1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4 Copyright 2023-2024 NXP
5
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
11
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
24 */
25
26 /* Bluetooth HCI connection handling. */
27
28 #include <linux/export.h>
29 #include <linux/debugfs.h>
30 #include <linux/errqueue.h>
31
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/l2cap.h>
35 #include <net/bluetooth/iso.h>
36 #include <net/bluetooth/mgmt.h>
37
38 #include "smp.h"
39 #include "eir.h"
40
41 struct sco_param {
42 u16 pkt_type;
43 u16 max_latency;
44 u8 retrans_effort;
45 };
46
47 struct conn_handle_t {
48 struct hci_conn *conn;
49 __u16 handle;
50 };
51
52 static const struct sco_param esco_param_cvsd[] = {
53 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */
54 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */
55 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */
56 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */
57 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */
58 };
59
60 static const struct sco_param sco_param_cvsd[] = {
61 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */
62 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */
63 };
64
65 static const struct sco_param esco_param_msbc[] = {
66 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */
67 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */
68 };
69
70 /* This function requires the caller holds hdev->lock */
hci_connect_le_scan_cleanup(struct hci_conn * conn,u8 status)71 void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
72 {
73 struct hci_conn_params *params;
74 struct hci_dev *hdev = conn->hdev;
75 struct smp_irk *irk;
76 bdaddr_t *bdaddr;
77 u8 bdaddr_type;
78
79 bdaddr = &conn->dst;
80 bdaddr_type = conn->dst_type;
81
82 /* Check if we need to convert to identity address */
83 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
84 if (irk) {
85 bdaddr = &irk->bdaddr;
86 bdaddr_type = irk->addr_type;
87 }
88
89 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr,
90 bdaddr_type);
91 if (!params)
92 return;
93
94 if (params->conn) {
95 hci_conn_drop(params->conn);
96 hci_conn_put(params->conn);
97 params->conn = NULL;
98 }
99
100 if (!params->explicit_connect)
101 return;
102
103 /* If the status indicates successful cancellation of
104 * the attempt (i.e. Unknown Connection Id) there's no point of
105 * notifying failure since we'll go back to keep trying to
106 * connect. The only exception is explicit connect requests
107 * where a timeout + cancel does indicate an actual failure.
108 */
109 if (status && status != HCI_ERROR_UNKNOWN_CONN_ID)
110 mgmt_connect_failed(hdev, conn, status);
111
112 /* The connection attempt was doing scan for new RPA, and is
113 * in scan phase. If params are not associated with any other
114 * autoconnect action, remove them completely. If they are, just unmark
115 * them as waiting for connection, by clearing explicit_connect field.
116 */
117 params->explicit_connect = false;
118
119 hci_pend_le_list_del_init(params);
120
121 switch (params->auto_connect) {
122 case HCI_AUTO_CONN_EXPLICIT:
123 hci_conn_params_del(hdev, bdaddr, bdaddr_type);
124 /* return instead of break to avoid duplicate scan update */
125 return;
126 case HCI_AUTO_CONN_DIRECT:
127 case HCI_AUTO_CONN_ALWAYS:
128 hci_pend_le_list_add(params, &hdev->pend_le_conns);
129 break;
130 case HCI_AUTO_CONN_REPORT:
131 hci_pend_le_list_add(params, &hdev->pend_le_reports);
132 break;
133 default:
134 break;
135 }
136
137 hci_update_passive_scan(hdev);
138 }
139
hci_conn_cleanup(struct hci_conn * conn)140 static void hci_conn_cleanup(struct hci_conn *conn)
141 {
142 struct hci_dev *hdev = conn->hdev;
143
144 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
145 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);
146
147 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
148 hci_remove_link_key(hdev, &conn->dst);
149
150 hci_chan_list_flush(conn);
151
152 if (HCI_CONN_HANDLE_UNSET(conn->handle))
153 ida_free(&hdev->unset_handle_ida, conn->handle);
154
155 if (conn->cleanup)
156 conn->cleanup(conn);
157
158 if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
159 switch (conn->setting & SCO_AIRMODE_MASK) {
160 case SCO_AIRMODE_CVSD:
161 case SCO_AIRMODE_TRANSP:
162 if (hdev->notify)
163 hdev->notify(hdev, HCI_NOTIFY_DISABLE_SCO);
164 break;
165 }
166 } else {
167 if (hdev->notify)
168 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
169 }
170
171 debugfs_remove_recursive(conn->debugfs);
172
173 hci_conn_del_sysfs(conn);
174
175 hci_dev_put(hdev);
176 }
177
hci_disconnect(struct hci_conn * conn,__u8 reason)178 int hci_disconnect(struct hci_conn *conn, __u8 reason)
179 {
180 BT_DBG("hcon %p", conn);
181
182 /* When we are central of an established connection and it enters
183 * the disconnect timeout, then go ahead and try to read the
184 * current clock offset. Processing of the result is done
185 * within the event handling and hci_clock_offset_evt function.
186 */
187 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER &&
188 (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) {
189 struct hci_dev *hdev = conn->hdev;
190 struct hci_cp_read_clock_offset clkoff_cp;
191
192 clkoff_cp.handle = cpu_to_le16(conn->handle);
193 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp),
194 &clkoff_cp);
195 }
196
197 return hci_abort_conn(conn, reason);
198 }
199
hci_add_sco(struct hci_conn * conn,__u16 handle)200 static void hci_add_sco(struct hci_conn *conn, __u16 handle)
201 {
202 struct hci_dev *hdev = conn->hdev;
203 struct hci_cp_add_sco cp;
204
205 BT_DBG("hcon %p", conn);
206
207 conn->state = BT_CONNECT;
208 conn->out = true;
209
210 conn->attempt++;
211
212 cp.handle = cpu_to_le16(handle);
213 cp.pkt_type = cpu_to_le16(conn->pkt_type);
214
215 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
216 }
217
find_next_esco_param(struct hci_conn * conn,const struct sco_param * esco_param,int size)218 static bool find_next_esco_param(struct hci_conn *conn,
219 const struct sco_param *esco_param, int size)
220 {
221 if (!conn->parent)
222 return false;
223
224 for (; conn->attempt <= size; conn->attempt++) {
225 if (lmp_esco_2m_capable(conn->parent) ||
226 (esco_param[conn->attempt - 1].pkt_type & ESCO_2EV3))
227 break;
228 BT_DBG("hcon %p skipped attempt %d, eSCO 2M not supported",
229 conn, conn->attempt);
230 }
231
232 return conn->attempt <= size;
233 }
234
configure_datapath_sync(struct hci_dev * hdev,struct bt_codec * codec)235 static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec)
236 {
237 int err;
238 __u8 vnd_len, *vnd_data = NULL;
239 struct hci_op_configure_data_path *cmd = NULL;
240
241 /* Do not take below 2 checks as error since the 1st means user do not
242 * want to use HFP offload mode and the 2nd means the vendor controller
243 * do not need to send below HCI command for offload mode.
244 */
245 if (!codec->data_path || !hdev->get_codec_config_data)
246 return 0;
247
248 err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len,
249 &vnd_data);
250 if (err < 0)
251 goto error;
252
253 cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL);
254 if (!cmd) {
255 err = -ENOMEM;
256 goto error;
257 }
258
259 err = hdev->get_data_path_id(hdev, &cmd->data_path_id);
260 if (err < 0)
261 goto error;
262
263 cmd->vnd_len = vnd_len;
264 memcpy(cmd->vnd_data, vnd_data, vnd_len);
265
266 cmd->direction = 0x00;
267 __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
268 sizeof(*cmd) + vnd_len, cmd, HCI_CMD_TIMEOUT);
269
270 cmd->direction = 0x01;
271 err = __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
272 sizeof(*cmd) + vnd_len, cmd,
273 HCI_CMD_TIMEOUT);
274 error:
275
276 kfree(cmd);
277 kfree(vnd_data);
278 return err;
279 }
280
hci_enhanced_setup_sync(struct hci_dev * hdev,void * data)281 static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data)
282 {
283 struct conn_handle_t *conn_handle = data;
284 struct hci_conn *conn = conn_handle->conn;
285 __u16 handle = conn_handle->handle;
286 struct hci_cp_enhanced_setup_sync_conn cp;
287 const struct sco_param *param;
288
289 kfree(conn_handle);
290
291 if (!hci_conn_valid(hdev, conn))
292 return -ECANCELED;
293
294 bt_dev_dbg(hdev, "hcon %p", conn);
295
296 configure_datapath_sync(hdev, &conn->codec);
297
298 conn->state = BT_CONNECT;
299 conn->out = true;
300
301 conn->attempt++;
302
303 memset(&cp, 0x00, sizeof(cp));
304
305 cp.handle = cpu_to_le16(handle);
306
307 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
308 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
309
310 switch (conn->codec.id) {
311 case BT_CODEC_MSBC:
312 if (!find_next_esco_param(conn, esco_param_msbc,
313 ARRAY_SIZE(esco_param_msbc)))
314 return -EINVAL;
315
316 param = &esco_param_msbc[conn->attempt - 1];
317 cp.tx_coding_format.id = 0x05;
318 cp.rx_coding_format.id = 0x05;
319 cp.tx_codec_frame_size = __cpu_to_le16(60);
320 cp.rx_codec_frame_size = __cpu_to_le16(60);
321 cp.in_bandwidth = __cpu_to_le32(32000);
322 cp.out_bandwidth = __cpu_to_le32(32000);
323 cp.in_coding_format.id = 0x04;
324 cp.out_coding_format.id = 0x04;
325 cp.in_coded_data_size = __cpu_to_le16(16);
326 cp.out_coded_data_size = __cpu_to_le16(16);
327 cp.in_pcm_data_format = 2;
328 cp.out_pcm_data_format = 2;
329 cp.in_pcm_sample_payload_msb_pos = 0;
330 cp.out_pcm_sample_payload_msb_pos = 0;
331 cp.in_data_path = conn->codec.data_path;
332 cp.out_data_path = conn->codec.data_path;
333 cp.in_transport_unit_size = 1;
334 cp.out_transport_unit_size = 1;
335 break;
336
337 case BT_CODEC_TRANSPARENT:
338 if (!find_next_esco_param(conn, esco_param_msbc,
339 ARRAY_SIZE(esco_param_msbc)))
340 return -EINVAL;
341
342 param = &esco_param_msbc[conn->attempt - 1];
343 cp.tx_coding_format.id = 0x03;
344 cp.rx_coding_format.id = 0x03;
345 cp.tx_codec_frame_size = __cpu_to_le16(60);
346 cp.rx_codec_frame_size = __cpu_to_le16(60);
347 cp.in_bandwidth = __cpu_to_le32(0x1f40);
348 cp.out_bandwidth = __cpu_to_le32(0x1f40);
349 cp.in_coding_format.id = 0x03;
350 cp.out_coding_format.id = 0x03;
351 cp.in_coded_data_size = __cpu_to_le16(16);
352 cp.out_coded_data_size = __cpu_to_le16(16);
353 cp.in_pcm_data_format = 2;
354 cp.out_pcm_data_format = 2;
355 cp.in_pcm_sample_payload_msb_pos = 0;
356 cp.out_pcm_sample_payload_msb_pos = 0;
357 cp.in_data_path = conn->codec.data_path;
358 cp.out_data_path = conn->codec.data_path;
359 cp.in_transport_unit_size = 1;
360 cp.out_transport_unit_size = 1;
361 break;
362
363 case BT_CODEC_CVSD:
364 if (conn->parent && lmp_esco_capable(conn->parent)) {
365 if (!find_next_esco_param(conn, esco_param_cvsd,
366 ARRAY_SIZE(esco_param_cvsd)))
367 return -EINVAL;
368 param = &esco_param_cvsd[conn->attempt - 1];
369 } else {
370 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
371 return -EINVAL;
372 param = &sco_param_cvsd[conn->attempt - 1];
373 }
374 cp.tx_coding_format.id = 2;
375 cp.rx_coding_format.id = 2;
376 cp.tx_codec_frame_size = __cpu_to_le16(60);
377 cp.rx_codec_frame_size = __cpu_to_le16(60);
378 cp.in_bandwidth = __cpu_to_le32(16000);
379 cp.out_bandwidth = __cpu_to_le32(16000);
380 cp.in_coding_format.id = 4;
381 cp.out_coding_format.id = 4;
382 cp.in_coded_data_size = __cpu_to_le16(16);
383 cp.out_coded_data_size = __cpu_to_le16(16);
384 cp.in_pcm_data_format = 2;
385 cp.out_pcm_data_format = 2;
386 cp.in_pcm_sample_payload_msb_pos = 0;
387 cp.out_pcm_sample_payload_msb_pos = 0;
388 cp.in_data_path = conn->codec.data_path;
389 cp.out_data_path = conn->codec.data_path;
390 cp.in_transport_unit_size = 16;
391 cp.out_transport_unit_size = 16;
392 break;
393 default:
394 return -EINVAL;
395 }
396
397 cp.retrans_effort = param->retrans_effort;
398 cp.pkt_type = __cpu_to_le16(param->pkt_type);
399 cp.max_latency = __cpu_to_le16(param->max_latency);
400
401 if (hci_send_cmd(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
402 return -EIO;
403
404 return 0;
405 }
406
hci_setup_sync_conn(struct hci_conn * conn,__u16 handle)407 static bool hci_setup_sync_conn(struct hci_conn *conn, __u16 handle)
408 {
409 struct hci_dev *hdev = conn->hdev;
410 struct hci_cp_setup_sync_conn cp;
411 const struct sco_param *param;
412
413 bt_dev_dbg(hdev, "hcon %p", conn);
414
415 conn->state = BT_CONNECT;
416 conn->out = true;
417
418 conn->attempt++;
419
420 cp.handle = cpu_to_le16(handle);
421
422 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
423 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
424 cp.voice_setting = cpu_to_le16(conn->setting);
425
426 switch (conn->setting & SCO_AIRMODE_MASK) {
427 case SCO_AIRMODE_TRANSP:
428 if (!find_next_esco_param(conn, esco_param_msbc,
429 ARRAY_SIZE(esco_param_msbc)))
430 return false;
431 param = &esco_param_msbc[conn->attempt - 1];
432 break;
433 case SCO_AIRMODE_CVSD:
434 if (conn->parent && lmp_esco_capable(conn->parent)) {
435 if (!find_next_esco_param(conn, esco_param_cvsd,
436 ARRAY_SIZE(esco_param_cvsd)))
437 return false;
438 param = &esco_param_cvsd[conn->attempt - 1];
439 } else {
440 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
441 return false;
442 param = &sco_param_cvsd[conn->attempt - 1];
443 }
444 break;
445 default:
446 return false;
447 }
448
449 cp.retrans_effort = param->retrans_effort;
450 cp.pkt_type = __cpu_to_le16(param->pkt_type);
451 cp.max_latency = __cpu_to_le16(param->max_latency);
452
453 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
454 return false;
455
456 return true;
457 }
458
hci_setup_sync(struct hci_conn * conn,__u16 handle)459 bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
460 {
461 int result;
462 struct conn_handle_t *conn_handle;
463
464 if (enhanced_sync_conn_capable(conn->hdev)) {
465 conn_handle = kzalloc(sizeof(*conn_handle), GFP_KERNEL);
466
467 if (!conn_handle)
468 return false;
469
470 conn_handle->conn = conn;
471 conn_handle->handle = handle;
472 result = hci_cmd_sync_queue(conn->hdev, hci_enhanced_setup_sync,
473 conn_handle, NULL);
474 if (result < 0)
475 kfree(conn_handle);
476
477 return result == 0;
478 }
479
480 return hci_setup_sync_conn(conn, handle);
481 }
482
hci_le_conn_update(struct hci_conn * conn,u16 min,u16 max,u16 latency,u16 to_multiplier)483 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
484 u16 to_multiplier)
485 {
486 struct hci_dev *hdev = conn->hdev;
487 struct hci_conn_params *params;
488 struct hci_cp_le_conn_update cp;
489
490 hci_dev_lock(hdev);
491
492 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
493 if (params) {
494 params->conn_min_interval = min;
495 params->conn_max_interval = max;
496 params->conn_latency = latency;
497 params->supervision_timeout = to_multiplier;
498 }
499
500 hci_dev_unlock(hdev);
501
502 memset(&cp, 0, sizeof(cp));
503 cp.handle = cpu_to_le16(conn->handle);
504 cp.conn_interval_min = cpu_to_le16(min);
505 cp.conn_interval_max = cpu_to_le16(max);
506 cp.conn_latency = cpu_to_le16(latency);
507 cp.supervision_timeout = cpu_to_le16(to_multiplier);
508 cp.min_ce_len = cpu_to_le16(0x0000);
509 cp.max_ce_len = cpu_to_le16(0x0000);
510
511 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
512
513 if (params)
514 return 0x01;
515
516 return 0x00;
517 }
518
hci_le_start_enc(struct hci_conn * conn,__le16 ediv,__le64 rand,__u8 ltk[16],__u8 key_size)519 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
520 __u8 ltk[16], __u8 key_size)
521 {
522 struct hci_dev *hdev = conn->hdev;
523 struct hci_cp_le_start_enc cp;
524
525 BT_DBG("hcon %p", conn);
526
527 memset(&cp, 0, sizeof(cp));
528
529 cp.handle = cpu_to_le16(conn->handle);
530 cp.rand = rand;
531 cp.ediv = ediv;
532 memcpy(cp.ltk, ltk, key_size);
533
534 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
535 }
536
537 /* Device _must_ be locked */
hci_sco_setup(struct hci_conn * conn,__u8 status)538 void hci_sco_setup(struct hci_conn *conn, __u8 status)
539 {
540 struct hci_link *link;
541
542 link = list_first_entry_or_null(&conn->link_list, struct hci_link, list);
543 if (!link || !link->conn)
544 return;
545
546 BT_DBG("hcon %p", conn);
547
548 if (!status) {
549 if (lmp_esco_capable(conn->hdev))
550 hci_setup_sync(link->conn, conn->handle);
551 else
552 hci_add_sco(link->conn, conn->handle);
553 } else {
554 hci_connect_cfm(link->conn, status);
555 hci_conn_del(link->conn);
556 }
557 }
558
hci_conn_timeout(struct work_struct * work)559 static void hci_conn_timeout(struct work_struct *work)
560 {
561 struct hci_conn *conn = container_of(work, struct hci_conn,
562 disc_work.work);
563 int refcnt = atomic_read(&conn->refcnt);
564
565 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
566
567 WARN_ON(refcnt < 0);
568
569 /* FIXME: It was observed that in pairing failed scenario, refcnt
570 * drops below 0. Probably this is because l2cap_conn_del calls
571 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
572 * dropped. After that loop hci_chan_del is called which also drops
573 * conn. For now make sure that ACL is alive if refcnt is higher then 0,
574 * otherwise drop it.
575 */
576 if (refcnt > 0)
577 return;
578
579 hci_abort_conn(conn, hci_proto_disconn_ind(conn));
580 }
581
582 /* Enter sniff mode */
hci_conn_idle(struct work_struct * work)583 static void hci_conn_idle(struct work_struct *work)
584 {
585 struct hci_conn *conn = container_of(work, struct hci_conn,
586 idle_work.work);
587 struct hci_dev *hdev = conn->hdev;
588
589 BT_DBG("hcon %p mode %d", conn, conn->mode);
590
591 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
592 return;
593
594 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
595 return;
596
597 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
598 struct hci_cp_sniff_subrate cp;
599 cp.handle = cpu_to_le16(conn->handle);
600 cp.max_latency = cpu_to_le16(0);
601 cp.min_remote_timeout = cpu_to_le16(0);
602 cp.min_local_timeout = cpu_to_le16(0);
603 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
604 }
605
606 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
607 struct hci_cp_sniff_mode cp;
608 cp.handle = cpu_to_le16(conn->handle);
609 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
610 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
611 cp.attempt = cpu_to_le16(4);
612 cp.timeout = cpu_to_le16(1);
613 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
614 }
615 }
616
hci_conn_auto_accept(struct work_struct * work)617 static void hci_conn_auto_accept(struct work_struct *work)
618 {
619 struct hci_conn *conn = container_of(work, struct hci_conn,
620 auto_accept_work.work);
621
622 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
623 &conn->dst);
624 }
625
le_disable_advertising(struct hci_dev * hdev)626 static void le_disable_advertising(struct hci_dev *hdev)
627 {
628 if (ext_adv_capable(hdev)) {
629 struct hci_cp_le_set_ext_adv_enable cp;
630
631 cp.enable = 0x00;
632 cp.num_of_sets = 0x00;
633
634 hci_send_cmd(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE, sizeof(cp),
635 &cp);
636 } else {
637 u8 enable = 0x00;
638 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
639 &enable);
640 }
641 }
642
le_conn_timeout(struct work_struct * work)643 static void le_conn_timeout(struct work_struct *work)
644 {
645 struct hci_conn *conn = container_of(work, struct hci_conn,
646 le_conn_timeout.work);
647 struct hci_dev *hdev = conn->hdev;
648
649 BT_DBG("");
650
651 /* We could end up here due to having done directed advertising,
652 * so clean up the state if necessary. This should however only
653 * happen with broken hardware or if low duty cycle was used
654 * (which doesn't have a timeout of its own).
655 */
656 if (conn->role == HCI_ROLE_SLAVE) {
657 /* Disable LE Advertising */
658 le_disable_advertising(hdev);
659 hci_dev_lock(hdev);
660 hci_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
661 hci_dev_unlock(hdev);
662 return;
663 }
664
665 hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
666 }
667
668 struct iso_list_data {
669 union {
670 u8 cig;
671 u8 big;
672 };
673 union {
674 u8 cis;
675 u8 bis;
676 u16 sync_handle;
677 };
678 int count;
679 bool big_term;
680 bool pa_sync_term;
681 bool big_sync_term;
682 };
683
bis_list(struct hci_conn * conn,void * data)684 static void bis_list(struct hci_conn *conn, void *data)
685 {
686 struct iso_list_data *d = data;
687
688 /* Skip if not broadcast/ANY address */
689 if (bacmp(&conn->dst, BDADDR_ANY))
690 return;
691
692 if (d->big != conn->iso_qos.bcast.big || d->bis == BT_ISO_QOS_BIS_UNSET ||
693 d->bis != conn->iso_qos.bcast.bis)
694 return;
695
696 d->count++;
697 }
698
terminate_big_sync(struct hci_dev * hdev,void * data)699 static int terminate_big_sync(struct hci_dev *hdev, void *data)
700 {
701 struct iso_list_data *d = data;
702
703 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", d->big, d->bis);
704
705 hci_disable_per_advertising_sync(hdev, d->bis);
706 hci_remove_ext_adv_instance_sync(hdev, d->bis, NULL);
707
708 /* Only terminate BIG if it has been created */
709 if (!d->big_term)
710 return 0;
711
712 return hci_le_terminate_big_sync(hdev, d->big,
713 HCI_ERROR_LOCAL_HOST_TERM);
714 }
715
terminate_big_destroy(struct hci_dev * hdev,void * data,int err)716 static void terminate_big_destroy(struct hci_dev *hdev, void *data, int err)
717 {
718 kfree(data);
719 }
720
hci_le_terminate_big(struct hci_dev * hdev,struct hci_conn * conn)721 static int hci_le_terminate_big(struct hci_dev *hdev, struct hci_conn *conn)
722 {
723 struct iso_list_data *d;
724 int ret;
725
726 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", conn->iso_qos.bcast.big,
727 conn->iso_qos.bcast.bis);
728
729 d = kzalloc(sizeof(*d), GFP_KERNEL);
730 if (!d)
731 return -ENOMEM;
732
733 d->big = conn->iso_qos.bcast.big;
734 d->bis = conn->iso_qos.bcast.bis;
735 d->big_term = test_and_clear_bit(HCI_CONN_BIG_CREATED, &conn->flags);
736
737 ret = hci_cmd_sync_queue(hdev, terminate_big_sync, d,
738 terminate_big_destroy);
739 if (ret)
740 kfree(d);
741
742 return ret;
743 }
744
big_terminate_sync(struct hci_dev * hdev,void * data)745 static int big_terminate_sync(struct hci_dev *hdev, void *data)
746 {
747 struct iso_list_data *d = data;
748
749 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", d->big,
750 d->sync_handle);
751
752 if (d->big_sync_term)
753 hci_le_big_terminate_sync(hdev, d->big);
754
755 if (d->pa_sync_term)
756 return hci_le_pa_terminate_sync(hdev, d->sync_handle);
757
758 return 0;
759 }
760
find_bis(struct hci_conn * conn,void * data)761 static void find_bis(struct hci_conn *conn, void *data)
762 {
763 struct iso_list_data *d = data;
764
765 /* Ignore if BIG doesn't match */
766 if (d->big != conn->iso_qos.bcast.big)
767 return;
768
769 d->count++;
770 }
771
hci_le_big_terminate(struct hci_dev * hdev,struct hci_conn * conn)772 static int hci_le_big_terminate(struct hci_dev *hdev, struct hci_conn *conn)
773 {
774 struct iso_list_data *d;
775 int ret;
776
777 bt_dev_dbg(hdev, "hcon %p big 0x%2.2x sync_handle 0x%4.4x", conn,
778 conn->iso_qos.bcast.big, conn->sync_handle);
779
780 d = kzalloc(sizeof(*d), GFP_KERNEL);
781 if (!d)
782 return -ENOMEM;
783
784 d->big = conn->iso_qos.bcast.big;
785 d->sync_handle = conn->sync_handle;
786
787 if (conn->type == PA_LINK &&
788 test_and_clear_bit(HCI_CONN_PA_SYNC, &conn->flags)) {
789 hci_conn_hash_list_flag(hdev, find_bis, PA_LINK,
790 HCI_CONN_PA_SYNC, d);
791
792 if (!d->count)
793 d->pa_sync_term = true;
794
795 d->count = 0;
796 }
797
798 if (test_and_clear_bit(HCI_CONN_BIG_SYNC, &conn->flags)) {
799 hci_conn_hash_list_flag(hdev, find_bis, BIS_LINK,
800 HCI_CONN_BIG_SYNC, d);
801
802 if (!d->count)
803 d->big_sync_term = true;
804 }
805
806 if (!d->pa_sync_term && !d->big_sync_term)
807 return 0;
808
809 ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d,
810 terminate_big_destroy);
811 if (ret)
812 kfree(d);
813
814 return ret;
815 }
816
817 /* Cleanup BIS connection
818 *
819 * Detects if there any BIS left connected in a BIG
820 * broadcaster: Remove advertising instance and terminate BIG.
821 * broadcaster receiver: Terminate BIG sync and terminate PA sync.
822 */
bis_cleanup(struct hci_conn * conn)823 static void bis_cleanup(struct hci_conn *conn)
824 {
825 struct hci_dev *hdev = conn->hdev;
826 struct hci_conn *bis;
827
828 bt_dev_dbg(hdev, "conn %p", conn);
829
830 if (conn->role == HCI_ROLE_MASTER) {
831 if (!test_and_clear_bit(HCI_CONN_PER_ADV, &conn->flags))
832 return;
833
834 /* Check if ISO connection is a BIS and terminate advertising
835 * set and BIG if there are no other connections using it.
836 */
837 bis = hci_conn_hash_lookup_big_state(hdev,
838 conn->iso_qos.bcast.big,
839 BT_CONNECTED,
840 HCI_ROLE_MASTER);
841 if (bis)
842 return;
843
844 bis = hci_conn_hash_lookup_big_state(hdev,
845 conn->iso_qos.bcast.big,
846 BT_CONNECT,
847 HCI_ROLE_MASTER);
848 if (bis)
849 return;
850
851 bis = hci_conn_hash_lookup_big_state(hdev,
852 conn->iso_qos.bcast.big,
853 BT_OPEN,
854 HCI_ROLE_MASTER);
855 if (bis)
856 return;
857
858 hci_le_terminate_big(hdev, conn);
859 } else {
860 hci_le_big_terminate(hdev, conn);
861 }
862 }
863
remove_cig_sync(struct hci_dev * hdev,void * data)864 static int remove_cig_sync(struct hci_dev *hdev, void *data)
865 {
866 u8 handle = PTR_UINT(data);
867
868 return hci_le_remove_cig_sync(hdev, handle);
869 }
870
hci_le_remove_cig(struct hci_dev * hdev,u8 handle)871 static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle)
872 {
873 bt_dev_dbg(hdev, "handle 0x%2.2x", handle);
874
875 return hci_cmd_sync_queue(hdev, remove_cig_sync, UINT_PTR(handle),
876 NULL);
877 }
878
find_cis(struct hci_conn * conn,void * data)879 static void find_cis(struct hci_conn *conn, void *data)
880 {
881 struct iso_list_data *d = data;
882
883 /* Ignore broadcast or if CIG don't match */
884 if (!bacmp(&conn->dst, BDADDR_ANY) || d->cig != conn->iso_qos.ucast.cig)
885 return;
886
887 d->count++;
888 }
889
890 /* Cleanup CIS connection:
891 *
892 * Detects if there any CIS left connected in a CIG and remove it.
893 */
cis_cleanup(struct hci_conn * conn)894 static void cis_cleanup(struct hci_conn *conn)
895 {
896 struct hci_dev *hdev = conn->hdev;
897 struct iso_list_data d;
898
899 if (conn->iso_qos.ucast.cig == BT_ISO_QOS_CIG_UNSET)
900 return;
901
902 memset(&d, 0, sizeof(d));
903 d.cig = conn->iso_qos.ucast.cig;
904
905 /* Check if ISO connection is a CIS and remove CIG if there are
906 * no other connections using it.
907 */
908 hci_conn_hash_list_state(hdev, find_cis, CIS_LINK, BT_BOUND, &d);
909 hci_conn_hash_list_state(hdev, find_cis, CIS_LINK, BT_CONNECT,
910 &d);
911 hci_conn_hash_list_state(hdev, find_cis, CIS_LINK, BT_CONNECTED,
912 &d);
913 if (d.count)
914 return;
915
916 hci_le_remove_cig(hdev, conn->iso_qos.ucast.cig);
917 }
918
hci_conn_hash_alloc_unset(struct hci_dev * hdev)919 static int hci_conn_hash_alloc_unset(struct hci_dev *hdev)
920 {
921 return ida_alloc_range(&hdev->unset_handle_ida, HCI_CONN_HANDLE_MAX + 1,
922 U16_MAX, GFP_ATOMIC);
923 }
924
__hci_conn_add(struct hci_dev * hdev,int type,bdaddr_t * dst,u8 role,u16 handle)925 static struct hci_conn *__hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
926 u8 role, u16 handle)
927 {
928 struct hci_conn *conn;
929
930 switch (type) {
931 case ACL_LINK:
932 if (!hdev->acl_mtu)
933 return ERR_PTR(-ECONNREFUSED);
934 break;
935 case CIS_LINK:
936 case BIS_LINK:
937 case PA_LINK:
938 if (!hdev->iso_mtu)
939 return ERR_PTR(-ECONNREFUSED);
940 break;
941 case LE_LINK:
942 if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU)
943 return ERR_PTR(-ECONNREFUSED);
944 if (!hdev->le_mtu && hdev->acl_mtu < HCI_MIN_LE_MTU)
945 return ERR_PTR(-ECONNREFUSED);
946 break;
947 case SCO_LINK:
948 case ESCO_LINK:
949 if (!hdev->sco_pkts)
950 /* Controller does not support SCO or eSCO over HCI */
951 return ERR_PTR(-ECONNREFUSED);
952 break;
953 default:
954 return ERR_PTR(-ECONNREFUSED);
955 }
956
957 bt_dev_dbg(hdev, "dst %pMR handle 0x%4.4x", dst, handle);
958
959 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
960 if (!conn)
961 return ERR_PTR(-ENOMEM);
962
963 bacpy(&conn->dst, dst);
964 bacpy(&conn->src, &hdev->bdaddr);
965 conn->handle = handle;
966 conn->hdev = hdev;
967 conn->type = type;
968 conn->role = role;
969 conn->mode = HCI_CM_ACTIVE;
970 conn->state = BT_OPEN;
971 conn->auth_type = HCI_AT_GENERAL_BONDING;
972 conn->io_capability = hdev->io_capability;
973 conn->remote_auth = 0xff;
974 conn->key_type = 0xff;
975 conn->rssi = HCI_RSSI_INVALID;
976 conn->tx_power = HCI_TX_POWER_INVALID;
977 conn->max_tx_power = HCI_TX_POWER_INVALID;
978 conn->sync_handle = HCI_SYNC_HANDLE_INVALID;
979 conn->sid = HCI_SID_INVALID;
980
981 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
982 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
983
984 /* Set Default Authenticated payload timeout to 30s */
985 conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
986
987 if (conn->role == HCI_ROLE_MASTER)
988 conn->out = true;
989
990 switch (type) {
991 case ACL_LINK:
992 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
993 conn->mtu = hdev->acl_mtu;
994 break;
995 case LE_LINK:
996 /* conn->src should reflect the local identity address */
997 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
998 conn->mtu = hdev->le_mtu ? hdev->le_mtu : hdev->acl_mtu;
999 break;
1000 case CIS_LINK:
1001 /* conn->src should reflect the local identity address */
1002 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
1003
1004 if (conn->role == HCI_ROLE_MASTER)
1005 conn->cleanup = cis_cleanup;
1006
1007 conn->mtu = hdev->iso_mtu;
1008 break;
1009 case PA_LINK:
1010 case BIS_LINK:
1011 /* conn->src should reflect the local identity address */
1012 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
1013 conn->cleanup = bis_cleanup;
1014 conn->mtu = hdev->iso_mtu;
1015 break;
1016 case SCO_LINK:
1017 if (lmp_esco_capable(hdev))
1018 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
1019 (hdev->esco_type & EDR_ESCO_MASK);
1020 else
1021 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
1022
1023 conn->mtu = hdev->sco_mtu;
1024 break;
1025 case ESCO_LINK:
1026 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
1027 conn->mtu = hdev->sco_mtu;
1028 break;
1029 }
1030
1031 skb_queue_head_init(&conn->data_q);
1032 skb_queue_head_init(&conn->tx_q.queue);
1033
1034 INIT_LIST_HEAD(&conn->chan_list);
1035 INIT_LIST_HEAD(&conn->link_list);
1036
1037 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
1038 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
1039 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
1040 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
1041
1042 atomic_set(&conn->refcnt, 0);
1043
1044 hci_dev_hold(hdev);
1045
1046 hci_conn_hash_add(hdev, conn);
1047
1048 /* The SCO and eSCO connections will only be notified when their
1049 * setup has been completed. This is different to ACL links which
1050 * can be notified right away.
1051 */
1052 if (conn->type != SCO_LINK && conn->type != ESCO_LINK) {
1053 if (hdev->notify)
1054 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
1055 }
1056
1057 hci_conn_init_sysfs(conn);
1058 return conn;
1059 }
1060
hci_conn_add_unset(struct hci_dev * hdev,int type,bdaddr_t * dst,u8 role)1061 struct hci_conn *hci_conn_add_unset(struct hci_dev *hdev, int type,
1062 bdaddr_t *dst, u8 role)
1063 {
1064 int handle;
1065
1066 bt_dev_dbg(hdev, "dst %pMR", dst);
1067
1068 handle = hci_conn_hash_alloc_unset(hdev);
1069 if (unlikely(handle < 0))
1070 return ERR_PTR(-ECONNREFUSED);
1071
1072 return __hci_conn_add(hdev, type, dst, role, handle);
1073 }
1074
hci_conn_add(struct hci_dev * hdev,int type,bdaddr_t * dst,u8 role,u16 handle)1075 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
1076 u8 role, u16 handle)
1077 {
1078 if (handle > HCI_CONN_HANDLE_MAX)
1079 return ERR_PTR(-EINVAL);
1080
1081 return __hci_conn_add(hdev, type, dst, role, handle);
1082 }
1083
hci_conn_cleanup_child(struct hci_conn * conn,u8 reason)1084 static void hci_conn_cleanup_child(struct hci_conn *conn, u8 reason)
1085 {
1086 if (!reason)
1087 reason = HCI_ERROR_REMOTE_USER_TERM;
1088
1089 /* Due to race, SCO/ISO conn might be not established yet at this point,
1090 * and nothing else will clean it up. In other cases it is done via HCI
1091 * events.
1092 */
1093 switch (conn->type) {
1094 case SCO_LINK:
1095 case ESCO_LINK:
1096 if (HCI_CONN_HANDLE_UNSET(conn->handle))
1097 hci_conn_failed(conn, reason);
1098 break;
1099 case CIS_LINK:
1100 case BIS_LINK:
1101 case PA_LINK:
1102 if ((conn->state != BT_CONNECTED &&
1103 !test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) ||
1104 test_bit(HCI_CONN_BIG_CREATED, &conn->flags))
1105 hci_conn_failed(conn, reason);
1106 break;
1107 }
1108 }
1109
hci_conn_unlink(struct hci_conn * conn)1110 static void hci_conn_unlink(struct hci_conn *conn)
1111 {
1112 struct hci_dev *hdev = conn->hdev;
1113
1114 bt_dev_dbg(hdev, "hcon %p", conn);
1115
1116 if (!conn->parent) {
1117 struct hci_link *link, *t;
1118
1119 list_for_each_entry_safe(link, t, &conn->link_list, list) {
1120 struct hci_conn *child = link->conn;
1121
1122 hci_conn_unlink(child);
1123
1124 /* If hdev is down it means
1125 * hci_dev_close_sync/hci_conn_hash_flush is in progress
1126 * and links don't need to be cleanup as all connections
1127 * would be cleanup.
1128 */
1129 if (!test_bit(HCI_UP, &hdev->flags))
1130 continue;
1131
1132 hci_conn_cleanup_child(child, conn->abort_reason);
1133 }
1134
1135 return;
1136 }
1137
1138 if (!conn->link)
1139 return;
1140
1141 list_del_rcu(&conn->link->list);
1142 synchronize_rcu();
1143
1144 hci_conn_drop(conn->parent);
1145 hci_conn_put(conn->parent);
1146 conn->parent = NULL;
1147
1148 kfree(conn->link);
1149 conn->link = NULL;
1150 }
1151
hci_conn_del(struct hci_conn * conn)1152 void hci_conn_del(struct hci_conn *conn)
1153 {
1154 struct hci_dev *hdev = conn->hdev;
1155
1156 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
1157
1158 hci_conn_unlink(conn);
1159
1160 disable_delayed_work_sync(&conn->disc_work);
1161 disable_delayed_work_sync(&conn->auto_accept_work);
1162 disable_delayed_work_sync(&conn->idle_work);
1163
1164 /* Remove the connection from the list so unacked logic can detect when
1165 * a certain pool is not being utilized.
1166 */
1167 hci_conn_hash_del(hdev, conn);
1168
1169 /* Handle unacked frames:
1170 *
1171 * - In case there are no connection, or if restoring the buffers
1172 * considered in transist would overflow, restore all buffers to the
1173 * pool.
1174 * - Otherwise restore just the buffers considered in transit for the
1175 * hci_conn
1176 */
1177 switch (conn->type) {
1178 case ACL_LINK:
1179 if (!hci_conn_num(hdev, ACL_LINK) ||
1180 hdev->acl_cnt + conn->sent > hdev->acl_pkts)
1181 hdev->acl_cnt = hdev->acl_pkts;
1182 else
1183 hdev->acl_cnt += conn->sent;
1184 break;
1185 case LE_LINK:
1186 cancel_delayed_work(&conn->le_conn_timeout);
1187
1188 if (hdev->le_pkts) {
1189 if (!hci_conn_num(hdev, LE_LINK) ||
1190 hdev->le_cnt + conn->sent > hdev->le_pkts)
1191 hdev->le_cnt = hdev->le_pkts;
1192 else
1193 hdev->le_cnt += conn->sent;
1194 } else {
1195 if ((!hci_conn_num(hdev, LE_LINK) &&
1196 !hci_conn_num(hdev, ACL_LINK)) ||
1197 hdev->acl_cnt + conn->sent > hdev->acl_pkts)
1198 hdev->acl_cnt = hdev->acl_pkts;
1199 else
1200 hdev->acl_cnt += conn->sent;
1201 }
1202 break;
1203 case CIS_LINK:
1204 case BIS_LINK:
1205 case PA_LINK:
1206 if (!hci_iso_count(hdev) ||
1207 hdev->iso_cnt + conn->sent > hdev->iso_pkts)
1208 hdev->iso_cnt = hdev->iso_pkts;
1209 else
1210 hdev->iso_cnt += conn->sent;
1211 break;
1212 }
1213
1214 skb_queue_purge(&conn->data_q);
1215 skb_queue_purge(&conn->tx_q.queue);
1216
1217 /* Remove the connection from the list and cleanup its remaining
1218 * state. This is a separate function since for some cases like
1219 * BT_CONNECT_SCAN we *only* want the cleanup part without the
1220 * rest of hci_conn_del.
1221 */
1222 hci_conn_cleanup(conn);
1223
1224 /* Dequeue callbacks using connection pointer as data */
1225 hci_cmd_sync_dequeue(hdev, NULL, conn, NULL);
1226 }
1227
hci_get_route(bdaddr_t * dst,bdaddr_t * src,uint8_t src_type)1228 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type)
1229 {
1230 int use_src = bacmp(src, BDADDR_ANY);
1231 struct hci_dev *hdev = NULL, *d;
1232
1233 BT_DBG("%pMR -> %pMR", src, dst);
1234
1235 read_lock(&hci_dev_list_lock);
1236
1237 list_for_each_entry(d, &hci_dev_list, list) {
1238 if (!test_bit(HCI_UP, &d->flags) ||
1239 hci_dev_test_flag(d, HCI_USER_CHANNEL))
1240 continue;
1241
1242 /* Simple routing:
1243 * No source address - find interface with bdaddr != dst
1244 * Source address - find interface with bdaddr == src
1245 */
1246
1247 if (use_src) {
1248 bdaddr_t id_addr;
1249 u8 id_addr_type;
1250
1251 if (src_type == BDADDR_BREDR) {
1252 if (!lmp_bredr_capable(d))
1253 continue;
1254 bacpy(&id_addr, &d->bdaddr);
1255 id_addr_type = BDADDR_BREDR;
1256 } else {
1257 if (!lmp_le_capable(d))
1258 continue;
1259
1260 hci_copy_identity_address(d, &id_addr,
1261 &id_addr_type);
1262
1263 /* Convert from HCI to three-value type */
1264 if (id_addr_type == ADDR_LE_DEV_PUBLIC)
1265 id_addr_type = BDADDR_LE_PUBLIC;
1266 else
1267 id_addr_type = BDADDR_LE_RANDOM;
1268 }
1269
1270 if (!bacmp(&id_addr, src) && id_addr_type == src_type) {
1271 hdev = d; break;
1272 }
1273 } else {
1274 if (bacmp(&d->bdaddr, dst)) {
1275 hdev = d; break;
1276 }
1277 }
1278 }
1279
1280 if (hdev)
1281 hdev = hci_dev_hold(hdev);
1282
1283 read_unlock(&hci_dev_list_lock);
1284 return hdev;
1285 }
1286 EXPORT_SYMBOL(hci_get_route);
1287
1288 /* This function requires the caller holds hdev->lock */
hci_le_conn_failed(struct hci_conn * conn,u8 status)1289 static void hci_le_conn_failed(struct hci_conn *conn, u8 status)
1290 {
1291 struct hci_dev *hdev = conn->hdev;
1292
1293 hci_connect_le_scan_cleanup(conn, status);
1294
1295 /* Enable advertising in case this was a failed connection
1296 * attempt as a peripheral.
1297 */
1298 hci_enable_advertising(hdev);
1299 }
1300
1301 /* This function requires the caller holds hdev->lock */
hci_conn_failed(struct hci_conn * conn,u8 status)1302 void hci_conn_failed(struct hci_conn *conn, u8 status)
1303 {
1304 struct hci_dev *hdev = conn->hdev;
1305
1306 bt_dev_dbg(hdev, "status 0x%2.2x", status);
1307
1308 switch (conn->type) {
1309 case LE_LINK:
1310 hci_le_conn_failed(conn, status);
1311 break;
1312 case ACL_LINK:
1313 mgmt_connect_failed(hdev, conn, status);
1314 break;
1315 }
1316
1317 /* In case of BIG/PA sync failed, clear conn flags so that
1318 * the conns will be correctly cleaned up by ISO layer
1319 */
1320 test_and_clear_bit(HCI_CONN_BIG_SYNC_FAILED, &conn->flags);
1321 test_and_clear_bit(HCI_CONN_PA_SYNC_FAILED, &conn->flags);
1322
1323 conn->state = BT_CLOSED;
1324 hci_connect_cfm(conn, status);
1325 hci_conn_del(conn);
1326 }
1327
1328 /* This function requires the caller holds hdev->lock */
hci_conn_set_handle(struct hci_conn * conn,u16 handle)1329 u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle)
1330 {
1331 struct hci_dev *hdev = conn->hdev;
1332
1333 bt_dev_dbg(hdev, "hcon %p handle 0x%4.4x", conn, handle);
1334
1335 if (conn->handle == handle)
1336 return 0;
1337
1338 if (handle > HCI_CONN_HANDLE_MAX) {
1339 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
1340 handle, HCI_CONN_HANDLE_MAX);
1341 return HCI_ERROR_INVALID_PARAMETERS;
1342 }
1343
1344 /* If abort_reason has been sent it means the connection is being
1345 * aborted and the handle shall not be changed.
1346 */
1347 if (conn->abort_reason)
1348 return conn->abort_reason;
1349
1350 if (HCI_CONN_HANDLE_UNSET(conn->handle))
1351 ida_free(&hdev->unset_handle_ida, conn->handle);
1352
1353 conn->handle = handle;
1354
1355 return 0;
1356 }
1357
hci_connect_le(struct hci_dev * hdev,bdaddr_t * dst,u8 dst_type,bool dst_resolved,u8 sec_level,u16 conn_timeout,u8 role,u8 phy,u8 sec_phy)1358 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
1359 u8 dst_type, bool dst_resolved, u8 sec_level,
1360 u16 conn_timeout, u8 role, u8 phy, u8 sec_phy)
1361 {
1362 struct hci_conn *conn;
1363 struct smp_irk *irk;
1364 int err;
1365
1366 /* Let's make sure that le is enabled.*/
1367 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1368 if (lmp_le_capable(hdev))
1369 return ERR_PTR(-ECONNREFUSED);
1370
1371 return ERR_PTR(-EOPNOTSUPP);
1372 }
1373
1374 /* Since the controller supports only one LE connection attempt at a
1375 * time, we return -EBUSY if there is any connection attempt running.
1376 */
1377 if (hci_lookup_le_connect(hdev))
1378 return ERR_PTR(-EBUSY);
1379
1380 /* If there's already a connection object but it's not in
1381 * scanning state it means it must already be established, in
1382 * which case we can't do anything else except report a failure
1383 * to connect.
1384 */
1385 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1386 if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) {
1387 return ERR_PTR(-EBUSY);
1388 }
1389
1390 /* Check if the destination address has been resolved by the controller
1391 * since if it did then the identity address shall be used.
1392 */
1393 if (!dst_resolved) {
1394 /* When given an identity address with existing identity
1395 * resolving key, the connection needs to be established
1396 * to a resolvable random address.
1397 *
1398 * Storing the resolvable random address is required here
1399 * to handle connection failures. The address will later
1400 * be resolved back into the original identity address
1401 * from the connect request.
1402 */
1403 irk = hci_find_irk_by_addr(hdev, dst, dst_type);
1404 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
1405 dst = &irk->rpa;
1406 dst_type = ADDR_LE_DEV_RANDOM;
1407 }
1408 }
1409
1410 if (conn) {
1411 bacpy(&conn->dst, dst);
1412 } else {
1413 conn = hci_conn_add_unset(hdev, LE_LINK, dst, role);
1414 if (IS_ERR(conn))
1415 return conn;
1416 hci_conn_hold(conn);
1417 conn->pending_sec_level = sec_level;
1418 }
1419
1420 conn->dst_type = dst_type;
1421 conn->sec_level = BT_SECURITY_LOW;
1422 conn->conn_timeout = conn_timeout;
1423 conn->le_adv_phy = phy;
1424 conn->le_adv_sec_phy = sec_phy;
1425
1426 err = hci_connect_le_sync(hdev, conn);
1427 if (err) {
1428 hci_conn_del(conn);
1429 return ERR_PTR(err);
1430 }
1431
1432 return conn;
1433 }
1434
is_connected(struct hci_dev * hdev,bdaddr_t * addr,u8 type)1435 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
1436 {
1437 struct hci_conn *conn;
1438
1439 conn = hci_conn_hash_lookup_le(hdev, addr, type);
1440 if (!conn)
1441 return false;
1442
1443 if (conn->state != BT_CONNECTED)
1444 return false;
1445
1446 return true;
1447 }
1448
1449 /* This function requires the caller holds hdev->lock */
hci_explicit_conn_params_set(struct hci_dev * hdev,bdaddr_t * addr,u8 addr_type)1450 static int hci_explicit_conn_params_set(struct hci_dev *hdev,
1451 bdaddr_t *addr, u8 addr_type)
1452 {
1453 struct hci_conn_params *params;
1454
1455 if (is_connected(hdev, addr, addr_type))
1456 return -EISCONN;
1457
1458 params = hci_conn_params_lookup(hdev, addr, addr_type);
1459 if (!params) {
1460 params = hci_conn_params_add(hdev, addr, addr_type);
1461 if (!params)
1462 return -ENOMEM;
1463
1464 /* If we created new params, mark them to be deleted in
1465 * hci_connect_le_scan_cleanup. It's different case than
1466 * existing disabled params, those will stay after cleanup.
1467 */
1468 params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
1469 }
1470
1471 /* We're trying to connect, so make sure params are at pend_le_conns */
1472 if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
1473 params->auto_connect == HCI_AUTO_CONN_REPORT ||
1474 params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
1475 hci_pend_le_list_del_init(params);
1476 hci_pend_le_list_add(params, &hdev->pend_le_conns);
1477 }
1478
1479 params->explicit_connect = true;
1480
1481 BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
1482 params->auto_connect);
1483
1484 return 0;
1485 }
1486
qos_set_big(struct hci_dev * hdev,struct bt_iso_qos * qos)1487 static int qos_set_big(struct hci_dev *hdev, struct bt_iso_qos *qos)
1488 {
1489 struct hci_conn *conn;
1490 u8 big;
1491
1492 /* Allocate a BIG if not set */
1493 if (qos->bcast.big == BT_ISO_QOS_BIG_UNSET) {
1494 for (big = 0x00; big < 0xef; big++) {
1495
1496 conn = hci_conn_hash_lookup_big(hdev, big);
1497 if (!conn)
1498 break;
1499 }
1500
1501 if (big == 0xef)
1502 return -EADDRNOTAVAIL;
1503
1504 /* Update BIG */
1505 qos->bcast.big = big;
1506 }
1507
1508 return 0;
1509 }
1510
qos_set_bis(struct hci_dev * hdev,struct bt_iso_qos * qos)1511 static int qos_set_bis(struct hci_dev *hdev, struct bt_iso_qos *qos)
1512 {
1513 struct hci_conn *conn;
1514 u8 bis;
1515
1516 /* Allocate BIS if not set */
1517 if (qos->bcast.bis == BT_ISO_QOS_BIS_UNSET) {
1518 if (qos->bcast.big != BT_ISO_QOS_BIG_UNSET) {
1519 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big);
1520
1521 if (conn) {
1522 /* If the BIG handle is already matched to an advertising
1523 * handle, do not allocate a new one.
1524 */
1525 qos->bcast.bis = conn->iso_qos.bcast.bis;
1526 return 0;
1527 }
1528 }
1529
1530 /* Find an unused adv set to advertise BIS, skip instance 0x00
1531 * since it is reserved as general purpose set.
1532 */
1533 for (bis = 0x01; bis < hdev->le_num_of_adv_sets;
1534 bis++) {
1535
1536 conn = hci_conn_hash_lookup_bis(hdev, BDADDR_ANY, bis);
1537 if (!conn)
1538 break;
1539 }
1540
1541 if (bis == hdev->le_num_of_adv_sets)
1542 return -EADDRNOTAVAIL;
1543
1544 /* Update BIS */
1545 qos->bcast.bis = bis;
1546 }
1547
1548 return 0;
1549 }
1550
1551 /* This function requires the caller holds hdev->lock */
hci_add_bis(struct hci_dev * hdev,bdaddr_t * dst,__u8 sid,struct bt_iso_qos * qos,__u8 base_len,__u8 * base,u16 timeout)1552 static struct hci_conn *hci_add_bis(struct hci_dev *hdev, bdaddr_t *dst,
1553 __u8 sid, struct bt_iso_qos *qos,
1554 __u8 base_len, __u8 *base, u16 timeout)
1555 {
1556 struct hci_conn *conn;
1557 int err;
1558
1559 /* Let's make sure that le is enabled.*/
1560 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1561 if (lmp_le_capable(hdev))
1562 return ERR_PTR(-ECONNREFUSED);
1563 return ERR_PTR(-EOPNOTSUPP);
1564 }
1565
1566 err = qos_set_big(hdev, qos);
1567 if (err)
1568 return ERR_PTR(err);
1569
1570 err = qos_set_bis(hdev, qos);
1571 if (err)
1572 return ERR_PTR(err);
1573
1574 /* Check if the LE Create BIG command has already been sent */
1575 conn = hci_conn_hash_lookup_per_adv_bis(hdev, dst, qos->bcast.big,
1576 qos->bcast.big);
1577 if (conn)
1578 return ERR_PTR(-EADDRINUSE);
1579
1580 /* Check BIS settings against other bound BISes, since all
1581 * BISes in a BIG must have the same value for all parameters
1582 */
1583 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big);
1584
1585 if (conn && (memcmp(qos, &conn->iso_qos, sizeof(*qos)) ||
1586 base_len != conn->le_per_adv_data_len ||
1587 memcmp(conn->le_per_adv_data, base, base_len)))
1588 return ERR_PTR(-EADDRINUSE);
1589
1590 conn = hci_conn_add_unset(hdev, BIS_LINK, dst, HCI_ROLE_MASTER);
1591 if (IS_ERR(conn))
1592 return conn;
1593
1594 conn->state = BT_CONNECT;
1595 conn->sid = sid;
1596 conn->conn_timeout = timeout;
1597
1598 hci_conn_hold(conn);
1599 return conn;
1600 }
1601
1602 /* This function requires the caller holds hdev->lock */
hci_connect_le_scan(struct hci_dev * hdev,bdaddr_t * dst,u8 dst_type,u8 sec_level,u16 conn_timeout,enum conn_reasons conn_reason)1603 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
1604 u8 dst_type, u8 sec_level,
1605 u16 conn_timeout,
1606 enum conn_reasons conn_reason)
1607 {
1608 struct hci_conn *conn;
1609
1610 /* Let's make sure that le is enabled.*/
1611 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1612 if (lmp_le_capable(hdev))
1613 return ERR_PTR(-ECONNREFUSED);
1614
1615 return ERR_PTR(-EOPNOTSUPP);
1616 }
1617
1618 /* Some devices send ATT messages as soon as the physical link is
1619 * established. To be able to handle these ATT messages, the user-
1620 * space first establishes the connection and then starts the pairing
1621 * process.
1622 *
1623 * So if a hci_conn object already exists for the following connection
1624 * attempt, we simply update pending_sec_level and auth_type fields
1625 * and return the object found.
1626 */
1627 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1628 if (conn) {
1629 if (conn->pending_sec_level < sec_level)
1630 conn->pending_sec_level = sec_level;
1631 goto done;
1632 }
1633
1634 BT_DBG("requesting refresh of dst_addr");
1635
1636 conn = hci_conn_add_unset(hdev, LE_LINK, dst, HCI_ROLE_MASTER);
1637 if (IS_ERR(conn))
1638 return conn;
1639
1640 if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) {
1641 hci_conn_del(conn);
1642 return ERR_PTR(-EBUSY);
1643 }
1644
1645 conn->state = BT_CONNECT;
1646 set_bit(HCI_CONN_SCANNING, &conn->flags);
1647 conn->dst_type = dst_type;
1648 conn->sec_level = BT_SECURITY_LOW;
1649 conn->pending_sec_level = sec_level;
1650 conn->conn_timeout = conn_timeout;
1651 conn->conn_reason = conn_reason;
1652
1653 hci_update_passive_scan(hdev);
1654
1655 done:
1656 hci_conn_hold(conn);
1657 return conn;
1658 }
1659
hci_connect_acl(struct hci_dev * hdev,bdaddr_t * dst,u8 sec_level,u8 auth_type,enum conn_reasons conn_reason,u16 timeout)1660 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
1661 u8 sec_level, u8 auth_type,
1662 enum conn_reasons conn_reason, u16 timeout)
1663 {
1664 struct hci_conn *acl;
1665
1666 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1667 if (lmp_bredr_capable(hdev))
1668 return ERR_PTR(-ECONNREFUSED);
1669
1670 return ERR_PTR(-EOPNOTSUPP);
1671 }
1672
1673 /* Reject outgoing connection to device with same BD ADDR against
1674 * CVE-2020-26555
1675 */
1676 if (!bacmp(&hdev->bdaddr, dst)) {
1677 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
1678 dst);
1679 return ERR_PTR(-ECONNREFUSED);
1680 }
1681
1682 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
1683 if (!acl) {
1684 acl = hci_conn_add_unset(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
1685 if (IS_ERR(acl))
1686 return acl;
1687 }
1688
1689 hci_conn_hold(acl);
1690
1691 acl->conn_reason = conn_reason;
1692 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
1693 int err;
1694
1695 acl->sec_level = BT_SECURITY_LOW;
1696 acl->pending_sec_level = sec_level;
1697 acl->auth_type = auth_type;
1698 acl->conn_timeout = timeout;
1699
1700 err = hci_connect_acl_sync(hdev, acl);
1701 if (err) {
1702 hci_conn_del(acl);
1703 return ERR_PTR(err);
1704 }
1705 }
1706
1707 return acl;
1708 }
1709
hci_conn_link(struct hci_conn * parent,struct hci_conn * conn)1710 static struct hci_link *hci_conn_link(struct hci_conn *parent,
1711 struct hci_conn *conn)
1712 {
1713 struct hci_dev *hdev = parent->hdev;
1714 struct hci_link *link;
1715
1716 bt_dev_dbg(hdev, "parent %p hcon %p", parent, conn);
1717
1718 if (conn->link)
1719 return conn->link;
1720
1721 if (conn->parent)
1722 return NULL;
1723
1724 link = kzalloc(sizeof(*link), GFP_KERNEL);
1725 if (!link)
1726 return NULL;
1727
1728 link->conn = hci_conn_hold(conn);
1729 conn->link = link;
1730 conn->parent = hci_conn_get(parent);
1731
1732 /* Use list_add_tail_rcu append to the list */
1733 list_add_tail_rcu(&link->list, &parent->link_list);
1734
1735 return link;
1736 }
1737
hci_connect_sco(struct hci_dev * hdev,int type,bdaddr_t * dst,__u16 setting,struct bt_codec * codec,u16 timeout)1738 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
1739 __u16 setting, struct bt_codec *codec,
1740 u16 timeout)
1741 {
1742 struct hci_conn *acl;
1743 struct hci_conn *sco;
1744 struct hci_link *link;
1745
1746 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING,
1747 CONN_REASON_SCO_CONNECT, timeout);
1748 if (IS_ERR(acl))
1749 return acl;
1750
1751 sco = hci_conn_hash_lookup_ba(hdev, type, dst);
1752 if (!sco) {
1753 sco = hci_conn_add_unset(hdev, type, dst, HCI_ROLE_MASTER);
1754 if (IS_ERR(sco)) {
1755 hci_conn_drop(acl);
1756 return sco;
1757 }
1758 }
1759
1760 link = hci_conn_link(acl, sco);
1761 if (!link) {
1762 hci_conn_drop(acl);
1763 hci_conn_drop(sco);
1764 return ERR_PTR(-ENOLINK);
1765 }
1766
1767 sco->setting = setting;
1768 sco->codec = *codec;
1769
1770 if (acl->state == BT_CONNECTED &&
1771 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
1772 set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
1773 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
1774
1775 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
1776 /* defer SCO setup until mode change completed */
1777 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
1778 return sco;
1779 }
1780
1781 hci_sco_setup(acl, 0x00);
1782 }
1783
1784 return sco;
1785 }
1786
hci_le_create_big(struct hci_conn * conn,struct bt_iso_qos * qos)1787 static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos)
1788 {
1789 struct hci_dev *hdev = conn->hdev;
1790 struct hci_cp_le_create_big cp;
1791 struct iso_list_data data;
1792
1793 memset(&cp, 0, sizeof(cp));
1794
1795 data.big = qos->bcast.big;
1796 data.bis = qos->bcast.bis;
1797 data.count = 0;
1798
1799 /* Create a BIS for each bound connection */
1800 hci_conn_hash_list_state(hdev, bis_list, BIS_LINK,
1801 BT_BOUND, &data);
1802
1803 cp.handle = qos->bcast.big;
1804 cp.adv_handle = qos->bcast.bis;
1805 cp.num_bis = data.count;
1806 hci_cpu_to_le24(qos->bcast.out.interval, cp.bis.sdu_interval);
1807 cp.bis.sdu = cpu_to_le16(qos->bcast.out.sdu);
1808 cp.bis.latency = cpu_to_le16(qos->bcast.out.latency);
1809 cp.bis.rtn = qos->bcast.out.rtn;
1810 cp.bis.phy = qos->bcast.out.phy;
1811 cp.bis.packing = qos->bcast.packing;
1812 cp.bis.framing = qos->bcast.framing;
1813 cp.bis.encryption = qos->bcast.encryption;
1814 memcpy(cp.bis.bcode, qos->bcast.bcode, sizeof(cp.bis.bcode));
1815
1816 return hci_send_cmd(hdev, HCI_OP_LE_CREATE_BIG, sizeof(cp), &cp);
1817 }
1818
set_cig_params_sync(struct hci_dev * hdev,void * data)1819 static int set_cig_params_sync(struct hci_dev *hdev, void *data)
1820 {
1821 DEFINE_FLEX(struct hci_cp_le_set_cig_params, pdu, cis, num_cis, 0x1f);
1822 u8 cig_id = PTR_UINT(data);
1823 struct hci_conn *conn;
1824 struct bt_iso_qos *qos;
1825 u8 aux_num_cis = 0;
1826 u8 cis_id;
1827
1828 conn = hci_conn_hash_lookup_cig(hdev, cig_id);
1829 if (!conn)
1830 return 0;
1831
1832 qos = &conn->iso_qos;
1833 pdu->cig_id = cig_id;
1834 hci_cpu_to_le24(qos->ucast.out.interval, pdu->c_interval);
1835 hci_cpu_to_le24(qos->ucast.in.interval, pdu->p_interval);
1836 pdu->sca = qos->ucast.sca;
1837 pdu->packing = qos->ucast.packing;
1838 pdu->framing = qos->ucast.framing;
1839 pdu->c_latency = cpu_to_le16(qos->ucast.out.latency);
1840 pdu->p_latency = cpu_to_le16(qos->ucast.in.latency);
1841
1842 /* Reprogram all CIS(s) with the same CIG, valid range are:
1843 * num_cis: 0x00 to 0x1F
1844 * cis_id: 0x00 to 0xEF
1845 */
1846 for (cis_id = 0x00; cis_id < 0xf0 &&
1847 aux_num_cis < pdu->num_cis; cis_id++) {
1848 struct hci_cis_params *cis;
1849
1850 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, cig_id, cis_id);
1851 if (!conn)
1852 continue;
1853
1854 qos = &conn->iso_qos;
1855
1856 cis = &pdu->cis[aux_num_cis++];
1857 cis->cis_id = cis_id;
1858 cis->c_sdu = cpu_to_le16(conn->iso_qos.ucast.out.sdu);
1859 cis->p_sdu = cpu_to_le16(conn->iso_qos.ucast.in.sdu);
1860 cis->c_phy = qos->ucast.out.phy ? qos->ucast.out.phy :
1861 qos->ucast.in.phy;
1862 cis->p_phy = qos->ucast.in.phy ? qos->ucast.in.phy :
1863 qos->ucast.out.phy;
1864 cis->c_rtn = qos->ucast.out.rtn;
1865 cis->p_rtn = qos->ucast.in.rtn;
1866 }
1867 pdu->num_cis = aux_num_cis;
1868
1869 if (!pdu->num_cis)
1870 return 0;
1871
1872 return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_CIG_PARAMS,
1873 struct_size(pdu, cis, pdu->num_cis),
1874 pdu, HCI_CMD_TIMEOUT);
1875 }
1876
hci_le_set_cig_params(struct hci_conn * conn,struct bt_iso_qos * qos)1877 static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos)
1878 {
1879 struct hci_dev *hdev = conn->hdev;
1880 struct iso_list_data data;
1881
1882 memset(&data, 0, sizeof(data));
1883
1884 /* Allocate first still reconfigurable CIG if not set */
1885 if (qos->ucast.cig == BT_ISO_QOS_CIG_UNSET) {
1886 for (data.cig = 0x00; data.cig < 0xf0; data.cig++) {
1887 data.count = 0;
1888
1889 hci_conn_hash_list_state(hdev, find_cis, CIS_LINK,
1890 BT_CONNECT, &data);
1891 if (data.count)
1892 continue;
1893
1894 hci_conn_hash_list_state(hdev, find_cis, CIS_LINK,
1895 BT_CONNECTED, &data);
1896 if (!data.count)
1897 break;
1898 }
1899
1900 if (data.cig == 0xf0)
1901 return false;
1902
1903 /* Update CIG */
1904 qos->ucast.cig = data.cig;
1905 }
1906
1907 if (qos->ucast.cis != BT_ISO_QOS_CIS_UNSET) {
1908 if (hci_conn_hash_lookup_cis(hdev, NULL, 0, qos->ucast.cig,
1909 qos->ucast.cis))
1910 return false;
1911 goto done;
1912 }
1913
1914 /* Allocate first available CIS if not set */
1915 for (data.cig = qos->ucast.cig, data.cis = 0x00; data.cis < 0xf0;
1916 data.cis++) {
1917 if (!hci_conn_hash_lookup_cis(hdev, NULL, 0, data.cig,
1918 data.cis)) {
1919 /* Update CIS */
1920 qos->ucast.cis = data.cis;
1921 break;
1922 }
1923 }
1924
1925 if (qos->ucast.cis == BT_ISO_QOS_CIS_UNSET)
1926 return false;
1927
1928 done:
1929 if (hci_cmd_sync_queue(hdev, set_cig_params_sync,
1930 UINT_PTR(qos->ucast.cig), NULL) < 0)
1931 return false;
1932
1933 return true;
1934 }
1935
hci_bind_cis(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,struct bt_iso_qos * qos,u16 timeout)1936 struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst,
1937 __u8 dst_type, struct bt_iso_qos *qos,
1938 u16 timeout)
1939 {
1940 struct hci_conn *cis;
1941
1942 cis = hci_conn_hash_lookup_cis(hdev, dst, dst_type, qos->ucast.cig,
1943 qos->ucast.cis);
1944 if (!cis) {
1945 cis = hci_conn_add_unset(hdev, CIS_LINK, dst,
1946 HCI_ROLE_MASTER);
1947 if (IS_ERR(cis))
1948 return cis;
1949 cis->cleanup = cis_cleanup;
1950 cis->dst_type = dst_type;
1951 cis->iso_qos.ucast.cig = BT_ISO_QOS_CIG_UNSET;
1952 cis->iso_qos.ucast.cis = BT_ISO_QOS_CIS_UNSET;
1953 cis->conn_timeout = timeout;
1954 }
1955
1956 if (cis->state == BT_CONNECTED)
1957 return cis;
1958
1959 /* Check if CIS has been set and the settings matches */
1960 if (cis->state == BT_BOUND &&
1961 !memcmp(&cis->iso_qos, qos, sizeof(*qos)))
1962 return cis;
1963
1964 /* Update LINK PHYs according to QoS preference */
1965 cis->le_tx_phy = qos->ucast.out.phy;
1966 cis->le_rx_phy = qos->ucast.in.phy;
1967
1968 /* If output interval is not set use the input interval as it cannot be
1969 * 0x000000.
1970 */
1971 if (!qos->ucast.out.interval)
1972 qos->ucast.out.interval = qos->ucast.in.interval;
1973
1974 /* If input interval is not set use the output interval as it cannot be
1975 * 0x000000.
1976 */
1977 if (!qos->ucast.in.interval)
1978 qos->ucast.in.interval = qos->ucast.out.interval;
1979
1980 /* If output latency is not set use the input latency as it cannot be
1981 * 0x0000.
1982 */
1983 if (!qos->ucast.out.latency)
1984 qos->ucast.out.latency = qos->ucast.in.latency;
1985
1986 /* If input latency is not set use the output latency as it cannot be
1987 * 0x0000.
1988 */
1989 if (!qos->ucast.in.latency)
1990 qos->ucast.in.latency = qos->ucast.out.latency;
1991
1992 if (!hci_le_set_cig_params(cis, qos)) {
1993 hci_conn_drop(cis);
1994 return ERR_PTR(-EINVAL);
1995 }
1996
1997 hci_conn_hold(cis);
1998
1999 cis->iso_qos = *qos;
2000 cis->state = BT_BOUND;
2001
2002 return cis;
2003 }
2004
hci_iso_setup_path(struct hci_conn * conn)2005 bool hci_iso_setup_path(struct hci_conn *conn)
2006 {
2007 struct hci_dev *hdev = conn->hdev;
2008 struct hci_cp_le_setup_iso_path cmd;
2009
2010 memset(&cmd, 0, sizeof(cmd));
2011
2012 if (conn->iso_qos.ucast.out.sdu) {
2013 cmd.handle = cpu_to_le16(conn->handle);
2014 cmd.direction = 0x00; /* Input (Host to Controller) */
2015 cmd.path = 0x00; /* HCI path if enabled */
2016 cmd.codec = 0x03; /* Transparent Data */
2017
2018 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
2019 &cmd) < 0)
2020 return false;
2021 }
2022
2023 if (conn->iso_qos.ucast.in.sdu) {
2024 cmd.handle = cpu_to_le16(conn->handle);
2025 cmd.direction = 0x01; /* Output (Controller to Host) */
2026 cmd.path = 0x00; /* HCI path if enabled */
2027 cmd.codec = 0x03; /* Transparent Data */
2028
2029 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
2030 &cmd) < 0)
2031 return false;
2032 }
2033
2034 return true;
2035 }
2036
hci_conn_check_create_cis(struct hci_conn * conn)2037 int hci_conn_check_create_cis(struct hci_conn *conn)
2038 {
2039 if (conn->type != CIS_LINK)
2040 return -EINVAL;
2041
2042 if (!conn->parent || conn->parent->state != BT_CONNECTED ||
2043 conn->state != BT_CONNECT || HCI_CONN_HANDLE_UNSET(conn->handle))
2044 return 1;
2045
2046 return 0;
2047 }
2048
hci_create_cis_sync(struct hci_dev * hdev,void * data)2049 static int hci_create_cis_sync(struct hci_dev *hdev, void *data)
2050 {
2051 return hci_le_create_cis_sync(hdev);
2052 }
2053
hci_le_create_cis_pending(struct hci_dev * hdev)2054 int hci_le_create_cis_pending(struct hci_dev *hdev)
2055 {
2056 struct hci_conn *conn;
2057 bool pending = false;
2058
2059 rcu_read_lock();
2060
2061 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
2062 if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) {
2063 rcu_read_unlock();
2064 return -EBUSY;
2065 }
2066
2067 if (!hci_conn_check_create_cis(conn))
2068 pending = true;
2069 }
2070
2071 rcu_read_unlock();
2072
2073 if (!pending)
2074 return 0;
2075
2076 /* Queue Create CIS */
2077 return hci_cmd_sync_queue(hdev, hci_create_cis_sync, NULL, NULL);
2078 }
2079
hci_iso_qos_setup(struct hci_dev * hdev,struct hci_conn * conn,struct bt_iso_io_qos * qos,__u8 phy)2080 static void hci_iso_qos_setup(struct hci_dev *hdev, struct hci_conn *conn,
2081 struct bt_iso_io_qos *qos, __u8 phy)
2082 {
2083 /* Only set MTU if PHY is enabled */
2084 if (!qos->sdu && qos->phy)
2085 qos->sdu = conn->mtu;
2086
2087 /* Use the same PHY as ACL if set to any */
2088 if (qos->phy == BT_ISO_PHY_ANY)
2089 qos->phy = phy;
2090
2091 /* Use LE ACL connection interval if not set */
2092 if (!qos->interval)
2093 /* ACL interval unit in 1.25 ms to us */
2094 qos->interval = conn->le_conn_interval * 1250;
2095
2096 /* Use LE ACL connection latency if not set */
2097 if (!qos->latency)
2098 qos->latency = conn->le_conn_latency;
2099 }
2100
create_big_sync(struct hci_dev * hdev,void * data)2101 static int create_big_sync(struct hci_dev *hdev, void *data)
2102 {
2103 struct hci_conn *conn = data;
2104 struct bt_iso_qos *qos = &conn->iso_qos;
2105 u16 interval, sync_interval = 0;
2106 u32 flags = 0;
2107 int err;
2108
2109 if (qos->bcast.out.phy == 0x02)
2110 flags |= MGMT_ADV_FLAG_SEC_2M;
2111
2112 /* Align intervals */
2113 interval = (qos->bcast.out.interval / 1250) * qos->bcast.sync_factor;
2114
2115 if (qos->bcast.bis)
2116 sync_interval = interval * 4;
2117
2118 err = hci_start_per_adv_sync(hdev, qos->bcast.bis, conn->sid,
2119 conn->le_per_adv_data_len,
2120 conn->le_per_adv_data, flags, interval,
2121 interval, sync_interval);
2122 if (err)
2123 return err;
2124
2125 return hci_le_create_big(conn, &conn->iso_qos);
2126 }
2127
hci_pa_create_sync(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,__u8 sid,struct bt_iso_qos * qos)2128 struct hci_conn *hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst,
2129 __u8 dst_type, __u8 sid,
2130 struct bt_iso_qos *qos)
2131 {
2132 struct hci_conn *conn;
2133
2134 bt_dev_dbg(hdev, "dst %pMR type %d sid %d", dst, dst_type, sid);
2135
2136 conn = hci_conn_add_unset(hdev, PA_LINK, dst, HCI_ROLE_SLAVE);
2137 if (IS_ERR(conn))
2138 return conn;
2139
2140 conn->iso_qos = *qos;
2141 conn->dst_type = dst_type;
2142 conn->sid = sid;
2143 conn->state = BT_LISTEN;
2144 conn->conn_timeout = msecs_to_jiffies(qos->bcast.sync_timeout * 10);
2145
2146 hci_conn_hold(conn);
2147
2148 hci_connect_pa_sync(hdev, conn);
2149
2150 return conn;
2151 }
2152
hci_conn_big_create_sync(struct hci_dev * hdev,struct hci_conn * hcon,struct bt_iso_qos * qos,__u16 sync_handle,__u8 num_bis,__u8 bis[])2153 int hci_conn_big_create_sync(struct hci_dev *hdev, struct hci_conn *hcon,
2154 struct bt_iso_qos *qos, __u16 sync_handle,
2155 __u8 num_bis, __u8 bis[])
2156 {
2157 int err;
2158
2159 if (num_bis < 0x01 || num_bis > ISO_MAX_NUM_BIS)
2160 return -EINVAL;
2161
2162 err = qos_set_big(hdev, qos);
2163 if (err)
2164 return err;
2165
2166 if (hcon) {
2167 /* Update hcon QoS */
2168 hcon->iso_qos = *qos;
2169
2170 hcon->num_bis = num_bis;
2171 memcpy(hcon->bis, bis, num_bis);
2172 hcon->conn_timeout = msecs_to_jiffies(qos->bcast.timeout * 10);
2173 }
2174
2175 return hci_connect_big_sync(hdev, hcon);
2176 }
2177
create_big_complete(struct hci_dev * hdev,void * data,int err)2178 static void create_big_complete(struct hci_dev *hdev, void *data, int err)
2179 {
2180 struct hci_conn *conn = data;
2181
2182 bt_dev_dbg(hdev, "conn %p", conn);
2183
2184 if (err) {
2185 bt_dev_err(hdev, "Unable to create BIG: %d", err);
2186 hci_connect_cfm(conn, err);
2187 hci_conn_del(conn);
2188 }
2189 }
2190
hci_bind_bis(struct hci_dev * hdev,bdaddr_t * dst,__u8 sid,struct bt_iso_qos * qos,__u8 base_len,__u8 * base,u16 timeout)2191 struct hci_conn *hci_bind_bis(struct hci_dev *hdev, bdaddr_t *dst, __u8 sid,
2192 struct bt_iso_qos *qos,
2193 __u8 base_len, __u8 *base, u16 timeout)
2194 {
2195 struct hci_conn *conn;
2196 struct hci_conn *parent;
2197 __u8 eir[HCI_MAX_PER_AD_LENGTH];
2198 struct hci_link *link;
2199
2200 /* Look for any BIS that is open for rebinding */
2201 conn = hci_conn_hash_lookup_big_state(hdev, qos->bcast.big, BT_OPEN,
2202 HCI_ROLE_MASTER);
2203 if (conn) {
2204 memcpy(qos, &conn->iso_qos, sizeof(*qos));
2205 conn->state = BT_CONNECTED;
2206 return conn;
2207 }
2208
2209 if (base_len && base)
2210 base_len = eir_append_service_data(eir, 0, 0x1851,
2211 base, base_len);
2212
2213 /* We need hci_conn object using the BDADDR_ANY as dst */
2214 conn = hci_add_bis(hdev, dst, sid, qos, base_len, eir, timeout);
2215 if (IS_ERR(conn))
2216 return conn;
2217
2218 /* Update LINK PHYs according to QoS preference */
2219 conn->le_tx_phy = qos->bcast.out.phy;
2220 conn->le_tx_phy = qos->bcast.out.phy;
2221
2222 /* Add Basic Announcement into Peridic Adv Data if BASE is set */
2223 if (base_len && base) {
2224 memcpy(conn->le_per_adv_data, eir, sizeof(eir));
2225 conn->le_per_adv_data_len = base_len;
2226 }
2227
2228 hci_iso_qos_setup(hdev, conn, &qos->bcast.out,
2229 conn->le_tx_phy ? conn->le_tx_phy :
2230 hdev->le_tx_def_phys);
2231
2232 conn->iso_qos = *qos;
2233 conn->state = BT_BOUND;
2234
2235 /* Link BISes together */
2236 parent = hci_conn_hash_lookup_big(hdev,
2237 conn->iso_qos.bcast.big);
2238 if (parent && parent != conn) {
2239 link = hci_conn_link(parent, conn);
2240 hci_conn_drop(conn);
2241 if (!link)
2242 return ERR_PTR(-ENOLINK);
2243 }
2244
2245 return conn;
2246 }
2247
bis_mark_per_adv(struct hci_conn * conn,void * data)2248 static void bis_mark_per_adv(struct hci_conn *conn, void *data)
2249 {
2250 struct iso_list_data *d = data;
2251
2252 /* Skip if not broadcast/ANY address */
2253 if (bacmp(&conn->dst, BDADDR_ANY))
2254 return;
2255
2256 if (d->big != conn->iso_qos.bcast.big ||
2257 d->bis == BT_ISO_QOS_BIS_UNSET ||
2258 d->bis != conn->iso_qos.bcast.bis)
2259 return;
2260
2261 set_bit(HCI_CONN_PER_ADV, &conn->flags);
2262 }
2263
hci_connect_bis(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,__u8 sid,struct bt_iso_qos * qos,__u8 base_len,__u8 * base,u16 timeout)2264 struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst,
2265 __u8 dst_type, __u8 sid,
2266 struct bt_iso_qos *qos,
2267 __u8 base_len, __u8 *base, u16 timeout)
2268 {
2269 struct hci_conn *conn;
2270 int err;
2271 struct iso_list_data data;
2272
2273 conn = hci_bind_bis(hdev, dst, sid, qos, base_len, base, timeout);
2274 if (IS_ERR(conn))
2275 return conn;
2276
2277 if (conn->state == BT_CONNECTED)
2278 return conn;
2279
2280 /* Check if SID needs to be allocated then search for the first
2281 * available.
2282 */
2283 if (conn->sid == HCI_SID_INVALID) {
2284 u8 sid;
2285
2286 for (sid = 0; sid <= 0x0f; sid++) {
2287 if (!hci_find_adv_sid(hdev, sid)) {
2288 conn->sid = sid;
2289 break;
2290 }
2291 }
2292 }
2293
2294 data.big = qos->bcast.big;
2295 data.bis = qos->bcast.bis;
2296
2297 /* Set HCI_CONN_PER_ADV for all bound connections, to mark that
2298 * the start periodic advertising and create BIG commands have
2299 * been queued
2300 */
2301 hci_conn_hash_list_state(hdev, bis_mark_per_adv, BIS_LINK,
2302 BT_BOUND, &data);
2303
2304 /* Queue start periodic advertising and create BIG */
2305 err = hci_cmd_sync_queue(hdev, create_big_sync, conn,
2306 create_big_complete);
2307 if (err < 0) {
2308 hci_conn_drop(conn);
2309 return ERR_PTR(err);
2310 }
2311
2312 return conn;
2313 }
2314
hci_connect_cis(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,struct bt_iso_qos * qos,u16 timeout)2315 struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst,
2316 __u8 dst_type, struct bt_iso_qos *qos,
2317 u16 timeout)
2318 {
2319 struct hci_conn *le;
2320 struct hci_conn *cis;
2321 struct hci_link *link;
2322
2323 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
2324 le = hci_connect_le(hdev, dst, dst_type, false,
2325 BT_SECURITY_LOW,
2326 HCI_LE_CONN_TIMEOUT,
2327 HCI_ROLE_SLAVE, 0, 0);
2328 else
2329 le = hci_connect_le_scan(hdev, dst, dst_type,
2330 BT_SECURITY_LOW,
2331 HCI_LE_CONN_TIMEOUT,
2332 CONN_REASON_ISO_CONNECT);
2333 if (IS_ERR(le))
2334 return le;
2335
2336 hci_iso_qos_setup(hdev, le, &qos->ucast.out,
2337 le->le_tx_phy ? le->le_tx_phy : hdev->le_tx_def_phys);
2338 hci_iso_qos_setup(hdev, le, &qos->ucast.in,
2339 le->le_rx_phy ? le->le_rx_phy : hdev->le_rx_def_phys);
2340
2341 cis = hci_bind_cis(hdev, dst, dst_type, qos, timeout);
2342 if (IS_ERR(cis)) {
2343 hci_conn_drop(le);
2344 return cis;
2345 }
2346
2347 link = hci_conn_link(le, cis);
2348 hci_conn_drop(cis);
2349 if (!link) {
2350 hci_conn_drop(le);
2351 return ERR_PTR(-ENOLINK);
2352 }
2353
2354 cis->state = BT_CONNECT;
2355
2356 hci_le_create_cis_pending(hdev);
2357
2358 return cis;
2359 }
2360
2361 /* Check link security requirement */
hci_conn_check_link_mode(struct hci_conn * conn)2362 int hci_conn_check_link_mode(struct hci_conn *conn)
2363 {
2364 BT_DBG("hcon %p", conn);
2365
2366 /* In Secure Connections Only mode, it is required that Secure
2367 * Connections is used and the link is encrypted with AES-CCM
2368 * using a P-256 authenticated combination key.
2369 */
2370 if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) {
2371 if (!hci_conn_sc_enabled(conn) ||
2372 !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2373 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
2374 return 0;
2375 }
2376
2377 /* AES encryption is required for Level 4:
2378 *
2379 * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C
2380 * page 1319:
2381 *
2382 * 128-bit equivalent strength for link and encryption keys
2383 * required using FIPS approved algorithms (E0 not allowed,
2384 * SAFER+ not allowed, and P-192 not allowed; encryption key
2385 * not shortened)
2386 */
2387 if (conn->sec_level == BT_SECURITY_FIPS &&
2388 !test_bit(HCI_CONN_AES_CCM, &conn->flags)) {
2389 bt_dev_err(conn->hdev,
2390 "Invalid security: Missing AES-CCM usage");
2391 return 0;
2392 }
2393
2394 if (hci_conn_ssp_enabled(conn) &&
2395 !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2396 return 0;
2397
2398 return 1;
2399 }
2400
2401 /* Authenticate remote device */
hci_conn_auth(struct hci_conn * conn,__u8 sec_level,__u8 auth_type)2402 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
2403 {
2404 BT_DBG("hcon %p", conn);
2405
2406 if (conn->pending_sec_level > sec_level)
2407 sec_level = conn->pending_sec_level;
2408
2409 if (sec_level > conn->sec_level)
2410 conn->pending_sec_level = sec_level;
2411 else if (test_bit(HCI_CONN_AUTH, &conn->flags))
2412 return 1;
2413
2414 /* Make sure we preserve an existing MITM requirement*/
2415 auth_type |= (conn->auth_type & 0x01);
2416
2417 conn->auth_type = auth_type;
2418
2419 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2420 struct hci_cp_auth_requested cp;
2421
2422 cp.handle = cpu_to_le16(conn->handle);
2423 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
2424 sizeof(cp), &cp);
2425
2426 /* Set the ENCRYPT_PEND to trigger encryption after
2427 * authentication.
2428 */
2429 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2430 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2431 }
2432
2433 return 0;
2434 }
2435
2436 /* Encrypt the link */
hci_conn_encrypt(struct hci_conn * conn)2437 static void hci_conn_encrypt(struct hci_conn *conn)
2438 {
2439 BT_DBG("hcon %p", conn);
2440
2441 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2442 struct hci_cp_set_conn_encrypt cp;
2443 cp.handle = cpu_to_le16(conn->handle);
2444 cp.encrypt = 0x01;
2445 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2446 &cp);
2447 }
2448 }
2449
2450 /* Enable security */
hci_conn_security(struct hci_conn * conn,__u8 sec_level,__u8 auth_type,bool initiator)2451 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
2452 bool initiator)
2453 {
2454 BT_DBG("hcon %p", conn);
2455
2456 if (conn->type == LE_LINK)
2457 return smp_conn_security(conn, sec_level);
2458
2459 /* For sdp we don't need the link key. */
2460 if (sec_level == BT_SECURITY_SDP)
2461 return 1;
2462
2463 /* For non 2.1 devices and low security level we don't need the link
2464 key. */
2465 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
2466 return 1;
2467
2468 /* For other security levels we need the link key. */
2469 if (!test_bit(HCI_CONN_AUTH, &conn->flags))
2470 goto auth;
2471
2472 switch (conn->key_type) {
2473 case HCI_LK_AUTH_COMBINATION_P256:
2474 /* An authenticated FIPS approved combination key has
2475 * sufficient security for security level 4 or lower.
2476 */
2477 if (sec_level <= BT_SECURITY_FIPS)
2478 goto encrypt;
2479 break;
2480 case HCI_LK_AUTH_COMBINATION_P192:
2481 /* An authenticated combination key has sufficient security for
2482 * security level 3 or lower.
2483 */
2484 if (sec_level <= BT_SECURITY_HIGH)
2485 goto encrypt;
2486 break;
2487 case HCI_LK_UNAUTH_COMBINATION_P192:
2488 case HCI_LK_UNAUTH_COMBINATION_P256:
2489 /* An unauthenticated combination key has sufficient security
2490 * for security level 2 or lower.
2491 */
2492 if (sec_level <= BT_SECURITY_MEDIUM)
2493 goto encrypt;
2494 break;
2495 case HCI_LK_COMBINATION:
2496 /* A combination key has always sufficient security for the
2497 * security levels 2 or lower. High security level requires the
2498 * combination key is generated using maximum PIN code length
2499 * (16). For pre 2.1 units.
2500 */
2501 if (sec_level <= BT_SECURITY_MEDIUM || conn->pin_length == 16)
2502 goto encrypt;
2503 break;
2504 default:
2505 break;
2506 }
2507
2508 auth:
2509 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
2510 return 0;
2511
2512 if (initiator)
2513 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2514
2515 if (!hci_conn_auth(conn, sec_level, auth_type))
2516 return 0;
2517
2518 encrypt:
2519 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) {
2520 /* Ensure that the encryption key size has been read,
2521 * otherwise stall the upper layer responses.
2522 */
2523 if (!conn->enc_key_size)
2524 return 0;
2525
2526 /* Nothing else needed, all requirements are met */
2527 return 1;
2528 }
2529
2530 hci_conn_encrypt(conn);
2531 return 0;
2532 }
2533 EXPORT_SYMBOL(hci_conn_security);
2534
2535 /* Check secure link requirement */
hci_conn_check_secure(struct hci_conn * conn,__u8 sec_level)2536 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
2537 {
2538 BT_DBG("hcon %p", conn);
2539
2540 /* Accept if non-secure or higher security level is required */
2541 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
2542 return 1;
2543
2544 /* Accept if secure or higher security level is already present */
2545 if (conn->sec_level == BT_SECURITY_HIGH ||
2546 conn->sec_level == BT_SECURITY_FIPS)
2547 return 1;
2548
2549 /* Reject not secure link */
2550 return 0;
2551 }
2552 EXPORT_SYMBOL(hci_conn_check_secure);
2553
2554 /* Switch role */
hci_conn_switch_role(struct hci_conn * conn,__u8 role)2555 int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
2556 {
2557 BT_DBG("hcon %p", conn);
2558
2559 if (role == conn->role)
2560 return 1;
2561
2562 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
2563 struct hci_cp_switch_role cp;
2564 bacpy(&cp.bdaddr, &conn->dst);
2565 cp.role = role;
2566 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
2567 }
2568
2569 return 0;
2570 }
2571 EXPORT_SYMBOL(hci_conn_switch_role);
2572
2573 /* Enter active mode */
hci_conn_enter_active_mode(struct hci_conn * conn,__u8 force_active)2574 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
2575 {
2576 struct hci_dev *hdev = conn->hdev;
2577
2578 BT_DBG("hcon %p mode %d", conn, conn->mode);
2579
2580 if (conn->mode != HCI_CM_SNIFF)
2581 goto timer;
2582
2583 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
2584 goto timer;
2585
2586 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
2587 struct hci_cp_exit_sniff_mode cp;
2588 cp.handle = cpu_to_le16(conn->handle);
2589 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
2590 }
2591
2592 timer:
2593 if (hdev->idle_timeout > 0)
2594 queue_delayed_work(hdev->workqueue, &conn->idle_work,
2595 msecs_to_jiffies(hdev->idle_timeout));
2596 }
2597
2598 /* Drop all connection on the device */
hci_conn_hash_flush(struct hci_dev * hdev)2599 void hci_conn_hash_flush(struct hci_dev *hdev)
2600 {
2601 struct list_head *head = &hdev->conn_hash.list;
2602 struct hci_conn *conn;
2603
2604 BT_DBG("hdev %s", hdev->name);
2605
2606 /* We should not traverse the list here, because hci_conn_del
2607 * can remove extra links, which may cause the list traversal
2608 * to hit items that have already been released.
2609 */
2610 while ((conn = list_first_entry_or_null(head,
2611 struct hci_conn,
2612 list)) != NULL) {
2613 conn->state = BT_CLOSED;
2614 hci_disconn_cfm(conn, HCI_ERROR_LOCAL_HOST_TERM);
2615 hci_conn_del(conn);
2616 }
2617 }
2618
get_link_mode(struct hci_conn * conn)2619 static u32 get_link_mode(struct hci_conn *conn)
2620 {
2621 u32 link_mode = 0;
2622
2623 if (conn->role == HCI_ROLE_MASTER)
2624 link_mode |= HCI_LM_MASTER;
2625
2626 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2627 link_mode |= HCI_LM_ENCRYPT;
2628
2629 if (test_bit(HCI_CONN_AUTH, &conn->flags))
2630 link_mode |= HCI_LM_AUTH;
2631
2632 if (test_bit(HCI_CONN_SECURE, &conn->flags))
2633 link_mode |= HCI_LM_SECURE;
2634
2635 if (test_bit(HCI_CONN_FIPS, &conn->flags))
2636 link_mode |= HCI_LM_FIPS;
2637
2638 return link_mode;
2639 }
2640
hci_get_conn_list(void __user * arg)2641 int hci_get_conn_list(void __user *arg)
2642 {
2643 struct hci_conn *c;
2644 struct hci_conn_list_req req, *cl;
2645 struct hci_conn_info *ci;
2646 struct hci_dev *hdev;
2647 int n = 0, size, err;
2648
2649 if (copy_from_user(&req, arg, sizeof(req)))
2650 return -EFAULT;
2651
2652 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
2653 return -EINVAL;
2654
2655 size = sizeof(req) + req.conn_num * sizeof(*ci);
2656
2657 cl = kmalloc(size, GFP_KERNEL);
2658 if (!cl)
2659 return -ENOMEM;
2660
2661 hdev = hci_dev_get(req.dev_id);
2662 if (!hdev) {
2663 kfree(cl);
2664 return -ENODEV;
2665 }
2666
2667 ci = cl->conn_info;
2668
2669 hci_dev_lock(hdev);
2670 list_for_each_entry(c, &hdev->conn_hash.list, list) {
2671 bacpy(&(ci + n)->bdaddr, &c->dst);
2672 (ci + n)->handle = c->handle;
2673 (ci + n)->type = c->type;
2674 (ci + n)->out = c->out;
2675 (ci + n)->state = c->state;
2676 (ci + n)->link_mode = get_link_mode(c);
2677 if (++n >= req.conn_num)
2678 break;
2679 }
2680 hci_dev_unlock(hdev);
2681
2682 cl->dev_id = hdev->id;
2683 cl->conn_num = n;
2684 size = sizeof(req) + n * sizeof(*ci);
2685
2686 hci_dev_put(hdev);
2687
2688 err = copy_to_user(arg, cl, size);
2689 kfree(cl);
2690
2691 return err ? -EFAULT : 0;
2692 }
2693
hci_get_conn_info(struct hci_dev * hdev,void __user * arg)2694 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
2695 {
2696 struct hci_conn_info_req req;
2697 struct hci_conn_info ci;
2698 struct hci_conn *conn;
2699 char __user *ptr = arg + sizeof(req);
2700
2701 if (copy_from_user(&req, arg, sizeof(req)))
2702 return -EFAULT;
2703
2704 hci_dev_lock(hdev);
2705 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
2706 if (conn) {
2707 bacpy(&ci.bdaddr, &conn->dst);
2708 ci.handle = conn->handle;
2709 ci.type = conn->type;
2710 ci.out = conn->out;
2711 ci.state = conn->state;
2712 ci.link_mode = get_link_mode(conn);
2713 }
2714 hci_dev_unlock(hdev);
2715
2716 if (!conn)
2717 return -ENOENT;
2718
2719 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
2720 }
2721
hci_get_auth_info(struct hci_dev * hdev,void __user * arg)2722 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
2723 {
2724 struct hci_auth_info_req req;
2725 struct hci_conn *conn;
2726
2727 if (copy_from_user(&req, arg, sizeof(req)))
2728 return -EFAULT;
2729
2730 hci_dev_lock(hdev);
2731 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
2732 if (conn)
2733 req.type = conn->auth_type;
2734 hci_dev_unlock(hdev);
2735
2736 if (!conn)
2737 return -ENOENT;
2738
2739 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
2740 }
2741
hci_chan_create(struct hci_conn * conn)2742 struct hci_chan *hci_chan_create(struct hci_conn *conn)
2743 {
2744 struct hci_dev *hdev = conn->hdev;
2745 struct hci_chan *chan;
2746
2747 BT_DBG("%s hcon %p", hdev->name, conn);
2748
2749 if (test_bit(HCI_CONN_DROP, &conn->flags)) {
2750 BT_DBG("Refusing to create new hci_chan");
2751 return NULL;
2752 }
2753
2754 chan = kzalloc(sizeof(*chan), GFP_KERNEL);
2755 if (!chan)
2756 return NULL;
2757
2758 chan->conn = hci_conn_get(conn);
2759 skb_queue_head_init(&chan->data_q);
2760 chan->state = BT_CONNECTED;
2761
2762 list_add_rcu(&chan->list, &conn->chan_list);
2763
2764 return chan;
2765 }
2766
hci_chan_del(struct hci_chan * chan)2767 void hci_chan_del(struct hci_chan *chan)
2768 {
2769 struct hci_conn *conn = chan->conn;
2770 struct hci_dev *hdev = conn->hdev;
2771
2772 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
2773
2774 list_del_rcu(&chan->list);
2775
2776 synchronize_rcu();
2777
2778 /* Prevent new hci_chan's to be created for this hci_conn */
2779 set_bit(HCI_CONN_DROP, &conn->flags);
2780
2781 hci_conn_put(conn);
2782
2783 skb_queue_purge(&chan->data_q);
2784 kfree(chan);
2785 }
2786
hci_chan_list_flush(struct hci_conn * conn)2787 void hci_chan_list_flush(struct hci_conn *conn)
2788 {
2789 struct hci_chan *chan, *n;
2790
2791 BT_DBG("hcon %p", conn);
2792
2793 list_for_each_entry_safe(chan, n, &conn->chan_list, list)
2794 hci_chan_del(chan);
2795 }
2796
__hci_chan_lookup_handle(struct hci_conn * hcon,__u16 handle)2797 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
2798 __u16 handle)
2799 {
2800 struct hci_chan *hchan;
2801
2802 list_for_each_entry(hchan, &hcon->chan_list, list) {
2803 if (hchan->handle == handle)
2804 return hchan;
2805 }
2806
2807 return NULL;
2808 }
2809
hci_chan_lookup_handle(struct hci_dev * hdev,__u16 handle)2810 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
2811 {
2812 struct hci_conn_hash *h = &hdev->conn_hash;
2813 struct hci_conn *hcon;
2814 struct hci_chan *hchan = NULL;
2815
2816 rcu_read_lock();
2817
2818 list_for_each_entry_rcu(hcon, &h->list, list) {
2819 hchan = __hci_chan_lookup_handle(hcon, handle);
2820 if (hchan)
2821 break;
2822 }
2823
2824 rcu_read_unlock();
2825
2826 return hchan;
2827 }
2828
hci_conn_get_phy(struct hci_conn * conn)2829 u32 hci_conn_get_phy(struct hci_conn *conn)
2830 {
2831 u32 phys = 0;
2832
2833 /* BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part B page 471:
2834 * Table 6.2: Packets defined for synchronous, asynchronous, and
2835 * CPB logical transport types.
2836 */
2837 switch (conn->type) {
2838 case SCO_LINK:
2839 /* SCO logical transport (1 Mb/s):
2840 * HV1, HV2, HV3 and DV.
2841 */
2842 phys |= BT_PHY_BR_1M_1SLOT;
2843
2844 break;
2845
2846 case ACL_LINK:
2847 /* ACL logical transport (1 Mb/s) ptt=0:
2848 * DH1, DM3, DH3, DM5 and DH5.
2849 */
2850 phys |= BT_PHY_BR_1M_1SLOT;
2851
2852 if (conn->pkt_type & (HCI_DM3 | HCI_DH3))
2853 phys |= BT_PHY_BR_1M_3SLOT;
2854
2855 if (conn->pkt_type & (HCI_DM5 | HCI_DH5))
2856 phys |= BT_PHY_BR_1M_5SLOT;
2857
2858 /* ACL logical transport (2 Mb/s) ptt=1:
2859 * 2-DH1, 2-DH3 and 2-DH5.
2860 */
2861 if (!(conn->pkt_type & HCI_2DH1))
2862 phys |= BT_PHY_EDR_2M_1SLOT;
2863
2864 if (!(conn->pkt_type & HCI_2DH3))
2865 phys |= BT_PHY_EDR_2M_3SLOT;
2866
2867 if (!(conn->pkt_type & HCI_2DH5))
2868 phys |= BT_PHY_EDR_2M_5SLOT;
2869
2870 /* ACL logical transport (3 Mb/s) ptt=1:
2871 * 3-DH1, 3-DH3 and 3-DH5.
2872 */
2873 if (!(conn->pkt_type & HCI_3DH1))
2874 phys |= BT_PHY_EDR_3M_1SLOT;
2875
2876 if (!(conn->pkt_type & HCI_3DH3))
2877 phys |= BT_PHY_EDR_3M_3SLOT;
2878
2879 if (!(conn->pkt_type & HCI_3DH5))
2880 phys |= BT_PHY_EDR_3M_5SLOT;
2881
2882 break;
2883
2884 case ESCO_LINK:
2885 /* eSCO logical transport (1 Mb/s): EV3, EV4 and EV5 */
2886 phys |= BT_PHY_BR_1M_1SLOT;
2887
2888 if (!(conn->pkt_type & (ESCO_EV4 | ESCO_EV5)))
2889 phys |= BT_PHY_BR_1M_3SLOT;
2890
2891 /* eSCO logical transport (2 Mb/s): 2-EV3, 2-EV5 */
2892 if (!(conn->pkt_type & ESCO_2EV3))
2893 phys |= BT_PHY_EDR_2M_1SLOT;
2894
2895 if (!(conn->pkt_type & ESCO_2EV5))
2896 phys |= BT_PHY_EDR_2M_3SLOT;
2897
2898 /* eSCO logical transport (3 Mb/s): 3-EV3, 3-EV5 */
2899 if (!(conn->pkt_type & ESCO_3EV3))
2900 phys |= BT_PHY_EDR_3M_1SLOT;
2901
2902 if (!(conn->pkt_type & ESCO_3EV5))
2903 phys |= BT_PHY_EDR_3M_3SLOT;
2904
2905 break;
2906
2907 case LE_LINK:
2908 if (conn->le_tx_phy & HCI_LE_SET_PHY_1M)
2909 phys |= BT_PHY_LE_1M_TX;
2910
2911 if (conn->le_rx_phy & HCI_LE_SET_PHY_1M)
2912 phys |= BT_PHY_LE_1M_RX;
2913
2914 if (conn->le_tx_phy & HCI_LE_SET_PHY_2M)
2915 phys |= BT_PHY_LE_2M_TX;
2916
2917 if (conn->le_rx_phy & HCI_LE_SET_PHY_2M)
2918 phys |= BT_PHY_LE_2M_RX;
2919
2920 if (conn->le_tx_phy & HCI_LE_SET_PHY_CODED)
2921 phys |= BT_PHY_LE_CODED_TX;
2922
2923 if (conn->le_rx_phy & HCI_LE_SET_PHY_CODED)
2924 phys |= BT_PHY_LE_CODED_RX;
2925
2926 break;
2927 }
2928
2929 return phys;
2930 }
2931
abort_conn_sync(struct hci_dev * hdev,void * data)2932 static int abort_conn_sync(struct hci_dev *hdev, void *data)
2933 {
2934 struct hci_conn *conn = data;
2935
2936 if (!hci_conn_valid(hdev, conn))
2937 return -ECANCELED;
2938
2939 return hci_abort_conn_sync(hdev, conn, conn->abort_reason);
2940 }
2941
hci_abort_conn(struct hci_conn * conn,u8 reason)2942 int hci_abort_conn(struct hci_conn *conn, u8 reason)
2943 {
2944 struct hci_dev *hdev = conn->hdev;
2945
2946 /* If abort_reason has already been set it means the connection is
2947 * already being aborted so don't attempt to overwrite it.
2948 */
2949 if (conn->abort_reason)
2950 return 0;
2951
2952 bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason);
2953
2954 conn->abort_reason = reason;
2955
2956 /* If the connection is pending check the command opcode since that
2957 * might be blocking on hci_cmd_sync_work while waiting its respective
2958 * event so we need to hci_cmd_sync_cancel to cancel it.
2959 *
2960 * hci_connect_le serializes the connection attempts so only one
2961 * connection can be in BT_CONNECT at time.
2962 */
2963 if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) {
2964 switch (hci_skb_event(hdev->sent_cmd)) {
2965 case HCI_EV_CONN_COMPLETE:
2966 case HCI_EV_LE_CONN_COMPLETE:
2967 case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
2968 case HCI_EVT_LE_CIS_ESTABLISHED:
2969 hci_cmd_sync_cancel(hdev, ECANCELED);
2970 break;
2971 }
2972 /* Cancel connect attempt if still queued/pending */
2973 } else if (!hci_cancel_connect_sync(hdev, conn)) {
2974 return 0;
2975 }
2976
2977 /* Run immediately if on cmd_sync_work since this may be called
2978 * as a result to MGMT_OP_DISCONNECT/MGMT_OP_UNPAIR which does
2979 * already queue its callback on cmd_sync_work.
2980 */
2981 return hci_cmd_sync_run_once(hdev, abort_conn_sync, conn, NULL);
2982 }
2983
hci_setup_tx_timestamp(struct sk_buff * skb,size_t key_offset,const struct sockcm_cookie * sockc)2984 void hci_setup_tx_timestamp(struct sk_buff *skb, size_t key_offset,
2985 const struct sockcm_cookie *sockc)
2986 {
2987 struct sock *sk = skb ? skb->sk : NULL;
2988 int key;
2989
2990 /* This shall be called on a single skb of those generated by user
2991 * sendmsg(), and only when the sendmsg() does not return error to
2992 * user. This is required for keeping the tskey that increments here in
2993 * sync with possible sendmsg() counting by user.
2994 *
2995 * Stream sockets shall set key_offset to sendmsg() length in bytes
2996 * and call with the last fragment, others to 1 and first fragment.
2997 */
2998
2999 if (!skb || !sockc || !sk || !key_offset)
3000 return;
3001
3002 sock_tx_timestamp(sk, sockc, &skb_shinfo(skb)->tx_flags);
3003
3004 if (sk->sk_type == SOCK_STREAM)
3005 key = atomic_add_return(key_offset, &sk->sk_tskey);
3006
3007 if (sockc->tsflags & SOF_TIMESTAMPING_OPT_ID &&
3008 sockc->tsflags & SOF_TIMESTAMPING_TX_RECORD_MASK) {
3009 if (sockc->tsflags & SOCKCM_FLAG_TS_OPT_ID) {
3010 skb_shinfo(skb)->tskey = sockc->ts_opt_id;
3011 } else {
3012 if (sk->sk_type != SOCK_STREAM)
3013 key = atomic_inc_return(&sk->sk_tskey);
3014 skb_shinfo(skb)->tskey = key - 1;
3015 }
3016 }
3017 }
3018
hci_conn_tx_queue(struct hci_conn * conn,struct sk_buff * skb)3019 void hci_conn_tx_queue(struct hci_conn *conn, struct sk_buff *skb)
3020 {
3021 struct tx_queue *comp = &conn->tx_q;
3022 bool track = false;
3023
3024 /* Emit SND now, ie. just before sending to driver */
3025 if (skb_shinfo(skb)->tx_flags & SKBTX_SW_TSTAMP)
3026 __skb_tstamp_tx(skb, NULL, NULL, skb->sk, SCM_TSTAMP_SND);
3027
3028 /* COMPLETION tstamp is emitted for tracked skb later in Number of
3029 * Completed Packets event. Available only for flow controlled cases.
3030 *
3031 * TODO: SCO support without flowctl (needs to be done in drivers)
3032 */
3033 switch (conn->type) {
3034 case CIS_LINK:
3035 case BIS_LINK:
3036 case PA_LINK:
3037 case ACL_LINK:
3038 case LE_LINK:
3039 break;
3040 case SCO_LINK:
3041 case ESCO_LINK:
3042 if (!hci_dev_test_flag(conn->hdev, HCI_SCO_FLOWCTL))
3043 return;
3044 break;
3045 default:
3046 return;
3047 }
3048
3049 if (skb->sk && (skb_shinfo(skb)->tx_flags & SKBTX_COMPLETION_TSTAMP))
3050 track = true;
3051
3052 /* If nothing is tracked, just count extra skbs at the queue head */
3053 if (!track && !comp->tracked) {
3054 comp->extra++;
3055 return;
3056 }
3057
3058 if (track) {
3059 skb = skb_clone_sk(skb);
3060 if (!skb)
3061 goto count_only;
3062
3063 comp->tracked++;
3064 } else {
3065 skb = skb_clone(skb, GFP_KERNEL);
3066 if (!skb)
3067 goto count_only;
3068 }
3069
3070 skb_queue_tail(&comp->queue, skb);
3071 return;
3072
3073 count_only:
3074 /* Stop tracking skbs, and only count. This will not emit timestamps for
3075 * the packets, but if we get here something is more seriously wrong.
3076 */
3077 comp->tracked = 0;
3078 comp->extra += skb_queue_len(&comp->queue) + 1;
3079 skb_queue_purge(&comp->queue);
3080 }
3081
hci_conn_tx_dequeue(struct hci_conn * conn)3082 void hci_conn_tx_dequeue(struct hci_conn *conn)
3083 {
3084 struct tx_queue *comp = &conn->tx_q;
3085 struct sk_buff *skb;
3086
3087 /* If there are tracked skbs, the counted extra go before dequeuing real
3088 * skbs, to keep ordering. When nothing is tracked, the ordering doesn't
3089 * matter so dequeue real skbs first to get rid of them ASAP.
3090 */
3091 if (comp->extra && (comp->tracked || skb_queue_empty(&comp->queue))) {
3092 comp->extra--;
3093 return;
3094 }
3095
3096 skb = skb_dequeue(&comp->queue);
3097 if (!skb)
3098 return;
3099
3100 if (skb->sk) {
3101 comp->tracked--;
3102 __skb_tstamp_tx(skb, NULL, NULL, skb->sk,
3103 SCM_TSTAMP_COMPLETION);
3104 }
3105
3106 kfree_skb(skb);
3107 }
3108
hci_conn_key_enc_size(struct hci_conn * conn)3109 u8 *hci_conn_key_enc_size(struct hci_conn *conn)
3110 {
3111 if (conn->type == ACL_LINK) {
3112 struct link_key *key;
3113
3114 key = hci_find_link_key(conn->hdev, &conn->dst);
3115 if (!key)
3116 return NULL;
3117
3118 return &key->pin_len;
3119 } else if (conn->type == LE_LINK) {
3120 struct smp_ltk *ltk;
3121
3122 ltk = hci_find_ltk(conn->hdev, &conn->dst, conn->dst_type,
3123 conn->role);
3124 if (!ltk)
3125 return NULL;
3126
3127 return <k->enc_size;
3128 }
3129
3130 return NULL;
3131 }
3132
hci_ethtool_ts_info(unsigned int index,int sk_proto,struct kernel_ethtool_ts_info * info)3133 int hci_ethtool_ts_info(unsigned int index, int sk_proto,
3134 struct kernel_ethtool_ts_info *info)
3135 {
3136 struct hci_dev *hdev;
3137
3138 hdev = hci_dev_get(index);
3139 if (!hdev)
3140 return -ENODEV;
3141
3142 info->so_timestamping =
3143 SOF_TIMESTAMPING_RX_SOFTWARE |
3144 SOF_TIMESTAMPING_SOFTWARE;
3145 info->phc_index = -1;
3146 info->tx_types = BIT(HWTSTAMP_TX_OFF);
3147 info->rx_filters = BIT(HWTSTAMP_FILTER_NONE);
3148
3149 switch (sk_proto) {
3150 case BTPROTO_ISO:
3151 case BTPROTO_L2CAP:
3152 info->so_timestamping |= SOF_TIMESTAMPING_TX_SOFTWARE;
3153 info->so_timestamping |= SOF_TIMESTAMPING_TX_COMPLETION;
3154 break;
3155 case BTPROTO_SCO:
3156 info->so_timestamping |= SOF_TIMESTAMPING_TX_SOFTWARE;
3157 if (hci_dev_test_flag(hdev, HCI_SCO_FLOWCTL))
3158 info->so_timestamping |= SOF_TIMESTAMPING_TX_COMPLETION;
3159 break;
3160 }
3161
3162 hci_dev_put(hdev);
3163 return 0;
3164 }
3165