1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License version 2 as 9 published by the Free Software Foundation; 10 11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 22 SOFTWARE IS DISCLAIMED. 23 */ 24 25 /* Bluetooth HCI connection handling. */ 26 27 #include <linux/export.h> 28 29 #include <net/bluetooth/bluetooth.h> 30 #include <net/bluetooth/hci_core.h> 31 32 #include "smp.h" 33 #include "a2mp.h" 34 35 struct sco_param { 36 u16 pkt_type; 37 u16 max_latency; 38 }; 39 40 static const struct sco_param sco_param_cvsd[] = { 41 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a }, /* S3 */ 42 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007 }, /* S2 */ 43 { EDR_ESCO_MASK | ESCO_EV3, 0x0007 }, /* S1 */ 44 { EDR_ESCO_MASK | ESCO_HV3, 0xffff }, /* D1 */ 45 { EDR_ESCO_MASK | ESCO_HV1, 0xffff }, /* D0 */ 46 }; 47 48 static const struct sco_param sco_param_wideband[] = { 49 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d }, /* T2 */ 50 { EDR_ESCO_MASK | ESCO_EV3, 0x0008 }, /* T1 */ 51 }; 52 53 static void hci_le_create_connection_cancel(struct hci_conn *conn) 54 { 55 hci_send_cmd(conn->hdev, HCI_OP_LE_CREATE_CONN_CANCEL, 0, NULL); 56 } 57 58 static void hci_acl_create_connection(struct hci_conn *conn) 59 { 60 struct hci_dev *hdev = conn->hdev; 61 struct inquiry_entry *ie; 62 struct hci_cp_create_conn cp; 63 64 BT_DBG("hcon %p", conn); 65 66 conn->state = BT_CONNECT; 67 conn->out = true; 68 69 conn->link_mode = HCI_LM_MASTER; 70 71 conn->attempt++; 72 73 conn->link_policy = hdev->link_policy; 74 75 memset(&cp, 0, sizeof(cp)); 76 bacpy(&cp.bdaddr, &conn->dst); 77 cp.pscan_rep_mode = 0x02; 78 79 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 80 if (ie) { 81 if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) { 82 cp.pscan_rep_mode = ie->data.pscan_rep_mode; 83 cp.pscan_mode = ie->data.pscan_mode; 84 cp.clock_offset = ie->data.clock_offset | 85 cpu_to_le16(0x8000); 86 } 87 88 memcpy(conn->dev_class, ie->data.dev_class, 3); 89 if (ie->data.ssp_mode > 0) 90 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 91 } 92 93 cp.pkt_type = cpu_to_le16(conn->pkt_type); 94 if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER)) 95 cp.role_switch = 0x01; 96 else 97 cp.role_switch = 0x00; 98 99 hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp); 100 } 101 102 static void hci_acl_create_connection_cancel(struct hci_conn *conn) 103 { 104 struct hci_cp_create_conn_cancel cp; 105 106 BT_DBG("hcon %p", conn); 107 108 if (conn->hdev->hci_ver < BLUETOOTH_VER_1_2) 109 return; 110 111 bacpy(&cp.bdaddr, &conn->dst); 112 hci_send_cmd(conn->hdev, HCI_OP_CREATE_CONN_CANCEL, sizeof(cp), &cp); 113 } 114 115 static void hci_reject_sco(struct hci_conn *conn) 116 { 117 struct hci_cp_reject_sync_conn_req cp; 118 119 cp.reason = HCI_ERROR_REMOTE_USER_TERM; 120 bacpy(&cp.bdaddr, &conn->dst); 121 122 hci_send_cmd(conn->hdev, HCI_OP_REJECT_SYNC_CONN_REQ, sizeof(cp), &cp); 123 } 124 125 void hci_disconnect(struct hci_conn *conn, __u8 reason) 126 { 127 struct hci_cp_disconnect cp; 128 129 BT_DBG("hcon %p", conn); 130 131 conn->state = BT_DISCONN; 132 133 cp.handle = cpu_to_le16(conn->handle); 134 cp.reason = reason; 135 hci_send_cmd(conn->hdev, HCI_OP_DISCONNECT, sizeof(cp), &cp); 136 } 137 138 static void hci_amp_disconn(struct hci_conn *conn, __u8 reason) 139 { 140 struct hci_cp_disconn_phy_link cp; 141 142 BT_DBG("hcon %p", conn); 143 144 conn->state = BT_DISCONN; 145 146 cp.phy_handle = HCI_PHY_HANDLE(conn->handle); 147 cp.reason = reason; 148 hci_send_cmd(conn->hdev, HCI_OP_DISCONN_PHY_LINK, 149 sizeof(cp), &cp); 150 } 151 152 static void hci_add_sco(struct hci_conn *conn, __u16 handle) 153 { 154 struct hci_dev *hdev = conn->hdev; 155 struct hci_cp_add_sco cp; 156 157 BT_DBG("hcon %p", conn); 158 159 conn->state = BT_CONNECT; 160 conn->out = true; 161 162 conn->attempt++; 163 164 cp.handle = cpu_to_le16(handle); 165 cp.pkt_type = cpu_to_le16(conn->pkt_type); 166 167 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp); 168 } 169 170 bool hci_setup_sync(struct hci_conn *conn, __u16 handle) 171 { 172 struct hci_dev *hdev = conn->hdev; 173 struct hci_cp_setup_sync_conn cp; 174 const struct sco_param *param; 175 176 BT_DBG("hcon %p", conn); 177 178 conn->state = BT_CONNECT; 179 conn->out = true; 180 181 conn->attempt++; 182 183 cp.handle = cpu_to_le16(handle); 184 185 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 186 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 187 cp.voice_setting = cpu_to_le16(conn->setting); 188 189 switch (conn->setting & SCO_AIRMODE_MASK) { 190 case SCO_AIRMODE_TRANSP: 191 if (conn->attempt > ARRAY_SIZE(sco_param_wideband)) 192 return false; 193 cp.retrans_effort = 0x02; 194 param = &sco_param_wideband[conn->attempt - 1]; 195 break; 196 case SCO_AIRMODE_CVSD: 197 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd)) 198 return false; 199 cp.retrans_effort = 0x01; 200 param = &sco_param_cvsd[conn->attempt - 1]; 201 break; 202 default: 203 return false; 204 } 205 206 cp.pkt_type = __cpu_to_le16(param->pkt_type); 207 cp.max_latency = __cpu_to_le16(param->max_latency); 208 209 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0) 210 return false; 211 212 return true; 213 } 214 215 void hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, 216 u16 latency, u16 to_multiplier) 217 { 218 struct hci_cp_le_conn_update cp; 219 struct hci_dev *hdev = conn->hdev; 220 221 memset(&cp, 0, sizeof(cp)); 222 223 cp.handle = cpu_to_le16(conn->handle); 224 cp.conn_interval_min = cpu_to_le16(min); 225 cp.conn_interval_max = cpu_to_le16(max); 226 cp.conn_latency = cpu_to_le16(latency); 227 cp.supervision_timeout = cpu_to_le16(to_multiplier); 228 cp.min_ce_len = cpu_to_le16(0x0000); 229 cp.max_ce_len = cpu_to_le16(0x0000); 230 231 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp); 232 } 233 234 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand, 235 __u8 ltk[16]) 236 { 237 struct hci_dev *hdev = conn->hdev; 238 struct hci_cp_le_start_enc cp; 239 240 BT_DBG("hcon %p", conn); 241 242 memset(&cp, 0, sizeof(cp)); 243 244 cp.handle = cpu_to_le16(conn->handle); 245 cp.rand = rand; 246 cp.ediv = ediv; 247 memcpy(cp.ltk, ltk, sizeof(cp.ltk)); 248 249 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp); 250 } 251 252 /* Device _must_ be locked */ 253 void hci_sco_setup(struct hci_conn *conn, __u8 status) 254 { 255 struct hci_conn *sco = conn->link; 256 257 if (!sco) 258 return; 259 260 BT_DBG("hcon %p", conn); 261 262 if (!status) { 263 if (lmp_esco_capable(conn->hdev)) 264 hci_setup_sync(sco, conn->handle); 265 else 266 hci_add_sco(sco, conn->handle); 267 } else { 268 hci_proto_connect_cfm(sco, status); 269 hci_conn_del(sco); 270 } 271 } 272 273 static void hci_conn_disconnect(struct hci_conn *conn) 274 { 275 __u8 reason = hci_proto_disconn_ind(conn); 276 277 switch (conn->type) { 278 case AMP_LINK: 279 hci_amp_disconn(conn, reason); 280 break; 281 default: 282 hci_disconnect(conn, reason); 283 break; 284 } 285 } 286 287 static void hci_conn_timeout(struct work_struct *work) 288 { 289 struct hci_conn *conn = container_of(work, struct hci_conn, 290 disc_work.work); 291 292 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state)); 293 294 if (atomic_read(&conn->refcnt)) 295 return; 296 297 switch (conn->state) { 298 case BT_CONNECT: 299 case BT_CONNECT2: 300 if (conn->out) { 301 if (conn->type == ACL_LINK) 302 hci_acl_create_connection_cancel(conn); 303 else if (conn->type == LE_LINK) 304 hci_le_create_connection_cancel(conn); 305 } else if (conn->type == SCO_LINK || conn->type == ESCO_LINK) { 306 hci_reject_sco(conn); 307 } 308 break; 309 case BT_CONFIG: 310 case BT_CONNECTED: 311 hci_conn_disconnect(conn); 312 break; 313 default: 314 conn->state = BT_CLOSED; 315 break; 316 } 317 } 318 319 /* Enter sniff mode */ 320 static void hci_conn_idle(struct work_struct *work) 321 { 322 struct hci_conn *conn = container_of(work, struct hci_conn, 323 idle_work.work); 324 struct hci_dev *hdev = conn->hdev; 325 326 BT_DBG("hcon %p mode %d", conn, conn->mode); 327 328 if (test_bit(HCI_RAW, &hdev->flags)) 329 return; 330 331 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn)) 332 return; 333 334 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF)) 335 return; 336 337 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) { 338 struct hci_cp_sniff_subrate cp; 339 cp.handle = cpu_to_le16(conn->handle); 340 cp.max_latency = cpu_to_le16(0); 341 cp.min_remote_timeout = cpu_to_le16(0); 342 cp.min_local_timeout = cpu_to_le16(0); 343 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp); 344 } 345 346 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) { 347 struct hci_cp_sniff_mode cp; 348 cp.handle = cpu_to_le16(conn->handle); 349 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval); 350 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval); 351 cp.attempt = cpu_to_le16(4); 352 cp.timeout = cpu_to_le16(1); 353 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp); 354 } 355 } 356 357 static void hci_conn_auto_accept(struct work_struct *work) 358 { 359 struct hci_conn *conn = container_of(work, struct hci_conn, 360 auto_accept_work.work); 361 362 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst), 363 &conn->dst); 364 } 365 366 static void le_conn_timeout(struct work_struct *work) 367 { 368 struct hci_conn *conn = container_of(work, struct hci_conn, 369 le_conn_timeout.work); 370 371 BT_DBG(""); 372 373 hci_le_create_connection_cancel(conn); 374 } 375 376 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst) 377 { 378 struct hci_conn *conn; 379 380 BT_DBG("%s dst %pMR", hdev->name, dst); 381 382 conn = kzalloc(sizeof(struct hci_conn), GFP_KERNEL); 383 if (!conn) 384 return NULL; 385 386 bacpy(&conn->dst, dst); 387 bacpy(&conn->src, &hdev->bdaddr); 388 conn->hdev = hdev; 389 conn->type = type; 390 conn->mode = HCI_CM_ACTIVE; 391 conn->state = BT_OPEN; 392 conn->auth_type = HCI_AT_GENERAL_BONDING; 393 conn->io_capability = hdev->io_capability; 394 conn->remote_auth = 0xff; 395 conn->key_type = 0xff; 396 397 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 398 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 399 400 switch (type) { 401 case ACL_LINK: 402 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK; 403 break; 404 case SCO_LINK: 405 if (lmp_esco_capable(hdev)) 406 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 407 (hdev->esco_type & EDR_ESCO_MASK); 408 else 409 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK; 410 break; 411 case ESCO_LINK: 412 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK; 413 break; 414 } 415 416 skb_queue_head_init(&conn->data_q); 417 418 INIT_LIST_HEAD(&conn->chan_list); 419 420 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout); 421 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept); 422 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle); 423 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout); 424 425 atomic_set(&conn->refcnt, 0); 426 427 hci_dev_hold(hdev); 428 429 hci_conn_hash_add(hdev, conn); 430 if (hdev->notify) 431 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD); 432 433 hci_conn_init_sysfs(conn); 434 435 return conn; 436 } 437 438 int hci_conn_del(struct hci_conn *conn) 439 { 440 struct hci_dev *hdev = conn->hdev; 441 442 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle); 443 444 cancel_delayed_work_sync(&conn->disc_work); 445 cancel_delayed_work_sync(&conn->auto_accept_work); 446 cancel_delayed_work_sync(&conn->idle_work); 447 448 if (conn->type == ACL_LINK) { 449 struct hci_conn *sco = conn->link; 450 if (sco) 451 sco->link = NULL; 452 453 /* Unacked frames */ 454 hdev->acl_cnt += conn->sent; 455 } else if (conn->type == LE_LINK) { 456 cancel_delayed_work_sync(&conn->le_conn_timeout); 457 458 if (hdev->le_pkts) 459 hdev->le_cnt += conn->sent; 460 else 461 hdev->acl_cnt += conn->sent; 462 } else { 463 struct hci_conn *acl = conn->link; 464 if (acl) { 465 acl->link = NULL; 466 hci_conn_drop(acl); 467 } 468 } 469 470 hci_chan_list_flush(conn); 471 472 if (conn->amp_mgr) 473 amp_mgr_put(conn->amp_mgr); 474 475 hci_conn_hash_del(hdev, conn); 476 if (hdev->notify) 477 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL); 478 479 skb_queue_purge(&conn->data_q); 480 481 hci_conn_del_sysfs(conn); 482 483 hci_dev_put(hdev); 484 485 hci_conn_put(conn); 486 487 return 0; 488 } 489 490 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src) 491 { 492 int use_src = bacmp(src, BDADDR_ANY); 493 struct hci_dev *hdev = NULL, *d; 494 495 BT_DBG("%pMR -> %pMR", src, dst); 496 497 read_lock(&hci_dev_list_lock); 498 499 list_for_each_entry(d, &hci_dev_list, list) { 500 if (!test_bit(HCI_UP, &d->flags) || 501 test_bit(HCI_RAW, &d->flags) || 502 test_bit(HCI_USER_CHANNEL, &d->dev_flags) || 503 d->dev_type != HCI_BREDR) 504 continue; 505 506 /* Simple routing: 507 * No source address - find interface with bdaddr != dst 508 * Source address - find interface with bdaddr == src 509 */ 510 511 if (use_src) { 512 if (!bacmp(&d->bdaddr, src)) { 513 hdev = d; break; 514 } 515 } else { 516 if (bacmp(&d->bdaddr, dst)) { 517 hdev = d; break; 518 } 519 } 520 } 521 522 if (hdev) 523 hdev = hci_dev_hold(hdev); 524 525 read_unlock(&hci_dev_list_lock); 526 return hdev; 527 } 528 EXPORT_SYMBOL(hci_get_route); 529 530 /* This function requires the caller holds hdev->lock */ 531 void hci_le_conn_failed(struct hci_conn *conn, u8 status) 532 { 533 struct hci_dev *hdev = conn->hdev; 534 535 conn->state = BT_CLOSED; 536 537 mgmt_connect_failed(hdev, &conn->dst, conn->type, conn->dst_type, 538 status); 539 540 hci_proto_connect_cfm(conn, status); 541 542 hci_conn_del(conn); 543 544 /* Since we may have temporarily stopped the background scanning in 545 * favor of connection establishment, we should restart it. 546 */ 547 hci_update_background_scan(hdev); 548 } 549 550 static void create_le_conn_complete(struct hci_dev *hdev, u8 status) 551 { 552 struct hci_conn *conn; 553 554 if (status == 0) 555 return; 556 557 BT_ERR("HCI request failed to create LE connection: status 0x%2.2x", 558 status); 559 560 hci_dev_lock(hdev); 561 562 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT); 563 if (!conn) 564 goto done; 565 566 hci_le_conn_failed(conn, status); 567 568 done: 569 hci_dev_unlock(hdev); 570 } 571 572 static void hci_req_add_le_create_conn(struct hci_request *req, 573 struct hci_conn *conn) 574 { 575 struct hci_cp_le_create_conn cp; 576 struct hci_dev *hdev = conn->hdev; 577 u8 own_addr_type; 578 579 memset(&cp, 0, sizeof(cp)); 580 581 /* Update random address, but set require_privacy to false so 582 * that we never connect with an unresolvable address. 583 */ 584 if (hci_update_random_address(req, false, &own_addr_type)) 585 return; 586 587 /* Save the address type used for this connnection attempt so we able 588 * to retrieve this information if we need it. 589 */ 590 conn->src_type = own_addr_type; 591 592 cp.scan_interval = cpu_to_le16(hdev->le_scan_interval); 593 cp.scan_window = cpu_to_le16(hdev->le_scan_window); 594 bacpy(&cp.peer_addr, &conn->dst); 595 cp.peer_addr_type = conn->dst_type; 596 cp.own_address_type = own_addr_type; 597 cp.conn_interval_min = cpu_to_le16(conn->le_conn_min_interval); 598 cp.conn_interval_max = cpu_to_le16(conn->le_conn_max_interval); 599 cp.supervision_timeout = cpu_to_le16(0x002a); 600 cp.min_ce_len = cpu_to_le16(0x0000); 601 cp.max_ce_len = cpu_to_le16(0x0000); 602 603 hci_req_add(req, HCI_OP_LE_CREATE_CONN, sizeof(cp), &cp); 604 605 conn->state = BT_CONNECT; 606 } 607 608 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst, 609 u8 dst_type, u8 sec_level, u8 auth_type) 610 { 611 struct hci_conn_params *params; 612 struct hci_conn *conn; 613 struct smp_irk *irk; 614 struct hci_request req; 615 int err; 616 617 if (test_bit(HCI_ADVERTISING, &hdev->flags)) 618 return ERR_PTR(-ENOTSUPP); 619 620 /* Some devices send ATT messages as soon as the physical link is 621 * established. To be able to handle these ATT messages, the user- 622 * space first establishes the connection and then starts the pairing 623 * process. 624 * 625 * So if a hci_conn object already exists for the following connection 626 * attempt, we simply update pending_sec_level and auth_type fields 627 * and return the object found. 628 */ 629 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, dst); 630 if (conn) { 631 conn->pending_sec_level = sec_level; 632 conn->auth_type = auth_type; 633 goto done; 634 } 635 636 /* Since the controller supports only one LE connection attempt at a 637 * time, we return -EBUSY if there is any connection attempt running. 638 */ 639 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT); 640 if (conn) 641 return ERR_PTR(-EBUSY); 642 643 /* When given an identity address with existing identity 644 * resolving key, the connection needs to be established 645 * to a resolvable random address. 646 * 647 * This uses the cached random resolvable address from 648 * a previous scan. When no cached address is available, 649 * try connecting to the identity address instead. 650 * 651 * Storing the resolvable random address is required here 652 * to handle connection failures. The address will later 653 * be resolved back into the original identity address 654 * from the connect request. 655 */ 656 irk = hci_find_irk_by_addr(hdev, dst, dst_type); 657 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) { 658 dst = &irk->rpa; 659 dst_type = ADDR_LE_DEV_RANDOM; 660 } 661 662 conn = hci_conn_add(hdev, LE_LINK, dst); 663 if (!conn) 664 return ERR_PTR(-ENOMEM); 665 666 conn->dst_type = dst_type; 667 668 conn->out = true; 669 conn->link_mode |= HCI_LM_MASTER; 670 conn->sec_level = BT_SECURITY_LOW; 671 conn->pending_sec_level = sec_level; 672 conn->auth_type = auth_type; 673 674 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 675 if (params) { 676 conn->le_conn_min_interval = params->conn_min_interval; 677 conn->le_conn_max_interval = params->conn_max_interval; 678 } else { 679 conn->le_conn_min_interval = hdev->le_conn_min_interval; 680 conn->le_conn_max_interval = hdev->le_conn_max_interval; 681 } 682 683 hci_req_init(&req, hdev); 684 685 /* If controller is scanning, we stop it since some controllers are 686 * not able to scan and connect at the same time. Also set the 687 * HCI_LE_SCAN_INTERRUPTED flag so that the command complete 688 * handler for scan disabling knows to set the correct discovery 689 * state. 690 */ 691 if (test_bit(HCI_LE_SCAN, &hdev->dev_flags)) { 692 hci_req_add_le_scan_disable(&req); 693 set_bit(HCI_LE_SCAN_INTERRUPTED, &hdev->dev_flags); 694 } 695 696 hci_req_add_le_create_conn(&req, conn); 697 698 err = hci_req_run(&req, create_le_conn_complete); 699 if (err) { 700 hci_conn_del(conn); 701 return ERR_PTR(err); 702 } 703 704 done: 705 hci_conn_hold(conn); 706 return conn; 707 } 708 709 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst, 710 u8 sec_level, u8 auth_type) 711 { 712 struct hci_conn *acl; 713 714 if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) 715 return ERR_PTR(-ENOTSUPP); 716 717 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst); 718 if (!acl) { 719 acl = hci_conn_add(hdev, ACL_LINK, dst); 720 if (!acl) 721 return ERR_PTR(-ENOMEM); 722 } 723 724 hci_conn_hold(acl); 725 726 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) { 727 acl->sec_level = BT_SECURITY_LOW; 728 acl->pending_sec_level = sec_level; 729 acl->auth_type = auth_type; 730 hci_acl_create_connection(acl); 731 } 732 733 return acl; 734 } 735 736 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst, 737 __u16 setting) 738 { 739 struct hci_conn *acl; 740 struct hci_conn *sco; 741 742 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING); 743 if (IS_ERR(acl)) 744 return acl; 745 746 sco = hci_conn_hash_lookup_ba(hdev, type, dst); 747 if (!sco) { 748 sco = hci_conn_add(hdev, type, dst); 749 if (!sco) { 750 hci_conn_drop(acl); 751 return ERR_PTR(-ENOMEM); 752 } 753 } 754 755 acl->link = sco; 756 sco->link = acl; 757 758 hci_conn_hold(sco); 759 760 sco->setting = setting; 761 762 if (acl->state == BT_CONNECTED && 763 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) { 764 set_bit(HCI_CONN_POWER_SAVE, &acl->flags); 765 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON); 766 767 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) { 768 /* defer SCO setup until mode change completed */ 769 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags); 770 return sco; 771 } 772 773 hci_sco_setup(acl, 0x00); 774 } 775 776 return sco; 777 } 778 779 /* Check link security requirement */ 780 int hci_conn_check_link_mode(struct hci_conn *conn) 781 { 782 BT_DBG("hcon %p", conn); 783 784 /* In Secure Connections Only mode, it is required that Secure 785 * Connections is used and the link is encrypted with AES-CCM 786 * using a P-256 authenticated combination key. 787 */ 788 if (test_bit(HCI_SC_ONLY, &conn->hdev->flags)) { 789 if (!hci_conn_sc_enabled(conn) || 790 !test_bit(HCI_CONN_AES_CCM, &conn->flags) || 791 conn->key_type != HCI_LK_AUTH_COMBINATION_P256) 792 return 0; 793 } 794 795 if (hci_conn_ssp_enabled(conn) && !(conn->link_mode & HCI_LM_ENCRYPT)) 796 return 0; 797 798 return 1; 799 } 800 801 /* Authenticate remote device */ 802 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type) 803 { 804 BT_DBG("hcon %p", conn); 805 806 if (conn->pending_sec_level > sec_level) 807 sec_level = conn->pending_sec_level; 808 809 if (sec_level > conn->sec_level) 810 conn->pending_sec_level = sec_level; 811 else if (conn->link_mode & HCI_LM_AUTH) 812 return 1; 813 814 /* Make sure we preserve an existing MITM requirement*/ 815 auth_type |= (conn->auth_type & 0x01); 816 817 conn->auth_type = auth_type; 818 819 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 820 struct hci_cp_auth_requested cp; 821 822 cp.handle = cpu_to_le16(conn->handle); 823 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED, 824 sizeof(cp), &cp); 825 826 /* If we're already encrypted set the REAUTH_PEND flag, 827 * otherwise set the ENCRYPT_PEND. 828 */ 829 if (conn->key_type != 0xff) 830 set_bit(HCI_CONN_REAUTH_PEND, &conn->flags); 831 else 832 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 833 } 834 835 return 0; 836 } 837 838 /* Encrypt the the link */ 839 static void hci_conn_encrypt(struct hci_conn *conn) 840 { 841 BT_DBG("hcon %p", conn); 842 843 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 844 struct hci_cp_set_conn_encrypt cp; 845 cp.handle = cpu_to_le16(conn->handle); 846 cp.encrypt = 0x01; 847 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 848 &cp); 849 } 850 } 851 852 /* Enable security */ 853 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type) 854 { 855 BT_DBG("hcon %p", conn); 856 857 if (conn->type == LE_LINK) 858 return smp_conn_security(conn, sec_level); 859 860 /* For sdp we don't need the link key. */ 861 if (sec_level == BT_SECURITY_SDP) 862 return 1; 863 864 /* For non 2.1 devices and low security level we don't need the link 865 key. */ 866 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn)) 867 return 1; 868 869 /* For other security levels we need the link key. */ 870 if (!(conn->link_mode & HCI_LM_AUTH)) 871 goto auth; 872 873 /* An authenticated FIPS approved combination key has sufficient 874 * security for security level 4. */ 875 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 && 876 sec_level == BT_SECURITY_FIPS) 877 goto encrypt; 878 879 /* An authenticated combination key has sufficient security for 880 security level 3. */ 881 if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 || 882 conn->key_type == HCI_LK_AUTH_COMBINATION_P256) && 883 sec_level == BT_SECURITY_HIGH) 884 goto encrypt; 885 886 /* An unauthenticated combination key has sufficient security for 887 security level 1 and 2. */ 888 if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 || 889 conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) && 890 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW)) 891 goto encrypt; 892 893 /* A combination key has always sufficient security for the security 894 levels 1 or 2. High security level requires the combination key 895 is generated using maximum PIN code length (16). 896 For pre 2.1 units. */ 897 if (conn->key_type == HCI_LK_COMBINATION && 898 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW || 899 conn->pin_length == 16)) 900 goto encrypt; 901 902 auth: 903 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) 904 return 0; 905 906 if (!hci_conn_auth(conn, sec_level, auth_type)) 907 return 0; 908 909 encrypt: 910 if (conn->link_mode & HCI_LM_ENCRYPT) 911 return 1; 912 913 hci_conn_encrypt(conn); 914 return 0; 915 } 916 EXPORT_SYMBOL(hci_conn_security); 917 918 /* Check secure link requirement */ 919 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level) 920 { 921 BT_DBG("hcon %p", conn); 922 923 /* Accept if non-secure or higher security level is required */ 924 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS) 925 return 1; 926 927 /* Accept if secure or higher security level is already present */ 928 if (conn->sec_level == BT_SECURITY_HIGH || 929 conn->sec_level == BT_SECURITY_FIPS) 930 return 1; 931 932 /* Reject not secure link */ 933 return 0; 934 } 935 EXPORT_SYMBOL(hci_conn_check_secure); 936 937 /* Change link key */ 938 int hci_conn_change_link_key(struct hci_conn *conn) 939 { 940 BT_DBG("hcon %p", conn); 941 942 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 943 struct hci_cp_change_conn_link_key cp; 944 cp.handle = cpu_to_le16(conn->handle); 945 hci_send_cmd(conn->hdev, HCI_OP_CHANGE_CONN_LINK_KEY, 946 sizeof(cp), &cp); 947 } 948 949 return 0; 950 } 951 952 /* Switch role */ 953 int hci_conn_switch_role(struct hci_conn *conn, __u8 role) 954 { 955 BT_DBG("hcon %p", conn); 956 957 if (!role && conn->link_mode & HCI_LM_MASTER) 958 return 1; 959 960 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) { 961 struct hci_cp_switch_role cp; 962 bacpy(&cp.bdaddr, &conn->dst); 963 cp.role = role; 964 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp); 965 } 966 967 return 0; 968 } 969 EXPORT_SYMBOL(hci_conn_switch_role); 970 971 /* Enter active mode */ 972 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active) 973 { 974 struct hci_dev *hdev = conn->hdev; 975 976 BT_DBG("hcon %p mode %d", conn, conn->mode); 977 978 if (test_bit(HCI_RAW, &hdev->flags)) 979 return; 980 981 if (conn->mode != HCI_CM_SNIFF) 982 goto timer; 983 984 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active) 985 goto timer; 986 987 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) { 988 struct hci_cp_exit_sniff_mode cp; 989 cp.handle = cpu_to_le16(conn->handle); 990 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp); 991 } 992 993 timer: 994 if (hdev->idle_timeout > 0) 995 queue_delayed_work(hdev->workqueue, &conn->idle_work, 996 msecs_to_jiffies(hdev->idle_timeout)); 997 } 998 999 /* Drop all connection on the device */ 1000 void hci_conn_hash_flush(struct hci_dev *hdev) 1001 { 1002 struct hci_conn_hash *h = &hdev->conn_hash; 1003 struct hci_conn *c, *n; 1004 1005 BT_DBG("hdev %s", hdev->name); 1006 1007 list_for_each_entry_safe(c, n, &h->list, list) { 1008 c->state = BT_CLOSED; 1009 1010 hci_proto_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM); 1011 hci_conn_del(c); 1012 } 1013 } 1014 1015 /* Check pending connect attempts */ 1016 void hci_conn_check_pending(struct hci_dev *hdev) 1017 { 1018 struct hci_conn *conn; 1019 1020 BT_DBG("hdev %s", hdev->name); 1021 1022 hci_dev_lock(hdev); 1023 1024 conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2); 1025 if (conn) 1026 hci_acl_create_connection(conn); 1027 1028 hci_dev_unlock(hdev); 1029 } 1030 1031 int hci_get_conn_list(void __user *arg) 1032 { 1033 struct hci_conn *c; 1034 struct hci_conn_list_req req, *cl; 1035 struct hci_conn_info *ci; 1036 struct hci_dev *hdev; 1037 int n = 0, size, err; 1038 1039 if (copy_from_user(&req, arg, sizeof(req))) 1040 return -EFAULT; 1041 1042 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci)) 1043 return -EINVAL; 1044 1045 size = sizeof(req) + req.conn_num * sizeof(*ci); 1046 1047 cl = kmalloc(size, GFP_KERNEL); 1048 if (!cl) 1049 return -ENOMEM; 1050 1051 hdev = hci_dev_get(req.dev_id); 1052 if (!hdev) { 1053 kfree(cl); 1054 return -ENODEV; 1055 } 1056 1057 ci = cl->conn_info; 1058 1059 hci_dev_lock(hdev); 1060 list_for_each_entry(c, &hdev->conn_hash.list, list) { 1061 bacpy(&(ci + n)->bdaddr, &c->dst); 1062 (ci + n)->handle = c->handle; 1063 (ci + n)->type = c->type; 1064 (ci + n)->out = c->out; 1065 (ci + n)->state = c->state; 1066 (ci + n)->link_mode = c->link_mode; 1067 if (++n >= req.conn_num) 1068 break; 1069 } 1070 hci_dev_unlock(hdev); 1071 1072 cl->dev_id = hdev->id; 1073 cl->conn_num = n; 1074 size = sizeof(req) + n * sizeof(*ci); 1075 1076 hci_dev_put(hdev); 1077 1078 err = copy_to_user(arg, cl, size); 1079 kfree(cl); 1080 1081 return err ? -EFAULT : 0; 1082 } 1083 1084 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg) 1085 { 1086 struct hci_conn_info_req req; 1087 struct hci_conn_info ci; 1088 struct hci_conn *conn; 1089 char __user *ptr = arg + sizeof(req); 1090 1091 if (copy_from_user(&req, arg, sizeof(req))) 1092 return -EFAULT; 1093 1094 hci_dev_lock(hdev); 1095 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr); 1096 if (conn) { 1097 bacpy(&ci.bdaddr, &conn->dst); 1098 ci.handle = conn->handle; 1099 ci.type = conn->type; 1100 ci.out = conn->out; 1101 ci.state = conn->state; 1102 ci.link_mode = conn->link_mode; 1103 } 1104 hci_dev_unlock(hdev); 1105 1106 if (!conn) 1107 return -ENOENT; 1108 1109 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0; 1110 } 1111 1112 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg) 1113 { 1114 struct hci_auth_info_req req; 1115 struct hci_conn *conn; 1116 1117 if (copy_from_user(&req, arg, sizeof(req))) 1118 return -EFAULT; 1119 1120 hci_dev_lock(hdev); 1121 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr); 1122 if (conn) 1123 req.type = conn->auth_type; 1124 hci_dev_unlock(hdev); 1125 1126 if (!conn) 1127 return -ENOENT; 1128 1129 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0; 1130 } 1131 1132 struct hci_chan *hci_chan_create(struct hci_conn *conn) 1133 { 1134 struct hci_dev *hdev = conn->hdev; 1135 struct hci_chan *chan; 1136 1137 BT_DBG("%s hcon %p", hdev->name, conn); 1138 1139 chan = kzalloc(sizeof(struct hci_chan), GFP_KERNEL); 1140 if (!chan) 1141 return NULL; 1142 1143 chan->conn = conn; 1144 skb_queue_head_init(&chan->data_q); 1145 chan->state = BT_CONNECTED; 1146 1147 list_add_rcu(&chan->list, &conn->chan_list); 1148 1149 return chan; 1150 } 1151 1152 void hci_chan_del(struct hci_chan *chan) 1153 { 1154 struct hci_conn *conn = chan->conn; 1155 struct hci_dev *hdev = conn->hdev; 1156 1157 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan); 1158 1159 list_del_rcu(&chan->list); 1160 1161 synchronize_rcu(); 1162 1163 hci_conn_drop(conn); 1164 1165 skb_queue_purge(&chan->data_q); 1166 kfree(chan); 1167 } 1168 1169 void hci_chan_list_flush(struct hci_conn *conn) 1170 { 1171 struct hci_chan *chan, *n; 1172 1173 BT_DBG("hcon %p", conn); 1174 1175 list_for_each_entry_safe(chan, n, &conn->chan_list, list) 1176 hci_chan_del(chan); 1177 } 1178 1179 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon, 1180 __u16 handle) 1181 { 1182 struct hci_chan *hchan; 1183 1184 list_for_each_entry(hchan, &hcon->chan_list, list) { 1185 if (hchan->handle == handle) 1186 return hchan; 1187 } 1188 1189 return NULL; 1190 } 1191 1192 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle) 1193 { 1194 struct hci_conn_hash *h = &hdev->conn_hash; 1195 struct hci_conn *hcon; 1196 struct hci_chan *hchan = NULL; 1197 1198 rcu_read_lock(); 1199 1200 list_for_each_entry_rcu(hcon, &h->list, list) { 1201 hchan = __hci_chan_lookup_handle(hcon, handle); 1202 if (hchan) 1203 break; 1204 } 1205 1206 rcu_read_unlock(); 1207 1208 return hchan; 1209 } 1210