2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI connection handling. */
27 #include <linux/export.h>
28 #include <linux/debugfs.h>
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/l2cap.h>
34 #include "hci_request.h"
45 static const struct sco_param esco_param_cvsd[] = {
46 { (EDR_ESCO_MASK & ~ESCO_2EV3) | SCO_ESCO_MASK | ESCO_EV3,
47 0x000a, 0x01 }, /* S3 */
48 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */
49 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */
50 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */
51 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */
54 static const struct sco_param esco_param_cvsd[] = {
55 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */
56 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */
57 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */
58 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */
59 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */
63 static const struct sco_param sco_param_cvsd[] = {
64 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */
65 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */
69 static const struct sco_param esco_param_msbc[] = {
70 { (EDR_ESCO_MASK & ~ESCO_2EV3) | ESCO_EV3,
71 0x000d, 0x02 }, /* T2 */
72 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */
75 static const struct sco_param esco_param_msbc[] = {
76 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */
77 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */
81 /* This function requires the caller holds hdev->lock */
82 static void hci_connect_le_scan_cleanup(struct hci_conn *conn)
84 struct hci_conn_params *params;
85 struct hci_dev *hdev = conn->hdev;
91 bdaddr_type = conn->dst_type;
93 /* Check if we need to convert to identity address */
94 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
96 bdaddr = &irk->bdaddr;
97 bdaddr_type = irk->addr_type;
100 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr,
102 if (!params || !params->explicit_connect)
105 /* The connection attempt was doing scan for new RPA, and is
106 * in scan phase. If params are not associated with any other
107 * autoconnect action, remove them completely. If they are, just unmark
108 * them as waiting for connection, by clearing explicit_connect field.
110 params->explicit_connect = false;
112 list_del_init(¶ms->action);
114 switch (params->auto_connect) {
115 case HCI_AUTO_CONN_EXPLICIT:
116 hci_conn_params_del(hdev, bdaddr, bdaddr_type);
117 /* return instead of break to avoid duplicate scan update */
119 case HCI_AUTO_CONN_DIRECT:
120 case HCI_AUTO_CONN_ALWAYS:
121 list_add(¶ms->action, &hdev->pend_le_conns);
123 case HCI_AUTO_CONN_REPORT:
124 list_add(¶ms->action, &hdev->pend_le_reports);
130 hci_update_background_scan(hdev);
133 static void hci_conn_cleanup(struct hci_conn *conn)
135 struct hci_dev *hdev = conn->hdev;
137 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
138 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);
140 hci_chan_list_flush(conn);
142 hci_conn_hash_del(hdev, conn);
144 if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
145 switch (conn->setting & SCO_AIRMODE_MASK) {
146 case SCO_AIRMODE_CVSD:
147 case SCO_AIRMODE_TRANSP:
149 hdev->notify(hdev, HCI_NOTIFY_DISABLE_SCO);
154 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
157 hci_conn_del_sysfs(conn);
159 debugfs_remove_recursive(conn->debugfs);
166 static void le_scan_cleanup(struct work_struct *work)
168 struct hci_conn *conn = container_of(work, struct hci_conn,
170 struct hci_dev *hdev = conn->hdev;
171 struct hci_conn *c = NULL;
173 BT_DBG("%s hcon %p", hdev->name, conn);
177 /* Check that the hci_conn is still around */
179 list_for_each_entry_rcu(c, &hdev->conn_hash.list, list) {
186 hci_connect_le_scan_cleanup(conn);
187 hci_conn_cleanup(conn);
190 hci_dev_unlock(hdev);
195 static void hci_connect_le_scan_remove(struct hci_conn *conn)
197 BT_DBG("%s hcon %p", conn->hdev->name, conn);
199 /* We can't call hci_conn_del/hci_conn_cleanup here since that
200 * could deadlock with another hci_conn_del() call that's holding
201 * hci_dev_lock and doing cancel_delayed_work_sync(&conn->disc_work).
202 * Instead, grab temporary extra references to the hci_dev and
203 * hci_conn and perform the necessary cleanup in a separate work
207 hci_dev_hold(conn->hdev);
210 /* Even though we hold a reference to the hdev, many other
211 * things might get cleaned up meanwhile, including the hdev's
212 * own workqueue, so we can't use that for scheduling.
214 schedule_work(&conn->le_scan_cleanup);
217 static void hci_acl_create_connection(struct hci_conn *conn)
219 struct hci_dev *hdev = conn->hdev;
220 struct inquiry_entry *ie;
221 struct hci_cp_create_conn cp;
223 BT_DBG("hcon %p", conn);
225 /* Many controllers disallow HCI Create Connection while it is doing
226 * HCI Inquiry. So we cancel the Inquiry first before issuing HCI Create
227 * Connection. This may cause the MGMT discovering state to become false
228 * without user space's request but it is okay since the MGMT Discovery
229 * APIs do not promise that discovery should be done forever. Instead,
230 * the user space monitors the status of MGMT discovering and it may
231 * request for discovery again when this flag becomes false.
233 if (test_bit(HCI_INQUIRY, &hdev->flags)) {
234 /* Put this connection to "pending" state so that it will be
235 * executed after the inquiry cancel command complete event.
237 conn->state = BT_CONNECT2;
238 hci_send_cmd(hdev, HCI_OP_INQUIRY_CANCEL, 0, NULL);
242 conn->state = BT_CONNECT;
244 conn->role = HCI_ROLE_MASTER;
248 conn->link_policy = hdev->link_policy;
250 memset(&cp, 0, sizeof(cp));
251 bacpy(&cp.bdaddr, &conn->dst);
252 cp.pscan_rep_mode = 0x02;
254 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
256 if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) {
257 cp.pscan_rep_mode = ie->data.pscan_rep_mode;
258 cp.pscan_mode = ie->data.pscan_mode;
259 cp.clock_offset = ie->data.clock_offset |
263 memcpy(conn->dev_class, ie->data.dev_class, 3);
266 cp.pkt_type = cpu_to_le16(conn->pkt_type);
267 if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER))
268 cp.role_switch = 0x01;
270 cp.role_switch = 0x00;
272 hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
275 int hci_disconnect(struct hci_conn *conn, __u8 reason)
277 BT_DBG("hcon %p", conn);
279 /* When we are central of an established connection and it enters
280 * the disconnect timeout, then go ahead and try to read the
281 * current clock offset. Processing of the result is done
282 * within the event handling and hci_clock_offset_evt function.
284 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER &&
285 (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) {
286 struct hci_dev *hdev = conn->hdev;
287 struct hci_cp_read_clock_offset clkoff_cp;
289 clkoff_cp.handle = cpu_to_le16(conn->handle);
290 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp),
294 return hci_abort_conn(conn, reason);
297 static void hci_add_sco(struct hci_conn *conn, __u16 handle)
299 struct hci_dev *hdev = conn->hdev;
300 struct hci_cp_add_sco cp;
302 BT_DBG("hcon %p", conn);
304 conn->state = BT_CONNECT;
309 cp.handle = cpu_to_le16(handle);
310 cp.pkt_type = cpu_to_le16(conn->pkt_type);
312 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
315 static bool find_next_esco_param(struct hci_conn *conn,
316 const struct sco_param *esco_param, int size)
318 for (; conn->attempt <= size; conn->attempt++) {
319 if (lmp_esco_2m_capable(conn->link) ||
320 (esco_param[conn->attempt - 1].pkt_type & ESCO_2EV3))
322 BT_DBG("hcon %p skipped attempt %d, eSCO 2M not supported",
323 conn, conn->attempt);
326 return conn->attempt <= size;
329 bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
331 struct hci_dev *hdev = conn->hdev;
332 struct hci_cp_setup_sync_conn cp;
333 const struct sco_param *param;
335 BT_DBG("hcon %p", conn);
337 conn->state = BT_CONNECT;
342 cp.handle = cpu_to_le16(handle);
344 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
345 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
346 cp.voice_setting = cpu_to_le16(conn->setting);
348 switch (conn->setting & SCO_AIRMODE_MASK) {
349 case SCO_AIRMODE_TRANSP:
350 if (!find_next_esco_param(conn, esco_param_msbc,
351 ARRAY_SIZE(esco_param_msbc)))
353 param = &esco_param_msbc[conn->attempt - 1];
355 case SCO_AIRMODE_CVSD:
356 if (lmp_esco_capable(conn->link)) {
357 if (!find_next_esco_param(conn, esco_param_cvsd,
358 ARRAY_SIZE(esco_param_cvsd)))
360 param = &esco_param_cvsd[conn->attempt - 1];
362 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
364 param = &sco_param_cvsd[conn->attempt - 1];
371 cp.retrans_effort = param->retrans_effort;
372 cp.pkt_type = __cpu_to_le16(param->pkt_type);
373 cp.max_latency = __cpu_to_le16(param->max_latency);
375 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
381 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
384 struct hci_dev *hdev = conn->hdev;
385 struct hci_conn_params *params;
386 struct hci_cp_le_conn_update cp;
390 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
392 params->conn_min_interval = min;
393 params->conn_max_interval = max;
394 params->conn_latency = latency;
395 params->supervision_timeout = to_multiplier;
398 hci_dev_unlock(hdev);
400 memset(&cp, 0, sizeof(cp));
401 cp.handle = cpu_to_le16(conn->handle);
402 cp.conn_interval_min = cpu_to_le16(min);
403 cp.conn_interval_max = cpu_to_le16(max);
404 cp.conn_latency = cpu_to_le16(latency);
405 cp.supervision_timeout = cpu_to_le16(to_multiplier);
406 cp.min_ce_len = cpu_to_le16(0x0000);
407 cp.max_ce_len = cpu_to_le16(0x0000);
409 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
417 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
418 __u8 ltk[16], __u8 key_size)
420 struct hci_dev *hdev = conn->hdev;
421 struct hci_cp_le_start_enc cp;
423 BT_DBG("hcon %p", conn);
425 memset(&cp, 0, sizeof(cp));
427 cp.handle = cpu_to_le16(conn->handle);
430 memcpy(cp.ltk, ltk, key_size);
432 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
435 /* Device _must_ be locked */
436 void hci_sco_setup(struct hci_conn *conn, __u8 status)
438 struct hci_conn *sco = conn->link;
443 BT_DBG("hcon %p", conn);
446 if (lmp_esco_capable(conn->hdev))
447 hci_setup_sync(sco, conn->handle);
449 hci_add_sco(sco, conn->handle);
451 hci_connect_cfm(sco, status);
456 static void hci_conn_timeout(struct work_struct *work)
458 struct hci_conn *conn = container_of(work, struct hci_conn,
460 int refcnt = atomic_read(&conn->refcnt);
462 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
466 /* FIXME: It was observed that in pairing failed scenario, refcnt
467 * drops below 0. Probably this is because l2cap_conn_del calls
468 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
469 * dropped. After that loop hci_chan_del is called which also drops
470 * conn. For now make sure that ACL is alive if refcnt is higher then 0,
476 /* LE connections in scanning state need special handling */
477 if (conn->state == BT_CONNECT && conn->type == LE_LINK &&
478 test_bit(HCI_CONN_SCANNING, &conn->flags)) {
479 hci_connect_le_scan_remove(conn);
483 hci_abort_conn(conn, hci_proto_disconn_ind(conn));
486 /* Enter sniff mode */
487 static void hci_conn_idle(struct work_struct *work)
489 struct hci_conn *conn = container_of(work, struct hci_conn,
491 struct hci_dev *hdev = conn->hdev;
493 BT_DBG("hcon %p mode %d", conn, conn->mode);
495 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
498 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
501 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
502 struct hci_cp_sniff_subrate cp;
503 cp.handle = cpu_to_le16(conn->handle);
504 cp.max_latency = cpu_to_le16(0);
505 cp.min_remote_timeout = cpu_to_le16(0);
506 cp.min_local_timeout = cpu_to_le16(0);
507 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
510 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
511 struct hci_cp_sniff_mode cp;
512 cp.handle = cpu_to_le16(conn->handle);
513 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
514 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
515 cp.attempt = cpu_to_le16(4);
516 cp.timeout = cpu_to_le16(1);
517 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
521 static void hci_conn_auto_accept(struct work_struct *work)
523 struct hci_conn *conn = container_of(work, struct hci_conn,
524 auto_accept_work.work);
526 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
530 static void le_disable_advertising(struct hci_dev *hdev)
532 if (ext_adv_capable(hdev)) {
533 struct hci_cp_le_set_ext_adv_enable cp;
536 cp.num_of_sets = 0x00;
538 hci_send_cmd(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE, sizeof(cp),
542 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
547 static void le_conn_timeout(struct work_struct *work)
549 struct hci_conn *conn = container_of(work, struct hci_conn,
550 le_conn_timeout.work);
551 struct hci_dev *hdev = conn->hdev;
555 /* We could end up here due to having done directed advertising,
556 * so clean up the state if necessary. This should however only
557 * happen with broken hardware or if low duty cycle was used
558 * (which doesn't have a timeout of its own).
560 if (conn->role == HCI_ROLE_SLAVE) {
561 /* Disable LE Advertising */
562 le_disable_advertising(hdev);
563 hci_le_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
567 hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
570 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
573 struct hci_conn *conn;
575 BT_DBG("%s dst %pMR", hdev->name, dst);
577 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
581 bacpy(&conn->dst, dst);
582 bacpy(&conn->src, &hdev->bdaddr);
586 conn->mode = HCI_CM_ACTIVE;
587 conn->state = BT_OPEN;
588 conn->auth_type = HCI_AT_GENERAL_BONDING;
589 conn->io_capability = hdev->io_capability;
590 conn->remote_auth = 0xff;
591 conn->key_type = 0xff;
592 conn->rssi = HCI_RSSI_INVALID;
593 conn->tx_power = HCI_TX_POWER_INVALID;
594 conn->max_tx_power = HCI_TX_POWER_INVALID;
596 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
597 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
599 /* Set Default Authenticated payload timeout to 30s */
600 conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
602 if (conn->role == HCI_ROLE_MASTER)
607 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
610 /* conn->src should reflect the local identity address */
611 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
614 if (lmp_esco_capable(hdev))
615 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
616 (hdev->esco_type & EDR_ESCO_MASK);
618 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
621 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
625 skb_queue_head_init(&conn->data_q);
627 INIT_LIST_HEAD(&conn->chan_list);
629 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
630 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
631 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
632 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
633 INIT_WORK(&conn->le_scan_cleanup, le_scan_cleanup);
635 atomic_set(&conn->refcnt, 0);
639 hci_conn_hash_add(hdev, conn);
641 /* The SCO and eSCO connections will only be notified when their
642 * setup has been completed. This is different to ACL links which
643 * can be notified right away.
645 if (conn->type != SCO_LINK && conn->type != ESCO_LINK) {
647 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
650 hci_conn_init_sysfs(conn);
655 int hci_conn_del(struct hci_conn *conn)
657 struct hci_dev *hdev = conn->hdev;
659 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
661 cancel_delayed_work_sync(&conn->disc_work);
662 cancel_delayed_work_sync(&conn->auto_accept_work);
663 cancel_delayed_work_sync(&conn->idle_work);
665 if (conn->type == ACL_LINK) {
666 struct hci_conn *sco = conn->link;
671 hdev->acl_cnt += conn->sent;
672 } else if (conn->type == LE_LINK) {
673 cancel_delayed_work(&conn->le_conn_timeout);
676 hdev->le_cnt += conn->sent;
678 hdev->acl_cnt += conn->sent;
680 struct hci_conn *acl = conn->link;
688 amp_mgr_put(conn->amp_mgr);
690 skb_queue_purge(&conn->data_q);
692 /* Remove the connection from the list and cleanup its remaining
693 * state. This is a separate function since for some cases like
694 * BT_CONNECT_SCAN we *only* want the cleanup part without the
695 * rest of hci_conn_del.
697 hci_conn_cleanup(conn);
702 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type)
704 int use_src = bacmp(src, BDADDR_ANY);
705 struct hci_dev *hdev = NULL, *d;
707 BT_DBG("%pMR -> %pMR", src, dst);
709 read_lock(&hci_dev_list_lock);
711 list_for_each_entry(d, &hci_dev_list, list) {
712 if (!test_bit(HCI_UP, &d->flags) ||
713 hci_dev_test_flag(d, HCI_USER_CHANNEL) ||
714 d->dev_type != HCI_PRIMARY)
718 * No source address - find interface with bdaddr != dst
719 * Source address - find interface with bdaddr == src
726 if (src_type == BDADDR_BREDR) {
727 if (!lmp_bredr_capable(d))
729 bacpy(&id_addr, &d->bdaddr);
730 id_addr_type = BDADDR_BREDR;
732 if (!lmp_le_capable(d))
735 hci_copy_identity_address(d, &id_addr,
738 /* Convert from HCI to three-value type */
739 if (id_addr_type == ADDR_LE_DEV_PUBLIC)
740 id_addr_type = BDADDR_LE_PUBLIC;
742 id_addr_type = BDADDR_LE_RANDOM;
745 if (!bacmp(&id_addr, src) && id_addr_type == src_type) {
749 if (bacmp(&d->bdaddr, dst)) {
756 hdev = hci_dev_hold(hdev);
758 read_unlock(&hci_dev_list_lock);
761 EXPORT_SYMBOL(hci_get_route);
763 /* This function requires the caller holds hdev->lock */
764 void hci_le_conn_failed(struct hci_conn *conn, u8 status)
766 struct hci_dev *hdev = conn->hdev;
767 struct hci_conn_params *params;
769 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
771 if (params && params->conn) {
772 hci_conn_drop(params->conn);
773 hci_conn_put(params->conn);
777 conn->state = BT_CLOSED;
779 /* If the status indicates successful cancellation of
780 * the attempt (i.e. Unknown Connection Id) there's no point of
781 * notifying failure since we'll go back to keep trying to
782 * connect. The only exception is explicit connect requests
783 * where a timeout + cancel does indicate an actual failure.
785 if (status != HCI_ERROR_UNKNOWN_CONN_ID ||
786 (params && params->explicit_connect))
787 mgmt_connect_failed(hdev, &conn->dst, conn->type,
788 conn->dst_type, status);
790 hci_connect_cfm(conn, status);
794 /* The suspend notifier is waiting for all devices to disconnect and an
795 * LE connect cancel will result in an hci_le_conn_failed. Once the last
796 * connection is deleted, we should also wake the suspend queue to
797 * complete suspend operations.
799 if (list_empty(&hdev->conn_hash.list) &&
800 test_and_clear_bit(SUSPEND_DISCONNECTING, hdev->suspend_tasks)) {
801 wake_up(&hdev->suspend_wait_q);
804 /* Since we may have temporarily stopped the background scanning in
805 * favor of connection establishment, we should restart it.
807 hci_update_background_scan(hdev);
809 /* Re-enable advertising in case this was a failed connection
810 * attempt as a peripheral.
812 hci_req_reenable_advertising(hdev);
815 static void create_le_conn_complete(struct hci_dev *hdev, u8 status, u16 opcode)
817 struct hci_conn *conn;
821 conn = hci_lookup_le_connect(hdev);
823 if (hdev->adv_instance_cnt)
824 hci_req_resume_adv_instances(hdev);
827 hci_connect_le_scan_cleanup(conn);
831 bt_dev_err(hdev, "request failed to create LE connection: "
832 "status 0x%2.2x", status);
837 hci_le_conn_failed(conn, status);
840 hci_dev_unlock(hdev);
843 static bool conn_use_rpa(struct hci_conn *conn)
845 struct hci_dev *hdev = conn->hdev;
847 return hci_dev_test_flag(hdev, HCI_PRIVACY);
850 static void set_ext_conn_params(struct hci_conn *conn,
851 struct hci_cp_le_ext_conn_param *p)
853 struct hci_dev *hdev = conn->hdev;
855 memset(p, 0, sizeof(*p));
857 p->scan_interval = cpu_to_le16(hdev->le_scan_int_connect);
858 p->scan_window = cpu_to_le16(hdev->le_scan_window_connect);
859 p->conn_interval_min = cpu_to_le16(conn->le_conn_min_interval);
860 p->conn_interval_max = cpu_to_le16(conn->le_conn_max_interval);
861 p->conn_latency = cpu_to_le16(conn->le_conn_latency);
862 p->supervision_timeout = cpu_to_le16(conn->le_supv_timeout);
863 p->min_ce_len = cpu_to_le16(0x0000);
864 p->max_ce_len = cpu_to_le16(0x0000);
867 static void hci_req_add_le_create_conn(struct hci_request *req,
868 struct hci_conn *conn,
869 bdaddr_t *direct_rpa)
871 struct hci_dev *hdev = conn->hdev;
874 /* If direct address was provided we use it instead of current
878 if (bacmp(&req->hdev->random_addr, direct_rpa))
879 hci_req_add(req, HCI_OP_LE_SET_RANDOM_ADDR, 6,
882 /* direct address is always RPA */
883 own_addr_type = ADDR_LE_DEV_RANDOM;
885 /* Update random address, but set require_privacy to false so
886 * that we never connect with an non-resolvable address.
888 if (hci_update_random_address(req, false, conn_use_rpa(conn),
893 if (use_ext_conn(hdev)) {
894 struct hci_cp_le_ext_create_conn *cp;
895 struct hci_cp_le_ext_conn_param *p;
896 u8 data[sizeof(*cp) + sizeof(*p) * 3];
900 p = (void *) cp->data;
902 memset(cp, 0, sizeof(*cp));
904 bacpy(&cp->peer_addr, &conn->dst);
905 cp->peer_addr_type = conn->dst_type;
906 cp->own_addr_type = own_addr_type;
911 cp->phys |= LE_SCAN_PHY_1M;
912 set_ext_conn_params(conn, p);
919 cp->phys |= LE_SCAN_PHY_2M;
920 set_ext_conn_params(conn, p);
926 if (scan_coded(hdev)) {
927 cp->phys |= LE_SCAN_PHY_CODED;
928 set_ext_conn_params(conn, p);
933 hci_req_add(req, HCI_OP_LE_EXT_CREATE_CONN, plen, data);
936 struct hci_cp_le_create_conn cp;
938 memset(&cp, 0, sizeof(cp));
940 cp.scan_interval = cpu_to_le16(hdev->le_scan_int_connect);
941 cp.scan_window = cpu_to_le16(hdev->le_scan_window_connect);
943 bacpy(&cp.peer_addr, &conn->dst);
944 cp.peer_addr_type = conn->dst_type;
945 cp.own_address_type = own_addr_type;
946 cp.conn_interval_min = cpu_to_le16(conn->le_conn_min_interval);
947 cp.conn_interval_max = cpu_to_le16(conn->le_conn_max_interval);
948 cp.conn_latency = cpu_to_le16(conn->le_conn_latency);
949 cp.supervision_timeout = cpu_to_le16(conn->le_supv_timeout);
950 cp.min_ce_len = cpu_to_le16(0x0000);
951 cp.max_ce_len = cpu_to_le16(0x0000);
953 hci_req_add(req, HCI_OP_LE_CREATE_CONN, sizeof(cp), &cp);
956 conn->state = BT_CONNECT;
957 clear_bit(HCI_CONN_SCANNING, &conn->flags);
960 static void hci_req_directed_advertising(struct hci_request *req,
961 struct hci_conn *conn)
963 struct hci_dev *hdev = req->hdev;
967 if (ext_adv_capable(hdev)) {
968 struct hci_cp_le_set_ext_adv_params cp;
969 bdaddr_t random_addr;
971 /* Set require_privacy to false so that the remote device has a
972 * chance of identifying us.
974 if (hci_get_random_address(hdev, false, conn_use_rpa(conn), NULL,
975 &own_addr_type, &random_addr) < 0)
978 memset(&cp, 0, sizeof(cp));
980 cp.evt_properties = cpu_to_le16(LE_LEGACY_ADV_DIRECT_IND);
981 cp.own_addr_type = own_addr_type;
982 cp.channel_map = hdev->le_adv_channel_map;
983 cp.tx_power = HCI_TX_POWER_INVALID;
984 cp.primary_phy = HCI_ADV_PHY_1M;
985 cp.secondary_phy = HCI_ADV_PHY_1M;
986 cp.handle = 0; /* Use instance 0 for directed adv */
987 cp.own_addr_type = own_addr_type;
988 cp.peer_addr_type = conn->dst_type;
989 bacpy(&cp.peer_addr, &conn->dst);
991 /* As per Core Spec 5.2 Vol 2, PART E, Sec 7.8.53, for
992 * advertising_event_property LE_LEGACY_ADV_DIRECT_IND
993 * does not supports advertising data when the advertising set already
994 * contains some, the controller shall return erroc code 'Invalid
995 * HCI Command Parameters(0x12).
996 * So it is required to remove adv set for handle 0x00. since we use
997 * instance 0 for directed adv.
999 __hci_req_remove_ext_adv_instance(req, cp.handle);
1001 hci_req_add(req, HCI_OP_LE_SET_EXT_ADV_PARAMS, sizeof(cp), &cp);
1003 if (own_addr_type == ADDR_LE_DEV_RANDOM &&
1004 bacmp(&random_addr, BDADDR_ANY) &&
1005 bacmp(&random_addr, &hdev->random_addr)) {
1006 struct hci_cp_le_set_adv_set_rand_addr cp;
1008 memset(&cp, 0, sizeof(cp));
1011 bacpy(&cp.bdaddr, &random_addr);
1014 HCI_OP_LE_SET_ADV_SET_RAND_ADDR,
1018 __hci_req_enable_ext_advertising(req, 0x00);
1020 struct hci_cp_le_set_adv_param cp;
1022 /* Clear the HCI_LE_ADV bit temporarily so that the
1023 * hci_update_random_address knows that it's safe to go ahead
1024 * and write a new random address. The flag will be set back on
1025 * as soon as the SET_ADV_ENABLE HCI command completes.
1027 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1029 /* Set require_privacy to false so that the remote device has a
1030 * chance of identifying us.
1032 if (hci_update_random_address(req, false, conn_use_rpa(conn),
1033 &own_addr_type) < 0)
1036 memset(&cp, 0, sizeof(cp));
1038 /* Some controllers might reject command if intervals are not
1039 * within range for undirected advertising.
1040 * BCM20702A0 is known to be affected by this.
1042 cp.min_interval = cpu_to_le16(0x0020);
1043 cp.max_interval = cpu_to_le16(0x0020);
1045 cp.type = LE_ADV_DIRECT_IND;
1046 cp.own_address_type = own_addr_type;
1047 cp.direct_addr_type = conn->dst_type;
1048 bacpy(&cp.direct_addr, &conn->dst);
1049 cp.channel_map = hdev->le_adv_channel_map;
1051 hci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp);
1054 hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
1058 conn->state = BT_CONNECT;
1061 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
1062 u8 dst_type, u8 sec_level, u16 conn_timeout,
1063 u8 role, bdaddr_t *direct_rpa)
1065 struct hci_conn_params *params;
1066 struct hci_conn *conn;
1067 struct smp_irk *irk;
1068 struct hci_request req;
1071 /* This ensures that during disable le_scan address resolution
1072 * will not be disabled if it is followed by le_create_conn
1074 bool rpa_le_conn = true;
1076 /* Let's make sure that le is enabled.*/
1077 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1078 if (lmp_le_capable(hdev))
1079 return ERR_PTR(-ECONNREFUSED);
1081 return ERR_PTR(-EOPNOTSUPP);
1084 /* Since the controller supports only one LE connection attempt at a
1085 * time, we return -EBUSY if there is any connection attempt running.
1087 if (hci_lookup_le_connect(hdev))
1088 return ERR_PTR(-EBUSY);
1090 /* If there's already a connection object but it's not in
1091 * scanning state it means it must already be established, in
1092 * which case we can't do anything else except report a failure
1095 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1096 if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) {
1097 return ERR_PTR(-EBUSY);
1100 /* When given an identity address with existing identity
1101 * resolving key, the connection needs to be established
1102 * to a resolvable random address.
1104 * Storing the resolvable random address is required here
1105 * to handle connection failures. The address will later
1106 * be resolved back into the original identity address
1107 * from the connect request.
1109 irk = hci_find_irk_by_addr(hdev, dst, dst_type);
1110 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
1112 dst_type = ADDR_LE_DEV_RANDOM;
1116 bacpy(&conn->dst, dst);
1118 conn = hci_conn_add(hdev, LE_LINK, dst, role);
1120 return ERR_PTR(-ENOMEM);
1121 hci_conn_hold(conn);
1122 conn->pending_sec_level = sec_level;
1125 conn->dst_type = dst_type;
1126 conn->sec_level = BT_SECURITY_LOW;
1127 conn->conn_timeout = conn_timeout;
1129 hci_req_init(&req, hdev);
1131 /* Disable advertising if we're active. For central role
1132 * connections most controllers will refuse to connect if
1133 * advertising is enabled, and for peripheral role connections we
1134 * anyway have to disable it in order to start directed
1135 * advertising. Any registered advertisements will be
1136 * re-enabled after the connection attempt is finished.
1138 if (hci_dev_test_flag(hdev, HCI_LE_ADV))
1139 __hci_req_pause_adv_instances(&req);
1141 /* If requested to connect as peripheral use directed advertising */
1142 if (conn->role == HCI_ROLE_SLAVE) {
1143 /* If we're active scanning most controllers are unable
1144 * to initiate advertising. Simply reject the attempt.
1146 if (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
1147 hdev->le_scan_type == LE_SCAN_ACTIVE) {
1148 hci_req_purge(&req);
1150 return ERR_PTR(-EBUSY);
1153 hci_req_directed_advertising(&req, conn);
1157 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
1159 conn->le_conn_min_interval = params->conn_min_interval;
1160 conn->le_conn_max_interval = params->conn_max_interval;
1161 conn->le_conn_latency = params->conn_latency;
1162 conn->le_supv_timeout = params->supervision_timeout;
1164 conn->le_conn_min_interval = hdev->le_conn_min_interval;
1165 conn->le_conn_max_interval = hdev->le_conn_max_interval;
1166 conn->le_conn_latency = hdev->le_conn_latency;
1167 conn->le_supv_timeout = hdev->le_supv_timeout;
1170 /* If controller is scanning, we stop it since some controllers are
1171 * not able to scan and connect at the same time. Also set the
1172 * HCI_LE_SCAN_INTERRUPTED flag so that the command complete
1173 * handler for scan disabling knows to set the correct discovery
1176 if (hci_dev_test_flag(hdev, HCI_LE_SCAN)) {
1177 hci_req_add_le_scan_disable(&req, rpa_le_conn);
1178 hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED);
1181 hci_req_add_le_create_conn(&req, conn, direct_rpa);
1184 err = hci_req_run(&req, create_le_conn_complete);
1188 if (hdev->adv_instance_cnt)
1189 hci_req_resume_adv_instances(hdev);
1191 return ERR_PTR(err);
1197 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
1199 struct hci_conn *conn;
1201 conn = hci_conn_hash_lookup_le(hdev, addr, type);
1205 if (conn->state != BT_CONNECTED)
1211 /* This function requires the caller holds hdev->lock */
1212 static int hci_explicit_conn_params_set(struct hci_dev *hdev,
1213 bdaddr_t *addr, u8 addr_type)
1215 struct hci_conn_params *params;
1217 if (is_connected(hdev, addr, addr_type))
1220 params = hci_conn_params_lookup(hdev, addr, addr_type);
1222 params = hci_conn_params_add(hdev, addr, addr_type);
1226 /* If we created new params, mark them to be deleted in
1227 * hci_connect_le_scan_cleanup. It's different case than
1228 * existing disabled params, those will stay after cleanup.
1230 params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
1233 /* We're trying to connect, so make sure params are at pend_le_conns */
1234 if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
1235 params->auto_connect == HCI_AUTO_CONN_REPORT ||
1236 params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
1237 list_del_init(¶ms->action);
1238 list_add(¶ms->action, &hdev->pend_le_conns);
1241 params->explicit_connect = true;
1243 BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
1244 params->auto_connect);
1249 /* This function requires the caller holds hdev->lock */
1250 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
1251 u8 dst_type, u8 sec_level,
1253 enum conn_reasons conn_reason)
1255 struct hci_conn *conn;
1257 /* Let's make sure that le is enabled.*/
1258 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1259 if (lmp_le_capable(hdev))
1260 return ERR_PTR(-ECONNREFUSED);
1262 return ERR_PTR(-EOPNOTSUPP);
1265 /* Some devices send ATT messages as soon as the physical link is
1266 * established. To be able to handle these ATT messages, the user-
1267 * space first establishes the connection and then starts the pairing
1270 * So if a hci_conn object already exists for the following connection
1271 * attempt, we simply update pending_sec_level and auth_type fields
1272 * and return the object found.
1274 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1276 if (conn->pending_sec_level < sec_level)
1277 conn->pending_sec_level = sec_level;
1281 BT_DBG("requesting refresh of dst_addr");
1283 conn = hci_conn_add(hdev, LE_LINK, dst, HCI_ROLE_MASTER);
1285 return ERR_PTR(-ENOMEM);
1287 if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) {
1289 return ERR_PTR(-EBUSY);
1292 conn->state = BT_CONNECT;
1293 set_bit(HCI_CONN_SCANNING, &conn->flags);
1294 conn->dst_type = dst_type;
1295 conn->sec_level = BT_SECURITY_LOW;
1296 conn->pending_sec_level = sec_level;
1297 conn->conn_timeout = conn_timeout;
1298 conn->conn_reason = conn_reason;
1300 hci_update_background_scan(hdev);
1303 hci_conn_hold(conn);
1307 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
1308 u8 sec_level, u8 auth_type,
1309 enum conn_reasons conn_reason)
1311 struct hci_conn *acl;
1313 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1314 if (lmp_bredr_capable(hdev))
1315 return ERR_PTR(-ECONNREFUSED);
1317 return ERR_PTR(-EOPNOTSUPP);
1320 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
1322 acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
1324 return ERR_PTR(-ENOMEM);
1329 acl->conn_reason = conn_reason;
1330 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
1331 acl->sec_level = BT_SECURITY_LOW;
1332 acl->pending_sec_level = sec_level;
1333 acl->auth_type = auth_type;
1334 hci_acl_create_connection(acl);
1340 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
1343 struct hci_conn *acl;
1344 struct hci_conn *sco;
1346 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING,
1347 CONN_REASON_SCO_CONNECT);
1351 sco = hci_conn_hash_lookup_ba(hdev, type, dst);
1353 sco = hci_conn_add(hdev, type, dst, HCI_ROLE_MASTER);
1356 return ERR_PTR(-ENOMEM);
1365 sco->setting = setting;
1367 if (acl->state == BT_CONNECTED &&
1368 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
1369 set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
1370 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
1372 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
1373 /* defer SCO setup until mode change completed */
1374 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
1378 hci_sco_setup(acl, 0x00);
1384 /* Check link security requirement */
1385 int hci_conn_check_link_mode(struct hci_conn *conn)
1387 BT_DBG("hcon %p", conn);
1389 /* In Secure Connections Only mode, it is required that Secure
1390 * Connections is used and the link is encrypted with AES-CCM
1391 * using a P-256 authenticated combination key.
1393 if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) {
1394 if (!hci_conn_sc_enabled(conn) ||
1395 !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
1396 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
1400 /* AES encryption is required for Level 4:
1402 * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C
1405 * 128-bit equivalent strength for link and encryption keys
1406 * required using FIPS approved algorithms (E0 not allowed,
1407 * SAFER+ not allowed, and P-192 not allowed; encryption key
1410 if (conn->sec_level == BT_SECURITY_FIPS &&
1411 !test_bit(HCI_CONN_AES_CCM, &conn->flags)) {
1412 bt_dev_err(conn->hdev,
1413 "Invalid security: Missing AES-CCM usage");
1417 if (hci_conn_ssp_enabled(conn) &&
1418 !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1424 /* Authenticate remote device */
1425 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
1427 BT_DBG("hcon %p", conn);
1429 if (conn->pending_sec_level > sec_level)
1430 sec_level = conn->pending_sec_level;
1432 if (sec_level > conn->sec_level)
1433 conn->pending_sec_level = sec_level;
1434 else if (test_bit(HCI_CONN_AUTH, &conn->flags))
1437 /* Make sure we preserve an existing MITM requirement*/
1438 auth_type |= (conn->auth_type & 0x01);
1440 conn->auth_type = auth_type;
1442 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1443 struct hci_cp_auth_requested cp;
1445 cp.handle = cpu_to_le16(conn->handle);
1446 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
1449 /* If we're already encrypted set the REAUTH_PEND flag,
1450 * otherwise set the ENCRYPT_PEND.
1452 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1453 set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
1455 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
1461 /* Encrypt the link */
1462 static void hci_conn_encrypt(struct hci_conn *conn)
1464 BT_DBG("hcon %p", conn);
1466 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
1467 struct hci_cp_set_conn_encrypt cp;
1468 cp.handle = cpu_to_le16(conn->handle);
1470 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
1475 /* Enable security */
1476 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
1479 BT_DBG("hcon %p", conn);
1481 if (conn->type == LE_LINK)
1482 return smp_conn_security(conn, sec_level);
1484 /* For sdp we don't need the link key. */
1485 if (sec_level == BT_SECURITY_SDP)
1488 /* For non 2.1 devices and low security level we don't need the link
1490 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
1493 /* For other security levels we need the link key. */
1494 if (!test_bit(HCI_CONN_AUTH, &conn->flags))
1497 /* An authenticated FIPS approved combination key has sufficient
1498 * security for security level 4. */
1499 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 &&
1500 sec_level == BT_SECURITY_FIPS)
1503 /* An authenticated combination key has sufficient security for
1504 security level 3. */
1505 if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 ||
1506 conn->key_type == HCI_LK_AUTH_COMBINATION_P256) &&
1507 sec_level == BT_SECURITY_HIGH)
1510 /* An unauthenticated combination key has sufficient security for
1511 security level 1 and 2. */
1512 if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 ||
1513 conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) &&
1514 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW))
1517 /* A combination key has always sufficient security for the security
1518 levels 1 or 2. High security level requires the combination key
1519 is generated using maximum PIN code length (16).
1520 For pre 2.1 units. */
1521 if (conn->key_type == HCI_LK_COMBINATION &&
1522 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW ||
1523 conn->pin_length == 16))
1527 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
1531 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1533 if (!hci_conn_auth(conn, sec_level, auth_type))
1537 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) {
1538 /* Ensure that the encryption key size has been read,
1539 * otherwise stall the upper layer responses.
1541 if (!conn->enc_key_size)
1544 /* Nothing else needed, all requirements are met */
1548 hci_conn_encrypt(conn);
1551 EXPORT_SYMBOL(hci_conn_security);
1553 /* Check secure link requirement */
1554 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
1556 BT_DBG("hcon %p", conn);
1558 /* Accept if non-secure or higher security level is required */
1559 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
1562 /* Accept if secure or higher security level is already present */
1563 if (conn->sec_level == BT_SECURITY_HIGH ||
1564 conn->sec_level == BT_SECURITY_FIPS)
1567 /* Reject not secure link */
1570 EXPORT_SYMBOL(hci_conn_check_secure);
1573 int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
1575 BT_DBG("hcon %p", conn);
1577 if (role == conn->role)
1580 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
1581 struct hci_cp_switch_role cp;
1582 bacpy(&cp.bdaddr, &conn->dst);
1584 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
1589 EXPORT_SYMBOL(hci_conn_switch_role);
1591 /* Enter active mode */
1592 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
1594 struct hci_dev *hdev = conn->hdev;
1596 BT_DBG("hcon %p mode %d", conn, conn->mode);
1598 if (conn->mode != HCI_CM_SNIFF)
1601 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
1604 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
1605 struct hci_cp_exit_sniff_mode cp;
1606 cp.handle = cpu_to_le16(conn->handle);
1607 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
1611 if (hdev->idle_timeout > 0)
1612 queue_delayed_work(hdev->workqueue, &conn->idle_work,
1613 msecs_to_jiffies(hdev->idle_timeout));
1616 /* Drop all connection on the device */
1617 void hci_conn_hash_flush(struct hci_dev *hdev)
1619 struct hci_conn_hash *h = &hdev->conn_hash;
1620 struct hci_conn *c, *n;
1622 BT_DBG("hdev %s", hdev->name);
1624 list_for_each_entry_safe(c, n, &h->list, list) {
1625 c->state = BT_CLOSED;
1627 hci_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM);
1632 /* Check pending connect attempts */
1633 void hci_conn_check_pending(struct hci_dev *hdev)
1635 struct hci_conn *conn;
1637 BT_DBG("hdev %s", hdev->name);
1641 conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2);
1643 hci_acl_create_connection(conn);
1645 hci_dev_unlock(hdev);
1648 static u32 get_link_mode(struct hci_conn *conn)
1652 if (conn->role == HCI_ROLE_MASTER)
1653 link_mode |= HCI_LM_MASTER;
1655 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1656 link_mode |= HCI_LM_ENCRYPT;
1658 if (test_bit(HCI_CONN_AUTH, &conn->flags))
1659 link_mode |= HCI_LM_AUTH;
1661 if (test_bit(HCI_CONN_SECURE, &conn->flags))
1662 link_mode |= HCI_LM_SECURE;
1664 if (test_bit(HCI_CONN_FIPS, &conn->flags))
1665 link_mode |= HCI_LM_FIPS;
1670 int hci_get_conn_list(void __user *arg)
1673 struct hci_conn_list_req req, *cl;
1674 struct hci_conn_info *ci;
1675 struct hci_dev *hdev;
1676 int n = 0, size, err;
1678 if (copy_from_user(&req, arg, sizeof(req)))
1681 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
1684 size = sizeof(req) + req.conn_num * sizeof(*ci);
1686 cl = kmalloc(size, GFP_KERNEL);
1690 hdev = hci_dev_get(req.dev_id);
1699 list_for_each_entry(c, &hdev->conn_hash.list, list) {
1700 bacpy(&(ci + n)->bdaddr, &c->dst);
1701 (ci + n)->handle = c->handle;
1702 (ci + n)->type = c->type;
1703 (ci + n)->out = c->out;
1704 (ci + n)->state = c->state;
1705 (ci + n)->link_mode = get_link_mode(c);
1706 if (++n >= req.conn_num)
1709 hci_dev_unlock(hdev);
1711 cl->dev_id = hdev->id;
1713 size = sizeof(req) + n * sizeof(*ci);
1717 err = copy_to_user(arg, cl, size);
1720 return err ? -EFAULT : 0;
1723 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
1725 struct hci_conn_info_req req;
1726 struct hci_conn_info ci;
1727 struct hci_conn *conn;
1728 char __user *ptr = arg + sizeof(req);
1730 if (copy_from_user(&req, arg, sizeof(req)))
1734 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
1736 bacpy(&ci.bdaddr, &conn->dst);
1737 ci.handle = conn->handle;
1738 ci.type = conn->type;
1740 ci.state = conn->state;
1741 ci.link_mode = get_link_mode(conn);
1743 hci_dev_unlock(hdev);
1748 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
1751 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
1753 struct hci_auth_info_req req;
1754 struct hci_conn *conn;
1756 if (copy_from_user(&req, arg, sizeof(req)))
1760 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
1762 req.type = conn->auth_type;
1763 hci_dev_unlock(hdev);
1768 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
1771 struct hci_chan *hci_chan_create(struct hci_conn *conn)
1773 struct hci_dev *hdev = conn->hdev;
1774 struct hci_chan *chan;
1776 BT_DBG("%s hcon %p", hdev->name, conn);
1778 if (test_bit(HCI_CONN_DROP, &conn->flags)) {
1779 BT_DBG("Refusing to create new hci_chan");
1783 chan = kzalloc(sizeof(*chan), GFP_KERNEL);
1787 chan->conn = hci_conn_get(conn);
1788 skb_queue_head_init(&chan->data_q);
1789 chan->state = BT_CONNECTED;
1791 list_add_rcu(&chan->list, &conn->chan_list);
1796 void hci_chan_del(struct hci_chan *chan)
1798 struct hci_conn *conn = chan->conn;
1799 struct hci_dev *hdev = conn->hdev;
1801 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
1803 list_del_rcu(&chan->list);
1807 /* Prevent new hci_chan's to be created for this hci_conn */
1808 set_bit(HCI_CONN_DROP, &conn->flags);
1812 skb_queue_purge(&chan->data_q);
1816 void hci_chan_list_flush(struct hci_conn *conn)
1818 struct hci_chan *chan, *n;
1820 BT_DBG("hcon %p", conn);
1822 list_for_each_entry_safe(chan, n, &conn->chan_list, list)
1826 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
1829 struct hci_chan *hchan;
1831 list_for_each_entry(hchan, &hcon->chan_list, list) {
1832 if (hchan->handle == handle)
1839 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
1841 struct hci_conn_hash *h = &hdev->conn_hash;
1842 struct hci_conn *hcon;
1843 struct hci_chan *hchan = NULL;
1847 list_for_each_entry_rcu(hcon, &h->list, list) {
1848 hchan = __hci_chan_lookup_handle(hcon, handle);
1858 u32 hci_conn_get_phy(struct hci_conn *conn)
1862 /* BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part B page 471:
1863 * Table 6.2: Packets defined for synchronous, asynchronous, and
1864 * CPB logical transport types.
1866 switch (conn->type) {
1868 /* SCO logical transport (1 Mb/s):
1869 * HV1, HV2, HV3 and DV.
1871 phys |= BT_PHY_BR_1M_1SLOT;
1876 /* ACL logical transport (1 Mb/s) ptt=0:
1877 * DH1, DM3, DH3, DM5 and DH5.
1879 phys |= BT_PHY_BR_1M_1SLOT;
1881 if (conn->pkt_type & (HCI_DM3 | HCI_DH3))
1882 phys |= BT_PHY_BR_1M_3SLOT;
1884 if (conn->pkt_type & (HCI_DM5 | HCI_DH5))
1885 phys |= BT_PHY_BR_1M_5SLOT;
1887 /* ACL logical transport (2 Mb/s) ptt=1:
1888 * 2-DH1, 2-DH3 and 2-DH5.
1890 if (!(conn->pkt_type & HCI_2DH1))
1891 phys |= BT_PHY_EDR_2M_1SLOT;
1893 if (!(conn->pkt_type & HCI_2DH3))
1894 phys |= BT_PHY_EDR_2M_3SLOT;
1896 if (!(conn->pkt_type & HCI_2DH5))
1897 phys |= BT_PHY_EDR_2M_5SLOT;
1899 /* ACL logical transport (3 Mb/s) ptt=1:
1900 * 3-DH1, 3-DH3 and 3-DH5.
1902 if (!(conn->pkt_type & HCI_3DH1))
1903 phys |= BT_PHY_EDR_3M_1SLOT;
1905 if (!(conn->pkt_type & HCI_3DH3))
1906 phys |= BT_PHY_EDR_3M_3SLOT;
1908 if (!(conn->pkt_type & HCI_3DH5))
1909 phys |= BT_PHY_EDR_3M_5SLOT;
1914 /* eSCO logical transport (1 Mb/s): EV3, EV4 and EV5 */
1915 phys |= BT_PHY_BR_1M_1SLOT;
1917 if (!(conn->pkt_type & (ESCO_EV4 | ESCO_EV5)))
1918 phys |= BT_PHY_BR_1M_3SLOT;
1920 /* eSCO logical transport (2 Mb/s): 2-EV3, 2-EV5 */
1921 if (!(conn->pkt_type & ESCO_2EV3))
1922 phys |= BT_PHY_EDR_2M_1SLOT;
1924 if (!(conn->pkt_type & ESCO_2EV5))
1925 phys |= BT_PHY_EDR_2M_3SLOT;
1927 /* eSCO logical transport (3 Mb/s): 3-EV3, 3-EV5 */
1928 if (!(conn->pkt_type & ESCO_3EV3))
1929 phys |= BT_PHY_EDR_3M_1SLOT;
1931 if (!(conn->pkt_type & ESCO_3EV5))
1932 phys |= BT_PHY_EDR_3M_3SLOT;
1937 if (conn->le_tx_phy & HCI_LE_SET_PHY_1M)
1938 phys |= BT_PHY_LE_1M_TX;
1940 if (conn->le_rx_phy & HCI_LE_SET_PHY_1M)
1941 phys |= BT_PHY_LE_1M_RX;
1943 if (conn->le_tx_phy & HCI_LE_SET_PHY_2M)
1944 phys |= BT_PHY_LE_2M_TX;
1946 if (conn->le_rx_phy & HCI_LE_SET_PHY_2M)
1947 phys |= BT_PHY_LE_2M_RX;
1949 if (conn->le_tx_phy & HCI_LE_SET_PHY_CODED)
1950 phys |= BT_PHY_LE_CODED_TX;
1952 if (conn->le_rx_phy & HCI_LE_SET_PHY_CODED)
1953 phys |= BT_PHY_LE_CODED_RX;