xref: /openbmc/linux/net/bluetooth/hci_conn.c (revision b34e08d5)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4 
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth HCI connection handling. */
26 
27 #include <linux/export.h>
28 
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 
32 #include "smp.h"
33 #include "a2mp.h"
34 
35 struct sco_param {
36 	u16 pkt_type;
37 	u16 max_latency;
38 };
39 
40 static const struct sco_param sco_param_cvsd[] = {
41 	{ EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a }, /* S3 */
42 	{ EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007 }, /* S2 */
43 	{ EDR_ESCO_MASK | ESCO_EV3,   0x0007 }, /* S1 */
44 	{ EDR_ESCO_MASK | ESCO_HV3,   0xffff }, /* D1 */
45 	{ EDR_ESCO_MASK | ESCO_HV1,   0xffff }, /* D0 */
46 };
47 
48 static const struct sco_param sco_param_wideband[] = {
49 	{ EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d }, /* T2 */
50 	{ EDR_ESCO_MASK | ESCO_EV3,   0x0008 }, /* T1 */
51 };
52 
53 static void hci_le_create_connection_cancel(struct hci_conn *conn)
54 {
55 	hci_send_cmd(conn->hdev, HCI_OP_LE_CREATE_CONN_CANCEL, 0, NULL);
56 }
57 
58 static void hci_acl_create_connection(struct hci_conn *conn)
59 {
60 	struct hci_dev *hdev = conn->hdev;
61 	struct inquiry_entry *ie;
62 	struct hci_cp_create_conn cp;
63 
64 	BT_DBG("hcon %p", conn);
65 
66 	conn->state = BT_CONNECT;
67 	conn->out = true;
68 
69 	conn->link_mode = HCI_LM_MASTER;
70 
71 	conn->attempt++;
72 
73 	conn->link_policy = hdev->link_policy;
74 
75 	memset(&cp, 0, sizeof(cp));
76 	bacpy(&cp.bdaddr, &conn->dst);
77 	cp.pscan_rep_mode = 0x02;
78 
79 	ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
80 	if (ie) {
81 		if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) {
82 			cp.pscan_rep_mode = ie->data.pscan_rep_mode;
83 			cp.pscan_mode     = ie->data.pscan_mode;
84 			cp.clock_offset   = ie->data.clock_offset |
85 					    cpu_to_le16(0x8000);
86 		}
87 
88 		memcpy(conn->dev_class, ie->data.dev_class, 3);
89 		if (ie->data.ssp_mode > 0)
90 			set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
91 	}
92 
93 	cp.pkt_type = cpu_to_le16(conn->pkt_type);
94 	if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER))
95 		cp.role_switch = 0x01;
96 	else
97 		cp.role_switch = 0x00;
98 
99 	hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
100 }
101 
102 static void hci_acl_create_connection_cancel(struct hci_conn *conn)
103 {
104 	struct hci_cp_create_conn_cancel cp;
105 
106 	BT_DBG("hcon %p", conn);
107 
108 	if (conn->hdev->hci_ver < BLUETOOTH_VER_1_2)
109 		return;
110 
111 	bacpy(&cp.bdaddr, &conn->dst);
112 	hci_send_cmd(conn->hdev, HCI_OP_CREATE_CONN_CANCEL, sizeof(cp), &cp);
113 }
114 
115 static void hci_reject_sco(struct hci_conn *conn)
116 {
117 	struct hci_cp_reject_sync_conn_req cp;
118 
119 	cp.reason = HCI_ERROR_REMOTE_USER_TERM;
120 	bacpy(&cp.bdaddr, &conn->dst);
121 
122 	hci_send_cmd(conn->hdev, HCI_OP_REJECT_SYNC_CONN_REQ, sizeof(cp), &cp);
123 }
124 
125 void hci_disconnect(struct hci_conn *conn, __u8 reason)
126 {
127 	struct hci_cp_disconnect cp;
128 
129 	BT_DBG("hcon %p", conn);
130 
131 	conn->state = BT_DISCONN;
132 
133 	cp.handle = cpu_to_le16(conn->handle);
134 	cp.reason = reason;
135 	hci_send_cmd(conn->hdev, HCI_OP_DISCONNECT, sizeof(cp), &cp);
136 }
137 
138 static void hci_amp_disconn(struct hci_conn *conn, __u8 reason)
139 {
140 	struct hci_cp_disconn_phy_link cp;
141 
142 	BT_DBG("hcon %p", conn);
143 
144 	conn->state = BT_DISCONN;
145 
146 	cp.phy_handle = HCI_PHY_HANDLE(conn->handle);
147 	cp.reason = reason;
148 	hci_send_cmd(conn->hdev, HCI_OP_DISCONN_PHY_LINK,
149 		     sizeof(cp), &cp);
150 }
151 
152 static void hci_add_sco(struct hci_conn *conn, __u16 handle)
153 {
154 	struct hci_dev *hdev = conn->hdev;
155 	struct hci_cp_add_sco cp;
156 
157 	BT_DBG("hcon %p", conn);
158 
159 	conn->state = BT_CONNECT;
160 	conn->out = true;
161 
162 	conn->attempt++;
163 
164 	cp.handle   = cpu_to_le16(handle);
165 	cp.pkt_type = cpu_to_le16(conn->pkt_type);
166 
167 	hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
168 }
169 
170 bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
171 {
172 	struct hci_dev *hdev = conn->hdev;
173 	struct hci_cp_setup_sync_conn cp;
174 	const struct sco_param *param;
175 
176 	BT_DBG("hcon %p", conn);
177 
178 	conn->state = BT_CONNECT;
179 	conn->out = true;
180 
181 	conn->attempt++;
182 
183 	cp.handle   = cpu_to_le16(handle);
184 
185 	cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
186 	cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
187 	cp.voice_setting  = cpu_to_le16(conn->setting);
188 
189 	switch (conn->setting & SCO_AIRMODE_MASK) {
190 	case SCO_AIRMODE_TRANSP:
191 		if (conn->attempt > ARRAY_SIZE(sco_param_wideband))
192 			return false;
193 		cp.retrans_effort = 0x02;
194 		param = &sco_param_wideband[conn->attempt - 1];
195 		break;
196 	case SCO_AIRMODE_CVSD:
197 		if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
198 			return false;
199 		cp.retrans_effort = 0x01;
200 		param = &sco_param_cvsd[conn->attempt - 1];
201 		break;
202 	default:
203 		return false;
204 	}
205 
206 	cp.pkt_type = __cpu_to_le16(param->pkt_type);
207 	cp.max_latency = __cpu_to_le16(param->max_latency);
208 
209 	if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
210 		return false;
211 
212 	return true;
213 }
214 
215 void hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max,
216 			u16 latency, u16 to_multiplier)
217 {
218 	struct hci_cp_le_conn_update cp;
219 	struct hci_dev *hdev = conn->hdev;
220 
221 	memset(&cp, 0, sizeof(cp));
222 
223 	cp.handle		= cpu_to_le16(conn->handle);
224 	cp.conn_interval_min	= cpu_to_le16(min);
225 	cp.conn_interval_max	= cpu_to_le16(max);
226 	cp.conn_latency		= cpu_to_le16(latency);
227 	cp.supervision_timeout	= cpu_to_le16(to_multiplier);
228 	cp.min_ce_len		= cpu_to_le16(0x0000);
229 	cp.max_ce_len		= cpu_to_le16(0x0000);
230 
231 	hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
232 }
233 
234 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
235 		      __u8 ltk[16])
236 {
237 	struct hci_dev *hdev = conn->hdev;
238 	struct hci_cp_le_start_enc cp;
239 
240 	BT_DBG("hcon %p", conn);
241 
242 	memset(&cp, 0, sizeof(cp));
243 
244 	cp.handle = cpu_to_le16(conn->handle);
245 	cp.rand = rand;
246 	cp.ediv = ediv;
247 	memcpy(cp.ltk, ltk, sizeof(cp.ltk));
248 
249 	hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
250 }
251 
252 /* Device _must_ be locked */
253 void hci_sco_setup(struct hci_conn *conn, __u8 status)
254 {
255 	struct hci_conn *sco = conn->link;
256 
257 	if (!sco)
258 		return;
259 
260 	BT_DBG("hcon %p", conn);
261 
262 	if (!status) {
263 		if (lmp_esco_capable(conn->hdev))
264 			hci_setup_sync(sco, conn->handle);
265 		else
266 			hci_add_sco(sco, conn->handle);
267 	} else {
268 		hci_proto_connect_cfm(sco, status);
269 		hci_conn_del(sco);
270 	}
271 }
272 
273 static void hci_conn_disconnect(struct hci_conn *conn)
274 {
275 	__u8 reason = hci_proto_disconn_ind(conn);
276 
277 	switch (conn->type) {
278 	case AMP_LINK:
279 		hci_amp_disconn(conn, reason);
280 		break;
281 	default:
282 		hci_disconnect(conn, reason);
283 		break;
284 	}
285 }
286 
287 static void hci_conn_timeout(struct work_struct *work)
288 {
289 	struct hci_conn *conn = container_of(work, struct hci_conn,
290 					     disc_work.work);
291 
292 	BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
293 
294 	if (atomic_read(&conn->refcnt))
295 		return;
296 
297 	switch (conn->state) {
298 	case BT_CONNECT:
299 	case BT_CONNECT2:
300 		if (conn->out) {
301 			if (conn->type == ACL_LINK)
302 				hci_acl_create_connection_cancel(conn);
303 			else if (conn->type == LE_LINK)
304 				hci_le_create_connection_cancel(conn);
305 		} else if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
306 			hci_reject_sco(conn);
307 		}
308 		break;
309 	case BT_CONFIG:
310 	case BT_CONNECTED:
311 		hci_conn_disconnect(conn);
312 		break;
313 	default:
314 		conn->state = BT_CLOSED;
315 		break;
316 	}
317 }
318 
319 /* Enter sniff mode */
320 static void hci_conn_idle(struct work_struct *work)
321 {
322 	struct hci_conn *conn = container_of(work, struct hci_conn,
323 					     idle_work.work);
324 	struct hci_dev *hdev = conn->hdev;
325 
326 	BT_DBG("hcon %p mode %d", conn, conn->mode);
327 
328 	if (test_bit(HCI_RAW, &hdev->flags))
329 		return;
330 
331 	if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
332 		return;
333 
334 	if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
335 		return;
336 
337 	if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
338 		struct hci_cp_sniff_subrate cp;
339 		cp.handle             = cpu_to_le16(conn->handle);
340 		cp.max_latency        = cpu_to_le16(0);
341 		cp.min_remote_timeout = cpu_to_le16(0);
342 		cp.min_local_timeout  = cpu_to_le16(0);
343 		hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
344 	}
345 
346 	if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
347 		struct hci_cp_sniff_mode cp;
348 		cp.handle       = cpu_to_le16(conn->handle);
349 		cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
350 		cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
351 		cp.attempt      = cpu_to_le16(4);
352 		cp.timeout      = cpu_to_le16(1);
353 		hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
354 	}
355 }
356 
357 static void hci_conn_auto_accept(struct work_struct *work)
358 {
359 	struct hci_conn *conn = container_of(work, struct hci_conn,
360 					     auto_accept_work.work);
361 
362 	hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
363 		     &conn->dst);
364 }
365 
366 static void le_conn_timeout(struct work_struct *work)
367 {
368 	struct hci_conn *conn = container_of(work, struct hci_conn,
369 					     le_conn_timeout.work);
370 
371 	BT_DBG("");
372 
373 	hci_le_create_connection_cancel(conn);
374 }
375 
376 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
377 {
378 	struct hci_conn *conn;
379 
380 	BT_DBG("%s dst %pMR", hdev->name, dst);
381 
382 	conn = kzalloc(sizeof(struct hci_conn), GFP_KERNEL);
383 	if (!conn)
384 		return NULL;
385 
386 	bacpy(&conn->dst, dst);
387 	bacpy(&conn->src, &hdev->bdaddr);
388 	conn->hdev  = hdev;
389 	conn->type  = type;
390 	conn->mode  = HCI_CM_ACTIVE;
391 	conn->state = BT_OPEN;
392 	conn->auth_type = HCI_AT_GENERAL_BONDING;
393 	conn->io_capability = hdev->io_capability;
394 	conn->remote_auth = 0xff;
395 	conn->key_type = 0xff;
396 
397 	set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
398 	conn->disc_timeout = HCI_DISCONN_TIMEOUT;
399 
400 	switch (type) {
401 	case ACL_LINK:
402 		conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
403 		break;
404 	case SCO_LINK:
405 		if (lmp_esco_capable(hdev))
406 			conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
407 					(hdev->esco_type & EDR_ESCO_MASK);
408 		else
409 			conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
410 		break;
411 	case ESCO_LINK:
412 		conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
413 		break;
414 	}
415 
416 	skb_queue_head_init(&conn->data_q);
417 
418 	INIT_LIST_HEAD(&conn->chan_list);
419 
420 	INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
421 	INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
422 	INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
423 	INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
424 
425 	atomic_set(&conn->refcnt, 0);
426 
427 	hci_dev_hold(hdev);
428 
429 	hci_conn_hash_add(hdev, conn);
430 	if (hdev->notify)
431 		hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
432 
433 	hci_conn_init_sysfs(conn);
434 
435 	return conn;
436 }
437 
438 int hci_conn_del(struct hci_conn *conn)
439 {
440 	struct hci_dev *hdev = conn->hdev;
441 
442 	BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
443 
444 	cancel_delayed_work_sync(&conn->disc_work);
445 	cancel_delayed_work_sync(&conn->auto_accept_work);
446 	cancel_delayed_work_sync(&conn->idle_work);
447 
448 	if (conn->type == ACL_LINK) {
449 		struct hci_conn *sco = conn->link;
450 		if (sco)
451 			sco->link = NULL;
452 
453 		/* Unacked frames */
454 		hdev->acl_cnt += conn->sent;
455 	} else if (conn->type == LE_LINK) {
456 		cancel_delayed_work_sync(&conn->le_conn_timeout);
457 
458 		if (hdev->le_pkts)
459 			hdev->le_cnt += conn->sent;
460 		else
461 			hdev->acl_cnt += conn->sent;
462 	} else {
463 		struct hci_conn *acl = conn->link;
464 		if (acl) {
465 			acl->link = NULL;
466 			hci_conn_drop(acl);
467 		}
468 	}
469 
470 	hci_chan_list_flush(conn);
471 
472 	if (conn->amp_mgr)
473 		amp_mgr_put(conn->amp_mgr);
474 
475 	hci_conn_hash_del(hdev, conn);
476 	if (hdev->notify)
477 		hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
478 
479 	skb_queue_purge(&conn->data_q);
480 
481 	hci_conn_del_sysfs(conn);
482 
483 	hci_dev_put(hdev);
484 
485 	hci_conn_put(conn);
486 
487 	return 0;
488 }
489 
490 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src)
491 {
492 	int use_src = bacmp(src, BDADDR_ANY);
493 	struct hci_dev *hdev = NULL, *d;
494 
495 	BT_DBG("%pMR -> %pMR", src, dst);
496 
497 	read_lock(&hci_dev_list_lock);
498 
499 	list_for_each_entry(d, &hci_dev_list, list) {
500 		if (!test_bit(HCI_UP, &d->flags) ||
501 		    test_bit(HCI_RAW, &d->flags) ||
502 		    test_bit(HCI_USER_CHANNEL, &d->dev_flags) ||
503 		    d->dev_type != HCI_BREDR)
504 			continue;
505 
506 		/* Simple routing:
507 		 *   No source address - find interface with bdaddr != dst
508 		 *   Source address    - find interface with bdaddr == src
509 		 */
510 
511 		if (use_src) {
512 			if (!bacmp(&d->bdaddr, src)) {
513 				hdev = d; break;
514 			}
515 		} else {
516 			if (bacmp(&d->bdaddr, dst)) {
517 				hdev = d; break;
518 			}
519 		}
520 	}
521 
522 	if (hdev)
523 		hdev = hci_dev_hold(hdev);
524 
525 	read_unlock(&hci_dev_list_lock);
526 	return hdev;
527 }
528 EXPORT_SYMBOL(hci_get_route);
529 
530 /* This function requires the caller holds hdev->lock */
531 void hci_le_conn_failed(struct hci_conn *conn, u8 status)
532 {
533 	struct hci_dev *hdev = conn->hdev;
534 
535 	conn->state = BT_CLOSED;
536 
537 	mgmt_connect_failed(hdev, &conn->dst, conn->type, conn->dst_type,
538 			    status);
539 
540 	hci_proto_connect_cfm(conn, status);
541 
542 	hci_conn_del(conn);
543 
544 	/* Since we may have temporarily stopped the background scanning in
545 	 * favor of connection establishment, we should restart it.
546 	 */
547 	hci_update_background_scan(hdev);
548 }
549 
550 static void create_le_conn_complete(struct hci_dev *hdev, u8 status)
551 {
552 	struct hci_conn *conn;
553 
554 	if (status == 0)
555 		return;
556 
557 	BT_ERR("HCI request failed to create LE connection: status 0x%2.2x",
558 	       status);
559 
560 	hci_dev_lock(hdev);
561 
562 	conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
563 	if (!conn)
564 		goto done;
565 
566 	hci_le_conn_failed(conn, status);
567 
568 done:
569 	hci_dev_unlock(hdev);
570 }
571 
572 static void hci_req_add_le_create_conn(struct hci_request *req,
573 				       struct hci_conn *conn)
574 {
575 	struct hci_cp_le_create_conn cp;
576 	struct hci_dev *hdev = conn->hdev;
577 	u8 own_addr_type;
578 
579 	memset(&cp, 0, sizeof(cp));
580 
581 	/* Update random address, but set require_privacy to false so
582 	 * that we never connect with an unresolvable address.
583 	 */
584 	if (hci_update_random_address(req, false, &own_addr_type))
585 		return;
586 
587 	/* Save the address type used for this connnection attempt so we able
588 	 * to retrieve this information if we need it.
589 	 */
590 	conn->src_type = own_addr_type;
591 
592 	cp.scan_interval = cpu_to_le16(hdev->le_scan_interval);
593 	cp.scan_window = cpu_to_le16(hdev->le_scan_window);
594 	bacpy(&cp.peer_addr, &conn->dst);
595 	cp.peer_addr_type = conn->dst_type;
596 	cp.own_address_type = own_addr_type;
597 	cp.conn_interval_min = cpu_to_le16(conn->le_conn_min_interval);
598 	cp.conn_interval_max = cpu_to_le16(conn->le_conn_max_interval);
599 	cp.supervision_timeout = cpu_to_le16(0x002a);
600 	cp.min_ce_len = cpu_to_le16(0x0000);
601 	cp.max_ce_len = cpu_to_le16(0x0000);
602 
603 	hci_req_add(req, HCI_OP_LE_CREATE_CONN, sizeof(cp), &cp);
604 
605 	conn->state = BT_CONNECT;
606 }
607 
608 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
609 				u8 dst_type, u8 sec_level, u8 auth_type)
610 {
611 	struct hci_conn_params *params;
612 	struct hci_conn *conn;
613 	struct smp_irk *irk;
614 	struct hci_request req;
615 	int err;
616 
617 	if (test_bit(HCI_ADVERTISING, &hdev->flags))
618 		return ERR_PTR(-ENOTSUPP);
619 
620 	/* Some devices send ATT messages as soon as the physical link is
621 	 * established. To be able to handle these ATT messages, the user-
622 	 * space first establishes the connection and then starts the pairing
623 	 * process.
624 	 *
625 	 * So if a hci_conn object already exists for the following connection
626 	 * attempt, we simply update pending_sec_level and auth_type fields
627 	 * and return the object found.
628 	 */
629 	conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, dst);
630 	if (conn) {
631 		conn->pending_sec_level = sec_level;
632 		conn->auth_type = auth_type;
633 		goto done;
634 	}
635 
636 	/* Since the controller supports only one LE connection attempt at a
637 	 * time, we return -EBUSY if there is any connection attempt running.
638 	 */
639 	conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
640 	if (conn)
641 		return ERR_PTR(-EBUSY);
642 
643 	/* When given an identity address with existing identity
644 	 * resolving key, the connection needs to be established
645 	 * to a resolvable random address.
646 	 *
647 	 * This uses the cached random resolvable address from
648 	 * a previous scan. When no cached address is available,
649 	 * try connecting to the identity address instead.
650 	 *
651 	 * Storing the resolvable random address is required here
652 	 * to handle connection failures. The address will later
653 	 * be resolved back into the original identity address
654 	 * from the connect request.
655 	 */
656 	irk = hci_find_irk_by_addr(hdev, dst, dst_type);
657 	if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
658 		dst = &irk->rpa;
659 		dst_type = ADDR_LE_DEV_RANDOM;
660 	}
661 
662 	conn = hci_conn_add(hdev, LE_LINK, dst);
663 	if (!conn)
664 		return ERR_PTR(-ENOMEM);
665 
666 	conn->dst_type = dst_type;
667 
668 	conn->out = true;
669 	conn->link_mode |= HCI_LM_MASTER;
670 	conn->sec_level = BT_SECURITY_LOW;
671 	conn->pending_sec_level = sec_level;
672 	conn->auth_type = auth_type;
673 
674 	params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
675 	if (params) {
676 		conn->le_conn_min_interval = params->conn_min_interval;
677 		conn->le_conn_max_interval = params->conn_max_interval;
678 	} else {
679 		conn->le_conn_min_interval = hdev->le_conn_min_interval;
680 		conn->le_conn_max_interval = hdev->le_conn_max_interval;
681 	}
682 
683 	hci_req_init(&req, hdev);
684 
685 	/* If controller is scanning, we stop it since some controllers are
686 	 * not able to scan and connect at the same time. Also set the
687 	 * HCI_LE_SCAN_INTERRUPTED flag so that the command complete
688 	 * handler for scan disabling knows to set the correct discovery
689 	 * state.
690 	 */
691 	if (test_bit(HCI_LE_SCAN, &hdev->dev_flags)) {
692 		hci_req_add_le_scan_disable(&req);
693 		set_bit(HCI_LE_SCAN_INTERRUPTED, &hdev->dev_flags);
694 	}
695 
696 	hci_req_add_le_create_conn(&req, conn);
697 
698 	err = hci_req_run(&req, create_le_conn_complete);
699 	if (err) {
700 		hci_conn_del(conn);
701 		return ERR_PTR(err);
702 	}
703 
704 done:
705 	hci_conn_hold(conn);
706 	return conn;
707 }
708 
709 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
710 				 u8 sec_level, u8 auth_type)
711 {
712 	struct hci_conn *acl;
713 
714 	if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
715 		return ERR_PTR(-ENOTSUPP);
716 
717 	acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
718 	if (!acl) {
719 		acl = hci_conn_add(hdev, ACL_LINK, dst);
720 		if (!acl)
721 			return ERR_PTR(-ENOMEM);
722 	}
723 
724 	hci_conn_hold(acl);
725 
726 	if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
727 		acl->sec_level = BT_SECURITY_LOW;
728 		acl->pending_sec_level = sec_level;
729 		acl->auth_type = auth_type;
730 		hci_acl_create_connection(acl);
731 	}
732 
733 	return acl;
734 }
735 
736 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
737 				 __u16 setting)
738 {
739 	struct hci_conn *acl;
740 	struct hci_conn *sco;
741 
742 	acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING);
743 	if (IS_ERR(acl))
744 		return acl;
745 
746 	sco = hci_conn_hash_lookup_ba(hdev, type, dst);
747 	if (!sco) {
748 		sco = hci_conn_add(hdev, type, dst);
749 		if (!sco) {
750 			hci_conn_drop(acl);
751 			return ERR_PTR(-ENOMEM);
752 		}
753 	}
754 
755 	acl->link = sco;
756 	sco->link = acl;
757 
758 	hci_conn_hold(sco);
759 
760 	sco->setting = setting;
761 
762 	if (acl->state == BT_CONNECTED &&
763 	    (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
764 		set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
765 		hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
766 
767 		if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
768 			/* defer SCO setup until mode change completed */
769 			set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
770 			return sco;
771 		}
772 
773 		hci_sco_setup(acl, 0x00);
774 	}
775 
776 	return sco;
777 }
778 
779 /* Check link security requirement */
780 int hci_conn_check_link_mode(struct hci_conn *conn)
781 {
782 	BT_DBG("hcon %p", conn);
783 
784 	/* In Secure Connections Only mode, it is required that Secure
785 	 * Connections is used and the link is encrypted with AES-CCM
786 	 * using a P-256 authenticated combination key.
787 	 */
788 	if (test_bit(HCI_SC_ONLY, &conn->hdev->flags)) {
789 		if (!hci_conn_sc_enabled(conn) ||
790 		    !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
791 		    conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
792 			return 0;
793 	}
794 
795 	if (hci_conn_ssp_enabled(conn) && !(conn->link_mode & HCI_LM_ENCRYPT))
796 		return 0;
797 
798 	return 1;
799 }
800 
801 /* Authenticate remote device */
802 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
803 {
804 	BT_DBG("hcon %p", conn);
805 
806 	if (conn->pending_sec_level > sec_level)
807 		sec_level = conn->pending_sec_level;
808 
809 	if (sec_level > conn->sec_level)
810 		conn->pending_sec_level = sec_level;
811 	else if (conn->link_mode & HCI_LM_AUTH)
812 		return 1;
813 
814 	/* Make sure we preserve an existing MITM requirement*/
815 	auth_type |= (conn->auth_type & 0x01);
816 
817 	conn->auth_type = auth_type;
818 
819 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
820 		struct hci_cp_auth_requested cp;
821 
822 		/* encrypt must be pending if auth is also pending */
823 		set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
824 
825 		cp.handle = cpu_to_le16(conn->handle);
826 		hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
827 			     sizeof(cp), &cp);
828 		if (conn->key_type != 0xff)
829 			set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
830 	}
831 
832 	return 0;
833 }
834 
835 /* Encrypt the the link */
836 static void hci_conn_encrypt(struct hci_conn *conn)
837 {
838 	BT_DBG("hcon %p", conn);
839 
840 	if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
841 		struct hci_cp_set_conn_encrypt cp;
842 		cp.handle  = cpu_to_le16(conn->handle);
843 		cp.encrypt = 0x01;
844 		hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
845 			     &cp);
846 	}
847 }
848 
849 /* Enable security */
850 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
851 {
852 	BT_DBG("hcon %p", conn);
853 
854 	if (conn->type == LE_LINK)
855 		return smp_conn_security(conn, sec_level);
856 
857 	/* For sdp we don't need the link key. */
858 	if (sec_level == BT_SECURITY_SDP)
859 		return 1;
860 
861 	/* For non 2.1 devices and low security level we don't need the link
862 	   key. */
863 	if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
864 		return 1;
865 
866 	/* For other security levels we need the link key. */
867 	if (!(conn->link_mode & HCI_LM_AUTH))
868 		goto auth;
869 
870 	/* An authenticated FIPS approved combination key has sufficient
871 	 * security for security level 4. */
872 	if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 &&
873 	    sec_level == BT_SECURITY_FIPS)
874 		goto encrypt;
875 
876 	/* An authenticated combination key has sufficient security for
877 	   security level 3. */
878 	if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 ||
879 	     conn->key_type == HCI_LK_AUTH_COMBINATION_P256) &&
880 	    sec_level == BT_SECURITY_HIGH)
881 		goto encrypt;
882 
883 	/* An unauthenticated combination key has sufficient security for
884 	   security level 1 and 2. */
885 	if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 ||
886 	     conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) &&
887 	    (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW))
888 		goto encrypt;
889 
890 	/* A combination key has always sufficient security for the security
891 	   levels 1 or 2. High security level requires the combination key
892 	   is generated using maximum PIN code length (16).
893 	   For pre 2.1 units. */
894 	if (conn->key_type == HCI_LK_COMBINATION &&
895 	    (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW ||
896 	     conn->pin_length == 16))
897 		goto encrypt;
898 
899 auth:
900 	if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
901 		return 0;
902 
903 	if (!hci_conn_auth(conn, sec_level, auth_type))
904 		return 0;
905 
906 encrypt:
907 	if (conn->link_mode & HCI_LM_ENCRYPT)
908 		return 1;
909 
910 	hci_conn_encrypt(conn);
911 	return 0;
912 }
913 EXPORT_SYMBOL(hci_conn_security);
914 
915 /* Check secure link requirement */
916 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
917 {
918 	BT_DBG("hcon %p", conn);
919 
920 	/* Accept if non-secure or higher security level is required */
921 	if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
922 		return 1;
923 
924 	/* Accept if secure or higher security level is already present */
925 	if (conn->sec_level == BT_SECURITY_HIGH ||
926 	    conn->sec_level == BT_SECURITY_FIPS)
927 		return 1;
928 
929 	/* Reject not secure link */
930 	return 0;
931 }
932 EXPORT_SYMBOL(hci_conn_check_secure);
933 
934 /* Change link key */
935 int hci_conn_change_link_key(struct hci_conn *conn)
936 {
937 	BT_DBG("hcon %p", conn);
938 
939 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
940 		struct hci_cp_change_conn_link_key cp;
941 		cp.handle = cpu_to_le16(conn->handle);
942 		hci_send_cmd(conn->hdev, HCI_OP_CHANGE_CONN_LINK_KEY,
943 			     sizeof(cp), &cp);
944 	}
945 
946 	return 0;
947 }
948 
949 /* Switch role */
950 int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
951 {
952 	BT_DBG("hcon %p", conn);
953 
954 	if (!role && conn->link_mode & HCI_LM_MASTER)
955 		return 1;
956 
957 	if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
958 		struct hci_cp_switch_role cp;
959 		bacpy(&cp.bdaddr, &conn->dst);
960 		cp.role = role;
961 		hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
962 	}
963 
964 	return 0;
965 }
966 EXPORT_SYMBOL(hci_conn_switch_role);
967 
968 /* Enter active mode */
969 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
970 {
971 	struct hci_dev *hdev = conn->hdev;
972 
973 	BT_DBG("hcon %p mode %d", conn, conn->mode);
974 
975 	if (test_bit(HCI_RAW, &hdev->flags))
976 		return;
977 
978 	if (conn->mode != HCI_CM_SNIFF)
979 		goto timer;
980 
981 	if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
982 		goto timer;
983 
984 	if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
985 		struct hci_cp_exit_sniff_mode cp;
986 		cp.handle = cpu_to_le16(conn->handle);
987 		hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
988 	}
989 
990 timer:
991 	if (hdev->idle_timeout > 0)
992 		queue_delayed_work(hdev->workqueue, &conn->idle_work,
993 				   msecs_to_jiffies(hdev->idle_timeout));
994 }
995 
996 /* Drop all connection on the device */
997 void hci_conn_hash_flush(struct hci_dev *hdev)
998 {
999 	struct hci_conn_hash *h = &hdev->conn_hash;
1000 	struct hci_conn *c, *n;
1001 
1002 	BT_DBG("hdev %s", hdev->name);
1003 
1004 	list_for_each_entry_safe(c, n, &h->list, list) {
1005 		c->state = BT_CLOSED;
1006 
1007 		hci_proto_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM);
1008 		hci_conn_del(c);
1009 	}
1010 }
1011 
1012 /* Check pending connect attempts */
1013 void hci_conn_check_pending(struct hci_dev *hdev)
1014 {
1015 	struct hci_conn *conn;
1016 
1017 	BT_DBG("hdev %s", hdev->name);
1018 
1019 	hci_dev_lock(hdev);
1020 
1021 	conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2);
1022 	if (conn)
1023 		hci_acl_create_connection(conn);
1024 
1025 	hci_dev_unlock(hdev);
1026 }
1027 
1028 int hci_get_conn_list(void __user *arg)
1029 {
1030 	struct hci_conn *c;
1031 	struct hci_conn_list_req req, *cl;
1032 	struct hci_conn_info *ci;
1033 	struct hci_dev *hdev;
1034 	int n = 0, size, err;
1035 
1036 	if (copy_from_user(&req, arg, sizeof(req)))
1037 		return -EFAULT;
1038 
1039 	if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
1040 		return -EINVAL;
1041 
1042 	size = sizeof(req) + req.conn_num * sizeof(*ci);
1043 
1044 	cl = kmalloc(size, GFP_KERNEL);
1045 	if (!cl)
1046 		return -ENOMEM;
1047 
1048 	hdev = hci_dev_get(req.dev_id);
1049 	if (!hdev) {
1050 		kfree(cl);
1051 		return -ENODEV;
1052 	}
1053 
1054 	ci = cl->conn_info;
1055 
1056 	hci_dev_lock(hdev);
1057 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
1058 		bacpy(&(ci + n)->bdaddr, &c->dst);
1059 		(ci + n)->handle = c->handle;
1060 		(ci + n)->type  = c->type;
1061 		(ci + n)->out   = c->out;
1062 		(ci + n)->state = c->state;
1063 		(ci + n)->link_mode = c->link_mode;
1064 		if (++n >= req.conn_num)
1065 			break;
1066 	}
1067 	hci_dev_unlock(hdev);
1068 
1069 	cl->dev_id = hdev->id;
1070 	cl->conn_num = n;
1071 	size = sizeof(req) + n * sizeof(*ci);
1072 
1073 	hci_dev_put(hdev);
1074 
1075 	err = copy_to_user(arg, cl, size);
1076 	kfree(cl);
1077 
1078 	return err ? -EFAULT : 0;
1079 }
1080 
1081 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
1082 {
1083 	struct hci_conn_info_req req;
1084 	struct hci_conn_info ci;
1085 	struct hci_conn *conn;
1086 	char __user *ptr = arg + sizeof(req);
1087 
1088 	if (copy_from_user(&req, arg, sizeof(req)))
1089 		return -EFAULT;
1090 
1091 	hci_dev_lock(hdev);
1092 	conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
1093 	if (conn) {
1094 		bacpy(&ci.bdaddr, &conn->dst);
1095 		ci.handle = conn->handle;
1096 		ci.type  = conn->type;
1097 		ci.out   = conn->out;
1098 		ci.state = conn->state;
1099 		ci.link_mode = conn->link_mode;
1100 	}
1101 	hci_dev_unlock(hdev);
1102 
1103 	if (!conn)
1104 		return -ENOENT;
1105 
1106 	return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
1107 }
1108 
1109 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
1110 {
1111 	struct hci_auth_info_req req;
1112 	struct hci_conn *conn;
1113 
1114 	if (copy_from_user(&req, arg, sizeof(req)))
1115 		return -EFAULT;
1116 
1117 	hci_dev_lock(hdev);
1118 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
1119 	if (conn)
1120 		req.type = conn->auth_type;
1121 	hci_dev_unlock(hdev);
1122 
1123 	if (!conn)
1124 		return -ENOENT;
1125 
1126 	return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
1127 }
1128 
1129 struct hci_chan *hci_chan_create(struct hci_conn *conn)
1130 {
1131 	struct hci_dev *hdev = conn->hdev;
1132 	struct hci_chan *chan;
1133 
1134 	BT_DBG("%s hcon %p", hdev->name, conn);
1135 
1136 	chan = kzalloc(sizeof(struct hci_chan), GFP_KERNEL);
1137 	if (!chan)
1138 		return NULL;
1139 
1140 	chan->conn = conn;
1141 	skb_queue_head_init(&chan->data_q);
1142 	chan->state = BT_CONNECTED;
1143 
1144 	list_add_rcu(&chan->list, &conn->chan_list);
1145 
1146 	return chan;
1147 }
1148 
1149 void hci_chan_del(struct hci_chan *chan)
1150 {
1151 	struct hci_conn *conn = chan->conn;
1152 	struct hci_dev *hdev = conn->hdev;
1153 
1154 	BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
1155 
1156 	list_del_rcu(&chan->list);
1157 
1158 	synchronize_rcu();
1159 
1160 	hci_conn_drop(conn);
1161 
1162 	skb_queue_purge(&chan->data_q);
1163 	kfree(chan);
1164 }
1165 
1166 void hci_chan_list_flush(struct hci_conn *conn)
1167 {
1168 	struct hci_chan *chan, *n;
1169 
1170 	BT_DBG("hcon %p", conn);
1171 
1172 	list_for_each_entry_safe(chan, n, &conn->chan_list, list)
1173 		hci_chan_del(chan);
1174 }
1175 
1176 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
1177 						 __u16 handle)
1178 {
1179 	struct hci_chan *hchan;
1180 
1181 	list_for_each_entry(hchan, &hcon->chan_list, list) {
1182 		if (hchan->handle == handle)
1183 			return hchan;
1184 	}
1185 
1186 	return NULL;
1187 }
1188 
1189 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
1190 {
1191 	struct hci_conn_hash *h = &hdev->conn_hash;
1192 	struct hci_conn *hcon;
1193 	struct hci_chan *hchan = NULL;
1194 
1195 	rcu_read_lock();
1196 
1197 	list_for_each_entry_rcu(hcon, &h->list, list) {
1198 		hchan = __hci_chan_lookup_handle(hcon, handle);
1199 		if (hchan)
1200 			break;
1201 	}
1202 
1203 	rcu_read_unlock();
1204 
1205 	return hchan;
1206 }
1207