projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Fix double scan updates
[linux-2.6-block.git] / net / bluetooth / hci_conn.c
CommitLineData
8e87d142 1/*
1da177e4 2 BlueZ - Bluetooth protocol stack for Linux
2d0a0346 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
1da177e4
LT		 4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
8e87d142
YH		 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 22 SOFTWARE IS DISCLAIMED.
23*/
24
25/* Bluetooth HCI connection handling. */
26
8c520a59 27#include <linux/export.h>
23b9ceb7 28#include <linux/debugfs.h>
1da177e4
LT		 29
30#include <net/bluetooth/bluetooth.h>
31#include <net/bluetooth/hci_core.h>
4bc58f51 32#include <net/bluetooth/l2cap.h>
1da177e4 33
0857dd3b 34#include "hci_request.h"
ac4b7236 35#include "smp.h"
7024728e
MH		 36#include "a2mp.h"
37
2dea632f
FD		 38struct sco_param {
39 u16 pkt_type;
40 u16 max_latency;
c7da5797 41 u8 retrans_effort;
2dea632f
FD		 42};
43
48e68ff5 44static const struct sco_param esco_param_cvsd[] = {
c7da5797
JH		 45 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */
46 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */
47 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */
48 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */
49 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */
2dea632f
FD		 50};
51
48e68ff5 52static const struct sco_param sco_param_cvsd[] = {
c7da5797
JH		 53 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */
54 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */
48e68ff5
BT		 55};
56
565766b0 57static const struct sco_param esco_param_msbc[] = {
c7da5797
JH		 58 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */
59 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */
2dea632f
FD		 60};
61
1aef8669 62static void hci_le_create_connection_cancel(struct hci_conn *conn)
fcd89c09
VT		 63{
64 hci_send_cmd(conn->hdev, HCI_OP_LE_CREATE_CONN_CANCEL, 0, NULL);
65}
66
f75113a2
JP		 67/* This function requires the caller holds hdev->lock */
68static void hci_connect_le_scan_cleanup(struct hci_conn *conn)
69{
70 struct hci_conn_params *params;
71 struct smp_irk *irk;
72 bdaddr_t *bdaddr;
73 u8 bdaddr_type;
74
75 bdaddr = &conn->dst;
76 bdaddr_type = conn->dst_type;
77
78 /* Check if we need to convert to identity address */
79 irk = hci_get_irk(conn->hdev, bdaddr, bdaddr_type);
80 if (irk) {
81 bdaddr = &irk->bdaddr;
82 bdaddr_type = irk->addr_type;
83 }
84
85 params = hci_explicit_connect_lookup(conn->hdev, bdaddr, bdaddr_type);
86 if (!params)
87 return;
88
89 /* The connection attempt was doing scan for new RPA, and is
90 * in scan phase. If params are not associated with any other
91 * autoconnect action, remove them completely. If they are, just unmark
92 * them as waiting for connection, by clearing explicit_connect field.
93 */
168b8a25 94 if (params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
f75113a2 95 hci_conn_params_del(conn->hdev, bdaddr, bdaddr_type);
168b8a25 96 } else {
f75113a2 97 params->explicit_connect = false;
168b8a25
JP		 98 hci_update_background_scan(conn->hdev);
99 }
f75113a2
JP		 100}
101
102/* This function requires the caller holds hdev->lock */
103static void hci_connect_le_scan_remove(struct hci_conn *conn)
104{
105 hci_connect_le_scan_cleanup(conn);
106
107 hci_conn_hash_del(conn->hdev, conn);
f75113a2
JP		 108}
109
1aef8669 110static void hci_acl_create_connection(struct hci_conn *conn)
1da177e4
LT		 111{
112 struct hci_dev *hdev = conn->hdev;
113 struct inquiry_entry *ie;
114 struct hci_cp_create_conn cp;
115
42d2d87c 116 BT_DBG("hcon %p", conn);
1da177e4
LT		 117
118 conn->state = BT_CONNECT;
a0c808b3 119 conn->out = true;
40bef302 120 conn->role = HCI_ROLE_MASTER;
1da177e4 121
4c67bc74
MH		 122 conn->attempt++;
123
e4e8e37c
MH		 124 conn->link_policy = hdev->link_policy;
125
1da177e4
LT		 126 memset(&cp, 0, sizeof(cp));
127 bacpy(&cp.bdaddr, &conn->dst);
128 cp.pscan_rep_mode = 0x02;
129
70f23020
AE		 130 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
131 if (ie) {
41a96212
MH		 132 if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) {
133 cp.pscan_rep_mode = ie->data.pscan_rep_mode;
134 cp.pscan_mode = ie->data.pscan_mode;
135 cp.clock_offset = ie->data.clock_offset |
dcf4adbf 136 cpu_to_le16(0x8000);
41a96212
MH		 137 }
138
1da177e4 139 memcpy(conn->dev_class, ie->data.dev_class, 3);
58a681ef
JH		 140 if (ie->data.ssp_mode > 0)
141 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
1da177e4
LT		 142 }
143
a8746417 144 cp.pkt_type = cpu_to_le16(conn->pkt_type);
1da177e4 145 if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER))
b6a0dc82 146 cp.role_switch = 0x01;
1da177e4 147 else
b6a0dc82 148 cp.role_switch = 0x00;
4c67bc74 149
a9de9248 150 hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
1da177e4
LT		 151}
152
1aef8669 153static void hci_acl_create_connection_cancel(struct hci_conn *conn)
6ac59344
MH		 154{
155 struct hci_cp_create_conn_cancel cp;
156
38b3fef1 157 BT_DBG("hcon %p", conn);
6ac59344 158
d095c1eb 159 if (conn->hdev->hci_ver < BLUETOOTH_VER_1_2)
6ac59344
MH		 160 return;
161
162 bacpy(&cp.bdaddr, &conn->dst);
a9de9248 163 hci_send_cmd(conn->hdev, HCI_OP_CREATE_CONN_CANCEL, sizeof(cp), &cp);
6ac59344
MH		 164}
165
93796fa6
CT		 166static void hci_reject_sco(struct hci_conn *conn)
167{
168 struct hci_cp_reject_sync_conn_req cp;
169
d41c15cf 170 cp.reason = HCI_ERROR_REJ_LIMITED_RESOURCES;
93796fa6
CT		 171 bacpy(&cp.bdaddr, &conn->dst);
172
173 hci_send_cmd(conn->hdev, HCI_OP_REJECT_SYNC_CONN_REQ, sizeof(cp), &cp);
174}
175
e3b679d5 176int hci_disconnect(struct hci_conn *conn, __u8 reason)
1da177e4
LT		 177{
178 struct hci_cp_disconnect cp;
179
38b3fef1 180 BT_DBG("hcon %p", conn);
1da177e4 181
839035a7
JH		 182 /* When we are master of an established connection and it enters
183 * the disconnect timeout, then go ahead and try to read the
184 * current clock offset. Processing of the result is done
185 * within the event handling and hci_clock_offset_evt function.
186 */
187 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER) {
188 struct hci_dev *hdev = conn->hdev;
4f639ede 189 struct hci_cp_read_clock_offset clkoff_cp;
839035a7 190
4f639ede
FF		 191 clkoff_cp.handle = cpu_to_le16(conn->handle);
192 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp),
193 &clkoff_cp);
839035a7
JH		 194 }
195
1da177e4
LT		 196 conn->state = BT_DISCONN;
197
aca3192c 198 cp.handle = cpu_to_le16(conn->handle);
1da177e4 199 cp.reason = reason;
e3b679d5 200 return hci_send_cmd(conn->hdev, HCI_OP_DISCONNECT, sizeof(cp), &cp);
1da177e4
LT		 201}
202
a2b1976b 203static void hci_amp_disconn(struct hci_conn *conn)
53502d69
AE		 204{
205 struct hci_cp_disconn_phy_link cp;
206
207 BT_DBG("hcon %p", conn);
208
209 conn->state = BT_DISCONN;
210
211 cp.phy_handle = HCI_PHY_HANDLE(conn->handle);
a2b1976b 212 cp.reason = hci_proto_disconn_ind(conn);
53502d69
AE		 213 hci_send_cmd(conn->hdev, HCI_OP_DISCONN_PHY_LINK,
214 sizeof(cp), &cp);
215}
216
57f5d0d1 217static void hci_add_sco(struct hci_conn *conn, __u16 handle)
1da177e4
LT		 218{
219 struct hci_dev *hdev = conn->hdev;
220 struct hci_cp_add_sco cp;
221
38b3fef1 222 BT_DBG("hcon %p", conn);
1da177e4
LT		 223
224 conn->state = BT_CONNECT;
a0c808b3 225 conn->out = true;
1da177e4 226
efc7688b
MH		 227 conn->attempt++;
228
aca3192c 229 cp.handle = cpu_to_le16(handle);
a8746417 230 cp.pkt_type = cpu_to_le16(conn->pkt_type);
1da177e4 231
a9de9248 232 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
1da177e4
LT		 233}
234
2dea632f 235bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
b6a0dc82
MH		 236{
237 struct hci_dev *hdev = conn->hdev;
238 struct hci_cp_setup_sync_conn cp;
2dea632f 239 const struct sco_param *param;
b6a0dc82 240
38b3fef1 241 BT_DBG("hcon %p", conn);
b6a0dc82
MH		 242
243 conn->state = BT_CONNECT;
a0c808b3 244 conn->out = true;
b6a0dc82 245
efc7688b
MH		 246 conn->attempt++;
247
b6a0dc82 248 cp.handle = cpu_to_le16(handle);
b6a0dc82 249
dcf4adbf
JP		 250 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
251 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
10c62ddc
FD		 252 cp.voice_setting = cpu_to_le16(conn->setting);
253
254 switch (conn->setting & SCO_AIRMODE_MASK) {
255 case SCO_AIRMODE_TRANSP:
565766b0 256 if (conn->attempt > ARRAY_SIZE(esco_param_msbc))
2dea632f 257 return false;
565766b0 258 param = &esco_param_msbc[conn->attempt - 1];
10c62ddc
FD		 259 break;
260 case SCO_AIRMODE_CVSD:
48e68ff5
BT		 261 if (lmp_esco_capable(conn->link)) {
262 if (conn->attempt > ARRAY_SIZE(esco_param_cvsd))
263 return false;
48e68ff5
BT		 264 param = &esco_param_cvsd[conn->attempt - 1];
265 } else {
266 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
267 return false;
48e68ff5
BT		 268 param = &sco_param_cvsd[conn->attempt - 1];
269 }
10c62ddc 270 break;
2dea632f
FD		 271 default:
272 return false;
10c62ddc 273 }
b6a0dc82 274
c7da5797 275 cp.retrans_effort = param->retrans_effort;
2dea632f
FD		 276 cp.pkt_type = __cpu_to_le16(param->pkt_type);
277 cp.max_latency = __cpu_to_le16(param->max_latency);
278
279 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
280 return false;
281
282 return true;
b6a0dc82
MH		 283}
284
7d6ca693
JH		 285u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
286 u16 to_multiplier)
2ce603eb 287{
2ce603eb 288 struct hci_dev *hdev = conn->hdev;
f044eb05
MH		 289 struct hci_conn_params *params;
290 struct hci_cp_le_conn_update cp;
2ce603eb 291
f044eb05 292 hci_dev_lock(hdev);
2ce603eb 293
f044eb05
MH		 294 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
295 if (params) {
296 params->conn_min_interval = min;
297 params->conn_max_interval = max;
298 params->conn_latency = latency;
299 params->supervision_timeout = to_multiplier;
300 }
301
302 hci_dev_unlock(hdev);
303
304 memset(&cp, 0, sizeof(cp));
2ce603eb
CT		 305 cp.handle = cpu_to_le16(conn->handle);
306 cp.conn_interval_min = cpu_to_le16(min);
307 cp.conn_interval_max = cpu_to_le16(max);
308 cp.conn_latency = cpu_to_le16(latency);
309 cp.supervision_timeout = cpu_to_le16(to_multiplier);
dcf4adbf
JP		 310 cp.min_ce_len = cpu_to_le16(0x0000);
311 cp.max_ce_len = cpu_to_le16(0x0000);
2ce603eb
CT		 312
313 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
7d6ca693
JH		 314
315 if (params)
316 return 0x01;
317
318 return 0x00;
2ce603eb 319}
2ce603eb 320
fe39c7b2 321void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
8b76ce34 322 __u8 ltk[16], __u8 key_size)
a7a595f6
VCG		 323{
324 struct hci_dev *hdev = conn->hdev;
325 struct hci_cp_le_start_enc cp;
326
38b3fef1 327 BT_DBG("hcon %p", conn);
a7a595f6
VCG		 328
329 memset(&cp, 0, sizeof(cp));
330
331 cp.handle = cpu_to_le16(conn->handle);
fe39c7b2 332 cp.rand = rand;
a7a595f6 333 cp.ediv = ediv;
8b76ce34 334 memcpy(cp.ltk, ltk, key_size);
a7a595f6
VCG		 335
336 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
337}
a7a595f6 338
e73439d8
MH		 339/* Device _must_ be locked */
340void hci_sco_setup(struct hci_conn *conn, __u8 status)
341{
342 struct hci_conn *sco = conn->link;
343
e73439d8
MH		 344 if (!sco)
345 return;
346
38b3fef1
AE		 347 BT_DBG("hcon %p", conn);
348
e73439d8
MH		 349 if (!status) {
350 if (lmp_esco_capable(conn->hdev))
351 hci_setup_sync(sco, conn->handle);
352 else
353 hci_add_sco(sco, conn->handle);
354 } else {
539c496d 355 hci_connect_cfm(sco, status);
e73439d8
MH		 356 hci_conn_del(sco);
357 }
358}
359
19c40e3b 360static void hci_conn_timeout(struct work_struct *work)
1da177e4 361{
19c40e3b 362 struct hci_conn *conn = container_of(work, struct hci_conn,
5974e4c4 363 disc_work.work);
1d56dc4f 364 int refcnt = atomic_read(&conn->refcnt);
1da177e4 365
38b3fef1 366 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
1da177e4 367
1d56dc4f
LR		 368 WARN_ON(refcnt < 0);
369
370 /* FIXME: It was observed that in pairing failed scenario, refcnt
371 * drops below 0. Probably this is because l2cap_conn_del calls
372 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
373 * dropped. After that loop hci_chan_del is called which also drops
374 * conn. For now make sure that ACL is alive if refcnt is higher then 0,
375 * otherwise drop it.
376 */
377 if (refcnt > 0)
1da177e4
LT		 378 return;
379
6ac59344
MH		 380 switch (conn->state) {
381 case BT_CONNECT:
769be974 382 case BT_CONNECT2:
fcd89c09
VT		 383 if (conn->out) {
384 if (conn->type == ACL_LINK)
1aef8669 385 hci_acl_create_connection_cancel(conn);
cc2b6911
JP		 386 else if (conn->type == LE_LINK) {
387 if (test_bit(HCI_CONN_SCANNING, &conn->flags))
388 hci_connect_le_scan_remove(conn);
389 else
390 hci_le_create_connection_cancel(conn);
391 }
93796fa6
CT		 392 } else if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
393 hci_reject_sco(conn);
fcd89c09 394 }
6ac59344 395 break;
769be974 396 case BT_CONFIG:
8e87d142 397 case BT_CONNECTED:
40051e46
MH		 398 if (conn->type == AMP_LINK) {
399 hci_amp_disconn(conn);
400 } else {
401 __u8 reason = hci_proto_disconn_ind(conn);
402 hci_disconnect(conn, reason);
403 }
6ac59344
MH		 404 break;
405 default:
1da177e4 406 conn->state = BT_CLOSED;
6ac59344
MH		 407 break;
408 }
1da177e4
LT		 409}
410
416dc94b 411/* Enter sniff mode */
a74a84f6 412static void hci_conn_idle(struct work_struct *work)
416dc94b 413{
a74a84f6
JH		 414 struct hci_conn *conn = container_of(work, struct hci_conn,
415 idle_work.work);
416dc94b
GP		 416 struct hci_dev *hdev = conn->hdev;
417
38b3fef1 418 BT_DBG("hcon %p mode %d", conn, conn->mode);
416dc94b 419
416dc94b
GP		 420 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
421 return;
422
423 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
424 return;
425
426 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
427 struct hci_cp_sniff_subrate cp;
428 cp.handle = cpu_to_le16(conn->handle);
dcf4adbf
JP		 429 cp.max_latency = cpu_to_le16(0);
430 cp.min_remote_timeout = cpu_to_le16(0);
431 cp.min_local_timeout = cpu_to_le16(0);
416dc94b
GP		 432 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
433 }
434
51a8efd7 435 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
416dc94b
GP		 436 struct hci_cp_sniff_mode cp;
437 cp.handle = cpu_to_le16(conn->handle);
438 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
439 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
dcf4adbf
JP		 440 cp.attempt = cpu_to_le16(4);
441 cp.timeout = cpu_to_le16(1);
416dc94b
GP		 442 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
443 }
444}
445
7bc18d9d 446static void hci_conn_auto_accept(struct work_struct *work)
9f61656a 447{
7bc18d9d
JH		 448 struct hci_conn *conn = container_of(work, struct hci_conn,
449 auto_accept_work.work);
9f61656a 450
7bc18d9d 451 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
5974e4c4 452 &conn->dst);
9f61656a
JH		 453}
454
9489eca4
JH		 455static void le_conn_timeout(struct work_struct *work)
456{
457 struct hci_conn *conn = container_of(work, struct hci_conn,
458 le_conn_timeout.work);
3c857757 459 struct hci_dev *hdev = conn->hdev;
9489eca4
JH		 460
461 BT_DBG("");
462
3c857757
JH		 463 /* We could end up here due to having done directed advertising,
464 * so clean up the state if necessary. This should however only
465 * happen with broken hardware or if low duty cycle was used
466 * (which doesn't have a timeout of its own).
467 */
0b1db38c 468 if (conn->role == HCI_ROLE_SLAVE) {
3c857757
JH		 469 u8 enable = 0x00;
470 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
471 &enable);
472 hci_le_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
473 return;
474 }
475
9489eca4
JH		 476 hci_le_create_connection_cancel(conn);
477}
478
a5c4e309
JH		 479struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
480 u8 role)
1da177e4
LT		 481{
482 struct hci_conn *conn;
483
6ed93dc6 484 BT_DBG("%s dst %pMR", hdev->name, dst);
1da177e4 485
27f70f3e 486 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
04837f64 487 if (!conn)
1da177e4 488 return NULL;
1da177e4
LT		 489
490 bacpy(&conn->dst, dst);
662e8820 491 bacpy(&conn->src, &hdev->bdaddr);
a8746417
MH		 492 conn->hdev = hdev;
493 conn->type = type;
a5c4e309 494 conn->role = role;
a8746417
MH		 495 conn->mode = HCI_CM_ACTIVE;
496 conn->state = BT_OPEN;
93f19c9f 497 conn->auth_type = HCI_AT_GENERAL_BONDING;
17fa4b9d 498 conn->io_capability = hdev->io_capability;
a9583556 499 conn->remote_auth = 0xff;
13d39315 500 conn->key_type = 0xff;
ebf86aa3 501 conn->rssi = HCI_RSSI_INVALID;
5a134fae 502 conn->tx_power = HCI_TX_POWER_INVALID;
d0455ed9 503 conn->max_tx_power = HCI_TX_POWER_INVALID;
1da177e4 504
58a681ef 505 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
052b30b0 506 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
04837f64 507
a5c4e309
JH		 508 if (conn->role == HCI_ROLE_MASTER)
509 conn->out = true;
510
a8746417
MH		 511 switch (type) {
512 case ACL_LINK:
513 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
514 break;
9c84d1da
JH		 515 case LE_LINK:
516 /* conn->src should reflect the local identity address */
517 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
518 break;
a8746417
MH		 519 case SCO_LINK:
520 if (lmp_esco_capable(hdev))
efc7688b
MH		 521 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
522 (hdev->esco_type & EDR_ESCO_MASK);
a8746417
MH		 523 else
524 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
525 break;
526 case ESCO_LINK:
efc7688b 527 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
a8746417
MH		 528 break;
529 }
530
1da177e4 531 skb_queue_head_init(&conn->data_q);
04837f64 532
70c1f20b 533 INIT_LIST_HEAD(&conn->chan_list);
73d80deb 534
19c40e3b 535 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
7bc18d9d 536 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
a74a84f6 537 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
9489eca4 538 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
1da177e4
LT		 539
540 atomic_set(&conn->refcnt, 0);
541
542 hci_dev_hold(hdev);
543
1da177e4 544 hci_conn_hash_add(hdev, conn);
3c54711c 545 if (hdev->notify)
1da177e4
LT		 546 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
547
a67e899c
MH		 548 hci_conn_init_sysfs(conn);
549
1da177e4
LT		 550 return conn;
551}
552
553int hci_conn_del(struct hci_conn *conn)
554{
555 struct hci_dev *hdev = conn->hdev;
556
38b3fef1 557 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
1da177e4 558
19c40e3b 559 cancel_delayed_work_sync(&conn->disc_work);
7bc18d9d 560 cancel_delayed_work_sync(&conn->auto_accept_work);
a74a84f6 561 cancel_delayed_work_sync(&conn->idle_work);
9f61656a 562
5b7f9909 563 if (conn->type == ACL_LINK) {
1da177e4
LT		 564 struct hci_conn *sco = conn->link;
565 if (sco)
566 sco->link = NULL;
567
568 /* Unacked frames */
569 hdev->acl_cnt += conn->sent;
6ed58ec5 570 } else if (conn->type == LE_LINK) {
980ffc0a 571 cancel_delayed_work(&conn->le_conn_timeout);
9489eca4 572
6ed58ec5
VT		 573 if (hdev->le_pkts)
574 hdev->le_cnt += conn->sent;
575 else
576 hdev->acl_cnt += conn->sent;
5b7f9909
MH		 577 } else {
578 struct hci_conn *acl = conn->link;
579 if (acl) {
580 acl->link = NULL;
76a68ba0 581 hci_conn_drop(acl);
5b7f9909 582 }
1da177e4
LT		 583 }
584
2c33c06a 585 hci_chan_list_flush(conn);
73d80deb 586
9740e49d
AE		 587 if (conn->amp_mgr)
588 amp_mgr_put(conn->amp_mgr);
589
1da177e4 590 hci_conn_hash_del(hdev, conn);
3c54711c 591 if (hdev->notify)
1da177e4 592 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
7d0db0a3 593
1da177e4 594 skb_queue_purge(&conn->data_q);
1da177e4 595
fc225c3f 596 hci_conn_del_sysfs(conn);
2ae9a6be 597
23b9ceb7
MH		 598 debugfs_remove_recursive(conn->debugfs);
599
89cbb063
AA		 600 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
601 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);
602
384943ec
MH		 603 hci_dev_put(hdev);
604
8d12356f 605 hci_conn_put(conn);
163f4dab 606
1da177e4
LT		 607 return 0;
608}
609
610struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src)
611{
612 int use_src = bacmp(src, BDADDR_ANY);
8035ded4 613 struct hci_dev *hdev = NULL, *d;
1da177e4 614
6ed93dc6 615 BT_DBG("%pMR -> %pMR", src, dst);
1da177e4 616
f20d09d5 617 read_lock(&hci_dev_list_lock);
1da177e4 618
8035ded4 619 list_for_each_entry(d, &hci_dev_list, list) {
8fc9ced3 620 if (!test_bit(HCI_UP, &d->flags) ||
d7a5a11d 621 hci_dev_test_flag(d, HCI_USER_CHANNEL) ||
d300fa9b 622 d->dev_type != HCI_BREDR)
1da177e4
LT		 623 continue;
624
8e87d142 625 /* Simple routing:
1da177e4
LT		 626 * No source address - find interface with bdaddr != dst
627 * Source address - find interface with bdaddr == src
628 */
629
630 if (use_src) {
631 if (!bacmp(&d->bdaddr, src)) {
632 hdev = d; break;
633 }
634 } else {
635 if (bacmp(&d->bdaddr, dst)) {
636 hdev = d; break;
637 }
638 }
639 }
640
641 if (hdev)
642 hdev = hci_dev_hold(hdev);
643
f20d09d5 644 read_unlock(&hci_dev_list_lock);
1da177e4
LT		 645 return hdev;
646}
647EXPORT_SYMBOL(hci_get_route);
648
9bb3c01f 649/* This function requires the caller holds hdev->lock */
06c053fb 650void hci_le_conn_failed(struct hci_conn *conn, u8 status)
9bb3c01f
AG		 651{
652 struct hci_dev *hdev = conn->hdev;
f161dd41
JH		 653 struct hci_conn_params *params;
654
655 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
656 conn->dst_type);
657 if (params && params->conn) {
658 hci_conn_drop(params->conn);
f8aaf9b6 659 hci_conn_put(params->conn);
f161dd41
JH		 660 params->conn = NULL;
661 }
9bb3c01f
AG		 662
663 conn->state = BT_CLOSED;
664
665 mgmt_connect_failed(hdev, &conn->dst, conn->type, conn->dst_type,
666 status);
667
539c496d 668 hci_connect_cfm(conn, status);
9bb3c01f
AG		 669
670 hci_conn_del(conn);
a4790dbd
AG		 671
672 /* Since we may have temporarily stopped the background scanning in
673 * favor of connection establishment, we should restart it.
674 */
675 hci_update_background_scan(hdev);
3c857757
JH		 676
677 /* Re-enable advertising in case this was a failed connection
678 * attempt as a peripheral.
679 */
680 mgmt_reenable_advertising(hdev);
9bb3c01f
AG		 681}
682
1904a853 683static void create_le_conn_complete(struct hci_dev *hdev, u8 status, u16 opcode)
1d399ae5
AG		 684{
685 struct hci_conn *conn;
686
28a667c9
JP		 687 hci_dev_lock(hdev);
688
689 conn = hci_lookup_le_connect(hdev);
690
691 if (!status) {
692 hci_connect_le_scan_cleanup(conn);
693 goto done;
694 }
1d399ae5
AG		 695
696 BT_ERR("HCI request failed to create LE connection: status 0x%2.2x",
697 status);
698
1d399ae5
AG		 699 if (!conn)
700 goto done;
701
06c053fb 702 hci_le_conn_failed(conn, status);
1d399ae5
AG		 703
704done:
705 hci_dev_unlock(hdev);
706}
707
2acf3d90
AG		 708static void hci_req_add_le_create_conn(struct hci_request *req,
709 struct hci_conn *conn)
710{
711 struct hci_cp_le_create_conn cp;
712 struct hci_dev *hdev = conn->hdev;
713 u8 own_addr_type;
714
715 memset(&cp, 0, sizeof(cp));
716
717 /* Update random address, but set require_privacy to false so
9437d2ed 718 * that we never connect with an non-resolvable address.
2acf3d90
AG		 719 */
720 if (hci_update_random_address(req, false, &own_addr_type))
721 return;
722
2acf3d90
AG		 723 cp.scan_interval = cpu_to_le16(hdev->le_scan_interval);
724 cp.scan_window = cpu_to_le16(hdev->le_scan_window);
725 bacpy(&cp.peer_addr, &conn->dst);
726 cp.peer_addr_type = conn->dst_type;
727 cp.own_address_type = own_addr_type;
728 cp.conn_interval_min = cpu_to_le16(conn->le_conn_min_interval);
729 cp.conn_interval_max = cpu_to_le16(conn->le_conn_max_interval);
037fc415
MH		 730 cp.conn_latency = cpu_to_le16(conn->le_conn_latency);
731 cp.supervision_timeout = cpu_to_le16(conn->le_supv_timeout);
dcf4adbf
JP		 732 cp.min_ce_len = cpu_to_le16(0x0000);
733 cp.max_ce_len = cpu_to_le16(0x0000);
2acf3d90
AG		 734
735 hci_req_add(req, HCI_OP_LE_CREATE_CONN, sizeof(cp), &cp);
b46e0030
JH		 736
737 conn->state = BT_CONNECT;
28a667c9 738 clear_bit(HCI_CONN_SCANNING, &conn->flags);
2acf3d90
AG		 739}
740
3c857757
JH		 741static void hci_req_directed_advertising(struct hci_request *req,
742 struct hci_conn *conn)
743{
744 struct hci_dev *hdev = req->hdev;
745 struct hci_cp_le_set_adv_param cp;
746 u8 own_addr_type;
747 u8 enable;
748
5ce194c4 749 /* Clear the HCI_LE_ADV bit temporarily so that the
3c857757
JH		 750 * hci_update_random_address knows that it's safe to go ahead
751 * and write a new random address. The flag will be set back on
752 * as soon as the SET_ADV_ENABLE HCI command completes.
753 */
a358dc11 754 hci_dev_clear_flag(hdev, HCI_LE_ADV);
3c857757
JH		 755
756 /* Set require_privacy to false so that the remote device has a
757 * chance of identifying us.
758 */
759 if (hci_update_random_address(req, false, &own_addr_type) < 0)
760 return;
761
762 memset(&cp, 0, sizeof(cp));
763 cp.type = LE_ADV_DIRECT_IND;
764 cp.own_address_type = own_addr_type;
765 cp.direct_addr_type = conn->dst_type;
766 bacpy(&cp.direct_addr, &conn->dst);
767 cp.channel_map = hdev->le_adv_channel_map;
768
769 hci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp);
770
771 enable = 0x01;
772 hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
773
774 conn->state = BT_CONNECT;
775}
776
04a6c589 777struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
cdd6275e 778 u8 dst_type, u8 sec_level, u16 conn_timeout,
e804d25d 779 u8 role)
1da177e4 780{
4292f1f3 781 struct hci_conn_params *params;
28a667c9 782 struct hci_conn *conn, *conn_unfinished;
1ebfcc1f 783 struct smp_irk *irk;
2acf3d90 784 struct hci_request req;
1d399ae5 785 int err;
1da177e4 786
152d386e 787 /* Let's make sure that le is enabled.*/
d7a5a11d 788 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
152d386e
LR		 789 if (lmp_le_capable(hdev))
790 return ERR_PTR(-ECONNREFUSED);
791
792 return ERR_PTR(-EOPNOTSUPP);
793 }
794
620ad521
AG		 795 /* Some devices send ATT messages as soon as the physical link is
796 * established. To be able to handle these ATT messages, the user-
797 * space first establishes the connection and then starts the pairing
798 * process.
799 *
800 * So if a hci_conn object already exists for the following connection
801 * attempt, we simply update pending_sec_level and auth_type fields
802 * and return the object found.
803 */
f1e5d547 804 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, dst);
28a667c9 805 conn_unfinished = NULL;
620ad521 806 if (conn) {
28a667c9
JP		 807 if (conn->state == BT_CONNECT &&
808 test_bit(HCI_CONN_SCANNING, &conn->flags)) {
809 BT_DBG("will continue unfinished conn %pMR", dst);
810 conn_unfinished = conn;
811 } else {
812 if (conn->pending_sec_level < sec_level)
813 conn->pending_sec_level = sec_level;
814 goto done;
815 }
620ad521 816 }
dfc94dbd 817
620ad521
AG		 818 /* Since the controller supports only one LE connection attempt at a
819 * time, we return -EBUSY if there is any connection attempt running.
820 */
e7d9ab73 821 if (hci_lookup_le_connect(hdev))
620ad521 822 return ERR_PTR(-EBUSY);
46a190cb 823
edb4b466
MH		 824 /* When given an identity address with existing identity
825 * resolving key, the connection needs to be established
826 * to a resolvable random address.
827 *
edb4b466
MH		 828 * Storing the resolvable random address is required here
829 * to handle connection failures. The address will later
830 * be resolved back into the original identity address
831 * from the connect request.
832 */
1ebfcc1f
JH		 833 irk = hci_find_irk_by_addr(hdev, dst, dst_type);
834 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
835 dst = &irk->rpa;
836 dst_type = ADDR_LE_DEV_RANDOM;
837 }
838
28a667c9
JP		 839 if (conn_unfinished) {
840 conn = conn_unfinished;
841 bacpy(&conn->dst, dst);
842 } else {
843 conn = hci_conn_add(hdev, LE_LINK, dst, role);
844 }
845
620ad521
AG		 846 if (!conn)
847 return ERR_PTR(-ENOMEM);
9f0caeb1 848
1ebfcc1f 849 conn->dst_type = dst_type;
620ad521 850 conn->sec_level = BT_SECURITY_LOW;
09ae260b 851 conn->conn_timeout = conn_timeout;
4292f1f3 852
28a667c9
JP		 853 if (!conn_unfinished)
854 conn->pending_sec_level = sec_level;
855
3c857757
JH		 856 hci_req_init(&req, hdev);
857
376f54c1
JH		 858 /* Disable advertising if we're active. For master role
859 * connections most controllers will refuse to connect if
860 * advertising is enabled, and for slave role connections we
861 * anyway have to disable it in order to start directed
862 * advertising.
863 */
d7a5a11d 864 if (hci_dev_test_flag(hdev, HCI_LE_ADV)) {
376f54c1
JH		 865 u8 enable = 0x00;
866 hci_req_add(&req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
867 &enable);
868 }
869
cdd6275e 870 /* If requested to connect as slave use directed advertising */
e804d25d 871 if (conn->role == HCI_ROLE_SLAVE) {
e8bb6b97
JH		 872 /* If we're active scanning most controllers are unable
873 * to initiate advertising. Simply reject the attempt.
874 */
d7a5a11d 875 if (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
e8bb6b97
JH		 876 hdev->le_scan_type == LE_SCAN_ACTIVE) {
877 skb_queue_purge(&req.cmd_q);
878 hci_conn_del(conn);
879 return ERR_PTR(-EBUSY);
880 }
881
3c857757
JH		 882 hci_req_directed_advertising(&req, conn);
883 goto create_conn;
884 }
885
4292f1f3
AG		 886 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
887 if (params) {
888 conn->le_conn_min_interval = params->conn_min_interval;
889 conn->le_conn_max_interval = params->conn_max_interval;
037fc415
MH		 890 conn->le_conn_latency = params->conn_latency;
891 conn->le_supv_timeout = params->supervision_timeout;
4292f1f3
AG		 892 } else {
893 conn->le_conn_min_interval = hdev->le_conn_min_interval;
894 conn->le_conn_max_interval = hdev->le_conn_max_interval;
04fb7d90
MH		 895 conn->le_conn_latency = hdev->le_conn_latency;
896 conn->le_supv_timeout = hdev->le_supv_timeout;
4292f1f3 897 }
eda42b50 898
2acf3d90 899 /* If controller is scanning, we stop it since some controllers are
81ad6fd9
JH		 900 * not able to scan and connect at the same time. Also set the
901 * HCI_LE_SCAN_INTERRUPTED flag so that the command complete
902 * handler for scan disabling knows to set the correct discovery
903 * state.
2acf3d90 904 */
d7a5a11d 905 if (hci_dev_test_flag(hdev, HCI_LE_SCAN)) {
2acf3d90 906 hci_req_add_le_scan_disable(&req);
a1536da2 907 hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED);
2acf3d90
AG		 908 }
909
81ad6fd9
JH		 910 hci_req_add_le_create_conn(&req, conn);
911
3c857757 912create_conn:
81ad6fd9 913 err = hci_req_run(&req, create_le_conn_complete);
2acf3d90
AG		 914 if (err) {
915 hci_conn_del(conn);
620ad521 916 return ERR_PTR(err);
2acf3d90 917 }
fcd89c09 918
620ad521 919done:
28a667c9
JP		 920 /* If this is continuation of connect started by hci_connect_le_scan,
921 * it already called hci_conn_hold and calling it again would mess the
922 * counter.
923 */
924 if (!conn_unfinished)
925 hci_conn_hold(conn);
926
f1e5d547 927 return conn;
d04aef4c 928}
fcd89c09 929
f75113a2
JP		 930static void hci_connect_le_scan_complete(struct hci_dev *hdev, u8 status,
931 u16 opcode)
932{
933 struct hci_conn *conn;
934
935 if (!status)
936 return;
937
938 BT_ERR("Failed to add device to auto conn whitelist: status 0x%2.2x",
939 status);
940
941 hci_dev_lock(hdev);
942
943 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
944 if (conn)
945 hci_le_conn_failed(conn, status);
946
947 hci_dev_unlock(hdev);
948}
949
950static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
951{
952 struct hci_conn *conn;
953
954 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, addr);
955 if (!conn)
956 return false;
957
958 if (conn->dst_type != type)
959 return false;
960
961 if (conn->state != BT_CONNECTED)
962 return false;
963
964 return true;
965}
966
967/* This function requires the caller holds hdev->lock */
968static int hci_explicit_conn_params_set(struct hci_request *req,
969 bdaddr_t *addr, u8 addr_type)
970{
971 struct hci_dev *hdev = req->hdev;
972 struct hci_conn_params *params;
973
974 if (is_connected(hdev, addr, addr_type))
975 return -EISCONN;
976
977 params = hci_conn_params_add(hdev, addr, addr_type);
978 if (!params)
979 return -EIO;
980
981 /* If we created new params, or existing params were marked as disabled,
982 * mark them to be used just once to connect.
983 */
984 if (params->auto_connect == HCI_AUTO_CONN_DISABLED) {
985 params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
986 list_del_init(&params->action);
987 list_add(&params->action, &hdev->pend_le_conns);
988 }
989
990 params->explicit_connect = true;
991 __hci_update_background_scan(req);
992
993 BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
994 params->auto_connect);
995
996 return 0;
997}
998
999/* This function requires the caller holds hdev->lock */
1000struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
1001 u8 dst_type, u8 sec_level,
1002 u16 conn_timeout, u8 role)
1003{
1004 struct hci_conn *conn;
1005 struct hci_request req;
1006 int err;
1007
1008 /* Let's make sure that le is enabled.*/
1009 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1010 if (lmp_le_capable(hdev))
1011 return ERR_PTR(-ECONNREFUSED);
1012
1013 return ERR_PTR(-EOPNOTSUPP);
1014 }
1015
1016 /* Some devices send ATT messages as soon as the physical link is
1017 * established. To be able to handle these ATT messages, the user-
1018 * space first establishes the connection and then starts the pairing
1019 * process.
1020 *
1021 * So if a hci_conn object already exists for the following connection
1022 * attempt, we simply update pending_sec_level and auth_type fields
1023 * and return the object found.
1024 */
1025 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, dst);
1026 if (conn) {
1027 if (conn->pending_sec_level < sec_level)
1028 conn->pending_sec_level = sec_level;
1029 goto done;
1030 }
1031
1032 BT_DBG("requesting refresh of dst_addr");
1033
1034 conn = hci_conn_add(hdev, LE_LINK, dst, role);
1035 if (!conn)
1036 return ERR_PTR(-ENOMEM);
1037
1038 hci_req_init(&req, hdev);
1039
1040 if (hci_explicit_conn_params_set(&req, dst, dst_type) < 0)
1041 return ERR_PTR(-EBUSY);
1042
1043 conn->state = BT_CONNECT;
1044 set_bit(HCI_CONN_SCANNING, &conn->flags);
1045
1046 err = hci_req_run(&req, hci_connect_le_scan_complete);
1047 if (err && err != -ENODATA) {
1048 hci_conn_del(conn);
1049 return ERR_PTR(err);
1050 }
1051
1052 conn->dst_type = dst_type;
1053 conn->sec_level = BT_SECURITY_LOW;
1054 conn->pending_sec_level = sec_level;
1055 conn->conn_timeout = conn_timeout;
1056
1057done:
1058 hci_conn_hold(conn);
1059 return conn;
1060}
1061
04a6c589
AG		 1062struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
1063 u8 sec_level, u8 auth_type)
1da177e4
LT		 1064{
1065 struct hci_conn *acl;
fcd89c09 1066
d7a5a11d 1067 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
c411110e
LR		 1068 if (lmp_bredr_capable(hdev))
1069 return ERR_PTR(-ECONNREFUSED);
1070
beb19e4c 1071 return ERR_PTR(-EOPNOTSUPP);
c411110e 1072 }
56f87901 1073
70f23020
AE		 1074 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
1075 if (!acl) {
a5c4e309 1076 acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
70f23020 1077 if (!acl)
48c7aba9 1078 return ERR_PTR(-ENOMEM);
1da177e4
LT		 1079 }
1080
1081 hci_conn_hold(acl);
1082
09ab6f4c 1083 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
765c2a96
JH		 1084 acl->sec_level = BT_SECURITY_LOW;
1085 acl->pending_sec_level = sec_level;
09ab6f4c 1086 acl->auth_type = auth_type;
1aef8669 1087 hci_acl_create_connection(acl);
09ab6f4c 1088 }
1da177e4 1089
db474275
VCG		 1090 return acl;
1091}
1092
10c62ddc
FD		 1093struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
1094 __u16 setting)
db474275
VCG		 1095{
1096 struct hci_conn *acl;
1097 struct hci_conn *sco;
1098
e660ed6c 1099 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING);
db474275 1100 if (IS_ERR(acl))
5b7f9909 1101 return acl;
1da177e4 1102
70f23020
AE		 1103 sco = hci_conn_hash_lookup_ba(hdev, type, dst);
1104 if (!sco) {
a5c4e309 1105 sco = hci_conn_add(hdev, type, dst, HCI_ROLE_MASTER);
70f23020 1106 if (!sco) {
76a68ba0 1107 hci_conn_drop(acl);
48c7aba9 1108 return ERR_PTR(-ENOMEM);
1da177e4 1109 }
5b7f9909 1110 }
1da177e4 1111
5b7f9909
MH		 1112 acl->link = sco;
1113 sco->link = acl;
1da177e4 1114
5b7f9909 1115 hci_conn_hold(sco);
1da177e4 1116
10c62ddc
FD		 1117 sco->setting = setting;
1118
5b7f9909 1119 if (acl->state == BT_CONNECTED &&
5974e4c4 1120 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
58a681ef 1121 set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
14b12d0b 1122 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
c390216b 1123
51a8efd7 1124 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
e73439d8 1125 /* defer SCO setup until mode change completed */
51a8efd7 1126 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
e73439d8
MH		 1127 return sco;
1128 }
1129
1130 hci_sco_setup(acl, 0x00);
b6a0dc82 1131 }
5b7f9909
MH		 1132
1133 return sco;
1da177e4 1134}
1da177e4 1135
e7c29cb1
MH		 1136/* Check link security requirement */
1137int hci_conn_check_link_mode(struct hci_conn *conn)
1138{
38b3fef1 1139 BT_DBG("hcon %p", conn);
e7c29cb1 1140
40b552aa
MH		 1141 /* In Secure Connections Only mode, it is required that Secure
1142 * Connections is used and the link is encrypted with AES-CCM
1143 * using a P-256 authenticated combination key.
1144 */
d7a5a11d 1145 if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) {
40b552aa
MH		 1146 if (!hci_conn_sc_enabled(conn) ||
1147 !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
1148 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
1149 return 0;
1150 }
1151
4dae2798
JH		 1152 if (hci_conn_ssp_enabled(conn) &&
1153 !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
e7c29cb1
MH		 1154 return 0;
1155
1156 return 1;
1157}
e7c29cb1 1158
1da177e4 1159/* Authenticate remote device */
0684e5f9 1160static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
1da177e4 1161{
38b3fef1 1162 BT_DBG("hcon %p", conn);
1da177e4 1163
765c2a96
JH		 1164 if (conn->pending_sec_level > sec_level)
1165 sec_level = conn->pending_sec_level;
1166
96a31833 1167 if (sec_level > conn->sec_level)
765c2a96 1168 conn->pending_sec_level = sec_level;
4dae2798 1169 else if (test_bit(HCI_CONN_AUTH, &conn->flags))
1da177e4
LT		 1170 return 1;
1171
65cf686e
JH		 1172 /* Make sure we preserve an existing MITM requirement*/
1173 auth_type |= (conn->auth_type & 0x01);
1174
96a31833
MH		 1175 conn->auth_type = auth_type;
1176
51a8efd7 1177 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1da177e4 1178 struct hci_cp_auth_requested cp;
b7d05bad 1179
aca3192c 1180 cp.handle = cpu_to_le16(conn->handle);
40be492f 1181 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
5974e4c4 1182 sizeof(cp), &cp);
09da1f34
JH		 1183
1184 /* If we're already encrypted set the REAUTH_PEND flag,
1185 * otherwise set the ENCRYPT_PEND.
1186 */
4dae2798 1187 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
51a8efd7 1188 set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
09da1f34
JH		 1189 else
1190 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
1da177e4 1191 }
8c1b2355 1192
1da177e4
LT		 1193 return 0;
1194}
1da177e4 1195
13d39315
WR		 1196/* Encrypt the the link */
1197static void hci_conn_encrypt(struct hci_conn *conn)
1198{
38b3fef1 1199 BT_DBG("hcon %p", conn);
13d39315 1200
51a8efd7 1201 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
13d39315
WR		 1202 struct hci_cp_set_conn_encrypt cp;
1203 cp.handle = cpu_to_le16(conn->handle);
1204 cp.encrypt = 0x01;
1205 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
5974e4c4 1206 &cp);
13d39315
WR		 1207 }
1208}
1209
8c1b2355 1210/* Enable security */
e7cafc45
JH		 1211int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
1212 bool initiator)
1da177e4 1213{
38b3fef1 1214 BT_DBG("hcon %p", conn);
1da177e4 1215
d8343f12
VCG		 1216 if (conn->type == LE_LINK)
1217 return smp_conn_security(conn, sec_level);
1218
13d39315 1219 /* For sdp we don't need the link key. */
8c1b2355
MH		 1220 if (sec_level == BT_SECURITY_SDP)
1221 return 1;
1222
13d39315
WR		 1223 /* For non 2.1 devices and low security level we don't need the link
1224 key. */
aa64a8b5 1225 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
3fdca1e1 1226 return 1;
8c1b2355 1227
13d39315 1228 /* For other security levels we need the link key. */
4dae2798 1229 if (!test_bit(HCI_CONN_AUTH, &conn->flags))
13d39315
WR		 1230 goto auth;
1231
7b5a9241
MH		 1232 /* An authenticated FIPS approved combination key has sufficient
1233 * security for security level 4. */
1234 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 &&
1235 sec_level == BT_SECURITY_FIPS)
1236 goto encrypt;
1237
1238 /* An authenticated combination key has sufficient security for
1239 security level 3. */
1240 if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 ||
1241 conn->key_type == HCI_LK_AUTH_COMBINATION_P256) &&
1242 sec_level == BT_SECURITY_HIGH)
13d39315
WR		 1243 goto encrypt;
1244
1245 /* An unauthenticated combination key has sufficient security for
1246 security level 1 and 2. */
66138ce8
MH		 1247 if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 ||
1248 conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) &&
5974e4c4 1249 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW))
13d39315
WR		 1250 goto encrypt;
1251
1252 /* A combination key has always sufficient security for the security
1253 levels 1 or 2. High security level requires the combination key
1254 is generated using maximum PIN code length (16).
1255 For pre 2.1 units. */
1256 if (conn->key_type == HCI_LK_COMBINATION &&
7b5a9241
MH		 1257 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW ||
1258 conn->pin_length == 16))
13d39315
WR		 1259 goto encrypt;
1260
1261auth:
51a8efd7 1262 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
1da177e4
LT		 1263 return 0;
1264
977f8fce
JH		 1265 if (initiator)
1266 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1267
6fdf658c
LAD		 1268 if (!hci_conn_auth(conn, sec_level, auth_type))
1269 return 0;
13d39315
WR		 1270
1271encrypt:
4dae2798 1272 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
13d39315 1273 return 1;
8c1b2355 1274
13d39315 1275 hci_conn_encrypt(conn);
1da177e4
LT		 1276 return 0;
1277}
8c1b2355 1278EXPORT_SYMBOL(hci_conn_security);
1da177e4 1279
b3b1b061
WR		 1280/* Check secure link requirement */
1281int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
1282{
38b3fef1 1283 BT_DBG("hcon %p", conn);
b3b1b061 1284
9cb2e030
MH		 1285 /* Accept if non-secure or higher security level is required */
1286 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
1287 return 1;
b3b1b061 1288
9cb2e030
MH		 1289 /* Accept if secure or higher security level is already present */
1290 if (conn->sec_level == BT_SECURITY_HIGH ||
1291 conn->sec_level == BT_SECURITY_FIPS)
b3b1b061
WR		 1292 return 1;
1293
9cb2e030
MH		 1294 /* Reject not secure link */
1295 return 0;
b3b1b061
WR		 1296}
1297EXPORT_SYMBOL(hci_conn_check_secure);
1298
1da177e4 1299/* Switch role */
8c1b2355 1300int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
1da177e4 1301{
38b3fef1 1302 BT_DBG("hcon %p", conn);
1da177e4 1303
40bef302 1304 if (role == conn->role)
1da177e4
LT		 1305 return 1;
1306
51a8efd7 1307 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
1da177e4
LT		 1308 struct hci_cp_switch_role cp;
1309 bacpy(&cp.bdaddr, &conn->dst);
1310 cp.role = role;
a9de9248 1311 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
1da177e4 1312 }
8c1b2355 1313
1da177e4
LT		 1314 return 0;
1315}
1316EXPORT_SYMBOL(hci_conn_switch_role);
1317
04837f64 1318/* Enter active mode */
14b12d0b 1319void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
04837f64
MH		 1320{
1321 struct hci_dev *hdev = conn->hdev;
1322
38b3fef1 1323 BT_DBG("hcon %p mode %d", conn, conn->mode);
04837f64 1324
14b12d0b
JG		 1325 if (conn->mode != HCI_CM_SNIFF)
1326 goto timer;
1327
58a681ef 1328 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
04837f64
MH		 1329 goto timer;
1330
51a8efd7 1331 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
04837f64 1332 struct hci_cp_exit_sniff_mode cp;
aca3192c 1333 cp.handle = cpu_to_le16(conn->handle);
a9de9248 1334 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
04837f64
MH		 1335 }
1336
1337timer:
1338 if (hdev->idle_timeout > 0)
a74a84f6
JH		 1339 queue_delayed_work(hdev->workqueue, &conn->idle_work,
1340 msecs_to_jiffies(hdev->idle_timeout));
04837f64
MH		 1341}
1342
1da177e4
LT		 1343/* Drop all connection on the device */
1344void hci_conn_hash_flush(struct hci_dev *hdev)
1345{
1346 struct hci_conn_hash *h = &hdev->conn_hash;
3c4e0df0 1347 struct hci_conn *c, *n;
1da177e4
LT		 1348
1349 BT_DBG("hdev %s", hdev->name);
1350
3c4e0df0 1351 list_for_each_entry_safe(c, n, &h->list, list) {
1da177e4
LT		 1352 c->state = BT_CLOSED;
1353
3a6d576b 1354 hci_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM);
1da177e4
LT		 1355 hci_conn_del(c);
1356 }
1357}
1358
a9de9248
MH		 1359/* Check pending connect attempts */
1360void hci_conn_check_pending(struct hci_dev *hdev)
1361{
1362 struct hci_conn *conn;
1363
1364 BT_DBG("hdev %s", hdev->name);
1365
1366 hci_dev_lock(hdev);
1367
1368 conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2);
1369 if (conn)
1aef8669 1370 hci_acl_create_connection(conn);
a9de9248
MH		 1371
1372 hci_dev_unlock(hdev);
1373}
1374
4dae2798
JH		 1375static u32 get_link_mode(struct hci_conn *conn)
1376{
1377 u32 link_mode = 0;
1378
40bef302 1379 if (conn->role == HCI_ROLE_MASTER)
4dae2798
JH		 1380 link_mode |= HCI_LM_MASTER;
1381
1382 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1383 link_mode |= HCI_LM_ENCRYPT;
1384
1385 if (test_bit(HCI_CONN_AUTH, &conn->flags))
1386 link_mode |= HCI_LM_AUTH;
1387
1388 if (test_bit(HCI_CONN_SECURE, &conn->flags))
1389 link_mode |= HCI_LM_SECURE;
1390
1391 if (test_bit(HCI_CONN_FIPS, &conn->flags))
1392 link_mode |= HCI_LM_FIPS;
1393
1394 return link_mode;
1395}
1396
1da177e4
LT		 1397int hci_get_conn_list(void __user *arg)
1398{
fc5fef61 1399 struct hci_conn *c;
1da177e4
LT		 1400 struct hci_conn_list_req req, *cl;
1401 struct hci_conn_info *ci;
1402 struct hci_dev *hdev;
1da177e4
LT		 1403 int n = 0, size, err;
1404
1405 if (copy_from_user(&req, arg, sizeof(req)))
1406 return -EFAULT;
1407
1408 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
1409 return -EINVAL;
1410
1411 size = sizeof(req) + req.conn_num * sizeof(*ci);
1412
70f23020
AE		 1413 cl = kmalloc(size, GFP_KERNEL);
1414 if (!cl)
1da177e4
LT		 1415 return -ENOMEM;
1416
70f23020
AE		 1417 hdev = hci_dev_get(req.dev_id);
1418 if (!hdev) {
1da177e4
LT		 1419 kfree(cl);
1420 return -ENODEV;
1421 }
1422
1423 ci = cl->conn_info;
1424
09fd0de5 1425 hci_dev_lock(hdev);
8035ded4 1426 list_for_each_entry(c, &hdev->conn_hash.list, list) {
1da177e4
LT		 1427 bacpy(&(ci + n)->bdaddr, &c->dst);
1428 (ci + n)->handle = c->handle;
1429 (ci + n)->type = c->type;
1430 (ci + n)->out = c->out;
1431 (ci + n)->state = c->state;
4dae2798 1432 (ci + n)->link_mode = get_link_mode(c);
1da177e4
LT		 1433 if (++n >= req.conn_num)
1434 break;
1435 }
09fd0de5 1436 hci_dev_unlock(hdev);
1da177e4
LT		 1437
1438 cl->dev_id = hdev->id;
1439 cl->conn_num = n;
1440 size = sizeof(req) + n * sizeof(*ci);
1441
1442 hci_dev_put(hdev);
1443
1444 err = copy_to_user(arg, cl, size);
1445 kfree(cl);
1446
1447 return err ? -EFAULT : 0;
1448}
1449
1450int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
1451{
1452 struct hci_conn_info_req req;
1453 struct hci_conn_info ci;
1454 struct hci_conn *conn;
1455 char __user *ptr = arg + sizeof(req);
1456
1457 if (copy_from_user(&req, arg, sizeof(req)))
1458 return -EFAULT;
1459
09fd0de5 1460 hci_dev_lock(hdev);
1da177e4
LT		 1461 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
1462 if (conn) {
1463 bacpy(&ci.bdaddr, &conn->dst);
1464 ci.handle = conn->handle;
1465 ci.type = conn->type;
1466 ci.out = conn->out;
1467 ci.state = conn->state;
4dae2798 1468 ci.link_mode = get_link_mode(conn);
1da177e4 1469 }
09fd0de5 1470 hci_dev_unlock(hdev);
1da177e4
LT		 1471
1472 if (!conn)
1473 return -ENOENT;
1474
1475 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
1476}
40be492f
MH		 1477
1478int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
1479{
1480 struct hci_auth_info_req req;
1481 struct hci_conn *conn;
1482
1483 if (copy_from_user(&req, arg, sizeof(req)))
1484 return -EFAULT;
1485
09fd0de5 1486 hci_dev_lock(hdev);
40be492f
MH		 1487 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
1488 if (conn)
1489 req.type = conn->auth_type;
09fd0de5 1490 hci_dev_unlock(hdev);
40be492f
MH		 1491
1492 if (!conn)
1493 return -ENOENT;
1494
1495 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
1496}
73d80deb
LAD		 1497
1498struct hci_chan *hci_chan_create(struct hci_conn *conn)
1499{
1500 struct hci_dev *hdev = conn->hdev;
1501 struct hci_chan *chan;
1502
38b3fef1 1503 BT_DBG("%s hcon %p", hdev->name, conn);
73d80deb 1504
f94b665d
JH		 1505 if (test_bit(HCI_CONN_DROP, &conn->flags)) {
1506 BT_DBG("Refusing to create new hci_chan");
1507 return NULL;
1508 }
1509
27f70f3e 1510 chan = kzalloc(sizeof(*chan), GFP_KERNEL);
73d80deb
LAD		 1511 if (!chan)
1512 return NULL;
1513
6c388d32 1514 chan->conn = hci_conn_get(conn);
73d80deb 1515 skb_queue_head_init(&chan->data_q);
168df8e5 1516 chan->state = BT_CONNECTED;
73d80deb 1517
8192edef 1518 list_add_rcu(&chan->list, &conn->chan_list);
73d80deb
LAD		 1519
1520 return chan;
1521}
1522
9472007c 1523void hci_chan_del(struct hci_chan *chan)
73d80deb
LAD		 1524{
1525 struct hci_conn *conn = chan->conn;
1526 struct hci_dev *hdev = conn->hdev;
1527
38b3fef1 1528 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
73d80deb 1529
8192edef
GP		 1530 list_del_rcu(&chan->list);
1531
1532 synchronize_rcu();
73d80deb 1533
bcbb655a 1534 /* Prevent new hci_chan's to be created for this hci_conn */
f94b665d 1535 set_bit(HCI_CONN_DROP, &conn->flags);
b3ff670a 1536
6c388d32 1537 hci_conn_put(conn);
e9b02748 1538
73d80deb
LAD		 1539 skb_queue_purge(&chan->data_q);
1540 kfree(chan);
73d80deb
LAD		 1541}
1542
2c33c06a 1543void hci_chan_list_flush(struct hci_conn *conn)
73d80deb 1544{
2a5a5ec6 1545 struct hci_chan *chan, *n;
73d80deb 1546
38b3fef1 1547 BT_DBG("hcon %p", conn);
73d80deb 1548
2a5a5ec6 1549 list_for_each_entry_safe(chan, n, &conn->chan_list, list)
73d80deb
LAD		 1550 hci_chan_del(chan);
1551}
42c4e53e
AE		 1552
1553static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
1554 __u16 handle)
1555{
1556 struct hci_chan *hchan;
1557
1558 list_for_each_entry(hchan, &hcon->chan_list, list) {
1559 if (hchan->handle == handle)
1560 return hchan;
1561 }
1562
1563 return NULL;
1564}
1565
1566struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
1567{
1568 struct hci_conn_hash *h = &hdev->conn_hash;
1569 struct hci_conn *hcon;
1570 struct hci_chan *hchan = NULL;
1571
1572 rcu_read_lock();
1573
1574 list_for_each_entry_rcu(hcon, &h->list, list) {
1575 hchan = __hci_chan_lookup_handle(hcon, handle);
1576 if (hchan)
1577 break;
1578 }
1579
1580 rcu_read_unlock();
1581
1582 return hchan;
1583}
Linux 6.x block layer and io_uring tree(s)