2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI connection handling. */
27 #include <linux/export.h>
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/l2cap.h>
41 static const struct sco_param sco_param_cvsd[] = {
42 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a }, /* S3 */
43 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007 }, /* S2 */
44 { EDR_ESCO_MASK | ESCO_EV3, 0x0007 }, /* S1 */
45 { EDR_ESCO_MASK | ESCO_HV3, 0xffff }, /* D1 */
46 { EDR_ESCO_MASK | ESCO_HV1, 0xffff }, /* D0 */
49 static const struct sco_param sco_param_wideband[] = {
50 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d }, /* T2 */
51 { EDR_ESCO_MASK | ESCO_EV3, 0x0008 }, /* T1 */
54 static void hci_le_create_connection_cancel(struct hci_conn *conn)
56 hci_send_cmd(conn->hdev, HCI_OP_LE_CREATE_CONN_CANCEL, 0, NULL);
59 static void hci_acl_create_connection(struct hci_conn *conn)
61 struct hci_dev *hdev = conn->hdev;
62 struct inquiry_entry *ie;
63 struct hci_cp_create_conn cp;
65 BT_DBG("hcon %p", conn);
67 conn->state = BT_CONNECT;
70 conn->link_mode = HCI_LM_MASTER;
74 conn->link_policy = hdev->link_policy;
76 memset(&cp, 0, sizeof(cp));
77 bacpy(&cp.bdaddr, &conn->dst);
78 cp.pscan_rep_mode = 0x02;
80 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
82 if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) {
83 cp.pscan_rep_mode = ie->data.pscan_rep_mode;
84 cp.pscan_mode = ie->data.pscan_mode;
85 cp.clock_offset = ie->data.clock_offset |
89 memcpy(conn->dev_class, ie->data.dev_class, 3);
90 if (ie->data.ssp_mode > 0)
91 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
94 cp.pkt_type = cpu_to_le16(conn->pkt_type);
95 if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER))
96 cp.role_switch = 0x01;
98 cp.role_switch = 0x00;
100 hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
103 static void hci_acl_create_connection_cancel(struct hci_conn *conn)
105 struct hci_cp_create_conn_cancel cp;
107 BT_DBG("hcon %p", conn);
109 if (conn->hdev->hci_ver < BLUETOOTH_VER_1_2)
112 bacpy(&cp.bdaddr, &conn->dst);
113 hci_send_cmd(conn->hdev, HCI_OP_CREATE_CONN_CANCEL, sizeof(cp), &cp);
116 static void hci_reject_sco(struct hci_conn *conn)
118 struct hci_cp_reject_sync_conn_req cp;
120 cp.reason = HCI_ERROR_REMOTE_USER_TERM;
121 bacpy(&cp.bdaddr, &conn->dst);
123 hci_send_cmd(conn->hdev, HCI_OP_REJECT_SYNC_CONN_REQ, sizeof(cp), &cp);
126 void hci_disconnect(struct hci_conn *conn, __u8 reason)
128 struct hci_cp_disconnect cp;
130 BT_DBG("hcon %p", conn);
132 conn->state = BT_DISCONN;
134 cp.handle = cpu_to_le16(conn->handle);
136 hci_send_cmd(conn->hdev, HCI_OP_DISCONNECT, sizeof(cp), &cp);
139 static void hci_amp_disconn(struct hci_conn *conn, __u8 reason)
141 struct hci_cp_disconn_phy_link cp;
143 BT_DBG("hcon %p", conn);
145 conn->state = BT_DISCONN;
147 cp.phy_handle = HCI_PHY_HANDLE(conn->handle);
149 hci_send_cmd(conn->hdev, HCI_OP_DISCONN_PHY_LINK,
153 static void hci_add_sco(struct hci_conn *conn, __u16 handle)
155 struct hci_dev *hdev = conn->hdev;
156 struct hci_cp_add_sco cp;
158 BT_DBG("hcon %p", conn);
160 conn->state = BT_CONNECT;
165 cp.handle = cpu_to_le16(handle);
166 cp.pkt_type = cpu_to_le16(conn->pkt_type);
168 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
171 bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
173 struct hci_dev *hdev = conn->hdev;
174 struct hci_cp_setup_sync_conn cp;
175 const struct sco_param *param;
177 BT_DBG("hcon %p", conn);
179 conn->state = BT_CONNECT;
184 cp.handle = cpu_to_le16(handle);
186 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
187 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
188 cp.voice_setting = cpu_to_le16(conn->setting);
190 switch (conn->setting & SCO_AIRMODE_MASK) {
191 case SCO_AIRMODE_TRANSP:
192 if (conn->attempt > ARRAY_SIZE(sco_param_wideband))
194 cp.retrans_effort = 0x02;
195 param = &sco_param_wideband[conn->attempt - 1];
197 case SCO_AIRMODE_CVSD:
198 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
200 cp.retrans_effort = 0x01;
201 param = &sco_param_cvsd[conn->attempt - 1];
207 cp.pkt_type = __cpu_to_le16(param->pkt_type);
208 cp.max_latency = __cpu_to_le16(param->max_latency);
210 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
216 void hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max,
217 u16 latency, u16 to_multiplier)
219 struct hci_cp_le_conn_update cp;
220 struct hci_dev *hdev = conn->hdev;
222 memset(&cp, 0, sizeof(cp));
224 cp.handle = cpu_to_le16(conn->handle);
225 cp.conn_interval_min = cpu_to_le16(min);
226 cp.conn_interval_max = cpu_to_le16(max);
227 cp.conn_latency = cpu_to_le16(latency);
228 cp.supervision_timeout = cpu_to_le16(to_multiplier);
229 cp.min_ce_len = cpu_to_le16(0x0000);
230 cp.max_ce_len = cpu_to_le16(0x0000);
232 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
235 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
238 struct hci_dev *hdev = conn->hdev;
239 struct hci_cp_le_start_enc cp;
241 BT_DBG("hcon %p", conn);
243 memset(&cp, 0, sizeof(cp));
245 cp.handle = cpu_to_le16(conn->handle);
248 memcpy(cp.ltk, ltk, sizeof(cp.ltk));
250 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
253 /* Device _must_ be locked */
254 void hci_sco_setup(struct hci_conn *conn, __u8 status)
256 struct hci_conn *sco = conn->link;
261 BT_DBG("hcon %p", conn);
264 if (lmp_esco_capable(conn->hdev))
265 hci_setup_sync(sco, conn->handle);
267 hci_add_sco(sco, conn->handle);
269 hci_proto_connect_cfm(sco, status);
274 static void hci_conn_disconnect(struct hci_conn *conn)
276 __u8 reason = hci_proto_disconn_ind(conn);
278 switch (conn->type) {
280 hci_amp_disconn(conn, reason);
283 hci_disconnect(conn, reason);
288 static void hci_conn_timeout(struct work_struct *work)
290 struct hci_conn *conn = container_of(work, struct hci_conn,
293 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
295 if (atomic_read(&conn->refcnt))
298 switch (conn->state) {
302 if (conn->type == ACL_LINK)
303 hci_acl_create_connection_cancel(conn);
304 else if (conn->type == LE_LINK)
305 hci_le_create_connection_cancel(conn);
306 } else if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
307 hci_reject_sco(conn);
312 hci_conn_disconnect(conn);
315 conn->state = BT_CLOSED;
320 /* Enter sniff mode */
321 static void hci_conn_idle(struct work_struct *work)
323 struct hci_conn *conn = container_of(work, struct hci_conn,
325 struct hci_dev *hdev = conn->hdev;
327 BT_DBG("hcon %p mode %d", conn, conn->mode);
329 if (test_bit(HCI_RAW, &hdev->flags))
332 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
335 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
338 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
339 struct hci_cp_sniff_subrate cp;
340 cp.handle = cpu_to_le16(conn->handle);
341 cp.max_latency = cpu_to_le16(0);
342 cp.min_remote_timeout = cpu_to_le16(0);
343 cp.min_local_timeout = cpu_to_le16(0);
344 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
347 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
348 struct hci_cp_sniff_mode cp;
349 cp.handle = cpu_to_le16(conn->handle);
350 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
351 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
352 cp.attempt = cpu_to_le16(4);
353 cp.timeout = cpu_to_le16(1);
354 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
358 static void hci_conn_auto_accept(struct work_struct *work)
360 struct hci_conn *conn = container_of(work, struct hci_conn,
361 auto_accept_work.work);
363 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
367 static void le_conn_timeout(struct work_struct *work)
369 struct hci_conn *conn = container_of(work, struct hci_conn,
370 le_conn_timeout.work);
371 struct hci_dev *hdev = conn->hdev;
375 /* We could end up here due to having done directed advertising,
376 * so clean up the state if necessary. This should however only
377 * happen with broken hardware or if low duty cycle was used
378 * (which doesn't have a timeout of its own).
380 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags)) {
382 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
384 hci_le_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
388 hci_le_create_connection_cancel(conn);
391 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
393 struct hci_conn *conn;
395 BT_DBG("%s dst %pMR", hdev->name, dst);
397 conn = kzalloc(sizeof(struct hci_conn), GFP_KERNEL);
401 bacpy(&conn->dst, dst);
402 bacpy(&conn->src, &hdev->bdaddr);
405 conn->mode = HCI_CM_ACTIVE;
406 conn->state = BT_OPEN;
407 conn->auth_type = HCI_AT_GENERAL_BONDING;
408 conn->io_capability = hdev->io_capability;
409 conn->remote_auth = 0xff;
410 conn->key_type = 0xff;
411 conn->tx_power = HCI_TX_POWER_INVALID;
412 conn->max_tx_power = HCI_TX_POWER_INVALID;
414 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
415 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
419 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
422 /* conn->src should reflect the local identity address */
423 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
426 if (lmp_esco_capable(hdev))
427 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
428 (hdev->esco_type & EDR_ESCO_MASK);
430 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
433 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
437 skb_queue_head_init(&conn->data_q);
439 INIT_LIST_HEAD(&conn->chan_list);
441 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
442 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
443 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
444 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
446 atomic_set(&conn->refcnt, 0);
450 hci_conn_hash_add(hdev, conn);
452 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
454 hci_conn_init_sysfs(conn);
459 int hci_conn_del(struct hci_conn *conn)
461 struct hci_dev *hdev = conn->hdev;
463 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
465 cancel_delayed_work_sync(&conn->disc_work);
466 cancel_delayed_work_sync(&conn->auto_accept_work);
467 cancel_delayed_work_sync(&conn->idle_work);
469 if (conn->type == ACL_LINK) {
470 struct hci_conn *sco = conn->link;
475 hdev->acl_cnt += conn->sent;
476 } else if (conn->type == LE_LINK) {
477 cancel_delayed_work_sync(&conn->le_conn_timeout);
480 hdev->le_cnt += conn->sent;
482 hdev->acl_cnt += conn->sent;
484 struct hci_conn *acl = conn->link;
491 hci_chan_list_flush(conn);
494 amp_mgr_put(conn->amp_mgr);
496 hci_conn_hash_del(hdev, conn);
498 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
500 skb_queue_purge(&conn->data_q);
502 hci_conn_del_sysfs(conn);
511 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src)
513 int use_src = bacmp(src, BDADDR_ANY);
514 struct hci_dev *hdev = NULL, *d;
516 BT_DBG("%pMR -> %pMR", src, dst);
518 read_lock(&hci_dev_list_lock);
520 list_for_each_entry(d, &hci_dev_list, list) {
521 if (!test_bit(HCI_UP, &d->flags) ||
522 test_bit(HCI_RAW, &d->flags) ||
523 test_bit(HCI_USER_CHANNEL, &d->dev_flags) ||
524 d->dev_type != HCI_BREDR)
528 * No source address - find interface with bdaddr != dst
529 * Source address - find interface with bdaddr == src
533 if (!bacmp(&d->bdaddr, src)) {
537 if (bacmp(&d->bdaddr, dst)) {
544 hdev = hci_dev_hold(hdev);
546 read_unlock(&hci_dev_list_lock);
549 EXPORT_SYMBOL(hci_get_route);
551 /* This function requires the caller holds hdev->lock */
552 void hci_le_conn_failed(struct hci_conn *conn, u8 status)
554 struct hci_dev *hdev = conn->hdev;
556 conn->state = BT_CLOSED;
558 mgmt_connect_failed(hdev, &conn->dst, conn->type, conn->dst_type,
561 hci_proto_connect_cfm(conn, status);
565 /* Since we may have temporarily stopped the background scanning in
566 * favor of connection establishment, we should restart it.
568 hci_update_background_scan(hdev);
570 /* Re-enable advertising in case this was a failed connection
571 * attempt as a peripheral.
573 mgmt_reenable_advertising(hdev);
576 static void create_le_conn_complete(struct hci_dev *hdev, u8 status)
578 struct hci_conn *conn;
583 BT_ERR("HCI request failed to create LE connection: status 0x%2.2x",
588 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
592 hci_le_conn_failed(conn, status);
595 hci_dev_unlock(hdev);
598 static void hci_req_add_le_create_conn(struct hci_request *req,
599 struct hci_conn *conn)
601 struct hci_cp_le_create_conn cp;
602 struct hci_dev *hdev = conn->hdev;
605 memset(&cp, 0, sizeof(cp));
607 /* Update random address, but set require_privacy to false so
608 * that we never connect with an unresolvable address.
610 if (hci_update_random_address(req, false, &own_addr_type))
613 cp.scan_interval = cpu_to_le16(hdev->le_scan_interval);
614 cp.scan_window = cpu_to_le16(hdev->le_scan_window);
615 bacpy(&cp.peer_addr, &conn->dst);
616 cp.peer_addr_type = conn->dst_type;
617 cp.own_address_type = own_addr_type;
618 cp.conn_interval_min = cpu_to_le16(conn->le_conn_min_interval);
619 cp.conn_interval_max = cpu_to_le16(conn->le_conn_max_interval);
620 cp.supervision_timeout = cpu_to_le16(0x002a);
621 cp.min_ce_len = cpu_to_le16(0x0000);
622 cp.max_ce_len = cpu_to_le16(0x0000);
624 hci_req_add(req, HCI_OP_LE_CREATE_CONN, sizeof(cp), &cp);
626 conn->state = BT_CONNECT;
629 static void hci_req_directed_advertising(struct hci_request *req,
630 struct hci_conn *conn)
632 struct hci_dev *hdev = req->hdev;
633 struct hci_cp_le_set_adv_param cp;
638 hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
640 /* Clear the HCI_ADVERTISING bit temporarily so that the
641 * hci_update_random_address knows that it's safe to go ahead
642 * and write a new random address. The flag will be set back on
643 * as soon as the SET_ADV_ENABLE HCI command completes.
645 clear_bit(HCI_ADVERTISING, &hdev->dev_flags);
647 /* Set require_privacy to false so that the remote device has a
648 * chance of identifying us.
650 if (hci_update_random_address(req, false, &own_addr_type) < 0)
653 memset(&cp, 0, sizeof(cp));
654 cp.type = LE_ADV_DIRECT_IND;
655 cp.own_address_type = own_addr_type;
656 cp.direct_addr_type = conn->dst_type;
657 bacpy(&cp.direct_addr, &conn->dst);
658 cp.channel_map = hdev->le_adv_channel_map;
660 hci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp);
663 hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
665 conn->state = BT_CONNECT;
668 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
669 u8 dst_type, u8 sec_level, u8 auth_type)
671 struct hci_conn_params *params;
672 struct hci_conn *conn;
674 struct hci_request req;
677 /* Some devices send ATT messages as soon as the physical link is
678 * established. To be able to handle these ATT messages, the user-
679 * space first establishes the connection and then starts the pairing
682 * So if a hci_conn object already exists for the following connection
683 * attempt, we simply update pending_sec_level and auth_type fields
684 * and return the object found.
686 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, dst);
688 conn->pending_sec_level = sec_level;
689 conn->auth_type = auth_type;
693 /* Since the controller supports only one LE connection attempt at a
694 * time, we return -EBUSY if there is any connection attempt running.
696 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
698 return ERR_PTR(-EBUSY);
700 /* When given an identity address with existing identity
701 * resolving key, the connection needs to be established
702 * to a resolvable random address.
704 * This uses the cached random resolvable address from
705 * a previous scan. When no cached address is available,
706 * try connecting to the identity address instead.
708 * Storing the resolvable random address is required here
709 * to handle connection failures. The address will later
710 * be resolved back into the original identity address
711 * from the connect request.
713 irk = hci_find_irk_by_addr(hdev, dst, dst_type);
714 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
716 dst_type = ADDR_LE_DEV_RANDOM;
719 conn = hci_conn_add(hdev, LE_LINK, dst);
721 return ERR_PTR(-ENOMEM);
723 conn->dst_type = dst_type;
724 conn->sec_level = BT_SECURITY_LOW;
725 conn->pending_sec_level = sec_level;
726 conn->auth_type = auth_type;
728 hci_req_init(&req, hdev);
730 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags)) {
731 hci_req_directed_advertising(&req, conn);
736 conn->link_mode |= HCI_LM_MASTER;
738 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
740 conn->le_conn_min_interval = params->conn_min_interval;
741 conn->le_conn_max_interval = params->conn_max_interval;
743 conn->le_conn_min_interval = hdev->le_conn_min_interval;
744 conn->le_conn_max_interval = hdev->le_conn_max_interval;
747 /* If controller is scanning, we stop it since some controllers are
748 * not able to scan and connect at the same time. Also set the
749 * HCI_LE_SCAN_INTERRUPTED flag so that the command complete
750 * handler for scan disabling knows to set the correct discovery
753 if (test_bit(HCI_LE_SCAN, &hdev->dev_flags)) {
754 hci_req_add_le_scan_disable(&req);
755 set_bit(HCI_LE_SCAN_INTERRUPTED, &hdev->dev_flags);
758 hci_req_add_le_create_conn(&req, conn);
761 err = hci_req_run(&req, create_le_conn_complete);
772 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
773 u8 sec_level, u8 auth_type)
775 struct hci_conn *acl;
777 if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
778 return ERR_PTR(-ENOTSUPP);
780 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
782 acl = hci_conn_add(hdev, ACL_LINK, dst);
784 return ERR_PTR(-ENOMEM);
789 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
790 acl->sec_level = BT_SECURITY_LOW;
791 acl->pending_sec_level = sec_level;
792 acl->auth_type = auth_type;
793 hci_acl_create_connection(acl);
799 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
802 struct hci_conn *acl;
803 struct hci_conn *sco;
805 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING);
809 sco = hci_conn_hash_lookup_ba(hdev, type, dst);
811 sco = hci_conn_add(hdev, type, dst);
814 return ERR_PTR(-ENOMEM);
823 sco->setting = setting;
825 if (acl->state == BT_CONNECTED &&
826 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
827 set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
828 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
830 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
831 /* defer SCO setup until mode change completed */
832 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
836 hci_sco_setup(acl, 0x00);
842 /* Check link security requirement */
843 int hci_conn_check_link_mode(struct hci_conn *conn)
845 BT_DBG("hcon %p", conn);
847 /* In Secure Connections Only mode, it is required that Secure
848 * Connections is used and the link is encrypted with AES-CCM
849 * using a P-256 authenticated combination key.
851 if (test_bit(HCI_SC_ONLY, &conn->hdev->flags)) {
852 if (!hci_conn_sc_enabled(conn) ||
853 !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
854 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
858 if (hci_conn_ssp_enabled(conn) && !(conn->link_mode & HCI_LM_ENCRYPT))
864 /* Authenticate remote device */
865 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
867 BT_DBG("hcon %p", conn);
869 if (conn->pending_sec_level > sec_level)
870 sec_level = conn->pending_sec_level;
872 if (sec_level > conn->sec_level)
873 conn->pending_sec_level = sec_level;
874 else if (conn->link_mode & HCI_LM_AUTH)
877 /* Make sure we preserve an existing MITM requirement*/
878 auth_type |= (conn->auth_type & 0x01);
880 conn->auth_type = auth_type;
882 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
883 struct hci_cp_auth_requested cp;
885 cp.handle = cpu_to_le16(conn->handle);
886 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
889 /* If we're already encrypted set the REAUTH_PEND flag,
890 * otherwise set the ENCRYPT_PEND.
892 if (conn->link_mode & HCI_LM_ENCRYPT)
893 set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
895 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
901 /* Encrypt the the link */
902 static void hci_conn_encrypt(struct hci_conn *conn)
904 BT_DBG("hcon %p", conn);
906 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
907 struct hci_cp_set_conn_encrypt cp;
908 cp.handle = cpu_to_le16(conn->handle);
910 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
915 /* Enable security */
916 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
918 BT_DBG("hcon %p", conn);
920 if (conn->type == LE_LINK)
921 return smp_conn_security(conn, sec_level);
923 /* For sdp we don't need the link key. */
924 if (sec_level == BT_SECURITY_SDP)
927 /* For non 2.1 devices and low security level we don't need the link
929 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
932 /* For other security levels we need the link key. */
933 if (!(conn->link_mode & HCI_LM_AUTH))
936 /* An authenticated FIPS approved combination key has sufficient
937 * security for security level 4. */
938 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 &&
939 sec_level == BT_SECURITY_FIPS)
942 /* An authenticated combination key has sufficient security for
944 if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 ||
945 conn->key_type == HCI_LK_AUTH_COMBINATION_P256) &&
946 sec_level == BT_SECURITY_HIGH)
949 /* An unauthenticated combination key has sufficient security for
950 security level 1 and 2. */
951 if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 ||
952 conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) &&
953 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW))
956 /* A combination key has always sufficient security for the security
957 levels 1 or 2. High security level requires the combination key
958 is generated using maximum PIN code length (16).
959 For pre 2.1 units. */
960 if (conn->key_type == HCI_LK_COMBINATION &&
961 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW ||
962 conn->pin_length == 16))
966 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
969 if (!hci_conn_auth(conn, sec_level, auth_type))
973 if (conn->link_mode & HCI_LM_ENCRYPT)
976 hci_conn_encrypt(conn);
979 EXPORT_SYMBOL(hci_conn_security);
981 /* Check secure link requirement */
982 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
984 BT_DBG("hcon %p", conn);
986 /* Accept if non-secure or higher security level is required */
987 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
990 /* Accept if secure or higher security level is already present */
991 if (conn->sec_level == BT_SECURITY_HIGH ||
992 conn->sec_level == BT_SECURITY_FIPS)
995 /* Reject not secure link */
998 EXPORT_SYMBOL(hci_conn_check_secure);
1000 /* Change link key */
1001 int hci_conn_change_link_key(struct hci_conn *conn)
1003 BT_DBG("hcon %p", conn);
1005 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1006 struct hci_cp_change_conn_link_key cp;
1007 cp.handle = cpu_to_le16(conn->handle);
1008 hci_send_cmd(conn->hdev, HCI_OP_CHANGE_CONN_LINK_KEY,
1016 int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
1018 BT_DBG("hcon %p", conn);
1020 if (!role && conn->link_mode & HCI_LM_MASTER)
1023 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
1024 struct hci_cp_switch_role cp;
1025 bacpy(&cp.bdaddr, &conn->dst);
1027 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
1032 EXPORT_SYMBOL(hci_conn_switch_role);
1034 /* Enter active mode */
1035 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
1037 struct hci_dev *hdev = conn->hdev;
1039 BT_DBG("hcon %p mode %d", conn, conn->mode);
1041 if (test_bit(HCI_RAW, &hdev->flags))
1044 if (conn->mode != HCI_CM_SNIFF)
1047 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
1050 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
1051 struct hci_cp_exit_sniff_mode cp;
1052 cp.handle = cpu_to_le16(conn->handle);
1053 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
1057 if (hdev->idle_timeout > 0)
1058 queue_delayed_work(hdev->workqueue, &conn->idle_work,
1059 msecs_to_jiffies(hdev->idle_timeout));
1062 /* Drop all connection on the device */
1063 void hci_conn_hash_flush(struct hci_dev *hdev)
1065 struct hci_conn_hash *h = &hdev->conn_hash;
1066 struct hci_conn *c, *n;
1068 BT_DBG("hdev %s", hdev->name);
1070 list_for_each_entry_safe(c, n, &h->list, list) {
1071 c->state = BT_CLOSED;
1073 hci_proto_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM);
1078 /* Check pending connect attempts */
1079 void hci_conn_check_pending(struct hci_dev *hdev)
1081 struct hci_conn *conn;
1083 BT_DBG("hdev %s", hdev->name);
1087 conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2);
1089 hci_acl_create_connection(conn);
1091 hci_dev_unlock(hdev);
1094 int hci_get_conn_list(void __user *arg)
1097 struct hci_conn_list_req req, *cl;
1098 struct hci_conn_info *ci;
1099 struct hci_dev *hdev;
1100 int n = 0, size, err;
1102 if (copy_from_user(&req, arg, sizeof(req)))
1105 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
1108 size = sizeof(req) + req.conn_num * sizeof(*ci);
1110 cl = kmalloc(size, GFP_KERNEL);
1114 hdev = hci_dev_get(req.dev_id);
1123 list_for_each_entry(c, &hdev->conn_hash.list, list) {
1124 bacpy(&(ci + n)->bdaddr, &c->dst);
1125 (ci + n)->handle = c->handle;
1126 (ci + n)->type = c->type;
1127 (ci + n)->out = c->out;
1128 (ci + n)->state = c->state;
1129 (ci + n)->link_mode = c->link_mode;
1130 if (++n >= req.conn_num)
1133 hci_dev_unlock(hdev);
1135 cl->dev_id = hdev->id;
1137 size = sizeof(req) + n * sizeof(*ci);
1141 err = copy_to_user(arg, cl, size);
1144 return err ? -EFAULT : 0;
1147 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
1149 struct hci_conn_info_req req;
1150 struct hci_conn_info ci;
1151 struct hci_conn *conn;
1152 char __user *ptr = arg + sizeof(req);
1154 if (copy_from_user(&req, arg, sizeof(req)))
1158 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
1160 bacpy(&ci.bdaddr, &conn->dst);
1161 ci.handle = conn->handle;
1162 ci.type = conn->type;
1164 ci.state = conn->state;
1165 ci.link_mode = conn->link_mode;
1167 hci_dev_unlock(hdev);
1172 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
1175 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
1177 struct hci_auth_info_req req;
1178 struct hci_conn *conn;
1180 if (copy_from_user(&req, arg, sizeof(req)))
1184 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
1186 req.type = conn->auth_type;
1187 hci_dev_unlock(hdev);
1192 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
1195 struct hci_chan *hci_chan_create(struct hci_conn *conn)
1197 struct hci_dev *hdev = conn->hdev;
1198 struct hci_chan *chan;
1200 BT_DBG("%s hcon %p", hdev->name, conn);
1202 chan = kzalloc(sizeof(struct hci_chan), GFP_KERNEL);
1207 skb_queue_head_init(&chan->data_q);
1208 chan->state = BT_CONNECTED;
1210 list_add_rcu(&chan->list, &conn->chan_list);
1215 void hci_chan_del(struct hci_chan *chan)
1217 struct hci_conn *conn = chan->conn;
1218 struct hci_dev *hdev = conn->hdev;
1220 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
1222 list_del_rcu(&chan->list);
1226 hci_conn_drop(conn);
1228 skb_queue_purge(&chan->data_q);
1232 void hci_chan_list_flush(struct hci_conn *conn)
1234 struct hci_chan *chan, *n;
1236 BT_DBG("hcon %p", conn);
1238 list_for_each_entry_safe(chan, n, &conn->chan_list, list)
1242 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
1245 struct hci_chan *hchan;
1247 list_for_each_entry(hchan, &hcon->chan_list, list) {
1248 if (hchan->handle == handle)
1255 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
1257 struct hci_conn_hash *h = &hdev->conn_hash;
1258 struct hci_conn *hcon;
1259 struct hci_chan *hchan = NULL;
1263 list_for_each_entry_rcu(hcon, &h->list, list) {
1264 hchan = __hci_chan_lookup_handle(hcon, handle);