1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4 Copyright 2023 NXP
5
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
11
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
24 */
25
26 /* Bluetooth HCI connection handling. */
27
28 #include <linux/export.h>
29 #include <linux/debugfs.h>
30
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/iso.h>
35 #include <net/bluetooth/mgmt.h>
36
37 #include "hci_request.h"
38 #include "smp.h"
39 #include "eir.h"
40
41 struct sco_param {
42 u16 pkt_type;
43 u16 max_latency;
44 u8 retrans_effort;
45 };
46
47 struct conn_handle_t {
48 struct hci_conn *conn;
49 __u16 handle;
50 };
51
52 static const struct sco_param esco_param_cvsd[] = {
53 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */
54 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */
55 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */
56 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */
57 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */
58 };
59
60 static const struct sco_param sco_param_cvsd[] = {
61 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */
62 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */
63 };
64
65 static const struct sco_param esco_param_msbc[] = {
66 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */
67 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */
68 };
69
70 /* This function requires the caller holds hdev->lock */
hci_connect_le_scan_cleanup(struct hci_conn * conn,u8 status)71 void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
72 {
73 struct hci_conn_params *params;
74 struct hci_dev *hdev = conn->hdev;
75 struct smp_irk *irk;
76 bdaddr_t *bdaddr;
77 u8 bdaddr_type;
78
79 bdaddr = &conn->dst;
80 bdaddr_type = conn->dst_type;
81
82 /* Check if we need to convert to identity address */
83 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
84 if (irk) {
85 bdaddr = &irk->bdaddr;
86 bdaddr_type = irk->addr_type;
87 }
88
89 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr,
90 bdaddr_type);
91 if (!params)
92 return;
93
94 if (params->conn) {
95 hci_conn_drop(params->conn);
96 hci_conn_put(params->conn);
97 params->conn = NULL;
98 }
99
100 if (!params->explicit_connect)
101 return;
102
103 /* If the status indicates successful cancellation of
104 * the attempt (i.e. Unknown Connection Id) there's no point of
105 * notifying failure since we'll go back to keep trying to
106 * connect. The only exception is explicit connect requests
107 * where a timeout + cancel does indicate an actual failure.
108 */
109 if (status && status != HCI_ERROR_UNKNOWN_CONN_ID)
110 mgmt_connect_failed(hdev, conn, status);
111
112 /* The connection attempt was doing scan for new RPA, and is
113 * in scan phase. If params are not associated with any other
114 * autoconnect action, remove them completely. If they are, just unmark
115 * them as waiting for connection, by clearing explicit_connect field.
116 */
117 params->explicit_connect = false;
118
119 hci_pend_le_list_del_init(params);
120
121 switch (params->auto_connect) {
122 case HCI_AUTO_CONN_EXPLICIT:
123 hci_conn_params_del(hdev, bdaddr, bdaddr_type);
124 /* return instead of break to avoid duplicate scan update */
125 return;
126 case HCI_AUTO_CONN_DIRECT:
127 case HCI_AUTO_CONN_ALWAYS:
128 hci_pend_le_list_add(params, &hdev->pend_le_conns);
129 break;
130 case HCI_AUTO_CONN_REPORT:
131 hci_pend_le_list_add(params, &hdev->pend_le_reports);
132 break;
133 default:
134 break;
135 }
136
137 hci_update_passive_scan(hdev);
138 }
139
hci_conn_cleanup(struct hci_conn * conn)140 static void hci_conn_cleanup(struct hci_conn *conn)
141 {
142 struct hci_dev *hdev = conn->hdev;
143
144 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
145 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);
146
147 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
148 hci_remove_link_key(hdev, &conn->dst);
149
150 hci_chan_list_flush(conn);
151
152 hci_conn_hash_del(hdev, conn);
153
154 if (HCI_CONN_HANDLE_UNSET(conn->handle))
155 ida_free(&hdev->unset_handle_ida, conn->handle);
156
157 if (conn->cleanup)
158 conn->cleanup(conn);
159
160 if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
161 switch (conn->setting & SCO_AIRMODE_MASK) {
162 case SCO_AIRMODE_CVSD:
163 case SCO_AIRMODE_TRANSP:
164 if (hdev->notify)
165 hdev->notify(hdev, HCI_NOTIFY_DISABLE_SCO);
166 break;
167 }
168 } else {
169 if (hdev->notify)
170 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
171 }
172
173 debugfs_remove_recursive(conn->debugfs);
174
175 hci_conn_del_sysfs(conn);
176
177 hci_dev_put(hdev);
178 }
179
hci_disconnect(struct hci_conn * conn,__u8 reason)180 int hci_disconnect(struct hci_conn *conn, __u8 reason)
181 {
182 BT_DBG("hcon %p", conn);
183
184 /* When we are central of an established connection and it enters
185 * the disconnect timeout, then go ahead and try to read the
186 * current clock offset. Processing of the result is done
187 * within the event handling and hci_clock_offset_evt function.
188 */
189 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER &&
190 (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) {
191 struct hci_dev *hdev = conn->hdev;
192 struct hci_cp_read_clock_offset clkoff_cp;
193
194 clkoff_cp.handle = cpu_to_le16(conn->handle);
195 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp),
196 &clkoff_cp);
197 }
198
199 return hci_abort_conn(conn, reason);
200 }
201
hci_add_sco(struct hci_conn * conn,__u16 handle)202 static void hci_add_sco(struct hci_conn *conn, __u16 handle)
203 {
204 struct hci_dev *hdev = conn->hdev;
205 struct hci_cp_add_sco cp;
206
207 BT_DBG("hcon %p", conn);
208
209 conn->state = BT_CONNECT;
210 conn->out = true;
211
212 conn->attempt++;
213
214 cp.handle = cpu_to_le16(handle);
215 cp.pkt_type = cpu_to_le16(conn->pkt_type);
216
217 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
218 }
219
find_next_esco_param(struct hci_conn * conn,const struct sco_param * esco_param,int size)220 static bool find_next_esco_param(struct hci_conn *conn,
221 const struct sco_param *esco_param, int size)
222 {
223 if (!conn->parent)
224 return false;
225
226 for (; conn->attempt <= size; conn->attempt++) {
227 if (lmp_esco_2m_capable(conn->parent) ||
228 (esco_param[conn->attempt - 1].pkt_type & ESCO_2EV3))
229 break;
230 BT_DBG("hcon %p skipped attempt %d, eSCO 2M not supported",
231 conn, conn->attempt);
232 }
233
234 return conn->attempt <= size;
235 }
236
configure_datapath_sync(struct hci_dev * hdev,struct bt_codec * codec)237 static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec)
238 {
239 int err;
240 __u8 vnd_len, *vnd_data = NULL;
241 struct hci_op_configure_data_path *cmd = NULL;
242
243 if (!codec->data_path || !hdev->get_codec_config_data)
244 return 0;
245
246 /* Do not take me as error */
247 if (!hdev->get_codec_config_data)
248 return 0;
249
250 err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len,
251 &vnd_data);
252 if (err < 0)
253 goto error;
254
255 cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL);
256 if (!cmd) {
257 err = -ENOMEM;
258 goto error;
259 }
260
261 err = hdev->get_data_path_id(hdev, &cmd->data_path_id);
262 if (err < 0)
263 goto error;
264
265 cmd->vnd_len = vnd_len;
266 memcpy(cmd->vnd_data, vnd_data, vnd_len);
267
268 cmd->direction = 0x00;
269 __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
270 sizeof(*cmd) + vnd_len, cmd, HCI_CMD_TIMEOUT);
271
272 cmd->direction = 0x01;
273 err = __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
274 sizeof(*cmd) + vnd_len, cmd,
275 HCI_CMD_TIMEOUT);
276 error:
277
278 kfree(cmd);
279 kfree(vnd_data);
280 return err;
281 }
282
hci_enhanced_setup_sync(struct hci_dev * hdev,void * data)283 static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data)
284 {
285 struct conn_handle_t *conn_handle = data;
286 struct hci_conn *conn = conn_handle->conn;
287 __u16 handle = conn_handle->handle;
288 struct hci_cp_enhanced_setup_sync_conn cp;
289 const struct sco_param *param;
290
291 kfree(conn_handle);
292
293 if (!hci_conn_valid(hdev, conn))
294 return -ECANCELED;
295
296 bt_dev_dbg(hdev, "hcon %p", conn);
297
298 configure_datapath_sync(hdev, &conn->codec);
299
300 conn->state = BT_CONNECT;
301 conn->out = true;
302
303 conn->attempt++;
304
305 memset(&cp, 0x00, sizeof(cp));
306
307 cp.handle = cpu_to_le16(handle);
308
309 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
310 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
311
312 switch (conn->codec.id) {
313 case BT_CODEC_MSBC:
314 if (!find_next_esco_param(conn, esco_param_msbc,
315 ARRAY_SIZE(esco_param_msbc)))
316 return -EINVAL;
317
318 param = &esco_param_msbc[conn->attempt - 1];
319 cp.tx_coding_format.id = 0x05;
320 cp.rx_coding_format.id = 0x05;
321 cp.tx_codec_frame_size = __cpu_to_le16(60);
322 cp.rx_codec_frame_size = __cpu_to_le16(60);
323 cp.in_bandwidth = __cpu_to_le32(32000);
324 cp.out_bandwidth = __cpu_to_le32(32000);
325 cp.in_coding_format.id = 0x04;
326 cp.out_coding_format.id = 0x04;
327 cp.in_coded_data_size = __cpu_to_le16(16);
328 cp.out_coded_data_size = __cpu_to_le16(16);
329 cp.in_pcm_data_format = 2;
330 cp.out_pcm_data_format = 2;
331 cp.in_pcm_sample_payload_msb_pos = 0;
332 cp.out_pcm_sample_payload_msb_pos = 0;
333 cp.in_data_path = conn->codec.data_path;
334 cp.out_data_path = conn->codec.data_path;
335 cp.in_transport_unit_size = 1;
336 cp.out_transport_unit_size = 1;
337 break;
338
339 case BT_CODEC_TRANSPARENT:
340 if (!find_next_esco_param(conn, esco_param_msbc,
341 ARRAY_SIZE(esco_param_msbc)))
342 return false;
343 param = &esco_param_msbc[conn->attempt - 1];
344 cp.tx_coding_format.id = 0x03;
345 cp.rx_coding_format.id = 0x03;
346 cp.tx_codec_frame_size = __cpu_to_le16(60);
347 cp.rx_codec_frame_size = __cpu_to_le16(60);
348 cp.in_bandwidth = __cpu_to_le32(0x1f40);
349 cp.out_bandwidth = __cpu_to_le32(0x1f40);
350 cp.in_coding_format.id = 0x03;
351 cp.out_coding_format.id = 0x03;
352 cp.in_coded_data_size = __cpu_to_le16(16);
353 cp.out_coded_data_size = __cpu_to_le16(16);
354 cp.in_pcm_data_format = 2;
355 cp.out_pcm_data_format = 2;
356 cp.in_pcm_sample_payload_msb_pos = 0;
357 cp.out_pcm_sample_payload_msb_pos = 0;
358 cp.in_data_path = conn->codec.data_path;
359 cp.out_data_path = conn->codec.data_path;
360 cp.in_transport_unit_size = 1;
361 cp.out_transport_unit_size = 1;
362 break;
363
364 case BT_CODEC_CVSD:
365 if (conn->parent && lmp_esco_capable(conn->parent)) {
366 if (!find_next_esco_param(conn, esco_param_cvsd,
367 ARRAY_SIZE(esco_param_cvsd)))
368 return -EINVAL;
369 param = &esco_param_cvsd[conn->attempt - 1];
370 } else {
371 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
372 return -EINVAL;
373 param = &sco_param_cvsd[conn->attempt - 1];
374 }
375 cp.tx_coding_format.id = 2;
376 cp.rx_coding_format.id = 2;
377 cp.tx_codec_frame_size = __cpu_to_le16(60);
378 cp.rx_codec_frame_size = __cpu_to_le16(60);
379 cp.in_bandwidth = __cpu_to_le32(16000);
380 cp.out_bandwidth = __cpu_to_le32(16000);
381 cp.in_coding_format.id = 4;
382 cp.out_coding_format.id = 4;
383 cp.in_coded_data_size = __cpu_to_le16(16);
384 cp.out_coded_data_size = __cpu_to_le16(16);
385 cp.in_pcm_data_format = 2;
386 cp.out_pcm_data_format = 2;
387 cp.in_pcm_sample_payload_msb_pos = 0;
388 cp.out_pcm_sample_payload_msb_pos = 0;
389 cp.in_data_path = conn->codec.data_path;
390 cp.out_data_path = conn->codec.data_path;
391 cp.in_transport_unit_size = 16;
392 cp.out_transport_unit_size = 16;
393 break;
394 default:
395 return -EINVAL;
396 }
397
398 cp.retrans_effort = param->retrans_effort;
399 cp.pkt_type = __cpu_to_le16(param->pkt_type);
400 cp.max_latency = __cpu_to_le16(param->max_latency);
401
402 if (hci_send_cmd(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
403 return -EIO;
404
405 return 0;
406 }
407
hci_setup_sync_conn(struct hci_conn * conn,__u16 handle)408 static bool hci_setup_sync_conn(struct hci_conn *conn, __u16 handle)
409 {
410 struct hci_dev *hdev = conn->hdev;
411 struct hci_cp_setup_sync_conn cp;
412 const struct sco_param *param;
413
414 bt_dev_dbg(hdev, "hcon %p", conn);
415
416 conn->state = BT_CONNECT;
417 conn->out = true;
418
419 conn->attempt++;
420
421 cp.handle = cpu_to_le16(handle);
422
423 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
424 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
425 cp.voice_setting = cpu_to_le16(conn->setting);
426
427 switch (conn->setting & SCO_AIRMODE_MASK) {
428 case SCO_AIRMODE_TRANSP:
429 if (!find_next_esco_param(conn, esco_param_msbc,
430 ARRAY_SIZE(esco_param_msbc)))
431 return false;
432 param = &esco_param_msbc[conn->attempt - 1];
433 break;
434 case SCO_AIRMODE_CVSD:
435 if (conn->parent && lmp_esco_capable(conn->parent)) {
436 if (!find_next_esco_param(conn, esco_param_cvsd,
437 ARRAY_SIZE(esco_param_cvsd)))
438 return false;
439 param = &esco_param_cvsd[conn->attempt - 1];
440 } else {
441 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
442 return false;
443 param = &sco_param_cvsd[conn->attempt - 1];
444 }
445 break;
446 default:
447 return false;
448 }
449
450 cp.retrans_effort = param->retrans_effort;
451 cp.pkt_type = __cpu_to_le16(param->pkt_type);
452 cp.max_latency = __cpu_to_le16(param->max_latency);
453
454 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
455 return false;
456
457 return true;
458 }
459
hci_setup_sync(struct hci_conn * conn,__u16 handle)460 bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
461 {
462 int result;
463 struct conn_handle_t *conn_handle;
464
465 if (enhanced_sync_conn_capable(conn->hdev)) {
466 conn_handle = kzalloc(sizeof(*conn_handle), GFP_KERNEL);
467
468 if (!conn_handle)
469 return false;
470
471 conn_handle->conn = conn;
472 conn_handle->handle = handle;
473 result = hci_cmd_sync_queue(conn->hdev, hci_enhanced_setup_sync,
474 conn_handle, NULL);
475 if (result < 0)
476 kfree(conn_handle);
477
478 return result == 0;
479 }
480
481 return hci_setup_sync_conn(conn, handle);
482 }
483
hci_le_conn_update(struct hci_conn * conn,u16 min,u16 max,u16 latency,u16 to_multiplier)484 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
485 u16 to_multiplier)
486 {
487 struct hci_dev *hdev = conn->hdev;
488 struct hci_conn_params *params;
489 struct hci_cp_le_conn_update cp;
490
491 hci_dev_lock(hdev);
492
493 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
494 if (params) {
495 params->conn_min_interval = min;
496 params->conn_max_interval = max;
497 params->conn_latency = latency;
498 params->supervision_timeout = to_multiplier;
499 }
500
501 hci_dev_unlock(hdev);
502
503 memset(&cp, 0, sizeof(cp));
504 cp.handle = cpu_to_le16(conn->handle);
505 cp.conn_interval_min = cpu_to_le16(min);
506 cp.conn_interval_max = cpu_to_le16(max);
507 cp.conn_latency = cpu_to_le16(latency);
508 cp.supervision_timeout = cpu_to_le16(to_multiplier);
509 cp.min_ce_len = cpu_to_le16(0x0000);
510 cp.max_ce_len = cpu_to_le16(0x0000);
511
512 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
513
514 if (params)
515 return 0x01;
516
517 return 0x00;
518 }
519
hci_le_start_enc(struct hci_conn * conn,__le16 ediv,__le64 rand,__u8 ltk[16],__u8 key_size)520 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
521 __u8 ltk[16], __u8 key_size)
522 {
523 struct hci_dev *hdev = conn->hdev;
524 struct hci_cp_le_start_enc cp;
525
526 BT_DBG("hcon %p", conn);
527
528 memset(&cp, 0, sizeof(cp));
529
530 cp.handle = cpu_to_le16(conn->handle);
531 cp.rand = rand;
532 cp.ediv = ediv;
533 memcpy(cp.ltk, ltk, key_size);
534
535 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
536 }
537
538 /* Device _must_ be locked */
hci_sco_setup(struct hci_conn * conn,__u8 status)539 void hci_sco_setup(struct hci_conn *conn, __u8 status)
540 {
541 struct hci_link *link;
542
543 link = list_first_entry_or_null(&conn->link_list, struct hci_link, list);
544 if (!link || !link->conn)
545 return;
546
547 BT_DBG("hcon %p", conn);
548
549 if (!status) {
550 if (lmp_esco_capable(conn->hdev))
551 hci_setup_sync(link->conn, conn->handle);
552 else
553 hci_add_sco(link->conn, conn->handle);
554 } else {
555 hci_connect_cfm(link->conn, status);
556 hci_conn_del(link->conn);
557 }
558 }
559
hci_conn_timeout(struct work_struct * work)560 static void hci_conn_timeout(struct work_struct *work)
561 {
562 struct hci_conn *conn = container_of(work, struct hci_conn,
563 disc_work.work);
564 int refcnt = atomic_read(&conn->refcnt);
565
566 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
567
568 WARN_ON(refcnt < 0);
569
570 /* FIXME: It was observed that in pairing failed scenario, refcnt
571 * drops below 0. Probably this is because l2cap_conn_del calls
572 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
573 * dropped. After that loop hci_chan_del is called which also drops
574 * conn. For now make sure that ACL is alive if refcnt is higher then 0,
575 * otherwise drop it.
576 */
577 if (refcnt > 0)
578 return;
579
580 hci_abort_conn(conn, hci_proto_disconn_ind(conn));
581 }
582
583 /* Enter sniff mode */
hci_conn_idle(struct work_struct * work)584 static void hci_conn_idle(struct work_struct *work)
585 {
586 struct hci_conn *conn = container_of(work, struct hci_conn,
587 idle_work.work);
588 struct hci_dev *hdev = conn->hdev;
589
590 BT_DBG("hcon %p mode %d", conn, conn->mode);
591
592 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
593 return;
594
595 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
596 return;
597
598 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
599 struct hci_cp_sniff_subrate cp;
600 cp.handle = cpu_to_le16(conn->handle);
601 cp.max_latency = cpu_to_le16(0);
602 cp.min_remote_timeout = cpu_to_le16(0);
603 cp.min_local_timeout = cpu_to_le16(0);
604 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
605 }
606
607 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
608 struct hci_cp_sniff_mode cp;
609 cp.handle = cpu_to_le16(conn->handle);
610 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
611 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
612 cp.attempt = cpu_to_le16(4);
613 cp.timeout = cpu_to_le16(1);
614 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
615 }
616 }
617
hci_conn_auto_accept(struct work_struct * work)618 static void hci_conn_auto_accept(struct work_struct *work)
619 {
620 struct hci_conn *conn = container_of(work, struct hci_conn,
621 auto_accept_work.work);
622
623 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
624 &conn->dst);
625 }
626
le_disable_advertising(struct hci_dev * hdev)627 static void le_disable_advertising(struct hci_dev *hdev)
628 {
629 if (ext_adv_capable(hdev)) {
630 struct hci_cp_le_set_ext_adv_enable cp;
631
632 cp.enable = 0x00;
633 cp.num_of_sets = 0x00;
634
635 hci_send_cmd(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE, sizeof(cp),
636 &cp);
637 } else {
638 u8 enable = 0x00;
639 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
640 &enable);
641 }
642 }
643
le_conn_timeout(struct work_struct * work)644 static void le_conn_timeout(struct work_struct *work)
645 {
646 struct hci_conn *conn = container_of(work, struct hci_conn,
647 le_conn_timeout.work);
648 struct hci_dev *hdev = conn->hdev;
649
650 BT_DBG("");
651
652 /* We could end up here due to having done directed advertising,
653 * so clean up the state if necessary. This should however only
654 * happen with broken hardware or if low duty cycle was used
655 * (which doesn't have a timeout of its own).
656 */
657 if (conn->role == HCI_ROLE_SLAVE) {
658 /* Disable LE Advertising */
659 le_disable_advertising(hdev);
660 hci_dev_lock(hdev);
661 hci_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
662 hci_dev_unlock(hdev);
663 return;
664 }
665
666 hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
667 }
668
669 struct iso_cig_params {
670 struct hci_cp_le_set_cig_params cp;
671 struct hci_cis_params cis[0x1f];
672 };
673
674 struct iso_list_data {
675 union {
676 u8 cig;
677 u8 big;
678 };
679 union {
680 u8 cis;
681 u8 bis;
682 u16 sync_handle;
683 };
684 int count;
685 bool big_term;
686 bool pa_sync_term;
687 bool big_sync_term;
688 };
689
bis_list(struct hci_conn * conn,void * data)690 static void bis_list(struct hci_conn *conn, void *data)
691 {
692 struct iso_list_data *d = data;
693
694 /* Skip if not broadcast/ANY address */
695 if (bacmp(&conn->dst, BDADDR_ANY))
696 return;
697
698 if (d->big != conn->iso_qos.bcast.big || d->bis == BT_ISO_QOS_BIS_UNSET ||
699 d->bis != conn->iso_qos.bcast.bis)
700 return;
701
702 d->count++;
703 }
704
terminate_big_sync(struct hci_dev * hdev,void * data)705 static int terminate_big_sync(struct hci_dev *hdev, void *data)
706 {
707 struct iso_list_data *d = data;
708
709 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", d->big, d->bis);
710
711 hci_disable_per_advertising_sync(hdev, d->bis);
712 hci_remove_ext_adv_instance_sync(hdev, d->bis, NULL);
713
714 /* Only terminate BIG if it has been created */
715 if (!d->big_term)
716 return 0;
717
718 return hci_le_terminate_big_sync(hdev, d->big,
719 HCI_ERROR_LOCAL_HOST_TERM);
720 }
721
terminate_big_destroy(struct hci_dev * hdev,void * data,int err)722 static void terminate_big_destroy(struct hci_dev *hdev, void *data, int err)
723 {
724 kfree(data);
725 }
726
hci_le_terminate_big(struct hci_dev * hdev,struct hci_conn * conn)727 static int hci_le_terminate_big(struct hci_dev *hdev, struct hci_conn *conn)
728 {
729 struct iso_list_data *d;
730 int ret;
731
732 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", conn->iso_qos.bcast.big,
733 conn->iso_qos.bcast.bis);
734
735 d = kzalloc(sizeof(*d), GFP_KERNEL);
736 if (!d)
737 return -ENOMEM;
738
739 d->big = conn->iso_qos.bcast.big;
740 d->bis = conn->iso_qos.bcast.bis;
741 d->big_term = test_and_clear_bit(HCI_CONN_BIG_CREATED, &conn->flags);
742
743 ret = hci_cmd_sync_queue(hdev, terminate_big_sync, d,
744 terminate_big_destroy);
745 if (ret)
746 kfree(d);
747
748 return ret;
749 }
750
big_terminate_sync(struct hci_dev * hdev,void * data)751 static int big_terminate_sync(struct hci_dev *hdev, void *data)
752 {
753 struct iso_list_data *d = data;
754
755 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", d->big,
756 d->sync_handle);
757
758 if (d->big_sync_term)
759 hci_le_big_terminate_sync(hdev, d->big);
760
761 if (d->pa_sync_term)
762 return hci_le_pa_terminate_sync(hdev, d->sync_handle);
763
764 return 0;
765 }
766
hci_le_big_terminate(struct hci_dev * hdev,u8 big,struct hci_conn * conn)767 static int hci_le_big_terminate(struct hci_dev *hdev, u8 big, struct hci_conn *conn)
768 {
769 struct iso_list_data *d;
770 int ret;
771
772 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", big, conn->sync_handle);
773
774 d = kzalloc(sizeof(*d), GFP_KERNEL);
775 if (!d)
776 return -ENOMEM;
777
778 d->big = big;
779 d->sync_handle = conn->sync_handle;
780 d->pa_sync_term = test_and_clear_bit(HCI_CONN_PA_SYNC, &conn->flags);
781 d->big_sync_term = test_and_clear_bit(HCI_CONN_BIG_SYNC, &conn->flags);
782
783 ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d,
784 terminate_big_destroy);
785 if (ret)
786 kfree(d);
787
788 return ret;
789 }
790
791 /* Cleanup BIS connection
792 *
793 * Detects if there any BIS left connected in a BIG
794 * broadcaster: Remove advertising instance and terminate BIG.
795 * broadcaster receiver: Teminate BIG sync and terminate PA sync.
796 */
bis_cleanup(struct hci_conn * conn)797 static void bis_cleanup(struct hci_conn *conn)
798 {
799 struct hci_dev *hdev = conn->hdev;
800 struct hci_conn *bis;
801
802 bt_dev_dbg(hdev, "conn %p", conn);
803
804 if (conn->role == HCI_ROLE_MASTER) {
805 if (!test_and_clear_bit(HCI_CONN_PER_ADV, &conn->flags))
806 return;
807
808 /* Check if ISO connection is a BIS and terminate advertising
809 * set and BIG if there are no other connections using it.
810 */
811 bis = hci_conn_hash_lookup_big(hdev, conn->iso_qos.bcast.big);
812 if (bis)
813 return;
814
815 hci_le_terminate_big(hdev, conn);
816 } else {
817 bis = hci_conn_hash_lookup_big_any_dst(hdev,
818 conn->iso_qos.bcast.big);
819
820 if (bis)
821 return;
822
823 hci_le_big_terminate(hdev, conn->iso_qos.bcast.big,
824 conn);
825 }
826 }
827
remove_cig_sync(struct hci_dev * hdev,void * data)828 static int remove_cig_sync(struct hci_dev *hdev, void *data)
829 {
830 u8 handle = PTR_UINT(data);
831
832 return hci_le_remove_cig_sync(hdev, handle);
833 }
834
hci_le_remove_cig(struct hci_dev * hdev,u8 handle)835 static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle)
836 {
837 bt_dev_dbg(hdev, "handle 0x%2.2x", handle);
838
839 return hci_cmd_sync_queue(hdev, remove_cig_sync, UINT_PTR(handle),
840 NULL);
841 }
842
find_cis(struct hci_conn * conn,void * data)843 static void find_cis(struct hci_conn *conn, void *data)
844 {
845 struct iso_list_data *d = data;
846
847 /* Ignore broadcast or if CIG don't match */
848 if (!bacmp(&conn->dst, BDADDR_ANY) || d->cig != conn->iso_qos.ucast.cig)
849 return;
850
851 d->count++;
852 }
853
854 /* Cleanup CIS connection:
855 *
856 * Detects if there any CIS left connected in a CIG and remove it.
857 */
cis_cleanup(struct hci_conn * conn)858 static void cis_cleanup(struct hci_conn *conn)
859 {
860 struct hci_dev *hdev = conn->hdev;
861 struct iso_list_data d;
862
863 if (conn->iso_qos.ucast.cig == BT_ISO_QOS_CIG_UNSET)
864 return;
865
866 memset(&d, 0, sizeof(d));
867 d.cig = conn->iso_qos.ucast.cig;
868
869 /* Check if ISO connection is a CIS and remove CIG if there are
870 * no other connections using it.
871 */
872 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_BOUND, &d);
873 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECT, &d);
874 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECTED, &d);
875 if (d.count)
876 return;
877
878 hci_le_remove_cig(hdev, conn->iso_qos.ucast.cig);
879 }
880
hci_conn_hash_alloc_unset(struct hci_dev * hdev)881 static int hci_conn_hash_alloc_unset(struct hci_dev *hdev)
882 {
883 return ida_alloc_range(&hdev->unset_handle_ida, HCI_CONN_HANDLE_MAX + 1,
884 U16_MAX, GFP_ATOMIC);
885 }
886
__hci_conn_add(struct hci_dev * hdev,int type,bdaddr_t * dst,u8 role,u16 handle)887 static struct hci_conn *__hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
888 u8 role, u16 handle)
889 {
890 struct hci_conn *conn;
891
892 switch (type) {
893 case ACL_LINK:
894 if (!hdev->acl_mtu)
895 return ERR_PTR(-ECONNREFUSED);
896 break;
897 case ISO_LINK:
898 if (hdev->iso_mtu)
899 /* Dedicated ISO Buffer exists */
900 break;
901 fallthrough;
902 case LE_LINK:
903 if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU)
904 return ERR_PTR(-ECONNREFUSED);
905 if (!hdev->le_mtu && hdev->acl_mtu < HCI_MIN_LE_MTU)
906 return ERR_PTR(-ECONNREFUSED);
907 break;
908 case SCO_LINK:
909 case ESCO_LINK:
910 if (!hdev->sco_pkts)
911 /* Controller does not support SCO or eSCO over HCI */
912 return ERR_PTR(-ECONNREFUSED);
913 break;
914 default:
915 return ERR_PTR(-ECONNREFUSED);
916 }
917
918 bt_dev_dbg(hdev, "dst %pMR handle 0x%4.4x", dst, handle);
919
920 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
921 if (!conn)
922 return ERR_PTR(-ENOMEM);
923
924 bacpy(&conn->dst, dst);
925 bacpy(&conn->src, &hdev->bdaddr);
926 conn->handle = handle;
927 conn->hdev = hdev;
928 conn->type = type;
929 conn->role = role;
930 conn->mode = HCI_CM_ACTIVE;
931 conn->state = BT_OPEN;
932 conn->auth_type = HCI_AT_GENERAL_BONDING;
933 conn->io_capability = hdev->io_capability;
934 conn->remote_auth = 0xff;
935 conn->key_type = 0xff;
936 conn->rssi = HCI_RSSI_INVALID;
937 conn->tx_power = HCI_TX_POWER_INVALID;
938 conn->max_tx_power = HCI_TX_POWER_INVALID;
939 conn->sync_handle = HCI_SYNC_HANDLE_INVALID;
940
941 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
942 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
943
944 /* Set Default Authenticated payload timeout to 30s */
945 conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
946
947 if (conn->role == HCI_ROLE_MASTER)
948 conn->out = true;
949
950 switch (type) {
951 case ACL_LINK:
952 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
953 conn->mtu = hdev->acl_mtu;
954 break;
955 case LE_LINK:
956 /* conn->src should reflect the local identity address */
957 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
958 conn->mtu = hdev->le_mtu ? hdev->le_mtu : hdev->acl_mtu;
959 break;
960 case ISO_LINK:
961 /* conn->src should reflect the local identity address */
962 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
963
964 /* set proper cleanup function */
965 if (!bacmp(dst, BDADDR_ANY))
966 conn->cleanup = bis_cleanup;
967 else if (conn->role == HCI_ROLE_MASTER)
968 conn->cleanup = cis_cleanup;
969
970 conn->mtu = hdev->iso_mtu ? hdev->iso_mtu :
971 hdev->le_mtu ? hdev->le_mtu : hdev->acl_mtu;
972 break;
973 case SCO_LINK:
974 if (lmp_esco_capable(hdev))
975 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
976 (hdev->esco_type & EDR_ESCO_MASK);
977 else
978 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
979
980 conn->mtu = hdev->sco_mtu;
981 break;
982 case ESCO_LINK:
983 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
984 conn->mtu = hdev->sco_mtu;
985 break;
986 }
987
988 skb_queue_head_init(&conn->data_q);
989
990 INIT_LIST_HEAD(&conn->chan_list);
991 INIT_LIST_HEAD(&conn->link_list);
992
993 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
994 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
995 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
996 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
997
998 atomic_set(&conn->refcnt, 0);
999
1000 hci_dev_hold(hdev);
1001
1002 hci_conn_hash_add(hdev, conn);
1003
1004 /* The SCO and eSCO connections will only be notified when their
1005 * setup has been completed. This is different to ACL links which
1006 * can be notified right away.
1007 */
1008 if (conn->type != SCO_LINK && conn->type != ESCO_LINK) {
1009 if (hdev->notify)
1010 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
1011 }
1012
1013 hci_conn_init_sysfs(conn);
1014
1015 return conn;
1016 }
1017
hci_conn_add_unset(struct hci_dev * hdev,int type,bdaddr_t * dst,u8 role)1018 struct hci_conn *hci_conn_add_unset(struct hci_dev *hdev, int type,
1019 bdaddr_t *dst, u8 role)
1020 {
1021 int handle;
1022
1023 bt_dev_dbg(hdev, "dst %pMR", dst);
1024
1025 handle = hci_conn_hash_alloc_unset(hdev);
1026 if (unlikely(handle < 0))
1027 return ERR_PTR(-ECONNREFUSED);
1028
1029 return __hci_conn_add(hdev, type, dst, role, handle);
1030 }
1031
hci_conn_add(struct hci_dev * hdev,int type,bdaddr_t * dst,u8 role,u16 handle)1032 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
1033 u8 role, u16 handle)
1034 {
1035 if (handle > HCI_CONN_HANDLE_MAX)
1036 return ERR_PTR(-EINVAL);
1037
1038 return __hci_conn_add(hdev, type, dst, role, handle);
1039 }
1040
hci_conn_cleanup_child(struct hci_conn * conn,u8 reason)1041 static void hci_conn_cleanup_child(struct hci_conn *conn, u8 reason)
1042 {
1043 if (!reason)
1044 reason = HCI_ERROR_REMOTE_USER_TERM;
1045
1046 /* Due to race, SCO/ISO conn might be not established yet at this point,
1047 * and nothing else will clean it up. In other cases it is done via HCI
1048 * events.
1049 */
1050 switch (conn->type) {
1051 case SCO_LINK:
1052 case ESCO_LINK:
1053 if (HCI_CONN_HANDLE_UNSET(conn->handle))
1054 hci_conn_failed(conn, reason);
1055 break;
1056 case ISO_LINK:
1057 if ((conn->state != BT_CONNECTED &&
1058 !test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) ||
1059 test_bit(HCI_CONN_BIG_CREATED, &conn->flags))
1060 hci_conn_failed(conn, reason);
1061 break;
1062 }
1063 }
1064
hci_conn_unlink(struct hci_conn * conn)1065 static void hci_conn_unlink(struct hci_conn *conn)
1066 {
1067 struct hci_dev *hdev = conn->hdev;
1068
1069 bt_dev_dbg(hdev, "hcon %p", conn);
1070
1071 if (!conn->parent) {
1072 struct hci_link *link, *t;
1073
1074 list_for_each_entry_safe(link, t, &conn->link_list, list) {
1075 struct hci_conn *child = link->conn;
1076
1077 hci_conn_unlink(child);
1078
1079 /* If hdev is down it means
1080 * hci_dev_close_sync/hci_conn_hash_flush is in progress
1081 * and links don't need to be cleanup as all connections
1082 * would be cleanup.
1083 */
1084 if (!test_bit(HCI_UP, &hdev->flags))
1085 continue;
1086
1087 hci_conn_cleanup_child(child, conn->abort_reason);
1088 }
1089
1090 return;
1091 }
1092
1093 if (!conn->link)
1094 return;
1095
1096 list_del_rcu(&conn->link->list);
1097 synchronize_rcu();
1098
1099 hci_conn_drop(conn->parent);
1100 hci_conn_put(conn->parent);
1101 conn->parent = NULL;
1102
1103 kfree(conn->link);
1104 conn->link = NULL;
1105 }
1106
hci_conn_del(struct hci_conn * conn)1107 void hci_conn_del(struct hci_conn *conn)
1108 {
1109 struct hci_dev *hdev = conn->hdev;
1110
1111 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
1112
1113 hci_conn_unlink(conn);
1114
1115 cancel_delayed_work_sync(&conn->disc_work);
1116 cancel_delayed_work_sync(&conn->auto_accept_work);
1117 cancel_delayed_work_sync(&conn->idle_work);
1118
1119 if (conn->type == ACL_LINK) {
1120 /* Unacked frames */
1121 hdev->acl_cnt += conn->sent;
1122 } else if (conn->type == LE_LINK) {
1123 cancel_delayed_work(&conn->le_conn_timeout);
1124
1125 if (hdev->le_pkts)
1126 hdev->le_cnt += conn->sent;
1127 else
1128 hdev->acl_cnt += conn->sent;
1129 } else {
1130 /* Unacked ISO frames */
1131 if (conn->type == ISO_LINK) {
1132 if (hdev->iso_pkts)
1133 hdev->iso_cnt += conn->sent;
1134 else if (hdev->le_pkts)
1135 hdev->le_cnt += conn->sent;
1136 else
1137 hdev->acl_cnt += conn->sent;
1138 }
1139 }
1140
1141 skb_queue_purge(&conn->data_q);
1142
1143 /* Remove the connection from the list and cleanup its remaining
1144 * state. This is a separate function since for some cases like
1145 * BT_CONNECT_SCAN we *only* want the cleanup part without the
1146 * rest of hci_conn_del.
1147 */
1148 hci_conn_cleanup(conn);
1149
1150 /* Dequeue callbacks using connection pointer as data */
1151 hci_cmd_sync_dequeue(hdev, NULL, conn, NULL);
1152 }
1153
hci_get_route(bdaddr_t * dst,bdaddr_t * src,uint8_t src_type)1154 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type)
1155 {
1156 int use_src = bacmp(src, BDADDR_ANY);
1157 struct hci_dev *hdev = NULL, *d;
1158
1159 BT_DBG("%pMR -> %pMR", src, dst);
1160
1161 read_lock(&hci_dev_list_lock);
1162
1163 list_for_each_entry(d, &hci_dev_list, list) {
1164 if (!test_bit(HCI_UP, &d->flags) ||
1165 hci_dev_test_flag(d, HCI_USER_CHANNEL))
1166 continue;
1167
1168 /* Simple routing:
1169 * No source address - find interface with bdaddr != dst
1170 * Source address - find interface with bdaddr == src
1171 */
1172
1173 if (use_src) {
1174 bdaddr_t id_addr;
1175 u8 id_addr_type;
1176
1177 if (src_type == BDADDR_BREDR) {
1178 if (!lmp_bredr_capable(d))
1179 continue;
1180 bacpy(&id_addr, &d->bdaddr);
1181 id_addr_type = BDADDR_BREDR;
1182 } else {
1183 if (!lmp_le_capable(d))
1184 continue;
1185
1186 hci_copy_identity_address(d, &id_addr,
1187 &id_addr_type);
1188
1189 /* Convert from HCI to three-value type */
1190 if (id_addr_type == ADDR_LE_DEV_PUBLIC)
1191 id_addr_type = BDADDR_LE_PUBLIC;
1192 else
1193 id_addr_type = BDADDR_LE_RANDOM;
1194 }
1195
1196 if (!bacmp(&id_addr, src) && id_addr_type == src_type) {
1197 hdev = d; break;
1198 }
1199 } else {
1200 if (bacmp(&d->bdaddr, dst)) {
1201 hdev = d; break;
1202 }
1203 }
1204 }
1205
1206 if (hdev)
1207 hdev = hci_dev_hold(hdev);
1208
1209 read_unlock(&hci_dev_list_lock);
1210 return hdev;
1211 }
1212 EXPORT_SYMBOL(hci_get_route);
1213
1214 /* This function requires the caller holds hdev->lock */
hci_le_conn_failed(struct hci_conn * conn,u8 status)1215 static void hci_le_conn_failed(struct hci_conn *conn, u8 status)
1216 {
1217 struct hci_dev *hdev = conn->hdev;
1218
1219 hci_connect_le_scan_cleanup(conn, status);
1220
1221 /* Enable advertising in case this was a failed connection
1222 * attempt as a peripheral.
1223 */
1224 hci_enable_advertising(hdev);
1225 }
1226
1227 /* This function requires the caller holds hdev->lock */
hci_conn_failed(struct hci_conn * conn,u8 status)1228 void hci_conn_failed(struct hci_conn *conn, u8 status)
1229 {
1230 struct hci_dev *hdev = conn->hdev;
1231
1232 bt_dev_dbg(hdev, "status 0x%2.2x", status);
1233
1234 switch (conn->type) {
1235 case LE_LINK:
1236 hci_le_conn_failed(conn, status);
1237 break;
1238 case ACL_LINK:
1239 mgmt_connect_failed(hdev, conn, status);
1240 break;
1241 }
1242
1243 /* In case of BIG/PA sync failed, clear conn flags so that
1244 * the conns will be correctly cleaned up by ISO layer
1245 */
1246 test_and_clear_bit(HCI_CONN_BIG_SYNC_FAILED, &conn->flags);
1247 test_and_clear_bit(HCI_CONN_PA_SYNC_FAILED, &conn->flags);
1248
1249 conn->state = BT_CLOSED;
1250 hci_connect_cfm(conn, status);
1251 hci_conn_del(conn);
1252 }
1253
1254 /* This function requires the caller holds hdev->lock */
hci_conn_set_handle(struct hci_conn * conn,u16 handle)1255 u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle)
1256 {
1257 struct hci_dev *hdev = conn->hdev;
1258
1259 bt_dev_dbg(hdev, "hcon %p handle 0x%4.4x", conn, handle);
1260
1261 if (conn->handle == handle)
1262 return 0;
1263
1264 if (handle > HCI_CONN_HANDLE_MAX) {
1265 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
1266 handle, HCI_CONN_HANDLE_MAX);
1267 return HCI_ERROR_INVALID_PARAMETERS;
1268 }
1269
1270 /* If abort_reason has been sent it means the connection is being
1271 * aborted and the handle shall not be changed.
1272 */
1273 if (conn->abort_reason)
1274 return conn->abort_reason;
1275
1276 if (HCI_CONN_HANDLE_UNSET(conn->handle))
1277 ida_free(&hdev->unset_handle_ida, conn->handle);
1278
1279 conn->handle = handle;
1280
1281 return 0;
1282 }
1283
hci_connect_le(struct hci_dev * hdev,bdaddr_t * dst,u8 dst_type,bool dst_resolved,u8 sec_level,u16 conn_timeout,u8 role)1284 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
1285 u8 dst_type, bool dst_resolved, u8 sec_level,
1286 u16 conn_timeout, u8 role)
1287 {
1288 struct hci_conn *conn;
1289 struct smp_irk *irk;
1290 int err;
1291
1292 /* Let's make sure that le is enabled.*/
1293 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1294 if (lmp_le_capable(hdev))
1295 return ERR_PTR(-ECONNREFUSED);
1296
1297 return ERR_PTR(-EOPNOTSUPP);
1298 }
1299
1300 /* Since the controller supports only one LE connection attempt at a
1301 * time, we return -EBUSY if there is any connection attempt running.
1302 */
1303 if (hci_lookup_le_connect(hdev))
1304 return ERR_PTR(-EBUSY);
1305
1306 /* If there's already a connection object but it's not in
1307 * scanning state it means it must already be established, in
1308 * which case we can't do anything else except report a failure
1309 * to connect.
1310 */
1311 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1312 if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) {
1313 return ERR_PTR(-EBUSY);
1314 }
1315
1316 /* Check if the destination address has been resolved by the controller
1317 * since if it did then the identity address shall be used.
1318 */
1319 if (!dst_resolved) {
1320 /* When given an identity address with existing identity
1321 * resolving key, the connection needs to be established
1322 * to a resolvable random address.
1323 *
1324 * Storing the resolvable random address is required here
1325 * to handle connection failures. The address will later
1326 * be resolved back into the original identity address
1327 * from the connect request.
1328 */
1329 irk = hci_find_irk_by_addr(hdev, dst, dst_type);
1330 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
1331 dst = &irk->rpa;
1332 dst_type = ADDR_LE_DEV_RANDOM;
1333 }
1334 }
1335
1336 if (conn) {
1337 bacpy(&conn->dst, dst);
1338 } else {
1339 conn = hci_conn_add_unset(hdev, LE_LINK, dst, role);
1340 if (IS_ERR(conn))
1341 return conn;
1342 hci_conn_hold(conn);
1343 conn->pending_sec_level = sec_level;
1344 }
1345
1346 conn->dst_type = dst_type;
1347 conn->sec_level = BT_SECURITY_LOW;
1348 conn->conn_timeout = conn_timeout;
1349
1350 err = hci_connect_le_sync(hdev, conn);
1351 if (err) {
1352 hci_conn_del(conn);
1353 return ERR_PTR(err);
1354 }
1355
1356 return conn;
1357 }
1358
is_connected(struct hci_dev * hdev,bdaddr_t * addr,u8 type)1359 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
1360 {
1361 struct hci_conn *conn;
1362
1363 conn = hci_conn_hash_lookup_le(hdev, addr, type);
1364 if (!conn)
1365 return false;
1366
1367 if (conn->state != BT_CONNECTED)
1368 return false;
1369
1370 return true;
1371 }
1372
1373 /* This function requires the caller holds hdev->lock */
hci_explicit_conn_params_set(struct hci_dev * hdev,bdaddr_t * addr,u8 addr_type)1374 static int hci_explicit_conn_params_set(struct hci_dev *hdev,
1375 bdaddr_t *addr, u8 addr_type)
1376 {
1377 struct hci_conn_params *params;
1378
1379 if (is_connected(hdev, addr, addr_type))
1380 return -EISCONN;
1381
1382 params = hci_conn_params_lookup(hdev, addr, addr_type);
1383 if (!params) {
1384 params = hci_conn_params_add(hdev, addr, addr_type);
1385 if (!params)
1386 return -ENOMEM;
1387
1388 /* If we created new params, mark them to be deleted in
1389 * hci_connect_le_scan_cleanup. It's different case than
1390 * existing disabled params, those will stay after cleanup.
1391 */
1392 params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
1393 }
1394
1395 /* We're trying to connect, so make sure params are at pend_le_conns */
1396 if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
1397 params->auto_connect == HCI_AUTO_CONN_REPORT ||
1398 params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
1399 hci_pend_le_list_del_init(params);
1400 hci_pend_le_list_add(params, &hdev->pend_le_conns);
1401 }
1402
1403 params->explicit_connect = true;
1404
1405 BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
1406 params->auto_connect);
1407
1408 return 0;
1409 }
1410
qos_set_big(struct hci_dev * hdev,struct bt_iso_qos * qos)1411 static int qos_set_big(struct hci_dev *hdev, struct bt_iso_qos *qos)
1412 {
1413 struct hci_conn *conn;
1414 u8 big;
1415
1416 /* Allocate a BIG if not set */
1417 if (qos->bcast.big == BT_ISO_QOS_BIG_UNSET) {
1418 for (big = 0x00; big < 0xef; big++) {
1419
1420 conn = hci_conn_hash_lookup_big(hdev, big);
1421 if (!conn)
1422 break;
1423 }
1424
1425 if (big == 0xef)
1426 return -EADDRNOTAVAIL;
1427
1428 /* Update BIG */
1429 qos->bcast.big = big;
1430 }
1431
1432 return 0;
1433 }
1434
qos_set_bis(struct hci_dev * hdev,struct bt_iso_qos * qos)1435 static int qos_set_bis(struct hci_dev *hdev, struct bt_iso_qos *qos)
1436 {
1437 struct hci_conn *conn;
1438 u8 bis;
1439
1440 /* Allocate BIS if not set */
1441 if (qos->bcast.bis == BT_ISO_QOS_BIS_UNSET) {
1442 /* Find an unused adv set to advertise BIS, skip instance 0x00
1443 * since it is reserved as general purpose set.
1444 */
1445 for (bis = 0x01; bis < hdev->le_num_of_adv_sets;
1446 bis++) {
1447
1448 conn = hci_conn_hash_lookup_bis(hdev, BDADDR_ANY, bis);
1449 if (!conn)
1450 break;
1451 }
1452
1453 if (bis == hdev->le_num_of_adv_sets)
1454 return -EADDRNOTAVAIL;
1455
1456 /* Update BIS */
1457 qos->bcast.bis = bis;
1458 }
1459
1460 return 0;
1461 }
1462
1463 /* This function requires the caller holds hdev->lock */
hci_add_bis(struct hci_dev * hdev,bdaddr_t * dst,struct bt_iso_qos * qos,__u8 base_len,__u8 * base)1464 static struct hci_conn *hci_add_bis(struct hci_dev *hdev, bdaddr_t *dst,
1465 struct bt_iso_qos *qos, __u8 base_len,
1466 __u8 *base)
1467 {
1468 struct hci_conn *conn;
1469 int err;
1470
1471 /* Let's make sure that le is enabled.*/
1472 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1473 if (lmp_le_capable(hdev))
1474 return ERR_PTR(-ECONNREFUSED);
1475 return ERR_PTR(-EOPNOTSUPP);
1476 }
1477
1478 err = qos_set_big(hdev, qos);
1479 if (err)
1480 return ERR_PTR(err);
1481
1482 err = qos_set_bis(hdev, qos);
1483 if (err)
1484 return ERR_PTR(err);
1485
1486 /* Check if the LE Create BIG command has already been sent */
1487 conn = hci_conn_hash_lookup_per_adv_bis(hdev, dst, qos->bcast.big,
1488 qos->bcast.big);
1489 if (conn)
1490 return ERR_PTR(-EADDRINUSE);
1491
1492 /* Check BIS settings against other bound BISes, since all
1493 * BISes in a BIG must have the same value for all parameters
1494 */
1495 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big);
1496
1497 if (conn && (memcmp(qos, &conn->iso_qos, sizeof(*qos)) ||
1498 base_len != conn->le_per_adv_data_len ||
1499 memcmp(conn->le_per_adv_data, base, base_len)))
1500 return ERR_PTR(-EADDRINUSE);
1501
1502 conn = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_MASTER);
1503 if (IS_ERR(conn))
1504 return conn;
1505
1506 conn->state = BT_CONNECT;
1507
1508 hci_conn_hold(conn);
1509 return conn;
1510 }
1511
1512 /* This function requires the caller holds hdev->lock */
hci_connect_le_scan(struct hci_dev * hdev,bdaddr_t * dst,u8 dst_type,u8 sec_level,u16 conn_timeout,enum conn_reasons conn_reason)1513 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
1514 u8 dst_type, u8 sec_level,
1515 u16 conn_timeout,
1516 enum conn_reasons conn_reason)
1517 {
1518 struct hci_conn *conn;
1519
1520 /* Let's make sure that le is enabled.*/
1521 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1522 if (lmp_le_capable(hdev))
1523 return ERR_PTR(-ECONNREFUSED);
1524
1525 return ERR_PTR(-EOPNOTSUPP);
1526 }
1527
1528 /* Some devices send ATT messages as soon as the physical link is
1529 * established. To be able to handle these ATT messages, the user-
1530 * space first establishes the connection and then starts the pairing
1531 * process.
1532 *
1533 * So if a hci_conn object already exists for the following connection
1534 * attempt, we simply update pending_sec_level and auth_type fields
1535 * and return the object found.
1536 */
1537 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1538 if (conn) {
1539 if (conn->pending_sec_level < sec_level)
1540 conn->pending_sec_level = sec_level;
1541 goto done;
1542 }
1543
1544 BT_DBG("requesting refresh of dst_addr");
1545
1546 conn = hci_conn_add_unset(hdev, LE_LINK, dst, HCI_ROLE_MASTER);
1547 if (IS_ERR(conn))
1548 return conn;
1549
1550 if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) {
1551 hci_conn_del(conn);
1552 return ERR_PTR(-EBUSY);
1553 }
1554
1555 conn->state = BT_CONNECT;
1556 set_bit(HCI_CONN_SCANNING, &conn->flags);
1557 conn->dst_type = dst_type;
1558 conn->sec_level = BT_SECURITY_LOW;
1559 conn->pending_sec_level = sec_level;
1560 conn->conn_timeout = conn_timeout;
1561 conn->conn_reason = conn_reason;
1562
1563 hci_update_passive_scan(hdev);
1564
1565 done:
1566 hci_conn_hold(conn);
1567 return conn;
1568 }
1569
hci_connect_acl(struct hci_dev * hdev,bdaddr_t * dst,u8 sec_level,u8 auth_type,enum conn_reasons conn_reason)1570 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
1571 u8 sec_level, u8 auth_type,
1572 enum conn_reasons conn_reason)
1573 {
1574 struct hci_conn *acl;
1575
1576 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1577 if (lmp_bredr_capable(hdev))
1578 return ERR_PTR(-ECONNREFUSED);
1579
1580 return ERR_PTR(-EOPNOTSUPP);
1581 }
1582
1583 /* Reject outgoing connection to device with same BD ADDR against
1584 * CVE-2020-26555
1585 */
1586 if (!bacmp(&hdev->bdaddr, dst)) {
1587 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
1588 dst);
1589 return ERR_PTR(-ECONNREFUSED);
1590 }
1591
1592 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
1593 if (!acl) {
1594 acl = hci_conn_add_unset(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
1595 if (IS_ERR(acl))
1596 return acl;
1597 }
1598
1599 hci_conn_hold(acl);
1600
1601 acl->conn_reason = conn_reason;
1602 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
1603 int err;
1604
1605 acl->sec_level = BT_SECURITY_LOW;
1606 acl->pending_sec_level = sec_level;
1607 acl->auth_type = auth_type;
1608
1609 err = hci_connect_acl_sync(hdev, acl);
1610 if (err) {
1611 hci_conn_del(acl);
1612 return ERR_PTR(err);
1613 }
1614 }
1615
1616 return acl;
1617 }
1618
hci_conn_link(struct hci_conn * parent,struct hci_conn * conn)1619 static struct hci_link *hci_conn_link(struct hci_conn *parent,
1620 struct hci_conn *conn)
1621 {
1622 struct hci_dev *hdev = parent->hdev;
1623 struct hci_link *link;
1624
1625 bt_dev_dbg(hdev, "parent %p hcon %p", parent, conn);
1626
1627 if (conn->link)
1628 return conn->link;
1629
1630 if (conn->parent)
1631 return NULL;
1632
1633 link = kzalloc(sizeof(*link), GFP_KERNEL);
1634 if (!link)
1635 return NULL;
1636
1637 link->conn = hci_conn_hold(conn);
1638 conn->link = link;
1639 conn->parent = hci_conn_get(parent);
1640
1641 /* Use list_add_tail_rcu append to the list */
1642 list_add_tail_rcu(&link->list, &parent->link_list);
1643
1644 return link;
1645 }
1646
hci_connect_sco(struct hci_dev * hdev,int type,bdaddr_t * dst,__u16 setting,struct bt_codec * codec)1647 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
1648 __u16 setting, struct bt_codec *codec)
1649 {
1650 struct hci_conn *acl;
1651 struct hci_conn *sco;
1652 struct hci_link *link;
1653
1654 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING,
1655 CONN_REASON_SCO_CONNECT);
1656 if (IS_ERR(acl))
1657 return acl;
1658
1659 sco = hci_conn_hash_lookup_ba(hdev, type, dst);
1660 if (!sco) {
1661 sco = hci_conn_add_unset(hdev, type, dst, HCI_ROLE_MASTER);
1662 if (IS_ERR(sco)) {
1663 hci_conn_drop(acl);
1664 return sco;
1665 }
1666 }
1667
1668 link = hci_conn_link(acl, sco);
1669 if (!link) {
1670 hci_conn_drop(acl);
1671 hci_conn_drop(sco);
1672 return ERR_PTR(-ENOLINK);
1673 }
1674
1675 sco->setting = setting;
1676 sco->codec = *codec;
1677
1678 if (acl->state == BT_CONNECTED &&
1679 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
1680 set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
1681 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
1682
1683 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
1684 /* defer SCO setup until mode change completed */
1685 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
1686 return sco;
1687 }
1688
1689 hci_sco_setup(acl, 0x00);
1690 }
1691
1692 return sco;
1693 }
1694
hci_le_create_big(struct hci_conn * conn,struct bt_iso_qos * qos)1695 static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos)
1696 {
1697 struct hci_dev *hdev = conn->hdev;
1698 struct hci_cp_le_create_big cp;
1699 struct iso_list_data data;
1700
1701 memset(&cp, 0, sizeof(cp));
1702
1703 data.big = qos->bcast.big;
1704 data.bis = qos->bcast.bis;
1705 data.count = 0;
1706
1707 /* Create a BIS for each bound connection */
1708 hci_conn_hash_list_state(hdev, bis_list, ISO_LINK,
1709 BT_BOUND, &data);
1710
1711 cp.handle = qos->bcast.big;
1712 cp.adv_handle = qos->bcast.bis;
1713 cp.num_bis = data.count;
1714 hci_cpu_to_le24(qos->bcast.out.interval, cp.bis.sdu_interval);
1715 cp.bis.sdu = cpu_to_le16(qos->bcast.out.sdu);
1716 cp.bis.latency = cpu_to_le16(qos->bcast.out.latency);
1717 cp.bis.rtn = qos->bcast.out.rtn;
1718 cp.bis.phy = qos->bcast.out.phy;
1719 cp.bis.packing = qos->bcast.packing;
1720 cp.bis.framing = qos->bcast.framing;
1721 cp.bis.encryption = qos->bcast.encryption;
1722 memcpy(cp.bis.bcode, qos->bcast.bcode, sizeof(cp.bis.bcode));
1723
1724 return hci_send_cmd(hdev, HCI_OP_LE_CREATE_BIG, sizeof(cp), &cp);
1725 }
1726
set_cig_params_sync(struct hci_dev * hdev,void * data)1727 static int set_cig_params_sync(struct hci_dev *hdev, void *data)
1728 {
1729 u8 cig_id = PTR_UINT(data);
1730 struct hci_conn *conn;
1731 struct bt_iso_qos *qos;
1732 struct iso_cig_params pdu;
1733 u8 cis_id;
1734
1735 conn = hci_conn_hash_lookup_cig(hdev, cig_id);
1736 if (!conn)
1737 return 0;
1738
1739 memset(&pdu, 0, sizeof(pdu));
1740
1741 qos = &conn->iso_qos;
1742 pdu.cp.cig_id = cig_id;
1743 hci_cpu_to_le24(qos->ucast.out.interval, pdu.cp.c_interval);
1744 hci_cpu_to_le24(qos->ucast.in.interval, pdu.cp.p_interval);
1745 pdu.cp.sca = qos->ucast.sca;
1746 pdu.cp.packing = qos->ucast.packing;
1747 pdu.cp.framing = qos->ucast.framing;
1748 pdu.cp.c_latency = cpu_to_le16(qos->ucast.out.latency);
1749 pdu.cp.p_latency = cpu_to_le16(qos->ucast.in.latency);
1750
1751 /* Reprogram all CIS(s) with the same CIG, valid range are:
1752 * num_cis: 0x00 to 0x1F
1753 * cis_id: 0x00 to 0xEF
1754 */
1755 for (cis_id = 0x00; cis_id < 0xf0 &&
1756 pdu.cp.num_cis < ARRAY_SIZE(pdu.cis); cis_id++) {
1757 struct hci_cis_params *cis;
1758
1759 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, cig_id, cis_id);
1760 if (!conn)
1761 continue;
1762
1763 qos = &conn->iso_qos;
1764
1765 cis = &pdu.cis[pdu.cp.num_cis++];
1766 cis->cis_id = cis_id;
1767 cis->c_sdu = cpu_to_le16(conn->iso_qos.ucast.out.sdu);
1768 cis->p_sdu = cpu_to_le16(conn->iso_qos.ucast.in.sdu);
1769 cis->c_phy = qos->ucast.out.phy ? qos->ucast.out.phy :
1770 qos->ucast.in.phy;
1771 cis->p_phy = qos->ucast.in.phy ? qos->ucast.in.phy :
1772 qos->ucast.out.phy;
1773 cis->c_rtn = qos->ucast.out.rtn;
1774 cis->p_rtn = qos->ucast.in.rtn;
1775 }
1776
1777 if (!pdu.cp.num_cis)
1778 return 0;
1779
1780 return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_CIG_PARAMS,
1781 sizeof(pdu.cp) +
1782 pdu.cp.num_cis * sizeof(pdu.cis[0]), &pdu,
1783 HCI_CMD_TIMEOUT);
1784 }
1785
hci_le_set_cig_params(struct hci_conn * conn,struct bt_iso_qos * qos)1786 static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos)
1787 {
1788 struct hci_dev *hdev = conn->hdev;
1789 struct iso_list_data data;
1790
1791 memset(&data, 0, sizeof(data));
1792
1793 /* Allocate first still reconfigurable CIG if not set */
1794 if (qos->ucast.cig == BT_ISO_QOS_CIG_UNSET) {
1795 for (data.cig = 0x00; data.cig < 0xf0; data.cig++) {
1796 data.count = 0;
1797
1798 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK,
1799 BT_CONNECT, &data);
1800 if (data.count)
1801 continue;
1802
1803 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK,
1804 BT_CONNECTED, &data);
1805 if (!data.count)
1806 break;
1807 }
1808
1809 if (data.cig == 0xf0)
1810 return false;
1811
1812 /* Update CIG */
1813 qos->ucast.cig = data.cig;
1814 }
1815
1816 if (qos->ucast.cis != BT_ISO_QOS_CIS_UNSET) {
1817 if (hci_conn_hash_lookup_cis(hdev, NULL, 0, qos->ucast.cig,
1818 qos->ucast.cis))
1819 return false;
1820 goto done;
1821 }
1822
1823 /* Allocate first available CIS if not set */
1824 for (data.cig = qos->ucast.cig, data.cis = 0x00; data.cis < 0xf0;
1825 data.cis++) {
1826 if (!hci_conn_hash_lookup_cis(hdev, NULL, 0, data.cig,
1827 data.cis)) {
1828 /* Update CIS */
1829 qos->ucast.cis = data.cis;
1830 break;
1831 }
1832 }
1833
1834 if (qos->ucast.cis == BT_ISO_QOS_CIS_UNSET)
1835 return false;
1836
1837 done:
1838 if (hci_cmd_sync_queue(hdev, set_cig_params_sync,
1839 UINT_PTR(qos->ucast.cig), NULL) < 0)
1840 return false;
1841
1842 return true;
1843 }
1844
hci_bind_cis(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,struct bt_iso_qos * qos)1845 struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst,
1846 __u8 dst_type, struct bt_iso_qos *qos)
1847 {
1848 struct hci_conn *cis;
1849
1850 cis = hci_conn_hash_lookup_cis(hdev, dst, dst_type, qos->ucast.cig,
1851 qos->ucast.cis);
1852 if (!cis) {
1853 cis = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_MASTER);
1854 if (IS_ERR(cis))
1855 return cis;
1856 cis->cleanup = cis_cleanup;
1857 cis->dst_type = dst_type;
1858 cis->iso_qos.ucast.cig = BT_ISO_QOS_CIG_UNSET;
1859 cis->iso_qos.ucast.cis = BT_ISO_QOS_CIS_UNSET;
1860 }
1861
1862 if (cis->state == BT_CONNECTED)
1863 return cis;
1864
1865 /* Check if CIS has been set and the settings matches */
1866 if (cis->state == BT_BOUND &&
1867 !memcmp(&cis->iso_qos, qos, sizeof(*qos)))
1868 return cis;
1869
1870 /* Update LINK PHYs according to QoS preference */
1871 cis->le_tx_phy = qos->ucast.out.phy;
1872 cis->le_rx_phy = qos->ucast.in.phy;
1873
1874 /* If output interval is not set use the input interval as it cannot be
1875 * 0x000000.
1876 */
1877 if (!qos->ucast.out.interval)
1878 qos->ucast.out.interval = qos->ucast.in.interval;
1879
1880 /* If input interval is not set use the output interval as it cannot be
1881 * 0x000000.
1882 */
1883 if (!qos->ucast.in.interval)
1884 qos->ucast.in.interval = qos->ucast.out.interval;
1885
1886 /* If output latency is not set use the input latency as it cannot be
1887 * 0x0000.
1888 */
1889 if (!qos->ucast.out.latency)
1890 qos->ucast.out.latency = qos->ucast.in.latency;
1891
1892 /* If input latency is not set use the output latency as it cannot be
1893 * 0x0000.
1894 */
1895 if (!qos->ucast.in.latency)
1896 qos->ucast.in.latency = qos->ucast.out.latency;
1897
1898 if (!hci_le_set_cig_params(cis, qos)) {
1899 hci_conn_drop(cis);
1900 return ERR_PTR(-EINVAL);
1901 }
1902
1903 hci_conn_hold(cis);
1904
1905 cis->iso_qos = *qos;
1906 cis->state = BT_BOUND;
1907
1908 return cis;
1909 }
1910
hci_iso_setup_path(struct hci_conn * conn)1911 bool hci_iso_setup_path(struct hci_conn *conn)
1912 {
1913 struct hci_dev *hdev = conn->hdev;
1914 struct hci_cp_le_setup_iso_path cmd;
1915
1916 memset(&cmd, 0, sizeof(cmd));
1917
1918 if (conn->iso_qos.ucast.out.sdu) {
1919 cmd.handle = cpu_to_le16(conn->handle);
1920 cmd.direction = 0x00; /* Input (Host to Controller) */
1921 cmd.path = 0x00; /* HCI path if enabled */
1922 cmd.codec = 0x03; /* Transparent Data */
1923
1924 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
1925 &cmd) < 0)
1926 return false;
1927 }
1928
1929 if (conn->iso_qos.ucast.in.sdu) {
1930 cmd.handle = cpu_to_le16(conn->handle);
1931 cmd.direction = 0x01; /* Output (Controller to Host) */
1932 cmd.path = 0x00; /* HCI path if enabled */
1933 cmd.codec = 0x03; /* Transparent Data */
1934
1935 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
1936 &cmd) < 0)
1937 return false;
1938 }
1939
1940 return true;
1941 }
1942
hci_conn_check_create_cis(struct hci_conn * conn)1943 int hci_conn_check_create_cis(struct hci_conn *conn)
1944 {
1945 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY))
1946 return -EINVAL;
1947
1948 if (!conn->parent || conn->parent->state != BT_CONNECTED ||
1949 conn->state != BT_CONNECT || HCI_CONN_HANDLE_UNSET(conn->handle))
1950 return 1;
1951
1952 return 0;
1953 }
1954
hci_create_cis_sync(struct hci_dev * hdev,void * data)1955 static int hci_create_cis_sync(struct hci_dev *hdev, void *data)
1956 {
1957 return hci_le_create_cis_sync(hdev);
1958 }
1959
hci_le_create_cis_pending(struct hci_dev * hdev)1960 int hci_le_create_cis_pending(struct hci_dev *hdev)
1961 {
1962 struct hci_conn *conn;
1963 bool pending = false;
1964
1965 rcu_read_lock();
1966
1967 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
1968 if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) {
1969 rcu_read_unlock();
1970 return -EBUSY;
1971 }
1972
1973 if (!hci_conn_check_create_cis(conn))
1974 pending = true;
1975 }
1976
1977 rcu_read_unlock();
1978
1979 if (!pending)
1980 return 0;
1981
1982 /* Queue Create CIS */
1983 return hci_cmd_sync_queue(hdev, hci_create_cis_sync, NULL, NULL);
1984 }
1985
hci_iso_qos_setup(struct hci_dev * hdev,struct hci_conn * conn,struct bt_iso_io_qos * qos,__u8 phy)1986 static void hci_iso_qos_setup(struct hci_dev *hdev, struct hci_conn *conn,
1987 struct bt_iso_io_qos *qos, __u8 phy)
1988 {
1989 /* Only set MTU if PHY is enabled */
1990 if (!qos->sdu && qos->phy)
1991 qos->sdu = conn->mtu;
1992
1993 /* Use the same PHY as ACL if set to any */
1994 if (qos->phy == BT_ISO_PHY_ANY)
1995 qos->phy = phy;
1996
1997 /* Use LE ACL connection interval if not set */
1998 if (!qos->interval)
1999 /* ACL interval unit in 1.25 ms to us */
2000 qos->interval = conn->le_conn_interval * 1250;
2001
2002 /* Use LE ACL connection latency if not set */
2003 if (!qos->latency)
2004 qos->latency = conn->le_conn_latency;
2005 }
2006
create_big_sync(struct hci_dev * hdev,void * data)2007 static int create_big_sync(struct hci_dev *hdev, void *data)
2008 {
2009 struct hci_conn *conn = data;
2010 struct bt_iso_qos *qos = &conn->iso_qos;
2011 u16 interval, sync_interval = 0;
2012 u32 flags = 0;
2013 int err;
2014
2015 if (qos->bcast.out.phy == 0x02)
2016 flags |= MGMT_ADV_FLAG_SEC_2M;
2017
2018 /* Align intervals */
2019 interval = (qos->bcast.out.interval / 1250) * qos->bcast.sync_factor;
2020
2021 if (qos->bcast.bis)
2022 sync_interval = interval * 4;
2023
2024 err = hci_start_per_adv_sync(hdev, qos->bcast.bis, conn->le_per_adv_data_len,
2025 conn->le_per_adv_data, flags, interval,
2026 interval, sync_interval);
2027 if (err)
2028 return err;
2029
2030 return hci_le_create_big(conn, &conn->iso_qos);
2031 }
2032
create_pa_complete(struct hci_dev * hdev,void * data,int err)2033 static void create_pa_complete(struct hci_dev *hdev, void *data, int err)
2034 {
2035 struct hci_cp_le_pa_create_sync *cp = data;
2036
2037 bt_dev_dbg(hdev, "");
2038
2039 if (err)
2040 bt_dev_err(hdev, "Unable to create PA: %d", err);
2041
2042 kfree(cp);
2043 }
2044
create_pa_sync(struct hci_dev * hdev,void * data)2045 static int create_pa_sync(struct hci_dev *hdev, void *data)
2046 {
2047 struct hci_cp_le_pa_create_sync *cp = data;
2048 int err;
2049
2050 err = __hci_cmd_sync_status(hdev, HCI_OP_LE_PA_CREATE_SYNC,
2051 sizeof(*cp), cp, HCI_CMD_TIMEOUT);
2052 if (err) {
2053 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
2054 return err;
2055 }
2056
2057 return hci_update_passive_scan_sync(hdev);
2058 }
2059
hci_pa_create_sync(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,__u8 sid,struct bt_iso_qos * qos)2060 int hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst, __u8 dst_type,
2061 __u8 sid, struct bt_iso_qos *qos)
2062 {
2063 struct hci_cp_le_pa_create_sync *cp;
2064
2065 if (hci_dev_test_and_set_flag(hdev, HCI_PA_SYNC))
2066 return -EBUSY;
2067
2068 cp = kzalloc(sizeof(*cp), GFP_KERNEL);
2069 if (!cp) {
2070 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
2071 return -ENOMEM;
2072 }
2073
2074 cp->options = qos->bcast.options;
2075 cp->sid = sid;
2076 cp->addr_type = dst_type;
2077 bacpy(&cp->addr, dst);
2078 cp->skip = cpu_to_le16(qos->bcast.skip);
2079 cp->sync_timeout = cpu_to_le16(qos->bcast.sync_timeout);
2080 cp->sync_cte_type = qos->bcast.sync_cte_type;
2081
2082 /* Queue start pa_create_sync and scan */
2083 return hci_cmd_sync_queue(hdev, create_pa_sync, cp, create_pa_complete);
2084 }
2085
hci_le_big_create_sync(struct hci_dev * hdev,struct hci_conn * hcon,struct bt_iso_qos * qos,__u16 sync_handle,__u8 num_bis,__u8 bis[])2086 int hci_le_big_create_sync(struct hci_dev *hdev, struct hci_conn *hcon,
2087 struct bt_iso_qos *qos,
2088 __u16 sync_handle, __u8 num_bis, __u8 bis[])
2089 {
2090 struct _packed {
2091 struct hci_cp_le_big_create_sync cp;
2092 __u8 bis[0x11];
2093 } pdu;
2094 int err;
2095
2096 if (num_bis > sizeof(pdu.bis))
2097 return -EINVAL;
2098
2099 err = qos_set_big(hdev, qos);
2100 if (err)
2101 return err;
2102
2103 if (hcon)
2104 hcon->iso_qos.bcast.big = qos->bcast.big;
2105
2106 memset(&pdu, 0, sizeof(pdu));
2107 pdu.cp.handle = qos->bcast.big;
2108 pdu.cp.sync_handle = cpu_to_le16(sync_handle);
2109 pdu.cp.encryption = qos->bcast.encryption;
2110 memcpy(pdu.cp.bcode, qos->bcast.bcode, sizeof(pdu.cp.bcode));
2111 pdu.cp.mse = qos->bcast.mse;
2112 pdu.cp.timeout = cpu_to_le16(qos->bcast.timeout);
2113 pdu.cp.num_bis = num_bis;
2114 memcpy(pdu.bis, bis, num_bis);
2115
2116 return hci_send_cmd(hdev, HCI_OP_LE_BIG_CREATE_SYNC,
2117 sizeof(pdu.cp) + num_bis, &pdu);
2118 }
2119
create_big_complete(struct hci_dev * hdev,void * data,int err)2120 static void create_big_complete(struct hci_dev *hdev, void *data, int err)
2121 {
2122 struct hci_conn *conn = data;
2123
2124 bt_dev_dbg(hdev, "conn %p", conn);
2125
2126 if (err) {
2127 bt_dev_err(hdev, "Unable to create BIG: %d", err);
2128 hci_connect_cfm(conn, err);
2129 hci_conn_del(conn);
2130 }
2131 }
2132
hci_bind_bis(struct hci_dev * hdev,bdaddr_t * dst,struct bt_iso_qos * qos,__u8 base_len,__u8 * base)2133 struct hci_conn *hci_bind_bis(struct hci_dev *hdev, bdaddr_t *dst,
2134 struct bt_iso_qos *qos,
2135 __u8 base_len, __u8 *base)
2136 {
2137 struct hci_conn *conn;
2138 struct hci_conn *parent;
2139 __u8 eir[HCI_MAX_PER_AD_LENGTH];
2140 struct hci_link *link;
2141
2142 /* Look for any BIS that is open for rebinding */
2143 conn = hci_conn_hash_lookup_big_state(hdev, qos->bcast.big, BT_OPEN);
2144 if (conn) {
2145 memcpy(qos, &conn->iso_qos, sizeof(*qos));
2146 conn->state = BT_CONNECTED;
2147 return conn;
2148 }
2149
2150 if (base_len && base)
2151 base_len = eir_append_service_data(eir, 0, 0x1851,
2152 base, base_len);
2153
2154 /* We need hci_conn object using the BDADDR_ANY as dst */
2155 conn = hci_add_bis(hdev, dst, qos, base_len, eir);
2156 if (IS_ERR(conn))
2157 return conn;
2158
2159 /* Update LINK PHYs according to QoS preference */
2160 conn->le_tx_phy = qos->bcast.out.phy;
2161 conn->le_tx_phy = qos->bcast.out.phy;
2162
2163 /* Add Basic Announcement into Peridic Adv Data if BASE is set */
2164 if (base_len && base) {
2165 memcpy(conn->le_per_adv_data, eir, sizeof(eir));
2166 conn->le_per_adv_data_len = base_len;
2167 }
2168
2169 hci_iso_qos_setup(hdev, conn, &qos->bcast.out,
2170 conn->le_tx_phy ? conn->le_tx_phy :
2171 hdev->le_tx_def_phys);
2172
2173 conn->iso_qos = *qos;
2174 conn->state = BT_BOUND;
2175
2176 /* Link BISes together */
2177 parent = hci_conn_hash_lookup_big(hdev,
2178 conn->iso_qos.bcast.big);
2179 if (parent && parent != conn) {
2180 link = hci_conn_link(parent, conn);
2181 if (!link) {
2182 hci_conn_drop(conn);
2183 return ERR_PTR(-ENOLINK);
2184 }
2185
2186 /* Link takes the refcount */
2187 hci_conn_drop(conn);
2188 }
2189
2190 return conn;
2191 }
2192
bis_mark_per_adv(struct hci_conn * conn,void * data)2193 static void bis_mark_per_adv(struct hci_conn *conn, void *data)
2194 {
2195 struct iso_list_data *d = data;
2196
2197 /* Skip if not broadcast/ANY address */
2198 if (bacmp(&conn->dst, BDADDR_ANY))
2199 return;
2200
2201 if (d->big != conn->iso_qos.bcast.big ||
2202 d->bis == BT_ISO_QOS_BIS_UNSET ||
2203 d->bis != conn->iso_qos.bcast.bis)
2204 return;
2205
2206 set_bit(HCI_CONN_PER_ADV, &conn->flags);
2207 }
2208
hci_connect_bis(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,struct bt_iso_qos * qos,__u8 base_len,__u8 * base)2209 struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst,
2210 __u8 dst_type, struct bt_iso_qos *qos,
2211 __u8 base_len, __u8 *base)
2212 {
2213 struct hci_conn *conn;
2214 int err;
2215 struct iso_list_data data;
2216
2217 conn = hci_bind_bis(hdev, dst, qos, base_len, base);
2218 if (IS_ERR(conn))
2219 return conn;
2220
2221 if (conn->state == BT_CONNECTED)
2222 return conn;
2223
2224 data.big = qos->bcast.big;
2225 data.bis = qos->bcast.bis;
2226
2227 /* Set HCI_CONN_PER_ADV for all bound connections, to mark that
2228 * the start periodic advertising and create BIG commands have
2229 * been queued
2230 */
2231 hci_conn_hash_list_state(hdev, bis_mark_per_adv, ISO_LINK,
2232 BT_BOUND, &data);
2233
2234 /* Queue start periodic advertising and create BIG */
2235 err = hci_cmd_sync_queue(hdev, create_big_sync, conn,
2236 create_big_complete);
2237 if (err < 0) {
2238 hci_conn_drop(conn);
2239 return ERR_PTR(err);
2240 }
2241
2242 return conn;
2243 }
2244
hci_connect_cis(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,struct bt_iso_qos * qos)2245 struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst,
2246 __u8 dst_type, struct bt_iso_qos *qos)
2247 {
2248 struct hci_conn *le;
2249 struct hci_conn *cis;
2250 struct hci_link *link;
2251
2252 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
2253 le = hci_connect_le(hdev, dst, dst_type, false,
2254 BT_SECURITY_LOW,
2255 HCI_LE_CONN_TIMEOUT,
2256 HCI_ROLE_SLAVE);
2257 else
2258 le = hci_connect_le_scan(hdev, dst, dst_type,
2259 BT_SECURITY_LOW,
2260 HCI_LE_CONN_TIMEOUT,
2261 CONN_REASON_ISO_CONNECT);
2262 if (IS_ERR(le))
2263 return le;
2264
2265 hci_iso_qos_setup(hdev, le, &qos->ucast.out,
2266 le->le_tx_phy ? le->le_tx_phy : hdev->le_tx_def_phys);
2267 hci_iso_qos_setup(hdev, le, &qos->ucast.in,
2268 le->le_rx_phy ? le->le_rx_phy : hdev->le_rx_def_phys);
2269
2270 cis = hci_bind_cis(hdev, dst, dst_type, qos);
2271 if (IS_ERR(cis)) {
2272 hci_conn_drop(le);
2273 return cis;
2274 }
2275
2276 link = hci_conn_link(le, cis);
2277 if (!link) {
2278 hci_conn_drop(le);
2279 hci_conn_drop(cis);
2280 return ERR_PTR(-ENOLINK);
2281 }
2282
2283 /* Link takes the refcount */
2284 hci_conn_drop(cis);
2285
2286 cis->state = BT_CONNECT;
2287
2288 hci_le_create_cis_pending(hdev);
2289
2290 return cis;
2291 }
2292
2293 /* Check link security requirement */
hci_conn_check_link_mode(struct hci_conn * conn)2294 int hci_conn_check_link_mode(struct hci_conn *conn)
2295 {
2296 BT_DBG("hcon %p", conn);
2297
2298 /* In Secure Connections Only mode, it is required that Secure
2299 * Connections is used and the link is encrypted with AES-CCM
2300 * using a P-256 authenticated combination key.
2301 */
2302 if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) {
2303 if (!hci_conn_sc_enabled(conn) ||
2304 !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2305 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
2306 return 0;
2307 }
2308
2309 /* AES encryption is required for Level 4:
2310 *
2311 * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C
2312 * page 1319:
2313 *
2314 * 128-bit equivalent strength for link and encryption keys
2315 * required using FIPS approved algorithms (E0 not allowed,
2316 * SAFER+ not allowed, and P-192 not allowed; encryption key
2317 * not shortened)
2318 */
2319 if (conn->sec_level == BT_SECURITY_FIPS &&
2320 !test_bit(HCI_CONN_AES_CCM, &conn->flags)) {
2321 bt_dev_err(conn->hdev,
2322 "Invalid security: Missing AES-CCM usage");
2323 return 0;
2324 }
2325
2326 if (hci_conn_ssp_enabled(conn) &&
2327 !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2328 return 0;
2329
2330 return 1;
2331 }
2332
2333 /* Authenticate remote device */
hci_conn_auth(struct hci_conn * conn,__u8 sec_level,__u8 auth_type)2334 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
2335 {
2336 BT_DBG("hcon %p", conn);
2337
2338 if (conn->pending_sec_level > sec_level)
2339 sec_level = conn->pending_sec_level;
2340
2341 if (sec_level > conn->sec_level)
2342 conn->pending_sec_level = sec_level;
2343 else if (test_bit(HCI_CONN_AUTH, &conn->flags))
2344 return 1;
2345
2346 /* Make sure we preserve an existing MITM requirement*/
2347 auth_type |= (conn->auth_type & 0x01);
2348
2349 conn->auth_type = auth_type;
2350
2351 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2352 struct hci_cp_auth_requested cp;
2353
2354 cp.handle = cpu_to_le16(conn->handle);
2355 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
2356 sizeof(cp), &cp);
2357
2358 /* Set the ENCRYPT_PEND to trigger encryption after
2359 * authentication.
2360 */
2361 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2362 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2363 }
2364
2365 return 0;
2366 }
2367
2368 /* Encrypt the link */
hci_conn_encrypt(struct hci_conn * conn)2369 static void hci_conn_encrypt(struct hci_conn *conn)
2370 {
2371 BT_DBG("hcon %p", conn);
2372
2373 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2374 struct hci_cp_set_conn_encrypt cp;
2375 cp.handle = cpu_to_le16(conn->handle);
2376 cp.encrypt = 0x01;
2377 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2378 &cp);
2379 }
2380 }
2381
2382 /* Enable security */
hci_conn_security(struct hci_conn * conn,__u8 sec_level,__u8 auth_type,bool initiator)2383 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
2384 bool initiator)
2385 {
2386 BT_DBG("hcon %p", conn);
2387
2388 if (conn->type == LE_LINK)
2389 return smp_conn_security(conn, sec_level);
2390
2391 /* For sdp we don't need the link key. */
2392 if (sec_level == BT_SECURITY_SDP)
2393 return 1;
2394
2395 /* For non 2.1 devices and low security level we don't need the link
2396 key. */
2397 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
2398 return 1;
2399
2400 /* For other security levels we need the link key. */
2401 if (!test_bit(HCI_CONN_AUTH, &conn->flags))
2402 goto auth;
2403
2404 switch (conn->key_type) {
2405 case HCI_LK_AUTH_COMBINATION_P256:
2406 /* An authenticated FIPS approved combination key has
2407 * sufficient security for security level 4 or lower.
2408 */
2409 if (sec_level <= BT_SECURITY_FIPS)
2410 goto encrypt;
2411 break;
2412 case HCI_LK_AUTH_COMBINATION_P192:
2413 /* An authenticated combination key has sufficient security for
2414 * security level 3 or lower.
2415 */
2416 if (sec_level <= BT_SECURITY_HIGH)
2417 goto encrypt;
2418 break;
2419 case HCI_LK_UNAUTH_COMBINATION_P192:
2420 case HCI_LK_UNAUTH_COMBINATION_P256:
2421 /* An unauthenticated combination key has sufficient security
2422 * for security level 2 or lower.
2423 */
2424 if (sec_level <= BT_SECURITY_MEDIUM)
2425 goto encrypt;
2426 break;
2427 case HCI_LK_COMBINATION:
2428 /* A combination key has always sufficient security for the
2429 * security levels 2 or lower. High security level requires the
2430 * combination key is generated using maximum PIN code length
2431 * (16). For pre 2.1 units.
2432 */
2433 if (sec_level <= BT_SECURITY_MEDIUM || conn->pin_length == 16)
2434 goto encrypt;
2435 break;
2436 default:
2437 break;
2438 }
2439
2440 auth:
2441 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
2442 return 0;
2443
2444 if (initiator)
2445 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2446
2447 if (!hci_conn_auth(conn, sec_level, auth_type))
2448 return 0;
2449
2450 encrypt:
2451 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) {
2452 /* Ensure that the encryption key size has been read,
2453 * otherwise stall the upper layer responses.
2454 */
2455 if (!conn->enc_key_size)
2456 return 0;
2457
2458 /* Nothing else needed, all requirements are met */
2459 return 1;
2460 }
2461
2462 hci_conn_encrypt(conn);
2463 return 0;
2464 }
2465 EXPORT_SYMBOL(hci_conn_security);
2466
2467 /* Check secure link requirement */
hci_conn_check_secure(struct hci_conn * conn,__u8 sec_level)2468 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
2469 {
2470 BT_DBG("hcon %p", conn);
2471
2472 /* Accept if non-secure or higher security level is required */
2473 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
2474 return 1;
2475
2476 /* Accept if secure or higher security level is already present */
2477 if (conn->sec_level == BT_SECURITY_HIGH ||
2478 conn->sec_level == BT_SECURITY_FIPS)
2479 return 1;
2480
2481 /* Reject not secure link */
2482 return 0;
2483 }
2484 EXPORT_SYMBOL(hci_conn_check_secure);
2485
2486 /* Switch role */
hci_conn_switch_role(struct hci_conn * conn,__u8 role)2487 int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
2488 {
2489 BT_DBG("hcon %p", conn);
2490
2491 if (role == conn->role)
2492 return 1;
2493
2494 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
2495 struct hci_cp_switch_role cp;
2496 bacpy(&cp.bdaddr, &conn->dst);
2497 cp.role = role;
2498 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
2499 }
2500
2501 return 0;
2502 }
2503 EXPORT_SYMBOL(hci_conn_switch_role);
2504
2505 /* Enter active mode */
hci_conn_enter_active_mode(struct hci_conn * conn,__u8 force_active)2506 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
2507 {
2508 struct hci_dev *hdev = conn->hdev;
2509
2510 BT_DBG("hcon %p mode %d", conn, conn->mode);
2511
2512 if (conn->mode != HCI_CM_SNIFF)
2513 goto timer;
2514
2515 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
2516 goto timer;
2517
2518 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
2519 struct hci_cp_exit_sniff_mode cp;
2520 cp.handle = cpu_to_le16(conn->handle);
2521 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
2522 }
2523
2524 timer:
2525 if (hdev->idle_timeout > 0)
2526 queue_delayed_work(hdev->workqueue, &conn->idle_work,
2527 msecs_to_jiffies(hdev->idle_timeout));
2528 }
2529
2530 /* Drop all connection on the device */
hci_conn_hash_flush(struct hci_dev * hdev)2531 void hci_conn_hash_flush(struct hci_dev *hdev)
2532 {
2533 struct list_head *head = &hdev->conn_hash.list;
2534 struct hci_conn *conn;
2535
2536 BT_DBG("hdev %s", hdev->name);
2537
2538 /* We should not traverse the list here, because hci_conn_del
2539 * can remove extra links, which may cause the list traversal
2540 * to hit items that have already been released.
2541 */
2542 while ((conn = list_first_entry_or_null(head,
2543 struct hci_conn,
2544 list)) != NULL) {
2545 conn->state = BT_CLOSED;
2546 hci_disconn_cfm(conn, HCI_ERROR_LOCAL_HOST_TERM);
2547 hci_conn_del(conn);
2548 }
2549 }
2550
get_link_mode(struct hci_conn * conn)2551 static u32 get_link_mode(struct hci_conn *conn)
2552 {
2553 u32 link_mode = 0;
2554
2555 if (conn->role == HCI_ROLE_MASTER)
2556 link_mode |= HCI_LM_MASTER;
2557
2558 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2559 link_mode |= HCI_LM_ENCRYPT;
2560
2561 if (test_bit(HCI_CONN_AUTH, &conn->flags))
2562 link_mode |= HCI_LM_AUTH;
2563
2564 if (test_bit(HCI_CONN_SECURE, &conn->flags))
2565 link_mode |= HCI_LM_SECURE;
2566
2567 if (test_bit(HCI_CONN_FIPS, &conn->flags))
2568 link_mode |= HCI_LM_FIPS;
2569
2570 return link_mode;
2571 }
2572
hci_get_conn_list(void __user * arg)2573 int hci_get_conn_list(void __user *arg)
2574 {
2575 struct hci_conn *c;
2576 struct hci_conn_list_req req, *cl;
2577 struct hci_conn_info *ci;
2578 struct hci_dev *hdev;
2579 int n = 0, size, err;
2580
2581 if (copy_from_user(&req, arg, sizeof(req)))
2582 return -EFAULT;
2583
2584 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
2585 return -EINVAL;
2586
2587 size = sizeof(req) + req.conn_num * sizeof(*ci);
2588
2589 cl = kmalloc(size, GFP_KERNEL);
2590 if (!cl)
2591 return -ENOMEM;
2592
2593 hdev = hci_dev_get(req.dev_id);
2594 if (!hdev) {
2595 kfree(cl);
2596 return -ENODEV;
2597 }
2598
2599 ci = cl->conn_info;
2600
2601 hci_dev_lock(hdev);
2602 list_for_each_entry(c, &hdev->conn_hash.list, list) {
2603 bacpy(&(ci + n)->bdaddr, &c->dst);
2604 (ci + n)->handle = c->handle;
2605 (ci + n)->type = c->type;
2606 (ci + n)->out = c->out;
2607 (ci + n)->state = c->state;
2608 (ci + n)->link_mode = get_link_mode(c);
2609 if (++n >= req.conn_num)
2610 break;
2611 }
2612 hci_dev_unlock(hdev);
2613
2614 cl->dev_id = hdev->id;
2615 cl->conn_num = n;
2616 size = sizeof(req) + n * sizeof(*ci);
2617
2618 hci_dev_put(hdev);
2619
2620 err = copy_to_user(arg, cl, size);
2621 kfree(cl);
2622
2623 return err ? -EFAULT : 0;
2624 }
2625
hci_get_conn_info(struct hci_dev * hdev,void __user * arg)2626 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
2627 {
2628 struct hci_conn_info_req req;
2629 struct hci_conn_info ci;
2630 struct hci_conn *conn;
2631 char __user *ptr = arg + sizeof(req);
2632
2633 if (copy_from_user(&req, arg, sizeof(req)))
2634 return -EFAULT;
2635
2636 hci_dev_lock(hdev);
2637 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
2638 if (conn) {
2639 bacpy(&ci.bdaddr, &conn->dst);
2640 ci.handle = conn->handle;
2641 ci.type = conn->type;
2642 ci.out = conn->out;
2643 ci.state = conn->state;
2644 ci.link_mode = get_link_mode(conn);
2645 }
2646 hci_dev_unlock(hdev);
2647
2648 if (!conn)
2649 return -ENOENT;
2650
2651 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
2652 }
2653
hci_get_auth_info(struct hci_dev * hdev,void __user * arg)2654 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
2655 {
2656 struct hci_auth_info_req req;
2657 struct hci_conn *conn;
2658
2659 if (copy_from_user(&req, arg, sizeof(req)))
2660 return -EFAULT;
2661
2662 hci_dev_lock(hdev);
2663 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
2664 if (conn)
2665 req.type = conn->auth_type;
2666 hci_dev_unlock(hdev);
2667
2668 if (!conn)
2669 return -ENOENT;
2670
2671 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
2672 }
2673
hci_chan_create(struct hci_conn * conn)2674 struct hci_chan *hci_chan_create(struct hci_conn *conn)
2675 {
2676 struct hci_dev *hdev = conn->hdev;
2677 struct hci_chan *chan;
2678
2679 BT_DBG("%s hcon %p", hdev->name, conn);
2680
2681 if (test_bit(HCI_CONN_DROP, &conn->flags)) {
2682 BT_DBG("Refusing to create new hci_chan");
2683 return NULL;
2684 }
2685
2686 chan = kzalloc(sizeof(*chan), GFP_KERNEL);
2687 if (!chan)
2688 return NULL;
2689
2690 chan->conn = hci_conn_get(conn);
2691 skb_queue_head_init(&chan->data_q);
2692 chan->state = BT_CONNECTED;
2693
2694 list_add_rcu(&chan->list, &conn->chan_list);
2695
2696 return chan;
2697 }
2698
hci_chan_del(struct hci_chan * chan)2699 void hci_chan_del(struct hci_chan *chan)
2700 {
2701 struct hci_conn *conn = chan->conn;
2702 struct hci_dev *hdev = conn->hdev;
2703
2704 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
2705
2706 list_del_rcu(&chan->list);
2707
2708 synchronize_rcu();
2709
2710 /* Prevent new hci_chan's to be created for this hci_conn */
2711 set_bit(HCI_CONN_DROP, &conn->flags);
2712
2713 hci_conn_put(conn);
2714
2715 skb_queue_purge(&chan->data_q);
2716 kfree(chan);
2717 }
2718
hci_chan_list_flush(struct hci_conn * conn)2719 void hci_chan_list_flush(struct hci_conn *conn)
2720 {
2721 struct hci_chan *chan, *n;
2722
2723 BT_DBG("hcon %p", conn);
2724
2725 list_for_each_entry_safe(chan, n, &conn->chan_list, list)
2726 hci_chan_del(chan);
2727 }
2728
__hci_chan_lookup_handle(struct hci_conn * hcon,__u16 handle)2729 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
2730 __u16 handle)
2731 {
2732 struct hci_chan *hchan;
2733
2734 list_for_each_entry(hchan, &hcon->chan_list, list) {
2735 if (hchan->handle == handle)
2736 return hchan;
2737 }
2738
2739 return NULL;
2740 }
2741
hci_chan_lookup_handle(struct hci_dev * hdev,__u16 handle)2742 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
2743 {
2744 struct hci_conn_hash *h = &hdev->conn_hash;
2745 struct hci_conn *hcon;
2746 struct hci_chan *hchan = NULL;
2747
2748 rcu_read_lock();
2749
2750 list_for_each_entry_rcu(hcon, &h->list, list) {
2751 hchan = __hci_chan_lookup_handle(hcon, handle);
2752 if (hchan)
2753 break;
2754 }
2755
2756 rcu_read_unlock();
2757
2758 return hchan;
2759 }
2760
hci_conn_get_phy(struct hci_conn * conn)2761 u32 hci_conn_get_phy(struct hci_conn *conn)
2762 {
2763 u32 phys = 0;
2764
2765 /* BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part B page 471:
2766 * Table 6.2: Packets defined for synchronous, asynchronous, and
2767 * CPB logical transport types.
2768 */
2769 switch (conn->type) {
2770 case SCO_LINK:
2771 /* SCO logical transport (1 Mb/s):
2772 * HV1, HV2, HV3 and DV.
2773 */
2774 phys |= BT_PHY_BR_1M_1SLOT;
2775
2776 break;
2777
2778 case ACL_LINK:
2779 /* ACL logical transport (1 Mb/s) ptt=0:
2780 * DH1, DM3, DH3, DM5 and DH5.
2781 */
2782 phys |= BT_PHY_BR_1M_1SLOT;
2783
2784 if (conn->pkt_type & (HCI_DM3 | HCI_DH3))
2785 phys |= BT_PHY_BR_1M_3SLOT;
2786
2787 if (conn->pkt_type & (HCI_DM5 | HCI_DH5))
2788 phys |= BT_PHY_BR_1M_5SLOT;
2789
2790 /* ACL logical transport (2 Mb/s) ptt=1:
2791 * 2-DH1, 2-DH3 and 2-DH5.
2792 */
2793 if (!(conn->pkt_type & HCI_2DH1))
2794 phys |= BT_PHY_EDR_2M_1SLOT;
2795
2796 if (!(conn->pkt_type & HCI_2DH3))
2797 phys |= BT_PHY_EDR_2M_3SLOT;
2798
2799 if (!(conn->pkt_type & HCI_2DH5))
2800 phys |= BT_PHY_EDR_2M_5SLOT;
2801
2802 /* ACL logical transport (3 Mb/s) ptt=1:
2803 * 3-DH1, 3-DH3 and 3-DH5.
2804 */
2805 if (!(conn->pkt_type & HCI_3DH1))
2806 phys |= BT_PHY_EDR_3M_1SLOT;
2807
2808 if (!(conn->pkt_type & HCI_3DH3))
2809 phys |= BT_PHY_EDR_3M_3SLOT;
2810
2811 if (!(conn->pkt_type & HCI_3DH5))
2812 phys |= BT_PHY_EDR_3M_5SLOT;
2813
2814 break;
2815
2816 case ESCO_LINK:
2817 /* eSCO logical transport (1 Mb/s): EV3, EV4 and EV5 */
2818 phys |= BT_PHY_BR_1M_1SLOT;
2819
2820 if (!(conn->pkt_type & (ESCO_EV4 | ESCO_EV5)))
2821 phys |= BT_PHY_BR_1M_3SLOT;
2822
2823 /* eSCO logical transport (2 Mb/s): 2-EV3, 2-EV5 */
2824 if (!(conn->pkt_type & ESCO_2EV3))
2825 phys |= BT_PHY_EDR_2M_1SLOT;
2826
2827 if (!(conn->pkt_type & ESCO_2EV5))
2828 phys |= BT_PHY_EDR_2M_3SLOT;
2829
2830 /* eSCO logical transport (3 Mb/s): 3-EV3, 3-EV5 */
2831 if (!(conn->pkt_type & ESCO_3EV3))
2832 phys |= BT_PHY_EDR_3M_1SLOT;
2833
2834 if (!(conn->pkt_type & ESCO_3EV5))
2835 phys |= BT_PHY_EDR_3M_3SLOT;
2836
2837 break;
2838
2839 case LE_LINK:
2840 if (conn->le_tx_phy & HCI_LE_SET_PHY_1M)
2841 phys |= BT_PHY_LE_1M_TX;
2842
2843 if (conn->le_rx_phy & HCI_LE_SET_PHY_1M)
2844 phys |= BT_PHY_LE_1M_RX;
2845
2846 if (conn->le_tx_phy & HCI_LE_SET_PHY_2M)
2847 phys |= BT_PHY_LE_2M_TX;
2848
2849 if (conn->le_rx_phy & HCI_LE_SET_PHY_2M)
2850 phys |= BT_PHY_LE_2M_RX;
2851
2852 if (conn->le_tx_phy & HCI_LE_SET_PHY_CODED)
2853 phys |= BT_PHY_LE_CODED_TX;
2854
2855 if (conn->le_rx_phy & HCI_LE_SET_PHY_CODED)
2856 phys |= BT_PHY_LE_CODED_RX;
2857
2858 break;
2859 }
2860
2861 return phys;
2862 }
2863
abort_conn_sync(struct hci_dev * hdev,void * data)2864 static int abort_conn_sync(struct hci_dev *hdev, void *data)
2865 {
2866 struct hci_conn *conn = data;
2867
2868 if (!hci_conn_valid(hdev, conn))
2869 return -ECANCELED;
2870
2871 return hci_abort_conn_sync(hdev, conn, conn->abort_reason);
2872 }
2873
hci_abort_conn(struct hci_conn * conn,u8 reason)2874 int hci_abort_conn(struct hci_conn *conn, u8 reason)
2875 {
2876 struct hci_dev *hdev = conn->hdev;
2877
2878 /* If abort_reason has already been set it means the connection is
2879 * already being aborted so don't attempt to overwrite it.
2880 */
2881 if (conn->abort_reason)
2882 return 0;
2883
2884 bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason);
2885
2886 conn->abort_reason = reason;
2887
2888 /* If the connection is pending check the command opcode since that
2889 * might be blocking on hci_cmd_sync_work while waiting its respective
2890 * event so we need to hci_cmd_sync_cancel to cancel it.
2891 *
2892 * hci_connect_le serializes the connection attempts so only one
2893 * connection can be in BT_CONNECT at time.
2894 */
2895 if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) {
2896 switch (hci_skb_event(hdev->sent_cmd)) {
2897 case HCI_EV_CONN_COMPLETE:
2898 case HCI_EV_LE_CONN_COMPLETE:
2899 case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
2900 case HCI_EVT_LE_CIS_ESTABLISHED:
2901 hci_cmd_sync_cancel(hdev, ECANCELED);
2902 break;
2903 }
2904 /* Cancel connect attempt if still queued/pending */
2905 } else if (!hci_cancel_connect_sync(hdev, conn)) {
2906 return 0;
2907 }
2908
2909 /* Run immediately if on cmd_sync_work since this may be called
2910 * as a result to MGMT_OP_DISCONNECT/MGMT_OP_UNPAIR which does
2911 * already queue its callback on cmd_sync_work.
2912 */
2913 return hci_cmd_sync_run_once(hdev, abort_conn_sync, conn, NULL);
2914 }
2915