1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 Copyright 2023 NXP 5 6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 7 8 This program is free software; you can redistribute it and/or modify 9 it under the terms of the GNU General Public License version 2 as 10 published by the Free Software Foundation; 11 12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 23 SOFTWARE IS DISCLAIMED. 24 */ 25 26 /* Bluetooth HCI connection handling. */ 27 28 #include <linux/export.h> 29 #include <linux/debugfs.h> 30 31 #include <net/bluetooth/bluetooth.h> 32 #include <net/bluetooth/hci_core.h> 33 #include <net/bluetooth/l2cap.h> 34 #include <net/bluetooth/iso.h> 35 #include <net/bluetooth/mgmt.h> 36 37 #include "hci_request.h" 38 #include "smp.h" 39 #include "eir.h" 40 41 struct sco_param { 42 u16 pkt_type; 43 u16 max_latency; 44 u8 retrans_effort; 45 }; 46 47 struct conn_handle_t { 48 struct hci_conn *conn; 49 __u16 handle; 50 }; 51 52 static const struct sco_param esco_param_cvsd[] = { 53 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */ 54 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */ 55 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */ 56 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */ 57 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */ 58 }; 59 60 static const struct sco_param sco_param_cvsd[] = { 61 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */ 62 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */ 63 }; 64 65 static const struct sco_param esco_param_msbc[] = { 66 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */ 67 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */ 68 }; 69 70 /* This function requires the caller holds hdev->lock */ 71 static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status) 72 { 73 struct hci_conn_params *params; 74 struct hci_dev *hdev = conn->hdev; 75 struct smp_irk *irk; 76 bdaddr_t *bdaddr; 77 u8 bdaddr_type; 78 79 bdaddr = &conn->dst; 80 bdaddr_type = conn->dst_type; 81 82 /* Check if we need to convert to identity address */ 83 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 84 if (irk) { 85 bdaddr = &irk->bdaddr; 86 bdaddr_type = irk->addr_type; 87 } 88 89 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr, 90 bdaddr_type); 91 if (!params) 92 return; 93 94 if (params->conn) { 95 hci_conn_drop(params->conn); 96 hci_conn_put(params->conn); 97 params->conn = NULL; 98 } 99 100 if (!params->explicit_connect) 101 return; 102 103 /* If the status indicates successful cancellation of 104 * the attempt (i.e. Unknown Connection Id) there's no point of 105 * notifying failure since we'll go back to keep trying to 106 * connect. The only exception is explicit connect requests 107 * where a timeout + cancel does indicate an actual failure. 108 */ 109 if (status && status != HCI_ERROR_UNKNOWN_CONN_ID) 110 mgmt_connect_failed(hdev, &conn->dst, conn->type, 111 conn->dst_type, status); 112 113 /* The connection attempt was doing scan for new RPA, and is 114 * in scan phase. If params are not associated with any other 115 * autoconnect action, remove them completely. If they are, just unmark 116 * them as waiting for connection, by clearing explicit_connect field. 117 */ 118 params->explicit_connect = false; 119 120 hci_pend_le_list_del_init(params); 121 122 switch (params->auto_connect) { 123 case HCI_AUTO_CONN_EXPLICIT: 124 hci_conn_params_del(hdev, bdaddr, bdaddr_type); 125 /* return instead of break to avoid duplicate scan update */ 126 return; 127 case HCI_AUTO_CONN_DIRECT: 128 case HCI_AUTO_CONN_ALWAYS: 129 hci_pend_le_list_add(params, &hdev->pend_le_conns); 130 break; 131 case HCI_AUTO_CONN_REPORT: 132 hci_pend_le_list_add(params, &hdev->pend_le_reports); 133 break; 134 default: 135 break; 136 } 137 138 hci_update_passive_scan(hdev); 139 } 140 141 static void hci_conn_cleanup(struct hci_conn *conn) 142 { 143 struct hci_dev *hdev = conn->hdev; 144 145 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags)) 146 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type); 147 148 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 149 hci_remove_link_key(hdev, &conn->dst); 150 151 hci_chan_list_flush(conn); 152 153 hci_conn_hash_del(hdev, conn); 154 155 if (HCI_CONN_HANDLE_UNSET(conn->handle)) 156 ida_free(&hdev->unset_handle_ida, conn->handle); 157 158 if (conn->cleanup) 159 conn->cleanup(conn); 160 161 if (conn->type == SCO_LINK || conn->type == ESCO_LINK) { 162 switch (conn->setting & SCO_AIRMODE_MASK) { 163 case SCO_AIRMODE_CVSD: 164 case SCO_AIRMODE_TRANSP: 165 if (hdev->notify) 166 hdev->notify(hdev, HCI_NOTIFY_DISABLE_SCO); 167 break; 168 } 169 } else { 170 if (hdev->notify) 171 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL); 172 } 173 174 debugfs_remove_recursive(conn->debugfs); 175 176 hci_conn_del_sysfs(conn); 177 178 hci_dev_put(hdev); 179 } 180 181 static void hci_acl_create_connection(struct hci_conn *conn) 182 { 183 struct hci_dev *hdev = conn->hdev; 184 struct inquiry_entry *ie; 185 struct hci_cp_create_conn cp; 186 187 BT_DBG("hcon %p", conn); 188 189 /* Many controllers disallow HCI Create Connection while it is doing 190 * HCI Inquiry. So we cancel the Inquiry first before issuing HCI Create 191 * Connection. This may cause the MGMT discovering state to become false 192 * without user space's request but it is okay since the MGMT Discovery 193 * APIs do not promise that discovery should be done forever. Instead, 194 * the user space monitors the status of MGMT discovering and it may 195 * request for discovery again when this flag becomes false. 196 */ 197 if (test_bit(HCI_INQUIRY, &hdev->flags)) { 198 /* Put this connection to "pending" state so that it will be 199 * executed after the inquiry cancel command complete event. 200 */ 201 conn->state = BT_CONNECT2; 202 hci_send_cmd(hdev, HCI_OP_INQUIRY_CANCEL, 0, NULL); 203 return; 204 } 205 206 conn->state = BT_CONNECT; 207 conn->out = true; 208 conn->role = HCI_ROLE_MASTER; 209 210 conn->attempt++; 211 212 conn->link_policy = hdev->link_policy; 213 214 memset(&cp, 0, sizeof(cp)); 215 bacpy(&cp.bdaddr, &conn->dst); 216 cp.pscan_rep_mode = 0x02; 217 218 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 219 if (ie) { 220 if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) { 221 cp.pscan_rep_mode = ie->data.pscan_rep_mode; 222 cp.pscan_mode = ie->data.pscan_mode; 223 cp.clock_offset = ie->data.clock_offset | 224 cpu_to_le16(0x8000); 225 } 226 227 memcpy(conn->dev_class, ie->data.dev_class, 3); 228 } 229 230 cp.pkt_type = cpu_to_le16(conn->pkt_type); 231 if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER)) 232 cp.role_switch = 0x01; 233 else 234 cp.role_switch = 0x00; 235 236 hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp); 237 } 238 239 int hci_disconnect(struct hci_conn *conn, __u8 reason) 240 { 241 BT_DBG("hcon %p", conn); 242 243 /* When we are central of an established connection and it enters 244 * the disconnect timeout, then go ahead and try to read the 245 * current clock offset. Processing of the result is done 246 * within the event handling and hci_clock_offset_evt function. 247 */ 248 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER && 249 (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) { 250 struct hci_dev *hdev = conn->hdev; 251 struct hci_cp_read_clock_offset clkoff_cp; 252 253 clkoff_cp.handle = cpu_to_le16(conn->handle); 254 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp), 255 &clkoff_cp); 256 } 257 258 return hci_abort_conn(conn, reason); 259 } 260 261 static void hci_add_sco(struct hci_conn *conn, __u16 handle) 262 { 263 struct hci_dev *hdev = conn->hdev; 264 struct hci_cp_add_sco cp; 265 266 BT_DBG("hcon %p", conn); 267 268 conn->state = BT_CONNECT; 269 conn->out = true; 270 271 conn->attempt++; 272 273 cp.handle = cpu_to_le16(handle); 274 cp.pkt_type = cpu_to_le16(conn->pkt_type); 275 276 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp); 277 } 278 279 static bool find_next_esco_param(struct hci_conn *conn, 280 const struct sco_param *esco_param, int size) 281 { 282 if (!conn->parent) 283 return false; 284 285 for (; conn->attempt <= size; conn->attempt++) { 286 if (lmp_esco_2m_capable(conn->parent) || 287 (esco_param[conn->attempt - 1].pkt_type & ESCO_2EV3)) 288 break; 289 BT_DBG("hcon %p skipped attempt %d, eSCO 2M not supported", 290 conn, conn->attempt); 291 } 292 293 return conn->attempt <= size; 294 } 295 296 static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec) 297 { 298 int err; 299 __u8 vnd_len, *vnd_data = NULL; 300 struct hci_op_configure_data_path *cmd = NULL; 301 302 err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len, 303 &vnd_data); 304 if (err < 0) 305 goto error; 306 307 cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL); 308 if (!cmd) { 309 err = -ENOMEM; 310 goto error; 311 } 312 313 err = hdev->get_data_path_id(hdev, &cmd->data_path_id); 314 if (err < 0) 315 goto error; 316 317 cmd->vnd_len = vnd_len; 318 memcpy(cmd->vnd_data, vnd_data, vnd_len); 319 320 cmd->direction = 0x00; 321 __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH, 322 sizeof(*cmd) + vnd_len, cmd, HCI_CMD_TIMEOUT); 323 324 cmd->direction = 0x01; 325 err = __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH, 326 sizeof(*cmd) + vnd_len, cmd, 327 HCI_CMD_TIMEOUT); 328 error: 329 330 kfree(cmd); 331 kfree(vnd_data); 332 return err; 333 } 334 335 static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data) 336 { 337 struct conn_handle_t *conn_handle = data; 338 struct hci_conn *conn = conn_handle->conn; 339 __u16 handle = conn_handle->handle; 340 struct hci_cp_enhanced_setup_sync_conn cp; 341 const struct sco_param *param; 342 343 kfree(conn_handle); 344 345 bt_dev_dbg(hdev, "hcon %p", conn); 346 347 /* for offload use case, codec needs to configured before opening SCO */ 348 if (conn->codec.data_path) 349 configure_datapath_sync(hdev, &conn->codec); 350 351 conn->state = BT_CONNECT; 352 conn->out = true; 353 354 conn->attempt++; 355 356 memset(&cp, 0x00, sizeof(cp)); 357 358 cp.handle = cpu_to_le16(handle); 359 360 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 361 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 362 363 switch (conn->codec.id) { 364 case BT_CODEC_MSBC: 365 if (!find_next_esco_param(conn, esco_param_msbc, 366 ARRAY_SIZE(esco_param_msbc))) 367 return -EINVAL; 368 369 param = &esco_param_msbc[conn->attempt - 1]; 370 cp.tx_coding_format.id = 0x05; 371 cp.rx_coding_format.id = 0x05; 372 cp.tx_codec_frame_size = __cpu_to_le16(60); 373 cp.rx_codec_frame_size = __cpu_to_le16(60); 374 cp.in_bandwidth = __cpu_to_le32(32000); 375 cp.out_bandwidth = __cpu_to_le32(32000); 376 cp.in_coding_format.id = 0x04; 377 cp.out_coding_format.id = 0x04; 378 cp.in_coded_data_size = __cpu_to_le16(16); 379 cp.out_coded_data_size = __cpu_to_le16(16); 380 cp.in_pcm_data_format = 2; 381 cp.out_pcm_data_format = 2; 382 cp.in_pcm_sample_payload_msb_pos = 0; 383 cp.out_pcm_sample_payload_msb_pos = 0; 384 cp.in_data_path = conn->codec.data_path; 385 cp.out_data_path = conn->codec.data_path; 386 cp.in_transport_unit_size = 1; 387 cp.out_transport_unit_size = 1; 388 break; 389 390 case BT_CODEC_TRANSPARENT: 391 if (!find_next_esco_param(conn, esco_param_msbc, 392 ARRAY_SIZE(esco_param_msbc))) 393 return false; 394 param = &esco_param_msbc[conn->attempt - 1]; 395 cp.tx_coding_format.id = 0x03; 396 cp.rx_coding_format.id = 0x03; 397 cp.tx_codec_frame_size = __cpu_to_le16(60); 398 cp.rx_codec_frame_size = __cpu_to_le16(60); 399 cp.in_bandwidth = __cpu_to_le32(0x1f40); 400 cp.out_bandwidth = __cpu_to_le32(0x1f40); 401 cp.in_coding_format.id = 0x03; 402 cp.out_coding_format.id = 0x03; 403 cp.in_coded_data_size = __cpu_to_le16(16); 404 cp.out_coded_data_size = __cpu_to_le16(16); 405 cp.in_pcm_data_format = 2; 406 cp.out_pcm_data_format = 2; 407 cp.in_pcm_sample_payload_msb_pos = 0; 408 cp.out_pcm_sample_payload_msb_pos = 0; 409 cp.in_data_path = conn->codec.data_path; 410 cp.out_data_path = conn->codec.data_path; 411 cp.in_transport_unit_size = 1; 412 cp.out_transport_unit_size = 1; 413 break; 414 415 case BT_CODEC_CVSD: 416 if (conn->parent && lmp_esco_capable(conn->parent)) { 417 if (!find_next_esco_param(conn, esco_param_cvsd, 418 ARRAY_SIZE(esco_param_cvsd))) 419 return -EINVAL; 420 param = &esco_param_cvsd[conn->attempt - 1]; 421 } else { 422 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd)) 423 return -EINVAL; 424 param = &sco_param_cvsd[conn->attempt - 1]; 425 } 426 cp.tx_coding_format.id = 2; 427 cp.rx_coding_format.id = 2; 428 cp.tx_codec_frame_size = __cpu_to_le16(60); 429 cp.rx_codec_frame_size = __cpu_to_le16(60); 430 cp.in_bandwidth = __cpu_to_le32(16000); 431 cp.out_bandwidth = __cpu_to_le32(16000); 432 cp.in_coding_format.id = 4; 433 cp.out_coding_format.id = 4; 434 cp.in_coded_data_size = __cpu_to_le16(16); 435 cp.out_coded_data_size = __cpu_to_le16(16); 436 cp.in_pcm_data_format = 2; 437 cp.out_pcm_data_format = 2; 438 cp.in_pcm_sample_payload_msb_pos = 0; 439 cp.out_pcm_sample_payload_msb_pos = 0; 440 cp.in_data_path = conn->codec.data_path; 441 cp.out_data_path = conn->codec.data_path; 442 cp.in_transport_unit_size = 16; 443 cp.out_transport_unit_size = 16; 444 break; 445 default: 446 return -EINVAL; 447 } 448 449 cp.retrans_effort = param->retrans_effort; 450 cp.pkt_type = __cpu_to_le16(param->pkt_type); 451 cp.max_latency = __cpu_to_le16(param->max_latency); 452 453 if (hci_send_cmd(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0) 454 return -EIO; 455 456 return 0; 457 } 458 459 static bool hci_setup_sync_conn(struct hci_conn *conn, __u16 handle) 460 { 461 struct hci_dev *hdev = conn->hdev; 462 struct hci_cp_setup_sync_conn cp; 463 const struct sco_param *param; 464 465 bt_dev_dbg(hdev, "hcon %p", conn); 466 467 conn->state = BT_CONNECT; 468 conn->out = true; 469 470 conn->attempt++; 471 472 cp.handle = cpu_to_le16(handle); 473 474 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 475 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 476 cp.voice_setting = cpu_to_le16(conn->setting); 477 478 switch (conn->setting & SCO_AIRMODE_MASK) { 479 case SCO_AIRMODE_TRANSP: 480 if (!find_next_esco_param(conn, esco_param_msbc, 481 ARRAY_SIZE(esco_param_msbc))) 482 return false; 483 param = &esco_param_msbc[conn->attempt - 1]; 484 break; 485 case SCO_AIRMODE_CVSD: 486 if (conn->parent && lmp_esco_capable(conn->parent)) { 487 if (!find_next_esco_param(conn, esco_param_cvsd, 488 ARRAY_SIZE(esco_param_cvsd))) 489 return false; 490 param = &esco_param_cvsd[conn->attempt - 1]; 491 } else { 492 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd)) 493 return false; 494 param = &sco_param_cvsd[conn->attempt - 1]; 495 } 496 break; 497 default: 498 return false; 499 } 500 501 cp.retrans_effort = param->retrans_effort; 502 cp.pkt_type = __cpu_to_le16(param->pkt_type); 503 cp.max_latency = __cpu_to_le16(param->max_latency); 504 505 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0) 506 return false; 507 508 return true; 509 } 510 511 bool hci_setup_sync(struct hci_conn *conn, __u16 handle) 512 { 513 int result; 514 struct conn_handle_t *conn_handle; 515 516 if (enhanced_sync_conn_capable(conn->hdev)) { 517 conn_handle = kzalloc(sizeof(*conn_handle), GFP_KERNEL); 518 519 if (!conn_handle) 520 return false; 521 522 conn_handle->conn = conn; 523 conn_handle->handle = handle; 524 result = hci_cmd_sync_queue(conn->hdev, hci_enhanced_setup_sync, 525 conn_handle, NULL); 526 if (result < 0) 527 kfree(conn_handle); 528 529 return result == 0; 530 } 531 532 return hci_setup_sync_conn(conn, handle); 533 } 534 535 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency, 536 u16 to_multiplier) 537 { 538 struct hci_dev *hdev = conn->hdev; 539 struct hci_conn_params *params; 540 struct hci_cp_le_conn_update cp; 541 542 hci_dev_lock(hdev); 543 544 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 545 if (params) { 546 params->conn_min_interval = min; 547 params->conn_max_interval = max; 548 params->conn_latency = latency; 549 params->supervision_timeout = to_multiplier; 550 } 551 552 hci_dev_unlock(hdev); 553 554 memset(&cp, 0, sizeof(cp)); 555 cp.handle = cpu_to_le16(conn->handle); 556 cp.conn_interval_min = cpu_to_le16(min); 557 cp.conn_interval_max = cpu_to_le16(max); 558 cp.conn_latency = cpu_to_le16(latency); 559 cp.supervision_timeout = cpu_to_le16(to_multiplier); 560 cp.min_ce_len = cpu_to_le16(0x0000); 561 cp.max_ce_len = cpu_to_le16(0x0000); 562 563 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp); 564 565 if (params) 566 return 0x01; 567 568 return 0x00; 569 } 570 571 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand, 572 __u8 ltk[16], __u8 key_size) 573 { 574 struct hci_dev *hdev = conn->hdev; 575 struct hci_cp_le_start_enc cp; 576 577 BT_DBG("hcon %p", conn); 578 579 memset(&cp, 0, sizeof(cp)); 580 581 cp.handle = cpu_to_le16(conn->handle); 582 cp.rand = rand; 583 cp.ediv = ediv; 584 memcpy(cp.ltk, ltk, key_size); 585 586 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp); 587 } 588 589 /* Device _must_ be locked */ 590 void hci_sco_setup(struct hci_conn *conn, __u8 status) 591 { 592 struct hci_link *link; 593 594 link = list_first_entry_or_null(&conn->link_list, struct hci_link, list); 595 if (!link || !link->conn) 596 return; 597 598 BT_DBG("hcon %p", conn); 599 600 if (!status) { 601 if (lmp_esco_capable(conn->hdev)) 602 hci_setup_sync(link->conn, conn->handle); 603 else 604 hci_add_sco(link->conn, conn->handle); 605 } else { 606 hci_connect_cfm(link->conn, status); 607 hci_conn_del(link->conn); 608 } 609 } 610 611 static void hci_conn_timeout(struct work_struct *work) 612 { 613 struct hci_conn *conn = container_of(work, struct hci_conn, 614 disc_work.work); 615 int refcnt = atomic_read(&conn->refcnt); 616 617 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state)); 618 619 WARN_ON(refcnt < 0); 620 621 /* FIXME: It was observed that in pairing failed scenario, refcnt 622 * drops below 0. Probably this is because l2cap_conn_del calls 623 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is 624 * dropped. After that loop hci_chan_del is called which also drops 625 * conn. For now make sure that ACL is alive if refcnt is higher then 0, 626 * otherwise drop it. 627 */ 628 if (refcnt > 0) 629 return; 630 631 hci_abort_conn(conn, hci_proto_disconn_ind(conn)); 632 } 633 634 /* Enter sniff mode */ 635 static void hci_conn_idle(struct work_struct *work) 636 { 637 struct hci_conn *conn = container_of(work, struct hci_conn, 638 idle_work.work); 639 struct hci_dev *hdev = conn->hdev; 640 641 BT_DBG("hcon %p mode %d", conn, conn->mode); 642 643 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn)) 644 return; 645 646 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF)) 647 return; 648 649 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) { 650 struct hci_cp_sniff_subrate cp; 651 cp.handle = cpu_to_le16(conn->handle); 652 cp.max_latency = cpu_to_le16(0); 653 cp.min_remote_timeout = cpu_to_le16(0); 654 cp.min_local_timeout = cpu_to_le16(0); 655 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp); 656 } 657 658 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) { 659 struct hci_cp_sniff_mode cp; 660 cp.handle = cpu_to_le16(conn->handle); 661 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval); 662 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval); 663 cp.attempt = cpu_to_le16(4); 664 cp.timeout = cpu_to_le16(1); 665 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp); 666 } 667 } 668 669 static void hci_conn_auto_accept(struct work_struct *work) 670 { 671 struct hci_conn *conn = container_of(work, struct hci_conn, 672 auto_accept_work.work); 673 674 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst), 675 &conn->dst); 676 } 677 678 static void le_disable_advertising(struct hci_dev *hdev) 679 { 680 if (ext_adv_capable(hdev)) { 681 struct hci_cp_le_set_ext_adv_enable cp; 682 683 cp.enable = 0x00; 684 cp.num_of_sets = 0x00; 685 686 hci_send_cmd(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE, sizeof(cp), 687 &cp); 688 } else { 689 u8 enable = 0x00; 690 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), 691 &enable); 692 } 693 } 694 695 static void le_conn_timeout(struct work_struct *work) 696 { 697 struct hci_conn *conn = container_of(work, struct hci_conn, 698 le_conn_timeout.work); 699 struct hci_dev *hdev = conn->hdev; 700 701 BT_DBG(""); 702 703 /* We could end up here due to having done directed advertising, 704 * so clean up the state if necessary. This should however only 705 * happen with broken hardware or if low duty cycle was used 706 * (which doesn't have a timeout of its own). 707 */ 708 if (conn->role == HCI_ROLE_SLAVE) { 709 /* Disable LE Advertising */ 710 le_disable_advertising(hdev); 711 hci_dev_lock(hdev); 712 hci_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT); 713 hci_dev_unlock(hdev); 714 return; 715 } 716 717 hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM); 718 } 719 720 struct iso_cig_params { 721 struct hci_cp_le_set_cig_params cp; 722 struct hci_cis_params cis[0x1f]; 723 }; 724 725 struct iso_list_data { 726 union { 727 u8 cig; 728 u8 big; 729 }; 730 union { 731 u8 cis; 732 u8 bis; 733 u16 sync_handle; 734 }; 735 int count; 736 bool big_term; 737 bool pa_sync_term; 738 bool big_sync_term; 739 }; 740 741 static void bis_list(struct hci_conn *conn, void *data) 742 { 743 struct iso_list_data *d = data; 744 745 /* Skip if not broadcast/ANY address */ 746 if (bacmp(&conn->dst, BDADDR_ANY)) 747 return; 748 749 if (d->big != conn->iso_qos.bcast.big || d->bis == BT_ISO_QOS_BIS_UNSET || 750 d->bis != conn->iso_qos.bcast.bis) 751 return; 752 753 d->count++; 754 } 755 756 static int terminate_big_sync(struct hci_dev *hdev, void *data) 757 { 758 struct iso_list_data *d = data; 759 760 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", d->big, d->bis); 761 762 hci_disable_per_advertising_sync(hdev, d->bis); 763 hci_remove_ext_adv_instance_sync(hdev, d->bis, NULL); 764 765 /* Only terminate BIG if it has been created */ 766 if (!d->big_term) 767 return 0; 768 769 return hci_le_terminate_big_sync(hdev, d->big, 770 HCI_ERROR_LOCAL_HOST_TERM); 771 } 772 773 static void terminate_big_destroy(struct hci_dev *hdev, void *data, int err) 774 { 775 kfree(data); 776 } 777 778 static int hci_le_terminate_big(struct hci_dev *hdev, struct hci_conn *conn) 779 { 780 struct iso_list_data *d; 781 int ret; 782 783 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", conn->iso_qos.bcast.big, 784 conn->iso_qos.bcast.bis); 785 786 d = kzalloc(sizeof(*d), GFP_KERNEL); 787 if (!d) 788 return -ENOMEM; 789 790 d->big = conn->iso_qos.bcast.big; 791 d->bis = conn->iso_qos.bcast.bis; 792 d->big_term = test_and_clear_bit(HCI_CONN_BIG_CREATED, &conn->flags); 793 794 ret = hci_cmd_sync_queue(hdev, terminate_big_sync, d, 795 terminate_big_destroy); 796 if (ret) 797 kfree(d); 798 799 return ret; 800 } 801 802 static int big_terminate_sync(struct hci_dev *hdev, void *data) 803 { 804 struct iso_list_data *d = data; 805 806 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", d->big, 807 d->sync_handle); 808 809 if (d->big_sync_term) 810 hci_le_big_terminate_sync(hdev, d->big); 811 812 if (d->pa_sync_term) 813 return hci_le_pa_terminate_sync(hdev, d->sync_handle); 814 815 return 0; 816 } 817 818 static int hci_le_big_terminate(struct hci_dev *hdev, u8 big, struct hci_conn *conn) 819 { 820 struct iso_list_data *d; 821 int ret; 822 823 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", big, conn->sync_handle); 824 825 d = kzalloc(sizeof(*d), GFP_KERNEL); 826 if (!d) 827 return -ENOMEM; 828 829 d->big = big; 830 d->sync_handle = conn->sync_handle; 831 d->pa_sync_term = test_and_clear_bit(HCI_CONN_PA_SYNC, &conn->flags); 832 d->big_sync_term = test_and_clear_bit(HCI_CONN_BIG_SYNC, &conn->flags); 833 834 ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d, 835 terminate_big_destroy); 836 if (ret) 837 kfree(d); 838 839 return ret; 840 } 841 842 /* Cleanup BIS connection 843 * 844 * Detects if there any BIS left connected in a BIG 845 * broadcaster: Remove advertising instance and terminate BIG. 846 * broadcaster receiver: Teminate BIG sync and terminate PA sync. 847 */ 848 static void bis_cleanup(struct hci_conn *conn) 849 { 850 struct hci_dev *hdev = conn->hdev; 851 struct hci_conn *bis; 852 853 bt_dev_dbg(hdev, "conn %p", conn); 854 855 if (conn->role == HCI_ROLE_MASTER) { 856 if (!test_and_clear_bit(HCI_CONN_PER_ADV, &conn->flags)) 857 return; 858 859 /* Check if ISO connection is a BIS and terminate advertising 860 * set and BIG if there are no other connections using it. 861 */ 862 bis = hci_conn_hash_lookup_big(hdev, conn->iso_qos.bcast.big); 863 if (bis) 864 return; 865 866 hci_le_terminate_big(hdev, conn); 867 } else { 868 bis = hci_conn_hash_lookup_big_any_dst(hdev, 869 conn->iso_qos.bcast.big); 870 871 if (bis) 872 return; 873 874 hci_le_big_terminate(hdev, conn->iso_qos.bcast.big, 875 conn); 876 } 877 } 878 879 static int remove_cig_sync(struct hci_dev *hdev, void *data) 880 { 881 u8 handle = PTR_UINT(data); 882 883 return hci_le_remove_cig_sync(hdev, handle); 884 } 885 886 static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle) 887 { 888 bt_dev_dbg(hdev, "handle 0x%2.2x", handle); 889 890 return hci_cmd_sync_queue(hdev, remove_cig_sync, UINT_PTR(handle), 891 NULL); 892 } 893 894 static void find_cis(struct hci_conn *conn, void *data) 895 { 896 struct iso_list_data *d = data; 897 898 /* Ignore broadcast or if CIG don't match */ 899 if (!bacmp(&conn->dst, BDADDR_ANY) || d->cig != conn->iso_qos.ucast.cig) 900 return; 901 902 d->count++; 903 } 904 905 /* Cleanup CIS connection: 906 * 907 * Detects if there any CIS left connected in a CIG and remove it. 908 */ 909 static void cis_cleanup(struct hci_conn *conn) 910 { 911 struct hci_dev *hdev = conn->hdev; 912 struct iso_list_data d; 913 914 if (conn->iso_qos.ucast.cig == BT_ISO_QOS_CIG_UNSET) 915 return; 916 917 memset(&d, 0, sizeof(d)); 918 d.cig = conn->iso_qos.ucast.cig; 919 920 /* Check if ISO connection is a CIS and remove CIG if there are 921 * no other connections using it. 922 */ 923 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_BOUND, &d); 924 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECT, &d); 925 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECTED, &d); 926 if (d.count) 927 return; 928 929 hci_le_remove_cig(hdev, conn->iso_qos.ucast.cig); 930 } 931 932 static int hci_conn_hash_alloc_unset(struct hci_dev *hdev) 933 { 934 return ida_alloc_range(&hdev->unset_handle_ida, HCI_CONN_HANDLE_MAX + 1, 935 U16_MAX, GFP_ATOMIC); 936 } 937 938 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst, 939 u8 role, u16 handle) 940 { 941 struct hci_conn *conn; 942 943 switch (type) { 944 case ACL_LINK: 945 if (!hdev->acl_mtu) 946 return ERR_PTR(-ECONNREFUSED); 947 break; 948 case ISO_LINK: 949 if (hdev->iso_mtu) 950 /* Dedicated ISO Buffer exists */ 951 break; 952 fallthrough; 953 case LE_LINK: 954 if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU) 955 return ERR_PTR(-ECONNREFUSED); 956 if (!hdev->le_mtu && hdev->acl_mtu < HCI_MIN_LE_MTU) 957 return ERR_PTR(-ECONNREFUSED); 958 break; 959 case SCO_LINK: 960 case ESCO_LINK: 961 if (!hdev->sco_pkts) 962 /* Controller does not support SCO or eSCO over HCI */ 963 return ERR_PTR(-ECONNREFUSED); 964 break; 965 default: 966 return ERR_PTR(-ECONNREFUSED); 967 } 968 969 bt_dev_dbg(hdev, "dst %pMR handle 0x%4.4x", dst, handle); 970 971 conn = kzalloc(sizeof(*conn), GFP_KERNEL); 972 if (!conn) 973 return ERR_PTR(-ENOMEM); 974 975 bacpy(&conn->dst, dst); 976 bacpy(&conn->src, &hdev->bdaddr); 977 conn->handle = handle; 978 conn->hdev = hdev; 979 conn->type = type; 980 conn->role = role; 981 conn->mode = HCI_CM_ACTIVE; 982 conn->state = BT_OPEN; 983 conn->auth_type = HCI_AT_GENERAL_BONDING; 984 conn->io_capability = hdev->io_capability; 985 conn->remote_auth = 0xff; 986 conn->key_type = 0xff; 987 conn->rssi = HCI_RSSI_INVALID; 988 conn->tx_power = HCI_TX_POWER_INVALID; 989 conn->max_tx_power = HCI_TX_POWER_INVALID; 990 conn->sync_handle = HCI_SYNC_HANDLE_INVALID; 991 992 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 993 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 994 995 /* Set Default Authenticated payload timeout to 30s */ 996 conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT; 997 998 if (conn->role == HCI_ROLE_MASTER) 999 conn->out = true; 1000 1001 switch (type) { 1002 case ACL_LINK: 1003 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK; 1004 conn->mtu = hdev->acl_mtu; 1005 break; 1006 case LE_LINK: 1007 /* conn->src should reflect the local identity address */ 1008 hci_copy_identity_address(hdev, &conn->src, &conn->src_type); 1009 conn->mtu = hdev->le_mtu ? hdev->le_mtu : hdev->acl_mtu; 1010 break; 1011 case ISO_LINK: 1012 /* conn->src should reflect the local identity address */ 1013 hci_copy_identity_address(hdev, &conn->src, &conn->src_type); 1014 1015 /* set proper cleanup function */ 1016 if (!bacmp(dst, BDADDR_ANY)) 1017 conn->cleanup = bis_cleanup; 1018 else if (conn->role == HCI_ROLE_MASTER) 1019 conn->cleanup = cis_cleanup; 1020 1021 conn->mtu = hdev->iso_mtu ? hdev->iso_mtu : 1022 hdev->le_mtu ? hdev->le_mtu : hdev->acl_mtu; 1023 break; 1024 case SCO_LINK: 1025 if (lmp_esco_capable(hdev)) 1026 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 1027 (hdev->esco_type & EDR_ESCO_MASK); 1028 else 1029 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK; 1030 1031 conn->mtu = hdev->sco_mtu; 1032 break; 1033 case ESCO_LINK: 1034 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK; 1035 conn->mtu = hdev->sco_mtu; 1036 break; 1037 } 1038 1039 skb_queue_head_init(&conn->data_q); 1040 1041 INIT_LIST_HEAD(&conn->chan_list); 1042 INIT_LIST_HEAD(&conn->link_list); 1043 1044 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout); 1045 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept); 1046 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle); 1047 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout); 1048 1049 atomic_set(&conn->refcnt, 0); 1050 1051 hci_dev_hold(hdev); 1052 1053 hci_conn_hash_add(hdev, conn); 1054 1055 /* The SCO and eSCO connections will only be notified when their 1056 * setup has been completed. This is different to ACL links which 1057 * can be notified right away. 1058 */ 1059 if (conn->type != SCO_LINK && conn->type != ESCO_LINK) { 1060 if (hdev->notify) 1061 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD); 1062 } 1063 1064 hci_conn_init_sysfs(conn); 1065 1066 return conn; 1067 } 1068 1069 struct hci_conn *hci_conn_add_unset(struct hci_dev *hdev, int type, 1070 bdaddr_t *dst, u8 role) 1071 { 1072 int handle; 1073 1074 bt_dev_dbg(hdev, "dst %pMR", dst); 1075 1076 handle = hci_conn_hash_alloc_unset(hdev); 1077 if (unlikely(handle < 0)) 1078 return ERR_PTR(-ECONNREFUSED); 1079 1080 return hci_conn_add(hdev, type, dst, role, handle); 1081 } 1082 1083 static void hci_conn_cleanup_child(struct hci_conn *conn, u8 reason) 1084 { 1085 if (!reason) 1086 reason = HCI_ERROR_REMOTE_USER_TERM; 1087 1088 /* Due to race, SCO/ISO conn might be not established yet at this point, 1089 * and nothing else will clean it up. In other cases it is done via HCI 1090 * events. 1091 */ 1092 switch (conn->type) { 1093 case SCO_LINK: 1094 case ESCO_LINK: 1095 if (HCI_CONN_HANDLE_UNSET(conn->handle)) 1096 hci_conn_failed(conn, reason); 1097 break; 1098 case ISO_LINK: 1099 if (conn->state != BT_CONNECTED && 1100 !test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) 1101 hci_conn_failed(conn, reason); 1102 break; 1103 } 1104 } 1105 1106 static void hci_conn_unlink(struct hci_conn *conn) 1107 { 1108 struct hci_dev *hdev = conn->hdev; 1109 1110 bt_dev_dbg(hdev, "hcon %p", conn); 1111 1112 if (!conn->parent) { 1113 struct hci_link *link, *t; 1114 1115 list_for_each_entry_safe(link, t, &conn->link_list, list) { 1116 struct hci_conn *child = link->conn; 1117 1118 hci_conn_unlink(child); 1119 1120 /* If hdev is down it means 1121 * hci_dev_close_sync/hci_conn_hash_flush is in progress 1122 * and links don't need to be cleanup as all connections 1123 * would be cleanup. 1124 */ 1125 if (!test_bit(HCI_UP, &hdev->flags)) 1126 continue; 1127 1128 hci_conn_cleanup_child(child, conn->abort_reason); 1129 } 1130 1131 return; 1132 } 1133 1134 if (!conn->link) 1135 return; 1136 1137 list_del_rcu(&conn->link->list); 1138 synchronize_rcu(); 1139 1140 hci_conn_drop(conn->parent); 1141 hci_conn_put(conn->parent); 1142 conn->parent = NULL; 1143 1144 kfree(conn->link); 1145 conn->link = NULL; 1146 } 1147 1148 void hci_conn_del(struct hci_conn *conn) 1149 { 1150 struct hci_dev *hdev = conn->hdev; 1151 1152 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle); 1153 1154 hci_conn_unlink(conn); 1155 1156 cancel_delayed_work_sync(&conn->disc_work); 1157 cancel_delayed_work_sync(&conn->auto_accept_work); 1158 cancel_delayed_work_sync(&conn->idle_work); 1159 1160 if (conn->type == ACL_LINK) { 1161 /* Unacked frames */ 1162 hdev->acl_cnt += conn->sent; 1163 } else if (conn->type == LE_LINK) { 1164 cancel_delayed_work(&conn->le_conn_timeout); 1165 1166 if (hdev->le_pkts) 1167 hdev->le_cnt += conn->sent; 1168 else 1169 hdev->acl_cnt += conn->sent; 1170 } else { 1171 /* Unacked ISO frames */ 1172 if (conn->type == ISO_LINK) { 1173 if (hdev->iso_pkts) 1174 hdev->iso_cnt += conn->sent; 1175 else if (hdev->le_pkts) 1176 hdev->le_cnt += conn->sent; 1177 else 1178 hdev->acl_cnt += conn->sent; 1179 } 1180 } 1181 1182 skb_queue_purge(&conn->data_q); 1183 1184 /* Remove the connection from the list and cleanup its remaining 1185 * state. This is a separate function since for some cases like 1186 * BT_CONNECT_SCAN we *only* want the cleanup part without the 1187 * rest of hci_conn_del. 1188 */ 1189 hci_conn_cleanup(conn); 1190 } 1191 1192 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type) 1193 { 1194 int use_src = bacmp(src, BDADDR_ANY); 1195 struct hci_dev *hdev = NULL, *d; 1196 1197 BT_DBG("%pMR -> %pMR", src, dst); 1198 1199 read_lock(&hci_dev_list_lock); 1200 1201 list_for_each_entry(d, &hci_dev_list, list) { 1202 if (!test_bit(HCI_UP, &d->flags) || 1203 hci_dev_test_flag(d, HCI_USER_CHANNEL)) 1204 continue; 1205 1206 /* Simple routing: 1207 * No source address - find interface with bdaddr != dst 1208 * Source address - find interface with bdaddr == src 1209 */ 1210 1211 if (use_src) { 1212 bdaddr_t id_addr; 1213 u8 id_addr_type; 1214 1215 if (src_type == BDADDR_BREDR) { 1216 if (!lmp_bredr_capable(d)) 1217 continue; 1218 bacpy(&id_addr, &d->bdaddr); 1219 id_addr_type = BDADDR_BREDR; 1220 } else { 1221 if (!lmp_le_capable(d)) 1222 continue; 1223 1224 hci_copy_identity_address(d, &id_addr, 1225 &id_addr_type); 1226 1227 /* Convert from HCI to three-value type */ 1228 if (id_addr_type == ADDR_LE_DEV_PUBLIC) 1229 id_addr_type = BDADDR_LE_PUBLIC; 1230 else 1231 id_addr_type = BDADDR_LE_RANDOM; 1232 } 1233 1234 if (!bacmp(&id_addr, src) && id_addr_type == src_type) { 1235 hdev = d; break; 1236 } 1237 } else { 1238 if (bacmp(&d->bdaddr, dst)) { 1239 hdev = d; break; 1240 } 1241 } 1242 } 1243 1244 if (hdev) 1245 hdev = hci_dev_hold(hdev); 1246 1247 read_unlock(&hci_dev_list_lock); 1248 return hdev; 1249 } 1250 EXPORT_SYMBOL(hci_get_route); 1251 1252 /* This function requires the caller holds hdev->lock */ 1253 static void hci_le_conn_failed(struct hci_conn *conn, u8 status) 1254 { 1255 struct hci_dev *hdev = conn->hdev; 1256 1257 hci_connect_le_scan_cleanup(conn, status); 1258 1259 /* Enable advertising in case this was a failed connection 1260 * attempt as a peripheral. 1261 */ 1262 hci_enable_advertising(hdev); 1263 } 1264 1265 /* This function requires the caller holds hdev->lock */ 1266 void hci_conn_failed(struct hci_conn *conn, u8 status) 1267 { 1268 struct hci_dev *hdev = conn->hdev; 1269 1270 bt_dev_dbg(hdev, "status 0x%2.2x", status); 1271 1272 switch (conn->type) { 1273 case LE_LINK: 1274 hci_le_conn_failed(conn, status); 1275 break; 1276 case ACL_LINK: 1277 mgmt_connect_failed(hdev, &conn->dst, conn->type, 1278 conn->dst_type, status); 1279 break; 1280 } 1281 1282 /* In case of BIG/PA sync failed, clear conn flags so that 1283 * the conns will be correctly cleaned up by ISO layer 1284 */ 1285 test_and_clear_bit(HCI_CONN_BIG_SYNC_FAILED, &conn->flags); 1286 test_and_clear_bit(HCI_CONN_PA_SYNC_FAILED, &conn->flags); 1287 1288 conn->state = BT_CLOSED; 1289 hci_connect_cfm(conn, status); 1290 hci_conn_del(conn); 1291 } 1292 1293 /* This function requires the caller holds hdev->lock */ 1294 u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle) 1295 { 1296 struct hci_dev *hdev = conn->hdev; 1297 1298 bt_dev_dbg(hdev, "hcon %p handle 0x%4.4x", conn, handle); 1299 1300 if (conn->handle == handle) 1301 return 0; 1302 1303 if (handle > HCI_CONN_HANDLE_MAX) { 1304 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x", 1305 handle, HCI_CONN_HANDLE_MAX); 1306 return HCI_ERROR_INVALID_PARAMETERS; 1307 } 1308 1309 /* If abort_reason has been sent it means the connection is being 1310 * aborted and the handle shall not be changed. 1311 */ 1312 if (conn->abort_reason) 1313 return conn->abort_reason; 1314 1315 if (HCI_CONN_HANDLE_UNSET(conn->handle)) 1316 ida_free(&hdev->unset_handle_ida, conn->handle); 1317 1318 conn->handle = handle; 1319 1320 return 0; 1321 } 1322 1323 static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err) 1324 { 1325 struct hci_conn *conn; 1326 u16 handle = PTR_UINT(data); 1327 1328 conn = hci_conn_hash_lookup_handle(hdev, handle); 1329 if (!conn) 1330 return; 1331 1332 bt_dev_dbg(hdev, "err %d", err); 1333 1334 hci_dev_lock(hdev); 1335 1336 if (!err) { 1337 hci_connect_le_scan_cleanup(conn, 0x00); 1338 goto done; 1339 } 1340 1341 /* Check if connection is still pending */ 1342 if (conn != hci_lookup_le_connect(hdev)) 1343 goto done; 1344 1345 /* Flush to make sure we send create conn cancel command if needed */ 1346 flush_delayed_work(&conn->le_conn_timeout); 1347 hci_conn_failed(conn, bt_status(err)); 1348 1349 done: 1350 hci_dev_unlock(hdev); 1351 } 1352 1353 static int hci_connect_le_sync(struct hci_dev *hdev, void *data) 1354 { 1355 struct hci_conn *conn; 1356 u16 handle = PTR_UINT(data); 1357 1358 conn = hci_conn_hash_lookup_handle(hdev, handle); 1359 if (!conn) 1360 return 0; 1361 1362 bt_dev_dbg(hdev, "conn %p", conn); 1363 1364 clear_bit(HCI_CONN_SCANNING, &conn->flags); 1365 conn->state = BT_CONNECT; 1366 1367 return hci_le_create_conn_sync(hdev, conn); 1368 } 1369 1370 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst, 1371 u8 dst_type, bool dst_resolved, u8 sec_level, 1372 u16 conn_timeout, u8 role) 1373 { 1374 struct hci_conn *conn; 1375 struct smp_irk *irk; 1376 int err; 1377 1378 /* Let's make sure that le is enabled.*/ 1379 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1380 if (lmp_le_capable(hdev)) 1381 return ERR_PTR(-ECONNREFUSED); 1382 1383 return ERR_PTR(-EOPNOTSUPP); 1384 } 1385 1386 /* Since the controller supports only one LE connection attempt at a 1387 * time, we return -EBUSY if there is any connection attempt running. 1388 */ 1389 if (hci_lookup_le_connect(hdev)) 1390 return ERR_PTR(-EBUSY); 1391 1392 /* If there's already a connection object but it's not in 1393 * scanning state it means it must already be established, in 1394 * which case we can't do anything else except report a failure 1395 * to connect. 1396 */ 1397 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type); 1398 if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) { 1399 return ERR_PTR(-EBUSY); 1400 } 1401 1402 /* Check if the destination address has been resolved by the controller 1403 * since if it did then the identity address shall be used. 1404 */ 1405 if (!dst_resolved) { 1406 /* When given an identity address with existing identity 1407 * resolving key, the connection needs to be established 1408 * to a resolvable random address. 1409 * 1410 * Storing the resolvable random address is required here 1411 * to handle connection failures. The address will later 1412 * be resolved back into the original identity address 1413 * from the connect request. 1414 */ 1415 irk = hci_find_irk_by_addr(hdev, dst, dst_type); 1416 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) { 1417 dst = &irk->rpa; 1418 dst_type = ADDR_LE_DEV_RANDOM; 1419 } 1420 } 1421 1422 if (conn) { 1423 bacpy(&conn->dst, dst); 1424 } else { 1425 conn = hci_conn_add_unset(hdev, LE_LINK, dst, role); 1426 if (IS_ERR(conn)) 1427 return conn; 1428 hci_conn_hold(conn); 1429 conn->pending_sec_level = sec_level; 1430 } 1431 1432 conn->dst_type = dst_type; 1433 conn->sec_level = BT_SECURITY_LOW; 1434 conn->conn_timeout = conn_timeout; 1435 1436 err = hci_cmd_sync_queue(hdev, hci_connect_le_sync, 1437 UINT_PTR(conn->handle), 1438 create_le_conn_complete); 1439 if (err) { 1440 hci_conn_del(conn); 1441 return ERR_PTR(err); 1442 } 1443 1444 return conn; 1445 } 1446 1447 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type) 1448 { 1449 struct hci_conn *conn; 1450 1451 conn = hci_conn_hash_lookup_le(hdev, addr, type); 1452 if (!conn) 1453 return false; 1454 1455 if (conn->state != BT_CONNECTED) 1456 return false; 1457 1458 return true; 1459 } 1460 1461 /* This function requires the caller holds hdev->lock */ 1462 static int hci_explicit_conn_params_set(struct hci_dev *hdev, 1463 bdaddr_t *addr, u8 addr_type) 1464 { 1465 struct hci_conn_params *params; 1466 1467 if (is_connected(hdev, addr, addr_type)) 1468 return -EISCONN; 1469 1470 params = hci_conn_params_lookup(hdev, addr, addr_type); 1471 if (!params) { 1472 params = hci_conn_params_add(hdev, addr, addr_type); 1473 if (!params) 1474 return -ENOMEM; 1475 1476 /* If we created new params, mark them to be deleted in 1477 * hci_connect_le_scan_cleanup. It's different case than 1478 * existing disabled params, those will stay after cleanup. 1479 */ 1480 params->auto_connect = HCI_AUTO_CONN_EXPLICIT; 1481 } 1482 1483 /* We're trying to connect, so make sure params are at pend_le_conns */ 1484 if (params->auto_connect == HCI_AUTO_CONN_DISABLED || 1485 params->auto_connect == HCI_AUTO_CONN_REPORT || 1486 params->auto_connect == HCI_AUTO_CONN_EXPLICIT) { 1487 hci_pend_le_list_del_init(params); 1488 hci_pend_le_list_add(params, &hdev->pend_le_conns); 1489 } 1490 1491 params->explicit_connect = true; 1492 1493 BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type, 1494 params->auto_connect); 1495 1496 return 0; 1497 } 1498 1499 static int qos_set_big(struct hci_dev *hdev, struct bt_iso_qos *qos) 1500 { 1501 struct hci_conn *conn; 1502 u8 big; 1503 1504 /* Allocate a BIG if not set */ 1505 if (qos->bcast.big == BT_ISO_QOS_BIG_UNSET) { 1506 for (big = 0x00; big < 0xef; big++) { 1507 1508 conn = hci_conn_hash_lookup_big(hdev, big); 1509 if (!conn) 1510 break; 1511 } 1512 1513 if (big == 0xef) 1514 return -EADDRNOTAVAIL; 1515 1516 /* Update BIG */ 1517 qos->bcast.big = big; 1518 } 1519 1520 return 0; 1521 } 1522 1523 static int qos_set_bis(struct hci_dev *hdev, struct bt_iso_qos *qos) 1524 { 1525 struct hci_conn *conn; 1526 u8 bis; 1527 1528 /* Allocate BIS if not set */ 1529 if (qos->bcast.bis == BT_ISO_QOS_BIS_UNSET) { 1530 /* Find an unused adv set to advertise BIS, skip instance 0x00 1531 * since it is reserved as general purpose set. 1532 */ 1533 for (bis = 0x01; bis < hdev->le_num_of_adv_sets; 1534 bis++) { 1535 1536 conn = hci_conn_hash_lookup_bis(hdev, BDADDR_ANY, bis); 1537 if (!conn) 1538 break; 1539 } 1540 1541 if (bis == hdev->le_num_of_adv_sets) 1542 return -EADDRNOTAVAIL; 1543 1544 /* Update BIS */ 1545 qos->bcast.bis = bis; 1546 } 1547 1548 return 0; 1549 } 1550 1551 /* This function requires the caller holds hdev->lock */ 1552 static struct hci_conn *hci_add_bis(struct hci_dev *hdev, bdaddr_t *dst, 1553 struct bt_iso_qos *qos, __u8 base_len, 1554 __u8 *base) 1555 { 1556 struct hci_conn *conn; 1557 int err; 1558 1559 /* Let's make sure that le is enabled.*/ 1560 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1561 if (lmp_le_capable(hdev)) 1562 return ERR_PTR(-ECONNREFUSED); 1563 return ERR_PTR(-EOPNOTSUPP); 1564 } 1565 1566 err = qos_set_big(hdev, qos); 1567 if (err) 1568 return ERR_PTR(err); 1569 1570 err = qos_set_bis(hdev, qos); 1571 if (err) 1572 return ERR_PTR(err); 1573 1574 /* Check if the LE Create BIG command has already been sent */ 1575 conn = hci_conn_hash_lookup_per_adv_bis(hdev, dst, qos->bcast.big, 1576 qos->bcast.big); 1577 if (conn) 1578 return ERR_PTR(-EADDRINUSE); 1579 1580 /* Check BIS settings against other bound BISes, since all 1581 * BISes in a BIG must have the same value for all parameters 1582 */ 1583 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big); 1584 1585 if (conn && (memcmp(qos, &conn->iso_qos, sizeof(*qos)) || 1586 base_len != conn->le_per_adv_data_len || 1587 memcmp(conn->le_per_adv_data, base, base_len))) 1588 return ERR_PTR(-EADDRINUSE); 1589 1590 conn = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_MASTER); 1591 if (IS_ERR(conn)) 1592 return conn; 1593 1594 conn->state = BT_CONNECT; 1595 1596 hci_conn_hold(conn); 1597 return conn; 1598 } 1599 1600 /* This function requires the caller holds hdev->lock */ 1601 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst, 1602 u8 dst_type, u8 sec_level, 1603 u16 conn_timeout, 1604 enum conn_reasons conn_reason) 1605 { 1606 struct hci_conn *conn; 1607 1608 /* Let's make sure that le is enabled.*/ 1609 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1610 if (lmp_le_capable(hdev)) 1611 return ERR_PTR(-ECONNREFUSED); 1612 1613 return ERR_PTR(-EOPNOTSUPP); 1614 } 1615 1616 /* Some devices send ATT messages as soon as the physical link is 1617 * established. To be able to handle these ATT messages, the user- 1618 * space first establishes the connection and then starts the pairing 1619 * process. 1620 * 1621 * So if a hci_conn object already exists for the following connection 1622 * attempt, we simply update pending_sec_level and auth_type fields 1623 * and return the object found. 1624 */ 1625 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type); 1626 if (conn) { 1627 if (conn->pending_sec_level < sec_level) 1628 conn->pending_sec_level = sec_level; 1629 goto done; 1630 } 1631 1632 BT_DBG("requesting refresh of dst_addr"); 1633 1634 conn = hci_conn_add_unset(hdev, LE_LINK, dst, HCI_ROLE_MASTER); 1635 if (IS_ERR(conn)) 1636 return conn; 1637 1638 if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) { 1639 hci_conn_del(conn); 1640 return ERR_PTR(-EBUSY); 1641 } 1642 1643 conn->state = BT_CONNECT; 1644 set_bit(HCI_CONN_SCANNING, &conn->flags); 1645 conn->dst_type = dst_type; 1646 conn->sec_level = BT_SECURITY_LOW; 1647 conn->pending_sec_level = sec_level; 1648 conn->conn_timeout = conn_timeout; 1649 conn->conn_reason = conn_reason; 1650 1651 hci_update_passive_scan(hdev); 1652 1653 done: 1654 hci_conn_hold(conn); 1655 return conn; 1656 } 1657 1658 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst, 1659 u8 sec_level, u8 auth_type, 1660 enum conn_reasons conn_reason) 1661 { 1662 struct hci_conn *acl; 1663 1664 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) { 1665 if (lmp_bredr_capable(hdev)) 1666 return ERR_PTR(-ECONNREFUSED); 1667 1668 return ERR_PTR(-EOPNOTSUPP); 1669 } 1670 1671 /* Reject outgoing connection to device with same BD ADDR against 1672 * CVE-2020-26555 1673 */ 1674 if (!bacmp(&hdev->bdaddr, dst)) { 1675 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n", 1676 dst); 1677 return ERR_PTR(-ECONNREFUSED); 1678 } 1679 1680 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst); 1681 if (!acl) { 1682 acl = hci_conn_add_unset(hdev, ACL_LINK, dst, HCI_ROLE_MASTER); 1683 if (IS_ERR(acl)) 1684 return acl; 1685 } 1686 1687 hci_conn_hold(acl); 1688 1689 acl->conn_reason = conn_reason; 1690 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) { 1691 acl->sec_level = BT_SECURITY_LOW; 1692 acl->pending_sec_level = sec_level; 1693 acl->auth_type = auth_type; 1694 hci_acl_create_connection(acl); 1695 } 1696 1697 return acl; 1698 } 1699 1700 static struct hci_link *hci_conn_link(struct hci_conn *parent, 1701 struct hci_conn *conn) 1702 { 1703 struct hci_dev *hdev = parent->hdev; 1704 struct hci_link *link; 1705 1706 bt_dev_dbg(hdev, "parent %p hcon %p", parent, conn); 1707 1708 if (conn->link) 1709 return conn->link; 1710 1711 if (conn->parent) 1712 return NULL; 1713 1714 link = kzalloc(sizeof(*link), GFP_KERNEL); 1715 if (!link) 1716 return NULL; 1717 1718 link->conn = hci_conn_hold(conn); 1719 conn->link = link; 1720 conn->parent = hci_conn_get(parent); 1721 1722 /* Use list_add_tail_rcu append to the list */ 1723 list_add_tail_rcu(&link->list, &parent->link_list); 1724 1725 return link; 1726 } 1727 1728 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst, 1729 __u16 setting, struct bt_codec *codec) 1730 { 1731 struct hci_conn *acl; 1732 struct hci_conn *sco; 1733 struct hci_link *link; 1734 1735 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING, 1736 CONN_REASON_SCO_CONNECT); 1737 if (IS_ERR(acl)) 1738 return acl; 1739 1740 sco = hci_conn_hash_lookup_ba(hdev, type, dst); 1741 if (!sco) { 1742 sco = hci_conn_add_unset(hdev, type, dst, HCI_ROLE_MASTER); 1743 if (IS_ERR(sco)) { 1744 hci_conn_drop(acl); 1745 return sco; 1746 } 1747 } 1748 1749 link = hci_conn_link(acl, sco); 1750 if (!link) { 1751 hci_conn_drop(acl); 1752 hci_conn_drop(sco); 1753 return ERR_PTR(-ENOLINK); 1754 } 1755 1756 sco->setting = setting; 1757 sco->codec = *codec; 1758 1759 if (acl->state == BT_CONNECTED && 1760 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) { 1761 set_bit(HCI_CONN_POWER_SAVE, &acl->flags); 1762 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON); 1763 1764 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) { 1765 /* defer SCO setup until mode change completed */ 1766 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags); 1767 return sco; 1768 } 1769 1770 hci_sco_setup(acl, 0x00); 1771 } 1772 1773 return sco; 1774 } 1775 1776 static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos) 1777 { 1778 struct hci_dev *hdev = conn->hdev; 1779 struct hci_cp_le_create_big cp; 1780 struct iso_list_data data; 1781 1782 memset(&cp, 0, sizeof(cp)); 1783 1784 data.big = qos->bcast.big; 1785 data.bis = qos->bcast.bis; 1786 data.count = 0; 1787 1788 /* Create a BIS for each bound connection */ 1789 hci_conn_hash_list_state(hdev, bis_list, ISO_LINK, 1790 BT_BOUND, &data); 1791 1792 cp.handle = qos->bcast.big; 1793 cp.adv_handle = qos->bcast.bis; 1794 cp.num_bis = data.count; 1795 hci_cpu_to_le24(qos->bcast.out.interval, cp.bis.sdu_interval); 1796 cp.bis.sdu = cpu_to_le16(qos->bcast.out.sdu); 1797 cp.bis.latency = cpu_to_le16(qos->bcast.out.latency); 1798 cp.bis.rtn = qos->bcast.out.rtn; 1799 cp.bis.phy = qos->bcast.out.phy; 1800 cp.bis.packing = qos->bcast.packing; 1801 cp.bis.framing = qos->bcast.framing; 1802 cp.bis.encryption = qos->bcast.encryption; 1803 memcpy(cp.bis.bcode, qos->bcast.bcode, sizeof(cp.bis.bcode)); 1804 1805 return hci_send_cmd(hdev, HCI_OP_LE_CREATE_BIG, sizeof(cp), &cp); 1806 } 1807 1808 static int set_cig_params_sync(struct hci_dev *hdev, void *data) 1809 { 1810 u8 cig_id = PTR_UINT(data); 1811 struct hci_conn *conn; 1812 struct bt_iso_qos *qos; 1813 struct iso_cig_params pdu; 1814 u8 cis_id; 1815 1816 conn = hci_conn_hash_lookup_cig(hdev, cig_id); 1817 if (!conn) 1818 return 0; 1819 1820 memset(&pdu, 0, sizeof(pdu)); 1821 1822 qos = &conn->iso_qos; 1823 pdu.cp.cig_id = cig_id; 1824 hci_cpu_to_le24(qos->ucast.out.interval, pdu.cp.c_interval); 1825 hci_cpu_to_le24(qos->ucast.in.interval, pdu.cp.p_interval); 1826 pdu.cp.sca = qos->ucast.sca; 1827 pdu.cp.packing = qos->ucast.packing; 1828 pdu.cp.framing = qos->ucast.framing; 1829 pdu.cp.c_latency = cpu_to_le16(qos->ucast.out.latency); 1830 pdu.cp.p_latency = cpu_to_le16(qos->ucast.in.latency); 1831 1832 /* Reprogram all CIS(s) with the same CIG, valid range are: 1833 * num_cis: 0x00 to 0x1F 1834 * cis_id: 0x00 to 0xEF 1835 */ 1836 for (cis_id = 0x00; cis_id < 0xf0 && 1837 pdu.cp.num_cis < ARRAY_SIZE(pdu.cis); cis_id++) { 1838 struct hci_cis_params *cis; 1839 1840 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, cig_id, cis_id); 1841 if (!conn) 1842 continue; 1843 1844 qos = &conn->iso_qos; 1845 1846 cis = &pdu.cis[pdu.cp.num_cis++]; 1847 cis->cis_id = cis_id; 1848 cis->c_sdu = cpu_to_le16(conn->iso_qos.ucast.out.sdu); 1849 cis->p_sdu = cpu_to_le16(conn->iso_qos.ucast.in.sdu); 1850 cis->c_phy = qos->ucast.out.phy ? qos->ucast.out.phy : 1851 qos->ucast.in.phy; 1852 cis->p_phy = qos->ucast.in.phy ? qos->ucast.in.phy : 1853 qos->ucast.out.phy; 1854 cis->c_rtn = qos->ucast.out.rtn; 1855 cis->p_rtn = qos->ucast.in.rtn; 1856 } 1857 1858 if (!pdu.cp.num_cis) 1859 return 0; 1860 1861 return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_CIG_PARAMS, 1862 sizeof(pdu.cp) + 1863 pdu.cp.num_cis * sizeof(pdu.cis[0]), &pdu, 1864 HCI_CMD_TIMEOUT); 1865 } 1866 1867 static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos) 1868 { 1869 struct hci_dev *hdev = conn->hdev; 1870 struct iso_list_data data; 1871 1872 memset(&data, 0, sizeof(data)); 1873 1874 /* Allocate first still reconfigurable CIG if not set */ 1875 if (qos->ucast.cig == BT_ISO_QOS_CIG_UNSET) { 1876 for (data.cig = 0x00; data.cig < 0xf0; data.cig++) { 1877 data.count = 0; 1878 1879 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, 1880 BT_CONNECT, &data); 1881 if (data.count) 1882 continue; 1883 1884 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, 1885 BT_CONNECTED, &data); 1886 if (!data.count) 1887 break; 1888 } 1889 1890 if (data.cig == 0xf0) 1891 return false; 1892 1893 /* Update CIG */ 1894 qos->ucast.cig = data.cig; 1895 } 1896 1897 if (qos->ucast.cis != BT_ISO_QOS_CIS_UNSET) { 1898 if (hci_conn_hash_lookup_cis(hdev, NULL, 0, qos->ucast.cig, 1899 qos->ucast.cis)) 1900 return false; 1901 goto done; 1902 } 1903 1904 /* Allocate first available CIS if not set */ 1905 for (data.cig = qos->ucast.cig, data.cis = 0x00; data.cis < 0xf0; 1906 data.cis++) { 1907 if (!hci_conn_hash_lookup_cis(hdev, NULL, 0, data.cig, 1908 data.cis)) { 1909 /* Update CIS */ 1910 qos->ucast.cis = data.cis; 1911 break; 1912 } 1913 } 1914 1915 if (qos->ucast.cis == BT_ISO_QOS_CIS_UNSET) 1916 return false; 1917 1918 done: 1919 if (hci_cmd_sync_queue(hdev, set_cig_params_sync, 1920 UINT_PTR(qos->ucast.cig), NULL) < 0) 1921 return false; 1922 1923 return true; 1924 } 1925 1926 struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst, 1927 __u8 dst_type, struct bt_iso_qos *qos) 1928 { 1929 struct hci_conn *cis; 1930 1931 cis = hci_conn_hash_lookup_cis(hdev, dst, dst_type, qos->ucast.cig, 1932 qos->ucast.cis); 1933 if (!cis) { 1934 cis = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_MASTER); 1935 if (IS_ERR(cis)) 1936 return cis; 1937 cis->cleanup = cis_cleanup; 1938 cis->dst_type = dst_type; 1939 cis->iso_qos.ucast.cig = BT_ISO_QOS_CIG_UNSET; 1940 cis->iso_qos.ucast.cis = BT_ISO_QOS_CIS_UNSET; 1941 } 1942 1943 if (cis->state == BT_CONNECTED) 1944 return cis; 1945 1946 /* Check if CIS has been set and the settings matches */ 1947 if (cis->state == BT_BOUND && 1948 !memcmp(&cis->iso_qos, qos, sizeof(*qos))) 1949 return cis; 1950 1951 /* Update LINK PHYs according to QoS preference */ 1952 cis->le_tx_phy = qos->ucast.out.phy; 1953 cis->le_rx_phy = qos->ucast.in.phy; 1954 1955 /* If output interval is not set use the input interval as it cannot be 1956 * 0x000000. 1957 */ 1958 if (!qos->ucast.out.interval) 1959 qos->ucast.out.interval = qos->ucast.in.interval; 1960 1961 /* If input interval is not set use the output interval as it cannot be 1962 * 0x000000. 1963 */ 1964 if (!qos->ucast.in.interval) 1965 qos->ucast.in.interval = qos->ucast.out.interval; 1966 1967 /* If output latency is not set use the input latency as it cannot be 1968 * 0x0000. 1969 */ 1970 if (!qos->ucast.out.latency) 1971 qos->ucast.out.latency = qos->ucast.in.latency; 1972 1973 /* If input latency is not set use the output latency as it cannot be 1974 * 0x0000. 1975 */ 1976 if (!qos->ucast.in.latency) 1977 qos->ucast.in.latency = qos->ucast.out.latency; 1978 1979 if (!hci_le_set_cig_params(cis, qos)) { 1980 hci_conn_drop(cis); 1981 return ERR_PTR(-EINVAL); 1982 } 1983 1984 hci_conn_hold(cis); 1985 1986 cis->iso_qos = *qos; 1987 cis->state = BT_BOUND; 1988 1989 return cis; 1990 } 1991 1992 bool hci_iso_setup_path(struct hci_conn *conn) 1993 { 1994 struct hci_dev *hdev = conn->hdev; 1995 struct hci_cp_le_setup_iso_path cmd; 1996 1997 memset(&cmd, 0, sizeof(cmd)); 1998 1999 if (conn->iso_qos.ucast.out.sdu) { 2000 cmd.handle = cpu_to_le16(conn->handle); 2001 cmd.direction = 0x00; /* Input (Host to Controller) */ 2002 cmd.path = 0x00; /* HCI path if enabled */ 2003 cmd.codec = 0x03; /* Transparent Data */ 2004 2005 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd), 2006 &cmd) < 0) 2007 return false; 2008 } 2009 2010 if (conn->iso_qos.ucast.in.sdu) { 2011 cmd.handle = cpu_to_le16(conn->handle); 2012 cmd.direction = 0x01; /* Output (Controller to Host) */ 2013 cmd.path = 0x00; /* HCI path if enabled */ 2014 cmd.codec = 0x03; /* Transparent Data */ 2015 2016 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd), 2017 &cmd) < 0) 2018 return false; 2019 } 2020 2021 return true; 2022 } 2023 2024 int hci_conn_check_create_cis(struct hci_conn *conn) 2025 { 2026 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY)) 2027 return -EINVAL; 2028 2029 if (!conn->parent || conn->parent->state != BT_CONNECTED || 2030 conn->state != BT_CONNECT || HCI_CONN_HANDLE_UNSET(conn->handle)) 2031 return 1; 2032 2033 return 0; 2034 } 2035 2036 static int hci_create_cis_sync(struct hci_dev *hdev, void *data) 2037 { 2038 return hci_le_create_cis_sync(hdev); 2039 } 2040 2041 int hci_le_create_cis_pending(struct hci_dev *hdev) 2042 { 2043 struct hci_conn *conn; 2044 bool pending = false; 2045 2046 rcu_read_lock(); 2047 2048 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) { 2049 if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) { 2050 rcu_read_unlock(); 2051 return -EBUSY; 2052 } 2053 2054 if (!hci_conn_check_create_cis(conn)) 2055 pending = true; 2056 } 2057 2058 rcu_read_unlock(); 2059 2060 if (!pending) 2061 return 0; 2062 2063 /* Queue Create CIS */ 2064 return hci_cmd_sync_queue(hdev, hci_create_cis_sync, NULL, NULL); 2065 } 2066 2067 static void hci_iso_qos_setup(struct hci_dev *hdev, struct hci_conn *conn, 2068 struct bt_iso_io_qos *qos, __u8 phy) 2069 { 2070 /* Only set MTU if PHY is enabled */ 2071 if (!qos->sdu && qos->phy) 2072 qos->sdu = conn->mtu; 2073 2074 /* Use the same PHY as ACL if set to any */ 2075 if (qos->phy == BT_ISO_PHY_ANY) 2076 qos->phy = phy; 2077 2078 /* Use LE ACL connection interval if not set */ 2079 if (!qos->interval) 2080 /* ACL interval unit in 1.25 ms to us */ 2081 qos->interval = conn->le_conn_interval * 1250; 2082 2083 /* Use LE ACL connection latency if not set */ 2084 if (!qos->latency) 2085 qos->latency = conn->le_conn_latency; 2086 } 2087 2088 static int create_big_sync(struct hci_dev *hdev, void *data) 2089 { 2090 struct hci_conn *conn = data; 2091 struct bt_iso_qos *qos = &conn->iso_qos; 2092 u16 interval, sync_interval = 0; 2093 u32 flags = 0; 2094 int err; 2095 2096 if (qos->bcast.out.phy == 0x02) 2097 flags |= MGMT_ADV_FLAG_SEC_2M; 2098 2099 /* Align intervals */ 2100 interval = (qos->bcast.out.interval / 1250) * qos->bcast.sync_factor; 2101 2102 if (qos->bcast.bis) 2103 sync_interval = interval * 4; 2104 2105 err = hci_start_per_adv_sync(hdev, qos->bcast.bis, conn->le_per_adv_data_len, 2106 conn->le_per_adv_data, flags, interval, 2107 interval, sync_interval); 2108 if (err) 2109 return err; 2110 2111 return hci_le_create_big(conn, &conn->iso_qos); 2112 } 2113 2114 static void create_pa_complete(struct hci_dev *hdev, void *data, int err) 2115 { 2116 struct hci_cp_le_pa_create_sync *cp = data; 2117 2118 bt_dev_dbg(hdev, ""); 2119 2120 if (err) 2121 bt_dev_err(hdev, "Unable to create PA: %d", err); 2122 2123 kfree(cp); 2124 } 2125 2126 static int create_pa_sync(struct hci_dev *hdev, void *data) 2127 { 2128 struct hci_cp_le_pa_create_sync *cp = data; 2129 int err; 2130 2131 err = __hci_cmd_sync_status(hdev, HCI_OP_LE_PA_CREATE_SYNC, 2132 sizeof(*cp), cp, HCI_CMD_TIMEOUT); 2133 if (err) { 2134 hci_dev_clear_flag(hdev, HCI_PA_SYNC); 2135 return err; 2136 } 2137 2138 return hci_update_passive_scan_sync(hdev); 2139 } 2140 2141 int hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst, __u8 dst_type, 2142 __u8 sid, struct bt_iso_qos *qos) 2143 { 2144 struct hci_cp_le_pa_create_sync *cp; 2145 2146 if (hci_dev_test_and_set_flag(hdev, HCI_PA_SYNC)) 2147 return -EBUSY; 2148 2149 cp = kzalloc(sizeof(*cp), GFP_KERNEL); 2150 if (!cp) { 2151 hci_dev_clear_flag(hdev, HCI_PA_SYNC); 2152 return -ENOMEM; 2153 } 2154 2155 cp->options = qos->bcast.options; 2156 cp->sid = sid; 2157 cp->addr_type = dst_type; 2158 bacpy(&cp->addr, dst); 2159 cp->skip = cpu_to_le16(qos->bcast.skip); 2160 cp->sync_timeout = cpu_to_le16(qos->bcast.sync_timeout); 2161 cp->sync_cte_type = qos->bcast.sync_cte_type; 2162 2163 /* Queue start pa_create_sync and scan */ 2164 return hci_cmd_sync_queue(hdev, create_pa_sync, cp, create_pa_complete); 2165 } 2166 2167 int hci_le_big_create_sync(struct hci_dev *hdev, struct hci_conn *hcon, 2168 struct bt_iso_qos *qos, 2169 __u16 sync_handle, __u8 num_bis, __u8 bis[]) 2170 { 2171 struct _packed { 2172 struct hci_cp_le_big_create_sync cp; 2173 __u8 bis[0x11]; 2174 } pdu; 2175 int err; 2176 2177 if (num_bis > sizeof(pdu.bis)) 2178 return -EINVAL; 2179 2180 err = qos_set_big(hdev, qos); 2181 if (err) 2182 return err; 2183 2184 if (hcon) 2185 hcon->iso_qos.bcast.big = qos->bcast.big; 2186 2187 memset(&pdu, 0, sizeof(pdu)); 2188 pdu.cp.handle = qos->bcast.big; 2189 pdu.cp.sync_handle = cpu_to_le16(sync_handle); 2190 pdu.cp.encryption = qos->bcast.encryption; 2191 memcpy(pdu.cp.bcode, qos->bcast.bcode, sizeof(pdu.cp.bcode)); 2192 pdu.cp.mse = qos->bcast.mse; 2193 pdu.cp.timeout = cpu_to_le16(qos->bcast.timeout); 2194 pdu.cp.num_bis = num_bis; 2195 memcpy(pdu.bis, bis, num_bis); 2196 2197 return hci_send_cmd(hdev, HCI_OP_LE_BIG_CREATE_SYNC, 2198 sizeof(pdu.cp) + num_bis, &pdu); 2199 } 2200 2201 static void create_big_complete(struct hci_dev *hdev, void *data, int err) 2202 { 2203 struct hci_conn *conn = data; 2204 2205 bt_dev_dbg(hdev, "conn %p", conn); 2206 2207 if (err) { 2208 bt_dev_err(hdev, "Unable to create BIG: %d", err); 2209 hci_connect_cfm(conn, err); 2210 hci_conn_del(conn); 2211 } 2212 } 2213 2214 struct hci_conn *hci_bind_bis(struct hci_dev *hdev, bdaddr_t *dst, 2215 struct bt_iso_qos *qos, 2216 __u8 base_len, __u8 *base) 2217 { 2218 struct hci_conn *conn; 2219 __u8 eir[HCI_MAX_PER_AD_LENGTH]; 2220 2221 if (base_len && base) 2222 base_len = eir_append_service_data(eir, 0, 0x1851, 2223 base, base_len); 2224 2225 /* We need hci_conn object using the BDADDR_ANY as dst */ 2226 conn = hci_add_bis(hdev, dst, qos, base_len, eir); 2227 if (IS_ERR(conn)) 2228 return conn; 2229 2230 /* Update LINK PHYs according to QoS preference */ 2231 conn->le_tx_phy = qos->bcast.out.phy; 2232 conn->le_tx_phy = qos->bcast.out.phy; 2233 2234 /* Add Basic Announcement into Peridic Adv Data if BASE is set */ 2235 if (base_len && base) { 2236 memcpy(conn->le_per_adv_data, eir, sizeof(eir)); 2237 conn->le_per_adv_data_len = base_len; 2238 } 2239 2240 hci_iso_qos_setup(hdev, conn, &qos->bcast.out, 2241 conn->le_tx_phy ? conn->le_tx_phy : 2242 hdev->le_tx_def_phys); 2243 2244 conn->iso_qos = *qos; 2245 conn->state = BT_BOUND; 2246 2247 return conn; 2248 } 2249 2250 static void bis_mark_per_adv(struct hci_conn *conn, void *data) 2251 { 2252 struct iso_list_data *d = data; 2253 2254 /* Skip if not broadcast/ANY address */ 2255 if (bacmp(&conn->dst, BDADDR_ANY)) 2256 return; 2257 2258 if (d->big != conn->iso_qos.bcast.big || 2259 d->bis == BT_ISO_QOS_BIS_UNSET || 2260 d->bis != conn->iso_qos.bcast.bis) 2261 return; 2262 2263 set_bit(HCI_CONN_PER_ADV, &conn->flags); 2264 } 2265 2266 struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst, 2267 __u8 dst_type, struct bt_iso_qos *qos, 2268 __u8 base_len, __u8 *base) 2269 { 2270 struct hci_conn *conn; 2271 int err; 2272 struct iso_list_data data; 2273 2274 conn = hci_bind_bis(hdev, dst, qos, base_len, base); 2275 if (IS_ERR(conn)) 2276 return conn; 2277 2278 data.big = qos->bcast.big; 2279 data.bis = qos->bcast.bis; 2280 2281 /* Set HCI_CONN_PER_ADV for all bound connections, to mark that 2282 * the start periodic advertising and create BIG commands have 2283 * been queued 2284 */ 2285 hci_conn_hash_list_state(hdev, bis_mark_per_adv, ISO_LINK, 2286 BT_BOUND, &data); 2287 2288 /* Queue start periodic advertising and create BIG */ 2289 err = hci_cmd_sync_queue(hdev, create_big_sync, conn, 2290 create_big_complete); 2291 if (err < 0) { 2292 hci_conn_drop(conn); 2293 return ERR_PTR(err); 2294 } 2295 2296 return conn; 2297 } 2298 2299 struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst, 2300 __u8 dst_type, struct bt_iso_qos *qos) 2301 { 2302 struct hci_conn *le; 2303 struct hci_conn *cis; 2304 struct hci_link *link; 2305 2306 if (hci_dev_test_flag(hdev, HCI_ADVERTISING)) 2307 le = hci_connect_le(hdev, dst, dst_type, false, 2308 BT_SECURITY_LOW, 2309 HCI_LE_CONN_TIMEOUT, 2310 HCI_ROLE_SLAVE); 2311 else 2312 le = hci_connect_le_scan(hdev, dst, dst_type, 2313 BT_SECURITY_LOW, 2314 HCI_LE_CONN_TIMEOUT, 2315 CONN_REASON_ISO_CONNECT); 2316 if (IS_ERR(le)) 2317 return le; 2318 2319 hci_iso_qos_setup(hdev, le, &qos->ucast.out, 2320 le->le_tx_phy ? le->le_tx_phy : hdev->le_tx_def_phys); 2321 hci_iso_qos_setup(hdev, le, &qos->ucast.in, 2322 le->le_rx_phy ? le->le_rx_phy : hdev->le_rx_def_phys); 2323 2324 cis = hci_bind_cis(hdev, dst, dst_type, qos); 2325 if (IS_ERR(cis)) { 2326 hci_conn_drop(le); 2327 return cis; 2328 } 2329 2330 link = hci_conn_link(le, cis); 2331 if (!link) { 2332 hci_conn_drop(le); 2333 hci_conn_drop(cis); 2334 return ERR_PTR(-ENOLINK); 2335 } 2336 2337 /* Link takes the refcount */ 2338 hci_conn_drop(cis); 2339 2340 cis->state = BT_CONNECT; 2341 2342 hci_le_create_cis_pending(hdev); 2343 2344 return cis; 2345 } 2346 2347 /* Check link security requirement */ 2348 int hci_conn_check_link_mode(struct hci_conn *conn) 2349 { 2350 BT_DBG("hcon %p", conn); 2351 2352 /* In Secure Connections Only mode, it is required that Secure 2353 * Connections is used and the link is encrypted with AES-CCM 2354 * using a P-256 authenticated combination key. 2355 */ 2356 if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) { 2357 if (!hci_conn_sc_enabled(conn) || 2358 !test_bit(HCI_CONN_AES_CCM, &conn->flags) || 2359 conn->key_type != HCI_LK_AUTH_COMBINATION_P256) 2360 return 0; 2361 } 2362 2363 /* AES encryption is required for Level 4: 2364 * 2365 * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C 2366 * page 1319: 2367 * 2368 * 128-bit equivalent strength for link and encryption keys 2369 * required using FIPS approved algorithms (E0 not allowed, 2370 * SAFER+ not allowed, and P-192 not allowed; encryption key 2371 * not shortened) 2372 */ 2373 if (conn->sec_level == BT_SECURITY_FIPS && 2374 !test_bit(HCI_CONN_AES_CCM, &conn->flags)) { 2375 bt_dev_err(conn->hdev, 2376 "Invalid security: Missing AES-CCM usage"); 2377 return 0; 2378 } 2379 2380 if (hci_conn_ssp_enabled(conn) && 2381 !test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2382 return 0; 2383 2384 return 1; 2385 } 2386 2387 /* Authenticate remote device */ 2388 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type) 2389 { 2390 BT_DBG("hcon %p", conn); 2391 2392 if (conn->pending_sec_level > sec_level) 2393 sec_level = conn->pending_sec_level; 2394 2395 if (sec_level > conn->sec_level) 2396 conn->pending_sec_level = sec_level; 2397 else if (test_bit(HCI_CONN_AUTH, &conn->flags)) 2398 return 1; 2399 2400 /* Make sure we preserve an existing MITM requirement*/ 2401 auth_type |= (conn->auth_type & 0x01); 2402 2403 conn->auth_type = auth_type; 2404 2405 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2406 struct hci_cp_auth_requested cp; 2407 2408 cp.handle = cpu_to_le16(conn->handle); 2409 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED, 2410 sizeof(cp), &cp); 2411 2412 /* Set the ENCRYPT_PEND to trigger encryption after 2413 * authentication. 2414 */ 2415 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2416 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2417 } 2418 2419 return 0; 2420 } 2421 2422 /* Encrypt the link */ 2423 static void hci_conn_encrypt(struct hci_conn *conn) 2424 { 2425 BT_DBG("hcon %p", conn); 2426 2427 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 2428 struct hci_cp_set_conn_encrypt cp; 2429 cp.handle = cpu_to_le16(conn->handle); 2430 cp.encrypt = 0x01; 2431 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2432 &cp); 2433 } 2434 } 2435 2436 /* Enable security */ 2437 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type, 2438 bool initiator) 2439 { 2440 BT_DBG("hcon %p", conn); 2441 2442 if (conn->type == LE_LINK) 2443 return smp_conn_security(conn, sec_level); 2444 2445 /* For sdp we don't need the link key. */ 2446 if (sec_level == BT_SECURITY_SDP) 2447 return 1; 2448 2449 /* For non 2.1 devices and low security level we don't need the link 2450 key. */ 2451 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn)) 2452 return 1; 2453 2454 /* For other security levels we need the link key. */ 2455 if (!test_bit(HCI_CONN_AUTH, &conn->flags)) 2456 goto auth; 2457 2458 switch (conn->key_type) { 2459 case HCI_LK_AUTH_COMBINATION_P256: 2460 /* An authenticated FIPS approved combination key has 2461 * sufficient security for security level 4 or lower. 2462 */ 2463 if (sec_level <= BT_SECURITY_FIPS) 2464 goto encrypt; 2465 break; 2466 case HCI_LK_AUTH_COMBINATION_P192: 2467 /* An authenticated combination key has sufficient security for 2468 * security level 3 or lower. 2469 */ 2470 if (sec_level <= BT_SECURITY_HIGH) 2471 goto encrypt; 2472 break; 2473 case HCI_LK_UNAUTH_COMBINATION_P192: 2474 case HCI_LK_UNAUTH_COMBINATION_P256: 2475 /* An unauthenticated combination key has sufficient security 2476 * for security level 2 or lower. 2477 */ 2478 if (sec_level <= BT_SECURITY_MEDIUM) 2479 goto encrypt; 2480 break; 2481 case HCI_LK_COMBINATION: 2482 /* A combination key has always sufficient security for the 2483 * security levels 2 or lower. High security level requires the 2484 * combination key is generated using maximum PIN code length 2485 * (16). For pre 2.1 units. 2486 */ 2487 if (sec_level <= BT_SECURITY_MEDIUM || conn->pin_length == 16) 2488 goto encrypt; 2489 break; 2490 default: 2491 break; 2492 } 2493 2494 auth: 2495 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) 2496 return 0; 2497 2498 if (initiator) 2499 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2500 2501 if (!hci_conn_auth(conn, sec_level, auth_type)) 2502 return 0; 2503 2504 encrypt: 2505 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) { 2506 /* Ensure that the encryption key size has been read, 2507 * otherwise stall the upper layer responses. 2508 */ 2509 if (!conn->enc_key_size) 2510 return 0; 2511 2512 /* Nothing else needed, all requirements are met */ 2513 return 1; 2514 } 2515 2516 hci_conn_encrypt(conn); 2517 return 0; 2518 } 2519 EXPORT_SYMBOL(hci_conn_security); 2520 2521 /* Check secure link requirement */ 2522 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level) 2523 { 2524 BT_DBG("hcon %p", conn); 2525 2526 /* Accept if non-secure or higher security level is required */ 2527 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS) 2528 return 1; 2529 2530 /* Accept if secure or higher security level is already present */ 2531 if (conn->sec_level == BT_SECURITY_HIGH || 2532 conn->sec_level == BT_SECURITY_FIPS) 2533 return 1; 2534 2535 /* Reject not secure link */ 2536 return 0; 2537 } 2538 EXPORT_SYMBOL(hci_conn_check_secure); 2539 2540 /* Switch role */ 2541 int hci_conn_switch_role(struct hci_conn *conn, __u8 role) 2542 { 2543 BT_DBG("hcon %p", conn); 2544 2545 if (role == conn->role) 2546 return 1; 2547 2548 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) { 2549 struct hci_cp_switch_role cp; 2550 bacpy(&cp.bdaddr, &conn->dst); 2551 cp.role = role; 2552 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp); 2553 } 2554 2555 return 0; 2556 } 2557 EXPORT_SYMBOL(hci_conn_switch_role); 2558 2559 /* Enter active mode */ 2560 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active) 2561 { 2562 struct hci_dev *hdev = conn->hdev; 2563 2564 BT_DBG("hcon %p mode %d", conn, conn->mode); 2565 2566 if (conn->mode != HCI_CM_SNIFF) 2567 goto timer; 2568 2569 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active) 2570 goto timer; 2571 2572 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) { 2573 struct hci_cp_exit_sniff_mode cp; 2574 cp.handle = cpu_to_le16(conn->handle); 2575 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp); 2576 } 2577 2578 timer: 2579 if (hdev->idle_timeout > 0) 2580 queue_delayed_work(hdev->workqueue, &conn->idle_work, 2581 msecs_to_jiffies(hdev->idle_timeout)); 2582 } 2583 2584 /* Drop all connection on the device */ 2585 void hci_conn_hash_flush(struct hci_dev *hdev) 2586 { 2587 struct list_head *head = &hdev->conn_hash.list; 2588 struct hci_conn *conn; 2589 2590 BT_DBG("hdev %s", hdev->name); 2591 2592 /* We should not traverse the list here, because hci_conn_del 2593 * can remove extra links, which may cause the list traversal 2594 * to hit items that have already been released. 2595 */ 2596 while ((conn = list_first_entry_or_null(head, 2597 struct hci_conn, 2598 list)) != NULL) { 2599 conn->state = BT_CLOSED; 2600 hci_disconn_cfm(conn, HCI_ERROR_LOCAL_HOST_TERM); 2601 hci_conn_del(conn); 2602 } 2603 } 2604 2605 /* Check pending connect attempts */ 2606 void hci_conn_check_pending(struct hci_dev *hdev) 2607 { 2608 struct hci_conn *conn; 2609 2610 BT_DBG("hdev %s", hdev->name); 2611 2612 hci_dev_lock(hdev); 2613 2614 conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2); 2615 if (conn) 2616 hci_acl_create_connection(conn); 2617 2618 hci_dev_unlock(hdev); 2619 } 2620 2621 static u32 get_link_mode(struct hci_conn *conn) 2622 { 2623 u32 link_mode = 0; 2624 2625 if (conn->role == HCI_ROLE_MASTER) 2626 link_mode |= HCI_LM_MASTER; 2627 2628 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2629 link_mode |= HCI_LM_ENCRYPT; 2630 2631 if (test_bit(HCI_CONN_AUTH, &conn->flags)) 2632 link_mode |= HCI_LM_AUTH; 2633 2634 if (test_bit(HCI_CONN_SECURE, &conn->flags)) 2635 link_mode |= HCI_LM_SECURE; 2636 2637 if (test_bit(HCI_CONN_FIPS, &conn->flags)) 2638 link_mode |= HCI_LM_FIPS; 2639 2640 return link_mode; 2641 } 2642 2643 int hci_get_conn_list(void __user *arg) 2644 { 2645 struct hci_conn *c; 2646 struct hci_conn_list_req req, *cl; 2647 struct hci_conn_info *ci; 2648 struct hci_dev *hdev; 2649 int n = 0, size, err; 2650 2651 if (copy_from_user(&req, arg, sizeof(req))) 2652 return -EFAULT; 2653 2654 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci)) 2655 return -EINVAL; 2656 2657 size = sizeof(req) + req.conn_num * sizeof(*ci); 2658 2659 cl = kmalloc(size, GFP_KERNEL); 2660 if (!cl) 2661 return -ENOMEM; 2662 2663 hdev = hci_dev_get(req.dev_id); 2664 if (!hdev) { 2665 kfree(cl); 2666 return -ENODEV; 2667 } 2668 2669 ci = cl->conn_info; 2670 2671 hci_dev_lock(hdev); 2672 list_for_each_entry(c, &hdev->conn_hash.list, list) { 2673 bacpy(&(ci + n)->bdaddr, &c->dst); 2674 (ci + n)->handle = c->handle; 2675 (ci + n)->type = c->type; 2676 (ci + n)->out = c->out; 2677 (ci + n)->state = c->state; 2678 (ci + n)->link_mode = get_link_mode(c); 2679 if (++n >= req.conn_num) 2680 break; 2681 } 2682 hci_dev_unlock(hdev); 2683 2684 cl->dev_id = hdev->id; 2685 cl->conn_num = n; 2686 size = sizeof(req) + n * sizeof(*ci); 2687 2688 hci_dev_put(hdev); 2689 2690 err = copy_to_user(arg, cl, size); 2691 kfree(cl); 2692 2693 return err ? -EFAULT : 0; 2694 } 2695 2696 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg) 2697 { 2698 struct hci_conn_info_req req; 2699 struct hci_conn_info ci; 2700 struct hci_conn *conn; 2701 char __user *ptr = arg + sizeof(req); 2702 2703 if (copy_from_user(&req, arg, sizeof(req))) 2704 return -EFAULT; 2705 2706 hci_dev_lock(hdev); 2707 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr); 2708 if (conn) { 2709 bacpy(&ci.bdaddr, &conn->dst); 2710 ci.handle = conn->handle; 2711 ci.type = conn->type; 2712 ci.out = conn->out; 2713 ci.state = conn->state; 2714 ci.link_mode = get_link_mode(conn); 2715 } 2716 hci_dev_unlock(hdev); 2717 2718 if (!conn) 2719 return -ENOENT; 2720 2721 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0; 2722 } 2723 2724 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg) 2725 { 2726 struct hci_auth_info_req req; 2727 struct hci_conn *conn; 2728 2729 if (copy_from_user(&req, arg, sizeof(req))) 2730 return -EFAULT; 2731 2732 hci_dev_lock(hdev); 2733 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr); 2734 if (conn) 2735 req.type = conn->auth_type; 2736 hci_dev_unlock(hdev); 2737 2738 if (!conn) 2739 return -ENOENT; 2740 2741 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0; 2742 } 2743 2744 struct hci_chan *hci_chan_create(struct hci_conn *conn) 2745 { 2746 struct hci_dev *hdev = conn->hdev; 2747 struct hci_chan *chan; 2748 2749 BT_DBG("%s hcon %p", hdev->name, conn); 2750 2751 if (test_bit(HCI_CONN_DROP, &conn->flags)) { 2752 BT_DBG("Refusing to create new hci_chan"); 2753 return NULL; 2754 } 2755 2756 chan = kzalloc(sizeof(*chan), GFP_KERNEL); 2757 if (!chan) 2758 return NULL; 2759 2760 chan->conn = hci_conn_get(conn); 2761 skb_queue_head_init(&chan->data_q); 2762 chan->state = BT_CONNECTED; 2763 2764 list_add_rcu(&chan->list, &conn->chan_list); 2765 2766 return chan; 2767 } 2768 2769 void hci_chan_del(struct hci_chan *chan) 2770 { 2771 struct hci_conn *conn = chan->conn; 2772 struct hci_dev *hdev = conn->hdev; 2773 2774 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan); 2775 2776 list_del_rcu(&chan->list); 2777 2778 synchronize_rcu(); 2779 2780 /* Prevent new hci_chan's to be created for this hci_conn */ 2781 set_bit(HCI_CONN_DROP, &conn->flags); 2782 2783 hci_conn_put(conn); 2784 2785 skb_queue_purge(&chan->data_q); 2786 kfree(chan); 2787 } 2788 2789 void hci_chan_list_flush(struct hci_conn *conn) 2790 { 2791 struct hci_chan *chan, *n; 2792 2793 BT_DBG("hcon %p", conn); 2794 2795 list_for_each_entry_safe(chan, n, &conn->chan_list, list) 2796 hci_chan_del(chan); 2797 } 2798 2799 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon, 2800 __u16 handle) 2801 { 2802 struct hci_chan *hchan; 2803 2804 list_for_each_entry(hchan, &hcon->chan_list, list) { 2805 if (hchan->handle == handle) 2806 return hchan; 2807 } 2808 2809 return NULL; 2810 } 2811 2812 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle) 2813 { 2814 struct hci_conn_hash *h = &hdev->conn_hash; 2815 struct hci_conn *hcon; 2816 struct hci_chan *hchan = NULL; 2817 2818 rcu_read_lock(); 2819 2820 list_for_each_entry_rcu(hcon, &h->list, list) { 2821 hchan = __hci_chan_lookup_handle(hcon, handle); 2822 if (hchan) 2823 break; 2824 } 2825 2826 rcu_read_unlock(); 2827 2828 return hchan; 2829 } 2830 2831 u32 hci_conn_get_phy(struct hci_conn *conn) 2832 { 2833 u32 phys = 0; 2834 2835 /* BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part B page 471: 2836 * Table 6.2: Packets defined for synchronous, asynchronous, and 2837 * CPB logical transport types. 2838 */ 2839 switch (conn->type) { 2840 case SCO_LINK: 2841 /* SCO logical transport (1 Mb/s): 2842 * HV1, HV2, HV3 and DV. 2843 */ 2844 phys |= BT_PHY_BR_1M_1SLOT; 2845 2846 break; 2847 2848 case ACL_LINK: 2849 /* ACL logical transport (1 Mb/s) ptt=0: 2850 * DH1, DM3, DH3, DM5 and DH5. 2851 */ 2852 phys |= BT_PHY_BR_1M_1SLOT; 2853 2854 if (conn->pkt_type & (HCI_DM3 | HCI_DH3)) 2855 phys |= BT_PHY_BR_1M_3SLOT; 2856 2857 if (conn->pkt_type & (HCI_DM5 | HCI_DH5)) 2858 phys |= BT_PHY_BR_1M_5SLOT; 2859 2860 /* ACL logical transport (2 Mb/s) ptt=1: 2861 * 2-DH1, 2-DH3 and 2-DH5. 2862 */ 2863 if (!(conn->pkt_type & HCI_2DH1)) 2864 phys |= BT_PHY_EDR_2M_1SLOT; 2865 2866 if (!(conn->pkt_type & HCI_2DH3)) 2867 phys |= BT_PHY_EDR_2M_3SLOT; 2868 2869 if (!(conn->pkt_type & HCI_2DH5)) 2870 phys |= BT_PHY_EDR_2M_5SLOT; 2871 2872 /* ACL logical transport (3 Mb/s) ptt=1: 2873 * 3-DH1, 3-DH3 and 3-DH5. 2874 */ 2875 if (!(conn->pkt_type & HCI_3DH1)) 2876 phys |= BT_PHY_EDR_3M_1SLOT; 2877 2878 if (!(conn->pkt_type & HCI_3DH3)) 2879 phys |= BT_PHY_EDR_3M_3SLOT; 2880 2881 if (!(conn->pkt_type & HCI_3DH5)) 2882 phys |= BT_PHY_EDR_3M_5SLOT; 2883 2884 break; 2885 2886 case ESCO_LINK: 2887 /* eSCO logical transport (1 Mb/s): EV3, EV4 and EV5 */ 2888 phys |= BT_PHY_BR_1M_1SLOT; 2889 2890 if (!(conn->pkt_type & (ESCO_EV4 | ESCO_EV5))) 2891 phys |= BT_PHY_BR_1M_3SLOT; 2892 2893 /* eSCO logical transport (2 Mb/s): 2-EV3, 2-EV5 */ 2894 if (!(conn->pkt_type & ESCO_2EV3)) 2895 phys |= BT_PHY_EDR_2M_1SLOT; 2896 2897 if (!(conn->pkt_type & ESCO_2EV5)) 2898 phys |= BT_PHY_EDR_2M_3SLOT; 2899 2900 /* eSCO logical transport (3 Mb/s): 3-EV3, 3-EV5 */ 2901 if (!(conn->pkt_type & ESCO_3EV3)) 2902 phys |= BT_PHY_EDR_3M_1SLOT; 2903 2904 if (!(conn->pkt_type & ESCO_3EV5)) 2905 phys |= BT_PHY_EDR_3M_3SLOT; 2906 2907 break; 2908 2909 case LE_LINK: 2910 if (conn->le_tx_phy & HCI_LE_SET_PHY_1M) 2911 phys |= BT_PHY_LE_1M_TX; 2912 2913 if (conn->le_rx_phy & HCI_LE_SET_PHY_1M) 2914 phys |= BT_PHY_LE_1M_RX; 2915 2916 if (conn->le_tx_phy & HCI_LE_SET_PHY_2M) 2917 phys |= BT_PHY_LE_2M_TX; 2918 2919 if (conn->le_rx_phy & HCI_LE_SET_PHY_2M) 2920 phys |= BT_PHY_LE_2M_RX; 2921 2922 if (conn->le_tx_phy & HCI_LE_SET_PHY_CODED) 2923 phys |= BT_PHY_LE_CODED_TX; 2924 2925 if (conn->le_rx_phy & HCI_LE_SET_PHY_CODED) 2926 phys |= BT_PHY_LE_CODED_RX; 2927 2928 break; 2929 } 2930 2931 return phys; 2932 } 2933 2934 static int abort_conn_sync(struct hci_dev *hdev, void *data) 2935 { 2936 struct hci_conn *conn; 2937 u16 handle = PTR_UINT(data); 2938 2939 conn = hci_conn_hash_lookup_handle(hdev, handle); 2940 if (!conn) 2941 return 0; 2942 2943 return hci_abort_conn_sync(hdev, conn, conn->abort_reason); 2944 } 2945 2946 int hci_abort_conn(struct hci_conn *conn, u8 reason) 2947 { 2948 struct hci_dev *hdev = conn->hdev; 2949 2950 /* If abort_reason has already been set it means the connection is 2951 * already being aborted so don't attempt to overwrite it. 2952 */ 2953 if (conn->abort_reason) 2954 return 0; 2955 2956 bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason); 2957 2958 conn->abort_reason = reason; 2959 2960 /* If the connection is pending check the command opcode since that 2961 * might be blocking on hci_cmd_sync_work while waiting its respective 2962 * event so we need to hci_cmd_sync_cancel to cancel it. 2963 * 2964 * hci_connect_le serializes the connection attempts so only one 2965 * connection can be in BT_CONNECT at time. 2966 */ 2967 if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) { 2968 switch (hci_skb_event(hdev->sent_cmd)) { 2969 case HCI_EV_LE_CONN_COMPLETE: 2970 case HCI_EV_LE_ENHANCED_CONN_COMPLETE: 2971 case HCI_EVT_LE_CIS_ESTABLISHED: 2972 hci_cmd_sync_cancel(hdev, ECANCELED); 2973 break; 2974 } 2975 } 2976 2977 return hci_cmd_sync_queue(hdev, abort_conn_sync, UINT_PTR(conn->handle), 2978 NULL); 2979 } 2980