2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI connection handling. */
27 #include <linux/export.h>
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/l2cap.h>
41 static const struct sco_param sco_param_cvsd
[] = {
42 { EDR_ESCO_MASK
& ~ESCO_2EV3
, 0x000a }, /* S3 */
43 { EDR_ESCO_MASK
& ~ESCO_2EV3
, 0x0007 }, /* S2 */
44 { EDR_ESCO_MASK
| ESCO_EV3
, 0x0007 }, /* S1 */
45 { EDR_ESCO_MASK
| ESCO_HV3
, 0xffff }, /* D1 */
46 { EDR_ESCO_MASK
| ESCO_HV1
, 0xffff }, /* D0 */
49 static const struct sco_param sco_param_wideband
[] = {
50 { EDR_ESCO_MASK
& ~ESCO_2EV3
, 0x000d }, /* T2 */
51 { EDR_ESCO_MASK
| ESCO_EV3
, 0x0008 }, /* T1 */
54 static void hci_le_create_connection_cancel(struct hci_conn
*conn
)
56 hci_send_cmd(conn
->hdev
, HCI_OP_LE_CREATE_CONN_CANCEL
, 0, NULL
);
59 static void hci_acl_create_connection(struct hci_conn
*conn
)
61 struct hci_dev
*hdev
= conn
->hdev
;
62 struct inquiry_entry
*ie
;
63 struct hci_cp_create_conn cp
;
65 BT_DBG("hcon %p", conn
);
67 conn
->state
= BT_CONNECT
;
69 conn
->role
= HCI_ROLE_MASTER
;
73 conn
->link_policy
= hdev
->link_policy
;
75 memset(&cp
, 0, sizeof(cp
));
76 bacpy(&cp
.bdaddr
, &conn
->dst
);
77 cp
.pscan_rep_mode
= 0x02;
79 ie
= hci_inquiry_cache_lookup(hdev
, &conn
->dst
);
81 if (inquiry_entry_age(ie
) <= INQUIRY_ENTRY_AGE_MAX
) {
82 cp
.pscan_rep_mode
= ie
->data
.pscan_rep_mode
;
83 cp
.pscan_mode
= ie
->data
.pscan_mode
;
84 cp
.clock_offset
= ie
->data
.clock_offset
|
88 memcpy(conn
->dev_class
, ie
->data
.dev_class
, 3);
89 if (ie
->data
.ssp_mode
> 0)
90 set_bit(HCI_CONN_SSP_ENABLED
, &conn
->flags
);
93 cp
.pkt_type
= cpu_to_le16(conn
->pkt_type
);
94 if (lmp_rswitch_capable(hdev
) && !(hdev
->link_mode
& HCI_LM_MASTER
))
95 cp
.role_switch
= 0x01;
97 cp
.role_switch
= 0x00;
99 hci_send_cmd(hdev
, HCI_OP_CREATE_CONN
, sizeof(cp
), &cp
);
102 static void hci_acl_create_connection_cancel(struct hci_conn
*conn
)
104 struct hci_cp_create_conn_cancel cp
;
106 BT_DBG("hcon %p", conn
);
108 if (conn
->hdev
->hci_ver
< BLUETOOTH_VER_1_2
)
111 bacpy(&cp
.bdaddr
, &conn
->dst
);
112 hci_send_cmd(conn
->hdev
, HCI_OP_CREATE_CONN_CANCEL
, sizeof(cp
), &cp
);
115 static void hci_reject_sco(struct hci_conn
*conn
)
117 struct hci_cp_reject_sync_conn_req cp
;
119 cp
.reason
= HCI_ERROR_REMOTE_USER_TERM
;
120 bacpy(&cp
.bdaddr
, &conn
->dst
);
122 hci_send_cmd(conn
->hdev
, HCI_OP_REJECT_SYNC_CONN_REQ
, sizeof(cp
), &cp
);
125 void hci_disconnect(struct hci_conn
*conn
, __u8 reason
)
127 struct hci_cp_disconnect cp
;
129 BT_DBG("hcon %p", conn
);
131 conn
->state
= BT_DISCONN
;
133 cp
.handle
= cpu_to_le16(conn
->handle
);
135 hci_send_cmd(conn
->hdev
, HCI_OP_DISCONNECT
, sizeof(cp
), &cp
);
138 static void hci_amp_disconn(struct hci_conn
*conn
)
140 struct hci_cp_disconn_phy_link cp
;
142 BT_DBG("hcon %p", conn
);
144 conn
->state
= BT_DISCONN
;
146 cp
.phy_handle
= HCI_PHY_HANDLE(conn
->handle
);
147 cp
.reason
= hci_proto_disconn_ind(conn
);
148 hci_send_cmd(conn
->hdev
, HCI_OP_DISCONN_PHY_LINK
,
152 static void hci_add_sco(struct hci_conn
*conn
, __u16 handle
)
154 struct hci_dev
*hdev
= conn
->hdev
;
155 struct hci_cp_add_sco cp
;
157 BT_DBG("hcon %p", conn
);
159 conn
->state
= BT_CONNECT
;
164 cp
.handle
= cpu_to_le16(handle
);
165 cp
.pkt_type
= cpu_to_le16(conn
->pkt_type
);
167 hci_send_cmd(hdev
, HCI_OP_ADD_SCO
, sizeof(cp
), &cp
);
170 bool hci_setup_sync(struct hci_conn
*conn
, __u16 handle
)
172 struct hci_dev
*hdev
= conn
->hdev
;
173 struct hci_cp_setup_sync_conn cp
;
174 const struct sco_param
*param
;
176 BT_DBG("hcon %p", conn
);
178 conn
->state
= BT_CONNECT
;
183 cp
.handle
= cpu_to_le16(handle
);
185 cp
.tx_bandwidth
= cpu_to_le32(0x00001f40);
186 cp
.rx_bandwidth
= cpu_to_le32(0x00001f40);
187 cp
.voice_setting
= cpu_to_le16(conn
->setting
);
189 switch (conn
->setting
& SCO_AIRMODE_MASK
) {
190 case SCO_AIRMODE_TRANSP
:
191 if (conn
->attempt
> ARRAY_SIZE(sco_param_wideband
))
193 cp
.retrans_effort
= 0x02;
194 param
= &sco_param_wideband
[conn
->attempt
- 1];
196 case SCO_AIRMODE_CVSD
:
197 if (conn
->attempt
> ARRAY_SIZE(sco_param_cvsd
))
199 cp
.retrans_effort
= 0x01;
200 param
= &sco_param_cvsd
[conn
->attempt
- 1];
206 cp
.pkt_type
= __cpu_to_le16(param
->pkt_type
);
207 cp
.max_latency
= __cpu_to_le16(param
->max_latency
);
209 if (hci_send_cmd(hdev
, HCI_OP_SETUP_SYNC_CONN
, sizeof(cp
), &cp
) < 0)
215 u8
hci_le_conn_update(struct hci_conn
*conn
, u16 min
, u16 max
, u16 latency
,
218 struct hci_dev
*hdev
= conn
->hdev
;
219 struct hci_conn_params
*params
;
220 struct hci_cp_le_conn_update cp
;
224 params
= hci_conn_params_lookup(hdev
, &conn
->dst
, conn
->dst_type
);
226 params
->conn_min_interval
= min
;
227 params
->conn_max_interval
= max
;
228 params
->conn_latency
= latency
;
229 params
->supervision_timeout
= to_multiplier
;
232 hci_dev_unlock(hdev
);
234 memset(&cp
, 0, sizeof(cp
));
235 cp
.handle
= cpu_to_le16(conn
->handle
);
236 cp
.conn_interval_min
= cpu_to_le16(min
);
237 cp
.conn_interval_max
= cpu_to_le16(max
);
238 cp
.conn_latency
= cpu_to_le16(latency
);
239 cp
.supervision_timeout
= cpu_to_le16(to_multiplier
);
240 cp
.min_ce_len
= cpu_to_le16(0x0000);
241 cp
.max_ce_len
= cpu_to_le16(0x0000);
243 hci_send_cmd(hdev
, HCI_OP_LE_CONN_UPDATE
, sizeof(cp
), &cp
);
251 void hci_le_start_enc(struct hci_conn
*conn
, __le16 ediv
, __le64 rand
,
254 struct hci_dev
*hdev
= conn
->hdev
;
255 struct hci_cp_le_start_enc cp
;
257 BT_DBG("hcon %p", conn
);
259 memset(&cp
, 0, sizeof(cp
));
261 cp
.handle
= cpu_to_le16(conn
->handle
);
264 memcpy(cp
.ltk
, ltk
, sizeof(cp
.ltk
));
266 hci_send_cmd(hdev
, HCI_OP_LE_START_ENC
, sizeof(cp
), &cp
);
269 /* Device _must_ be locked */
270 void hci_sco_setup(struct hci_conn
*conn
, __u8 status
)
272 struct hci_conn
*sco
= conn
->link
;
277 BT_DBG("hcon %p", conn
);
280 if (lmp_esco_capable(conn
->hdev
))
281 hci_setup_sync(sco
, conn
->handle
);
283 hci_add_sco(sco
, conn
->handle
);
285 hci_proto_connect_cfm(sco
, status
);
290 static void hci_conn_timeout(struct work_struct
*work
)
292 struct hci_conn
*conn
= container_of(work
, struct hci_conn
,
294 int refcnt
= atomic_read(&conn
->refcnt
);
296 BT_DBG("hcon %p state %s", conn
, state_to_string(conn
->state
));
300 /* FIXME: It was observed that in pairing failed scenario, refcnt
301 * drops below 0. Probably this is because l2cap_conn_del calls
302 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
303 * dropped. After that loop hci_chan_del is called which also drops
304 * conn. For now make sure that ACL is alive if refcnt is higher then 0,
310 switch (conn
->state
) {
314 if (conn
->type
== ACL_LINK
)
315 hci_acl_create_connection_cancel(conn
);
316 else if (conn
->type
== LE_LINK
)
317 hci_le_create_connection_cancel(conn
);
318 } else if (conn
->type
== SCO_LINK
|| conn
->type
== ESCO_LINK
) {
319 hci_reject_sco(conn
);
324 if (conn
->type
== AMP_LINK
) {
325 hci_amp_disconn(conn
);
327 __u8 reason
= hci_proto_disconn_ind(conn
);
329 /* When we are master of an established connection
330 * and it enters the disconnect timeout, then go
331 * ahead and try to read the current clock offset.
333 * Processing of the result is done within the
334 * event handling and hci_clock_offset_evt function.
336 if (conn
->type
== ACL_LINK
&&
337 conn
->role
== HCI_ROLE_MASTER
) {
338 struct hci_dev
*hdev
= conn
->hdev
;
339 struct hci_cp_read_clock_offset cp
;
341 cp
.handle
= cpu_to_le16(conn
->handle
);
343 hci_send_cmd(hdev
, HCI_OP_READ_CLOCK_OFFSET
,
347 hci_disconnect(conn
, reason
);
351 conn
->state
= BT_CLOSED
;
356 /* Enter sniff mode */
357 static void hci_conn_idle(struct work_struct
*work
)
359 struct hci_conn
*conn
= container_of(work
, struct hci_conn
,
361 struct hci_dev
*hdev
= conn
->hdev
;
363 BT_DBG("hcon %p mode %d", conn
, conn
->mode
);
365 if (!lmp_sniff_capable(hdev
) || !lmp_sniff_capable(conn
))
368 if (conn
->mode
!= HCI_CM_ACTIVE
|| !(conn
->link_policy
& HCI_LP_SNIFF
))
371 if (lmp_sniffsubr_capable(hdev
) && lmp_sniffsubr_capable(conn
)) {
372 struct hci_cp_sniff_subrate cp
;
373 cp
.handle
= cpu_to_le16(conn
->handle
);
374 cp
.max_latency
= cpu_to_le16(0);
375 cp
.min_remote_timeout
= cpu_to_le16(0);
376 cp
.min_local_timeout
= cpu_to_le16(0);
377 hci_send_cmd(hdev
, HCI_OP_SNIFF_SUBRATE
, sizeof(cp
), &cp
);
380 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND
, &conn
->flags
)) {
381 struct hci_cp_sniff_mode cp
;
382 cp
.handle
= cpu_to_le16(conn
->handle
);
383 cp
.max_interval
= cpu_to_le16(hdev
->sniff_max_interval
);
384 cp
.min_interval
= cpu_to_le16(hdev
->sniff_min_interval
);
385 cp
.attempt
= cpu_to_le16(4);
386 cp
.timeout
= cpu_to_le16(1);
387 hci_send_cmd(hdev
, HCI_OP_SNIFF_MODE
, sizeof(cp
), &cp
);
391 static void hci_conn_auto_accept(struct work_struct
*work
)
393 struct hci_conn
*conn
= container_of(work
, struct hci_conn
,
394 auto_accept_work
.work
);
396 hci_send_cmd(conn
->hdev
, HCI_OP_USER_CONFIRM_REPLY
, sizeof(conn
->dst
),
400 static void le_conn_timeout(struct work_struct
*work
)
402 struct hci_conn
*conn
= container_of(work
, struct hci_conn
,
403 le_conn_timeout
.work
);
404 struct hci_dev
*hdev
= conn
->hdev
;
408 /* We could end up here due to having done directed advertising,
409 * so clean up the state if necessary. This should however only
410 * happen with broken hardware or if low duty cycle was used
411 * (which doesn't have a timeout of its own).
413 if (test_bit(HCI_ADVERTISING
, &hdev
->dev_flags
)) {
415 hci_send_cmd(hdev
, HCI_OP_LE_SET_ADV_ENABLE
, sizeof(enable
),
417 hci_le_conn_failed(conn
, HCI_ERROR_ADVERTISING_TIMEOUT
);
421 hci_le_create_connection_cancel(conn
);
424 struct hci_conn
*hci_conn_add(struct hci_dev
*hdev
, int type
, bdaddr_t
*dst
)
426 struct hci_conn
*conn
;
428 BT_DBG("%s dst %pMR", hdev
->name
, dst
);
430 conn
= kzalloc(sizeof(struct hci_conn
), GFP_KERNEL
);
434 bacpy(&conn
->dst
, dst
);
435 bacpy(&conn
->src
, &hdev
->bdaddr
);
438 conn
->mode
= HCI_CM_ACTIVE
;
439 conn
->state
= BT_OPEN
;
440 conn
->auth_type
= HCI_AT_GENERAL_BONDING
;
441 conn
->io_capability
= hdev
->io_capability
;
442 conn
->remote_auth
= 0xff;
443 conn
->key_type
= 0xff;
444 conn
->tx_power
= HCI_TX_POWER_INVALID
;
445 conn
->max_tx_power
= HCI_TX_POWER_INVALID
;
447 set_bit(HCI_CONN_POWER_SAVE
, &conn
->flags
);
448 conn
->disc_timeout
= HCI_DISCONN_TIMEOUT
;
452 conn
->pkt_type
= hdev
->pkt_type
& ACL_PTYPE_MASK
;
455 /* conn->src should reflect the local identity address */
456 hci_copy_identity_address(hdev
, &conn
->src
, &conn
->src_type
);
459 if (lmp_esco_capable(hdev
))
460 conn
->pkt_type
= (hdev
->esco_type
& SCO_ESCO_MASK
) |
461 (hdev
->esco_type
& EDR_ESCO_MASK
);
463 conn
->pkt_type
= hdev
->pkt_type
& SCO_PTYPE_MASK
;
466 conn
->pkt_type
= hdev
->esco_type
& ~EDR_ESCO_MASK
;
470 skb_queue_head_init(&conn
->data_q
);
472 INIT_LIST_HEAD(&conn
->chan_list
);
474 INIT_DELAYED_WORK(&conn
->disc_work
, hci_conn_timeout
);
475 INIT_DELAYED_WORK(&conn
->auto_accept_work
, hci_conn_auto_accept
);
476 INIT_DELAYED_WORK(&conn
->idle_work
, hci_conn_idle
);
477 INIT_DELAYED_WORK(&conn
->le_conn_timeout
, le_conn_timeout
);
479 atomic_set(&conn
->refcnt
, 0);
483 hci_conn_hash_add(hdev
, conn
);
485 hdev
->notify(hdev
, HCI_NOTIFY_CONN_ADD
);
487 hci_conn_init_sysfs(conn
);
492 int hci_conn_del(struct hci_conn
*conn
)
494 struct hci_dev
*hdev
= conn
->hdev
;
496 BT_DBG("%s hcon %p handle %d", hdev
->name
, conn
, conn
->handle
);
498 cancel_delayed_work_sync(&conn
->disc_work
);
499 cancel_delayed_work_sync(&conn
->auto_accept_work
);
500 cancel_delayed_work_sync(&conn
->idle_work
);
502 if (conn
->type
== ACL_LINK
) {
503 struct hci_conn
*sco
= conn
->link
;
508 hdev
->acl_cnt
+= conn
->sent
;
509 } else if (conn
->type
== LE_LINK
) {
510 cancel_delayed_work_sync(&conn
->le_conn_timeout
);
513 hdev
->le_cnt
+= conn
->sent
;
515 hdev
->acl_cnt
+= conn
->sent
;
517 struct hci_conn
*acl
= conn
->link
;
524 hci_chan_list_flush(conn
);
527 amp_mgr_put(conn
->amp_mgr
);
529 hci_conn_hash_del(hdev
, conn
);
531 hdev
->notify(hdev
, HCI_NOTIFY_CONN_DEL
);
533 skb_queue_purge(&conn
->data_q
);
535 hci_conn_del_sysfs(conn
);
544 struct hci_dev
*hci_get_route(bdaddr_t
*dst
, bdaddr_t
*src
)
546 int use_src
= bacmp(src
, BDADDR_ANY
);
547 struct hci_dev
*hdev
= NULL
, *d
;
549 BT_DBG("%pMR -> %pMR", src
, dst
);
551 read_lock(&hci_dev_list_lock
);
553 list_for_each_entry(d
, &hci_dev_list
, list
) {
554 if (!test_bit(HCI_UP
, &d
->flags
) ||
555 test_bit(HCI_USER_CHANNEL
, &d
->dev_flags
) ||
556 d
->dev_type
!= HCI_BREDR
)
560 * No source address - find interface with bdaddr != dst
561 * Source address - find interface with bdaddr == src
565 if (!bacmp(&d
->bdaddr
, src
)) {
569 if (bacmp(&d
->bdaddr
, dst
)) {
576 hdev
= hci_dev_hold(hdev
);
578 read_unlock(&hci_dev_list_lock
);
581 EXPORT_SYMBOL(hci_get_route
);
583 /* This function requires the caller holds hdev->lock */
584 void hci_le_conn_failed(struct hci_conn
*conn
, u8 status
)
586 struct hci_dev
*hdev
= conn
->hdev
;
588 conn
->state
= BT_CLOSED
;
590 mgmt_connect_failed(hdev
, &conn
->dst
, conn
->type
, conn
->dst_type
,
593 hci_proto_connect_cfm(conn
, status
);
597 /* Since we may have temporarily stopped the background scanning in
598 * favor of connection establishment, we should restart it.
600 hci_update_background_scan(hdev
);
602 /* Re-enable advertising in case this was a failed connection
603 * attempt as a peripheral.
605 mgmt_reenable_advertising(hdev
);
608 static void create_le_conn_complete(struct hci_dev
*hdev
, u8 status
)
610 struct hci_conn
*conn
;
615 BT_ERR("HCI request failed to create LE connection: status 0x%2.2x",
620 conn
= hci_conn_hash_lookup_state(hdev
, LE_LINK
, BT_CONNECT
);
624 hci_le_conn_failed(conn
, status
);
627 hci_dev_unlock(hdev
);
630 static void hci_req_add_le_create_conn(struct hci_request
*req
,
631 struct hci_conn
*conn
)
633 struct hci_cp_le_create_conn cp
;
634 struct hci_dev
*hdev
= conn
->hdev
;
637 memset(&cp
, 0, sizeof(cp
));
639 /* Update random address, but set require_privacy to false so
640 * that we never connect with an unresolvable address.
642 if (hci_update_random_address(req
, false, &own_addr_type
))
645 cp
.scan_interval
= cpu_to_le16(hdev
->le_scan_interval
);
646 cp
.scan_window
= cpu_to_le16(hdev
->le_scan_window
);
647 bacpy(&cp
.peer_addr
, &conn
->dst
);
648 cp
.peer_addr_type
= conn
->dst_type
;
649 cp
.own_address_type
= own_addr_type
;
650 cp
.conn_interval_min
= cpu_to_le16(conn
->le_conn_min_interval
);
651 cp
.conn_interval_max
= cpu_to_le16(conn
->le_conn_max_interval
);
652 cp
.conn_latency
= cpu_to_le16(conn
->le_conn_latency
);
653 cp
.supervision_timeout
= cpu_to_le16(conn
->le_supv_timeout
);
654 cp
.min_ce_len
= cpu_to_le16(0x0000);
655 cp
.max_ce_len
= cpu_to_le16(0x0000);
657 hci_req_add(req
, HCI_OP_LE_CREATE_CONN
, sizeof(cp
), &cp
);
659 conn
->state
= BT_CONNECT
;
662 static void hci_req_directed_advertising(struct hci_request
*req
,
663 struct hci_conn
*conn
)
665 struct hci_dev
*hdev
= req
->hdev
;
666 struct hci_cp_le_set_adv_param cp
;
670 /* Clear the HCI_LE_ADV bit temporarily so that the
671 * hci_update_random_address knows that it's safe to go ahead
672 * and write a new random address. The flag will be set back on
673 * as soon as the SET_ADV_ENABLE HCI command completes.
675 clear_bit(HCI_LE_ADV
, &hdev
->dev_flags
);
677 /* Set require_privacy to false so that the remote device has a
678 * chance of identifying us.
680 if (hci_update_random_address(req
, false, &own_addr_type
) < 0)
683 memset(&cp
, 0, sizeof(cp
));
684 cp
.type
= LE_ADV_DIRECT_IND
;
685 cp
.own_address_type
= own_addr_type
;
686 cp
.direct_addr_type
= conn
->dst_type
;
687 bacpy(&cp
.direct_addr
, &conn
->dst
);
688 cp
.channel_map
= hdev
->le_adv_channel_map
;
690 hci_req_add(req
, HCI_OP_LE_SET_ADV_PARAM
, sizeof(cp
), &cp
);
693 hci_req_add(req
, HCI_OP_LE_SET_ADV_ENABLE
, sizeof(enable
), &enable
);
695 conn
->state
= BT_CONNECT
;
698 struct hci_conn
*hci_connect_le(struct hci_dev
*hdev
, bdaddr_t
*dst
,
699 u8 dst_type
, u8 sec_level
, u16 conn_timeout
,
702 struct hci_conn_params
*params
;
703 struct hci_conn
*conn
;
705 struct hci_request req
;
708 /* Some devices send ATT messages as soon as the physical link is
709 * established. To be able to handle these ATT messages, the user-
710 * space first establishes the connection and then starts the pairing
713 * So if a hci_conn object already exists for the following connection
714 * attempt, we simply update pending_sec_level and auth_type fields
715 * and return the object found.
717 conn
= hci_conn_hash_lookup_ba(hdev
, LE_LINK
, dst
);
719 conn
->pending_sec_level
= sec_level
;
723 /* Since the controller supports only one LE connection attempt at a
724 * time, we return -EBUSY if there is any connection attempt running.
726 conn
= hci_conn_hash_lookup_state(hdev
, LE_LINK
, BT_CONNECT
);
728 return ERR_PTR(-EBUSY
);
730 /* When given an identity address with existing identity
731 * resolving key, the connection needs to be established
732 * to a resolvable random address.
734 * This uses the cached random resolvable address from
735 * a previous scan. When no cached address is available,
736 * try connecting to the identity address instead.
738 * Storing the resolvable random address is required here
739 * to handle connection failures. The address will later
740 * be resolved back into the original identity address
741 * from the connect request.
743 irk
= hci_find_irk_by_addr(hdev
, dst
, dst_type
);
744 if (irk
&& bacmp(&irk
->rpa
, BDADDR_ANY
)) {
746 dst_type
= ADDR_LE_DEV_RANDOM
;
749 conn
= hci_conn_add(hdev
, LE_LINK
, dst
);
751 return ERR_PTR(-ENOMEM
);
753 conn
->dst_type
= dst_type
;
754 conn
->sec_level
= BT_SECURITY_LOW
;
755 conn
->pending_sec_level
= sec_level
;
756 conn
->conn_timeout
= conn_timeout
;
758 hci_req_init(&req
, hdev
);
760 /* Disable advertising if we're active. For master role
761 * connections most controllers will refuse to connect if
762 * advertising is enabled, and for slave role connections we
763 * anyway have to disable it in order to start directed
766 if (test_bit(HCI_LE_ADV
, &hdev
->dev_flags
)) {
768 hci_req_add(&req
, HCI_OP_LE_SET_ADV_ENABLE
, sizeof(enable
),
774 /* If requested to connect as slave use directed advertising */
775 if (conn
->role
== HCI_ROLE_SLAVE
) {
776 /* If we're active scanning most controllers are unable
777 * to initiate advertising. Simply reject the attempt.
779 if (test_bit(HCI_LE_SCAN
, &hdev
->dev_flags
) &&
780 hdev
->le_scan_type
== LE_SCAN_ACTIVE
) {
781 skb_queue_purge(&req
.cmd_q
);
783 return ERR_PTR(-EBUSY
);
786 hci_req_directed_advertising(&req
, conn
);
792 params
= hci_conn_params_lookup(hdev
, &conn
->dst
, conn
->dst_type
);
794 conn
->le_conn_min_interval
= params
->conn_min_interval
;
795 conn
->le_conn_max_interval
= params
->conn_max_interval
;
796 conn
->le_conn_latency
= params
->conn_latency
;
797 conn
->le_supv_timeout
= params
->supervision_timeout
;
799 conn
->le_conn_min_interval
= hdev
->le_conn_min_interval
;
800 conn
->le_conn_max_interval
= hdev
->le_conn_max_interval
;
801 conn
->le_conn_latency
= hdev
->le_conn_latency
;
802 conn
->le_supv_timeout
= hdev
->le_supv_timeout
;
805 /* If controller is scanning, we stop it since some controllers are
806 * not able to scan and connect at the same time. Also set the
807 * HCI_LE_SCAN_INTERRUPTED flag so that the command complete
808 * handler for scan disabling knows to set the correct discovery
811 if (test_bit(HCI_LE_SCAN
, &hdev
->dev_flags
)) {
812 hci_req_add_le_scan_disable(&req
);
813 set_bit(HCI_LE_SCAN_INTERRUPTED
, &hdev
->dev_flags
);
816 hci_req_add_le_create_conn(&req
, conn
);
819 err
= hci_req_run(&req
, create_le_conn_complete
);
830 struct hci_conn
*hci_connect_acl(struct hci_dev
*hdev
, bdaddr_t
*dst
,
831 u8 sec_level
, u8 auth_type
)
833 struct hci_conn
*acl
;
835 if (!test_bit(HCI_BREDR_ENABLED
, &hdev
->dev_flags
))
836 return ERR_PTR(-ENOTSUPP
);
838 acl
= hci_conn_hash_lookup_ba(hdev
, ACL_LINK
, dst
);
840 acl
= hci_conn_add(hdev
, ACL_LINK
, dst
);
842 return ERR_PTR(-ENOMEM
);
847 if (acl
->state
== BT_OPEN
|| acl
->state
== BT_CLOSED
) {
848 acl
->sec_level
= BT_SECURITY_LOW
;
849 acl
->pending_sec_level
= sec_level
;
850 acl
->auth_type
= auth_type
;
851 hci_acl_create_connection(acl
);
857 struct hci_conn
*hci_connect_sco(struct hci_dev
*hdev
, int type
, bdaddr_t
*dst
,
860 struct hci_conn
*acl
;
861 struct hci_conn
*sco
;
863 acl
= hci_connect_acl(hdev
, dst
, BT_SECURITY_LOW
, HCI_AT_NO_BONDING
);
867 sco
= hci_conn_hash_lookup_ba(hdev
, type
, dst
);
869 sco
= hci_conn_add(hdev
, type
, dst
);
872 return ERR_PTR(-ENOMEM
);
881 sco
->setting
= setting
;
883 if (acl
->state
== BT_CONNECTED
&&
884 (sco
->state
== BT_OPEN
|| sco
->state
== BT_CLOSED
)) {
885 set_bit(HCI_CONN_POWER_SAVE
, &acl
->flags
);
886 hci_conn_enter_active_mode(acl
, BT_POWER_FORCE_ACTIVE_ON
);
888 if (test_bit(HCI_CONN_MODE_CHANGE_PEND
, &acl
->flags
)) {
889 /* defer SCO setup until mode change completed */
890 set_bit(HCI_CONN_SCO_SETUP_PEND
, &acl
->flags
);
894 hci_sco_setup(acl
, 0x00);
900 /* Check link security requirement */
901 int hci_conn_check_link_mode(struct hci_conn
*conn
)
903 BT_DBG("hcon %p", conn
);
905 /* In Secure Connections Only mode, it is required that Secure
906 * Connections is used and the link is encrypted with AES-CCM
907 * using a P-256 authenticated combination key.
909 if (test_bit(HCI_SC_ONLY
, &conn
->hdev
->flags
)) {
910 if (!hci_conn_sc_enabled(conn
) ||
911 !test_bit(HCI_CONN_AES_CCM
, &conn
->flags
) ||
912 conn
->key_type
!= HCI_LK_AUTH_COMBINATION_P256
)
916 if (hci_conn_ssp_enabled(conn
) &&
917 !test_bit(HCI_CONN_ENCRYPT
, &conn
->flags
))
923 /* Authenticate remote device */
924 static int hci_conn_auth(struct hci_conn
*conn
, __u8 sec_level
, __u8 auth_type
)
926 BT_DBG("hcon %p", conn
);
928 if (conn
->pending_sec_level
> sec_level
)
929 sec_level
= conn
->pending_sec_level
;
931 if (sec_level
> conn
->sec_level
)
932 conn
->pending_sec_level
= sec_level
;
933 else if (test_bit(HCI_CONN_AUTH
, &conn
->flags
))
936 /* Make sure we preserve an existing MITM requirement*/
937 auth_type
|= (conn
->auth_type
& 0x01);
939 conn
->auth_type
= auth_type
;
941 if (!test_and_set_bit(HCI_CONN_AUTH_PEND
, &conn
->flags
)) {
942 struct hci_cp_auth_requested cp
;
944 cp
.handle
= cpu_to_le16(conn
->handle
);
945 hci_send_cmd(conn
->hdev
, HCI_OP_AUTH_REQUESTED
,
948 /* If we're already encrypted set the REAUTH_PEND flag,
949 * otherwise set the ENCRYPT_PEND.
951 if (test_bit(HCI_CONN_ENCRYPT
, &conn
->flags
))
952 set_bit(HCI_CONN_REAUTH_PEND
, &conn
->flags
);
954 set_bit(HCI_CONN_ENCRYPT_PEND
, &conn
->flags
);
960 /* Encrypt the the link */
961 static void hci_conn_encrypt(struct hci_conn
*conn
)
963 BT_DBG("hcon %p", conn
);
965 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND
, &conn
->flags
)) {
966 struct hci_cp_set_conn_encrypt cp
;
967 cp
.handle
= cpu_to_le16(conn
->handle
);
969 hci_send_cmd(conn
->hdev
, HCI_OP_SET_CONN_ENCRYPT
, sizeof(cp
),
974 /* Enable security */
975 int hci_conn_security(struct hci_conn
*conn
, __u8 sec_level
, __u8 auth_type
)
977 BT_DBG("hcon %p", conn
);
979 if (conn
->type
== LE_LINK
)
980 return smp_conn_security(conn
, sec_level
);
982 /* For sdp we don't need the link key. */
983 if (sec_level
== BT_SECURITY_SDP
)
986 /* For non 2.1 devices and low security level we don't need the link
988 if (sec_level
== BT_SECURITY_LOW
&& !hci_conn_ssp_enabled(conn
))
991 /* For other security levels we need the link key. */
992 if (!test_bit(HCI_CONN_AUTH
, &conn
->flags
))
995 /* An authenticated FIPS approved combination key has sufficient
996 * security for security level 4. */
997 if (conn
->key_type
== HCI_LK_AUTH_COMBINATION_P256
&&
998 sec_level
== BT_SECURITY_FIPS
)
1001 /* An authenticated combination key has sufficient security for
1002 security level 3. */
1003 if ((conn
->key_type
== HCI_LK_AUTH_COMBINATION_P192
||
1004 conn
->key_type
== HCI_LK_AUTH_COMBINATION_P256
) &&
1005 sec_level
== BT_SECURITY_HIGH
)
1008 /* An unauthenticated combination key has sufficient security for
1009 security level 1 and 2. */
1010 if ((conn
->key_type
== HCI_LK_UNAUTH_COMBINATION_P192
||
1011 conn
->key_type
== HCI_LK_UNAUTH_COMBINATION_P256
) &&
1012 (sec_level
== BT_SECURITY_MEDIUM
|| sec_level
== BT_SECURITY_LOW
))
1015 /* A combination key has always sufficient security for the security
1016 levels 1 or 2. High security level requires the combination key
1017 is generated using maximum PIN code length (16).
1018 For pre 2.1 units. */
1019 if (conn
->key_type
== HCI_LK_COMBINATION
&&
1020 (sec_level
== BT_SECURITY_MEDIUM
|| sec_level
== BT_SECURITY_LOW
||
1021 conn
->pin_length
== 16))
1025 if (test_bit(HCI_CONN_ENCRYPT_PEND
, &conn
->flags
))
1028 if (!hci_conn_auth(conn
, sec_level
, auth_type
))
1032 if (test_bit(HCI_CONN_ENCRYPT
, &conn
->flags
))
1035 hci_conn_encrypt(conn
);
1038 EXPORT_SYMBOL(hci_conn_security
);
1040 /* Check secure link requirement */
1041 int hci_conn_check_secure(struct hci_conn
*conn
, __u8 sec_level
)
1043 BT_DBG("hcon %p", conn
);
1045 /* Accept if non-secure or higher security level is required */
1046 if (sec_level
!= BT_SECURITY_HIGH
&& sec_level
!= BT_SECURITY_FIPS
)
1049 /* Accept if secure or higher security level is already present */
1050 if (conn
->sec_level
== BT_SECURITY_HIGH
||
1051 conn
->sec_level
== BT_SECURITY_FIPS
)
1054 /* Reject not secure link */
1057 EXPORT_SYMBOL(hci_conn_check_secure
);
1059 /* Change link key */
1060 int hci_conn_change_link_key(struct hci_conn
*conn
)
1062 BT_DBG("hcon %p", conn
);
1064 if (!test_and_set_bit(HCI_CONN_AUTH_PEND
, &conn
->flags
)) {
1065 struct hci_cp_change_conn_link_key cp
;
1066 cp
.handle
= cpu_to_le16(conn
->handle
);
1067 hci_send_cmd(conn
->hdev
, HCI_OP_CHANGE_CONN_LINK_KEY
,
1075 int hci_conn_switch_role(struct hci_conn
*conn
, __u8 role
)
1077 BT_DBG("hcon %p", conn
);
1079 if (role
== conn
->role
)
1082 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND
, &conn
->flags
)) {
1083 struct hci_cp_switch_role cp
;
1084 bacpy(&cp
.bdaddr
, &conn
->dst
);
1086 hci_send_cmd(conn
->hdev
, HCI_OP_SWITCH_ROLE
, sizeof(cp
), &cp
);
1091 EXPORT_SYMBOL(hci_conn_switch_role
);
1093 /* Enter active mode */
1094 void hci_conn_enter_active_mode(struct hci_conn
*conn
, __u8 force_active
)
1096 struct hci_dev
*hdev
= conn
->hdev
;
1098 BT_DBG("hcon %p mode %d", conn
, conn
->mode
);
1100 if (conn
->mode
!= HCI_CM_SNIFF
)
1103 if (!test_bit(HCI_CONN_POWER_SAVE
, &conn
->flags
) && !force_active
)
1106 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND
, &conn
->flags
)) {
1107 struct hci_cp_exit_sniff_mode cp
;
1108 cp
.handle
= cpu_to_le16(conn
->handle
);
1109 hci_send_cmd(hdev
, HCI_OP_EXIT_SNIFF_MODE
, sizeof(cp
), &cp
);
1113 if (hdev
->idle_timeout
> 0)
1114 queue_delayed_work(hdev
->workqueue
, &conn
->idle_work
,
1115 msecs_to_jiffies(hdev
->idle_timeout
));
1118 /* Drop all connection on the device */
1119 void hci_conn_hash_flush(struct hci_dev
*hdev
)
1121 struct hci_conn_hash
*h
= &hdev
->conn_hash
;
1122 struct hci_conn
*c
, *n
;
1124 BT_DBG("hdev %s", hdev
->name
);
1126 list_for_each_entry_safe(c
, n
, &h
->list
, list
) {
1127 c
->state
= BT_CLOSED
;
1129 hci_proto_disconn_cfm(c
, HCI_ERROR_LOCAL_HOST_TERM
);
1134 /* Check pending connect attempts */
1135 void hci_conn_check_pending(struct hci_dev
*hdev
)
1137 struct hci_conn
*conn
;
1139 BT_DBG("hdev %s", hdev
->name
);
1143 conn
= hci_conn_hash_lookup_state(hdev
, ACL_LINK
, BT_CONNECT2
);
1145 hci_acl_create_connection(conn
);
1147 hci_dev_unlock(hdev
);
1150 static u32
get_link_mode(struct hci_conn
*conn
)
1154 if (conn
->role
== HCI_ROLE_MASTER
)
1155 link_mode
|= HCI_LM_MASTER
;
1157 if (test_bit(HCI_CONN_ENCRYPT
, &conn
->flags
))
1158 link_mode
|= HCI_LM_ENCRYPT
;
1160 if (test_bit(HCI_CONN_AUTH
, &conn
->flags
))
1161 link_mode
|= HCI_LM_AUTH
;
1163 if (test_bit(HCI_CONN_SECURE
, &conn
->flags
))
1164 link_mode
|= HCI_LM_SECURE
;
1166 if (test_bit(HCI_CONN_FIPS
, &conn
->flags
))
1167 link_mode
|= HCI_LM_FIPS
;
1172 int hci_get_conn_list(void __user
*arg
)
1175 struct hci_conn_list_req req
, *cl
;
1176 struct hci_conn_info
*ci
;
1177 struct hci_dev
*hdev
;
1178 int n
= 0, size
, err
;
1180 if (copy_from_user(&req
, arg
, sizeof(req
)))
1183 if (!req
.conn_num
|| req
.conn_num
> (PAGE_SIZE
* 2) / sizeof(*ci
))
1186 size
= sizeof(req
) + req
.conn_num
* sizeof(*ci
);
1188 cl
= kmalloc(size
, GFP_KERNEL
);
1192 hdev
= hci_dev_get(req
.dev_id
);
1201 list_for_each_entry(c
, &hdev
->conn_hash
.list
, list
) {
1202 bacpy(&(ci
+ n
)->bdaddr
, &c
->dst
);
1203 (ci
+ n
)->handle
= c
->handle
;
1204 (ci
+ n
)->type
= c
->type
;
1205 (ci
+ n
)->out
= c
->out
;
1206 (ci
+ n
)->state
= c
->state
;
1207 (ci
+ n
)->link_mode
= get_link_mode(c
);
1208 if (++n
>= req
.conn_num
)
1211 hci_dev_unlock(hdev
);
1213 cl
->dev_id
= hdev
->id
;
1215 size
= sizeof(req
) + n
* sizeof(*ci
);
1219 err
= copy_to_user(arg
, cl
, size
);
1222 return err
? -EFAULT
: 0;
1225 int hci_get_conn_info(struct hci_dev
*hdev
, void __user
*arg
)
1227 struct hci_conn_info_req req
;
1228 struct hci_conn_info ci
;
1229 struct hci_conn
*conn
;
1230 char __user
*ptr
= arg
+ sizeof(req
);
1232 if (copy_from_user(&req
, arg
, sizeof(req
)))
1236 conn
= hci_conn_hash_lookup_ba(hdev
, req
.type
, &req
.bdaddr
);
1238 bacpy(&ci
.bdaddr
, &conn
->dst
);
1239 ci
.handle
= conn
->handle
;
1240 ci
.type
= conn
->type
;
1242 ci
.state
= conn
->state
;
1243 ci
.link_mode
= get_link_mode(conn
);
1245 hci_dev_unlock(hdev
);
1250 return copy_to_user(ptr
, &ci
, sizeof(ci
)) ? -EFAULT
: 0;
1253 int hci_get_auth_info(struct hci_dev
*hdev
, void __user
*arg
)
1255 struct hci_auth_info_req req
;
1256 struct hci_conn
*conn
;
1258 if (copy_from_user(&req
, arg
, sizeof(req
)))
1262 conn
= hci_conn_hash_lookup_ba(hdev
, ACL_LINK
, &req
.bdaddr
);
1264 req
.type
= conn
->auth_type
;
1265 hci_dev_unlock(hdev
);
1270 return copy_to_user(arg
, &req
, sizeof(req
)) ? -EFAULT
: 0;
1273 struct hci_chan
*hci_chan_create(struct hci_conn
*conn
)
1275 struct hci_dev
*hdev
= conn
->hdev
;
1276 struct hci_chan
*chan
;
1278 BT_DBG("%s hcon %p", hdev
->name
, conn
);
1280 chan
= kzalloc(sizeof(struct hci_chan
), GFP_KERNEL
);
1285 skb_queue_head_init(&chan
->data_q
);
1286 chan
->state
= BT_CONNECTED
;
1288 list_add_rcu(&chan
->list
, &conn
->chan_list
);
1293 void hci_chan_del(struct hci_chan
*chan
)
1295 struct hci_conn
*conn
= chan
->conn
;
1296 struct hci_dev
*hdev
= conn
->hdev
;
1298 BT_DBG("%s hcon %p chan %p", hdev
->name
, conn
, chan
);
1300 list_del_rcu(&chan
->list
);
1304 hci_conn_drop(conn
);
1306 skb_queue_purge(&chan
->data_q
);
1310 void hci_chan_list_flush(struct hci_conn
*conn
)
1312 struct hci_chan
*chan
, *n
;
1314 BT_DBG("hcon %p", conn
);
1316 list_for_each_entry_safe(chan
, n
, &conn
->chan_list
, list
)
1320 static struct hci_chan
*__hci_chan_lookup_handle(struct hci_conn
*hcon
,
1323 struct hci_chan
*hchan
;
1325 list_for_each_entry(hchan
, &hcon
->chan_list
, list
) {
1326 if (hchan
->handle
== handle
)
1333 struct hci_chan
*hci_chan_lookup_handle(struct hci_dev
*hdev
, __u16 handle
)
1335 struct hci_conn_hash
*h
= &hdev
->conn_hash
;
1336 struct hci_conn
*hcon
;
1337 struct hci_chan
*hchan
= NULL
;
1341 list_for_each_entry_rcu(hcon
, &h
->list
, list
) {
1342 hchan
= __hci_chan_lookup_handle(hcon
, handle
);