2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI connection handling. */
27 #include <linux/export.h>
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/l2cap.h>
41 static const struct sco_param sco_param_cvsd[] = {
42 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a }, /* S3 */
43 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007 }, /* S2 */
44 { EDR_ESCO_MASK | ESCO_EV3, 0x0007 }, /* S1 */
45 { EDR_ESCO_MASK | ESCO_HV3, 0xffff }, /* D1 */
46 { EDR_ESCO_MASK | ESCO_HV1, 0xffff }, /* D0 */
49 static const struct sco_param sco_param_wideband[] = {
50 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d }, /* T2 */
51 { EDR_ESCO_MASK | ESCO_EV3, 0x0008 }, /* T1 */
54 static void hci_le_create_connection_cancel(struct hci_conn *conn)
56 hci_send_cmd(conn->hdev, HCI_OP_LE_CREATE_CONN_CANCEL, 0, NULL);
59 static void hci_acl_create_connection(struct hci_conn *conn)
61 struct hci_dev *hdev = conn->hdev;
62 struct inquiry_entry *ie;
63 struct hci_cp_create_conn cp;
65 BT_DBG("hcon %p", conn);
67 conn->state = BT_CONNECT;
70 conn->link_mode = HCI_LM_MASTER;
74 conn->link_policy = hdev->link_policy;
76 memset(&cp, 0, sizeof(cp));
77 bacpy(&cp.bdaddr, &conn->dst);
78 cp.pscan_rep_mode = 0x02;
80 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
82 if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) {
83 cp.pscan_rep_mode = ie->data.pscan_rep_mode;
84 cp.pscan_mode = ie->data.pscan_mode;
85 cp.clock_offset = ie->data.clock_offset |
89 memcpy(conn->dev_class, ie->data.dev_class, 3);
90 if (ie->data.ssp_mode > 0)
91 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
94 cp.pkt_type = cpu_to_le16(conn->pkt_type);
95 if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER))
96 cp.role_switch = 0x01;
98 cp.role_switch = 0x00;
100 hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
103 static void hci_acl_create_connection_cancel(struct hci_conn *conn)
105 struct hci_cp_create_conn_cancel cp;
107 BT_DBG("hcon %p", conn);
109 if (conn->hdev->hci_ver < BLUETOOTH_VER_1_2)
112 bacpy(&cp.bdaddr, &conn->dst);
113 hci_send_cmd(conn->hdev, HCI_OP_CREATE_CONN_CANCEL, sizeof(cp), &cp);
116 static void hci_reject_sco(struct hci_conn *conn)
118 struct hci_cp_reject_sync_conn_req cp;
120 cp.reason = HCI_ERROR_REMOTE_USER_TERM;
121 bacpy(&cp.bdaddr, &conn->dst);
123 hci_send_cmd(conn->hdev, HCI_OP_REJECT_SYNC_CONN_REQ, sizeof(cp), &cp);
126 void hci_disconnect(struct hci_conn *conn, __u8 reason)
128 struct hci_cp_disconnect cp;
130 BT_DBG("hcon %p", conn);
132 conn->state = BT_DISCONN;
134 cp.handle = cpu_to_le16(conn->handle);
136 hci_send_cmd(conn->hdev, HCI_OP_DISCONNECT, sizeof(cp), &cp);
139 static void hci_amp_disconn(struct hci_conn *conn, __u8 reason)
141 struct hci_cp_disconn_phy_link cp;
143 BT_DBG("hcon %p", conn);
145 conn->state = BT_DISCONN;
147 cp.phy_handle = HCI_PHY_HANDLE(conn->handle);
149 hci_send_cmd(conn->hdev, HCI_OP_DISCONN_PHY_LINK,
153 static void hci_add_sco(struct hci_conn *conn, __u16 handle)
155 struct hci_dev *hdev = conn->hdev;
156 struct hci_cp_add_sco cp;
158 BT_DBG("hcon %p", conn);
160 conn->state = BT_CONNECT;
165 cp.handle = cpu_to_le16(handle);
166 cp.pkt_type = cpu_to_le16(conn->pkt_type);
168 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
171 bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
173 struct hci_dev *hdev = conn->hdev;
174 struct hci_cp_setup_sync_conn cp;
175 const struct sco_param *param;
177 BT_DBG("hcon %p", conn);
179 conn->state = BT_CONNECT;
184 cp.handle = cpu_to_le16(handle);
186 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
187 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
188 cp.voice_setting = cpu_to_le16(conn->setting);
190 switch (conn->setting & SCO_AIRMODE_MASK) {
191 case SCO_AIRMODE_TRANSP:
192 if (conn->attempt > ARRAY_SIZE(sco_param_wideband))
194 cp.retrans_effort = 0x02;
195 param = &sco_param_wideband[conn->attempt - 1];
197 case SCO_AIRMODE_CVSD:
198 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
200 cp.retrans_effort = 0x01;
201 param = &sco_param_cvsd[conn->attempt - 1];
207 cp.pkt_type = __cpu_to_le16(param->pkt_type);
208 cp.max_latency = __cpu_to_le16(param->max_latency);
210 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
216 void hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max,
217 u16 latency, u16 to_multiplier)
219 struct hci_cp_le_conn_update cp;
220 struct hci_dev *hdev = conn->hdev;
222 memset(&cp, 0, sizeof(cp));
224 cp.handle = cpu_to_le16(conn->handle);
225 cp.conn_interval_min = cpu_to_le16(min);
226 cp.conn_interval_max = cpu_to_le16(max);
227 cp.conn_latency = cpu_to_le16(latency);
228 cp.supervision_timeout = cpu_to_le16(to_multiplier);
229 cp.min_ce_len = cpu_to_le16(0x0000);
230 cp.max_ce_len = cpu_to_le16(0x0000);
232 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
235 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
238 struct hci_dev *hdev = conn->hdev;
239 struct hci_cp_le_start_enc cp;
241 BT_DBG("hcon %p", conn);
243 memset(&cp, 0, sizeof(cp));
245 cp.handle = cpu_to_le16(conn->handle);
248 memcpy(cp.ltk, ltk, sizeof(cp.ltk));
250 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
253 /* Device _must_ be locked */
254 void hci_sco_setup(struct hci_conn *conn, __u8 status)
256 struct hci_conn *sco = conn->link;
261 BT_DBG("hcon %p", conn);
264 if (lmp_esco_capable(conn->hdev))
265 hci_setup_sync(sco, conn->handle);
267 hci_add_sco(sco, conn->handle);
269 hci_proto_connect_cfm(sco, status);
274 static void hci_conn_disconnect(struct hci_conn *conn)
276 __u8 reason = hci_proto_disconn_ind(conn);
278 switch (conn->type) {
280 hci_amp_disconn(conn, reason);
283 hci_disconnect(conn, reason);
288 static void hci_conn_timeout(struct work_struct *work)
290 struct hci_conn *conn = container_of(work, struct hci_conn,
292 int refcnt = atomic_read(&conn->refcnt);
294 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
298 /* FIXME: It was observed that in pairing failed scenario, refcnt
299 * drops below 0. Probably this is because l2cap_conn_del calls
300 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
301 * dropped. After that loop hci_chan_del is called which also drops
302 * conn. For now make sure that ACL is alive if refcnt is higher then 0,
308 switch (conn->state) {
312 if (conn->type == ACL_LINK)
313 hci_acl_create_connection_cancel(conn);
314 else if (conn->type == LE_LINK)
315 hci_le_create_connection_cancel(conn);
316 } else if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
317 hci_reject_sco(conn);
322 hci_conn_disconnect(conn);
325 conn->state = BT_CLOSED;
330 /* Enter sniff mode */
331 static void hci_conn_idle(struct work_struct *work)
333 struct hci_conn *conn = container_of(work, struct hci_conn,
335 struct hci_dev *hdev = conn->hdev;
337 BT_DBG("hcon %p mode %d", conn, conn->mode);
339 if (test_bit(HCI_RAW, &hdev->flags))
342 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
345 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
348 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
349 struct hci_cp_sniff_subrate cp;
350 cp.handle = cpu_to_le16(conn->handle);
351 cp.max_latency = cpu_to_le16(0);
352 cp.min_remote_timeout = cpu_to_le16(0);
353 cp.min_local_timeout = cpu_to_le16(0);
354 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
357 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
358 struct hci_cp_sniff_mode cp;
359 cp.handle = cpu_to_le16(conn->handle);
360 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
361 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
362 cp.attempt = cpu_to_le16(4);
363 cp.timeout = cpu_to_le16(1);
364 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
368 static void hci_conn_auto_accept(struct work_struct *work)
370 struct hci_conn *conn = container_of(work, struct hci_conn,
371 auto_accept_work.work);
373 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
377 static void le_conn_timeout(struct work_struct *work)
379 struct hci_conn *conn = container_of(work, struct hci_conn,
380 le_conn_timeout.work);
381 struct hci_dev *hdev = conn->hdev;
385 /* We could end up here due to having done directed advertising,
386 * so clean up the state if necessary. This should however only
387 * happen with broken hardware or if low duty cycle was used
388 * (which doesn't have a timeout of its own).
390 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags)) {
392 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
394 hci_le_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
398 hci_le_create_connection_cancel(conn);
401 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
403 struct hci_conn *conn;
405 BT_DBG("%s dst %pMR", hdev->name, dst);
407 conn = kzalloc(sizeof(struct hci_conn), GFP_KERNEL);
411 bacpy(&conn->dst, dst);
412 bacpy(&conn->src, &hdev->bdaddr);
415 conn->mode = HCI_CM_ACTIVE;
416 conn->state = BT_OPEN;
417 conn->auth_type = HCI_AT_GENERAL_BONDING;
418 conn->io_capability = hdev->io_capability;
419 conn->remote_auth = 0xff;
420 conn->key_type = 0xff;
421 conn->tx_power = HCI_TX_POWER_INVALID;
422 conn->max_tx_power = HCI_TX_POWER_INVALID;
424 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
425 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
429 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
432 /* conn->src should reflect the local identity address */
433 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
436 if (lmp_esco_capable(hdev))
437 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
438 (hdev->esco_type & EDR_ESCO_MASK);
440 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
443 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
447 skb_queue_head_init(&conn->data_q);
449 INIT_LIST_HEAD(&conn->chan_list);
451 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
452 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
453 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
454 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
456 atomic_set(&conn->refcnt, 0);
460 hci_conn_hash_add(hdev, conn);
462 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
464 hci_conn_init_sysfs(conn);
469 int hci_conn_del(struct hci_conn *conn)
471 struct hci_dev *hdev = conn->hdev;
473 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
475 cancel_delayed_work_sync(&conn->disc_work);
476 cancel_delayed_work_sync(&conn->auto_accept_work);
477 cancel_delayed_work_sync(&conn->idle_work);
479 if (conn->type == ACL_LINK) {
480 struct hci_conn *sco = conn->link;
485 hdev->acl_cnt += conn->sent;
486 } else if (conn->type == LE_LINK) {
487 cancel_delayed_work_sync(&conn->le_conn_timeout);
490 hdev->le_cnt += conn->sent;
492 hdev->acl_cnt += conn->sent;
494 struct hci_conn *acl = conn->link;
501 hci_chan_list_flush(conn);
504 amp_mgr_put(conn->amp_mgr);
506 hci_conn_hash_del(hdev, conn);
508 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
510 skb_queue_purge(&conn->data_q);
512 hci_conn_del_sysfs(conn);
521 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src)
523 int use_src = bacmp(src, BDADDR_ANY);
524 struct hci_dev *hdev = NULL, *d;
526 BT_DBG("%pMR -> %pMR", src, dst);
528 read_lock(&hci_dev_list_lock);
530 list_for_each_entry(d, &hci_dev_list, list) {
531 if (!test_bit(HCI_UP, &d->flags) ||
532 test_bit(HCI_RAW, &d->flags) ||
533 test_bit(HCI_USER_CHANNEL, &d->dev_flags) ||
534 d->dev_type != HCI_BREDR)
538 * No source address - find interface with bdaddr != dst
539 * Source address - find interface with bdaddr == src
543 if (!bacmp(&d->bdaddr, src)) {
547 if (bacmp(&d->bdaddr, dst)) {
554 hdev = hci_dev_hold(hdev);
556 read_unlock(&hci_dev_list_lock);
559 EXPORT_SYMBOL(hci_get_route);
561 /* This function requires the caller holds hdev->lock */
562 void hci_le_conn_failed(struct hci_conn *conn, u8 status)
564 struct hci_dev *hdev = conn->hdev;
566 conn->state = BT_CLOSED;
568 mgmt_connect_failed(hdev, &conn->dst, conn->type, conn->dst_type,
571 hci_proto_connect_cfm(conn, status);
575 /* Since we may have temporarily stopped the background scanning in
576 * favor of connection establishment, we should restart it.
578 hci_update_background_scan(hdev);
580 /* Re-enable advertising in case this was a failed connection
581 * attempt as a peripheral.
583 mgmt_reenable_advertising(hdev);
586 static void create_le_conn_complete(struct hci_dev *hdev, u8 status)
588 struct hci_conn *conn;
593 BT_ERR("HCI request failed to create LE connection: status 0x%2.2x",
598 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
602 hci_le_conn_failed(conn, status);
605 hci_dev_unlock(hdev);
608 static void hci_req_add_le_create_conn(struct hci_request *req,
609 struct hci_conn *conn)
611 struct hci_cp_le_create_conn cp;
612 struct hci_dev *hdev = conn->hdev;
615 memset(&cp, 0, sizeof(cp));
617 /* Update random address, but set require_privacy to false so
618 * that we never connect with an unresolvable address.
620 if (hci_update_random_address(req, false, &own_addr_type))
623 cp.scan_interval = cpu_to_le16(hdev->le_scan_interval);
624 cp.scan_window = cpu_to_le16(hdev->le_scan_window);
625 bacpy(&cp.peer_addr, &conn->dst);
626 cp.peer_addr_type = conn->dst_type;
627 cp.own_address_type = own_addr_type;
628 cp.conn_interval_min = cpu_to_le16(conn->le_conn_min_interval);
629 cp.conn_interval_max = cpu_to_le16(conn->le_conn_max_interval);
630 cp.supervision_timeout = cpu_to_le16(0x002a);
631 cp.min_ce_len = cpu_to_le16(0x0000);
632 cp.max_ce_len = cpu_to_le16(0x0000);
634 hci_req_add(req, HCI_OP_LE_CREATE_CONN, sizeof(cp), &cp);
636 conn->state = BT_CONNECT;
639 static void hci_req_directed_advertising(struct hci_request *req,
640 struct hci_conn *conn)
642 struct hci_dev *hdev = req->hdev;
643 struct hci_cp_le_set_adv_param cp;
648 hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
650 /* Clear the HCI_ADVERTISING bit temporarily so that the
651 * hci_update_random_address knows that it's safe to go ahead
652 * and write a new random address. The flag will be set back on
653 * as soon as the SET_ADV_ENABLE HCI command completes.
655 clear_bit(HCI_ADVERTISING, &hdev->dev_flags);
657 /* Set require_privacy to false so that the remote device has a
658 * chance of identifying us.
660 if (hci_update_random_address(req, false, &own_addr_type) < 0)
663 memset(&cp, 0, sizeof(cp));
664 cp.type = LE_ADV_DIRECT_IND;
665 cp.own_address_type = own_addr_type;
666 cp.direct_addr_type = conn->dst_type;
667 bacpy(&cp.direct_addr, &conn->dst);
668 cp.channel_map = hdev->le_adv_channel_map;
670 hci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp);
673 hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
675 conn->state = BT_CONNECT;
678 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
679 u8 dst_type, u8 sec_level, u8 auth_type)
681 struct hci_conn_params *params;
682 struct hci_conn *conn;
684 struct hci_request req;
687 /* Some devices send ATT messages as soon as the physical link is
688 * established. To be able to handle these ATT messages, the user-
689 * space first establishes the connection and then starts the pairing
692 * So if a hci_conn object already exists for the following connection
693 * attempt, we simply update pending_sec_level and auth_type fields
694 * and return the object found.
696 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, dst);
698 conn->pending_sec_level = sec_level;
699 conn->auth_type = auth_type;
703 /* Since the controller supports only one LE connection attempt at a
704 * time, we return -EBUSY if there is any connection attempt running.
706 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
708 return ERR_PTR(-EBUSY);
710 /* When given an identity address with existing identity
711 * resolving key, the connection needs to be established
712 * to a resolvable random address.
714 * This uses the cached random resolvable address from
715 * a previous scan. When no cached address is available,
716 * try connecting to the identity address instead.
718 * Storing the resolvable random address is required here
719 * to handle connection failures. The address will later
720 * be resolved back into the original identity address
721 * from the connect request.
723 irk = hci_find_irk_by_addr(hdev, dst, dst_type);
724 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
726 dst_type = ADDR_LE_DEV_RANDOM;
729 conn = hci_conn_add(hdev, LE_LINK, dst);
731 return ERR_PTR(-ENOMEM);
733 conn->dst_type = dst_type;
734 conn->sec_level = BT_SECURITY_LOW;
735 conn->pending_sec_level = sec_level;
736 conn->auth_type = auth_type;
738 hci_req_init(&req, hdev);
740 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags)) {
741 hci_req_directed_advertising(&req, conn);
746 conn->link_mode |= HCI_LM_MASTER;
748 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
750 conn->le_conn_min_interval = params->conn_min_interval;
751 conn->le_conn_max_interval = params->conn_max_interval;
753 conn->le_conn_min_interval = hdev->le_conn_min_interval;
754 conn->le_conn_max_interval = hdev->le_conn_max_interval;
757 /* If controller is scanning, we stop it since some controllers are
758 * not able to scan and connect at the same time. Also set the
759 * HCI_LE_SCAN_INTERRUPTED flag so that the command complete
760 * handler for scan disabling knows to set the correct discovery
763 if (test_bit(HCI_LE_SCAN, &hdev->dev_flags)) {
764 hci_req_add_le_scan_disable(&req);
765 set_bit(HCI_LE_SCAN_INTERRUPTED, &hdev->dev_flags);
768 hci_req_add_le_create_conn(&req, conn);
771 err = hci_req_run(&req, create_le_conn_complete);
782 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
783 u8 sec_level, u8 auth_type)
785 struct hci_conn *acl;
787 if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
788 return ERR_PTR(-ENOTSUPP);
790 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
792 acl = hci_conn_add(hdev, ACL_LINK, dst);
794 return ERR_PTR(-ENOMEM);
799 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
800 acl->sec_level = BT_SECURITY_LOW;
801 acl->pending_sec_level = sec_level;
802 acl->auth_type = auth_type;
803 hci_acl_create_connection(acl);
809 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
812 struct hci_conn *acl;
813 struct hci_conn *sco;
815 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING);
819 sco = hci_conn_hash_lookup_ba(hdev, type, dst);
821 sco = hci_conn_add(hdev, type, dst);
824 return ERR_PTR(-ENOMEM);
833 sco->setting = setting;
835 if (acl->state == BT_CONNECTED &&
836 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
837 set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
838 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
840 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
841 /* defer SCO setup until mode change completed */
842 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
846 hci_sco_setup(acl, 0x00);
852 /* Check link security requirement */
853 int hci_conn_check_link_mode(struct hci_conn *conn)
855 BT_DBG("hcon %p", conn);
857 /* In Secure Connections Only mode, it is required that Secure
858 * Connections is used and the link is encrypted with AES-CCM
859 * using a P-256 authenticated combination key.
861 if (test_bit(HCI_SC_ONLY, &conn->hdev->flags)) {
862 if (!hci_conn_sc_enabled(conn) ||
863 !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
864 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
868 if (hci_conn_ssp_enabled(conn) && !(conn->link_mode & HCI_LM_ENCRYPT))
874 /* Authenticate remote device */
875 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
877 BT_DBG("hcon %p", conn);
879 if (conn->pending_sec_level > sec_level)
880 sec_level = conn->pending_sec_level;
882 if (sec_level > conn->sec_level)
883 conn->pending_sec_level = sec_level;
884 else if (conn->link_mode & HCI_LM_AUTH)
887 /* Make sure we preserve an existing MITM requirement*/
888 auth_type |= (conn->auth_type & 0x01);
890 conn->auth_type = auth_type;
892 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
893 struct hci_cp_auth_requested cp;
895 cp.handle = cpu_to_le16(conn->handle);
896 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
899 /* If we're already encrypted set the REAUTH_PEND flag,
900 * otherwise set the ENCRYPT_PEND.
902 if (conn->link_mode & HCI_LM_ENCRYPT)
903 set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
905 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
911 /* Encrypt the the link */
912 static void hci_conn_encrypt(struct hci_conn *conn)
914 BT_DBG("hcon %p", conn);
916 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
917 struct hci_cp_set_conn_encrypt cp;
918 cp.handle = cpu_to_le16(conn->handle);
920 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
925 /* Enable security */
926 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
928 BT_DBG("hcon %p", conn);
930 if (conn->type == LE_LINK)
931 return smp_conn_security(conn, sec_level);
933 /* For sdp we don't need the link key. */
934 if (sec_level == BT_SECURITY_SDP)
937 /* For non 2.1 devices and low security level we don't need the link
939 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
942 /* For other security levels we need the link key. */
943 if (!(conn->link_mode & HCI_LM_AUTH))
946 /* An authenticated FIPS approved combination key has sufficient
947 * security for security level 4. */
948 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 &&
949 sec_level == BT_SECURITY_FIPS)
952 /* An authenticated combination key has sufficient security for
954 if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 ||
955 conn->key_type == HCI_LK_AUTH_COMBINATION_P256) &&
956 sec_level == BT_SECURITY_HIGH)
959 /* An unauthenticated combination key has sufficient security for
960 security level 1 and 2. */
961 if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 ||
962 conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) &&
963 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW))
966 /* A combination key has always sufficient security for the security
967 levels 1 or 2. High security level requires the combination key
968 is generated using maximum PIN code length (16).
969 For pre 2.1 units. */
970 if (conn->key_type == HCI_LK_COMBINATION &&
971 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW ||
972 conn->pin_length == 16))
976 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
979 if (!hci_conn_auth(conn, sec_level, auth_type))
983 if (conn->link_mode & HCI_LM_ENCRYPT)
986 hci_conn_encrypt(conn);
989 EXPORT_SYMBOL(hci_conn_security);
991 /* Check secure link requirement */
992 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
994 BT_DBG("hcon %p", conn);
996 /* Accept if non-secure or higher security level is required */
997 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
1000 /* Accept if secure or higher security level is already present */
1001 if (conn->sec_level == BT_SECURITY_HIGH ||
1002 conn->sec_level == BT_SECURITY_FIPS)
1005 /* Reject not secure link */
1008 EXPORT_SYMBOL(hci_conn_check_secure);
1010 /* Change link key */
1011 int hci_conn_change_link_key(struct hci_conn *conn)
1013 BT_DBG("hcon %p", conn);
1015 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1016 struct hci_cp_change_conn_link_key cp;
1017 cp.handle = cpu_to_le16(conn->handle);
1018 hci_send_cmd(conn->hdev, HCI_OP_CHANGE_CONN_LINK_KEY,
1026 int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
1028 BT_DBG("hcon %p", conn);
1030 if (!role && conn->link_mode & HCI_LM_MASTER)
1033 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
1034 struct hci_cp_switch_role cp;
1035 bacpy(&cp.bdaddr, &conn->dst);
1037 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
1042 EXPORT_SYMBOL(hci_conn_switch_role);
1044 /* Enter active mode */
1045 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
1047 struct hci_dev *hdev = conn->hdev;
1049 BT_DBG("hcon %p mode %d", conn, conn->mode);
1051 if (test_bit(HCI_RAW, &hdev->flags))
1054 if (conn->mode != HCI_CM_SNIFF)
1057 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
1060 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
1061 struct hci_cp_exit_sniff_mode cp;
1062 cp.handle = cpu_to_le16(conn->handle);
1063 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
1067 if (hdev->idle_timeout > 0)
1068 queue_delayed_work(hdev->workqueue, &conn->idle_work,
1069 msecs_to_jiffies(hdev->idle_timeout));
1072 /* Drop all connection on the device */
1073 void hci_conn_hash_flush(struct hci_dev *hdev)
1075 struct hci_conn_hash *h = &hdev->conn_hash;
1076 struct hci_conn *c, *n;
1078 BT_DBG("hdev %s", hdev->name);
1080 list_for_each_entry_safe(c, n, &h->list, list) {
1081 c->state = BT_CLOSED;
1083 hci_proto_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM);
1088 /* Check pending connect attempts */
1089 void hci_conn_check_pending(struct hci_dev *hdev)
1091 struct hci_conn *conn;
1093 BT_DBG("hdev %s", hdev->name);
1097 conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2);
1099 hci_acl_create_connection(conn);
1101 hci_dev_unlock(hdev);
1104 int hci_get_conn_list(void __user *arg)
1107 struct hci_conn_list_req req, *cl;
1108 struct hci_conn_info *ci;
1109 struct hci_dev *hdev;
1110 int n = 0, size, err;
1112 if (copy_from_user(&req, arg, sizeof(req)))
1115 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
1118 size = sizeof(req) + req.conn_num * sizeof(*ci);
1120 cl = kmalloc(size, GFP_KERNEL);
1124 hdev = hci_dev_get(req.dev_id);
1133 list_for_each_entry(c, &hdev->conn_hash.list, list) {
1134 bacpy(&(ci + n)->bdaddr, &c->dst);
1135 (ci + n)->handle = c->handle;
1136 (ci + n)->type = c->type;
1137 (ci + n)->out = c->out;
1138 (ci + n)->state = c->state;
1139 (ci + n)->link_mode = c->link_mode;
1140 if (++n >= req.conn_num)
1143 hci_dev_unlock(hdev);
1145 cl->dev_id = hdev->id;
1147 size = sizeof(req) + n * sizeof(*ci);
1151 err = copy_to_user(arg, cl, size);
1154 return err ? -EFAULT : 0;
1157 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
1159 struct hci_conn_info_req req;
1160 struct hci_conn_info ci;
1161 struct hci_conn *conn;
1162 char __user *ptr = arg + sizeof(req);
1164 if (copy_from_user(&req, arg, sizeof(req)))
1168 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
1170 bacpy(&ci.bdaddr, &conn->dst);
1171 ci.handle = conn->handle;
1172 ci.type = conn->type;
1174 ci.state = conn->state;
1175 ci.link_mode = conn->link_mode;
1177 hci_dev_unlock(hdev);
1182 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
1185 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
1187 struct hci_auth_info_req req;
1188 struct hci_conn *conn;
1190 if (copy_from_user(&req, arg, sizeof(req)))
1194 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
1196 req.type = conn->auth_type;
1197 hci_dev_unlock(hdev);
1202 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
1205 struct hci_chan *hci_chan_create(struct hci_conn *conn)
1207 struct hci_dev *hdev = conn->hdev;
1208 struct hci_chan *chan;
1210 BT_DBG("%s hcon %p", hdev->name, conn);
1212 chan = kzalloc(sizeof(struct hci_chan), GFP_KERNEL);
1217 skb_queue_head_init(&chan->data_q);
1218 chan->state = BT_CONNECTED;
1220 list_add_rcu(&chan->list, &conn->chan_list);
1225 void hci_chan_del(struct hci_chan *chan)
1227 struct hci_conn *conn = chan->conn;
1228 struct hci_dev *hdev = conn->hdev;
1230 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
1232 list_del_rcu(&chan->list);
1236 hci_conn_drop(conn);
1238 skb_queue_purge(&chan->data_q);
1242 void hci_chan_list_flush(struct hci_conn *conn)
1244 struct hci_chan *chan, *n;
1246 BT_DBG("hcon %p", conn);
1248 list_for_each_entry_safe(chan, n, &conn->chan_list, list)
1252 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
1255 struct hci_chan *hchan;
1257 list_for_each_entry(hchan, &hcon->chan_list, list) {
1258 if (hchan->handle == handle)
1265 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
1267 struct hci_conn_hash *h = &hdev->conn_hash;
1268 struct hci_conn *hcon;
1269 struct hci_chan *hchan = NULL;
1273 list_for_each_entry_rcu(hcon, &h->list, list) {
1274 hchan = __hci_chan_lookup_handle(hcon, handle);
projects / firefly-linux-kernel-4.4.55.git / blob