1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 Copyright 2023 NXP 5 6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 7 8 This program is free software; you can redistribute it and/or modify 9 it under the terms of the GNU General Public License version 2 as 10 published by the Free Software Foundation; 11 12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 23 SOFTWARE IS DISCLAIMED. 24 */ 25 26 /* Bluetooth HCI connection handling. */ 27 28 #include <linux/export.h> 29 #include <linux/debugfs.h> 30 31 #include <net/bluetooth/bluetooth.h> 32 #include <net/bluetooth/hci_core.h> 33 #include <net/bluetooth/l2cap.h> 34 #include <net/bluetooth/iso.h> 35 #include <net/bluetooth/mgmt.h> 36 37 #include "hci_request.h" 38 #include "smp.h" 39 #include "a2mp.h" 40 #include "eir.h" 41 42 struct sco_param { 43 u16 pkt_type; 44 u16 max_latency; 45 u8 retrans_effort; 46 }; 47 48 struct conn_handle_t { 49 struct hci_conn *conn; 50 __u16 handle; 51 }; 52 53 static const struct sco_param esco_param_cvsd[] = { 54 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */ 55 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */ 56 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */ 57 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */ 58 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */ 59 }; 60 61 static const struct sco_param sco_param_cvsd[] = { 62 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */ 63 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */ 64 }; 65 66 static const struct sco_param esco_param_msbc[] = { 67 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */ 68 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */ 69 }; 70 71 /* This function requires the caller holds hdev->lock */ 72 static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status) 73 { 74 struct hci_conn_params *params; 75 struct hci_dev *hdev = conn->hdev; 76 struct smp_irk *irk; 77 bdaddr_t *bdaddr; 78 u8 bdaddr_type; 79 80 bdaddr = &conn->dst; 81 bdaddr_type = conn->dst_type; 82 83 /* Check if we need to convert to identity address */ 84 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 85 if (irk) { 86 bdaddr = &irk->bdaddr; 87 bdaddr_type = irk->addr_type; 88 } 89 90 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr, 91 bdaddr_type); 92 if (!params) 93 return; 94 95 if (params->conn) { 96 hci_conn_drop(params->conn); 97 hci_conn_put(params->conn); 98 params->conn = NULL; 99 } 100 101 if (!params->explicit_connect) 102 return; 103 104 /* If the status indicates successful cancellation of 105 * the attempt (i.e. Unknown Connection Id) there's no point of 106 * notifying failure since we'll go back to keep trying to 107 * connect. The only exception is explicit connect requests 108 * where a timeout + cancel does indicate an actual failure. 109 */ 110 if (status && status != HCI_ERROR_UNKNOWN_CONN_ID) 111 mgmt_connect_failed(hdev, &conn->dst, conn->type, 112 conn->dst_type, status); 113 114 /* The connection attempt was doing scan for new RPA, and is 115 * in scan phase. If params are not associated with any other 116 * autoconnect action, remove them completely. If they are, just unmark 117 * them as waiting for connection, by clearing explicit_connect field. 118 */ 119 params->explicit_connect = false; 120 121 list_del_init(¶ms->action); 122 123 switch (params->auto_connect) { 124 case HCI_AUTO_CONN_EXPLICIT: 125 hci_conn_params_del(hdev, bdaddr, bdaddr_type); 126 /* return instead of break to avoid duplicate scan update */ 127 return; 128 case HCI_AUTO_CONN_DIRECT: 129 case HCI_AUTO_CONN_ALWAYS: 130 list_add(¶ms->action, &hdev->pend_le_conns); 131 break; 132 case HCI_AUTO_CONN_REPORT: 133 list_add(¶ms->action, &hdev->pend_le_reports); 134 break; 135 default: 136 break; 137 } 138 139 hci_update_passive_scan(hdev); 140 } 141 142 static void hci_conn_cleanup(struct hci_conn *conn) 143 { 144 struct hci_dev *hdev = conn->hdev; 145 146 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags)) 147 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type); 148 149 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 150 hci_remove_link_key(hdev, &conn->dst); 151 152 hci_chan_list_flush(conn); 153 154 hci_conn_hash_del(hdev, conn); 155 156 if (conn->cleanup) 157 conn->cleanup(conn); 158 159 if (conn->type == SCO_LINK || conn->type == ESCO_LINK) { 160 switch (conn->setting & SCO_AIRMODE_MASK) { 161 case SCO_AIRMODE_CVSD: 162 case SCO_AIRMODE_TRANSP: 163 if (hdev->notify) 164 hdev->notify(hdev, HCI_NOTIFY_DISABLE_SCO); 165 break; 166 } 167 } else { 168 if (hdev->notify) 169 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL); 170 } 171 172 hci_conn_del_sysfs(conn); 173 174 debugfs_remove_recursive(conn->debugfs); 175 176 hci_dev_put(hdev); 177 178 hci_conn_put(conn); 179 } 180 181 static void le_scan_cleanup(struct work_struct *work) 182 { 183 struct hci_conn *conn = container_of(work, struct hci_conn, 184 le_scan_cleanup); 185 struct hci_dev *hdev = conn->hdev; 186 struct hci_conn *c = NULL; 187 188 BT_DBG("%s hcon %p", hdev->name, conn); 189 190 hci_dev_lock(hdev); 191 192 /* Check that the hci_conn is still around */ 193 rcu_read_lock(); 194 list_for_each_entry_rcu(c, &hdev->conn_hash.list, list) { 195 if (c == conn) 196 break; 197 } 198 rcu_read_unlock(); 199 200 if (c == conn) { 201 hci_connect_le_scan_cleanup(conn, 0x00); 202 hci_conn_cleanup(conn); 203 } 204 205 hci_dev_unlock(hdev); 206 hci_dev_put(hdev); 207 hci_conn_put(conn); 208 } 209 210 static void hci_connect_le_scan_remove(struct hci_conn *conn) 211 { 212 BT_DBG("%s hcon %p", conn->hdev->name, conn); 213 214 /* We can't call hci_conn_del/hci_conn_cleanup here since that 215 * could deadlock with another hci_conn_del() call that's holding 216 * hci_dev_lock and doing cancel_delayed_work_sync(&conn->disc_work). 217 * Instead, grab temporary extra references to the hci_dev and 218 * hci_conn and perform the necessary cleanup in a separate work 219 * callback. 220 */ 221 222 hci_dev_hold(conn->hdev); 223 hci_conn_get(conn); 224 225 /* Even though we hold a reference to the hdev, many other 226 * things might get cleaned up meanwhile, including the hdev's 227 * own workqueue, so we can't use that for scheduling. 228 */ 229 schedule_work(&conn->le_scan_cleanup); 230 } 231 232 static void hci_acl_create_connection(struct hci_conn *conn) 233 { 234 struct hci_dev *hdev = conn->hdev; 235 struct inquiry_entry *ie; 236 struct hci_cp_create_conn cp; 237 238 BT_DBG("hcon %p", conn); 239 240 /* Many controllers disallow HCI Create Connection while it is doing 241 * HCI Inquiry. So we cancel the Inquiry first before issuing HCI Create 242 * Connection. This may cause the MGMT discovering state to become false 243 * without user space's request but it is okay since the MGMT Discovery 244 * APIs do not promise that discovery should be done forever. Instead, 245 * the user space monitors the status of MGMT discovering and it may 246 * request for discovery again when this flag becomes false. 247 */ 248 if (test_bit(HCI_INQUIRY, &hdev->flags)) { 249 /* Put this connection to "pending" state so that it will be 250 * executed after the inquiry cancel command complete event. 251 */ 252 conn->state = BT_CONNECT2; 253 hci_send_cmd(hdev, HCI_OP_INQUIRY_CANCEL, 0, NULL); 254 return; 255 } 256 257 conn->state = BT_CONNECT; 258 conn->out = true; 259 conn->role = HCI_ROLE_MASTER; 260 261 conn->attempt++; 262 263 conn->link_policy = hdev->link_policy; 264 265 memset(&cp, 0, sizeof(cp)); 266 bacpy(&cp.bdaddr, &conn->dst); 267 cp.pscan_rep_mode = 0x02; 268 269 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 270 if (ie) { 271 if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) { 272 cp.pscan_rep_mode = ie->data.pscan_rep_mode; 273 cp.pscan_mode = ie->data.pscan_mode; 274 cp.clock_offset = ie->data.clock_offset | 275 cpu_to_le16(0x8000); 276 } 277 278 memcpy(conn->dev_class, ie->data.dev_class, 3); 279 } 280 281 cp.pkt_type = cpu_to_le16(conn->pkt_type); 282 if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER)) 283 cp.role_switch = 0x01; 284 else 285 cp.role_switch = 0x00; 286 287 hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp); 288 } 289 290 int hci_disconnect(struct hci_conn *conn, __u8 reason) 291 { 292 BT_DBG("hcon %p", conn); 293 294 /* When we are central of an established connection and it enters 295 * the disconnect timeout, then go ahead and try to read the 296 * current clock offset. Processing of the result is done 297 * within the event handling and hci_clock_offset_evt function. 298 */ 299 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER && 300 (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) { 301 struct hci_dev *hdev = conn->hdev; 302 struct hci_cp_read_clock_offset clkoff_cp; 303 304 clkoff_cp.handle = cpu_to_le16(conn->handle); 305 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp), 306 &clkoff_cp); 307 } 308 309 return hci_abort_conn(conn, reason); 310 } 311 312 static void hci_add_sco(struct hci_conn *conn, __u16 handle) 313 { 314 struct hci_dev *hdev = conn->hdev; 315 struct hci_cp_add_sco cp; 316 317 BT_DBG("hcon %p", conn); 318 319 conn->state = BT_CONNECT; 320 conn->out = true; 321 322 conn->attempt++; 323 324 cp.handle = cpu_to_le16(handle); 325 cp.pkt_type = cpu_to_le16(conn->pkt_type); 326 327 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp); 328 } 329 330 static bool find_next_esco_param(struct hci_conn *conn, 331 const struct sco_param *esco_param, int size) 332 { 333 if (!conn->parent) 334 return false; 335 336 for (; conn->attempt <= size; conn->attempt++) { 337 if (lmp_esco_2m_capable(conn->parent) || 338 (esco_param[conn->attempt - 1].pkt_type & ESCO_2EV3)) 339 break; 340 BT_DBG("hcon %p skipped attempt %d, eSCO 2M not supported", 341 conn, conn->attempt); 342 } 343 344 return conn->attempt <= size; 345 } 346 347 static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec) 348 { 349 int err; 350 __u8 vnd_len, *vnd_data = NULL; 351 struct hci_op_configure_data_path *cmd = NULL; 352 353 err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len, 354 &vnd_data); 355 if (err < 0) 356 goto error; 357 358 cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL); 359 if (!cmd) { 360 err = -ENOMEM; 361 goto error; 362 } 363 364 err = hdev->get_data_path_id(hdev, &cmd->data_path_id); 365 if (err < 0) 366 goto error; 367 368 cmd->vnd_len = vnd_len; 369 memcpy(cmd->vnd_data, vnd_data, vnd_len); 370 371 cmd->direction = 0x00; 372 __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH, 373 sizeof(*cmd) + vnd_len, cmd, HCI_CMD_TIMEOUT); 374 375 cmd->direction = 0x01; 376 err = __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH, 377 sizeof(*cmd) + vnd_len, cmd, 378 HCI_CMD_TIMEOUT); 379 error: 380 381 kfree(cmd); 382 kfree(vnd_data); 383 return err; 384 } 385 386 static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data) 387 { 388 struct conn_handle_t *conn_handle = data; 389 struct hci_conn *conn = conn_handle->conn; 390 __u16 handle = conn_handle->handle; 391 struct hci_cp_enhanced_setup_sync_conn cp; 392 const struct sco_param *param; 393 394 kfree(conn_handle); 395 396 bt_dev_dbg(hdev, "hcon %p", conn); 397 398 /* for offload use case, codec needs to configured before opening SCO */ 399 if (conn->codec.data_path) 400 configure_datapath_sync(hdev, &conn->codec); 401 402 conn->state = BT_CONNECT; 403 conn->out = true; 404 405 conn->attempt++; 406 407 memset(&cp, 0x00, sizeof(cp)); 408 409 cp.handle = cpu_to_le16(handle); 410 411 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 412 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 413 414 switch (conn->codec.id) { 415 case BT_CODEC_MSBC: 416 if (!find_next_esco_param(conn, esco_param_msbc, 417 ARRAY_SIZE(esco_param_msbc))) 418 return -EINVAL; 419 420 param = &esco_param_msbc[conn->attempt - 1]; 421 cp.tx_coding_format.id = 0x05; 422 cp.rx_coding_format.id = 0x05; 423 cp.tx_codec_frame_size = __cpu_to_le16(60); 424 cp.rx_codec_frame_size = __cpu_to_le16(60); 425 cp.in_bandwidth = __cpu_to_le32(32000); 426 cp.out_bandwidth = __cpu_to_le32(32000); 427 cp.in_coding_format.id = 0x04; 428 cp.out_coding_format.id = 0x04; 429 cp.in_coded_data_size = __cpu_to_le16(16); 430 cp.out_coded_data_size = __cpu_to_le16(16); 431 cp.in_pcm_data_format = 2; 432 cp.out_pcm_data_format = 2; 433 cp.in_pcm_sample_payload_msb_pos = 0; 434 cp.out_pcm_sample_payload_msb_pos = 0; 435 cp.in_data_path = conn->codec.data_path; 436 cp.out_data_path = conn->codec.data_path; 437 cp.in_transport_unit_size = 1; 438 cp.out_transport_unit_size = 1; 439 break; 440 441 case BT_CODEC_TRANSPARENT: 442 if (!find_next_esco_param(conn, esco_param_msbc, 443 ARRAY_SIZE(esco_param_msbc))) 444 return false; 445 param = &esco_param_msbc[conn->attempt - 1]; 446 cp.tx_coding_format.id = 0x03; 447 cp.rx_coding_format.id = 0x03; 448 cp.tx_codec_frame_size = __cpu_to_le16(60); 449 cp.rx_codec_frame_size = __cpu_to_le16(60); 450 cp.in_bandwidth = __cpu_to_le32(0x1f40); 451 cp.out_bandwidth = __cpu_to_le32(0x1f40); 452 cp.in_coding_format.id = 0x03; 453 cp.out_coding_format.id = 0x03; 454 cp.in_coded_data_size = __cpu_to_le16(16); 455 cp.out_coded_data_size = __cpu_to_le16(16); 456 cp.in_pcm_data_format = 2; 457 cp.out_pcm_data_format = 2; 458 cp.in_pcm_sample_payload_msb_pos = 0; 459 cp.out_pcm_sample_payload_msb_pos = 0; 460 cp.in_data_path = conn->codec.data_path; 461 cp.out_data_path = conn->codec.data_path; 462 cp.in_transport_unit_size = 1; 463 cp.out_transport_unit_size = 1; 464 break; 465 466 case BT_CODEC_CVSD: 467 if (conn->parent && lmp_esco_capable(conn->parent)) { 468 if (!find_next_esco_param(conn, esco_param_cvsd, 469 ARRAY_SIZE(esco_param_cvsd))) 470 return -EINVAL; 471 param = &esco_param_cvsd[conn->attempt - 1]; 472 } else { 473 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd)) 474 return -EINVAL; 475 param = &sco_param_cvsd[conn->attempt - 1]; 476 } 477 cp.tx_coding_format.id = 2; 478 cp.rx_coding_format.id = 2; 479 cp.tx_codec_frame_size = __cpu_to_le16(60); 480 cp.rx_codec_frame_size = __cpu_to_le16(60); 481 cp.in_bandwidth = __cpu_to_le32(16000); 482 cp.out_bandwidth = __cpu_to_le32(16000); 483 cp.in_coding_format.id = 4; 484 cp.out_coding_format.id = 4; 485 cp.in_coded_data_size = __cpu_to_le16(16); 486 cp.out_coded_data_size = __cpu_to_le16(16); 487 cp.in_pcm_data_format = 2; 488 cp.out_pcm_data_format = 2; 489 cp.in_pcm_sample_payload_msb_pos = 0; 490 cp.out_pcm_sample_payload_msb_pos = 0; 491 cp.in_data_path = conn->codec.data_path; 492 cp.out_data_path = conn->codec.data_path; 493 cp.in_transport_unit_size = 16; 494 cp.out_transport_unit_size = 16; 495 break; 496 default: 497 return -EINVAL; 498 } 499 500 cp.retrans_effort = param->retrans_effort; 501 cp.pkt_type = __cpu_to_le16(param->pkt_type); 502 cp.max_latency = __cpu_to_le16(param->max_latency); 503 504 if (hci_send_cmd(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0) 505 return -EIO; 506 507 return 0; 508 } 509 510 static bool hci_setup_sync_conn(struct hci_conn *conn, __u16 handle) 511 { 512 struct hci_dev *hdev = conn->hdev; 513 struct hci_cp_setup_sync_conn cp; 514 const struct sco_param *param; 515 516 bt_dev_dbg(hdev, "hcon %p", conn); 517 518 conn->state = BT_CONNECT; 519 conn->out = true; 520 521 conn->attempt++; 522 523 cp.handle = cpu_to_le16(handle); 524 525 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 526 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 527 cp.voice_setting = cpu_to_le16(conn->setting); 528 529 switch (conn->setting & SCO_AIRMODE_MASK) { 530 case SCO_AIRMODE_TRANSP: 531 if (!find_next_esco_param(conn, esco_param_msbc, 532 ARRAY_SIZE(esco_param_msbc))) 533 return false; 534 param = &esco_param_msbc[conn->attempt - 1]; 535 break; 536 case SCO_AIRMODE_CVSD: 537 if (conn->parent && lmp_esco_capable(conn->parent)) { 538 if (!find_next_esco_param(conn, esco_param_cvsd, 539 ARRAY_SIZE(esco_param_cvsd))) 540 return false; 541 param = &esco_param_cvsd[conn->attempt - 1]; 542 } else { 543 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd)) 544 return false; 545 param = &sco_param_cvsd[conn->attempt - 1]; 546 } 547 break; 548 default: 549 return false; 550 } 551 552 cp.retrans_effort = param->retrans_effort; 553 cp.pkt_type = __cpu_to_le16(param->pkt_type); 554 cp.max_latency = __cpu_to_le16(param->max_latency); 555 556 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0) 557 return false; 558 559 return true; 560 } 561 562 bool hci_setup_sync(struct hci_conn *conn, __u16 handle) 563 { 564 int result; 565 struct conn_handle_t *conn_handle; 566 567 if (enhanced_sync_conn_capable(conn->hdev)) { 568 conn_handle = kzalloc(sizeof(*conn_handle), GFP_KERNEL); 569 570 if (!conn_handle) 571 return false; 572 573 conn_handle->conn = conn; 574 conn_handle->handle = handle; 575 result = hci_cmd_sync_queue(conn->hdev, hci_enhanced_setup_sync, 576 conn_handle, NULL); 577 if (result < 0) 578 kfree(conn_handle); 579 580 return result == 0; 581 } 582 583 return hci_setup_sync_conn(conn, handle); 584 } 585 586 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency, 587 u16 to_multiplier) 588 { 589 struct hci_dev *hdev = conn->hdev; 590 struct hci_conn_params *params; 591 struct hci_cp_le_conn_update cp; 592 593 hci_dev_lock(hdev); 594 595 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 596 if (params) { 597 params->conn_min_interval = min; 598 params->conn_max_interval = max; 599 params->conn_latency = latency; 600 params->supervision_timeout = to_multiplier; 601 } 602 603 hci_dev_unlock(hdev); 604 605 memset(&cp, 0, sizeof(cp)); 606 cp.handle = cpu_to_le16(conn->handle); 607 cp.conn_interval_min = cpu_to_le16(min); 608 cp.conn_interval_max = cpu_to_le16(max); 609 cp.conn_latency = cpu_to_le16(latency); 610 cp.supervision_timeout = cpu_to_le16(to_multiplier); 611 cp.min_ce_len = cpu_to_le16(0x0000); 612 cp.max_ce_len = cpu_to_le16(0x0000); 613 614 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp); 615 616 if (params) 617 return 0x01; 618 619 return 0x00; 620 } 621 622 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand, 623 __u8 ltk[16], __u8 key_size) 624 { 625 struct hci_dev *hdev = conn->hdev; 626 struct hci_cp_le_start_enc cp; 627 628 BT_DBG("hcon %p", conn); 629 630 memset(&cp, 0, sizeof(cp)); 631 632 cp.handle = cpu_to_le16(conn->handle); 633 cp.rand = rand; 634 cp.ediv = ediv; 635 memcpy(cp.ltk, ltk, key_size); 636 637 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp); 638 } 639 640 /* Device _must_ be locked */ 641 void hci_sco_setup(struct hci_conn *conn, __u8 status) 642 { 643 struct hci_link *link; 644 645 link = list_first_entry_or_null(&conn->link_list, struct hci_link, list); 646 if (!link || !link->conn) 647 return; 648 649 BT_DBG("hcon %p", conn); 650 651 if (!status) { 652 if (lmp_esco_capable(conn->hdev)) 653 hci_setup_sync(link->conn, conn->handle); 654 else 655 hci_add_sco(link->conn, conn->handle); 656 } else { 657 hci_connect_cfm(link->conn, status); 658 hci_conn_del(link->conn); 659 } 660 } 661 662 static void hci_conn_timeout(struct work_struct *work) 663 { 664 struct hci_conn *conn = container_of(work, struct hci_conn, 665 disc_work.work); 666 int refcnt = atomic_read(&conn->refcnt); 667 668 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state)); 669 670 WARN_ON(refcnt < 0); 671 672 /* FIXME: It was observed that in pairing failed scenario, refcnt 673 * drops below 0. Probably this is because l2cap_conn_del calls 674 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is 675 * dropped. After that loop hci_chan_del is called which also drops 676 * conn. For now make sure that ACL is alive if refcnt is higher then 0, 677 * otherwise drop it. 678 */ 679 if (refcnt > 0) 680 return; 681 682 /* LE connections in scanning state need special handling */ 683 if (conn->state == BT_CONNECT && conn->type == LE_LINK && 684 test_bit(HCI_CONN_SCANNING, &conn->flags)) { 685 hci_connect_le_scan_remove(conn); 686 return; 687 } 688 689 hci_abort_conn(conn, hci_proto_disconn_ind(conn)); 690 } 691 692 /* Enter sniff mode */ 693 static void hci_conn_idle(struct work_struct *work) 694 { 695 struct hci_conn *conn = container_of(work, struct hci_conn, 696 idle_work.work); 697 struct hci_dev *hdev = conn->hdev; 698 699 BT_DBG("hcon %p mode %d", conn, conn->mode); 700 701 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn)) 702 return; 703 704 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF)) 705 return; 706 707 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) { 708 struct hci_cp_sniff_subrate cp; 709 cp.handle = cpu_to_le16(conn->handle); 710 cp.max_latency = cpu_to_le16(0); 711 cp.min_remote_timeout = cpu_to_le16(0); 712 cp.min_local_timeout = cpu_to_le16(0); 713 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp); 714 } 715 716 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) { 717 struct hci_cp_sniff_mode cp; 718 cp.handle = cpu_to_le16(conn->handle); 719 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval); 720 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval); 721 cp.attempt = cpu_to_le16(4); 722 cp.timeout = cpu_to_le16(1); 723 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp); 724 } 725 } 726 727 static void hci_conn_auto_accept(struct work_struct *work) 728 { 729 struct hci_conn *conn = container_of(work, struct hci_conn, 730 auto_accept_work.work); 731 732 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst), 733 &conn->dst); 734 } 735 736 static void le_disable_advertising(struct hci_dev *hdev) 737 { 738 if (ext_adv_capable(hdev)) { 739 struct hci_cp_le_set_ext_adv_enable cp; 740 741 cp.enable = 0x00; 742 cp.num_of_sets = 0x00; 743 744 hci_send_cmd(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE, sizeof(cp), 745 &cp); 746 } else { 747 u8 enable = 0x00; 748 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), 749 &enable); 750 } 751 } 752 753 static void le_conn_timeout(struct work_struct *work) 754 { 755 struct hci_conn *conn = container_of(work, struct hci_conn, 756 le_conn_timeout.work); 757 struct hci_dev *hdev = conn->hdev; 758 759 BT_DBG(""); 760 761 /* We could end up here due to having done directed advertising, 762 * so clean up the state if necessary. This should however only 763 * happen with broken hardware or if low duty cycle was used 764 * (which doesn't have a timeout of its own). 765 */ 766 if (conn->role == HCI_ROLE_SLAVE) { 767 /* Disable LE Advertising */ 768 le_disable_advertising(hdev); 769 hci_dev_lock(hdev); 770 hci_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT); 771 hci_dev_unlock(hdev); 772 return; 773 } 774 775 hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM); 776 } 777 778 struct iso_list_data { 779 union { 780 u8 cig; 781 u8 big; 782 }; 783 union { 784 u8 cis; 785 u8 bis; 786 u16 sync_handle; 787 }; 788 int count; 789 struct { 790 struct hci_cp_le_set_cig_params cp; 791 struct hci_cis_params cis[0x11]; 792 } pdu; 793 }; 794 795 static void bis_list(struct hci_conn *conn, void *data) 796 { 797 struct iso_list_data *d = data; 798 799 /* Skip if not broadcast/ANY address */ 800 if (bacmp(&conn->dst, BDADDR_ANY)) 801 return; 802 803 if (d->big != conn->iso_qos.bcast.big || d->bis == BT_ISO_QOS_BIS_UNSET || 804 d->bis != conn->iso_qos.bcast.bis) 805 return; 806 807 d->count++; 808 } 809 810 static void find_bis(struct hci_conn *conn, void *data) 811 { 812 struct iso_list_data *d = data; 813 814 /* Ignore unicast */ 815 if (bacmp(&conn->dst, BDADDR_ANY)) 816 return; 817 818 d->count++; 819 } 820 821 static int terminate_big_sync(struct hci_dev *hdev, void *data) 822 { 823 struct iso_list_data *d = data; 824 825 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", d->big, d->bis); 826 827 hci_remove_ext_adv_instance_sync(hdev, d->bis, NULL); 828 829 /* Check if ISO connection is a BIS and terminate BIG if there are 830 * no other connections using it. 831 */ 832 hci_conn_hash_list_state(hdev, find_bis, ISO_LINK, BT_CONNECTED, d); 833 if (d->count) 834 return 0; 835 836 return hci_le_terminate_big_sync(hdev, d->big, 837 HCI_ERROR_LOCAL_HOST_TERM); 838 } 839 840 static void terminate_big_destroy(struct hci_dev *hdev, void *data, int err) 841 { 842 kfree(data); 843 } 844 845 static int hci_le_terminate_big(struct hci_dev *hdev, u8 big, u8 bis) 846 { 847 struct iso_list_data *d; 848 int ret; 849 850 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", big, bis); 851 852 d = kzalloc(sizeof(*d), GFP_KERNEL); 853 if (!d) 854 return -ENOMEM; 855 856 d->big = big; 857 d->bis = bis; 858 859 ret = hci_cmd_sync_queue(hdev, terminate_big_sync, d, 860 terminate_big_destroy); 861 if (ret) 862 kfree(d); 863 864 return ret; 865 } 866 867 static int big_terminate_sync(struct hci_dev *hdev, void *data) 868 { 869 struct iso_list_data *d = data; 870 871 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", d->big, 872 d->sync_handle); 873 874 /* Check if ISO connection is a BIS and terminate BIG if there are 875 * no other connections using it. 876 */ 877 hci_conn_hash_list_state(hdev, find_bis, ISO_LINK, BT_CONNECTED, d); 878 if (d->count) 879 return 0; 880 881 hci_le_big_terminate_sync(hdev, d->big); 882 883 return hci_le_pa_terminate_sync(hdev, d->sync_handle); 884 } 885 886 static int hci_le_big_terminate(struct hci_dev *hdev, u8 big, u16 sync_handle) 887 { 888 struct iso_list_data *d; 889 int ret; 890 891 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", big, sync_handle); 892 893 d = kzalloc(sizeof(*d), GFP_KERNEL); 894 if (!d) 895 return -ENOMEM; 896 897 d->big = big; 898 d->sync_handle = sync_handle; 899 900 ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d, 901 terminate_big_destroy); 902 if (ret) 903 kfree(d); 904 905 return ret; 906 } 907 908 /* Cleanup BIS connection 909 * 910 * Detects if there any BIS left connected in a BIG 911 * broadcaster: Remove advertising instance and terminate BIG. 912 * broadcaster receiver: Teminate BIG sync and terminate PA sync. 913 */ 914 static void bis_cleanup(struct hci_conn *conn) 915 { 916 struct hci_dev *hdev = conn->hdev; 917 918 bt_dev_dbg(hdev, "conn %p", conn); 919 920 if (conn->role == HCI_ROLE_MASTER) { 921 if (!test_and_clear_bit(HCI_CONN_PER_ADV, &conn->flags)) 922 return; 923 924 hci_le_terminate_big(hdev, conn->iso_qos.bcast.big, 925 conn->iso_qos.bcast.bis); 926 } else { 927 hci_le_big_terminate(hdev, conn->iso_qos.bcast.big, 928 conn->sync_handle); 929 } 930 } 931 932 static int remove_cig_sync(struct hci_dev *hdev, void *data) 933 { 934 u8 handle = PTR_ERR(data); 935 936 return hci_le_remove_cig_sync(hdev, handle); 937 } 938 939 static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle) 940 { 941 bt_dev_dbg(hdev, "handle 0x%2.2x", handle); 942 943 return hci_cmd_sync_queue(hdev, remove_cig_sync, ERR_PTR(handle), NULL); 944 } 945 946 static void find_cis(struct hci_conn *conn, void *data) 947 { 948 struct iso_list_data *d = data; 949 950 /* Ignore broadcast */ 951 if (!bacmp(&conn->dst, BDADDR_ANY)) 952 return; 953 954 d->count++; 955 } 956 957 /* Cleanup CIS connection: 958 * 959 * Detects if there any CIS left connected in a CIG and remove it. 960 */ 961 static void cis_cleanup(struct hci_conn *conn) 962 { 963 struct hci_dev *hdev = conn->hdev; 964 struct iso_list_data d; 965 966 memset(&d, 0, sizeof(d)); 967 d.cig = conn->iso_qos.ucast.cig; 968 969 /* Check if ISO connection is a CIS and remove CIG if there are 970 * no other connections using it. 971 */ 972 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECTED, &d); 973 if (d.count) 974 return; 975 976 hci_le_remove_cig(hdev, conn->iso_qos.ucast.cig); 977 } 978 979 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst, 980 u8 role) 981 { 982 struct hci_conn *conn; 983 984 BT_DBG("%s dst %pMR", hdev->name, dst); 985 986 conn = kzalloc(sizeof(*conn), GFP_KERNEL); 987 if (!conn) 988 return NULL; 989 990 bacpy(&conn->dst, dst); 991 bacpy(&conn->src, &hdev->bdaddr); 992 conn->handle = HCI_CONN_HANDLE_UNSET; 993 conn->hdev = hdev; 994 conn->type = type; 995 conn->role = role; 996 conn->mode = HCI_CM_ACTIVE; 997 conn->state = BT_OPEN; 998 conn->auth_type = HCI_AT_GENERAL_BONDING; 999 conn->io_capability = hdev->io_capability; 1000 conn->remote_auth = 0xff; 1001 conn->key_type = 0xff; 1002 conn->rssi = HCI_RSSI_INVALID; 1003 conn->tx_power = HCI_TX_POWER_INVALID; 1004 conn->max_tx_power = HCI_TX_POWER_INVALID; 1005 1006 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 1007 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 1008 1009 /* Set Default Authenticated payload timeout to 30s */ 1010 conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT; 1011 1012 if (conn->role == HCI_ROLE_MASTER) 1013 conn->out = true; 1014 1015 switch (type) { 1016 case ACL_LINK: 1017 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK; 1018 break; 1019 case LE_LINK: 1020 /* conn->src should reflect the local identity address */ 1021 hci_copy_identity_address(hdev, &conn->src, &conn->src_type); 1022 break; 1023 case ISO_LINK: 1024 /* conn->src should reflect the local identity address */ 1025 hci_copy_identity_address(hdev, &conn->src, &conn->src_type); 1026 1027 /* set proper cleanup function */ 1028 if (!bacmp(dst, BDADDR_ANY)) 1029 conn->cleanup = bis_cleanup; 1030 else if (conn->role == HCI_ROLE_MASTER) 1031 conn->cleanup = cis_cleanup; 1032 1033 break; 1034 case SCO_LINK: 1035 if (lmp_esco_capable(hdev)) 1036 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 1037 (hdev->esco_type & EDR_ESCO_MASK); 1038 else 1039 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK; 1040 break; 1041 case ESCO_LINK: 1042 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK; 1043 break; 1044 } 1045 1046 skb_queue_head_init(&conn->data_q); 1047 1048 INIT_LIST_HEAD(&conn->chan_list); 1049 INIT_LIST_HEAD(&conn->link_list); 1050 1051 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout); 1052 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept); 1053 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle); 1054 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout); 1055 INIT_WORK(&conn->le_scan_cleanup, le_scan_cleanup); 1056 1057 atomic_set(&conn->refcnt, 0); 1058 1059 hci_dev_hold(hdev); 1060 1061 hci_conn_hash_add(hdev, conn); 1062 1063 /* The SCO and eSCO connections will only be notified when their 1064 * setup has been completed. This is different to ACL links which 1065 * can be notified right away. 1066 */ 1067 if (conn->type != SCO_LINK && conn->type != ESCO_LINK) { 1068 if (hdev->notify) 1069 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD); 1070 } 1071 1072 hci_conn_init_sysfs(conn); 1073 1074 return conn; 1075 } 1076 1077 static void hci_conn_unlink(struct hci_conn *conn) 1078 { 1079 struct hci_dev *hdev = conn->hdev; 1080 1081 bt_dev_dbg(hdev, "hcon %p", conn); 1082 1083 if (!conn->parent) { 1084 struct hci_link *link, *t; 1085 1086 list_for_each_entry_safe(link, t, &conn->link_list, list) 1087 hci_conn_unlink(link->conn); 1088 1089 return; 1090 } 1091 1092 if (!conn->link) 1093 return; 1094 1095 hci_conn_put(conn->parent); 1096 conn->parent = NULL; 1097 1098 list_del_rcu(&conn->link->list); 1099 synchronize_rcu(); 1100 1101 kfree(conn->link); 1102 conn->link = NULL; 1103 1104 /* Due to race, SCO connection might be not established 1105 * yet at this point. Delete it now, otherwise it is 1106 * possible for it to be stuck and can't be deleted. 1107 */ 1108 if (conn->handle == HCI_CONN_HANDLE_UNSET) 1109 hci_conn_del(conn); 1110 } 1111 1112 int hci_conn_del(struct hci_conn *conn) 1113 { 1114 struct hci_dev *hdev = conn->hdev; 1115 1116 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle); 1117 1118 cancel_delayed_work_sync(&conn->disc_work); 1119 cancel_delayed_work_sync(&conn->auto_accept_work); 1120 cancel_delayed_work_sync(&conn->idle_work); 1121 1122 if (conn->type == ACL_LINK) { 1123 hci_conn_unlink(conn); 1124 /* Unacked frames */ 1125 hdev->acl_cnt += conn->sent; 1126 } else if (conn->type == LE_LINK) { 1127 cancel_delayed_work(&conn->le_conn_timeout); 1128 1129 if (hdev->le_pkts) 1130 hdev->le_cnt += conn->sent; 1131 else 1132 hdev->acl_cnt += conn->sent; 1133 } else { 1134 struct hci_conn *acl = conn->parent; 1135 1136 if (acl) { 1137 hci_conn_unlink(conn); 1138 hci_conn_drop(acl); 1139 } 1140 1141 /* Unacked ISO frames */ 1142 if (conn->type == ISO_LINK) { 1143 if (hdev->iso_pkts) 1144 hdev->iso_cnt += conn->sent; 1145 else if (hdev->le_pkts) 1146 hdev->le_cnt += conn->sent; 1147 else 1148 hdev->acl_cnt += conn->sent; 1149 } 1150 } 1151 1152 if (conn->amp_mgr) 1153 amp_mgr_put(conn->amp_mgr); 1154 1155 skb_queue_purge(&conn->data_q); 1156 1157 /* Remove the connection from the list and cleanup its remaining 1158 * state. This is a separate function since for some cases like 1159 * BT_CONNECT_SCAN we *only* want the cleanup part without the 1160 * rest of hci_conn_del. 1161 */ 1162 hci_conn_cleanup(conn); 1163 1164 return 0; 1165 } 1166 1167 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type) 1168 { 1169 int use_src = bacmp(src, BDADDR_ANY); 1170 struct hci_dev *hdev = NULL, *d; 1171 1172 BT_DBG("%pMR -> %pMR", src, dst); 1173 1174 read_lock(&hci_dev_list_lock); 1175 1176 list_for_each_entry(d, &hci_dev_list, list) { 1177 if (!test_bit(HCI_UP, &d->flags) || 1178 hci_dev_test_flag(d, HCI_USER_CHANNEL) || 1179 d->dev_type != HCI_PRIMARY) 1180 continue; 1181 1182 /* Simple routing: 1183 * No source address - find interface with bdaddr != dst 1184 * Source address - find interface with bdaddr == src 1185 */ 1186 1187 if (use_src) { 1188 bdaddr_t id_addr; 1189 u8 id_addr_type; 1190 1191 if (src_type == BDADDR_BREDR) { 1192 if (!lmp_bredr_capable(d)) 1193 continue; 1194 bacpy(&id_addr, &d->bdaddr); 1195 id_addr_type = BDADDR_BREDR; 1196 } else { 1197 if (!lmp_le_capable(d)) 1198 continue; 1199 1200 hci_copy_identity_address(d, &id_addr, 1201 &id_addr_type); 1202 1203 /* Convert from HCI to three-value type */ 1204 if (id_addr_type == ADDR_LE_DEV_PUBLIC) 1205 id_addr_type = BDADDR_LE_PUBLIC; 1206 else 1207 id_addr_type = BDADDR_LE_RANDOM; 1208 } 1209 1210 if (!bacmp(&id_addr, src) && id_addr_type == src_type) { 1211 hdev = d; break; 1212 } 1213 } else { 1214 if (bacmp(&d->bdaddr, dst)) { 1215 hdev = d; break; 1216 } 1217 } 1218 } 1219 1220 if (hdev) 1221 hdev = hci_dev_hold(hdev); 1222 1223 read_unlock(&hci_dev_list_lock); 1224 return hdev; 1225 } 1226 EXPORT_SYMBOL(hci_get_route); 1227 1228 /* This function requires the caller holds hdev->lock */ 1229 static void hci_le_conn_failed(struct hci_conn *conn, u8 status) 1230 { 1231 struct hci_dev *hdev = conn->hdev; 1232 1233 hci_connect_le_scan_cleanup(conn, status); 1234 1235 /* Enable advertising in case this was a failed connection 1236 * attempt as a peripheral. 1237 */ 1238 hci_enable_advertising(hdev); 1239 } 1240 1241 /* This function requires the caller holds hdev->lock */ 1242 void hci_conn_failed(struct hci_conn *conn, u8 status) 1243 { 1244 struct hci_dev *hdev = conn->hdev; 1245 1246 bt_dev_dbg(hdev, "status 0x%2.2x", status); 1247 1248 switch (conn->type) { 1249 case LE_LINK: 1250 hci_le_conn_failed(conn, status); 1251 break; 1252 case ACL_LINK: 1253 mgmt_connect_failed(hdev, &conn->dst, conn->type, 1254 conn->dst_type, status); 1255 break; 1256 } 1257 1258 conn->state = BT_CLOSED; 1259 hci_connect_cfm(conn, status); 1260 hci_conn_del(conn); 1261 } 1262 1263 static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err) 1264 { 1265 struct hci_conn *conn = data; 1266 1267 bt_dev_dbg(hdev, "err %d", err); 1268 1269 hci_dev_lock(hdev); 1270 1271 if (!err) { 1272 hci_connect_le_scan_cleanup(conn, 0x00); 1273 goto done; 1274 } 1275 1276 /* Check if connection is still pending */ 1277 if (conn != hci_lookup_le_connect(hdev)) 1278 goto done; 1279 1280 /* Flush to make sure we send create conn cancel command if needed */ 1281 flush_delayed_work(&conn->le_conn_timeout); 1282 hci_conn_failed(conn, bt_status(err)); 1283 1284 done: 1285 hci_dev_unlock(hdev); 1286 } 1287 1288 static int hci_connect_le_sync(struct hci_dev *hdev, void *data) 1289 { 1290 struct hci_conn *conn = data; 1291 1292 bt_dev_dbg(hdev, "conn %p", conn); 1293 1294 return hci_le_create_conn_sync(hdev, conn); 1295 } 1296 1297 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst, 1298 u8 dst_type, bool dst_resolved, u8 sec_level, 1299 u16 conn_timeout, u8 role) 1300 { 1301 struct hci_conn *conn; 1302 struct smp_irk *irk; 1303 int err; 1304 1305 /* Let's make sure that le is enabled.*/ 1306 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1307 if (lmp_le_capable(hdev)) 1308 return ERR_PTR(-ECONNREFUSED); 1309 1310 return ERR_PTR(-EOPNOTSUPP); 1311 } 1312 1313 /* Since the controller supports only one LE connection attempt at a 1314 * time, we return -EBUSY if there is any connection attempt running. 1315 */ 1316 if (hci_lookup_le_connect(hdev)) 1317 return ERR_PTR(-EBUSY); 1318 1319 /* If there's already a connection object but it's not in 1320 * scanning state it means it must already be established, in 1321 * which case we can't do anything else except report a failure 1322 * to connect. 1323 */ 1324 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type); 1325 if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) { 1326 return ERR_PTR(-EBUSY); 1327 } 1328 1329 /* Check if the destination address has been resolved by the controller 1330 * since if it did then the identity address shall be used. 1331 */ 1332 if (!dst_resolved) { 1333 /* When given an identity address with existing identity 1334 * resolving key, the connection needs to be established 1335 * to a resolvable random address. 1336 * 1337 * Storing the resolvable random address is required here 1338 * to handle connection failures. The address will later 1339 * be resolved back into the original identity address 1340 * from the connect request. 1341 */ 1342 irk = hci_find_irk_by_addr(hdev, dst, dst_type); 1343 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) { 1344 dst = &irk->rpa; 1345 dst_type = ADDR_LE_DEV_RANDOM; 1346 } 1347 } 1348 1349 if (conn) { 1350 bacpy(&conn->dst, dst); 1351 } else { 1352 conn = hci_conn_add(hdev, LE_LINK, dst, role); 1353 if (!conn) 1354 return ERR_PTR(-ENOMEM); 1355 hci_conn_hold(conn); 1356 conn->pending_sec_level = sec_level; 1357 } 1358 1359 conn->dst_type = dst_type; 1360 conn->sec_level = BT_SECURITY_LOW; 1361 conn->conn_timeout = conn_timeout; 1362 1363 conn->state = BT_CONNECT; 1364 clear_bit(HCI_CONN_SCANNING, &conn->flags); 1365 1366 err = hci_cmd_sync_queue(hdev, hci_connect_le_sync, conn, 1367 create_le_conn_complete); 1368 if (err) { 1369 hci_conn_del(conn); 1370 return ERR_PTR(err); 1371 } 1372 1373 return conn; 1374 } 1375 1376 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type) 1377 { 1378 struct hci_conn *conn; 1379 1380 conn = hci_conn_hash_lookup_le(hdev, addr, type); 1381 if (!conn) 1382 return false; 1383 1384 if (conn->state != BT_CONNECTED) 1385 return false; 1386 1387 return true; 1388 } 1389 1390 /* This function requires the caller holds hdev->lock */ 1391 static int hci_explicit_conn_params_set(struct hci_dev *hdev, 1392 bdaddr_t *addr, u8 addr_type) 1393 { 1394 struct hci_conn_params *params; 1395 1396 if (is_connected(hdev, addr, addr_type)) 1397 return -EISCONN; 1398 1399 params = hci_conn_params_lookup(hdev, addr, addr_type); 1400 if (!params) { 1401 params = hci_conn_params_add(hdev, addr, addr_type); 1402 if (!params) 1403 return -ENOMEM; 1404 1405 /* If we created new params, mark them to be deleted in 1406 * hci_connect_le_scan_cleanup. It's different case than 1407 * existing disabled params, those will stay after cleanup. 1408 */ 1409 params->auto_connect = HCI_AUTO_CONN_EXPLICIT; 1410 } 1411 1412 /* We're trying to connect, so make sure params are at pend_le_conns */ 1413 if (params->auto_connect == HCI_AUTO_CONN_DISABLED || 1414 params->auto_connect == HCI_AUTO_CONN_REPORT || 1415 params->auto_connect == HCI_AUTO_CONN_EXPLICIT) { 1416 list_del_init(¶ms->action); 1417 list_add(¶ms->action, &hdev->pend_le_conns); 1418 } 1419 1420 params->explicit_connect = true; 1421 1422 BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type, 1423 params->auto_connect); 1424 1425 return 0; 1426 } 1427 1428 static int qos_set_big(struct hci_dev *hdev, struct bt_iso_qos *qos) 1429 { 1430 struct iso_list_data data; 1431 1432 /* Allocate a BIG if not set */ 1433 if (qos->bcast.big == BT_ISO_QOS_BIG_UNSET) { 1434 for (data.big = 0x00; data.big < 0xef; data.big++) { 1435 data.count = 0; 1436 data.bis = 0xff; 1437 1438 hci_conn_hash_list_state(hdev, bis_list, ISO_LINK, 1439 BT_BOUND, &data); 1440 if (!data.count) 1441 break; 1442 } 1443 1444 if (data.big == 0xef) 1445 return -EADDRNOTAVAIL; 1446 1447 /* Update BIG */ 1448 qos->bcast.big = data.big; 1449 } 1450 1451 return 0; 1452 } 1453 1454 static int qos_set_bis(struct hci_dev *hdev, struct bt_iso_qos *qos) 1455 { 1456 struct iso_list_data data; 1457 1458 /* Allocate BIS if not set */ 1459 if (qos->bcast.bis == BT_ISO_QOS_BIS_UNSET) { 1460 /* Find an unused adv set to advertise BIS, skip instance 0x00 1461 * since it is reserved as general purpose set. 1462 */ 1463 for (data.bis = 0x01; data.bis < hdev->le_num_of_adv_sets; 1464 data.bis++) { 1465 data.count = 0; 1466 1467 hci_conn_hash_list_state(hdev, bis_list, ISO_LINK, 1468 BT_BOUND, &data); 1469 if (!data.count) 1470 break; 1471 } 1472 1473 if (data.bis == hdev->le_num_of_adv_sets) 1474 return -EADDRNOTAVAIL; 1475 1476 /* Update BIS */ 1477 qos->bcast.bis = data.bis; 1478 } 1479 1480 return 0; 1481 } 1482 1483 /* This function requires the caller holds hdev->lock */ 1484 static struct hci_conn *hci_add_bis(struct hci_dev *hdev, bdaddr_t *dst, 1485 struct bt_iso_qos *qos) 1486 { 1487 struct hci_conn *conn; 1488 struct iso_list_data data; 1489 int err; 1490 1491 /* Let's make sure that le is enabled.*/ 1492 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1493 if (lmp_le_capable(hdev)) 1494 return ERR_PTR(-ECONNREFUSED); 1495 return ERR_PTR(-EOPNOTSUPP); 1496 } 1497 1498 err = qos_set_big(hdev, qos); 1499 if (err) 1500 return ERR_PTR(err); 1501 1502 err = qos_set_bis(hdev, qos); 1503 if (err) 1504 return ERR_PTR(err); 1505 1506 data.big = qos->bcast.big; 1507 data.bis = qos->bcast.bis; 1508 data.count = 0; 1509 1510 /* Check if there is already a matching BIG/BIS */ 1511 hci_conn_hash_list_state(hdev, bis_list, ISO_LINK, BT_BOUND, &data); 1512 if (data.count) 1513 return ERR_PTR(-EADDRINUSE); 1514 1515 conn = hci_conn_hash_lookup_bis(hdev, dst, qos->bcast.big, qos->bcast.bis); 1516 if (conn) 1517 return ERR_PTR(-EADDRINUSE); 1518 1519 conn = hci_conn_add(hdev, ISO_LINK, dst, HCI_ROLE_MASTER); 1520 if (!conn) 1521 return ERR_PTR(-ENOMEM); 1522 1523 set_bit(HCI_CONN_PER_ADV, &conn->flags); 1524 conn->state = BT_CONNECT; 1525 1526 hci_conn_hold(conn); 1527 return conn; 1528 } 1529 1530 /* This function requires the caller holds hdev->lock */ 1531 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst, 1532 u8 dst_type, u8 sec_level, 1533 u16 conn_timeout, 1534 enum conn_reasons conn_reason) 1535 { 1536 struct hci_conn *conn; 1537 1538 /* Let's make sure that le is enabled.*/ 1539 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1540 if (lmp_le_capable(hdev)) 1541 return ERR_PTR(-ECONNREFUSED); 1542 1543 return ERR_PTR(-EOPNOTSUPP); 1544 } 1545 1546 /* Some devices send ATT messages as soon as the physical link is 1547 * established. To be able to handle these ATT messages, the user- 1548 * space first establishes the connection and then starts the pairing 1549 * process. 1550 * 1551 * So if a hci_conn object already exists for the following connection 1552 * attempt, we simply update pending_sec_level and auth_type fields 1553 * and return the object found. 1554 */ 1555 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type); 1556 if (conn) { 1557 if (conn->pending_sec_level < sec_level) 1558 conn->pending_sec_level = sec_level; 1559 goto done; 1560 } 1561 1562 BT_DBG("requesting refresh of dst_addr"); 1563 1564 conn = hci_conn_add(hdev, LE_LINK, dst, HCI_ROLE_MASTER); 1565 if (!conn) 1566 return ERR_PTR(-ENOMEM); 1567 1568 if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) { 1569 hci_conn_del(conn); 1570 return ERR_PTR(-EBUSY); 1571 } 1572 1573 conn->state = BT_CONNECT; 1574 set_bit(HCI_CONN_SCANNING, &conn->flags); 1575 conn->dst_type = dst_type; 1576 conn->sec_level = BT_SECURITY_LOW; 1577 conn->pending_sec_level = sec_level; 1578 conn->conn_timeout = conn_timeout; 1579 conn->conn_reason = conn_reason; 1580 1581 hci_update_passive_scan(hdev); 1582 1583 done: 1584 hci_conn_hold(conn); 1585 return conn; 1586 } 1587 1588 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst, 1589 u8 sec_level, u8 auth_type, 1590 enum conn_reasons conn_reason) 1591 { 1592 struct hci_conn *acl; 1593 1594 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) { 1595 if (lmp_bredr_capable(hdev)) 1596 return ERR_PTR(-ECONNREFUSED); 1597 1598 return ERR_PTR(-EOPNOTSUPP); 1599 } 1600 1601 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst); 1602 if (!acl) { 1603 acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER); 1604 if (!acl) 1605 return ERR_PTR(-ENOMEM); 1606 } 1607 1608 hci_conn_hold(acl); 1609 1610 acl->conn_reason = conn_reason; 1611 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) { 1612 acl->sec_level = BT_SECURITY_LOW; 1613 acl->pending_sec_level = sec_level; 1614 acl->auth_type = auth_type; 1615 hci_acl_create_connection(acl); 1616 } 1617 1618 return acl; 1619 } 1620 1621 static struct hci_link *hci_conn_link(struct hci_conn *parent, 1622 struct hci_conn *conn) 1623 { 1624 struct hci_dev *hdev = parent->hdev; 1625 struct hci_link *link; 1626 1627 bt_dev_dbg(hdev, "parent %p hcon %p", parent, conn); 1628 1629 if (conn->link) 1630 return conn->link; 1631 1632 if (conn->parent) 1633 return NULL; 1634 1635 link = kzalloc(sizeof(*link), GFP_KERNEL); 1636 if (!link) 1637 return NULL; 1638 1639 link->conn = hci_conn_hold(conn); 1640 conn->link = link; 1641 conn->parent = hci_conn_get(parent); 1642 1643 /* Use list_add_tail_rcu append to the list */ 1644 list_add_tail_rcu(&link->list, &parent->link_list); 1645 1646 return link; 1647 } 1648 1649 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst, 1650 __u16 setting, struct bt_codec *codec) 1651 { 1652 struct hci_conn *acl; 1653 struct hci_conn *sco; 1654 struct hci_link *link; 1655 1656 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING, 1657 CONN_REASON_SCO_CONNECT); 1658 if (IS_ERR(acl)) 1659 return acl; 1660 1661 sco = hci_conn_hash_lookup_ba(hdev, type, dst); 1662 if (!sco) { 1663 sco = hci_conn_add(hdev, type, dst, HCI_ROLE_MASTER); 1664 if (!sco) { 1665 hci_conn_drop(acl); 1666 return ERR_PTR(-ENOMEM); 1667 } 1668 } 1669 1670 link = hci_conn_link(acl, sco); 1671 if (!link) { 1672 hci_conn_drop(acl); 1673 hci_conn_drop(sco); 1674 return NULL; 1675 } 1676 1677 sco->setting = setting; 1678 sco->codec = *codec; 1679 1680 if (acl->state == BT_CONNECTED && 1681 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) { 1682 set_bit(HCI_CONN_POWER_SAVE, &acl->flags); 1683 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON); 1684 1685 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) { 1686 /* defer SCO setup until mode change completed */ 1687 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags); 1688 return sco; 1689 } 1690 1691 hci_sco_setup(acl, 0x00); 1692 } 1693 1694 return sco; 1695 } 1696 1697 static void cis_add(struct iso_list_data *d, struct bt_iso_qos *qos) 1698 { 1699 struct hci_cis_params *cis = &d->pdu.cis[d->pdu.cp.num_cis]; 1700 1701 cis->cis_id = qos->ucast.cis; 1702 cis->c_sdu = cpu_to_le16(qos->ucast.out.sdu); 1703 cis->p_sdu = cpu_to_le16(qos->ucast.in.sdu); 1704 cis->c_phy = qos->ucast.out.phy ? qos->ucast.out.phy : qos->ucast.in.phy; 1705 cis->p_phy = qos->ucast.in.phy ? qos->ucast.in.phy : qos->ucast.out.phy; 1706 cis->c_rtn = qos->ucast.out.rtn; 1707 cis->p_rtn = qos->ucast.in.rtn; 1708 1709 d->pdu.cp.num_cis++; 1710 } 1711 1712 static void cis_list(struct hci_conn *conn, void *data) 1713 { 1714 struct iso_list_data *d = data; 1715 1716 /* Skip if broadcast/ANY address */ 1717 if (!bacmp(&conn->dst, BDADDR_ANY)) 1718 return; 1719 1720 if (d->cig != conn->iso_qos.ucast.cig || d->cis == BT_ISO_QOS_CIS_UNSET || 1721 d->cis != conn->iso_qos.ucast.cis) 1722 return; 1723 1724 d->count++; 1725 1726 if (d->pdu.cp.cig_id == BT_ISO_QOS_CIG_UNSET || 1727 d->count >= ARRAY_SIZE(d->pdu.cis)) 1728 return; 1729 1730 cis_add(d, &conn->iso_qos); 1731 } 1732 1733 static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos) 1734 { 1735 struct hci_dev *hdev = conn->hdev; 1736 struct hci_cp_le_create_big cp; 1737 1738 memset(&cp, 0, sizeof(cp)); 1739 1740 cp.handle = qos->bcast.big; 1741 cp.adv_handle = qos->bcast.bis; 1742 cp.num_bis = 0x01; 1743 hci_cpu_to_le24(qos->bcast.out.interval, cp.bis.sdu_interval); 1744 cp.bis.sdu = cpu_to_le16(qos->bcast.out.sdu); 1745 cp.bis.latency = cpu_to_le16(qos->bcast.out.latency); 1746 cp.bis.rtn = qos->bcast.out.rtn; 1747 cp.bis.phy = qos->bcast.out.phy; 1748 cp.bis.packing = qos->bcast.packing; 1749 cp.bis.framing = qos->bcast.framing; 1750 cp.bis.encryption = qos->bcast.encryption; 1751 memcpy(cp.bis.bcode, qos->bcast.bcode, sizeof(cp.bis.bcode)); 1752 1753 return hci_send_cmd(hdev, HCI_OP_LE_CREATE_BIG, sizeof(cp), &cp); 1754 } 1755 1756 static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos) 1757 { 1758 struct hci_dev *hdev = conn->hdev; 1759 struct iso_list_data data; 1760 1761 memset(&data, 0, sizeof(data)); 1762 1763 /* Allocate a CIG if not set */ 1764 if (qos->ucast.cig == BT_ISO_QOS_CIG_UNSET) { 1765 for (data.cig = 0x00; data.cig < 0xff; data.cig++) { 1766 data.count = 0; 1767 data.cis = 0xff; 1768 1769 hci_conn_hash_list_state(hdev, cis_list, ISO_LINK, 1770 BT_BOUND, &data); 1771 if (data.count) 1772 continue; 1773 1774 hci_conn_hash_list_state(hdev, cis_list, ISO_LINK, 1775 BT_CONNECTED, &data); 1776 if (!data.count) 1777 break; 1778 } 1779 1780 if (data.cig == 0xff) 1781 return false; 1782 1783 /* Update CIG */ 1784 qos->ucast.cig = data.cig; 1785 } 1786 1787 data.pdu.cp.cig_id = qos->ucast.cig; 1788 hci_cpu_to_le24(qos->ucast.out.interval, data.pdu.cp.c_interval); 1789 hci_cpu_to_le24(qos->ucast.in.interval, data.pdu.cp.p_interval); 1790 data.pdu.cp.sca = qos->ucast.sca; 1791 data.pdu.cp.packing = qos->ucast.packing; 1792 data.pdu.cp.framing = qos->ucast.framing; 1793 data.pdu.cp.c_latency = cpu_to_le16(qos->ucast.out.latency); 1794 data.pdu.cp.p_latency = cpu_to_le16(qos->ucast.in.latency); 1795 1796 if (qos->ucast.cis != BT_ISO_QOS_CIS_UNSET) { 1797 data.count = 0; 1798 data.cig = qos->ucast.cig; 1799 data.cis = qos->ucast.cis; 1800 1801 hci_conn_hash_list_state(hdev, cis_list, ISO_LINK, BT_BOUND, 1802 &data); 1803 if (data.count) 1804 return false; 1805 1806 cis_add(&data, qos); 1807 } 1808 1809 /* Reprogram all CIS(s) with the same CIG */ 1810 for (data.cig = qos->ucast.cig, data.cis = 0x00; data.cis < 0x11; 1811 data.cis++) { 1812 data.count = 0; 1813 1814 hci_conn_hash_list_state(hdev, cis_list, ISO_LINK, BT_BOUND, 1815 &data); 1816 if (data.count) 1817 continue; 1818 1819 /* Allocate a CIS if not set */ 1820 if (qos->ucast.cis == BT_ISO_QOS_CIS_UNSET) { 1821 /* Update CIS */ 1822 qos->ucast.cis = data.cis; 1823 cis_add(&data, qos); 1824 } 1825 } 1826 1827 if (qos->ucast.cis == BT_ISO_QOS_CIS_UNSET || !data.pdu.cp.num_cis) 1828 return false; 1829 1830 if (hci_send_cmd(hdev, HCI_OP_LE_SET_CIG_PARAMS, 1831 sizeof(data.pdu.cp) + 1832 (data.pdu.cp.num_cis * sizeof(*data.pdu.cis)), 1833 &data.pdu) < 0) 1834 return false; 1835 1836 return true; 1837 } 1838 1839 struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst, 1840 __u8 dst_type, struct bt_iso_qos *qos) 1841 { 1842 struct hci_conn *cis; 1843 1844 cis = hci_conn_hash_lookup_cis(hdev, dst, dst_type, qos->ucast.cig, 1845 qos->ucast.cis); 1846 if (!cis) { 1847 cis = hci_conn_add(hdev, ISO_LINK, dst, HCI_ROLE_MASTER); 1848 if (!cis) 1849 return ERR_PTR(-ENOMEM); 1850 cis->cleanup = cis_cleanup; 1851 cis->dst_type = dst_type; 1852 } 1853 1854 if (cis->state == BT_CONNECTED) 1855 return cis; 1856 1857 /* Check if CIS has been set and the settings matches */ 1858 if (cis->state == BT_BOUND && 1859 !memcmp(&cis->iso_qos, qos, sizeof(*qos))) 1860 return cis; 1861 1862 /* Update LINK PHYs according to QoS preference */ 1863 cis->le_tx_phy = qos->ucast.out.phy; 1864 cis->le_rx_phy = qos->ucast.in.phy; 1865 1866 /* If output interval is not set use the input interval as it cannot be 1867 * 0x000000. 1868 */ 1869 if (!qos->ucast.out.interval) 1870 qos->ucast.out.interval = qos->ucast.in.interval; 1871 1872 /* If input interval is not set use the output interval as it cannot be 1873 * 0x000000. 1874 */ 1875 if (!qos->ucast.in.interval) 1876 qos->ucast.in.interval = qos->ucast.out.interval; 1877 1878 /* If output latency is not set use the input latency as it cannot be 1879 * 0x0000. 1880 */ 1881 if (!qos->ucast.out.latency) 1882 qos->ucast.out.latency = qos->ucast.in.latency; 1883 1884 /* If input latency is not set use the output latency as it cannot be 1885 * 0x0000. 1886 */ 1887 if (!qos->ucast.in.latency) 1888 qos->ucast.in.latency = qos->ucast.out.latency; 1889 1890 if (!hci_le_set_cig_params(cis, qos)) { 1891 hci_conn_drop(cis); 1892 return ERR_PTR(-EINVAL); 1893 } 1894 1895 cis->iso_qos = *qos; 1896 cis->state = BT_BOUND; 1897 1898 return cis; 1899 } 1900 1901 bool hci_iso_setup_path(struct hci_conn *conn) 1902 { 1903 struct hci_dev *hdev = conn->hdev; 1904 struct hci_cp_le_setup_iso_path cmd; 1905 1906 memset(&cmd, 0, sizeof(cmd)); 1907 1908 if (conn->iso_qos.ucast.out.sdu) { 1909 cmd.handle = cpu_to_le16(conn->handle); 1910 cmd.direction = 0x00; /* Input (Host to Controller) */ 1911 cmd.path = 0x00; /* HCI path if enabled */ 1912 cmd.codec = 0x03; /* Transparent Data */ 1913 1914 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd), 1915 &cmd) < 0) 1916 return false; 1917 } 1918 1919 if (conn->iso_qos.ucast.in.sdu) { 1920 cmd.handle = cpu_to_le16(conn->handle); 1921 cmd.direction = 0x01; /* Output (Controller to Host) */ 1922 cmd.path = 0x00; /* HCI path if enabled */ 1923 cmd.codec = 0x03; /* Transparent Data */ 1924 1925 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd), 1926 &cmd) < 0) 1927 return false; 1928 } 1929 1930 return true; 1931 } 1932 1933 static int hci_create_cis_sync(struct hci_dev *hdev, void *data) 1934 { 1935 return hci_le_create_cis_sync(hdev, data); 1936 } 1937 1938 int hci_le_create_cis(struct hci_conn *conn) 1939 { 1940 struct hci_conn *cis; 1941 struct hci_link *link, *t; 1942 struct hci_dev *hdev = conn->hdev; 1943 int err; 1944 1945 bt_dev_dbg(hdev, "hcon %p", conn); 1946 1947 switch (conn->type) { 1948 case LE_LINK: 1949 if (conn->state != BT_CONNECTED || list_empty(&conn->link_list)) 1950 return -EINVAL; 1951 1952 cis = NULL; 1953 1954 /* hci_conn_link uses list_add_tail_rcu so the list is in 1955 * the same order as the connections are requested. 1956 */ 1957 list_for_each_entry_safe(link, t, &conn->link_list, list) { 1958 if (link->conn->state == BT_BOUND) { 1959 err = hci_le_create_cis(link->conn); 1960 if (err) 1961 return err; 1962 1963 cis = link->conn; 1964 } 1965 } 1966 1967 return cis ? 0 : -EINVAL; 1968 case ISO_LINK: 1969 cis = conn; 1970 break; 1971 default: 1972 return -EINVAL; 1973 } 1974 1975 if (cis->state == BT_CONNECT) 1976 return 0; 1977 1978 /* Queue Create CIS */ 1979 err = hci_cmd_sync_queue(hdev, hci_create_cis_sync, cis, NULL); 1980 if (err) 1981 return err; 1982 1983 cis->state = BT_CONNECT; 1984 1985 return 0; 1986 } 1987 1988 static void hci_iso_qos_setup(struct hci_dev *hdev, struct hci_conn *conn, 1989 struct bt_iso_io_qos *qos, __u8 phy) 1990 { 1991 /* Only set MTU if PHY is enabled */ 1992 if (!qos->sdu && qos->phy) { 1993 if (hdev->iso_mtu > 0) 1994 qos->sdu = hdev->iso_mtu; 1995 else if (hdev->le_mtu > 0) 1996 qos->sdu = hdev->le_mtu; 1997 else 1998 qos->sdu = hdev->acl_mtu; 1999 } 2000 2001 /* Use the same PHY as ACL if set to any */ 2002 if (qos->phy == BT_ISO_PHY_ANY) 2003 qos->phy = phy; 2004 2005 /* Use LE ACL connection interval if not set */ 2006 if (!qos->interval) 2007 /* ACL interval unit in 1.25 ms to us */ 2008 qos->interval = conn->le_conn_interval * 1250; 2009 2010 /* Use LE ACL connection latency if not set */ 2011 if (!qos->latency) 2012 qos->latency = conn->le_conn_latency; 2013 } 2014 2015 static void hci_bind_bis(struct hci_conn *conn, 2016 struct bt_iso_qos *qos) 2017 { 2018 /* Update LINK PHYs according to QoS preference */ 2019 conn->le_tx_phy = qos->bcast.out.phy; 2020 conn->le_tx_phy = qos->bcast.out.phy; 2021 conn->iso_qos = *qos; 2022 conn->state = BT_BOUND; 2023 } 2024 2025 static int create_big_sync(struct hci_dev *hdev, void *data) 2026 { 2027 struct hci_conn *conn = data; 2028 struct bt_iso_qos *qos = &conn->iso_qos; 2029 u16 interval, sync_interval = 0; 2030 u32 flags = 0; 2031 int err; 2032 2033 if (qos->bcast.out.phy == 0x02) 2034 flags |= MGMT_ADV_FLAG_SEC_2M; 2035 2036 /* Align intervals */ 2037 interval = qos->bcast.out.interval / 1250; 2038 2039 if (qos->bcast.bis) 2040 sync_interval = qos->bcast.sync_interval * 1600; 2041 2042 err = hci_start_per_adv_sync(hdev, qos->bcast.bis, conn->le_per_adv_data_len, 2043 conn->le_per_adv_data, flags, interval, 2044 interval, sync_interval); 2045 if (err) 2046 return err; 2047 2048 return hci_le_create_big(conn, &conn->iso_qos); 2049 } 2050 2051 static void create_pa_complete(struct hci_dev *hdev, void *data, int err) 2052 { 2053 struct hci_cp_le_pa_create_sync *cp = data; 2054 2055 bt_dev_dbg(hdev, ""); 2056 2057 if (err) 2058 bt_dev_err(hdev, "Unable to create PA: %d", err); 2059 2060 kfree(cp); 2061 } 2062 2063 static int create_pa_sync(struct hci_dev *hdev, void *data) 2064 { 2065 struct hci_cp_le_pa_create_sync *cp = data; 2066 int err; 2067 2068 err = __hci_cmd_sync_status(hdev, HCI_OP_LE_PA_CREATE_SYNC, 2069 sizeof(*cp), cp, HCI_CMD_TIMEOUT); 2070 if (err) { 2071 hci_dev_clear_flag(hdev, HCI_PA_SYNC); 2072 return err; 2073 } 2074 2075 return hci_update_passive_scan_sync(hdev); 2076 } 2077 2078 int hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst, __u8 dst_type, 2079 __u8 sid, struct bt_iso_qos *qos) 2080 { 2081 struct hci_cp_le_pa_create_sync *cp; 2082 2083 if (hci_dev_test_and_set_flag(hdev, HCI_PA_SYNC)) 2084 return -EBUSY; 2085 2086 cp = kzalloc(sizeof(*cp), GFP_KERNEL); 2087 if (!cp) { 2088 hci_dev_clear_flag(hdev, HCI_PA_SYNC); 2089 return -ENOMEM; 2090 } 2091 2092 cp->options = qos->bcast.options; 2093 cp->sid = sid; 2094 cp->addr_type = dst_type; 2095 bacpy(&cp->addr, dst); 2096 cp->skip = cpu_to_le16(qos->bcast.skip); 2097 cp->sync_timeout = cpu_to_le16(qos->bcast.sync_timeout); 2098 cp->sync_cte_type = qos->bcast.sync_cte_type; 2099 2100 /* Queue start pa_create_sync and scan */ 2101 return hci_cmd_sync_queue(hdev, create_pa_sync, cp, create_pa_complete); 2102 } 2103 2104 int hci_le_big_create_sync(struct hci_dev *hdev, struct bt_iso_qos *qos, 2105 __u16 sync_handle, __u8 num_bis, __u8 bis[]) 2106 { 2107 struct _packed { 2108 struct hci_cp_le_big_create_sync cp; 2109 __u8 bis[0x11]; 2110 } pdu; 2111 int err; 2112 2113 if (num_bis > sizeof(pdu.bis)) 2114 return -EINVAL; 2115 2116 err = qos_set_big(hdev, qos); 2117 if (err) 2118 return err; 2119 2120 memset(&pdu, 0, sizeof(pdu)); 2121 pdu.cp.handle = qos->bcast.big; 2122 pdu.cp.sync_handle = cpu_to_le16(sync_handle); 2123 pdu.cp.encryption = qos->bcast.encryption; 2124 memcpy(pdu.cp.bcode, qos->bcast.bcode, sizeof(pdu.cp.bcode)); 2125 pdu.cp.mse = qos->bcast.mse; 2126 pdu.cp.timeout = cpu_to_le16(qos->bcast.timeout); 2127 pdu.cp.num_bis = num_bis; 2128 memcpy(pdu.bis, bis, num_bis); 2129 2130 return hci_send_cmd(hdev, HCI_OP_LE_BIG_CREATE_SYNC, 2131 sizeof(pdu.cp) + num_bis, &pdu); 2132 } 2133 2134 static void create_big_complete(struct hci_dev *hdev, void *data, int err) 2135 { 2136 struct hci_conn *conn = data; 2137 2138 bt_dev_dbg(hdev, "conn %p", conn); 2139 2140 if (err) { 2141 bt_dev_err(hdev, "Unable to create BIG: %d", err); 2142 hci_connect_cfm(conn, err); 2143 hci_conn_del(conn); 2144 } 2145 } 2146 2147 struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst, 2148 __u8 dst_type, struct bt_iso_qos *qos, 2149 __u8 base_len, __u8 *base) 2150 { 2151 struct hci_conn *conn; 2152 int err; 2153 2154 /* We need hci_conn object using the BDADDR_ANY as dst */ 2155 conn = hci_add_bis(hdev, dst, qos); 2156 if (IS_ERR(conn)) 2157 return conn; 2158 2159 hci_bind_bis(conn, qos); 2160 2161 /* Add Basic Announcement into Peridic Adv Data if BASE is set */ 2162 if (base_len && base) { 2163 base_len = eir_append_service_data(conn->le_per_adv_data, 0, 2164 0x1851, base, base_len); 2165 conn->le_per_adv_data_len = base_len; 2166 } 2167 2168 /* Queue start periodic advertising and create BIG */ 2169 err = hci_cmd_sync_queue(hdev, create_big_sync, conn, 2170 create_big_complete); 2171 if (err < 0) { 2172 hci_conn_drop(conn); 2173 return ERR_PTR(err); 2174 } 2175 2176 hci_iso_qos_setup(hdev, conn, &qos->bcast.out, 2177 conn->le_tx_phy ? conn->le_tx_phy : 2178 hdev->le_tx_def_phys); 2179 2180 return conn; 2181 } 2182 2183 struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst, 2184 __u8 dst_type, struct bt_iso_qos *qos) 2185 { 2186 struct hci_conn *le; 2187 struct hci_conn *cis; 2188 struct hci_link *link; 2189 2190 if (hci_dev_test_flag(hdev, HCI_ADVERTISING)) 2191 le = hci_connect_le(hdev, dst, dst_type, false, 2192 BT_SECURITY_LOW, 2193 HCI_LE_CONN_TIMEOUT, 2194 HCI_ROLE_SLAVE); 2195 else 2196 le = hci_connect_le_scan(hdev, dst, dst_type, 2197 BT_SECURITY_LOW, 2198 HCI_LE_CONN_TIMEOUT, 2199 CONN_REASON_ISO_CONNECT); 2200 if (IS_ERR(le)) 2201 return le; 2202 2203 hci_iso_qos_setup(hdev, le, &qos->ucast.out, 2204 le->le_tx_phy ? le->le_tx_phy : hdev->le_tx_def_phys); 2205 hci_iso_qos_setup(hdev, le, &qos->ucast.in, 2206 le->le_rx_phy ? le->le_rx_phy : hdev->le_rx_def_phys); 2207 2208 cis = hci_bind_cis(hdev, dst, dst_type, qos); 2209 if (IS_ERR(cis)) { 2210 hci_conn_drop(le); 2211 return cis; 2212 } 2213 2214 link = hci_conn_link(le, cis); 2215 if (!link) { 2216 hci_conn_drop(le); 2217 hci_conn_drop(cis); 2218 return NULL; 2219 } 2220 2221 /* If LE is already connected and CIS handle is already set proceed to 2222 * Create CIS immediately. 2223 */ 2224 if (le->state == BT_CONNECTED && cis->handle != HCI_CONN_HANDLE_UNSET) 2225 hci_le_create_cis(cis); 2226 2227 return cis; 2228 } 2229 2230 /* Check link security requirement */ 2231 int hci_conn_check_link_mode(struct hci_conn *conn) 2232 { 2233 BT_DBG("hcon %p", conn); 2234 2235 /* In Secure Connections Only mode, it is required that Secure 2236 * Connections is used and the link is encrypted with AES-CCM 2237 * using a P-256 authenticated combination key. 2238 */ 2239 if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) { 2240 if (!hci_conn_sc_enabled(conn) || 2241 !test_bit(HCI_CONN_AES_CCM, &conn->flags) || 2242 conn->key_type != HCI_LK_AUTH_COMBINATION_P256) 2243 return 0; 2244 } 2245 2246 /* AES encryption is required for Level 4: 2247 * 2248 * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C 2249 * page 1319: 2250 * 2251 * 128-bit equivalent strength for link and encryption keys 2252 * required using FIPS approved algorithms (E0 not allowed, 2253 * SAFER+ not allowed, and P-192 not allowed; encryption key 2254 * not shortened) 2255 */ 2256 if (conn->sec_level == BT_SECURITY_FIPS && 2257 !test_bit(HCI_CONN_AES_CCM, &conn->flags)) { 2258 bt_dev_err(conn->hdev, 2259 "Invalid security: Missing AES-CCM usage"); 2260 return 0; 2261 } 2262 2263 if (hci_conn_ssp_enabled(conn) && 2264 !test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2265 return 0; 2266 2267 return 1; 2268 } 2269 2270 /* Authenticate remote device */ 2271 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type) 2272 { 2273 BT_DBG("hcon %p", conn); 2274 2275 if (conn->pending_sec_level > sec_level) 2276 sec_level = conn->pending_sec_level; 2277 2278 if (sec_level > conn->sec_level) 2279 conn->pending_sec_level = sec_level; 2280 else if (test_bit(HCI_CONN_AUTH, &conn->flags)) 2281 return 1; 2282 2283 /* Make sure we preserve an existing MITM requirement*/ 2284 auth_type |= (conn->auth_type & 0x01); 2285 2286 conn->auth_type = auth_type; 2287 2288 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2289 struct hci_cp_auth_requested cp; 2290 2291 cp.handle = cpu_to_le16(conn->handle); 2292 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED, 2293 sizeof(cp), &cp); 2294 2295 /* If we're already encrypted set the REAUTH_PEND flag, 2296 * otherwise set the ENCRYPT_PEND. 2297 */ 2298 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2299 set_bit(HCI_CONN_REAUTH_PEND, &conn->flags); 2300 else 2301 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2302 } 2303 2304 return 0; 2305 } 2306 2307 /* Encrypt the link */ 2308 static void hci_conn_encrypt(struct hci_conn *conn) 2309 { 2310 BT_DBG("hcon %p", conn); 2311 2312 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 2313 struct hci_cp_set_conn_encrypt cp; 2314 cp.handle = cpu_to_le16(conn->handle); 2315 cp.encrypt = 0x01; 2316 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2317 &cp); 2318 } 2319 } 2320 2321 /* Enable security */ 2322 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type, 2323 bool initiator) 2324 { 2325 BT_DBG("hcon %p", conn); 2326 2327 if (conn->type == LE_LINK) 2328 return smp_conn_security(conn, sec_level); 2329 2330 /* For sdp we don't need the link key. */ 2331 if (sec_level == BT_SECURITY_SDP) 2332 return 1; 2333 2334 /* For non 2.1 devices and low security level we don't need the link 2335 key. */ 2336 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn)) 2337 return 1; 2338 2339 /* For other security levels we need the link key. */ 2340 if (!test_bit(HCI_CONN_AUTH, &conn->flags)) 2341 goto auth; 2342 2343 /* An authenticated FIPS approved combination key has sufficient 2344 * security for security level 4. */ 2345 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 && 2346 sec_level == BT_SECURITY_FIPS) 2347 goto encrypt; 2348 2349 /* An authenticated combination key has sufficient security for 2350 security level 3. */ 2351 if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 || 2352 conn->key_type == HCI_LK_AUTH_COMBINATION_P256) && 2353 sec_level == BT_SECURITY_HIGH) 2354 goto encrypt; 2355 2356 /* An unauthenticated combination key has sufficient security for 2357 security level 1 and 2. */ 2358 if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 || 2359 conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) && 2360 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW)) 2361 goto encrypt; 2362 2363 /* A combination key has always sufficient security for the security 2364 levels 1 or 2. High security level requires the combination key 2365 is generated using maximum PIN code length (16). 2366 For pre 2.1 units. */ 2367 if (conn->key_type == HCI_LK_COMBINATION && 2368 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW || 2369 conn->pin_length == 16)) 2370 goto encrypt; 2371 2372 auth: 2373 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) 2374 return 0; 2375 2376 if (initiator) 2377 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2378 2379 if (!hci_conn_auth(conn, sec_level, auth_type)) 2380 return 0; 2381 2382 encrypt: 2383 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) { 2384 /* Ensure that the encryption key size has been read, 2385 * otherwise stall the upper layer responses. 2386 */ 2387 if (!conn->enc_key_size) 2388 return 0; 2389 2390 /* Nothing else needed, all requirements are met */ 2391 return 1; 2392 } 2393 2394 hci_conn_encrypt(conn); 2395 return 0; 2396 } 2397 EXPORT_SYMBOL(hci_conn_security); 2398 2399 /* Check secure link requirement */ 2400 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level) 2401 { 2402 BT_DBG("hcon %p", conn); 2403 2404 /* Accept if non-secure or higher security level is required */ 2405 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS) 2406 return 1; 2407 2408 /* Accept if secure or higher security level is already present */ 2409 if (conn->sec_level == BT_SECURITY_HIGH || 2410 conn->sec_level == BT_SECURITY_FIPS) 2411 return 1; 2412 2413 /* Reject not secure link */ 2414 return 0; 2415 } 2416 EXPORT_SYMBOL(hci_conn_check_secure); 2417 2418 /* Switch role */ 2419 int hci_conn_switch_role(struct hci_conn *conn, __u8 role) 2420 { 2421 BT_DBG("hcon %p", conn); 2422 2423 if (role == conn->role) 2424 return 1; 2425 2426 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) { 2427 struct hci_cp_switch_role cp; 2428 bacpy(&cp.bdaddr, &conn->dst); 2429 cp.role = role; 2430 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp); 2431 } 2432 2433 return 0; 2434 } 2435 EXPORT_SYMBOL(hci_conn_switch_role); 2436 2437 /* Enter active mode */ 2438 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active) 2439 { 2440 struct hci_dev *hdev = conn->hdev; 2441 2442 BT_DBG("hcon %p mode %d", conn, conn->mode); 2443 2444 if (conn->mode != HCI_CM_SNIFF) 2445 goto timer; 2446 2447 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active) 2448 goto timer; 2449 2450 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) { 2451 struct hci_cp_exit_sniff_mode cp; 2452 cp.handle = cpu_to_le16(conn->handle); 2453 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp); 2454 } 2455 2456 timer: 2457 if (hdev->idle_timeout > 0) 2458 queue_delayed_work(hdev->workqueue, &conn->idle_work, 2459 msecs_to_jiffies(hdev->idle_timeout)); 2460 } 2461 2462 /* Drop all connection on the device */ 2463 void hci_conn_hash_flush(struct hci_dev *hdev) 2464 { 2465 struct hci_conn_hash *h = &hdev->conn_hash; 2466 struct hci_conn *c, *n; 2467 2468 BT_DBG("hdev %s", hdev->name); 2469 2470 list_for_each_entry_safe(c, n, &h->list, list) { 2471 c->state = BT_CLOSED; 2472 2473 hci_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM); 2474 2475 /* Unlink before deleting otherwise it is possible that 2476 * hci_conn_del removes the link which may cause the list to 2477 * contain items already freed. 2478 */ 2479 hci_conn_unlink(c); 2480 hci_conn_del(c); 2481 } 2482 } 2483 2484 /* Check pending connect attempts */ 2485 void hci_conn_check_pending(struct hci_dev *hdev) 2486 { 2487 struct hci_conn *conn; 2488 2489 BT_DBG("hdev %s", hdev->name); 2490 2491 hci_dev_lock(hdev); 2492 2493 conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2); 2494 if (conn) 2495 hci_acl_create_connection(conn); 2496 2497 hci_dev_unlock(hdev); 2498 } 2499 2500 static u32 get_link_mode(struct hci_conn *conn) 2501 { 2502 u32 link_mode = 0; 2503 2504 if (conn->role == HCI_ROLE_MASTER) 2505 link_mode |= HCI_LM_MASTER; 2506 2507 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2508 link_mode |= HCI_LM_ENCRYPT; 2509 2510 if (test_bit(HCI_CONN_AUTH, &conn->flags)) 2511 link_mode |= HCI_LM_AUTH; 2512 2513 if (test_bit(HCI_CONN_SECURE, &conn->flags)) 2514 link_mode |= HCI_LM_SECURE; 2515 2516 if (test_bit(HCI_CONN_FIPS, &conn->flags)) 2517 link_mode |= HCI_LM_FIPS; 2518 2519 return link_mode; 2520 } 2521 2522 int hci_get_conn_list(void __user *arg) 2523 { 2524 struct hci_conn *c; 2525 struct hci_conn_list_req req, *cl; 2526 struct hci_conn_info *ci; 2527 struct hci_dev *hdev; 2528 int n = 0, size, err; 2529 2530 if (copy_from_user(&req, arg, sizeof(req))) 2531 return -EFAULT; 2532 2533 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci)) 2534 return -EINVAL; 2535 2536 size = sizeof(req) + req.conn_num * sizeof(*ci); 2537 2538 cl = kmalloc(size, GFP_KERNEL); 2539 if (!cl) 2540 return -ENOMEM; 2541 2542 hdev = hci_dev_get(req.dev_id); 2543 if (!hdev) { 2544 kfree(cl); 2545 return -ENODEV; 2546 } 2547 2548 ci = cl->conn_info; 2549 2550 hci_dev_lock(hdev); 2551 list_for_each_entry(c, &hdev->conn_hash.list, list) { 2552 bacpy(&(ci + n)->bdaddr, &c->dst); 2553 (ci + n)->handle = c->handle; 2554 (ci + n)->type = c->type; 2555 (ci + n)->out = c->out; 2556 (ci + n)->state = c->state; 2557 (ci + n)->link_mode = get_link_mode(c); 2558 if (++n >= req.conn_num) 2559 break; 2560 } 2561 hci_dev_unlock(hdev); 2562 2563 cl->dev_id = hdev->id; 2564 cl->conn_num = n; 2565 size = sizeof(req) + n * sizeof(*ci); 2566 2567 hci_dev_put(hdev); 2568 2569 err = copy_to_user(arg, cl, size); 2570 kfree(cl); 2571 2572 return err ? -EFAULT : 0; 2573 } 2574 2575 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg) 2576 { 2577 struct hci_conn_info_req req; 2578 struct hci_conn_info ci; 2579 struct hci_conn *conn; 2580 char __user *ptr = arg + sizeof(req); 2581 2582 if (copy_from_user(&req, arg, sizeof(req))) 2583 return -EFAULT; 2584 2585 hci_dev_lock(hdev); 2586 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr); 2587 if (conn) { 2588 bacpy(&ci.bdaddr, &conn->dst); 2589 ci.handle = conn->handle; 2590 ci.type = conn->type; 2591 ci.out = conn->out; 2592 ci.state = conn->state; 2593 ci.link_mode = get_link_mode(conn); 2594 } 2595 hci_dev_unlock(hdev); 2596 2597 if (!conn) 2598 return -ENOENT; 2599 2600 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0; 2601 } 2602 2603 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg) 2604 { 2605 struct hci_auth_info_req req; 2606 struct hci_conn *conn; 2607 2608 if (copy_from_user(&req, arg, sizeof(req))) 2609 return -EFAULT; 2610 2611 hci_dev_lock(hdev); 2612 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr); 2613 if (conn) 2614 req.type = conn->auth_type; 2615 hci_dev_unlock(hdev); 2616 2617 if (!conn) 2618 return -ENOENT; 2619 2620 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0; 2621 } 2622 2623 struct hci_chan *hci_chan_create(struct hci_conn *conn) 2624 { 2625 struct hci_dev *hdev = conn->hdev; 2626 struct hci_chan *chan; 2627 2628 BT_DBG("%s hcon %p", hdev->name, conn); 2629 2630 if (test_bit(HCI_CONN_DROP, &conn->flags)) { 2631 BT_DBG("Refusing to create new hci_chan"); 2632 return NULL; 2633 } 2634 2635 chan = kzalloc(sizeof(*chan), GFP_KERNEL); 2636 if (!chan) 2637 return NULL; 2638 2639 chan->conn = hci_conn_get(conn); 2640 skb_queue_head_init(&chan->data_q); 2641 chan->state = BT_CONNECTED; 2642 2643 list_add_rcu(&chan->list, &conn->chan_list); 2644 2645 return chan; 2646 } 2647 2648 void hci_chan_del(struct hci_chan *chan) 2649 { 2650 struct hci_conn *conn = chan->conn; 2651 struct hci_dev *hdev = conn->hdev; 2652 2653 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan); 2654 2655 list_del_rcu(&chan->list); 2656 2657 synchronize_rcu(); 2658 2659 /* Prevent new hci_chan's to be created for this hci_conn */ 2660 set_bit(HCI_CONN_DROP, &conn->flags); 2661 2662 hci_conn_put(conn); 2663 2664 skb_queue_purge(&chan->data_q); 2665 kfree(chan); 2666 } 2667 2668 void hci_chan_list_flush(struct hci_conn *conn) 2669 { 2670 struct hci_chan *chan, *n; 2671 2672 BT_DBG("hcon %p", conn); 2673 2674 list_for_each_entry_safe(chan, n, &conn->chan_list, list) 2675 hci_chan_del(chan); 2676 } 2677 2678 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon, 2679 __u16 handle) 2680 { 2681 struct hci_chan *hchan; 2682 2683 list_for_each_entry(hchan, &hcon->chan_list, list) { 2684 if (hchan->handle == handle) 2685 return hchan; 2686 } 2687 2688 return NULL; 2689 } 2690 2691 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle) 2692 { 2693 struct hci_conn_hash *h = &hdev->conn_hash; 2694 struct hci_conn *hcon; 2695 struct hci_chan *hchan = NULL; 2696 2697 rcu_read_lock(); 2698 2699 list_for_each_entry_rcu(hcon, &h->list, list) { 2700 hchan = __hci_chan_lookup_handle(hcon, handle); 2701 if (hchan) 2702 break; 2703 } 2704 2705 rcu_read_unlock(); 2706 2707 return hchan; 2708 } 2709 2710 u32 hci_conn_get_phy(struct hci_conn *conn) 2711 { 2712 u32 phys = 0; 2713 2714 /* BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part B page 471: 2715 * Table 6.2: Packets defined for synchronous, asynchronous, and 2716 * CPB logical transport types. 2717 */ 2718 switch (conn->type) { 2719 case SCO_LINK: 2720 /* SCO logical transport (1 Mb/s): 2721 * HV1, HV2, HV3 and DV. 2722 */ 2723 phys |= BT_PHY_BR_1M_1SLOT; 2724 2725 break; 2726 2727 case ACL_LINK: 2728 /* ACL logical transport (1 Mb/s) ptt=0: 2729 * DH1, DM3, DH3, DM5 and DH5. 2730 */ 2731 phys |= BT_PHY_BR_1M_1SLOT; 2732 2733 if (conn->pkt_type & (HCI_DM3 | HCI_DH3)) 2734 phys |= BT_PHY_BR_1M_3SLOT; 2735 2736 if (conn->pkt_type & (HCI_DM5 | HCI_DH5)) 2737 phys |= BT_PHY_BR_1M_5SLOT; 2738 2739 /* ACL logical transport (2 Mb/s) ptt=1: 2740 * 2-DH1, 2-DH3 and 2-DH5. 2741 */ 2742 if (!(conn->pkt_type & HCI_2DH1)) 2743 phys |= BT_PHY_EDR_2M_1SLOT; 2744 2745 if (!(conn->pkt_type & HCI_2DH3)) 2746 phys |= BT_PHY_EDR_2M_3SLOT; 2747 2748 if (!(conn->pkt_type & HCI_2DH5)) 2749 phys |= BT_PHY_EDR_2M_5SLOT; 2750 2751 /* ACL logical transport (3 Mb/s) ptt=1: 2752 * 3-DH1, 3-DH3 and 3-DH5. 2753 */ 2754 if (!(conn->pkt_type & HCI_3DH1)) 2755 phys |= BT_PHY_EDR_3M_1SLOT; 2756 2757 if (!(conn->pkt_type & HCI_3DH3)) 2758 phys |= BT_PHY_EDR_3M_3SLOT; 2759 2760 if (!(conn->pkt_type & HCI_3DH5)) 2761 phys |= BT_PHY_EDR_3M_5SLOT; 2762 2763 break; 2764 2765 case ESCO_LINK: 2766 /* eSCO logical transport (1 Mb/s): EV3, EV4 and EV5 */ 2767 phys |= BT_PHY_BR_1M_1SLOT; 2768 2769 if (!(conn->pkt_type & (ESCO_EV4 | ESCO_EV5))) 2770 phys |= BT_PHY_BR_1M_3SLOT; 2771 2772 /* eSCO logical transport (2 Mb/s): 2-EV3, 2-EV5 */ 2773 if (!(conn->pkt_type & ESCO_2EV3)) 2774 phys |= BT_PHY_EDR_2M_1SLOT; 2775 2776 if (!(conn->pkt_type & ESCO_2EV5)) 2777 phys |= BT_PHY_EDR_2M_3SLOT; 2778 2779 /* eSCO logical transport (3 Mb/s): 3-EV3, 3-EV5 */ 2780 if (!(conn->pkt_type & ESCO_3EV3)) 2781 phys |= BT_PHY_EDR_3M_1SLOT; 2782 2783 if (!(conn->pkt_type & ESCO_3EV5)) 2784 phys |= BT_PHY_EDR_3M_3SLOT; 2785 2786 break; 2787 2788 case LE_LINK: 2789 if (conn->le_tx_phy & HCI_LE_SET_PHY_1M) 2790 phys |= BT_PHY_LE_1M_TX; 2791 2792 if (conn->le_rx_phy & HCI_LE_SET_PHY_1M) 2793 phys |= BT_PHY_LE_1M_RX; 2794 2795 if (conn->le_tx_phy & HCI_LE_SET_PHY_2M) 2796 phys |= BT_PHY_LE_2M_TX; 2797 2798 if (conn->le_rx_phy & HCI_LE_SET_PHY_2M) 2799 phys |= BT_PHY_LE_2M_RX; 2800 2801 if (conn->le_tx_phy & HCI_LE_SET_PHY_CODED) 2802 phys |= BT_PHY_LE_CODED_TX; 2803 2804 if (conn->le_rx_phy & HCI_LE_SET_PHY_CODED) 2805 phys |= BT_PHY_LE_CODED_RX; 2806 2807 break; 2808 } 2809 2810 return phys; 2811 } 2812 2813 int hci_abort_conn(struct hci_conn *conn, u8 reason) 2814 { 2815 int r = 0; 2816 2817 if (test_and_set_bit(HCI_CONN_CANCEL, &conn->flags)) 2818 return 0; 2819 2820 switch (conn->state) { 2821 case BT_CONNECTED: 2822 case BT_CONFIG: 2823 if (conn->type == AMP_LINK) { 2824 struct hci_cp_disconn_phy_link cp; 2825 2826 cp.phy_handle = HCI_PHY_HANDLE(conn->handle); 2827 cp.reason = reason; 2828 r = hci_send_cmd(conn->hdev, HCI_OP_DISCONN_PHY_LINK, 2829 sizeof(cp), &cp); 2830 } else { 2831 struct hci_cp_disconnect dc; 2832 2833 dc.handle = cpu_to_le16(conn->handle); 2834 dc.reason = reason; 2835 r = hci_send_cmd(conn->hdev, HCI_OP_DISCONNECT, 2836 sizeof(dc), &dc); 2837 } 2838 2839 conn->state = BT_DISCONN; 2840 2841 break; 2842 case BT_CONNECT: 2843 if (conn->type == LE_LINK) { 2844 if (test_bit(HCI_CONN_SCANNING, &conn->flags)) 2845 break; 2846 r = hci_send_cmd(conn->hdev, 2847 HCI_OP_LE_CREATE_CONN_CANCEL, 0, NULL); 2848 } else if (conn->type == ACL_LINK) { 2849 if (conn->hdev->hci_ver < BLUETOOTH_VER_1_2) 2850 break; 2851 r = hci_send_cmd(conn->hdev, 2852 HCI_OP_CREATE_CONN_CANCEL, 2853 6, &conn->dst); 2854 } 2855 break; 2856 case BT_CONNECT2: 2857 if (conn->type == ACL_LINK) { 2858 struct hci_cp_reject_conn_req rej; 2859 2860 bacpy(&rej.bdaddr, &conn->dst); 2861 rej.reason = reason; 2862 2863 r = hci_send_cmd(conn->hdev, 2864 HCI_OP_REJECT_CONN_REQ, 2865 sizeof(rej), &rej); 2866 } else if (conn->type == SCO_LINK || conn->type == ESCO_LINK) { 2867 struct hci_cp_reject_sync_conn_req rej; 2868 2869 bacpy(&rej.bdaddr, &conn->dst); 2870 2871 /* SCO rejection has its own limited set of 2872 * allowed error values (0x0D-0x0F) which isn't 2873 * compatible with most values passed to this 2874 * function. To be safe hard-code one of the 2875 * values that's suitable for SCO. 2876 */ 2877 rej.reason = HCI_ERROR_REJ_LIMITED_RESOURCES; 2878 2879 r = hci_send_cmd(conn->hdev, 2880 HCI_OP_REJECT_SYNC_CONN_REQ, 2881 sizeof(rej), &rej); 2882 } 2883 break; 2884 default: 2885 conn->state = BT_CLOSED; 2886 break; 2887 } 2888 2889 return r; 2890 } 2891