xref: /linux/net/bluetooth/hci_conn.c (revision 00a6d7b6762c27d441e9ac8faff36384bc0fc180)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4 
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth HCI connection handling. */
26 
27 #include <linux/export.h>
28 
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 
32 #include "smp.h"
33 #include "a2mp.h"
34 
35 struct sco_param {
36 	u16 pkt_type;
37 	u16 max_latency;
38 };
39 
40 static const struct sco_param sco_param_cvsd[] = {
41 	{ EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a }, /* S3 */
42 	{ EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007 }, /* S2 */
43 	{ EDR_ESCO_MASK | ESCO_EV3,   0x0007 }, /* S1 */
44 	{ EDR_ESCO_MASK | ESCO_HV3,   0xffff }, /* D1 */
45 	{ EDR_ESCO_MASK | ESCO_HV1,   0xffff }, /* D0 */
46 };
47 
48 static const struct sco_param sco_param_wideband[] = {
49 	{ EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d }, /* T2 */
50 	{ EDR_ESCO_MASK | ESCO_EV3,   0x0008 }, /* T1 */
51 };
52 
53 static void hci_le_create_connection_cancel(struct hci_conn *conn)
54 {
55 	hci_send_cmd(conn->hdev, HCI_OP_LE_CREATE_CONN_CANCEL, 0, NULL);
56 }
57 
58 static void hci_acl_create_connection(struct hci_conn *conn)
59 {
60 	struct hci_dev *hdev = conn->hdev;
61 	struct inquiry_entry *ie;
62 	struct hci_cp_create_conn cp;
63 
64 	BT_DBG("hcon %p", conn);
65 
66 	conn->state = BT_CONNECT;
67 	conn->out = true;
68 
69 	conn->link_mode = HCI_LM_MASTER;
70 
71 	conn->attempt++;
72 
73 	conn->link_policy = hdev->link_policy;
74 
75 	memset(&cp, 0, sizeof(cp));
76 	bacpy(&cp.bdaddr, &conn->dst);
77 	cp.pscan_rep_mode = 0x02;
78 
79 	ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
80 	if (ie) {
81 		if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) {
82 			cp.pscan_rep_mode = ie->data.pscan_rep_mode;
83 			cp.pscan_mode     = ie->data.pscan_mode;
84 			cp.clock_offset   = ie->data.clock_offset |
85 					    cpu_to_le16(0x8000);
86 		}
87 
88 		memcpy(conn->dev_class, ie->data.dev_class, 3);
89 		if (ie->data.ssp_mode > 0)
90 			set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
91 	}
92 
93 	cp.pkt_type = cpu_to_le16(conn->pkt_type);
94 	if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER))
95 		cp.role_switch = 0x01;
96 	else
97 		cp.role_switch = 0x00;
98 
99 	hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
100 }
101 
102 static void hci_acl_create_connection_cancel(struct hci_conn *conn)
103 {
104 	struct hci_cp_create_conn_cancel cp;
105 
106 	BT_DBG("hcon %p", conn);
107 
108 	if (conn->hdev->hci_ver < BLUETOOTH_VER_1_2)
109 		return;
110 
111 	bacpy(&cp.bdaddr, &conn->dst);
112 	hci_send_cmd(conn->hdev, HCI_OP_CREATE_CONN_CANCEL, sizeof(cp), &cp);
113 }
114 
115 static void hci_reject_sco(struct hci_conn *conn)
116 {
117 	struct hci_cp_reject_sync_conn_req cp;
118 
119 	cp.reason = HCI_ERROR_REMOTE_USER_TERM;
120 	bacpy(&cp.bdaddr, &conn->dst);
121 
122 	hci_send_cmd(conn->hdev, HCI_OP_REJECT_SYNC_CONN_REQ, sizeof(cp), &cp);
123 }
124 
125 void hci_disconnect(struct hci_conn *conn, __u8 reason)
126 {
127 	struct hci_cp_disconnect cp;
128 
129 	BT_DBG("hcon %p", conn);
130 
131 	conn->state = BT_DISCONN;
132 
133 	cp.handle = cpu_to_le16(conn->handle);
134 	cp.reason = reason;
135 	hci_send_cmd(conn->hdev, HCI_OP_DISCONNECT, sizeof(cp), &cp);
136 }
137 
138 static void hci_amp_disconn(struct hci_conn *conn, __u8 reason)
139 {
140 	struct hci_cp_disconn_phy_link cp;
141 
142 	BT_DBG("hcon %p", conn);
143 
144 	conn->state = BT_DISCONN;
145 
146 	cp.phy_handle = HCI_PHY_HANDLE(conn->handle);
147 	cp.reason = reason;
148 	hci_send_cmd(conn->hdev, HCI_OP_DISCONN_PHY_LINK,
149 		     sizeof(cp), &cp);
150 }
151 
152 static void hci_add_sco(struct hci_conn *conn, __u16 handle)
153 {
154 	struct hci_dev *hdev = conn->hdev;
155 	struct hci_cp_add_sco cp;
156 
157 	BT_DBG("hcon %p", conn);
158 
159 	conn->state = BT_CONNECT;
160 	conn->out = true;
161 
162 	conn->attempt++;
163 
164 	cp.handle   = cpu_to_le16(handle);
165 	cp.pkt_type = cpu_to_le16(conn->pkt_type);
166 
167 	hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
168 }
169 
170 bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
171 {
172 	struct hci_dev *hdev = conn->hdev;
173 	struct hci_cp_setup_sync_conn cp;
174 	const struct sco_param *param;
175 
176 	BT_DBG("hcon %p", conn);
177 
178 	conn->state = BT_CONNECT;
179 	conn->out = true;
180 
181 	conn->attempt++;
182 
183 	cp.handle   = cpu_to_le16(handle);
184 
185 	cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
186 	cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
187 	cp.voice_setting  = cpu_to_le16(conn->setting);
188 
189 	switch (conn->setting & SCO_AIRMODE_MASK) {
190 	case SCO_AIRMODE_TRANSP:
191 		if (conn->attempt > ARRAY_SIZE(sco_param_wideband))
192 			return false;
193 		cp.retrans_effort = 0x02;
194 		param = &sco_param_wideband[conn->attempt - 1];
195 		break;
196 	case SCO_AIRMODE_CVSD:
197 		if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
198 			return false;
199 		cp.retrans_effort = 0x01;
200 		param = &sco_param_cvsd[conn->attempt - 1];
201 		break;
202 	default:
203 		return false;
204 	}
205 
206 	cp.pkt_type = __cpu_to_le16(param->pkt_type);
207 	cp.max_latency = __cpu_to_le16(param->max_latency);
208 
209 	if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
210 		return false;
211 
212 	return true;
213 }
214 
215 void hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max,
216 			u16 latency, u16 to_multiplier)
217 {
218 	struct hci_cp_le_conn_update cp;
219 	struct hci_dev *hdev = conn->hdev;
220 
221 	memset(&cp, 0, sizeof(cp));
222 
223 	cp.handle		= cpu_to_le16(conn->handle);
224 	cp.conn_interval_min	= cpu_to_le16(min);
225 	cp.conn_interval_max	= cpu_to_le16(max);
226 	cp.conn_latency		= cpu_to_le16(latency);
227 	cp.supervision_timeout	= cpu_to_le16(to_multiplier);
228 	cp.min_ce_len		= cpu_to_le16(0x0000);
229 	cp.max_ce_len		= cpu_to_le16(0x0000);
230 
231 	hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
232 }
233 
234 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
235 		      __u8 ltk[16])
236 {
237 	struct hci_dev *hdev = conn->hdev;
238 	struct hci_cp_le_start_enc cp;
239 
240 	BT_DBG("hcon %p", conn);
241 
242 	memset(&cp, 0, sizeof(cp));
243 
244 	cp.handle = cpu_to_le16(conn->handle);
245 	cp.rand = rand;
246 	cp.ediv = ediv;
247 	memcpy(cp.ltk, ltk, sizeof(cp.ltk));
248 
249 	hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
250 }
251 
252 /* Device _must_ be locked */
253 void hci_sco_setup(struct hci_conn *conn, __u8 status)
254 {
255 	struct hci_conn *sco = conn->link;
256 
257 	if (!sco)
258 		return;
259 
260 	BT_DBG("hcon %p", conn);
261 
262 	if (!status) {
263 		if (lmp_esco_capable(conn->hdev))
264 			hci_setup_sync(sco, conn->handle);
265 		else
266 			hci_add_sco(sco, conn->handle);
267 	} else {
268 		hci_proto_connect_cfm(sco, status);
269 		hci_conn_del(sco);
270 	}
271 }
272 
273 static void hci_conn_disconnect(struct hci_conn *conn)
274 {
275 	__u8 reason = hci_proto_disconn_ind(conn);
276 
277 	switch (conn->type) {
278 	case AMP_LINK:
279 		hci_amp_disconn(conn, reason);
280 		break;
281 	default:
282 		hci_disconnect(conn, reason);
283 		break;
284 	}
285 }
286 
287 static void hci_conn_timeout(struct work_struct *work)
288 {
289 	struct hci_conn *conn = container_of(work, struct hci_conn,
290 					     disc_work.work);
291 
292 	BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
293 
294 	if (atomic_read(&conn->refcnt))
295 		return;
296 
297 	switch (conn->state) {
298 	case BT_CONNECT:
299 	case BT_CONNECT2:
300 		if (conn->out) {
301 			if (conn->type == ACL_LINK)
302 				hci_acl_create_connection_cancel(conn);
303 			else if (conn->type == LE_LINK)
304 				hci_le_create_connection_cancel(conn);
305 		} else if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
306 			hci_reject_sco(conn);
307 		}
308 		break;
309 	case BT_CONFIG:
310 	case BT_CONNECTED:
311 		hci_conn_disconnect(conn);
312 		break;
313 	default:
314 		conn->state = BT_CLOSED;
315 		break;
316 	}
317 }
318 
319 /* Enter sniff mode */
320 static void hci_conn_idle(struct work_struct *work)
321 {
322 	struct hci_conn *conn = container_of(work, struct hci_conn,
323 					     idle_work.work);
324 	struct hci_dev *hdev = conn->hdev;
325 
326 	BT_DBG("hcon %p mode %d", conn, conn->mode);
327 
328 	if (test_bit(HCI_RAW, &hdev->flags))
329 		return;
330 
331 	if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
332 		return;
333 
334 	if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
335 		return;
336 
337 	if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
338 		struct hci_cp_sniff_subrate cp;
339 		cp.handle             = cpu_to_le16(conn->handle);
340 		cp.max_latency        = cpu_to_le16(0);
341 		cp.min_remote_timeout = cpu_to_le16(0);
342 		cp.min_local_timeout  = cpu_to_le16(0);
343 		hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
344 	}
345 
346 	if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
347 		struct hci_cp_sniff_mode cp;
348 		cp.handle       = cpu_to_le16(conn->handle);
349 		cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
350 		cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
351 		cp.attempt      = cpu_to_le16(4);
352 		cp.timeout      = cpu_to_le16(1);
353 		hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
354 	}
355 }
356 
357 static void hci_conn_auto_accept(struct work_struct *work)
358 {
359 	struct hci_conn *conn = container_of(work, struct hci_conn,
360 					     auto_accept_work.work);
361 
362 	hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
363 		     &conn->dst);
364 }
365 
366 static void le_conn_timeout(struct work_struct *work)
367 {
368 	struct hci_conn *conn = container_of(work, struct hci_conn,
369 					     le_conn_timeout.work);
370 
371 	BT_DBG("");
372 
373 	hci_le_create_connection_cancel(conn);
374 }
375 
376 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
377 {
378 	struct hci_conn *conn;
379 
380 	BT_DBG("%s dst %pMR", hdev->name, dst);
381 
382 	conn = kzalloc(sizeof(struct hci_conn), GFP_KERNEL);
383 	if (!conn)
384 		return NULL;
385 
386 	bacpy(&conn->dst, dst);
387 	bacpy(&conn->src, &hdev->bdaddr);
388 	conn->hdev  = hdev;
389 	conn->type  = type;
390 	conn->mode  = HCI_CM_ACTIVE;
391 	conn->state = BT_OPEN;
392 	conn->auth_type = HCI_AT_GENERAL_BONDING;
393 	conn->io_capability = hdev->io_capability;
394 	conn->remote_auth = 0xff;
395 	conn->key_type = 0xff;
396 
397 	set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
398 	conn->disc_timeout = HCI_DISCONN_TIMEOUT;
399 
400 	switch (type) {
401 	case ACL_LINK:
402 		conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
403 		break;
404 	case SCO_LINK:
405 		if (lmp_esco_capable(hdev))
406 			conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
407 					(hdev->esco_type & EDR_ESCO_MASK);
408 		else
409 			conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
410 		break;
411 	case ESCO_LINK:
412 		conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
413 		break;
414 	}
415 
416 	skb_queue_head_init(&conn->data_q);
417 
418 	INIT_LIST_HEAD(&conn->chan_list);
419 
420 	INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
421 	INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
422 	INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
423 	INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
424 
425 	atomic_set(&conn->refcnt, 0);
426 
427 	hci_dev_hold(hdev);
428 
429 	hci_conn_hash_add(hdev, conn);
430 	if (hdev->notify)
431 		hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
432 
433 	hci_conn_init_sysfs(conn);
434 
435 	return conn;
436 }
437 
438 int hci_conn_del(struct hci_conn *conn)
439 {
440 	struct hci_dev *hdev = conn->hdev;
441 
442 	BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
443 
444 	cancel_delayed_work_sync(&conn->disc_work);
445 	cancel_delayed_work_sync(&conn->auto_accept_work);
446 	cancel_delayed_work_sync(&conn->idle_work);
447 
448 	if (conn->type == ACL_LINK) {
449 		struct hci_conn *sco = conn->link;
450 		if (sco)
451 			sco->link = NULL;
452 
453 		/* Unacked frames */
454 		hdev->acl_cnt += conn->sent;
455 	} else if (conn->type == LE_LINK) {
456 		cancel_delayed_work_sync(&conn->le_conn_timeout);
457 
458 		if (hdev->le_pkts)
459 			hdev->le_cnt += conn->sent;
460 		else
461 			hdev->acl_cnt += conn->sent;
462 	} else {
463 		struct hci_conn *acl = conn->link;
464 		if (acl) {
465 			acl->link = NULL;
466 			hci_conn_drop(acl);
467 		}
468 	}
469 
470 	hci_chan_list_flush(conn);
471 
472 	if (conn->amp_mgr)
473 		amp_mgr_put(conn->amp_mgr);
474 
475 	hci_conn_hash_del(hdev, conn);
476 	if (hdev->notify)
477 		hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
478 
479 	skb_queue_purge(&conn->data_q);
480 
481 	hci_conn_del_sysfs(conn);
482 
483 	hci_dev_put(hdev);
484 
485 	hci_conn_put(conn);
486 
487 	return 0;
488 }
489 
490 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src)
491 {
492 	int use_src = bacmp(src, BDADDR_ANY);
493 	struct hci_dev *hdev = NULL, *d;
494 
495 	BT_DBG("%pMR -> %pMR", src, dst);
496 
497 	read_lock(&hci_dev_list_lock);
498 
499 	list_for_each_entry(d, &hci_dev_list, list) {
500 		if (!test_bit(HCI_UP, &d->flags) ||
501 		    test_bit(HCI_RAW, &d->flags) ||
502 		    test_bit(HCI_USER_CHANNEL, &d->dev_flags) ||
503 		    d->dev_type != HCI_BREDR)
504 			continue;
505 
506 		/* Simple routing:
507 		 *   No source address - find interface with bdaddr != dst
508 		 *   Source address    - find interface with bdaddr == src
509 		 */
510 
511 		if (use_src) {
512 			if (!bacmp(&d->bdaddr, src)) {
513 				hdev = d; break;
514 			}
515 		} else {
516 			if (bacmp(&d->bdaddr, dst)) {
517 				hdev = d; break;
518 			}
519 		}
520 	}
521 
522 	if (hdev)
523 		hdev = hci_dev_hold(hdev);
524 
525 	read_unlock(&hci_dev_list_lock);
526 	return hdev;
527 }
528 EXPORT_SYMBOL(hci_get_route);
529 
530 /* This function requires the caller holds hdev->lock */
531 void hci_le_conn_failed(struct hci_conn *conn, u8 status)
532 {
533 	struct hci_dev *hdev = conn->hdev;
534 
535 	conn->state = BT_CLOSED;
536 
537 	mgmt_connect_failed(hdev, &conn->dst, conn->type, conn->dst_type,
538 			    status);
539 
540 	hci_proto_connect_cfm(conn, status);
541 
542 	hci_conn_del(conn);
543 
544 	/* Since we may have temporarily stopped the background scanning in
545 	 * favor of connection establishment, we should restart it.
546 	 */
547 	hci_update_background_scan(hdev);
548 }
549 
550 static void create_le_conn_complete(struct hci_dev *hdev, u8 status)
551 {
552 	struct hci_conn *conn;
553 
554 	if (status == 0)
555 		return;
556 
557 	BT_ERR("HCI request failed to create LE connection: status 0x%2.2x",
558 	       status);
559 
560 	hci_dev_lock(hdev);
561 
562 	conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
563 	if (!conn)
564 		goto done;
565 
566 	hci_le_conn_failed(conn, status);
567 
568 done:
569 	hci_dev_unlock(hdev);
570 }
571 
572 static void hci_req_add_le_create_conn(struct hci_request *req,
573 				       struct hci_conn *conn)
574 {
575 	struct hci_cp_le_create_conn cp;
576 	struct hci_dev *hdev = conn->hdev;
577 	u8 own_addr_type;
578 
579 	memset(&cp, 0, sizeof(cp));
580 
581 	/* Update random address, but set require_privacy to false so
582 	 * that we never connect with an unresolvable address.
583 	 */
584 	if (hci_update_random_address(req, false, &own_addr_type))
585 		return;
586 
587 	/* Save the address type used for this connnection attempt so we able
588 	 * to retrieve this information if we need it.
589 	 */
590 	conn->src_type = own_addr_type;
591 
592 	cp.scan_interval = cpu_to_le16(hdev->le_scan_interval);
593 	cp.scan_window = cpu_to_le16(hdev->le_scan_window);
594 	bacpy(&cp.peer_addr, &conn->dst);
595 	cp.peer_addr_type = conn->dst_type;
596 	cp.own_address_type = own_addr_type;
597 	cp.conn_interval_min = cpu_to_le16(conn->le_conn_min_interval);
598 	cp.conn_interval_max = cpu_to_le16(conn->le_conn_max_interval);
599 	cp.supervision_timeout = cpu_to_le16(0x002a);
600 	cp.min_ce_len = cpu_to_le16(0x0000);
601 	cp.max_ce_len = cpu_to_le16(0x0000);
602 
603 	hci_req_add(req, HCI_OP_LE_CREATE_CONN, sizeof(cp), &cp);
604 
605 	conn->state = BT_CONNECT;
606 }
607 
608 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
609 				u8 dst_type, u8 sec_level, u8 auth_type)
610 {
611 	struct hci_conn_params *params;
612 	struct hci_conn *conn;
613 	struct smp_irk *irk;
614 	struct hci_request req;
615 	int err;
616 
617 	if (test_bit(HCI_ADVERTISING, &hdev->flags))
618 		return ERR_PTR(-ENOTSUPP);
619 
620 	/* Some devices send ATT messages as soon as the physical link is
621 	 * established. To be able to handle these ATT messages, the user-
622 	 * space first establishes the connection and then starts the pairing
623 	 * process.
624 	 *
625 	 * So if a hci_conn object already exists for the following connection
626 	 * attempt, we simply update pending_sec_level and auth_type fields
627 	 * and return the object found.
628 	 */
629 	conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, dst);
630 	if (conn) {
631 		conn->pending_sec_level = sec_level;
632 		conn->auth_type = auth_type;
633 		goto done;
634 	}
635 
636 	/* Since the controller supports only one LE connection attempt at a
637 	 * time, we return -EBUSY if there is any connection attempt running.
638 	 */
639 	conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
640 	if (conn)
641 		return ERR_PTR(-EBUSY);
642 
643 	/* When given an identity address with existing identity
644 	 * resolving key, the connection needs to be established
645 	 * to a resolvable random address.
646 	 *
647 	 * This uses the cached random resolvable address from
648 	 * a previous scan. When no cached address is available,
649 	 * try connecting to the identity address instead.
650 	 *
651 	 * Storing the resolvable random address is required here
652 	 * to handle connection failures. The address will later
653 	 * be resolved back into the original identity address
654 	 * from the connect request.
655 	 */
656 	irk = hci_find_irk_by_addr(hdev, dst, dst_type);
657 	if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
658 		dst = &irk->rpa;
659 		dst_type = ADDR_LE_DEV_RANDOM;
660 	}
661 
662 	conn = hci_conn_add(hdev, LE_LINK, dst);
663 	if (!conn)
664 		return ERR_PTR(-ENOMEM);
665 
666 	conn->dst_type = dst_type;
667 
668 	conn->out = true;
669 	conn->link_mode |= HCI_LM_MASTER;
670 	conn->sec_level = BT_SECURITY_LOW;
671 	conn->pending_sec_level = sec_level;
672 	conn->auth_type = auth_type;
673 
674 	params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
675 	if (params) {
676 		conn->le_conn_min_interval = params->conn_min_interval;
677 		conn->le_conn_max_interval = params->conn_max_interval;
678 	} else {
679 		conn->le_conn_min_interval = hdev->le_conn_min_interval;
680 		conn->le_conn_max_interval = hdev->le_conn_max_interval;
681 	}
682 
683 	hci_req_init(&req, hdev);
684 
685 	/* If controller is scanning, we stop it since some controllers are
686 	 * not able to scan and connect at the same time. Also set the
687 	 * HCI_LE_SCAN_INTERRUPTED flag so that the command complete
688 	 * handler for scan disabling knows to set the correct discovery
689 	 * state.
690 	 */
691 	if (test_bit(HCI_LE_SCAN, &hdev->dev_flags)) {
692 		hci_req_add_le_scan_disable(&req);
693 		set_bit(HCI_LE_SCAN_INTERRUPTED, &hdev->dev_flags);
694 	}
695 
696 	hci_req_add_le_create_conn(&req, conn);
697 
698 	err = hci_req_run(&req, create_le_conn_complete);
699 	if (err) {
700 		hci_conn_del(conn);
701 		return ERR_PTR(err);
702 	}
703 
704 done:
705 	hci_conn_hold(conn);
706 	return conn;
707 }
708 
709 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
710 				 u8 sec_level, u8 auth_type)
711 {
712 	struct hci_conn *acl;
713 
714 	if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
715 		return ERR_PTR(-ENOTSUPP);
716 
717 	acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
718 	if (!acl) {
719 		acl = hci_conn_add(hdev, ACL_LINK, dst);
720 		if (!acl)
721 			return ERR_PTR(-ENOMEM);
722 	}
723 
724 	hci_conn_hold(acl);
725 
726 	if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
727 		acl->sec_level = BT_SECURITY_LOW;
728 		acl->pending_sec_level = sec_level;
729 		acl->auth_type = auth_type;
730 		hci_acl_create_connection(acl);
731 	}
732 
733 	return acl;
734 }
735 
736 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
737 				 __u16 setting)
738 {
739 	struct hci_conn *acl;
740 	struct hci_conn *sco;
741 
742 	acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING);
743 	if (IS_ERR(acl))
744 		return acl;
745 
746 	sco = hci_conn_hash_lookup_ba(hdev, type, dst);
747 	if (!sco) {
748 		sco = hci_conn_add(hdev, type, dst);
749 		if (!sco) {
750 			hci_conn_drop(acl);
751 			return ERR_PTR(-ENOMEM);
752 		}
753 	}
754 
755 	acl->link = sco;
756 	sco->link = acl;
757 
758 	hci_conn_hold(sco);
759 
760 	sco->setting = setting;
761 
762 	if (acl->state == BT_CONNECTED &&
763 	    (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
764 		set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
765 		hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
766 
767 		if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
768 			/* defer SCO setup until mode change completed */
769 			set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
770 			return sco;
771 		}
772 
773 		hci_sco_setup(acl, 0x00);
774 	}
775 
776 	return sco;
777 }
778 
779 /* Check link security requirement */
780 int hci_conn_check_link_mode(struct hci_conn *conn)
781 {
782 	BT_DBG("hcon %p", conn);
783 
784 	/* In Secure Connections Only mode, it is required that Secure
785 	 * Connections is used and the link is encrypted with AES-CCM
786 	 * using a P-256 authenticated combination key.
787 	 */
788 	if (test_bit(HCI_SC_ONLY, &conn->hdev->flags)) {
789 		if (!hci_conn_sc_enabled(conn) ||
790 		    !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
791 		    conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
792 			return 0;
793 	}
794 
795 	if (hci_conn_ssp_enabled(conn) && !(conn->link_mode & HCI_LM_ENCRYPT))
796 		return 0;
797 
798 	return 1;
799 }
800 
801 /* Authenticate remote device */
802 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
803 {
804 	BT_DBG("hcon %p", conn);
805 
806 	if (conn->pending_sec_level > sec_level)
807 		sec_level = conn->pending_sec_level;
808 
809 	if (sec_level > conn->sec_level)
810 		conn->pending_sec_level = sec_level;
811 	else if (conn->link_mode & HCI_LM_AUTH)
812 		return 1;
813 
814 	/* Make sure we preserve an existing MITM requirement*/
815 	auth_type |= (conn->auth_type & 0x01);
816 
817 	conn->auth_type = auth_type;
818 
819 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
820 		struct hci_cp_auth_requested cp;
821 
822 		cp.handle = cpu_to_le16(conn->handle);
823 		hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
824 			     sizeof(cp), &cp);
825 
826 		/* If we're already encrypted set the REAUTH_PEND flag,
827 		 * otherwise set the ENCRYPT_PEND.
828 		 */
829 		if (conn->key_type != 0xff)
830 			set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
831 		else
832 			set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
833 	}
834 
835 	return 0;
836 }
837 
838 /* Encrypt the the link */
839 static void hci_conn_encrypt(struct hci_conn *conn)
840 {
841 	BT_DBG("hcon %p", conn);
842 
843 	if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
844 		struct hci_cp_set_conn_encrypt cp;
845 		cp.handle  = cpu_to_le16(conn->handle);
846 		cp.encrypt = 0x01;
847 		hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
848 			     &cp);
849 	}
850 }
851 
852 /* Enable security */
853 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
854 {
855 	BT_DBG("hcon %p", conn);
856 
857 	if (conn->type == LE_LINK)
858 		return smp_conn_security(conn, sec_level);
859 
860 	/* For sdp we don't need the link key. */
861 	if (sec_level == BT_SECURITY_SDP)
862 		return 1;
863 
864 	/* For non 2.1 devices and low security level we don't need the link
865 	   key. */
866 	if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
867 		return 1;
868 
869 	/* For other security levels we need the link key. */
870 	if (!(conn->link_mode & HCI_LM_AUTH))
871 		goto auth;
872 
873 	/* An authenticated FIPS approved combination key has sufficient
874 	 * security for security level 4. */
875 	if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 &&
876 	    sec_level == BT_SECURITY_FIPS)
877 		goto encrypt;
878 
879 	/* An authenticated combination key has sufficient security for
880 	   security level 3. */
881 	if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 ||
882 	     conn->key_type == HCI_LK_AUTH_COMBINATION_P256) &&
883 	    sec_level == BT_SECURITY_HIGH)
884 		goto encrypt;
885 
886 	/* An unauthenticated combination key has sufficient security for
887 	   security level 1 and 2. */
888 	if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 ||
889 	     conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) &&
890 	    (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW))
891 		goto encrypt;
892 
893 	/* A combination key has always sufficient security for the security
894 	   levels 1 or 2. High security level requires the combination key
895 	   is generated using maximum PIN code length (16).
896 	   For pre 2.1 units. */
897 	if (conn->key_type == HCI_LK_COMBINATION &&
898 	    (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW ||
899 	     conn->pin_length == 16))
900 		goto encrypt;
901 
902 auth:
903 	if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
904 		return 0;
905 
906 	if (!hci_conn_auth(conn, sec_level, auth_type))
907 		return 0;
908 
909 encrypt:
910 	if (conn->link_mode & HCI_LM_ENCRYPT)
911 		return 1;
912 
913 	hci_conn_encrypt(conn);
914 	return 0;
915 }
916 EXPORT_SYMBOL(hci_conn_security);
917 
918 /* Check secure link requirement */
919 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
920 {
921 	BT_DBG("hcon %p", conn);
922 
923 	/* Accept if non-secure or higher security level is required */
924 	if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
925 		return 1;
926 
927 	/* Accept if secure or higher security level is already present */
928 	if (conn->sec_level == BT_SECURITY_HIGH ||
929 	    conn->sec_level == BT_SECURITY_FIPS)
930 		return 1;
931 
932 	/* Reject not secure link */
933 	return 0;
934 }
935 EXPORT_SYMBOL(hci_conn_check_secure);
936 
937 /* Change link key */
938 int hci_conn_change_link_key(struct hci_conn *conn)
939 {
940 	BT_DBG("hcon %p", conn);
941 
942 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
943 		struct hci_cp_change_conn_link_key cp;
944 		cp.handle = cpu_to_le16(conn->handle);
945 		hci_send_cmd(conn->hdev, HCI_OP_CHANGE_CONN_LINK_KEY,
946 			     sizeof(cp), &cp);
947 	}
948 
949 	return 0;
950 }
951 
952 /* Switch role */
953 int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
954 {
955 	BT_DBG("hcon %p", conn);
956 
957 	if (!role && conn->link_mode & HCI_LM_MASTER)
958 		return 1;
959 
960 	if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
961 		struct hci_cp_switch_role cp;
962 		bacpy(&cp.bdaddr, &conn->dst);
963 		cp.role = role;
964 		hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
965 	}
966 
967 	return 0;
968 }
969 EXPORT_SYMBOL(hci_conn_switch_role);
970 
971 /* Enter active mode */
972 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
973 {
974 	struct hci_dev *hdev = conn->hdev;
975 
976 	BT_DBG("hcon %p mode %d", conn, conn->mode);
977 
978 	if (test_bit(HCI_RAW, &hdev->flags))
979 		return;
980 
981 	if (conn->mode != HCI_CM_SNIFF)
982 		goto timer;
983 
984 	if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
985 		goto timer;
986 
987 	if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
988 		struct hci_cp_exit_sniff_mode cp;
989 		cp.handle = cpu_to_le16(conn->handle);
990 		hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
991 	}
992 
993 timer:
994 	if (hdev->idle_timeout > 0)
995 		queue_delayed_work(hdev->workqueue, &conn->idle_work,
996 				   msecs_to_jiffies(hdev->idle_timeout));
997 }
998 
999 /* Drop all connection on the device */
1000 void hci_conn_hash_flush(struct hci_dev *hdev)
1001 {
1002 	struct hci_conn_hash *h = &hdev->conn_hash;
1003 	struct hci_conn *c, *n;
1004 
1005 	BT_DBG("hdev %s", hdev->name);
1006 
1007 	list_for_each_entry_safe(c, n, &h->list, list) {
1008 		c->state = BT_CLOSED;
1009 
1010 		hci_proto_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM);
1011 		hci_conn_del(c);
1012 	}
1013 }
1014 
1015 /* Check pending connect attempts */
1016 void hci_conn_check_pending(struct hci_dev *hdev)
1017 {
1018 	struct hci_conn *conn;
1019 
1020 	BT_DBG("hdev %s", hdev->name);
1021 
1022 	hci_dev_lock(hdev);
1023 
1024 	conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2);
1025 	if (conn)
1026 		hci_acl_create_connection(conn);
1027 
1028 	hci_dev_unlock(hdev);
1029 }
1030 
1031 int hci_get_conn_list(void __user *arg)
1032 {
1033 	struct hci_conn *c;
1034 	struct hci_conn_list_req req, *cl;
1035 	struct hci_conn_info *ci;
1036 	struct hci_dev *hdev;
1037 	int n = 0, size, err;
1038 
1039 	if (copy_from_user(&req, arg, sizeof(req)))
1040 		return -EFAULT;
1041 
1042 	if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
1043 		return -EINVAL;
1044 
1045 	size = sizeof(req) + req.conn_num * sizeof(*ci);
1046 
1047 	cl = kmalloc(size, GFP_KERNEL);
1048 	if (!cl)
1049 		return -ENOMEM;
1050 
1051 	hdev = hci_dev_get(req.dev_id);
1052 	if (!hdev) {
1053 		kfree(cl);
1054 		return -ENODEV;
1055 	}
1056 
1057 	ci = cl->conn_info;
1058 
1059 	hci_dev_lock(hdev);
1060 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
1061 		bacpy(&(ci + n)->bdaddr, &c->dst);
1062 		(ci + n)->handle = c->handle;
1063 		(ci + n)->type  = c->type;
1064 		(ci + n)->out   = c->out;
1065 		(ci + n)->state = c->state;
1066 		(ci + n)->link_mode = c->link_mode;
1067 		if (++n >= req.conn_num)
1068 			break;
1069 	}
1070 	hci_dev_unlock(hdev);
1071 
1072 	cl->dev_id = hdev->id;
1073 	cl->conn_num = n;
1074 	size = sizeof(req) + n * sizeof(*ci);
1075 
1076 	hci_dev_put(hdev);
1077 
1078 	err = copy_to_user(arg, cl, size);
1079 	kfree(cl);
1080 
1081 	return err ? -EFAULT : 0;
1082 }
1083 
1084 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
1085 {
1086 	struct hci_conn_info_req req;
1087 	struct hci_conn_info ci;
1088 	struct hci_conn *conn;
1089 	char __user *ptr = arg + sizeof(req);
1090 
1091 	if (copy_from_user(&req, arg, sizeof(req)))
1092 		return -EFAULT;
1093 
1094 	hci_dev_lock(hdev);
1095 	conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
1096 	if (conn) {
1097 		bacpy(&ci.bdaddr, &conn->dst);
1098 		ci.handle = conn->handle;
1099 		ci.type  = conn->type;
1100 		ci.out   = conn->out;
1101 		ci.state = conn->state;
1102 		ci.link_mode = conn->link_mode;
1103 	}
1104 	hci_dev_unlock(hdev);
1105 
1106 	if (!conn)
1107 		return -ENOENT;
1108 
1109 	return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
1110 }
1111 
1112 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
1113 {
1114 	struct hci_auth_info_req req;
1115 	struct hci_conn *conn;
1116 
1117 	if (copy_from_user(&req, arg, sizeof(req)))
1118 		return -EFAULT;
1119 
1120 	hci_dev_lock(hdev);
1121 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
1122 	if (conn)
1123 		req.type = conn->auth_type;
1124 	hci_dev_unlock(hdev);
1125 
1126 	if (!conn)
1127 		return -ENOENT;
1128 
1129 	return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
1130 }
1131 
1132 struct hci_chan *hci_chan_create(struct hci_conn *conn)
1133 {
1134 	struct hci_dev *hdev = conn->hdev;
1135 	struct hci_chan *chan;
1136 
1137 	BT_DBG("%s hcon %p", hdev->name, conn);
1138 
1139 	chan = kzalloc(sizeof(struct hci_chan), GFP_KERNEL);
1140 	if (!chan)
1141 		return NULL;
1142 
1143 	chan->conn = conn;
1144 	skb_queue_head_init(&chan->data_q);
1145 	chan->state = BT_CONNECTED;
1146 
1147 	list_add_rcu(&chan->list, &conn->chan_list);
1148 
1149 	return chan;
1150 }
1151 
1152 void hci_chan_del(struct hci_chan *chan)
1153 {
1154 	struct hci_conn *conn = chan->conn;
1155 	struct hci_dev *hdev = conn->hdev;
1156 
1157 	BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
1158 
1159 	list_del_rcu(&chan->list);
1160 
1161 	synchronize_rcu();
1162 
1163 	hci_conn_drop(conn);
1164 
1165 	skb_queue_purge(&chan->data_q);
1166 	kfree(chan);
1167 }
1168 
1169 void hci_chan_list_flush(struct hci_conn *conn)
1170 {
1171 	struct hci_chan *chan, *n;
1172 
1173 	BT_DBG("hcon %p", conn);
1174 
1175 	list_for_each_entry_safe(chan, n, &conn->chan_list, list)
1176 		hci_chan_del(chan);
1177 }
1178 
1179 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
1180 						 __u16 handle)
1181 {
1182 	struct hci_chan *hchan;
1183 
1184 	list_for_each_entry(hchan, &hcon->chan_list, list) {
1185 		if (hchan->handle == handle)
1186 			return hchan;
1187 	}
1188 
1189 	return NULL;
1190 }
1191 
1192 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
1193 {
1194 	struct hci_conn_hash *h = &hdev->conn_hash;
1195 	struct hci_conn *hcon;
1196 	struct hci_chan *hchan = NULL;
1197 
1198 	rcu_read_lock();
1199 
1200 	list_for_each_entry_rcu(hcon, &h->list, list) {
1201 		hchan = __hci_chan_lookup_handle(hcon, handle);
1202 		if (hchan)
1203 			break;
1204 	}
1205 
1206 	rcu_read_unlock();
1207 
1208 	return hchan;
1209 }
1210