1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 Copyright 2023 NXP 5 6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 7 8 This program is free software; you can redistribute it and/or modify 9 it under the terms of the GNU General Public License version 2 as 10 published by the Free Software Foundation; 11 12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 23 SOFTWARE IS DISCLAIMED. 24 */ 25 26 /* Bluetooth HCI connection handling. */ 27 28 #include <linux/export.h> 29 #include <linux/debugfs.h> 30 31 #include <net/bluetooth/bluetooth.h> 32 #include <net/bluetooth/hci_core.h> 33 #include <net/bluetooth/l2cap.h> 34 #include <net/bluetooth/iso.h> 35 #include <net/bluetooth/mgmt.h> 36 37 #include "hci_request.h" 38 #include "smp.h" 39 #include "a2mp.h" 40 #include "eir.h" 41 42 struct sco_param { 43 u16 pkt_type; 44 u16 max_latency; 45 u8 retrans_effort; 46 }; 47 48 struct conn_handle_t { 49 struct hci_conn *conn; 50 __u16 handle; 51 }; 52 53 static const struct sco_param esco_param_cvsd[] = { 54 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */ 55 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */ 56 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */ 57 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */ 58 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */ 59 }; 60 61 static const struct sco_param sco_param_cvsd[] = { 62 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */ 63 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */ 64 }; 65 66 static const struct sco_param esco_param_msbc[] = { 67 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */ 68 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */ 69 }; 70 71 /* This function requires the caller holds hdev->lock */ 72 static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status) 73 { 74 struct hci_conn_params *params; 75 struct hci_dev *hdev = conn->hdev; 76 struct smp_irk *irk; 77 bdaddr_t *bdaddr; 78 u8 bdaddr_type; 79 80 bdaddr = &conn->dst; 81 bdaddr_type = conn->dst_type; 82 83 /* Check if we need to convert to identity address */ 84 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 85 if (irk) { 86 bdaddr = &irk->bdaddr; 87 bdaddr_type = irk->addr_type; 88 } 89 90 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr, 91 bdaddr_type); 92 if (!params) 93 return; 94 95 if (params->conn) { 96 hci_conn_drop(params->conn); 97 hci_conn_put(params->conn); 98 params->conn = NULL; 99 } 100 101 if (!params->explicit_connect) 102 return; 103 104 /* If the status indicates successful cancellation of 105 * the attempt (i.e. Unknown Connection Id) there's no point of 106 * notifying failure since we'll go back to keep trying to 107 * connect. The only exception is explicit connect requests 108 * where a timeout + cancel does indicate an actual failure. 109 */ 110 if (status && status != HCI_ERROR_UNKNOWN_CONN_ID) 111 mgmt_connect_failed(hdev, &conn->dst, conn->type, 112 conn->dst_type, status); 113 114 /* The connection attempt was doing scan for new RPA, and is 115 * in scan phase. If params are not associated with any other 116 * autoconnect action, remove them completely. If they are, just unmark 117 * them as waiting for connection, by clearing explicit_connect field. 118 */ 119 params->explicit_connect = false; 120 121 hci_pend_le_list_del_init(params); 122 123 switch (params->auto_connect) { 124 case HCI_AUTO_CONN_EXPLICIT: 125 hci_conn_params_del(hdev, bdaddr, bdaddr_type); 126 /* return instead of break to avoid duplicate scan update */ 127 return; 128 case HCI_AUTO_CONN_DIRECT: 129 case HCI_AUTO_CONN_ALWAYS: 130 hci_pend_le_list_add(params, &hdev->pend_le_conns); 131 break; 132 case HCI_AUTO_CONN_REPORT: 133 hci_pend_le_list_add(params, &hdev->pend_le_reports); 134 break; 135 default: 136 break; 137 } 138 139 hci_update_passive_scan(hdev); 140 } 141 142 static void hci_conn_cleanup(struct hci_conn *conn) 143 { 144 struct hci_dev *hdev = conn->hdev; 145 146 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags)) 147 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type); 148 149 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 150 hci_remove_link_key(hdev, &conn->dst); 151 152 hci_chan_list_flush(conn); 153 154 hci_conn_hash_del(hdev, conn); 155 156 if (conn->cleanup) 157 conn->cleanup(conn); 158 159 if (conn->type == SCO_LINK || conn->type == ESCO_LINK) { 160 switch (conn->setting & SCO_AIRMODE_MASK) { 161 case SCO_AIRMODE_CVSD: 162 case SCO_AIRMODE_TRANSP: 163 if (hdev->notify) 164 hdev->notify(hdev, HCI_NOTIFY_DISABLE_SCO); 165 break; 166 } 167 } else { 168 if (hdev->notify) 169 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL); 170 } 171 172 hci_conn_del_sysfs(conn); 173 174 debugfs_remove_recursive(conn->debugfs); 175 176 hci_dev_put(hdev); 177 178 hci_conn_put(conn); 179 } 180 181 static void hci_acl_create_connection(struct hci_conn *conn) 182 { 183 struct hci_dev *hdev = conn->hdev; 184 struct inquiry_entry *ie; 185 struct hci_cp_create_conn cp; 186 187 BT_DBG("hcon %p", conn); 188 189 /* Many controllers disallow HCI Create Connection while it is doing 190 * HCI Inquiry. So we cancel the Inquiry first before issuing HCI Create 191 * Connection. This may cause the MGMT discovering state to become false 192 * without user space's request but it is okay since the MGMT Discovery 193 * APIs do not promise that discovery should be done forever. Instead, 194 * the user space monitors the status of MGMT discovering and it may 195 * request for discovery again when this flag becomes false. 196 */ 197 if (test_bit(HCI_INQUIRY, &hdev->flags)) { 198 /* Put this connection to "pending" state so that it will be 199 * executed after the inquiry cancel command complete event. 200 */ 201 conn->state = BT_CONNECT2; 202 hci_send_cmd(hdev, HCI_OP_INQUIRY_CANCEL, 0, NULL); 203 return; 204 } 205 206 conn->state = BT_CONNECT; 207 conn->out = true; 208 conn->role = HCI_ROLE_MASTER; 209 210 conn->attempt++; 211 212 conn->link_policy = hdev->link_policy; 213 214 memset(&cp, 0, sizeof(cp)); 215 bacpy(&cp.bdaddr, &conn->dst); 216 cp.pscan_rep_mode = 0x02; 217 218 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 219 if (ie) { 220 if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) { 221 cp.pscan_rep_mode = ie->data.pscan_rep_mode; 222 cp.pscan_mode = ie->data.pscan_mode; 223 cp.clock_offset = ie->data.clock_offset | 224 cpu_to_le16(0x8000); 225 } 226 227 memcpy(conn->dev_class, ie->data.dev_class, 3); 228 } 229 230 cp.pkt_type = cpu_to_le16(conn->pkt_type); 231 if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER)) 232 cp.role_switch = 0x01; 233 else 234 cp.role_switch = 0x00; 235 236 hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp); 237 } 238 239 int hci_disconnect(struct hci_conn *conn, __u8 reason) 240 { 241 BT_DBG("hcon %p", conn); 242 243 /* When we are central of an established connection and it enters 244 * the disconnect timeout, then go ahead and try to read the 245 * current clock offset. Processing of the result is done 246 * within the event handling and hci_clock_offset_evt function. 247 */ 248 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER && 249 (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) { 250 struct hci_dev *hdev = conn->hdev; 251 struct hci_cp_read_clock_offset clkoff_cp; 252 253 clkoff_cp.handle = cpu_to_le16(conn->handle); 254 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp), 255 &clkoff_cp); 256 } 257 258 return hci_abort_conn(conn, reason); 259 } 260 261 static void hci_add_sco(struct hci_conn *conn, __u16 handle) 262 { 263 struct hci_dev *hdev = conn->hdev; 264 struct hci_cp_add_sco cp; 265 266 BT_DBG("hcon %p", conn); 267 268 conn->state = BT_CONNECT; 269 conn->out = true; 270 271 conn->attempt++; 272 273 cp.handle = cpu_to_le16(handle); 274 cp.pkt_type = cpu_to_le16(conn->pkt_type); 275 276 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp); 277 } 278 279 static bool find_next_esco_param(struct hci_conn *conn, 280 const struct sco_param *esco_param, int size) 281 { 282 if (!conn->parent) 283 return false; 284 285 for (; conn->attempt <= size; conn->attempt++) { 286 if (lmp_esco_2m_capable(conn->parent) || 287 (esco_param[conn->attempt - 1].pkt_type & ESCO_2EV3)) 288 break; 289 BT_DBG("hcon %p skipped attempt %d, eSCO 2M not supported", 290 conn, conn->attempt); 291 } 292 293 return conn->attempt <= size; 294 } 295 296 static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec) 297 { 298 int err; 299 __u8 vnd_len, *vnd_data = NULL; 300 struct hci_op_configure_data_path *cmd = NULL; 301 302 err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len, 303 &vnd_data); 304 if (err < 0) 305 goto error; 306 307 cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL); 308 if (!cmd) { 309 err = -ENOMEM; 310 goto error; 311 } 312 313 err = hdev->get_data_path_id(hdev, &cmd->data_path_id); 314 if (err < 0) 315 goto error; 316 317 cmd->vnd_len = vnd_len; 318 memcpy(cmd->vnd_data, vnd_data, vnd_len); 319 320 cmd->direction = 0x00; 321 __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH, 322 sizeof(*cmd) + vnd_len, cmd, HCI_CMD_TIMEOUT); 323 324 cmd->direction = 0x01; 325 err = __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH, 326 sizeof(*cmd) + vnd_len, cmd, 327 HCI_CMD_TIMEOUT); 328 error: 329 330 kfree(cmd); 331 kfree(vnd_data); 332 return err; 333 } 334 335 static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data) 336 { 337 struct conn_handle_t *conn_handle = data; 338 struct hci_conn *conn = conn_handle->conn; 339 __u16 handle = conn_handle->handle; 340 struct hci_cp_enhanced_setup_sync_conn cp; 341 const struct sco_param *param; 342 343 kfree(conn_handle); 344 345 bt_dev_dbg(hdev, "hcon %p", conn); 346 347 /* for offload use case, codec needs to configured before opening SCO */ 348 if (conn->codec.data_path) 349 configure_datapath_sync(hdev, &conn->codec); 350 351 conn->state = BT_CONNECT; 352 conn->out = true; 353 354 conn->attempt++; 355 356 memset(&cp, 0x00, sizeof(cp)); 357 358 cp.handle = cpu_to_le16(handle); 359 360 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 361 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 362 363 switch (conn->codec.id) { 364 case BT_CODEC_MSBC: 365 if (!find_next_esco_param(conn, esco_param_msbc, 366 ARRAY_SIZE(esco_param_msbc))) 367 return -EINVAL; 368 369 param = &esco_param_msbc[conn->attempt - 1]; 370 cp.tx_coding_format.id = 0x05; 371 cp.rx_coding_format.id = 0x05; 372 cp.tx_codec_frame_size = __cpu_to_le16(60); 373 cp.rx_codec_frame_size = __cpu_to_le16(60); 374 cp.in_bandwidth = __cpu_to_le32(32000); 375 cp.out_bandwidth = __cpu_to_le32(32000); 376 cp.in_coding_format.id = 0x04; 377 cp.out_coding_format.id = 0x04; 378 cp.in_coded_data_size = __cpu_to_le16(16); 379 cp.out_coded_data_size = __cpu_to_le16(16); 380 cp.in_pcm_data_format = 2; 381 cp.out_pcm_data_format = 2; 382 cp.in_pcm_sample_payload_msb_pos = 0; 383 cp.out_pcm_sample_payload_msb_pos = 0; 384 cp.in_data_path = conn->codec.data_path; 385 cp.out_data_path = conn->codec.data_path; 386 cp.in_transport_unit_size = 1; 387 cp.out_transport_unit_size = 1; 388 break; 389 390 case BT_CODEC_TRANSPARENT: 391 if (!find_next_esco_param(conn, esco_param_msbc, 392 ARRAY_SIZE(esco_param_msbc))) 393 return false; 394 param = &esco_param_msbc[conn->attempt - 1]; 395 cp.tx_coding_format.id = 0x03; 396 cp.rx_coding_format.id = 0x03; 397 cp.tx_codec_frame_size = __cpu_to_le16(60); 398 cp.rx_codec_frame_size = __cpu_to_le16(60); 399 cp.in_bandwidth = __cpu_to_le32(0x1f40); 400 cp.out_bandwidth = __cpu_to_le32(0x1f40); 401 cp.in_coding_format.id = 0x03; 402 cp.out_coding_format.id = 0x03; 403 cp.in_coded_data_size = __cpu_to_le16(16); 404 cp.out_coded_data_size = __cpu_to_le16(16); 405 cp.in_pcm_data_format = 2; 406 cp.out_pcm_data_format = 2; 407 cp.in_pcm_sample_payload_msb_pos = 0; 408 cp.out_pcm_sample_payload_msb_pos = 0; 409 cp.in_data_path = conn->codec.data_path; 410 cp.out_data_path = conn->codec.data_path; 411 cp.in_transport_unit_size = 1; 412 cp.out_transport_unit_size = 1; 413 break; 414 415 case BT_CODEC_CVSD: 416 if (conn->parent && lmp_esco_capable(conn->parent)) { 417 if (!find_next_esco_param(conn, esco_param_cvsd, 418 ARRAY_SIZE(esco_param_cvsd))) 419 return -EINVAL; 420 param = &esco_param_cvsd[conn->attempt - 1]; 421 } else { 422 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd)) 423 return -EINVAL; 424 param = &sco_param_cvsd[conn->attempt - 1]; 425 } 426 cp.tx_coding_format.id = 2; 427 cp.rx_coding_format.id = 2; 428 cp.tx_codec_frame_size = __cpu_to_le16(60); 429 cp.rx_codec_frame_size = __cpu_to_le16(60); 430 cp.in_bandwidth = __cpu_to_le32(16000); 431 cp.out_bandwidth = __cpu_to_le32(16000); 432 cp.in_coding_format.id = 4; 433 cp.out_coding_format.id = 4; 434 cp.in_coded_data_size = __cpu_to_le16(16); 435 cp.out_coded_data_size = __cpu_to_le16(16); 436 cp.in_pcm_data_format = 2; 437 cp.out_pcm_data_format = 2; 438 cp.in_pcm_sample_payload_msb_pos = 0; 439 cp.out_pcm_sample_payload_msb_pos = 0; 440 cp.in_data_path = conn->codec.data_path; 441 cp.out_data_path = conn->codec.data_path; 442 cp.in_transport_unit_size = 16; 443 cp.out_transport_unit_size = 16; 444 break; 445 default: 446 return -EINVAL; 447 } 448 449 cp.retrans_effort = param->retrans_effort; 450 cp.pkt_type = __cpu_to_le16(param->pkt_type); 451 cp.max_latency = __cpu_to_le16(param->max_latency); 452 453 if (hci_send_cmd(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0) 454 return -EIO; 455 456 return 0; 457 } 458 459 static bool hci_setup_sync_conn(struct hci_conn *conn, __u16 handle) 460 { 461 struct hci_dev *hdev = conn->hdev; 462 struct hci_cp_setup_sync_conn cp; 463 const struct sco_param *param; 464 465 bt_dev_dbg(hdev, "hcon %p", conn); 466 467 conn->state = BT_CONNECT; 468 conn->out = true; 469 470 conn->attempt++; 471 472 cp.handle = cpu_to_le16(handle); 473 474 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 475 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 476 cp.voice_setting = cpu_to_le16(conn->setting); 477 478 switch (conn->setting & SCO_AIRMODE_MASK) { 479 case SCO_AIRMODE_TRANSP: 480 if (!find_next_esco_param(conn, esco_param_msbc, 481 ARRAY_SIZE(esco_param_msbc))) 482 return false; 483 param = &esco_param_msbc[conn->attempt - 1]; 484 break; 485 case SCO_AIRMODE_CVSD: 486 if (conn->parent && lmp_esco_capable(conn->parent)) { 487 if (!find_next_esco_param(conn, esco_param_cvsd, 488 ARRAY_SIZE(esco_param_cvsd))) 489 return false; 490 param = &esco_param_cvsd[conn->attempt - 1]; 491 } else { 492 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd)) 493 return false; 494 param = &sco_param_cvsd[conn->attempt - 1]; 495 } 496 break; 497 default: 498 return false; 499 } 500 501 cp.retrans_effort = param->retrans_effort; 502 cp.pkt_type = __cpu_to_le16(param->pkt_type); 503 cp.max_latency = __cpu_to_le16(param->max_latency); 504 505 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0) 506 return false; 507 508 return true; 509 } 510 511 bool hci_setup_sync(struct hci_conn *conn, __u16 handle) 512 { 513 int result; 514 struct conn_handle_t *conn_handle; 515 516 if (enhanced_sync_conn_capable(conn->hdev)) { 517 conn_handle = kzalloc(sizeof(*conn_handle), GFP_KERNEL); 518 519 if (!conn_handle) 520 return false; 521 522 conn_handle->conn = conn; 523 conn_handle->handle = handle; 524 result = hci_cmd_sync_queue(conn->hdev, hci_enhanced_setup_sync, 525 conn_handle, NULL); 526 if (result < 0) 527 kfree(conn_handle); 528 529 return result == 0; 530 } 531 532 return hci_setup_sync_conn(conn, handle); 533 } 534 535 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency, 536 u16 to_multiplier) 537 { 538 struct hci_dev *hdev = conn->hdev; 539 struct hci_conn_params *params; 540 struct hci_cp_le_conn_update cp; 541 542 hci_dev_lock(hdev); 543 544 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 545 if (params) { 546 params->conn_min_interval = min; 547 params->conn_max_interval = max; 548 params->conn_latency = latency; 549 params->supervision_timeout = to_multiplier; 550 } 551 552 hci_dev_unlock(hdev); 553 554 memset(&cp, 0, sizeof(cp)); 555 cp.handle = cpu_to_le16(conn->handle); 556 cp.conn_interval_min = cpu_to_le16(min); 557 cp.conn_interval_max = cpu_to_le16(max); 558 cp.conn_latency = cpu_to_le16(latency); 559 cp.supervision_timeout = cpu_to_le16(to_multiplier); 560 cp.min_ce_len = cpu_to_le16(0x0000); 561 cp.max_ce_len = cpu_to_le16(0x0000); 562 563 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp); 564 565 if (params) 566 return 0x01; 567 568 return 0x00; 569 } 570 571 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand, 572 __u8 ltk[16], __u8 key_size) 573 { 574 struct hci_dev *hdev = conn->hdev; 575 struct hci_cp_le_start_enc cp; 576 577 BT_DBG("hcon %p", conn); 578 579 memset(&cp, 0, sizeof(cp)); 580 581 cp.handle = cpu_to_le16(conn->handle); 582 cp.rand = rand; 583 cp.ediv = ediv; 584 memcpy(cp.ltk, ltk, key_size); 585 586 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp); 587 } 588 589 /* Device _must_ be locked */ 590 void hci_sco_setup(struct hci_conn *conn, __u8 status) 591 { 592 struct hci_link *link; 593 594 link = list_first_entry_or_null(&conn->link_list, struct hci_link, list); 595 if (!link || !link->conn) 596 return; 597 598 BT_DBG("hcon %p", conn); 599 600 if (!status) { 601 if (lmp_esco_capable(conn->hdev)) 602 hci_setup_sync(link->conn, conn->handle); 603 else 604 hci_add_sco(link->conn, conn->handle); 605 } else { 606 hci_connect_cfm(link->conn, status); 607 hci_conn_del(link->conn); 608 } 609 } 610 611 static void hci_conn_timeout(struct work_struct *work) 612 { 613 struct hci_conn *conn = container_of(work, struct hci_conn, 614 disc_work.work); 615 int refcnt = atomic_read(&conn->refcnt); 616 617 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state)); 618 619 WARN_ON(refcnt < 0); 620 621 /* FIXME: It was observed that in pairing failed scenario, refcnt 622 * drops below 0. Probably this is because l2cap_conn_del calls 623 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is 624 * dropped. After that loop hci_chan_del is called which also drops 625 * conn. For now make sure that ACL is alive if refcnt is higher then 0, 626 * otherwise drop it. 627 */ 628 if (refcnt > 0) 629 return; 630 631 hci_abort_conn(conn, hci_proto_disconn_ind(conn)); 632 } 633 634 /* Enter sniff mode */ 635 static void hci_conn_idle(struct work_struct *work) 636 { 637 struct hci_conn *conn = container_of(work, struct hci_conn, 638 idle_work.work); 639 struct hci_dev *hdev = conn->hdev; 640 641 BT_DBG("hcon %p mode %d", conn, conn->mode); 642 643 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn)) 644 return; 645 646 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF)) 647 return; 648 649 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) { 650 struct hci_cp_sniff_subrate cp; 651 cp.handle = cpu_to_le16(conn->handle); 652 cp.max_latency = cpu_to_le16(0); 653 cp.min_remote_timeout = cpu_to_le16(0); 654 cp.min_local_timeout = cpu_to_le16(0); 655 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp); 656 } 657 658 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) { 659 struct hci_cp_sniff_mode cp; 660 cp.handle = cpu_to_le16(conn->handle); 661 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval); 662 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval); 663 cp.attempt = cpu_to_le16(4); 664 cp.timeout = cpu_to_le16(1); 665 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp); 666 } 667 } 668 669 static void hci_conn_auto_accept(struct work_struct *work) 670 { 671 struct hci_conn *conn = container_of(work, struct hci_conn, 672 auto_accept_work.work); 673 674 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst), 675 &conn->dst); 676 } 677 678 static void le_disable_advertising(struct hci_dev *hdev) 679 { 680 if (ext_adv_capable(hdev)) { 681 struct hci_cp_le_set_ext_adv_enable cp; 682 683 cp.enable = 0x00; 684 cp.num_of_sets = 0x00; 685 686 hci_send_cmd(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE, sizeof(cp), 687 &cp); 688 } else { 689 u8 enable = 0x00; 690 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), 691 &enable); 692 } 693 } 694 695 static void le_conn_timeout(struct work_struct *work) 696 { 697 struct hci_conn *conn = container_of(work, struct hci_conn, 698 le_conn_timeout.work); 699 struct hci_dev *hdev = conn->hdev; 700 701 BT_DBG(""); 702 703 /* We could end up here due to having done directed advertising, 704 * so clean up the state if necessary. This should however only 705 * happen with broken hardware or if low duty cycle was used 706 * (which doesn't have a timeout of its own). 707 */ 708 if (conn->role == HCI_ROLE_SLAVE) { 709 /* Disable LE Advertising */ 710 le_disable_advertising(hdev); 711 hci_dev_lock(hdev); 712 hci_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT); 713 hci_dev_unlock(hdev); 714 return; 715 } 716 717 hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM); 718 } 719 720 struct iso_cig_params { 721 struct hci_cp_le_set_cig_params cp; 722 struct hci_cis_params cis[0x1f]; 723 }; 724 725 struct iso_list_data { 726 union { 727 u8 cig; 728 u8 big; 729 }; 730 union { 731 u8 cis; 732 u8 bis; 733 u16 sync_handle; 734 }; 735 int count; 736 bool big_term; 737 bool pa_sync_term; 738 bool big_sync_term; 739 }; 740 741 static void bis_list(struct hci_conn *conn, void *data) 742 { 743 struct iso_list_data *d = data; 744 745 /* Skip if not broadcast/ANY address */ 746 if (bacmp(&conn->dst, BDADDR_ANY)) 747 return; 748 749 if (d->big != conn->iso_qos.bcast.big || d->bis == BT_ISO_QOS_BIS_UNSET || 750 d->bis != conn->iso_qos.bcast.bis) 751 return; 752 753 d->count++; 754 } 755 756 static int terminate_big_sync(struct hci_dev *hdev, void *data) 757 { 758 struct iso_list_data *d = data; 759 760 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", d->big, d->bis); 761 762 hci_remove_ext_adv_instance_sync(hdev, d->bis, NULL); 763 764 /* Only terminate BIG if it has been created */ 765 if (!d->big_term) 766 return 0; 767 768 return hci_le_terminate_big_sync(hdev, d->big, 769 HCI_ERROR_LOCAL_HOST_TERM); 770 } 771 772 static void terminate_big_destroy(struct hci_dev *hdev, void *data, int err) 773 { 774 kfree(data); 775 } 776 777 static int hci_le_terminate_big(struct hci_dev *hdev, struct hci_conn *conn) 778 { 779 struct iso_list_data *d; 780 int ret; 781 782 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", conn->iso_qos.bcast.big, 783 conn->iso_qos.bcast.bis); 784 785 d = kzalloc(sizeof(*d), GFP_KERNEL); 786 if (!d) 787 return -ENOMEM; 788 789 d->big = conn->iso_qos.bcast.big; 790 d->bis = conn->iso_qos.bcast.bis; 791 d->big_term = test_and_clear_bit(HCI_CONN_BIG_CREATED, &conn->flags); 792 793 ret = hci_cmd_sync_queue(hdev, terminate_big_sync, d, 794 terminate_big_destroy); 795 if (ret) 796 kfree(d); 797 798 return ret; 799 } 800 801 static int big_terminate_sync(struct hci_dev *hdev, void *data) 802 { 803 struct iso_list_data *d = data; 804 805 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", d->big, 806 d->sync_handle); 807 808 if (d->big_sync_term) 809 hci_le_big_terminate_sync(hdev, d->big); 810 811 if (d->pa_sync_term) 812 return hci_le_pa_terminate_sync(hdev, d->sync_handle); 813 814 return 0; 815 } 816 817 static int hci_le_big_terminate(struct hci_dev *hdev, u8 big, struct hci_conn *conn) 818 { 819 struct iso_list_data *d; 820 int ret; 821 822 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", big, conn->sync_handle); 823 824 d = kzalloc(sizeof(*d), GFP_KERNEL); 825 if (!d) 826 return -ENOMEM; 827 828 d->big = big; 829 d->sync_handle = conn->sync_handle; 830 d->pa_sync_term = test_and_clear_bit(HCI_CONN_PA_SYNC, &conn->flags); 831 d->big_sync_term = test_and_clear_bit(HCI_CONN_BIG_SYNC, &conn->flags); 832 833 ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d, 834 terminate_big_destroy); 835 if (ret) 836 kfree(d); 837 838 return ret; 839 } 840 841 /* Cleanup BIS connection 842 * 843 * Detects if there any BIS left connected in a BIG 844 * broadcaster: Remove advertising instance and terminate BIG. 845 * broadcaster receiver: Teminate BIG sync and terminate PA sync. 846 */ 847 static void bis_cleanup(struct hci_conn *conn) 848 { 849 struct hci_dev *hdev = conn->hdev; 850 struct hci_conn *bis; 851 852 bt_dev_dbg(hdev, "conn %p", conn); 853 854 if (conn->role == HCI_ROLE_MASTER) { 855 if (!test_and_clear_bit(HCI_CONN_PER_ADV, &conn->flags)) 856 return; 857 858 /* Check if ISO connection is a BIS and terminate advertising 859 * set and BIG if there are no other connections using it. 860 */ 861 bis = hci_conn_hash_lookup_big(hdev, conn->iso_qos.bcast.big); 862 if (bis) 863 return; 864 865 hci_le_terminate_big(hdev, conn); 866 } else { 867 bis = hci_conn_hash_lookup_big_any_dst(hdev, 868 conn->iso_qos.bcast.big); 869 870 if (bis) 871 return; 872 873 hci_le_big_terminate(hdev, conn->iso_qos.bcast.big, 874 conn); 875 } 876 } 877 878 static int remove_cig_sync(struct hci_dev *hdev, void *data) 879 { 880 u8 handle = PTR_UINT(data); 881 882 return hci_le_remove_cig_sync(hdev, handle); 883 } 884 885 static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle) 886 { 887 bt_dev_dbg(hdev, "handle 0x%2.2x", handle); 888 889 return hci_cmd_sync_queue(hdev, remove_cig_sync, UINT_PTR(handle), 890 NULL); 891 } 892 893 static void find_cis(struct hci_conn *conn, void *data) 894 { 895 struct iso_list_data *d = data; 896 897 /* Ignore broadcast or if CIG don't match */ 898 if (!bacmp(&conn->dst, BDADDR_ANY) || d->cig != conn->iso_qos.ucast.cig) 899 return; 900 901 d->count++; 902 } 903 904 /* Cleanup CIS connection: 905 * 906 * Detects if there any CIS left connected in a CIG and remove it. 907 */ 908 static void cis_cleanup(struct hci_conn *conn) 909 { 910 struct hci_dev *hdev = conn->hdev; 911 struct iso_list_data d; 912 913 if (conn->iso_qos.ucast.cig == BT_ISO_QOS_CIG_UNSET) 914 return; 915 916 memset(&d, 0, sizeof(d)); 917 d.cig = conn->iso_qos.ucast.cig; 918 919 /* Check if ISO connection is a CIS and remove CIG if there are 920 * no other connections using it. 921 */ 922 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_BOUND, &d); 923 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECT, &d); 924 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECTED, &d); 925 if (d.count) 926 return; 927 928 hci_le_remove_cig(hdev, conn->iso_qos.ucast.cig); 929 } 930 931 static u16 hci_conn_hash_alloc_unset(struct hci_dev *hdev) 932 { 933 struct hci_conn_hash *h = &hdev->conn_hash; 934 struct hci_conn *c; 935 u16 handle = HCI_CONN_HANDLE_MAX + 1; 936 937 rcu_read_lock(); 938 939 list_for_each_entry_rcu(c, &h->list, list) { 940 /* Find the first unused handle */ 941 if (handle == 0xffff || c->handle != handle) 942 break; 943 handle++; 944 } 945 rcu_read_unlock(); 946 947 return handle; 948 } 949 950 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst, 951 u8 role) 952 { 953 struct hci_conn *conn; 954 955 BT_DBG("%s dst %pMR", hdev->name, dst); 956 957 conn = kzalloc(sizeof(*conn), GFP_KERNEL); 958 if (!conn) 959 return NULL; 960 961 bacpy(&conn->dst, dst); 962 bacpy(&conn->src, &hdev->bdaddr); 963 conn->handle = hci_conn_hash_alloc_unset(hdev); 964 conn->hdev = hdev; 965 conn->type = type; 966 conn->role = role; 967 conn->mode = HCI_CM_ACTIVE; 968 conn->state = BT_OPEN; 969 conn->auth_type = HCI_AT_GENERAL_BONDING; 970 conn->io_capability = hdev->io_capability; 971 conn->remote_auth = 0xff; 972 conn->key_type = 0xff; 973 conn->rssi = HCI_RSSI_INVALID; 974 conn->tx_power = HCI_TX_POWER_INVALID; 975 conn->max_tx_power = HCI_TX_POWER_INVALID; 976 977 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 978 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 979 980 /* Set Default Authenticated payload timeout to 30s */ 981 conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT; 982 983 if (conn->role == HCI_ROLE_MASTER) 984 conn->out = true; 985 986 switch (type) { 987 case ACL_LINK: 988 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK; 989 break; 990 case LE_LINK: 991 /* conn->src should reflect the local identity address */ 992 hci_copy_identity_address(hdev, &conn->src, &conn->src_type); 993 break; 994 case ISO_LINK: 995 /* conn->src should reflect the local identity address */ 996 hci_copy_identity_address(hdev, &conn->src, &conn->src_type); 997 998 /* set proper cleanup function */ 999 if (!bacmp(dst, BDADDR_ANY)) 1000 conn->cleanup = bis_cleanup; 1001 else if (conn->role == HCI_ROLE_MASTER) 1002 conn->cleanup = cis_cleanup; 1003 1004 break; 1005 case SCO_LINK: 1006 if (lmp_esco_capable(hdev)) 1007 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 1008 (hdev->esco_type & EDR_ESCO_MASK); 1009 else 1010 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK; 1011 break; 1012 case ESCO_LINK: 1013 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK; 1014 break; 1015 } 1016 1017 skb_queue_head_init(&conn->data_q); 1018 1019 INIT_LIST_HEAD(&conn->chan_list); 1020 INIT_LIST_HEAD(&conn->link_list); 1021 1022 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout); 1023 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept); 1024 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle); 1025 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout); 1026 1027 atomic_set(&conn->refcnt, 0); 1028 1029 hci_dev_hold(hdev); 1030 1031 hci_conn_hash_add(hdev, conn); 1032 1033 /* The SCO and eSCO connections will only be notified when their 1034 * setup has been completed. This is different to ACL links which 1035 * can be notified right away. 1036 */ 1037 if (conn->type != SCO_LINK && conn->type != ESCO_LINK) { 1038 if (hdev->notify) 1039 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD); 1040 } 1041 1042 hci_conn_init_sysfs(conn); 1043 1044 return conn; 1045 } 1046 1047 static void hci_conn_cleanup_child(struct hci_conn *conn, u8 reason) 1048 { 1049 if (!reason) 1050 reason = HCI_ERROR_REMOTE_USER_TERM; 1051 1052 /* Due to race, SCO/ISO conn might be not established yet at this point, 1053 * and nothing else will clean it up. In other cases it is done via HCI 1054 * events. 1055 */ 1056 switch (conn->type) { 1057 case SCO_LINK: 1058 case ESCO_LINK: 1059 if (HCI_CONN_HANDLE_UNSET(conn->handle)) 1060 hci_conn_failed(conn, reason); 1061 break; 1062 case ISO_LINK: 1063 if (conn->state != BT_CONNECTED && 1064 !test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) 1065 hci_conn_failed(conn, reason); 1066 break; 1067 } 1068 } 1069 1070 static void hci_conn_unlink(struct hci_conn *conn) 1071 { 1072 struct hci_dev *hdev = conn->hdev; 1073 1074 bt_dev_dbg(hdev, "hcon %p", conn); 1075 1076 if (!conn->parent) { 1077 struct hci_link *link, *t; 1078 1079 list_for_each_entry_safe(link, t, &conn->link_list, list) { 1080 struct hci_conn *child = link->conn; 1081 1082 hci_conn_unlink(child); 1083 1084 /* If hdev is down it means 1085 * hci_dev_close_sync/hci_conn_hash_flush is in progress 1086 * and links don't need to be cleanup as all connections 1087 * would be cleanup. 1088 */ 1089 if (!test_bit(HCI_UP, &hdev->flags)) 1090 continue; 1091 1092 hci_conn_cleanup_child(child, conn->abort_reason); 1093 } 1094 1095 return; 1096 } 1097 1098 if (!conn->link) 1099 return; 1100 1101 list_del_rcu(&conn->link->list); 1102 synchronize_rcu(); 1103 1104 hci_conn_drop(conn->parent); 1105 hci_conn_put(conn->parent); 1106 conn->parent = NULL; 1107 1108 kfree(conn->link); 1109 conn->link = NULL; 1110 } 1111 1112 void hci_conn_del(struct hci_conn *conn) 1113 { 1114 struct hci_dev *hdev = conn->hdev; 1115 1116 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle); 1117 1118 hci_conn_unlink(conn); 1119 1120 cancel_delayed_work_sync(&conn->disc_work); 1121 cancel_delayed_work_sync(&conn->auto_accept_work); 1122 cancel_delayed_work_sync(&conn->idle_work); 1123 1124 if (conn->type == ACL_LINK) { 1125 /* Unacked frames */ 1126 hdev->acl_cnt += conn->sent; 1127 } else if (conn->type == LE_LINK) { 1128 cancel_delayed_work(&conn->le_conn_timeout); 1129 1130 if (hdev->le_pkts) 1131 hdev->le_cnt += conn->sent; 1132 else 1133 hdev->acl_cnt += conn->sent; 1134 } else { 1135 /* Unacked ISO frames */ 1136 if (conn->type == ISO_LINK) { 1137 if (hdev->iso_pkts) 1138 hdev->iso_cnt += conn->sent; 1139 else if (hdev->le_pkts) 1140 hdev->le_cnt += conn->sent; 1141 else 1142 hdev->acl_cnt += conn->sent; 1143 } 1144 } 1145 1146 if (conn->amp_mgr) 1147 amp_mgr_put(conn->amp_mgr); 1148 1149 skb_queue_purge(&conn->data_q); 1150 1151 /* Remove the connection from the list and cleanup its remaining 1152 * state. This is a separate function since for some cases like 1153 * BT_CONNECT_SCAN we *only* want the cleanup part without the 1154 * rest of hci_conn_del. 1155 */ 1156 hci_conn_cleanup(conn); 1157 } 1158 1159 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type) 1160 { 1161 int use_src = bacmp(src, BDADDR_ANY); 1162 struct hci_dev *hdev = NULL, *d; 1163 1164 BT_DBG("%pMR -> %pMR", src, dst); 1165 1166 read_lock(&hci_dev_list_lock); 1167 1168 list_for_each_entry(d, &hci_dev_list, list) { 1169 if (!test_bit(HCI_UP, &d->flags) || 1170 hci_dev_test_flag(d, HCI_USER_CHANNEL) || 1171 d->dev_type != HCI_PRIMARY) 1172 continue; 1173 1174 /* Simple routing: 1175 * No source address - find interface with bdaddr != dst 1176 * Source address - find interface with bdaddr == src 1177 */ 1178 1179 if (use_src) { 1180 bdaddr_t id_addr; 1181 u8 id_addr_type; 1182 1183 if (src_type == BDADDR_BREDR) { 1184 if (!lmp_bredr_capable(d)) 1185 continue; 1186 bacpy(&id_addr, &d->bdaddr); 1187 id_addr_type = BDADDR_BREDR; 1188 } else { 1189 if (!lmp_le_capable(d)) 1190 continue; 1191 1192 hci_copy_identity_address(d, &id_addr, 1193 &id_addr_type); 1194 1195 /* Convert from HCI to three-value type */ 1196 if (id_addr_type == ADDR_LE_DEV_PUBLIC) 1197 id_addr_type = BDADDR_LE_PUBLIC; 1198 else 1199 id_addr_type = BDADDR_LE_RANDOM; 1200 } 1201 1202 if (!bacmp(&id_addr, src) && id_addr_type == src_type) { 1203 hdev = d; break; 1204 } 1205 } else { 1206 if (bacmp(&d->bdaddr, dst)) { 1207 hdev = d; break; 1208 } 1209 } 1210 } 1211 1212 if (hdev) 1213 hdev = hci_dev_hold(hdev); 1214 1215 read_unlock(&hci_dev_list_lock); 1216 return hdev; 1217 } 1218 EXPORT_SYMBOL(hci_get_route); 1219 1220 /* This function requires the caller holds hdev->lock */ 1221 static void hci_le_conn_failed(struct hci_conn *conn, u8 status) 1222 { 1223 struct hci_dev *hdev = conn->hdev; 1224 1225 hci_connect_le_scan_cleanup(conn, status); 1226 1227 /* Enable advertising in case this was a failed connection 1228 * attempt as a peripheral. 1229 */ 1230 hci_enable_advertising(hdev); 1231 } 1232 1233 /* This function requires the caller holds hdev->lock */ 1234 void hci_conn_failed(struct hci_conn *conn, u8 status) 1235 { 1236 struct hci_dev *hdev = conn->hdev; 1237 1238 bt_dev_dbg(hdev, "status 0x%2.2x", status); 1239 1240 switch (conn->type) { 1241 case LE_LINK: 1242 hci_le_conn_failed(conn, status); 1243 break; 1244 case ACL_LINK: 1245 mgmt_connect_failed(hdev, &conn->dst, conn->type, 1246 conn->dst_type, status); 1247 break; 1248 } 1249 1250 conn->state = BT_CLOSED; 1251 hci_connect_cfm(conn, status); 1252 hci_conn_del(conn); 1253 } 1254 1255 /* This function requires the caller holds hdev->lock */ 1256 u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle) 1257 { 1258 struct hci_dev *hdev = conn->hdev; 1259 1260 bt_dev_dbg(hdev, "hcon %p handle 0x%4.4x", conn, handle); 1261 1262 if (conn->handle == handle) 1263 return 0; 1264 1265 if (handle > HCI_CONN_HANDLE_MAX) { 1266 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x", 1267 handle, HCI_CONN_HANDLE_MAX); 1268 return HCI_ERROR_INVALID_PARAMETERS; 1269 } 1270 1271 /* If abort_reason has been sent it means the connection is being 1272 * aborted and the handle shall not be changed. 1273 */ 1274 if (conn->abort_reason) 1275 return conn->abort_reason; 1276 1277 conn->handle = handle; 1278 1279 return 0; 1280 } 1281 1282 static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err) 1283 { 1284 struct hci_conn *conn; 1285 u16 handle = PTR_UINT(data); 1286 1287 conn = hci_conn_hash_lookup_handle(hdev, handle); 1288 if (!conn) 1289 return; 1290 1291 bt_dev_dbg(hdev, "err %d", err); 1292 1293 hci_dev_lock(hdev); 1294 1295 if (!err) { 1296 hci_connect_le_scan_cleanup(conn, 0x00); 1297 goto done; 1298 } 1299 1300 /* Check if connection is still pending */ 1301 if (conn != hci_lookup_le_connect(hdev)) 1302 goto done; 1303 1304 /* Flush to make sure we send create conn cancel command if needed */ 1305 flush_delayed_work(&conn->le_conn_timeout); 1306 hci_conn_failed(conn, bt_status(err)); 1307 1308 done: 1309 hci_dev_unlock(hdev); 1310 } 1311 1312 static int hci_connect_le_sync(struct hci_dev *hdev, void *data) 1313 { 1314 struct hci_conn *conn; 1315 u16 handle = PTR_UINT(data); 1316 1317 conn = hci_conn_hash_lookup_handle(hdev, handle); 1318 if (!conn) 1319 return 0; 1320 1321 bt_dev_dbg(hdev, "conn %p", conn); 1322 1323 clear_bit(HCI_CONN_SCANNING, &conn->flags); 1324 conn->state = BT_CONNECT; 1325 1326 return hci_le_create_conn_sync(hdev, conn); 1327 } 1328 1329 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst, 1330 u8 dst_type, bool dst_resolved, u8 sec_level, 1331 u16 conn_timeout, u8 role) 1332 { 1333 struct hci_conn *conn; 1334 struct smp_irk *irk; 1335 int err; 1336 1337 /* Let's make sure that le is enabled.*/ 1338 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1339 if (lmp_le_capable(hdev)) 1340 return ERR_PTR(-ECONNREFUSED); 1341 1342 return ERR_PTR(-EOPNOTSUPP); 1343 } 1344 1345 /* Since the controller supports only one LE connection attempt at a 1346 * time, we return -EBUSY if there is any connection attempt running. 1347 */ 1348 if (hci_lookup_le_connect(hdev)) 1349 return ERR_PTR(-EBUSY); 1350 1351 /* If there's already a connection object but it's not in 1352 * scanning state it means it must already be established, in 1353 * which case we can't do anything else except report a failure 1354 * to connect. 1355 */ 1356 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type); 1357 if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) { 1358 return ERR_PTR(-EBUSY); 1359 } 1360 1361 /* Check if the destination address has been resolved by the controller 1362 * since if it did then the identity address shall be used. 1363 */ 1364 if (!dst_resolved) { 1365 /* When given an identity address with existing identity 1366 * resolving key, the connection needs to be established 1367 * to a resolvable random address. 1368 * 1369 * Storing the resolvable random address is required here 1370 * to handle connection failures. The address will later 1371 * be resolved back into the original identity address 1372 * from the connect request. 1373 */ 1374 irk = hci_find_irk_by_addr(hdev, dst, dst_type); 1375 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) { 1376 dst = &irk->rpa; 1377 dst_type = ADDR_LE_DEV_RANDOM; 1378 } 1379 } 1380 1381 if (conn) { 1382 bacpy(&conn->dst, dst); 1383 } else { 1384 conn = hci_conn_add(hdev, LE_LINK, dst, role); 1385 if (!conn) 1386 return ERR_PTR(-ENOMEM); 1387 hci_conn_hold(conn); 1388 conn->pending_sec_level = sec_level; 1389 } 1390 1391 conn->dst_type = dst_type; 1392 conn->sec_level = BT_SECURITY_LOW; 1393 conn->conn_timeout = conn_timeout; 1394 1395 err = hci_cmd_sync_queue(hdev, hci_connect_le_sync, 1396 UINT_PTR(conn->handle), 1397 create_le_conn_complete); 1398 if (err) { 1399 hci_conn_del(conn); 1400 return ERR_PTR(err); 1401 } 1402 1403 return conn; 1404 } 1405 1406 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type) 1407 { 1408 struct hci_conn *conn; 1409 1410 conn = hci_conn_hash_lookup_le(hdev, addr, type); 1411 if (!conn) 1412 return false; 1413 1414 if (conn->state != BT_CONNECTED) 1415 return false; 1416 1417 return true; 1418 } 1419 1420 /* This function requires the caller holds hdev->lock */ 1421 static int hci_explicit_conn_params_set(struct hci_dev *hdev, 1422 bdaddr_t *addr, u8 addr_type) 1423 { 1424 struct hci_conn_params *params; 1425 1426 if (is_connected(hdev, addr, addr_type)) 1427 return -EISCONN; 1428 1429 params = hci_conn_params_lookup(hdev, addr, addr_type); 1430 if (!params) { 1431 params = hci_conn_params_add(hdev, addr, addr_type); 1432 if (!params) 1433 return -ENOMEM; 1434 1435 /* If we created new params, mark them to be deleted in 1436 * hci_connect_le_scan_cleanup. It's different case than 1437 * existing disabled params, those will stay after cleanup. 1438 */ 1439 params->auto_connect = HCI_AUTO_CONN_EXPLICIT; 1440 } 1441 1442 /* We're trying to connect, so make sure params are at pend_le_conns */ 1443 if (params->auto_connect == HCI_AUTO_CONN_DISABLED || 1444 params->auto_connect == HCI_AUTO_CONN_REPORT || 1445 params->auto_connect == HCI_AUTO_CONN_EXPLICIT) { 1446 hci_pend_le_list_del_init(params); 1447 hci_pend_le_list_add(params, &hdev->pend_le_conns); 1448 } 1449 1450 params->explicit_connect = true; 1451 1452 BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type, 1453 params->auto_connect); 1454 1455 return 0; 1456 } 1457 1458 static int qos_set_big(struct hci_dev *hdev, struct bt_iso_qos *qos) 1459 { 1460 struct hci_conn *conn; 1461 u8 big; 1462 1463 /* Allocate a BIG if not set */ 1464 if (qos->bcast.big == BT_ISO_QOS_BIG_UNSET) { 1465 for (big = 0x00; big < 0xef; big++) { 1466 1467 conn = hci_conn_hash_lookup_big(hdev, big); 1468 if (!conn) 1469 break; 1470 } 1471 1472 if (big == 0xef) 1473 return -EADDRNOTAVAIL; 1474 1475 /* Update BIG */ 1476 qos->bcast.big = big; 1477 } 1478 1479 return 0; 1480 } 1481 1482 static int qos_set_bis(struct hci_dev *hdev, struct bt_iso_qos *qos) 1483 { 1484 struct hci_conn *conn; 1485 u8 bis; 1486 1487 /* Allocate BIS if not set */ 1488 if (qos->bcast.bis == BT_ISO_QOS_BIS_UNSET) { 1489 /* Find an unused adv set to advertise BIS, skip instance 0x00 1490 * since it is reserved as general purpose set. 1491 */ 1492 for (bis = 0x01; bis < hdev->le_num_of_adv_sets; 1493 bis++) { 1494 1495 conn = hci_conn_hash_lookup_bis(hdev, BDADDR_ANY, bis); 1496 if (!conn) 1497 break; 1498 } 1499 1500 if (bis == hdev->le_num_of_adv_sets) 1501 return -EADDRNOTAVAIL; 1502 1503 /* Update BIS */ 1504 qos->bcast.bis = bis; 1505 } 1506 1507 return 0; 1508 } 1509 1510 /* This function requires the caller holds hdev->lock */ 1511 static struct hci_conn *hci_add_bis(struct hci_dev *hdev, bdaddr_t *dst, 1512 struct bt_iso_qos *qos, __u8 base_len, 1513 __u8 *base) 1514 { 1515 struct hci_conn *conn; 1516 int err; 1517 1518 /* Let's make sure that le is enabled.*/ 1519 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1520 if (lmp_le_capable(hdev)) 1521 return ERR_PTR(-ECONNREFUSED); 1522 return ERR_PTR(-EOPNOTSUPP); 1523 } 1524 1525 err = qos_set_big(hdev, qos); 1526 if (err) 1527 return ERR_PTR(err); 1528 1529 err = qos_set_bis(hdev, qos); 1530 if (err) 1531 return ERR_PTR(err); 1532 1533 /* Check if the LE Create BIG command has already been sent */ 1534 conn = hci_conn_hash_lookup_per_adv_bis(hdev, dst, qos->bcast.big, 1535 qos->bcast.big); 1536 if (conn) 1537 return ERR_PTR(-EADDRINUSE); 1538 1539 /* Check BIS settings against other bound BISes, since all 1540 * BISes in a BIG must have the same value for all parameters 1541 */ 1542 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big); 1543 1544 if (conn && (memcmp(qos, &conn->iso_qos, sizeof(*qos)) || 1545 base_len != conn->le_per_adv_data_len || 1546 memcmp(conn->le_per_adv_data, base, base_len))) 1547 return ERR_PTR(-EADDRINUSE); 1548 1549 conn = hci_conn_add(hdev, ISO_LINK, dst, HCI_ROLE_MASTER); 1550 if (!conn) 1551 return ERR_PTR(-ENOMEM); 1552 1553 conn->state = BT_CONNECT; 1554 1555 hci_conn_hold(conn); 1556 return conn; 1557 } 1558 1559 /* This function requires the caller holds hdev->lock */ 1560 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst, 1561 u8 dst_type, u8 sec_level, 1562 u16 conn_timeout, 1563 enum conn_reasons conn_reason) 1564 { 1565 struct hci_conn *conn; 1566 1567 /* Let's make sure that le is enabled.*/ 1568 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1569 if (lmp_le_capable(hdev)) 1570 return ERR_PTR(-ECONNREFUSED); 1571 1572 return ERR_PTR(-EOPNOTSUPP); 1573 } 1574 1575 /* Some devices send ATT messages as soon as the physical link is 1576 * established. To be able to handle these ATT messages, the user- 1577 * space first establishes the connection and then starts the pairing 1578 * process. 1579 * 1580 * So if a hci_conn object already exists for the following connection 1581 * attempt, we simply update pending_sec_level and auth_type fields 1582 * and return the object found. 1583 */ 1584 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type); 1585 if (conn) { 1586 if (conn->pending_sec_level < sec_level) 1587 conn->pending_sec_level = sec_level; 1588 goto done; 1589 } 1590 1591 BT_DBG("requesting refresh of dst_addr"); 1592 1593 conn = hci_conn_add(hdev, LE_LINK, dst, HCI_ROLE_MASTER); 1594 if (!conn) 1595 return ERR_PTR(-ENOMEM); 1596 1597 if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) { 1598 hci_conn_del(conn); 1599 return ERR_PTR(-EBUSY); 1600 } 1601 1602 conn->state = BT_CONNECT; 1603 set_bit(HCI_CONN_SCANNING, &conn->flags); 1604 conn->dst_type = dst_type; 1605 conn->sec_level = BT_SECURITY_LOW; 1606 conn->pending_sec_level = sec_level; 1607 conn->conn_timeout = conn_timeout; 1608 conn->conn_reason = conn_reason; 1609 1610 hci_update_passive_scan(hdev); 1611 1612 done: 1613 hci_conn_hold(conn); 1614 return conn; 1615 } 1616 1617 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst, 1618 u8 sec_level, u8 auth_type, 1619 enum conn_reasons conn_reason) 1620 { 1621 struct hci_conn *acl; 1622 1623 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) { 1624 if (lmp_bredr_capable(hdev)) 1625 return ERR_PTR(-ECONNREFUSED); 1626 1627 return ERR_PTR(-EOPNOTSUPP); 1628 } 1629 1630 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst); 1631 if (!acl) { 1632 acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER); 1633 if (!acl) 1634 return ERR_PTR(-ENOMEM); 1635 } 1636 1637 hci_conn_hold(acl); 1638 1639 acl->conn_reason = conn_reason; 1640 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) { 1641 acl->sec_level = BT_SECURITY_LOW; 1642 acl->pending_sec_level = sec_level; 1643 acl->auth_type = auth_type; 1644 hci_acl_create_connection(acl); 1645 } 1646 1647 return acl; 1648 } 1649 1650 static struct hci_link *hci_conn_link(struct hci_conn *parent, 1651 struct hci_conn *conn) 1652 { 1653 struct hci_dev *hdev = parent->hdev; 1654 struct hci_link *link; 1655 1656 bt_dev_dbg(hdev, "parent %p hcon %p", parent, conn); 1657 1658 if (conn->link) 1659 return conn->link; 1660 1661 if (conn->parent) 1662 return NULL; 1663 1664 link = kzalloc(sizeof(*link), GFP_KERNEL); 1665 if (!link) 1666 return NULL; 1667 1668 link->conn = hci_conn_hold(conn); 1669 conn->link = link; 1670 conn->parent = hci_conn_get(parent); 1671 1672 /* Use list_add_tail_rcu append to the list */ 1673 list_add_tail_rcu(&link->list, &parent->link_list); 1674 1675 return link; 1676 } 1677 1678 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst, 1679 __u16 setting, struct bt_codec *codec) 1680 { 1681 struct hci_conn *acl; 1682 struct hci_conn *sco; 1683 struct hci_link *link; 1684 1685 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING, 1686 CONN_REASON_SCO_CONNECT); 1687 if (IS_ERR(acl)) 1688 return acl; 1689 1690 sco = hci_conn_hash_lookup_ba(hdev, type, dst); 1691 if (!sco) { 1692 sco = hci_conn_add(hdev, type, dst, HCI_ROLE_MASTER); 1693 if (!sco) { 1694 hci_conn_drop(acl); 1695 return ERR_PTR(-ENOMEM); 1696 } 1697 } 1698 1699 link = hci_conn_link(acl, sco); 1700 if (!link) { 1701 hci_conn_drop(acl); 1702 hci_conn_drop(sco); 1703 return ERR_PTR(-ENOLINK); 1704 } 1705 1706 sco->setting = setting; 1707 sco->codec = *codec; 1708 1709 if (acl->state == BT_CONNECTED && 1710 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) { 1711 set_bit(HCI_CONN_POWER_SAVE, &acl->flags); 1712 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON); 1713 1714 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) { 1715 /* defer SCO setup until mode change completed */ 1716 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags); 1717 return sco; 1718 } 1719 1720 hci_sco_setup(acl, 0x00); 1721 } 1722 1723 return sco; 1724 } 1725 1726 static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos) 1727 { 1728 struct hci_dev *hdev = conn->hdev; 1729 struct hci_cp_le_create_big cp; 1730 struct iso_list_data data; 1731 1732 memset(&cp, 0, sizeof(cp)); 1733 1734 data.big = qos->bcast.big; 1735 data.bis = qos->bcast.bis; 1736 data.count = 0; 1737 1738 /* Create a BIS for each bound connection */ 1739 hci_conn_hash_list_state(hdev, bis_list, ISO_LINK, 1740 BT_BOUND, &data); 1741 1742 cp.handle = qos->bcast.big; 1743 cp.adv_handle = qos->bcast.bis; 1744 cp.num_bis = data.count; 1745 hci_cpu_to_le24(qos->bcast.out.interval, cp.bis.sdu_interval); 1746 cp.bis.sdu = cpu_to_le16(qos->bcast.out.sdu); 1747 cp.bis.latency = cpu_to_le16(qos->bcast.out.latency); 1748 cp.bis.rtn = qos->bcast.out.rtn; 1749 cp.bis.phy = qos->bcast.out.phy; 1750 cp.bis.packing = qos->bcast.packing; 1751 cp.bis.framing = qos->bcast.framing; 1752 cp.bis.encryption = qos->bcast.encryption; 1753 memcpy(cp.bis.bcode, qos->bcast.bcode, sizeof(cp.bis.bcode)); 1754 1755 return hci_send_cmd(hdev, HCI_OP_LE_CREATE_BIG, sizeof(cp), &cp); 1756 } 1757 1758 static int set_cig_params_sync(struct hci_dev *hdev, void *data) 1759 { 1760 u8 cig_id = PTR_UINT(data); 1761 struct hci_conn *conn; 1762 struct bt_iso_qos *qos; 1763 struct iso_cig_params pdu; 1764 u8 cis_id; 1765 1766 conn = hci_conn_hash_lookup_cig(hdev, cig_id); 1767 if (!conn) 1768 return 0; 1769 1770 memset(&pdu, 0, sizeof(pdu)); 1771 1772 qos = &conn->iso_qos; 1773 pdu.cp.cig_id = cig_id; 1774 hci_cpu_to_le24(qos->ucast.out.interval, pdu.cp.c_interval); 1775 hci_cpu_to_le24(qos->ucast.in.interval, pdu.cp.p_interval); 1776 pdu.cp.sca = qos->ucast.sca; 1777 pdu.cp.packing = qos->ucast.packing; 1778 pdu.cp.framing = qos->ucast.framing; 1779 pdu.cp.c_latency = cpu_to_le16(qos->ucast.out.latency); 1780 pdu.cp.p_latency = cpu_to_le16(qos->ucast.in.latency); 1781 1782 /* Reprogram all CIS(s) with the same CIG, valid range are: 1783 * num_cis: 0x00 to 0x1F 1784 * cis_id: 0x00 to 0xEF 1785 */ 1786 for (cis_id = 0x00; cis_id < 0xf0 && 1787 pdu.cp.num_cis < ARRAY_SIZE(pdu.cis); cis_id++) { 1788 struct hci_cis_params *cis; 1789 1790 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, cig_id, cis_id); 1791 if (!conn) 1792 continue; 1793 1794 qos = &conn->iso_qos; 1795 1796 cis = &pdu.cis[pdu.cp.num_cis++]; 1797 cis->cis_id = cis_id; 1798 cis->c_sdu = cpu_to_le16(conn->iso_qos.ucast.out.sdu); 1799 cis->p_sdu = cpu_to_le16(conn->iso_qos.ucast.in.sdu); 1800 cis->c_phy = qos->ucast.out.phy ? qos->ucast.out.phy : 1801 qos->ucast.in.phy; 1802 cis->p_phy = qos->ucast.in.phy ? qos->ucast.in.phy : 1803 qos->ucast.out.phy; 1804 cis->c_rtn = qos->ucast.out.rtn; 1805 cis->p_rtn = qos->ucast.in.rtn; 1806 } 1807 1808 if (!pdu.cp.num_cis) 1809 return 0; 1810 1811 return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_CIG_PARAMS, 1812 sizeof(pdu.cp) + 1813 pdu.cp.num_cis * sizeof(pdu.cis[0]), &pdu, 1814 HCI_CMD_TIMEOUT); 1815 } 1816 1817 static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos) 1818 { 1819 struct hci_dev *hdev = conn->hdev; 1820 struct iso_list_data data; 1821 1822 memset(&data, 0, sizeof(data)); 1823 1824 /* Allocate first still reconfigurable CIG if not set */ 1825 if (qos->ucast.cig == BT_ISO_QOS_CIG_UNSET) { 1826 for (data.cig = 0x00; data.cig < 0xf0; data.cig++) { 1827 data.count = 0; 1828 1829 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, 1830 BT_CONNECT, &data); 1831 if (data.count) 1832 continue; 1833 1834 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, 1835 BT_CONNECTED, &data); 1836 if (!data.count) 1837 break; 1838 } 1839 1840 if (data.cig == 0xf0) 1841 return false; 1842 1843 /* Update CIG */ 1844 qos->ucast.cig = data.cig; 1845 } 1846 1847 if (qos->ucast.cis != BT_ISO_QOS_CIS_UNSET) { 1848 if (hci_conn_hash_lookup_cis(hdev, NULL, 0, qos->ucast.cig, 1849 qos->ucast.cis)) 1850 return false; 1851 goto done; 1852 } 1853 1854 /* Allocate first available CIS if not set */ 1855 for (data.cig = qos->ucast.cig, data.cis = 0x00; data.cis < 0xf0; 1856 data.cis++) { 1857 if (!hci_conn_hash_lookup_cis(hdev, NULL, 0, data.cig, 1858 data.cis)) { 1859 /* Update CIS */ 1860 qos->ucast.cis = data.cis; 1861 break; 1862 } 1863 } 1864 1865 if (qos->ucast.cis == BT_ISO_QOS_CIS_UNSET) 1866 return false; 1867 1868 done: 1869 if (hci_cmd_sync_queue(hdev, set_cig_params_sync, 1870 UINT_PTR(qos->ucast.cig), NULL) < 0) 1871 return false; 1872 1873 return true; 1874 } 1875 1876 struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst, 1877 __u8 dst_type, struct bt_iso_qos *qos) 1878 { 1879 struct hci_conn *cis; 1880 1881 cis = hci_conn_hash_lookup_cis(hdev, dst, dst_type, qos->ucast.cig, 1882 qos->ucast.cis); 1883 if (!cis) { 1884 cis = hci_conn_add(hdev, ISO_LINK, dst, HCI_ROLE_MASTER); 1885 if (!cis) 1886 return ERR_PTR(-ENOMEM); 1887 cis->cleanup = cis_cleanup; 1888 cis->dst_type = dst_type; 1889 cis->iso_qos.ucast.cig = BT_ISO_QOS_CIG_UNSET; 1890 cis->iso_qos.ucast.cis = BT_ISO_QOS_CIS_UNSET; 1891 } 1892 1893 if (cis->state == BT_CONNECTED) 1894 return cis; 1895 1896 /* Check if CIS has been set and the settings matches */ 1897 if (cis->state == BT_BOUND && 1898 !memcmp(&cis->iso_qos, qos, sizeof(*qos))) 1899 return cis; 1900 1901 /* Update LINK PHYs according to QoS preference */ 1902 cis->le_tx_phy = qos->ucast.out.phy; 1903 cis->le_rx_phy = qos->ucast.in.phy; 1904 1905 /* If output interval is not set use the input interval as it cannot be 1906 * 0x000000. 1907 */ 1908 if (!qos->ucast.out.interval) 1909 qos->ucast.out.interval = qos->ucast.in.interval; 1910 1911 /* If input interval is not set use the output interval as it cannot be 1912 * 0x000000. 1913 */ 1914 if (!qos->ucast.in.interval) 1915 qos->ucast.in.interval = qos->ucast.out.interval; 1916 1917 /* If output latency is not set use the input latency as it cannot be 1918 * 0x0000. 1919 */ 1920 if (!qos->ucast.out.latency) 1921 qos->ucast.out.latency = qos->ucast.in.latency; 1922 1923 /* If input latency is not set use the output latency as it cannot be 1924 * 0x0000. 1925 */ 1926 if (!qos->ucast.in.latency) 1927 qos->ucast.in.latency = qos->ucast.out.latency; 1928 1929 if (!hci_le_set_cig_params(cis, qos)) { 1930 hci_conn_drop(cis); 1931 return ERR_PTR(-EINVAL); 1932 } 1933 1934 hci_conn_hold(cis); 1935 1936 cis->iso_qos = *qos; 1937 cis->state = BT_BOUND; 1938 1939 return cis; 1940 } 1941 1942 bool hci_iso_setup_path(struct hci_conn *conn) 1943 { 1944 struct hci_dev *hdev = conn->hdev; 1945 struct hci_cp_le_setup_iso_path cmd; 1946 1947 memset(&cmd, 0, sizeof(cmd)); 1948 1949 if (conn->iso_qos.ucast.out.sdu) { 1950 cmd.handle = cpu_to_le16(conn->handle); 1951 cmd.direction = 0x00; /* Input (Host to Controller) */ 1952 cmd.path = 0x00; /* HCI path if enabled */ 1953 cmd.codec = 0x03; /* Transparent Data */ 1954 1955 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd), 1956 &cmd) < 0) 1957 return false; 1958 } 1959 1960 if (conn->iso_qos.ucast.in.sdu) { 1961 cmd.handle = cpu_to_le16(conn->handle); 1962 cmd.direction = 0x01; /* Output (Controller to Host) */ 1963 cmd.path = 0x00; /* HCI path if enabled */ 1964 cmd.codec = 0x03; /* Transparent Data */ 1965 1966 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd), 1967 &cmd) < 0) 1968 return false; 1969 } 1970 1971 return true; 1972 } 1973 1974 int hci_conn_check_create_cis(struct hci_conn *conn) 1975 { 1976 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY)) 1977 return -EINVAL; 1978 1979 if (!conn->parent || conn->parent->state != BT_CONNECTED || 1980 conn->state != BT_CONNECT || HCI_CONN_HANDLE_UNSET(conn->handle)) 1981 return 1; 1982 1983 return 0; 1984 } 1985 1986 static int hci_create_cis_sync(struct hci_dev *hdev, void *data) 1987 { 1988 return hci_le_create_cis_sync(hdev); 1989 } 1990 1991 int hci_le_create_cis_pending(struct hci_dev *hdev) 1992 { 1993 struct hci_conn *conn; 1994 bool pending = false; 1995 1996 rcu_read_lock(); 1997 1998 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) { 1999 if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) { 2000 rcu_read_unlock(); 2001 return -EBUSY; 2002 } 2003 2004 if (!hci_conn_check_create_cis(conn)) 2005 pending = true; 2006 } 2007 2008 rcu_read_unlock(); 2009 2010 if (!pending) 2011 return 0; 2012 2013 /* Queue Create CIS */ 2014 return hci_cmd_sync_queue(hdev, hci_create_cis_sync, NULL, NULL); 2015 } 2016 2017 static void hci_iso_qos_setup(struct hci_dev *hdev, struct hci_conn *conn, 2018 struct bt_iso_io_qos *qos, __u8 phy) 2019 { 2020 /* Only set MTU if PHY is enabled */ 2021 if (!qos->sdu && qos->phy) { 2022 if (hdev->iso_mtu > 0) 2023 qos->sdu = hdev->iso_mtu; 2024 else if (hdev->le_mtu > 0) 2025 qos->sdu = hdev->le_mtu; 2026 else 2027 qos->sdu = hdev->acl_mtu; 2028 } 2029 2030 /* Use the same PHY as ACL if set to any */ 2031 if (qos->phy == BT_ISO_PHY_ANY) 2032 qos->phy = phy; 2033 2034 /* Use LE ACL connection interval if not set */ 2035 if (!qos->interval) 2036 /* ACL interval unit in 1.25 ms to us */ 2037 qos->interval = conn->le_conn_interval * 1250; 2038 2039 /* Use LE ACL connection latency if not set */ 2040 if (!qos->latency) 2041 qos->latency = conn->le_conn_latency; 2042 } 2043 2044 static int create_big_sync(struct hci_dev *hdev, void *data) 2045 { 2046 struct hci_conn *conn = data; 2047 struct bt_iso_qos *qos = &conn->iso_qos; 2048 u16 interval, sync_interval = 0; 2049 u32 flags = 0; 2050 int err; 2051 2052 if (qos->bcast.out.phy == 0x02) 2053 flags |= MGMT_ADV_FLAG_SEC_2M; 2054 2055 /* Align intervals */ 2056 interval = (qos->bcast.out.interval / 1250) * qos->bcast.sync_factor; 2057 2058 if (qos->bcast.bis) 2059 sync_interval = interval * 4; 2060 2061 err = hci_start_per_adv_sync(hdev, qos->bcast.bis, conn->le_per_adv_data_len, 2062 conn->le_per_adv_data, flags, interval, 2063 interval, sync_interval); 2064 if (err) 2065 return err; 2066 2067 return hci_le_create_big(conn, &conn->iso_qos); 2068 } 2069 2070 static void create_pa_complete(struct hci_dev *hdev, void *data, int err) 2071 { 2072 struct hci_cp_le_pa_create_sync *cp = data; 2073 2074 bt_dev_dbg(hdev, ""); 2075 2076 if (err) 2077 bt_dev_err(hdev, "Unable to create PA: %d", err); 2078 2079 kfree(cp); 2080 } 2081 2082 static int create_pa_sync(struct hci_dev *hdev, void *data) 2083 { 2084 struct hci_cp_le_pa_create_sync *cp = data; 2085 int err; 2086 2087 err = __hci_cmd_sync_status(hdev, HCI_OP_LE_PA_CREATE_SYNC, 2088 sizeof(*cp), cp, HCI_CMD_TIMEOUT); 2089 if (err) { 2090 hci_dev_clear_flag(hdev, HCI_PA_SYNC); 2091 return err; 2092 } 2093 2094 return hci_update_passive_scan_sync(hdev); 2095 } 2096 2097 int hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst, __u8 dst_type, 2098 __u8 sid, struct bt_iso_qos *qos) 2099 { 2100 struct hci_cp_le_pa_create_sync *cp; 2101 2102 if (hci_dev_test_and_set_flag(hdev, HCI_PA_SYNC)) 2103 return -EBUSY; 2104 2105 cp = kzalloc(sizeof(*cp), GFP_KERNEL); 2106 if (!cp) { 2107 hci_dev_clear_flag(hdev, HCI_PA_SYNC); 2108 return -ENOMEM; 2109 } 2110 2111 cp->options = qos->bcast.options; 2112 cp->sid = sid; 2113 cp->addr_type = dst_type; 2114 bacpy(&cp->addr, dst); 2115 cp->skip = cpu_to_le16(qos->bcast.skip); 2116 cp->sync_timeout = cpu_to_le16(qos->bcast.sync_timeout); 2117 cp->sync_cte_type = qos->bcast.sync_cte_type; 2118 2119 /* Queue start pa_create_sync and scan */ 2120 return hci_cmd_sync_queue(hdev, create_pa_sync, cp, create_pa_complete); 2121 } 2122 2123 int hci_le_big_create_sync(struct hci_dev *hdev, struct hci_conn *hcon, 2124 struct bt_iso_qos *qos, 2125 __u16 sync_handle, __u8 num_bis, __u8 bis[]) 2126 { 2127 struct _packed { 2128 struct hci_cp_le_big_create_sync cp; 2129 __u8 bis[0x11]; 2130 } pdu; 2131 int err; 2132 2133 if (num_bis > sizeof(pdu.bis)) 2134 return -EINVAL; 2135 2136 err = qos_set_big(hdev, qos); 2137 if (err) 2138 return err; 2139 2140 if (hcon) 2141 hcon->iso_qos.bcast.big = qos->bcast.big; 2142 2143 memset(&pdu, 0, sizeof(pdu)); 2144 pdu.cp.handle = qos->bcast.big; 2145 pdu.cp.sync_handle = cpu_to_le16(sync_handle); 2146 pdu.cp.encryption = qos->bcast.encryption; 2147 memcpy(pdu.cp.bcode, qos->bcast.bcode, sizeof(pdu.cp.bcode)); 2148 pdu.cp.mse = qos->bcast.mse; 2149 pdu.cp.timeout = cpu_to_le16(qos->bcast.timeout); 2150 pdu.cp.num_bis = num_bis; 2151 memcpy(pdu.bis, bis, num_bis); 2152 2153 return hci_send_cmd(hdev, HCI_OP_LE_BIG_CREATE_SYNC, 2154 sizeof(pdu.cp) + num_bis, &pdu); 2155 } 2156 2157 static void create_big_complete(struct hci_dev *hdev, void *data, int err) 2158 { 2159 struct hci_conn *conn = data; 2160 2161 bt_dev_dbg(hdev, "conn %p", conn); 2162 2163 if (err) { 2164 bt_dev_err(hdev, "Unable to create BIG: %d", err); 2165 hci_connect_cfm(conn, err); 2166 hci_conn_del(conn); 2167 } 2168 } 2169 2170 struct hci_conn *hci_bind_bis(struct hci_dev *hdev, bdaddr_t *dst, 2171 struct bt_iso_qos *qos, 2172 __u8 base_len, __u8 *base) 2173 { 2174 struct hci_conn *conn; 2175 __u8 eir[HCI_MAX_PER_AD_LENGTH]; 2176 2177 if (base_len && base) 2178 base_len = eir_append_service_data(eir, 0, 0x1851, 2179 base, base_len); 2180 2181 /* We need hci_conn object using the BDADDR_ANY as dst */ 2182 conn = hci_add_bis(hdev, dst, qos, base_len, eir); 2183 if (IS_ERR(conn)) 2184 return conn; 2185 2186 /* Update LINK PHYs according to QoS preference */ 2187 conn->le_tx_phy = qos->bcast.out.phy; 2188 conn->le_tx_phy = qos->bcast.out.phy; 2189 2190 /* Add Basic Announcement into Peridic Adv Data if BASE is set */ 2191 if (base_len && base) { 2192 memcpy(conn->le_per_adv_data, eir, sizeof(eir)); 2193 conn->le_per_adv_data_len = base_len; 2194 } 2195 2196 hci_iso_qos_setup(hdev, conn, &qos->bcast.out, 2197 conn->le_tx_phy ? conn->le_tx_phy : 2198 hdev->le_tx_def_phys); 2199 2200 conn->iso_qos = *qos; 2201 conn->state = BT_BOUND; 2202 2203 return conn; 2204 } 2205 2206 static void bis_mark_per_adv(struct hci_conn *conn, void *data) 2207 { 2208 struct iso_list_data *d = data; 2209 2210 /* Skip if not broadcast/ANY address */ 2211 if (bacmp(&conn->dst, BDADDR_ANY)) 2212 return; 2213 2214 if (d->big != conn->iso_qos.bcast.big || 2215 d->bis == BT_ISO_QOS_BIS_UNSET || 2216 d->bis != conn->iso_qos.bcast.bis) 2217 return; 2218 2219 set_bit(HCI_CONN_PER_ADV, &conn->flags); 2220 } 2221 2222 struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst, 2223 __u8 dst_type, struct bt_iso_qos *qos, 2224 __u8 base_len, __u8 *base) 2225 { 2226 struct hci_conn *conn; 2227 int err; 2228 struct iso_list_data data; 2229 2230 conn = hci_bind_bis(hdev, dst, qos, base_len, base); 2231 if (IS_ERR(conn)) 2232 return conn; 2233 2234 data.big = qos->bcast.big; 2235 data.bis = qos->bcast.bis; 2236 2237 /* Set HCI_CONN_PER_ADV for all bound connections, to mark that 2238 * the start periodic advertising and create BIG commands have 2239 * been queued 2240 */ 2241 hci_conn_hash_list_state(hdev, bis_mark_per_adv, ISO_LINK, 2242 BT_BOUND, &data); 2243 2244 /* Queue start periodic advertising and create BIG */ 2245 err = hci_cmd_sync_queue(hdev, create_big_sync, conn, 2246 create_big_complete); 2247 if (err < 0) { 2248 hci_conn_drop(conn); 2249 return ERR_PTR(err); 2250 } 2251 2252 return conn; 2253 } 2254 2255 struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst, 2256 __u8 dst_type, struct bt_iso_qos *qos) 2257 { 2258 struct hci_conn *le; 2259 struct hci_conn *cis; 2260 struct hci_link *link; 2261 2262 if (hci_dev_test_flag(hdev, HCI_ADVERTISING)) 2263 le = hci_connect_le(hdev, dst, dst_type, false, 2264 BT_SECURITY_LOW, 2265 HCI_LE_CONN_TIMEOUT, 2266 HCI_ROLE_SLAVE); 2267 else 2268 le = hci_connect_le_scan(hdev, dst, dst_type, 2269 BT_SECURITY_LOW, 2270 HCI_LE_CONN_TIMEOUT, 2271 CONN_REASON_ISO_CONNECT); 2272 if (IS_ERR(le)) 2273 return le; 2274 2275 hci_iso_qos_setup(hdev, le, &qos->ucast.out, 2276 le->le_tx_phy ? le->le_tx_phy : hdev->le_tx_def_phys); 2277 hci_iso_qos_setup(hdev, le, &qos->ucast.in, 2278 le->le_rx_phy ? le->le_rx_phy : hdev->le_rx_def_phys); 2279 2280 cis = hci_bind_cis(hdev, dst, dst_type, qos); 2281 if (IS_ERR(cis)) { 2282 hci_conn_drop(le); 2283 return cis; 2284 } 2285 2286 link = hci_conn_link(le, cis); 2287 if (!link) { 2288 hci_conn_drop(le); 2289 hci_conn_drop(cis); 2290 return ERR_PTR(-ENOLINK); 2291 } 2292 2293 /* Link takes the refcount */ 2294 hci_conn_drop(cis); 2295 2296 cis->state = BT_CONNECT; 2297 2298 hci_le_create_cis_pending(hdev); 2299 2300 return cis; 2301 } 2302 2303 /* Check link security requirement */ 2304 int hci_conn_check_link_mode(struct hci_conn *conn) 2305 { 2306 BT_DBG("hcon %p", conn); 2307 2308 /* In Secure Connections Only mode, it is required that Secure 2309 * Connections is used and the link is encrypted with AES-CCM 2310 * using a P-256 authenticated combination key. 2311 */ 2312 if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) { 2313 if (!hci_conn_sc_enabled(conn) || 2314 !test_bit(HCI_CONN_AES_CCM, &conn->flags) || 2315 conn->key_type != HCI_LK_AUTH_COMBINATION_P256) 2316 return 0; 2317 } 2318 2319 /* AES encryption is required for Level 4: 2320 * 2321 * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C 2322 * page 1319: 2323 * 2324 * 128-bit equivalent strength for link and encryption keys 2325 * required using FIPS approved algorithms (E0 not allowed, 2326 * SAFER+ not allowed, and P-192 not allowed; encryption key 2327 * not shortened) 2328 */ 2329 if (conn->sec_level == BT_SECURITY_FIPS && 2330 !test_bit(HCI_CONN_AES_CCM, &conn->flags)) { 2331 bt_dev_err(conn->hdev, 2332 "Invalid security: Missing AES-CCM usage"); 2333 return 0; 2334 } 2335 2336 if (hci_conn_ssp_enabled(conn) && 2337 !test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2338 return 0; 2339 2340 return 1; 2341 } 2342 2343 /* Authenticate remote device */ 2344 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type) 2345 { 2346 BT_DBG("hcon %p", conn); 2347 2348 if (conn->pending_sec_level > sec_level) 2349 sec_level = conn->pending_sec_level; 2350 2351 if (sec_level > conn->sec_level) 2352 conn->pending_sec_level = sec_level; 2353 else if (test_bit(HCI_CONN_AUTH, &conn->flags)) 2354 return 1; 2355 2356 /* Make sure we preserve an existing MITM requirement*/ 2357 auth_type |= (conn->auth_type & 0x01); 2358 2359 conn->auth_type = auth_type; 2360 2361 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2362 struct hci_cp_auth_requested cp; 2363 2364 cp.handle = cpu_to_le16(conn->handle); 2365 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED, 2366 sizeof(cp), &cp); 2367 2368 /* If we're already encrypted set the REAUTH_PEND flag, 2369 * otherwise set the ENCRYPT_PEND. 2370 */ 2371 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2372 set_bit(HCI_CONN_REAUTH_PEND, &conn->flags); 2373 else 2374 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2375 } 2376 2377 return 0; 2378 } 2379 2380 /* Encrypt the link */ 2381 static void hci_conn_encrypt(struct hci_conn *conn) 2382 { 2383 BT_DBG("hcon %p", conn); 2384 2385 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 2386 struct hci_cp_set_conn_encrypt cp; 2387 cp.handle = cpu_to_le16(conn->handle); 2388 cp.encrypt = 0x01; 2389 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2390 &cp); 2391 } 2392 } 2393 2394 /* Enable security */ 2395 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type, 2396 bool initiator) 2397 { 2398 BT_DBG("hcon %p", conn); 2399 2400 if (conn->type == LE_LINK) 2401 return smp_conn_security(conn, sec_level); 2402 2403 /* For sdp we don't need the link key. */ 2404 if (sec_level == BT_SECURITY_SDP) 2405 return 1; 2406 2407 /* For non 2.1 devices and low security level we don't need the link 2408 key. */ 2409 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn)) 2410 return 1; 2411 2412 /* For other security levels we need the link key. */ 2413 if (!test_bit(HCI_CONN_AUTH, &conn->flags)) 2414 goto auth; 2415 2416 /* An authenticated FIPS approved combination key has sufficient 2417 * security for security level 4. */ 2418 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 && 2419 sec_level == BT_SECURITY_FIPS) 2420 goto encrypt; 2421 2422 /* An authenticated combination key has sufficient security for 2423 security level 3. */ 2424 if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 || 2425 conn->key_type == HCI_LK_AUTH_COMBINATION_P256) && 2426 sec_level == BT_SECURITY_HIGH) 2427 goto encrypt; 2428 2429 /* An unauthenticated combination key has sufficient security for 2430 security level 1 and 2. */ 2431 if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 || 2432 conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) && 2433 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW)) 2434 goto encrypt; 2435 2436 /* A combination key has always sufficient security for the security 2437 levels 1 or 2. High security level requires the combination key 2438 is generated using maximum PIN code length (16). 2439 For pre 2.1 units. */ 2440 if (conn->key_type == HCI_LK_COMBINATION && 2441 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW || 2442 conn->pin_length == 16)) 2443 goto encrypt; 2444 2445 auth: 2446 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) 2447 return 0; 2448 2449 if (initiator) 2450 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2451 2452 if (!hci_conn_auth(conn, sec_level, auth_type)) 2453 return 0; 2454 2455 encrypt: 2456 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) { 2457 /* Ensure that the encryption key size has been read, 2458 * otherwise stall the upper layer responses. 2459 */ 2460 if (!conn->enc_key_size) 2461 return 0; 2462 2463 /* Nothing else needed, all requirements are met */ 2464 return 1; 2465 } 2466 2467 hci_conn_encrypt(conn); 2468 return 0; 2469 } 2470 EXPORT_SYMBOL(hci_conn_security); 2471 2472 /* Check secure link requirement */ 2473 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level) 2474 { 2475 BT_DBG("hcon %p", conn); 2476 2477 /* Accept if non-secure or higher security level is required */ 2478 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS) 2479 return 1; 2480 2481 /* Accept if secure or higher security level is already present */ 2482 if (conn->sec_level == BT_SECURITY_HIGH || 2483 conn->sec_level == BT_SECURITY_FIPS) 2484 return 1; 2485 2486 /* Reject not secure link */ 2487 return 0; 2488 } 2489 EXPORT_SYMBOL(hci_conn_check_secure); 2490 2491 /* Switch role */ 2492 int hci_conn_switch_role(struct hci_conn *conn, __u8 role) 2493 { 2494 BT_DBG("hcon %p", conn); 2495 2496 if (role == conn->role) 2497 return 1; 2498 2499 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) { 2500 struct hci_cp_switch_role cp; 2501 bacpy(&cp.bdaddr, &conn->dst); 2502 cp.role = role; 2503 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp); 2504 } 2505 2506 return 0; 2507 } 2508 EXPORT_SYMBOL(hci_conn_switch_role); 2509 2510 /* Enter active mode */ 2511 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active) 2512 { 2513 struct hci_dev *hdev = conn->hdev; 2514 2515 BT_DBG("hcon %p mode %d", conn, conn->mode); 2516 2517 if (conn->mode != HCI_CM_SNIFF) 2518 goto timer; 2519 2520 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active) 2521 goto timer; 2522 2523 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) { 2524 struct hci_cp_exit_sniff_mode cp; 2525 cp.handle = cpu_to_le16(conn->handle); 2526 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp); 2527 } 2528 2529 timer: 2530 if (hdev->idle_timeout > 0) 2531 queue_delayed_work(hdev->workqueue, &conn->idle_work, 2532 msecs_to_jiffies(hdev->idle_timeout)); 2533 } 2534 2535 /* Drop all connection on the device */ 2536 void hci_conn_hash_flush(struct hci_dev *hdev) 2537 { 2538 struct list_head *head = &hdev->conn_hash.list; 2539 struct hci_conn *conn; 2540 2541 BT_DBG("hdev %s", hdev->name); 2542 2543 /* We should not traverse the list here, because hci_conn_del 2544 * can remove extra links, which may cause the list traversal 2545 * to hit items that have already been released. 2546 */ 2547 while ((conn = list_first_entry_or_null(head, 2548 struct hci_conn, 2549 list)) != NULL) { 2550 conn->state = BT_CLOSED; 2551 hci_disconn_cfm(conn, HCI_ERROR_LOCAL_HOST_TERM); 2552 hci_conn_del(conn); 2553 } 2554 } 2555 2556 /* Check pending connect attempts */ 2557 void hci_conn_check_pending(struct hci_dev *hdev) 2558 { 2559 struct hci_conn *conn; 2560 2561 BT_DBG("hdev %s", hdev->name); 2562 2563 hci_dev_lock(hdev); 2564 2565 conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2); 2566 if (conn) 2567 hci_acl_create_connection(conn); 2568 2569 hci_dev_unlock(hdev); 2570 } 2571 2572 static u32 get_link_mode(struct hci_conn *conn) 2573 { 2574 u32 link_mode = 0; 2575 2576 if (conn->role == HCI_ROLE_MASTER) 2577 link_mode |= HCI_LM_MASTER; 2578 2579 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2580 link_mode |= HCI_LM_ENCRYPT; 2581 2582 if (test_bit(HCI_CONN_AUTH, &conn->flags)) 2583 link_mode |= HCI_LM_AUTH; 2584 2585 if (test_bit(HCI_CONN_SECURE, &conn->flags)) 2586 link_mode |= HCI_LM_SECURE; 2587 2588 if (test_bit(HCI_CONN_FIPS, &conn->flags)) 2589 link_mode |= HCI_LM_FIPS; 2590 2591 return link_mode; 2592 } 2593 2594 int hci_get_conn_list(void __user *arg) 2595 { 2596 struct hci_conn *c; 2597 struct hci_conn_list_req req, *cl; 2598 struct hci_conn_info *ci; 2599 struct hci_dev *hdev; 2600 int n = 0, size, err; 2601 2602 if (copy_from_user(&req, arg, sizeof(req))) 2603 return -EFAULT; 2604 2605 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci)) 2606 return -EINVAL; 2607 2608 size = sizeof(req) + req.conn_num * sizeof(*ci); 2609 2610 cl = kmalloc(size, GFP_KERNEL); 2611 if (!cl) 2612 return -ENOMEM; 2613 2614 hdev = hci_dev_get(req.dev_id); 2615 if (!hdev) { 2616 kfree(cl); 2617 return -ENODEV; 2618 } 2619 2620 ci = cl->conn_info; 2621 2622 hci_dev_lock(hdev); 2623 list_for_each_entry(c, &hdev->conn_hash.list, list) { 2624 bacpy(&(ci + n)->bdaddr, &c->dst); 2625 (ci + n)->handle = c->handle; 2626 (ci + n)->type = c->type; 2627 (ci + n)->out = c->out; 2628 (ci + n)->state = c->state; 2629 (ci + n)->link_mode = get_link_mode(c); 2630 if (++n >= req.conn_num) 2631 break; 2632 } 2633 hci_dev_unlock(hdev); 2634 2635 cl->dev_id = hdev->id; 2636 cl->conn_num = n; 2637 size = sizeof(req) + n * sizeof(*ci); 2638 2639 hci_dev_put(hdev); 2640 2641 err = copy_to_user(arg, cl, size); 2642 kfree(cl); 2643 2644 return err ? -EFAULT : 0; 2645 } 2646 2647 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg) 2648 { 2649 struct hci_conn_info_req req; 2650 struct hci_conn_info ci; 2651 struct hci_conn *conn; 2652 char __user *ptr = arg + sizeof(req); 2653 2654 if (copy_from_user(&req, arg, sizeof(req))) 2655 return -EFAULT; 2656 2657 hci_dev_lock(hdev); 2658 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr); 2659 if (conn) { 2660 bacpy(&ci.bdaddr, &conn->dst); 2661 ci.handle = conn->handle; 2662 ci.type = conn->type; 2663 ci.out = conn->out; 2664 ci.state = conn->state; 2665 ci.link_mode = get_link_mode(conn); 2666 } 2667 hci_dev_unlock(hdev); 2668 2669 if (!conn) 2670 return -ENOENT; 2671 2672 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0; 2673 } 2674 2675 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg) 2676 { 2677 struct hci_auth_info_req req; 2678 struct hci_conn *conn; 2679 2680 if (copy_from_user(&req, arg, sizeof(req))) 2681 return -EFAULT; 2682 2683 hci_dev_lock(hdev); 2684 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr); 2685 if (conn) 2686 req.type = conn->auth_type; 2687 hci_dev_unlock(hdev); 2688 2689 if (!conn) 2690 return -ENOENT; 2691 2692 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0; 2693 } 2694 2695 struct hci_chan *hci_chan_create(struct hci_conn *conn) 2696 { 2697 struct hci_dev *hdev = conn->hdev; 2698 struct hci_chan *chan; 2699 2700 BT_DBG("%s hcon %p", hdev->name, conn); 2701 2702 if (test_bit(HCI_CONN_DROP, &conn->flags)) { 2703 BT_DBG("Refusing to create new hci_chan"); 2704 return NULL; 2705 } 2706 2707 chan = kzalloc(sizeof(*chan), GFP_KERNEL); 2708 if (!chan) 2709 return NULL; 2710 2711 chan->conn = hci_conn_get(conn); 2712 skb_queue_head_init(&chan->data_q); 2713 chan->state = BT_CONNECTED; 2714 2715 list_add_rcu(&chan->list, &conn->chan_list); 2716 2717 return chan; 2718 } 2719 2720 void hci_chan_del(struct hci_chan *chan) 2721 { 2722 struct hci_conn *conn = chan->conn; 2723 struct hci_dev *hdev = conn->hdev; 2724 2725 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan); 2726 2727 list_del_rcu(&chan->list); 2728 2729 synchronize_rcu(); 2730 2731 /* Prevent new hci_chan's to be created for this hci_conn */ 2732 set_bit(HCI_CONN_DROP, &conn->flags); 2733 2734 hci_conn_put(conn); 2735 2736 skb_queue_purge(&chan->data_q); 2737 kfree(chan); 2738 } 2739 2740 void hci_chan_list_flush(struct hci_conn *conn) 2741 { 2742 struct hci_chan *chan, *n; 2743 2744 BT_DBG("hcon %p", conn); 2745 2746 list_for_each_entry_safe(chan, n, &conn->chan_list, list) 2747 hci_chan_del(chan); 2748 } 2749 2750 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon, 2751 __u16 handle) 2752 { 2753 struct hci_chan *hchan; 2754 2755 list_for_each_entry(hchan, &hcon->chan_list, list) { 2756 if (hchan->handle == handle) 2757 return hchan; 2758 } 2759 2760 return NULL; 2761 } 2762 2763 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle) 2764 { 2765 struct hci_conn_hash *h = &hdev->conn_hash; 2766 struct hci_conn *hcon; 2767 struct hci_chan *hchan = NULL; 2768 2769 rcu_read_lock(); 2770 2771 list_for_each_entry_rcu(hcon, &h->list, list) { 2772 hchan = __hci_chan_lookup_handle(hcon, handle); 2773 if (hchan) 2774 break; 2775 } 2776 2777 rcu_read_unlock(); 2778 2779 return hchan; 2780 } 2781 2782 u32 hci_conn_get_phy(struct hci_conn *conn) 2783 { 2784 u32 phys = 0; 2785 2786 /* BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part B page 471: 2787 * Table 6.2: Packets defined for synchronous, asynchronous, and 2788 * CPB logical transport types. 2789 */ 2790 switch (conn->type) { 2791 case SCO_LINK: 2792 /* SCO logical transport (1 Mb/s): 2793 * HV1, HV2, HV3 and DV. 2794 */ 2795 phys |= BT_PHY_BR_1M_1SLOT; 2796 2797 break; 2798 2799 case ACL_LINK: 2800 /* ACL logical transport (1 Mb/s) ptt=0: 2801 * DH1, DM3, DH3, DM5 and DH5. 2802 */ 2803 phys |= BT_PHY_BR_1M_1SLOT; 2804 2805 if (conn->pkt_type & (HCI_DM3 | HCI_DH3)) 2806 phys |= BT_PHY_BR_1M_3SLOT; 2807 2808 if (conn->pkt_type & (HCI_DM5 | HCI_DH5)) 2809 phys |= BT_PHY_BR_1M_5SLOT; 2810 2811 /* ACL logical transport (2 Mb/s) ptt=1: 2812 * 2-DH1, 2-DH3 and 2-DH5. 2813 */ 2814 if (!(conn->pkt_type & HCI_2DH1)) 2815 phys |= BT_PHY_EDR_2M_1SLOT; 2816 2817 if (!(conn->pkt_type & HCI_2DH3)) 2818 phys |= BT_PHY_EDR_2M_3SLOT; 2819 2820 if (!(conn->pkt_type & HCI_2DH5)) 2821 phys |= BT_PHY_EDR_2M_5SLOT; 2822 2823 /* ACL logical transport (3 Mb/s) ptt=1: 2824 * 3-DH1, 3-DH3 and 3-DH5. 2825 */ 2826 if (!(conn->pkt_type & HCI_3DH1)) 2827 phys |= BT_PHY_EDR_3M_1SLOT; 2828 2829 if (!(conn->pkt_type & HCI_3DH3)) 2830 phys |= BT_PHY_EDR_3M_3SLOT; 2831 2832 if (!(conn->pkt_type & HCI_3DH5)) 2833 phys |= BT_PHY_EDR_3M_5SLOT; 2834 2835 break; 2836 2837 case ESCO_LINK: 2838 /* eSCO logical transport (1 Mb/s): EV3, EV4 and EV5 */ 2839 phys |= BT_PHY_BR_1M_1SLOT; 2840 2841 if (!(conn->pkt_type & (ESCO_EV4 | ESCO_EV5))) 2842 phys |= BT_PHY_BR_1M_3SLOT; 2843 2844 /* eSCO logical transport (2 Mb/s): 2-EV3, 2-EV5 */ 2845 if (!(conn->pkt_type & ESCO_2EV3)) 2846 phys |= BT_PHY_EDR_2M_1SLOT; 2847 2848 if (!(conn->pkt_type & ESCO_2EV5)) 2849 phys |= BT_PHY_EDR_2M_3SLOT; 2850 2851 /* eSCO logical transport (3 Mb/s): 3-EV3, 3-EV5 */ 2852 if (!(conn->pkt_type & ESCO_3EV3)) 2853 phys |= BT_PHY_EDR_3M_1SLOT; 2854 2855 if (!(conn->pkt_type & ESCO_3EV5)) 2856 phys |= BT_PHY_EDR_3M_3SLOT; 2857 2858 break; 2859 2860 case LE_LINK: 2861 if (conn->le_tx_phy & HCI_LE_SET_PHY_1M) 2862 phys |= BT_PHY_LE_1M_TX; 2863 2864 if (conn->le_rx_phy & HCI_LE_SET_PHY_1M) 2865 phys |= BT_PHY_LE_1M_RX; 2866 2867 if (conn->le_tx_phy & HCI_LE_SET_PHY_2M) 2868 phys |= BT_PHY_LE_2M_TX; 2869 2870 if (conn->le_rx_phy & HCI_LE_SET_PHY_2M) 2871 phys |= BT_PHY_LE_2M_RX; 2872 2873 if (conn->le_tx_phy & HCI_LE_SET_PHY_CODED) 2874 phys |= BT_PHY_LE_CODED_TX; 2875 2876 if (conn->le_rx_phy & HCI_LE_SET_PHY_CODED) 2877 phys |= BT_PHY_LE_CODED_RX; 2878 2879 break; 2880 } 2881 2882 return phys; 2883 } 2884 2885 static int abort_conn_sync(struct hci_dev *hdev, void *data) 2886 { 2887 struct hci_conn *conn; 2888 u16 handle = PTR_UINT(data); 2889 2890 conn = hci_conn_hash_lookup_handle(hdev, handle); 2891 if (!conn) 2892 return 0; 2893 2894 return hci_abort_conn_sync(hdev, conn, conn->abort_reason); 2895 } 2896 2897 int hci_abort_conn(struct hci_conn *conn, u8 reason) 2898 { 2899 struct hci_dev *hdev = conn->hdev; 2900 2901 /* If abort_reason has already been set it means the connection is 2902 * already being aborted so don't attempt to overwrite it. 2903 */ 2904 if (conn->abort_reason) 2905 return 0; 2906 2907 bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason); 2908 2909 conn->abort_reason = reason; 2910 2911 /* If the connection is pending check the command opcode since that 2912 * might be blocking on hci_cmd_sync_work while waiting its respective 2913 * event so we need to hci_cmd_sync_cancel to cancel it. 2914 * 2915 * hci_connect_le serializes the connection attempts so only one 2916 * connection can be in BT_CONNECT at time. 2917 */ 2918 if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) { 2919 switch (hci_skb_event(hdev->sent_cmd)) { 2920 case HCI_EV_LE_CONN_COMPLETE: 2921 case HCI_EV_LE_ENHANCED_CONN_COMPLETE: 2922 case HCI_EVT_LE_CIS_ESTABLISHED: 2923 hci_cmd_sync_cancel(hdev, -ECANCELED); 2924 break; 2925 } 2926 } 2927 2928 return hci_cmd_sync_queue(hdev, abort_conn_sync, UINT_PTR(conn->handle), 2929 NULL); 2930 } 2931