIG:
347 	case BT_CONNECTED:
348 		if (conn->type == AMP_LINK) {
349 			hci_amp_disconn(conn);
350 		} else {
351 			__u8 reason = hci_proto_disconn_ind(conn);
352 			hci_disconnect(conn, reason);
353 		}
354 		break;
355 	default:
356 		conn->state = BT_CLOSED;
357 		break;
358 	}
359 }
360 
361 /* Enter sniff mode */
362 static void hci_conn_idle(struct work_struct *work)
363 {
364 	struct hci_conn *conn = container_of(work, struct hci_conn,
365 					     idle_work.work);
366 	struct hci_dev *hdev = conn->hdev;
367 
368 	BT_DBG("hcon %p mode %d", conn, conn->mode);
369 
370 	if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
371 		return;
372 
373 	if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
374 		return;
375 
376 	if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
377 		struct hci_cp_sniff_subrate cp;
378 		cp.handle             = cpu_to_le16(conn->handle);
379 		cp.max_latency        = cpu_to_le16(0);
380 		cp.min_remote_timeout = cpu_to_le16(0);
381 		cp.min_local_timeout  = cpu_to_le16(0);
382 		hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
383 	}
384 
385 	if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
386 		struct hci_cp_sniff_mode cp;
387 		cp.handle       = cpu_to_le16(conn->handle);
388 		cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
389 		cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
390 		cp.attempt      = cpu_to_le16(4);
391 		cp.timeout      = cpu_to_le16(1);
392 		hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
393 	}
394 }
395 
396 static void hci_conn_auto_accept(struct work_struct *work)
397 {
398 	struct hci_conn *conn = container_of(work, struct hci_conn,
399 					     auto_accept_work.work);
400 
401 	hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
402 		     &conn->dst);
403 }
404 
405 static void le_conn_timeout(struct work_struct *work)
406 {
407 	struct hci_conn *conn = container_of(work, struct hci_conn,
408 					     le_conn_timeout.work);
409 	struct hci_dev *hdev = conn->hdev;
410 
411 	BT_DBG("");
412 
413 	/* We could end up here due to having done directed advertising,
414 	 * so clean up the state if necessary. This should however only
415 	 * happen with broken hardware or if low duty cycle was used
416 	 * (which doesn't have a timeout of its own).
417 	 */
418 	if (test_bit(HCI_ADVERTISING, &hdev->dev_flags)) {
419 		u8 enable = 0x00;
420 		hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
421 			     &enable);
422 		hci_le_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
423 		return;
424 	}
425 
426 	hci_le_create_connection_cancel(conn);
427 }
428 
429 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
430 			      u8 role)
431 {
432 	struct hci_conn *conn;
433 
434 	BT_DBG("%s dst %pMR", hdev->name, dst);
435 
436 	conn = kzalloc(sizeof(*conn), GFP_KERNEL);
437 	if (!conn)
438 		return NULL;
439 
440 	bacpy(&conn->dst, dst);
441 	bacpy(&conn->src, &hdev->bdaddr);
442 	conn->hdev  = hdev;
443 	conn->type  = type;
444 	conn->role  = role;
445 	conn->mode  = HCI_CM_ACTIVE;
446 	conn->state = BT_OPEN;
447 	conn->auth_type = HCI_AT_GENERAL_BONDING;
448 	conn->io_capability = hdev->io_capability;
449 	conn->remote_auth = 0xff;
450 	conn->key_type = 0xff;
451 	conn->tx_power = HCI_TX_POWER_INVALID;
452 	conn->max_tx_power = HCI_TX_POWER_INVALID;
453 
454 	set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
455 	conn->disc_timeout = HCI_DISCONN_TIMEOUT;
456 
457 	if (conn->role == HCI_ROLE_MASTER)
458 		conn->out = true;
459 
460 	switch (type) {
461 	case ACL_LINK:
462 		conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
463 		break;
464 	case LE_LINK:
465 		/* conn->src should reflect the local identity address */
466 		hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
467 		break;
468 	case SCO_LINK:
469 		if (lmp_esco_capable(hdev))
470 			conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
471 					(hdev->esco_type & EDR_ESCO_MASK);
472 		else
473 			conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
474 		break;
475 	case ESCO_LINK:
476 		conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
477 		break;
478 	}
479 
480 	skb_queue_head_init(&conn->data_q);
481 
482 	INIT_LIST_HEAD(&conn->chan_list);
483 
484 	INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
485 	INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
486 	INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
487 	INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
488 
489 	atomic_set(&conn->refcnt, 0);
490 
491 	hci_dev_hold(hdev);
492 
493 	hci_conn_hash_add(hdev, conn);
494 	if (hdev->notify)
495 		hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
496 
497 	hci_conn_init_sysfs(conn);
498 
499 	return conn;
500 }
501 
502 int hci_conn_del(struct hci_conn *conn)
503 {
504 	struct hci_dev *hdev = conn->hdev;
505 
506 	BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
507 
508 	cancel_delayed_work_sync(&conn->disc_work);
509 	cancel_delayed_work_sync(&conn->auto_accept_work);
510 	cancel_delayed_work_sync(&conn->idle_work);
511 
512 	if (conn->type == ACL_LINK) {
513 		struct hci_conn *sco = conn->link;
514 		if (sco)
515 			sco->link = NULL;
516 
517 		/* Unacked frames */
518 		hdev->acl_cnt += conn->sent;
519 	} else if (conn->type == LE_LINK) {
520 		cancel_delayed_work_sync(&conn->le_conn_timeout);
521 
522 		if (hdev->le_pkts)
523 			hdev->le_cnt += conn->sent;
524 		else
525 			hdev->acl_cnt += conn->sent;
526 	} else {
527 		struct hci_conn *acl = conn->link;
528 		if (acl) {
529 			acl->link = NULL;
530 			hci_conn_drop(acl);
531 		}
532 	}
533 
534 	hci_chan_list_flush(conn);
535 
536 	if (conn->amp_mgr)
537 		amp_mgr_put(conn->amp_mgr);
538 
539 	hci_conn_hash_del(hdev, conn);
540 	if (hdev->notify)
541 		hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
542 
543 	skb_queue_purge(&conn->data_q);
544 
545 	hci_conn_del_sysfs(conn);
546 
547 	hci_dev_put(hdev);
548 
549 	hci_conn_put(conn);
550 
551 	return 0;
552 }
553 
554 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src)
555 {
556 	int use_src = bacmp(src, BDADDR_ANY);
557 	struct hci_dev *hdev = NULL, *d;
558 
559 	BT_DBG("%pMR -> %pMR", src, dst);
560 
561 	read_lock(&hci_dev_list_lock);
562 
563 	list_for_each_entry(d, &hci_dev_list, list) {
564 		if (!test_bit(HCI_UP, &d->flags) ||
565 		    test_bit(HCI_USER_CHANNEL, &d->dev_flags) ||
566 		    d->dev_type != HCI_BREDR)
567 			continue;
568 
569 		/* Simple routing:
570 		 *   No source address - find interface with bdaddr != dst
571 		 *   Source address    - find interface with bdaddr == src
572 		 */
573 
574 		if (use_src) {
575 			if (!bacmp(&d->bdaddr, src)) {
576 				hdev = d; break;
577 			}
578 		} else {
579 			if (bacmp(&d->bdaddr, dst)) {
580 				hdev = d; break;
581 			}
582 		}
583 	}
584 
585 	if (hdev)
586 		hdev = hci_dev_hold(hdev);
587 
588 	read_unlock(&hci_dev_list_lock);
589 	return hdev;
590 }
591 EXPORT_SYMBOL(hci_get_route);
592 
593 /* This function requires the caller holds hdev->lock */
594 void hci_le_conn_failed(struct hci_conn *conn, u8 status)
595 {
596 	struct hci_dev *hdev = conn->hdev;
597 	struct hci_conn_params *params;
598 
599 	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
600 					   conn->dst_type);
601 	if (params && params->conn) {
602 		hci_conn_drop(params->conn);
603 		hci_conn_put(params->conn);
604 		params->conn = NULL;
605 	}
606 
607 	conn->state = BT_CLOSED;
608 
609 	mgmt_connect_failed(hdev, &conn->dst, conn->type, conn->dst_type,
610 			    status);
611 
612 	hci_proto_connect_cfm(conn, status);
613 
614 	hci_conn_del(conn);
615 
616 	/* Since we may have temporarily stopped the background scanning in
617 	 * favor of connection establishment, we should restart it.
618 	 */
619 	hci_update_background_scan(hdev);
620 
621 	/* Re-enable advertising in case this was a failed connection
622 	 * attempt as a peripheral.
623 	 */
624 	mgmt_reenable_advertising(hdev);
625 }
626 
627 static void create_le_conn_complete(struct hci_dev *hdev, u8 status)
628 {
629 	struct hci_conn *conn;
630 
631 	if (status == 0)
632 		return;
633 
634 	BT_ERR("HCI request failed to create LE connection: status 0x%2.2x",
635 	       status);
636 
637 	hci_dev_lock(hdev);
638 
639 	conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
640 	if (!conn)
641 		goto done;
642 
643 	hci_le_conn_failed(conn, status);
644 
645 done:
646 	hci_dev_unlock(hdev);
647 }
648 
649 static void hci_req_add_le_create_conn(struct hci_request *req,
650 				       struct hci_conn *conn)
651 {
652 	struct hci_cp_le_create_conn cp;
653 	struct hci_dev *hdev = conn->hdev;
654 	u8 own_addr_type;
655 
656 	memset(&cp, 0, sizeof(cp));
657 
658 	/* Update random address, but set require_privacy to false so
659 	 * that we never connect with an unresolvable address.
660 	 */
661 	if (hci_update_random_address(req, false, &own_addr_type))
662 		return;
663 
664 	cp.scan_interval = cpu_to_le16(hdev->le_scan_interval);
665 	cp.scan_window = cpu_to_le16(hdev->le_scan_window);
666 	bacpy(&cp.peer_addr, &conn->dst);
667 	cp.peer_addr_type = conn->dst_type;
668 	cp.own_address_type = own_addr_type;
669 	cp.conn_interval_min = cpu_to_le16(conn->le_conn_min_interval);
670 	cp.conn_interval_max = cpu_to_le16(conn->le_conn_max_interval);
671 	cp.conn_latency = cpu_to_le16(conn->le_conn_latency);
672 	cp.supervision_timeout = cpu_to_le16(conn->le_supv_timeout);
673 	cp.min_ce_len = cpu_to_le16(0x0000);
674 	cp.max_ce_len = cpu_to_le16(0x0000);
675 
676 	hci_req_add(req, HCI_OP_LE_CREATE_CONN, sizeof(cp), &cp);
677 
678 	conn->state = BT_CONNECT;
679 }
680 
681 static void hci_req_directed_advertising(struct hci_request *req,
682 					 struct hci_conn *conn)
683 {
684 	struct hci_dev *hdev = req->hdev;
685 	struct hci_cp_le_set_adv_param cp;
686 	u8 own_addr_type;
687 	u8 enable;
688 
689 	/* Clear the HCI_LE_ADV bit temporarily so that the
690 	 * hci_update_random_address knows that it's safe to go ahead
691 	 * and write a new random address. The flag will be set back on
692 	 * as soon as the SET_ADV_ENABLE HCI command completes.
693 	 */
694 	clear_bit(HCI_LE_ADV, &hdev->dev_flags);
695 
696 	/* Set require_privacy to false so that the remote device has a
697 	 * chance of identifying us.
698 	 */
699 	if (hci_update_random_address(req, false, &own_addr_type) < 0)
700 		return;
701 
702 	memset(&cp, 0, sizeof(cp));
703 	cp.type = LE_ADV_DIRECT_IND;
704 	cp.own_address_type = own_addr_type;
705 	cp.direct_addr_type = conn->dst_type;
706 	bacpy(&cp.direct_addr, &conn->dst);
707 	cp.channel_map = hdev->le_adv_channel_map;
708 
709 	hci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp);
710 
711 	enable = 0x01;
712 	hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
713 
714 	conn->state = BT_CONNECT;
715 }
716 
717 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
718 				u8 dst_type, u8 sec_level, u16 conn_timeout,
719 				u8 role)
720 {
721 	struct hci_conn_params *params;
722 	struct hci_conn *conn;
723 	struct smp_irk *irk;
724 	struct hci_request req;
725 	int err;
726 
727 	/* Some devices send ATT messages as soon as the physical link is
728 	 * established. To be able to handle these ATT messages, the user-
729 	 * space first establishes the connection and then starts the pairing
730 	 * process.
731 	 *
732 	 * So if a hci_conn object already exists for the following connection
733 	 * attempt, we simply update pending_sec_level and auth_type fields
734 	 * and return the object found.
735 	 */
736 	conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, dst);
737 	if (conn) {
738 		conn->pending_sec_level = sec_level;
739 		goto done;
740 	}
741 
742 	/* Since the controller supports only one LE connection attempt at a
743 	 * time, we return -EBUSY if there is any connection attempt running.
744 	 */
745 	conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
746 	if (conn)
747 		return ERR_PTR(-EBUSY);
748 
749 	/* When given an identity address with existing identity
750 	 * resolving key, the connection needs to be established
751 	 * to a resolvable random address.
752 	 *
753 	 * This uses the cached random resolvable address from
754 	 * a previous scan. When no cached address is available,
755 	 * try connecting to the identity address instead.
756 	 *
757 	 * Storing the resolvable random address is required here
758 	 * to handle connection failures. The address will later
759 	 * be resolved back into the original identity address
760 	 * from the connect request.
761 	 */
762 	irk = hci_find_irk_by_addr(hdev, dst, dst_type);
763 	if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
764 		dst = &irk->rpa;
765 		dst_type = ADDR_LE_DEV_RANDOM;
766 	}
767 
768 	conn = hci_conn_add(hdev, LE_LINK, dst, role);
769 	if (!conn)
770 		return ERR_PTR(-ENOMEM);
771 
772 	conn->dst_type = dst_type;
773 	conn->sec_level = BT_SECURITY_LOW;
774 	conn->pending_sec_level = sec_level;
775 	conn->conn_timeout = conn_timeout;
776 
777 	hci_req_init(&req, hdev);
778 
779 	/* Disable advertising if we're active. For master role
780 	 * connections most controllers will refuse to connect if
781 	 * advertising is enabled, and for slave role connections we
782 	 * anyway have to disable it in order to start directed
783 	 * advertising.
784 	 */
785 	if (test_bit(HCI_LE_ADV, &hdev->dev_flags)) {
786 		u8 enable = 0x00;
787 		hci_req_add(&req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
788 			    &enable);
789 	}
790 
791 	/* If requested to connect as slave use directed advertising */
792 	if (conn->role == HCI_ROLE_SLAVE) {
793 		/* If we're active scanning most controllers are unable
794 		 * to initiate advertising. Simply reject the attempt.
795 		 */
796 		if (test_bit(HCI_LE_SCAN, &hdev->dev_flags) &&
797 		    hdev->le_scan_type == LE_SCAN_ACTIVE) {
798 			skb_queue_purge(&req.cmd_q);
799 			hci_conn_del(conn);
800 			return ERR_PTR(-EBUSY);
801 		}
802 
803 		hci_req_directed_advertising(&req, conn);
804 		goto create_conn;
805 	}
806 
807 	params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
808 	if (params) {
809 		conn->le_conn_min_interval = params->conn_min_interval;
810 		conn->le_conn_max_interval = params->conn_max_interval;
811 		conn->le_conn_latency = params->conn_latency;
812 		conn->le_supv_timeout = params->supervision_timeout;
813 	} else {
814 		conn->le_conn_min_interval = hdev->le_conn_min_interval;
815 		conn->le_conn_max_interval = hdev->le_conn_max_interval;
816 		conn->le_conn_latency = hdev->le_conn_latency;
817 		conn->le_supv_timeout = hdev->le_supv_timeout;
818 	}
819 
820 	/* If controller is scanning, we stop it since some controllers are
821 	 * not able to scan and connect at the same time. Also set the
822 	 * HCI_LE_SCAN_INTERRUPTED flag so that the command complete
823 	 * handler for scan disabling knows to set the correct discovery
824 	 * state.
825 	 */
826 	if (test_bit(HCI_LE_SCAN, &hdev->dev_flags)) {
827 		hci_req_add_le_scan_disable(&req);
828 		set_bit(HCI_LE_SCAN_INTERRUPTED, &hdev->dev_flags);
829 	}
830 
831 	hci_req_add_le_create_conn(&req, conn);
832 
833 create_conn:
834 	err = hci_req_run(&req, create_le_conn_complete);
835 	if (err) {
836 		hci_conn_del(conn);
837 		return ERR_PTR(err);
838 	}
839 
840 done:
841 	hci_conn_hold(conn);
842 	return conn;
843 }
844 
845 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
846 				 u8 sec_level, u8 auth_type)
847 {
848 	struct hci_conn *acl;
849 
850 	if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
851 		return ERR_PTR(-EOPNOTSUPP);
852 
853 	acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
854 	if (!acl) {
855 		acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
856 		if (!acl)
857 			return ERR_PTR(-ENOMEM);
858 	}
859 
860 	hci_conn_hold(acl);
861 
862 	if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
863 		acl->sec_level = BT_SECURITY_LOW;
864 		acl->pending_sec_level = sec_level;
865 		acl->auth_type = auth_type;
866 		hci_acl_create_connection(acl);
867 	}
868 
869 	return acl;
870 }
871 
872 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
873 				 __u16 setting)
874 {
875 	struct hci_conn *acl;
876 	struct hci_conn *sco;
877 
878 	acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING);
879 	if (IS_ERR(acl))
880 		return acl;
881 
882 	sco = hci_conn_hash_lookup_ba(hdev, type, dst);
883 	if (!sco) {
884 		sco = hci_conn_add(hdev, type, dst, HCI_ROLE_MASTER);
885 		if (!sco) {
886 			hci_conn_drop(acl);
887 			return ERR_PTR(-ENOMEM);
888 		}
889 	}
890 
891 	acl->link = sco;
892 	sco->link = acl;
893 
894 	hci_conn_hold(sco);
895 
896 	sco->setting = setting;
897 
898 	if (acl->state == BT_CONNECTED &&
899 	    (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
900 		set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
901 		hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
902 
903 		if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
904 			/* defer SCO setup until mode change completed */
905 			set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
906 			return sco;
907 		}
908 
909 		hci_sco_setup(acl, 0x00);
910 	}
911 
912 	return sco;
913 }
914 
915 /* Check link security requirement */
916 int hci_conn_check_link_mode(struct hci_conn *conn)
917 {
918 	BT_DBG("hcon %p", conn);
919 
920 	/* In Secure Connections Only mode, it is required that Secure
921 	 * Connections is used and the link is encrypted with AES-CCM
922 	 * using a P-256 authenticated combination key.
923 	 */
924 	if (test_bit(HCI_SC_ONLY, &conn->hdev->flags)) {
925 		if (!hci_conn_sc_enabled(conn) ||
926 		    !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
927 		    conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
928 			return 0;
929 	}
930 
931 	if (hci_conn_ssp_enabled(conn) &&
932 	    !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
933 		return 0;
934 
935 	return 1;
936 }
937 
938 /* Authenticate remote device */
939 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
940 {
941 	BT_DBG("hcon %p", conn);
942 
943 	if (conn->pending_sec_level > sec_level)
944 		sec_level = conn->pending_sec_level;
945 
946 	if (sec_level > conn->sec_level)
947 		conn->pending_sec_level = sec_level;
948 	else if (test_bit(HCI_CONN_AUTH, &conn->flags))
949 		return 1;
950 
951 	/* Make sure we preserve an existing MITM requirement*/
952 	auth_type |= (conn->auth_type & 0x01);
953 
954 	conn->auth_type = auth_type;
955 
956 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
957 		struct hci_cp_auth_requested cp;
958 
959 		cp.handle = cpu_to_le16(conn->handle);
960 		hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
961 			     sizeof(cp), &cp);
962 
963 		/* If we're already encrypted set the REAUTH_PEND flag,
964 		 * otherwise set the ENCRYPT_PEND.
965 		 */
966 		if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
967 			set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
968 		else
969 			set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
970 	}
971 
972 	return 0;
973 }
974 
975 /* Encrypt the the link */
976 static void hci_conn_encrypt(struct hci_conn *conn)
977 {
978 	BT_DBG("hcon %p", conn);
979 
980 	if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
981 		struct hci_cp_set_conn_encrypt cp;
982 		cp.handle  = cpu_to_le16(conn->handle);
983 		cp.encrypt = 0x01;
984 		hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
985 			     &cp);
986 	}
987 }
988 
989 /* Enable security */
990 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
991 		      bool initiator)
992 {
993 	BT_DBG("hcon %p", conn);
994 
995 	if (conn->type == LE_LINK)
996 		return smp_conn_security(conn, sec_level);
997 
998 	/* For sdp we don't need the link key. */
999 	if (sec_level == BT_SECURITY_SDP)
1000 		return 1;
1001 
1002 	/* For non 2.1 devices and low security level we don't need the link
1003 	   key. */
1004 	if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
1005 		return 1;
1006 
1007 	/* For other security levels we need the link key. */
1008 	if (!test_bit(HCI_CONN_AUTH, &conn->flags))
1009 		goto auth;
1010 
1011 	/* An authenticated FIPS approved combination key has sufficient
1012 	 * security for security level 4. */
1013 	if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 &&
1014 	    sec_level == BT_SECURITY_FIPS)
1015 		goto encrypt;
1016 
1017 	/* An authenticated combination key has sufficient security for
1018 	   security level 3. */
1019 	if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 ||
1020 	     conn->key_type == HCI_LK_AUTH_COMBINATION_P256) &&
1021 	    sec_level == BT_SECURITY_HIGH)
1022 		goto encrypt;
1023 
1024 	/* An unauthenticated combination key has sufficient security for
1025 	   security level 1 and 2. */
1026 	if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 ||
1027 	     conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) &&
1028 	    (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW))
1029 		goto encrypt;
1030 
1031 	/* A combination key has always sufficient security for the security
1032 	   levels 1 or 2. High security level requires the combination key
1033 	   is generated using maximum PIN code length (16).
1034 	   For pre 2.1 units. */
1035 	if (conn->key_type == HCI_LK_COMBINATION &&
1036 	    (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW ||
1037 	     conn->pin_length == 16))
1038 		goto encrypt;
1039 
1040 auth:
1041 	if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
1042 		return 0;
1043 
1044 	if (initiator)
1045 		set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1046 
1047 	if (!hci_conn_auth(conn, sec_level, auth_type))
1048 		return 0;
1049 
1050 encrypt:
1051 	if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1052 		return 1;
1053 
1054 	hci_conn_encrypt(conn);
1055 	return 0;
1056 }
1057 EXPORT_SYMBOL(hci_conn_security);
1058 
1059 /* Check secure link requirement */
1060 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
1061 {
1062 	BT_DBG("hcon %p", conn);
1063 
1064 	/* Accept if non-secure or higher security level is required */
1065 	if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
1066 		return 1;
1067 
1068 	/* Accept if secure or higher security level is already present */
1069 	if (conn->sec_level == BT_SECURITY_HIGH ||
1070 	    conn->sec_level == BT_SECURITY_FIPS)
1071 		return 1;
1072 
1073 	/* Reject not secure link */
1074 	return 0;
1075 }
1076 EXPORT_SYMBOL(hci_conn_check_secure);
1077 
1078 /* Change link key */
1079 int hci_conn_change_link_key(struct hci_conn *conn)
1080 {
1081 	BT_DBG("hcon %p", conn);
1082 
1083 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1084 		struct hci_cp_change_conn_link_key cp;
1085 		cp.handle = cpu_to_le16(conn->handle);
1086 		hci_send_cmd(conn->hdev, HCI_OP_CHANGE_CONN_LINK_KEY,
1087 			     sizeof(cp), &cp);
1088 	}
1089 
1090 	return 0;
1091 }
1092 
1093 /* Switch role */
1094 int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
1095 {
1096 	BT_DBG("hcon %p", conn);
1097 
1098 	if (role == conn->role)
1099 		return 1;
1100 
1101 	if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
1102 		struct hci_cp_switch_role cp;
1103 		bacpy(&cp.bdaddr, &conn->dst);
1104 		cp.role = role;
1105 		hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
1106 	}
1107 
1108 	return 0;
1109 }
1110 EXPORT_SYMBOL(hci_conn_switch_role);
1111 
1112 /* Enter active mode */
1113 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
1114 {
1115 	struct hci_dev *hdev = conn->hdev;
1116 
1117 	BT_DBG("hcon %p mode %d", conn, conn->mode);
1118 
1119 	if (conn->mode != HCI_CM_SNIFF)
1120 		goto timer;
1121 
1122 	if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
1123 		goto timer;
1124 
1125 	if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
1126 		struct hci_cp_exit_sniff_mode cp;
1127 		cp.handle = cpu_to_le16(conn->handle);
1128 		hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
1129 	}
1130 
1131 timer:
1132 	if (hdev->idle_timeout > 0)
1133 		queue_delayed_work(hdev->workqueue, &conn->idle_work,
1134 				   msecs_to_jiffies(hdev->idle_timeout));
1135 }
1136 
1137 /* Drop all connection on the device */
1138 void hci_conn_hash_flush(struct hci_dev *hdev)
1139 {
1140 	struct hci_conn_hash *h = &hdev->conn_hash;
1141 	struct hci_conn *c, *n;
1142 
1143 	BT_DBG("hdev %s", hdev->name);
1144 
1145 	list_for_each_entry_safe(c, n, &h->list, list) {
1146 		c->state = BT_CLOSED;
1147 
1148 		hci_proto_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM);
1149 		hci_conn_del(c);
1150 	}
1151 }
1152 
1153 /* Check pending connect attempts */
1154 void hci_conn_check_pending(struct hci_dev *hdev)
1155 {
1156 	struct hci_conn *conn;
1157 
1158 	BT_DBG("hdev %s", hdev->name);
1159 
1160 	hci_dev_lock(hdev);
1161 
1162 	conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2);
1163 	if (conn)
1164 		hci_acl_create_connection(conn);
1165 
1166 	hci_dev_unlock(hdev);
1167 }
1168 
1169 static u32 get_link_mode(struct hci_conn *conn)
1170 {
1171 	u32 link_mode = 0;
1172 
1173 	if (conn->role == HCI_ROLE_MASTER)
1174 		link_mode |= HCI_LM_MASTER;
1175 
1176 	if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1177 		link_mode |= HCI_LM_ENCRYPT;
1178 
1179 	if (test_bit(HCI_CONN_AUTH, &conn->flags))
1180 		link_mode |= HCI_LM_AUTH;
1181 
1182 	if (test_bit(HCI_CONN_SECURE, &conn->flags))
1183 		link_mode |= HCI_LM_SECURE;
1184 
1185 	if (test_bit(HCI_CONN_FIPS, &conn->flags))
1186 		link_mode |= HCI_LM_FIPS;
1187 
1188 	return link_mode;
1189 }
1190 
1191 int hci_get_conn_list(void __user *arg)
1192 {
1193 	struct hci_conn *c;
1194 	struct hci_conn_list_req req, *cl;
1195 	struct hci_conn_info *ci;
1196 	struct hci_dev *hdev;
1197 	int n = 0, size, err;
1198 
1199 	if (copy_from_user(&req, arg, sizeof(req)))
1200 		return -EFAULT;
1201 
1202 	if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
1203 		return -EINVAL;
1204 
1205 	size = sizeof(req) + req.conn_num * sizeof(*ci);
1206 
1207 	cl = kmalloc(size, GFP_KERNEL);
1208 	if (!cl)
1209 		return -ENOMEM;
1210 
1211 	hdev = hci_dev_get(req.dev_id);
1212 	if (!hdev) {
1213 		kfree(cl);
1214 		return -ENODEV;
1215 	}
1216 
1217 	ci = cl->conn_info;
1218 
1219 	hci_dev_lock(hdev);
1220 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
1221 		bacpy(&(ci + n)->bdaddr, &c->dst);
1222 		(ci + n)->handle = c->handle;
1223 		(ci + n)->type  = c->type;
1224 		(ci + n)->out   = c->out;
1225 		(ci + n)->state = c->state;
1226 		(ci + n)->link_mode = get_link_mode(c);
1227 		if (++n >= req.conn_num)
1228 			break;
1229 	}
1230 	hci_dev_unlock(hdev);
1231 
1232 	cl->dev_id = hdev->id;
1233 	cl->conn_num = n;
1234 	size = sizeof(req) + n * sizeof(*ci);
1235 
1236 	hci_dev_put(hdev);
1237 
1238 	err = copy_to_user(arg, cl, size);
1239 	kfree(cl);
1240 
1241 	return err ? -EFAULT : 0;
1242 }
1243 
1244 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
1245 {
1246 	struct hci_conn_info_req req;
1247 	struct hci_conn_info ci;
1248 	struct hci_conn *conn;
1249 	char __user *ptr = arg + sizeof(req);
1250 
1251 	if (copy_from_user(&req, arg, sizeof(req)))
1252 		return -EFAULT;
1253 
1254 	hci_dev_lock(hdev);
1255 	conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
1256 	if (conn) {
1257 		bacpy(&ci.bdaddr, &conn->dst);
1258 		ci.handle = conn->handle;
1259 		ci.type  = conn->type;
1260 		ci.out   = conn->out;
1261 		ci.state = conn->state;
1262 		ci.link_mode = get_link_mode(conn);
1263 	}
1264 	hci_dev_unlock(hdev);
1265 
1266 	if (!conn)
1267 		return -ENOENT;
1268 
1269 	return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
1270 }
1271 
1272 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
1273 {
1274 	struct hci_auth_info_req req;
1275 	struct hci_conn *conn;
1276 
1277 	if (copy_from_user(&req, arg, sizeof(req)))
1278 		return -EFAULT;
1279 
1280 	hci_dev_lock(hdev);
1281 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
1282 	if (conn)
1283 		req.type = conn->auth_type;
1284 	hci_dev_unlock(hdev);
1285 
1286 	if (!conn)
1287 		return -ENOENT;
1288 
1289 	return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
1290 }
1291 
1292 struct hci_chan *hci_chan_create(struct hci_conn *conn)
1293 {
1294 	struct hci_dev *hdev = conn->hdev;
1295 	struct hci_chan *chan;
1296 
1297 	BT_DBG("%s hcon %p", hdev->name, conn);
1298 
1299 	if (test_bit(HCI_CONN_DROP, &conn->flags)) {
1300 		BT_DBG("Refusing to create new hci_chan");
1301 		return NULL;
1302 	}
1303 
1304 	chan = kzalloc(sizeof(*chan), GFP_KERNEL);
1305 	if (!chan)
1306 		return NULL;
1307 
1308 	chan->conn = hci_conn_get(conn);
1309 	skb_queue_head_init(&chan->data_q);
1310 	chan->state = BT_CONNECTED;
1311 
1312 	list_add_rcu(&chan->list, &conn->chan_list);
1313 
1314 	return chan;
1315 }
1316 
1317 void hci_chan_del(struct hci_chan *chan)
1318 {
1319 	struct hci_conn *conn = chan->conn;
1320 	struct hci_dev *hdev = conn->hdev;
1321 
1322 	BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
1323 
1324 	list_del_rcu(&chan->list);
1325 
1326 	synchronize_rcu();
1327 
1328 	/* Prevent new hci_chan's to be created for this hci_conn */
1329 	set_bit(HCI_CONN_DROP, &conn->flags);
1330 
1331 	hci_conn_put(conn);
1332 
1333 	skb_queue_purge(&chan->data_q);
1334 	kfree(chan);
1335 }
1336 
1337 void hci_chan_list_flush(struct hci_conn *conn)
1338 {
1339 	struct hci_chan *chan, *n;
1340 
1341 	BT_DBG("hcon %p", conn);
1342 
1343 	list_for_each_entry_safe(chan, n, &conn->chan_list, list)
1344 		hci_chan_del(chan);
1345 }
1346 
1347 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
1348 						 __u16 handle)
1349 {
1350 	struct hci_chan *hchan;
1351 
1352 	list_for_each_entry(hchan, &hcon->chan_list, list) {
1353 		if (hchan->handle == handle)
1354 			return hchan;
1355 	}
1356 
1357 	return NULL;
1358 }
1359 
1360 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
1361 {
1362 	struct hci_conn_hash *h = &hdev->conn_hash;
1363 	struct hci_conn *hcon;
1364 	struct hci_chan *hchan = NULL;
1365 
1366 	rcu_read_lock();
1367 
1368 	list_for_each_entry_rcu(hcon, &h->list, list) {
1369 		hchan = __hci_chan_lookup_handle(hcon, handle);
1370 		if (hchan)
1371 			break;
1372 	}
1373 
1374 	rcu_read_unlock();
1375 
1376 	return hchan;
1377 }
1378