1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 Copyright 2023-2024 NXP 5 6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 7 8 This program is free software; you can redistribute it and/or modify 9 it under the terms of the GNU General Public License version 2 as 10 published by the Free Software Foundation; 11 12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 23 SOFTWARE IS DISCLAIMED. 24 */ 25 26 /* Bluetooth HCI connection handling. */ 27 28 #include <linux/export.h> 29 #include <linux/debugfs.h> 30 #include <linux/errqueue.h> 31 32 #include <net/bluetooth/bluetooth.h> 33 #include <net/bluetooth/hci_core.h> 34 #include <net/bluetooth/l2cap.h> 35 #include <net/bluetooth/iso.h> 36 #include <net/bluetooth/mgmt.h> 37 38 #include "smp.h" 39 #include "eir.h" 40 41 struct sco_param { 42 u16 pkt_type; 43 u16 max_latency; 44 u8 retrans_effort; 45 }; 46 47 struct conn_handle_t { 48 struct hci_conn *conn; 49 __u16 handle; 50 }; 51 52 static const struct sco_param esco_param_cvsd[] = { 53 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */ 54 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */ 55 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */ 56 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */ 57 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */ 58 }; 59 60 static const struct sco_param sco_param_cvsd[] = { 61 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */ 62 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */ 63 }; 64 65 static const struct sco_param esco_param_msbc[] = { 66 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */ 67 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */ 68 }; 69 70 /* This function requires the caller holds hdev->lock */ 71 void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status) 72 { 73 struct hci_conn_params *params; 74 struct hci_dev *hdev = conn->hdev; 75 struct smp_irk *irk; 76 bdaddr_t *bdaddr; 77 u8 bdaddr_type; 78 79 bdaddr = &conn->dst; 80 bdaddr_type = conn->dst_type; 81 82 /* Check if we need to convert to identity address */ 83 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 84 if (irk) { 85 bdaddr = &irk->bdaddr; 86 bdaddr_type = irk->addr_type; 87 } 88 89 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr, 90 bdaddr_type); 91 if (!params) 92 return; 93 94 if (params->conn) { 95 hci_conn_drop(params->conn); 96 hci_conn_put(params->conn); 97 params->conn = NULL; 98 } 99 100 if (!params->explicit_connect) 101 return; 102 103 /* If the status indicates successful cancellation of 104 * the attempt (i.e. Unknown Connection Id) there's no point of 105 * notifying failure since we'll go back to keep trying to 106 * connect. The only exception is explicit connect requests 107 * where a timeout + cancel does indicate an actual failure. 108 */ 109 if (status && status != HCI_ERROR_UNKNOWN_CONN_ID) 110 mgmt_connect_failed(hdev, conn, status); 111 112 /* The connection attempt was doing scan for new RPA, and is 113 * in scan phase. If params are not associated with any other 114 * autoconnect action, remove them completely. If they are, just unmark 115 * them as waiting for connection, by clearing explicit_connect field. 116 */ 117 params->explicit_connect = false; 118 119 hci_pend_le_list_del_init(params); 120 121 switch (params->auto_connect) { 122 case HCI_AUTO_CONN_EXPLICIT: 123 hci_conn_params_del(hdev, bdaddr, bdaddr_type); 124 /* return instead of break to avoid duplicate scan update */ 125 return; 126 case HCI_AUTO_CONN_DIRECT: 127 case HCI_AUTO_CONN_ALWAYS: 128 hci_pend_le_list_add(params, &hdev->pend_le_conns); 129 break; 130 case HCI_AUTO_CONN_REPORT: 131 hci_pend_le_list_add(params, &hdev->pend_le_reports); 132 break; 133 default: 134 break; 135 } 136 137 hci_update_passive_scan(hdev); 138 } 139 140 static void hci_conn_cleanup(struct hci_conn *conn) 141 { 142 struct hci_dev *hdev = conn->hdev; 143 144 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags)) 145 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type); 146 147 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 148 hci_remove_link_key(hdev, &conn->dst); 149 150 hci_chan_list_flush(conn); 151 152 if (HCI_CONN_HANDLE_UNSET(conn->handle)) 153 ida_free(&hdev->unset_handle_ida, conn->handle); 154 155 if (conn->cleanup) 156 conn->cleanup(conn); 157 158 if (conn->type == SCO_LINK || conn->type == ESCO_LINK) { 159 switch (conn->setting & SCO_AIRMODE_MASK) { 160 case SCO_AIRMODE_CVSD: 161 case SCO_AIRMODE_TRANSP: 162 if (hdev->notify) 163 hdev->notify(hdev, HCI_NOTIFY_DISABLE_SCO); 164 break; 165 } 166 } else { 167 if (hdev->notify) 168 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL); 169 } 170 171 debugfs_remove_recursive(conn->debugfs); 172 173 hci_conn_del_sysfs(conn); 174 175 hci_dev_put(hdev); 176 } 177 178 int hci_disconnect(struct hci_conn *conn, __u8 reason) 179 { 180 BT_DBG("hcon %p", conn); 181 182 /* When we are central of an established connection and it enters 183 * the disconnect timeout, then go ahead and try to read the 184 * current clock offset. Processing of the result is done 185 * within the event handling and hci_clock_offset_evt function. 186 */ 187 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER && 188 (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) { 189 struct hci_dev *hdev = conn->hdev; 190 struct hci_cp_read_clock_offset clkoff_cp; 191 192 clkoff_cp.handle = cpu_to_le16(conn->handle); 193 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp), 194 &clkoff_cp); 195 } 196 197 return hci_abort_conn(conn, reason); 198 } 199 200 static void hci_add_sco(struct hci_conn *conn, __u16 handle) 201 { 202 struct hci_dev *hdev = conn->hdev; 203 struct hci_cp_add_sco cp; 204 205 BT_DBG("hcon %p", conn); 206 207 conn->state = BT_CONNECT; 208 conn->out = true; 209 210 conn->attempt++; 211 212 cp.handle = cpu_to_le16(handle); 213 cp.pkt_type = cpu_to_le16(conn->pkt_type); 214 215 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp); 216 } 217 218 static bool find_next_esco_param(struct hci_conn *conn, 219 const struct sco_param *esco_param, int size) 220 { 221 if (!conn->parent) 222 return false; 223 224 for (; conn->attempt <= size; conn->attempt++) { 225 if (lmp_esco_2m_capable(conn->parent) || 226 (esco_param[conn->attempt - 1].pkt_type & ESCO_2EV3)) 227 break; 228 BT_DBG("hcon %p skipped attempt %d, eSCO 2M not supported", 229 conn, conn->attempt); 230 } 231 232 return conn->attempt <= size; 233 } 234 235 static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec) 236 { 237 int err; 238 __u8 vnd_len, *vnd_data = NULL; 239 struct hci_op_configure_data_path *cmd = NULL; 240 241 /* Do not take below 2 checks as error since the 1st means user do not 242 * want to use HFP offload mode and the 2nd means the vendor controller 243 * do not need to send below HCI command for offload mode. 244 */ 245 if (!codec->data_path || !hdev->get_codec_config_data) 246 return 0; 247 248 err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len, 249 &vnd_data); 250 if (err < 0) 251 goto error; 252 253 cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL); 254 if (!cmd) { 255 err = -ENOMEM; 256 goto error; 257 } 258 259 err = hdev->get_data_path_id(hdev, &cmd->data_path_id); 260 if (err < 0) 261 goto error; 262 263 cmd->vnd_len = vnd_len; 264 memcpy(cmd->vnd_data, vnd_data, vnd_len); 265 266 cmd->direction = 0x00; 267 __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH, 268 sizeof(*cmd) + vnd_len, cmd, HCI_CMD_TIMEOUT); 269 270 cmd->direction = 0x01; 271 err = __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH, 272 sizeof(*cmd) + vnd_len, cmd, 273 HCI_CMD_TIMEOUT); 274 error: 275 276 kfree(cmd); 277 kfree(vnd_data); 278 return err; 279 } 280 281 static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data) 282 { 283 struct conn_handle_t *conn_handle = data; 284 struct hci_conn *conn = conn_handle->conn; 285 __u16 handle = conn_handle->handle; 286 struct hci_cp_enhanced_setup_sync_conn cp; 287 const struct sco_param *param; 288 289 kfree(conn_handle); 290 291 if (!hci_conn_valid(hdev, conn)) 292 return -ECANCELED; 293 294 bt_dev_dbg(hdev, "hcon %p", conn); 295 296 configure_datapath_sync(hdev, &conn->codec); 297 298 conn->state = BT_CONNECT; 299 conn->out = true; 300 301 conn->attempt++; 302 303 memset(&cp, 0x00, sizeof(cp)); 304 305 cp.handle = cpu_to_le16(handle); 306 307 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 308 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 309 310 switch (conn->codec.id) { 311 case BT_CODEC_MSBC: 312 if (!find_next_esco_param(conn, esco_param_msbc, 313 ARRAY_SIZE(esco_param_msbc))) 314 return -EINVAL; 315 316 param = &esco_param_msbc[conn->attempt - 1]; 317 cp.tx_coding_format.id = 0x05; 318 cp.rx_coding_format.id = 0x05; 319 cp.tx_codec_frame_size = __cpu_to_le16(60); 320 cp.rx_codec_frame_size = __cpu_to_le16(60); 321 cp.in_bandwidth = __cpu_to_le32(32000); 322 cp.out_bandwidth = __cpu_to_le32(32000); 323 cp.in_coding_format.id = 0x04; 324 cp.out_coding_format.id = 0x04; 325 cp.in_coded_data_size = __cpu_to_le16(16); 326 cp.out_coded_data_size = __cpu_to_le16(16); 327 cp.in_pcm_data_format = 2; 328 cp.out_pcm_data_format = 2; 329 cp.in_pcm_sample_payload_msb_pos = 0; 330 cp.out_pcm_sample_payload_msb_pos = 0; 331 cp.in_data_path = conn->codec.data_path; 332 cp.out_data_path = conn->codec.data_path; 333 cp.in_transport_unit_size = 1; 334 cp.out_transport_unit_size = 1; 335 break; 336 337 case BT_CODEC_TRANSPARENT: 338 if (!find_next_esco_param(conn, esco_param_msbc, 339 ARRAY_SIZE(esco_param_msbc))) 340 return -EINVAL; 341 342 param = &esco_param_msbc[conn->attempt - 1]; 343 cp.tx_coding_format.id = 0x03; 344 cp.rx_coding_format.id = 0x03; 345 cp.tx_codec_frame_size = __cpu_to_le16(60); 346 cp.rx_codec_frame_size = __cpu_to_le16(60); 347 cp.in_bandwidth = __cpu_to_le32(0x1f40); 348 cp.out_bandwidth = __cpu_to_le32(0x1f40); 349 cp.in_coding_format.id = 0x03; 350 cp.out_coding_format.id = 0x03; 351 cp.in_coded_data_size = __cpu_to_le16(16); 352 cp.out_coded_data_size = __cpu_to_le16(16); 353 cp.in_pcm_data_format = 2; 354 cp.out_pcm_data_format = 2; 355 cp.in_pcm_sample_payload_msb_pos = 0; 356 cp.out_pcm_sample_payload_msb_pos = 0; 357 cp.in_data_path = conn->codec.data_path; 358 cp.out_data_path = conn->codec.data_path; 359 cp.in_transport_unit_size = 1; 360 cp.out_transport_unit_size = 1; 361 break; 362 363 case BT_CODEC_CVSD: 364 if (conn->parent && lmp_esco_capable(conn->parent)) { 365 if (!find_next_esco_param(conn, esco_param_cvsd, 366 ARRAY_SIZE(esco_param_cvsd))) 367 return -EINVAL; 368 param = &esco_param_cvsd[conn->attempt - 1]; 369 } else { 370 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd)) 371 return -EINVAL; 372 param = &sco_param_cvsd[conn->attempt - 1]; 373 } 374 cp.tx_coding_format.id = 2; 375 cp.rx_coding_format.id = 2; 376 cp.tx_codec_frame_size = __cpu_to_le16(60); 377 cp.rx_codec_frame_size = __cpu_to_le16(60); 378 cp.in_bandwidth = __cpu_to_le32(16000); 379 cp.out_bandwidth = __cpu_to_le32(16000); 380 cp.in_coding_format.id = 4; 381 cp.out_coding_format.id = 4; 382 cp.in_coded_data_size = __cpu_to_le16(16); 383 cp.out_coded_data_size = __cpu_to_le16(16); 384 cp.in_pcm_data_format = 2; 385 cp.out_pcm_data_format = 2; 386 cp.in_pcm_sample_payload_msb_pos = 0; 387 cp.out_pcm_sample_payload_msb_pos = 0; 388 cp.in_data_path = conn->codec.data_path; 389 cp.out_data_path = conn->codec.data_path; 390 cp.in_transport_unit_size = 16; 391 cp.out_transport_unit_size = 16; 392 break; 393 default: 394 return -EINVAL; 395 } 396 397 cp.retrans_effort = param->retrans_effort; 398 cp.pkt_type = __cpu_to_le16(param->pkt_type); 399 cp.max_latency = __cpu_to_le16(param->max_latency); 400 401 if (hci_send_cmd(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0) 402 return -EIO; 403 404 return 0; 405 } 406 407 static bool hci_setup_sync_conn(struct hci_conn *conn, __u16 handle) 408 { 409 struct hci_dev *hdev = conn->hdev; 410 struct hci_cp_setup_sync_conn cp; 411 const struct sco_param *param; 412 413 bt_dev_dbg(hdev, "hcon %p", conn); 414 415 conn->state = BT_CONNECT; 416 conn->out = true; 417 418 conn->attempt++; 419 420 cp.handle = cpu_to_le16(handle); 421 422 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 423 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 424 cp.voice_setting = cpu_to_le16(conn->setting); 425 426 switch (conn->setting & SCO_AIRMODE_MASK) { 427 case SCO_AIRMODE_TRANSP: 428 if (!find_next_esco_param(conn, esco_param_msbc, 429 ARRAY_SIZE(esco_param_msbc))) 430 return false; 431 param = &esco_param_msbc[conn->attempt - 1]; 432 break; 433 case SCO_AIRMODE_CVSD: 434 if (conn->parent && lmp_esco_capable(conn->parent)) { 435 if (!find_next_esco_param(conn, esco_param_cvsd, 436 ARRAY_SIZE(esco_param_cvsd))) 437 return false; 438 param = &esco_param_cvsd[conn->attempt - 1]; 439 } else { 440 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd)) 441 return false; 442 param = &sco_param_cvsd[conn->attempt - 1]; 443 } 444 break; 445 default: 446 return false; 447 } 448 449 cp.retrans_effort = param->retrans_effort; 450 cp.pkt_type = __cpu_to_le16(param->pkt_type); 451 cp.max_latency = __cpu_to_le16(param->max_latency); 452 453 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0) 454 return false; 455 456 return true; 457 } 458 459 bool hci_setup_sync(struct hci_conn *conn, __u16 handle) 460 { 461 int result; 462 struct conn_handle_t *conn_handle; 463 464 if (enhanced_sync_conn_capable(conn->hdev)) { 465 conn_handle = kzalloc(sizeof(*conn_handle), GFP_KERNEL); 466 467 if (!conn_handle) 468 return false; 469 470 conn_handle->conn = conn; 471 conn_handle->handle = handle; 472 result = hci_cmd_sync_queue(conn->hdev, hci_enhanced_setup_sync, 473 conn_handle, NULL); 474 if (result < 0) 475 kfree(conn_handle); 476 477 return result == 0; 478 } 479 480 return hci_setup_sync_conn(conn, handle); 481 } 482 483 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency, 484 u16 to_multiplier) 485 { 486 struct hci_dev *hdev = conn->hdev; 487 struct hci_conn_params *params; 488 struct hci_cp_le_conn_update cp; 489 490 hci_dev_lock(hdev); 491 492 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 493 if (params) { 494 params->conn_min_interval = min; 495 params->conn_max_interval = max; 496 params->conn_latency = latency; 497 params->supervision_timeout = to_multiplier; 498 } 499 500 hci_dev_unlock(hdev); 501 502 memset(&cp, 0, sizeof(cp)); 503 cp.handle = cpu_to_le16(conn->handle); 504 cp.conn_interval_min = cpu_to_le16(min); 505 cp.conn_interval_max = cpu_to_le16(max); 506 cp.conn_latency = cpu_to_le16(latency); 507 cp.supervision_timeout = cpu_to_le16(to_multiplier); 508 cp.min_ce_len = cpu_to_le16(0x0000); 509 cp.max_ce_len = cpu_to_le16(0x0000); 510 511 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp); 512 513 if (params) 514 return 0x01; 515 516 return 0x00; 517 } 518 519 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand, 520 __u8 ltk[16], __u8 key_size) 521 { 522 struct hci_dev *hdev = conn->hdev; 523 struct hci_cp_le_start_enc cp; 524 525 BT_DBG("hcon %p", conn); 526 527 memset(&cp, 0, sizeof(cp)); 528 529 cp.handle = cpu_to_le16(conn->handle); 530 cp.rand = rand; 531 cp.ediv = ediv; 532 memcpy(cp.ltk, ltk, key_size); 533 534 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp); 535 } 536 537 /* Device _must_ be locked */ 538 void hci_sco_setup(struct hci_conn *conn, __u8 status) 539 { 540 struct hci_link *link; 541 542 link = list_first_entry_or_null(&conn->link_list, struct hci_link, list); 543 if (!link || !link->conn) 544 return; 545 546 BT_DBG("hcon %p", conn); 547 548 if (!status) { 549 if (lmp_esco_capable(conn->hdev)) 550 hci_setup_sync(link->conn, conn->handle); 551 else 552 hci_add_sco(link->conn, conn->handle); 553 } else { 554 hci_connect_cfm(link->conn, status); 555 hci_conn_del(link->conn); 556 } 557 } 558 559 static void hci_conn_timeout(struct work_struct *work) 560 { 561 struct hci_conn *conn = container_of(work, struct hci_conn, 562 disc_work.work); 563 int refcnt = atomic_read(&conn->refcnt); 564 565 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state)); 566 567 WARN_ON(refcnt < 0); 568 569 /* FIXME: It was observed that in pairing failed scenario, refcnt 570 * drops below 0. Probably this is because l2cap_conn_del calls 571 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is 572 * dropped. After that loop hci_chan_del is called which also drops 573 * conn. For now make sure that ACL is alive if refcnt is higher then 0, 574 * otherwise drop it. 575 */ 576 if (refcnt > 0) 577 return; 578 579 hci_abort_conn(conn, hci_proto_disconn_ind(conn)); 580 } 581 582 /* Enter sniff mode */ 583 static void hci_conn_idle(struct work_struct *work) 584 { 585 struct hci_conn *conn = container_of(work, struct hci_conn, 586 idle_work.work); 587 struct hci_dev *hdev = conn->hdev; 588 589 BT_DBG("hcon %p mode %d", conn, conn->mode); 590 591 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn)) 592 return; 593 594 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF)) 595 return; 596 597 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) { 598 struct hci_cp_sniff_subrate cp; 599 cp.handle = cpu_to_le16(conn->handle); 600 cp.max_latency = cpu_to_le16(0); 601 cp.min_remote_timeout = cpu_to_le16(0); 602 cp.min_local_timeout = cpu_to_le16(0); 603 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp); 604 } 605 606 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) { 607 struct hci_cp_sniff_mode cp; 608 cp.handle = cpu_to_le16(conn->handle); 609 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval); 610 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval); 611 cp.attempt = cpu_to_le16(4); 612 cp.timeout = cpu_to_le16(1); 613 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp); 614 } 615 } 616 617 static void hci_conn_auto_accept(struct work_struct *work) 618 { 619 struct hci_conn *conn = container_of(work, struct hci_conn, 620 auto_accept_work.work); 621 622 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst), 623 &conn->dst); 624 } 625 626 static void le_disable_advertising(struct hci_dev *hdev) 627 { 628 if (ext_adv_capable(hdev)) { 629 struct hci_cp_le_set_ext_adv_enable cp; 630 631 cp.enable = 0x00; 632 cp.num_of_sets = 0x00; 633 634 hci_send_cmd(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE, sizeof(cp), 635 &cp); 636 } else { 637 u8 enable = 0x00; 638 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), 639 &enable); 640 } 641 } 642 643 static void le_conn_timeout(struct work_struct *work) 644 { 645 struct hci_conn *conn = container_of(work, struct hci_conn, 646 le_conn_timeout.work); 647 struct hci_dev *hdev = conn->hdev; 648 649 BT_DBG(""); 650 651 /* We could end up here due to having done directed advertising, 652 * so clean up the state if necessary. This should however only 653 * happen with broken hardware or if low duty cycle was used 654 * (which doesn't have a timeout of its own). 655 */ 656 if (conn->role == HCI_ROLE_SLAVE) { 657 /* Disable LE Advertising */ 658 le_disable_advertising(hdev); 659 hci_dev_lock(hdev); 660 hci_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT); 661 hci_dev_unlock(hdev); 662 return; 663 } 664 665 hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM); 666 } 667 668 struct iso_list_data { 669 union { 670 u8 cig; 671 u8 big; 672 }; 673 union { 674 u8 cis; 675 u8 bis; 676 u16 sync_handle; 677 }; 678 int count; 679 bool big_term; 680 bool pa_sync_term; 681 bool big_sync_term; 682 }; 683 684 static void bis_list(struct hci_conn *conn, void *data) 685 { 686 struct iso_list_data *d = data; 687 688 /* Skip if not broadcast/ANY address */ 689 if (bacmp(&conn->dst, BDADDR_ANY)) 690 return; 691 692 if (d->big != conn->iso_qos.bcast.big || d->bis == BT_ISO_QOS_BIS_UNSET || 693 d->bis != conn->iso_qos.bcast.bis) 694 return; 695 696 d->count++; 697 } 698 699 static int terminate_big_sync(struct hci_dev *hdev, void *data) 700 { 701 struct iso_list_data *d = data; 702 703 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", d->big, d->bis); 704 705 hci_disable_per_advertising_sync(hdev, d->bis); 706 hci_remove_ext_adv_instance_sync(hdev, d->bis, NULL); 707 708 /* Only terminate BIG if it has been created */ 709 if (!d->big_term) 710 return 0; 711 712 return hci_le_terminate_big_sync(hdev, d->big, 713 HCI_ERROR_LOCAL_HOST_TERM); 714 } 715 716 static void terminate_big_destroy(struct hci_dev *hdev, void *data, int err) 717 { 718 kfree(data); 719 } 720 721 static int hci_le_terminate_big(struct hci_dev *hdev, struct hci_conn *conn) 722 { 723 struct iso_list_data *d; 724 int ret; 725 726 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", conn->iso_qos.bcast.big, 727 conn->iso_qos.bcast.bis); 728 729 d = kzalloc(sizeof(*d), GFP_KERNEL); 730 if (!d) 731 return -ENOMEM; 732 733 d->big = conn->iso_qos.bcast.big; 734 d->bis = conn->iso_qos.bcast.bis; 735 d->big_term = test_and_clear_bit(HCI_CONN_BIG_CREATED, &conn->flags); 736 737 ret = hci_cmd_sync_queue(hdev, terminate_big_sync, d, 738 terminate_big_destroy); 739 if (ret) 740 kfree(d); 741 742 return ret; 743 } 744 745 static int big_terminate_sync(struct hci_dev *hdev, void *data) 746 { 747 struct iso_list_data *d = data; 748 749 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", d->big, 750 d->sync_handle); 751 752 if (d->big_sync_term) 753 hci_le_big_terminate_sync(hdev, d->big); 754 755 if (d->pa_sync_term) 756 return hci_le_pa_terminate_sync(hdev, d->sync_handle); 757 758 return 0; 759 } 760 761 static void find_bis(struct hci_conn *conn, void *data) 762 { 763 struct iso_list_data *d = data; 764 765 /* Ignore if BIG doesn't match */ 766 if (d->big != conn->iso_qos.bcast.big) 767 return; 768 769 d->count++; 770 } 771 772 static int hci_le_big_terminate(struct hci_dev *hdev, u8 big, struct hci_conn *conn) 773 { 774 struct iso_list_data *d; 775 int ret; 776 777 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", big, conn->sync_handle); 778 779 d = kzalloc(sizeof(*d), GFP_KERNEL); 780 if (!d) 781 return -ENOMEM; 782 783 d->big = big; 784 d->sync_handle = conn->sync_handle; 785 786 if (test_and_clear_bit(HCI_CONN_PA_SYNC, &conn->flags)) { 787 hci_conn_hash_list_flag(hdev, find_bis, PA_LINK, 788 HCI_CONN_PA_SYNC, d); 789 790 if (!d->count) 791 d->pa_sync_term = true; 792 793 d->count = 0; 794 } 795 796 if (test_and_clear_bit(HCI_CONN_BIG_SYNC, &conn->flags)) { 797 hci_conn_hash_list_flag(hdev, find_bis, BIS_LINK, 798 HCI_CONN_BIG_SYNC, d); 799 800 if (!d->count) 801 d->big_sync_term = true; 802 } 803 804 ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d, 805 terminate_big_destroy); 806 if (ret) 807 kfree(d); 808 809 return ret; 810 } 811 812 /* Cleanup BIS connection 813 * 814 * Detects if there any BIS left connected in a BIG 815 * broadcaster: Remove advertising instance and terminate BIG. 816 * broadcaster receiver: Terminate BIG sync and terminate PA sync. 817 */ 818 static void bis_cleanup(struct hci_conn *conn) 819 { 820 struct hci_dev *hdev = conn->hdev; 821 struct hci_conn *bis; 822 823 bt_dev_dbg(hdev, "conn %p", conn); 824 825 if (conn->role == HCI_ROLE_MASTER) { 826 if (!test_and_clear_bit(HCI_CONN_PER_ADV, &conn->flags)) 827 return; 828 829 /* Check if ISO connection is a BIS and terminate advertising 830 * set and BIG if there are no other connections using it. 831 */ 832 bis = hci_conn_hash_lookup_big_state(hdev, 833 conn->iso_qos.bcast.big, 834 BT_CONNECTED, 835 HCI_ROLE_MASTER); 836 if (bis) 837 return; 838 839 bis = hci_conn_hash_lookup_big_state(hdev, 840 conn->iso_qos.bcast.big, 841 BT_CONNECT, 842 HCI_ROLE_MASTER); 843 if (bis) 844 return; 845 846 hci_le_terminate_big(hdev, conn); 847 } else { 848 hci_le_big_terminate(hdev, conn->iso_qos.bcast.big, 849 conn); 850 } 851 } 852 853 static int remove_cig_sync(struct hci_dev *hdev, void *data) 854 { 855 u8 handle = PTR_UINT(data); 856 857 return hci_le_remove_cig_sync(hdev, handle); 858 } 859 860 static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle) 861 { 862 bt_dev_dbg(hdev, "handle 0x%2.2x", handle); 863 864 return hci_cmd_sync_queue(hdev, remove_cig_sync, UINT_PTR(handle), 865 NULL); 866 } 867 868 static void find_cis(struct hci_conn *conn, void *data) 869 { 870 struct iso_list_data *d = data; 871 872 /* Ignore broadcast or if CIG don't match */ 873 if (!bacmp(&conn->dst, BDADDR_ANY) || d->cig != conn->iso_qos.ucast.cig) 874 return; 875 876 d->count++; 877 } 878 879 /* Cleanup CIS connection: 880 * 881 * Detects if there any CIS left connected in a CIG and remove it. 882 */ 883 static void cis_cleanup(struct hci_conn *conn) 884 { 885 struct hci_dev *hdev = conn->hdev; 886 struct iso_list_data d; 887 888 if (conn->iso_qos.ucast.cig == BT_ISO_QOS_CIG_UNSET) 889 return; 890 891 memset(&d, 0, sizeof(d)); 892 d.cig = conn->iso_qos.ucast.cig; 893 894 /* Check if ISO connection is a CIS and remove CIG if there are 895 * no other connections using it. 896 */ 897 hci_conn_hash_list_state(hdev, find_cis, CIS_LINK, BT_BOUND, &d); 898 hci_conn_hash_list_state(hdev, find_cis, CIS_LINK, BT_CONNECT, 899 &d); 900 hci_conn_hash_list_state(hdev, find_cis, CIS_LINK, BT_CONNECTED, 901 &d); 902 if (d.count) 903 return; 904 905 hci_le_remove_cig(hdev, conn->iso_qos.ucast.cig); 906 } 907 908 static int hci_conn_hash_alloc_unset(struct hci_dev *hdev) 909 { 910 return ida_alloc_range(&hdev->unset_handle_ida, HCI_CONN_HANDLE_MAX + 1, 911 U16_MAX, GFP_ATOMIC); 912 } 913 914 static struct hci_conn *__hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst, 915 u8 role, u16 handle) 916 { 917 struct hci_conn *conn; 918 919 switch (type) { 920 case ACL_LINK: 921 if (!hdev->acl_mtu) 922 return ERR_PTR(-ECONNREFUSED); 923 break; 924 case CIS_LINK: 925 case BIS_LINK: 926 case PA_LINK: 927 if (!hdev->iso_mtu) 928 return ERR_PTR(-ECONNREFUSED); 929 break; 930 case LE_LINK: 931 if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU) 932 return ERR_PTR(-ECONNREFUSED); 933 if (!hdev->le_mtu && hdev->acl_mtu < HCI_MIN_LE_MTU) 934 return ERR_PTR(-ECONNREFUSED); 935 break; 936 case SCO_LINK: 937 case ESCO_LINK: 938 if (!hdev->sco_pkts) 939 /* Controller does not support SCO or eSCO over HCI */ 940 return ERR_PTR(-ECONNREFUSED); 941 break; 942 default: 943 return ERR_PTR(-ECONNREFUSED); 944 } 945 946 bt_dev_dbg(hdev, "dst %pMR handle 0x%4.4x", dst, handle); 947 948 conn = kzalloc(sizeof(*conn), GFP_KERNEL); 949 if (!conn) 950 return ERR_PTR(-ENOMEM); 951 952 bacpy(&conn->dst, dst); 953 bacpy(&conn->src, &hdev->bdaddr); 954 conn->handle = handle; 955 conn->hdev = hdev; 956 conn->type = type; 957 conn->role = role; 958 conn->mode = HCI_CM_ACTIVE; 959 conn->state = BT_OPEN; 960 conn->auth_type = HCI_AT_GENERAL_BONDING; 961 conn->io_capability = hdev->io_capability; 962 conn->remote_auth = 0xff; 963 conn->key_type = 0xff; 964 conn->rssi = HCI_RSSI_INVALID; 965 conn->tx_power = HCI_TX_POWER_INVALID; 966 conn->max_tx_power = HCI_TX_POWER_INVALID; 967 conn->sync_handle = HCI_SYNC_HANDLE_INVALID; 968 conn->sid = HCI_SID_INVALID; 969 970 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 971 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 972 973 /* Set Default Authenticated payload timeout to 30s */ 974 conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT; 975 976 if (conn->role == HCI_ROLE_MASTER) 977 conn->out = true; 978 979 switch (type) { 980 case ACL_LINK: 981 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK; 982 conn->mtu = hdev->acl_mtu; 983 break; 984 case LE_LINK: 985 /* conn->src should reflect the local identity address */ 986 hci_copy_identity_address(hdev, &conn->src, &conn->src_type); 987 conn->mtu = hdev->le_mtu ? hdev->le_mtu : hdev->acl_mtu; 988 break; 989 case CIS_LINK: 990 case BIS_LINK: 991 case PA_LINK: 992 /* conn->src should reflect the local identity address */ 993 hci_copy_identity_address(hdev, &conn->src, &conn->src_type); 994 995 /* set proper cleanup function */ 996 if (!bacmp(dst, BDADDR_ANY)) 997 conn->cleanup = bis_cleanup; 998 else if (conn->role == HCI_ROLE_MASTER) 999 conn->cleanup = cis_cleanup; 1000 1001 conn->mtu = hdev->iso_mtu ? hdev->iso_mtu : 1002 hdev->le_mtu ? hdev->le_mtu : hdev->acl_mtu; 1003 break; 1004 case SCO_LINK: 1005 if (lmp_esco_capable(hdev)) 1006 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 1007 (hdev->esco_type & EDR_ESCO_MASK); 1008 else 1009 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK; 1010 1011 conn->mtu = hdev->sco_mtu; 1012 break; 1013 case ESCO_LINK: 1014 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK; 1015 conn->mtu = hdev->sco_mtu; 1016 break; 1017 } 1018 1019 skb_queue_head_init(&conn->data_q); 1020 skb_queue_head_init(&conn->tx_q.queue); 1021 1022 INIT_LIST_HEAD(&conn->chan_list); 1023 INIT_LIST_HEAD(&conn->link_list); 1024 1025 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout); 1026 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept); 1027 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle); 1028 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout); 1029 1030 atomic_set(&conn->refcnt, 0); 1031 1032 hci_dev_hold(hdev); 1033 1034 hci_conn_hash_add(hdev, conn); 1035 1036 /* The SCO and eSCO connections will only be notified when their 1037 * setup has been completed. This is different to ACL links which 1038 * can be notified right away. 1039 */ 1040 if (conn->type != SCO_LINK && conn->type != ESCO_LINK) { 1041 if (hdev->notify) 1042 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD); 1043 } 1044 1045 hci_conn_init_sysfs(conn); 1046 return conn; 1047 } 1048 1049 struct hci_conn *hci_conn_add_unset(struct hci_dev *hdev, int type, 1050 bdaddr_t *dst, u8 role) 1051 { 1052 int handle; 1053 1054 bt_dev_dbg(hdev, "dst %pMR", dst); 1055 1056 handle = hci_conn_hash_alloc_unset(hdev); 1057 if (unlikely(handle < 0)) 1058 return ERR_PTR(-ECONNREFUSED); 1059 1060 return __hci_conn_add(hdev, type, dst, role, handle); 1061 } 1062 1063 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst, 1064 u8 role, u16 handle) 1065 { 1066 if (handle > HCI_CONN_HANDLE_MAX) 1067 return ERR_PTR(-EINVAL); 1068 1069 return __hci_conn_add(hdev, type, dst, role, handle); 1070 } 1071 1072 static void hci_conn_cleanup_child(struct hci_conn *conn, u8 reason) 1073 { 1074 if (!reason) 1075 reason = HCI_ERROR_REMOTE_USER_TERM; 1076 1077 /* Due to race, SCO/ISO conn might be not established yet at this point, 1078 * and nothing else will clean it up. In other cases it is done via HCI 1079 * events. 1080 */ 1081 switch (conn->type) { 1082 case SCO_LINK: 1083 case ESCO_LINK: 1084 if (HCI_CONN_HANDLE_UNSET(conn->handle)) 1085 hci_conn_failed(conn, reason); 1086 break; 1087 case CIS_LINK: 1088 case BIS_LINK: 1089 case PA_LINK: 1090 if ((conn->state != BT_CONNECTED && 1091 !test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) || 1092 test_bit(HCI_CONN_BIG_CREATED, &conn->flags)) 1093 hci_conn_failed(conn, reason); 1094 break; 1095 } 1096 } 1097 1098 static void hci_conn_unlink(struct hci_conn *conn) 1099 { 1100 struct hci_dev *hdev = conn->hdev; 1101 1102 bt_dev_dbg(hdev, "hcon %p", conn); 1103 1104 if (!conn->parent) { 1105 struct hci_link *link, *t; 1106 1107 list_for_each_entry_safe(link, t, &conn->link_list, list) { 1108 struct hci_conn *child = link->conn; 1109 1110 hci_conn_unlink(child); 1111 1112 /* If hdev is down it means 1113 * hci_dev_close_sync/hci_conn_hash_flush is in progress 1114 * and links don't need to be cleanup as all connections 1115 * would be cleanup. 1116 */ 1117 if (!test_bit(HCI_UP, &hdev->flags)) 1118 continue; 1119 1120 hci_conn_cleanup_child(child, conn->abort_reason); 1121 } 1122 1123 return; 1124 } 1125 1126 if (!conn->link) 1127 return; 1128 1129 list_del_rcu(&conn->link->list); 1130 synchronize_rcu(); 1131 1132 hci_conn_drop(conn->parent); 1133 hci_conn_put(conn->parent); 1134 conn->parent = NULL; 1135 1136 kfree(conn->link); 1137 conn->link = NULL; 1138 } 1139 1140 void hci_conn_del(struct hci_conn *conn) 1141 { 1142 struct hci_dev *hdev = conn->hdev; 1143 1144 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle); 1145 1146 hci_conn_unlink(conn); 1147 1148 disable_delayed_work_sync(&conn->disc_work); 1149 disable_delayed_work_sync(&conn->auto_accept_work); 1150 disable_delayed_work_sync(&conn->idle_work); 1151 1152 /* Remove the connection from the list so unacked logic can detect when 1153 * a certain pool is not being utilized. 1154 */ 1155 hci_conn_hash_del(hdev, conn); 1156 1157 /* Handle unacked frames: 1158 * 1159 * - In case there are no connection, or if restoring the buffers 1160 * considered in transist would overflow, restore all buffers to the 1161 * pool. 1162 * - Otherwise restore just the buffers considered in transit for the 1163 * hci_conn 1164 */ 1165 switch (conn->type) { 1166 case ACL_LINK: 1167 if (!hci_conn_num(hdev, ACL_LINK) || 1168 hdev->acl_cnt + conn->sent > hdev->acl_pkts) 1169 hdev->acl_cnt = hdev->acl_pkts; 1170 else 1171 hdev->acl_cnt += conn->sent; 1172 break; 1173 case LE_LINK: 1174 cancel_delayed_work(&conn->le_conn_timeout); 1175 1176 if (hdev->le_pkts) { 1177 if (!hci_conn_num(hdev, LE_LINK) || 1178 hdev->le_cnt + conn->sent > hdev->le_pkts) 1179 hdev->le_cnt = hdev->le_pkts; 1180 else 1181 hdev->le_cnt += conn->sent; 1182 } else { 1183 if ((!hci_conn_num(hdev, LE_LINK) && 1184 !hci_conn_num(hdev, ACL_LINK)) || 1185 hdev->acl_cnt + conn->sent > hdev->acl_pkts) 1186 hdev->acl_cnt = hdev->acl_pkts; 1187 else 1188 hdev->acl_cnt += conn->sent; 1189 } 1190 break; 1191 case CIS_LINK: 1192 case BIS_LINK: 1193 case PA_LINK: 1194 if (!hci_iso_count(hdev) || 1195 hdev->iso_cnt + conn->sent > hdev->iso_pkts) 1196 hdev->iso_cnt = hdev->iso_pkts; 1197 else 1198 hdev->iso_cnt += conn->sent; 1199 break; 1200 } 1201 1202 skb_queue_purge(&conn->data_q); 1203 skb_queue_purge(&conn->tx_q.queue); 1204 1205 /* Remove the connection from the list and cleanup its remaining 1206 * state. This is a separate function since for some cases like 1207 * BT_CONNECT_SCAN we *only* want the cleanup part without the 1208 * rest of hci_conn_del. 1209 */ 1210 hci_conn_cleanup(conn); 1211 1212 /* Dequeue callbacks using connection pointer as data */ 1213 hci_cmd_sync_dequeue(hdev, NULL, conn, NULL); 1214 } 1215 1216 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type) 1217 { 1218 int use_src = bacmp(src, BDADDR_ANY); 1219 struct hci_dev *hdev = NULL, *d; 1220 1221 BT_DBG("%pMR -> %pMR", src, dst); 1222 1223 read_lock(&hci_dev_list_lock); 1224 1225 list_for_each_entry(d, &hci_dev_list, list) { 1226 if (!test_bit(HCI_UP, &d->flags) || 1227 hci_dev_test_flag(d, HCI_USER_CHANNEL)) 1228 continue; 1229 1230 /* Simple routing: 1231 * No source address - find interface with bdaddr != dst 1232 * Source address - find interface with bdaddr == src 1233 */ 1234 1235 if (use_src) { 1236 bdaddr_t id_addr; 1237 u8 id_addr_type; 1238 1239 if (src_type == BDADDR_BREDR) { 1240 if (!lmp_bredr_capable(d)) 1241 continue; 1242 bacpy(&id_addr, &d->bdaddr); 1243 id_addr_type = BDADDR_BREDR; 1244 } else { 1245 if (!lmp_le_capable(d)) 1246 continue; 1247 1248 hci_copy_identity_address(d, &id_addr, 1249 &id_addr_type); 1250 1251 /* Convert from HCI to three-value type */ 1252 if (id_addr_type == ADDR_LE_DEV_PUBLIC) 1253 id_addr_type = BDADDR_LE_PUBLIC; 1254 else 1255 id_addr_type = BDADDR_LE_RANDOM; 1256 } 1257 1258 if (!bacmp(&id_addr, src) && id_addr_type == src_type) { 1259 hdev = d; break; 1260 } 1261 } else { 1262 if (bacmp(&d->bdaddr, dst)) { 1263 hdev = d; break; 1264 } 1265 } 1266 } 1267 1268 if (hdev) 1269 hdev = hci_dev_hold(hdev); 1270 1271 read_unlock(&hci_dev_list_lock); 1272 return hdev; 1273 } 1274 EXPORT_SYMBOL(hci_get_route); 1275 1276 /* This function requires the caller holds hdev->lock */ 1277 static void hci_le_conn_failed(struct hci_conn *conn, u8 status) 1278 { 1279 struct hci_dev *hdev = conn->hdev; 1280 1281 hci_connect_le_scan_cleanup(conn, status); 1282 1283 /* Enable advertising in case this was a failed connection 1284 * attempt as a peripheral. 1285 */ 1286 hci_enable_advertising(hdev); 1287 } 1288 1289 /* This function requires the caller holds hdev->lock */ 1290 void hci_conn_failed(struct hci_conn *conn, u8 status) 1291 { 1292 struct hci_dev *hdev = conn->hdev; 1293 1294 bt_dev_dbg(hdev, "status 0x%2.2x", status); 1295 1296 switch (conn->type) { 1297 case LE_LINK: 1298 hci_le_conn_failed(conn, status); 1299 break; 1300 case ACL_LINK: 1301 mgmt_connect_failed(hdev, conn, status); 1302 break; 1303 } 1304 1305 /* In case of BIG/PA sync failed, clear conn flags so that 1306 * the conns will be correctly cleaned up by ISO layer 1307 */ 1308 test_and_clear_bit(HCI_CONN_BIG_SYNC_FAILED, &conn->flags); 1309 test_and_clear_bit(HCI_CONN_PA_SYNC_FAILED, &conn->flags); 1310 1311 conn->state = BT_CLOSED; 1312 hci_connect_cfm(conn, status); 1313 hci_conn_del(conn); 1314 } 1315 1316 /* This function requires the caller holds hdev->lock */ 1317 u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle) 1318 { 1319 struct hci_dev *hdev = conn->hdev; 1320 1321 bt_dev_dbg(hdev, "hcon %p handle 0x%4.4x", conn, handle); 1322 1323 if (conn->handle == handle) 1324 return 0; 1325 1326 if (handle > HCI_CONN_HANDLE_MAX) { 1327 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x", 1328 handle, HCI_CONN_HANDLE_MAX); 1329 return HCI_ERROR_INVALID_PARAMETERS; 1330 } 1331 1332 /* If abort_reason has been sent it means the connection is being 1333 * aborted and the handle shall not be changed. 1334 */ 1335 if (conn->abort_reason) 1336 return conn->abort_reason; 1337 1338 if (HCI_CONN_HANDLE_UNSET(conn->handle)) 1339 ida_free(&hdev->unset_handle_ida, conn->handle); 1340 1341 conn->handle = handle; 1342 1343 return 0; 1344 } 1345 1346 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst, 1347 u8 dst_type, bool dst_resolved, u8 sec_level, 1348 u16 conn_timeout, u8 role, u8 phy, u8 sec_phy) 1349 { 1350 struct hci_conn *conn; 1351 struct smp_irk *irk; 1352 int err; 1353 1354 /* Let's make sure that le is enabled.*/ 1355 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1356 if (lmp_le_capable(hdev)) 1357 return ERR_PTR(-ECONNREFUSED); 1358 1359 return ERR_PTR(-EOPNOTSUPP); 1360 } 1361 1362 /* Since the controller supports only one LE connection attempt at a 1363 * time, we return -EBUSY if there is any connection attempt running. 1364 */ 1365 if (hci_lookup_le_connect(hdev)) 1366 return ERR_PTR(-EBUSY); 1367 1368 /* If there's already a connection object but it's not in 1369 * scanning state it means it must already be established, in 1370 * which case we can't do anything else except report a failure 1371 * to connect. 1372 */ 1373 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type); 1374 if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) { 1375 return ERR_PTR(-EBUSY); 1376 } 1377 1378 /* Check if the destination address has been resolved by the controller 1379 * since if it did then the identity address shall be used. 1380 */ 1381 if (!dst_resolved) { 1382 /* When given an identity address with existing identity 1383 * resolving key, the connection needs to be established 1384 * to a resolvable random address. 1385 * 1386 * Storing the resolvable random address is required here 1387 * to handle connection failures. The address will later 1388 * be resolved back into the original identity address 1389 * from the connect request. 1390 */ 1391 irk = hci_find_irk_by_addr(hdev, dst, dst_type); 1392 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) { 1393 dst = &irk->rpa; 1394 dst_type = ADDR_LE_DEV_RANDOM; 1395 } 1396 } 1397 1398 if (conn) { 1399 bacpy(&conn->dst, dst); 1400 } else { 1401 conn = hci_conn_add_unset(hdev, LE_LINK, dst, role); 1402 if (IS_ERR(conn)) 1403 return conn; 1404 hci_conn_hold(conn); 1405 conn->pending_sec_level = sec_level; 1406 } 1407 1408 conn->dst_type = dst_type; 1409 conn->sec_level = BT_SECURITY_LOW; 1410 conn->conn_timeout = conn_timeout; 1411 conn->le_adv_phy = phy; 1412 conn->le_adv_sec_phy = sec_phy; 1413 1414 err = hci_connect_le_sync(hdev, conn); 1415 if (err) { 1416 hci_conn_del(conn); 1417 return ERR_PTR(err); 1418 } 1419 1420 return conn; 1421 } 1422 1423 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type) 1424 { 1425 struct hci_conn *conn; 1426 1427 conn = hci_conn_hash_lookup_le(hdev, addr, type); 1428 if (!conn) 1429 return false; 1430 1431 if (conn->state != BT_CONNECTED) 1432 return false; 1433 1434 return true; 1435 } 1436 1437 /* This function requires the caller holds hdev->lock */ 1438 static int hci_explicit_conn_params_set(struct hci_dev *hdev, 1439 bdaddr_t *addr, u8 addr_type) 1440 { 1441 struct hci_conn_params *params; 1442 1443 if (is_connected(hdev, addr, addr_type)) 1444 return -EISCONN; 1445 1446 params = hci_conn_params_lookup(hdev, addr, addr_type); 1447 if (!params) { 1448 params = hci_conn_params_add(hdev, addr, addr_type); 1449 if (!params) 1450 return -ENOMEM; 1451 1452 /* If we created new params, mark them to be deleted in 1453 * hci_connect_le_scan_cleanup. It's different case than 1454 * existing disabled params, those will stay after cleanup. 1455 */ 1456 params->auto_connect = HCI_AUTO_CONN_EXPLICIT; 1457 } 1458 1459 /* We're trying to connect, so make sure params are at pend_le_conns */ 1460 if (params->auto_connect == HCI_AUTO_CONN_DISABLED || 1461 params->auto_connect == HCI_AUTO_CONN_REPORT || 1462 params->auto_connect == HCI_AUTO_CONN_EXPLICIT) { 1463 hci_pend_le_list_del_init(params); 1464 hci_pend_le_list_add(params, &hdev->pend_le_conns); 1465 } 1466 1467 params->explicit_connect = true; 1468 1469 BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type, 1470 params->auto_connect); 1471 1472 return 0; 1473 } 1474 1475 static int qos_set_big(struct hci_dev *hdev, struct bt_iso_qos *qos) 1476 { 1477 struct hci_conn *conn; 1478 u8 big; 1479 1480 /* Allocate a BIG if not set */ 1481 if (qos->bcast.big == BT_ISO_QOS_BIG_UNSET) { 1482 for (big = 0x00; big < 0xef; big++) { 1483 1484 conn = hci_conn_hash_lookup_big(hdev, big); 1485 if (!conn) 1486 break; 1487 } 1488 1489 if (big == 0xef) 1490 return -EADDRNOTAVAIL; 1491 1492 /* Update BIG */ 1493 qos->bcast.big = big; 1494 } 1495 1496 return 0; 1497 } 1498 1499 static int qos_set_bis(struct hci_dev *hdev, struct bt_iso_qos *qos) 1500 { 1501 struct hci_conn *conn; 1502 u8 bis; 1503 1504 /* Allocate BIS if not set */ 1505 if (qos->bcast.bis == BT_ISO_QOS_BIS_UNSET) { 1506 if (qos->bcast.big != BT_ISO_QOS_BIG_UNSET) { 1507 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big); 1508 1509 if (conn) { 1510 /* If the BIG handle is already matched to an advertising 1511 * handle, do not allocate a new one. 1512 */ 1513 qos->bcast.bis = conn->iso_qos.bcast.bis; 1514 return 0; 1515 } 1516 } 1517 1518 /* Find an unused adv set to advertise BIS, skip instance 0x00 1519 * since it is reserved as general purpose set. 1520 */ 1521 for (bis = 0x01; bis < hdev->le_num_of_adv_sets; 1522 bis++) { 1523 1524 conn = hci_conn_hash_lookup_bis(hdev, BDADDR_ANY, bis); 1525 if (!conn) 1526 break; 1527 } 1528 1529 if (bis == hdev->le_num_of_adv_sets) 1530 return -EADDRNOTAVAIL; 1531 1532 /* Update BIS */ 1533 qos->bcast.bis = bis; 1534 } 1535 1536 return 0; 1537 } 1538 1539 /* This function requires the caller holds hdev->lock */ 1540 static struct hci_conn *hci_add_bis(struct hci_dev *hdev, bdaddr_t *dst, 1541 __u8 sid, struct bt_iso_qos *qos, 1542 __u8 base_len, __u8 *base, u16 timeout) 1543 { 1544 struct hci_conn *conn; 1545 int err; 1546 1547 /* Let's make sure that le is enabled.*/ 1548 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1549 if (lmp_le_capable(hdev)) 1550 return ERR_PTR(-ECONNREFUSED); 1551 return ERR_PTR(-EOPNOTSUPP); 1552 } 1553 1554 err = qos_set_big(hdev, qos); 1555 if (err) 1556 return ERR_PTR(err); 1557 1558 err = qos_set_bis(hdev, qos); 1559 if (err) 1560 return ERR_PTR(err); 1561 1562 /* Check if the LE Create BIG command has already been sent */ 1563 conn = hci_conn_hash_lookup_per_adv_bis(hdev, dst, qos->bcast.big, 1564 qos->bcast.big); 1565 if (conn) 1566 return ERR_PTR(-EADDRINUSE); 1567 1568 /* Check BIS settings against other bound BISes, since all 1569 * BISes in a BIG must have the same value for all parameters 1570 */ 1571 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big); 1572 1573 if (conn && (memcmp(qos, &conn->iso_qos, sizeof(*qos)) || 1574 base_len != conn->le_per_adv_data_len || 1575 memcmp(conn->le_per_adv_data, base, base_len))) 1576 return ERR_PTR(-EADDRINUSE); 1577 1578 conn = hci_conn_add_unset(hdev, BIS_LINK, dst, HCI_ROLE_MASTER); 1579 if (IS_ERR(conn)) 1580 return conn; 1581 1582 conn->state = BT_CONNECT; 1583 conn->sid = sid; 1584 conn->conn_timeout = timeout; 1585 1586 hci_conn_hold(conn); 1587 return conn; 1588 } 1589 1590 /* This function requires the caller holds hdev->lock */ 1591 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst, 1592 u8 dst_type, u8 sec_level, 1593 u16 conn_timeout, 1594 enum conn_reasons conn_reason) 1595 { 1596 struct hci_conn *conn; 1597 1598 /* Let's make sure that le is enabled.*/ 1599 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1600 if (lmp_le_capable(hdev)) 1601 return ERR_PTR(-ECONNREFUSED); 1602 1603 return ERR_PTR(-EOPNOTSUPP); 1604 } 1605 1606 /* Some devices send ATT messages as soon as the physical link is 1607 * established. To be able to handle these ATT messages, the user- 1608 * space first establishes the connection and then starts the pairing 1609 * process. 1610 * 1611 * So if a hci_conn object already exists for the following connection 1612 * attempt, we simply update pending_sec_level and auth_type fields 1613 * and return the object found. 1614 */ 1615 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type); 1616 if (conn) { 1617 if (conn->pending_sec_level < sec_level) 1618 conn->pending_sec_level = sec_level; 1619 goto done; 1620 } 1621 1622 BT_DBG("requesting refresh of dst_addr"); 1623 1624 conn = hci_conn_add_unset(hdev, LE_LINK, dst, HCI_ROLE_MASTER); 1625 if (IS_ERR(conn)) 1626 return conn; 1627 1628 if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) { 1629 hci_conn_del(conn); 1630 return ERR_PTR(-EBUSY); 1631 } 1632 1633 conn->state = BT_CONNECT; 1634 set_bit(HCI_CONN_SCANNING, &conn->flags); 1635 conn->dst_type = dst_type; 1636 conn->sec_level = BT_SECURITY_LOW; 1637 conn->pending_sec_level = sec_level; 1638 conn->conn_timeout = conn_timeout; 1639 conn->conn_reason = conn_reason; 1640 1641 hci_update_passive_scan(hdev); 1642 1643 done: 1644 hci_conn_hold(conn); 1645 return conn; 1646 } 1647 1648 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst, 1649 u8 sec_level, u8 auth_type, 1650 enum conn_reasons conn_reason, u16 timeout) 1651 { 1652 struct hci_conn *acl; 1653 1654 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) { 1655 if (lmp_bredr_capable(hdev)) 1656 return ERR_PTR(-ECONNREFUSED); 1657 1658 return ERR_PTR(-EOPNOTSUPP); 1659 } 1660 1661 /* Reject outgoing connection to device with same BD ADDR against 1662 * CVE-2020-26555 1663 */ 1664 if (!bacmp(&hdev->bdaddr, dst)) { 1665 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n", 1666 dst); 1667 return ERR_PTR(-ECONNREFUSED); 1668 } 1669 1670 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst); 1671 if (!acl) { 1672 acl = hci_conn_add_unset(hdev, ACL_LINK, dst, HCI_ROLE_MASTER); 1673 if (IS_ERR(acl)) 1674 return acl; 1675 } 1676 1677 hci_conn_hold(acl); 1678 1679 acl->conn_reason = conn_reason; 1680 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) { 1681 int err; 1682 1683 acl->sec_level = BT_SECURITY_LOW; 1684 acl->pending_sec_level = sec_level; 1685 acl->auth_type = auth_type; 1686 acl->conn_timeout = timeout; 1687 1688 err = hci_connect_acl_sync(hdev, acl); 1689 if (err) { 1690 hci_conn_del(acl); 1691 return ERR_PTR(err); 1692 } 1693 } 1694 1695 return acl; 1696 } 1697 1698 static struct hci_link *hci_conn_link(struct hci_conn *parent, 1699 struct hci_conn *conn) 1700 { 1701 struct hci_dev *hdev = parent->hdev; 1702 struct hci_link *link; 1703 1704 bt_dev_dbg(hdev, "parent %p hcon %p", parent, conn); 1705 1706 if (conn->link) 1707 return conn->link; 1708 1709 if (conn->parent) 1710 return NULL; 1711 1712 link = kzalloc(sizeof(*link), GFP_KERNEL); 1713 if (!link) 1714 return NULL; 1715 1716 link->conn = hci_conn_hold(conn); 1717 conn->link = link; 1718 conn->parent = hci_conn_get(parent); 1719 1720 /* Use list_add_tail_rcu append to the list */ 1721 list_add_tail_rcu(&link->list, &parent->link_list); 1722 1723 return link; 1724 } 1725 1726 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst, 1727 __u16 setting, struct bt_codec *codec, 1728 u16 timeout) 1729 { 1730 struct hci_conn *acl; 1731 struct hci_conn *sco; 1732 struct hci_link *link; 1733 1734 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING, 1735 CONN_REASON_SCO_CONNECT, timeout); 1736 if (IS_ERR(acl)) 1737 return acl; 1738 1739 sco = hci_conn_hash_lookup_ba(hdev, type, dst); 1740 if (!sco) { 1741 sco = hci_conn_add_unset(hdev, type, dst, HCI_ROLE_MASTER); 1742 if (IS_ERR(sco)) { 1743 hci_conn_drop(acl); 1744 return sco; 1745 } 1746 } 1747 1748 link = hci_conn_link(acl, sco); 1749 if (!link) { 1750 hci_conn_drop(acl); 1751 hci_conn_drop(sco); 1752 return ERR_PTR(-ENOLINK); 1753 } 1754 1755 sco->setting = setting; 1756 sco->codec = *codec; 1757 1758 if (acl->state == BT_CONNECTED && 1759 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) { 1760 set_bit(HCI_CONN_POWER_SAVE, &acl->flags); 1761 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON); 1762 1763 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) { 1764 /* defer SCO setup until mode change completed */ 1765 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags); 1766 return sco; 1767 } 1768 1769 hci_sco_setup(acl, 0x00); 1770 } 1771 1772 return sco; 1773 } 1774 1775 static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos) 1776 { 1777 struct hci_dev *hdev = conn->hdev; 1778 struct hci_cp_le_create_big cp; 1779 struct iso_list_data data; 1780 1781 memset(&cp, 0, sizeof(cp)); 1782 1783 data.big = qos->bcast.big; 1784 data.bis = qos->bcast.bis; 1785 data.count = 0; 1786 1787 /* Create a BIS for each bound connection */ 1788 hci_conn_hash_list_state(hdev, bis_list, BIS_LINK, 1789 BT_BOUND, &data); 1790 1791 cp.handle = qos->bcast.big; 1792 cp.adv_handle = qos->bcast.bis; 1793 cp.num_bis = data.count; 1794 hci_cpu_to_le24(qos->bcast.out.interval, cp.bis.sdu_interval); 1795 cp.bis.sdu = cpu_to_le16(qos->bcast.out.sdu); 1796 cp.bis.latency = cpu_to_le16(qos->bcast.out.latency); 1797 cp.bis.rtn = qos->bcast.out.rtn; 1798 cp.bis.phy = qos->bcast.out.phy; 1799 cp.bis.packing = qos->bcast.packing; 1800 cp.bis.framing = qos->bcast.framing; 1801 cp.bis.encryption = qos->bcast.encryption; 1802 memcpy(cp.bis.bcode, qos->bcast.bcode, sizeof(cp.bis.bcode)); 1803 1804 return hci_send_cmd(hdev, HCI_OP_LE_CREATE_BIG, sizeof(cp), &cp); 1805 } 1806 1807 static int set_cig_params_sync(struct hci_dev *hdev, void *data) 1808 { 1809 DEFINE_FLEX(struct hci_cp_le_set_cig_params, pdu, cis, num_cis, 0x1f); 1810 u8 cig_id = PTR_UINT(data); 1811 struct hci_conn *conn; 1812 struct bt_iso_qos *qos; 1813 u8 aux_num_cis = 0; 1814 u8 cis_id; 1815 1816 conn = hci_conn_hash_lookup_cig(hdev, cig_id); 1817 if (!conn) 1818 return 0; 1819 1820 qos = &conn->iso_qos; 1821 pdu->cig_id = cig_id; 1822 hci_cpu_to_le24(qos->ucast.out.interval, pdu->c_interval); 1823 hci_cpu_to_le24(qos->ucast.in.interval, pdu->p_interval); 1824 pdu->sca = qos->ucast.sca; 1825 pdu->packing = qos->ucast.packing; 1826 pdu->framing = qos->ucast.framing; 1827 pdu->c_latency = cpu_to_le16(qos->ucast.out.latency); 1828 pdu->p_latency = cpu_to_le16(qos->ucast.in.latency); 1829 1830 /* Reprogram all CIS(s) with the same CIG, valid range are: 1831 * num_cis: 0x00 to 0x1F 1832 * cis_id: 0x00 to 0xEF 1833 */ 1834 for (cis_id = 0x00; cis_id < 0xf0 && 1835 aux_num_cis < pdu->num_cis; cis_id++) { 1836 struct hci_cis_params *cis; 1837 1838 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, cig_id, cis_id); 1839 if (!conn) 1840 continue; 1841 1842 qos = &conn->iso_qos; 1843 1844 cis = &pdu->cis[aux_num_cis++]; 1845 cis->cis_id = cis_id; 1846 cis->c_sdu = cpu_to_le16(conn->iso_qos.ucast.out.sdu); 1847 cis->p_sdu = cpu_to_le16(conn->iso_qos.ucast.in.sdu); 1848 cis->c_phy = qos->ucast.out.phy ? qos->ucast.out.phy : 1849 qos->ucast.in.phy; 1850 cis->p_phy = qos->ucast.in.phy ? qos->ucast.in.phy : 1851 qos->ucast.out.phy; 1852 cis->c_rtn = qos->ucast.out.rtn; 1853 cis->p_rtn = qos->ucast.in.rtn; 1854 } 1855 pdu->num_cis = aux_num_cis; 1856 1857 if (!pdu->num_cis) 1858 return 0; 1859 1860 return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_CIG_PARAMS, 1861 struct_size(pdu, cis, pdu->num_cis), 1862 pdu, HCI_CMD_TIMEOUT); 1863 } 1864 1865 static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos) 1866 { 1867 struct hci_dev *hdev = conn->hdev; 1868 struct iso_list_data data; 1869 1870 memset(&data, 0, sizeof(data)); 1871 1872 /* Allocate first still reconfigurable CIG if not set */ 1873 if (qos->ucast.cig == BT_ISO_QOS_CIG_UNSET) { 1874 for (data.cig = 0x00; data.cig < 0xf0; data.cig++) { 1875 data.count = 0; 1876 1877 hci_conn_hash_list_state(hdev, find_cis, CIS_LINK, 1878 BT_CONNECT, &data); 1879 if (data.count) 1880 continue; 1881 1882 hci_conn_hash_list_state(hdev, find_cis, CIS_LINK, 1883 BT_CONNECTED, &data); 1884 if (!data.count) 1885 break; 1886 } 1887 1888 if (data.cig == 0xf0) 1889 return false; 1890 1891 /* Update CIG */ 1892 qos->ucast.cig = data.cig; 1893 } 1894 1895 if (qos->ucast.cis != BT_ISO_QOS_CIS_UNSET) { 1896 if (hci_conn_hash_lookup_cis(hdev, NULL, 0, qos->ucast.cig, 1897 qos->ucast.cis)) 1898 return false; 1899 goto done; 1900 } 1901 1902 /* Allocate first available CIS if not set */ 1903 for (data.cig = qos->ucast.cig, data.cis = 0x00; data.cis < 0xf0; 1904 data.cis++) { 1905 if (!hci_conn_hash_lookup_cis(hdev, NULL, 0, data.cig, 1906 data.cis)) { 1907 /* Update CIS */ 1908 qos->ucast.cis = data.cis; 1909 break; 1910 } 1911 } 1912 1913 if (qos->ucast.cis == BT_ISO_QOS_CIS_UNSET) 1914 return false; 1915 1916 done: 1917 if (hci_cmd_sync_queue(hdev, set_cig_params_sync, 1918 UINT_PTR(qos->ucast.cig), NULL) < 0) 1919 return false; 1920 1921 return true; 1922 } 1923 1924 struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst, 1925 __u8 dst_type, struct bt_iso_qos *qos, 1926 u16 timeout) 1927 { 1928 struct hci_conn *cis; 1929 1930 cis = hci_conn_hash_lookup_cis(hdev, dst, dst_type, qos->ucast.cig, 1931 qos->ucast.cis); 1932 if (!cis) { 1933 cis = hci_conn_add_unset(hdev, CIS_LINK, dst, 1934 HCI_ROLE_MASTER); 1935 if (IS_ERR(cis)) 1936 return cis; 1937 cis->cleanup = cis_cleanup; 1938 cis->dst_type = dst_type; 1939 cis->iso_qos.ucast.cig = BT_ISO_QOS_CIG_UNSET; 1940 cis->iso_qos.ucast.cis = BT_ISO_QOS_CIS_UNSET; 1941 cis->conn_timeout = timeout; 1942 } 1943 1944 if (cis->state == BT_CONNECTED) 1945 return cis; 1946 1947 /* Check if CIS has been set and the settings matches */ 1948 if (cis->state == BT_BOUND && 1949 !memcmp(&cis->iso_qos, qos, sizeof(*qos))) 1950 return cis; 1951 1952 /* Update LINK PHYs according to QoS preference */ 1953 cis->le_tx_phy = qos->ucast.out.phy; 1954 cis->le_rx_phy = qos->ucast.in.phy; 1955 1956 /* If output interval is not set use the input interval as it cannot be 1957 * 0x000000. 1958 */ 1959 if (!qos->ucast.out.interval) 1960 qos->ucast.out.interval = qos->ucast.in.interval; 1961 1962 /* If input interval is not set use the output interval as it cannot be 1963 * 0x000000. 1964 */ 1965 if (!qos->ucast.in.interval) 1966 qos->ucast.in.interval = qos->ucast.out.interval; 1967 1968 /* If output latency is not set use the input latency as it cannot be 1969 * 0x0000. 1970 */ 1971 if (!qos->ucast.out.latency) 1972 qos->ucast.out.latency = qos->ucast.in.latency; 1973 1974 /* If input latency is not set use the output latency as it cannot be 1975 * 0x0000. 1976 */ 1977 if (!qos->ucast.in.latency) 1978 qos->ucast.in.latency = qos->ucast.out.latency; 1979 1980 if (!hci_le_set_cig_params(cis, qos)) { 1981 hci_conn_drop(cis); 1982 return ERR_PTR(-EINVAL); 1983 } 1984 1985 hci_conn_hold(cis); 1986 1987 cis->iso_qos = *qos; 1988 cis->state = BT_BOUND; 1989 1990 return cis; 1991 } 1992 1993 bool hci_iso_setup_path(struct hci_conn *conn) 1994 { 1995 struct hci_dev *hdev = conn->hdev; 1996 struct hci_cp_le_setup_iso_path cmd; 1997 1998 memset(&cmd, 0, sizeof(cmd)); 1999 2000 if (conn->iso_qos.ucast.out.sdu) { 2001 cmd.handle = cpu_to_le16(conn->handle); 2002 cmd.direction = 0x00; /* Input (Host to Controller) */ 2003 cmd.path = 0x00; /* HCI path if enabled */ 2004 cmd.codec = 0x03; /* Transparent Data */ 2005 2006 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd), 2007 &cmd) < 0) 2008 return false; 2009 } 2010 2011 if (conn->iso_qos.ucast.in.sdu) { 2012 cmd.handle = cpu_to_le16(conn->handle); 2013 cmd.direction = 0x01; /* Output (Controller to Host) */ 2014 cmd.path = 0x00; /* HCI path if enabled */ 2015 cmd.codec = 0x03; /* Transparent Data */ 2016 2017 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd), 2018 &cmd) < 0) 2019 return false; 2020 } 2021 2022 return true; 2023 } 2024 2025 int hci_conn_check_create_cis(struct hci_conn *conn) 2026 { 2027 if (conn->type != CIS_LINK) 2028 return -EINVAL; 2029 2030 if (!conn->parent || conn->parent->state != BT_CONNECTED || 2031 conn->state != BT_CONNECT || HCI_CONN_HANDLE_UNSET(conn->handle)) 2032 return 1; 2033 2034 return 0; 2035 } 2036 2037 static int hci_create_cis_sync(struct hci_dev *hdev, void *data) 2038 { 2039 return hci_le_create_cis_sync(hdev); 2040 } 2041 2042 int hci_le_create_cis_pending(struct hci_dev *hdev) 2043 { 2044 struct hci_conn *conn; 2045 bool pending = false; 2046 2047 rcu_read_lock(); 2048 2049 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) { 2050 if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) { 2051 rcu_read_unlock(); 2052 return -EBUSY; 2053 } 2054 2055 if (!hci_conn_check_create_cis(conn)) 2056 pending = true; 2057 } 2058 2059 rcu_read_unlock(); 2060 2061 if (!pending) 2062 return 0; 2063 2064 /* Queue Create CIS */ 2065 return hci_cmd_sync_queue(hdev, hci_create_cis_sync, NULL, NULL); 2066 } 2067 2068 static void hci_iso_qos_setup(struct hci_dev *hdev, struct hci_conn *conn, 2069 struct bt_iso_io_qos *qos, __u8 phy) 2070 { 2071 /* Only set MTU if PHY is enabled */ 2072 if (!qos->sdu && qos->phy) 2073 qos->sdu = conn->mtu; 2074 2075 /* Use the same PHY as ACL if set to any */ 2076 if (qos->phy == BT_ISO_PHY_ANY) 2077 qos->phy = phy; 2078 2079 /* Use LE ACL connection interval if not set */ 2080 if (!qos->interval) 2081 /* ACL interval unit in 1.25 ms to us */ 2082 qos->interval = conn->le_conn_interval * 1250; 2083 2084 /* Use LE ACL connection latency if not set */ 2085 if (!qos->latency) 2086 qos->latency = conn->le_conn_latency; 2087 } 2088 2089 static int create_big_sync(struct hci_dev *hdev, void *data) 2090 { 2091 struct hci_conn *conn = data; 2092 struct bt_iso_qos *qos = &conn->iso_qos; 2093 u16 interval, sync_interval = 0; 2094 u32 flags = 0; 2095 int err; 2096 2097 if (qos->bcast.out.phy == 0x02) 2098 flags |= MGMT_ADV_FLAG_SEC_2M; 2099 2100 /* Align intervals */ 2101 interval = (qos->bcast.out.interval / 1250) * qos->bcast.sync_factor; 2102 2103 if (qos->bcast.bis) 2104 sync_interval = interval * 4; 2105 2106 err = hci_start_per_adv_sync(hdev, qos->bcast.bis, conn->sid, 2107 conn->le_per_adv_data_len, 2108 conn->le_per_adv_data, flags, interval, 2109 interval, sync_interval); 2110 if (err) 2111 return err; 2112 2113 return hci_le_create_big(conn, &conn->iso_qos); 2114 } 2115 2116 struct hci_conn *hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst, 2117 __u8 dst_type, __u8 sid, 2118 struct bt_iso_qos *qos) 2119 { 2120 struct hci_conn *conn; 2121 2122 bt_dev_dbg(hdev, "dst %pMR type %d sid %d", dst, dst_type, sid); 2123 2124 conn = hci_conn_add_unset(hdev, PA_LINK, dst, HCI_ROLE_SLAVE); 2125 if (IS_ERR(conn)) 2126 return conn; 2127 2128 conn->iso_qos = *qos; 2129 conn->dst_type = dst_type; 2130 conn->sid = sid; 2131 conn->state = BT_LISTEN; 2132 conn->conn_timeout = msecs_to_jiffies(qos->bcast.sync_timeout * 10); 2133 2134 hci_conn_hold(conn); 2135 2136 hci_connect_pa_sync(hdev, conn); 2137 2138 return conn; 2139 } 2140 2141 int hci_conn_big_create_sync(struct hci_dev *hdev, struct hci_conn *hcon, 2142 struct bt_iso_qos *qos, __u16 sync_handle, 2143 __u8 num_bis, __u8 bis[]) 2144 { 2145 int err; 2146 2147 if (num_bis < 0x01 || num_bis > ISO_MAX_NUM_BIS) 2148 return -EINVAL; 2149 2150 err = qos_set_big(hdev, qos); 2151 if (err) 2152 return err; 2153 2154 if (hcon) { 2155 /* Update hcon QoS */ 2156 hcon->iso_qos = *qos; 2157 2158 hcon->num_bis = num_bis; 2159 memcpy(hcon->bis, bis, num_bis); 2160 hcon->conn_timeout = msecs_to_jiffies(qos->bcast.timeout * 10); 2161 } 2162 2163 return hci_connect_big_sync(hdev, hcon); 2164 } 2165 2166 static void create_big_complete(struct hci_dev *hdev, void *data, int err) 2167 { 2168 struct hci_conn *conn = data; 2169 2170 bt_dev_dbg(hdev, "conn %p", conn); 2171 2172 if (err) { 2173 bt_dev_err(hdev, "Unable to create BIG: %d", err); 2174 hci_connect_cfm(conn, err); 2175 hci_conn_del(conn); 2176 } 2177 } 2178 2179 struct hci_conn *hci_bind_bis(struct hci_dev *hdev, bdaddr_t *dst, __u8 sid, 2180 struct bt_iso_qos *qos, 2181 __u8 base_len, __u8 *base, u16 timeout) 2182 { 2183 struct hci_conn *conn; 2184 struct hci_conn *parent; 2185 __u8 eir[HCI_MAX_PER_AD_LENGTH]; 2186 struct hci_link *link; 2187 2188 /* Look for any BIS that is open for rebinding */ 2189 conn = hci_conn_hash_lookup_big_state(hdev, qos->bcast.big, BT_OPEN, 2190 HCI_ROLE_MASTER); 2191 if (conn) { 2192 memcpy(qos, &conn->iso_qos, sizeof(*qos)); 2193 conn->state = BT_CONNECTED; 2194 return conn; 2195 } 2196 2197 if (base_len && base) 2198 base_len = eir_append_service_data(eir, 0, 0x1851, 2199 base, base_len); 2200 2201 /* We need hci_conn object using the BDADDR_ANY as dst */ 2202 conn = hci_add_bis(hdev, dst, sid, qos, base_len, eir, timeout); 2203 if (IS_ERR(conn)) 2204 return conn; 2205 2206 /* Update LINK PHYs according to QoS preference */ 2207 conn->le_tx_phy = qos->bcast.out.phy; 2208 conn->le_tx_phy = qos->bcast.out.phy; 2209 2210 /* Add Basic Announcement into Peridic Adv Data if BASE is set */ 2211 if (base_len && base) { 2212 memcpy(conn->le_per_adv_data, eir, sizeof(eir)); 2213 conn->le_per_adv_data_len = base_len; 2214 } 2215 2216 hci_iso_qos_setup(hdev, conn, &qos->bcast.out, 2217 conn->le_tx_phy ? conn->le_tx_phy : 2218 hdev->le_tx_def_phys); 2219 2220 conn->iso_qos = *qos; 2221 conn->state = BT_BOUND; 2222 2223 /* Link BISes together */ 2224 parent = hci_conn_hash_lookup_big(hdev, 2225 conn->iso_qos.bcast.big); 2226 if (parent && parent != conn) { 2227 link = hci_conn_link(parent, conn); 2228 hci_conn_drop(conn); 2229 if (!link) 2230 return ERR_PTR(-ENOLINK); 2231 } 2232 2233 return conn; 2234 } 2235 2236 static void bis_mark_per_adv(struct hci_conn *conn, void *data) 2237 { 2238 struct iso_list_data *d = data; 2239 2240 /* Skip if not broadcast/ANY address */ 2241 if (bacmp(&conn->dst, BDADDR_ANY)) 2242 return; 2243 2244 if (d->big != conn->iso_qos.bcast.big || 2245 d->bis == BT_ISO_QOS_BIS_UNSET || 2246 d->bis != conn->iso_qos.bcast.bis) 2247 return; 2248 2249 set_bit(HCI_CONN_PER_ADV, &conn->flags); 2250 } 2251 2252 struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst, 2253 __u8 dst_type, __u8 sid, 2254 struct bt_iso_qos *qos, 2255 __u8 base_len, __u8 *base, u16 timeout) 2256 { 2257 struct hci_conn *conn; 2258 int err; 2259 struct iso_list_data data; 2260 2261 conn = hci_bind_bis(hdev, dst, sid, qos, base_len, base, timeout); 2262 if (IS_ERR(conn)) 2263 return conn; 2264 2265 if (conn->state == BT_CONNECTED) 2266 return conn; 2267 2268 /* Check if SID needs to be allocated then search for the first 2269 * available. 2270 */ 2271 if (conn->sid == HCI_SID_INVALID) { 2272 u8 sid; 2273 2274 for (sid = 0; sid <= 0x0f; sid++) { 2275 if (!hci_find_adv_sid(hdev, sid)) { 2276 conn->sid = sid; 2277 break; 2278 } 2279 } 2280 } 2281 2282 data.big = qos->bcast.big; 2283 data.bis = qos->bcast.bis; 2284 2285 /* Set HCI_CONN_PER_ADV for all bound connections, to mark that 2286 * the start periodic advertising and create BIG commands have 2287 * been queued 2288 */ 2289 hci_conn_hash_list_state(hdev, bis_mark_per_adv, BIS_LINK, 2290 BT_BOUND, &data); 2291 2292 /* Queue start periodic advertising and create BIG */ 2293 err = hci_cmd_sync_queue(hdev, create_big_sync, conn, 2294 create_big_complete); 2295 if (err < 0) { 2296 hci_conn_drop(conn); 2297 return ERR_PTR(err); 2298 } 2299 2300 return conn; 2301 } 2302 2303 struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst, 2304 __u8 dst_type, struct bt_iso_qos *qos, 2305 u16 timeout) 2306 { 2307 struct hci_conn *le; 2308 struct hci_conn *cis; 2309 struct hci_link *link; 2310 2311 if (hci_dev_test_flag(hdev, HCI_ADVERTISING)) 2312 le = hci_connect_le(hdev, dst, dst_type, false, 2313 BT_SECURITY_LOW, 2314 HCI_LE_CONN_TIMEOUT, 2315 HCI_ROLE_SLAVE, 0, 0); 2316 else 2317 le = hci_connect_le_scan(hdev, dst, dst_type, 2318 BT_SECURITY_LOW, 2319 HCI_LE_CONN_TIMEOUT, 2320 CONN_REASON_ISO_CONNECT); 2321 if (IS_ERR(le)) 2322 return le; 2323 2324 hci_iso_qos_setup(hdev, le, &qos->ucast.out, 2325 le->le_tx_phy ? le->le_tx_phy : hdev->le_tx_def_phys); 2326 hci_iso_qos_setup(hdev, le, &qos->ucast.in, 2327 le->le_rx_phy ? le->le_rx_phy : hdev->le_rx_def_phys); 2328 2329 cis = hci_bind_cis(hdev, dst, dst_type, qos, timeout); 2330 if (IS_ERR(cis)) { 2331 hci_conn_drop(le); 2332 return cis; 2333 } 2334 2335 link = hci_conn_link(le, cis); 2336 hci_conn_drop(cis); 2337 if (!link) { 2338 hci_conn_drop(le); 2339 return ERR_PTR(-ENOLINK); 2340 } 2341 2342 cis->state = BT_CONNECT; 2343 2344 hci_le_create_cis_pending(hdev); 2345 2346 return cis; 2347 } 2348 2349 /* Check link security requirement */ 2350 int hci_conn_check_link_mode(struct hci_conn *conn) 2351 { 2352 BT_DBG("hcon %p", conn); 2353 2354 /* In Secure Connections Only mode, it is required that Secure 2355 * Connections is used and the link is encrypted with AES-CCM 2356 * using a P-256 authenticated combination key. 2357 */ 2358 if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) { 2359 if (!hci_conn_sc_enabled(conn) || 2360 !test_bit(HCI_CONN_AES_CCM, &conn->flags) || 2361 conn->key_type != HCI_LK_AUTH_COMBINATION_P256) 2362 return 0; 2363 } 2364 2365 /* AES encryption is required for Level 4: 2366 * 2367 * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C 2368 * page 1319: 2369 * 2370 * 128-bit equivalent strength for link and encryption keys 2371 * required using FIPS approved algorithms (E0 not allowed, 2372 * SAFER+ not allowed, and P-192 not allowed; encryption key 2373 * not shortened) 2374 */ 2375 if (conn->sec_level == BT_SECURITY_FIPS && 2376 !test_bit(HCI_CONN_AES_CCM, &conn->flags)) { 2377 bt_dev_err(conn->hdev, 2378 "Invalid security: Missing AES-CCM usage"); 2379 return 0; 2380 } 2381 2382 if (hci_conn_ssp_enabled(conn) && 2383 !test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2384 return 0; 2385 2386 return 1; 2387 } 2388 2389 /* Authenticate remote device */ 2390 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type) 2391 { 2392 BT_DBG("hcon %p", conn); 2393 2394 if (conn->pending_sec_level > sec_level) 2395 sec_level = conn->pending_sec_level; 2396 2397 if (sec_level > conn->sec_level) 2398 conn->pending_sec_level = sec_level; 2399 else if (test_bit(HCI_CONN_AUTH, &conn->flags)) 2400 return 1; 2401 2402 /* Make sure we preserve an existing MITM requirement*/ 2403 auth_type |= (conn->auth_type & 0x01); 2404 2405 conn->auth_type = auth_type; 2406 2407 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2408 struct hci_cp_auth_requested cp; 2409 2410 cp.handle = cpu_to_le16(conn->handle); 2411 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED, 2412 sizeof(cp), &cp); 2413 2414 /* Set the ENCRYPT_PEND to trigger encryption after 2415 * authentication. 2416 */ 2417 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2418 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2419 } 2420 2421 return 0; 2422 } 2423 2424 /* Encrypt the link */ 2425 static void hci_conn_encrypt(struct hci_conn *conn) 2426 { 2427 BT_DBG("hcon %p", conn); 2428 2429 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 2430 struct hci_cp_set_conn_encrypt cp; 2431 cp.handle = cpu_to_le16(conn->handle); 2432 cp.encrypt = 0x01; 2433 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2434 &cp); 2435 } 2436 } 2437 2438 /* Enable security */ 2439 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type, 2440 bool initiator) 2441 { 2442 BT_DBG("hcon %p", conn); 2443 2444 if (conn->type == LE_LINK) 2445 return smp_conn_security(conn, sec_level); 2446 2447 /* For sdp we don't need the link key. */ 2448 if (sec_level == BT_SECURITY_SDP) 2449 return 1; 2450 2451 /* For non 2.1 devices and low security level we don't need the link 2452 key. */ 2453 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn)) 2454 return 1; 2455 2456 /* For other security levels we need the link key. */ 2457 if (!test_bit(HCI_CONN_AUTH, &conn->flags)) 2458 goto auth; 2459 2460 switch (conn->key_type) { 2461 case HCI_LK_AUTH_COMBINATION_P256: 2462 /* An authenticated FIPS approved combination key has 2463 * sufficient security for security level 4 or lower. 2464 */ 2465 if (sec_level <= BT_SECURITY_FIPS) 2466 goto encrypt; 2467 break; 2468 case HCI_LK_AUTH_COMBINATION_P192: 2469 /* An authenticated combination key has sufficient security for 2470 * security level 3 or lower. 2471 */ 2472 if (sec_level <= BT_SECURITY_HIGH) 2473 goto encrypt; 2474 break; 2475 case HCI_LK_UNAUTH_COMBINATION_P192: 2476 case HCI_LK_UNAUTH_COMBINATION_P256: 2477 /* An unauthenticated combination key has sufficient security 2478 * for security level 2 or lower. 2479 */ 2480 if (sec_level <= BT_SECURITY_MEDIUM) 2481 goto encrypt; 2482 break; 2483 case HCI_LK_COMBINATION: 2484 /* A combination key has always sufficient security for the 2485 * security levels 2 or lower. High security level requires the 2486 * combination key is generated using maximum PIN code length 2487 * (16). For pre 2.1 units. 2488 */ 2489 if (sec_level <= BT_SECURITY_MEDIUM || conn->pin_length == 16) 2490 goto encrypt; 2491 break; 2492 default: 2493 break; 2494 } 2495 2496 auth: 2497 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) 2498 return 0; 2499 2500 if (initiator) 2501 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2502 2503 if (!hci_conn_auth(conn, sec_level, auth_type)) 2504 return 0; 2505 2506 encrypt: 2507 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) { 2508 /* Ensure that the encryption key size has been read, 2509 * otherwise stall the upper layer responses. 2510 */ 2511 if (!conn->enc_key_size) 2512 return 0; 2513 2514 /* Nothing else needed, all requirements are met */ 2515 return 1; 2516 } 2517 2518 hci_conn_encrypt(conn); 2519 return 0; 2520 } 2521 EXPORT_SYMBOL(hci_conn_security); 2522 2523 /* Check secure link requirement */ 2524 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level) 2525 { 2526 BT_DBG("hcon %p", conn); 2527 2528 /* Accept if non-secure or higher security level is required */ 2529 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS) 2530 return 1; 2531 2532 /* Accept if secure or higher security level is already present */ 2533 if (conn->sec_level == BT_SECURITY_HIGH || 2534 conn->sec_level == BT_SECURITY_FIPS) 2535 return 1; 2536 2537 /* Reject not secure link */ 2538 return 0; 2539 } 2540 EXPORT_SYMBOL(hci_conn_check_secure); 2541 2542 /* Switch role */ 2543 int hci_conn_switch_role(struct hci_conn *conn, __u8 role) 2544 { 2545 BT_DBG("hcon %p", conn); 2546 2547 if (role == conn->role) 2548 return 1; 2549 2550 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) { 2551 struct hci_cp_switch_role cp; 2552 bacpy(&cp.bdaddr, &conn->dst); 2553 cp.role = role; 2554 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp); 2555 } 2556 2557 return 0; 2558 } 2559 EXPORT_SYMBOL(hci_conn_switch_role); 2560 2561 /* Enter active mode */ 2562 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active) 2563 { 2564 struct hci_dev *hdev = conn->hdev; 2565 2566 BT_DBG("hcon %p mode %d", conn, conn->mode); 2567 2568 if (conn->mode != HCI_CM_SNIFF) 2569 goto timer; 2570 2571 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active) 2572 goto timer; 2573 2574 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) { 2575 struct hci_cp_exit_sniff_mode cp; 2576 cp.handle = cpu_to_le16(conn->handle); 2577 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp); 2578 } 2579 2580 timer: 2581 if (hdev->idle_timeout > 0) 2582 queue_delayed_work(hdev->workqueue, &conn->idle_work, 2583 msecs_to_jiffies(hdev->idle_timeout)); 2584 } 2585 2586 /* Drop all connection on the device */ 2587 void hci_conn_hash_flush(struct hci_dev *hdev) 2588 { 2589 struct list_head *head = &hdev->conn_hash.list; 2590 struct hci_conn *conn; 2591 2592 BT_DBG("hdev %s", hdev->name); 2593 2594 /* We should not traverse the list here, because hci_conn_del 2595 * can remove extra links, which may cause the list traversal 2596 * to hit items that have already been released. 2597 */ 2598 while ((conn = list_first_entry_or_null(head, 2599 struct hci_conn, 2600 list)) != NULL) { 2601 conn->state = BT_CLOSED; 2602 hci_disconn_cfm(conn, HCI_ERROR_LOCAL_HOST_TERM); 2603 hci_conn_del(conn); 2604 } 2605 } 2606 2607 static u32 get_link_mode(struct hci_conn *conn) 2608 { 2609 u32 link_mode = 0; 2610 2611 if (conn->role == HCI_ROLE_MASTER) 2612 link_mode |= HCI_LM_MASTER; 2613 2614 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2615 link_mode |= HCI_LM_ENCRYPT; 2616 2617 if (test_bit(HCI_CONN_AUTH, &conn->flags)) 2618 link_mode |= HCI_LM_AUTH; 2619 2620 if (test_bit(HCI_CONN_SECURE, &conn->flags)) 2621 link_mode |= HCI_LM_SECURE; 2622 2623 if (test_bit(HCI_CONN_FIPS, &conn->flags)) 2624 link_mode |= HCI_LM_FIPS; 2625 2626 return link_mode; 2627 } 2628 2629 int hci_get_conn_list(void __user *arg) 2630 { 2631 struct hci_conn *c; 2632 struct hci_conn_list_req req, *cl; 2633 struct hci_conn_info *ci; 2634 struct hci_dev *hdev; 2635 int n = 0, size, err; 2636 2637 if (copy_from_user(&req, arg, sizeof(req))) 2638 return -EFAULT; 2639 2640 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci)) 2641 return -EINVAL; 2642 2643 size = sizeof(req) + req.conn_num * sizeof(*ci); 2644 2645 cl = kmalloc(size, GFP_KERNEL); 2646 if (!cl) 2647 return -ENOMEM; 2648 2649 hdev = hci_dev_get(req.dev_id); 2650 if (!hdev) { 2651 kfree(cl); 2652 return -ENODEV; 2653 } 2654 2655 ci = cl->conn_info; 2656 2657 hci_dev_lock(hdev); 2658 list_for_each_entry(c, &hdev->conn_hash.list, list) { 2659 bacpy(&(ci + n)->bdaddr, &c->dst); 2660 (ci + n)->handle = c->handle; 2661 (ci + n)->type = c->type; 2662 (ci + n)->out = c->out; 2663 (ci + n)->state = c->state; 2664 (ci + n)->link_mode = get_link_mode(c); 2665 if (++n >= req.conn_num) 2666 break; 2667 } 2668 hci_dev_unlock(hdev); 2669 2670 cl->dev_id = hdev->id; 2671 cl->conn_num = n; 2672 size = sizeof(req) + n * sizeof(*ci); 2673 2674 hci_dev_put(hdev); 2675 2676 err = copy_to_user(arg, cl, size); 2677 kfree(cl); 2678 2679 return err ? -EFAULT : 0; 2680 } 2681 2682 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg) 2683 { 2684 struct hci_conn_info_req req; 2685 struct hci_conn_info ci; 2686 struct hci_conn *conn; 2687 char __user *ptr = arg + sizeof(req); 2688 2689 if (copy_from_user(&req, arg, sizeof(req))) 2690 return -EFAULT; 2691 2692 hci_dev_lock(hdev); 2693 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr); 2694 if (conn) { 2695 bacpy(&ci.bdaddr, &conn->dst); 2696 ci.handle = conn->handle; 2697 ci.type = conn->type; 2698 ci.out = conn->out; 2699 ci.state = conn->state; 2700 ci.link_mode = get_link_mode(conn); 2701 } 2702 hci_dev_unlock(hdev); 2703 2704 if (!conn) 2705 return -ENOENT; 2706 2707 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0; 2708 } 2709 2710 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg) 2711 { 2712 struct hci_auth_info_req req; 2713 struct hci_conn *conn; 2714 2715 if (copy_from_user(&req, arg, sizeof(req))) 2716 return -EFAULT; 2717 2718 hci_dev_lock(hdev); 2719 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr); 2720 if (conn) 2721 req.type = conn->auth_type; 2722 hci_dev_unlock(hdev); 2723 2724 if (!conn) 2725 return -ENOENT; 2726 2727 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0; 2728 } 2729 2730 struct hci_chan *hci_chan_create(struct hci_conn *conn) 2731 { 2732 struct hci_dev *hdev = conn->hdev; 2733 struct hci_chan *chan; 2734 2735 BT_DBG("%s hcon %p", hdev->name, conn); 2736 2737 if (test_bit(HCI_CONN_DROP, &conn->flags)) { 2738 BT_DBG("Refusing to create new hci_chan"); 2739 return NULL; 2740 } 2741 2742 chan = kzalloc(sizeof(*chan), GFP_KERNEL); 2743 if (!chan) 2744 return NULL; 2745 2746 chan->conn = hci_conn_get(conn); 2747 skb_queue_head_init(&chan->data_q); 2748 chan->state = BT_CONNECTED; 2749 2750 list_add_rcu(&chan->list, &conn->chan_list); 2751 2752 return chan; 2753 } 2754 2755 void hci_chan_del(struct hci_chan *chan) 2756 { 2757 struct hci_conn *conn = chan->conn; 2758 struct hci_dev *hdev = conn->hdev; 2759 2760 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan); 2761 2762 list_del_rcu(&chan->list); 2763 2764 synchronize_rcu(); 2765 2766 /* Prevent new hci_chan's to be created for this hci_conn */ 2767 set_bit(HCI_CONN_DROP, &conn->flags); 2768 2769 hci_conn_put(conn); 2770 2771 skb_queue_purge(&chan->data_q); 2772 kfree(chan); 2773 } 2774 2775 void hci_chan_list_flush(struct hci_conn *conn) 2776 { 2777 struct hci_chan *chan, *n; 2778 2779 BT_DBG("hcon %p", conn); 2780 2781 list_for_each_entry_safe(chan, n, &conn->chan_list, list) 2782 hci_chan_del(chan); 2783 } 2784 2785 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon, 2786 __u16 handle) 2787 { 2788 struct hci_chan *hchan; 2789 2790 list_for_each_entry(hchan, &hcon->chan_list, list) { 2791 if (hchan->handle == handle) 2792 return hchan; 2793 } 2794 2795 return NULL; 2796 } 2797 2798 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle) 2799 { 2800 struct hci_conn_hash *h = &hdev->conn_hash; 2801 struct hci_conn *hcon; 2802 struct hci_chan *hchan = NULL; 2803 2804 rcu_read_lock(); 2805 2806 list_for_each_entry_rcu(hcon, &h->list, list) { 2807 hchan = __hci_chan_lookup_handle(hcon, handle); 2808 if (hchan) 2809 break; 2810 } 2811 2812 rcu_read_unlock(); 2813 2814 return hchan; 2815 } 2816 2817 u32 hci_conn_get_phy(struct hci_conn *conn) 2818 { 2819 u32 phys = 0; 2820 2821 /* BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part B page 471: 2822 * Table 6.2: Packets defined for synchronous, asynchronous, and 2823 * CPB logical transport types. 2824 */ 2825 switch (conn->type) { 2826 case SCO_LINK: 2827 /* SCO logical transport (1 Mb/s): 2828 * HV1, HV2, HV3 and DV. 2829 */ 2830 phys |= BT_PHY_BR_1M_1SLOT; 2831 2832 break; 2833 2834 case ACL_LINK: 2835 /* ACL logical transport (1 Mb/s) ptt=0: 2836 * DH1, DM3, DH3, DM5 and DH5. 2837 */ 2838 phys |= BT_PHY_BR_1M_1SLOT; 2839 2840 if (conn->pkt_type & (HCI_DM3 | HCI_DH3)) 2841 phys |= BT_PHY_BR_1M_3SLOT; 2842 2843 if (conn->pkt_type & (HCI_DM5 | HCI_DH5)) 2844 phys |= BT_PHY_BR_1M_5SLOT; 2845 2846 /* ACL logical transport (2 Mb/s) ptt=1: 2847 * 2-DH1, 2-DH3 and 2-DH5. 2848 */ 2849 if (!(conn->pkt_type & HCI_2DH1)) 2850 phys |= BT_PHY_EDR_2M_1SLOT; 2851 2852 if (!(conn->pkt_type & HCI_2DH3)) 2853 phys |= BT_PHY_EDR_2M_3SLOT; 2854 2855 if (!(conn->pkt_type & HCI_2DH5)) 2856 phys |= BT_PHY_EDR_2M_5SLOT; 2857 2858 /* ACL logical transport (3 Mb/s) ptt=1: 2859 * 3-DH1, 3-DH3 and 3-DH5. 2860 */ 2861 if (!(conn->pkt_type & HCI_3DH1)) 2862 phys |= BT_PHY_EDR_3M_1SLOT; 2863 2864 if (!(conn->pkt_type & HCI_3DH3)) 2865 phys |= BT_PHY_EDR_3M_3SLOT; 2866 2867 if (!(conn->pkt_type & HCI_3DH5)) 2868 phys |= BT_PHY_EDR_3M_5SLOT; 2869 2870 break; 2871 2872 case ESCO_LINK: 2873 /* eSCO logical transport (1 Mb/s): EV3, EV4 and EV5 */ 2874 phys |= BT_PHY_BR_1M_1SLOT; 2875 2876 if (!(conn->pkt_type & (ESCO_EV4 | ESCO_EV5))) 2877 phys |= BT_PHY_BR_1M_3SLOT; 2878 2879 /* eSCO logical transport (2 Mb/s): 2-EV3, 2-EV5 */ 2880 if (!(conn->pkt_type & ESCO_2EV3)) 2881 phys |= BT_PHY_EDR_2M_1SLOT; 2882 2883 if (!(conn->pkt_type & ESCO_2EV5)) 2884 phys |= BT_PHY_EDR_2M_3SLOT; 2885 2886 /* eSCO logical transport (3 Mb/s): 3-EV3, 3-EV5 */ 2887 if (!(conn->pkt_type & ESCO_3EV3)) 2888 phys |= BT_PHY_EDR_3M_1SLOT; 2889 2890 if (!(conn->pkt_type & ESCO_3EV5)) 2891 phys |= BT_PHY_EDR_3M_3SLOT; 2892 2893 break; 2894 2895 case LE_LINK: 2896 if (conn->le_tx_phy & HCI_LE_SET_PHY_1M) 2897 phys |= BT_PHY_LE_1M_TX; 2898 2899 if (conn->le_rx_phy & HCI_LE_SET_PHY_1M) 2900 phys |= BT_PHY_LE_1M_RX; 2901 2902 if (conn->le_tx_phy & HCI_LE_SET_PHY_2M) 2903 phys |= BT_PHY_LE_2M_TX; 2904 2905 if (conn->le_rx_phy & HCI_LE_SET_PHY_2M) 2906 phys |= BT_PHY_LE_2M_RX; 2907 2908 if (conn->le_tx_phy & HCI_LE_SET_PHY_CODED) 2909 phys |= BT_PHY_LE_CODED_TX; 2910 2911 if (conn->le_rx_phy & HCI_LE_SET_PHY_CODED) 2912 phys |= BT_PHY_LE_CODED_RX; 2913 2914 break; 2915 } 2916 2917 return phys; 2918 } 2919 2920 static int abort_conn_sync(struct hci_dev *hdev, void *data) 2921 { 2922 struct hci_conn *conn = data; 2923 2924 if (!hci_conn_valid(hdev, conn)) 2925 return -ECANCELED; 2926 2927 return hci_abort_conn_sync(hdev, conn, conn->abort_reason); 2928 } 2929 2930 int hci_abort_conn(struct hci_conn *conn, u8 reason) 2931 { 2932 struct hci_dev *hdev = conn->hdev; 2933 2934 /* If abort_reason has already been set it means the connection is 2935 * already being aborted so don't attempt to overwrite it. 2936 */ 2937 if (conn->abort_reason) 2938 return 0; 2939 2940 bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason); 2941 2942 conn->abort_reason = reason; 2943 2944 /* If the connection is pending check the command opcode since that 2945 * might be blocking on hci_cmd_sync_work while waiting its respective 2946 * event so we need to hci_cmd_sync_cancel to cancel it. 2947 * 2948 * hci_connect_le serializes the connection attempts so only one 2949 * connection can be in BT_CONNECT at time. 2950 */ 2951 if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) { 2952 switch (hci_skb_event(hdev->sent_cmd)) { 2953 case HCI_EV_CONN_COMPLETE: 2954 case HCI_EV_LE_CONN_COMPLETE: 2955 case HCI_EV_LE_ENHANCED_CONN_COMPLETE: 2956 case HCI_EVT_LE_CIS_ESTABLISHED: 2957 hci_cmd_sync_cancel(hdev, ECANCELED); 2958 break; 2959 } 2960 /* Cancel connect attempt if still queued/pending */ 2961 } else if (!hci_cancel_connect_sync(hdev, conn)) { 2962 return 0; 2963 } 2964 2965 /* Run immediately if on cmd_sync_work since this may be called 2966 * as a result to MGMT_OP_DISCONNECT/MGMT_OP_UNPAIR which does 2967 * already queue its callback on cmd_sync_work. 2968 */ 2969 return hci_cmd_sync_run_once(hdev, abort_conn_sync, conn, NULL); 2970 } 2971 2972 void hci_setup_tx_timestamp(struct sk_buff *skb, size_t key_offset, 2973 const struct sockcm_cookie *sockc) 2974 { 2975 struct sock *sk = skb ? skb->sk : NULL; 2976 int key; 2977 2978 /* This shall be called on a single skb of those generated by user 2979 * sendmsg(), and only when the sendmsg() does not return error to 2980 * user. This is required for keeping the tskey that increments here in 2981 * sync with possible sendmsg() counting by user. 2982 * 2983 * Stream sockets shall set key_offset to sendmsg() length in bytes 2984 * and call with the last fragment, others to 1 and first fragment. 2985 */ 2986 2987 if (!skb || !sockc || !sk || !key_offset) 2988 return; 2989 2990 sock_tx_timestamp(sk, sockc, &skb_shinfo(skb)->tx_flags); 2991 2992 if (sk->sk_type == SOCK_STREAM) 2993 key = atomic_add_return(key_offset, &sk->sk_tskey); 2994 2995 if (sockc->tsflags & SOF_TIMESTAMPING_OPT_ID && 2996 sockc->tsflags & SOF_TIMESTAMPING_TX_RECORD_MASK) { 2997 if (sockc->tsflags & SOCKCM_FLAG_TS_OPT_ID) { 2998 skb_shinfo(skb)->tskey = sockc->ts_opt_id; 2999 } else { 3000 if (sk->sk_type != SOCK_STREAM) 3001 key = atomic_inc_return(&sk->sk_tskey); 3002 skb_shinfo(skb)->tskey = key - 1; 3003 } 3004 } 3005 } 3006 3007 void hci_conn_tx_queue(struct hci_conn *conn, struct sk_buff *skb) 3008 { 3009 struct tx_queue *comp = &conn->tx_q; 3010 bool track = false; 3011 3012 /* Emit SND now, ie. just before sending to driver */ 3013 if (skb_shinfo(skb)->tx_flags & SKBTX_SW_TSTAMP) 3014 __skb_tstamp_tx(skb, NULL, NULL, skb->sk, SCM_TSTAMP_SND); 3015 3016 /* COMPLETION tstamp is emitted for tracked skb later in Number of 3017 * Completed Packets event. Available only for flow controlled cases. 3018 * 3019 * TODO: SCO support without flowctl (needs to be done in drivers) 3020 */ 3021 switch (conn->type) { 3022 case CIS_LINK: 3023 case BIS_LINK: 3024 case PA_LINK: 3025 case ACL_LINK: 3026 case LE_LINK: 3027 break; 3028 case SCO_LINK: 3029 case ESCO_LINK: 3030 if (!hci_dev_test_flag(conn->hdev, HCI_SCO_FLOWCTL)) 3031 return; 3032 break; 3033 default: 3034 return; 3035 } 3036 3037 if (skb->sk && (skb_shinfo(skb)->tx_flags & SKBTX_COMPLETION_TSTAMP)) 3038 track = true; 3039 3040 /* If nothing is tracked, just count extra skbs at the queue head */ 3041 if (!track && !comp->tracked) { 3042 comp->extra++; 3043 return; 3044 } 3045 3046 if (track) { 3047 skb = skb_clone_sk(skb); 3048 if (!skb) 3049 goto count_only; 3050 3051 comp->tracked++; 3052 } else { 3053 skb = skb_clone(skb, GFP_KERNEL); 3054 if (!skb) 3055 goto count_only; 3056 } 3057 3058 skb_queue_tail(&comp->queue, skb); 3059 return; 3060 3061 count_only: 3062 /* Stop tracking skbs, and only count. This will not emit timestamps for 3063 * the packets, but if we get here something is more seriously wrong. 3064 */ 3065 comp->tracked = 0; 3066 comp->extra += skb_queue_len(&comp->queue) + 1; 3067 skb_queue_purge(&comp->queue); 3068 } 3069 3070 void hci_conn_tx_dequeue(struct hci_conn *conn) 3071 { 3072 struct tx_queue *comp = &conn->tx_q; 3073 struct sk_buff *skb; 3074 3075 /* If there are tracked skbs, the counted extra go before dequeuing real 3076 * skbs, to keep ordering. When nothing is tracked, the ordering doesn't 3077 * matter so dequeue real skbs first to get rid of them ASAP. 3078 */ 3079 if (comp->extra && (comp->tracked || skb_queue_empty(&comp->queue))) { 3080 comp->extra--; 3081 return; 3082 } 3083 3084 skb = skb_dequeue(&comp->queue); 3085 if (!skb) 3086 return; 3087 3088 if (skb->sk) { 3089 comp->tracked--; 3090 __skb_tstamp_tx(skb, NULL, NULL, skb->sk, 3091 SCM_TSTAMP_COMPLETION); 3092 } 3093 3094 kfree_skb(skb); 3095 } 3096 3097 u8 *hci_conn_key_enc_size(struct hci_conn *conn) 3098 { 3099 if (conn->type == ACL_LINK) { 3100 struct link_key *key; 3101 3102 key = hci_find_link_key(conn->hdev, &conn->dst); 3103 if (!key) 3104 return NULL; 3105 3106 return &key->pin_len; 3107 } else if (conn->type == LE_LINK) { 3108 struct smp_ltk *ltk; 3109 3110 ltk = hci_find_ltk(conn->hdev, &conn->dst, conn->dst_type, 3111 conn->role); 3112 if (!ltk) 3113 return NULL; 3114 3115 return <k->enc_size; 3116 } 3117 3118 return NULL; 3119 } 3120 3121 int hci_ethtool_ts_info(unsigned int index, int sk_proto, 3122 struct kernel_ethtool_ts_info *info) 3123 { 3124 struct hci_dev *hdev; 3125 3126 hdev = hci_dev_get(index); 3127 if (!hdev) 3128 return -ENODEV; 3129 3130 info->so_timestamping = 3131 SOF_TIMESTAMPING_RX_SOFTWARE | 3132 SOF_TIMESTAMPING_SOFTWARE; 3133 info->phc_index = -1; 3134 info->tx_types = BIT(HWTSTAMP_TX_OFF); 3135 info->rx_filters = BIT(HWTSTAMP_FILTER_NONE); 3136 3137 switch (sk_proto) { 3138 case BTPROTO_ISO: 3139 case BTPROTO_L2CAP: 3140 info->so_timestamping |= SOF_TIMESTAMPING_TX_SOFTWARE; 3141 info->so_timestamping |= SOF_TIMESTAMPING_TX_COMPLETION; 3142 break; 3143 case BTPROTO_SCO: 3144 info->so_timestamping |= SOF_TIMESTAMPING_TX_SOFTWARE; 3145 if (hci_dev_test_flag(hdev, HCI_SCO_FLOWCTL)) 3146 info->so_timestamping |= SOF_TIMESTAMPING_TX_COMPLETION; 3147 break; 3148 } 3149 3150 hci_dev_put(hdev); 3151 return 0; 3152 } 3153