1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4 Copyright 2023-2024 NXP
5
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
11
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
24 */
25
26 /* Bluetooth HCI connection handling. */
27
28 #include <linux/export.h>
29 #include <linux/debugfs.h>
30 #include <linux/errqueue.h>
31
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/l2cap.h>
35 #include <net/bluetooth/iso.h>
36 #include <net/bluetooth/mgmt.h>
37
38 #include "smp.h"
39 #include "eir.h"
40
41 struct sco_param {
42 u16 pkt_type;
43 u16 max_latency;
44 u8 retrans_effort;
45 };
46
47 struct conn_handle_t {
48 struct hci_conn *conn;
49 __u16 handle;
50 };
51
52 static const struct sco_param esco_param_cvsd[] = {
53 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */
54 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */
55 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */
56 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */
57 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */
58 };
59
60 static const struct sco_param sco_param_cvsd[] = {
61 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */
62 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */
63 };
64
65 static const struct sco_param esco_param_msbc[] = {
66 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */
67 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */
68 };
69
70 /* This function requires the caller holds hdev->lock */
hci_connect_le_scan_cleanup(struct hci_conn * conn,u8 status)71 void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
72 {
73 struct hci_conn_params *params;
74 struct hci_dev *hdev = conn->hdev;
75 struct smp_irk *irk;
76 bdaddr_t *bdaddr;
77 u8 bdaddr_type;
78
79 bdaddr = &conn->dst;
80 bdaddr_type = conn->dst_type;
81
82 /* Check if we need to convert to identity address */
83 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
84 if (irk) {
85 bdaddr = &irk->bdaddr;
86 bdaddr_type = irk->addr_type;
87 }
88
89 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr,
90 bdaddr_type);
91 if (!params)
92 return;
93
94 if (params->conn) {
95 hci_conn_drop(params->conn);
96 hci_conn_put(params->conn);
97 params->conn = NULL;
98 }
99
100 if (!params->explicit_connect)
101 return;
102
103 /* If the status indicates successful cancellation of
104 * the attempt (i.e. Unknown Connection Id) there's no point of
105 * notifying failure since we'll go back to keep trying to
106 * connect. The only exception is explicit connect requests
107 * where a timeout + cancel does indicate an actual failure.
108 */
109 if (status && status != HCI_ERROR_UNKNOWN_CONN_ID)
110 mgmt_connect_failed(hdev, conn, status);
111
112 /* The connection attempt was doing scan for new RPA, and is
113 * in scan phase. If params are not associated with any other
114 * autoconnect action, remove them completely. If they are, just unmark
115 * them as waiting for connection, by clearing explicit_connect field.
116 */
117 params->explicit_connect = false;
118
119 hci_pend_le_list_del_init(params);
120
121 switch (params->auto_connect) {
122 case HCI_AUTO_CONN_EXPLICIT:
123 hci_conn_params_del(hdev, bdaddr, bdaddr_type);
124 /* return instead of break to avoid duplicate scan update */
125 return;
126 case HCI_AUTO_CONN_DIRECT:
127 case HCI_AUTO_CONN_ALWAYS:
128 hci_pend_le_list_add(params, &hdev->pend_le_conns);
129 break;
130 case HCI_AUTO_CONN_REPORT:
131 hci_pend_le_list_add(params, &hdev->pend_le_reports);
132 break;
133 default:
134 break;
135 }
136
137 hci_update_passive_scan(hdev);
138 }
139
hci_conn_cleanup(struct hci_conn * conn)140 static void hci_conn_cleanup(struct hci_conn *conn)
141 {
142 struct hci_dev *hdev = conn->hdev;
143
144 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
145 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);
146
147 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
148 hci_remove_link_key(hdev, &conn->dst);
149
150 hci_chan_list_flush(conn);
151
152 hci_conn_hash_del(hdev, conn);
153
154 if (HCI_CONN_HANDLE_UNSET(conn->handle))
155 ida_free(&hdev->unset_handle_ida, conn->handle);
156
157 if (conn->cleanup)
158 conn->cleanup(conn);
159
160 if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
161 switch (conn->setting & SCO_AIRMODE_MASK) {
162 case SCO_AIRMODE_CVSD:
163 case SCO_AIRMODE_TRANSP:
164 if (hdev->notify)
165 hdev->notify(hdev, HCI_NOTIFY_DISABLE_SCO);
166 break;
167 }
168 } else {
169 if (hdev->notify)
170 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
171 }
172
173 debugfs_remove_recursive(conn->debugfs);
174
175 hci_conn_del_sysfs(conn);
176
177 hci_dev_put(hdev);
178 }
179
hci_disconnect(struct hci_conn * conn,__u8 reason)180 int hci_disconnect(struct hci_conn *conn, __u8 reason)
181 {
182 BT_DBG("hcon %p", conn);
183
184 /* When we are central of an established connection and it enters
185 * the disconnect timeout, then go ahead and try to read the
186 * current clock offset. Processing of the result is done
187 * within the event handling and hci_clock_offset_evt function.
188 */
189 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER &&
190 (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) {
191 struct hci_dev *hdev = conn->hdev;
192 struct hci_cp_read_clock_offset clkoff_cp;
193
194 clkoff_cp.handle = cpu_to_le16(conn->handle);
195 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp),
196 &clkoff_cp);
197 }
198
199 return hci_abort_conn(conn, reason);
200 }
201
hci_add_sco(struct hci_conn * conn,__u16 handle)202 static void hci_add_sco(struct hci_conn *conn, __u16 handle)
203 {
204 struct hci_dev *hdev = conn->hdev;
205 struct hci_cp_add_sco cp;
206
207 BT_DBG("hcon %p", conn);
208
209 conn->state = BT_CONNECT;
210 conn->out = true;
211
212 conn->attempt++;
213
214 cp.handle = cpu_to_le16(handle);
215 cp.pkt_type = cpu_to_le16(conn->pkt_type);
216
217 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
218 }
219
find_next_esco_param(struct hci_conn * conn,const struct sco_param * esco_param,int size)220 static bool find_next_esco_param(struct hci_conn *conn,
221 const struct sco_param *esco_param, int size)
222 {
223 if (!conn->parent)
224 return false;
225
226 for (; conn->attempt <= size; conn->attempt++) {
227 if (lmp_esco_2m_capable(conn->parent) ||
228 (esco_param[conn->attempt - 1].pkt_type & ESCO_2EV3))
229 break;
230 BT_DBG("hcon %p skipped attempt %d, eSCO 2M not supported",
231 conn, conn->attempt);
232 }
233
234 return conn->attempt <= size;
235 }
236
configure_datapath_sync(struct hci_dev * hdev,struct bt_codec * codec)237 static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec)
238 {
239 int err;
240 __u8 vnd_len, *vnd_data = NULL;
241 struct hci_op_configure_data_path *cmd = NULL;
242
243 /* Do not take below 2 checks as error since the 1st means user do not
244 * want to use HFP offload mode and the 2nd means the vendor controller
245 * do not need to send below HCI command for offload mode.
246 */
247 if (!codec->data_path || !hdev->get_codec_config_data)
248 return 0;
249
250 err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len,
251 &vnd_data);
252 if (err < 0)
253 goto error;
254
255 cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL);
256 if (!cmd) {
257 err = -ENOMEM;
258 goto error;
259 }
260
261 err = hdev->get_data_path_id(hdev, &cmd->data_path_id);
262 if (err < 0)
263 goto error;
264
265 cmd->vnd_len = vnd_len;
266 memcpy(cmd->vnd_data, vnd_data, vnd_len);
267
268 cmd->direction = 0x00;
269 __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
270 sizeof(*cmd) + vnd_len, cmd, HCI_CMD_TIMEOUT);
271
272 cmd->direction = 0x01;
273 err = __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
274 sizeof(*cmd) + vnd_len, cmd,
275 HCI_CMD_TIMEOUT);
276 error:
277
278 kfree(cmd);
279 kfree(vnd_data);
280 return err;
281 }
282
hci_enhanced_setup_sync(struct hci_dev * hdev,void * data)283 static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data)
284 {
285 struct conn_handle_t *conn_handle = data;
286 struct hci_conn *conn = conn_handle->conn;
287 __u16 handle = conn_handle->handle;
288 struct hci_cp_enhanced_setup_sync_conn cp;
289 const struct sco_param *param;
290
291 kfree(conn_handle);
292
293 if (!hci_conn_valid(hdev, conn))
294 return -ECANCELED;
295
296 bt_dev_dbg(hdev, "hcon %p", conn);
297
298 configure_datapath_sync(hdev, &conn->codec);
299
300 conn->state = BT_CONNECT;
301 conn->out = true;
302
303 conn->attempt++;
304
305 memset(&cp, 0x00, sizeof(cp));
306
307 cp.handle = cpu_to_le16(handle);
308
309 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
310 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
311
312 switch (conn->codec.id) {
313 case BT_CODEC_MSBC:
314 if (!find_next_esco_param(conn, esco_param_msbc,
315 ARRAY_SIZE(esco_param_msbc)))
316 return -EINVAL;
317
318 param = &esco_param_msbc[conn->attempt - 1];
319 cp.tx_coding_format.id = 0x05;
320 cp.rx_coding_format.id = 0x05;
321 cp.tx_codec_frame_size = __cpu_to_le16(60);
322 cp.rx_codec_frame_size = __cpu_to_le16(60);
323 cp.in_bandwidth = __cpu_to_le32(32000);
324 cp.out_bandwidth = __cpu_to_le32(32000);
325 cp.in_coding_format.id = 0x04;
326 cp.out_coding_format.id = 0x04;
327 cp.in_coded_data_size = __cpu_to_le16(16);
328 cp.out_coded_data_size = __cpu_to_le16(16);
329 cp.in_pcm_data_format = 2;
330 cp.out_pcm_data_format = 2;
331 cp.in_pcm_sample_payload_msb_pos = 0;
332 cp.out_pcm_sample_payload_msb_pos = 0;
333 cp.in_data_path = conn->codec.data_path;
334 cp.out_data_path = conn->codec.data_path;
335 cp.in_transport_unit_size = 1;
336 cp.out_transport_unit_size = 1;
337 break;
338
339 case BT_CODEC_TRANSPARENT:
340 if (!find_next_esco_param(conn, esco_param_msbc,
341 ARRAY_SIZE(esco_param_msbc)))
342 return false;
343 param = &esco_param_msbc[conn->attempt - 1];
344 cp.tx_coding_format.id = 0x03;
345 cp.rx_coding_format.id = 0x03;
346 cp.tx_codec_frame_size = __cpu_to_le16(60);
347 cp.rx_codec_frame_size = __cpu_to_le16(60);
348 cp.in_bandwidth = __cpu_to_le32(0x1f40);
349 cp.out_bandwidth = __cpu_to_le32(0x1f40);
350 cp.in_coding_format.id = 0x03;
351 cp.out_coding_format.id = 0x03;
352 cp.in_coded_data_size = __cpu_to_le16(16);
353 cp.out_coded_data_size = __cpu_to_le16(16);
354 cp.in_pcm_data_format = 2;
355 cp.out_pcm_data_format = 2;
356 cp.in_pcm_sample_payload_msb_pos = 0;
357 cp.out_pcm_sample_payload_msb_pos = 0;
358 cp.in_data_path = conn->codec.data_path;
359 cp.out_data_path = conn->codec.data_path;
360 cp.in_transport_unit_size = 1;
361 cp.out_transport_unit_size = 1;
362 break;
363
364 case BT_CODEC_CVSD:
365 if (conn->parent && lmp_esco_capable(conn->parent)) {
366 if (!find_next_esco_param(conn, esco_param_cvsd,
367 ARRAY_SIZE(esco_param_cvsd)))
368 return -EINVAL;
369 param = &esco_param_cvsd[conn->attempt - 1];
370 } else {
371 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
372 return -EINVAL;
373 param = &sco_param_cvsd[conn->attempt - 1];
374 }
375 cp.tx_coding_format.id = 2;
376 cp.rx_coding_format.id = 2;
377 cp.tx_codec_frame_size = __cpu_to_le16(60);
378 cp.rx_codec_frame_size = __cpu_to_le16(60);
379 cp.in_bandwidth = __cpu_to_le32(16000);
380 cp.out_bandwidth = __cpu_to_le32(16000);
381 cp.in_coding_format.id = 4;
382 cp.out_coding_format.id = 4;
383 cp.in_coded_data_size = __cpu_to_le16(16);
384 cp.out_coded_data_size = __cpu_to_le16(16);
385 cp.in_pcm_data_format = 2;
386 cp.out_pcm_data_format = 2;
387 cp.in_pcm_sample_payload_msb_pos = 0;
388 cp.out_pcm_sample_payload_msb_pos = 0;
389 cp.in_data_path = conn->codec.data_path;
390 cp.out_data_path = conn->codec.data_path;
391 cp.in_transport_unit_size = 16;
392 cp.out_transport_unit_size = 16;
393 break;
394 default:
395 return -EINVAL;
396 }
397
398 cp.retrans_effort = param->retrans_effort;
399 cp.pkt_type = __cpu_to_le16(param->pkt_type);
400 cp.max_latency = __cpu_to_le16(param->max_latency);
401
402 if (hci_send_cmd(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
403 return -EIO;
404
405 return 0;
406 }
407
hci_setup_sync_conn(struct hci_conn * conn,__u16 handle)408 static bool hci_setup_sync_conn(struct hci_conn *conn, __u16 handle)
409 {
410 struct hci_dev *hdev = conn->hdev;
411 struct hci_cp_setup_sync_conn cp;
412 const struct sco_param *param;
413
414 bt_dev_dbg(hdev, "hcon %p", conn);
415
416 conn->state = BT_CONNECT;
417 conn->out = true;
418
419 conn->attempt++;
420
421 cp.handle = cpu_to_le16(handle);
422
423 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
424 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
425 cp.voice_setting = cpu_to_le16(conn->setting);
426
427 switch (conn->setting & SCO_AIRMODE_MASK) {
428 case SCO_AIRMODE_TRANSP:
429 if (!find_next_esco_param(conn, esco_param_msbc,
430 ARRAY_SIZE(esco_param_msbc)))
431 return false;
432 param = &esco_param_msbc[conn->attempt - 1];
433 break;
434 case SCO_AIRMODE_CVSD:
435 if (conn->parent && lmp_esco_capable(conn->parent)) {
436 if (!find_next_esco_param(conn, esco_param_cvsd,
437 ARRAY_SIZE(esco_param_cvsd)))
438 return false;
439 param = &esco_param_cvsd[conn->attempt - 1];
440 } else {
441 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
442 return false;
443 param = &sco_param_cvsd[conn->attempt - 1];
444 }
445 break;
446 default:
447 return false;
448 }
449
450 cp.retrans_effort = param->retrans_effort;
451 cp.pkt_type = __cpu_to_le16(param->pkt_type);
452 cp.max_latency = __cpu_to_le16(param->max_latency);
453
454 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
455 return false;
456
457 return true;
458 }
459
hci_setup_sync(struct hci_conn * conn,__u16 handle)460 bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
461 {
462 int result;
463 struct conn_handle_t *conn_handle;
464
465 if (enhanced_sync_conn_capable(conn->hdev)) {
466 conn_handle = kzalloc(sizeof(*conn_handle), GFP_KERNEL);
467
468 if (!conn_handle)
469 return false;
470
471 conn_handle->conn = conn;
472 conn_handle->handle = handle;
473 result = hci_cmd_sync_queue(conn->hdev, hci_enhanced_setup_sync,
474 conn_handle, NULL);
475 if (result < 0)
476 kfree(conn_handle);
477
478 return result == 0;
479 }
480
481 return hci_setup_sync_conn(conn, handle);
482 }
483
hci_le_conn_update(struct hci_conn * conn,u16 min,u16 max,u16 latency,u16 to_multiplier)484 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
485 u16 to_multiplier)
486 {
487 struct hci_dev *hdev = conn->hdev;
488 struct hci_conn_params *params;
489 struct hci_cp_le_conn_update cp;
490
491 hci_dev_lock(hdev);
492
493 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
494 if (params) {
495 params->conn_min_interval = min;
496 params->conn_max_interval = max;
497 params->conn_latency = latency;
498 params->supervision_timeout = to_multiplier;
499 }
500
501 hci_dev_unlock(hdev);
502
503 memset(&cp, 0, sizeof(cp));
504 cp.handle = cpu_to_le16(conn->handle);
505 cp.conn_interval_min = cpu_to_le16(min);
506 cp.conn_interval_max = cpu_to_le16(max);
507 cp.conn_latency = cpu_to_le16(latency);
508 cp.supervision_timeout = cpu_to_le16(to_multiplier);
509 cp.min_ce_len = cpu_to_le16(0x0000);
510 cp.max_ce_len = cpu_to_le16(0x0000);
511
512 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
513
514 if (params)
515 return 0x01;
516
517 return 0x00;
518 }
519
hci_le_start_enc(struct hci_conn * conn,__le16 ediv,__le64 rand,__u8 ltk[16],__u8 key_size)520 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
521 __u8 ltk[16], __u8 key_size)
522 {
523 struct hci_dev *hdev = conn->hdev;
524 struct hci_cp_le_start_enc cp;
525
526 BT_DBG("hcon %p", conn);
527
528 memset(&cp, 0, sizeof(cp));
529
530 cp.handle = cpu_to_le16(conn->handle);
531 cp.rand = rand;
532 cp.ediv = ediv;
533 memcpy(cp.ltk, ltk, key_size);
534
535 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
536 }
537
538 /* Device _must_ be locked */
hci_sco_setup(struct hci_conn * conn,__u8 status)539 void hci_sco_setup(struct hci_conn *conn, __u8 status)
540 {
541 struct hci_link *link;
542
543 link = list_first_entry_or_null(&conn->link_list, struct hci_link, list);
544 if (!link || !link->conn)
545 return;
546
547 BT_DBG("hcon %p", conn);
548
549 if (!status) {
550 if (lmp_esco_capable(conn->hdev))
551 hci_setup_sync(link->conn, conn->handle);
552 else
553 hci_add_sco(link->conn, conn->handle);
554 } else {
555 hci_connect_cfm(link->conn, status);
556 hci_conn_del(link->conn);
557 }
558 }
559
hci_conn_timeout(struct work_struct * work)560 static void hci_conn_timeout(struct work_struct *work)
561 {
562 struct hci_conn *conn = container_of(work, struct hci_conn,
563 disc_work.work);
564 int refcnt = atomic_read(&conn->refcnt);
565
566 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
567
568 WARN_ON(refcnt < 0);
569
570 /* FIXME: It was observed that in pairing failed scenario, refcnt
571 * drops below 0. Probably this is because l2cap_conn_del calls
572 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
573 * dropped. After that loop hci_chan_del is called which also drops
574 * conn. For now make sure that ACL is alive if refcnt is higher then 0,
575 * otherwise drop it.
576 */
577 if (refcnt > 0)
578 return;
579
580 hci_abort_conn(conn, hci_proto_disconn_ind(conn));
581 }
582
583 /* Enter sniff mode */
hci_conn_idle(struct work_struct * work)584 static void hci_conn_idle(struct work_struct *work)
585 {
586 struct hci_conn *conn = container_of(work, struct hci_conn,
587 idle_work.work);
588 struct hci_dev *hdev = conn->hdev;
589
590 BT_DBG("hcon %p mode %d", conn, conn->mode);
591
592 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
593 return;
594
595 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
596 return;
597
598 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
599 struct hci_cp_sniff_subrate cp;
600 cp.handle = cpu_to_le16(conn->handle);
601 cp.max_latency = cpu_to_le16(0);
602 cp.min_remote_timeout = cpu_to_le16(0);
603 cp.min_local_timeout = cpu_to_le16(0);
604 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
605 }
606
607 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
608 struct hci_cp_sniff_mode cp;
609 cp.handle = cpu_to_le16(conn->handle);
610 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
611 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
612 cp.attempt = cpu_to_le16(4);
613 cp.timeout = cpu_to_le16(1);
614 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
615 }
616 }
617
hci_conn_auto_accept(struct work_struct * work)618 static void hci_conn_auto_accept(struct work_struct *work)
619 {
620 struct hci_conn *conn = container_of(work, struct hci_conn,
621 auto_accept_work.work);
622
623 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
624 &conn->dst);
625 }
626
le_disable_advertising(struct hci_dev * hdev)627 static void le_disable_advertising(struct hci_dev *hdev)
628 {
629 if (ext_adv_capable(hdev)) {
630 struct hci_cp_le_set_ext_adv_enable cp;
631
632 cp.enable = 0x00;
633 cp.num_of_sets = 0x00;
634
635 hci_send_cmd(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE, sizeof(cp),
636 &cp);
637 } else {
638 u8 enable = 0x00;
639 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
640 &enable);
641 }
642 }
643
le_conn_timeout(struct work_struct * work)644 static void le_conn_timeout(struct work_struct *work)
645 {
646 struct hci_conn *conn = container_of(work, struct hci_conn,
647 le_conn_timeout.work);
648 struct hci_dev *hdev = conn->hdev;
649
650 BT_DBG("");
651
652 /* We could end up here due to having done directed advertising,
653 * so clean up the state if necessary. This should however only
654 * happen with broken hardware or if low duty cycle was used
655 * (which doesn't have a timeout of its own).
656 */
657 if (conn->role == HCI_ROLE_SLAVE) {
658 /* Disable LE Advertising */
659 le_disable_advertising(hdev);
660 hci_dev_lock(hdev);
661 hci_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
662 hci_dev_unlock(hdev);
663 return;
664 }
665
666 hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
667 }
668
669 struct iso_list_data {
670 union {
671 u8 cig;
672 u8 big;
673 };
674 union {
675 u8 cis;
676 u8 bis;
677 u16 sync_handle;
678 };
679 int count;
680 bool big_term;
681 bool pa_sync_term;
682 bool big_sync_term;
683 };
684
bis_list(struct hci_conn * conn,void * data)685 static void bis_list(struct hci_conn *conn, void *data)
686 {
687 struct iso_list_data *d = data;
688
689 /* Skip if not broadcast/ANY address */
690 if (bacmp(&conn->dst, BDADDR_ANY))
691 return;
692
693 if (d->big != conn->iso_qos.bcast.big || d->bis == BT_ISO_QOS_BIS_UNSET ||
694 d->bis != conn->iso_qos.bcast.bis)
695 return;
696
697 d->count++;
698 }
699
terminate_big_sync(struct hci_dev * hdev,void * data)700 static int terminate_big_sync(struct hci_dev *hdev, void *data)
701 {
702 struct iso_list_data *d = data;
703
704 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", d->big, d->bis);
705
706 hci_disable_per_advertising_sync(hdev, d->bis);
707 hci_remove_ext_adv_instance_sync(hdev, d->bis, NULL);
708
709 /* Only terminate BIG if it has been created */
710 if (!d->big_term)
711 return 0;
712
713 return hci_le_terminate_big_sync(hdev, d->big,
714 HCI_ERROR_LOCAL_HOST_TERM);
715 }
716
terminate_big_destroy(struct hci_dev * hdev,void * data,int err)717 static void terminate_big_destroy(struct hci_dev *hdev, void *data, int err)
718 {
719 kfree(data);
720 }
721
hci_le_terminate_big(struct hci_dev * hdev,struct hci_conn * conn)722 static int hci_le_terminate_big(struct hci_dev *hdev, struct hci_conn *conn)
723 {
724 struct iso_list_data *d;
725 int ret;
726
727 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", conn->iso_qos.bcast.big,
728 conn->iso_qos.bcast.bis);
729
730 d = kzalloc(sizeof(*d), GFP_KERNEL);
731 if (!d)
732 return -ENOMEM;
733
734 d->big = conn->iso_qos.bcast.big;
735 d->bis = conn->iso_qos.bcast.bis;
736 d->big_term = test_and_clear_bit(HCI_CONN_BIG_CREATED, &conn->flags);
737
738 ret = hci_cmd_sync_queue(hdev, terminate_big_sync, d,
739 terminate_big_destroy);
740 if (ret)
741 kfree(d);
742
743 return ret;
744 }
745
big_terminate_sync(struct hci_dev * hdev,void * data)746 static int big_terminate_sync(struct hci_dev *hdev, void *data)
747 {
748 struct iso_list_data *d = data;
749
750 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", d->big,
751 d->sync_handle);
752
753 if (d->big_sync_term)
754 hci_le_big_terminate_sync(hdev, d->big);
755
756 if (d->pa_sync_term)
757 return hci_le_pa_terminate_sync(hdev, d->sync_handle);
758
759 return 0;
760 }
761
find_bis(struct hci_conn * conn,void * data)762 static void find_bis(struct hci_conn *conn, void *data)
763 {
764 struct iso_list_data *d = data;
765
766 /* Ignore if BIG doesn't match */
767 if (d->big != conn->iso_qos.bcast.big)
768 return;
769
770 d->count++;
771 }
772
hci_le_big_terminate(struct hci_dev * hdev,u8 big,struct hci_conn * conn)773 static int hci_le_big_terminate(struct hci_dev *hdev, u8 big, struct hci_conn *conn)
774 {
775 struct iso_list_data *d;
776 int ret;
777
778 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", big, conn->sync_handle);
779
780 d = kzalloc(sizeof(*d), GFP_KERNEL);
781 if (!d)
782 return -ENOMEM;
783
784 d->big = big;
785 d->sync_handle = conn->sync_handle;
786
787 if (test_and_clear_bit(HCI_CONN_PA_SYNC, &conn->flags)) {
788 hci_conn_hash_list_flag(hdev, find_bis, PA_LINK,
789 HCI_CONN_PA_SYNC, d);
790
791 if (!d->count)
792 d->pa_sync_term = true;
793
794 d->count = 0;
795 }
796
797 if (test_and_clear_bit(HCI_CONN_BIG_SYNC, &conn->flags)) {
798 hci_conn_hash_list_flag(hdev, find_bis, BIS_LINK,
799 HCI_CONN_BIG_SYNC, d);
800
801 if (!d->count)
802 d->big_sync_term = true;
803 }
804
805 ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d,
806 terminate_big_destroy);
807 if (ret)
808 kfree(d);
809
810 return ret;
811 }
812
813 /* Cleanup BIS connection
814 *
815 * Detects if there any BIS left connected in a BIG
816 * broadcaster: Remove advertising instance and terminate BIG.
817 * broadcaster receiver: Terminate BIG sync and terminate PA sync.
818 */
bis_cleanup(struct hci_conn * conn)819 static void bis_cleanup(struct hci_conn *conn)
820 {
821 struct hci_dev *hdev = conn->hdev;
822 struct hci_conn *bis;
823
824 bt_dev_dbg(hdev, "conn %p", conn);
825
826 if (conn->role == HCI_ROLE_MASTER) {
827 if (!test_and_clear_bit(HCI_CONN_PER_ADV, &conn->flags))
828 return;
829
830 /* Check if ISO connection is a BIS and terminate advertising
831 * set and BIG if there are no other connections using it.
832 */
833 bis = hci_conn_hash_lookup_big(hdev, conn->iso_qos.bcast.big);
834 if (bis)
835 return;
836
837 hci_le_terminate_big(hdev, conn);
838 } else {
839 hci_le_big_terminate(hdev, conn->iso_qos.bcast.big,
840 conn);
841 }
842 }
843
remove_cig_sync(struct hci_dev * hdev,void * data)844 static int remove_cig_sync(struct hci_dev *hdev, void *data)
845 {
846 u8 handle = PTR_UINT(data);
847
848 return hci_le_remove_cig_sync(hdev, handle);
849 }
850
hci_le_remove_cig(struct hci_dev * hdev,u8 handle)851 static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle)
852 {
853 bt_dev_dbg(hdev, "handle 0x%2.2x", handle);
854
855 return hci_cmd_sync_queue(hdev, remove_cig_sync, UINT_PTR(handle),
856 NULL);
857 }
858
find_cis(struct hci_conn * conn,void * data)859 static void find_cis(struct hci_conn *conn, void *data)
860 {
861 struct iso_list_data *d = data;
862
863 /* Ignore broadcast or if CIG don't match */
864 if (!bacmp(&conn->dst, BDADDR_ANY) || d->cig != conn->iso_qos.ucast.cig)
865 return;
866
867 d->count++;
868 }
869
870 /* Cleanup CIS connection:
871 *
872 * Detects if there any CIS left connected in a CIG and remove it.
873 */
cis_cleanup(struct hci_conn * conn)874 static void cis_cleanup(struct hci_conn *conn)
875 {
876 struct hci_dev *hdev = conn->hdev;
877 struct iso_list_data d;
878
879 if (conn->iso_qos.ucast.cig == BT_ISO_QOS_CIG_UNSET)
880 return;
881
882 memset(&d, 0, sizeof(d));
883 d.cig = conn->iso_qos.ucast.cig;
884
885 /* Check if ISO connection is a CIS and remove CIG if there are
886 * no other connections using it.
887 */
888 hci_conn_hash_list_state(hdev, find_cis, CIS_LINK, BT_BOUND, &d);
889 hci_conn_hash_list_state(hdev, find_cis, CIS_LINK, BT_CONNECT,
890 &d);
891 hci_conn_hash_list_state(hdev, find_cis, CIS_LINK, BT_CONNECTED,
892 &d);
893 if (d.count)
894 return;
895
896 hci_le_remove_cig(hdev, conn->iso_qos.ucast.cig);
897 }
898
hci_conn_hash_alloc_unset(struct hci_dev * hdev)899 static int hci_conn_hash_alloc_unset(struct hci_dev *hdev)
900 {
901 return ida_alloc_range(&hdev->unset_handle_ida, HCI_CONN_HANDLE_MAX + 1,
902 U16_MAX, GFP_ATOMIC);
903 }
904
__hci_conn_add(struct hci_dev * hdev,int type,bdaddr_t * dst,u8 role,u16 handle)905 static struct hci_conn *__hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
906 u8 role, u16 handle)
907 {
908 struct hci_conn *conn;
909
910 switch (type) {
911 case ACL_LINK:
912 if (!hdev->acl_mtu)
913 return ERR_PTR(-ECONNREFUSED);
914 break;
915 case CIS_LINK:
916 case BIS_LINK:
917 case PA_LINK:
918 if (hdev->iso_mtu)
919 /* Dedicated ISO Buffer exists */
920 break;
921 fallthrough;
922 case LE_LINK:
923 if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU)
924 return ERR_PTR(-ECONNREFUSED);
925 if (!hdev->le_mtu && hdev->acl_mtu < HCI_MIN_LE_MTU)
926 return ERR_PTR(-ECONNREFUSED);
927 break;
928 case SCO_LINK:
929 case ESCO_LINK:
930 if (!hdev->sco_pkts)
931 /* Controller does not support SCO or eSCO over HCI */
932 return ERR_PTR(-ECONNREFUSED);
933 break;
934 default:
935 return ERR_PTR(-ECONNREFUSED);
936 }
937
938 bt_dev_dbg(hdev, "dst %pMR handle 0x%4.4x", dst, handle);
939
940 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
941 if (!conn)
942 return ERR_PTR(-ENOMEM);
943
944 bacpy(&conn->dst, dst);
945 bacpy(&conn->src, &hdev->bdaddr);
946 conn->handle = handle;
947 conn->hdev = hdev;
948 conn->type = type;
949 conn->role = role;
950 conn->mode = HCI_CM_ACTIVE;
951 conn->state = BT_OPEN;
952 conn->auth_type = HCI_AT_GENERAL_BONDING;
953 conn->io_capability = hdev->io_capability;
954 conn->remote_auth = 0xff;
955 conn->key_type = 0xff;
956 conn->rssi = HCI_RSSI_INVALID;
957 conn->tx_power = HCI_TX_POWER_INVALID;
958 conn->max_tx_power = HCI_TX_POWER_INVALID;
959 conn->sync_handle = HCI_SYNC_HANDLE_INVALID;
960 conn->sid = HCI_SID_INVALID;
961
962 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
963 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
964
965 /* Set Default Authenticated payload timeout to 30s */
966 conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
967
968 if (conn->role == HCI_ROLE_MASTER)
969 conn->out = true;
970
971 switch (type) {
972 case ACL_LINK:
973 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
974 conn->mtu = hdev->acl_mtu;
975 break;
976 case LE_LINK:
977 /* conn->src should reflect the local identity address */
978 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
979 conn->mtu = hdev->le_mtu ? hdev->le_mtu : hdev->acl_mtu;
980 break;
981 case CIS_LINK:
982 case BIS_LINK:
983 case PA_LINK:
984 /* conn->src should reflect the local identity address */
985 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
986
987 /* set proper cleanup function */
988 if (!bacmp(dst, BDADDR_ANY))
989 conn->cleanup = bis_cleanup;
990 else if (conn->role == HCI_ROLE_MASTER)
991 conn->cleanup = cis_cleanup;
992
993 conn->mtu = hdev->iso_mtu ? hdev->iso_mtu :
994 hdev->le_mtu ? hdev->le_mtu : hdev->acl_mtu;
995 break;
996 case SCO_LINK:
997 if (lmp_esco_capable(hdev))
998 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
999 (hdev->esco_type & EDR_ESCO_MASK);
1000 else
1001 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
1002
1003 conn->mtu = hdev->sco_mtu;
1004 break;
1005 case ESCO_LINK:
1006 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
1007 conn->mtu = hdev->sco_mtu;
1008 break;
1009 }
1010
1011 skb_queue_head_init(&conn->data_q);
1012 skb_queue_head_init(&conn->tx_q.queue);
1013
1014 INIT_LIST_HEAD(&conn->chan_list);
1015 INIT_LIST_HEAD(&conn->link_list);
1016
1017 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
1018 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
1019 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
1020 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
1021
1022 atomic_set(&conn->refcnt, 0);
1023
1024 hci_dev_hold(hdev);
1025
1026 hci_conn_hash_add(hdev, conn);
1027
1028 /* The SCO and eSCO connections will only be notified when their
1029 * setup has been completed. This is different to ACL links which
1030 * can be notified right away.
1031 */
1032 if (conn->type != SCO_LINK && conn->type != ESCO_LINK) {
1033 if (hdev->notify)
1034 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
1035 }
1036
1037 hci_conn_init_sysfs(conn);
1038 return conn;
1039 }
1040
hci_conn_add_unset(struct hci_dev * hdev,int type,bdaddr_t * dst,u8 role)1041 struct hci_conn *hci_conn_add_unset(struct hci_dev *hdev, int type,
1042 bdaddr_t *dst, u8 role)
1043 {
1044 int handle;
1045
1046 bt_dev_dbg(hdev, "dst %pMR", dst);
1047
1048 handle = hci_conn_hash_alloc_unset(hdev);
1049 if (unlikely(handle < 0))
1050 return ERR_PTR(-ECONNREFUSED);
1051
1052 return __hci_conn_add(hdev, type, dst, role, handle);
1053 }
1054
hci_conn_add(struct hci_dev * hdev,int type,bdaddr_t * dst,u8 role,u16 handle)1055 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
1056 u8 role, u16 handle)
1057 {
1058 if (handle > HCI_CONN_HANDLE_MAX)
1059 return ERR_PTR(-EINVAL);
1060
1061 return __hci_conn_add(hdev, type, dst, role, handle);
1062 }
1063
hci_conn_cleanup_child(struct hci_conn * conn,u8 reason)1064 static void hci_conn_cleanup_child(struct hci_conn *conn, u8 reason)
1065 {
1066 if (!reason)
1067 reason = HCI_ERROR_REMOTE_USER_TERM;
1068
1069 /* Due to race, SCO/ISO conn might be not established yet at this point,
1070 * and nothing else will clean it up. In other cases it is done via HCI
1071 * events.
1072 */
1073 switch (conn->type) {
1074 case SCO_LINK:
1075 case ESCO_LINK:
1076 if (HCI_CONN_HANDLE_UNSET(conn->handle))
1077 hci_conn_failed(conn, reason);
1078 break;
1079 case CIS_LINK:
1080 case BIS_LINK:
1081 case PA_LINK:
1082 if ((conn->state != BT_CONNECTED &&
1083 !test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) ||
1084 test_bit(HCI_CONN_BIG_CREATED, &conn->flags))
1085 hci_conn_failed(conn, reason);
1086 break;
1087 }
1088 }
1089
hci_conn_unlink(struct hci_conn * conn)1090 static void hci_conn_unlink(struct hci_conn *conn)
1091 {
1092 struct hci_dev *hdev = conn->hdev;
1093
1094 bt_dev_dbg(hdev, "hcon %p", conn);
1095
1096 if (!conn->parent) {
1097 struct hci_link *link, *t;
1098
1099 list_for_each_entry_safe(link, t, &conn->link_list, list) {
1100 struct hci_conn *child = link->conn;
1101
1102 hci_conn_unlink(child);
1103
1104 /* If hdev is down it means
1105 * hci_dev_close_sync/hci_conn_hash_flush is in progress
1106 * and links don't need to be cleanup as all connections
1107 * would be cleanup.
1108 */
1109 if (!test_bit(HCI_UP, &hdev->flags))
1110 continue;
1111
1112 hci_conn_cleanup_child(child, conn->abort_reason);
1113 }
1114
1115 return;
1116 }
1117
1118 if (!conn->link)
1119 return;
1120
1121 list_del_rcu(&conn->link->list);
1122 synchronize_rcu();
1123
1124 hci_conn_drop(conn->parent);
1125 hci_conn_put(conn->parent);
1126 conn->parent = NULL;
1127
1128 kfree(conn->link);
1129 conn->link = NULL;
1130 }
1131
hci_conn_del(struct hci_conn * conn)1132 void hci_conn_del(struct hci_conn *conn)
1133 {
1134 struct hci_dev *hdev = conn->hdev;
1135
1136 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
1137
1138 hci_conn_unlink(conn);
1139
1140 disable_delayed_work_sync(&conn->disc_work);
1141 disable_delayed_work_sync(&conn->auto_accept_work);
1142 disable_delayed_work_sync(&conn->idle_work);
1143
1144 if (conn->type == ACL_LINK) {
1145 /* Unacked frames */
1146 hdev->acl_cnt += conn->sent;
1147 } else if (conn->type == LE_LINK) {
1148 cancel_delayed_work(&conn->le_conn_timeout);
1149
1150 if (hdev->le_pkts)
1151 hdev->le_cnt += conn->sent;
1152 else
1153 hdev->acl_cnt += conn->sent;
1154 } else {
1155 /* Unacked ISO frames */
1156 if (conn->type == CIS_LINK ||
1157 conn->type == BIS_LINK ||
1158 conn->type == PA_LINK) {
1159 if (hdev->iso_pkts)
1160 hdev->iso_cnt += conn->sent;
1161 else if (hdev->le_pkts)
1162 hdev->le_cnt += conn->sent;
1163 else
1164 hdev->acl_cnt += conn->sent;
1165 }
1166 }
1167
1168 skb_queue_purge(&conn->data_q);
1169 skb_queue_purge(&conn->tx_q.queue);
1170
1171 /* Remove the connection from the list and cleanup its remaining
1172 * state. This is a separate function since for some cases like
1173 * BT_CONNECT_SCAN we *only* want the cleanup part without the
1174 * rest of hci_conn_del.
1175 */
1176 hci_conn_cleanup(conn);
1177
1178 /* Dequeue callbacks using connection pointer as data */
1179 hci_cmd_sync_dequeue(hdev, NULL, conn, NULL);
1180 }
1181
hci_get_route(bdaddr_t * dst,bdaddr_t * src,uint8_t src_type)1182 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type)
1183 {
1184 int use_src = bacmp(src, BDADDR_ANY);
1185 struct hci_dev *hdev = NULL, *d;
1186
1187 BT_DBG("%pMR -> %pMR", src, dst);
1188
1189 read_lock(&hci_dev_list_lock);
1190
1191 list_for_each_entry(d, &hci_dev_list, list) {
1192 if (!test_bit(HCI_UP, &d->flags) ||
1193 hci_dev_test_flag(d, HCI_USER_CHANNEL))
1194 continue;
1195
1196 /* Simple routing:
1197 * No source address - find interface with bdaddr != dst
1198 * Source address - find interface with bdaddr == src
1199 */
1200
1201 if (use_src) {
1202 bdaddr_t id_addr;
1203 u8 id_addr_type;
1204
1205 if (src_type == BDADDR_BREDR) {
1206 if (!lmp_bredr_capable(d))
1207 continue;
1208 bacpy(&id_addr, &d->bdaddr);
1209 id_addr_type = BDADDR_BREDR;
1210 } else {
1211 if (!lmp_le_capable(d))
1212 continue;
1213
1214 hci_copy_identity_address(d, &id_addr,
1215 &id_addr_type);
1216
1217 /* Convert from HCI to three-value type */
1218 if (id_addr_type == ADDR_LE_DEV_PUBLIC)
1219 id_addr_type = BDADDR_LE_PUBLIC;
1220 else
1221 id_addr_type = BDADDR_LE_RANDOM;
1222 }
1223
1224 if (!bacmp(&id_addr, src) && id_addr_type == src_type) {
1225 hdev = d; break;
1226 }
1227 } else {
1228 if (bacmp(&d->bdaddr, dst)) {
1229 hdev = d; break;
1230 }
1231 }
1232 }
1233
1234 if (hdev)
1235 hdev = hci_dev_hold(hdev);
1236
1237 read_unlock(&hci_dev_list_lock);
1238 return hdev;
1239 }
1240 EXPORT_SYMBOL(hci_get_route);
1241
1242 /* This function requires the caller holds hdev->lock */
hci_le_conn_failed(struct hci_conn * conn,u8 status)1243 static void hci_le_conn_failed(struct hci_conn *conn, u8 status)
1244 {
1245 struct hci_dev *hdev = conn->hdev;
1246
1247 hci_connect_le_scan_cleanup(conn, status);
1248
1249 /* Enable advertising in case this was a failed connection
1250 * attempt as a peripheral.
1251 */
1252 hci_enable_advertising(hdev);
1253 }
1254
1255 /* This function requires the caller holds hdev->lock */
hci_conn_failed(struct hci_conn * conn,u8 status)1256 void hci_conn_failed(struct hci_conn *conn, u8 status)
1257 {
1258 struct hci_dev *hdev = conn->hdev;
1259
1260 bt_dev_dbg(hdev, "status 0x%2.2x", status);
1261
1262 switch (conn->type) {
1263 case LE_LINK:
1264 hci_le_conn_failed(conn, status);
1265 break;
1266 case ACL_LINK:
1267 mgmt_connect_failed(hdev, conn, status);
1268 break;
1269 }
1270
1271 /* In case of BIG/PA sync failed, clear conn flags so that
1272 * the conns will be correctly cleaned up by ISO layer
1273 */
1274 test_and_clear_bit(HCI_CONN_BIG_SYNC_FAILED, &conn->flags);
1275 test_and_clear_bit(HCI_CONN_PA_SYNC_FAILED, &conn->flags);
1276
1277 conn->state = BT_CLOSED;
1278 hci_connect_cfm(conn, status);
1279 hci_conn_del(conn);
1280 }
1281
1282 /* This function requires the caller holds hdev->lock */
hci_conn_set_handle(struct hci_conn * conn,u16 handle)1283 u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle)
1284 {
1285 struct hci_dev *hdev = conn->hdev;
1286
1287 bt_dev_dbg(hdev, "hcon %p handle 0x%4.4x", conn, handle);
1288
1289 if (conn->handle == handle)
1290 return 0;
1291
1292 if (handle > HCI_CONN_HANDLE_MAX) {
1293 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
1294 handle, HCI_CONN_HANDLE_MAX);
1295 return HCI_ERROR_INVALID_PARAMETERS;
1296 }
1297
1298 /* If abort_reason has been sent it means the connection is being
1299 * aborted and the handle shall not be changed.
1300 */
1301 if (conn->abort_reason)
1302 return conn->abort_reason;
1303
1304 if (HCI_CONN_HANDLE_UNSET(conn->handle))
1305 ida_free(&hdev->unset_handle_ida, conn->handle);
1306
1307 conn->handle = handle;
1308
1309 return 0;
1310 }
1311
hci_connect_le(struct hci_dev * hdev,bdaddr_t * dst,u8 dst_type,bool dst_resolved,u8 sec_level,u16 conn_timeout,u8 role,u8 phy,u8 sec_phy)1312 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
1313 u8 dst_type, bool dst_resolved, u8 sec_level,
1314 u16 conn_timeout, u8 role, u8 phy, u8 sec_phy)
1315 {
1316 struct hci_conn *conn;
1317 struct smp_irk *irk;
1318 int err;
1319
1320 /* Let's make sure that le is enabled.*/
1321 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1322 if (lmp_le_capable(hdev))
1323 return ERR_PTR(-ECONNREFUSED);
1324
1325 return ERR_PTR(-EOPNOTSUPP);
1326 }
1327
1328 /* Since the controller supports only one LE connection attempt at a
1329 * time, we return -EBUSY if there is any connection attempt running.
1330 */
1331 if (hci_lookup_le_connect(hdev))
1332 return ERR_PTR(-EBUSY);
1333
1334 /* If there's already a connection object but it's not in
1335 * scanning state it means it must already be established, in
1336 * which case we can't do anything else except report a failure
1337 * to connect.
1338 */
1339 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1340 if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) {
1341 return ERR_PTR(-EBUSY);
1342 }
1343
1344 /* Check if the destination address has been resolved by the controller
1345 * since if it did then the identity address shall be used.
1346 */
1347 if (!dst_resolved) {
1348 /* When given an identity address with existing identity
1349 * resolving key, the connection needs to be established
1350 * to a resolvable random address.
1351 *
1352 * Storing the resolvable random address is required here
1353 * to handle connection failures. The address will later
1354 * be resolved back into the original identity address
1355 * from the connect request.
1356 */
1357 irk = hci_find_irk_by_addr(hdev, dst, dst_type);
1358 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
1359 dst = &irk->rpa;
1360 dst_type = ADDR_LE_DEV_RANDOM;
1361 }
1362 }
1363
1364 if (conn) {
1365 bacpy(&conn->dst, dst);
1366 } else {
1367 conn = hci_conn_add_unset(hdev, LE_LINK, dst, role);
1368 if (IS_ERR(conn))
1369 return conn;
1370 hci_conn_hold(conn);
1371 conn->pending_sec_level = sec_level;
1372 }
1373
1374 conn->dst_type = dst_type;
1375 conn->sec_level = BT_SECURITY_LOW;
1376 conn->conn_timeout = conn_timeout;
1377 conn->le_adv_phy = phy;
1378 conn->le_adv_sec_phy = sec_phy;
1379
1380 err = hci_connect_le_sync(hdev, conn);
1381 if (err) {
1382 hci_conn_del(conn);
1383 return ERR_PTR(err);
1384 }
1385
1386 return conn;
1387 }
1388
is_connected(struct hci_dev * hdev,bdaddr_t * addr,u8 type)1389 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
1390 {
1391 struct hci_conn *conn;
1392
1393 conn = hci_conn_hash_lookup_le(hdev, addr, type);
1394 if (!conn)
1395 return false;
1396
1397 if (conn->state != BT_CONNECTED)
1398 return false;
1399
1400 return true;
1401 }
1402
1403 /* This function requires the caller holds hdev->lock */
hci_explicit_conn_params_set(struct hci_dev * hdev,bdaddr_t * addr,u8 addr_type)1404 static int hci_explicit_conn_params_set(struct hci_dev *hdev,
1405 bdaddr_t *addr, u8 addr_type)
1406 {
1407 struct hci_conn_params *params;
1408
1409 if (is_connected(hdev, addr, addr_type))
1410 return -EISCONN;
1411
1412 params = hci_conn_params_lookup(hdev, addr, addr_type);
1413 if (!params) {
1414 params = hci_conn_params_add(hdev, addr, addr_type);
1415 if (!params)
1416 return -ENOMEM;
1417
1418 /* If we created new params, mark them to be deleted in
1419 * hci_connect_le_scan_cleanup. It's different case than
1420 * existing disabled params, those will stay after cleanup.
1421 */
1422 params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
1423 }
1424
1425 /* We're trying to connect, so make sure params are at pend_le_conns */
1426 if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
1427 params->auto_connect == HCI_AUTO_CONN_REPORT ||
1428 params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
1429 hci_pend_le_list_del_init(params);
1430 hci_pend_le_list_add(params, &hdev->pend_le_conns);
1431 }
1432
1433 params->explicit_connect = true;
1434
1435 BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
1436 params->auto_connect);
1437
1438 return 0;
1439 }
1440
qos_set_big(struct hci_dev * hdev,struct bt_iso_qos * qos)1441 static int qos_set_big(struct hci_dev *hdev, struct bt_iso_qos *qos)
1442 {
1443 struct hci_conn *conn;
1444 u8 big;
1445
1446 /* Allocate a BIG if not set */
1447 if (qos->bcast.big == BT_ISO_QOS_BIG_UNSET) {
1448 for (big = 0x00; big < 0xef; big++) {
1449
1450 conn = hci_conn_hash_lookup_big(hdev, big);
1451 if (!conn)
1452 break;
1453 }
1454
1455 if (big == 0xef)
1456 return -EADDRNOTAVAIL;
1457
1458 /* Update BIG */
1459 qos->bcast.big = big;
1460 }
1461
1462 return 0;
1463 }
1464
qos_set_bis(struct hci_dev * hdev,struct bt_iso_qos * qos)1465 static int qos_set_bis(struct hci_dev *hdev, struct bt_iso_qos *qos)
1466 {
1467 struct hci_conn *conn;
1468 u8 bis;
1469
1470 /* Allocate BIS if not set */
1471 if (qos->bcast.bis == BT_ISO_QOS_BIS_UNSET) {
1472 if (qos->bcast.big != BT_ISO_QOS_BIG_UNSET) {
1473 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big);
1474
1475 if (conn) {
1476 /* If the BIG handle is already matched to an advertising
1477 * handle, do not allocate a new one.
1478 */
1479 qos->bcast.bis = conn->iso_qos.bcast.bis;
1480 return 0;
1481 }
1482 }
1483
1484 /* Find an unused adv set to advertise BIS, skip instance 0x00
1485 * since it is reserved as general purpose set.
1486 */
1487 for (bis = 0x01; bis < hdev->le_num_of_adv_sets;
1488 bis++) {
1489
1490 conn = hci_conn_hash_lookup_bis(hdev, BDADDR_ANY, bis);
1491 if (!conn)
1492 break;
1493 }
1494
1495 if (bis == hdev->le_num_of_adv_sets)
1496 return -EADDRNOTAVAIL;
1497
1498 /* Update BIS */
1499 qos->bcast.bis = bis;
1500 }
1501
1502 return 0;
1503 }
1504
1505 /* This function requires the caller holds hdev->lock */
hci_add_bis(struct hci_dev * hdev,bdaddr_t * dst,__u8 sid,struct bt_iso_qos * qos,__u8 base_len,__u8 * base)1506 static struct hci_conn *hci_add_bis(struct hci_dev *hdev, bdaddr_t *dst,
1507 __u8 sid, struct bt_iso_qos *qos,
1508 __u8 base_len, __u8 *base)
1509 {
1510 struct hci_conn *conn;
1511 int err;
1512
1513 /* Let's make sure that le is enabled.*/
1514 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1515 if (lmp_le_capable(hdev))
1516 return ERR_PTR(-ECONNREFUSED);
1517 return ERR_PTR(-EOPNOTSUPP);
1518 }
1519
1520 err = qos_set_big(hdev, qos);
1521 if (err)
1522 return ERR_PTR(err);
1523
1524 err = qos_set_bis(hdev, qos);
1525 if (err)
1526 return ERR_PTR(err);
1527
1528 /* Check if the LE Create BIG command has already been sent */
1529 conn = hci_conn_hash_lookup_per_adv_bis(hdev, dst, qos->bcast.big,
1530 qos->bcast.big);
1531 if (conn)
1532 return ERR_PTR(-EADDRINUSE);
1533
1534 /* Check BIS settings against other bound BISes, since all
1535 * BISes in a BIG must have the same value for all parameters
1536 */
1537 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big);
1538
1539 if (conn && (memcmp(qos, &conn->iso_qos, sizeof(*qos)) ||
1540 base_len != conn->le_per_adv_data_len ||
1541 memcmp(conn->le_per_adv_data, base, base_len)))
1542 return ERR_PTR(-EADDRINUSE);
1543
1544 conn = hci_conn_add_unset(hdev, BIS_LINK, dst, HCI_ROLE_MASTER);
1545 if (IS_ERR(conn))
1546 return conn;
1547
1548 conn->state = BT_CONNECT;
1549 conn->sid = sid;
1550
1551 hci_conn_hold(conn);
1552 return conn;
1553 }
1554
1555 /* This function requires the caller holds hdev->lock */
hci_connect_le_scan(struct hci_dev * hdev,bdaddr_t * dst,u8 dst_type,u8 sec_level,u16 conn_timeout,enum conn_reasons conn_reason)1556 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
1557 u8 dst_type, u8 sec_level,
1558 u16 conn_timeout,
1559 enum conn_reasons conn_reason)
1560 {
1561 struct hci_conn *conn;
1562
1563 /* Let's make sure that le is enabled.*/
1564 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1565 if (lmp_le_capable(hdev))
1566 return ERR_PTR(-ECONNREFUSED);
1567
1568 return ERR_PTR(-EOPNOTSUPP);
1569 }
1570
1571 /* Some devices send ATT messages as soon as the physical link is
1572 * established. To be able to handle these ATT messages, the user-
1573 * space first establishes the connection and then starts the pairing
1574 * process.
1575 *
1576 * So if a hci_conn object already exists for the following connection
1577 * attempt, we simply update pending_sec_level and auth_type fields
1578 * and return the object found.
1579 */
1580 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1581 if (conn) {
1582 if (conn->pending_sec_level < sec_level)
1583 conn->pending_sec_level = sec_level;
1584 goto done;
1585 }
1586
1587 BT_DBG("requesting refresh of dst_addr");
1588
1589 conn = hci_conn_add_unset(hdev, LE_LINK, dst, HCI_ROLE_MASTER);
1590 if (IS_ERR(conn))
1591 return conn;
1592
1593 if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) {
1594 hci_conn_del(conn);
1595 return ERR_PTR(-EBUSY);
1596 }
1597
1598 conn->state = BT_CONNECT;
1599 set_bit(HCI_CONN_SCANNING, &conn->flags);
1600 conn->dst_type = dst_type;
1601 conn->sec_level = BT_SECURITY_LOW;
1602 conn->pending_sec_level = sec_level;
1603 conn->conn_timeout = conn_timeout;
1604 conn->conn_reason = conn_reason;
1605
1606 hci_update_passive_scan(hdev);
1607
1608 done:
1609 hci_conn_hold(conn);
1610 return conn;
1611 }
1612
hci_connect_acl(struct hci_dev * hdev,bdaddr_t * dst,u8 sec_level,u8 auth_type,enum conn_reasons conn_reason,u16 timeout)1613 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
1614 u8 sec_level, u8 auth_type,
1615 enum conn_reasons conn_reason, u16 timeout)
1616 {
1617 struct hci_conn *acl;
1618
1619 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1620 if (lmp_bredr_capable(hdev))
1621 return ERR_PTR(-ECONNREFUSED);
1622
1623 return ERR_PTR(-EOPNOTSUPP);
1624 }
1625
1626 /* Reject outgoing connection to device with same BD ADDR against
1627 * CVE-2020-26555
1628 */
1629 if (!bacmp(&hdev->bdaddr, dst)) {
1630 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
1631 dst);
1632 return ERR_PTR(-ECONNREFUSED);
1633 }
1634
1635 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
1636 if (!acl) {
1637 acl = hci_conn_add_unset(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
1638 if (IS_ERR(acl))
1639 return acl;
1640 }
1641
1642 hci_conn_hold(acl);
1643
1644 acl->conn_reason = conn_reason;
1645 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
1646 int err;
1647
1648 acl->sec_level = BT_SECURITY_LOW;
1649 acl->pending_sec_level = sec_level;
1650 acl->auth_type = auth_type;
1651 acl->conn_timeout = timeout;
1652
1653 err = hci_connect_acl_sync(hdev, acl);
1654 if (err) {
1655 hci_conn_del(acl);
1656 return ERR_PTR(err);
1657 }
1658 }
1659
1660 return acl;
1661 }
1662
hci_conn_link(struct hci_conn * parent,struct hci_conn * conn)1663 static struct hci_link *hci_conn_link(struct hci_conn *parent,
1664 struct hci_conn *conn)
1665 {
1666 struct hci_dev *hdev = parent->hdev;
1667 struct hci_link *link;
1668
1669 bt_dev_dbg(hdev, "parent %p hcon %p", parent, conn);
1670
1671 if (conn->link)
1672 return conn->link;
1673
1674 if (conn->parent)
1675 return NULL;
1676
1677 link = kzalloc(sizeof(*link), GFP_KERNEL);
1678 if (!link)
1679 return NULL;
1680
1681 link->conn = hci_conn_hold(conn);
1682 conn->link = link;
1683 conn->parent = hci_conn_get(parent);
1684
1685 /* Use list_add_tail_rcu append to the list */
1686 list_add_tail_rcu(&link->list, &parent->link_list);
1687
1688 return link;
1689 }
1690
hci_connect_sco(struct hci_dev * hdev,int type,bdaddr_t * dst,__u16 setting,struct bt_codec * codec,u16 timeout)1691 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
1692 __u16 setting, struct bt_codec *codec,
1693 u16 timeout)
1694 {
1695 struct hci_conn *acl;
1696 struct hci_conn *sco;
1697 struct hci_link *link;
1698
1699 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING,
1700 CONN_REASON_SCO_CONNECT, timeout);
1701 if (IS_ERR(acl))
1702 return acl;
1703
1704 sco = hci_conn_hash_lookup_ba(hdev, type, dst);
1705 if (!sco) {
1706 sco = hci_conn_add_unset(hdev, type, dst, HCI_ROLE_MASTER);
1707 if (IS_ERR(sco)) {
1708 hci_conn_drop(acl);
1709 return sco;
1710 }
1711 }
1712
1713 link = hci_conn_link(acl, sco);
1714 if (!link) {
1715 hci_conn_drop(acl);
1716 hci_conn_drop(sco);
1717 return ERR_PTR(-ENOLINK);
1718 }
1719
1720 sco->setting = setting;
1721 sco->codec = *codec;
1722
1723 if (acl->state == BT_CONNECTED &&
1724 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
1725 set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
1726 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
1727
1728 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
1729 /* defer SCO setup until mode change completed */
1730 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
1731 return sco;
1732 }
1733
1734 hci_sco_setup(acl, 0x00);
1735 }
1736
1737 return sco;
1738 }
1739
hci_le_create_big(struct hci_conn * conn,struct bt_iso_qos * qos)1740 static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos)
1741 {
1742 struct hci_dev *hdev = conn->hdev;
1743 struct hci_cp_le_create_big cp;
1744 struct iso_list_data data;
1745
1746 memset(&cp, 0, sizeof(cp));
1747
1748 data.big = qos->bcast.big;
1749 data.bis = qos->bcast.bis;
1750 data.count = 0;
1751
1752 /* Create a BIS for each bound connection */
1753 hci_conn_hash_list_state(hdev, bis_list, BIS_LINK,
1754 BT_BOUND, &data);
1755
1756 cp.handle = qos->bcast.big;
1757 cp.adv_handle = qos->bcast.bis;
1758 cp.num_bis = data.count;
1759 hci_cpu_to_le24(qos->bcast.out.interval, cp.bis.sdu_interval);
1760 cp.bis.sdu = cpu_to_le16(qos->bcast.out.sdu);
1761 cp.bis.latency = cpu_to_le16(qos->bcast.out.latency);
1762 cp.bis.rtn = qos->bcast.out.rtn;
1763 cp.bis.phy = qos->bcast.out.phy;
1764 cp.bis.packing = qos->bcast.packing;
1765 cp.bis.framing = qos->bcast.framing;
1766 cp.bis.encryption = qos->bcast.encryption;
1767 memcpy(cp.bis.bcode, qos->bcast.bcode, sizeof(cp.bis.bcode));
1768
1769 return hci_send_cmd(hdev, HCI_OP_LE_CREATE_BIG, sizeof(cp), &cp);
1770 }
1771
set_cig_params_sync(struct hci_dev * hdev,void * data)1772 static int set_cig_params_sync(struct hci_dev *hdev, void *data)
1773 {
1774 DEFINE_FLEX(struct hci_cp_le_set_cig_params, pdu, cis, num_cis, 0x1f);
1775 u8 cig_id = PTR_UINT(data);
1776 struct hci_conn *conn;
1777 struct bt_iso_qos *qos;
1778 u8 aux_num_cis = 0;
1779 u8 cis_id;
1780
1781 conn = hci_conn_hash_lookup_cig(hdev, cig_id);
1782 if (!conn)
1783 return 0;
1784
1785 qos = &conn->iso_qos;
1786 pdu->cig_id = cig_id;
1787 hci_cpu_to_le24(qos->ucast.out.interval, pdu->c_interval);
1788 hci_cpu_to_le24(qos->ucast.in.interval, pdu->p_interval);
1789 pdu->sca = qos->ucast.sca;
1790 pdu->packing = qos->ucast.packing;
1791 pdu->framing = qos->ucast.framing;
1792 pdu->c_latency = cpu_to_le16(qos->ucast.out.latency);
1793 pdu->p_latency = cpu_to_le16(qos->ucast.in.latency);
1794
1795 /* Reprogram all CIS(s) with the same CIG, valid range are:
1796 * num_cis: 0x00 to 0x1F
1797 * cis_id: 0x00 to 0xEF
1798 */
1799 for (cis_id = 0x00; cis_id < 0xf0 &&
1800 aux_num_cis < pdu->num_cis; cis_id++) {
1801 struct hci_cis_params *cis;
1802
1803 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, cig_id, cis_id);
1804 if (!conn)
1805 continue;
1806
1807 qos = &conn->iso_qos;
1808
1809 cis = &pdu->cis[aux_num_cis++];
1810 cis->cis_id = cis_id;
1811 cis->c_sdu = cpu_to_le16(conn->iso_qos.ucast.out.sdu);
1812 cis->p_sdu = cpu_to_le16(conn->iso_qos.ucast.in.sdu);
1813 cis->c_phy = qos->ucast.out.phy ? qos->ucast.out.phy :
1814 qos->ucast.in.phy;
1815 cis->p_phy = qos->ucast.in.phy ? qos->ucast.in.phy :
1816 qos->ucast.out.phy;
1817 cis->c_rtn = qos->ucast.out.rtn;
1818 cis->p_rtn = qos->ucast.in.rtn;
1819 }
1820 pdu->num_cis = aux_num_cis;
1821
1822 if (!pdu->num_cis)
1823 return 0;
1824
1825 return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_CIG_PARAMS,
1826 struct_size(pdu, cis, pdu->num_cis),
1827 pdu, HCI_CMD_TIMEOUT);
1828 }
1829
hci_le_set_cig_params(struct hci_conn * conn,struct bt_iso_qos * qos)1830 static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos)
1831 {
1832 struct hci_dev *hdev = conn->hdev;
1833 struct iso_list_data data;
1834
1835 memset(&data, 0, sizeof(data));
1836
1837 /* Allocate first still reconfigurable CIG if not set */
1838 if (qos->ucast.cig == BT_ISO_QOS_CIG_UNSET) {
1839 for (data.cig = 0x00; data.cig < 0xf0; data.cig++) {
1840 data.count = 0;
1841
1842 hci_conn_hash_list_state(hdev, find_cis, CIS_LINK,
1843 BT_CONNECT, &data);
1844 if (data.count)
1845 continue;
1846
1847 hci_conn_hash_list_state(hdev, find_cis, CIS_LINK,
1848 BT_CONNECTED, &data);
1849 if (!data.count)
1850 break;
1851 }
1852
1853 if (data.cig == 0xf0)
1854 return false;
1855
1856 /* Update CIG */
1857 qos->ucast.cig = data.cig;
1858 }
1859
1860 if (qos->ucast.cis != BT_ISO_QOS_CIS_UNSET) {
1861 if (hci_conn_hash_lookup_cis(hdev, NULL, 0, qos->ucast.cig,
1862 qos->ucast.cis))
1863 return false;
1864 goto done;
1865 }
1866
1867 /* Allocate first available CIS if not set */
1868 for (data.cig = qos->ucast.cig, data.cis = 0x00; data.cis < 0xf0;
1869 data.cis++) {
1870 if (!hci_conn_hash_lookup_cis(hdev, NULL, 0, data.cig,
1871 data.cis)) {
1872 /* Update CIS */
1873 qos->ucast.cis = data.cis;
1874 break;
1875 }
1876 }
1877
1878 if (qos->ucast.cis == BT_ISO_QOS_CIS_UNSET)
1879 return false;
1880
1881 done:
1882 if (hci_cmd_sync_queue(hdev, set_cig_params_sync,
1883 UINT_PTR(qos->ucast.cig), NULL) < 0)
1884 return false;
1885
1886 return true;
1887 }
1888
hci_bind_cis(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,struct bt_iso_qos * qos)1889 struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst,
1890 __u8 dst_type, struct bt_iso_qos *qos)
1891 {
1892 struct hci_conn *cis;
1893
1894 cis = hci_conn_hash_lookup_cis(hdev, dst, dst_type, qos->ucast.cig,
1895 qos->ucast.cis);
1896 if (!cis) {
1897 cis = hci_conn_add_unset(hdev, CIS_LINK, dst,
1898 HCI_ROLE_MASTER);
1899 if (IS_ERR(cis))
1900 return cis;
1901 cis->cleanup = cis_cleanup;
1902 cis->dst_type = dst_type;
1903 cis->iso_qos.ucast.cig = BT_ISO_QOS_CIG_UNSET;
1904 cis->iso_qos.ucast.cis = BT_ISO_QOS_CIS_UNSET;
1905 }
1906
1907 if (cis->state == BT_CONNECTED)
1908 return cis;
1909
1910 /* Check if CIS has been set and the settings matches */
1911 if (cis->state == BT_BOUND &&
1912 !memcmp(&cis->iso_qos, qos, sizeof(*qos)))
1913 return cis;
1914
1915 /* Update LINK PHYs according to QoS preference */
1916 cis->le_tx_phy = qos->ucast.out.phy;
1917 cis->le_rx_phy = qos->ucast.in.phy;
1918
1919 /* If output interval is not set use the input interval as it cannot be
1920 * 0x000000.
1921 */
1922 if (!qos->ucast.out.interval)
1923 qos->ucast.out.interval = qos->ucast.in.interval;
1924
1925 /* If input interval is not set use the output interval as it cannot be
1926 * 0x000000.
1927 */
1928 if (!qos->ucast.in.interval)
1929 qos->ucast.in.interval = qos->ucast.out.interval;
1930
1931 /* If output latency is not set use the input latency as it cannot be
1932 * 0x0000.
1933 */
1934 if (!qos->ucast.out.latency)
1935 qos->ucast.out.latency = qos->ucast.in.latency;
1936
1937 /* If input latency is not set use the output latency as it cannot be
1938 * 0x0000.
1939 */
1940 if (!qos->ucast.in.latency)
1941 qos->ucast.in.latency = qos->ucast.out.latency;
1942
1943 if (!hci_le_set_cig_params(cis, qos)) {
1944 hci_conn_drop(cis);
1945 return ERR_PTR(-EINVAL);
1946 }
1947
1948 hci_conn_hold(cis);
1949
1950 cis->iso_qos = *qos;
1951 cis->state = BT_BOUND;
1952
1953 return cis;
1954 }
1955
hci_iso_setup_path(struct hci_conn * conn)1956 bool hci_iso_setup_path(struct hci_conn *conn)
1957 {
1958 struct hci_dev *hdev = conn->hdev;
1959 struct hci_cp_le_setup_iso_path cmd;
1960
1961 memset(&cmd, 0, sizeof(cmd));
1962
1963 if (conn->iso_qos.ucast.out.sdu) {
1964 cmd.handle = cpu_to_le16(conn->handle);
1965 cmd.direction = 0x00; /* Input (Host to Controller) */
1966 cmd.path = 0x00; /* HCI path if enabled */
1967 cmd.codec = 0x03; /* Transparent Data */
1968
1969 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
1970 &cmd) < 0)
1971 return false;
1972 }
1973
1974 if (conn->iso_qos.ucast.in.sdu) {
1975 cmd.handle = cpu_to_le16(conn->handle);
1976 cmd.direction = 0x01; /* Output (Controller to Host) */
1977 cmd.path = 0x00; /* HCI path if enabled */
1978 cmd.codec = 0x03; /* Transparent Data */
1979
1980 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
1981 &cmd) < 0)
1982 return false;
1983 }
1984
1985 return true;
1986 }
1987
hci_conn_check_create_cis(struct hci_conn * conn)1988 int hci_conn_check_create_cis(struct hci_conn *conn)
1989 {
1990 if (conn->type != CIS_LINK)
1991 return -EINVAL;
1992
1993 if (!conn->parent || conn->parent->state != BT_CONNECTED ||
1994 conn->state != BT_CONNECT || HCI_CONN_HANDLE_UNSET(conn->handle))
1995 return 1;
1996
1997 return 0;
1998 }
1999
hci_create_cis_sync(struct hci_dev * hdev,void * data)2000 static int hci_create_cis_sync(struct hci_dev *hdev, void *data)
2001 {
2002 return hci_le_create_cis_sync(hdev);
2003 }
2004
hci_le_create_cis_pending(struct hci_dev * hdev)2005 int hci_le_create_cis_pending(struct hci_dev *hdev)
2006 {
2007 struct hci_conn *conn;
2008 bool pending = false;
2009
2010 rcu_read_lock();
2011
2012 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
2013 if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) {
2014 rcu_read_unlock();
2015 return -EBUSY;
2016 }
2017
2018 if (!hci_conn_check_create_cis(conn))
2019 pending = true;
2020 }
2021
2022 rcu_read_unlock();
2023
2024 if (!pending)
2025 return 0;
2026
2027 /* Queue Create CIS */
2028 return hci_cmd_sync_queue(hdev, hci_create_cis_sync, NULL, NULL);
2029 }
2030
hci_iso_qos_setup(struct hci_dev * hdev,struct hci_conn * conn,struct bt_iso_io_qos * qos,__u8 phy)2031 static void hci_iso_qos_setup(struct hci_dev *hdev, struct hci_conn *conn,
2032 struct bt_iso_io_qos *qos, __u8 phy)
2033 {
2034 /* Only set MTU if PHY is enabled */
2035 if (!qos->sdu && qos->phy)
2036 qos->sdu = conn->mtu;
2037
2038 /* Use the same PHY as ACL if set to any */
2039 if (qos->phy == BT_ISO_PHY_ANY)
2040 qos->phy = phy;
2041
2042 /* Use LE ACL connection interval if not set */
2043 if (!qos->interval)
2044 /* ACL interval unit in 1.25 ms to us */
2045 qos->interval = conn->le_conn_interval * 1250;
2046
2047 /* Use LE ACL connection latency if not set */
2048 if (!qos->latency)
2049 qos->latency = conn->le_conn_latency;
2050 }
2051
create_big_sync(struct hci_dev * hdev,void * data)2052 static int create_big_sync(struct hci_dev *hdev, void *data)
2053 {
2054 struct hci_conn *conn = data;
2055 struct bt_iso_qos *qos = &conn->iso_qos;
2056 u16 interval, sync_interval = 0;
2057 u32 flags = 0;
2058 int err;
2059
2060 if (qos->bcast.out.phy == 0x02)
2061 flags |= MGMT_ADV_FLAG_SEC_2M;
2062
2063 /* Align intervals */
2064 interval = (qos->bcast.out.interval / 1250) * qos->bcast.sync_factor;
2065
2066 if (qos->bcast.bis)
2067 sync_interval = interval * 4;
2068
2069 err = hci_start_per_adv_sync(hdev, qos->bcast.bis, conn->sid,
2070 conn->le_per_adv_data_len,
2071 conn->le_per_adv_data, flags, interval,
2072 interval, sync_interval);
2073 if (err)
2074 return err;
2075
2076 return hci_le_create_big(conn, &conn->iso_qos);
2077 }
2078
hci_pa_create_sync(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,__u8 sid,struct bt_iso_qos * qos)2079 struct hci_conn *hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst,
2080 __u8 dst_type, __u8 sid,
2081 struct bt_iso_qos *qos)
2082 {
2083 struct hci_conn *conn;
2084
2085 bt_dev_dbg(hdev, "dst %pMR type %d sid %d", dst, dst_type, sid);
2086
2087 conn = hci_conn_add_unset(hdev, PA_LINK, dst, HCI_ROLE_SLAVE);
2088 if (IS_ERR(conn))
2089 return conn;
2090
2091 conn->iso_qos = *qos;
2092 conn->dst_type = dst_type;
2093 conn->sid = sid;
2094 conn->state = BT_LISTEN;
2095 conn->conn_timeout = msecs_to_jiffies(qos->bcast.sync_timeout * 10);
2096
2097 hci_conn_hold(conn);
2098
2099 hci_connect_pa_sync(hdev, conn);
2100
2101 return conn;
2102 }
2103
hci_conn_big_create_sync(struct hci_dev * hdev,struct hci_conn * hcon,struct bt_iso_qos * qos,__u16 sync_handle,__u8 num_bis,__u8 bis[])2104 int hci_conn_big_create_sync(struct hci_dev *hdev, struct hci_conn *hcon,
2105 struct bt_iso_qos *qos, __u16 sync_handle,
2106 __u8 num_bis, __u8 bis[])
2107 {
2108 int err;
2109
2110 if (num_bis < 0x01 || num_bis > ISO_MAX_NUM_BIS)
2111 return -EINVAL;
2112
2113 err = qos_set_big(hdev, qos);
2114 if (err)
2115 return err;
2116
2117 if (hcon) {
2118 /* Update hcon QoS */
2119 hcon->iso_qos = *qos;
2120
2121 hcon->num_bis = num_bis;
2122 memcpy(hcon->bis, bis, num_bis);
2123 hcon->conn_timeout = msecs_to_jiffies(qos->bcast.timeout * 10);
2124 }
2125
2126 return hci_connect_big_sync(hdev, hcon);
2127 }
2128
create_big_complete(struct hci_dev * hdev,void * data,int err)2129 static void create_big_complete(struct hci_dev *hdev, void *data, int err)
2130 {
2131 struct hci_conn *conn = data;
2132
2133 bt_dev_dbg(hdev, "conn %p", conn);
2134
2135 if (err) {
2136 bt_dev_err(hdev, "Unable to create BIG: %d", err);
2137 hci_connect_cfm(conn, err);
2138 hci_conn_del(conn);
2139 }
2140 }
2141
hci_bind_bis(struct hci_dev * hdev,bdaddr_t * dst,__u8 sid,struct bt_iso_qos * qos,__u8 base_len,__u8 * base)2142 struct hci_conn *hci_bind_bis(struct hci_dev *hdev, bdaddr_t *dst, __u8 sid,
2143 struct bt_iso_qos *qos,
2144 __u8 base_len, __u8 *base)
2145 {
2146 struct hci_conn *conn;
2147 struct hci_conn *parent;
2148 __u8 eir[HCI_MAX_PER_AD_LENGTH];
2149 struct hci_link *link;
2150
2151 /* Look for any BIS that is open for rebinding */
2152 conn = hci_conn_hash_lookup_big_state(hdev, qos->bcast.big, BT_OPEN,
2153 HCI_ROLE_MASTER);
2154 if (conn) {
2155 memcpy(qos, &conn->iso_qos, sizeof(*qos));
2156 conn->state = BT_CONNECTED;
2157 return conn;
2158 }
2159
2160 if (base_len && base)
2161 base_len = eir_append_service_data(eir, 0, 0x1851,
2162 base, base_len);
2163
2164 /* We need hci_conn object using the BDADDR_ANY as dst */
2165 conn = hci_add_bis(hdev, dst, sid, qos, base_len, eir);
2166 if (IS_ERR(conn))
2167 return conn;
2168
2169 /* Update LINK PHYs according to QoS preference */
2170 conn->le_tx_phy = qos->bcast.out.phy;
2171 conn->le_tx_phy = qos->bcast.out.phy;
2172
2173 /* Add Basic Announcement into Peridic Adv Data if BASE is set */
2174 if (base_len && base) {
2175 memcpy(conn->le_per_adv_data, eir, sizeof(eir));
2176 conn->le_per_adv_data_len = base_len;
2177 }
2178
2179 hci_iso_qos_setup(hdev, conn, &qos->bcast.out,
2180 conn->le_tx_phy ? conn->le_tx_phy :
2181 hdev->le_tx_def_phys);
2182
2183 conn->iso_qos = *qos;
2184 conn->state = BT_BOUND;
2185
2186 /* Link BISes together */
2187 parent = hci_conn_hash_lookup_big(hdev,
2188 conn->iso_qos.bcast.big);
2189 if (parent && parent != conn) {
2190 link = hci_conn_link(parent, conn);
2191 hci_conn_drop(conn);
2192 if (!link)
2193 return ERR_PTR(-ENOLINK);
2194 }
2195
2196 return conn;
2197 }
2198
bis_mark_per_adv(struct hci_conn * conn,void * data)2199 static void bis_mark_per_adv(struct hci_conn *conn, void *data)
2200 {
2201 struct iso_list_data *d = data;
2202
2203 /* Skip if not broadcast/ANY address */
2204 if (bacmp(&conn->dst, BDADDR_ANY))
2205 return;
2206
2207 if (d->big != conn->iso_qos.bcast.big ||
2208 d->bis == BT_ISO_QOS_BIS_UNSET ||
2209 d->bis != conn->iso_qos.bcast.bis)
2210 return;
2211
2212 set_bit(HCI_CONN_PER_ADV, &conn->flags);
2213 }
2214
hci_connect_bis(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,__u8 sid,struct bt_iso_qos * qos,__u8 base_len,__u8 * base)2215 struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst,
2216 __u8 dst_type, __u8 sid,
2217 struct bt_iso_qos *qos,
2218 __u8 base_len, __u8 *base)
2219 {
2220 struct hci_conn *conn;
2221 int err;
2222 struct iso_list_data data;
2223
2224 conn = hci_bind_bis(hdev, dst, sid, qos, base_len, base);
2225 if (IS_ERR(conn))
2226 return conn;
2227
2228 if (conn->state == BT_CONNECTED)
2229 return conn;
2230
2231 /* Check if SID needs to be allocated then search for the first
2232 * available.
2233 */
2234 if (conn->sid == HCI_SID_INVALID) {
2235 u8 sid;
2236
2237 for (sid = 0; sid <= 0x0f; sid++) {
2238 if (!hci_find_adv_sid(hdev, sid)) {
2239 conn->sid = sid;
2240 break;
2241 }
2242 }
2243 }
2244
2245 data.big = qos->bcast.big;
2246 data.bis = qos->bcast.bis;
2247
2248 /* Set HCI_CONN_PER_ADV for all bound connections, to mark that
2249 * the start periodic advertising and create BIG commands have
2250 * been queued
2251 */
2252 hci_conn_hash_list_state(hdev, bis_mark_per_adv, PA_LINK,
2253 BT_BOUND, &data);
2254
2255 /* Queue start periodic advertising and create BIG */
2256 err = hci_cmd_sync_queue(hdev, create_big_sync, conn,
2257 create_big_complete);
2258 if (err < 0) {
2259 hci_conn_drop(conn);
2260 return ERR_PTR(err);
2261 }
2262
2263 return conn;
2264 }
2265
hci_connect_cis(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,struct bt_iso_qos * qos)2266 struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst,
2267 __u8 dst_type, struct bt_iso_qos *qos)
2268 {
2269 struct hci_conn *le;
2270 struct hci_conn *cis;
2271 struct hci_link *link;
2272
2273 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
2274 le = hci_connect_le(hdev, dst, dst_type, false,
2275 BT_SECURITY_LOW,
2276 HCI_LE_CONN_TIMEOUT,
2277 HCI_ROLE_SLAVE, 0, 0);
2278 else
2279 le = hci_connect_le_scan(hdev, dst, dst_type,
2280 BT_SECURITY_LOW,
2281 HCI_LE_CONN_TIMEOUT,
2282 CONN_REASON_ISO_CONNECT);
2283 if (IS_ERR(le))
2284 return le;
2285
2286 hci_iso_qos_setup(hdev, le, &qos->ucast.out,
2287 le->le_tx_phy ? le->le_tx_phy : hdev->le_tx_def_phys);
2288 hci_iso_qos_setup(hdev, le, &qos->ucast.in,
2289 le->le_rx_phy ? le->le_rx_phy : hdev->le_rx_def_phys);
2290
2291 cis = hci_bind_cis(hdev, dst, dst_type, qos);
2292 if (IS_ERR(cis)) {
2293 hci_conn_drop(le);
2294 return cis;
2295 }
2296
2297 link = hci_conn_link(le, cis);
2298 hci_conn_drop(cis);
2299 if (!link) {
2300 hci_conn_drop(le);
2301 return ERR_PTR(-ENOLINK);
2302 }
2303
2304 cis->state = BT_CONNECT;
2305
2306 hci_le_create_cis_pending(hdev);
2307
2308 return cis;
2309 }
2310
2311 /* Check link security requirement */
hci_conn_check_link_mode(struct hci_conn * conn)2312 int hci_conn_check_link_mode(struct hci_conn *conn)
2313 {
2314 BT_DBG("hcon %p", conn);
2315
2316 /* In Secure Connections Only mode, it is required that Secure
2317 * Connections is used and the link is encrypted with AES-CCM
2318 * using a P-256 authenticated combination key.
2319 */
2320 if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) {
2321 if (!hci_conn_sc_enabled(conn) ||
2322 !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2323 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
2324 return 0;
2325 }
2326
2327 /* AES encryption is required for Level 4:
2328 *
2329 * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C
2330 * page 1319:
2331 *
2332 * 128-bit equivalent strength for link and encryption keys
2333 * required using FIPS approved algorithms (E0 not allowed,
2334 * SAFER+ not allowed, and P-192 not allowed; encryption key
2335 * not shortened)
2336 */
2337 if (conn->sec_level == BT_SECURITY_FIPS &&
2338 !test_bit(HCI_CONN_AES_CCM, &conn->flags)) {
2339 bt_dev_err(conn->hdev,
2340 "Invalid security: Missing AES-CCM usage");
2341 return 0;
2342 }
2343
2344 if (hci_conn_ssp_enabled(conn) &&
2345 !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2346 return 0;
2347
2348 return 1;
2349 }
2350
2351 /* Authenticate remote device */
hci_conn_auth(struct hci_conn * conn,__u8 sec_level,__u8 auth_type)2352 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
2353 {
2354 BT_DBG("hcon %p", conn);
2355
2356 if (conn->pending_sec_level > sec_level)
2357 sec_level = conn->pending_sec_level;
2358
2359 if (sec_level > conn->sec_level)
2360 conn->pending_sec_level = sec_level;
2361 else if (test_bit(HCI_CONN_AUTH, &conn->flags))
2362 return 1;
2363
2364 /* Make sure we preserve an existing MITM requirement*/
2365 auth_type |= (conn->auth_type & 0x01);
2366
2367 conn->auth_type = auth_type;
2368
2369 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2370 struct hci_cp_auth_requested cp;
2371
2372 cp.handle = cpu_to_le16(conn->handle);
2373 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
2374 sizeof(cp), &cp);
2375
2376 /* Set the ENCRYPT_PEND to trigger encryption after
2377 * authentication.
2378 */
2379 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2380 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2381 }
2382
2383 return 0;
2384 }
2385
2386 /* Encrypt the link */
hci_conn_encrypt(struct hci_conn * conn)2387 static void hci_conn_encrypt(struct hci_conn *conn)
2388 {
2389 BT_DBG("hcon %p", conn);
2390
2391 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2392 struct hci_cp_set_conn_encrypt cp;
2393 cp.handle = cpu_to_le16(conn->handle);
2394 cp.encrypt = 0x01;
2395 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2396 &cp);
2397 }
2398 }
2399
2400 /* Enable security */
hci_conn_security(struct hci_conn * conn,__u8 sec_level,__u8 auth_type,bool initiator)2401 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
2402 bool initiator)
2403 {
2404 BT_DBG("hcon %p", conn);
2405
2406 if (conn->type == LE_LINK)
2407 return smp_conn_security(conn, sec_level);
2408
2409 /* For sdp we don't need the link key. */
2410 if (sec_level == BT_SECURITY_SDP)
2411 return 1;
2412
2413 /* For non 2.1 devices and low security level we don't need the link
2414 key. */
2415 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
2416 return 1;
2417
2418 /* For other security levels we need the link key. */
2419 if (!test_bit(HCI_CONN_AUTH, &conn->flags))
2420 goto auth;
2421
2422 switch (conn->key_type) {
2423 case HCI_LK_AUTH_COMBINATION_P256:
2424 /* An authenticated FIPS approved combination key has
2425 * sufficient security for security level 4 or lower.
2426 */
2427 if (sec_level <= BT_SECURITY_FIPS)
2428 goto encrypt;
2429 break;
2430 case HCI_LK_AUTH_COMBINATION_P192:
2431 /* An authenticated combination key has sufficient security for
2432 * security level 3 or lower.
2433 */
2434 if (sec_level <= BT_SECURITY_HIGH)
2435 goto encrypt;
2436 break;
2437 case HCI_LK_UNAUTH_COMBINATION_P192:
2438 case HCI_LK_UNAUTH_COMBINATION_P256:
2439 /* An unauthenticated combination key has sufficient security
2440 * for security level 2 or lower.
2441 */
2442 if (sec_level <= BT_SECURITY_MEDIUM)
2443 goto encrypt;
2444 break;
2445 case HCI_LK_COMBINATION:
2446 /* A combination key has always sufficient security for the
2447 * security levels 2 or lower. High security level requires the
2448 * combination key is generated using maximum PIN code length
2449 * (16). For pre 2.1 units.
2450 */
2451 if (sec_level <= BT_SECURITY_MEDIUM || conn->pin_length == 16)
2452 goto encrypt;
2453 break;
2454 default:
2455 break;
2456 }
2457
2458 auth:
2459 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
2460 return 0;
2461
2462 if (initiator)
2463 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2464
2465 if (!hci_conn_auth(conn, sec_level, auth_type))
2466 return 0;
2467
2468 encrypt:
2469 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) {
2470 /* Ensure that the encryption key size has been read,
2471 * otherwise stall the upper layer responses.
2472 */
2473 if (!conn->enc_key_size)
2474 return 0;
2475
2476 /* Nothing else needed, all requirements are met */
2477 return 1;
2478 }
2479
2480 hci_conn_encrypt(conn);
2481 return 0;
2482 }
2483 EXPORT_SYMBOL(hci_conn_security);
2484
2485 /* Check secure link requirement */
hci_conn_check_secure(struct hci_conn * conn,__u8 sec_level)2486 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
2487 {
2488 BT_DBG("hcon %p", conn);
2489
2490 /* Accept if non-secure or higher security level is required */
2491 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
2492 return 1;
2493
2494 /* Accept if secure or higher security level is already present */
2495 if (conn->sec_level == BT_SECURITY_HIGH ||
2496 conn->sec_level == BT_SECURITY_FIPS)
2497 return 1;
2498
2499 /* Reject not secure link */
2500 return 0;
2501 }
2502 EXPORT_SYMBOL(hci_conn_check_secure);
2503
2504 /* Switch role */
hci_conn_switch_role(struct hci_conn * conn,__u8 role)2505 int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
2506 {
2507 BT_DBG("hcon %p", conn);
2508
2509 if (role == conn->role)
2510 return 1;
2511
2512 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
2513 struct hci_cp_switch_role cp;
2514 bacpy(&cp.bdaddr, &conn->dst);
2515 cp.role = role;
2516 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
2517 }
2518
2519 return 0;
2520 }
2521 EXPORT_SYMBOL(hci_conn_switch_role);
2522
2523 /* Enter active mode */
hci_conn_enter_active_mode(struct hci_conn * conn,__u8 force_active)2524 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
2525 {
2526 struct hci_dev *hdev = conn->hdev;
2527
2528 BT_DBG("hcon %p mode %d", conn, conn->mode);
2529
2530 if (conn->mode != HCI_CM_SNIFF)
2531 goto timer;
2532
2533 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
2534 goto timer;
2535
2536 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
2537 struct hci_cp_exit_sniff_mode cp;
2538 cp.handle = cpu_to_le16(conn->handle);
2539 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
2540 }
2541
2542 timer:
2543 if (hdev->idle_timeout > 0)
2544 queue_delayed_work(hdev->workqueue, &conn->idle_work,
2545 msecs_to_jiffies(hdev->idle_timeout));
2546 }
2547
2548 /* Drop all connection on the device */
hci_conn_hash_flush(struct hci_dev * hdev)2549 void hci_conn_hash_flush(struct hci_dev *hdev)
2550 {
2551 struct list_head *head = &hdev->conn_hash.list;
2552 struct hci_conn *conn;
2553
2554 BT_DBG("hdev %s", hdev->name);
2555
2556 /* We should not traverse the list here, because hci_conn_del
2557 * can remove extra links, which may cause the list traversal
2558 * to hit items that have already been released.
2559 */
2560 while ((conn = list_first_entry_or_null(head,
2561 struct hci_conn,
2562 list)) != NULL) {
2563 conn->state = BT_CLOSED;
2564 hci_disconn_cfm(conn, HCI_ERROR_LOCAL_HOST_TERM);
2565 hci_conn_del(conn);
2566 }
2567 }
2568
get_link_mode(struct hci_conn * conn)2569 static u32 get_link_mode(struct hci_conn *conn)
2570 {
2571 u32 link_mode = 0;
2572
2573 if (conn->role == HCI_ROLE_MASTER)
2574 link_mode |= HCI_LM_MASTER;
2575
2576 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2577 link_mode |= HCI_LM_ENCRYPT;
2578
2579 if (test_bit(HCI_CONN_AUTH, &conn->flags))
2580 link_mode |= HCI_LM_AUTH;
2581
2582 if (test_bit(HCI_CONN_SECURE, &conn->flags))
2583 link_mode |= HCI_LM_SECURE;
2584
2585 if (test_bit(HCI_CONN_FIPS, &conn->flags))
2586 link_mode |= HCI_LM_FIPS;
2587
2588 return link_mode;
2589 }
2590
hci_get_conn_list(void __user * arg)2591 int hci_get_conn_list(void __user *arg)
2592 {
2593 struct hci_conn *c;
2594 struct hci_conn_list_req req, *cl;
2595 struct hci_conn_info *ci;
2596 struct hci_dev *hdev;
2597 int n = 0, size, err;
2598
2599 if (copy_from_user(&req, arg, sizeof(req)))
2600 return -EFAULT;
2601
2602 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
2603 return -EINVAL;
2604
2605 size = sizeof(req) + req.conn_num * sizeof(*ci);
2606
2607 cl = kmalloc(size, GFP_KERNEL);
2608 if (!cl)
2609 return -ENOMEM;
2610
2611 hdev = hci_dev_get(req.dev_id);
2612 if (!hdev) {
2613 kfree(cl);
2614 return -ENODEV;
2615 }
2616
2617 ci = cl->conn_info;
2618
2619 hci_dev_lock(hdev);
2620 list_for_each_entry(c, &hdev->conn_hash.list, list) {
2621 bacpy(&(ci + n)->bdaddr, &c->dst);
2622 (ci + n)->handle = c->handle;
2623 (ci + n)->type = c->type;
2624 (ci + n)->out = c->out;
2625 (ci + n)->state = c->state;
2626 (ci + n)->link_mode = get_link_mode(c);
2627 if (++n >= req.conn_num)
2628 break;
2629 }
2630 hci_dev_unlock(hdev);
2631
2632 cl->dev_id = hdev->id;
2633 cl->conn_num = n;
2634 size = sizeof(req) + n * sizeof(*ci);
2635
2636 hci_dev_put(hdev);
2637
2638 err = copy_to_user(arg, cl, size);
2639 kfree(cl);
2640
2641 return err ? -EFAULT : 0;
2642 }
2643
hci_get_conn_info(struct hci_dev * hdev,void __user * arg)2644 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
2645 {
2646 struct hci_conn_info_req req;
2647 struct hci_conn_info ci;
2648 struct hci_conn *conn;
2649 char __user *ptr = arg + sizeof(req);
2650
2651 if (copy_from_user(&req, arg, sizeof(req)))
2652 return -EFAULT;
2653
2654 hci_dev_lock(hdev);
2655 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
2656 if (conn) {
2657 bacpy(&ci.bdaddr, &conn->dst);
2658 ci.handle = conn->handle;
2659 ci.type = conn->type;
2660 ci.out = conn->out;
2661 ci.state = conn->state;
2662 ci.link_mode = get_link_mode(conn);
2663 }
2664 hci_dev_unlock(hdev);
2665
2666 if (!conn)
2667 return -ENOENT;
2668
2669 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
2670 }
2671
hci_get_auth_info(struct hci_dev * hdev,void __user * arg)2672 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
2673 {
2674 struct hci_auth_info_req req;
2675 struct hci_conn *conn;
2676
2677 if (copy_from_user(&req, arg, sizeof(req)))
2678 return -EFAULT;
2679
2680 hci_dev_lock(hdev);
2681 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
2682 if (conn)
2683 req.type = conn->auth_type;
2684 hci_dev_unlock(hdev);
2685
2686 if (!conn)
2687 return -ENOENT;
2688
2689 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
2690 }
2691
hci_chan_create(struct hci_conn * conn)2692 struct hci_chan *hci_chan_create(struct hci_conn *conn)
2693 {
2694 struct hci_dev *hdev = conn->hdev;
2695 struct hci_chan *chan;
2696
2697 BT_DBG("%s hcon %p", hdev->name, conn);
2698
2699 if (test_bit(HCI_CONN_DROP, &conn->flags)) {
2700 BT_DBG("Refusing to create new hci_chan");
2701 return NULL;
2702 }
2703
2704 chan = kzalloc(sizeof(*chan), GFP_KERNEL);
2705 if (!chan)
2706 return NULL;
2707
2708 chan->conn = hci_conn_get(conn);
2709 skb_queue_head_init(&chan->data_q);
2710 chan->state = BT_CONNECTED;
2711
2712 list_add_rcu(&chan->list, &conn->chan_list);
2713
2714 return chan;
2715 }
2716
hci_chan_del(struct hci_chan * chan)2717 void hci_chan_del(struct hci_chan *chan)
2718 {
2719 struct hci_conn *conn = chan->conn;
2720 struct hci_dev *hdev = conn->hdev;
2721
2722 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
2723
2724 list_del_rcu(&chan->list);
2725
2726 synchronize_rcu();
2727
2728 /* Prevent new hci_chan's to be created for this hci_conn */
2729 set_bit(HCI_CONN_DROP, &conn->flags);
2730
2731 hci_conn_put(conn);
2732
2733 skb_queue_purge(&chan->data_q);
2734 kfree(chan);
2735 }
2736
hci_chan_list_flush(struct hci_conn * conn)2737 void hci_chan_list_flush(struct hci_conn *conn)
2738 {
2739 struct hci_chan *chan, *n;
2740
2741 BT_DBG("hcon %p", conn);
2742
2743 list_for_each_entry_safe(chan, n, &conn->chan_list, list)
2744 hci_chan_del(chan);
2745 }
2746
__hci_chan_lookup_handle(struct hci_conn * hcon,__u16 handle)2747 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
2748 __u16 handle)
2749 {
2750 struct hci_chan *hchan;
2751
2752 list_for_each_entry(hchan, &hcon->chan_list, list) {
2753 if (hchan->handle == handle)
2754 return hchan;
2755 }
2756
2757 return NULL;
2758 }
2759
hci_chan_lookup_handle(struct hci_dev * hdev,__u16 handle)2760 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
2761 {
2762 struct hci_conn_hash *h = &hdev->conn_hash;
2763 struct hci_conn *hcon;
2764 struct hci_chan *hchan = NULL;
2765
2766 rcu_read_lock();
2767
2768 list_for_each_entry_rcu(hcon, &h->list, list) {
2769 hchan = __hci_chan_lookup_handle(hcon, handle);
2770 if (hchan)
2771 break;
2772 }
2773
2774 rcu_read_unlock();
2775
2776 return hchan;
2777 }
2778
hci_conn_get_phy(struct hci_conn * conn)2779 u32 hci_conn_get_phy(struct hci_conn *conn)
2780 {
2781 u32 phys = 0;
2782
2783 /* BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part B page 471:
2784 * Table 6.2: Packets defined for synchronous, asynchronous, and
2785 * CPB logical transport types.
2786 */
2787 switch (conn->type) {
2788 case SCO_LINK:
2789 /* SCO logical transport (1 Mb/s):
2790 * HV1, HV2, HV3 and DV.
2791 */
2792 phys |= BT_PHY_BR_1M_1SLOT;
2793
2794 break;
2795
2796 case ACL_LINK:
2797 /* ACL logical transport (1 Mb/s) ptt=0:
2798 * DH1, DM3, DH3, DM5 and DH5.
2799 */
2800 phys |= BT_PHY_BR_1M_1SLOT;
2801
2802 if (conn->pkt_type & (HCI_DM3 | HCI_DH3))
2803 phys |= BT_PHY_BR_1M_3SLOT;
2804
2805 if (conn->pkt_type & (HCI_DM5 | HCI_DH5))
2806 phys |= BT_PHY_BR_1M_5SLOT;
2807
2808 /* ACL logical transport (2 Mb/s) ptt=1:
2809 * 2-DH1, 2-DH3 and 2-DH5.
2810 */
2811 if (!(conn->pkt_type & HCI_2DH1))
2812 phys |= BT_PHY_EDR_2M_1SLOT;
2813
2814 if (!(conn->pkt_type & HCI_2DH3))
2815 phys |= BT_PHY_EDR_2M_3SLOT;
2816
2817 if (!(conn->pkt_type & HCI_2DH5))
2818 phys |= BT_PHY_EDR_2M_5SLOT;
2819
2820 /* ACL logical transport (3 Mb/s) ptt=1:
2821 * 3-DH1, 3-DH3 and 3-DH5.
2822 */
2823 if (!(conn->pkt_type & HCI_3DH1))
2824 phys |= BT_PHY_EDR_3M_1SLOT;
2825
2826 if (!(conn->pkt_type & HCI_3DH3))
2827 phys |= BT_PHY_EDR_3M_3SLOT;
2828
2829 if (!(conn->pkt_type & HCI_3DH5))
2830 phys |= BT_PHY_EDR_3M_5SLOT;
2831
2832 break;
2833
2834 case ESCO_LINK:
2835 /* eSCO logical transport (1 Mb/s): EV3, EV4 and EV5 */
2836 phys |= BT_PHY_BR_1M_1SLOT;
2837
2838 if (!(conn->pkt_type & (ESCO_EV4 | ESCO_EV5)))
2839 phys |= BT_PHY_BR_1M_3SLOT;
2840
2841 /* eSCO logical transport (2 Mb/s): 2-EV3, 2-EV5 */
2842 if (!(conn->pkt_type & ESCO_2EV3))
2843 phys |= BT_PHY_EDR_2M_1SLOT;
2844
2845 if (!(conn->pkt_type & ESCO_2EV5))
2846 phys |= BT_PHY_EDR_2M_3SLOT;
2847
2848 /* eSCO logical transport (3 Mb/s): 3-EV3, 3-EV5 */
2849 if (!(conn->pkt_type & ESCO_3EV3))
2850 phys |= BT_PHY_EDR_3M_1SLOT;
2851
2852 if (!(conn->pkt_type & ESCO_3EV5))
2853 phys |= BT_PHY_EDR_3M_3SLOT;
2854
2855 break;
2856
2857 case LE_LINK:
2858 if (conn->le_tx_phy & HCI_LE_SET_PHY_1M)
2859 phys |= BT_PHY_LE_1M_TX;
2860
2861 if (conn->le_rx_phy & HCI_LE_SET_PHY_1M)
2862 phys |= BT_PHY_LE_1M_RX;
2863
2864 if (conn->le_tx_phy & HCI_LE_SET_PHY_2M)
2865 phys |= BT_PHY_LE_2M_TX;
2866
2867 if (conn->le_rx_phy & HCI_LE_SET_PHY_2M)
2868 phys |= BT_PHY_LE_2M_RX;
2869
2870 if (conn->le_tx_phy & HCI_LE_SET_PHY_CODED)
2871 phys |= BT_PHY_LE_CODED_TX;
2872
2873 if (conn->le_rx_phy & HCI_LE_SET_PHY_CODED)
2874 phys |= BT_PHY_LE_CODED_RX;
2875
2876 break;
2877 }
2878
2879 return phys;
2880 }
2881
abort_conn_sync(struct hci_dev * hdev,void * data)2882 static int abort_conn_sync(struct hci_dev *hdev, void *data)
2883 {
2884 struct hci_conn *conn = data;
2885
2886 if (!hci_conn_valid(hdev, conn))
2887 return -ECANCELED;
2888
2889 return hci_abort_conn_sync(hdev, conn, conn->abort_reason);
2890 }
2891
hci_abort_conn(struct hci_conn * conn,u8 reason)2892 int hci_abort_conn(struct hci_conn *conn, u8 reason)
2893 {
2894 struct hci_dev *hdev = conn->hdev;
2895
2896 /* If abort_reason has already been set it means the connection is
2897 * already being aborted so don't attempt to overwrite it.
2898 */
2899 if (conn->abort_reason)
2900 return 0;
2901
2902 bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason);
2903
2904 conn->abort_reason = reason;
2905
2906 /* If the connection is pending check the command opcode since that
2907 * might be blocking on hci_cmd_sync_work while waiting its respective
2908 * event so we need to hci_cmd_sync_cancel to cancel it.
2909 *
2910 * hci_connect_le serializes the connection attempts so only one
2911 * connection can be in BT_CONNECT at time.
2912 */
2913 if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) {
2914 switch (hci_skb_event(hdev->sent_cmd)) {
2915 case HCI_EV_CONN_COMPLETE:
2916 case HCI_EV_LE_CONN_COMPLETE:
2917 case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
2918 case HCI_EVT_LE_CIS_ESTABLISHED:
2919 hci_cmd_sync_cancel(hdev, ECANCELED);
2920 break;
2921 }
2922 /* Cancel connect attempt if still queued/pending */
2923 } else if (!hci_cancel_connect_sync(hdev, conn)) {
2924 return 0;
2925 }
2926
2927 /* Run immediately if on cmd_sync_work since this may be called
2928 * as a result to MGMT_OP_DISCONNECT/MGMT_OP_UNPAIR which does
2929 * already queue its callback on cmd_sync_work.
2930 */
2931 return hci_cmd_sync_run_once(hdev, abort_conn_sync, conn, NULL);
2932 }
2933
hci_setup_tx_timestamp(struct sk_buff * skb,size_t key_offset,const struct sockcm_cookie * sockc)2934 void hci_setup_tx_timestamp(struct sk_buff *skb, size_t key_offset,
2935 const struct sockcm_cookie *sockc)
2936 {
2937 struct sock *sk = skb ? skb->sk : NULL;
2938 int key;
2939
2940 /* This shall be called on a single skb of those generated by user
2941 * sendmsg(), and only when the sendmsg() does not return error to
2942 * user. This is required for keeping the tskey that increments here in
2943 * sync with possible sendmsg() counting by user.
2944 *
2945 * Stream sockets shall set key_offset to sendmsg() length in bytes
2946 * and call with the last fragment, others to 1 and first fragment.
2947 */
2948
2949 if (!skb || !sockc || !sk || !key_offset)
2950 return;
2951
2952 sock_tx_timestamp(sk, sockc, &skb_shinfo(skb)->tx_flags);
2953
2954 if (sk->sk_type == SOCK_STREAM)
2955 key = atomic_add_return(key_offset, &sk->sk_tskey);
2956
2957 if (sockc->tsflags & SOF_TIMESTAMPING_OPT_ID &&
2958 sockc->tsflags & SOF_TIMESTAMPING_TX_RECORD_MASK) {
2959 if (sockc->tsflags & SOCKCM_FLAG_TS_OPT_ID) {
2960 skb_shinfo(skb)->tskey = sockc->ts_opt_id;
2961 } else {
2962 if (sk->sk_type != SOCK_STREAM)
2963 key = atomic_inc_return(&sk->sk_tskey);
2964 skb_shinfo(skb)->tskey = key - 1;
2965 }
2966 }
2967 }
2968
hci_conn_tx_queue(struct hci_conn * conn,struct sk_buff * skb)2969 void hci_conn_tx_queue(struct hci_conn *conn, struct sk_buff *skb)
2970 {
2971 struct tx_queue *comp = &conn->tx_q;
2972 bool track = false;
2973
2974 /* Emit SND now, ie. just before sending to driver */
2975 if (skb_shinfo(skb)->tx_flags & SKBTX_SW_TSTAMP)
2976 __skb_tstamp_tx(skb, NULL, NULL, skb->sk, SCM_TSTAMP_SND);
2977
2978 /* COMPLETION tstamp is emitted for tracked skb later in Number of
2979 * Completed Packets event. Available only for flow controlled cases.
2980 *
2981 * TODO: SCO support without flowctl (needs to be done in drivers)
2982 */
2983 switch (conn->type) {
2984 case CIS_LINK:
2985 case BIS_LINK:
2986 case PA_LINK:
2987 case ACL_LINK:
2988 case LE_LINK:
2989 break;
2990 case SCO_LINK:
2991 case ESCO_LINK:
2992 if (!hci_dev_test_flag(conn->hdev, HCI_SCO_FLOWCTL))
2993 return;
2994 break;
2995 default:
2996 return;
2997 }
2998
2999 if (skb->sk && (skb_shinfo(skb)->tx_flags & SKBTX_COMPLETION_TSTAMP))
3000 track = true;
3001
3002 /* If nothing is tracked, just count extra skbs at the queue head */
3003 if (!track && !comp->tracked) {
3004 comp->extra++;
3005 return;
3006 }
3007
3008 if (track) {
3009 skb = skb_clone_sk(skb);
3010 if (!skb)
3011 goto count_only;
3012
3013 comp->tracked++;
3014 } else {
3015 skb = skb_clone(skb, GFP_KERNEL);
3016 if (!skb)
3017 goto count_only;
3018 }
3019
3020 skb_queue_tail(&comp->queue, skb);
3021 return;
3022
3023 count_only:
3024 /* Stop tracking skbs, and only count. This will not emit timestamps for
3025 * the packets, but if we get here something is more seriously wrong.
3026 */
3027 comp->tracked = 0;
3028 comp->extra += skb_queue_len(&comp->queue) + 1;
3029 skb_queue_purge(&comp->queue);
3030 }
3031
hci_conn_tx_dequeue(struct hci_conn * conn)3032 void hci_conn_tx_dequeue(struct hci_conn *conn)
3033 {
3034 struct tx_queue *comp = &conn->tx_q;
3035 struct sk_buff *skb;
3036
3037 /* If there are tracked skbs, the counted extra go before dequeuing real
3038 * skbs, to keep ordering. When nothing is tracked, the ordering doesn't
3039 * matter so dequeue real skbs first to get rid of them ASAP.
3040 */
3041 if (comp->extra && (comp->tracked || skb_queue_empty(&comp->queue))) {
3042 comp->extra--;
3043 return;
3044 }
3045
3046 skb = skb_dequeue(&comp->queue);
3047 if (!skb)
3048 return;
3049
3050 if (skb->sk) {
3051 comp->tracked--;
3052 __skb_tstamp_tx(skb, NULL, NULL, skb->sk,
3053 SCM_TSTAMP_COMPLETION);
3054 }
3055
3056 kfree_skb(skb);
3057 }
3058
hci_conn_key_enc_size(struct hci_conn * conn)3059 u8 *hci_conn_key_enc_size(struct hci_conn *conn)
3060 {
3061 if (conn->type == ACL_LINK) {
3062 struct link_key *key;
3063
3064 key = hci_find_link_key(conn->hdev, &conn->dst);
3065 if (!key)
3066 return NULL;
3067
3068 return &key->pin_len;
3069 } else if (conn->type == LE_LINK) {
3070 struct smp_ltk *ltk;
3071
3072 ltk = hci_find_ltk(conn->hdev, &conn->dst, conn->dst_type,
3073 conn->role);
3074 if (!ltk)
3075 return NULL;
3076
3077 return <k->enc_size;
3078 }
3079
3080 return NULL;
3081 }
3082
hci_ethtool_ts_info(unsigned int index,int sk_proto,struct kernel_ethtool_ts_info * info)3083 int hci_ethtool_ts_info(unsigned int index, int sk_proto,
3084 struct kernel_ethtool_ts_info *info)
3085 {
3086 struct hci_dev *hdev;
3087
3088 hdev = hci_dev_get(index);
3089 if (!hdev)
3090 return -ENODEV;
3091
3092 info->so_timestamping =
3093 SOF_TIMESTAMPING_RX_SOFTWARE |
3094 SOF_TIMESTAMPING_SOFTWARE;
3095 info->phc_index = -1;
3096 info->tx_types = BIT(HWTSTAMP_TX_OFF);
3097 info->rx_filters = BIT(HWTSTAMP_FILTER_NONE);
3098
3099 switch (sk_proto) {
3100 case BTPROTO_ISO:
3101 case BTPROTO_L2CAP:
3102 info->so_timestamping |= SOF_TIMESTAMPING_TX_SOFTWARE;
3103 info->so_timestamping |= SOF_TIMESTAMPING_TX_COMPLETION;
3104 break;
3105 case BTPROTO_SCO:
3106 info->so_timestamping |= SOF_TIMESTAMPING_TX_SOFTWARE;
3107 if (hci_dev_test_flag(hdev, HCI_SCO_FLOWCTL))
3108 info->so_timestamping |= SOF_TIMESTAMPING_TX_COMPLETION;
3109 break;
3110 }
3111
3112 hci_dev_put(hdev);
3113 return 0;
3114 }
3115