xref: /openbmc/linux/net/bluetooth/hci_conn.c (revision bed0896008334eeee4b4bfd7150491ca098cbf72)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4    Copyright 2023 NXP
5 
6    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License version 2 as
10    published by the Free Software Foundation;
11 
12    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 
21    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23    SOFTWARE IS DISCLAIMED.
24 */
25 
26 /* Bluetooth HCI connection handling. */
27 
28 #include <linux/export.h>
29 #include <linux/debugfs.h>
30 
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/iso.h>
35 #include <net/bluetooth/mgmt.h>
36 
37 #include "hci_request.h"
38 #include "smp.h"
39 #include "eir.h"
40 
41 struct sco_param {
42 	u16 pkt_type;
43 	u16 max_latency;
44 	u8  retrans_effort;
45 };
46 
47 struct conn_handle_t {
48 	struct hci_conn *conn;
49 	__u16 handle;
50 };
51 
52 static const struct sco_param esco_param_cvsd[] = {
53 	{ EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a,	0x01 }, /* S3 */
54 	{ EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007,	0x01 }, /* S2 */
55 	{ EDR_ESCO_MASK | ESCO_EV3,   0x0007,	0x01 }, /* S1 */
56 	{ EDR_ESCO_MASK | ESCO_HV3,   0xffff,	0x01 }, /* D1 */
57 	{ EDR_ESCO_MASK | ESCO_HV1,   0xffff,	0x01 }, /* D0 */
58 };
59 
60 static const struct sco_param sco_param_cvsd[] = {
61 	{ EDR_ESCO_MASK | ESCO_HV3,   0xffff,	0xff }, /* D1 */
62 	{ EDR_ESCO_MASK | ESCO_HV1,   0xffff,	0xff }, /* D0 */
63 };
64 
65 static const struct sco_param esco_param_msbc[] = {
66 	{ EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d,	0x02 }, /* T2 */
67 	{ EDR_ESCO_MASK | ESCO_EV3,   0x0008,	0x02 }, /* T1 */
68 };
69 
70 /* This function requires the caller holds hdev->lock */
71 static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
72 {
73 	struct hci_conn_params *params;
74 	struct hci_dev *hdev = conn->hdev;
75 	struct smp_irk *irk;
76 	bdaddr_t *bdaddr;
77 	u8 bdaddr_type;
78 
79 	bdaddr = &conn->dst;
80 	bdaddr_type = conn->dst_type;
81 
82 	/* Check if we need to convert to identity address */
83 	irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
84 	if (irk) {
85 		bdaddr = &irk->bdaddr;
86 		bdaddr_type = irk->addr_type;
87 	}
88 
89 	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr,
90 					   bdaddr_type);
91 	if (!params)
92 		return;
93 
94 	if (params->conn) {
95 		hci_conn_drop(params->conn);
96 		hci_conn_put(params->conn);
97 		params->conn = NULL;
98 	}
99 
100 	if (!params->explicit_connect)
101 		return;
102 
103 	/* If the status indicates successful cancellation of
104 	 * the attempt (i.e. Unknown Connection Id) there's no point of
105 	 * notifying failure since we'll go back to keep trying to
106 	 * connect. The only exception is explicit connect requests
107 	 * where a timeout + cancel does indicate an actual failure.
108 	 */
109 	if (status && status != HCI_ERROR_UNKNOWN_CONN_ID)
110 		mgmt_connect_failed(hdev, &conn->dst, conn->type,
111 				    conn->dst_type, status);
112 
113 	/* The connection attempt was doing scan for new RPA, and is
114 	 * in scan phase. If params are not associated with any other
115 	 * autoconnect action, remove them completely. If they are, just unmark
116 	 * them as waiting for connection, by clearing explicit_connect field.
117 	 */
118 	params->explicit_connect = false;
119 
120 	hci_pend_le_list_del_init(params);
121 
122 	switch (params->auto_connect) {
123 	case HCI_AUTO_CONN_EXPLICIT:
124 		hci_conn_params_del(hdev, bdaddr, bdaddr_type);
125 		/* return instead of break to avoid duplicate scan update */
126 		return;
127 	case HCI_AUTO_CONN_DIRECT:
128 	case HCI_AUTO_CONN_ALWAYS:
129 		hci_pend_le_list_add(params, &hdev->pend_le_conns);
130 		break;
131 	case HCI_AUTO_CONN_REPORT:
132 		hci_pend_le_list_add(params, &hdev->pend_le_reports);
133 		break;
134 	default:
135 		break;
136 	}
137 
138 	hci_update_passive_scan(hdev);
139 }
140 
141 static void hci_conn_cleanup(struct hci_conn *conn)
142 {
143 	struct hci_dev *hdev = conn->hdev;
144 
145 	if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
146 		hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);
147 
148 	if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
149 		hci_remove_link_key(hdev, &conn->dst);
150 
151 	hci_chan_list_flush(conn);
152 
153 	hci_conn_hash_del(hdev, conn);
154 
155 	if (HCI_CONN_HANDLE_UNSET(conn->handle))
156 		ida_free(&hdev->unset_handle_ida, conn->handle);
157 
158 	if (conn->cleanup)
159 		conn->cleanup(conn);
160 
161 	if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
162 		switch (conn->setting & SCO_AIRMODE_MASK) {
163 		case SCO_AIRMODE_CVSD:
164 		case SCO_AIRMODE_TRANSP:
165 			if (hdev->notify)
166 				hdev->notify(hdev, HCI_NOTIFY_DISABLE_SCO);
167 			break;
168 		}
169 	} else {
170 		if (hdev->notify)
171 			hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
172 	}
173 
174 	debugfs_remove_recursive(conn->debugfs);
175 
176 	hci_conn_del_sysfs(conn);
177 
178 	hci_dev_put(hdev);
179 }
180 
181 static void hci_acl_create_connection(struct hci_conn *conn)
182 {
183 	struct hci_dev *hdev = conn->hdev;
184 	struct inquiry_entry *ie;
185 	struct hci_cp_create_conn cp;
186 
187 	BT_DBG("hcon %p", conn);
188 
189 	/* Many controllers disallow HCI Create Connection while it is doing
190 	 * HCI Inquiry. So we cancel the Inquiry first before issuing HCI Create
191 	 * Connection. This may cause the MGMT discovering state to become false
192 	 * without user space's request but it is okay since the MGMT Discovery
193 	 * APIs do not promise that discovery should be done forever. Instead,
194 	 * the user space monitors the status of MGMT discovering and it may
195 	 * request for discovery again when this flag becomes false.
196 	 */
197 	if (test_bit(HCI_INQUIRY, &hdev->flags)) {
198 		/* Put this connection to "pending" state so that it will be
199 		 * executed after the inquiry cancel command complete event.
200 		 */
201 		conn->state = BT_CONNECT2;
202 		hci_send_cmd(hdev, HCI_OP_INQUIRY_CANCEL, 0, NULL);
203 		return;
204 	}
205 
206 	conn->state = BT_CONNECT;
207 	conn->out = true;
208 	conn->role = HCI_ROLE_MASTER;
209 
210 	conn->attempt++;
211 
212 	conn->link_policy = hdev->link_policy;
213 
214 	memset(&cp, 0, sizeof(cp));
215 	bacpy(&cp.bdaddr, &conn->dst);
216 	cp.pscan_rep_mode = 0x02;
217 
218 	ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
219 	if (ie) {
220 		if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) {
221 			cp.pscan_rep_mode = ie->data.pscan_rep_mode;
222 			cp.pscan_mode     = ie->data.pscan_mode;
223 			cp.clock_offset   = ie->data.clock_offset |
224 					    cpu_to_le16(0x8000);
225 		}
226 
227 		memcpy(conn->dev_class, ie->data.dev_class, 3);
228 	}
229 
230 	cp.pkt_type = cpu_to_le16(conn->pkt_type);
231 	if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER))
232 		cp.role_switch = 0x01;
233 	else
234 		cp.role_switch = 0x00;
235 
236 	hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
237 }
238 
239 int hci_disconnect(struct hci_conn *conn, __u8 reason)
240 {
241 	BT_DBG("hcon %p", conn);
242 
243 	/* When we are central of an established connection and it enters
244 	 * the disconnect timeout, then go ahead and try to read the
245 	 * current clock offset.  Processing of the result is done
246 	 * within the event handling and hci_clock_offset_evt function.
247 	 */
248 	if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER &&
249 	    (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) {
250 		struct hci_dev *hdev = conn->hdev;
251 		struct hci_cp_read_clock_offset clkoff_cp;
252 
253 		clkoff_cp.handle = cpu_to_le16(conn->handle);
254 		hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp),
255 			     &clkoff_cp);
256 	}
257 
258 	return hci_abort_conn(conn, reason);
259 }
260 
261 static void hci_add_sco(struct hci_conn *conn, __u16 handle)
262 {
263 	struct hci_dev *hdev = conn->hdev;
264 	struct hci_cp_add_sco cp;
265 
266 	BT_DBG("hcon %p", conn);
267 
268 	conn->state = BT_CONNECT;
269 	conn->out = true;
270 
271 	conn->attempt++;
272 
273 	cp.handle   = cpu_to_le16(handle);
274 	cp.pkt_type = cpu_to_le16(conn->pkt_type);
275 
276 	hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
277 }
278 
279 static bool find_next_esco_param(struct hci_conn *conn,
280 				 const struct sco_param *esco_param, int size)
281 {
282 	if (!conn->parent)
283 		return false;
284 
285 	for (; conn->attempt <= size; conn->attempt++) {
286 		if (lmp_esco_2m_capable(conn->parent) ||
287 		    (esco_param[conn->attempt - 1].pkt_type & ESCO_2EV3))
288 			break;
289 		BT_DBG("hcon %p skipped attempt %d, eSCO 2M not supported",
290 		       conn, conn->attempt);
291 	}
292 
293 	return conn->attempt <= size;
294 }
295 
296 static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec)
297 {
298 	int err;
299 	__u8 vnd_len, *vnd_data = NULL;
300 	struct hci_op_configure_data_path *cmd = NULL;
301 
302 	err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len,
303 					  &vnd_data);
304 	if (err < 0)
305 		goto error;
306 
307 	cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL);
308 	if (!cmd) {
309 		err = -ENOMEM;
310 		goto error;
311 	}
312 
313 	err = hdev->get_data_path_id(hdev, &cmd->data_path_id);
314 	if (err < 0)
315 		goto error;
316 
317 	cmd->vnd_len = vnd_len;
318 	memcpy(cmd->vnd_data, vnd_data, vnd_len);
319 
320 	cmd->direction = 0x00;
321 	__hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
322 			      sizeof(*cmd) + vnd_len, cmd, HCI_CMD_TIMEOUT);
323 
324 	cmd->direction = 0x01;
325 	err = __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
326 				    sizeof(*cmd) + vnd_len, cmd,
327 				    HCI_CMD_TIMEOUT);
328 error:
329 
330 	kfree(cmd);
331 	kfree(vnd_data);
332 	return err;
333 }
334 
335 static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data)
336 {
337 	struct conn_handle_t *conn_handle = data;
338 	struct hci_conn *conn = conn_handle->conn;
339 	__u16 handle = conn_handle->handle;
340 	struct hci_cp_enhanced_setup_sync_conn cp;
341 	const struct sco_param *param;
342 
343 	kfree(conn_handle);
344 
345 	bt_dev_dbg(hdev, "hcon %p", conn);
346 
347 	/* for offload use case, codec needs to configured before opening SCO */
348 	if (conn->codec.data_path)
349 		configure_datapath_sync(hdev, &conn->codec);
350 
351 	conn->state = BT_CONNECT;
352 	conn->out = true;
353 
354 	conn->attempt++;
355 
356 	memset(&cp, 0x00, sizeof(cp));
357 
358 	cp.handle   = cpu_to_le16(handle);
359 
360 	cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
361 	cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
362 
363 	switch (conn->codec.id) {
364 	case BT_CODEC_MSBC:
365 		if (!find_next_esco_param(conn, esco_param_msbc,
366 					  ARRAY_SIZE(esco_param_msbc)))
367 			return -EINVAL;
368 
369 		param = &esco_param_msbc[conn->attempt - 1];
370 		cp.tx_coding_format.id = 0x05;
371 		cp.rx_coding_format.id = 0x05;
372 		cp.tx_codec_frame_size = __cpu_to_le16(60);
373 		cp.rx_codec_frame_size = __cpu_to_le16(60);
374 		cp.in_bandwidth = __cpu_to_le32(32000);
375 		cp.out_bandwidth = __cpu_to_le32(32000);
376 		cp.in_coding_format.id = 0x04;
377 		cp.out_coding_format.id = 0x04;
378 		cp.in_coded_data_size = __cpu_to_le16(16);
379 		cp.out_coded_data_size = __cpu_to_le16(16);
380 		cp.in_pcm_data_format = 2;
381 		cp.out_pcm_data_format = 2;
382 		cp.in_pcm_sample_payload_msb_pos = 0;
383 		cp.out_pcm_sample_payload_msb_pos = 0;
384 		cp.in_data_path = conn->codec.data_path;
385 		cp.out_data_path = conn->codec.data_path;
386 		cp.in_transport_unit_size = 1;
387 		cp.out_transport_unit_size = 1;
388 		break;
389 
390 	case BT_CODEC_TRANSPARENT:
391 		if (!find_next_esco_param(conn, esco_param_msbc,
392 					  ARRAY_SIZE(esco_param_msbc)))
393 			return false;
394 		param = &esco_param_msbc[conn->attempt - 1];
395 		cp.tx_coding_format.id = 0x03;
396 		cp.rx_coding_format.id = 0x03;
397 		cp.tx_codec_frame_size = __cpu_to_le16(60);
398 		cp.rx_codec_frame_size = __cpu_to_le16(60);
399 		cp.in_bandwidth = __cpu_to_le32(0x1f40);
400 		cp.out_bandwidth = __cpu_to_le32(0x1f40);
401 		cp.in_coding_format.id = 0x03;
402 		cp.out_coding_format.id = 0x03;
403 		cp.in_coded_data_size = __cpu_to_le16(16);
404 		cp.out_coded_data_size = __cpu_to_le16(16);
405 		cp.in_pcm_data_format = 2;
406 		cp.out_pcm_data_format = 2;
407 		cp.in_pcm_sample_payload_msb_pos = 0;
408 		cp.out_pcm_sample_payload_msb_pos = 0;
409 		cp.in_data_path = conn->codec.data_path;
410 		cp.out_data_path = conn->codec.data_path;
411 		cp.in_transport_unit_size = 1;
412 		cp.out_transport_unit_size = 1;
413 		break;
414 
415 	case BT_CODEC_CVSD:
416 		if (conn->parent && lmp_esco_capable(conn->parent)) {
417 			if (!find_next_esco_param(conn, esco_param_cvsd,
418 						  ARRAY_SIZE(esco_param_cvsd)))
419 				return -EINVAL;
420 			param = &esco_param_cvsd[conn->attempt - 1];
421 		} else {
422 			if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
423 				return -EINVAL;
424 			param = &sco_param_cvsd[conn->attempt - 1];
425 		}
426 		cp.tx_coding_format.id = 2;
427 		cp.rx_coding_format.id = 2;
428 		cp.tx_codec_frame_size = __cpu_to_le16(60);
429 		cp.rx_codec_frame_size = __cpu_to_le16(60);
430 		cp.in_bandwidth = __cpu_to_le32(16000);
431 		cp.out_bandwidth = __cpu_to_le32(16000);
432 		cp.in_coding_format.id = 4;
433 		cp.out_coding_format.id = 4;
434 		cp.in_coded_data_size = __cpu_to_le16(16);
435 		cp.out_coded_data_size = __cpu_to_le16(16);
436 		cp.in_pcm_data_format = 2;
437 		cp.out_pcm_data_format = 2;
438 		cp.in_pcm_sample_payload_msb_pos = 0;
439 		cp.out_pcm_sample_payload_msb_pos = 0;
440 		cp.in_data_path = conn->codec.data_path;
441 		cp.out_data_path = conn->codec.data_path;
442 		cp.in_transport_unit_size = 16;
443 		cp.out_transport_unit_size = 16;
444 		break;
445 	default:
446 		return -EINVAL;
447 	}
448 
449 	cp.retrans_effort = param->retrans_effort;
450 	cp.pkt_type = __cpu_to_le16(param->pkt_type);
451 	cp.max_latency = __cpu_to_le16(param->max_latency);
452 
453 	if (hci_send_cmd(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
454 		return -EIO;
455 
456 	return 0;
457 }
458 
459 static bool hci_setup_sync_conn(struct hci_conn *conn, __u16 handle)
460 {
461 	struct hci_dev *hdev = conn->hdev;
462 	struct hci_cp_setup_sync_conn cp;
463 	const struct sco_param *param;
464 
465 	bt_dev_dbg(hdev, "hcon %p", conn);
466 
467 	conn->state = BT_CONNECT;
468 	conn->out = true;
469 
470 	conn->attempt++;
471 
472 	cp.handle   = cpu_to_le16(handle);
473 
474 	cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
475 	cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
476 	cp.voice_setting  = cpu_to_le16(conn->setting);
477 
478 	switch (conn->setting & SCO_AIRMODE_MASK) {
479 	case SCO_AIRMODE_TRANSP:
480 		if (!find_next_esco_param(conn, esco_param_msbc,
481 					  ARRAY_SIZE(esco_param_msbc)))
482 			return false;
483 		param = &esco_param_msbc[conn->attempt - 1];
484 		break;
485 	case SCO_AIRMODE_CVSD:
486 		if (conn->parent && lmp_esco_capable(conn->parent)) {
487 			if (!find_next_esco_param(conn, esco_param_cvsd,
488 						  ARRAY_SIZE(esco_param_cvsd)))
489 				return false;
490 			param = &esco_param_cvsd[conn->attempt - 1];
491 		} else {
492 			if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
493 				return false;
494 			param = &sco_param_cvsd[conn->attempt - 1];
495 		}
496 		break;
497 	default:
498 		return false;
499 	}
500 
501 	cp.retrans_effort = param->retrans_effort;
502 	cp.pkt_type = __cpu_to_le16(param->pkt_type);
503 	cp.max_latency = __cpu_to_le16(param->max_latency);
504 
505 	if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
506 		return false;
507 
508 	return true;
509 }
510 
511 bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
512 {
513 	int result;
514 	struct conn_handle_t *conn_handle;
515 
516 	if (enhanced_sync_conn_capable(conn->hdev)) {
517 		conn_handle = kzalloc(sizeof(*conn_handle), GFP_KERNEL);
518 
519 		if (!conn_handle)
520 			return false;
521 
522 		conn_handle->conn = conn;
523 		conn_handle->handle = handle;
524 		result = hci_cmd_sync_queue(conn->hdev, hci_enhanced_setup_sync,
525 					    conn_handle, NULL);
526 		if (result < 0)
527 			kfree(conn_handle);
528 
529 		return result == 0;
530 	}
531 
532 	return hci_setup_sync_conn(conn, handle);
533 }
534 
535 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
536 		      u16 to_multiplier)
537 {
538 	struct hci_dev *hdev = conn->hdev;
539 	struct hci_conn_params *params;
540 	struct hci_cp_le_conn_update cp;
541 
542 	hci_dev_lock(hdev);
543 
544 	params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
545 	if (params) {
546 		params->conn_min_interval = min;
547 		params->conn_max_interval = max;
548 		params->conn_latency = latency;
549 		params->supervision_timeout = to_multiplier;
550 	}
551 
552 	hci_dev_unlock(hdev);
553 
554 	memset(&cp, 0, sizeof(cp));
555 	cp.handle		= cpu_to_le16(conn->handle);
556 	cp.conn_interval_min	= cpu_to_le16(min);
557 	cp.conn_interval_max	= cpu_to_le16(max);
558 	cp.conn_latency		= cpu_to_le16(latency);
559 	cp.supervision_timeout	= cpu_to_le16(to_multiplier);
560 	cp.min_ce_len		= cpu_to_le16(0x0000);
561 	cp.max_ce_len		= cpu_to_le16(0x0000);
562 
563 	hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
564 
565 	if (params)
566 		return 0x01;
567 
568 	return 0x00;
569 }
570 
571 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
572 		      __u8 ltk[16], __u8 key_size)
573 {
574 	struct hci_dev *hdev = conn->hdev;
575 	struct hci_cp_le_start_enc cp;
576 
577 	BT_DBG("hcon %p", conn);
578 
579 	memset(&cp, 0, sizeof(cp));
580 
581 	cp.handle = cpu_to_le16(conn->handle);
582 	cp.rand = rand;
583 	cp.ediv = ediv;
584 	memcpy(cp.ltk, ltk, key_size);
585 
586 	hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
587 }
588 
589 /* Device _must_ be locked */
590 void hci_sco_setup(struct hci_conn *conn, __u8 status)
591 {
592 	struct hci_link *link;
593 
594 	link = list_first_entry_or_null(&conn->link_list, struct hci_link, list);
595 	if (!link || !link->conn)
596 		return;
597 
598 	BT_DBG("hcon %p", conn);
599 
600 	if (!status) {
601 		if (lmp_esco_capable(conn->hdev))
602 			hci_setup_sync(link->conn, conn->handle);
603 		else
604 			hci_add_sco(link->conn, conn->handle);
605 	} else {
606 		hci_connect_cfm(link->conn, status);
607 		hci_conn_del(link->conn);
608 	}
609 }
610 
611 static void hci_conn_timeout(struct work_struct *work)
612 {
613 	struct hci_conn *conn = container_of(work, struct hci_conn,
614 					     disc_work.work);
615 	int refcnt = atomic_read(&conn->refcnt);
616 
617 	BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
618 
619 	WARN_ON(refcnt < 0);
620 
621 	/* FIXME: It was observed that in pairing failed scenario, refcnt
622 	 * drops below 0. Probably this is because l2cap_conn_del calls
623 	 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
624 	 * dropped. After that loop hci_chan_del is called which also drops
625 	 * conn. For now make sure that ACL is alive if refcnt is higher then 0,
626 	 * otherwise drop it.
627 	 */
628 	if (refcnt > 0)
629 		return;
630 
631 	hci_abort_conn(conn, hci_proto_disconn_ind(conn));
632 }
633 
634 /* Enter sniff mode */
635 static void hci_conn_idle(struct work_struct *work)
636 {
637 	struct hci_conn *conn = container_of(work, struct hci_conn,
638 					     idle_work.work);
639 	struct hci_dev *hdev = conn->hdev;
640 
641 	BT_DBG("hcon %p mode %d", conn, conn->mode);
642 
643 	if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
644 		return;
645 
646 	if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
647 		return;
648 
649 	if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
650 		struct hci_cp_sniff_subrate cp;
651 		cp.handle             = cpu_to_le16(conn->handle);
652 		cp.max_latency        = cpu_to_le16(0);
653 		cp.min_remote_timeout = cpu_to_le16(0);
654 		cp.min_local_timeout  = cpu_to_le16(0);
655 		hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
656 	}
657 
658 	if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
659 		struct hci_cp_sniff_mode cp;
660 		cp.handle       = cpu_to_le16(conn->handle);
661 		cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
662 		cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
663 		cp.attempt      = cpu_to_le16(4);
664 		cp.timeout      = cpu_to_le16(1);
665 		hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
666 	}
667 }
668 
669 static void hci_conn_auto_accept(struct work_struct *work)
670 {
671 	struct hci_conn *conn = container_of(work, struct hci_conn,
672 					     auto_accept_work.work);
673 
674 	hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
675 		     &conn->dst);
676 }
677 
678 static void le_disable_advertising(struct hci_dev *hdev)
679 {
680 	if (ext_adv_capable(hdev)) {
681 		struct hci_cp_le_set_ext_adv_enable cp;
682 
683 		cp.enable = 0x00;
684 		cp.num_of_sets = 0x00;
685 
686 		hci_send_cmd(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE, sizeof(cp),
687 			     &cp);
688 	} else {
689 		u8 enable = 0x00;
690 		hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
691 			     &enable);
692 	}
693 }
694 
695 static void le_conn_timeout(struct work_struct *work)
696 {
697 	struct hci_conn *conn = container_of(work, struct hci_conn,
698 					     le_conn_timeout.work);
699 	struct hci_dev *hdev = conn->hdev;
700 
701 	BT_DBG("");
702 
703 	/* We could end up here due to having done directed advertising,
704 	 * so clean up the state if necessary. This should however only
705 	 * happen with broken hardware or if low duty cycle was used
706 	 * (which doesn't have a timeout of its own).
707 	 */
708 	if (conn->role == HCI_ROLE_SLAVE) {
709 		/* Disable LE Advertising */
710 		le_disable_advertising(hdev);
711 		hci_dev_lock(hdev);
712 		hci_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
713 		hci_dev_unlock(hdev);
714 		return;
715 	}
716 
717 	hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
718 }
719 
720 struct iso_cig_params {
721 	struct hci_cp_le_set_cig_params cp;
722 	struct hci_cis_params cis[0x1f];
723 };
724 
725 struct iso_list_data {
726 	union {
727 		u8  cig;
728 		u8  big;
729 	};
730 	union {
731 		u8  cis;
732 		u8  bis;
733 		u16 sync_handle;
734 	};
735 	int count;
736 	bool big_term;
737 	bool pa_sync_term;
738 	bool big_sync_term;
739 };
740 
741 static void bis_list(struct hci_conn *conn, void *data)
742 {
743 	struct iso_list_data *d = data;
744 
745 	/* Skip if not broadcast/ANY address */
746 	if (bacmp(&conn->dst, BDADDR_ANY))
747 		return;
748 
749 	if (d->big != conn->iso_qos.bcast.big || d->bis == BT_ISO_QOS_BIS_UNSET ||
750 	    d->bis != conn->iso_qos.bcast.bis)
751 		return;
752 
753 	d->count++;
754 }
755 
756 static int terminate_big_sync(struct hci_dev *hdev, void *data)
757 {
758 	struct iso_list_data *d = data;
759 
760 	bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", d->big, d->bis);
761 
762 	hci_disable_per_advertising_sync(hdev, d->bis);
763 	hci_remove_ext_adv_instance_sync(hdev, d->bis, NULL);
764 
765 	/* Only terminate BIG if it has been created */
766 	if (!d->big_term)
767 		return 0;
768 
769 	return hci_le_terminate_big_sync(hdev, d->big,
770 					 HCI_ERROR_LOCAL_HOST_TERM);
771 }
772 
773 static void terminate_big_destroy(struct hci_dev *hdev, void *data, int err)
774 {
775 	kfree(data);
776 }
777 
778 static int hci_le_terminate_big(struct hci_dev *hdev, struct hci_conn *conn)
779 {
780 	struct iso_list_data *d;
781 	int ret;
782 
783 	bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", conn->iso_qos.bcast.big,
784 		   conn->iso_qos.bcast.bis);
785 
786 	d = kzalloc(sizeof(*d), GFP_KERNEL);
787 	if (!d)
788 		return -ENOMEM;
789 
790 	d->big = conn->iso_qos.bcast.big;
791 	d->bis = conn->iso_qos.bcast.bis;
792 	d->big_term = test_and_clear_bit(HCI_CONN_BIG_CREATED, &conn->flags);
793 
794 	ret = hci_cmd_sync_queue(hdev, terminate_big_sync, d,
795 				 terminate_big_destroy);
796 	if (ret)
797 		kfree(d);
798 
799 	return ret;
800 }
801 
802 static int big_terminate_sync(struct hci_dev *hdev, void *data)
803 {
804 	struct iso_list_data *d = data;
805 
806 	bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", d->big,
807 		   d->sync_handle);
808 
809 	if (d->big_sync_term)
810 		hci_le_big_terminate_sync(hdev, d->big);
811 
812 	if (d->pa_sync_term)
813 		return hci_le_pa_terminate_sync(hdev, d->sync_handle);
814 
815 	return 0;
816 }
817 
818 static int hci_le_big_terminate(struct hci_dev *hdev, u8 big, struct hci_conn *conn)
819 {
820 	struct iso_list_data *d;
821 	int ret;
822 
823 	bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", big, conn->sync_handle);
824 
825 	d = kzalloc(sizeof(*d), GFP_KERNEL);
826 	if (!d)
827 		return -ENOMEM;
828 
829 	d->big = big;
830 	d->sync_handle = conn->sync_handle;
831 	d->pa_sync_term = test_and_clear_bit(HCI_CONN_PA_SYNC, &conn->flags);
832 	d->big_sync_term = test_and_clear_bit(HCI_CONN_BIG_SYNC, &conn->flags);
833 
834 	ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d,
835 				 terminate_big_destroy);
836 	if (ret)
837 		kfree(d);
838 
839 	return ret;
840 }
841 
842 /* Cleanup BIS connection
843  *
844  * Detects if there any BIS left connected in a BIG
845  * broadcaster: Remove advertising instance and terminate BIG.
846  * broadcaster receiver: Teminate BIG sync and terminate PA sync.
847  */
848 static void bis_cleanup(struct hci_conn *conn)
849 {
850 	struct hci_dev *hdev = conn->hdev;
851 	struct hci_conn *bis;
852 
853 	bt_dev_dbg(hdev, "conn %p", conn);
854 
855 	if (conn->role == HCI_ROLE_MASTER) {
856 		if (!test_and_clear_bit(HCI_CONN_PER_ADV, &conn->flags))
857 			return;
858 
859 		/* Check if ISO connection is a BIS and terminate advertising
860 		 * set and BIG if there are no other connections using it.
861 		 */
862 		bis = hci_conn_hash_lookup_big(hdev, conn->iso_qos.bcast.big);
863 		if (bis)
864 			return;
865 
866 		hci_le_terminate_big(hdev, conn);
867 	} else {
868 		bis = hci_conn_hash_lookup_big_any_dst(hdev,
869 						       conn->iso_qos.bcast.big);
870 
871 		if (bis)
872 			return;
873 
874 		hci_le_big_terminate(hdev, conn->iso_qos.bcast.big,
875 				     conn);
876 	}
877 }
878 
879 static int remove_cig_sync(struct hci_dev *hdev, void *data)
880 {
881 	u8 handle = PTR_UINT(data);
882 
883 	return hci_le_remove_cig_sync(hdev, handle);
884 }
885 
886 static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle)
887 {
888 	bt_dev_dbg(hdev, "handle 0x%2.2x", handle);
889 
890 	return hci_cmd_sync_queue(hdev, remove_cig_sync, UINT_PTR(handle),
891 				  NULL);
892 }
893 
894 static void find_cis(struct hci_conn *conn, void *data)
895 {
896 	struct iso_list_data *d = data;
897 
898 	/* Ignore broadcast or if CIG don't match */
899 	if (!bacmp(&conn->dst, BDADDR_ANY) || d->cig != conn->iso_qos.ucast.cig)
900 		return;
901 
902 	d->count++;
903 }
904 
905 /* Cleanup CIS connection:
906  *
907  * Detects if there any CIS left connected in a CIG and remove it.
908  */
909 static void cis_cleanup(struct hci_conn *conn)
910 {
911 	struct hci_dev *hdev = conn->hdev;
912 	struct iso_list_data d;
913 
914 	if (conn->iso_qos.ucast.cig == BT_ISO_QOS_CIG_UNSET)
915 		return;
916 
917 	memset(&d, 0, sizeof(d));
918 	d.cig = conn->iso_qos.ucast.cig;
919 
920 	/* Check if ISO connection is a CIS and remove CIG if there are
921 	 * no other connections using it.
922 	 */
923 	hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_BOUND, &d);
924 	hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECT, &d);
925 	hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECTED, &d);
926 	if (d.count)
927 		return;
928 
929 	hci_le_remove_cig(hdev, conn->iso_qos.ucast.cig);
930 }
931 
932 static int hci_conn_hash_alloc_unset(struct hci_dev *hdev)
933 {
934 	return ida_alloc_range(&hdev->unset_handle_ida, HCI_CONN_HANDLE_MAX + 1,
935 			       U16_MAX, GFP_ATOMIC);
936 }
937 
938 static struct hci_conn *__hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
939 				       u8 role, u16 handle)
940 {
941 	struct hci_conn *conn;
942 
943 	switch (type) {
944 	case ACL_LINK:
945 		if (!hdev->acl_mtu)
946 			return ERR_PTR(-ECONNREFUSED);
947 		break;
948 	case ISO_LINK:
949 		if (hdev->iso_mtu)
950 			/* Dedicated ISO Buffer exists */
951 			break;
952 		fallthrough;
953 	case LE_LINK:
954 		if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU)
955 			return ERR_PTR(-ECONNREFUSED);
956 		if (!hdev->le_mtu && hdev->acl_mtu < HCI_MIN_LE_MTU)
957 			return ERR_PTR(-ECONNREFUSED);
958 		break;
959 	case SCO_LINK:
960 	case ESCO_LINK:
961 		if (!hdev->sco_pkts)
962 			/* Controller does not support SCO or eSCO over HCI */
963 			return ERR_PTR(-ECONNREFUSED);
964 		break;
965 	default:
966 		return ERR_PTR(-ECONNREFUSED);
967 	}
968 
969 	bt_dev_dbg(hdev, "dst %pMR handle 0x%4.4x", dst, handle);
970 
971 	conn = kzalloc(sizeof(*conn), GFP_KERNEL);
972 	if (!conn)
973 		return ERR_PTR(-ENOMEM);
974 
975 	bacpy(&conn->dst, dst);
976 	bacpy(&conn->src, &hdev->bdaddr);
977 	conn->handle = handle;
978 	conn->hdev  = hdev;
979 	conn->type  = type;
980 	conn->role  = role;
981 	conn->mode  = HCI_CM_ACTIVE;
982 	conn->state = BT_OPEN;
983 	conn->auth_type = HCI_AT_GENERAL_BONDING;
984 	conn->io_capability = hdev->io_capability;
985 	conn->remote_auth = 0xff;
986 	conn->key_type = 0xff;
987 	conn->rssi = HCI_RSSI_INVALID;
988 	conn->tx_power = HCI_TX_POWER_INVALID;
989 	conn->max_tx_power = HCI_TX_POWER_INVALID;
990 	conn->sync_handle = HCI_SYNC_HANDLE_INVALID;
991 
992 	set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
993 	conn->disc_timeout = HCI_DISCONN_TIMEOUT;
994 
995 	/* Set Default Authenticated payload timeout to 30s */
996 	conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
997 
998 	if (conn->role == HCI_ROLE_MASTER)
999 		conn->out = true;
1000 
1001 	switch (type) {
1002 	case ACL_LINK:
1003 		conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
1004 		conn->mtu = hdev->acl_mtu;
1005 		break;
1006 	case LE_LINK:
1007 		/* conn->src should reflect the local identity address */
1008 		hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
1009 		conn->mtu = hdev->le_mtu ? hdev->le_mtu : hdev->acl_mtu;
1010 		break;
1011 	case ISO_LINK:
1012 		/* conn->src should reflect the local identity address */
1013 		hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
1014 
1015 		/* set proper cleanup function */
1016 		if (!bacmp(dst, BDADDR_ANY))
1017 			conn->cleanup = bis_cleanup;
1018 		else if (conn->role == HCI_ROLE_MASTER)
1019 			conn->cleanup = cis_cleanup;
1020 
1021 		conn->mtu = hdev->iso_mtu ? hdev->iso_mtu :
1022 			    hdev->le_mtu ? hdev->le_mtu : hdev->acl_mtu;
1023 		break;
1024 	case SCO_LINK:
1025 		if (lmp_esco_capable(hdev))
1026 			conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
1027 					(hdev->esco_type & EDR_ESCO_MASK);
1028 		else
1029 			conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
1030 
1031 		conn->mtu = hdev->sco_mtu;
1032 		break;
1033 	case ESCO_LINK:
1034 		conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
1035 		conn->mtu = hdev->sco_mtu;
1036 		break;
1037 	}
1038 
1039 	skb_queue_head_init(&conn->data_q);
1040 
1041 	INIT_LIST_HEAD(&conn->chan_list);
1042 	INIT_LIST_HEAD(&conn->link_list);
1043 
1044 	INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
1045 	INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
1046 	INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
1047 	INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
1048 
1049 	atomic_set(&conn->refcnt, 0);
1050 
1051 	hci_dev_hold(hdev);
1052 
1053 	hci_conn_hash_add(hdev, conn);
1054 
1055 	/* The SCO and eSCO connections will only be notified when their
1056 	 * setup has been completed. This is different to ACL links which
1057 	 * can be notified right away.
1058 	 */
1059 	if (conn->type != SCO_LINK && conn->type != ESCO_LINK) {
1060 		if (hdev->notify)
1061 			hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
1062 	}
1063 
1064 	hci_conn_init_sysfs(conn);
1065 
1066 	return conn;
1067 }
1068 
1069 struct hci_conn *hci_conn_add_unset(struct hci_dev *hdev, int type,
1070 				    bdaddr_t *dst, u8 role)
1071 {
1072 	int handle;
1073 
1074 	bt_dev_dbg(hdev, "dst %pMR", dst);
1075 
1076 	handle = hci_conn_hash_alloc_unset(hdev);
1077 	if (unlikely(handle < 0))
1078 		return ERR_PTR(-ECONNREFUSED);
1079 
1080 	return __hci_conn_add(hdev, type, dst, role, handle);
1081 }
1082 
1083 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
1084 			      u8 role, u16 handle)
1085 {
1086 	if (handle > HCI_CONN_HANDLE_MAX)
1087 		return ERR_PTR(-EINVAL);
1088 
1089 	return __hci_conn_add(hdev, type, dst, role, handle);
1090 }
1091 
1092 static void hci_conn_cleanup_child(struct hci_conn *conn, u8 reason)
1093 {
1094 	if (!reason)
1095 		reason = HCI_ERROR_REMOTE_USER_TERM;
1096 
1097 	/* Due to race, SCO/ISO conn might be not established yet at this point,
1098 	 * and nothing else will clean it up. In other cases it is done via HCI
1099 	 * events.
1100 	 */
1101 	switch (conn->type) {
1102 	case SCO_LINK:
1103 	case ESCO_LINK:
1104 		if (HCI_CONN_HANDLE_UNSET(conn->handle))
1105 			hci_conn_failed(conn, reason);
1106 		break;
1107 	case ISO_LINK:
1108 		if (conn->state != BT_CONNECTED &&
1109 		    !test_bit(HCI_CONN_CREATE_CIS, &conn->flags))
1110 			hci_conn_failed(conn, reason);
1111 		break;
1112 	}
1113 }
1114 
1115 static void hci_conn_unlink(struct hci_conn *conn)
1116 {
1117 	struct hci_dev *hdev = conn->hdev;
1118 
1119 	bt_dev_dbg(hdev, "hcon %p", conn);
1120 
1121 	if (!conn->parent) {
1122 		struct hci_link *link, *t;
1123 
1124 		list_for_each_entry_safe(link, t, &conn->link_list, list) {
1125 			struct hci_conn *child = link->conn;
1126 
1127 			hci_conn_unlink(child);
1128 
1129 			/* If hdev is down it means
1130 			 * hci_dev_close_sync/hci_conn_hash_flush is in progress
1131 			 * and links don't need to be cleanup as all connections
1132 			 * would be cleanup.
1133 			 */
1134 			if (!test_bit(HCI_UP, &hdev->flags))
1135 				continue;
1136 
1137 			hci_conn_cleanup_child(child, conn->abort_reason);
1138 		}
1139 
1140 		return;
1141 	}
1142 
1143 	if (!conn->link)
1144 		return;
1145 
1146 	list_del_rcu(&conn->link->list);
1147 	synchronize_rcu();
1148 
1149 	hci_conn_drop(conn->parent);
1150 	hci_conn_put(conn->parent);
1151 	conn->parent = NULL;
1152 
1153 	kfree(conn->link);
1154 	conn->link = NULL;
1155 }
1156 
1157 void hci_conn_del(struct hci_conn *conn)
1158 {
1159 	struct hci_dev *hdev = conn->hdev;
1160 
1161 	BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
1162 
1163 	hci_conn_unlink(conn);
1164 
1165 	cancel_delayed_work_sync(&conn->disc_work);
1166 	cancel_delayed_work_sync(&conn->auto_accept_work);
1167 	cancel_delayed_work_sync(&conn->idle_work);
1168 
1169 	if (conn->type == ACL_LINK) {
1170 		/* Unacked frames */
1171 		hdev->acl_cnt += conn->sent;
1172 	} else if (conn->type == LE_LINK) {
1173 		cancel_delayed_work(&conn->le_conn_timeout);
1174 
1175 		if (hdev->le_pkts)
1176 			hdev->le_cnt += conn->sent;
1177 		else
1178 			hdev->acl_cnt += conn->sent;
1179 	} else {
1180 		/* Unacked ISO frames */
1181 		if (conn->type == ISO_LINK) {
1182 			if (hdev->iso_pkts)
1183 				hdev->iso_cnt += conn->sent;
1184 			else if (hdev->le_pkts)
1185 				hdev->le_cnt += conn->sent;
1186 			else
1187 				hdev->acl_cnt += conn->sent;
1188 		}
1189 	}
1190 
1191 	skb_queue_purge(&conn->data_q);
1192 
1193 	/* Remove the connection from the list and cleanup its remaining
1194 	 * state. This is a separate function since for some cases like
1195 	 * BT_CONNECT_SCAN we *only* want the cleanup part without the
1196 	 * rest of hci_conn_del.
1197 	 */
1198 	hci_conn_cleanup(conn);
1199 }
1200 
1201 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type)
1202 {
1203 	int use_src = bacmp(src, BDADDR_ANY);
1204 	struct hci_dev *hdev = NULL, *d;
1205 
1206 	BT_DBG("%pMR -> %pMR", src, dst);
1207 
1208 	read_lock(&hci_dev_list_lock);
1209 
1210 	list_for_each_entry(d, &hci_dev_list, list) {
1211 		if (!test_bit(HCI_UP, &d->flags) ||
1212 		    hci_dev_test_flag(d, HCI_USER_CHANNEL))
1213 			continue;
1214 
1215 		/* Simple routing:
1216 		 *   No source address - find interface with bdaddr != dst
1217 		 *   Source address    - find interface with bdaddr == src
1218 		 */
1219 
1220 		if (use_src) {
1221 			bdaddr_t id_addr;
1222 			u8 id_addr_type;
1223 
1224 			if (src_type == BDADDR_BREDR) {
1225 				if (!lmp_bredr_capable(d))
1226 					continue;
1227 				bacpy(&id_addr, &d->bdaddr);
1228 				id_addr_type = BDADDR_BREDR;
1229 			} else {
1230 				if (!lmp_le_capable(d))
1231 					continue;
1232 
1233 				hci_copy_identity_address(d, &id_addr,
1234 							  &id_addr_type);
1235 
1236 				/* Convert from HCI to three-value type */
1237 				if (id_addr_type == ADDR_LE_DEV_PUBLIC)
1238 					id_addr_type = BDADDR_LE_PUBLIC;
1239 				else
1240 					id_addr_type = BDADDR_LE_RANDOM;
1241 			}
1242 
1243 			if (!bacmp(&id_addr, src) && id_addr_type == src_type) {
1244 				hdev = d; break;
1245 			}
1246 		} else {
1247 			if (bacmp(&d->bdaddr, dst)) {
1248 				hdev = d; break;
1249 			}
1250 		}
1251 	}
1252 
1253 	if (hdev)
1254 		hdev = hci_dev_hold(hdev);
1255 
1256 	read_unlock(&hci_dev_list_lock);
1257 	return hdev;
1258 }
1259 EXPORT_SYMBOL(hci_get_route);
1260 
1261 /* This function requires the caller holds hdev->lock */
1262 static void hci_le_conn_failed(struct hci_conn *conn, u8 status)
1263 {
1264 	struct hci_dev *hdev = conn->hdev;
1265 
1266 	hci_connect_le_scan_cleanup(conn, status);
1267 
1268 	/* Enable advertising in case this was a failed connection
1269 	 * attempt as a peripheral.
1270 	 */
1271 	hci_enable_advertising(hdev);
1272 }
1273 
1274 /* This function requires the caller holds hdev->lock */
1275 void hci_conn_failed(struct hci_conn *conn, u8 status)
1276 {
1277 	struct hci_dev *hdev = conn->hdev;
1278 
1279 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
1280 
1281 	switch (conn->type) {
1282 	case LE_LINK:
1283 		hci_le_conn_failed(conn, status);
1284 		break;
1285 	case ACL_LINK:
1286 		mgmt_connect_failed(hdev, &conn->dst, conn->type,
1287 				    conn->dst_type, status);
1288 		break;
1289 	}
1290 
1291 	/* In case of BIG/PA sync failed, clear conn flags so that
1292 	 * the conns will be correctly cleaned up by ISO layer
1293 	 */
1294 	test_and_clear_bit(HCI_CONN_BIG_SYNC_FAILED, &conn->flags);
1295 	test_and_clear_bit(HCI_CONN_PA_SYNC_FAILED, &conn->flags);
1296 
1297 	conn->state = BT_CLOSED;
1298 	hci_connect_cfm(conn, status);
1299 	hci_conn_del(conn);
1300 }
1301 
1302 /* This function requires the caller holds hdev->lock */
1303 u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle)
1304 {
1305 	struct hci_dev *hdev = conn->hdev;
1306 
1307 	bt_dev_dbg(hdev, "hcon %p handle 0x%4.4x", conn, handle);
1308 
1309 	if (conn->handle == handle)
1310 		return 0;
1311 
1312 	if (handle > HCI_CONN_HANDLE_MAX) {
1313 		bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
1314 			   handle, HCI_CONN_HANDLE_MAX);
1315 		return HCI_ERROR_INVALID_PARAMETERS;
1316 	}
1317 
1318 	/* If abort_reason has been sent it means the connection is being
1319 	 * aborted and the handle shall not be changed.
1320 	 */
1321 	if (conn->abort_reason)
1322 		return conn->abort_reason;
1323 
1324 	if (HCI_CONN_HANDLE_UNSET(conn->handle))
1325 		ida_free(&hdev->unset_handle_ida, conn->handle);
1326 
1327 	conn->handle = handle;
1328 
1329 	return 0;
1330 }
1331 
1332 static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
1333 {
1334 	struct hci_conn *conn;
1335 	u16 handle = PTR_UINT(data);
1336 
1337 	conn = hci_conn_hash_lookup_handle(hdev, handle);
1338 	if (!conn)
1339 		return;
1340 
1341 	bt_dev_dbg(hdev, "err %d", err);
1342 
1343 	hci_dev_lock(hdev);
1344 
1345 	if (!err) {
1346 		hci_connect_le_scan_cleanup(conn, 0x00);
1347 		goto done;
1348 	}
1349 
1350 	/* Check if connection is still pending */
1351 	if (conn != hci_lookup_le_connect(hdev))
1352 		goto done;
1353 
1354 	/* Flush to make sure we send create conn cancel command if needed */
1355 	flush_delayed_work(&conn->le_conn_timeout);
1356 	hci_conn_failed(conn, bt_status(err));
1357 
1358 done:
1359 	hci_dev_unlock(hdev);
1360 }
1361 
1362 static int hci_connect_le_sync(struct hci_dev *hdev, void *data)
1363 {
1364 	struct hci_conn *conn;
1365 	u16 handle = PTR_UINT(data);
1366 
1367 	conn = hci_conn_hash_lookup_handle(hdev, handle);
1368 	if (!conn)
1369 		return 0;
1370 
1371 	bt_dev_dbg(hdev, "conn %p", conn);
1372 
1373 	clear_bit(HCI_CONN_SCANNING, &conn->flags);
1374 	conn->state = BT_CONNECT;
1375 
1376 	return hci_le_create_conn_sync(hdev, conn);
1377 }
1378 
1379 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
1380 				u8 dst_type, bool dst_resolved, u8 sec_level,
1381 				u16 conn_timeout, u8 role)
1382 {
1383 	struct hci_conn *conn;
1384 	struct smp_irk *irk;
1385 	int err;
1386 
1387 	/* Let's make sure that le is enabled.*/
1388 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1389 		if (lmp_le_capable(hdev))
1390 			return ERR_PTR(-ECONNREFUSED);
1391 
1392 		return ERR_PTR(-EOPNOTSUPP);
1393 	}
1394 
1395 	/* Since the controller supports only one LE connection attempt at a
1396 	 * time, we return -EBUSY if there is any connection attempt running.
1397 	 */
1398 	if (hci_lookup_le_connect(hdev))
1399 		return ERR_PTR(-EBUSY);
1400 
1401 	/* If there's already a connection object but it's not in
1402 	 * scanning state it means it must already be established, in
1403 	 * which case we can't do anything else except report a failure
1404 	 * to connect.
1405 	 */
1406 	conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1407 	if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) {
1408 		return ERR_PTR(-EBUSY);
1409 	}
1410 
1411 	/* Check if the destination address has been resolved by the controller
1412 	 * since if it did then the identity address shall be used.
1413 	 */
1414 	if (!dst_resolved) {
1415 		/* When given an identity address with existing identity
1416 		 * resolving key, the connection needs to be established
1417 		 * to a resolvable random address.
1418 		 *
1419 		 * Storing the resolvable random address is required here
1420 		 * to handle connection failures. The address will later
1421 		 * be resolved back into the original identity address
1422 		 * from the connect request.
1423 		 */
1424 		irk = hci_find_irk_by_addr(hdev, dst, dst_type);
1425 		if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
1426 			dst = &irk->rpa;
1427 			dst_type = ADDR_LE_DEV_RANDOM;
1428 		}
1429 	}
1430 
1431 	if (conn) {
1432 		bacpy(&conn->dst, dst);
1433 	} else {
1434 		conn = hci_conn_add_unset(hdev, LE_LINK, dst, role);
1435 		if (IS_ERR(conn))
1436 			return conn;
1437 		hci_conn_hold(conn);
1438 		conn->pending_sec_level = sec_level;
1439 	}
1440 
1441 	conn->dst_type = dst_type;
1442 	conn->sec_level = BT_SECURITY_LOW;
1443 	conn->conn_timeout = conn_timeout;
1444 
1445 	err = hci_cmd_sync_queue(hdev, hci_connect_le_sync,
1446 				 UINT_PTR(conn->handle),
1447 				 create_le_conn_complete);
1448 	if (err) {
1449 		hci_conn_del(conn);
1450 		return ERR_PTR(err);
1451 	}
1452 
1453 	return conn;
1454 }
1455 
1456 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
1457 {
1458 	struct hci_conn *conn;
1459 
1460 	conn = hci_conn_hash_lookup_le(hdev, addr, type);
1461 	if (!conn)
1462 		return false;
1463 
1464 	if (conn->state != BT_CONNECTED)
1465 		return false;
1466 
1467 	return true;
1468 }
1469 
1470 /* This function requires the caller holds hdev->lock */
1471 static int hci_explicit_conn_params_set(struct hci_dev *hdev,
1472 					bdaddr_t *addr, u8 addr_type)
1473 {
1474 	struct hci_conn_params *params;
1475 
1476 	if (is_connected(hdev, addr, addr_type))
1477 		return -EISCONN;
1478 
1479 	params = hci_conn_params_lookup(hdev, addr, addr_type);
1480 	if (!params) {
1481 		params = hci_conn_params_add(hdev, addr, addr_type);
1482 		if (!params)
1483 			return -ENOMEM;
1484 
1485 		/* If we created new params, mark them to be deleted in
1486 		 * hci_connect_le_scan_cleanup. It's different case than
1487 		 * existing disabled params, those will stay after cleanup.
1488 		 */
1489 		params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
1490 	}
1491 
1492 	/* We're trying to connect, so make sure params are at pend_le_conns */
1493 	if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
1494 	    params->auto_connect == HCI_AUTO_CONN_REPORT ||
1495 	    params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
1496 		hci_pend_le_list_del_init(params);
1497 		hci_pend_le_list_add(params, &hdev->pend_le_conns);
1498 	}
1499 
1500 	params->explicit_connect = true;
1501 
1502 	BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
1503 	       params->auto_connect);
1504 
1505 	return 0;
1506 }
1507 
1508 static int qos_set_big(struct hci_dev *hdev, struct bt_iso_qos *qos)
1509 {
1510 	struct hci_conn *conn;
1511 	u8  big;
1512 
1513 	/* Allocate a BIG if not set */
1514 	if (qos->bcast.big == BT_ISO_QOS_BIG_UNSET) {
1515 		for (big = 0x00; big < 0xef; big++) {
1516 
1517 			conn = hci_conn_hash_lookup_big(hdev, big);
1518 			if (!conn)
1519 				break;
1520 		}
1521 
1522 		if (big == 0xef)
1523 			return -EADDRNOTAVAIL;
1524 
1525 		/* Update BIG */
1526 		qos->bcast.big = big;
1527 	}
1528 
1529 	return 0;
1530 }
1531 
1532 static int qos_set_bis(struct hci_dev *hdev, struct bt_iso_qos *qos)
1533 {
1534 	struct hci_conn *conn;
1535 	u8  bis;
1536 
1537 	/* Allocate BIS if not set */
1538 	if (qos->bcast.bis == BT_ISO_QOS_BIS_UNSET) {
1539 		/* Find an unused adv set to advertise BIS, skip instance 0x00
1540 		 * since it is reserved as general purpose set.
1541 		 */
1542 		for (bis = 0x01; bis < hdev->le_num_of_adv_sets;
1543 		     bis++) {
1544 
1545 			conn = hci_conn_hash_lookup_bis(hdev, BDADDR_ANY, bis);
1546 			if (!conn)
1547 				break;
1548 		}
1549 
1550 		if (bis == hdev->le_num_of_adv_sets)
1551 			return -EADDRNOTAVAIL;
1552 
1553 		/* Update BIS */
1554 		qos->bcast.bis = bis;
1555 	}
1556 
1557 	return 0;
1558 }
1559 
1560 /* This function requires the caller holds hdev->lock */
1561 static struct hci_conn *hci_add_bis(struct hci_dev *hdev, bdaddr_t *dst,
1562 				    struct bt_iso_qos *qos, __u8 base_len,
1563 				    __u8 *base)
1564 {
1565 	struct hci_conn *conn;
1566 	int err;
1567 
1568 	/* Let's make sure that le is enabled.*/
1569 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1570 		if (lmp_le_capable(hdev))
1571 			return ERR_PTR(-ECONNREFUSED);
1572 		return ERR_PTR(-EOPNOTSUPP);
1573 	}
1574 
1575 	err = qos_set_big(hdev, qos);
1576 	if (err)
1577 		return ERR_PTR(err);
1578 
1579 	err = qos_set_bis(hdev, qos);
1580 	if (err)
1581 		return ERR_PTR(err);
1582 
1583 	/* Check if the LE Create BIG command has already been sent */
1584 	conn = hci_conn_hash_lookup_per_adv_bis(hdev, dst, qos->bcast.big,
1585 						qos->bcast.big);
1586 	if (conn)
1587 		return ERR_PTR(-EADDRINUSE);
1588 
1589 	/* Check BIS settings against other bound BISes, since all
1590 	 * BISes in a BIG must have the same value for all parameters
1591 	 */
1592 	conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big);
1593 
1594 	if (conn && (memcmp(qos, &conn->iso_qos, sizeof(*qos)) ||
1595 		     base_len != conn->le_per_adv_data_len ||
1596 		     memcmp(conn->le_per_adv_data, base, base_len)))
1597 		return ERR_PTR(-EADDRINUSE);
1598 
1599 	conn = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_MASTER);
1600 	if (IS_ERR(conn))
1601 		return conn;
1602 
1603 	conn->state = BT_CONNECT;
1604 
1605 	hci_conn_hold(conn);
1606 	return conn;
1607 }
1608 
1609 /* This function requires the caller holds hdev->lock */
1610 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
1611 				     u8 dst_type, u8 sec_level,
1612 				     u16 conn_timeout,
1613 				     enum conn_reasons conn_reason)
1614 {
1615 	struct hci_conn *conn;
1616 
1617 	/* Let's make sure that le is enabled.*/
1618 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1619 		if (lmp_le_capable(hdev))
1620 			return ERR_PTR(-ECONNREFUSED);
1621 
1622 		return ERR_PTR(-EOPNOTSUPP);
1623 	}
1624 
1625 	/* Some devices send ATT messages as soon as the physical link is
1626 	 * established. To be able to handle these ATT messages, the user-
1627 	 * space first establishes the connection and then starts the pairing
1628 	 * process.
1629 	 *
1630 	 * So if a hci_conn object already exists for the following connection
1631 	 * attempt, we simply update pending_sec_level and auth_type fields
1632 	 * and return the object found.
1633 	 */
1634 	conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1635 	if (conn) {
1636 		if (conn->pending_sec_level < sec_level)
1637 			conn->pending_sec_level = sec_level;
1638 		goto done;
1639 	}
1640 
1641 	BT_DBG("requesting refresh of dst_addr");
1642 
1643 	conn = hci_conn_add_unset(hdev, LE_LINK, dst, HCI_ROLE_MASTER);
1644 	if (IS_ERR(conn))
1645 		return conn;
1646 
1647 	if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) {
1648 		hci_conn_del(conn);
1649 		return ERR_PTR(-EBUSY);
1650 	}
1651 
1652 	conn->state = BT_CONNECT;
1653 	set_bit(HCI_CONN_SCANNING, &conn->flags);
1654 	conn->dst_type = dst_type;
1655 	conn->sec_level = BT_SECURITY_LOW;
1656 	conn->pending_sec_level = sec_level;
1657 	conn->conn_timeout = conn_timeout;
1658 	conn->conn_reason = conn_reason;
1659 
1660 	hci_update_passive_scan(hdev);
1661 
1662 done:
1663 	hci_conn_hold(conn);
1664 	return conn;
1665 }
1666 
1667 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
1668 				 u8 sec_level, u8 auth_type,
1669 				 enum conn_reasons conn_reason)
1670 {
1671 	struct hci_conn *acl;
1672 
1673 	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1674 		if (lmp_bredr_capable(hdev))
1675 			return ERR_PTR(-ECONNREFUSED);
1676 
1677 		return ERR_PTR(-EOPNOTSUPP);
1678 	}
1679 
1680 	/* Reject outgoing connection to device with same BD ADDR against
1681 	 * CVE-2020-26555
1682 	 */
1683 	if (!bacmp(&hdev->bdaddr, dst)) {
1684 		bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
1685 			   dst);
1686 		return ERR_PTR(-ECONNREFUSED);
1687 	}
1688 
1689 	acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
1690 	if (!acl) {
1691 		acl = hci_conn_add_unset(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
1692 		if (IS_ERR(acl))
1693 			return acl;
1694 	}
1695 
1696 	hci_conn_hold(acl);
1697 
1698 	acl->conn_reason = conn_reason;
1699 	if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
1700 		acl->sec_level = BT_SECURITY_LOW;
1701 		acl->pending_sec_level = sec_level;
1702 		acl->auth_type = auth_type;
1703 		hci_acl_create_connection(acl);
1704 	}
1705 
1706 	return acl;
1707 }
1708 
1709 static struct hci_link *hci_conn_link(struct hci_conn *parent,
1710 				      struct hci_conn *conn)
1711 {
1712 	struct hci_dev *hdev = parent->hdev;
1713 	struct hci_link *link;
1714 
1715 	bt_dev_dbg(hdev, "parent %p hcon %p", parent, conn);
1716 
1717 	if (conn->link)
1718 		return conn->link;
1719 
1720 	if (conn->parent)
1721 		return NULL;
1722 
1723 	link = kzalloc(sizeof(*link), GFP_KERNEL);
1724 	if (!link)
1725 		return NULL;
1726 
1727 	link->conn = hci_conn_hold(conn);
1728 	conn->link = link;
1729 	conn->parent = hci_conn_get(parent);
1730 
1731 	/* Use list_add_tail_rcu append to the list */
1732 	list_add_tail_rcu(&link->list, &parent->link_list);
1733 
1734 	return link;
1735 }
1736 
1737 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
1738 				 __u16 setting, struct bt_codec *codec)
1739 {
1740 	struct hci_conn *acl;
1741 	struct hci_conn *sco;
1742 	struct hci_link *link;
1743 
1744 	acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING,
1745 			      CONN_REASON_SCO_CONNECT);
1746 	if (IS_ERR(acl))
1747 		return acl;
1748 
1749 	sco = hci_conn_hash_lookup_ba(hdev, type, dst);
1750 	if (!sco) {
1751 		sco = hci_conn_add_unset(hdev, type, dst, HCI_ROLE_MASTER);
1752 		if (IS_ERR(sco)) {
1753 			hci_conn_drop(acl);
1754 			return sco;
1755 		}
1756 	}
1757 
1758 	link = hci_conn_link(acl, sco);
1759 	if (!link) {
1760 		hci_conn_drop(acl);
1761 		hci_conn_drop(sco);
1762 		return ERR_PTR(-ENOLINK);
1763 	}
1764 
1765 	sco->setting = setting;
1766 	sco->codec = *codec;
1767 
1768 	if (acl->state == BT_CONNECTED &&
1769 	    (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
1770 		set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
1771 		hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
1772 
1773 		if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
1774 			/* defer SCO setup until mode change completed */
1775 			set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
1776 			return sco;
1777 		}
1778 
1779 		hci_sco_setup(acl, 0x00);
1780 	}
1781 
1782 	return sco;
1783 }
1784 
1785 static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos)
1786 {
1787 	struct hci_dev *hdev = conn->hdev;
1788 	struct hci_cp_le_create_big cp;
1789 	struct iso_list_data data;
1790 
1791 	memset(&cp, 0, sizeof(cp));
1792 
1793 	data.big = qos->bcast.big;
1794 	data.bis = qos->bcast.bis;
1795 	data.count = 0;
1796 
1797 	/* Create a BIS for each bound connection */
1798 	hci_conn_hash_list_state(hdev, bis_list, ISO_LINK,
1799 				 BT_BOUND, &data);
1800 
1801 	cp.handle = qos->bcast.big;
1802 	cp.adv_handle = qos->bcast.bis;
1803 	cp.num_bis  = data.count;
1804 	hci_cpu_to_le24(qos->bcast.out.interval, cp.bis.sdu_interval);
1805 	cp.bis.sdu = cpu_to_le16(qos->bcast.out.sdu);
1806 	cp.bis.latency =  cpu_to_le16(qos->bcast.out.latency);
1807 	cp.bis.rtn  = qos->bcast.out.rtn;
1808 	cp.bis.phy  = qos->bcast.out.phy;
1809 	cp.bis.packing = qos->bcast.packing;
1810 	cp.bis.framing = qos->bcast.framing;
1811 	cp.bis.encryption = qos->bcast.encryption;
1812 	memcpy(cp.bis.bcode, qos->bcast.bcode, sizeof(cp.bis.bcode));
1813 
1814 	return hci_send_cmd(hdev, HCI_OP_LE_CREATE_BIG, sizeof(cp), &cp);
1815 }
1816 
1817 static int set_cig_params_sync(struct hci_dev *hdev, void *data)
1818 {
1819 	u8 cig_id = PTR_UINT(data);
1820 	struct hci_conn *conn;
1821 	struct bt_iso_qos *qos;
1822 	struct iso_cig_params pdu;
1823 	u8 cis_id;
1824 
1825 	conn = hci_conn_hash_lookup_cig(hdev, cig_id);
1826 	if (!conn)
1827 		return 0;
1828 
1829 	memset(&pdu, 0, sizeof(pdu));
1830 
1831 	qos = &conn->iso_qos;
1832 	pdu.cp.cig_id = cig_id;
1833 	hci_cpu_to_le24(qos->ucast.out.interval, pdu.cp.c_interval);
1834 	hci_cpu_to_le24(qos->ucast.in.interval, pdu.cp.p_interval);
1835 	pdu.cp.sca = qos->ucast.sca;
1836 	pdu.cp.packing = qos->ucast.packing;
1837 	pdu.cp.framing = qos->ucast.framing;
1838 	pdu.cp.c_latency = cpu_to_le16(qos->ucast.out.latency);
1839 	pdu.cp.p_latency = cpu_to_le16(qos->ucast.in.latency);
1840 
1841 	/* Reprogram all CIS(s) with the same CIG, valid range are:
1842 	 * num_cis: 0x00 to 0x1F
1843 	 * cis_id: 0x00 to 0xEF
1844 	 */
1845 	for (cis_id = 0x00; cis_id < 0xf0 &&
1846 	     pdu.cp.num_cis < ARRAY_SIZE(pdu.cis); cis_id++) {
1847 		struct hci_cis_params *cis;
1848 
1849 		conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, cig_id, cis_id);
1850 		if (!conn)
1851 			continue;
1852 
1853 		qos = &conn->iso_qos;
1854 
1855 		cis = &pdu.cis[pdu.cp.num_cis++];
1856 		cis->cis_id = cis_id;
1857 		cis->c_sdu  = cpu_to_le16(conn->iso_qos.ucast.out.sdu);
1858 		cis->p_sdu  = cpu_to_le16(conn->iso_qos.ucast.in.sdu);
1859 		cis->c_phy  = qos->ucast.out.phy ? qos->ucast.out.phy :
1860 			      qos->ucast.in.phy;
1861 		cis->p_phy  = qos->ucast.in.phy ? qos->ucast.in.phy :
1862 			      qos->ucast.out.phy;
1863 		cis->c_rtn  = qos->ucast.out.rtn;
1864 		cis->p_rtn  = qos->ucast.in.rtn;
1865 	}
1866 
1867 	if (!pdu.cp.num_cis)
1868 		return 0;
1869 
1870 	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_CIG_PARAMS,
1871 				     sizeof(pdu.cp) +
1872 				     pdu.cp.num_cis * sizeof(pdu.cis[0]), &pdu,
1873 				     HCI_CMD_TIMEOUT);
1874 }
1875 
1876 static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos)
1877 {
1878 	struct hci_dev *hdev = conn->hdev;
1879 	struct iso_list_data data;
1880 
1881 	memset(&data, 0, sizeof(data));
1882 
1883 	/* Allocate first still reconfigurable CIG if not set */
1884 	if (qos->ucast.cig == BT_ISO_QOS_CIG_UNSET) {
1885 		for (data.cig = 0x00; data.cig < 0xf0; data.cig++) {
1886 			data.count = 0;
1887 
1888 			hci_conn_hash_list_state(hdev, find_cis, ISO_LINK,
1889 						 BT_CONNECT, &data);
1890 			if (data.count)
1891 				continue;
1892 
1893 			hci_conn_hash_list_state(hdev, find_cis, ISO_LINK,
1894 						 BT_CONNECTED, &data);
1895 			if (!data.count)
1896 				break;
1897 		}
1898 
1899 		if (data.cig == 0xf0)
1900 			return false;
1901 
1902 		/* Update CIG */
1903 		qos->ucast.cig = data.cig;
1904 	}
1905 
1906 	if (qos->ucast.cis != BT_ISO_QOS_CIS_UNSET) {
1907 		if (hci_conn_hash_lookup_cis(hdev, NULL, 0, qos->ucast.cig,
1908 					     qos->ucast.cis))
1909 			return false;
1910 		goto done;
1911 	}
1912 
1913 	/* Allocate first available CIS if not set */
1914 	for (data.cig = qos->ucast.cig, data.cis = 0x00; data.cis < 0xf0;
1915 	     data.cis++) {
1916 		if (!hci_conn_hash_lookup_cis(hdev, NULL, 0, data.cig,
1917 					      data.cis)) {
1918 			/* Update CIS */
1919 			qos->ucast.cis = data.cis;
1920 			break;
1921 		}
1922 	}
1923 
1924 	if (qos->ucast.cis == BT_ISO_QOS_CIS_UNSET)
1925 		return false;
1926 
1927 done:
1928 	if (hci_cmd_sync_queue(hdev, set_cig_params_sync,
1929 			       UINT_PTR(qos->ucast.cig), NULL) < 0)
1930 		return false;
1931 
1932 	return true;
1933 }
1934 
1935 struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst,
1936 			      __u8 dst_type, struct bt_iso_qos *qos)
1937 {
1938 	struct hci_conn *cis;
1939 
1940 	cis = hci_conn_hash_lookup_cis(hdev, dst, dst_type, qos->ucast.cig,
1941 				       qos->ucast.cis);
1942 	if (!cis) {
1943 		cis = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_MASTER);
1944 		if (IS_ERR(cis))
1945 			return cis;
1946 		cis->cleanup = cis_cleanup;
1947 		cis->dst_type = dst_type;
1948 		cis->iso_qos.ucast.cig = BT_ISO_QOS_CIG_UNSET;
1949 		cis->iso_qos.ucast.cis = BT_ISO_QOS_CIS_UNSET;
1950 	}
1951 
1952 	if (cis->state == BT_CONNECTED)
1953 		return cis;
1954 
1955 	/* Check if CIS has been set and the settings matches */
1956 	if (cis->state == BT_BOUND &&
1957 	    !memcmp(&cis->iso_qos, qos, sizeof(*qos)))
1958 		return cis;
1959 
1960 	/* Update LINK PHYs according to QoS preference */
1961 	cis->le_tx_phy = qos->ucast.out.phy;
1962 	cis->le_rx_phy = qos->ucast.in.phy;
1963 
1964 	/* If output interval is not set use the input interval as it cannot be
1965 	 * 0x000000.
1966 	 */
1967 	if (!qos->ucast.out.interval)
1968 		qos->ucast.out.interval = qos->ucast.in.interval;
1969 
1970 	/* If input interval is not set use the output interval as it cannot be
1971 	 * 0x000000.
1972 	 */
1973 	if (!qos->ucast.in.interval)
1974 		qos->ucast.in.interval = qos->ucast.out.interval;
1975 
1976 	/* If output latency is not set use the input latency as it cannot be
1977 	 * 0x0000.
1978 	 */
1979 	if (!qos->ucast.out.latency)
1980 		qos->ucast.out.latency = qos->ucast.in.latency;
1981 
1982 	/* If input latency is not set use the output latency as it cannot be
1983 	 * 0x0000.
1984 	 */
1985 	if (!qos->ucast.in.latency)
1986 		qos->ucast.in.latency = qos->ucast.out.latency;
1987 
1988 	if (!hci_le_set_cig_params(cis, qos)) {
1989 		hci_conn_drop(cis);
1990 		return ERR_PTR(-EINVAL);
1991 	}
1992 
1993 	hci_conn_hold(cis);
1994 
1995 	cis->iso_qos = *qos;
1996 	cis->state = BT_BOUND;
1997 
1998 	return cis;
1999 }
2000 
2001 bool hci_iso_setup_path(struct hci_conn *conn)
2002 {
2003 	struct hci_dev *hdev = conn->hdev;
2004 	struct hci_cp_le_setup_iso_path cmd;
2005 
2006 	memset(&cmd, 0, sizeof(cmd));
2007 
2008 	if (conn->iso_qos.ucast.out.sdu) {
2009 		cmd.handle = cpu_to_le16(conn->handle);
2010 		cmd.direction = 0x00; /* Input (Host to Controller) */
2011 		cmd.path = 0x00; /* HCI path if enabled */
2012 		cmd.codec = 0x03; /* Transparent Data */
2013 
2014 		if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
2015 				 &cmd) < 0)
2016 			return false;
2017 	}
2018 
2019 	if (conn->iso_qos.ucast.in.sdu) {
2020 		cmd.handle = cpu_to_le16(conn->handle);
2021 		cmd.direction = 0x01; /* Output (Controller to Host) */
2022 		cmd.path = 0x00; /* HCI path if enabled */
2023 		cmd.codec = 0x03; /* Transparent Data */
2024 
2025 		if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
2026 				 &cmd) < 0)
2027 			return false;
2028 	}
2029 
2030 	return true;
2031 }
2032 
2033 int hci_conn_check_create_cis(struct hci_conn *conn)
2034 {
2035 	if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY))
2036 		return -EINVAL;
2037 
2038 	if (!conn->parent || conn->parent->state != BT_CONNECTED ||
2039 	    conn->state != BT_CONNECT || HCI_CONN_HANDLE_UNSET(conn->handle))
2040 		return 1;
2041 
2042 	return 0;
2043 }
2044 
2045 static int hci_create_cis_sync(struct hci_dev *hdev, void *data)
2046 {
2047 	return hci_le_create_cis_sync(hdev);
2048 }
2049 
2050 int hci_le_create_cis_pending(struct hci_dev *hdev)
2051 {
2052 	struct hci_conn *conn;
2053 	bool pending = false;
2054 
2055 	rcu_read_lock();
2056 
2057 	list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
2058 		if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) {
2059 			rcu_read_unlock();
2060 			return -EBUSY;
2061 		}
2062 
2063 		if (!hci_conn_check_create_cis(conn))
2064 			pending = true;
2065 	}
2066 
2067 	rcu_read_unlock();
2068 
2069 	if (!pending)
2070 		return 0;
2071 
2072 	/* Queue Create CIS */
2073 	return hci_cmd_sync_queue(hdev, hci_create_cis_sync, NULL, NULL);
2074 }
2075 
2076 static void hci_iso_qos_setup(struct hci_dev *hdev, struct hci_conn *conn,
2077 			      struct bt_iso_io_qos *qos, __u8 phy)
2078 {
2079 	/* Only set MTU if PHY is enabled */
2080 	if (!qos->sdu && qos->phy)
2081 		qos->sdu = conn->mtu;
2082 
2083 	/* Use the same PHY as ACL if set to any */
2084 	if (qos->phy == BT_ISO_PHY_ANY)
2085 		qos->phy = phy;
2086 
2087 	/* Use LE ACL connection interval if not set */
2088 	if (!qos->interval)
2089 		/* ACL interval unit in 1.25 ms to us */
2090 		qos->interval = conn->le_conn_interval * 1250;
2091 
2092 	/* Use LE ACL connection latency if not set */
2093 	if (!qos->latency)
2094 		qos->latency = conn->le_conn_latency;
2095 }
2096 
2097 static int create_big_sync(struct hci_dev *hdev, void *data)
2098 {
2099 	struct hci_conn *conn = data;
2100 	struct bt_iso_qos *qos = &conn->iso_qos;
2101 	u16 interval, sync_interval = 0;
2102 	u32 flags = 0;
2103 	int err;
2104 
2105 	if (qos->bcast.out.phy == 0x02)
2106 		flags |= MGMT_ADV_FLAG_SEC_2M;
2107 
2108 	/* Align intervals */
2109 	interval = (qos->bcast.out.interval / 1250) * qos->bcast.sync_factor;
2110 
2111 	if (qos->bcast.bis)
2112 		sync_interval = interval * 4;
2113 
2114 	err = hci_start_per_adv_sync(hdev, qos->bcast.bis, conn->le_per_adv_data_len,
2115 				     conn->le_per_adv_data, flags, interval,
2116 				     interval, sync_interval);
2117 	if (err)
2118 		return err;
2119 
2120 	return hci_le_create_big(conn, &conn->iso_qos);
2121 }
2122 
2123 static void create_pa_complete(struct hci_dev *hdev, void *data, int err)
2124 {
2125 	struct hci_cp_le_pa_create_sync *cp = data;
2126 
2127 	bt_dev_dbg(hdev, "");
2128 
2129 	if (err)
2130 		bt_dev_err(hdev, "Unable to create PA: %d", err);
2131 
2132 	kfree(cp);
2133 }
2134 
2135 static int create_pa_sync(struct hci_dev *hdev, void *data)
2136 {
2137 	struct hci_cp_le_pa_create_sync *cp = data;
2138 	int err;
2139 
2140 	err = __hci_cmd_sync_status(hdev, HCI_OP_LE_PA_CREATE_SYNC,
2141 				    sizeof(*cp), cp, HCI_CMD_TIMEOUT);
2142 	if (err) {
2143 		hci_dev_clear_flag(hdev, HCI_PA_SYNC);
2144 		return err;
2145 	}
2146 
2147 	return hci_update_passive_scan_sync(hdev);
2148 }
2149 
2150 int hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst, __u8 dst_type,
2151 		       __u8 sid, struct bt_iso_qos *qos)
2152 {
2153 	struct hci_cp_le_pa_create_sync *cp;
2154 
2155 	if (hci_dev_test_and_set_flag(hdev, HCI_PA_SYNC))
2156 		return -EBUSY;
2157 
2158 	cp = kzalloc(sizeof(*cp), GFP_KERNEL);
2159 	if (!cp) {
2160 		hci_dev_clear_flag(hdev, HCI_PA_SYNC);
2161 		return -ENOMEM;
2162 	}
2163 
2164 	cp->options = qos->bcast.options;
2165 	cp->sid = sid;
2166 	cp->addr_type = dst_type;
2167 	bacpy(&cp->addr, dst);
2168 	cp->skip = cpu_to_le16(qos->bcast.skip);
2169 	cp->sync_timeout = cpu_to_le16(qos->bcast.sync_timeout);
2170 	cp->sync_cte_type = qos->bcast.sync_cte_type;
2171 
2172 	/* Queue start pa_create_sync and scan */
2173 	return hci_cmd_sync_queue(hdev, create_pa_sync, cp, create_pa_complete);
2174 }
2175 
2176 int hci_le_big_create_sync(struct hci_dev *hdev, struct hci_conn *hcon,
2177 			   struct bt_iso_qos *qos,
2178 			   __u16 sync_handle, __u8 num_bis, __u8 bis[])
2179 {
2180 	struct _packed {
2181 		struct hci_cp_le_big_create_sync cp;
2182 		__u8  bis[0x11];
2183 	} pdu;
2184 	int err;
2185 
2186 	if (num_bis > sizeof(pdu.bis))
2187 		return -EINVAL;
2188 
2189 	err = qos_set_big(hdev, qos);
2190 	if (err)
2191 		return err;
2192 
2193 	if (hcon)
2194 		hcon->iso_qos.bcast.big = qos->bcast.big;
2195 
2196 	memset(&pdu, 0, sizeof(pdu));
2197 	pdu.cp.handle = qos->bcast.big;
2198 	pdu.cp.sync_handle = cpu_to_le16(sync_handle);
2199 	pdu.cp.encryption = qos->bcast.encryption;
2200 	memcpy(pdu.cp.bcode, qos->bcast.bcode, sizeof(pdu.cp.bcode));
2201 	pdu.cp.mse = qos->bcast.mse;
2202 	pdu.cp.timeout = cpu_to_le16(qos->bcast.timeout);
2203 	pdu.cp.num_bis = num_bis;
2204 	memcpy(pdu.bis, bis, num_bis);
2205 
2206 	return hci_send_cmd(hdev, HCI_OP_LE_BIG_CREATE_SYNC,
2207 			    sizeof(pdu.cp) + num_bis, &pdu);
2208 }
2209 
2210 static void create_big_complete(struct hci_dev *hdev, void *data, int err)
2211 {
2212 	struct hci_conn *conn = data;
2213 
2214 	bt_dev_dbg(hdev, "conn %p", conn);
2215 
2216 	if (err) {
2217 		bt_dev_err(hdev, "Unable to create BIG: %d", err);
2218 		hci_connect_cfm(conn, err);
2219 		hci_conn_del(conn);
2220 	}
2221 }
2222 
2223 struct hci_conn *hci_bind_bis(struct hci_dev *hdev, bdaddr_t *dst,
2224 			      struct bt_iso_qos *qos,
2225 			      __u8 base_len, __u8 *base)
2226 {
2227 	struct hci_conn *conn;
2228 	__u8 eir[HCI_MAX_PER_AD_LENGTH];
2229 
2230 	if (base_len && base)
2231 		base_len = eir_append_service_data(eir, 0,  0x1851,
2232 						   base, base_len);
2233 
2234 	/* We need hci_conn object using the BDADDR_ANY as dst */
2235 	conn = hci_add_bis(hdev, dst, qos, base_len, eir);
2236 	if (IS_ERR(conn))
2237 		return conn;
2238 
2239 	/* Update LINK PHYs according to QoS preference */
2240 	conn->le_tx_phy = qos->bcast.out.phy;
2241 	conn->le_tx_phy = qos->bcast.out.phy;
2242 
2243 	/* Add Basic Announcement into Peridic Adv Data if BASE is set */
2244 	if (base_len && base) {
2245 		memcpy(conn->le_per_adv_data,  eir, sizeof(eir));
2246 		conn->le_per_adv_data_len = base_len;
2247 	}
2248 
2249 	hci_iso_qos_setup(hdev, conn, &qos->bcast.out,
2250 			  conn->le_tx_phy ? conn->le_tx_phy :
2251 			  hdev->le_tx_def_phys);
2252 
2253 	conn->iso_qos = *qos;
2254 	conn->state = BT_BOUND;
2255 
2256 	return conn;
2257 }
2258 
2259 static void bis_mark_per_adv(struct hci_conn *conn, void *data)
2260 {
2261 	struct iso_list_data *d = data;
2262 
2263 	/* Skip if not broadcast/ANY address */
2264 	if (bacmp(&conn->dst, BDADDR_ANY))
2265 		return;
2266 
2267 	if (d->big != conn->iso_qos.bcast.big ||
2268 	    d->bis == BT_ISO_QOS_BIS_UNSET ||
2269 	    d->bis != conn->iso_qos.bcast.bis)
2270 		return;
2271 
2272 	set_bit(HCI_CONN_PER_ADV, &conn->flags);
2273 }
2274 
2275 struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst,
2276 				 __u8 dst_type, struct bt_iso_qos *qos,
2277 				 __u8 base_len, __u8 *base)
2278 {
2279 	struct hci_conn *conn;
2280 	int err;
2281 	struct iso_list_data data;
2282 
2283 	conn = hci_bind_bis(hdev, dst, qos, base_len, base);
2284 	if (IS_ERR(conn))
2285 		return conn;
2286 
2287 	data.big = qos->bcast.big;
2288 	data.bis = qos->bcast.bis;
2289 
2290 	/* Set HCI_CONN_PER_ADV for all bound connections, to mark that
2291 	 * the start periodic advertising and create BIG commands have
2292 	 * been queued
2293 	 */
2294 	hci_conn_hash_list_state(hdev, bis_mark_per_adv, ISO_LINK,
2295 				 BT_BOUND, &data);
2296 
2297 	/* Queue start periodic advertising and create BIG */
2298 	err = hci_cmd_sync_queue(hdev, create_big_sync, conn,
2299 				 create_big_complete);
2300 	if (err < 0) {
2301 		hci_conn_drop(conn);
2302 		return ERR_PTR(err);
2303 	}
2304 
2305 	return conn;
2306 }
2307 
2308 struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst,
2309 				 __u8 dst_type, struct bt_iso_qos *qos)
2310 {
2311 	struct hci_conn *le;
2312 	struct hci_conn *cis;
2313 	struct hci_link *link;
2314 
2315 	if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
2316 		le = hci_connect_le(hdev, dst, dst_type, false,
2317 				    BT_SECURITY_LOW,
2318 				    HCI_LE_CONN_TIMEOUT,
2319 				    HCI_ROLE_SLAVE);
2320 	else
2321 		le = hci_connect_le_scan(hdev, dst, dst_type,
2322 					 BT_SECURITY_LOW,
2323 					 HCI_LE_CONN_TIMEOUT,
2324 					 CONN_REASON_ISO_CONNECT);
2325 	if (IS_ERR(le))
2326 		return le;
2327 
2328 	hci_iso_qos_setup(hdev, le, &qos->ucast.out,
2329 			  le->le_tx_phy ? le->le_tx_phy : hdev->le_tx_def_phys);
2330 	hci_iso_qos_setup(hdev, le, &qos->ucast.in,
2331 			  le->le_rx_phy ? le->le_rx_phy : hdev->le_rx_def_phys);
2332 
2333 	cis = hci_bind_cis(hdev, dst, dst_type, qos);
2334 	if (IS_ERR(cis)) {
2335 		hci_conn_drop(le);
2336 		return cis;
2337 	}
2338 
2339 	link = hci_conn_link(le, cis);
2340 	if (!link) {
2341 		hci_conn_drop(le);
2342 		hci_conn_drop(cis);
2343 		return ERR_PTR(-ENOLINK);
2344 	}
2345 
2346 	/* Link takes the refcount */
2347 	hci_conn_drop(cis);
2348 
2349 	cis->state = BT_CONNECT;
2350 
2351 	hci_le_create_cis_pending(hdev);
2352 
2353 	return cis;
2354 }
2355 
2356 /* Check link security requirement */
2357 int hci_conn_check_link_mode(struct hci_conn *conn)
2358 {
2359 	BT_DBG("hcon %p", conn);
2360 
2361 	/* In Secure Connections Only mode, it is required that Secure
2362 	 * Connections is used and the link is encrypted with AES-CCM
2363 	 * using a P-256 authenticated combination key.
2364 	 */
2365 	if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) {
2366 		if (!hci_conn_sc_enabled(conn) ||
2367 		    !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2368 		    conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
2369 			return 0;
2370 	}
2371 
2372 	 /* AES encryption is required for Level 4:
2373 	  *
2374 	  * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C
2375 	  * page 1319:
2376 	  *
2377 	  * 128-bit equivalent strength for link and encryption keys
2378 	  * required using FIPS approved algorithms (E0 not allowed,
2379 	  * SAFER+ not allowed, and P-192 not allowed; encryption key
2380 	  * not shortened)
2381 	  */
2382 	if (conn->sec_level == BT_SECURITY_FIPS &&
2383 	    !test_bit(HCI_CONN_AES_CCM, &conn->flags)) {
2384 		bt_dev_err(conn->hdev,
2385 			   "Invalid security: Missing AES-CCM usage");
2386 		return 0;
2387 	}
2388 
2389 	if (hci_conn_ssp_enabled(conn) &&
2390 	    !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2391 		return 0;
2392 
2393 	return 1;
2394 }
2395 
2396 /* Authenticate remote device */
2397 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
2398 {
2399 	BT_DBG("hcon %p", conn);
2400 
2401 	if (conn->pending_sec_level > sec_level)
2402 		sec_level = conn->pending_sec_level;
2403 
2404 	if (sec_level > conn->sec_level)
2405 		conn->pending_sec_level = sec_level;
2406 	else if (test_bit(HCI_CONN_AUTH, &conn->flags))
2407 		return 1;
2408 
2409 	/* Make sure we preserve an existing MITM requirement*/
2410 	auth_type |= (conn->auth_type & 0x01);
2411 
2412 	conn->auth_type = auth_type;
2413 
2414 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2415 		struct hci_cp_auth_requested cp;
2416 
2417 		cp.handle = cpu_to_le16(conn->handle);
2418 		hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
2419 			     sizeof(cp), &cp);
2420 
2421 		/* Set the ENCRYPT_PEND to trigger encryption after
2422 		 * authentication.
2423 		 */
2424 		if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2425 			set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2426 	}
2427 
2428 	return 0;
2429 }
2430 
2431 /* Encrypt the link */
2432 static void hci_conn_encrypt(struct hci_conn *conn)
2433 {
2434 	BT_DBG("hcon %p", conn);
2435 
2436 	if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2437 		struct hci_cp_set_conn_encrypt cp;
2438 		cp.handle  = cpu_to_le16(conn->handle);
2439 		cp.encrypt = 0x01;
2440 		hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2441 			     &cp);
2442 	}
2443 }
2444 
2445 /* Enable security */
2446 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
2447 		      bool initiator)
2448 {
2449 	BT_DBG("hcon %p", conn);
2450 
2451 	if (conn->type == LE_LINK)
2452 		return smp_conn_security(conn, sec_level);
2453 
2454 	/* For sdp we don't need the link key. */
2455 	if (sec_level == BT_SECURITY_SDP)
2456 		return 1;
2457 
2458 	/* For non 2.1 devices and low security level we don't need the link
2459 	   key. */
2460 	if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
2461 		return 1;
2462 
2463 	/* For other security levels we need the link key. */
2464 	if (!test_bit(HCI_CONN_AUTH, &conn->flags))
2465 		goto auth;
2466 
2467 	switch (conn->key_type) {
2468 	case HCI_LK_AUTH_COMBINATION_P256:
2469 		/* An authenticated FIPS approved combination key has
2470 		 * sufficient security for security level 4 or lower.
2471 		 */
2472 		if (sec_level <= BT_SECURITY_FIPS)
2473 			goto encrypt;
2474 		break;
2475 	case HCI_LK_AUTH_COMBINATION_P192:
2476 		/* An authenticated combination key has sufficient security for
2477 		 * security level 3 or lower.
2478 		 */
2479 		if (sec_level <= BT_SECURITY_HIGH)
2480 			goto encrypt;
2481 		break;
2482 	case HCI_LK_UNAUTH_COMBINATION_P192:
2483 	case HCI_LK_UNAUTH_COMBINATION_P256:
2484 		/* An unauthenticated combination key has sufficient security
2485 		 * for security level 2 or lower.
2486 		 */
2487 		if (sec_level <= BT_SECURITY_MEDIUM)
2488 			goto encrypt;
2489 		break;
2490 	case HCI_LK_COMBINATION:
2491 		/* A combination key has always sufficient security for the
2492 		 * security levels 2 or lower. High security level requires the
2493 		 * combination key is generated using maximum PIN code length
2494 		 * (16). For pre 2.1 units.
2495 		 */
2496 		if (sec_level <= BT_SECURITY_MEDIUM || conn->pin_length == 16)
2497 			goto encrypt;
2498 		break;
2499 	default:
2500 		break;
2501 	}
2502 
2503 auth:
2504 	if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
2505 		return 0;
2506 
2507 	if (initiator)
2508 		set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2509 
2510 	if (!hci_conn_auth(conn, sec_level, auth_type))
2511 		return 0;
2512 
2513 encrypt:
2514 	if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) {
2515 		/* Ensure that the encryption key size has been read,
2516 		 * otherwise stall the upper layer responses.
2517 		 */
2518 		if (!conn->enc_key_size)
2519 			return 0;
2520 
2521 		/* Nothing else needed, all requirements are met */
2522 		return 1;
2523 	}
2524 
2525 	hci_conn_encrypt(conn);
2526 	return 0;
2527 }
2528 EXPORT_SYMBOL(hci_conn_security);
2529 
2530 /* Check secure link requirement */
2531 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
2532 {
2533 	BT_DBG("hcon %p", conn);
2534 
2535 	/* Accept if non-secure or higher security level is required */
2536 	if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
2537 		return 1;
2538 
2539 	/* Accept if secure or higher security level is already present */
2540 	if (conn->sec_level == BT_SECURITY_HIGH ||
2541 	    conn->sec_level == BT_SECURITY_FIPS)
2542 		return 1;
2543 
2544 	/* Reject not secure link */
2545 	return 0;
2546 }
2547 EXPORT_SYMBOL(hci_conn_check_secure);
2548 
2549 /* Switch role */
2550 int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
2551 {
2552 	BT_DBG("hcon %p", conn);
2553 
2554 	if (role == conn->role)
2555 		return 1;
2556 
2557 	if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
2558 		struct hci_cp_switch_role cp;
2559 		bacpy(&cp.bdaddr, &conn->dst);
2560 		cp.role = role;
2561 		hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
2562 	}
2563 
2564 	return 0;
2565 }
2566 EXPORT_SYMBOL(hci_conn_switch_role);
2567 
2568 /* Enter active mode */
2569 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
2570 {
2571 	struct hci_dev *hdev = conn->hdev;
2572 
2573 	BT_DBG("hcon %p mode %d", conn, conn->mode);
2574 
2575 	if (conn->mode != HCI_CM_SNIFF)
2576 		goto timer;
2577 
2578 	if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
2579 		goto timer;
2580 
2581 	if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
2582 		struct hci_cp_exit_sniff_mode cp;
2583 		cp.handle = cpu_to_le16(conn->handle);
2584 		hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
2585 	}
2586 
2587 timer:
2588 	if (hdev->idle_timeout > 0)
2589 		queue_delayed_work(hdev->workqueue, &conn->idle_work,
2590 				   msecs_to_jiffies(hdev->idle_timeout));
2591 }
2592 
2593 /* Drop all connection on the device */
2594 void hci_conn_hash_flush(struct hci_dev *hdev)
2595 {
2596 	struct list_head *head = &hdev->conn_hash.list;
2597 	struct hci_conn *conn;
2598 
2599 	BT_DBG("hdev %s", hdev->name);
2600 
2601 	/* We should not traverse the list here, because hci_conn_del
2602 	 * can remove extra links, which may cause the list traversal
2603 	 * to hit items that have already been released.
2604 	 */
2605 	while ((conn = list_first_entry_or_null(head,
2606 						struct hci_conn,
2607 						list)) != NULL) {
2608 		conn->state = BT_CLOSED;
2609 		hci_disconn_cfm(conn, HCI_ERROR_LOCAL_HOST_TERM);
2610 		hci_conn_del(conn);
2611 	}
2612 }
2613 
2614 /* Check pending connect attempts */
2615 void hci_conn_check_pending(struct hci_dev *hdev)
2616 {
2617 	struct hci_conn *conn;
2618 
2619 	BT_DBG("hdev %s", hdev->name);
2620 
2621 	hci_dev_lock(hdev);
2622 
2623 	conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2);
2624 	if (conn)
2625 		hci_acl_create_connection(conn);
2626 
2627 	hci_dev_unlock(hdev);
2628 }
2629 
2630 static u32 get_link_mode(struct hci_conn *conn)
2631 {
2632 	u32 link_mode = 0;
2633 
2634 	if (conn->role == HCI_ROLE_MASTER)
2635 		link_mode |= HCI_LM_MASTER;
2636 
2637 	if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2638 		link_mode |= HCI_LM_ENCRYPT;
2639 
2640 	if (test_bit(HCI_CONN_AUTH, &conn->flags))
2641 		link_mode |= HCI_LM_AUTH;
2642 
2643 	if (test_bit(HCI_CONN_SECURE, &conn->flags))
2644 		link_mode |= HCI_LM_SECURE;
2645 
2646 	if (test_bit(HCI_CONN_FIPS, &conn->flags))
2647 		link_mode |= HCI_LM_FIPS;
2648 
2649 	return link_mode;
2650 }
2651 
2652 int hci_get_conn_list(void __user *arg)
2653 {
2654 	struct hci_conn *c;
2655 	struct hci_conn_list_req req, *cl;
2656 	struct hci_conn_info *ci;
2657 	struct hci_dev *hdev;
2658 	int n = 0, size, err;
2659 
2660 	if (copy_from_user(&req, arg, sizeof(req)))
2661 		return -EFAULT;
2662 
2663 	if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
2664 		return -EINVAL;
2665 
2666 	size = sizeof(req) + req.conn_num * sizeof(*ci);
2667 
2668 	cl = kmalloc(size, GFP_KERNEL);
2669 	if (!cl)
2670 		return -ENOMEM;
2671 
2672 	hdev = hci_dev_get(req.dev_id);
2673 	if (!hdev) {
2674 		kfree(cl);
2675 		return -ENODEV;
2676 	}
2677 
2678 	ci = cl->conn_info;
2679 
2680 	hci_dev_lock(hdev);
2681 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
2682 		bacpy(&(ci + n)->bdaddr, &c->dst);
2683 		(ci + n)->handle = c->handle;
2684 		(ci + n)->type  = c->type;
2685 		(ci + n)->out   = c->out;
2686 		(ci + n)->state = c->state;
2687 		(ci + n)->link_mode = get_link_mode(c);
2688 		if (++n >= req.conn_num)
2689 			break;
2690 	}
2691 	hci_dev_unlock(hdev);
2692 
2693 	cl->dev_id = hdev->id;
2694 	cl->conn_num = n;
2695 	size = sizeof(req) + n * sizeof(*ci);
2696 
2697 	hci_dev_put(hdev);
2698 
2699 	err = copy_to_user(arg, cl, size);
2700 	kfree(cl);
2701 
2702 	return err ? -EFAULT : 0;
2703 }
2704 
2705 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
2706 {
2707 	struct hci_conn_info_req req;
2708 	struct hci_conn_info ci;
2709 	struct hci_conn *conn;
2710 	char __user *ptr = arg + sizeof(req);
2711 
2712 	if (copy_from_user(&req, arg, sizeof(req)))
2713 		return -EFAULT;
2714 
2715 	hci_dev_lock(hdev);
2716 	conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
2717 	if (conn) {
2718 		bacpy(&ci.bdaddr, &conn->dst);
2719 		ci.handle = conn->handle;
2720 		ci.type  = conn->type;
2721 		ci.out   = conn->out;
2722 		ci.state = conn->state;
2723 		ci.link_mode = get_link_mode(conn);
2724 	}
2725 	hci_dev_unlock(hdev);
2726 
2727 	if (!conn)
2728 		return -ENOENT;
2729 
2730 	return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
2731 }
2732 
2733 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
2734 {
2735 	struct hci_auth_info_req req;
2736 	struct hci_conn *conn;
2737 
2738 	if (copy_from_user(&req, arg, sizeof(req)))
2739 		return -EFAULT;
2740 
2741 	hci_dev_lock(hdev);
2742 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
2743 	if (conn)
2744 		req.type = conn->auth_type;
2745 	hci_dev_unlock(hdev);
2746 
2747 	if (!conn)
2748 		return -ENOENT;
2749 
2750 	return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
2751 }
2752 
2753 struct hci_chan *hci_chan_create(struct hci_conn *conn)
2754 {
2755 	struct hci_dev *hdev = conn->hdev;
2756 	struct hci_chan *chan;
2757 
2758 	BT_DBG("%s hcon %p", hdev->name, conn);
2759 
2760 	if (test_bit(HCI_CONN_DROP, &conn->flags)) {
2761 		BT_DBG("Refusing to create new hci_chan");
2762 		return NULL;
2763 	}
2764 
2765 	chan = kzalloc(sizeof(*chan), GFP_KERNEL);
2766 	if (!chan)
2767 		return NULL;
2768 
2769 	chan->conn = hci_conn_get(conn);
2770 	skb_queue_head_init(&chan->data_q);
2771 	chan->state = BT_CONNECTED;
2772 
2773 	list_add_rcu(&chan->list, &conn->chan_list);
2774 
2775 	return chan;
2776 }
2777 
2778 void hci_chan_del(struct hci_chan *chan)
2779 {
2780 	struct hci_conn *conn = chan->conn;
2781 	struct hci_dev *hdev = conn->hdev;
2782 
2783 	BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
2784 
2785 	list_del_rcu(&chan->list);
2786 
2787 	synchronize_rcu();
2788 
2789 	/* Prevent new hci_chan's to be created for this hci_conn */
2790 	set_bit(HCI_CONN_DROP, &conn->flags);
2791 
2792 	hci_conn_put(conn);
2793 
2794 	skb_queue_purge(&chan->data_q);
2795 	kfree(chan);
2796 }
2797 
2798 void hci_chan_list_flush(struct hci_conn *conn)
2799 {
2800 	struct hci_chan *chan, *n;
2801 
2802 	BT_DBG("hcon %p", conn);
2803 
2804 	list_for_each_entry_safe(chan, n, &conn->chan_list, list)
2805 		hci_chan_del(chan);
2806 }
2807 
2808 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
2809 						 __u16 handle)
2810 {
2811 	struct hci_chan *hchan;
2812 
2813 	list_for_each_entry(hchan, &hcon->chan_list, list) {
2814 		if (hchan->handle == handle)
2815 			return hchan;
2816 	}
2817 
2818 	return NULL;
2819 }
2820 
2821 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
2822 {
2823 	struct hci_conn_hash *h = &hdev->conn_hash;
2824 	struct hci_conn *hcon;
2825 	struct hci_chan *hchan = NULL;
2826 
2827 	rcu_read_lock();
2828 
2829 	list_for_each_entry_rcu(hcon, &h->list, list) {
2830 		hchan = __hci_chan_lookup_handle(hcon, handle);
2831 		if (hchan)
2832 			break;
2833 	}
2834 
2835 	rcu_read_unlock();
2836 
2837 	return hchan;
2838 }
2839 
2840 u32 hci_conn_get_phy(struct hci_conn *conn)
2841 {
2842 	u32 phys = 0;
2843 
2844 	/* BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part B page 471:
2845 	 * Table 6.2: Packets defined for synchronous, asynchronous, and
2846 	 * CPB logical transport types.
2847 	 */
2848 	switch (conn->type) {
2849 	case SCO_LINK:
2850 		/* SCO logical transport (1 Mb/s):
2851 		 * HV1, HV2, HV3 and DV.
2852 		 */
2853 		phys |= BT_PHY_BR_1M_1SLOT;
2854 
2855 		break;
2856 
2857 	case ACL_LINK:
2858 		/* ACL logical transport (1 Mb/s) ptt=0:
2859 		 * DH1, DM3, DH3, DM5 and DH5.
2860 		 */
2861 		phys |= BT_PHY_BR_1M_1SLOT;
2862 
2863 		if (conn->pkt_type & (HCI_DM3 | HCI_DH3))
2864 			phys |= BT_PHY_BR_1M_3SLOT;
2865 
2866 		if (conn->pkt_type & (HCI_DM5 | HCI_DH5))
2867 			phys |= BT_PHY_BR_1M_5SLOT;
2868 
2869 		/* ACL logical transport (2 Mb/s) ptt=1:
2870 		 * 2-DH1, 2-DH3 and 2-DH5.
2871 		 */
2872 		if (!(conn->pkt_type & HCI_2DH1))
2873 			phys |= BT_PHY_EDR_2M_1SLOT;
2874 
2875 		if (!(conn->pkt_type & HCI_2DH3))
2876 			phys |= BT_PHY_EDR_2M_3SLOT;
2877 
2878 		if (!(conn->pkt_type & HCI_2DH5))
2879 			phys |= BT_PHY_EDR_2M_5SLOT;
2880 
2881 		/* ACL logical transport (3 Mb/s) ptt=1:
2882 		 * 3-DH1, 3-DH3 and 3-DH5.
2883 		 */
2884 		if (!(conn->pkt_type & HCI_3DH1))
2885 			phys |= BT_PHY_EDR_3M_1SLOT;
2886 
2887 		if (!(conn->pkt_type & HCI_3DH3))
2888 			phys |= BT_PHY_EDR_3M_3SLOT;
2889 
2890 		if (!(conn->pkt_type & HCI_3DH5))
2891 			phys |= BT_PHY_EDR_3M_5SLOT;
2892 
2893 		break;
2894 
2895 	case ESCO_LINK:
2896 		/* eSCO logical transport (1 Mb/s): EV3, EV4 and EV5 */
2897 		phys |= BT_PHY_BR_1M_1SLOT;
2898 
2899 		if (!(conn->pkt_type & (ESCO_EV4 | ESCO_EV5)))
2900 			phys |= BT_PHY_BR_1M_3SLOT;
2901 
2902 		/* eSCO logical transport (2 Mb/s): 2-EV3, 2-EV5 */
2903 		if (!(conn->pkt_type & ESCO_2EV3))
2904 			phys |= BT_PHY_EDR_2M_1SLOT;
2905 
2906 		if (!(conn->pkt_type & ESCO_2EV5))
2907 			phys |= BT_PHY_EDR_2M_3SLOT;
2908 
2909 		/* eSCO logical transport (3 Mb/s): 3-EV3, 3-EV5 */
2910 		if (!(conn->pkt_type & ESCO_3EV3))
2911 			phys |= BT_PHY_EDR_3M_1SLOT;
2912 
2913 		if (!(conn->pkt_type & ESCO_3EV5))
2914 			phys |= BT_PHY_EDR_3M_3SLOT;
2915 
2916 		break;
2917 
2918 	case LE_LINK:
2919 		if (conn->le_tx_phy & HCI_LE_SET_PHY_1M)
2920 			phys |= BT_PHY_LE_1M_TX;
2921 
2922 		if (conn->le_rx_phy & HCI_LE_SET_PHY_1M)
2923 			phys |= BT_PHY_LE_1M_RX;
2924 
2925 		if (conn->le_tx_phy & HCI_LE_SET_PHY_2M)
2926 			phys |= BT_PHY_LE_2M_TX;
2927 
2928 		if (conn->le_rx_phy & HCI_LE_SET_PHY_2M)
2929 			phys |= BT_PHY_LE_2M_RX;
2930 
2931 		if (conn->le_tx_phy & HCI_LE_SET_PHY_CODED)
2932 			phys |= BT_PHY_LE_CODED_TX;
2933 
2934 		if (conn->le_rx_phy & HCI_LE_SET_PHY_CODED)
2935 			phys |= BT_PHY_LE_CODED_RX;
2936 
2937 		break;
2938 	}
2939 
2940 	return phys;
2941 }
2942 
2943 static int abort_conn_sync(struct hci_dev *hdev, void *data)
2944 {
2945 	struct hci_conn *conn;
2946 	u16 handle = PTR_UINT(data);
2947 
2948 	conn = hci_conn_hash_lookup_handle(hdev, handle);
2949 	if (!conn)
2950 		return 0;
2951 
2952 	return hci_abort_conn_sync(hdev, conn, conn->abort_reason);
2953 }
2954 
2955 int hci_abort_conn(struct hci_conn *conn, u8 reason)
2956 {
2957 	struct hci_dev *hdev = conn->hdev;
2958 
2959 	/* If abort_reason has already been set it means the connection is
2960 	 * already being aborted so don't attempt to overwrite it.
2961 	 */
2962 	if (conn->abort_reason)
2963 		return 0;
2964 
2965 	bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason);
2966 
2967 	conn->abort_reason = reason;
2968 
2969 	/* If the connection is pending check the command opcode since that
2970 	 * might be blocking on hci_cmd_sync_work while waiting its respective
2971 	 * event so we need to hci_cmd_sync_cancel to cancel it.
2972 	 *
2973 	 * hci_connect_le serializes the connection attempts so only one
2974 	 * connection can be in BT_CONNECT at time.
2975 	 */
2976 	if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) {
2977 		switch (hci_skb_event(hdev->sent_cmd)) {
2978 		case HCI_EV_LE_CONN_COMPLETE:
2979 		case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
2980 		case HCI_EVT_LE_CIS_ESTABLISHED:
2981 			hci_cmd_sync_cancel(hdev, ECANCELED);
2982 			break;
2983 		}
2984 	}
2985 
2986 	return hci_cmd_sync_queue(hdev, abort_conn_sync, UINT_PTR(conn->handle),
2987 				  NULL);
2988 }
2989