1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License version 2 as 9 published by the Free Software Foundation; 10 11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 22 SOFTWARE IS DISCLAIMED. 23 */ 24 25 /* Bluetooth HCI connection handling. */ 26 27 #include <linux/export.h> 28 #include <linux/debugfs.h> 29 30 #include <net/bluetooth/bluetooth.h> 31 #include <net/bluetooth/hci_core.h> 32 #include <net/bluetooth/l2cap.h> 33 #include <net/bluetooth/iso.h> 34 #include <net/bluetooth/mgmt.h> 35 36 #include "hci_request.h" 37 #include "smp.h" 38 #include "a2mp.h" 39 #include "eir.h" 40 41 struct sco_param { 42 u16 pkt_type; 43 u16 max_latency; 44 u8 retrans_effort; 45 }; 46 47 struct conn_handle_t { 48 struct hci_conn *conn; 49 __u16 handle; 50 }; 51 52 static const struct sco_param esco_param_cvsd[] = { 53 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */ 54 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */ 55 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */ 56 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */ 57 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */ 58 }; 59 60 static const struct sco_param sco_param_cvsd[] = { 61 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */ 62 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */ 63 }; 64 65 static const struct sco_param esco_param_msbc[] = { 66 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */ 67 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */ 68 }; 69 70 /* This function requires the caller holds hdev->lock */ 71 static void hci_connect_le_scan_cleanup(struct hci_conn *conn) 72 { 73 struct hci_conn_params *params; 74 struct hci_dev *hdev = conn->hdev; 75 struct smp_irk *irk; 76 bdaddr_t *bdaddr; 77 u8 bdaddr_type; 78 79 bdaddr = &conn->dst; 80 bdaddr_type = conn->dst_type; 81 82 /* Check if we need to convert to identity address */ 83 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 84 if (irk) { 85 bdaddr = &irk->bdaddr; 86 bdaddr_type = irk->addr_type; 87 } 88 89 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr, 90 bdaddr_type); 91 if (!params || !params->explicit_connect) 92 return; 93 94 /* The connection attempt was doing scan for new RPA, and is 95 * in scan phase. If params are not associated with any other 96 * autoconnect action, remove them completely. If they are, just unmark 97 * them as waiting for connection, by clearing explicit_connect field. 98 */ 99 params->explicit_connect = false; 100 101 list_del_init(¶ms->action); 102 103 switch (params->auto_connect) { 104 case HCI_AUTO_CONN_EXPLICIT: 105 hci_conn_params_del(hdev, bdaddr, bdaddr_type); 106 /* return instead of break to avoid duplicate scan update */ 107 return; 108 case HCI_AUTO_CONN_DIRECT: 109 case HCI_AUTO_CONN_ALWAYS: 110 list_add(¶ms->action, &hdev->pend_le_conns); 111 break; 112 case HCI_AUTO_CONN_REPORT: 113 list_add(¶ms->action, &hdev->pend_le_reports); 114 break; 115 default: 116 break; 117 } 118 119 hci_update_passive_scan(hdev); 120 } 121 122 static void hci_conn_cleanup(struct hci_conn *conn) 123 { 124 struct hci_dev *hdev = conn->hdev; 125 126 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags)) 127 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type); 128 129 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 130 hci_remove_link_key(hdev, &conn->dst); 131 132 hci_chan_list_flush(conn); 133 134 hci_conn_hash_del(hdev, conn); 135 136 if (conn->cleanup) 137 conn->cleanup(conn); 138 139 if (conn->type == SCO_LINK || conn->type == ESCO_LINK) { 140 switch (conn->setting & SCO_AIRMODE_MASK) { 141 case SCO_AIRMODE_CVSD: 142 case SCO_AIRMODE_TRANSP: 143 if (hdev->notify) 144 hdev->notify(hdev, HCI_NOTIFY_DISABLE_SCO); 145 break; 146 } 147 } else { 148 if (hdev->notify) 149 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL); 150 } 151 152 hci_conn_del_sysfs(conn); 153 154 debugfs_remove_recursive(conn->debugfs); 155 156 hci_dev_put(hdev); 157 158 hci_conn_put(conn); 159 } 160 161 static void le_scan_cleanup(struct work_struct *work) 162 { 163 struct hci_conn *conn = container_of(work, struct hci_conn, 164 le_scan_cleanup); 165 struct hci_dev *hdev = conn->hdev; 166 struct hci_conn *c = NULL; 167 168 BT_DBG("%s hcon %p", hdev->name, conn); 169 170 hci_dev_lock(hdev); 171 172 /* Check that the hci_conn is still around */ 173 rcu_read_lock(); 174 list_for_each_entry_rcu(c, &hdev->conn_hash.list, list) { 175 if (c == conn) 176 break; 177 } 178 rcu_read_unlock(); 179 180 if (c == conn) { 181 hci_connect_le_scan_cleanup(conn); 182 hci_conn_cleanup(conn); 183 } 184 185 hci_dev_unlock(hdev); 186 hci_dev_put(hdev); 187 hci_conn_put(conn); 188 } 189 190 static void hci_connect_le_scan_remove(struct hci_conn *conn) 191 { 192 BT_DBG("%s hcon %p", conn->hdev->name, conn); 193 194 /* We can't call hci_conn_del/hci_conn_cleanup here since that 195 * could deadlock with another hci_conn_del() call that's holding 196 * hci_dev_lock and doing cancel_delayed_work_sync(&conn->disc_work). 197 * Instead, grab temporary extra references to the hci_dev and 198 * hci_conn and perform the necessary cleanup in a separate work 199 * callback. 200 */ 201 202 hci_dev_hold(conn->hdev); 203 hci_conn_get(conn); 204 205 /* Even though we hold a reference to the hdev, many other 206 * things might get cleaned up meanwhile, including the hdev's 207 * own workqueue, so we can't use that for scheduling. 208 */ 209 schedule_work(&conn->le_scan_cleanup); 210 } 211 212 static void hci_acl_create_connection(struct hci_conn *conn) 213 { 214 struct hci_dev *hdev = conn->hdev; 215 struct inquiry_entry *ie; 216 struct hci_cp_create_conn cp; 217 218 BT_DBG("hcon %p", conn); 219 220 /* Many controllers disallow HCI Create Connection while it is doing 221 * HCI Inquiry. So we cancel the Inquiry first before issuing HCI Create 222 * Connection. This may cause the MGMT discovering state to become false 223 * without user space's request but it is okay since the MGMT Discovery 224 * APIs do not promise that discovery should be done forever. Instead, 225 * the user space monitors the status of MGMT discovering and it may 226 * request for discovery again when this flag becomes false. 227 */ 228 if (test_bit(HCI_INQUIRY, &hdev->flags)) { 229 /* Put this connection to "pending" state so that it will be 230 * executed after the inquiry cancel command complete event. 231 */ 232 conn->state = BT_CONNECT2; 233 hci_send_cmd(hdev, HCI_OP_INQUIRY_CANCEL, 0, NULL); 234 return; 235 } 236 237 conn->state = BT_CONNECT; 238 conn->out = true; 239 conn->role = HCI_ROLE_MASTER; 240 241 conn->attempt++; 242 243 conn->link_policy = hdev->link_policy; 244 245 memset(&cp, 0, sizeof(cp)); 246 bacpy(&cp.bdaddr, &conn->dst); 247 cp.pscan_rep_mode = 0x02; 248 249 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 250 if (ie) { 251 if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) { 252 cp.pscan_rep_mode = ie->data.pscan_rep_mode; 253 cp.pscan_mode = ie->data.pscan_mode; 254 cp.clock_offset = ie->data.clock_offset | 255 cpu_to_le16(0x8000); 256 } 257 258 memcpy(conn->dev_class, ie->data.dev_class, 3); 259 } 260 261 cp.pkt_type = cpu_to_le16(conn->pkt_type); 262 if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER)) 263 cp.role_switch = 0x01; 264 else 265 cp.role_switch = 0x00; 266 267 hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp); 268 } 269 270 int hci_disconnect(struct hci_conn *conn, __u8 reason) 271 { 272 BT_DBG("hcon %p", conn); 273 274 /* When we are central of an established connection and it enters 275 * the disconnect timeout, then go ahead and try to read the 276 * current clock offset. Processing of the result is done 277 * within the event handling and hci_clock_offset_evt function. 278 */ 279 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER && 280 (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) { 281 struct hci_dev *hdev = conn->hdev; 282 struct hci_cp_read_clock_offset clkoff_cp; 283 284 clkoff_cp.handle = cpu_to_le16(conn->handle); 285 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp), 286 &clkoff_cp); 287 } 288 289 return hci_abort_conn(conn, reason); 290 } 291 292 static void hci_add_sco(struct hci_conn *conn, __u16 handle) 293 { 294 struct hci_dev *hdev = conn->hdev; 295 struct hci_cp_add_sco cp; 296 297 BT_DBG("hcon %p", conn); 298 299 conn->state = BT_CONNECT; 300 conn->out = true; 301 302 conn->attempt++; 303 304 cp.handle = cpu_to_le16(handle); 305 cp.pkt_type = cpu_to_le16(conn->pkt_type); 306 307 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp); 308 } 309 310 static bool find_next_esco_param(struct hci_conn *conn, 311 const struct sco_param *esco_param, int size) 312 { 313 for (; conn->attempt <= size; conn->attempt++) { 314 if (lmp_esco_2m_capable(conn->link) || 315 (esco_param[conn->attempt - 1].pkt_type & ESCO_2EV3)) 316 break; 317 BT_DBG("hcon %p skipped attempt %d, eSCO 2M not supported", 318 conn, conn->attempt); 319 } 320 321 return conn->attempt <= size; 322 } 323 324 static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec) 325 { 326 int err; 327 __u8 vnd_len, *vnd_data = NULL; 328 struct hci_op_configure_data_path *cmd = NULL; 329 330 err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len, 331 &vnd_data); 332 if (err < 0) 333 goto error; 334 335 cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL); 336 if (!cmd) { 337 err = -ENOMEM; 338 goto error; 339 } 340 341 err = hdev->get_data_path_id(hdev, &cmd->data_path_id); 342 if (err < 0) 343 goto error; 344 345 cmd->vnd_len = vnd_len; 346 memcpy(cmd->vnd_data, vnd_data, vnd_len); 347 348 cmd->direction = 0x00; 349 __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH, 350 sizeof(*cmd) + vnd_len, cmd, HCI_CMD_TIMEOUT); 351 352 cmd->direction = 0x01; 353 err = __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH, 354 sizeof(*cmd) + vnd_len, cmd, 355 HCI_CMD_TIMEOUT); 356 error: 357 358 kfree(cmd); 359 kfree(vnd_data); 360 return err; 361 } 362 363 static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data) 364 { 365 struct conn_handle_t *conn_handle = data; 366 struct hci_conn *conn = conn_handle->conn; 367 __u16 handle = conn_handle->handle; 368 struct hci_cp_enhanced_setup_sync_conn cp; 369 const struct sco_param *param; 370 371 kfree(conn_handle); 372 373 bt_dev_dbg(hdev, "hcon %p", conn); 374 375 /* for offload use case, codec needs to configured before opening SCO */ 376 if (conn->codec.data_path) 377 configure_datapath_sync(hdev, &conn->codec); 378 379 conn->state = BT_CONNECT; 380 conn->out = true; 381 382 conn->attempt++; 383 384 memset(&cp, 0x00, sizeof(cp)); 385 386 cp.handle = cpu_to_le16(handle); 387 388 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 389 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 390 391 switch (conn->codec.id) { 392 case BT_CODEC_MSBC: 393 if (!find_next_esco_param(conn, esco_param_msbc, 394 ARRAY_SIZE(esco_param_msbc))) 395 return -EINVAL; 396 397 param = &esco_param_msbc[conn->attempt - 1]; 398 cp.tx_coding_format.id = 0x05; 399 cp.rx_coding_format.id = 0x05; 400 cp.tx_codec_frame_size = __cpu_to_le16(60); 401 cp.rx_codec_frame_size = __cpu_to_le16(60); 402 cp.in_bandwidth = __cpu_to_le32(32000); 403 cp.out_bandwidth = __cpu_to_le32(32000); 404 cp.in_coding_format.id = 0x04; 405 cp.out_coding_format.id = 0x04; 406 cp.in_coded_data_size = __cpu_to_le16(16); 407 cp.out_coded_data_size = __cpu_to_le16(16); 408 cp.in_pcm_data_format = 2; 409 cp.out_pcm_data_format = 2; 410 cp.in_pcm_sample_payload_msb_pos = 0; 411 cp.out_pcm_sample_payload_msb_pos = 0; 412 cp.in_data_path = conn->codec.data_path; 413 cp.out_data_path = conn->codec.data_path; 414 cp.in_transport_unit_size = 1; 415 cp.out_transport_unit_size = 1; 416 break; 417 418 case BT_CODEC_TRANSPARENT: 419 if (!find_next_esco_param(conn, esco_param_msbc, 420 ARRAY_SIZE(esco_param_msbc))) 421 return false; 422 param = &esco_param_msbc[conn->attempt - 1]; 423 cp.tx_coding_format.id = 0x03; 424 cp.rx_coding_format.id = 0x03; 425 cp.tx_codec_frame_size = __cpu_to_le16(60); 426 cp.rx_codec_frame_size = __cpu_to_le16(60); 427 cp.in_bandwidth = __cpu_to_le32(0x1f40); 428 cp.out_bandwidth = __cpu_to_le32(0x1f40); 429 cp.in_coding_format.id = 0x03; 430 cp.out_coding_format.id = 0x03; 431 cp.in_coded_data_size = __cpu_to_le16(16); 432 cp.out_coded_data_size = __cpu_to_le16(16); 433 cp.in_pcm_data_format = 2; 434 cp.out_pcm_data_format = 2; 435 cp.in_pcm_sample_payload_msb_pos = 0; 436 cp.out_pcm_sample_payload_msb_pos = 0; 437 cp.in_data_path = conn->codec.data_path; 438 cp.out_data_path = conn->codec.data_path; 439 cp.in_transport_unit_size = 1; 440 cp.out_transport_unit_size = 1; 441 break; 442 443 case BT_CODEC_CVSD: 444 if (lmp_esco_capable(conn->link)) { 445 if (!find_next_esco_param(conn, esco_param_cvsd, 446 ARRAY_SIZE(esco_param_cvsd))) 447 return -EINVAL; 448 param = &esco_param_cvsd[conn->attempt - 1]; 449 } else { 450 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd)) 451 return -EINVAL; 452 param = &sco_param_cvsd[conn->attempt - 1]; 453 } 454 cp.tx_coding_format.id = 2; 455 cp.rx_coding_format.id = 2; 456 cp.tx_codec_frame_size = __cpu_to_le16(60); 457 cp.rx_codec_frame_size = __cpu_to_le16(60); 458 cp.in_bandwidth = __cpu_to_le32(16000); 459 cp.out_bandwidth = __cpu_to_le32(16000); 460 cp.in_coding_format.id = 4; 461 cp.out_coding_format.id = 4; 462 cp.in_coded_data_size = __cpu_to_le16(16); 463 cp.out_coded_data_size = __cpu_to_le16(16); 464 cp.in_pcm_data_format = 2; 465 cp.out_pcm_data_format = 2; 466 cp.in_pcm_sample_payload_msb_pos = 0; 467 cp.out_pcm_sample_payload_msb_pos = 0; 468 cp.in_data_path = conn->codec.data_path; 469 cp.out_data_path = conn->codec.data_path; 470 cp.in_transport_unit_size = 16; 471 cp.out_transport_unit_size = 16; 472 break; 473 default: 474 return -EINVAL; 475 } 476 477 cp.retrans_effort = param->retrans_effort; 478 cp.pkt_type = __cpu_to_le16(param->pkt_type); 479 cp.max_latency = __cpu_to_le16(param->max_latency); 480 481 if (hci_send_cmd(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0) 482 return -EIO; 483 484 return 0; 485 } 486 487 static bool hci_setup_sync_conn(struct hci_conn *conn, __u16 handle) 488 { 489 struct hci_dev *hdev = conn->hdev; 490 struct hci_cp_setup_sync_conn cp; 491 const struct sco_param *param; 492 493 bt_dev_dbg(hdev, "hcon %p", conn); 494 495 conn->state = BT_CONNECT; 496 conn->out = true; 497 498 conn->attempt++; 499 500 cp.handle = cpu_to_le16(handle); 501 502 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 503 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 504 cp.voice_setting = cpu_to_le16(conn->setting); 505 506 switch (conn->setting & SCO_AIRMODE_MASK) { 507 case SCO_AIRMODE_TRANSP: 508 if (!find_next_esco_param(conn, esco_param_msbc, 509 ARRAY_SIZE(esco_param_msbc))) 510 return false; 511 param = &esco_param_msbc[conn->attempt - 1]; 512 break; 513 case SCO_AIRMODE_CVSD: 514 if (lmp_esco_capable(conn->link)) { 515 if (!find_next_esco_param(conn, esco_param_cvsd, 516 ARRAY_SIZE(esco_param_cvsd))) 517 return false; 518 param = &esco_param_cvsd[conn->attempt - 1]; 519 } else { 520 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd)) 521 return false; 522 param = &sco_param_cvsd[conn->attempt - 1]; 523 } 524 break; 525 default: 526 return false; 527 } 528 529 cp.retrans_effort = param->retrans_effort; 530 cp.pkt_type = __cpu_to_le16(param->pkt_type); 531 cp.max_latency = __cpu_to_le16(param->max_latency); 532 533 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0) 534 return false; 535 536 return true; 537 } 538 539 bool hci_setup_sync(struct hci_conn *conn, __u16 handle) 540 { 541 int result; 542 struct conn_handle_t *conn_handle; 543 544 if (enhanced_sync_conn_capable(conn->hdev)) { 545 conn_handle = kzalloc(sizeof(*conn_handle), GFP_KERNEL); 546 547 if (!conn_handle) 548 return false; 549 550 conn_handle->conn = conn; 551 conn_handle->handle = handle; 552 result = hci_cmd_sync_queue(conn->hdev, hci_enhanced_setup_sync, 553 conn_handle, NULL); 554 if (result < 0) 555 kfree(conn_handle); 556 557 return result == 0; 558 } 559 560 return hci_setup_sync_conn(conn, handle); 561 } 562 563 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency, 564 u16 to_multiplier) 565 { 566 struct hci_dev *hdev = conn->hdev; 567 struct hci_conn_params *params; 568 struct hci_cp_le_conn_update cp; 569 570 hci_dev_lock(hdev); 571 572 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 573 if (params) { 574 params->conn_min_interval = min; 575 params->conn_max_interval = max; 576 params->conn_latency = latency; 577 params->supervision_timeout = to_multiplier; 578 } 579 580 hci_dev_unlock(hdev); 581 582 memset(&cp, 0, sizeof(cp)); 583 cp.handle = cpu_to_le16(conn->handle); 584 cp.conn_interval_min = cpu_to_le16(min); 585 cp.conn_interval_max = cpu_to_le16(max); 586 cp.conn_latency = cpu_to_le16(latency); 587 cp.supervision_timeout = cpu_to_le16(to_multiplier); 588 cp.min_ce_len = cpu_to_le16(0x0000); 589 cp.max_ce_len = cpu_to_le16(0x0000); 590 591 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp); 592 593 if (params) 594 return 0x01; 595 596 return 0x00; 597 } 598 599 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand, 600 __u8 ltk[16], __u8 key_size) 601 { 602 struct hci_dev *hdev = conn->hdev; 603 struct hci_cp_le_start_enc cp; 604 605 BT_DBG("hcon %p", conn); 606 607 memset(&cp, 0, sizeof(cp)); 608 609 cp.handle = cpu_to_le16(conn->handle); 610 cp.rand = rand; 611 cp.ediv = ediv; 612 memcpy(cp.ltk, ltk, key_size); 613 614 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp); 615 } 616 617 /* Device _must_ be locked */ 618 void hci_sco_setup(struct hci_conn *conn, __u8 status) 619 { 620 struct hci_conn *sco = conn->link; 621 622 if (!sco) 623 return; 624 625 BT_DBG("hcon %p", conn); 626 627 if (!status) { 628 if (lmp_esco_capable(conn->hdev)) 629 hci_setup_sync(sco, conn->handle); 630 else 631 hci_add_sco(sco, conn->handle); 632 } else { 633 hci_connect_cfm(sco, status); 634 hci_conn_del(sco); 635 } 636 } 637 638 static void hci_conn_timeout(struct work_struct *work) 639 { 640 struct hci_conn *conn = container_of(work, struct hci_conn, 641 disc_work.work); 642 int refcnt = atomic_read(&conn->refcnt); 643 644 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state)); 645 646 WARN_ON(refcnt < 0); 647 648 /* FIXME: It was observed that in pairing failed scenario, refcnt 649 * drops below 0. Probably this is because l2cap_conn_del calls 650 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is 651 * dropped. After that loop hci_chan_del is called which also drops 652 * conn. For now make sure that ACL is alive if refcnt is higher then 0, 653 * otherwise drop it. 654 */ 655 if (refcnt > 0) 656 return; 657 658 /* LE connections in scanning state need special handling */ 659 if (conn->state == BT_CONNECT && conn->type == LE_LINK && 660 test_bit(HCI_CONN_SCANNING, &conn->flags)) { 661 hci_connect_le_scan_remove(conn); 662 return; 663 } 664 665 hci_abort_conn(conn, hci_proto_disconn_ind(conn)); 666 } 667 668 /* Enter sniff mode */ 669 static void hci_conn_idle(struct work_struct *work) 670 { 671 struct hci_conn *conn = container_of(work, struct hci_conn, 672 idle_work.work); 673 struct hci_dev *hdev = conn->hdev; 674 675 BT_DBG("hcon %p mode %d", conn, conn->mode); 676 677 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn)) 678 return; 679 680 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF)) 681 return; 682 683 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) { 684 struct hci_cp_sniff_subrate cp; 685 cp.handle = cpu_to_le16(conn->handle); 686 cp.max_latency = cpu_to_le16(0); 687 cp.min_remote_timeout = cpu_to_le16(0); 688 cp.min_local_timeout = cpu_to_le16(0); 689 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp); 690 } 691 692 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) { 693 struct hci_cp_sniff_mode cp; 694 cp.handle = cpu_to_le16(conn->handle); 695 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval); 696 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval); 697 cp.attempt = cpu_to_le16(4); 698 cp.timeout = cpu_to_le16(1); 699 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp); 700 } 701 } 702 703 static void hci_conn_auto_accept(struct work_struct *work) 704 { 705 struct hci_conn *conn = container_of(work, struct hci_conn, 706 auto_accept_work.work); 707 708 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst), 709 &conn->dst); 710 } 711 712 static void le_disable_advertising(struct hci_dev *hdev) 713 { 714 if (ext_adv_capable(hdev)) { 715 struct hci_cp_le_set_ext_adv_enable cp; 716 717 cp.enable = 0x00; 718 cp.num_of_sets = 0x00; 719 720 hci_send_cmd(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE, sizeof(cp), 721 &cp); 722 } else { 723 u8 enable = 0x00; 724 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), 725 &enable); 726 } 727 } 728 729 static void le_conn_timeout(struct work_struct *work) 730 { 731 struct hci_conn *conn = container_of(work, struct hci_conn, 732 le_conn_timeout.work); 733 struct hci_dev *hdev = conn->hdev; 734 735 BT_DBG(""); 736 737 /* We could end up here due to having done directed advertising, 738 * so clean up the state if necessary. This should however only 739 * happen with broken hardware or if low duty cycle was used 740 * (which doesn't have a timeout of its own). 741 */ 742 if (conn->role == HCI_ROLE_SLAVE) { 743 /* Disable LE Advertising */ 744 le_disable_advertising(hdev); 745 hci_dev_lock(hdev); 746 hci_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT); 747 hci_dev_unlock(hdev); 748 return; 749 } 750 751 hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM); 752 } 753 754 struct iso_list_data { 755 union { 756 u8 cig; 757 u8 big; 758 }; 759 union { 760 u8 cis; 761 u8 bis; 762 u16 sync_handle; 763 }; 764 int count; 765 struct { 766 struct hci_cp_le_set_cig_params cp; 767 struct hci_cis_params cis[0x11]; 768 } pdu; 769 }; 770 771 static void bis_list(struct hci_conn *conn, void *data) 772 { 773 struct iso_list_data *d = data; 774 775 /* Skip if not broadcast/ANY address */ 776 if (bacmp(&conn->dst, BDADDR_ANY)) 777 return; 778 779 if (d->big != conn->iso_qos.big || d->bis == BT_ISO_QOS_BIS_UNSET || 780 d->bis != conn->iso_qos.bis) 781 return; 782 783 d->count++; 784 } 785 786 static void find_bis(struct hci_conn *conn, void *data) 787 { 788 struct iso_list_data *d = data; 789 790 /* Ignore unicast */ 791 if (bacmp(&conn->dst, BDADDR_ANY)) 792 return; 793 794 d->count++; 795 } 796 797 static int terminate_big_sync(struct hci_dev *hdev, void *data) 798 { 799 struct iso_list_data *d = data; 800 801 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", d->big, d->bis); 802 803 hci_remove_ext_adv_instance_sync(hdev, d->bis, NULL); 804 805 /* Check if ISO connection is a BIS and terminate BIG if there are 806 * no other connections using it. 807 */ 808 hci_conn_hash_list_state(hdev, find_bis, ISO_LINK, BT_CONNECTED, d); 809 if (d->count) 810 return 0; 811 812 return hci_le_terminate_big_sync(hdev, d->big, 813 HCI_ERROR_LOCAL_HOST_TERM); 814 } 815 816 static void terminate_big_destroy(struct hci_dev *hdev, void *data, int err) 817 { 818 kfree(data); 819 } 820 821 static int hci_le_terminate_big(struct hci_dev *hdev, u8 big, u8 bis) 822 { 823 struct iso_list_data *d; 824 int ret; 825 826 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", big, bis); 827 828 d = kzalloc(sizeof(*d), GFP_KERNEL); 829 if (!d) 830 return -ENOMEM; 831 832 d->big = big; 833 d->bis = bis; 834 835 ret = hci_cmd_sync_queue(hdev, terminate_big_sync, d, 836 terminate_big_destroy); 837 if (ret) 838 kfree(d); 839 840 return ret; 841 } 842 843 static int big_terminate_sync(struct hci_dev *hdev, void *data) 844 { 845 struct iso_list_data *d = data; 846 847 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", d->big, 848 d->sync_handle); 849 850 /* Check if ISO connection is a BIS and terminate BIG if there are 851 * no other connections using it. 852 */ 853 hci_conn_hash_list_state(hdev, find_bis, ISO_LINK, BT_CONNECTED, d); 854 if (d->count) 855 return 0; 856 857 hci_le_big_terminate_sync(hdev, d->big); 858 859 return hci_le_pa_terminate_sync(hdev, d->sync_handle); 860 } 861 862 static int hci_le_big_terminate(struct hci_dev *hdev, u8 big, u16 sync_handle) 863 { 864 struct iso_list_data *d; 865 int ret; 866 867 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", big, sync_handle); 868 869 d = kzalloc(sizeof(*d), GFP_KERNEL); 870 if (!d) 871 return -ENOMEM; 872 873 d->big = big; 874 d->sync_handle = sync_handle; 875 876 ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d, 877 terminate_big_destroy); 878 if (ret) 879 kfree(d); 880 881 return ret; 882 } 883 884 /* Cleanup BIS connection 885 * 886 * Detects if there any BIS left connected in a BIG 887 * broadcaster: Remove advertising instance and terminate BIG. 888 * broadcaster receiver: Teminate BIG sync and terminate PA sync. 889 */ 890 static void bis_cleanup(struct hci_conn *conn) 891 { 892 struct hci_dev *hdev = conn->hdev; 893 894 bt_dev_dbg(hdev, "conn %p", conn); 895 896 if (conn->role == HCI_ROLE_MASTER) { 897 if (!test_and_clear_bit(HCI_CONN_PER_ADV, &conn->flags)) 898 return; 899 900 hci_le_terminate_big(hdev, conn->iso_qos.big, 901 conn->iso_qos.bis); 902 } else { 903 hci_le_big_terminate(hdev, conn->iso_qos.big, 904 conn->sync_handle); 905 } 906 } 907 908 static int remove_cig_sync(struct hci_dev *hdev, void *data) 909 { 910 u8 handle = PTR_ERR(data); 911 912 return hci_le_remove_cig_sync(hdev, handle); 913 } 914 915 static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle) 916 { 917 bt_dev_dbg(hdev, "handle 0x%2.2x", handle); 918 919 return hci_cmd_sync_queue(hdev, remove_cig_sync, ERR_PTR(handle), NULL); 920 } 921 922 static void find_cis(struct hci_conn *conn, void *data) 923 { 924 struct iso_list_data *d = data; 925 926 /* Ignore broadcast */ 927 if (!bacmp(&conn->dst, BDADDR_ANY)) 928 return; 929 930 d->count++; 931 } 932 933 /* Cleanup CIS connection: 934 * 935 * Detects if there any CIS left connected in a CIG and remove it. 936 */ 937 static void cis_cleanup(struct hci_conn *conn) 938 { 939 struct hci_dev *hdev = conn->hdev; 940 struct iso_list_data d; 941 942 memset(&d, 0, sizeof(d)); 943 d.cig = conn->iso_qos.cig; 944 945 /* Check if ISO connection is a CIS and remove CIG if there are 946 * no other connections using it. 947 */ 948 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECTED, &d); 949 if (d.count) 950 return; 951 952 hci_le_remove_cig(hdev, conn->iso_qos.cig); 953 } 954 955 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst, 956 u8 role) 957 { 958 struct hci_conn *conn; 959 960 BT_DBG("%s dst %pMR", hdev->name, dst); 961 962 conn = kzalloc(sizeof(*conn), GFP_KERNEL); 963 if (!conn) 964 return NULL; 965 966 bacpy(&conn->dst, dst); 967 bacpy(&conn->src, &hdev->bdaddr); 968 conn->handle = HCI_CONN_HANDLE_UNSET; 969 conn->hdev = hdev; 970 conn->type = type; 971 conn->role = role; 972 conn->mode = HCI_CM_ACTIVE; 973 conn->state = BT_OPEN; 974 conn->auth_type = HCI_AT_GENERAL_BONDING; 975 conn->io_capability = hdev->io_capability; 976 conn->remote_auth = 0xff; 977 conn->key_type = 0xff; 978 conn->rssi = HCI_RSSI_INVALID; 979 conn->tx_power = HCI_TX_POWER_INVALID; 980 conn->max_tx_power = HCI_TX_POWER_INVALID; 981 982 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 983 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 984 985 /* Set Default Authenticated payload timeout to 30s */ 986 conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT; 987 988 if (conn->role == HCI_ROLE_MASTER) 989 conn->out = true; 990 991 switch (type) { 992 case ACL_LINK: 993 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK; 994 break; 995 case LE_LINK: 996 /* conn->src should reflect the local identity address */ 997 hci_copy_identity_address(hdev, &conn->src, &conn->src_type); 998 break; 999 case ISO_LINK: 1000 /* conn->src should reflect the local identity address */ 1001 hci_copy_identity_address(hdev, &conn->src, &conn->src_type); 1002 1003 /* set proper cleanup function */ 1004 if (!bacmp(dst, BDADDR_ANY)) 1005 conn->cleanup = bis_cleanup; 1006 else if (conn->role == HCI_ROLE_MASTER) 1007 conn->cleanup = cis_cleanup; 1008 1009 break; 1010 case SCO_LINK: 1011 if (lmp_esco_capable(hdev)) 1012 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 1013 (hdev->esco_type & EDR_ESCO_MASK); 1014 else 1015 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK; 1016 break; 1017 case ESCO_LINK: 1018 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK; 1019 break; 1020 } 1021 1022 skb_queue_head_init(&conn->data_q); 1023 1024 INIT_LIST_HEAD(&conn->chan_list); 1025 1026 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout); 1027 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept); 1028 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle); 1029 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout); 1030 INIT_WORK(&conn->le_scan_cleanup, le_scan_cleanup); 1031 1032 atomic_set(&conn->refcnt, 0); 1033 1034 hci_dev_hold(hdev); 1035 1036 hci_conn_hash_add(hdev, conn); 1037 1038 /* The SCO and eSCO connections will only be notified when their 1039 * setup has been completed. This is different to ACL links which 1040 * can be notified right away. 1041 */ 1042 if (conn->type != SCO_LINK && conn->type != ESCO_LINK) { 1043 if (hdev->notify) 1044 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD); 1045 } 1046 1047 hci_conn_init_sysfs(conn); 1048 1049 return conn; 1050 } 1051 1052 int hci_conn_del(struct hci_conn *conn) 1053 { 1054 struct hci_dev *hdev = conn->hdev; 1055 1056 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle); 1057 1058 cancel_delayed_work_sync(&conn->disc_work); 1059 cancel_delayed_work_sync(&conn->auto_accept_work); 1060 cancel_delayed_work_sync(&conn->idle_work); 1061 1062 if (conn->type == ACL_LINK) { 1063 struct hci_conn *sco = conn->link; 1064 if (sco) { 1065 sco->link = NULL; 1066 /* Due to race, SCO connection might be not established 1067 * yet at this point. Delete it now, otherwise it is 1068 * possible for it to be stuck and can't be deleted. 1069 */ 1070 if (sco->handle == HCI_CONN_HANDLE_UNSET) 1071 hci_conn_del(sco); 1072 } 1073 1074 /* Unacked frames */ 1075 hdev->acl_cnt += conn->sent; 1076 } else if (conn->type == LE_LINK) { 1077 cancel_delayed_work(&conn->le_conn_timeout); 1078 1079 if (hdev->le_pkts) 1080 hdev->le_cnt += conn->sent; 1081 else 1082 hdev->acl_cnt += conn->sent; 1083 } else { 1084 struct hci_conn *acl = conn->link; 1085 1086 if (acl) { 1087 acl->link = NULL; 1088 hci_conn_drop(acl); 1089 } 1090 1091 /* Unacked ISO frames */ 1092 if (conn->type == ISO_LINK) { 1093 if (hdev->iso_pkts) 1094 hdev->iso_cnt += conn->sent; 1095 else if (hdev->le_pkts) 1096 hdev->le_cnt += conn->sent; 1097 else 1098 hdev->acl_cnt += conn->sent; 1099 } 1100 } 1101 1102 if (conn->amp_mgr) 1103 amp_mgr_put(conn->amp_mgr); 1104 1105 skb_queue_purge(&conn->data_q); 1106 1107 /* Remove the connection from the list and cleanup its remaining 1108 * state. This is a separate function since for some cases like 1109 * BT_CONNECT_SCAN we *only* want the cleanup part without the 1110 * rest of hci_conn_del. 1111 */ 1112 hci_conn_cleanup(conn); 1113 1114 return 0; 1115 } 1116 1117 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type) 1118 { 1119 int use_src = bacmp(src, BDADDR_ANY); 1120 struct hci_dev *hdev = NULL, *d; 1121 1122 BT_DBG("%pMR -> %pMR", src, dst); 1123 1124 read_lock(&hci_dev_list_lock); 1125 1126 list_for_each_entry(d, &hci_dev_list, list) { 1127 if (!test_bit(HCI_UP, &d->flags) || 1128 hci_dev_test_flag(d, HCI_USER_CHANNEL) || 1129 d->dev_type != HCI_PRIMARY) 1130 continue; 1131 1132 /* Simple routing: 1133 * No source address - find interface with bdaddr != dst 1134 * Source address - find interface with bdaddr == src 1135 */ 1136 1137 if (use_src) { 1138 bdaddr_t id_addr; 1139 u8 id_addr_type; 1140 1141 if (src_type == BDADDR_BREDR) { 1142 if (!lmp_bredr_capable(d)) 1143 continue; 1144 bacpy(&id_addr, &d->bdaddr); 1145 id_addr_type = BDADDR_BREDR; 1146 } else { 1147 if (!lmp_le_capable(d)) 1148 continue; 1149 1150 hci_copy_identity_address(d, &id_addr, 1151 &id_addr_type); 1152 1153 /* Convert from HCI to three-value type */ 1154 if (id_addr_type == ADDR_LE_DEV_PUBLIC) 1155 id_addr_type = BDADDR_LE_PUBLIC; 1156 else 1157 id_addr_type = BDADDR_LE_RANDOM; 1158 } 1159 1160 if (!bacmp(&id_addr, src) && id_addr_type == src_type) { 1161 hdev = d; break; 1162 } 1163 } else { 1164 if (bacmp(&d->bdaddr, dst)) { 1165 hdev = d; break; 1166 } 1167 } 1168 } 1169 1170 if (hdev) 1171 hdev = hci_dev_hold(hdev); 1172 1173 read_unlock(&hci_dev_list_lock); 1174 return hdev; 1175 } 1176 EXPORT_SYMBOL(hci_get_route); 1177 1178 /* This function requires the caller holds hdev->lock */ 1179 static void hci_le_conn_failed(struct hci_conn *conn, u8 status) 1180 { 1181 struct hci_dev *hdev = conn->hdev; 1182 struct hci_conn_params *params; 1183 1184 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst, 1185 conn->dst_type); 1186 if (params && params->conn) { 1187 hci_conn_drop(params->conn); 1188 hci_conn_put(params->conn); 1189 params->conn = NULL; 1190 } 1191 1192 /* If the status indicates successful cancellation of 1193 * the attempt (i.e. Unknown Connection Id) there's no point of 1194 * notifying failure since we'll go back to keep trying to 1195 * connect. The only exception is explicit connect requests 1196 * where a timeout + cancel does indicate an actual failure. 1197 */ 1198 if (status != HCI_ERROR_UNKNOWN_CONN_ID || 1199 (params && params->explicit_connect)) 1200 mgmt_connect_failed(hdev, &conn->dst, conn->type, 1201 conn->dst_type, status); 1202 1203 /* Since we may have temporarily stopped the background scanning in 1204 * favor of connection establishment, we should restart it. 1205 */ 1206 hci_update_passive_scan(hdev); 1207 1208 /* Enable advertising in case this was a failed connection 1209 * attempt as a peripheral. 1210 */ 1211 hci_enable_advertising(hdev); 1212 } 1213 1214 /* This function requires the caller holds hdev->lock */ 1215 void hci_conn_failed(struct hci_conn *conn, u8 status) 1216 { 1217 struct hci_dev *hdev = conn->hdev; 1218 1219 bt_dev_dbg(hdev, "status 0x%2.2x", status); 1220 1221 switch (conn->type) { 1222 case LE_LINK: 1223 hci_le_conn_failed(conn, status); 1224 break; 1225 case ACL_LINK: 1226 mgmt_connect_failed(hdev, &conn->dst, conn->type, 1227 conn->dst_type, status); 1228 break; 1229 } 1230 1231 conn->state = BT_CLOSED; 1232 hci_connect_cfm(conn, status); 1233 hci_conn_del(conn); 1234 } 1235 1236 static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err) 1237 { 1238 struct hci_conn *conn = data; 1239 1240 hci_dev_lock(hdev); 1241 1242 if (!err) { 1243 hci_connect_le_scan_cleanup(conn); 1244 goto done; 1245 } 1246 1247 bt_dev_err(hdev, "request failed to create LE connection: err %d", err); 1248 1249 /* Check if connection is still pending */ 1250 if (conn != hci_lookup_le_connect(hdev)) 1251 goto done; 1252 1253 /* Flush to make sure we send create conn cancel command if needed */ 1254 flush_delayed_work(&conn->le_conn_timeout); 1255 hci_conn_failed(conn, bt_status(err)); 1256 1257 done: 1258 hci_dev_unlock(hdev); 1259 } 1260 1261 static int hci_connect_le_sync(struct hci_dev *hdev, void *data) 1262 { 1263 struct hci_conn *conn = data; 1264 1265 bt_dev_dbg(hdev, "conn %p", conn); 1266 1267 return hci_le_create_conn_sync(hdev, conn); 1268 } 1269 1270 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst, 1271 u8 dst_type, bool dst_resolved, u8 sec_level, 1272 u16 conn_timeout, u8 role) 1273 { 1274 struct hci_conn *conn; 1275 struct smp_irk *irk; 1276 int err; 1277 1278 /* Let's make sure that le is enabled.*/ 1279 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1280 if (lmp_le_capable(hdev)) 1281 return ERR_PTR(-ECONNREFUSED); 1282 1283 return ERR_PTR(-EOPNOTSUPP); 1284 } 1285 1286 /* Since the controller supports only one LE connection attempt at a 1287 * time, we return -EBUSY if there is any connection attempt running. 1288 */ 1289 if (hci_lookup_le_connect(hdev)) 1290 return ERR_PTR(-EBUSY); 1291 1292 /* If there's already a connection object but it's not in 1293 * scanning state it means it must already be established, in 1294 * which case we can't do anything else except report a failure 1295 * to connect. 1296 */ 1297 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type); 1298 if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) { 1299 return ERR_PTR(-EBUSY); 1300 } 1301 1302 /* Check if the destination address has been resolved by the controller 1303 * since if it did then the identity address shall be used. 1304 */ 1305 if (!dst_resolved) { 1306 /* When given an identity address with existing identity 1307 * resolving key, the connection needs to be established 1308 * to a resolvable random address. 1309 * 1310 * Storing the resolvable random address is required here 1311 * to handle connection failures. The address will later 1312 * be resolved back into the original identity address 1313 * from the connect request. 1314 */ 1315 irk = hci_find_irk_by_addr(hdev, dst, dst_type); 1316 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) { 1317 dst = &irk->rpa; 1318 dst_type = ADDR_LE_DEV_RANDOM; 1319 } 1320 } 1321 1322 if (conn) { 1323 bacpy(&conn->dst, dst); 1324 } else { 1325 conn = hci_conn_add(hdev, LE_LINK, dst, role); 1326 if (!conn) 1327 return ERR_PTR(-ENOMEM); 1328 hci_conn_hold(conn); 1329 conn->pending_sec_level = sec_level; 1330 } 1331 1332 conn->dst_type = dst_type; 1333 conn->sec_level = BT_SECURITY_LOW; 1334 conn->conn_timeout = conn_timeout; 1335 1336 conn->state = BT_CONNECT; 1337 clear_bit(HCI_CONN_SCANNING, &conn->flags); 1338 1339 err = hci_cmd_sync_queue(hdev, hci_connect_le_sync, conn, 1340 create_le_conn_complete); 1341 if (err) { 1342 hci_conn_del(conn); 1343 return ERR_PTR(err); 1344 } 1345 1346 return conn; 1347 } 1348 1349 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type) 1350 { 1351 struct hci_conn *conn; 1352 1353 conn = hci_conn_hash_lookup_le(hdev, addr, type); 1354 if (!conn) 1355 return false; 1356 1357 if (conn->state != BT_CONNECTED) 1358 return false; 1359 1360 return true; 1361 } 1362 1363 /* This function requires the caller holds hdev->lock */ 1364 static int hci_explicit_conn_params_set(struct hci_dev *hdev, 1365 bdaddr_t *addr, u8 addr_type) 1366 { 1367 struct hci_conn_params *params; 1368 1369 if (is_connected(hdev, addr, addr_type)) 1370 return -EISCONN; 1371 1372 params = hci_conn_params_lookup(hdev, addr, addr_type); 1373 if (!params) { 1374 params = hci_conn_params_add(hdev, addr, addr_type); 1375 if (!params) 1376 return -ENOMEM; 1377 1378 /* If we created new params, mark them to be deleted in 1379 * hci_connect_le_scan_cleanup. It's different case than 1380 * existing disabled params, those will stay after cleanup. 1381 */ 1382 params->auto_connect = HCI_AUTO_CONN_EXPLICIT; 1383 } 1384 1385 /* We're trying to connect, so make sure params are at pend_le_conns */ 1386 if (params->auto_connect == HCI_AUTO_CONN_DISABLED || 1387 params->auto_connect == HCI_AUTO_CONN_REPORT || 1388 params->auto_connect == HCI_AUTO_CONN_EXPLICIT) { 1389 list_del_init(¶ms->action); 1390 list_add(¶ms->action, &hdev->pend_le_conns); 1391 } 1392 1393 params->explicit_connect = true; 1394 1395 BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type, 1396 params->auto_connect); 1397 1398 return 0; 1399 } 1400 1401 static int qos_set_big(struct hci_dev *hdev, struct bt_iso_qos *qos) 1402 { 1403 struct iso_list_data data; 1404 1405 /* Allocate a BIG if not set */ 1406 if (qos->big == BT_ISO_QOS_BIG_UNSET) { 1407 for (data.big = 0x00; data.big < 0xef; data.big++) { 1408 data.count = 0; 1409 data.bis = 0xff; 1410 1411 hci_conn_hash_list_state(hdev, bis_list, ISO_LINK, 1412 BT_BOUND, &data); 1413 if (!data.count) 1414 break; 1415 } 1416 1417 if (data.big == 0xef) 1418 return -EADDRNOTAVAIL; 1419 1420 /* Update BIG */ 1421 qos->big = data.big; 1422 } 1423 1424 return 0; 1425 } 1426 1427 static int qos_set_bis(struct hci_dev *hdev, struct bt_iso_qos *qos) 1428 { 1429 struct iso_list_data data; 1430 1431 /* Allocate BIS if not set */ 1432 if (qos->bis == BT_ISO_QOS_BIS_UNSET) { 1433 /* Find an unused adv set to advertise BIS, skip instance 0x00 1434 * since it is reserved as general purpose set. 1435 */ 1436 for (data.bis = 0x01; data.bis < hdev->le_num_of_adv_sets; 1437 data.bis++) { 1438 data.count = 0; 1439 1440 hci_conn_hash_list_state(hdev, bis_list, ISO_LINK, 1441 BT_BOUND, &data); 1442 if (!data.count) 1443 break; 1444 } 1445 1446 if (data.bis == hdev->le_num_of_adv_sets) 1447 return -EADDRNOTAVAIL; 1448 1449 /* Update BIS */ 1450 qos->bis = data.bis; 1451 } 1452 1453 return 0; 1454 } 1455 1456 /* This function requires the caller holds hdev->lock */ 1457 static struct hci_conn *hci_add_bis(struct hci_dev *hdev, bdaddr_t *dst, 1458 struct bt_iso_qos *qos) 1459 { 1460 struct hci_conn *conn; 1461 struct iso_list_data data; 1462 int err; 1463 1464 /* Let's make sure that le is enabled.*/ 1465 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1466 if (lmp_le_capable(hdev)) 1467 return ERR_PTR(-ECONNREFUSED); 1468 return ERR_PTR(-EOPNOTSUPP); 1469 } 1470 1471 err = qos_set_big(hdev, qos); 1472 if (err) 1473 return ERR_PTR(err); 1474 1475 err = qos_set_bis(hdev, qos); 1476 if (err) 1477 return ERR_PTR(err); 1478 1479 data.big = qos->big; 1480 data.bis = qos->bis; 1481 data.count = 0; 1482 1483 /* Check if there is already a matching BIG/BIS */ 1484 hci_conn_hash_list_state(hdev, bis_list, ISO_LINK, BT_BOUND, &data); 1485 if (data.count) 1486 return ERR_PTR(-EADDRINUSE); 1487 1488 conn = hci_conn_hash_lookup_bis(hdev, dst, qos->big, qos->bis); 1489 if (conn) 1490 return ERR_PTR(-EADDRINUSE); 1491 1492 conn = hci_conn_add(hdev, ISO_LINK, dst, HCI_ROLE_MASTER); 1493 if (!conn) 1494 return ERR_PTR(-ENOMEM); 1495 1496 set_bit(HCI_CONN_PER_ADV, &conn->flags); 1497 conn->state = BT_CONNECT; 1498 1499 hci_conn_hold(conn); 1500 return conn; 1501 } 1502 1503 /* This function requires the caller holds hdev->lock */ 1504 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst, 1505 u8 dst_type, u8 sec_level, 1506 u16 conn_timeout, 1507 enum conn_reasons conn_reason) 1508 { 1509 struct hci_conn *conn; 1510 1511 /* Let's make sure that le is enabled.*/ 1512 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1513 if (lmp_le_capable(hdev)) 1514 return ERR_PTR(-ECONNREFUSED); 1515 1516 return ERR_PTR(-EOPNOTSUPP); 1517 } 1518 1519 /* Some devices send ATT messages as soon as the physical link is 1520 * established. To be able to handle these ATT messages, the user- 1521 * space first establishes the connection and then starts the pairing 1522 * process. 1523 * 1524 * So if a hci_conn object already exists for the following connection 1525 * attempt, we simply update pending_sec_level and auth_type fields 1526 * and return the object found. 1527 */ 1528 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type); 1529 if (conn) { 1530 if (conn->pending_sec_level < sec_level) 1531 conn->pending_sec_level = sec_level; 1532 goto done; 1533 } 1534 1535 BT_DBG("requesting refresh of dst_addr"); 1536 1537 conn = hci_conn_add(hdev, LE_LINK, dst, HCI_ROLE_MASTER); 1538 if (!conn) 1539 return ERR_PTR(-ENOMEM); 1540 1541 if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) { 1542 hci_conn_del(conn); 1543 return ERR_PTR(-EBUSY); 1544 } 1545 1546 conn->state = BT_CONNECT; 1547 set_bit(HCI_CONN_SCANNING, &conn->flags); 1548 conn->dst_type = dst_type; 1549 conn->sec_level = BT_SECURITY_LOW; 1550 conn->pending_sec_level = sec_level; 1551 conn->conn_timeout = conn_timeout; 1552 conn->conn_reason = conn_reason; 1553 1554 hci_update_passive_scan(hdev); 1555 1556 done: 1557 hci_conn_hold(conn); 1558 return conn; 1559 } 1560 1561 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst, 1562 u8 sec_level, u8 auth_type, 1563 enum conn_reasons conn_reason) 1564 { 1565 struct hci_conn *acl; 1566 1567 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) { 1568 if (lmp_bredr_capable(hdev)) 1569 return ERR_PTR(-ECONNREFUSED); 1570 1571 return ERR_PTR(-EOPNOTSUPP); 1572 } 1573 1574 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst); 1575 if (!acl) { 1576 acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER); 1577 if (!acl) 1578 return ERR_PTR(-ENOMEM); 1579 } 1580 1581 hci_conn_hold(acl); 1582 1583 acl->conn_reason = conn_reason; 1584 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) { 1585 acl->sec_level = BT_SECURITY_LOW; 1586 acl->pending_sec_level = sec_level; 1587 acl->auth_type = auth_type; 1588 hci_acl_create_connection(acl); 1589 } 1590 1591 return acl; 1592 } 1593 1594 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst, 1595 __u16 setting, struct bt_codec *codec) 1596 { 1597 struct hci_conn *acl; 1598 struct hci_conn *sco; 1599 1600 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING, 1601 CONN_REASON_SCO_CONNECT); 1602 if (IS_ERR(acl)) 1603 return acl; 1604 1605 sco = hci_conn_hash_lookup_ba(hdev, type, dst); 1606 if (!sco) { 1607 sco = hci_conn_add(hdev, type, dst, HCI_ROLE_MASTER); 1608 if (!sco) { 1609 hci_conn_drop(acl); 1610 return ERR_PTR(-ENOMEM); 1611 } 1612 } 1613 1614 acl->link = sco; 1615 sco->link = acl; 1616 1617 hci_conn_hold(sco); 1618 1619 sco->setting = setting; 1620 sco->codec = *codec; 1621 1622 if (acl->state == BT_CONNECTED && 1623 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) { 1624 set_bit(HCI_CONN_POWER_SAVE, &acl->flags); 1625 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON); 1626 1627 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) { 1628 /* defer SCO setup until mode change completed */ 1629 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags); 1630 return sco; 1631 } 1632 1633 hci_sco_setup(acl, 0x00); 1634 } 1635 1636 return sco; 1637 } 1638 1639 static void cis_add(struct iso_list_data *d, struct bt_iso_qos *qos) 1640 { 1641 struct hci_cis_params *cis = &d->pdu.cis[d->pdu.cp.num_cis]; 1642 1643 cis->cis_id = qos->cis; 1644 cis->c_sdu = cpu_to_le16(qos->out.sdu); 1645 cis->p_sdu = cpu_to_le16(qos->in.sdu); 1646 cis->c_phy = qos->out.phy ? qos->out.phy : qos->in.phy; 1647 cis->p_phy = qos->in.phy ? qos->in.phy : qos->out.phy; 1648 cis->c_rtn = qos->out.rtn; 1649 cis->p_rtn = qos->in.rtn; 1650 1651 d->pdu.cp.num_cis++; 1652 } 1653 1654 static void cis_list(struct hci_conn *conn, void *data) 1655 { 1656 struct iso_list_data *d = data; 1657 1658 /* Skip if broadcast/ANY address */ 1659 if (!bacmp(&conn->dst, BDADDR_ANY)) 1660 return; 1661 1662 if (d->cig != conn->iso_qos.cig || d->cis == BT_ISO_QOS_CIS_UNSET || 1663 d->cis != conn->iso_qos.cis) 1664 return; 1665 1666 d->count++; 1667 1668 if (d->pdu.cp.cig_id == BT_ISO_QOS_CIG_UNSET || 1669 d->count >= ARRAY_SIZE(d->pdu.cis)) 1670 return; 1671 1672 cis_add(d, &conn->iso_qos); 1673 } 1674 1675 static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos) 1676 { 1677 struct hci_dev *hdev = conn->hdev; 1678 struct hci_cp_le_create_big cp; 1679 1680 memset(&cp, 0, sizeof(cp)); 1681 1682 cp.handle = qos->big; 1683 cp.adv_handle = qos->bis; 1684 cp.num_bis = 0x01; 1685 hci_cpu_to_le24(qos->out.interval, cp.bis.sdu_interval); 1686 cp.bis.sdu = cpu_to_le16(qos->out.sdu); 1687 cp.bis.latency = cpu_to_le16(qos->out.latency); 1688 cp.bis.rtn = qos->out.rtn; 1689 cp.bis.phy = qos->out.phy; 1690 cp.bis.packing = qos->packing; 1691 cp.bis.framing = qos->framing; 1692 cp.bis.encryption = 0x00; 1693 memset(&cp.bis.bcode, 0, sizeof(cp.bis.bcode)); 1694 1695 return hci_send_cmd(hdev, HCI_OP_LE_CREATE_BIG, sizeof(cp), &cp); 1696 } 1697 1698 static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos) 1699 { 1700 struct hci_dev *hdev = conn->hdev; 1701 struct iso_list_data data; 1702 1703 memset(&data, 0, sizeof(data)); 1704 1705 /* Allocate a CIG if not set */ 1706 if (qos->cig == BT_ISO_QOS_CIG_UNSET) { 1707 for (data.cig = 0x00; data.cig < 0xff; data.cig++) { 1708 data.count = 0; 1709 data.cis = 0xff; 1710 1711 hci_conn_hash_list_state(hdev, cis_list, ISO_LINK, 1712 BT_BOUND, &data); 1713 if (data.count) 1714 continue; 1715 1716 hci_conn_hash_list_state(hdev, cis_list, ISO_LINK, 1717 BT_CONNECTED, &data); 1718 if (!data.count) 1719 break; 1720 } 1721 1722 if (data.cig == 0xff) 1723 return false; 1724 1725 /* Update CIG */ 1726 qos->cig = data.cig; 1727 } 1728 1729 data.pdu.cp.cig_id = qos->cig; 1730 hci_cpu_to_le24(qos->out.interval, data.pdu.cp.c_interval); 1731 hci_cpu_to_le24(qos->in.interval, data.pdu.cp.p_interval); 1732 data.pdu.cp.sca = qos->sca; 1733 data.pdu.cp.packing = qos->packing; 1734 data.pdu.cp.framing = qos->framing; 1735 data.pdu.cp.c_latency = cpu_to_le16(qos->out.latency); 1736 data.pdu.cp.p_latency = cpu_to_le16(qos->in.latency); 1737 1738 if (qos->cis != BT_ISO_QOS_CIS_UNSET) { 1739 data.count = 0; 1740 data.cig = qos->cig; 1741 data.cis = qos->cis; 1742 1743 hci_conn_hash_list_state(hdev, cis_list, ISO_LINK, BT_BOUND, 1744 &data); 1745 if (data.count) 1746 return false; 1747 1748 cis_add(&data, qos); 1749 } 1750 1751 /* Reprogram all CIS(s) with the same CIG */ 1752 for (data.cig = qos->cig, data.cis = 0x00; data.cis < 0x11; 1753 data.cis++) { 1754 data.count = 0; 1755 1756 hci_conn_hash_list_state(hdev, cis_list, ISO_LINK, BT_BOUND, 1757 &data); 1758 if (data.count) 1759 continue; 1760 1761 /* Allocate a CIS if not set */ 1762 if (qos->cis == BT_ISO_QOS_CIS_UNSET) { 1763 /* Update CIS */ 1764 qos->cis = data.cis; 1765 cis_add(&data, qos); 1766 } 1767 } 1768 1769 if (qos->cis == BT_ISO_QOS_CIS_UNSET || !data.pdu.cp.num_cis) 1770 return false; 1771 1772 if (hci_send_cmd(hdev, HCI_OP_LE_SET_CIG_PARAMS, 1773 sizeof(data.pdu.cp) + 1774 (data.pdu.cp.num_cis * sizeof(*data.pdu.cis)), 1775 &data.pdu) < 0) 1776 return false; 1777 1778 return true; 1779 } 1780 1781 struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst, 1782 __u8 dst_type, struct bt_iso_qos *qos) 1783 { 1784 struct hci_conn *cis; 1785 1786 cis = hci_conn_hash_lookup_cis(hdev, dst, dst_type); 1787 if (!cis) { 1788 cis = hci_conn_add(hdev, ISO_LINK, dst, HCI_ROLE_MASTER); 1789 if (!cis) 1790 return ERR_PTR(-ENOMEM); 1791 cis->cleanup = cis_cleanup; 1792 cis->dst_type = dst_type; 1793 } 1794 1795 if (cis->state == BT_CONNECTED) 1796 return cis; 1797 1798 /* Check if CIS has been set and the settings matches */ 1799 if (cis->state == BT_BOUND && 1800 !memcmp(&cis->iso_qos, qos, sizeof(*qos))) 1801 return cis; 1802 1803 /* Update LINK PHYs according to QoS preference */ 1804 cis->le_tx_phy = qos->out.phy; 1805 cis->le_rx_phy = qos->in.phy; 1806 1807 /* If output interval is not set use the input interval as it cannot be 1808 * 0x000000. 1809 */ 1810 if (!qos->out.interval) 1811 qos->out.interval = qos->in.interval; 1812 1813 /* If input interval is not set use the output interval as it cannot be 1814 * 0x000000. 1815 */ 1816 if (!qos->in.interval) 1817 qos->in.interval = qos->out.interval; 1818 1819 /* If output latency is not set use the input latency as it cannot be 1820 * 0x0000. 1821 */ 1822 if (!qos->out.latency) 1823 qos->out.latency = qos->in.latency; 1824 1825 /* If input latency is not set use the output latency as it cannot be 1826 * 0x0000. 1827 */ 1828 if (!qos->in.latency) 1829 qos->in.latency = qos->out.latency; 1830 1831 if (!hci_le_set_cig_params(cis, qos)) { 1832 hci_conn_drop(cis); 1833 return ERR_PTR(-EINVAL); 1834 } 1835 1836 cis->iso_qos = *qos; 1837 cis->state = BT_BOUND; 1838 1839 return cis; 1840 } 1841 1842 bool hci_iso_setup_path(struct hci_conn *conn) 1843 { 1844 struct hci_dev *hdev = conn->hdev; 1845 struct hci_cp_le_setup_iso_path cmd; 1846 1847 memset(&cmd, 0, sizeof(cmd)); 1848 1849 if (conn->iso_qos.out.sdu) { 1850 cmd.handle = cpu_to_le16(conn->handle); 1851 cmd.direction = 0x00; /* Input (Host to Controller) */ 1852 cmd.path = 0x00; /* HCI path if enabled */ 1853 cmd.codec = 0x03; /* Transparent Data */ 1854 1855 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd), 1856 &cmd) < 0) 1857 return false; 1858 } 1859 1860 if (conn->iso_qos.in.sdu) { 1861 cmd.handle = cpu_to_le16(conn->handle); 1862 cmd.direction = 0x01; /* Output (Controller to Host) */ 1863 cmd.path = 0x00; /* HCI path if enabled */ 1864 cmd.codec = 0x03; /* Transparent Data */ 1865 1866 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd), 1867 &cmd) < 0) 1868 return false; 1869 } 1870 1871 return true; 1872 } 1873 1874 static int hci_create_cis_sync(struct hci_dev *hdev, void *data) 1875 { 1876 struct { 1877 struct hci_cp_le_create_cis cp; 1878 struct hci_cis cis[0x1f]; 1879 } cmd; 1880 struct hci_conn *conn = data; 1881 u8 cig; 1882 1883 memset(&cmd, 0, sizeof(cmd)); 1884 cmd.cis[0].acl_handle = cpu_to_le16(conn->link->handle); 1885 cmd.cis[0].cis_handle = cpu_to_le16(conn->handle); 1886 cmd.cp.num_cis++; 1887 cig = conn->iso_qos.cig; 1888 1889 hci_dev_lock(hdev); 1890 1891 rcu_read_lock(); 1892 1893 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) { 1894 struct hci_cis *cis = &cmd.cis[cmd.cp.num_cis]; 1895 1896 if (conn == data || conn->type != ISO_LINK || 1897 conn->state == BT_CONNECTED || conn->iso_qos.cig != cig) 1898 continue; 1899 1900 /* Check if all CIS(s) belonging to a CIG are ready */ 1901 if (!conn->link || conn->link->state != BT_CONNECTED || 1902 conn->state != BT_CONNECT) { 1903 cmd.cp.num_cis = 0; 1904 break; 1905 } 1906 1907 /* Group all CIS with state BT_CONNECT since the spec don't 1908 * allow to send them individually: 1909 * 1910 * BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E 1911 * page 2566: 1912 * 1913 * If the Host issues this command before all the 1914 * HCI_LE_CIS_Established events from the previous use of the 1915 * command have been generated, the Controller shall return the 1916 * error code Command Disallowed (0x0C). 1917 */ 1918 cis->acl_handle = cpu_to_le16(conn->link->handle); 1919 cis->cis_handle = cpu_to_le16(conn->handle); 1920 cmd.cp.num_cis++; 1921 } 1922 1923 rcu_read_unlock(); 1924 1925 hci_dev_unlock(hdev); 1926 1927 if (!cmd.cp.num_cis) 1928 return 0; 1929 1930 return hci_send_cmd(hdev, HCI_OP_LE_CREATE_CIS, sizeof(cmd.cp) + 1931 sizeof(cmd.cis[0]) * cmd.cp.num_cis, &cmd); 1932 } 1933 1934 int hci_le_create_cis(struct hci_conn *conn) 1935 { 1936 struct hci_conn *cis; 1937 struct hci_dev *hdev = conn->hdev; 1938 int err; 1939 1940 switch (conn->type) { 1941 case LE_LINK: 1942 if (!conn->link || conn->state != BT_CONNECTED) 1943 return -EINVAL; 1944 cis = conn->link; 1945 break; 1946 case ISO_LINK: 1947 cis = conn; 1948 break; 1949 default: 1950 return -EINVAL; 1951 } 1952 1953 if (cis->state == BT_CONNECT) 1954 return 0; 1955 1956 /* Queue Create CIS */ 1957 err = hci_cmd_sync_queue(hdev, hci_create_cis_sync, cis, NULL); 1958 if (err) 1959 return err; 1960 1961 cis->state = BT_CONNECT; 1962 1963 return 0; 1964 } 1965 1966 static void hci_iso_qos_setup(struct hci_dev *hdev, struct hci_conn *conn, 1967 struct bt_iso_io_qos *qos, __u8 phy) 1968 { 1969 /* Only set MTU if PHY is enabled */ 1970 if (!qos->sdu && qos->phy) { 1971 if (hdev->iso_mtu > 0) 1972 qos->sdu = hdev->iso_mtu; 1973 else if (hdev->le_mtu > 0) 1974 qos->sdu = hdev->le_mtu; 1975 else 1976 qos->sdu = hdev->acl_mtu; 1977 } 1978 1979 /* Use the same PHY as ACL if set to any */ 1980 if (qos->phy == BT_ISO_PHY_ANY) 1981 qos->phy = phy; 1982 1983 /* Use LE ACL connection interval if not set */ 1984 if (!qos->interval) 1985 /* ACL interval unit in 1.25 ms to us */ 1986 qos->interval = conn->le_conn_interval * 1250; 1987 1988 /* Use LE ACL connection latency if not set */ 1989 if (!qos->latency) 1990 qos->latency = conn->le_conn_latency; 1991 } 1992 1993 static void hci_bind_bis(struct hci_conn *conn, 1994 struct bt_iso_qos *qos) 1995 { 1996 /* Update LINK PHYs according to QoS preference */ 1997 conn->le_tx_phy = qos->out.phy; 1998 conn->le_tx_phy = qos->out.phy; 1999 conn->iso_qos = *qos; 2000 conn->state = BT_BOUND; 2001 } 2002 2003 static int create_big_sync(struct hci_dev *hdev, void *data) 2004 { 2005 struct hci_conn *conn = data; 2006 struct bt_iso_qos *qos = &conn->iso_qos; 2007 u16 interval, sync_interval = 0; 2008 u32 flags = 0; 2009 int err; 2010 2011 if (qos->out.phy == 0x02) 2012 flags |= MGMT_ADV_FLAG_SEC_2M; 2013 2014 /* Align intervals */ 2015 interval = qos->out.interval / 1250; 2016 2017 if (qos->bis) 2018 sync_interval = qos->sync_interval * 1600; 2019 2020 err = hci_start_per_adv_sync(hdev, qos->bis, conn->le_per_adv_data_len, 2021 conn->le_per_adv_data, flags, interval, 2022 interval, sync_interval); 2023 if (err) 2024 return err; 2025 2026 return hci_le_create_big(conn, &conn->iso_qos); 2027 } 2028 2029 static void create_pa_complete(struct hci_dev *hdev, void *data, int err) 2030 { 2031 struct hci_cp_le_pa_create_sync *cp = data; 2032 2033 bt_dev_dbg(hdev, ""); 2034 2035 if (err) 2036 bt_dev_err(hdev, "Unable to create PA: %d", err); 2037 2038 kfree(cp); 2039 } 2040 2041 static int create_pa_sync(struct hci_dev *hdev, void *data) 2042 { 2043 struct hci_cp_le_pa_create_sync *cp = data; 2044 int err; 2045 2046 err = __hci_cmd_sync_status(hdev, HCI_OP_LE_PA_CREATE_SYNC, 2047 sizeof(*cp), cp, HCI_CMD_TIMEOUT); 2048 if (err) { 2049 hci_dev_clear_flag(hdev, HCI_PA_SYNC); 2050 return err; 2051 } 2052 2053 return hci_update_passive_scan_sync(hdev); 2054 } 2055 2056 int hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst, __u8 dst_type, 2057 __u8 sid) 2058 { 2059 struct hci_cp_le_pa_create_sync *cp; 2060 2061 if (hci_dev_test_and_set_flag(hdev, HCI_PA_SYNC)) 2062 return -EBUSY; 2063 2064 cp = kzalloc(sizeof(*cp), GFP_KERNEL); 2065 if (!cp) { 2066 hci_dev_clear_flag(hdev, HCI_PA_SYNC); 2067 return -ENOMEM; 2068 } 2069 2070 cp->sid = sid; 2071 cp->addr_type = dst_type; 2072 bacpy(&cp->addr, dst); 2073 2074 /* Queue start pa_create_sync and scan */ 2075 return hci_cmd_sync_queue(hdev, create_pa_sync, cp, create_pa_complete); 2076 } 2077 2078 int hci_le_big_create_sync(struct hci_dev *hdev, struct bt_iso_qos *qos, 2079 __u16 sync_handle, __u8 num_bis, __u8 bis[]) 2080 { 2081 struct _packed { 2082 struct hci_cp_le_big_create_sync cp; 2083 __u8 bis[0x11]; 2084 } pdu; 2085 int err; 2086 2087 if (num_bis > sizeof(pdu.bis)) 2088 return -EINVAL; 2089 2090 err = qos_set_big(hdev, qos); 2091 if (err) 2092 return err; 2093 2094 memset(&pdu, 0, sizeof(pdu)); 2095 pdu.cp.handle = qos->big; 2096 pdu.cp.sync_handle = cpu_to_le16(sync_handle); 2097 pdu.cp.num_bis = num_bis; 2098 memcpy(pdu.bis, bis, num_bis); 2099 2100 return hci_send_cmd(hdev, HCI_OP_LE_BIG_CREATE_SYNC, 2101 sizeof(pdu.cp) + num_bis, &pdu); 2102 } 2103 2104 static void create_big_complete(struct hci_dev *hdev, void *data, int err) 2105 { 2106 struct hci_conn *conn = data; 2107 2108 bt_dev_dbg(hdev, "conn %p", conn); 2109 2110 if (err) { 2111 bt_dev_err(hdev, "Unable to create BIG: %d", err); 2112 hci_connect_cfm(conn, err); 2113 hci_conn_del(conn); 2114 } 2115 } 2116 2117 struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst, 2118 __u8 dst_type, struct bt_iso_qos *qos, 2119 __u8 base_len, __u8 *base) 2120 { 2121 struct hci_conn *conn; 2122 int err; 2123 2124 /* We need hci_conn object using the BDADDR_ANY as dst */ 2125 conn = hci_add_bis(hdev, dst, qos); 2126 if (IS_ERR(conn)) 2127 return conn; 2128 2129 hci_bind_bis(conn, qos); 2130 2131 /* Add Basic Announcement into Peridic Adv Data if BASE is set */ 2132 if (base_len && base) { 2133 base_len = eir_append_service_data(conn->le_per_adv_data, 0, 2134 0x1851, base, base_len); 2135 conn->le_per_adv_data_len = base_len; 2136 } 2137 2138 /* Queue start periodic advertising and create BIG */ 2139 err = hci_cmd_sync_queue(hdev, create_big_sync, conn, 2140 create_big_complete); 2141 if (err < 0) { 2142 hci_conn_drop(conn); 2143 return ERR_PTR(err); 2144 } 2145 2146 hci_iso_qos_setup(hdev, conn, &qos->out, 2147 conn->le_tx_phy ? conn->le_tx_phy : 2148 hdev->le_tx_def_phys); 2149 2150 return conn; 2151 } 2152 2153 struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst, 2154 __u8 dst_type, struct bt_iso_qos *qos) 2155 { 2156 struct hci_conn *le; 2157 struct hci_conn *cis; 2158 2159 if (hci_dev_test_flag(hdev, HCI_ADVERTISING)) 2160 le = hci_connect_le(hdev, dst, dst_type, false, 2161 BT_SECURITY_LOW, 2162 HCI_LE_CONN_TIMEOUT, 2163 HCI_ROLE_SLAVE); 2164 else 2165 le = hci_connect_le_scan(hdev, dst, dst_type, 2166 BT_SECURITY_LOW, 2167 HCI_LE_CONN_TIMEOUT, 2168 CONN_REASON_ISO_CONNECT); 2169 if (IS_ERR(le)) 2170 return le; 2171 2172 hci_iso_qos_setup(hdev, le, &qos->out, 2173 le->le_tx_phy ? le->le_tx_phy : hdev->le_tx_def_phys); 2174 hci_iso_qos_setup(hdev, le, &qos->in, 2175 le->le_rx_phy ? le->le_rx_phy : hdev->le_rx_def_phys); 2176 2177 cis = hci_bind_cis(hdev, dst, dst_type, qos); 2178 if (IS_ERR(cis)) { 2179 hci_conn_drop(le); 2180 return cis; 2181 } 2182 2183 le->link = cis; 2184 cis->link = le; 2185 2186 hci_conn_hold(cis); 2187 2188 /* If LE is already connected and CIS handle is already set proceed to 2189 * Create CIS immediately. 2190 */ 2191 if (le->state == BT_CONNECTED && cis->handle != HCI_CONN_HANDLE_UNSET) 2192 hci_le_create_cis(le); 2193 2194 return cis; 2195 } 2196 2197 /* Check link security requirement */ 2198 int hci_conn_check_link_mode(struct hci_conn *conn) 2199 { 2200 BT_DBG("hcon %p", conn); 2201 2202 /* In Secure Connections Only mode, it is required that Secure 2203 * Connections is used and the link is encrypted with AES-CCM 2204 * using a P-256 authenticated combination key. 2205 */ 2206 if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) { 2207 if (!hci_conn_sc_enabled(conn) || 2208 !test_bit(HCI_CONN_AES_CCM, &conn->flags) || 2209 conn->key_type != HCI_LK_AUTH_COMBINATION_P256) 2210 return 0; 2211 } 2212 2213 /* AES encryption is required for Level 4: 2214 * 2215 * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C 2216 * page 1319: 2217 * 2218 * 128-bit equivalent strength for link and encryption keys 2219 * required using FIPS approved algorithms (E0 not allowed, 2220 * SAFER+ not allowed, and P-192 not allowed; encryption key 2221 * not shortened) 2222 */ 2223 if (conn->sec_level == BT_SECURITY_FIPS && 2224 !test_bit(HCI_CONN_AES_CCM, &conn->flags)) { 2225 bt_dev_err(conn->hdev, 2226 "Invalid security: Missing AES-CCM usage"); 2227 return 0; 2228 } 2229 2230 if (hci_conn_ssp_enabled(conn) && 2231 !test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2232 return 0; 2233 2234 return 1; 2235 } 2236 2237 /* Authenticate remote device */ 2238 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type) 2239 { 2240 BT_DBG("hcon %p", conn); 2241 2242 if (conn->pending_sec_level > sec_level) 2243 sec_level = conn->pending_sec_level; 2244 2245 if (sec_level > conn->sec_level) 2246 conn->pending_sec_level = sec_level; 2247 else if (test_bit(HCI_CONN_AUTH, &conn->flags)) 2248 return 1; 2249 2250 /* Make sure we preserve an existing MITM requirement*/ 2251 auth_type |= (conn->auth_type & 0x01); 2252 2253 conn->auth_type = auth_type; 2254 2255 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2256 struct hci_cp_auth_requested cp; 2257 2258 cp.handle = cpu_to_le16(conn->handle); 2259 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED, 2260 sizeof(cp), &cp); 2261 2262 /* If we're already encrypted set the REAUTH_PEND flag, 2263 * otherwise set the ENCRYPT_PEND. 2264 */ 2265 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2266 set_bit(HCI_CONN_REAUTH_PEND, &conn->flags); 2267 else 2268 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2269 } 2270 2271 return 0; 2272 } 2273 2274 /* Encrypt the link */ 2275 static void hci_conn_encrypt(struct hci_conn *conn) 2276 { 2277 BT_DBG("hcon %p", conn); 2278 2279 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 2280 struct hci_cp_set_conn_encrypt cp; 2281 cp.handle = cpu_to_le16(conn->handle); 2282 cp.encrypt = 0x01; 2283 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2284 &cp); 2285 } 2286 } 2287 2288 /* Enable security */ 2289 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type, 2290 bool initiator) 2291 { 2292 BT_DBG("hcon %p", conn); 2293 2294 if (conn->type == LE_LINK) 2295 return smp_conn_security(conn, sec_level); 2296 2297 /* For sdp we don't need the link key. */ 2298 if (sec_level == BT_SECURITY_SDP) 2299 return 1; 2300 2301 /* For non 2.1 devices and low security level we don't need the link 2302 key. */ 2303 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn)) 2304 return 1; 2305 2306 /* For other security levels we need the link key. */ 2307 if (!test_bit(HCI_CONN_AUTH, &conn->flags)) 2308 goto auth; 2309 2310 /* An authenticated FIPS approved combination key has sufficient 2311 * security for security level 4. */ 2312 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 && 2313 sec_level == BT_SECURITY_FIPS) 2314 goto encrypt; 2315 2316 /* An authenticated combination key has sufficient security for 2317 security level 3. */ 2318 if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 || 2319 conn->key_type == HCI_LK_AUTH_COMBINATION_P256) && 2320 sec_level == BT_SECURITY_HIGH) 2321 goto encrypt; 2322 2323 /* An unauthenticated combination key has sufficient security for 2324 security level 1 and 2. */ 2325 if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 || 2326 conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) && 2327 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW)) 2328 goto encrypt; 2329 2330 /* A combination key has always sufficient security for the security 2331 levels 1 or 2. High security level requires the combination key 2332 is generated using maximum PIN code length (16). 2333 For pre 2.1 units. */ 2334 if (conn->key_type == HCI_LK_COMBINATION && 2335 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW || 2336 conn->pin_length == 16)) 2337 goto encrypt; 2338 2339 auth: 2340 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) 2341 return 0; 2342 2343 if (initiator) 2344 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2345 2346 if (!hci_conn_auth(conn, sec_level, auth_type)) 2347 return 0; 2348 2349 encrypt: 2350 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) { 2351 /* Ensure that the encryption key size has been read, 2352 * otherwise stall the upper layer responses. 2353 */ 2354 if (!conn->enc_key_size) 2355 return 0; 2356 2357 /* Nothing else needed, all requirements are met */ 2358 return 1; 2359 } 2360 2361 hci_conn_encrypt(conn); 2362 return 0; 2363 } 2364 EXPORT_SYMBOL(hci_conn_security); 2365 2366 /* Check secure link requirement */ 2367 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level) 2368 { 2369 BT_DBG("hcon %p", conn); 2370 2371 /* Accept if non-secure or higher security level is required */ 2372 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS) 2373 return 1; 2374 2375 /* Accept if secure or higher security level is already present */ 2376 if (conn->sec_level == BT_SECURITY_HIGH || 2377 conn->sec_level == BT_SECURITY_FIPS) 2378 return 1; 2379 2380 /* Reject not secure link */ 2381 return 0; 2382 } 2383 EXPORT_SYMBOL(hci_conn_check_secure); 2384 2385 /* Switch role */ 2386 int hci_conn_switch_role(struct hci_conn *conn, __u8 role) 2387 { 2388 BT_DBG("hcon %p", conn); 2389 2390 if (role == conn->role) 2391 return 1; 2392 2393 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) { 2394 struct hci_cp_switch_role cp; 2395 bacpy(&cp.bdaddr, &conn->dst); 2396 cp.role = role; 2397 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp); 2398 } 2399 2400 return 0; 2401 } 2402 EXPORT_SYMBOL(hci_conn_switch_role); 2403 2404 /* Enter active mode */ 2405 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active) 2406 { 2407 struct hci_dev *hdev = conn->hdev; 2408 2409 BT_DBG("hcon %p mode %d", conn, conn->mode); 2410 2411 if (conn->mode != HCI_CM_SNIFF) 2412 goto timer; 2413 2414 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active) 2415 goto timer; 2416 2417 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) { 2418 struct hci_cp_exit_sniff_mode cp; 2419 cp.handle = cpu_to_le16(conn->handle); 2420 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp); 2421 } 2422 2423 timer: 2424 if (hdev->idle_timeout > 0) 2425 queue_delayed_work(hdev->workqueue, &conn->idle_work, 2426 msecs_to_jiffies(hdev->idle_timeout)); 2427 } 2428 2429 /* Drop all connection on the device */ 2430 void hci_conn_hash_flush(struct hci_dev *hdev) 2431 { 2432 struct hci_conn_hash *h = &hdev->conn_hash; 2433 struct hci_conn *c, *n; 2434 2435 BT_DBG("hdev %s", hdev->name); 2436 2437 list_for_each_entry_safe(c, n, &h->list, list) { 2438 c->state = BT_CLOSED; 2439 2440 hci_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM); 2441 hci_conn_del(c); 2442 } 2443 } 2444 2445 /* Check pending connect attempts */ 2446 void hci_conn_check_pending(struct hci_dev *hdev) 2447 { 2448 struct hci_conn *conn; 2449 2450 BT_DBG("hdev %s", hdev->name); 2451 2452 hci_dev_lock(hdev); 2453 2454 conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2); 2455 if (conn) 2456 hci_acl_create_connection(conn); 2457 2458 hci_dev_unlock(hdev); 2459 } 2460 2461 static u32 get_link_mode(struct hci_conn *conn) 2462 { 2463 u32 link_mode = 0; 2464 2465 if (conn->role == HCI_ROLE_MASTER) 2466 link_mode |= HCI_LM_MASTER; 2467 2468 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2469 link_mode |= HCI_LM_ENCRYPT; 2470 2471 if (test_bit(HCI_CONN_AUTH, &conn->flags)) 2472 link_mode |= HCI_LM_AUTH; 2473 2474 if (test_bit(HCI_CONN_SECURE, &conn->flags)) 2475 link_mode |= HCI_LM_SECURE; 2476 2477 if (test_bit(HCI_CONN_FIPS, &conn->flags)) 2478 link_mode |= HCI_LM_FIPS; 2479 2480 return link_mode; 2481 } 2482 2483 int hci_get_conn_list(void __user *arg) 2484 { 2485 struct hci_conn *c; 2486 struct hci_conn_list_req req, *cl; 2487 struct hci_conn_info *ci; 2488 struct hci_dev *hdev; 2489 int n = 0, size, err; 2490 2491 if (copy_from_user(&req, arg, sizeof(req))) 2492 return -EFAULT; 2493 2494 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci)) 2495 return -EINVAL; 2496 2497 size = sizeof(req) + req.conn_num * sizeof(*ci); 2498 2499 cl = kmalloc(size, GFP_KERNEL); 2500 if (!cl) 2501 return -ENOMEM; 2502 2503 hdev = hci_dev_get(req.dev_id); 2504 if (!hdev) { 2505 kfree(cl); 2506 return -ENODEV; 2507 } 2508 2509 ci = cl->conn_info; 2510 2511 hci_dev_lock(hdev); 2512 list_for_each_entry(c, &hdev->conn_hash.list, list) { 2513 bacpy(&(ci + n)->bdaddr, &c->dst); 2514 (ci + n)->handle = c->handle; 2515 (ci + n)->type = c->type; 2516 (ci + n)->out = c->out; 2517 (ci + n)->state = c->state; 2518 (ci + n)->link_mode = get_link_mode(c); 2519 if (++n >= req.conn_num) 2520 break; 2521 } 2522 hci_dev_unlock(hdev); 2523 2524 cl->dev_id = hdev->id; 2525 cl->conn_num = n; 2526 size = sizeof(req) + n * sizeof(*ci); 2527 2528 hci_dev_put(hdev); 2529 2530 err = copy_to_user(arg, cl, size); 2531 kfree(cl); 2532 2533 return err ? -EFAULT : 0; 2534 } 2535 2536 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg) 2537 { 2538 struct hci_conn_info_req req; 2539 struct hci_conn_info ci; 2540 struct hci_conn *conn; 2541 char __user *ptr = arg + sizeof(req); 2542 2543 if (copy_from_user(&req, arg, sizeof(req))) 2544 return -EFAULT; 2545 2546 hci_dev_lock(hdev); 2547 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr); 2548 if (conn) { 2549 bacpy(&ci.bdaddr, &conn->dst); 2550 ci.handle = conn->handle; 2551 ci.type = conn->type; 2552 ci.out = conn->out; 2553 ci.state = conn->state; 2554 ci.link_mode = get_link_mode(conn); 2555 } 2556 hci_dev_unlock(hdev); 2557 2558 if (!conn) 2559 return -ENOENT; 2560 2561 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0; 2562 } 2563 2564 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg) 2565 { 2566 struct hci_auth_info_req req; 2567 struct hci_conn *conn; 2568 2569 if (copy_from_user(&req, arg, sizeof(req))) 2570 return -EFAULT; 2571 2572 hci_dev_lock(hdev); 2573 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr); 2574 if (conn) 2575 req.type = conn->auth_type; 2576 hci_dev_unlock(hdev); 2577 2578 if (!conn) 2579 return -ENOENT; 2580 2581 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0; 2582 } 2583 2584 struct hci_chan *hci_chan_create(struct hci_conn *conn) 2585 { 2586 struct hci_dev *hdev = conn->hdev; 2587 struct hci_chan *chan; 2588 2589 BT_DBG("%s hcon %p", hdev->name, conn); 2590 2591 if (test_bit(HCI_CONN_DROP, &conn->flags)) { 2592 BT_DBG("Refusing to create new hci_chan"); 2593 return NULL; 2594 } 2595 2596 chan = kzalloc(sizeof(*chan), GFP_KERNEL); 2597 if (!chan) 2598 return NULL; 2599 2600 chan->conn = hci_conn_get(conn); 2601 skb_queue_head_init(&chan->data_q); 2602 chan->state = BT_CONNECTED; 2603 2604 list_add_rcu(&chan->list, &conn->chan_list); 2605 2606 return chan; 2607 } 2608 2609 void hci_chan_del(struct hci_chan *chan) 2610 { 2611 struct hci_conn *conn = chan->conn; 2612 struct hci_dev *hdev = conn->hdev; 2613 2614 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan); 2615 2616 list_del_rcu(&chan->list); 2617 2618 synchronize_rcu(); 2619 2620 /* Prevent new hci_chan's to be created for this hci_conn */ 2621 set_bit(HCI_CONN_DROP, &conn->flags); 2622 2623 hci_conn_put(conn); 2624 2625 skb_queue_purge(&chan->data_q); 2626 kfree(chan); 2627 } 2628 2629 void hci_chan_list_flush(struct hci_conn *conn) 2630 { 2631 struct hci_chan *chan, *n; 2632 2633 BT_DBG("hcon %p", conn); 2634 2635 list_for_each_entry_safe(chan, n, &conn->chan_list, list) 2636 hci_chan_del(chan); 2637 } 2638 2639 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon, 2640 __u16 handle) 2641 { 2642 struct hci_chan *hchan; 2643 2644 list_for_each_entry(hchan, &hcon->chan_list, list) { 2645 if (hchan->handle == handle) 2646 return hchan; 2647 } 2648 2649 return NULL; 2650 } 2651 2652 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle) 2653 { 2654 struct hci_conn_hash *h = &hdev->conn_hash; 2655 struct hci_conn *hcon; 2656 struct hci_chan *hchan = NULL; 2657 2658 rcu_read_lock(); 2659 2660 list_for_each_entry_rcu(hcon, &h->list, list) { 2661 hchan = __hci_chan_lookup_handle(hcon, handle); 2662 if (hchan) 2663 break; 2664 } 2665 2666 rcu_read_unlock(); 2667 2668 return hchan; 2669 } 2670 2671 u32 hci_conn_get_phy(struct hci_conn *conn) 2672 { 2673 u32 phys = 0; 2674 2675 /* BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part B page 471: 2676 * Table 6.2: Packets defined for synchronous, asynchronous, and 2677 * CPB logical transport types. 2678 */ 2679 switch (conn->type) { 2680 case SCO_LINK: 2681 /* SCO logical transport (1 Mb/s): 2682 * HV1, HV2, HV3 and DV. 2683 */ 2684 phys |= BT_PHY_BR_1M_1SLOT; 2685 2686 break; 2687 2688 case ACL_LINK: 2689 /* ACL logical transport (1 Mb/s) ptt=0: 2690 * DH1, DM3, DH3, DM5 and DH5. 2691 */ 2692 phys |= BT_PHY_BR_1M_1SLOT; 2693 2694 if (conn->pkt_type & (HCI_DM3 | HCI_DH3)) 2695 phys |= BT_PHY_BR_1M_3SLOT; 2696 2697 if (conn->pkt_type & (HCI_DM5 | HCI_DH5)) 2698 phys |= BT_PHY_BR_1M_5SLOT; 2699 2700 /* ACL logical transport (2 Mb/s) ptt=1: 2701 * 2-DH1, 2-DH3 and 2-DH5. 2702 */ 2703 if (!(conn->pkt_type & HCI_2DH1)) 2704 phys |= BT_PHY_EDR_2M_1SLOT; 2705 2706 if (!(conn->pkt_type & HCI_2DH3)) 2707 phys |= BT_PHY_EDR_2M_3SLOT; 2708 2709 if (!(conn->pkt_type & HCI_2DH5)) 2710 phys |= BT_PHY_EDR_2M_5SLOT; 2711 2712 /* ACL logical transport (3 Mb/s) ptt=1: 2713 * 3-DH1, 3-DH3 and 3-DH5. 2714 */ 2715 if (!(conn->pkt_type & HCI_3DH1)) 2716 phys |= BT_PHY_EDR_3M_1SLOT; 2717 2718 if (!(conn->pkt_type & HCI_3DH3)) 2719 phys |= BT_PHY_EDR_3M_3SLOT; 2720 2721 if (!(conn->pkt_type & HCI_3DH5)) 2722 phys |= BT_PHY_EDR_3M_5SLOT; 2723 2724 break; 2725 2726 case ESCO_LINK: 2727 /* eSCO logical transport (1 Mb/s): EV3, EV4 and EV5 */ 2728 phys |= BT_PHY_BR_1M_1SLOT; 2729 2730 if (!(conn->pkt_type & (ESCO_EV4 | ESCO_EV5))) 2731 phys |= BT_PHY_BR_1M_3SLOT; 2732 2733 /* eSCO logical transport (2 Mb/s): 2-EV3, 2-EV5 */ 2734 if (!(conn->pkt_type & ESCO_2EV3)) 2735 phys |= BT_PHY_EDR_2M_1SLOT; 2736 2737 if (!(conn->pkt_type & ESCO_2EV5)) 2738 phys |= BT_PHY_EDR_2M_3SLOT; 2739 2740 /* eSCO logical transport (3 Mb/s): 3-EV3, 3-EV5 */ 2741 if (!(conn->pkt_type & ESCO_3EV3)) 2742 phys |= BT_PHY_EDR_3M_1SLOT; 2743 2744 if (!(conn->pkt_type & ESCO_3EV5)) 2745 phys |= BT_PHY_EDR_3M_3SLOT; 2746 2747 break; 2748 2749 case LE_LINK: 2750 if (conn->le_tx_phy & HCI_LE_SET_PHY_1M) 2751 phys |= BT_PHY_LE_1M_TX; 2752 2753 if (conn->le_rx_phy & HCI_LE_SET_PHY_1M) 2754 phys |= BT_PHY_LE_1M_RX; 2755 2756 if (conn->le_tx_phy & HCI_LE_SET_PHY_2M) 2757 phys |= BT_PHY_LE_2M_TX; 2758 2759 if (conn->le_rx_phy & HCI_LE_SET_PHY_2M) 2760 phys |= BT_PHY_LE_2M_RX; 2761 2762 if (conn->le_tx_phy & HCI_LE_SET_PHY_CODED) 2763 phys |= BT_PHY_LE_CODED_TX; 2764 2765 if (conn->le_rx_phy & HCI_LE_SET_PHY_CODED) 2766 phys |= BT_PHY_LE_CODED_RX; 2767 2768 break; 2769 } 2770 2771 return phys; 2772 } 2773 2774 int hci_abort_conn(struct hci_conn *conn, u8 reason) 2775 { 2776 int r = 0; 2777 2778 switch (conn->state) { 2779 case BT_CONNECTED: 2780 case BT_CONFIG: 2781 if (conn->type == AMP_LINK) { 2782 struct hci_cp_disconn_phy_link cp; 2783 2784 cp.phy_handle = HCI_PHY_HANDLE(conn->handle); 2785 cp.reason = reason; 2786 r = hci_send_cmd(conn->hdev, HCI_OP_DISCONN_PHY_LINK, 2787 sizeof(cp), &cp); 2788 } else { 2789 struct hci_cp_disconnect dc; 2790 2791 dc.handle = cpu_to_le16(conn->handle); 2792 dc.reason = reason; 2793 r = hci_send_cmd(conn->hdev, HCI_OP_DISCONNECT, 2794 sizeof(dc), &dc); 2795 } 2796 2797 conn->state = BT_DISCONN; 2798 2799 break; 2800 case BT_CONNECT: 2801 if (conn->type == LE_LINK) { 2802 if (test_bit(HCI_CONN_SCANNING, &conn->flags)) 2803 break; 2804 r = hci_send_cmd(conn->hdev, 2805 HCI_OP_LE_CREATE_CONN_CANCEL, 0, NULL); 2806 } else if (conn->type == ACL_LINK) { 2807 if (conn->hdev->hci_ver < BLUETOOTH_VER_1_2) 2808 break; 2809 r = hci_send_cmd(conn->hdev, 2810 HCI_OP_CREATE_CONN_CANCEL, 2811 6, &conn->dst); 2812 } 2813 break; 2814 case BT_CONNECT2: 2815 if (conn->type == ACL_LINK) { 2816 struct hci_cp_reject_conn_req rej; 2817 2818 bacpy(&rej.bdaddr, &conn->dst); 2819 rej.reason = reason; 2820 2821 r = hci_send_cmd(conn->hdev, 2822 HCI_OP_REJECT_CONN_REQ, 2823 sizeof(rej), &rej); 2824 } else if (conn->type == SCO_LINK || conn->type == ESCO_LINK) { 2825 struct hci_cp_reject_sync_conn_req rej; 2826 2827 bacpy(&rej.bdaddr, &conn->dst); 2828 2829 /* SCO rejection has its own limited set of 2830 * allowed error values (0x0D-0x0F) which isn't 2831 * compatible with most values passed to this 2832 * function. To be safe hard-code one of the 2833 * values that's suitable for SCO. 2834 */ 2835 rej.reason = HCI_ERROR_REJ_LIMITED_RESOURCES; 2836 2837 r = hci_send_cmd(conn->hdev, 2838 HCI_OP_REJECT_SYNC_CONN_REQ, 2839 sizeof(rej), &rej); 2840 } 2841 break; 2842 default: 2843 conn->state = BT_CLOSED; 2844 break; 2845 } 2846 2847 return r; 2848 } 2849