1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 Copyright 2023 NXP 5 6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 7 8 This program is free software; you can redistribute it and/or modify 9 it under the terms of the GNU General Public License version 2 as 10 published by the Free Software Foundation; 11 12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 23 SOFTWARE IS DISCLAIMED. 24 */ 25 26 /* Bluetooth HCI connection handling. */ 27 28 #include <linux/export.h> 29 #include <linux/debugfs.h> 30 31 #include <net/bluetooth/bluetooth.h> 32 #include <net/bluetooth/hci_core.h> 33 #include <net/bluetooth/l2cap.h> 34 #include <net/bluetooth/iso.h> 35 #include <net/bluetooth/mgmt.h> 36 37 #include "hci_request.h" 38 #include "smp.h" 39 #include "eir.h" 40 41 struct sco_param { 42 u16 pkt_type; 43 u16 max_latency; 44 u8 retrans_effort; 45 }; 46 47 struct conn_handle_t { 48 struct hci_conn *conn; 49 __u16 handle; 50 }; 51 52 static const struct sco_param esco_param_cvsd[] = { 53 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */ 54 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */ 55 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */ 56 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */ 57 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */ 58 }; 59 60 static const struct sco_param sco_param_cvsd[] = { 61 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */ 62 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */ 63 }; 64 65 static const struct sco_param esco_param_msbc[] = { 66 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */ 67 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */ 68 }; 69 70 /* This function requires the caller holds hdev->lock */ 71 static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status) 72 { 73 struct hci_conn_params *params; 74 struct hci_dev *hdev = conn->hdev; 75 struct smp_irk *irk; 76 bdaddr_t *bdaddr; 77 u8 bdaddr_type; 78 79 bdaddr = &conn->dst; 80 bdaddr_type = conn->dst_type; 81 82 /* Check if we need to convert to identity address */ 83 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 84 if (irk) { 85 bdaddr = &irk->bdaddr; 86 bdaddr_type = irk->addr_type; 87 } 88 89 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr, 90 bdaddr_type); 91 if (!params) 92 return; 93 94 if (params->conn) { 95 hci_conn_drop(params->conn); 96 hci_conn_put(params->conn); 97 params->conn = NULL; 98 } 99 100 if (!params->explicit_connect) 101 return; 102 103 /* If the status indicates successful cancellation of 104 * the attempt (i.e. Unknown Connection Id) there's no point of 105 * notifying failure since we'll go back to keep trying to 106 * connect. The only exception is explicit connect requests 107 * where a timeout + cancel does indicate an actual failure. 108 */ 109 if (status && status != HCI_ERROR_UNKNOWN_CONN_ID) 110 mgmt_connect_failed(hdev, &conn->dst, conn->type, 111 conn->dst_type, status); 112 113 /* The connection attempt was doing scan for new RPA, and is 114 * in scan phase. If params are not associated with any other 115 * autoconnect action, remove them completely. If they are, just unmark 116 * them as waiting for connection, by clearing explicit_connect field. 117 */ 118 params->explicit_connect = false; 119 120 hci_pend_le_list_del_init(params); 121 122 switch (params->auto_connect) { 123 case HCI_AUTO_CONN_EXPLICIT: 124 hci_conn_params_del(hdev, bdaddr, bdaddr_type); 125 /* return instead of break to avoid duplicate scan update */ 126 return; 127 case HCI_AUTO_CONN_DIRECT: 128 case HCI_AUTO_CONN_ALWAYS: 129 hci_pend_le_list_add(params, &hdev->pend_le_conns); 130 break; 131 case HCI_AUTO_CONN_REPORT: 132 hci_pend_le_list_add(params, &hdev->pend_le_reports); 133 break; 134 default: 135 break; 136 } 137 138 hci_update_passive_scan(hdev); 139 } 140 141 static void hci_conn_cleanup(struct hci_conn *conn) 142 { 143 struct hci_dev *hdev = conn->hdev; 144 145 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags)) 146 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type); 147 148 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 149 hci_remove_link_key(hdev, &conn->dst); 150 151 hci_chan_list_flush(conn); 152 153 hci_conn_hash_del(hdev, conn); 154 155 if (HCI_CONN_HANDLE_UNSET(conn->handle)) 156 ida_free(&hdev->unset_handle_ida, conn->handle); 157 158 if (conn->cleanup) 159 conn->cleanup(conn); 160 161 if (conn->type == SCO_LINK || conn->type == ESCO_LINK) { 162 switch (conn->setting & SCO_AIRMODE_MASK) { 163 case SCO_AIRMODE_CVSD: 164 case SCO_AIRMODE_TRANSP: 165 if (hdev->notify) 166 hdev->notify(hdev, HCI_NOTIFY_DISABLE_SCO); 167 break; 168 } 169 } else { 170 if (hdev->notify) 171 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL); 172 } 173 174 debugfs_remove_recursive(conn->debugfs); 175 176 hci_conn_del_sysfs(conn); 177 178 hci_dev_put(hdev); 179 } 180 181 static void hci_acl_create_connection(struct hci_conn *conn) 182 { 183 struct hci_dev *hdev = conn->hdev; 184 struct inquiry_entry *ie; 185 struct hci_cp_create_conn cp; 186 187 BT_DBG("hcon %p", conn); 188 189 /* Many controllers disallow HCI Create Connection while it is doing 190 * HCI Inquiry. So we cancel the Inquiry first before issuing HCI Create 191 * Connection. This may cause the MGMT discovering state to become false 192 * without user space's request but it is okay since the MGMT Discovery 193 * APIs do not promise that discovery should be done forever. Instead, 194 * the user space monitors the status of MGMT discovering and it may 195 * request for discovery again when this flag becomes false. 196 */ 197 if (test_bit(HCI_INQUIRY, &hdev->flags)) { 198 /* Put this connection to "pending" state so that it will be 199 * executed after the inquiry cancel command complete event. 200 */ 201 conn->state = BT_CONNECT2; 202 hci_send_cmd(hdev, HCI_OP_INQUIRY_CANCEL, 0, NULL); 203 return; 204 } 205 206 conn->state = BT_CONNECT; 207 conn->out = true; 208 conn->role = HCI_ROLE_MASTER; 209 210 conn->attempt++; 211 212 conn->link_policy = hdev->link_policy; 213 214 memset(&cp, 0, sizeof(cp)); 215 bacpy(&cp.bdaddr, &conn->dst); 216 cp.pscan_rep_mode = 0x02; 217 218 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 219 if (ie) { 220 if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) { 221 cp.pscan_rep_mode = ie->data.pscan_rep_mode; 222 cp.pscan_mode = ie->data.pscan_mode; 223 cp.clock_offset = ie->data.clock_offset | 224 cpu_to_le16(0x8000); 225 } 226 227 memcpy(conn->dev_class, ie->data.dev_class, 3); 228 } 229 230 cp.pkt_type = cpu_to_le16(conn->pkt_type); 231 if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER)) 232 cp.role_switch = 0x01; 233 else 234 cp.role_switch = 0x00; 235 236 hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp); 237 } 238 239 int hci_disconnect(struct hci_conn *conn, __u8 reason) 240 { 241 BT_DBG("hcon %p", conn); 242 243 /* When we are central of an established connection and it enters 244 * the disconnect timeout, then go ahead and try to read the 245 * current clock offset. Processing of the result is done 246 * within the event handling and hci_clock_offset_evt function. 247 */ 248 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER && 249 (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) { 250 struct hci_dev *hdev = conn->hdev; 251 struct hci_cp_read_clock_offset clkoff_cp; 252 253 clkoff_cp.handle = cpu_to_le16(conn->handle); 254 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp), 255 &clkoff_cp); 256 } 257 258 return hci_abort_conn(conn, reason); 259 } 260 261 static void hci_add_sco(struct hci_conn *conn, __u16 handle) 262 { 263 struct hci_dev *hdev = conn->hdev; 264 struct hci_cp_add_sco cp; 265 266 BT_DBG("hcon %p", conn); 267 268 conn->state = BT_CONNECT; 269 conn->out = true; 270 271 conn->attempt++; 272 273 cp.handle = cpu_to_le16(handle); 274 cp.pkt_type = cpu_to_le16(conn->pkt_type); 275 276 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp); 277 } 278 279 static bool find_next_esco_param(struct hci_conn *conn, 280 const struct sco_param *esco_param, int size) 281 { 282 if (!conn->parent) 283 return false; 284 285 for (; conn->attempt <= size; conn->attempt++) { 286 if (lmp_esco_2m_capable(conn->parent) || 287 (esco_param[conn->attempt - 1].pkt_type & ESCO_2EV3)) 288 break; 289 BT_DBG("hcon %p skipped attempt %d, eSCO 2M not supported", 290 conn, conn->attempt); 291 } 292 293 return conn->attempt <= size; 294 } 295 296 static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec) 297 { 298 int err; 299 __u8 vnd_len, *vnd_data = NULL; 300 struct hci_op_configure_data_path *cmd = NULL; 301 302 if (!codec->data_path || !hdev->get_codec_config_data) 303 return 0; 304 305 /* Do not take me as error */ 306 if (!hdev->get_codec_config_data) 307 return 0; 308 309 err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len, 310 &vnd_data); 311 if (err < 0) 312 goto error; 313 314 cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL); 315 if (!cmd) { 316 err = -ENOMEM; 317 goto error; 318 } 319 320 err = hdev->get_data_path_id(hdev, &cmd->data_path_id); 321 if (err < 0) 322 goto error; 323 324 cmd->vnd_len = vnd_len; 325 memcpy(cmd->vnd_data, vnd_data, vnd_len); 326 327 cmd->direction = 0x00; 328 __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH, 329 sizeof(*cmd) + vnd_len, cmd, HCI_CMD_TIMEOUT); 330 331 cmd->direction = 0x01; 332 err = __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH, 333 sizeof(*cmd) + vnd_len, cmd, 334 HCI_CMD_TIMEOUT); 335 error: 336 337 kfree(cmd); 338 kfree(vnd_data); 339 return err; 340 } 341 342 static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data) 343 { 344 struct conn_handle_t *conn_handle = data; 345 struct hci_conn *conn = conn_handle->conn; 346 __u16 handle = conn_handle->handle; 347 struct hci_cp_enhanced_setup_sync_conn cp; 348 const struct sco_param *param; 349 350 kfree(conn_handle); 351 352 bt_dev_dbg(hdev, "hcon %p", conn); 353 354 configure_datapath_sync(hdev, &conn->codec); 355 356 conn->state = BT_CONNECT; 357 conn->out = true; 358 359 conn->attempt++; 360 361 memset(&cp, 0x00, sizeof(cp)); 362 363 cp.handle = cpu_to_le16(handle); 364 365 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 366 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 367 368 switch (conn->codec.id) { 369 case BT_CODEC_MSBC: 370 if (!find_next_esco_param(conn, esco_param_msbc, 371 ARRAY_SIZE(esco_param_msbc))) 372 return -EINVAL; 373 374 param = &esco_param_msbc[conn->attempt - 1]; 375 cp.tx_coding_format.id = 0x05; 376 cp.rx_coding_format.id = 0x05; 377 cp.tx_codec_frame_size = __cpu_to_le16(60); 378 cp.rx_codec_frame_size = __cpu_to_le16(60); 379 cp.in_bandwidth = __cpu_to_le32(32000); 380 cp.out_bandwidth = __cpu_to_le32(32000); 381 cp.in_coding_format.id = 0x04; 382 cp.out_coding_format.id = 0x04; 383 cp.in_coded_data_size = __cpu_to_le16(16); 384 cp.out_coded_data_size = __cpu_to_le16(16); 385 cp.in_pcm_data_format = 2; 386 cp.out_pcm_data_format = 2; 387 cp.in_pcm_sample_payload_msb_pos = 0; 388 cp.out_pcm_sample_payload_msb_pos = 0; 389 cp.in_data_path = conn->codec.data_path; 390 cp.out_data_path = conn->codec.data_path; 391 cp.in_transport_unit_size = 1; 392 cp.out_transport_unit_size = 1; 393 break; 394 395 case BT_CODEC_TRANSPARENT: 396 if (!find_next_esco_param(conn, esco_param_msbc, 397 ARRAY_SIZE(esco_param_msbc))) 398 return false; 399 param = &esco_param_msbc[conn->attempt - 1]; 400 cp.tx_coding_format.id = 0x03; 401 cp.rx_coding_format.id = 0x03; 402 cp.tx_codec_frame_size = __cpu_to_le16(60); 403 cp.rx_codec_frame_size = __cpu_to_le16(60); 404 cp.in_bandwidth = __cpu_to_le32(0x1f40); 405 cp.out_bandwidth = __cpu_to_le32(0x1f40); 406 cp.in_coding_format.id = 0x03; 407 cp.out_coding_format.id = 0x03; 408 cp.in_coded_data_size = __cpu_to_le16(16); 409 cp.out_coded_data_size = __cpu_to_le16(16); 410 cp.in_pcm_data_format = 2; 411 cp.out_pcm_data_format = 2; 412 cp.in_pcm_sample_payload_msb_pos = 0; 413 cp.out_pcm_sample_payload_msb_pos = 0; 414 cp.in_data_path = conn->codec.data_path; 415 cp.out_data_path = conn->codec.data_path; 416 cp.in_transport_unit_size = 1; 417 cp.out_transport_unit_size = 1; 418 break; 419 420 case BT_CODEC_CVSD: 421 if (conn->parent && lmp_esco_capable(conn->parent)) { 422 if (!find_next_esco_param(conn, esco_param_cvsd, 423 ARRAY_SIZE(esco_param_cvsd))) 424 return -EINVAL; 425 param = &esco_param_cvsd[conn->attempt - 1]; 426 } else { 427 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd)) 428 return -EINVAL; 429 param = &sco_param_cvsd[conn->attempt - 1]; 430 } 431 cp.tx_coding_format.id = 2; 432 cp.rx_coding_format.id = 2; 433 cp.tx_codec_frame_size = __cpu_to_le16(60); 434 cp.rx_codec_frame_size = __cpu_to_le16(60); 435 cp.in_bandwidth = __cpu_to_le32(16000); 436 cp.out_bandwidth = __cpu_to_le32(16000); 437 cp.in_coding_format.id = 4; 438 cp.out_coding_format.id = 4; 439 cp.in_coded_data_size = __cpu_to_le16(16); 440 cp.out_coded_data_size = __cpu_to_le16(16); 441 cp.in_pcm_data_format = 2; 442 cp.out_pcm_data_format = 2; 443 cp.in_pcm_sample_payload_msb_pos = 0; 444 cp.out_pcm_sample_payload_msb_pos = 0; 445 cp.in_data_path = conn->codec.data_path; 446 cp.out_data_path = conn->codec.data_path; 447 cp.in_transport_unit_size = 16; 448 cp.out_transport_unit_size = 16; 449 break; 450 default: 451 return -EINVAL; 452 } 453 454 cp.retrans_effort = param->retrans_effort; 455 cp.pkt_type = __cpu_to_le16(param->pkt_type); 456 cp.max_latency = __cpu_to_le16(param->max_latency); 457 458 if (hci_send_cmd(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0) 459 return -EIO; 460 461 return 0; 462 } 463 464 static bool hci_setup_sync_conn(struct hci_conn *conn, __u16 handle) 465 { 466 struct hci_dev *hdev = conn->hdev; 467 struct hci_cp_setup_sync_conn cp; 468 const struct sco_param *param; 469 470 bt_dev_dbg(hdev, "hcon %p", conn); 471 472 conn->state = BT_CONNECT; 473 conn->out = true; 474 475 conn->attempt++; 476 477 cp.handle = cpu_to_le16(handle); 478 479 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 480 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 481 cp.voice_setting = cpu_to_le16(conn->setting); 482 483 switch (conn->setting & SCO_AIRMODE_MASK) { 484 case SCO_AIRMODE_TRANSP: 485 if (!find_next_esco_param(conn, esco_param_msbc, 486 ARRAY_SIZE(esco_param_msbc))) 487 return false; 488 param = &esco_param_msbc[conn->attempt - 1]; 489 break; 490 case SCO_AIRMODE_CVSD: 491 if (conn->parent && lmp_esco_capable(conn->parent)) { 492 if (!find_next_esco_param(conn, esco_param_cvsd, 493 ARRAY_SIZE(esco_param_cvsd))) 494 return false; 495 param = &esco_param_cvsd[conn->attempt - 1]; 496 } else { 497 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd)) 498 return false; 499 param = &sco_param_cvsd[conn->attempt - 1]; 500 } 501 break; 502 default: 503 return false; 504 } 505 506 cp.retrans_effort = param->retrans_effort; 507 cp.pkt_type = __cpu_to_le16(param->pkt_type); 508 cp.max_latency = __cpu_to_le16(param->max_latency); 509 510 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0) 511 return false; 512 513 return true; 514 } 515 516 bool hci_setup_sync(struct hci_conn *conn, __u16 handle) 517 { 518 int result; 519 struct conn_handle_t *conn_handle; 520 521 if (enhanced_sync_conn_capable(conn->hdev)) { 522 conn_handle = kzalloc(sizeof(*conn_handle), GFP_KERNEL); 523 524 if (!conn_handle) 525 return false; 526 527 conn_handle->conn = conn; 528 conn_handle->handle = handle; 529 result = hci_cmd_sync_queue(conn->hdev, hci_enhanced_setup_sync, 530 conn_handle, NULL); 531 if (result < 0) 532 kfree(conn_handle); 533 534 return result == 0; 535 } 536 537 return hci_setup_sync_conn(conn, handle); 538 } 539 540 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency, 541 u16 to_multiplier) 542 { 543 struct hci_dev *hdev = conn->hdev; 544 struct hci_conn_params *params; 545 struct hci_cp_le_conn_update cp; 546 547 hci_dev_lock(hdev); 548 549 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 550 if (params) { 551 params->conn_min_interval = min; 552 params->conn_max_interval = max; 553 params->conn_latency = latency; 554 params->supervision_timeout = to_multiplier; 555 } 556 557 hci_dev_unlock(hdev); 558 559 memset(&cp, 0, sizeof(cp)); 560 cp.handle = cpu_to_le16(conn->handle); 561 cp.conn_interval_min = cpu_to_le16(min); 562 cp.conn_interval_max = cpu_to_le16(max); 563 cp.conn_latency = cpu_to_le16(latency); 564 cp.supervision_timeout = cpu_to_le16(to_multiplier); 565 cp.min_ce_len = cpu_to_le16(0x0000); 566 cp.max_ce_len = cpu_to_le16(0x0000); 567 568 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp); 569 570 if (params) 571 return 0x01; 572 573 return 0x00; 574 } 575 576 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand, 577 __u8 ltk[16], __u8 key_size) 578 { 579 struct hci_dev *hdev = conn->hdev; 580 struct hci_cp_le_start_enc cp; 581 582 BT_DBG("hcon %p", conn); 583 584 memset(&cp, 0, sizeof(cp)); 585 586 cp.handle = cpu_to_le16(conn->handle); 587 cp.rand = rand; 588 cp.ediv = ediv; 589 memcpy(cp.ltk, ltk, key_size); 590 591 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp); 592 } 593 594 /* Device _must_ be locked */ 595 void hci_sco_setup(struct hci_conn *conn, __u8 status) 596 { 597 struct hci_link *link; 598 599 link = list_first_entry_or_null(&conn->link_list, struct hci_link, list); 600 if (!link || !link->conn) 601 return; 602 603 BT_DBG("hcon %p", conn); 604 605 if (!status) { 606 if (lmp_esco_capable(conn->hdev)) 607 hci_setup_sync(link->conn, conn->handle); 608 else 609 hci_add_sco(link->conn, conn->handle); 610 } else { 611 hci_connect_cfm(link->conn, status); 612 hci_conn_del(link->conn); 613 } 614 } 615 616 static void hci_conn_timeout(struct work_struct *work) 617 { 618 struct hci_conn *conn = container_of(work, struct hci_conn, 619 disc_work.work); 620 int refcnt = atomic_read(&conn->refcnt); 621 622 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state)); 623 624 WARN_ON(refcnt < 0); 625 626 /* FIXME: It was observed that in pairing failed scenario, refcnt 627 * drops below 0. Probably this is because l2cap_conn_del calls 628 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is 629 * dropped. After that loop hci_chan_del is called which also drops 630 * conn. For now make sure that ACL is alive if refcnt is higher then 0, 631 * otherwise drop it. 632 */ 633 if (refcnt > 0) 634 return; 635 636 hci_abort_conn(conn, hci_proto_disconn_ind(conn)); 637 } 638 639 /* Enter sniff mode */ 640 static void hci_conn_idle(struct work_struct *work) 641 { 642 struct hci_conn *conn = container_of(work, struct hci_conn, 643 idle_work.work); 644 struct hci_dev *hdev = conn->hdev; 645 646 BT_DBG("hcon %p mode %d", conn, conn->mode); 647 648 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn)) 649 return; 650 651 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF)) 652 return; 653 654 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) { 655 struct hci_cp_sniff_subrate cp; 656 cp.handle = cpu_to_le16(conn->handle); 657 cp.max_latency = cpu_to_le16(0); 658 cp.min_remote_timeout = cpu_to_le16(0); 659 cp.min_local_timeout = cpu_to_le16(0); 660 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp); 661 } 662 663 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) { 664 struct hci_cp_sniff_mode cp; 665 cp.handle = cpu_to_le16(conn->handle); 666 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval); 667 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval); 668 cp.attempt = cpu_to_le16(4); 669 cp.timeout = cpu_to_le16(1); 670 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp); 671 } 672 } 673 674 static void hci_conn_auto_accept(struct work_struct *work) 675 { 676 struct hci_conn *conn = container_of(work, struct hci_conn, 677 auto_accept_work.work); 678 679 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst), 680 &conn->dst); 681 } 682 683 static void le_disable_advertising(struct hci_dev *hdev) 684 { 685 if (ext_adv_capable(hdev)) { 686 struct hci_cp_le_set_ext_adv_enable cp; 687 688 cp.enable = 0x00; 689 cp.num_of_sets = 0x00; 690 691 hci_send_cmd(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE, sizeof(cp), 692 &cp); 693 } else { 694 u8 enable = 0x00; 695 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), 696 &enable); 697 } 698 } 699 700 static void le_conn_timeout(struct work_struct *work) 701 { 702 struct hci_conn *conn = container_of(work, struct hci_conn, 703 le_conn_timeout.work); 704 struct hci_dev *hdev = conn->hdev; 705 706 BT_DBG(""); 707 708 /* We could end up here due to having done directed advertising, 709 * so clean up the state if necessary. This should however only 710 * happen with broken hardware or if low duty cycle was used 711 * (which doesn't have a timeout of its own). 712 */ 713 if (conn->role == HCI_ROLE_SLAVE) { 714 /* Disable LE Advertising */ 715 le_disable_advertising(hdev); 716 hci_dev_lock(hdev); 717 hci_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT); 718 hci_dev_unlock(hdev); 719 return; 720 } 721 722 hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM); 723 } 724 725 struct iso_cig_params { 726 struct hci_cp_le_set_cig_params cp; 727 struct hci_cis_params cis[0x1f]; 728 }; 729 730 struct iso_list_data { 731 union { 732 u8 cig; 733 u8 big; 734 }; 735 union { 736 u8 cis; 737 u8 bis; 738 u16 sync_handle; 739 }; 740 int count; 741 bool big_term; 742 bool pa_sync_term; 743 bool big_sync_term; 744 }; 745 746 static void bis_list(struct hci_conn *conn, void *data) 747 { 748 struct iso_list_data *d = data; 749 750 /* Skip if not broadcast/ANY address */ 751 if (bacmp(&conn->dst, BDADDR_ANY)) 752 return; 753 754 if (d->big != conn->iso_qos.bcast.big || d->bis == BT_ISO_QOS_BIS_UNSET || 755 d->bis != conn->iso_qos.bcast.bis) 756 return; 757 758 d->count++; 759 } 760 761 static int terminate_big_sync(struct hci_dev *hdev, void *data) 762 { 763 struct iso_list_data *d = data; 764 765 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", d->big, d->bis); 766 767 hci_disable_per_advertising_sync(hdev, d->bis); 768 hci_remove_ext_adv_instance_sync(hdev, d->bis, NULL); 769 770 /* Only terminate BIG if it has been created */ 771 if (!d->big_term) 772 return 0; 773 774 return hci_le_terminate_big_sync(hdev, d->big, 775 HCI_ERROR_LOCAL_HOST_TERM); 776 } 777 778 static void terminate_big_destroy(struct hci_dev *hdev, void *data, int err) 779 { 780 kfree(data); 781 } 782 783 static int hci_le_terminate_big(struct hci_dev *hdev, struct hci_conn *conn) 784 { 785 struct iso_list_data *d; 786 int ret; 787 788 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", conn->iso_qos.bcast.big, 789 conn->iso_qos.bcast.bis); 790 791 d = kzalloc(sizeof(*d), GFP_KERNEL); 792 if (!d) 793 return -ENOMEM; 794 795 d->big = conn->iso_qos.bcast.big; 796 d->bis = conn->iso_qos.bcast.bis; 797 d->big_term = test_and_clear_bit(HCI_CONN_BIG_CREATED, &conn->flags); 798 799 ret = hci_cmd_sync_queue(hdev, terminate_big_sync, d, 800 terminate_big_destroy); 801 if (ret) 802 kfree(d); 803 804 return ret; 805 } 806 807 static int big_terminate_sync(struct hci_dev *hdev, void *data) 808 { 809 struct iso_list_data *d = data; 810 811 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", d->big, 812 d->sync_handle); 813 814 if (d->big_sync_term) 815 hci_le_big_terminate_sync(hdev, d->big); 816 817 if (d->pa_sync_term) 818 return hci_le_pa_terminate_sync(hdev, d->sync_handle); 819 820 return 0; 821 } 822 823 static int hci_le_big_terminate(struct hci_dev *hdev, u8 big, struct hci_conn *conn) 824 { 825 struct iso_list_data *d; 826 int ret; 827 828 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", big, conn->sync_handle); 829 830 d = kzalloc(sizeof(*d), GFP_KERNEL); 831 if (!d) 832 return -ENOMEM; 833 834 d->big = big; 835 d->sync_handle = conn->sync_handle; 836 d->pa_sync_term = test_and_clear_bit(HCI_CONN_PA_SYNC, &conn->flags); 837 d->big_sync_term = test_and_clear_bit(HCI_CONN_BIG_SYNC, &conn->flags); 838 839 ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d, 840 terminate_big_destroy); 841 if (ret) 842 kfree(d); 843 844 return ret; 845 } 846 847 /* Cleanup BIS connection 848 * 849 * Detects if there any BIS left connected in a BIG 850 * broadcaster: Remove advertising instance and terminate BIG. 851 * broadcaster receiver: Teminate BIG sync and terminate PA sync. 852 */ 853 static void bis_cleanup(struct hci_conn *conn) 854 { 855 struct hci_dev *hdev = conn->hdev; 856 struct hci_conn *bis; 857 858 bt_dev_dbg(hdev, "conn %p", conn); 859 860 if (conn->role == HCI_ROLE_MASTER) { 861 if (!test_and_clear_bit(HCI_CONN_PER_ADV, &conn->flags)) 862 return; 863 864 /* Check if ISO connection is a BIS and terminate advertising 865 * set and BIG if there are no other connections using it. 866 */ 867 bis = hci_conn_hash_lookup_big(hdev, conn->iso_qos.bcast.big); 868 if (bis) 869 return; 870 871 hci_le_terminate_big(hdev, conn); 872 } else { 873 bis = hci_conn_hash_lookup_big_any_dst(hdev, 874 conn->iso_qos.bcast.big); 875 876 if (bis) 877 return; 878 879 hci_le_big_terminate(hdev, conn->iso_qos.bcast.big, 880 conn); 881 } 882 } 883 884 static int remove_cig_sync(struct hci_dev *hdev, void *data) 885 { 886 u8 handle = PTR_UINT(data); 887 888 return hci_le_remove_cig_sync(hdev, handle); 889 } 890 891 static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle) 892 { 893 bt_dev_dbg(hdev, "handle 0x%2.2x", handle); 894 895 return hci_cmd_sync_queue(hdev, remove_cig_sync, UINT_PTR(handle), 896 NULL); 897 } 898 899 static void find_cis(struct hci_conn *conn, void *data) 900 { 901 struct iso_list_data *d = data; 902 903 /* Ignore broadcast or if CIG don't match */ 904 if (!bacmp(&conn->dst, BDADDR_ANY) || d->cig != conn->iso_qos.ucast.cig) 905 return; 906 907 d->count++; 908 } 909 910 /* Cleanup CIS connection: 911 * 912 * Detects if there any CIS left connected in a CIG and remove it. 913 */ 914 static void cis_cleanup(struct hci_conn *conn) 915 { 916 struct hci_dev *hdev = conn->hdev; 917 struct iso_list_data d; 918 919 if (conn->iso_qos.ucast.cig == BT_ISO_QOS_CIG_UNSET) 920 return; 921 922 memset(&d, 0, sizeof(d)); 923 d.cig = conn->iso_qos.ucast.cig; 924 925 /* Check if ISO connection is a CIS and remove CIG if there are 926 * no other connections using it. 927 */ 928 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_BOUND, &d); 929 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECT, &d); 930 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECTED, &d); 931 if (d.count) 932 return; 933 934 hci_le_remove_cig(hdev, conn->iso_qos.ucast.cig); 935 } 936 937 static int hci_conn_hash_alloc_unset(struct hci_dev *hdev) 938 { 939 return ida_alloc_range(&hdev->unset_handle_ida, HCI_CONN_HANDLE_MAX + 1, 940 U16_MAX, GFP_ATOMIC); 941 } 942 943 static struct hci_conn *__hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst, 944 u8 role, u16 handle) 945 { 946 struct hci_conn *conn; 947 948 switch (type) { 949 case ACL_LINK: 950 if (!hdev->acl_mtu) 951 return ERR_PTR(-ECONNREFUSED); 952 break; 953 case ISO_LINK: 954 if (hdev->iso_mtu) 955 /* Dedicated ISO Buffer exists */ 956 break; 957 fallthrough; 958 case LE_LINK: 959 if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU) 960 return ERR_PTR(-ECONNREFUSED); 961 if (!hdev->le_mtu && hdev->acl_mtu < HCI_MIN_LE_MTU) 962 return ERR_PTR(-ECONNREFUSED); 963 break; 964 case SCO_LINK: 965 case ESCO_LINK: 966 if (!hdev->sco_pkts) 967 /* Controller does not support SCO or eSCO over HCI */ 968 return ERR_PTR(-ECONNREFUSED); 969 break; 970 default: 971 return ERR_PTR(-ECONNREFUSED); 972 } 973 974 bt_dev_dbg(hdev, "dst %pMR handle 0x%4.4x", dst, handle); 975 976 conn = kzalloc(sizeof(*conn), GFP_KERNEL); 977 if (!conn) 978 return ERR_PTR(-ENOMEM); 979 980 bacpy(&conn->dst, dst); 981 bacpy(&conn->src, &hdev->bdaddr); 982 conn->handle = handle; 983 conn->hdev = hdev; 984 conn->type = type; 985 conn->role = role; 986 conn->mode = HCI_CM_ACTIVE; 987 conn->state = BT_OPEN; 988 conn->auth_type = HCI_AT_GENERAL_BONDING; 989 conn->io_capability = hdev->io_capability; 990 conn->remote_auth = 0xff; 991 conn->key_type = 0xff; 992 conn->rssi = HCI_RSSI_INVALID; 993 conn->tx_power = HCI_TX_POWER_INVALID; 994 conn->max_tx_power = HCI_TX_POWER_INVALID; 995 conn->sync_handle = HCI_SYNC_HANDLE_INVALID; 996 997 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 998 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 999 1000 /* Set Default Authenticated payload timeout to 30s */ 1001 conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT; 1002 1003 if (conn->role == HCI_ROLE_MASTER) 1004 conn->out = true; 1005 1006 switch (type) { 1007 case ACL_LINK: 1008 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK; 1009 conn->mtu = hdev->acl_mtu; 1010 break; 1011 case LE_LINK: 1012 /* conn->src should reflect the local identity address */ 1013 hci_copy_identity_address(hdev, &conn->src, &conn->src_type); 1014 conn->mtu = hdev->le_mtu ? hdev->le_mtu : hdev->acl_mtu; 1015 break; 1016 case ISO_LINK: 1017 /* conn->src should reflect the local identity address */ 1018 hci_copy_identity_address(hdev, &conn->src, &conn->src_type); 1019 1020 /* set proper cleanup function */ 1021 if (!bacmp(dst, BDADDR_ANY)) 1022 conn->cleanup = bis_cleanup; 1023 else if (conn->role == HCI_ROLE_MASTER) 1024 conn->cleanup = cis_cleanup; 1025 1026 conn->mtu = hdev->iso_mtu ? hdev->iso_mtu : 1027 hdev->le_mtu ? hdev->le_mtu : hdev->acl_mtu; 1028 break; 1029 case SCO_LINK: 1030 if (lmp_esco_capable(hdev)) 1031 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 1032 (hdev->esco_type & EDR_ESCO_MASK); 1033 else 1034 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK; 1035 1036 conn->mtu = hdev->sco_mtu; 1037 break; 1038 case ESCO_LINK: 1039 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK; 1040 conn->mtu = hdev->sco_mtu; 1041 break; 1042 } 1043 1044 skb_queue_head_init(&conn->data_q); 1045 1046 INIT_LIST_HEAD(&conn->chan_list); 1047 INIT_LIST_HEAD(&conn->link_list); 1048 1049 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout); 1050 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept); 1051 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle); 1052 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout); 1053 1054 atomic_set(&conn->refcnt, 0); 1055 1056 hci_dev_hold(hdev); 1057 1058 hci_conn_hash_add(hdev, conn); 1059 1060 /* The SCO and eSCO connections will only be notified when their 1061 * setup has been completed. This is different to ACL links which 1062 * can be notified right away. 1063 */ 1064 if (conn->type != SCO_LINK && conn->type != ESCO_LINK) { 1065 if (hdev->notify) 1066 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD); 1067 } 1068 1069 hci_conn_init_sysfs(conn); 1070 1071 return conn; 1072 } 1073 1074 struct hci_conn *hci_conn_add_unset(struct hci_dev *hdev, int type, 1075 bdaddr_t *dst, u8 role) 1076 { 1077 int handle; 1078 1079 bt_dev_dbg(hdev, "dst %pMR", dst); 1080 1081 handle = hci_conn_hash_alloc_unset(hdev); 1082 if (unlikely(handle < 0)) 1083 return ERR_PTR(-ECONNREFUSED); 1084 1085 return __hci_conn_add(hdev, type, dst, role, handle); 1086 } 1087 1088 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst, 1089 u8 role, u16 handle) 1090 { 1091 if (handle > HCI_CONN_HANDLE_MAX) 1092 return ERR_PTR(-EINVAL); 1093 1094 return __hci_conn_add(hdev, type, dst, role, handle); 1095 } 1096 1097 static void hci_conn_cleanup_child(struct hci_conn *conn, u8 reason) 1098 { 1099 if (!reason) 1100 reason = HCI_ERROR_REMOTE_USER_TERM; 1101 1102 /* Due to race, SCO/ISO conn might be not established yet at this point, 1103 * and nothing else will clean it up. In other cases it is done via HCI 1104 * events. 1105 */ 1106 switch (conn->type) { 1107 case SCO_LINK: 1108 case ESCO_LINK: 1109 if (HCI_CONN_HANDLE_UNSET(conn->handle)) 1110 hci_conn_failed(conn, reason); 1111 break; 1112 case ISO_LINK: 1113 if (conn->state != BT_CONNECTED && 1114 !test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) 1115 hci_conn_failed(conn, reason); 1116 break; 1117 } 1118 } 1119 1120 static void hci_conn_unlink(struct hci_conn *conn) 1121 { 1122 struct hci_dev *hdev = conn->hdev; 1123 1124 bt_dev_dbg(hdev, "hcon %p", conn); 1125 1126 if (!conn->parent) { 1127 struct hci_link *link, *t; 1128 1129 list_for_each_entry_safe(link, t, &conn->link_list, list) { 1130 struct hci_conn *child = link->conn; 1131 1132 hci_conn_unlink(child); 1133 1134 /* If hdev is down it means 1135 * hci_dev_close_sync/hci_conn_hash_flush is in progress 1136 * and links don't need to be cleanup as all connections 1137 * would be cleanup. 1138 */ 1139 if (!test_bit(HCI_UP, &hdev->flags)) 1140 continue; 1141 1142 hci_conn_cleanup_child(child, conn->abort_reason); 1143 } 1144 1145 return; 1146 } 1147 1148 if (!conn->link) 1149 return; 1150 1151 list_del_rcu(&conn->link->list); 1152 synchronize_rcu(); 1153 1154 hci_conn_drop(conn->parent); 1155 hci_conn_put(conn->parent); 1156 conn->parent = NULL; 1157 1158 kfree(conn->link); 1159 conn->link = NULL; 1160 } 1161 1162 void hci_conn_del(struct hci_conn *conn) 1163 { 1164 struct hci_dev *hdev = conn->hdev; 1165 1166 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle); 1167 1168 hci_conn_unlink(conn); 1169 1170 cancel_delayed_work_sync(&conn->disc_work); 1171 cancel_delayed_work_sync(&conn->auto_accept_work); 1172 cancel_delayed_work_sync(&conn->idle_work); 1173 1174 if (conn->type == ACL_LINK) { 1175 /* Unacked frames */ 1176 hdev->acl_cnt += conn->sent; 1177 } else if (conn->type == LE_LINK) { 1178 cancel_delayed_work(&conn->le_conn_timeout); 1179 1180 if (hdev->le_pkts) 1181 hdev->le_cnt += conn->sent; 1182 else 1183 hdev->acl_cnt += conn->sent; 1184 } else { 1185 /* Unacked ISO frames */ 1186 if (conn->type == ISO_LINK) { 1187 if (hdev->iso_pkts) 1188 hdev->iso_cnt += conn->sent; 1189 else if (hdev->le_pkts) 1190 hdev->le_cnt += conn->sent; 1191 else 1192 hdev->acl_cnt += conn->sent; 1193 } 1194 } 1195 1196 skb_queue_purge(&conn->data_q); 1197 1198 /* Remove the connection from the list and cleanup its remaining 1199 * state. This is a separate function since for some cases like 1200 * BT_CONNECT_SCAN we *only* want the cleanup part without the 1201 * rest of hci_conn_del. 1202 */ 1203 hci_conn_cleanup(conn); 1204 } 1205 1206 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type) 1207 { 1208 int use_src = bacmp(src, BDADDR_ANY); 1209 struct hci_dev *hdev = NULL, *d; 1210 1211 BT_DBG("%pMR -> %pMR", src, dst); 1212 1213 read_lock(&hci_dev_list_lock); 1214 1215 list_for_each_entry(d, &hci_dev_list, list) { 1216 if (!test_bit(HCI_UP, &d->flags) || 1217 hci_dev_test_flag(d, HCI_USER_CHANNEL)) 1218 continue; 1219 1220 /* Simple routing: 1221 * No source address - find interface with bdaddr != dst 1222 * Source address - find interface with bdaddr == src 1223 */ 1224 1225 if (use_src) { 1226 bdaddr_t id_addr; 1227 u8 id_addr_type; 1228 1229 if (src_type == BDADDR_BREDR) { 1230 if (!lmp_bredr_capable(d)) 1231 continue; 1232 bacpy(&id_addr, &d->bdaddr); 1233 id_addr_type = BDADDR_BREDR; 1234 } else { 1235 if (!lmp_le_capable(d)) 1236 continue; 1237 1238 hci_copy_identity_address(d, &id_addr, 1239 &id_addr_type); 1240 1241 /* Convert from HCI to three-value type */ 1242 if (id_addr_type == ADDR_LE_DEV_PUBLIC) 1243 id_addr_type = BDADDR_LE_PUBLIC; 1244 else 1245 id_addr_type = BDADDR_LE_RANDOM; 1246 } 1247 1248 if (!bacmp(&id_addr, src) && id_addr_type == src_type) { 1249 hdev = d; break; 1250 } 1251 } else { 1252 if (bacmp(&d->bdaddr, dst)) { 1253 hdev = d; break; 1254 } 1255 } 1256 } 1257 1258 if (hdev) 1259 hdev = hci_dev_hold(hdev); 1260 1261 read_unlock(&hci_dev_list_lock); 1262 return hdev; 1263 } 1264 EXPORT_SYMBOL(hci_get_route); 1265 1266 /* This function requires the caller holds hdev->lock */ 1267 static void hci_le_conn_failed(struct hci_conn *conn, u8 status) 1268 { 1269 struct hci_dev *hdev = conn->hdev; 1270 1271 hci_connect_le_scan_cleanup(conn, status); 1272 1273 /* Enable advertising in case this was a failed connection 1274 * attempt as a peripheral. 1275 */ 1276 hci_enable_advertising(hdev); 1277 } 1278 1279 /* This function requires the caller holds hdev->lock */ 1280 void hci_conn_failed(struct hci_conn *conn, u8 status) 1281 { 1282 struct hci_dev *hdev = conn->hdev; 1283 1284 bt_dev_dbg(hdev, "status 0x%2.2x", status); 1285 1286 switch (conn->type) { 1287 case LE_LINK: 1288 hci_le_conn_failed(conn, status); 1289 break; 1290 case ACL_LINK: 1291 mgmt_connect_failed(hdev, &conn->dst, conn->type, 1292 conn->dst_type, status); 1293 break; 1294 } 1295 1296 /* In case of BIG/PA sync failed, clear conn flags so that 1297 * the conns will be correctly cleaned up by ISO layer 1298 */ 1299 test_and_clear_bit(HCI_CONN_BIG_SYNC_FAILED, &conn->flags); 1300 test_and_clear_bit(HCI_CONN_PA_SYNC_FAILED, &conn->flags); 1301 1302 conn->state = BT_CLOSED; 1303 hci_connect_cfm(conn, status); 1304 hci_conn_del(conn); 1305 } 1306 1307 /* This function requires the caller holds hdev->lock */ 1308 u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle) 1309 { 1310 struct hci_dev *hdev = conn->hdev; 1311 1312 bt_dev_dbg(hdev, "hcon %p handle 0x%4.4x", conn, handle); 1313 1314 if (conn->handle == handle) 1315 return 0; 1316 1317 if (handle > HCI_CONN_HANDLE_MAX) { 1318 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x", 1319 handle, HCI_CONN_HANDLE_MAX); 1320 return HCI_ERROR_INVALID_PARAMETERS; 1321 } 1322 1323 /* If abort_reason has been sent it means the connection is being 1324 * aborted and the handle shall not be changed. 1325 */ 1326 if (conn->abort_reason) 1327 return conn->abort_reason; 1328 1329 if (HCI_CONN_HANDLE_UNSET(conn->handle)) 1330 ida_free(&hdev->unset_handle_ida, conn->handle); 1331 1332 conn->handle = handle; 1333 1334 return 0; 1335 } 1336 1337 static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err) 1338 { 1339 struct hci_conn *conn; 1340 u16 handle = PTR_UINT(data); 1341 1342 conn = hci_conn_hash_lookup_handle(hdev, handle); 1343 if (!conn) 1344 return; 1345 1346 bt_dev_dbg(hdev, "err %d", err); 1347 1348 hci_dev_lock(hdev); 1349 1350 if (!err) { 1351 hci_connect_le_scan_cleanup(conn, 0x00); 1352 goto done; 1353 } 1354 1355 /* Check if connection is still pending */ 1356 if (conn != hci_lookup_le_connect(hdev)) 1357 goto done; 1358 1359 /* Flush to make sure we send create conn cancel command if needed */ 1360 flush_delayed_work(&conn->le_conn_timeout); 1361 hci_conn_failed(conn, bt_status(err)); 1362 1363 done: 1364 hci_dev_unlock(hdev); 1365 } 1366 1367 static int hci_connect_le_sync(struct hci_dev *hdev, void *data) 1368 { 1369 struct hci_conn *conn; 1370 u16 handle = PTR_UINT(data); 1371 1372 conn = hci_conn_hash_lookup_handle(hdev, handle); 1373 if (!conn) 1374 return 0; 1375 1376 bt_dev_dbg(hdev, "conn %p", conn); 1377 1378 clear_bit(HCI_CONN_SCANNING, &conn->flags); 1379 conn->state = BT_CONNECT; 1380 1381 return hci_le_create_conn_sync(hdev, conn); 1382 } 1383 1384 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst, 1385 u8 dst_type, bool dst_resolved, u8 sec_level, 1386 u16 conn_timeout, u8 role) 1387 { 1388 struct hci_conn *conn; 1389 struct smp_irk *irk; 1390 int err; 1391 1392 /* Let's make sure that le is enabled.*/ 1393 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1394 if (lmp_le_capable(hdev)) 1395 return ERR_PTR(-ECONNREFUSED); 1396 1397 return ERR_PTR(-EOPNOTSUPP); 1398 } 1399 1400 /* Since the controller supports only one LE connection attempt at a 1401 * time, we return -EBUSY if there is any connection attempt running. 1402 */ 1403 if (hci_lookup_le_connect(hdev)) 1404 return ERR_PTR(-EBUSY); 1405 1406 /* If there's already a connection object but it's not in 1407 * scanning state it means it must already be established, in 1408 * which case we can't do anything else except report a failure 1409 * to connect. 1410 */ 1411 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type); 1412 if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) { 1413 return ERR_PTR(-EBUSY); 1414 } 1415 1416 /* Check if the destination address has been resolved by the controller 1417 * since if it did then the identity address shall be used. 1418 */ 1419 if (!dst_resolved) { 1420 /* When given an identity address with existing identity 1421 * resolving key, the connection needs to be established 1422 * to a resolvable random address. 1423 * 1424 * Storing the resolvable random address is required here 1425 * to handle connection failures. The address will later 1426 * be resolved back into the original identity address 1427 * from the connect request. 1428 */ 1429 irk = hci_find_irk_by_addr(hdev, dst, dst_type); 1430 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) { 1431 dst = &irk->rpa; 1432 dst_type = ADDR_LE_DEV_RANDOM; 1433 } 1434 } 1435 1436 if (conn) { 1437 bacpy(&conn->dst, dst); 1438 } else { 1439 conn = hci_conn_add_unset(hdev, LE_LINK, dst, role); 1440 if (IS_ERR(conn)) 1441 return conn; 1442 hci_conn_hold(conn); 1443 conn->pending_sec_level = sec_level; 1444 } 1445 1446 conn->dst_type = dst_type; 1447 conn->sec_level = BT_SECURITY_LOW; 1448 conn->conn_timeout = conn_timeout; 1449 1450 err = hci_cmd_sync_queue(hdev, hci_connect_le_sync, 1451 UINT_PTR(conn->handle), 1452 create_le_conn_complete); 1453 if (err) { 1454 hci_conn_del(conn); 1455 return ERR_PTR(err); 1456 } 1457 1458 return conn; 1459 } 1460 1461 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type) 1462 { 1463 struct hci_conn *conn; 1464 1465 conn = hci_conn_hash_lookup_le(hdev, addr, type); 1466 if (!conn) 1467 return false; 1468 1469 if (conn->state != BT_CONNECTED) 1470 return false; 1471 1472 return true; 1473 } 1474 1475 /* This function requires the caller holds hdev->lock */ 1476 static int hci_explicit_conn_params_set(struct hci_dev *hdev, 1477 bdaddr_t *addr, u8 addr_type) 1478 { 1479 struct hci_conn_params *params; 1480 1481 if (is_connected(hdev, addr, addr_type)) 1482 return -EISCONN; 1483 1484 params = hci_conn_params_lookup(hdev, addr, addr_type); 1485 if (!params) { 1486 params = hci_conn_params_add(hdev, addr, addr_type); 1487 if (!params) 1488 return -ENOMEM; 1489 1490 /* If we created new params, mark them to be deleted in 1491 * hci_connect_le_scan_cleanup. It's different case than 1492 * existing disabled params, those will stay after cleanup. 1493 */ 1494 params->auto_connect = HCI_AUTO_CONN_EXPLICIT; 1495 } 1496 1497 /* We're trying to connect, so make sure params are at pend_le_conns */ 1498 if (params->auto_connect == HCI_AUTO_CONN_DISABLED || 1499 params->auto_connect == HCI_AUTO_CONN_REPORT || 1500 params->auto_connect == HCI_AUTO_CONN_EXPLICIT) { 1501 hci_pend_le_list_del_init(params); 1502 hci_pend_le_list_add(params, &hdev->pend_le_conns); 1503 } 1504 1505 params->explicit_connect = true; 1506 1507 BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type, 1508 params->auto_connect); 1509 1510 return 0; 1511 } 1512 1513 static int qos_set_big(struct hci_dev *hdev, struct bt_iso_qos *qos) 1514 { 1515 struct hci_conn *conn; 1516 u8 big; 1517 1518 /* Allocate a BIG if not set */ 1519 if (qos->bcast.big == BT_ISO_QOS_BIG_UNSET) { 1520 for (big = 0x00; big < 0xef; big++) { 1521 1522 conn = hci_conn_hash_lookup_big(hdev, big); 1523 if (!conn) 1524 break; 1525 } 1526 1527 if (big == 0xef) 1528 return -EADDRNOTAVAIL; 1529 1530 /* Update BIG */ 1531 qos->bcast.big = big; 1532 } 1533 1534 return 0; 1535 } 1536 1537 static int qos_set_bis(struct hci_dev *hdev, struct bt_iso_qos *qos) 1538 { 1539 struct hci_conn *conn; 1540 u8 bis; 1541 1542 /* Allocate BIS if not set */ 1543 if (qos->bcast.bis == BT_ISO_QOS_BIS_UNSET) { 1544 /* Find an unused adv set to advertise BIS, skip instance 0x00 1545 * since it is reserved as general purpose set. 1546 */ 1547 for (bis = 0x01; bis < hdev->le_num_of_adv_sets; 1548 bis++) { 1549 1550 conn = hci_conn_hash_lookup_bis(hdev, BDADDR_ANY, bis); 1551 if (!conn) 1552 break; 1553 } 1554 1555 if (bis == hdev->le_num_of_adv_sets) 1556 return -EADDRNOTAVAIL; 1557 1558 /* Update BIS */ 1559 qos->bcast.bis = bis; 1560 } 1561 1562 return 0; 1563 } 1564 1565 /* This function requires the caller holds hdev->lock */ 1566 static struct hci_conn *hci_add_bis(struct hci_dev *hdev, bdaddr_t *dst, 1567 struct bt_iso_qos *qos, __u8 base_len, 1568 __u8 *base) 1569 { 1570 struct hci_conn *conn; 1571 int err; 1572 1573 /* Let's make sure that le is enabled.*/ 1574 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1575 if (lmp_le_capable(hdev)) 1576 return ERR_PTR(-ECONNREFUSED); 1577 return ERR_PTR(-EOPNOTSUPP); 1578 } 1579 1580 err = qos_set_big(hdev, qos); 1581 if (err) 1582 return ERR_PTR(err); 1583 1584 err = qos_set_bis(hdev, qos); 1585 if (err) 1586 return ERR_PTR(err); 1587 1588 /* Check if the LE Create BIG command has already been sent */ 1589 conn = hci_conn_hash_lookup_per_adv_bis(hdev, dst, qos->bcast.big, 1590 qos->bcast.big); 1591 if (conn) 1592 return ERR_PTR(-EADDRINUSE); 1593 1594 /* Check BIS settings against other bound BISes, since all 1595 * BISes in a BIG must have the same value for all parameters 1596 */ 1597 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big); 1598 1599 if (conn && (memcmp(qos, &conn->iso_qos, sizeof(*qos)) || 1600 base_len != conn->le_per_adv_data_len || 1601 memcmp(conn->le_per_adv_data, base, base_len))) 1602 return ERR_PTR(-EADDRINUSE); 1603 1604 conn = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_MASTER); 1605 if (IS_ERR(conn)) 1606 return conn; 1607 1608 conn->state = BT_CONNECT; 1609 1610 hci_conn_hold(conn); 1611 return conn; 1612 } 1613 1614 /* This function requires the caller holds hdev->lock */ 1615 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst, 1616 u8 dst_type, u8 sec_level, 1617 u16 conn_timeout, 1618 enum conn_reasons conn_reason) 1619 { 1620 struct hci_conn *conn; 1621 1622 /* Let's make sure that le is enabled.*/ 1623 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1624 if (lmp_le_capable(hdev)) 1625 return ERR_PTR(-ECONNREFUSED); 1626 1627 return ERR_PTR(-EOPNOTSUPP); 1628 } 1629 1630 /* Some devices send ATT messages as soon as the physical link is 1631 * established. To be able to handle these ATT messages, the user- 1632 * space first establishes the connection and then starts the pairing 1633 * process. 1634 * 1635 * So if a hci_conn object already exists for the following connection 1636 * attempt, we simply update pending_sec_level and auth_type fields 1637 * and return the object found. 1638 */ 1639 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type); 1640 if (conn) { 1641 if (conn->pending_sec_level < sec_level) 1642 conn->pending_sec_level = sec_level; 1643 goto done; 1644 } 1645 1646 BT_DBG("requesting refresh of dst_addr"); 1647 1648 conn = hci_conn_add_unset(hdev, LE_LINK, dst, HCI_ROLE_MASTER); 1649 if (IS_ERR(conn)) 1650 return conn; 1651 1652 if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) { 1653 hci_conn_del(conn); 1654 return ERR_PTR(-EBUSY); 1655 } 1656 1657 conn->state = BT_CONNECT; 1658 set_bit(HCI_CONN_SCANNING, &conn->flags); 1659 conn->dst_type = dst_type; 1660 conn->sec_level = BT_SECURITY_LOW; 1661 conn->pending_sec_level = sec_level; 1662 conn->conn_timeout = conn_timeout; 1663 conn->conn_reason = conn_reason; 1664 1665 hci_update_passive_scan(hdev); 1666 1667 done: 1668 hci_conn_hold(conn); 1669 return conn; 1670 } 1671 1672 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst, 1673 u8 sec_level, u8 auth_type, 1674 enum conn_reasons conn_reason) 1675 { 1676 struct hci_conn *acl; 1677 1678 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) { 1679 if (lmp_bredr_capable(hdev)) 1680 return ERR_PTR(-ECONNREFUSED); 1681 1682 return ERR_PTR(-EOPNOTSUPP); 1683 } 1684 1685 /* Reject outgoing connection to device with same BD ADDR against 1686 * CVE-2020-26555 1687 */ 1688 if (!bacmp(&hdev->bdaddr, dst)) { 1689 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n", 1690 dst); 1691 return ERR_PTR(-ECONNREFUSED); 1692 } 1693 1694 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst); 1695 if (!acl) { 1696 acl = hci_conn_add_unset(hdev, ACL_LINK, dst, HCI_ROLE_MASTER); 1697 if (IS_ERR(acl)) 1698 return acl; 1699 } 1700 1701 hci_conn_hold(acl); 1702 1703 acl->conn_reason = conn_reason; 1704 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) { 1705 acl->sec_level = BT_SECURITY_LOW; 1706 acl->pending_sec_level = sec_level; 1707 acl->auth_type = auth_type; 1708 hci_acl_create_connection(acl); 1709 } 1710 1711 return acl; 1712 } 1713 1714 static struct hci_link *hci_conn_link(struct hci_conn *parent, 1715 struct hci_conn *conn) 1716 { 1717 struct hci_dev *hdev = parent->hdev; 1718 struct hci_link *link; 1719 1720 bt_dev_dbg(hdev, "parent %p hcon %p", parent, conn); 1721 1722 if (conn->link) 1723 return conn->link; 1724 1725 if (conn->parent) 1726 return NULL; 1727 1728 link = kzalloc(sizeof(*link), GFP_KERNEL); 1729 if (!link) 1730 return NULL; 1731 1732 link->conn = hci_conn_hold(conn); 1733 conn->link = link; 1734 conn->parent = hci_conn_get(parent); 1735 1736 /* Use list_add_tail_rcu append to the list */ 1737 list_add_tail_rcu(&link->list, &parent->link_list); 1738 1739 return link; 1740 } 1741 1742 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst, 1743 __u16 setting, struct bt_codec *codec) 1744 { 1745 struct hci_conn *acl; 1746 struct hci_conn *sco; 1747 struct hci_link *link; 1748 1749 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING, 1750 CONN_REASON_SCO_CONNECT); 1751 if (IS_ERR(acl)) 1752 return acl; 1753 1754 sco = hci_conn_hash_lookup_ba(hdev, type, dst); 1755 if (!sco) { 1756 sco = hci_conn_add_unset(hdev, type, dst, HCI_ROLE_MASTER); 1757 if (IS_ERR(sco)) { 1758 hci_conn_drop(acl); 1759 return sco; 1760 } 1761 } 1762 1763 link = hci_conn_link(acl, sco); 1764 if (!link) { 1765 hci_conn_drop(acl); 1766 hci_conn_drop(sco); 1767 return ERR_PTR(-ENOLINK); 1768 } 1769 1770 sco->setting = setting; 1771 sco->codec = *codec; 1772 1773 if (acl->state == BT_CONNECTED && 1774 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) { 1775 set_bit(HCI_CONN_POWER_SAVE, &acl->flags); 1776 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON); 1777 1778 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) { 1779 /* defer SCO setup until mode change completed */ 1780 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags); 1781 return sco; 1782 } 1783 1784 hci_sco_setup(acl, 0x00); 1785 } 1786 1787 return sco; 1788 } 1789 1790 static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos) 1791 { 1792 struct hci_dev *hdev = conn->hdev; 1793 struct hci_cp_le_create_big cp; 1794 struct iso_list_data data; 1795 1796 memset(&cp, 0, sizeof(cp)); 1797 1798 data.big = qos->bcast.big; 1799 data.bis = qos->bcast.bis; 1800 data.count = 0; 1801 1802 /* Create a BIS for each bound connection */ 1803 hci_conn_hash_list_state(hdev, bis_list, ISO_LINK, 1804 BT_BOUND, &data); 1805 1806 cp.handle = qos->bcast.big; 1807 cp.adv_handle = qos->bcast.bis; 1808 cp.num_bis = data.count; 1809 hci_cpu_to_le24(qos->bcast.out.interval, cp.bis.sdu_interval); 1810 cp.bis.sdu = cpu_to_le16(qos->bcast.out.sdu); 1811 cp.bis.latency = cpu_to_le16(qos->bcast.out.latency); 1812 cp.bis.rtn = qos->bcast.out.rtn; 1813 cp.bis.phy = qos->bcast.out.phy; 1814 cp.bis.packing = qos->bcast.packing; 1815 cp.bis.framing = qos->bcast.framing; 1816 cp.bis.encryption = qos->bcast.encryption; 1817 memcpy(cp.bis.bcode, qos->bcast.bcode, sizeof(cp.bis.bcode)); 1818 1819 return hci_send_cmd(hdev, HCI_OP_LE_CREATE_BIG, sizeof(cp), &cp); 1820 } 1821 1822 static int set_cig_params_sync(struct hci_dev *hdev, void *data) 1823 { 1824 u8 cig_id = PTR_UINT(data); 1825 struct hci_conn *conn; 1826 struct bt_iso_qos *qos; 1827 struct iso_cig_params pdu; 1828 u8 cis_id; 1829 1830 conn = hci_conn_hash_lookup_cig(hdev, cig_id); 1831 if (!conn) 1832 return 0; 1833 1834 memset(&pdu, 0, sizeof(pdu)); 1835 1836 qos = &conn->iso_qos; 1837 pdu.cp.cig_id = cig_id; 1838 hci_cpu_to_le24(qos->ucast.out.interval, pdu.cp.c_interval); 1839 hci_cpu_to_le24(qos->ucast.in.interval, pdu.cp.p_interval); 1840 pdu.cp.sca = qos->ucast.sca; 1841 pdu.cp.packing = qos->ucast.packing; 1842 pdu.cp.framing = qos->ucast.framing; 1843 pdu.cp.c_latency = cpu_to_le16(qos->ucast.out.latency); 1844 pdu.cp.p_latency = cpu_to_le16(qos->ucast.in.latency); 1845 1846 /* Reprogram all CIS(s) with the same CIG, valid range are: 1847 * num_cis: 0x00 to 0x1F 1848 * cis_id: 0x00 to 0xEF 1849 */ 1850 for (cis_id = 0x00; cis_id < 0xf0 && 1851 pdu.cp.num_cis < ARRAY_SIZE(pdu.cis); cis_id++) { 1852 struct hci_cis_params *cis; 1853 1854 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, cig_id, cis_id); 1855 if (!conn) 1856 continue; 1857 1858 qos = &conn->iso_qos; 1859 1860 cis = &pdu.cis[pdu.cp.num_cis++]; 1861 cis->cis_id = cis_id; 1862 cis->c_sdu = cpu_to_le16(conn->iso_qos.ucast.out.sdu); 1863 cis->p_sdu = cpu_to_le16(conn->iso_qos.ucast.in.sdu); 1864 cis->c_phy = qos->ucast.out.phy ? qos->ucast.out.phy : 1865 qos->ucast.in.phy; 1866 cis->p_phy = qos->ucast.in.phy ? qos->ucast.in.phy : 1867 qos->ucast.out.phy; 1868 cis->c_rtn = qos->ucast.out.rtn; 1869 cis->p_rtn = qos->ucast.in.rtn; 1870 } 1871 1872 if (!pdu.cp.num_cis) 1873 return 0; 1874 1875 return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_CIG_PARAMS, 1876 sizeof(pdu.cp) + 1877 pdu.cp.num_cis * sizeof(pdu.cis[0]), &pdu, 1878 HCI_CMD_TIMEOUT); 1879 } 1880 1881 static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos) 1882 { 1883 struct hci_dev *hdev = conn->hdev; 1884 struct iso_list_data data; 1885 1886 memset(&data, 0, sizeof(data)); 1887 1888 /* Allocate first still reconfigurable CIG if not set */ 1889 if (qos->ucast.cig == BT_ISO_QOS_CIG_UNSET) { 1890 for (data.cig = 0x00; data.cig < 0xf0; data.cig++) { 1891 data.count = 0; 1892 1893 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, 1894 BT_CONNECT, &data); 1895 if (data.count) 1896 continue; 1897 1898 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, 1899 BT_CONNECTED, &data); 1900 if (!data.count) 1901 break; 1902 } 1903 1904 if (data.cig == 0xf0) 1905 return false; 1906 1907 /* Update CIG */ 1908 qos->ucast.cig = data.cig; 1909 } 1910 1911 if (qos->ucast.cis != BT_ISO_QOS_CIS_UNSET) { 1912 if (hci_conn_hash_lookup_cis(hdev, NULL, 0, qos->ucast.cig, 1913 qos->ucast.cis)) 1914 return false; 1915 goto done; 1916 } 1917 1918 /* Allocate first available CIS if not set */ 1919 for (data.cig = qos->ucast.cig, data.cis = 0x00; data.cis < 0xf0; 1920 data.cis++) { 1921 if (!hci_conn_hash_lookup_cis(hdev, NULL, 0, data.cig, 1922 data.cis)) { 1923 /* Update CIS */ 1924 qos->ucast.cis = data.cis; 1925 break; 1926 } 1927 } 1928 1929 if (qos->ucast.cis == BT_ISO_QOS_CIS_UNSET) 1930 return false; 1931 1932 done: 1933 if (hci_cmd_sync_queue(hdev, set_cig_params_sync, 1934 UINT_PTR(qos->ucast.cig), NULL) < 0) 1935 return false; 1936 1937 return true; 1938 } 1939 1940 struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst, 1941 __u8 dst_type, struct bt_iso_qos *qos) 1942 { 1943 struct hci_conn *cis; 1944 1945 cis = hci_conn_hash_lookup_cis(hdev, dst, dst_type, qos->ucast.cig, 1946 qos->ucast.cis); 1947 if (!cis) { 1948 cis = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_MASTER); 1949 if (IS_ERR(cis)) 1950 return cis; 1951 cis->cleanup = cis_cleanup; 1952 cis->dst_type = dst_type; 1953 cis->iso_qos.ucast.cig = BT_ISO_QOS_CIG_UNSET; 1954 cis->iso_qos.ucast.cis = BT_ISO_QOS_CIS_UNSET; 1955 } 1956 1957 if (cis->state == BT_CONNECTED) 1958 return cis; 1959 1960 /* Check if CIS has been set and the settings matches */ 1961 if (cis->state == BT_BOUND && 1962 !memcmp(&cis->iso_qos, qos, sizeof(*qos))) 1963 return cis; 1964 1965 /* Update LINK PHYs according to QoS preference */ 1966 cis->le_tx_phy = qos->ucast.out.phy; 1967 cis->le_rx_phy = qos->ucast.in.phy; 1968 1969 /* If output interval is not set use the input interval as it cannot be 1970 * 0x000000. 1971 */ 1972 if (!qos->ucast.out.interval) 1973 qos->ucast.out.interval = qos->ucast.in.interval; 1974 1975 /* If input interval is not set use the output interval as it cannot be 1976 * 0x000000. 1977 */ 1978 if (!qos->ucast.in.interval) 1979 qos->ucast.in.interval = qos->ucast.out.interval; 1980 1981 /* If output latency is not set use the input latency as it cannot be 1982 * 0x0000. 1983 */ 1984 if (!qos->ucast.out.latency) 1985 qos->ucast.out.latency = qos->ucast.in.latency; 1986 1987 /* If input latency is not set use the output latency as it cannot be 1988 * 0x0000. 1989 */ 1990 if (!qos->ucast.in.latency) 1991 qos->ucast.in.latency = qos->ucast.out.latency; 1992 1993 if (!hci_le_set_cig_params(cis, qos)) { 1994 hci_conn_drop(cis); 1995 return ERR_PTR(-EINVAL); 1996 } 1997 1998 hci_conn_hold(cis); 1999 2000 cis->iso_qos = *qos; 2001 cis->state = BT_BOUND; 2002 2003 return cis; 2004 } 2005 2006 bool hci_iso_setup_path(struct hci_conn *conn) 2007 { 2008 struct hci_dev *hdev = conn->hdev; 2009 struct hci_cp_le_setup_iso_path cmd; 2010 2011 memset(&cmd, 0, sizeof(cmd)); 2012 2013 if (conn->iso_qos.ucast.out.sdu) { 2014 cmd.handle = cpu_to_le16(conn->handle); 2015 cmd.direction = 0x00; /* Input (Host to Controller) */ 2016 cmd.path = 0x00; /* HCI path if enabled */ 2017 cmd.codec = 0x03; /* Transparent Data */ 2018 2019 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd), 2020 &cmd) < 0) 2021 return false; 2022 } 2023 2024 if (conn->iso_qos.ucast.in.sdu) { 2025 cmd.handle = cpu_to_le16(conn->handle); 2026 cmd.direction = 0x01; /* Output (Controller to Host) */ 2027 cmd.path = 0x00; /* HCI path if enabled */ 2028 cmd.codec = 0x03; /* Transparent Data */ 2029 2030 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd), 2031 &cmd) < 0) 2032 return false; 2033 } 2034 2035 return true; 2036 } 2037 2038 int hci_conn_check_create_cis(struct hci_conn *conn) 2039 { 2040 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY)) 2041 return -EINVAL; 2042 2043 if (!conn->parent || conn->parent->state != BT_CONNECTED || 2044 conn->state != BT_CONNECT || HCI_CONN_HANDLE_UNSET(conn->handle)) 2045 return 1; 2046 2047 return 0; 2048 } 2049 2050 static int hci_create_cis_sync(struct hci_dev *hdev, void *data) 2051 { 2052 return hci_le_create_cis_sync(hdev); 2053 } 2054 2055 int hci_le_create_cis_pending(struct hci_dev *hdev) 2056 { 2057 struct hci_conn *conn; 2058 bool pending = false; 2059 2060 rcu_read_lock(); 2061 2062 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) { 2063 if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) { 2064 rcu_read_unlock(); 2065 return -EBUSY; 2066 } 2067 2068 if (!hci_conn_check_create_cis(conn)) 2069 pending = true; 2070 } 2071 2072 rcu_read_unlock(); 2073 2074 if (!pending) 2075 return 0; 2076 2077 /* Queue Create CIS */ 2078 return hci_cmd_sync_queue(hdev, hci_create_cis_sync, NULL, NULL); 2079 } 2080 2081 static void hci_iso_qos_setup(struct hci_dev *hdev, struct hci_conn *conn, 2082 struct bt_iso_io_qos *qos, __u8 phy) 2083 { 2084 /* Only set MTU if PHY is enabled */ 2085 if (!qos->sdu && qos->phy) 2086 qos->sdu = conn->mtu; 2087 2088 /* Use the same PHY as ACL if set to any */ 2089 if (qos->phy == BT_ISO_PHY_ANY) 2090 qos->phy = phy; 2091 2092 /* Use LE ACL connection interval if not set */ 2093 if (!qos->interval) 2094 /* ACL interval unit in 1.25 ms to us */ 2095 qos->interval = conn->le_conn_interval * 1250; 2096 2097 /* Use LE ACL connection latency if not set */ 2098 if (!qos->latency) 2099 qos->latency = conn->le_conn_latency; 2100 } 2101 2102 static int create_big_sync(struct hci_dev *hdev, void *data) 2103 { 2104 struct hci_conn *conn = data; 2105 struct bt_iso_qos *qos = &conn->iso_qos; 2106 u16 interval, sync_interval = 0; 2107 u32 flags = 0; 2108 int err; 2109 2110 if (qos->bcast.out.phy == 0x02) 2111 flags |= MGMT_ADV_FLAG_SEC_2M; 2112 2113 /* Align intervals */ 2114 interval = (qos->bcast.out.interval / 1250) * qos->bcast.sync_factor; 2115 2116 if (qos->bcast.bis) 2117 sync_interval = interval * 4; 2118 2119 err = hci_start_per_adv_sync(hdev, qos->bcast.bis, conn->le_per_adv_data_len, 2120 conn->le_per_adv_data, flags, interval, 2121 interval, sync_interval); 2122 if (err) 2123 return err; 2124 2125 return hci_le_create_big(conn, &conn->iso_qos); 2126 } 2127 2128 static void create_pa_complete(struct hci_dev *hdev, void *data, int err) 2129 { 2130 struct hci_cp_le_pa_create_sync *cp = data; 2131 2132 bt_dev_dbg(hdev, ""); 2133 2134 if (err) 2135 bt_dev_err(hdev, "Unable to create PA: %d", err); 2136 2137 kfree(cp); 2138 } 2139 2140 static int create_pa_sync(struct hci_dev *hdev, void *data) 2141 { 2142 struct hci_cp_le_pa_create_sync *cp = data; 2143 int err; 2144 2145 err = __hci_cmd_sync_status(hdev, HCI_OP_LE_PA_CREATE_SYNC, 2146 sizeof(*cp), cp, HCI_CMD_TIMEOUT); 2147 if (err) { 2148 hci_dev_clear_flag(hdev, HCI_PA_SYNC); 2149 return err; 2150 } 2151 2152 return hci_update_passive_scan_sync(hdev); 2153 } 2154 2155 int hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst, __u8 dst_type, 2156 __u8 sid, struct bt_iso_qos *qos) 2157 { 2158 struct hci_cp_le_pa_create_sync *cp; 2159 2160 if (hci_dev_test_and_set_flag(hdev, HCI_PA_SYNC)) 2161 return -EBUSY; 2162 2163 cp = kzalloc(sizeof(*cp), GFP_KERNEL); 2164 if (!cp) { 2165 hci_dev_clear_flag(hdev, HCI_PA_SYNC); 2166 return -ENOMEM; 2167 } 2168 2169 cp->options = qos->bcast.options; 2170 cp->sid = sid; 2171 cp->addr_type = dst_type; 2172 bacpy(&cp->addr, dst); 2173 cp->skip = cpu_to_le16(qos->bcast.skip); 2174 cp->sync_timeout = cpu_to_le16(qos->bcast.sync_timeout); 2175 cp->sync_cte_type = qos->bcast.sync_cte_type; 2176 2177 /* Queue start pa_create_sync and scan */ 2178 return hci_cmd_sync_queue(hdev, create_pa_sync, cp, create_pa_complete); 2179 } 2180 2181 int hci_le_big_create_sync(struct hci_dev *hdev, struct hci_conn *hcon, 2182 struct bt_iso_qos *qos, 2183 __u16 sync_handle, __u8 num_bis, __u8 bis[]) 2184 { 2185 struct _packed { 2186 struct hci_cp_le_big_create_sync cp; 2187 __u8 bis[0x11]; 2188 } pdu; 2189 int err; 2190 2191 if (num_bis > sizeof(pdu.bis)) 2192 return -EINVAL; 2193 2194 err = qos_set_big(hdev, qos); 2195 if (err) 2196 return err; 2197 2198 if (hcon) 2199 hcon->iso_qos.bcast.big = qos->bcast.big; 2200 2201 memset(&pdu, 0, sizeof(pdu)); 2202 pdu.cp.handle = qos->bcast.big; 2203 pdu.cp.sync_handle = cpu_to_le16(sync_handle); 2204 pdu.cp.encryption = qos->bcast.encryption; 2205 memcpy(pdu.cp.bcode, qos->bcast.bcode, sizeof(pdu.cp.bcode)); 2206 pdu.cp.mse = qos->bcast.mse; 2207 pdu.cp.timeout = cpu_to_le16(qos->bcast.timeout); 2208 pdu.cp.num_bis = num_bis; 2209 memcpy(pdu.bis, bis, num_bis); 2210 2211 return hci_send_cmd(hdev, HCI_OP_LE_BIG_CREATE_SYNC, 2212 sizeof(pdu.cp) + num_bis, &pdu); 2213 } 2214 2215 static void create_big_complete(struct hci_dev *hdev, void *data, int err) 2216 { 2217 struct hci_conn *conn = data; 2218 2219 bt_dev_dbg(hdev, "conn %p", conn); 2220 2221 if (err) { 2222 bt_dev_err(hdev, "Unable to create BIG: %d", err); 2223 hci_connect_cfm(conn, err); 2224 hci_conn_del(conn); 2225 } 2226 } 2227 2228 struct hci_conn *hci_bind_bis(struct hci_dev *hdev, bdaddr_t *dst, 2229 struct bt_iso_qos *qos, 2230 __u8 base_len, __u8 *base) 2231 { 2232 struct hci_conn *conn; 2233 __u8 eir[HCI_MAX_PER_AD_LENGTH]; 2234 2235 if (base_len && base) 2236 base_len = eir_append_service_data(eir, 0, 0x1851, 2237 base, base_len); 2238 2239 /* We need hci_conn object using the BDADDR_ANY as dst */ 2240 conn = hci_add_bis(hdev, dst, qos, base_len, eir); 2241 if (IS_ERR(conn)) 2242 return conn; 2243 2244 /* Update LINK PHYs according to QoS preference */ 2245 conn->le_tx_phy = qos->bcast.out.phy; 2246 conn->le_tx_phy = qos->bcast.out.phy; 2247 2248 /* Add Basic Announcement into Peridic Adv Data if BASE is set */ 2249 if (base_len && base) { 2250 memcpy(conn->le_per_adv_data, eir, sizeof(eir)); 2251 conn->le_per_adv_data_len = base_len; 2252 } 2253 2254 hci_iso_qos_setup(hdev, conn, &qos->bcast.out, 2255 conn->le_tx_phy ? conn->le_tx_phy : 2256 hdev->le_tx_def_phys); 2257 2258 conn->iso_qos = *qos; 2259 conn->state = BT_BOUND; 2260 2261 return conn; 2262 } 2263 2264 static void bis_mark_per_adv(struct hci_conn *conn, void *data) 2265 { 2266 struct iso_list_data *d = data; 2267 2268 /* Skip if not broadcast/ANY address */ 2269 if (bacmp(&conn->dst, BDADDR_ANY)) 2270 return; 2271 2272 if (d->big != conn->iso_qos.bcast.big || 2273 d->bis == BT_ISO_QOS_BIS_UNSET || 2274 d->bis != conn->iso_qos.bcast.bis) 2275 return; 2276 2277 set_bit(HCI_CONN_PER_ADV, &conn->flags); 2278 } 2279 2280 struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst, 2281 __u8 dst_type, struct bt_iso_qos *qos, 2282 __u8 base_len, __u8 *base) 2283 { 2284 struct hci_conn *conn; 2285 int err; 2286 struct iso_list_data data; 2287 2288 conn = hci_bind_bis(hdev, dst, qos, base_len, base); 2289 if (IS_ERR(conn)) 2290 return conn; 2291 2292 data.big = qos->bcast.big; 2293 data.bis = qos->bcast.bis; 2294 2295 /* Set HCI_CONN_PER_ADV for all bound connections, to mark that 2296 * the start periodic advertising and create BIG commands have 2297 * been queued 2298 */ 2299 hci_conn_hash_list_state(hdev, bis_mark_per_adv, ISO_LINK, 2300 BT_BOUND, &data); 2301 2302 /* Queue start periodic advertising and create BIG */ 2303 err = hci_cmd_sync_queue(hdev, create_big_sync, conn, 2304 create_big_complete); 2305 if (err < 0) { 2306 hci_conn_drop(conn); 2307 return ERR_PTR(err); 2308 } 2309 2310 return conn; 2311 } 2312 2313 struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst, 2314 __u8 dst_type, struct bt_iso_qos *qos) 2315 { 2316 struct hci_conn *le; 2317 struct hci_conn *cis; 2318 struct hci_link *link; 2319 2320 if (hci_dev_test_flag(hdev, HCI_ADVERTISING)) 2321 le = hci_connect_le(hdev, dst, dst_type, false, 2322 BT_SECURITY_LOW, 2323 HCI_LE_CONN_TIMEOUT, 2324 HCI_ROLE_SLAVE); 2325 else 2326 le = hci_connect_le_scan(hdev, dst, dst_type, 2327 BT_SECURITY_LOW, 2328 HCI_LE_CONN_TIMEOUT, 2329 CONN_REASON_ISO_CONNECT); 2330 if (IS_ERR(le)) 2331 return le; 2332 2333 hci_iso_qos_setup(hdev, le, &qos->ucast.out, 2334 le->le_tx_phy ? le->le_tx_phy : hdev->le_tx_def_phys); 2335 hci_iso_qos_setup(hdev, le, &qos->ucast.in, 2336 le->le_rx_phy ? le->le_rx_phy : hdev->le_rx_def_phys); 2337 2338 cis = hci_bind_cis(hdev, dst, dst_type, qos); 2339 if (IS_ERR(cis)) { 2340 hci_conn_drop(le); 2341 return cis; 2342 } 2343 2344 link = hci_conn_link(le, cis); 2345 if (!link) { 2346 hci_conn_drop(le); 2347 hci_conn_drop(cis); 2348 return ERR_PTR(-ENOLINK); 2349 } 2350 2351 /* Link takes the refcount */ 2352 hci_conn_drop(cis); 2353 2354 cis->state = BT_CONNECT; 2355 2356 hci_le_create_cis_pending(hdev); 2357 2358 return cis; 2359 } 2360 2361 /* Check link security requirement */ 2362 int hci_conn_check_link_mode(struct hci_conn *conn) 2363 { 2364 BT_DBG("hcon %p", conn); 2365 2366 /* In Secure Connections Only mode, it is required that Secure 2367 * Connections is used and the link is encrypted with AES-CCM 2368 * using a P-256 authenticated combination key. 2369 */ 2370 if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) { 2371 if (!hci_conn_sc_enabled(conn) || 2372 !test_bit(HCI_CONN_AES_CCM, &conn->flags) || 2373 conn->key_type != HCI_LK_AUTH_COMBINATION_P256) 2374 return 0; 2375 } 2376 2377 /* AES encryption is required for Level 4: 2378 * 2379 * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C 2380 * page 1319: 2381 * 2382 * 128-bit equivalent strength for link and encryption keys 2383 * required using FIPS approved algorithms (E0 not allowed, 2384 * SAFER+ not allowed, and P-192 not allowed; encryption key 2385 * not shortened) 2386 */ 2387 if (conn->sec_level == BT_SECURITY_FIPS && 2388 !test_bit(HCI_CONN_AES_CCM, &conn->flags)) { 2389 bt_dev_err(conn->hdev, 2390 "Invalid security: Missing AES-CCM usage"); 2391 return 0; 2392 } 2393 2394 if (hci_conn_ssp_enabled(conn) && 2395 !test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2396 return 0; 2397 2398 return 1; 2399 } 2400 2401 /* Authenticate remote device */ 2402 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type) 2403 { 2404 BT_DBG("hcon %p", conn); 2405 2406 if (conn->pending_sec_level > sec_level) 2407 sec_level = conn->pending_sec_level; 2408 2409 if (sec_level > conn->sec_level) 2410 conn->pending_sec_level = sec_level; 2411 else if (test_bit(HCI_CONN_AUTH, &conn->flags)) 2412 return 1; 2413 2414 /* Make sure we preserve an existing MITM requirement*/ 2415 auth_type |= (conn->auth_type & 0x01); 2416 2417 conn->auth_type = auth_type; 2418 2419 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2420 struct hci_cp_auth_requested cp; 2421 2422 cp.handle = cpu_to_le16(conn->handle); 2423 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED, 2424 sizeof(cp), &cp); 2425 2426 /* Set the ENCRYPT_PEND to trigger encryption after 2427 * authentication. 2428 */ 2429 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2430 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2431 } 2432 2433 return 0; 2434 } 2435 2436 /* Encrypt the link */ 2437 static void hci_conn_encrypt(struct hci_conn *conn) 2438 { 2439 BT_DBG("hcon %p", conn); 2440 2441 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 2442 struct hci_cp_set_conn_encrypt cp; 2443 cp.handle = cpu_to_le16(conn->handle); 2444 cp.encrypt = 0x01; 2445 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2446 &cp); 2447 } 2448 } 2449 2450 /* Enable security */ 2451 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type, 2452 bool initiator) 2453 { 2454 BT_DBG("hcon %p", conn); 2455 2456 if (conn->type == LE_LINK) 2457 return smp_conn_security(conn, sec_level); 2458 2459 /* For sdp we don't need the link key. */ 2460 if (sec_level == BT_SECURITY_SDP) 2461 return 1; 2462 2463 /* For non 2.1 devices and low security level we don't need the link 2464 key. */ 2465 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn)) 2466 return 1; 2467 2468 /* For other security levels we need the link key. */ 2469 if (!test_bit(HCI_CONN_AUTH, &conn->flags)) 2470 goto auth; 2471 2472 switch (conn->key_type) { 2473 case HCI_LK_AUTH_COMBINATION_P256: 2474 /* An authenticated FIPS approved combination key has 2475 * sufficient security for security level 4 or lower. 2476 */ 2477 if (sec_level <= BT_SECURITY_FIPS) 2478 goto encrypt; 2479 break; 2480 case HCI_LK_AUTH_COMBINATION_P192: 2481 /* An authenticated combination key has sufficient security for 2482 * security level 3 or lower. 2483 */ 2484 if (sec_level <= BT_SECURITY_HIGH) 2485 goto encrypt; 2486 break; 2487 case HCI_LK_UNAUTH_COMBINATION_P192: 2488 case HCI_LK_UNAUTH_COMBINATION_P256: 2489 /* An unauthenticated combination key has sufficient security 2490 * for security level 2 or lower. 2491 */ 2492 if (sec_level <= BT_SECURITY_MEDIUM) 2493 goto encrypt; 2494 break; 2495 case HCI_LK_COMBINATION: 2496 /* A combination key has always sufficient security for the 2497 * security levels 2 or lower. High security level requires the 2498 * combination key is generated using maximum PIN code length 2499 * (16). For pre 2.1 units. 2500 */ 2501 if (sec_level <= BT_SECURITY_MEDIUM || conn->pin_length == 16) 2502 goto encrypt; 2503 break; 2504 default: 2505 break; 2506 } 2507 2508 auth: 2509 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) 2510 return 0; 2511 2512 if (initiator) 2513 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2514 2515 if (!hci_conn_auth(conn, sec_level, auth_type)) 2516 return 0; 2517 2518 encrypt: 2519 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) { 2520 /* Ensure that the encryption key size has been read, 2521 * otherwise stall the upper layer responses. 2522 */ 2523 if (!conn->enc_key_size) 2524 return 0; 2525 2526 /* Nothing else needed, all requirements are met */ 2527 return 1; 2528 } 2529 2530 hci_conn_encrypt(conn); 2531 return 0; 2532 } 2533 EXPORT_SYMBOL(hci_conn_security); 2534 2535 /* Check secure link requirement */ 2536 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level) 2537 { 2538 BT_DBG("hcon %p", conn); 2539 2540 /* Accept if non-secure or higher security level is required */ 2541 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS) 2542 return 1; 2543 2544 /* Accept if secure or higher security level is already present */ 2545 if (conn->sec_level == BT_SECURITY_HIGH || 2546 conn->sec_level == BT_SECURITY_FIPS) 2547 return 1; 2548 2549 /* Reject not secure link */ 2550 return 0; 2551 } 2552 EXPORT_SYMBOL(hci_conn_check_secure); 2553 2554 /* Switch role */ 2555 int hci_conn_switch_role(struct hci_conn *conn, __u8 role) 2556 { 2557 BT_DBG("hcon %p", conn); 2558 2559 if (role == conn->role) 2560 return 1; 2561 2562 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) { 2563 struct hci_cp_switch_role cp; 2564 bacpy(&cp.bdaddr, &conn->dst); 2565 cp.role = role; 2566 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp); 2567 } 2568 2569 return 0; 2570 } 2571 EXPORT_SYMBOL(hci_conn_switch_role); 2572 2573 /* Enter active mode */ 2574 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active) 2575 { 2576 struct hci_dev *hdev = conn->hdev; 2577 2578 BT_DBG("hcon %p mode %d", conn, conn->mode); 2579 2580 if (conn->mode != HCI_CM_SNIFF) 2581 goto timer; 2582 2583 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active) 2584 goto timer; 2585 2586 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) { 2587 struct hci_cp_exit_sniff_mode cp; 2588 cp.handle = cpu_to_le16(conn->handle); 2589 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp); 2590 } 2591 2592 timer: 2593 if (hdev->idle_timeout > 0) 2594 queue_delayed_work(hdev->workqueue, &conn->idle_work, 2595 msecs_to_jiffies(hdev->idle_timeout)); 2596 } 2597 2598 /* Drop all connection on the device */ 2599 void hci_conn_hash_flush(struct hci_dev *hdev) 2600 { 2601 struct list_head *head = &hdev->conn_hash.list; 2602 struct hci_conn *conn; 2603 2604 BT_DBG("hdev %s", hdev->name); 2605 2606 /* We should not traverse the list here, because hci_conn_del 2607 * can remove extra links, which may cause the list traversal 2608 * to hit items that have already been released. 2609 */ 2610 while ((conn = list_first_entry_or_null(head, 2611 struct hci_conn, 2612 list)) != NULL) { 2613 conn->state = BT_CLOSED; 2614 hci_disconn_cfm(conn, HCI_ERROR_LOCAL_HOST_TERM); 2615 hci_conn_del(conn); 2616 } 2617 } 2618 2619 /* Check pending connect attempts */ 2620 void hci_conn_check_pending(struct hci_dev *hdev) 2621 { 2622 struct hci_conn *conn; 2623 2624 BT_DBG("hdev %s", hdev->name); 2625 2626 hci_dev_lock(hdev); 2627 2628 conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2); 2629 if (conn) 2630 hci_acl_create_connection(conn); 2631 2632 hci_dev_unlock(hdev); 2633 } 2634 2635 static u32 get_link_mode(struct hci_conn *conn) 2636 { 2637 u32 link_mode = 0; 2638 2639 if (conn->role == HCI_ROLE_MASTER) 2640 link_mode |= HCI_LM_MASTER; 2641 2642 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2643 link_mode |= HCI_LM_ENCRYPT; 2644 2645 if (test_bit(HCI_CONN_AUTH, &conn->flags)) 2646 link_mode |= HCI_LM_AUTH; 2647 2648 if (test_bit(HCI_CONN_SECURE, &conn->flags)) 2649 link_mode |= HCI_LM_SECURE; 2650 2651 if (test_bit(HCI_CONN_FIPS, &conn->flags)) 2652 link_mode |= HCI_LM_FIPS; 2653 2654 return link_mode; 2655 } 2656 2657 int hci_get_conn_list(void __user *arg) 2658 { 2659 struct hci_conn *c; 2660 struct hci_conn_list_req req, *cl; 2661 struct hci_conn_info *ci; 2662 struct hci_dev *hdev; 2663 int n = 0, size, err; 2664 2665 if (copy_from_user(&req, arg, sizeof(req))) 2666 return -EFAULT; 2667 2668 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci)) 2669 return -EINVAL; 2670 2671 size = sizeof(req) + req.conn_num * sizeof(*ci); 2672 2673 cl = kmalloc(size, GFP_KERNEL); 2674 if (!cl) 2675 return -ENOMEM; 2676 2677 hdev = hci_dev_get(req.dev_id); 2678 if (!hdev) { 2679 kfree(cl); 2680 return -ENODEV; 2681 } 2682 2683 ci = cl->conn_info; 2684 2685 hci_dev_lock(hdev); 2686 list_for_each_entry(c, &hdev->conn_hash.list, list) { 2687 bacpy(&(ci + n)->bdaddr, &c->dst); 2688 (ci + n)->handle = c->handle; 2689 (ci + n)->type = c->type; 2690 (ci + n)->out = c->out; 2691 (ci + n)->state = c->state; 2692 (ci + n)->link_mode = get_link_mode(c); 2693 if (++n >= req.conn_num) 2694 break; 2695 } 2696 hci_dev_unlock(hdev); 2697 2698 cl->dev_id = hdev->id; 2699 cl->conn_num = n; 2700 size = sizeof(req) + n * sizeof(*ci); 2701 2702 hci_dev_put(hdev); 2703 2704 err = copy_to_user(arg, cl, size); 2705 kfree(cl); 2706 2707 return err ? -EFAULT : 0; 2708 } 2709 2710 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg) 2711 { 2712 struct hci_conn_info_req req; 2713 struct hci_conn_info ci; 2714 struct hci_conn *conn; 2715 char __user *ptr = arg + sizeof(req); 2716 2717 if (copy_from_user(&req, arg, sizeof(req))) 2718 return -EFAULT; 2719 2720 hci_dev_lock(hdev); 2721 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr); 2722 if (conn) { 2723 bacpy(&ci.bdaddr, &conn->dst); 2724 ci.handle = conn->handle; 2725 ci.type = conn->type; 2726 ci.out = conn->out; 2727 ci.state = conn->state; 2728 ci.link_mode = get_link_mode(conn); 2729 } 2730 hci_dev_unlock(hdev); 2731 2732 if (!conn) 2733 return -ENOENT; 2734 2735 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0; 2736 } 2737 2738 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg) 2739 { 2740 struct hci_auth_info_req req; 2741 struct hci_conn *conn; 2742 2743 if (copy_from_user(&req, arg, sizeof(req))) 2744 return -EFAULT; 2745 2746 hci_dev_lock(hdev); 2747 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr); 2748 if (conn) 2749 req.type = conn->auth_type; 2750 hci_dev_unlock(hdev); 2751 2752 if (!conn) 2753 return -ENOENT; 2754 2755 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0; 2756 } 2757 2758 struct hci_chan *hci_chan_create(struct hci_conn *conn) 2759 { 2760 struct hci_dev *hdev = conn->hdev; 2761 struct hci_chan *chan; 2762 2763 BT_DBG("%s hcon %p", hdev->name, conn); 2764 2765 if (test_bit(HCI_CONN_DROP, &conn->flags)) { 2766 BT_DBG("Refusing to create new hci_chan"); 2767 return NULL; 2768 } 2769 2770 chan = kzalloc(sizeof(*chan), GFP_KERNEL); 2771 if (!chan) 2772 return NULL; 2773 2774 chan->conn = hci_conn_get(conn); 2775 skb_queue_head_init(&chan->data_q); 2776 chan->state = BT_CONNECTED; 2777 2778 list_add_rcu(&chan->list, &conn->chan_list); 2779 2780 return chan; 2781 } 2782 2783 void hci_chan_del(struct hci_chan *chan) 2784 { 2785 struct hci_conn *conn = chan->conn; 2786 struct hci_dev *hdev = conn->hdev; 2787 2788 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan); 2789 2790 list_del_rcu(&chan->list); 2791 2792 synchronize_rcu(); 2793 2794 /* Prevent new hci_chan's to be created for this hci_conn */ 2795 set_bit(HCI_CONN_DROP, &conn->flags); 2796 2797 hci_conn_put(conn); 2798 2799 skb_queue_purge(&chan->data_q); 2800 kfree(chan); 2801 } 2802 2803 void hci_chan_list_flush(struct hci_conn *conn) 2804 { 2805 struct hci_chan *chan, *n; 2806 2807 BT_DBG("hcon %p", conn); 2808 2809 list_for_each_entry_safe(chan, n, &conn->chan_list, list) 2810 hci_chan_del(chan); 2811 } 2812 2813 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon, 2814 __u16 handle) 2815 { 2816 struct hci_chan *hchan; 2817 2818 list_for_each_entry(hchan, &hcon->chan_list, list) { 2819 if (hchan->handle == handle) 2820 return hchan; 2821 } 2822 2823 return NULL; 2824 } 2825 2826 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle) 2827 { 2828 struct hci_conn_hash *h = &hdev->conn_hash; 2829 struct hci_conn *hcon; 2830 struct hci_chan *hchan = NULL; 2831 2832 rcu_read_lock(); 2833 2834 list_for_each_entry_rcu(hcon, &h->list, list) { 2835 hchan = __hci_chan_lookup_handle(hcon, handle); 2836 if (hchan) 2837 break; 2838 } 2839 2840 rcu_read_unlock(); 2841 2842 return hchan; 2843 } 2844 2845 u32 hci_conn_get_phy(struct hci_conn *conn) 2846 { 2847 u32 phys = 0; 2848 2849 /* BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part B page 471: 2850 * Table 6.2: Packets defined for synchronous, asynchronous, and 2851 * CPB logical transport types. 2852 */ 2853 switch (conn->type) { 2854 case SCO_LINK: 2855 /* SCO logical transport (1 Mb/s): 2856 * HV1, HV2, HV3 and DV. 2857 */ 2858 phys |= BT_PHY_BR_1M_1SLOT; 2859 2860 break; 2861 2862 case ACL_LINK: 2863 /* ACL logical transport (1 Mb/s) ptt=0: 2864 * DH1, DM3, DH3, DM5 and DH5. 2865 */ 2866 phys |= BT_PHY_BR_1M_1SLOT; 2867 2868 if (conn->pkt_type & (HCI_DM3 | HCI_DH3)) 2869 phys |= BT_PHY_BR_1M_3SLOT; 2870 2871 if (conn->pkt_type & (HCI_DM5 | HCI_DH5)) 2872 phys |= BT_PHY_BR_1M_5SLOT; 2873 2874 /* ACL logical transport (2 Mb/s) ptt=1: 2875 * 2-DH1, 2-DH3 and 2-DH5. 2876 */ 2877 if (!(conn->pkt_type & HCI_2DH1)) 2878 phys |= BT_PHY_EDR_2M_1SLOT; 2879 2880 if (!(conn->pkt_type & HCI_2DH3)) 2881 phys |= BT_PHY_EDR_2M_3SLOT; 2882 2883 if (!(conn->pkt_type & HCI_2DH5)) 2884 phys |= BT_PHY_EDR_2M_5SLOT; 2885 2886 /* ACL logical transport (3 Mb/s) ptt=1: 2887 * 3-DH1, 3-DH3 and 3-DH5. 2888 */ 2889 if (!(conn->pkt_type & HCI_3DH1)) 2890 phys |= BT_PHY_EDR_3M_1SLOT; 2891 2892 if (!(conn->pkt_type & HCI_3DH3)) 2893 phys |= BT_PHY_EDR_3M_3SLOT; 2894 2895 if (!(conn->pkt_type & HCI_3DH5)) 2896 phys |= BT_PHY_EDR_3M_5SLOT; 2897 2898 break; 2899 2900 case ESCO_LINK: 2901 /* eSCO logical transport (1 Mb/s): EV3, EV4 and EV5 */ 2902 phys |= BT_PHY_BR_1M_1SLOT; 2903 2904 if (!(conn->pkt_type & (ESCO_EV4 | ESCO_EV5))) 2905 phys |= BT_PHY_BR_1M_3SLOT; 2906 2907 /* eSCO logical transport (2 Mb/s): 2-EV3, 2-EV5 */ 2908 if (!(conn->pkt_type & ESCO_2EV3)) 2909 phys |= BT_PHY_EDR_2M_1SLOT; 2910 2911 if (!(conn->pkt_type & ESCO_2EV5)) 2912 phys |= BT_PHY_EDR_2M_3SLOT; 2913 2914 /* eSCO logical transport (3 Mb/s): 3-EV3, 3-EV5 */ 2915 if (!(conn->pkt_type & ESCO_3EV3)) 2916 phys |= BT_PHY_EDR_3M_1SLOT; 2917 2918 if (!(conn->pkt_type & ESCO_3EV5)) 2919 phys |= BT_PHY_EDR_3M_3SLOT; 2920 2921 break; 2922 2923 case LE_LINK: 2924 if (conn->le_tx_phy & HCI_LE_SET_PHY_1M) 2925 phys |= BT_PHY_LE_1M_TX; 2926 2927 if (conn->le_rx_phy & HCI_LE_SET_PHY_1M) 2928 phys |= BT_PHY_LE_1M_RX; 2929 2930 if (conn->le_tx_phy & HCI_LE_SET_PHY_2M) 2931 phys |= BT_PHY_LE_2M_TX; 2932 2933 if (conn->le_rx_phy & HCI_LE_SET_PHY_2M) 2934 phys |= BT_PHY_LE_2M_RX; 2935 2936 if (conn->le_tx_phy & HCI_LE_SET_PHY_CODED) 2937 phys |= BT_PHY_LE_CODED_TX; 2938 2939 if (conn->le_rx_phy & HCI_LE_SET_PHY_CODED) 2940 phys |= BT_PHY_LE_CODED_RX; 2941 2942 break; 2943 } 2944 2945 return phys; 2946 } 2947 2948 static int abort_conn_sync(struct hci_dev *hdev, void *data) 2949 { 2950 struct hci_conn *conn; 2951 u16 handle = PTR_UINT(data); 2952 2953 conn = hci_conn_hash_lookup_handle(hdev, handle); 2954 if (!conn) 2955 return 0; 2956 2957 return hci_abort_conn_sync(hdev, conn, conn->abort_reason); 2958 } 2959 2960 int hci_abort_conn(struct hci_conn *conn, u8 reason) 2961 { 2962 struct hci_dev *hdev = conn->hdev; 2963 2964 /* If abort_reason has already been set it means the connection is 2965 * already being aborted so don't attempt to overwrite it. 2966 */ 2967 if (conn->abort_reason) 2968 return 0; 2969 2970 bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason); 2971 2972 conn->abort_reason = reason; 2973 2974 /* If the connection is pending check the command opcode since that 2975 * might be blocking on hci_cmd_sync_work while waiting its respective 2976 * event so we need to hci_cmd_sync_cancel to cancel it. 2977 * 2978 * hci_connect_le serializes the connection attempts so only one 2979 * connection can be in BT_CONNECT at time. 2980 */ 2981 if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) { 2982 switch (hci_skb_event(hdev->sent_cmd)) { 2983 case HCI_EV_LE_CONN_COMPLETE: 2984 case HCI_EV_LE_ENHANCED_CONN_COMPLETE: 2985 case HCI_EVT_LE_CIS_ESTABLISHED: 2986 hci_cmd_sync_cancel(hdev, ECANCELED); 2987 break; 2988 } 2989 } 2990 2991 return hci_cmd_sync_queue(hdev, abort_conn_sync, UINT_PTR(conn->handle), 2992 NULL); 2993 } 2994