xref: /openbmc/linux/net/bluetooth/hci_conn.c (revision 9144f784f852f9a125cabe9927b986d909bfa439)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4    Copyright 2023 NXP
5 
6    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License version 2 as
10    published by the Free Software Foundation;
11 
12    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 
21    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23    SOFTWARE IS DISCLAIMED.
24 */
25 
26 /* Bluetooth HCI connection handling. */
27 
28 #include <linux/export.h>
29 #include <linux/debugfs.h>
30 
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/iso.h>
35 #include <net/bluetooth/mgmt.h>
36 
37 #include "hci_request.h"
38 #include "smp.h"
39 #include "eir.h"
40 
41 struct sco_param {
42 	u16 pkt_type;
43 	u16 max_latency;
44 	u8  retrans_effort;
45 };
46 
47 struct conn_handle_t {
48 	struct hci_conn *conn;
49 	__u16 handle;
50 };
51 
52 static const struct sco_param esco_param_cvsd[] = {
53 	{ EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a,	0x01 }, /* S3 */
54 	{ EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007,	0x01 }, /* S2 */
55 	{ EDR_ESCO_MASK | ESCO_EV3,   0x0007,	0x01 }, /* S1 */
56 	{ EDR_ESCO_MASK | ESCO_HV3,   0xffff,	0x01 }, /* D1 */
57 	{ EDR_ESCO_MASK | ESCO_HV1,   0xffff,	0x01 }, /* D0 */
58 };
59 
60 static const struct sco_param sco_param_cvsd[] = {
61 	{ EDR_ESCO_MASK | ESCO_HV3,   0xffff,	0xff }, /* D1 */
62 	{ EDR_ESCO_MASK | ESCO_HV1,   0xffff,	0xff }, /* D0 */
63 };
64 
65 static const struct sco_param esco_param_msbc[] = {
66 	{ EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d,	0x02 }, /* T2 */
67 	{ EDR_ESCO_MASK | ESCO_EV3,   0x0008,	0x02 }, /* T1 */
68 };
69 
70 /* This function requires the caller holds hdev->lock */
hci_connect_le_scan_cleanup(struct hci_conn * conn,u8 status)71 void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
72 {
73 	struct hci_conn_params *params;
74 	struct hci_dev *hdev = conn->hdev;
75 	struct smp_irk *irk;
76 	bdaddr_t *bdaddr;
77 	u8 bdaddr_type;
78 
79 	bdaddr = &conn->dst;
80 	bdaddr_type = conn->dst_type;
81 
82 	/* Check if we need to convert to identity address */
83 	irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
84 	if (irk) {
85 		bdaddr = &irk->bdaddr;
86 		bdaddr_type = irk->addr_type;
87 	}
88 
89 	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr,
90 					   bdaddr_type);
91 	if (!params)
92 		return;
93 
94 	if (params->conn) {
95 		hci_conn_drop(params->conn);
96 		hci_conn_put(params->conn);
97 		params->conn = NULL;
98 	}
99 
100 	if (!params->explicit_connect)
101 		return;
102 
103 	/* If the status indicates successful cancellation of
104 	 * the attempt (i.e. Unknown Connection Id) there's no point of
105 	 * notifying failure since we'll go back to keep trying to
106 	 * connect. The only exception is explicit connect requests
107 	 * where a timeout + cancel does indicate an actual failure.
108 	 */
109 	if (status && status != HCI_ERROR_UNKNOWN_CONN_ID)
110 		mgmt_connect_failed(hdev, conn, status);
111 
112 	/* The connection attempt was doing scan for new RPA, and is
113 	 * in scan phase. If params are not associated with any other
114 	 * autoconnect action, remove them completely. If they are, just unmark
115 	 * them as waiting for connection, by clearing explicit_connect field.
116 	 */
117 	params->explicit_connect = false;
118 
119 	hci_pend_le_list_del_init(params);
120 
121 	switch (params->auto_connect) {
122 	case HCI_AUTO_CONN_EXPLICIT:
123 		hci_conn_params_del(hdev, bdaddr, bdaddr_type);
124 		/* return instead of break to avoid duplicate scan update */
125 		return;
126 	case HCI_AUTO_CONN_DIRECT:
127 	case HCI_AUTO_CONN_ALWAYS:
128 		hci_pend_le_list_add(params, &hdev->pend_le_conns);
129 		break;
130 	case HCI_AUTO_CONN_REPORT:
131 		hci_pend_le_list_add(params, &hdev->pend_le_reports);
132 		break;
133 	default:
134 		break;
135 	}
136 
137 	hci_update_passive_scan(hdev);
138 }
139 
hci_conn_cleanup(struct hci_conn * conn)140 static void hci_conn_cleanup(struct hci_conn *conn)
141 {
142 	struct hci_dev *hdev = conn->hdev;
143 
144 	if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
145 		hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);
146 
147 	if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
148 		hci_remove_link_key(hdev, &conn->dst);
149 
150 	hci_chan_list_flush(conn);
151 
152 	hci_conn_hash_del(hdev, conn);
153 
154 	if (HCI_CONN_HANDLE_UNSET(conn->handle))
155 		ida_free(&hdev->unset_handle_ida, conn->handle);
156 
157 	if (conn->cleanup)
158 		conn->cleanup(conn);
159 
160 	if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
161 		switch (conn->setting & SCO_AIRMODE_MASK) {
162 		case SCO_AIRMODE_CVSD:
163 		case SCO_AIRMODE_TRANSP:
164 			if (hdev->notify)
165 				hdev->notify(hdev, HCI_NOTIFY_DISABLE_SCO);
166 			break;
167 		}
168 	} else {
169 		if (hdev->notify)
170 			hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
171 	}
172 
173 	debugfs_remove_recursive(conn->debugfs);
174 
175 	hci_conn_del_sysfs(conn);
176 
177 	hci_dev_put(hdev);
178 }
179 
hci_disconnect(struct hci_conn * conn,__u8 reason)180 int hci_disconnect(struct hci_conn *conn, __u8 reason)
181 {
182 	BT_DBG("hcon %p", conn);
183 
184 	/* When we are central of an established connection and it enters
185 	 * the disconnect timeout, then go ahead and try to read the
186 	 * current clock offset.  Processing of the result is done
187 	 * within the event handling and hci_clock_offset_evt function.
188 	 */
189 	if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER &&
190 	    (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) {
191 		struct hci_dev *hdev = conn->hdev;
192 		struct hci_cp_read_clock_offset clkoff_cp;
193 
194 		clkoff_cp.handle = cpu_to_le16(conn->handle);
195 		hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp),
196 			     &clkoff_cp);
197 	}
198 
199 	return hci_abort_conn(conn, reason);
200 }
201 
hci_add_sco(struct hci_conn * conn,__u16 handle)202 static void hci_add_sco(struct hci_conn *conn, __u16 handle)
203 {
204 	struct hci_dev *hdev = conn->hdev;
205 	struct hci_cp_add_sco cp;
206 
207 	BT_DBG("hcon %p", conn);
208 
209 	conn->state = BT_CONNECT;
210 	conn->out = true;
211 
212 	conn->attempt++;
213 
214 	cp.handle   = cpu_to_le16(handle);
215 	cp.pkt_type = cpu_to_le16(conn->pkt_type);
216 
217 	hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
218 }
219 
find_next_esco_param(struct hci_conn * conn,const struct sco_param * esco_param,int size)220 static bool find_next_esco_param(struct hci_conn *conn,
221 				 const struct sco_param *esco_param, int size)
222 {
223 	if (!conn->parent)
224 		return false;
225 
226 	for (; conn->attempt <= size; conn->attempt++) {
227 		if (lmp_esco_2m_capable(conn->parent) ||
228 		    (esco_param[conn->attempt - 1].pkt_type & ESCO_2EV3))
229 			break;
230 		BT_DBG("hcon %p skipped attempt %d, eSCO 2M not supported",
231 		       conn, conn->attempt);
232 	}
233 
234 	return conn->attempt <= size;
235 }
236 
configure_datapath_sync(struct hci_dev * hdev,struct bt_codec * codec)237 static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec)
238 {
239 	int err;
240 	__u8 vnd_len, *vnd_data = NULL;
241 	struct hci_op_configure_data_path *cmd = NULL;
242 
243 	if (!codec->data_path || !hdev->get_codec_config_data)
244 		return 0;
245 
246 	/* Do not take me as error */
247 	if (!hdev->get_codec_config_data)
248 		return 0;
249 
250 	err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len,
251 					  &vnd_data);
252 	if (err < 0)
253 		goto error;
254 
255 	cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL);
256 	if (!cmd) {
257 		err = -ENOMEM;
258 		goto error;
259 	}
260 
261 	err = hdev->get_data_path_id(hdev, &cmd->data_path_id);
262 	if (err < 0)
263 		goto error;
264 
265 	cmd->vnd_len = vnd_len;
266 	memcpy(cmd->vnd_data, vnd_data, vnd_len);
267 
268 	cmd->direction = 0x00;
269 	__hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
270 			      sizeof(*cmd) + vnd_len, cmd, HCI_CMD_TIMEOUT);
271 
272 	cmd->direction = 0x01;
273 	err = __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
274 				    sizeof(*cmd) + vnd_len, cmd,
275 				    HCI_CMD_TIMEOUT);
276 error:
277 
278 	kfree(cmd);
279 	kfree(vnd_data);
280 	return err;
281 }
282 
hci_enhanced_setup_sync(struct hci_dev * hdev,void * data)283 static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data)
284 {
285 	struct conn_handle_t *conn_handle = data;
286 	struct hci_conn *conn = conn_handle->conn;
287 	__u16 handle = conn_handle->handle;
288 	struct hci_cp_enhanced_setup_sync_conn cp;
289 	const struct sco_param *param;
290 
291 	kfree(conn_handle);
292 
293 	if (!hci_conn_valid(hdev, conn))
294 		return -ECANCELED;
295 
296 	bt_dev_dbg(hdev, "hcon %p", conn);
297 
298 	configure_datapath_sync(hdev, &conn->codec);
299 
300 	conn->state = BT_CONNECT;
301 	conn->out = true;
302 
303 	conn->attempt++;
304 
305 	memset(&cp, 0x00, sizeof(cp));
306 
307 	cp.handle   = cpu_to_le16(handle);
308 
309 	cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
310 	cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
311 
312 	switch (conn->codec.id) {
313 	case BT_CODEC_MSBC:
314 		if (!find_next_esco_param(conn, esco_param_msbc,
315 					  ARRAY_SIZE(esco_param_msbc)))
316 			return -EINVAL;
317 
318 		param = &esco_param_msbc[conn->attempt - 1];
319 		cp.tx_coding_format.id = 0x05;
320 		cp.rx_coding_format.id = 0x05;
321 		cp.tx_codec_frame_size = __cpu_to_le16(60);
322 		cp.rx_codec_frame_size = __cpu_to_le16(60);
323 		cp.in_bandwidth = __cpu_to_le32(32000);
324 		cp.out_bandwidth = __cpu_to_le32(32000);
325 		cp.in_coding_format.id = 0x04;
326 		cp.out_coding_format.id = 0x04;
327 		cp.in_coded_data_size = __cpu_to_le16(16);
328 		cp.out_coded_data_size = __cpu_to_le16(16);
329 		cp.in_pcm_data_format = 2;
330 		cp.out_pcm_data_format = 2;
331 		cp.in_pcm_sample_payload_msb_pos = 0;
332 		cp.out_pcm_sample_payload_msb_pos = 0;
333 		cp.in_data_path = conn->codec.data_path;
334 		cp.out_data_path = conn->codec.data_path;
335 		cp.in_transport_unit_size = 1;
336 		cp.out_transport_unit_size = 1;
337 		break;
338 
339 	case BT_CODEC_TRANSPARENT:
340 		if (!find_next_esco_param(conn, esco_param_msbc,
341 					  ARRAY_SIZE(esco_param_msbc)))
342 			return false;
343 		param = &esco_param_msbc[conn->attempt - 1];
344 		cp.tx_coding_format.id = 0x03;
345 		cp.rx_coding_format.id = 0x03;
346 		cp.tx_codec_frame_size = __cpu_to_le16(60);
347 		cp.rx_codec_frame_size = __cpu_to_le16(60);
348 		cp.in_bandwidth = __cpu_to_le32(0x1f40);
349 		cp.out_bandwidth = __cpu_to_le32(0x1f40);
350 		cp.in_coding_format.id = 0x03;
351 		cp.out_coding_format.id = 0x03;
352 		cp.in_coded_data_size = __cpu_to_le16(16);
353 		cp.out_coded_data_size = __cpu_to_le16(16);
354 		cp.in_pcm_data_format = 2;
355 		cp.out_pcm_data_format = 2;
356 		cp.in_pcm_sample_payload_msb_pos = 0;
357 		cp.out_pcm_sample_payload_msb_pos = 0;
358 		cp.in_data_path = conn->codec.data_path;
359 		cp.out_data_path = conn->codec.data_path;
360 		cp.in_transport_unit_size = 1;
361 		cp.out_transport_unit_size = 1;
362 		break;
363 
364 	case BT_CODEC_CVSD:
365 		if (conn->parent && lmp_esco_capable(conn->parent)) {
366 			if (!find_next_esco_param(conn, esco_param_cvsd,
367 						  ARRAY_SIZE(esco_param_cvsd)))
368 				return -EINVAL;
369 			param = &esco_param_cvsd[conn->attempt - 1];
370 		} else {
371 			if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
372 				return -EINVAL;
373 			param = &sco_param_cvsd[conn->attempt - 1];
374 		}
375 		cp.tx_coding_format.id = 2;
376 		cp.rx_coding_format.id = 2;
377 		cp.tx_codec_frame_size = __cpu_to_le16(60);
378 		cp.rx_codec_frame_size = __cpu_to_le16(60);
379 		cp.in_bandwidth = __cpu_to_le32(16000);
380 		cp.out_bandwidth = __cpu_to_le32(16000);
381 		cp.in_coding_format.id = 4;
382 		cp.out_coding_format.id = 4;
383 		cp.in_coded_data_size = __cpu_to_le16(16);
384 		cp.out_coded_data_size = __cpu_to_le16(16);
385 		cp.in_pcm_data_format = 2;
386 		cp.out_pcm_data_format = 2;
387 		cp.in_pcm_sample_payload_msb_pos = 0;
388 		cp.out_pcm_sample_payload_msb_pos = 0;
389 		cp.in_data_path = conn->codec.data_path;
390 		cp.out_data_path = conn->codec.data_path;
391 		cp.in_transport_unit_size = 16;
392 		cp.out_transport_unit_size = 16;
393 		break;
394 	default:
395 		return -EINVAL;
396 	}
397 
398 	cp.retrans_effort = param->retrans_effort;
399 	cp.pkt_type = __cpu_to_le16(param->pkt_type);
400 	cp.max_latency = __cpu_to_le16(param->max_latency);
401 
402 	if (hci_send_cmd(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
403 		return -EIO;
404 
405 	return 0;
406 }
407 
hci_setup_sync_conn(struct hci_conn * conn,__u16 handle)408 static bool hci_setup_sync_conn(struct hci_conn *conn, __u16 handle)
409 {
410 	struct hci_dev *hdev = conn->hdev;
411 	struct hci_cp_setup_sync_conn cp;
412 	const struct sco_param *param;
413 
414 	bt_dev_dbg(hdev, "hcon %p", conn);
415 
416 	conn->state = BT_CONNECT;
417 	conn->out = true;
418 
419 	conn->attempt++;
420 
421 	cp.handle   = cpu_to_le16(handle);
422 
423 	cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
424 	cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
425 	cp.voice_setting  = cpu_to_le16(conn->setting);
426 
427 	switch (conn->setting & SCO_AIRMODE_MASK) {
428 	case SCO_AIRMODE_TRANSP:
429 		if (!find_next_esco_param(conn, esco_param_msbc,
430 					  ARRAY_SIZE(esco_param_msbc)))
431 			return false;
432 		param = &esco_param_msbc[conn->attempt - 1];
433 		break;
434 	case SCO_AIRMODE_CVSD:
435 		if (conn->parent && lmp_esco_capable(conn->parent)) {
436 			if (!find_next_esco_param(conn, esco_param_cvsd,
437 						  ARRAY_SIZE(esco_param_cvsd)))
438 				return false;
439 			param = &esco_param_cvsd[conn->attempt - 1];
440 		} else {
441 			if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
442 				return false;
443 			param = &sco_param_cvsd[conn->attempt - 1];
444 		}
445 		break;
446 	default:
447 		return false;
448 	}
449 
450 	cp.retrans_effort = param->retrans_effort;
451 	cp.pkt_type = __cpu_to_le16(param->pkt_type);
452 	cp.max_latency = __cpu_to_le16(param->max_latency);
453 
454 	if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
455 		return false;
456 
457 	return true;
458 }
459 
hci_setup_sync(struct hci_conn * conn,__u16 handle)460 bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
461 {
462 	int result;
463 	struct conn_handle_t *conn_handle;
464 
465 	if (enhanced_sync_conn_capable(conn->hdev)) {
466 		conn_handle = kzalloc(sizeof(*conn_handle), GFP_KERNEL);
467 
468 		if (!conn_handle)
469 			return false;
470 
471 		conn_handle->conn = conn;
472 		conn_handle->handle = handle;
473 		result = hci_cmd_sync_queue(conn->hdev, hci_enhanced_setup_sync,
474 					    conn_handle, NULL);
475 		if (result < 0)
476 			kfree(conn_handle);
477 
478 		return result == 0;
479 	}
480 
481 	return hci_setup_sync_conn(conn, handle);
482 }
483 
hci_le_conn_update(struct hci_conn * conn,u16 min,u16 max,u16 latency,u16 to_multiplier)484 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
485 		      u16 to_multiplier)
486 {
487 	struct hci_dev *hdev = conn->hdev;
488 	struct hci_conn_params *params;
489 	struct hci_cp_le_conn_update cp;
490 
491 	hci_dev_lock(hdev);
492 
493 	params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
494 	if (params) {
495 		params->conn_min_interval = min;
496 		params->conn_max_interval = max;
497 		params->conn_latency = latency;
498 		params->supervision_timeout = to_multiplier;
499 	}
500 
501 	hci_dev_unlock(hdev);
502 
503 	memset(&cp, 0, sizeof(cp));
504 	cp.handle		= cpu_to_le16(conn->handle);
505 	cp.conn_interval_min	= cpu_to_le16(min);
506 	cp.conn_interval_max	= cpu_to_le16(max);
507 	cp.conn_latency		= cpu_to_le16(latency);
508 	cp.supervision_timeout	= cpu_to_le16(to_multiplier);
509 	cp.min_ce_len		= cpu_to_le16(0x0000);
510 	cp.max_ce_len		= cpu_to_le16(0x0000);
511 
512 	hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
513 
514 	if (params)
515 		return 0x01;
516 
517 	return 0x00;
518 }
519 
hci_le_start_enc(struct hci_conn * conn,__le16 ediv,__le64 rand,__u8 ltk[16],__u8 key_size)520 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
521 		      __u8 ltk[16], __u8 key_size)
522 {
523 	struct hci_dev *hdev = conn->hdev;
524 	struct hci_cp_le_start_enc cp;
525 
526 	BT_DBG("hcon %p", conn);
527 
528 	memset(&cp, 0, sizeof(cp));
529 
530 	cp.handle = cpu_to_le16(conn->handle);
531 	cp.rand = rand;
532 	cp.ediv = ediv;
533 	memcpy(cp.ltk, ltk, key_size);
534 
535 	hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
536 }
537 
538 /* Device _must_ be locked */
hci_sco_setup(struct hci_conn * conn,__u8 status)539 void hci_sco_setup(struct hci_conn *conn, __u8 status)
540 {
541 	struct hci_link *link;
542 
543 	link = list_first_entry_or_null(&conn->link_list, struct hci_link, list);
544 	if (!link || !link->conn)
545 		return;
546 
547 	BT_DBG("hcon %p", conn);
548 
549 	if (!status) {
550 		if (lmp_esco_capable(conn->hdev))
551 			hci_setup_sync(link->conn, conn->handle);
552 		else
553 			hci_add_sco(link->conn, conn->handle);
554 	} else {
555 		hci_connect_cfm(link->conn, status);
556 		hci_conn_del(link->conn);
557 	}
558 }
559 
hci_conn_timeout(struct work_struct * work)560 static void hci_conn_timeout(struct work_struct *work)
561 {
562 	struct hci_conn *conn = container_of(work, struct hci_conn,
563 					     disc_work.work);
564 	int refcnt = atomic_read(&conn->refcnt);
565 
566 	BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
567 
568 	WARN_ON(refcnt < 0);
569 
570 	/* FIXME: It was observed that in pairing failed scenario, refcnt
571 	 * drops below 0. Probably this is because l2cap_conn_del calls
572 	 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
573 	 * dropped. After that loop hci_chan_del is called which also drops
574 	 * conn. For now make sure that ACL is alive if refcnt is higher then 0,
575 	 * otherwise drop it.
576 	 */
577 	if (refcnt > 0)
578 		return;
579 
580 	hci_abort_conn(conn, hci_proto_disconn_ind(conn));
581 }
582 
583 /* Enter sniff mode */
hci_conn_idle(struct work_struct * work)584 static void hci_conn_idle(struct work_struct *work)
585 {
586 	struct hci_conn *conn = container_of(work, struct hci_conn,
587 					     idle_work.work);
588 	struct hci_dev *hdev = conn->hdev;
589 
590 	BT_DBG("hcon %p mode %d", conn, conn->mode);
591 
592 	if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
593 		return;
594 
595 	if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
596 		return;
597 
598 	if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
599 		struct hci_cp_sniff_subrate cp;
600 		cp.handle             = cpu_to_le16(conn->handle);
601 		cp.max_latency        = cpu_to_le16(0);
602 		cp.min_remote_timeout = cpu_to_le16(0);
603 		cp.min_local_timeout  = cpu_to_le16(0);
604 		hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
605 	}
606 
607 	if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
608 		struct hci_cp_sniff_mode cp;
609 		cp.handle       = cpu_to_le16(conn->handle);
610 		cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
611 		cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
612 		cp.attempt      = cpu_to_le16(4);
613 		cp.timeout      = cpu_to_le16(1);
614 		hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
615 	}
616 }
617 
hci_conn_auto_accept(struct work_struct * work)618 static void hci_conn_auto_accept(struct work_struct *work)
619 {
620 	struct hci_conn *conn = container_of(work, struct hci_conn,
621 					     auto_accept_work.work);
622 
623 	hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
624 		     &conn->dst);
625 }
626 
le_disable_advertising(struct hci_dev * hdev)627 static void le_disable_advertising(struct hci_dev *hdev)
628 {
629 	if (ext_adv_capable(hdev)) {
630 		struct hci_cp_le_set_ext_adv_enable cp;
631 
632 		cp.enable = 0x00;
633 		cp.num_of_sets = 0x00;
634 
635 		hci_send_cmd(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE, sizeof(cp),
636 			     &cp);
637 	} else {
638 		u8 enable = 0x00;
639 		hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
640 			     &enable);
641 	}
642 }
643 
le_conn_timeout(struct work_struct * work)644 static void le_conn_timeout(struct work_struct *work)
645 {
646 	struct hci_conn *conn = container_of(work, struct hci_conn,
647 					     le_conn_timeout.work);
648 	struct hci_dev *hdev = conn->hdev;
649 
650 	BT_DBG("");
651 
652 	/* We could end up here due to having done directed advertising,
653 	 * so clean up the state if necessary. This should however only
654 	 * happen with broken hardware or if low duty cycle was used
655 	 * (which doesn't have a timeout of its own).
656 	 */
657 	if (conn->role == HCI_ROLE_SLAVE) {
658 		/* Disable LE Advertising */
659 		le_disable_advertising(hdev);
660 		hci_dev_lock(hdev);
661 		hci_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
662 		hci_dev_unlock(hdev);
663 		return;
664 	}
665 
666 	hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
667 }
668 
669 struct iso_cig_params {
670 	struct hci_cp_le_set_cig_params cp;
671 	struct hci_cis_params cis[0x1f];
672 };
673 
674 struct iso_list_data {
675 	union {
676 		u8  cig;
677 		u8  big;
678 	};
679 	union {
680 		u8  cis;
681 		u8  bis;
682 		u16 sync_handle;
683 	};
684 	int count;
685 	bool big_term;
686 	bool pa_sync_term;
687 	bool big_sync_term;
688 };
689 
bis_list(struct hci_conn * conn,void * data)690 static void bis_list(struct hci_conn *conn, void *data)
691 {
692 	struct iso_list_data *d = data;
693 
694 	/* Skip if not broadcast/ANY address */
695 	if (bacmp(&conn->dst, BDADDR_ANY))
696 		return;
697 
698 	if (d->big != conn->iso_qos.bcast.big || d->bis == BT_ISO_QOS_BIS_UNSET ||
699 	    d->bis != conn->iso_qos.bcast.bis)
700 		return;
701 
702 	d->count++;
703 }
704 
terminate_big_sync(struct hci_dev * hdev,void * data)705 static int terminate_big_sync(struct hci_dev *hdev, void *data)
706 {
707 	struct iso_list_data *d = data;
708 
709 	bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", d->big, d->bis);
710 
711 	hci_disable_per_advertising_sync(hdev, d->bis);
712 	hci_remove_ext_adv_instance_sync(hdev, d->bis, NULL);
713 
714 	/* Only terminate BIG if it has been created */
715 	if (!d->big_term)
716 		return 0;
717 
718 	return hci_le_terminate_big_sync(hdev, d->big,
719 					 HCI_ERROR_LOCAL_HOST_TERM);
720 }
721 
terminate_big_destroy(struct hci_dev * hdev,void * data,int err)722 static void terminate_big_destroy(struct hci_dev *hdev, void *data, int err)
723 {
724 	kfree(data);
725 }
726 
hci_le_terminate_big(struct hci_dev * hdev,struct hci_conn * conn)727 static int hci_le_terminate_big(struct hci_dev *hdev, struct hci_conn *conn)
728 {
729 	struct iso_list_data *d;
730 	int ret;
731 
732 	bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", conn->iso_qos.bcast.big,
733 		   conn->iso_qos.bcast.bis);
734 
735 	d = kzalloc(sizeof(*d), GFP_KERNEL);
736 	if (!d)
737 		return -ENOMEM;
738 
739 	d->big = conn->iso_qos.bcast.big;
740 	d->bis = conn->iso_qos.bcast.bis;
741 	d->big_term = test_and_clear_bit(HCI_CONN_BIG_CREATED, &conn->flags);
742 
743 	ret = hci_cmd_sync_queue(hdev, terminate_big_sync, d,
744 				 terminate_big_destroy);
745 	if (ret)
746 		kfree(d);
747 
748 	return ret;
749 }
750 
big_terminate_sync(struct hci_dev * hdev,void * data)751 static int big_terminate_sync(struct hci_dev *hdev, void *data)
752 {
753 	struct iso_list_data *d = data;
754 
755 	bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", d->big,
756 		   d->sync_handle);
757 
758 	if (d->big_sync_term)
759 		hci_le_big_terminate_sync(hdev, d->big);
760 
761 	if (d->pa_sync_term)
762 		return hci_le_pa_terminate_sync(hdev, d->sync_handle);
763 
764 	return 0;
765 }
766 
hci_le_big_terminate(struct hci_dev * hdev,u8 big,struct hci_conn * conn)767 static int hci_le_big_terminate(struct hci_dev *hdev, u8 big, struct hci_conn *conn)
768 {
769 	struct iso_list_data *d;
770 	int ret;
771 
772 	bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", big, conn->sync_handle);
773 
774 	d = kzalloc(sizeof(*d), GFP_KERNEL);
775 	if (!d)
776 		return -ENOMEM;
777 
778 	d->big = big;
779 	d->sync_handle = conn->sync_handle;
780 	d->pa_sync_term = test_and_clear_bit(HCI_CONN_PA_SYNC, &conn->flags);
781 	d->big_sync_term = test_and_clear_bit(HCI_CONN_BIG_SYNC, &conn->flags);
782 
783 	ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d,
784 				 terminate_big_destroy);
785 	if (ret)
786 		kfree(d);
787 
788 	return ret;
789 }
790 
791 /* Cleanup BIS connection
792  *
793  * Detects if there any BIS left connected in a BIG
794  * broadcaster: Remove advertising instance and terminate BIG.
795  * broadcaster receiver: Teminate BIG sync and terminate PA sync.
796  */
bis_cleanup(struct hci_conn * conn)797 static void bis_cleanup(struct hci_conn *conn)
798 {
799 	struct hci_dev *hdev = conn->hdev;
800 	struct hci_conn *bis;
801 
802 	bt_dev_dbg(hdev, "conn %p", conn);
803 
804 	if (conn->role == HCI_ROLE_MASTER) {
805 		if (!test_and_clear_bit(HCI_CONN_PER_ADV, &conn->flags))
806 			return;
807 
808 		/* Check if ISO connection is a BIS and terminate advertising
809 		 * set and BIG if there are no other connections using it.
810 		 */
811 		bis = hci_conn_hash_lookup_big(hdev, conn->iso_qos.bcast.big);
812 		if (bis)
813 			return;
814 
815 		hci_le_terminate_big(hdev, conn);
816 	} else {
817 		bis = hci_conn_hash_lookup_big_any_dst(hdev,
818 						       conn->iso_qos.bcast.big);
819 
820 		if (bis)
821 			return;
822 
823 		hci_le_big_terminate(hdev, conn->iso_qos.bcast.big,
824 				     conn);
825 	}
826 }
827 
remove_cig_sync(struct hci_dev * hdev,void * data)828 static int remove_cig_sync(struct hci_dev *hdev, void *data)
829 {
830 	u8 handle = PTR_UINT(data);
831 
832 	return hci_le_remove_cig_sync(hdev, handle);
833 }
834 
hci_le_remove_cig(struct hci_dev * hdev,u8 handle)835 static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle)
836 {
837 	bt_dev_dbg(hdev, "handle 0x%2.2x", handle);
838 
839 	return hci_cmd_sync_queue(hdev, remove_cig_sync, UINT_PTR(handle),
840 				  NULL);
841 }
842 
find_cis(struct hci_conn * conn,void * data)843 static void find_cis(struct hci_conn *conn, void *data)
844 {
845 	struct iso_list_data *d = data;
846 
847 	/* Ignore broadcast or if CIG don't match */
848 	if (!bacmp(&conn->dst, BDADDR_ANY) || d->cig != conn->iso_qos.ucast.cig)
849 		return;
850 
851 	d->count++;
852 }
853 
854 /* Cleanup CIS connection:
855  *
856  * Detects if there any CIS left connected in a CIG and remove it.
857  */
cis_cleanup(struct hci_conn * conn)858 static void cis_cleanup(struct hci_conn *conn)
859 {
860 	struct hci_dev *hdev = conn->hdev;
861 	struct iso_list_data d;
862 
863 	if (conn->iso_qos.ucast.cig == BT_ISO_QOS_CIG_UNSET)
864 		return;
865 
866 	memset(&d, 0, sizeof(d));
867 	d.cig = conn->iso_qos.ucast.cig;
868 
869 	/* Check if ISO connection is a CIS and remove CIG if there are
870 	 * no other connections using it.
871 	 */
872 	hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_BOUND, &d);
873 	hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECT, &d);
874 	hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECTED, &d);
875 	if (d.count)
876 		return;
877 
878 	hci_le_remove_cig(hdev, conn->iso_qos.ucast.cig);
879 }
880 
hci_conn_hash_alloc_unset(struct hci_dev * hdev)881 static int hci_conn_hash_alloc_unset(struct hci_dev *hdev)
882 {
883 	return ida_alloc_range(&hdev->unset_handle_ida, HCI_CONN_HANDLE_MAX + 1,
884 			       U16_MAX, GFP_ATOMIC);
885 }
886 
__hci_conn_add(struct hci_dev * hdev,int type,bdaddr_t * dst,u8 role,u16 handle)887 static struct hci_conn *__hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
888 				       u8 role, u16 handle)
889 {
890 	struct hci_conn *conn;
891 
892 	switch (type) {
893 	case ACL_LINK:
894 		if (!hdev->acl_mtu)
895 			return ERR_PTR(-ECONNREFUSED);
896 		break;
897 	case ISO_LINK:
898 		if (hdev->iso_mtu)
899 			/* Dedicated ISO Buffer exists */
900 			break;
901 		fallthrough;
902 	case LE_LINK:
903 		if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU)
904 			return ERR_PTR(-ECONNREFUSED);
905 		if (!hdev->le_mtu && hdev->acl_mtu < HCI_MIN_LE_MTU)
906 			return ERR_PTR(-ECONNREFUSED);
907 		break;
908 	case SCO_LINK:
909 	case ESCO_LINK:
910 		if (!hdev->sco_pkts)
911 			/* Controller does not support SCO or eSCO over HCI */
912 			return ERR_PTR(-ECONNREFUSED);
913 		break;
914 	default:
915 		return ERR_PTR(-ECONNREFUSED);
916 	}
917 
918 	bt_dev_dbg(hdev, "dst %pMR handle 0x%4.4x", dst, handle);
919 
920 	conn = kzalloc(sizeof(*conn), GFP_KERNEL);
921 	if (!conn)
922 		return ERR_PTR(-ENOMEM);
923 
924 	bacpy(&conn->dst, dst);
925 	bacpy(&conn->src, &hdev->bdaddr);
926 	conn->handle = handle;
927 	conn->hdev  = hdev;
928 	conn->type  = type;
929 	conn->role  = role;
930 	conn->mode  = HCI_CM_ACTIVE;
931 	conn->state = BT_OPEN;
932 	conn->auth_type = HCI_AT_GENERAL_BONDING;
933 	conn->io_capability = hdev->io_capability;
934 	conn->remote_auth = 0xff;
935 	conn->key_type = 0xff;
936 	conn->rssi = HCI_RSSI_INVALID;
937 	conn->tx_power = HCI_TX_POWER_INVALID;
938 	conn->max_tx_power = HCI_TX_POWER_INVALID;
939 	conn->sync_handle = HCI_SYNC_HANDLE_INVALID;
940 
941 	set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
942 	conn->disc_timeout = HCI_DISCONN_TIMEOUT;
943 
944 	/* Set Default Authenticated payload timeout to 30s */
945 	conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
946 
947 	if (conn->role == HCI_ROLE_MASTER)
948 		conn->out = true;
949 
950 	switch (type) {
951 	case ACL_LINK:
952 		conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
953 		conn->mtu = hdev->acl_mtu;
954 		break;
955 	case LE_LINK:
956 		/* conn->src should reflect the local identity address */
957 		hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
958 		conn->mtu = hdev->le_mtu ? hdev->le_mtu : hdev->acl_mtu;
959 		break;
960 	case ISO_LINK:
961 		/* conn->src should reflect the local identity address */
962 		hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
963 
964 		/* set proper cleanup function */
965 		if (!bacmp(dst, BDADDR_ANY))
966 			conn->cleanup = bis_cleanup;
967 		else if (conn->role == HCI_ROLE_MASTER)
968 			conn->cleanup = cis_cleanup;
969 
970 		conn->mtu = hdev->iso_mtu ? hdev->iso_mtu :
971 			    hdev->le_mtu ? hdev->le_mtu : hdev->acl_mtu;
972 		break;
973 	case SCO_LINK:
974 		if (lmp_esco_capable(hdev))
975 			conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
976 					(hdev->esco_type & EDR_ESCO_MASK);
977 		else
978 			conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
979 
980 		conn->mtu = hdev->sco_mtu;
981 		break;
982 	case ESCO_LINK:
983 		conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
984 		conn->mtu = hdev->sco_mtu;
985 		break;
986 	}
987 
988 	skb_queue_head_init(&conn->data_q);
989 
990 	INIT_LIST_HEAD(&conn->chan_list);
991 	INIT_LIST_HEAD(&conn->link_list);
992 
993 	INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
994 	INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
995 	INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
996 	INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
997 
998 	atomic_set(&conn->refcnt, 0);
999 
1000 	hci_dev_hold(hdev);
1001 
1002 	hci_conn_hash_add(hdev, conn);
1003 
1004 	/* The SCO and eSCO connections will only be notified when their
1005 	 * setup has been completed. This is different to ACL links which
1006 	 * can be notified right away.
1007 	 */
1008 	if (conn->type != SCO_LINK && conn->type != ESCO_LINK) {
1009 		if (hdev->notify)
1010 			hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
1011 	}
1012 
1013 	hci_conn_init_sysfs(conn);
1014 
1015 	return conn;
1016 }
1017 
hci_conn_add_unset(struct hci_dev * hdev,int type,bdaddr_t * dst,u8 role)1018 struct hci_conn *hci_conn_add_unset(struct hci_dev *hdev, int type,
1019 				    bdaddr_t *dst, u8 role)
1020 {
1021 	int handle;
1022 
1023 	bt_dev_dbg(hdev, "dst %pMR", dst);
1024 
1025 	handle = hci_conn_hash_alloc_unset(hdev);
1026 	if (unlikely(handle < 0))
1027 		return ERR_PTR(-ECONNREFUSED);
1028 
1029 	return __hci_conn_add(hdev, type, dst, role, handle);
1030 }
1031 
hci_conn_add(struct hci_dev * hdev,int type,bdaddr_t * dst,u8 role,u16 handle)1032 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
1033 			      u8 role, u16 handle)
1034 {
1035 	if (handle > HCI_CONN_HANDLE_MAX)
1036 		return ERR_PTR(-EINVAL);
1037 
1038 	return __hci_conn_add(hdev, type, dst, role, handle);
1039 }
1040 
hci_conn_cleanup_child(struct hci_conn * conn,u8 reason)1041 static void hci_conn_cleanup_child(struct hci_conn *conn, u8 reason)
1042 {
1043 	if (!reason)
1044 		reason = HCI_ERROR_REMOTE_USER_TERM;
1045 
1046 	/* Due to race, SCO/ISO conn might be not established yet at this point,
1047 	 * and nothing else will clean it up. In other cases it is done via HCI
1048 	 * events.
1049 	 */
1050 	switch (conn->type) {
1051 	case SCO_LINK:
1052 	case ESCO_LINK:
1053 		if (HCI_CONN_HANDLE_UNSET(conn->handle))
1054 			hci_conn_failed(conn, reason);
1055 		break;
1056 	case ISO_LINK:
1057 		if ((conn->state != BT_CONNECTED &&
1058 		    !test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) ||
1059 		    test_bit(HCI_CONN_BIG_CREATED, &conn->flags))
1060 			hci_conn_failed(conn, reason);
1061 		break;
1062 	}
1063 }
1064 
hci_conn_unlink(struct hci_conn * conn)1065 static void hci_conn_unlink(struct hci_conn *conn)
1066 {
1067 	struct hci_dev *hdev = conn->hdev;
1068 
1069 	bt_dev_dbg(hdev, "hcon %p", conn);
1070 
1071 	if (!conn->parent) {
1072 		struct hci_link *link, *t;
1073 
1074 		list_for_each_entry_safe(link, t, &conn->link_list, list) {
1075 			struct hci_conn *child = link->conn;
1076 
1077 			hci_conn_unlink(child);
1078 
1079 			/* If hdev is down it means
1080 			 * hci_dev_close_sync/hci_conn_hash_flush is in progress
1081 			 * and links don't need to be cleanup as all connections
1082 			 * would be cleanup.
1083 			 */
1084 			if (!test_bit(HCI_UP, &hdev->flags))
1085 				continue;
1086 
1087 			hci_conn_cleanup_child(child, conn->abort_reason);
1088 		}
1089 
1090 		return;
1091 	}
1092 
1093 	if (!conn->link)
1094 		return;
1095 
1096 	list_del_rcu(&conn->link->list);
1097 	synchronize_rcu();
1098 
1099 	hci_conn_drop(conn->parent);
1100 	hci_conn_put(conn->parent);
1101 	conn->parent = NULL;
1102 
1103 	kfree(conn->link);
1104 	conn->link = NULL;
1105 }
1106 
hci_conn_del(struct hci_conn * conn)1107 void hci_conn_del(struct hci_conn *conn)
1108 {
1109 	struct hci_dev *hdev = conn->hdev;
1110 
1111 	BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
1112 
1113 	hci_conn_unlink(conn);
1114 
1115 	cancel_delayed_work_sync(&conn->disc_work);
1116 	cancel_delayed_work_sync(&conn->auto_accept_work);
1117 	cancel_delayed_work_sync(&conn->idle_work);
1118 
1119 	if (conn->type == ACL_LINK) {
1120 		/* Unacked frames */
1121 		hdev->acl_cnt += conn->sent;
1122 	} else if (conn->type == LE_LINK) {
1123 		cancel_delayed_work(&conn->le_conn_timeout);
1124 
1125 		if (hdev->le_pkts)
1126 			hdev->le_cnt += conn->sent;
1127 		else
1128 			hdev->acl_cnt += conn->sent;
1129 	} else {
1130 		/* Unacked ISO frames */
1131 		if (conn->type == ISO_LINK) {
1132 			if (hdev->iso_pkts)
1133 				hdev->iso_cnt += conn->sent;
1134 			else if (hdev->le_pkts)
1135 				hdev->le_cnt += conn->sent;
1136 			else
1137 				hdev->acl_cnt += conn->sent;
1138 		}
1139 	}
1140 
1141 	skb_queue_purge(&conn->data_q);
1142 
1143 	/* Remove the connection from the list and cleanup its remaining
1144 	 * state. This is a separate function since for some cases like
1145 	 * BT_CONNECT_SCAN we *only* want the cleanup part without the
1146 	 * rest of hci_conn_del.
1147 	 */
1148 	hci_conn_cleanup(conn);
1149 
1150 	/* Dequeue callbacks using connection pointer as data */
1151 	hci_cmd_sync_dequeue(hdev, NULL, conn, NULL);
1152 }
1153 
hci_get_route(bdaddr_t * dst,bdaddr_t * src,uint8_t src_type)1154 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type)
1155 {
1156 	int use_src = bacmp(src, BDADDR_ANY);
1157 	struct hci_dev *hdev = NULL, *d;
1158 
1159 	BT_DBG("%pMR -> %pMR", src, dst);
1160 
1161 	read_lock(&hci_dev_list_lock);
1162 
1163 	list_for_each_entry(d, &hci_dev_list, list) {
1164 		if (!test_bit(HCI_UP, &d->flags) ||
1165 		    hci_dev_test_flag(d, HCI_USER_CHANNEL))
1166 			continue;
1167 
1168 		/* Simple routing:
1169 		 *   No source address - find interface with bdaddr != dst
1170 		 *   Source address    - find interface with bdaddr == src
1171 		 */
1172 
1173 		if (use_src) {
1174 			bdaddr_t id_addr;
1175 			u8 id_addr_type;
1176 
1177 			if (src_type == BDADDR_BREDR) {
1178 				if (!lmp_bredr_capable(d))
1179 					continue;
1180 				bacpy(&id_addr, &d->bdaddr);
1181 				id_addr_type = BDADDR_BREDR;
1182 			} else {
1183 				if (!lmp_le_capable(d))
1184 					continue;
1185 
1186 				hci_copy_identity_address(d, &id_addr,
1187 							  &id_addr_type);
1188 
1189 				/* Convert from HCI to three-value type */
1190 				if (id_addr_type == ADDR_LE_DEV_PUBLIC)
1191 					id_addr_type = BDADDR_LE_PUBLIC;
1192 				else
1193 					id_addr_type = BDADDR_LE_RANDOM;
1194 			}
1195 
1196 			if (!bacmp(&id_addr, src) && id_addr_type == src_type) {
1197 				hdev = d; break;
1198 			}
1199 		} else {
1200 			if (bacmp(&d->bdaddr, dst)) {
1201 				hdev = d; break;
1202 			}
1203 		}
1204 	}
1205 
1206 	if (hdev)
1207 		hdev = hci_dev_hold(hdev);
1208 
1209 	read_unlock(&hci_dev_list_lock);
1210 	return hdev;
1211 }
1212 EXPORT_SYMBOL(hci_get_route);
1213 
1214 /* This function requires the caller holds hdev->lock */
hci_le_conn_failed(struct hci_conn * conn,u8 status)1215 static void hci_le_conn_failed(struct hci_conn *conn, u8 status)
1216 {
1217 	struct hci_dev *hdev = conn->hdev;
1218 
1219 	hci_connect_le_scan_cleanup(conn, status);
1220 
1221 	/* Enable advertising in case this was a failed connection
1222 	 * attempt as a peripheral.
1223 	 */
1224 	hci_enable_advertising(hdev);
1225 }
1226 
1227 /* This function requires the caller holds hdev->lock */
hci_conn_failed(struct hci_conn * conn,u8 status)1228 void hci_conn_failed(struct hci_conn *conn, u8 status)
1229 {
1230 	struct hci_dev *hdev = conn->hdev;
1231 
1232 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
1233 
1234 	switch (conn->type) {
1235 	case LE_LINK:
1236 		hci_le_conn_failed(conn, status);
1237 		break;
1238 	case ACL_LINK:
1239 		mgmt_connect_failed(hdev, conn, status);
1240 		break;
1241 	}
1242 
1243 	/* In case of BIG/PA sync failed, clear conn flags so that
1244 	 * the conns will be correctly cleaned up by ISO layer
1245 	 */
1246 	test_and_clear_bit(HCI_CONN_BIG_SYNC_FAILED, &conn->flags);
1247 	test_and_clear_bit(HCI_CONN_PA_SYNC_FAILED, &conn->flags);
1248 
1249 	conn->state = BT_CLOSED;
1250 	hci_connect_cfm(conn, status);
1251 	hci_conn_del(conn);
1252 }
1253 
1254 /* This function requires the caller holds hdev->lock */
hci_conn_set_handle(struct hci_conn * conn,u16 handle)1255 u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle)
1256 {
1257 	struct hci_dev *hdev = conn->hdev;
1258 
1259 	bt_dev_dbg(hdev, "hcon %p handle 0x%4.4x", conn, handle);
1260 
1261 	if (conn->handle == handle)
1262 		return 0;
1263 
1264 	if (handle > HCI_CONN_HANDLE_MAX) {
1265 		bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
1266 			   handle, HCI_CONN_HANDLE_MAX);
1267 		return HCI_ERROR_INVALID_PARAMETERS;
1268 	}
1269 
1270 	/* If abort_reason has been sent it means the connection is being
1271 	 * aborted and the handle shall not be changed.
1272 	 */
1273 	if (conn->abort_reason)
1274 		return conn->abort_reason;
1275 
1276 	if (HCI_CONN_HANDLE_UNSET(conn->handle))
1277 		ida_free(&hdev->unset_handle_ida, conn->handle);
1278 
1279 	conn->handle = handle;
1280 
1281 	return 0;
1282 }
1283 
hci_connect_le(struct hci_dev * hdev,bdaddr_t * dst,u8 dst_type,bool dst_resolved,u8 sec_level,u16 conn_timeout,u8 role)1284 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
1285 				u8 dst_type, bool dst_resolved, u8 sec_level,
1286 				u16 conn_timeout, u8 role)
1287 {
1288 	struct hci_conn *conn;
1289 	struct smp_irk *irk;
1290 	int err;
1291 
1292 	/* Let's make sure that le is enabled.*/
1293 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1294 		if (lmp_le_capable(hdev))
1295 			return ERR_PTR(-ECONNREFUSED);
1296 
1297 		return ERR_PTR(-EOPNOTSUPP);
1298 	}
1299 
1300 	/* Since the controller supports only one LE connection attempt at a
1301 	 * time, we return -EBUSY if there is any connection attempt running.
1302 	 */
1303 	if (hci_lookup_le_connect(hdev))
1304 		return ERR_PTR(-EBUSY);
1305 
1306 	/* If there's already a connection object but it's not in
1307 	 * scanning state it means it must already be established, in
1308 	 * which case we can't do anything else except report a failure
1309 	 * to connect.
1310 	 */
1311 	conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1312 	if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) {
1313 		return ERR_PTR(-EBUSY);
1314 	}
1315 
1316 	/* Check if the destination address has been resolved by the controller
1317 	 * since if it did then the identity address shall be used.
1318 	 */
1319 	if (!dst_resolved) {
1320 		/* When given an identity address with existing identity
1321 		 * resolving key, the connection needs to be established
1322 		 * to a resolvable random address.
1323 		 *
1324 		 * Storing the resolvable random address is required here
1325 		 * to handle connection failures. The address will later
1326 		 * be resolved back into the original identity address
1327 		 * from the connect request.
1328 		 */
1329 		irk = hci_find_irk_by_addr(hdev, dst, dst_type);
1330 		if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
1331 			dst = &irk->rpa;
1332 			dst_type = ADDR_LE_DEV_RANDOM;
1333 		}
1334 	}
1335 
1336 	if (conn) {
1337 		bacpy(&conn->dst, dst);
1338 	} else {
1339 		conn = hci_conn_add_unset(hdev, LE_LINK, dst, role);
1340 		if (IS_ERR(conn))
1341 			return conn;
1342 		hci_conn_hold(conn);
1343 		conn->pending_sec_level = sec_level;
1344 	}
1345 
1346 	conn->dst_type = dst_type;
1347 	conn->sec_level = BT_SECURITY_LOW;
1348 	conn->conn_timeout = conn_timeout;
1349 
1350 	err = hci_connect_le_sync(hdev, conn);
1351 	if (err) {
1352 		hci_conn_del(conn);
1353 		return ERR_PTR(err);
1354 	}
1355 
1356 	return conn;
1357 }
1358 
is_connected(struct hci_dev * hdev,bdaddr_t * addr,u8 type)1359 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
1360 {
1361 	struct hci_conn *conn;
1362 
1363 	conn = hci_conn_hash_lookup_le(hdev, addr, type);
1364 	if (!conn)
1365 		return false;
1366 
1367 	if (conn->state != BT_CONNECTED)
1368 		return false;
1369 
1370 	return true;
1371 }
1372 
1373 /* This function requires the caller holds hdev->lock */
hci_explicit_conn_params_set(struct hci_dev * hdev,bdaddr_t * addr,u8 addr_type)1374 static int hci_explicit_conn_params_set(struct hci_dev *hdev,
1375 					bdaddr_t *addr, u8 addr_type)
1376 {
1377 	struct hci_conn_params *params;
1378 
1379 	if (is_connected(hdev, addr, addr_type))
1380 		return -EISCONN;
1381 
1382 	params = hci_conn_params_lookup(hdev, addr, addr_type);
1383 	if (!params) {
1384 		params = hci_conn_params_add(hdev, addr, addr_type);
1385 		if (!params)
1386 			return -ENOMEM;
1387 
1388 		/* If we created new params, mark them to be deleted in
1389 		 * hci_connect_le_scan_cleanup. It's different case than
1390 		 * existing disabled params, those will stay after cleanup.
1391 		 */
1392 		params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
1393 	}
1394 
1395 	/* We're trying to connect, so make sure params are at pend_le_conns */
1396 	if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
1397 	    params->auto_connect == HCI_AUTO_CONN_REPORT ||
1398 	    params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
1399 		hci_pend_le_list_del_init(params);
1400 		hci_pend_le_list_add(params, &hdev->pend_le_conns);
1401 	}
1402 
1403 	params->explicit_connect = true;
1404 
1405 	BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
1406 	       params->auto_connect);
1407 
1408 	return 0;
1409 }
1410 
qos_set_big(struct hci_dev * hdev,struct bt_iso_qos * qos)1411 static int qos_set_big(struct hci_dev *hdev, struct bt_iso_qos *qos)
1412 {
1413 	struct hci_conn *conn;
1414 	u8  big;
1415 
1416 	/* Allocate a BIG if not set */
1417 	if (qos->bcast.big == BT_ISO_QOS_BIG_UNSET) {
1418 		for (big = 0x00; big < 0xef; big++) {
1419 
1420 			conn = hci_conn_hash_lookup_big(hdev, big);
1421 			if (!conn)
1422 				break;
1423 		}
1424 
1425 		if (big == 0xef)
1426 			return -EADDRNOTAVAIL;
1427 
1428 		/* Update BIG */
1429 		qos->bcast.big = big;
1430 	}
1431 
1432 	return 0;
1433 }
1434 
qos_set_bis(struct hci_dev * hdev,struct bt_iso_qos * qos)1435 static int qos_set_bis(struct hci_dev *hdev, struct bt_iso_qos *qos)
1436 {
1437 	struct hci_conn *conn;
1438 	u8  bis;
1439 
1440 	/* Allocate BIS if not set */
1441 	if (qos->bcast.bis == BT_ISO_QOS_BIS_UNSET) {
1442 		/* Find an unused adv set to advertise BIS, skip instance 0x00
1443 		 * since it is reserved as general purpose set.
1444 		 */
1445 		for (bis = 0x01; bis < hdev->le_num_of_adv_sets;
1446 		     bis++) {
1447 
1448 			conn = hci_conn_hash_lookup_bis(hdev, BDADDR_ANY, bis);
1449 			if (!conn)
1450 				break;
1451 		}
1452 
1453 		if (bis == hdev->le_num_of_adv_sets)
1454 			return -EADDRNOTAVAIL;
1455 
1456 		/* Update BIS */
1457 		qos->bcast.bis = bis;
1458 	}
1459 
1460 	return 0;
1461 }
1462 
1463 /* This function requires the caller holds hdev->lock */
hci_add_bis(struct hci_dev * hdev,bdaddr_t * dst,struct bt_iso_qos * qos,__u8 base_len,__u8 * base)1464 static struct hci_conn *hci_add_bis(struct hci_dev *hdev, bdaddr_t *dst,
1465 				    struct bt_iso_qos *qos, __u8 base_len,
1466 				    __u8 *base)
1467 {
1468 	struct hci_conn *conn;
1469 	int err;
1470 
1471 	/* Let's make sure that le is enabled.*/
1472 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1473 		if (lmp_le_capable(hdev))
1474 			return ERR_PTR(-ECONNREFUSED);
1475 		return ERR_PTR(-EOPNOTSUPP);
1476 	}
1477 
1478 	err = qos_set_big(hdev, qos);
1479 	if (err)
1480 		return ERR_PTR(err);
1481 
1482 	err = qos_set_bis(hdev, qos);
1483 	if (err)
1484 		return ERR_PTR(err);
1485 
1486 	/* Check if the LE Create BIG command has already been sent */
1487 	conn = hci_conn_hash_lookup_per_adv_bis(hdev, dst, qos->bcast.big,
1488 						qos->bcast.big);
1489 	if (conn)
1490 		return ERR_PTR(-EADDRINUSE);
1491 
1492 	/* Check BIS settings against other bound BISes, since all
1493 	 * BISes in a BIG must have the same value for all parameters
1494 	 */
1495 	conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big);
1496 
1497 	if (conn && (memcmp(qos, &conn->iso_qos, sizeof(*qos)) ||
1498 		     base_len != conn->le_per_adv_data_len ||
1499 		     memcmp(conn->le_per_adv_data, base, base_len)))
1500 		return ERR_PTR(-EADDRINUSE);
1501 
1502 	conn = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_MASTER);
1503 	if (IS_ERR(conn))
1504 		return conn;
1505 
1506 	conn->state = BT_CONNECT;
1507 
1508 	hci_conn_hold(conn);
1509 	return conn;
1510 }
1511 
1512 /* This function requires the caller holds hdev->lock */
hci_connect_le_scan(struct hci_dev * hdev,bdaddr_t * dst,u8 dst_type,u8 sec_level,u16 conn_timeout,enum conn_reasons conn_reason)1513 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
1514 				     u8 dst_type, u8 sec_level,
1515 				     u16 conn_timeout,
1516 				     enum conn_reasons conn_reason)
1517 {
1518 	struct hci_conn *conn;
1519 
1520 	/* Let's make sure that le is enabled.*/
1521 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1522 		if (lmp_le_capable(hdev))
1523 			return ERR_PTR(-ECONNREFUSED);
1524 
1525 		return ERR_PTR(-EOPNOTSUPP);
1526 	}
1527 
1528 	/* Some devices send ATT messages as soon as the physical link is
1529 	 * established. To be able to handle these ATT messages, the user-
1530 	 * space first establishes the connection and then starts the pairing
1531 	 * process.
1532 	 *
1533 	 * So if a hci_conn object already exists for the following connection
1534 	 * attempt, we simply update pending_sec_level and auth_type fields
1535 	 * and return the object found.
1536 	 */
1537 	conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1538 	if (conn) {
1539 		if (conn->pending_sec_level < sec_level)
1540 			conn->pending_sec_level = sec_level;
1541 		goto done;
1542 	}
1543 
1544 	BT_DBG("requesting refresh of dst_addr");
1545 
1546 	conn = hci_conn_add_unset(hdev, LE_LINK, dst, HCI_ROLE_MASTER);
1547 	if (IS_ERR(conn))
1548 		return conn;
1549 
1550 	if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) {
1551 		hci_conn_del(conn);
1552 		return ERR_PTR(-EBUSY);
1553 	}
1554 
1555 	conn->state = BT_CONNECT;
1556 	set_bit(HCI_CONN_SCANNING, &conn->flags);
1557 	conn->dst_type = dst_type;
1558 	conn->sec_level = BT_SECURITY_LOW;
1559 	conn->pending_sec_level = sec_level;
1560 	conn->conn_timeout = conn_timeout;
1561 	conn->conn_reason = conn_reason;
1562 
1563 	hci_update_passive_scan(hdev);
1564 
1565 done:
1566 	hci_conn_hold(conn);
1567 	return conn;
1568 }
1569 
hci_connect_acl(struct hci_dev * hdev,bdaddr_t * dst,u8 sec_level,u8 auth_type,enum conn_reasons conn_reason)1570 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
1571 				 u8 sec_level, u8 auth_type,
1572 				 enum conn_reasons conn_reason)
1573 {
1574 	struct hci_conn *acl;
1575 
1576 	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1577 		if (lmp_bredr_capable(hdev))
1578 			return ERR_PTR(-ECONNREFUSED);
1579 
1580 		return ERR_PTR(-EOPNOTSUPP);
1581 	}
1582 
1583 	/* Reject outgoing connection to device with same BD ADDR against
1584 	 * CVE-2020-26555
1585 	 */
1586 	if (!bacmp(&hdev->bdaddr, dst)) {
1587 		bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
1588 			   dst);
1589 		return ERR_PTR(-ECONNREFUSED);
1590 	}
1591 
1592 	acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
1593 	if (!acl) {
1594 		acl = hci_conn_add_unset(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
1595 		if (IS_ERR(acl))
1596 			return acl;
1597 	}
1598 
1599 	hci_conn_hold(acl);
1600 
1601 	acl->conn_reason = conn_reason;
1602 	if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
1603 		int err;
1604 
1605 		acl->sec_level = BT_SECURITY_LOW;
1606 		acl->pending_sec_level = sec_level;
1607 		acl->auth_type = auth_type;
1608 
1609 		err = hci_connect_acl_sync(hdev, acl);
1610 		if (err) {
1611 			hci_conn_del(acl);
1612 			return ERR_PTR(err);
1613 		}
1614 	}
1615 
1616 	return acl;
1617 }
1618 
hci_conn_link(struct hci_conn * parent,struct hci_conn * conn)1619 static struct hci_link *hci_conn_link(struct hci_conn *parent,
1620 				      struct hci_conn *conn)
1621 {
1622 	struct hci_dev *hdev = parent->hdev;
1623 	struct hci_link *link;
1624 
1625 	bt_dev_dbg(hdev, "parent %p hcon %p", parent, conn);
1626 
1627 	if (conn->link)
1628 		return conn->link;
1629 
1630 	if (conn->parent)
1631 		return NULL;
1632 
1633 	link = kzalloc(sizeof(*link), GFP_KERNEL);
1634 	if (!link)
1635 		return NULL;
1636 
1637 	link->conn = hci_conn_hold(conn);
1638 	conn->link = link;
1639 	conn->parent = hci_conn_get(parent);
1640 
1641 	/* Use list_add_tail_rcu append to the list */
1642 	list_add_tail_rcu(&link->list, &parent->link_list);
1643 
1644 	return link;
1645 }
1646 
hci_connect_sco(struct hci_dev * hdev,int type,bdaddr_t * dst,__u16 setting,struct bt_codec * codec)1647 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
1648 				 __u16 setting, struct bt_codec *codec)
1649 {
1650 	struct hci_conn *acl;
1651 	struct hci_conn *sco;
1652 	struct hci_link *link;
1653 
1654 	acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING,
1655 			      CONN_REASON_SCO_CONNECT);
1656 	if (IS_ERR(acl))
1657 		return acl;
1658 
1659 	sco = hci_conn_hash_lookup_ba(hdev, type, dst);
1660 	if (!sco) {
1661 		sco = hci_conn_add_unset(hdev, type, dst, HCI_ROLE_MASTER);
1662 		if (IS_ERR(sco)) {
1663 			hci_conn_drop(acl);
1664 			return sco;
1665 		}
1666 	}
1667 
1668 	link = hci_conn_link(acl, sco);
1669 	if (!link) {
1670 		hci_conn_drop(acl);
1671 		hci_conn_drop(sco);
1672 		return ERR_PTR(-ENOLINK);
1673 	}
1674 
1675 	sco->setting = setting;
1676 	sco->codec = *codec;
1677 
1678 	if (acl->state == BT_CONNECTED &&
1679 	    (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
1680 		set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
1681 		hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
1682 
1683 		if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
1684 			/* defer SCO setup until mode change completed */
1685 			set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
1686 			return sco;
1687 		}
1688 
1689 		hci_sco_setup(acl, 0x00);
1690 	}
1691 
1692 	return sco;
1693 }
1694 
hci_le_create_big(struct hci_conn * conn,struct bt_iso_qos * qos)1695 static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos)
1696 {
1697 	struct hci_dev *hdev = conn->hdev;
1698 	struct hci_cp_le_create_big cp;
1699 	struct iso_list_data data;
1700 
1701 	memset(&cp, 0, sizeof(cp));
1702 
1703 	data.big = qos->bcast.big;
1704 	data.bis = qos->bcast.bis;
1705 	data.count = 0;
1706 
1707 	/* Create a BIS for each bound connection */
1708 	hci_conn_hash_list_state(hdev, bis_list, ISO_LINK,
1709 				 BT_BOUND, &data);
1710 
1711 	cp.handle = qos->bcast.big;
1712 	cp.adv_handle = qos->bcast.bis;
1713 	cp.num_bis  = data.count;
1714 	hci_cpu_to_le24(qos->bcast.out.interval, cp.bis.sdu_interval);
1715 	cp.bis.sdu = cpu_to_le16(qos->bcast.out.sdu);
1716 	cp.bis.latency =  cpu_to_le16(qos->bcast.out.latency);
1717 	cp.bis.rtn  = qos->bcast.out.rtn;
1718 	cp.bis.phy  = qos->bcast.out.phy;
1719 	cp.bis.packing = qos->bcast.packing;
1720 	cp.bis.framing = qos->bcast.framing;
1721 	cp.bis.encryption = qos->bcast.encryption;
1722 	memcpy(cp.bis.bcode, qos->bcast.bcode, sizeof(cp.bis.bcode));
1723 
1724 	return hci_send_cmd(hdev, HCI_OP_LE_CREATE_BIG, sizeof(cp), &cp);
1725 }
1726 
set_cig_params_sync(struct hci_dev * hdev,void * data)1727 static int set_cig_params_sync(struct hci_dev *hdev, void *data)
1728 {
1729 	u8 cig_id = PTR_UINT(data);
1730 	struct hci_conn *conn;
1731 	struct bt_iso_qos *qos;
1732 	struct iso_cig_params pdu;
1733 	u8 cis_id;
1734 
1735 	conn = hci_conn_hash_lookup_cig(hdev, cig_id);
1736 	if (!conn)
1737 		return 0;
1738 
1739 	memset(&pdu, 0, sizeof(pdu));
1740 
1741 	qos = &conn->iso_qos;
1742 	pdu.cp.cig_id = cig_id;
1743 	hci_cpu_to_le24(qos->ucast.out.interval, pdu.cp.c_interval);
1744 	hci_cpu_to_le24(qos->ucast.in.interval, pdu.cp.p_interval);
1745 	pdu.cp.sca = qos->ucast.sca;
1746 	pdu.cp.packing = qos->ucast.packing;
1747 	pdu.cp.framing = qos->ucast.framing;
1748 	pdu.cp.c_latency = cpu_to_le16(qos->ucast.out.latency);
1749 	pdu.cp.p_latency = cpu_to_le16(qos->ucast.in.latency);
1750 
1751 	/* Reprogram all CIS(s) with the same CIG, valid range are:
1752 	 * num_cis: 0x00 to 0x1F
1753 	 * cis_id: 0x00 to 0xEF
1754 	 */
1755 	for (cis_id = 0x00; cis_id < 0xf0 &&
1756 	     pdu.cp.num_cis < ARRAY_SIZE(pdu.cis); cis_id++) {
1757 		struct hci_cis_params *cis;
1758 
1759 		conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, cig_id, cis_id);
1760 		if (!conn)
1761 			continue;
1762 
1763 		qos = &conn->iso_qos;
1764 
1765 		cis = &pdu.cis[pdu.cp.num_cis++];
1766 		cis->cis_id = cis_id;
1767 		cis->c_sdu  = cpu_to_le16(conn->iso_qos.ucast.out.sdu);
1768 		cis->p_sdu  = cpu_to_le16(conn->iso_qos.ucast.in.sdu);
1769 		cis->c_phy  = qos->ucast.out.phy ? qos->ucast.out.phy :
1770 			      qos->ucast.in.phy;
1771 		cis->p_phy  = qos->ucast.in.phy ? qos->ucast.in.phy :
1772 			      qos->ucast.out.phy;
1773 		cis->c_rtn  = qos->ucast.out.rtn;
1774 		cis->p_rtn  = qos->ucast.in.rtn;
1775 	}
1776 
1777 	if (!pdu.cp.num_cis)
1778 		return 0;
1779 
1780 	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_CIG_PARAMS,
1781 				     sizeof(pdu.cp) +
1782 				     pdu.cp.num_cis * sizeof(pdu.cis[0]), &pdu,
1783 				     HCI_CMD_TIMEOUT);
1784 }
1785 
hci_le_set_cig_params(struct hci_conn * conn,struct bt_iso_qos * qos)1786 static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos)
1787 {
1788 	struct hci_dev *hdev = conn->hdev;
1789 	struct iso_list_data data;
1790 
1791 	memset(&data, 0, sizeof(data));
1792 
1793 	/* Allocate first still reconfigurable CIG if not set */
1794 	if (qos->ucast.cig == BT_ISO_QOS_CIG_UNSET) {
1795 		for (data.cig = 0x00; data.cig < 0xf0; data.cig++) {
1796 			data.count = 0;
1797 
1798 			hci_conn_hash_list_state(hdev, find_cis, ISO_LINK,
1799 						 BT_CONNECT, &data);
1800 			if (data.count)
1801 				continue;
1802 
1803 			hci_conn_hash_list_state(hdev, find_cis, ISO_LINK,
1804 						 BT_CONNECTED, &data);
1805 			if (!data.count)
1806 				break;
1807 		}
1808 
1809 		if (data.cig == 0xf0)
1810 			return false;
1811 
1812 		/* Update CIG */
1813 		qos->ucast.cig = data.cig;
1814 	}
1815 
1816 	if (qos->ucast.cis != BT_ISO_QOS_CIS_UNSET) {
1817 		if (hci_conn_hash_lookup_cis(hdev, NULL, 0, qos->ucast.cig,
1818 					     qos->ucast.cis))
1819 			return false;
1820 		goto done;
1821 	}
1822 
1823 	/* Allocate first available CIS if not set */
1824 	for (data.cig = qos->ucast.cig, data.cis = 0x00; data.cis < 0xf0;
1825 	     data.cis++) {
1826 		if (!hci_conn_hash_lookup_cis(hdev, NULL, 0, data.cig,
1827 					      data.cis)) {
1828 			/* Update CIS */
1829 			qos->ucast.cis = data.cis;
1830 			break;
1831 		}
1832 	}
1833 
1834 	if (qos->ucast.cis == BT_ISO_QOS_CIS_UNSET)
1835 		return false;
1836 
1837 done:
1838 	if (hci_cmd_sync_queue(hdev, set_cig_params_sync,
1839 			       UINT_PTR(qos->ucast.cig), NULL) < 0)
1840 		return false;
1841 
1842 	return true;
1843 }
1844 
hci_bind_cis(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,struct bt_iso_qos * qos)1845 struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst,
1846 			      __u8 dst_type, struct bt_iso_qos *qos)
1847 {
1848 	struct hci_conn *cis;
1849 
1850 	cis = hci_conn_hash_lookup_cis(hdev, dst, dst_type, qos->ucast.cig,
1851 				       qos->ucast.cis);
1852 	if (!cis) {
1853 		cis = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_MASTER);
1854 		if (IS_ERR(cis))
1855 			return cis;
1856 		cis->cleanup = cis_cleanup;
1857 		cis->dst_type = dst_type;
1858 		cis->iso_qos.ucast.cig = BT_ISO_QOS_CIG_UNSET;
1859 		cis->iso_qos.ucast.cis = BT_ISO_QOS_CIS_UNSET;
1860 	}
1861 
1862 	if (cis->state == BT_CONNECTED)
1863 		return cis;
1864 
1865 	/* Check if CIS has been set and the settings matches */
1866 	if (cis->state == BT_BOUND &&
1867 	    !memcmp(&cis->iso_qos, qos, sizeof(*qos)))
1868 		return cis;
1869 
1870 	/* Update LINK PHYs according to QoS preference */
1871 	cis->le_tx_phy = qos->ucast.out.phy;
1872 	cis->le_rx_phy = qos->ucast.in.phy;
1873 
1874 	/* If output interval is not set use the input interval as it cannot be
1875 	 * 0x000000.
1876 	 */
1877 	if (!qos->ucast.out.interval)
1878 		qos->ucast.out.interval = qos->ucast.in.interval;
1879 
1880 	/* If input interval is not set use the output interval as it cannot be
1881 	 * 0x000000.
1882 	 */
1883 	if (!qos->ucast.in.interval)
1884 		qos->ucast.in.interval = qos->ucast.out.interval;
1885 
1886 	/* If output latency is not set use the input latency as it cannot be
1887 	 * 0x0000.
1888 	 */
1889 	if (!qos->ucast.out.latency)
1890 		qos->ucast.out.latency = qos->ucast.in.latency;
1891 
1892 	/* If input latency is not set use the output latency as it cannot be
1893 	 * 0x0000.
1894 	 */
1895 	if (!qos->ucast.in.latency)
1896 		qos->ucast.in.latency = qos->ucast.out.latency;
1897 
1898 	if (!hci_le_set_cig_params(cis, qos)) {
1899 		hci_conn_drop(cis);
1900 		return ERR_PTR(-EINVAL);
1901 	}
1902 
1903 	hci_conn_hold(cis);
1904 
1905 	cis->iso_qos = *qos;
1906 	cis->state = BT_BOUND;
1907 
1908 	return cis;
1909 }
1910 
hci_iso_setup_path(struct hci_conn * conn)1911 bool hci_iso_setup_path(struct hci_conn *conn)
1912 {
1913 	struct hci_dev *hdev = conn->hdev;
1914 	struct hci_cp_le_setup_iso_path cmd;
1915 
1916 	memset(&cmd, 0, sizeof(cmd));
1917 
1918 	if (conn->iso_qos.ucast.out.sdu) {
1919 		cmd.handle = cpu_to_le16(conn->handle);
1920 		cmd.direction = 0x00; /* Input (Host to Controller) */
1921 		cmd.path = 0x00; /* HCI path if enabled */
1922 		cmd.codec = 0x03; /* Transparent Data */
1923 
1924 		if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
1925 				 &cmd) < 0)
1926 			return false;
1927 	}
1928 
1929 	if (conn->iso_qos.ucast.in.sdu) {
1930 		cmd.handle = cpu_to_le16(conn->handle);
1931 		cmd.direction = 0x01; /* Output (Controller to Host) */
1932 		cmd.path = 0x00; /* HCI path if enabled */
1933 		cmd.codec = 0x03; /* Transparent Data */
1934 
1935 		if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
1936 				 &cmd) < 0)
1937 			return false;
1938 	}
1939 
1940 	return true;
1941 }
1942 
hci_conn_check_create_cis(struct hci_conn * conn)1943 int hci_conn_check_create_cis(struct hci_conn *conn)
1944 {
1945 	if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY))
1946 		return -EINVAL;
1947 
1948 	if (!conn->parent || conn->parent->state != BT_CONNECTED ||
1949 	    conn->state != BT_CONNECT || HCI_CONN_HANDLE_UNSET(conn->handle))
1950 		return 1;
1951 
1952 	return 0;
1953 }
1954 
hci_create_cis_sync(struct hci_dev * hdev,void * data)1955 static int hci_create_cis_sync(struct hci_dev *hdev, void *data)
1956 {
1957 	return hci_le_create_cis_sync(hdev);
1958 }
1959 
hci_le_create_cis_pending(struct hci_dev * hdev)1960 int hci_le_create_cis_pending(struct hci_dev *hdev)
1961 {
1962 	struct hci_conn *conn;
1963 	bool pending = false;
1964 
1965 	rcu_read_lock();
1966 
1967 	list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
1968 		if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) {
1969 			rcu_read_unlock();
1970 			return -EBUSY;
1971 		}
1972 
1973 		if (!hci_conn_check_create_cis(conn))
1974 			pending = true;
1975 	}
1976 
1977 	rcu_read_unlock();
1978 
1979 	if (!pending)
1980 		return 0;
1981 
1982 	/* Queue Create CIS */
1983 	return hci_cmd_sync_queue(hdev, hci_create_cis_sync, NULL, NULL);
1984 }
1985 
hci_iso_qos_setup(struct hci_dev * hdev,struct hci_conn * conn,struct bt_iso_io_qos * qos,__u8 phy)1986 static void hci_iso_qos_setup(struct hci_dev *hdev, struct hci_conn *conn,
1987 			      struct bt_iso_io_qos *qos, __u8 phy)
1988 {
1989 	/* Only set MTU if PHY is enabled */
1990 	if (!qos->sdu && qos->phy)
1991 		qos->sdu = conn->mtu;
1992 
1993 	/* Use the same PHY as ACL if set to any */
1994 	if (qos->phy == BT_ISO_PHY_ANY)
1995 		qos->phy = phy;
1996 
1997 	/* Use LE ACL connection interval if not set */
1998 	if (!qos->interval)
1999 		/* ACL interval unit in 1.25 ms to us */
2000 		qos->interval = conn->le_conn_interval * 1250;
2001 
2002 	/* Use LE ACL connection latency if not set */
2003 	if (!qos->latency)
2004 		qos->latency = conn->le_conn_latency;
2005 }
2006 
create_big_sync(struct hci_dev * hdev,void * data)2007 static int create_big_sync(struct hci_dev *hdev, void *data)
2008 {
2009 	struct hci_conn *conn = data;
2010 	struct bt_iso_qos *qos = &conn->iso_qos;
2011 	u16 interval, sync_interval = 0;
2012 	u32 flags = 0;
2013 	int err;
2014 
2015 	if (qos->bcast.out.phy == 0x02)
2016 		flags |= MGMT_ADV_FLAG_SEC_2M;
2017 
2018 	/* Align intervals */
2019 	interval = (qos->bcast.out.interval / 1250) * qos->bcast.sync_factor;
2020 
2021 	if (qos->bcast.bis)
2022 		sync_interval = interval * 4;
2023 
2024 	err = hci_start_per_adv_sync(hdev, qos->bcast.bis, conn->le_per_adv_data_len,
2025 				     conn->le_per_adv_data, flags, interval,
2026 				     interval, sync_interval);
2027 	if (err)
2028 		return err;
2029 
2030 	return hci_le_create_big(conn, &conn->iso_qos);
2031 }
2032 
create_pa_complete(struct hci_dev * hdev,void * data,int err)2033 static void create_pa_complete(struct hci_dev *hdev, void *data, int err)
2034 {
2035 	struct hci_cp_le_pa_create_sync *cp = data;
2036 
2037 	bt_dev_dbg(hdev, "");
2038 
2039 	if (err)
2040 		bt_dev_err(hdev, "Unable to create PA: %d", err);
2041 
2042 	kfree(cp);
2043 }
2044 
create_pa_sync(struct hci_dev * hdev,void * data)2045 static int create_pa_sync(struct hci_dev *hdev, void *data)
2046 {
2047 	struct hci_cp_le_pa_create_sync *cp = data;
2048 	int err;
2049 
2050 	err = __hci_cmd_sync_status(hdev, HCI_OP_LE_PA_CREATE_SYNC,
2051 				    sizeof(*cp), cp, HCI_CMD_TIMEOUT);
2052 	if (err) {
2053 		hci_dev_clear_flag(hdev, HCI_PA_SYNC);
2054 		return err;
2055 	}
2056 
2057 	return hci_update_passive_scan_sync(hdev);
2058 }
2059 
hci_pa_create_sync(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,__u8 sid,struct bt_iso_qos * qos)2060 int hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst, __u8 dst_type,
2061 		       __u8 sid, struct bt_iso_qos *qos)
2062 {
2063 	struct hci_cp_le_pa_create_sync *cp;
2064 
2065 	if (hci_dev_test_and_set_flag(hdev, HCI_PA_SYNC))
2066 		return -EBUSY;
2067 
2068 	cp = kzalloc(sizeof(*cp), GFP_KERNEL);
2069 	if (!cp) {
2070 		hci_dev_clear_flag(hdev, HCI_PA_SYNC);
2071 		return -ENOMEM;
2072 	}
2073 
2074 	cp->options = qos->bcast.options;
2075 	cp->sid = sid;
2076 	cp->addr_type = dst_type;
2077 	bacpy(&cp->addr, dst);
2078 	cp->skip = cpu_to_le16(qos->bcast.skip);
2079 	cp->sync_timeout = cpu_to_le16(qos->bcast.sync_timeout);
2080 	cp->sync_cte_type = qos->bcast.sync_cte_type;
2081 
2082 	/* Queue start pa_create_sync and scan */
2083 	return hci_cmd_sync_queue(hdev, create_pa_sync, cp, create_pa_complete);
2084 }
2085 
hci_le_big_create_sync(struct hci_dev * hdev,struct hci_conn * hcon,struct bt_iso_qos * qos,__u16 sync_handle,__u8 num_bis,__u8 bis[])2086 int hci_le_big_create_sync(struct hci_dev *hdev, struct hci_conn *hcon,
2087 			   struct bt_iso_qos *qos,
2088 			   __u16 sync_handle, __u8 num_bis, __u8 bis[])
2089 {
2090 	struct _packed {
2091 		struct hci_cp_le_big_create_sync cp;
2092 		__u8  bis[0x11];
2093 	} pdu;
2094 	int err;
2095 
2096 	if (num_bis > sizeof(pdu.bis))
2097 		return -EINVAL;
2098 
2099 	err = qos_set_big(hdev, qos);
2100 	if (err)
2101 		return err;
2102 
2103 	if (hcon)
2104 		hcon->iso_qos.bcast.big = qos->bcast.big;
2105 
2106 	memset(&pdu, 0, sizeof(pdu));
2107 	pdu.cp.handle = qos->bcast.big;
2108 	pdu.cp.sync_handle = cpu_to_le16(sync_handle);
2109 	pdu.cp.encryption = qos->bcast.encryption;
2110 	memcpy(pdu.cp.bcode, qos->bcast.bcode, sizeof(pdu.cp.bcode));
2111 	pdu.cp.mse = qos->bcast.mse;
2112 	pdu.cp.timeout = cpu_to_le16(qos->bcast.timeout);
2113 	pdu.cp.num_bis = num_bis;
2114 	memcpy(pdu.bis, bis, num_bis);
2115 
2116 	return hci_send_cmd(hdev, HCI_OP_LE_BIG_CREATE_SYNC,
2117 			    sizeof(pdu.cp) + num_bis, &pdu);
2118 }
2119 
create_big_complete(struct hci_dev * hdev,void * data,int err)2120 static void create_big_complete(struct hci_dev *hdev, void *data, int err)
2121 {
2122 	struct hci_conn *conn = data;
2123 
2124 	bt_dev_dbg(hdev, "conn %p", conn);
2125 
2126 	if (err) {
2127 		bt_dev_err(hdev, "Unable to create BIG: %d", err);
2128 		hci_connect_cfm(conn, err);
2129 		hci_conn_del(conn);
2130 	}
2131 }
2132 
hci_bind_bis(struct hci_dev * hdev,bdaddr_t * dst,struct bt_iso_qos * qos,__u8 base_len,__u8 * base)2133 struct hci_conn *hci_bind_bis(struct hci_dev *hdev, bdaddr_t *dst,
2134 			      struct bt_iso_qos *qos,
2135 			      __u8 base_len, __u8 *base)
2136 {
2137 	struct hci_conn *conn;
2138 	struct hci_conn *parent;
2139 	__u8 eir[HCI_MAX_PER_AD_LENGTH];
2140 	struct hci_link *link;
2141 
2142 	/* Look for any BIS that is open for rebinding */
2143 	conn = hci_conn_hash_lookup_big_state(hdev, qos->bcast.big, BT_OPEN);
2144 	if (conn) {
2145 		memcpy(qos, &conn->iso_qos, sizeof(*qos));
2146 		conn->state = BT_CONNECTED;
2147 		return conn;
2148 	}
2149 
2150 	if (base_len && base)
2151 		base_len = eir_append_service_data(eir, 0,  0x1851,
2152 						   base, base_len);
2153 
2154 	/* We need hci_conn object using the BDADDR_ANY as dst */
2155 	conn = hci_add_bis(hdev, dst, qos, base_len, eir);
2156 	if (IS_ERR(conn))
2157 		return conn;
2158 
2159 	/* Update LINK PHYs according to QoS preference */
2160 	conn->le_tx_phy = qos->bcast.out.phy;
2161 	conn->le_tx_phy = qos->bcast.out.phy;
2162 
2163 	/* Add Basic Announcement into Peridic Adv Data if BASE is set */
2164 	if (base_len && base) {
2165 		memcpy(conn->le_per_adv_data,  eir, sizeof(eir));
2166 		conn->le_per_adv_data_len = base_len;
2167 	}
2168 
2169 	hci_iso_qos_setup(hdev, conn, &qos->bcast.out,
2170 			  conn->le_tx_phy ? conn->le_tx_phy :
2171 			  hdev->le_tx_def_phys);
2172 
2173 	conn->iso_qos = *qos;
2174 	conn->state = BT_BOUND;
2175 
2176 	/* Link BISes together */
2177 	parent = hci_conn_hash_lookup_big(hdev,
2178 					  conn->iso_qos.bcast.big);
2179 	if (parent && parent != conn) {
2180 		link = hci_conn_link(parent, conn);
2181 		hci_conn_drop(conn);
2182 		if (!link)
2183 			return ERR_PTR(-ENOLINK);
2184 	}
2185 
2186 	return conn;
2187 }
2188 
bis_mark_per_adv(struct hci_conn * conn,void * data)2189 static void bis_mark_per_adv(struct hci_conn *conn, void *data)
2190 {
2191 	struct iso_list_data *d = data;
2192 
2193 	/* Skip if not broadcast/ANY address */
2194 	if (bacmp(&conn->dst, BDADDR_ANY))
2195 		return;
2196 
2197 	if (d->big != conn->iso_qos.bcast.big ||
2198 	    d->bis == BT_ISO_QOS_BIS_UNSET ||
2199 	    d->bis != conn->iso_qos.bcast.bis)
2200 		return;
2201 
2202 	set_bit(HCI_CONN_PER_ADV, &conn->flags);
2203 }
2204 
hci_connect_bis(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,struct bt_iso_qos * qos,__u8 base_len,__u8 * base)2205 struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst,
2206 				 __u8 dst_type, struct bt_iso_qos *qos,
2207 				 __u8 base_len, __u8 *base)
2208 {
2209 	struct hci_conn *conn;
2210 	int err;
2211 	struct iso_list_data data;
2212 
2213 	conn = hci_bind_bis(hdev, dst, qos, base_len, base);
2214 	if (IS_ERR(conn))
2215 		return conn;
2216 
2217 	if (conn->state == BT_CONNECTED)
2218 		return conn;
2219 
2220 	data.big = qos->bcast.big;
2221 	data.bis = qos->bcast.bis;
2222 
2223 	/* Set HCI_CONN_PER_ADV for all bound connections, to mark that
2224 	 * the start periodic advertising and create BIG commands have
2225 	 * been queued
2226 	 */
2227 	hci_conn_hash_list_state(hdev, bis_mark_per_adv, ISO_LINK,
2228 				 BT_BOUND, &data);
2229 
2230 	/* Queue start periodic advertising and create BIG */
2231 	err = hci_cmd_sync_queue(hdev, create_big_sync, conn,
2232 				 create_big_complete);
2233 	if (err < 0) {
2234 		hci_conn_drop(conn);
2235 		return ERR_PTR(err);
2236 	}
2237 
2238 	return conn;
2239 }
2240 
hci_connect_cis(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,struct bt_iso_qos * qos)2241 struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst,
2242 				 __u8 dst_type, struct bt_iso_qos *qos)
2243 {
2244 	struct hci_conn *le;
2245 	struct hci_conn *cis;
2246 	struct hci_link *link;
2247 
2248 	if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
2249 		le = hci_connect_le(hdev, dst, dst_type, false,
2250 				    BT_SECURITY_LOW,
2251 				    HCI_LE_CONN_TIMEOUT,
2252 				    HCI_ROLE_SLAVE);
2253 	else
2254 		le = hci_connect_le_scan(hdev, dst, dst_type,
2255 					 BT_SECURITY_LOW,
2256 					 HCI_LE_CONN_TIMEOUT,
2257 					 CONN_REASON_ISO_CONNECT);
2258 	if (IS_ERR(le))
2259 		return le;
2260 
2261 	hci_iso_qos_setup(hdev, le, &qos->ucast.out,
2262 			  le->le_tx_phy ? le->le_tx_phy : hdev->le_tx_def_phys);
2263 	hci_iso_qos_setup(hdev, le, &qos->ucast.in,
2264 			  le->le_rx_phy ? le->le_rx_phy : hdev->le_rx_def_phys);
2265 
2266 	cis = hci_bind_cis(hdev, dst, dst_type, qos);
2267 	if (IS_ERR(cis)) {
2268 		hci_conn_drop(le);
2269 		return cis;
2270 	}
2271 
2272 	link = hci_conn_link(le, cis);
2273 	hci_conn_drop(cis);
2274 	if (!link) {
2275 		hci_conn_drop(le);
2276 		return ERR_PTR(-ENOLINK);
2277 	}
2278 
2279 	cis->state = BT_CONNECT;
2280 
2281 	hci_le_create_cis_pending(hdev);
2282 
2283 	return cis;
2284 }
2285 
2286 /* Check link security requirement */
hci_conn_check_link_mode(struct hci_conn * conn)2287 int hci_conn_check_link_mode(struct hci_conn *conn)
2288 {
2289 	BT_DBG("hcon %p", conn);
2290 
2291 	/* In Secure Connections Only mode, it is required that Secure
2292 	 * Connections is used and the link is encrypted with AES-CCM
2293 	 * using a P-256 authenticated combination key.
2294 	 */
2295 	if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) {
2296 		if (!hci_conn_sc_enabled(conn) ||
2297 		    !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2298 		    conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
2299 			return 0;
2300 	}
2301 
2302 	 /* AES encryption is required for Level 4:
2303 	  *
2304 	  * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C
2305 	  * page 1319:
2306 	  *
2307 	  * 128-bit equivalent strength for link and encryption keys
2308 	  * required using FIPS approved algorithms (E0 not allowed,
2309 	  * SAFER+ not allowed, and P-192 not allowed; encryption key
2310 	  * not shortened)
2311 	  */
2312 	if (conn->sec_level == BT_SECURITY_FIPS &&
2313 	    !test_bit(HCI_CONN_AES_CCM, &conn->flags)) {
2314 		bt_dev_err(conn->hdev,
2315 			   "Invalid security: Missing AES-CCM usage");
2316 		return 0;
2317 	}
2318 
2319 	if (hci_conn_ssp_enabled(conn) &&
2320 	    !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2321 		return 0;
2322 
2323 	return 1;
2324 }
2325 
2326 /* Authenticate remote device */
hci_conn_auth(struct hci_conn * conn,__u8 sec_level,__u8 auth_type)2327 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
2328 {
2329 	BT_DBG("hcon %p", conn);
2330 
2331 	if (conn->pending_sec_level > sec_level)
2332 		sec_level = conn->pending_sec_level;
2333 
2334 	if (sec_level > conn->sec_level)
2335 		conn->pending_sec_level = sec_level;
2336 	else if (test_bit(HCI_CONN_AUTH, &conn->flags))
2337 		return 1;
2338 
2339 	/* Make sure we preserve an existing MITM requirement*/
2340 	auth_type |= (conn->auth_type & 0x01);
2341 
2342 	conn->auth_type = auth_type;
2343 
2344 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2345 		struct hci_cp_auth_requested cp;
2346 
2347 		cp.handle = cpu_to_le16(conn->handle);
2348 		hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
2349 			     sizeof(cp), &cp);
2350 
2351 		/* Set the ENCRYPT_PEND to trigger encryption after
2352 		 * authentication.
2353 		 */
2354 		if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2355 			set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2356 	}
2357 
2358 	return 0;
2359 }
2360 
2361 /* Encrypt the link */
hci_conn_encrypt(struct hci_conn * conn)2362 static void hci_conn_encrypt(struct hci_conn *conn)
2363 {
2364 	BT_DBG("hcon %p", conn);
2365 
2366 	if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2367 		struct hci_cp_set_conn_encrypt cp;
2368 		cp.handle  = cpu_to_le16(conn->handle);
2369 		cp.encrypt = 0x01;
2370 		hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2371 			     &cp);
2372 	}
2373 }
2374 
2375 /* Enable security */
hci_conn_security(struct hci_conn * conn,__u8 sec_level,__u8 auth_type,bool initiator)2376 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
2377 		      bool initiator)
2378 {
2379 	BT_DBG("hcon %p", conn);
2380 
2381 	if (conn->type == LE_LINK)
2382 		return smp_conn_security(conn, sec_level);
2383 
2384 	/* For sdp we don't need the link key. */
2385 	if (sec_level == BT_SECURITY_SDP)
2386 		return 1;
2387 
2388 	/* For non 2.1 devices and low security level we don't need the link
2389 	   key. */
2390 	if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
2391 		return 1;
2392 
2393 	/* For other security levels we need the link key. */
2394 	if (!test_bit(HCI_CONN_AUTH, &conn->flags))
2395 		goto auth;
2396 
2397 	switch (conn->key_type) {
2398 	case HCI_LK_AUTH_COMBINATION_P256:
2399 		/* An authenticated FIPS approved combination key has
2400 		 * sufficient security for security level 4 or lower.
2401 		 */
2402 		if (sec_level <= BT_SECURITY_FIPS)
2403 			goto encrypt;
2404 		break;
2405 	case HCI_LK_AUTH_COMBINATION_P192:
2406 		/* An authenticated combination key has sufficient security for
2407 		 * security level 3 or lower.
2408 		 */
2409 		if (sec_level <= BT_SECURITY_HIGH)
2410 			goto encrypt;
2411 		break;
2412 	case HCI_LK_UNAUTH_COMBINATION_P192:
2413 	case HCI_LK_UNAUTH_COMBINATION_P256:
2414 		/* An unauthenticated combination key has sufficient security
2415 		 * for security level 2 or lower.
2416 		 */
2417 		if (sec_level <= BT_SECURITY_MEDIUM)
2418 			goto encrypt;
2419 		break;
2420 	case HCI_LK_COMBINATION:
2421 		/* A combination key has always sufficient security for the
2422 		 * security levels 2 or lower. High security level requires the
2423 		 * combination key is generated using maximum PIN code length
2424 		 * (16). For pre 2.1 units.
2425 		 */
2426 		if (sec_level <= BT_SECURITY_MEDIUM || conn->pin_length == 16)
2427 			goto encrypt;
2428 		break;
2429 	default:
2430 		break;
2431 	}
2432 
2433 auth:
2434 	if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
2435 		return 0;
2436 
2437 	if (initiator)
2438 		set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2439 
2440 	if (!hci_conn_auth(conn, sec_level, auth_type))
2441 		return 0;
2442 
2443 encrypt:
2444 	if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) {
2445 		/* Ensure that the encryption key size has been read,
2446 		 * otherwise stall the upper layer responses.
2447 		 */
2448 		if (!conn->enc_key_size)
2449 			return 0;
2450 
2451 		/* Nothing else needed, all requirements are met */
2452 		return 1;
2453 	}
2454 
2455 	hci_conn_encrypt(conn);
2456 	return 0;
2457 }
2458 EXPORT_SYMBOL(hci_conn_security);
2459 
2460 /* Check secure link requirement */
hci_conn_check_secure(struct hci_conn * conn,__u8 sec_level)2461 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
2462 {
2463 	BT_DBG("hcon %p", conn);
2464 
2465 	/* Accept if non-secure or higher security level is required */
2466 	if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
2467 		return 1;
2468 
2469 	/* Accept if secure or higher security level is already present */
2470 	if (conn->sec_level == BT_SECURITY_HIGH ||
2471 	    conn->sec_level == BT_SECURITY_FIPS)
2472 		return 1;
2473 
2474 	/* Reject not secure link */
2475 	return 0;
2476 }
2477 EXPORT_SYMBOL(hci_conn_check_secure);
2478 
2479 /* Switch role */
hci_conn_switch_role(struct hci_conn * conn,__u8 role)2480 int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
2481 {
2482 	BT_DBG("hcon %p", conn);
2483 
2484 	if (role == conn->role)
2485 		return 1;
2486 
2487 	if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
2488 		struct hci_cp_switch_role cp;
2489 		bacpy(&cp.bdaddr, &conn->dst);
2490 		cp.role = role;
2491 		hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
2492 	}
2493 
2494 	return 0;
2495 }
2496 EXPORT_SYMBOL(hci_conn_switch_role);
2497 
2498 /* Enter active mode */
hci_conn_enter_active_mode(struct hci_conn * conn,__u8 force_active)2499 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
2500 {
2501 	struct hci_dev *hdev = conn->hdev;
2502 
2503 	BT_DBG("hcon %p mode %d", conn, conn->mode);
2504 
2505 	if (conn->mode != HCI_CM_SNIFF)
2506 		goto timer;
2507 
2508 	if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
2509 		goto timer;
2510 
2511 	if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
2512 		struct hci_cp_exit_sniff_mode cp;
2513 		cp.handle = cpu_to_le16(conn->handle);
2514 		hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
2515 	}
2516 
2517 timer:
2518 	if (hdev->idle_timeout > 0)
2519 		queue_delayed_work(hdev->workqueue, &conn->idle_work,
2520 				   msecs_to_jiffies(hdev->idle_timeout));
2521 }
2522 
2523 /* Drop all connection on the device */
hci_conn_hash_flush(struct hci_dev * hdev)2524 void hci_conn_hash_flush(struct hci_dev *hdev)
2525 {
2526 	struct list_head *head = &hdev->conn_hash.list;
2527 	struct hci_conn *conn;
2528 
2529 	BT_DBG("hdev %s", hdev->name);
2530 
2531 	/* We should not traverse the list here, because hci_conn_del
2532 	 * can remove extra links, which may cause the list traversal
2533 	 * to hit items that have already been released.
2534 	 */
2535 	while ((conn = list_first_entry_or_null(head,
2536 						struct hci_conn,
2537 						list)) != NULL) {
2538 		conn->state = BT_CLOSED;
2539 		hci_disconn_cfm(conn, HCI_ERROR_LOCAL_HOST_TERM);
2540 		hci_conn_del(conn);
2541 	}
2542 }
2543 
get_link_mode(struct hci_conn * conn)2544 static u32 get_link_mode(struct hci_conn *conn)
2545 {
2546 	u32 link_mode = 0;
2547 
2548 	if (conn->role == HCI_ROLE_MASTER)
2549 		link_mode |= HCI_LM_MASTER;
2550 
2551 	if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2552 		link_mode |= HCI_LM_ENCRYPT;
2553 
2554 	if (test_bit(HCI_CONN_AUTH, &conn->flags))
2555 		link_mode |= HCI_LM_AUTH;
2556 
2557 	if (test_bit(HCI_CONN_SECURE, &conn->flags))
2558 		link_mode |= HCI_LM_SECURE;
2559 
2560 	if (test_bit(HCI_CONN_FIPS, &conn->flags))
2561 		link_mode |= HCI_LM_FIPS;
2562 
2563 	return link_mode;
2564 }
2565 
hci_get_conn_list(void __user * arg)2566 int hci_get_conn_list(void __user *arg)
2567 {
2568 	struct hci_conn *c;
2569 	struct hci_conn_list_req req, *cl;
2570 	struct hci_conn_info *ci;
2571 	struct hci_dev *hdev;
2572 	int n = 0, size, err;
2573 
2574 	if (copy_from_user(&req, arg, sizeof(req)))
2575 		return -EFAULT;
2576 
2577 	if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
2578 		return -EINVAL;
2579 
2580 	size = sizeof(req) + req.conn_num * sizeof(*ci);
2581 
2582 	cl = kmalloc(size, GFP_KERNEL);
2583 	if (!cl)
2584 		return -ENOMEM;
2585 
2586 	hdev = hci_dev_get(req.dev_id);
2587 	if (!hdev) {
2588 		kfree(cl);
2589 		return -ENODEV;
2590 	}
2591 
2592 	ci = cl->conn_info;
2593 
2594 	hci_dev_lock(hdev);
2595 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
2596 		bacpy(&(ci + n)->bdaddr, &c->dst);
2597 		(ci + n)->handle = c->handle;
2598 		(ci + n)->type  = c->type;
2599 		(ci + n)->out   = c->out;
2600 		(ci + n)->state = c->state;
2601 		(ci + n)->link_mode = get_link_mode(c);
2602 		if (++n >= req.conn_num)
2603 			break;
2604 	}
2605 	hci_dev_unlock(hdev);
2606 
2607 	cl->dev_id = hdev->id;
2608 	cl->conn_num = n;
2609 	size = sizeof(req) + n * sizeof(*ci);
2610 
2611 	hci_dev_put(hdev);
2612 
2613 	err = copy_to_user(arg, cl, size);
2614 	kfree(cl);
2615 
2616 	return err ? -EFAULT : 0;
2617 }
2618 
hci_get_conn_info(struct hci_dev * hdev,void __user * arg)2619 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
2620 {
2621 	struct hci_conn_info_req req;
2622 	struct hci_conn_info ci;
2623 	struct hci_conn *conn;
2624 	char __user *ptr = arg + sizeof(req);
2625 
2626 	if (copy_from_user(&req, arg, sizeof(req)))
2627 		return -EFAULT;
2628 
2629 	hci_dev_lock(hdev);
2630 	conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
2631 	if (conn) {
2632 		bacpy(&ci.bdaddr, &conn->dst);
2633 		ci.handle = conn->handle;
2634 		ci.type  = conn->type;
2635 		ci.out   = conn->out;
2636 		ci.state = conn->state;
2637 		ci.link_mode = get_link_mode(conn);
2638 	}
2639 	hci_dev_unlock(hdev);
2640 
2641 	if (!conn)
2642 		return -ENOENT;
2643 
2644 	return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
2645 }
2646 
hci_get_auth_info(struct hci_dev * hdev,void __user * arg)2647 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
2648 {
2649 	struct hci_auth_info_req req;
2650 	struct hci_conn *conn;
2651 
2652 	if (copy_from_user(&req, arg, sizeof(req)))
2653 		return -EFAULT;
2654 
2655 	hci_dev_lock(hdev);
2656 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
2657 	if (conn)
2658 		req.type = conn->auth_type;
2659 	hci_dev_unlock(hdev);
2660 
2661 	if (!conn)
2662 		return -ENOENT;
2663 
2664 	return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
2665 }
2666 
hci_chan_create(struct hci_conn * conn)2667 struct hci_chan *hci_chan_create(struct hci_conn *conn)
2668 {
2669 	struct hci_dev *hdev = conn->hdev;
2670 	struct hci_chan *chan;
2671 
2672 	BT_DBG("%s hcon %p", hdev->name, conn);
2673 
2674 	if (test_bit(HCI_CONN_DROP, &conn->flags)) {
2675 		BT_DBG("Refusing to create new hci_chan");
2676 		return NULL;
2677 	}
2678 
2679 	chan = kzalloc(sizeof(*chan), GFP_KERNEL);
2680 	if (!chan)
2681 		return NULL;
2682 
2683 	chan->conn = hci_conn_get(conn);
2684 	skb_queue_head_init(&chan->data_q);
2685 	chan->state = BT_CONNECTED;
2686 
2687 	list_add_rcu(&chan->list, &conn->chan_list);
2688 
2689 	return chan;
2690 }
2691 
hci_chan_del(struct hci_chan * chan)2692 void hci_chan_del(struct hci_chan *chan)
2693 {
2694 	struct hci_conn *conn = chan->conn;
2695 	struct hci_dev *hdev = conn->hdev;
2696 
2697 	BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
2698 
2699 	list_del_rcu(&chan->list);
2700 
2701 	synchronize_rcu();
2702 
2703 	/* Prevent new hci_chan's to be created for this hci_conn */
2704 	set_bit(HCI_CONN_DROP, &conn->flags);
2705 
2706 	hci_conn_put(conn);
2707 
2708 	skb_queue_purge(&chan->data_q);
2709 	kfree(chan);
2710 }
2711 
hci_chan_list_flush(struct hci_conn * conn)2712 void hci_chan_list_flush(struct hci_conn *conn)
2713 {
2714 	struct hci_chan *chan, *n;
2715 
2716 	BT_DBG("hcon %p", conn);
2717 
2718 	list_for_each_entry_safe(chan, n, &conn->chan_list, list)
2719 		hci_chan_del(chan);
2720 }
2721 
__hci_chan_lookup_handle(struct hci_conn * hcon,__u16 handle)2722 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
2723 						 __u16 handle)
2724 {
2725 	struct hci_chan *hchan;
2726 
2727 	list_for_each_entry(hchan, &hcon->chan_list, list) {
2728 		if (hchan->handle == handle)
2729 			return hchan;
2730 	}
2731 
2732 	return NULL;
2733 }
2734 
hci_chan_lookup_handle(struct hci_dev * hdev,__u16 handle)2735 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
2736 {
2737 	struct hci_conn_hash *h = &hdev->conn_hash;
2738 	struct hci_conn *hcon;
2739 	struct hci_chan *hchan = NULL;
2740 
2741 	rcu_read_lock();
2742 
2743 	list_for_each_entry_rcu(hcon, &h->list, list) {
2744 		hchan = __hci_chan_lookup_handle(hcon, handle);
2745 		if (hchan)
2746 			break;
2747 	}
2748 
2749 	rcu_read_unlock();
2750 
2751 	return hchan;
2752 }
2753 
hci_conn_get_phy(struct hci_conn * conn)2754 u32 hci_conn_get_phy(struct hci_conn *conn)
2755 {
2756 	u32 phys = 0;
2757 
2758 	/* BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part B page 471:
2759 	 * Table 6.2: Packets defined for synchronous, asynchronous, and
2760 	 * CPB logical transport types.
2761 	 */
2762 	switch (conn->type) {
2763 	case SCO_LINK:
2764 		/* SCO logical transport (1 Mb/s):
2765 		 * HV1, HV2, HV3 and DV.
2766 		 */
2767 		phys |= BT_PHY_BR_1M_1SLOT;
2768 
2769 		break;
2770 
2771 	case ACL_LINK:
2772 		/* ACL logical transport (1 Mb/s) ptt=0:
2773 		 * DH1, DM3, DH3, DM5 and DH5.
2774 		 */
2775 		phys |= BT_PHY_BR_1M_1SLOT;
2776 
2777 		if (conn->pkt_type & (HCI_DM3 | HCI_DH3))
2778 			phys |= BT_PHY_BR_1M_3SLOT;
2779 
2780 		if (conn->pkt_type & (HCI_DM5 | HCI_DH5))
2781 			phys |= BT_PHY_BR_1M_5SLOT;
2782 
2783 		/* ACL logical transport (2 Mb/s) ptt=1:
2784 		 * 2-DH1, 2-DH3 and 2-DH5.
2785 		 */
2786 		if (!(conn->pkt_type & HCI_2DH1))
2787 			phys |= BT_PHY_EDR_2M_1SLOT;
2788 
2789 		if (!(conn->pkt_type & HCI_2DH3))
2790 			phys |= BT_PHY_EDR_2M_3SLOT;
2791 
2792 		if (!(conn->pkt_type & HCI_2DH5))
2793 			phys |= BT_PHY_EDR_2M_5SLOT;
2794 
2795 		/* ACL logical transport (3 Mb/s) ptt=1:
2796 		 * 3-DH1, 3-DH3 and 3-DH5.
2797 		 */
2798 		if (!(conn->pkt_type & HCI_3DH1))
2799 			phys |= BT_PHY_EDR_3M_1SLOT;
2800 
2801 		if (!(conn->pkt_type & HCI_3DH3))
2802 			phys |= BT_PHY_EDR_3M_3SLOT;
2803 
2804 		if (!(conn->pkt_type & HCI_3DH5))
2805 			phys |= BT_PHY_EDR_3M_5SLOT;
2806 
2807 		break;
2808 
2809 	case ESCO_LINK:
2810 		/* eSCO logical transport (1 Mb/s): EV3, EV4 and EV5 */
2811 		phys |= BT_PHY_BR_1M_1SLOT;
2812 
2813 		if (!(conn->pkt_type & (ESCO_EV4 | ESCO_EV5)))
2814 			phys |= BT_PHY_BR_1M_3SLOT;
2815 
2816 		/* eSCO logical transport (2 Mb/s): 2-EV3, 2-EV5 */
2817 		if (!(conn->pkt_type & ESCO_2EV3))
2818 			phys |= BT_PHY_EDR_2M_1SLOT;
2819 
2820 		if (!(conn->pkt_type & ESCO_2EV5))
2821 			phys |= BT_PHY_EDR_2M_3SLOT;
2822 
2823 		/* eSCO logical transport (3 Mb/s): 3-EV3, 3-EV5 */
2824 		if (!(conn->pkt_type & ESCO_3EV3))
2825 			phys |= BT_PHY_EDR_3M_1SLOT;
2826 
2827 		if (!(conn->pkt_type & ESCO_3EV5))
2828 			phys |= BT_PHY_EDR_3M_3SLOT;
2829 
2830 		break;
2831 
2832 	case LE_LINK:
2833 		if (conn->le_tx_phy & HCI_LE_SET_PHY_1M)
2834 			phys |= BT_PHY_LE_1M_TX;
2835 
2836 		if (conn->le_rx_phy & HCI_LE_SET_PHY_1M)
2837 			phys |= BT_PHY_LE_1M_RX;
2838 
2839 		if (conn->le_tx_phy & HCI_LE_SET_PHY_2M)
2840 			phys |= BT_PHY_LE_2M_TX;
2841 
2842 		if (conn->le_rx_phy & HCI_LE_SET_PHY_2M)
2843 			phys |= BT_PHY_LE_2M_RX;
2844 
2845 		if (conn->le_tx_phy & HCI_LE_SET_PHY_CODED)
2846 			phys |= BT_PHY_LE_CODED_TX;
2847 
2848 		if (conn->le_rx_phy & HCI_LE_SET_PHY_CODED)
2849 			phys |= BT_PHY_LE_CODED_RX;
2850 
2851 		break;
2852 	}
2853 
2854 	return phys;
2855 }
2856 
abort_conn_sync(struct hci_dev * hdev,void * data)2857 static int abort_conn_sync(struct hci_dev *hdev, void *data)
2858 {
2859 	struct hci_conn *conn = data;
2860 
2861 	if (!hci_conn_valid(hdev, conn))
2862 		return -ECANCELED;
2863 
2864 	return hci_abort_conn_sync(hdev, conn, conn->abort_reason);
2865 }
2866 
hci_abort_conn(struct hci_conn * conn,u8 reason)2867 int hci_abort_conn(struct hci_conn *conn, u8 reason)
2868 {
2869 	struct hci_dev *hdev = conn->hdev;
2870 
2871 	/* If abort_reason has already been set it means the connection is
2872 	 * already being aborted so don't attempt to overwrite it.
2873 	 */
2874 	if (conn->abort_reason)
2875 		return 0;
2876 
2877 	bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason);
2878 
2879 	conn->abort_reason = reason;
2880 
2881 	/* If the connection is pending check the command opcode since that
2882 	 * might be blocking on hci_cmd_sync_work while waiting its respective
2883 	 * event so we need to hci_cmd_sync_cancel to cancel it.
2884 	 *
2885 	 * hci_connect_le serializes the connection attempts so only one
2886 	 * connection can be in BT_CONNECT at time.
2887 	 */
2888 	if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) {
2889 		switch (hci_skb_event(hdev->sent_cmd)) {
2890 		case HCI_EV_CONN_COMPLETE:
2891 		case HCI_EV_LE_CONN_COMPLETE:
2892 		case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
2893 		case HCI_EVT_LE_CIS_ESTABLISHED:
2894 			hci_cmd_sync_cancel(hdev, ECANCELED);
2895 			break;
2896 		}
2897 	/* Cancel connect attempt if still queued/pending */
2898 	} else if (!hci_cancel_connect_sync(hdev, conn)) {
2899 		return 0;
2900 	}
2901 
2902 	/* Run immediately if on cmd_sync_work since this may be called
2903 	 * as a result to MGMT_OP_DISCONNECT/MGMT_OP_UNPAIR which does
2904 	 * already queue its callback on cmd_sync_work.
2905 	 */
2906 	return hci_cmd_sync_run_once(hdev, abort_conn_sync, conn, NULL);
2907 }
2908