xref: /openbmc/linux/net/bluetooth/hci_conn.c (revision ce932d0c5589e9766e089c22c66890dfc48fbd94)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4 
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth HCI connection handling. */
26 
27 #include <linux/module.h>
28 
29 #include <linux/types.h>
30 #include <linux/errno.h>
31 #include <linux/kernel.h>
32 #include <linux/slab.h>
33 #include <linux/poll.h>
34 #include <linux/fcntl.h>
35 #include <linux/init.h>
36 #include <linux/skbuff.h>
37 #include <linux/interrupt.h>
38 #include <net/sock.h>
39 
40 #include <linux/uaccess.h>
41 #include <asm/unaligned.h>
42 
43 #include <net/bluetooth/bluetooth.h>
44 #include <net/bluetooth/hci_core.h>
45 
46 static void hci_le_connect(struct hci_conn *conn)
47 {
48 	struct hci_dev *hdev = conn->hdev;
49 	struct hci_cp_le_create_conn cp;
50 
51 	conn->state = BT_CONNECT;
52 	conn->out = true;
53 	conn->link_mode |= HCI_LM_MASTER;
54 	conn->sec_level = BT_SECURITY_LOW;
55 
56 	memset(&cp, 0, sizeof(cp));
57 	cp.scan_interval = cpu_to_le16(0x0060);
58 	cp.scan_window = cpu_to_le16(0x0030);
59 	bacpy(&cp.peer_addr, &conn->dst);
60 	cp.peer_addr_type = conn->dst_type;
61 	cp.conn_interval_min = cpu_to_le16(0x0028);
62 	cp.conn_interval_max = cpu_to_le16(0x0038);
63 	cp.supervision_timeout = cpu_to_le16(0x002a);
64 	cp.min_ce_len = cpu_to_le16(0x0000);
65 	cp.max_ce_len = cpu_to_le16(0x0000);
66 
67 	hci_send_cmd(hdev, HCI_OP_LE_CREATE_CONN, sizeof(cp), &cp);
68 }
69 
70 static void hci_le_connect_cancel(struct hci_conn *conn)
71 {
72 	hci_send_cmd(conn->hdev, HCI_OP_LE_CREATE_CONN_CANCEL, 0, NULL);
73 }
74 
75 void hci_acl_connect(struct hci_conn *conn)
76 {
77 	struct hci_dev *hdev = conn->hdev;
78 	struct inquiry_entry *ie;
79 	struct hci_cp_create_conn cp;
80 
81 	BT_DBG("hcon %p", conn);
82 
83 	conn->state = BT_CONNECT;
84 	conn->out = true;
85 
86 	conn->link_mode = HCI_LM_MASTER;
87 
88 	conn->attempt++;
89 
90 	conn->link_policy = hdev->link_policy;
91 
92 	memset(&cp, 0, sizeof(cp));
93 	bacpy(&cp.bdaddr, &conn->dst);
94 	cp.pscan_rep_mode = 0x02;
95 
96 	ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
97 	if (ie) {
98 		if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) {
99 			cp.pscan_rep_mode = ie->data.pscan_rep_mode;
100 			cp.pscan_mode     = ie->data.pscan_mode;
101 			cp.clock_offset   = ie->data.clock_offset |
102 							cpu_to_le16(0x8000);
103 		}
104 
105 		memcpy(conn->dev_class, ie->data.dev_class, 3);
106 		if (ie->data.ssp_mode > 0)
107 			set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
108 	}
109 
110 	cp.pkt_type = cpu_to_le16(conn->pkt_type);
111 	if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER))
112 		cp.role_switch = 0x01;
113 	else
114 		cp.role_switch = 0x00;
115 
116 	hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
117 }
118 
119 static void hci_acl_connect_cancel(struct hci_conn *conn)
120 {
121 	struct hci_cp_create_conn_cancel cp;
122 
123 	BT_DBG("%p", conn);
124 
125 	if (conn->hdev->hci_ver < BLUETOOTH_VER_1_2)
126 		return;
127 
128 	bacpy(&cp.bdaddr, &conn->dst);
129 	hci_send_cmd(conn->hdev, HCI_OP_CREATE_CONN_CANCEL, sizeof(cp), &cp);
130 }
131 
132 void hci_acl_disconn(struct hci_conn *conn, __u8 reason)
133 {
134 	struct hci_cp_disconnect cp;
135 
136 	BT_DBG("%p", conn);
137 
138 	conn->state = BT_DISCONN;
139 
140 	cp.handle = cpu_to_le16(conn->handle);
141 	cp.reason = reason;
142 	hci_send_cmd(conn->hdev, HCI_OP_DISCONNECT, sizeof(cp), &cp);
143 }
144 
145 void hci_add_sco(struct hci_conn *conn, __u16 handle)
146 {
147 	struct hci_dev *hdev = conn->hdev;
148 	struct hci_cp_add_sco cp;
149 
150 	BT_DBG("%p", conn);
151 
152 	conn->state = BT_CONNECT;
153 	conn->out = true;
154 
155 	conn->attempt++;
156 
157 	cp.handle   = cpu_to_le16(handle);
158 	cp.pkt_type = cpu_to_le16(conn->pkt_type);
159 
160 	hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
161 }
162 
163 void hci_setup_sync(struct hci_conn *conn, __u16 handle)
164 {
165 	struct hci_dev *hdev = conn->hdev;
166 	struct hci_cp_setup_sync_conn cp;
167 
168 	BT_DBG("%p", conn);
169 
170 	conn->state = BT_CONNECT;
171 	conn->out = true;
172 
173 	conn->attempt++;
174 
175 	cp.handle   = cpu_to_le16(handle);
176 	cp.pkt_type = cpu_to_le16(conn->pkt_type);
177 
178 	cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
179 	cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
180 	cp.max_latency    = cpu_to_le16(0xffff);
181 	cp.voice_setting  = cpu_to_le16(hdev->voice_setting);
182 	cp.retrans_effort = 0xff;
183 
184 	hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp);
185 }
186 
187 void hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max,
188 					u16 latency, u16 to_multiplier)
189 {
190 	struct hci_cp_le_conn_update cp;
191 	struct hci_dev *hdev = conn->hdev;
192 
193 	memset(&cp, 0, sizeof(cp));
194 
195 	cp.handle		= cpu_to_le16(conn->handle);
196 	cp.conn_interval_min	= cpu_to_le16(min);
197 	cp.conn_interval_max	= cpu_to_le16(max);
198 	cp.conn_latency		= cpu_to_le16(latency);
199 	cp.supervision_timeout	= cpu_to_le16(to_multiplier);
200 	cp.min_ce_len		= cpu_to_le16(0x0001);
201 	cp.max_ce_len		= cpu_to_le16(0x0001);
202 
203 	hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
204 }
205 EXPORT_SYMBOL(hci_le_conn_update);
206 
207 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __u8 rand[8],
208 							__u8 ltk[16])
209 {
210 	struct hci_dev *hdev = conn->hdev;
211 	struct hci_cp_le_start_enc cp;
212 
213 	BT_DBG("%p", conn);
214 
215 	memset(&cp, 0, sizeof(cp));
216 
217 	cp.handle = cpu_to_le16(conn->handle);
218 	memcpy(cp.ltk, ltk, sizeof(cp.ltk));
219 	cp.ediv = ediv;
220 	memcpy(cp.rand, rand, sizeof(cp.rand));
221 
222 	hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
223 }
224 EXPORT_SYMBOL(hci_le_start_enc);
225 
226 void hci_le_ltk_reply(struct hci_conn *conn, u8 ltk[16])
227 {
228 	struct hci_dev *hdev = conn->hdev;
229 	struct hci_cp_le_ltk_reply cp;
230 
231 	BT_DBG("%p", conn);
232 
233 	memset(&cp, 0, sizeof(cp));
234 
235 	cp.handle = cpu_to_le16(conn->handle);
236 	memcpy(cp.ltk, ltk, sizeof(ltk));
237 
238 	hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
239 }
240 EXPORT_SYMBOL(hci_le_ltk_reply);
241 
242 void hci_le_ltk_neg_reply(struct hci_conn *conn)
243 {
244 	struct hci_dev *hdev = conn->hdev;
245 	struct hci_cp_le_ltk_neg_reply cp;
246 
247 	BT_DBG("%p", conn);
248 
249 	memset(&cp, 0, sizeof(cp));
250 
251 	cp.handle = cpu_to_le16(conn->handle);
252 
253 	hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(cp), &cp);
254 }
255 
256 /* Device _must_ be locked */
257 void hci_sco_setup(struct hci_conn *conn, __u8 status)
258 {
259 	struct hci_conn *sco = conn->link;
260 
261 	BT_DBG("%p", conn);
262 
263 	if (!sco)
264 		return;
265 
266 	if (!status) {
267 		if (lmp_esco_capable(conn->hdev))
268 			hci_setup_sync(sco, conn->handle);
269 		else
270 			hci_add_sco(sco, conn->handle);
271 	} else {
272 		hci_proto_connect_cfm(sco, status);
273 		hci_conn_del(sco);
274 	}
275 }
276 
277 static void hci_conn_timeout(struct work_struct *work)
278 {
279 	struct hci_conn *conn = container_of(work, struct hci_conn,
280 							disc_work.work);
281 	__u8 reason;
282 
283 	BT_DBG("conn %p state %s", conn, state_to_string(conn->state));
284 
285 	if (atomic_read(&conn->refcnt))
286 		return;
287 
288 	switch (conn->state) {
289 	case BT_CONNECT:
290 	case BT_CONNECT2:
291 		if (conn->out) {
292 			if (conn->type == ACL_LINK)
293 				hci_acl_connect_cancel(conn);
294 			else if (conn->type == LE_LINK)
295 				hci_le_connect_cancel(conn);
296 		}
297 		break;
298 	case BT_CONFIG:
299 	case BT_CONNECTED:
300 		reason = hci_proto_disconn_ind(conn);
301 		hci_acl_disconn(conn, reason);
302 		break;
303 	default:
304 		conn->state = BT_CLOSED;
305 		break;
306 	}
307 }
308 
309 /* Enter sniff mode */
310 static void hci_conn_enter_sniff_mode(struct hci_conn *conn)
311 {
312 	struct hci_dev *hdev = conn->hdev;
313 
314 	BT_DBG("conn %p mode %d", conn, conn->mode);
315 
316 	if (test_bit(HCI_RAW, &hdev->flags))
317 		return;
318 
319 	if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
320 		return;
321 
322 	if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
323 		return;
324 
325 	if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
326 		struct hci_cp_sniff_subrate cp;
327 		cp.handle             = cpu_to_le16(conn->handle);
328 		cp.max_latency        = cpu_to_le16(0);
329 		cp.min_remote_timeout = cpu_to_le16(0);
330 		cp.min_local_timeout  = cpu_to_le16(0);
331 		hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
332 	}
333 
334 	if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
335 		struct hci_cp_sniff_mode cp;
336 		cp.handle       = cpu_to_le16(conn->handle);
337 		cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
338 		cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
339 		cp.attempt      = cpu_to_le16(4);
340 		cp.timeout      = cpu_to_le16(1);
341 		hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
342 	}
343 }
344 
345 static void hci_conn_idle(unsigned long arg)
346 {
347 	struct hci_conn *conn = (void *) arg;
348 
349 	BT_DBG("conn %p mode %d", conn, conn->mode);
350 
351 	hci_conn_enter_sniff_mode(conn);
352 }
353 
354 static void hci_conn_auto_accept(unsigned long arg)
355 {
356 	struct hci_conn *conn = (void *) arg;
357 	struct hci_dev *hdev = conn->hdev;
358 
359 	hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
360 								&conn->dst);
361 }
362 
363 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
364 {
365 	struct hci_conn *conn;
366 
367 	BT_DBG("%s dst %s", hdev->name, batostr(dst));
368 
369 	conn = kzalloc(sizeof(struct hci_conn), GFP_KERNEL);
370 	if (!conn)
371 		return NULL;
372 
373 	bacpy(&conn->dst, dst);
374 	conn->hdev  = hdev;
375 	conn->type  = type;
376 	conn->mode  = HCI_CM_ACTIVE;
377 	conn->state = BT_OPEN;
378 	conn->auth_type = HCI_AT_GENERAL_BONDING;
379 	conn->io_capability = hdev->io_capability;
380 	conn->remote_auth = 0xff;
381 	conn->key_type = 0xff;
382 
383 	set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
384 	conn->disc_timeout = HCI_DISCONN_TIMEOUT;
385 
386 	switch (type) {
387 	case ACL_LINK:
388 		conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
389 		break;
390 	case SCO_LINK:
391 		if (lmp_esco_capable(hdev))
392 			conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
393 					(hdev->esco_type & EDR_ESCO_MASK);
394 		else
395 			conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
396 		break;
397 	case ESCO_LINK:
398 		conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
399 		break;
400 	}
401 
402 	skb_queue_head_init(&conn->data_q);
403 
404 	INIT_LIST_HEAD(&conn->chan_list);
405 
406 	INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
407 	setup_timer(&conn->idle_timer, hci_conn_idle, (unsigned long)conn);
408 	setup_timer(&conn->auto_accept_timer, hci_conn_auto_accept,
409 							(unsigned long) conn);
410 
411 	atomic_set(&conn->refcnt, 0);
412 
413 	hci_dev_hold(hdev);
414 
415 	hci_conn_hash_add(hdev, conn);
416 	if (hdev->notify)
417 		hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
418 
419 	atomic_set(&conn->devref, 0);
420 
421 	hci_conn_init_sysfs(conn);
422 
423 	return conn;
424 }
425 
426 int hci_conn_del(struct hci_conn *conn)
427 {
428 	struct hci_dev *hdev = conn->hdev;
429 
430 	BT_DBG("%s conn %p handle %d", hdev->name, conn, conn->handle);
431 
432 	del_timer(&conn->idle_timer);
433 
434 	cancel_delayed_work_sync(&conn->disc_work);
435 
436 	del_timer(&conn->auto_accept_timer);
437 
438 	if (conn->type == ACL_LINK) {
439 		struct hci_conn *sco = conn->link;
440 		if (sco)
441 			sco->link = NULL;
442 
443 		/* Unacked frames */
444 		hdev->acl_cnt += conn->sent;
445 	} else if (conn->type == LE_LINK) {
446 		if (hdev->le_pkts)
447 			hdev->le_cnt += conn->sent;
448 		else
449 			hdev->acl_cnt += conn->sent;
450 	} else {
451 		struct hci_conn *acl = conn->link;
452 		if (acl) {
453 			acl->link = NULL;
454 			hci_conn_put(acl);
455 		}
456 	}
457 
458 
459 	hci_chan_list_flush(conn);
460 
461 	hci_conn_hash_del(hdev, conn);
462 	if (hdev->notify)
463 		hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
464 
465 	skb_queue_purge(&conn->data_q);
466 
467 	hci_conn_put_device(conn);
468 
469 	hci_dev_put(hdev);
470 
471 	if (conn->handle == 0)
472 		kfree(conn);
473 
474 	return 0;
475 }
476 
477 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src)
478 {
479 	int use_src = bacmp(src, BDADDR_ANY);
480 	struct hci_dev *hdev = NULL, *d;
481 
482 	BT_DBG("%s -> %s", batostr(src), batostr(dst));
483 
484 	read_lock(&hci_dev_list_lock);
485 
486 	list_for_each_entry(d, &hci_dev_list, list) {
487 		if (!test_bit(HCI_UP, &d->flags) || test_bit(HCI_RAW, &d->flags))
488 			continue;
489 
490 		/* Simple routing:
491 		 *   No source address - find interface with bdaddr != dst
492 		 *   Source address    - find interface with bdaddr == src
493 		 */
494 
495 		if (use_src) {
496 			if (!bacmp(&d->bdaddr, src)) {
497 				hdev = d; break;
498 			}
499 		} else {
500 			if (bacmp(&d->bdaddr, dst)) {
501 				hdev = d; break;
502 			}
503 		}
504 	}
505 
506 	if (hdev)
507 		hdev = hci_dev_hold(hdev);
508 
509 	read_unlock(&hci_dev_list_lock);
510 	return hdev;
511 }
512 EXPORT_SYMBOL(hci_get_route);
513 
514 /* Create SCO, ACL or LE connection.
515  * Device _must_ be locked */
516 struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst, __u8 sec_level, __u8 auth_type)
517 {
518 	struct hci_conn *acl;
519 	struct hci_conn *sco;
520 	struct hci_conn *le;
521 
522 	BT_DBG("%s dst %s", hdev->name, batostr(dst));
523 
524 	if (type == LE_LINK) {
525 		struct adv_entry *entry;
526 
527 		le = hci_conn_hash_lookup_ba(hdev, LE_LINK, dst);
528 		if (le)
529 			return ERR_PTR(-EBUSY);
530 
531 		entry = hci_find_adv_entry(hdev, dst);
532 		if (!entry)
533 			return ERR_PTR(-EHOSTUNREACH);
534 
535 		le = hci_conn_add(hdev, LE_LINK, dst);
536 		if (!le)
537 			return ERR_PTR(-ENOMEM);
538 
539 		le->dst_type = entry->bdaddr_type;
540 
541 		hci_le_connect(le);
542 
543 		hci_conn_hold(le);
544 
545 		return le;
546 	}
547 
548 	acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
549 	if (!acl) {
550 		acl = hci_conn_add(hdev, ACL_LINK, dst);
551 		if (!acl)
552 			return ERR_PTR(-ENOMEM);
553 	}
554 
555 	hci_conn_hold(acl);
556 
557 	if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
558 		acl->sec_level = BT_SECURITY_LOW;
559 		acl->pending_sec_level = sec_level;
560 		acl->auth_type = auth_type;
561 		hci_acl_connect(acl);
562 	}
563 
564 	if (type == ACL_LINK)
565 		return acl;
566 
567 	sco = hci_conn_hash_lookup_ba(hdev, type, dst);
568 	if (!sco) {
569 		sco = hci_conn_add(hdev, type, dst);
570 		if (!sco) {
571 			hci_conn_put(acl);
572 			return ERR_PTR(-ENOMEM);
573 		}
574 	}
575 
576 	acl->link = sco;
577 	sco->link = acl;
578 
579 	hci_conn_hold(sco);
580 
581 	if (acl->state == BT_CONNECTED &&
582 			(sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
583 		set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
584 		hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
585 
586 		if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
587 			/* defer SCO setup until mode change completed */
588 			set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
589 			return sco;
590 		}
591 
592 		hci_sco_setup(acl, 0x00);
593 	}
594 
595 	return sco;
596 }
597 EXPORT_SYMBOL(hci_connect);
598 
599 /* Check link security requirement */
600 int hci_conn_check_link_mode(struct hci_conn *conn)
601 {
602 	BT_DBG("conn %p", conn);
603 
604 	if (hci_conn_ssp_enabled(conn) && !(conn->link_mode & HCI_LM_ENCRYPT))
605 		return 0;
606 
607 	return 1;
608 }
609 EXPORT_SYMBOL(hci_conn_check_link_mode);
610 
611 /* Authenticate remote device */
612 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
613 {
614 	BT_DBG("conn %p", conn);
615 
616 	if (conn->pending_sec_level > sec_level)
617 		sec_level = conn->pending_sec_level;
618 
619 	if (sec_level > conn->sec_level)
620 		conn->pending_sec_level = sec_level;
621 	else if (conn->link_mode & HCI_LM_AUTH)
622 		return 1;
623 
624 	/* Make sure we preserve an existing MITM requirement*/
625 	auth_type |= (conn->auth_type & 0x01);
626 
627 	conn->auth_type = auth_type;
628 
629 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
630 		struct hci_cp_auth_requested cp;
631 
632 		/* encrypt must be pending if auth is also pending */
633 		set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
634 
635 		cp.handle = cpu_to_le16(conn->handle);
636 		hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
637 							sizeof(cp), &cp);
638 		if (conn->key_type != 0xff)
639 			set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
640 	}
641 
642 	return 0;
643 }
644 
645 /* Encrypt the the link */
646 static void hci_conn_encrypt(struct hci_conn *conn)
647 {
648 	BT_DBG("conn %p", conn);
649 
650 	if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
651 		struct hci_cp_set_conn_encrypt cp;
652 		cp.handle  = cpu_to_le16(conn->handle);
653 		cp.encrypt = 0x01;
654 		hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
655 									&cp);
656 	}
657 }
658 
659 /* Enable security */
660 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
661 {
662 	BT_DBG("conn %p", conn);
663 
664 	/* For sdp we don't need the link key. */
665 	if (sec_level == BT_SECURITY_SDP)
666 		return 1;
667 
668 	/* For non 2.1 devices and low security level we don't need the link
669 	   key. */
670 	if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
671 		return 1;
672 
673 	/* For other security levels we need the link key. */
674 	if (!(conn->link_mode & HCI_LM_AUTH))
675 		goto auth;
676 
677 	/* An authenticated combination key has sufficient security for any
678 	   security level. */
679 	if (conn->key_type == HCI_LK_AUTH_COMBINATION)
680 		goto encrypt;
681 
682 	/* An unauthenticated combination key has sufficient security for
683 	   security level 1 and 2. */
684 	if (conn->key_type == HCI_LK_UNAUTH_COMBINATION &&
685 			(sec_level == BT_SECURITY_MEDIUM ||
686 			sec_level == BT_SECURITY_LOW))
687 		goto encrypt;
688 
689 	/* A combination key has always sufficient security for the security
690 	   levels 1 or 2. High security level requires the combination key
691 	   is generated using maximum PIN code length (16).
692 	   For pre 2.1 units. */
693 	if (conn->key_type == HCI_LK_COMBINATION &&
694 			(sec_level != BT_SECURITY_HIGH ||
695 			conn->pin_length == 16))
696 		goto encrypt;
697 
698 auth:
699 	if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
700 		return 0;
701 
702 	if (!hci_conn_auth(conn, sec_level, auth_type))
703 		return 0;
704 
705 encrypt:
706 	if (conn->link_mode & HCI_LM_ENCRYPT)
707 		return 1;
708 
709 	hci_conn_encrypt(conn);
710 	return 0;
711 }
712 EXPORT_SYMBOL(hci_conn_security);
713 
714 /* Check secure link requirement */
715 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
716 {
717 	BT_DBG("conn %p", conn);
718 
719 	if (sec_level != BT_SECURITY_HIGH)
720 		return 1; /* Accept if non-secure is required */
721 
722 	if (conn->sec_level == BT_SECURITY_HIGH)
723 		return 1;
724 
725 	return 0; /* Reject not secure link */
726 }
727 EXPORT_SYMBOL(hci_conn_check_secure);
728 
729 /* Change link key */
730 int hci_conn_change_link_key(struct hci_conn *conn)
731 {
732 	BT_DBG("conn %p", conn);
733 
734 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
735 		struct hci_cp_change_conn_link_key cp;
736 		cp.handle = cpu_to_le16(conn->handle);
737 		hci_send_cmd(conn->hdev, HCI_OP_CHANGE_CONN_LINK_KEY,
738 							sizeof(cp), &cp);
739 	}
740 
741 	return 0;
742 }
743 EXPORT_SYMBOL(hci_conn_change_link_key);
744 
745 /* Switch role */
746 int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
747 {
748 	BT_DBG("conn %p", conn);
749 
750 	if (!role && conn->link_mode & HCI_LM_MASTER)
751 		return 1;
752 
753 	if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
754 		struct hci_cp_switch_role cp;
755 		bacpy(&cp.bdaddr, &conn->dst);
756 		cp.role = role;
757 		hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
758 	}
759 
760 	return 0;
761 }
762 EXPORT_SYMBOL(hci_conn_switch_role);
763 
764 /* Enter active mode */
765 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
766 {
767 	struct hci_dev *hdev = conn->hdev;
768 
769 	BT_DBG("conn %p mode %d", conn, conn->mode);
770 
771 	if (test_bit(HCI_RAW, &hdev->flags))
772 		return;
773 
774 	if (conn->mode != HCI_CM_SNIFF)
775 		goto timer;
776 
777 	if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
778 		goto timer;
779 
780 	if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
781 		struct hci_cp_exit_sniff_mode cp;
782 		cp.handle = cpu_to_le16(conn->handle);
783 		hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
784 	}
785 
786 timer:
787 	if (hdev->idle_timeout > 0)
788 		mod_timer(&conn->idle_timer,
789 			jiffies + msecs_to_jiffies(hdev->idle_timeout));
790 }
791 
792 /* Drop all connection on the device */
793 void hci_conn_hash_flush(struct hci_dev *hdev)
794 {
795 	struct hci_conn_hash *h = &hdev->conn_hash;
796 	struct hci_conn *c, *n;
797 
798 	BT_DBG("hdev %s", hdev->name);
799 
800 	list_for_each_entry_safe(c, n, &h->list, list) {
801 		c->state = BT_CLOSED;
802 
803 		hci_proto_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM);
804 		hci_conn_del(c);
805 	}
806 }
807 
808 /* Check pending connect attempts */
809 void hci_conn_check_pending(struct hci_dev *hdev)
810 {
811 	struct hci_conn *conn;
812 
813 	BT_DBG("hdev %s", hdev->name);
814 
815 	hci_dev_lock(hdev);
816 
817 	conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2);
818 	if (conn)
819 		hci_acl_connect(conn);
820 
821 	hci_dev_unlock(hdev);
822 }
823 
824 void hci_conn_hold_device(struct hci_conn *conn)
825 {
826 	atomic_inc(&conn->devref);
827 }
828 EXPORT_SYMBOL(hci_conn_hold_device);
829 
830 void hci_conn_put_device(struct hci_conn *conn)
831 {
832 	if (atomic_dec_and_test(&conn->devref))
833 		hci_conn_del_sysfs(conn);
834 }
835 EXPORT_SYMBOL(hci_conn_put_device);
836 
837 int hci_get_conn_list(void __user *arg)
838 {
839 	register struct hci_conn *c;
840 	struct hci_conn_list_req req, *cl;
841 	struct hci_conn_info *ci;
842 	struct hci_dev *hdev;
843 	int n = 0, size, err;
844 
845 	if (copy_from_user(&req, arg, sizeof(req)))
846 		return -EFAULT;
847 
848 	if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
849 		return -EINVAL;
850 
851 	size = sizeof(req) + req.conn_num * sizeof(*ci);
852 
853 	cl = kmalloc(size, GFP_KERNEL);
854 	if (!cl)
855 		return -ENOMEM;
856 
857 	hdev = hci_dev_get(req.dev_id);
858 	if (!hdev) {
859 		kfree(cl);
860 		return -ENODEV;
861 	}
862 
863 	ci = cl->conn_info;
864 
865 	hci_dev_lock(hdev);
866 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
867 		bacpy(&(ci + n)->bdaddr, &c->dst);
868 		(ci + n)->handle = c->handle;
869 		(ci + n)->type  = c->type;
870 		(ci + n)->out   = c->out;
871 		(ci + n)->state = c->state;
872 		(ci + n)->link_mode = c->link_mode;
873 		if (++n >= req.conn_num)
874 			break;
875 	}
876 	hci_dev_unlock(hdev);
877 
878 	cl->dev_id = hdev->id;
879 	cl->conn_num = n;
880 	size = sizeof(req) + n * sizeof(*ci);
881 
882 	hci_dev_put(hdev);
883 
884 	err = copy_to_user(arg, cl, size);
885 	kfree(cl);
886 
887 	return err ? -EFAULT : 0;
888 }
889 
890 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
891 {
892 	struct hci_conn_info_req req;
893 	struct hci_conn_info ci;
894 	struct hci_conn *conn;
895 	char __user *ptr = arg + sizeof(req);
896 
897 	if (copy_from_user(&req, arg, sizeof(req)))
898 		return -EFAULT;
899 
900 	hci_dev_lock(hdev);
901 	conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
902 	if (conn) {
903 		bacpy(&ci.bdaddr, &conn->dst);
904 		ci.handle = conn->handle;
905 		ci.type  = conn->type;
906 		ci.out   = conn->out;
907 		ci.state = conn->state;
908 		ci.link_mode = conn->link_mode;
909 	}
910 	hci_dev_unlock(hdev);
911 
912 	if (!conn)
913 		return -ENOENT;
914 
915 	return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
916 }
917 
918 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
919 {
920 	struct hci_auth_info_req req;
921 	struct hci_conn *conn;
922 
923 	if (copy_from_user(&req, arg, sizeof(req)))
924 		return -EFAULT;
925 
926 	hci_dev_lock(hdev);
927 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
928 	if (conn)
929 		req.type = conn->auth_type;
930 	hci_dev_unlock(hdev);
931 
932 	if (!conn)
933 		return -ENOENT;
934 
935 	return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
936 }
937 
938 struct hci_chan *hci_chan_create(struct hci_conn *conn)
939 {
940 	struct hci_dev *hdev = conn->hdev;
941 	struct hci_chan *chan;
942 
943 	BT_DBG("%s conn %p", hdev->name, conn);
944 
945 	chan = kzalloc(sizeof(struct hci_chan), GFP_KERNEL);
946 	if (!chan)
947 		return NULL;
948 
949 	chan->conn = conn;
950 	skb_queue_head_init(&chan->data_q);
951 
952 	list_add_rcu(&chan->list, &conn->chan_list);
953 
954 	return chan;
955 }
956 
957 int hci_chan_del(struct hci_chan *chan)
958 {
959 	struct hci_conn *conn = chan->conn;
960 	struct hci_dev *hdev = conn->hdev;
961 
962 	BT_DBG("%s conn %p chan %p", hdev->name, conn, chan);
963 
964 	list_del_rcu(&chan->list);
965 
966 	synchronize_rcu();
967 
968 	skb_queue_purge(&chan->data_q);
969 	kfree(chan);
970 
971 	return 0;
972 }
973 
974 void hci_chan_list_flush(struct hci_conn *conn)
975 {
976 	struct hci_chan *chan, *n;
977 
978 	BT_DBG("conn %p", conn);
979 
980 	list_for_each_entry_safe(chan, n, &conn->chan_list, list)
981 		hci_chan_del(chan);
982 }
983