1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 Copyright 2023 NXP 5 6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 7 8 This program is free software; you can redistribute it and/or modify 9 it under the terms of the GNU General Public License version 2 as 10 published by the Free Software Foundation; 11 12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 23 SOFTWARE IS DISCLAIMED. 24 */ 25 26 /* Bluetooth HCI connection handling. */ 27 28 #include <linux/export.h> 29 #include <linux/debugfs.h> 30 31 #include <net/bluetooth/bluetooth.h> 32 #include <net/bluetooth/hci_core.h> 33 #include <net/bluetooth/l2cap.h> 34 #include <net/bluetooth/iso.h> 35 #include <net/bluetooth/mgmt.h> 36 37 #include "hci_request.h" 38 #include "smp.h" 39 #include "a2mp.h" 40 #include "eir.h" 41 42 struct sco_param { 43 u16 pkt_type; 44 u16 max_latency; 45 u8 retrans_effort; 46 }; 47 48 struct conn_handle_t { 49 struct hci_conn *conn; 50 __u16 handle; 51 }; 52 53 static const struct sco_param esco_param_cvsd[] = { 54 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */ 55 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */ 56 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */ 57 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */ 58 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */ 59 }; 60 61 static const struct sco_param sco_param_cvsd[] = { 62 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */ 63 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */ 64 }; 65 66 static const struct sco_param esco_param_msbc[] = { 67 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */ 68 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */ 69 }; 70 71 /* This function requires the caller holds hdev->lock */ 72 static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status) 73 { 74 struct hci_conn_params *params; 75 struct hci_dev *hdev = conn->hdev; 76 struct smp_irk *irk; 77 bdaddr_t *bdaddr; 78 u8 bdaddr_type; 79 80 bdaddr = &conn->dst; 81 bdaddr_type = conn->dst_type; 82 83 /* Check if we need to convert to identity address */ 84 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 85 if (irk) { 86 bdaddr = &irk->bdaddr; 87 bdaddr_type = irk->addr_type; 88 } 89 90 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr, 91 bdaddr_type); 92 if (!params) 93 return; 94 95 if (params->conn) { 96 hci_conn_drop(params->conn); 97 hci_conn_put(params->conn); 98 params->conn = NULL; 99 } 100 101 if (!params->explicit_connect) 102 return; 103 104 /* If the status indicates successful cancellation of 105 * the attempt (i.e. Unknown Connection Id) there's no point of 106 * notifying failure since we'll go back to keep trying to 107 * connect. The only exception is explicit connect requests 108 * where a timeout + cancel does indicate an actual failure. 109 */ 110 if (status && status != HCI_ERROR_UNKNOWN_CONN_ID) 111 mgmt_connect_failed(hdev, &conn->dst, conn->type, 112 conn->dst_type, status); 113 114 /* The connection attempt was doing scan for new RPA, and is 115 * in scan phase. If params are not associated with any other 116 * autoconnect action, remove them completely. If they are, just unmark 117 * them as waiting for connection, by clearing explicit_connect field. 118 */ 119 params->explicit_connect = false; 120 121 hci_pend_le_list_del_init(params); 122 123 switch (params->auto_connect) { 124 case HCI_AUTO_CONN_EXPLICIT: 125 hci_conn_params_del(hdev, bdaddr, bdaddr_type); 126 /* return instead of break to avoid duplicate scan update */ 127 return; 128 case HCI_AUTO_CONN_DIRECT: 129 case HCI_AUTO_CONN_ALWAYS: 130 hci_pend_le_list_add(params, &hdev->pend_le_conns); 131 break; 132 case HCI_AUTO_CONN_REPORT: 133 hci_pend_le_list_add(params, &hdev->pend_le_reports); 134 break; 135 default: 136 break; 137 } 138 139 hci_update_passive_scan(hdev); 140 } 141 142 static void hci_conn_cleanup(struct hci_conn *conn) 143 { 144 struct hci_dev *hdev = conn->hdev; 145 146 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags)) 147 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type); 148 149 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 150 hci_remove_link_key(hdev, &conn->dst); 151 152 hci_chan_list_flush(conn); 153 154 hci_conn_hash_del(hdev, conn); 155 156 if (HCI_CONN_HANDLE_UNSET(conn->handle)) 157 ida_free(&hdev->unset_handle_ida, conn->handle); 158 159 if (conn->cleanup) 160 conn->cleanup(conn); 161 162 if (conn->type == SCO_LINK || conn->type == ESCO_LINK) { 163 switch (conn->setting & SCO_AIRMODE_MASK) { 164 case SCO_AIRMODE_CVSD: 165 case SCO_AIRMODE_TRANSP: 166 if (hdev->notify) 167 hdev->notify(hdev, HCI_NOTIFY_DISABLE_SCO); 168 break; 169 } 170 } else { 171 if (hdev->notify) 172 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL); 173 } 174 175 debugfs_remove_recursive(conn->debugfs); 176 177 hci_conn_del_sysfs(conn); 178 179 hci_dev_put(hdev); 180 } 181 182 static void hci_acl_create_connection(struct hci_conn *conn) 183 { 184 struct hci_dev *hdev = conn->hdev; 185 struct inquiry_entry *ie; 186 struct hci_cp_create_conn cp; 187 188 BT_DBG("hcon %p", conn); 189 190 /* Many controllers disallow HCI Create Connection while it is doing 191 * HCI Inquiry. So we cancel the Inquiry first before issuing HCI Create 192 * Connection. This may cause the MGMT discovering state to become false 193 * without user space's request but it is okay since the MGMT Discovery 194 * APIs do not promise that discovery should be done forever. Instead, 195 * the user space monitors the status of MGMT discovering and it may 196 * request for discovery again when this flag becomes false. 197 */ 198 if (test_bit(HCI_INQUIRY, &hdev->flags)) { 199 /* Put this connection to "pending" state so that it will be 200 * executed after the inquiry cancel command complete event. 201 */ 202 conn->state = BT_CONNECT2; 203 hci_send_cmd(hdev, HCI_OP_INQUIRY_CANCEL, 0, NULL); 204 return; 205 } 206 207 conn->state = BT_CONNECT; 208 conn->out = true; 209 conn->role = HCI_ROLE_MASTER; 210 211 conn->attempt++; 212 213 conn->link_policy = hdev->link_policy; 214 215 memset(&cp, 0, sizeof(cp)); 216 bacpy(&cp.bdaddr, &conn->dst); 217 cp.pscan_rep_mode = 0x02; 218 219 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 220 if (ie) { 221 if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) { 222 cp.pscan_rep_mode = ie->data.pscan_rep_mode; 223 cp.pscan_mode = ie->data.pscan_mode; 224 cp.clock_offset = ie->data.clock_offset | 225 cpu_to_le16(0x8000); 226 } 227 228 memcpy(conn->dev_class, ie->data.dev_class, 3); 229 } 230 231 cp.pkt_type = cpu_to_le16(conn->pkt_type); 232 if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER)) 233 cp.role_switch = 0x01; 234 else 235 cp.role_switch = 0x00; 236 237 hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp); 238 } 239 240 int hci_disconnect(struct hci_conn *conn, __u8 reason) 241 { 242 BT_DBG("hcon %p", conn); 243 244 /* When we are central of an established connection and it enters 245 * the disconnect timeout, then go ahead and try to read the 246 * current clock offset. Processing of the result is done 247 * within the event handling and hci_clock_offset_evt function. 248 */ 249 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER && 250 (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) { 251 struct hci_dev *hdev = conn->hdev; 252 struct hci_cp_read_clock_offset clkoff_cp; 253 254 clkoff_cp.handle = cpu_to_le16(conn->handle); 255 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp), 256 &clkoff_cp); 257 } 258 259 return hci_abort_conn(conn, reason); 260 } 261 262 static void hci_add_sco(struct hci_conn *conn, __u16 handle) 263 { 264 struct hci_dev *hdev = conn->hdev; 265 struct hci_cp_add_sco cp; 266 267 BT_DBG("hcon %p", conn); 268 269 conn->state = BT_CONNECT; 270 conn->out = true; 271 272 conn->attempt++; 273 274 cp.handle = cpu_to_le16(handle); 275 cp.pkt_type = cpu_to_le16(conn->pkt_type); 276 277 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp); 278 } 279 280 static bool find_next_esco_param(struct hci_conn *conn, 281 const struct sco_param *esco_param, int size) 282 { 283 if (!conn->parent) 284 return false; 285 286 for (; conn->attempt <= size; conn->attempt++) { 287 if (lmp_esco_2m_capable(conn->parent) || 288 (esco_param[conn->attempt - 1].pkt_type & ESCO_2EV3)) 289 break; 290 BT_DBG("hcon %p skipped attempt %d, eSCO 2M not supported", 291 conn, conn->attempt); 292 } 293 294 return conn->attempt <= size; 295 } 296 297 static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec) 298 { 299 int err; 300 __u8 vnd_len, *vnd_data = NULL; 301 struct hci_op_configure_data_path *cmd = NULL; 302 303 if (!codec->data_path || !hdev->get_codec_config_data) 304 return 0; 305 306 /* Do not take me as error */ 307 if (!hdev->get_codec_config_data) 308 return 0; 309 310 err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len, 311 &vnd_data); 312 if (err < 0) 313 goto error; 314 315 cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL); 316 if (!cmd) { 317 err = -ENOMEM; 318 goto error; 319 } 320 321 err = hdev->get_data_path_id(hdev, &cmd->data_path_id); 322 if (err < 0) 323 goto error; 324 325 cmd->vnd_len = vnd_len; 326 memcpy(cmd->vnd_data, vnd_data, vnd_len); 327 328 cmd->direction = 0x00; 329 __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH, 330 sizeof(*cmd) + vnd_len, cmd, HCI_CMD_TIMEOUT); 331 332 cmd->direction = 0x01; 333 err = __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH, 334 sizeof(*cmd) + vnd_len, cmd, 335 HCI_CMD_TIMEOUT); 336 error: 337 338 kfree(cmd); 339 kfree(vnd_data); 340 return err; 341 } 342 343 static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data) 344 { 345 struct conn_handle_t *conn_handle = data; 346 struct hci_conn *conn = conn_handle->conn; 347 __u16 handle = conn_handle->handle; 348 struct hci_cp_enhanced_setup_sync_conn cp; 349 const struct sco_param *param; 350 351 kfree(conn_handle); 352 353 bt_dev_dbg(hdev, "hcon %p", conn); 354 355 configure_datapath_sync(hdev, &conn->codec); 356 357 conn->state = BT_CONNECT; 358 conn->out = true; 359 360 conn->attempt++; 361 362 memset(&cp, 0x00, sizeof(cp)); 363 364 cp.handle = cpu_to_le16(handle); 365 366 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 367 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 368 369 switch (conn->codec.id) { 370 case BT_CODEC_MSBC: 371 if (!find_next_esco_param(conn, esco_param_msbc, 372 ARRAY_SIZE(esco_param_msbc))) 373 return -EINVAL; 374 375 param = &esco_param_msbc[conn->attempt - 1]; 376 cp.tx_coding_format.id = 0x05; 377 cp.rx_coding_format.id = 0x05; 378 cp.tx_codec_frame_size = __cpu_to_le16(60); 379 cp.rx_codec_frame_size = __cpu_to_le16(60); 380 cp.in_bandwidth = __cpu_to_le32(32000); 381 cp.out_bandwidth = __cpu_to_le32(32000); 382 cp.in_coding_format.id = 0x04; 383 cp.out_coding_format.id = 0x04; 384 cp.in_coded_data_size = __cpu_to_le16(16); 385 cp.out_coded_data_size = __cpu_to_le16(16); 386 cp.in_pcm_data_format = 2; 387 cp.out_pcm_data_format = 2; 388 cp.in_pcm_sample_payload_msb_pos = 0; 389 cp.out_pcm_sample_payload_msb_pos = 0; 390 cp.in_data_path = conn->codec.data_path; 391 cp.out_data_path = conn->codec.data_path; 392 cp.in_transport_unit_size = 1; 393 cp.out_transport_unit_size = 1; 394 break; 395 396 case BT_CODEC_TRANSPARENT: 397 if (!find_next_esco_param(conn, esco_param_msbc, 398 ARRAY_SIZE(esco_param_msbc))) 399 return false; 400 param = &esco_param_msbc[conn->attempt - 1]; 401 cp.tx_coding_format.id = 0x03; 402 cp.rx_coding_format.id = 0x03; 403 cp.tx_codec_frame_size = __cpu_to_le16(60); 404 cp.rx_codec_frame_size = __cpu_to_le16(60); 405 cp.in_bandwidth = __cpu_to_le32(0x1f40); 406 cp.out_bandwidth = __cpu_to_le32(0x1f40); 407 cp.in_coding_format.id = 0x03; 408 cp.out_coding_format.id = 0x03; 409 cp.in_coded_data_size = __cpu_to_le16(16); 410 cp.out_coded_data_size = __cpu_to_le16(16); 411 cp.in_pcm_data_format = 2; 412 cp.out_pcm_data_format = 2; 413 cp.in_pcm_sample_payload_msb_pos = 0; 414 cp.out_pcm_sample_payload_msb_pos = 0; 415 cp.in_data_path = conn->codec.data_path; 416 cp.out_data_path = conn->codec.data_path; 417 cp.in_transport_unit_size = 1; 418 cp.out_transport_unit_size = 1; 419 break; 420 421 case BT_CODEC_CVSD: 422 if (conn->parent && lmp_esco_capable(conn->parent)) { 423 if (!find_next_esco_param(conn, esco_param_cvsd, 424 ARRAY_SIZE(esco_param_cvsd))) 425 return -EINVAL; 426 param = &esco_param_cvsd[conn->attempt - 1]; 427 } else { 428 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd)) 429 return -EINVAL; 430 param = &sco_param_cvsd[conn->attempt - 1]; 431 } 432 cp.tx_coding_format.id = 2; 433 cp.rx_coding_format.id = 2; 434 cp.tx_codec_frame_size = __cpu_to_le16(60); 435 cp.rx_codec_frame_size = __cpu_to_le16(60); 436 cp.in_bandwidth = __cpu_to_le32(16000); 437 cp.out_bandwidth = __cpu_to_le32(16000); 438 cp.in_coding_format.id = 4; 439 cp.out_coding_format.id = 4; 440 cp.in_coded_data_size = __cpu_to_le16(16); 441 cp.out_coded_data_size = __cpu_to_le16(16); 442 cp.in_pcm_data_format = 2; 443 cp.out_pcm_data_format = 2; 444 cp.in_pcm_sample_payload_msb_pos = 0; 445 cp.out_pcm_sample_payload_msb_pos = 0; 446 cp.in_data_path = conn->codec.data_path; 447 cp.out_data_path = conn->codec.data_path; 448 cp.in_transport_unit_size = 16; 449 cp.out_transport_unit_size = 16; 450 break; 451 default: 452 return -EINVAL; 453 } 454 455 cp.retrans_effort = param->retrans_effort; 456 cp.pkt_type = __cpu_to_le16(param->pkt_type); 457 cp.max_latency = __cpu_to_le16(param->max_latency); 458 459 if (hci_send_cmd(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0) 460 return -EIO; 461 462 return 0; 463 } 464 465 static bool hci_setup_sync_conn(struct hci_conn *conn, __u16 handle) 466 { 467 struct hci_dev *hdev = conn->hdev; 468 struct hci_cp_setup_sync_conn cp; 469 const struct sco_param *param; 470 471 bt_dev_dbg(hdev, "hcon %p", conn); 472 473 conn->state = BT_CONNECT; 474 conn->out = true; 475 476 conn->attempt++; 477 478 cp.handle = cpu_to_le16(handle); 479 480 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 481 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 482 cp.voice_setting = cpu_to_le16(conn->setting); 483 484 switch (conn->setting & SCO_AIRMODE_MASK) { 485 case SCO_AIRMODE_TRANSP: 486 if (!find_next_esco_param(conn, esco_param_msbc, 487 ARRAY_SIZE(esco_param_msbc))) 488 return false; 489 param = &esco_param_msbc[conn->attempt - 1]; 490 break; 491 case SCO_AIRMODE_CVSD: 492 if (conn->parent && lmp_esco_capable(conn->parent)) { 493 if (!find_next_esco_param(conn, esco_param_cvsd, 494 ARRAY_SIZE(esco_param_cvsd))) 495 return false; 496 param = &esco_param_cvsd[conn->attempt - 1]; 497 } else { 498 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd)) 499 return false; 500 param = &sco_param_cvsd[conn->attempt - 1]; 501 } 502 break; 503 default: 504 return false; 505 } 506 507 cp.retrans_effort = param->retrans_effort; 508 cp.pkt_type = __cpu_to_le16(param->pkt_type); 509 cp.max_latency = __cpu_to_le16(param->max_latency); 510 511 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0) 512 return false; 513 514 return true; 515 } 516 517 bool hci_setup_sync(struct hci_conn *conn, __u16 handle) 518 { 519 int result; 520 struct conn_handle_t *conn_handle; 521 522 if (enhanced_sync_conn_capable(conn->hdev)) { 523 conn_handle = kzalloc(sizeof(*conn_handle), GFP_KERNEL); 524 525 if (!conn_handle) 526 return false; 527 528 conn_handle->conn = conn; 529 conn_handle->handle = handle; 530 result = hci_cmd_sync_queue(conn->hdev, hci_enhanced_setup_sync, 531 conn_handle, NULL); 532 if (result < 0) 533 kfree(conn_handle); 534 535 return result == 0; 536 } 537 538 return hci_setup_sync_conn(conn, handle); 539 } 540 541 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency, 542 u16 to_multiplier) 543 { 544 struct hci_dev *hdev = conn->hdev; 545 struct hci_conn_params *params; 546 struct hci_cp_le_conn_update cp; 547 548 hci_dev_lock(hdev); 549 550 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 551 if (params) { 552 params->conn_min_interval = min; 553 params->conn_max_interval = max; 554 params->conn_latency = latency; 555 params->supervision_timeout = to_multiplier; 556 } 557 558 hci_dev_unlock(hdev); 559 560 memset(&cp, 0, sizeof(cp)); 561 cp.handle = cpu_to_le16(conn->handle); 562 cp.conn_interval_min = cpu_to_le16(min); 563 cp.conn_interval_max = cpu_to_le16(max); 564 cp.conn_latency = cpu_to_le16(latency); 565 cp.supervision_timeout = cpu_to_le16(to_multiplier); 566 cp.min_ce_len = cpu_to_le16(0x0000); 567 cp.max_ce_len = cpu_to_le16(0x0000); 568 569 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp); 570 571 if (params) 572 return 0x01; 573 574 return 0x00; 575 } 576 577 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand, 578 __u8 ltk[16], __u8 key_size) 579 { 580 struct hci_dev *hdev = conn->hdev; 581 struct hci_cp_le_start_enc cp; 582 583 BT_DBG("hcon %p", conn); 584 585 memset(&cp, 0, sizeof(cp)); 586 587 cp.handle = cpu_to_le16(conn->handle); 588 cp.rand = rand; 589 cp.ediv = ediv; 590 memcpy(cp.ltk, ltk, key_size); 591 592 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp); 593 } 594 595 /* Device _must_ be locked */ 596 void hci_sco_setup(struct hci_conn *conn, __u8 status) 597 { 598 struct hci_link *link; 599 600 link = list_first_entry_or_null(&conn->link_list, struct hci_link, list); 601 if (!link || !link->conn) 602 return; 603 604 BT_DBG("hcon %p", conn); 605 606 if (!status) { 607 if (lmp_esco_capable(conn->hdev)) 608 hci_setup_sync(link->conn, conn->handle); 609 else 610 hci_add_sco(link->conn, conn->handle); 611 } else { 612 hci_connect_cfm(link->conn, status); 613 hci_conn_del(link->conn); 614 } 615 } 616 617 static void hci_conn_timeout(struct work_struct *work) 618 { 619 struct hci_conn *conn = container_of(work, struct hci_conn, 620 disc_work.work); 621 int refcnt = atomic_read(&conn->refcnt); 622 623 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state)); 624 625 WARN_ON(refcnt < 0); 626 627 /* FIXME: It was observed that in pairing failed scenario, refcnt 628 * drops below 0. Probably this is because l2cap_conn_del calls 629 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is 630 * dropped. After that loop hci_chan_del is called which also drops 631 * conn. For now make sure that ACL is alive if refcnt is higher then 0, 632 * otherwise drop it. 633 */ 634 if (refcnt > 0) 635 return; 636 637 hci_abort_conn(conn, hci_proto_disconn_ind(conn)); 638 } 639 640 /* Enter sniff mode */ 641 static void hci_conn_idle(struct work_struct *work) 642 { 643 struct hci_conn *conn = container_of(work, struct hci_conn, 644 idle_work.work); 645 struct hci_dev *hdev = conn->hdev; 646 647 BT_DBG("hcon %p mode %d", conn, conn->mode); 648 649 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn)) 650 return; 651 652 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF)) 653 return; 654 655 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) { 656 struct hci_cp_sniff_subrate cp; 657 cp.handle = cpu_to_le16(conn->handle); 658 cp.max_latency = cpu_to_le16(0); 659 cp.min_remote_timeout = cpu_to_le16(0); 660 cp.min_local_timeout = cpu_to_le16(0); 661 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp); 662 } 663 664 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) { 665 struct hci_cp_sniff_mode cp; 666 cp.handle = cpu_to_le16(conn->handle); 667 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval); 668 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval); 669 cp.attempt = cpu_to_le16(4); 670 cp.timeout = cpu_to_le16(1); 671 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp); 672 } 673 } 674 675 static void hci_conn_auto_accept(struct work_struct *work) 676 { 677 struct hci_conn *conn = container_of(work, struct hci_conn, 678 auto_accept_work.work); 679 680 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst), 681 &conn->dst); 682 } 683 684 static void le_disable_advertising(struct hci_dev *hdev) 685 { 686 if (ext_adv_capable(hdev)) { 687 struct hci_cp_le_set_ext_adv_enable cp; 688 689 cp.enable = 0x00; 690 cp.num_of_sets = 0x00; 691 692 hci_send_cmd(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE, sizeof(cp), 693 &cp); 694 } else { 695 u8 enable = 0x00; 696 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), 697 &enable); 698 } 699 } 700 701 static void le_conn_timeout(struct work_struct *work) 702 { 703 struct hci_conn *conn = container_of(work, struct hci_conn, 704 le_conn_timeout.work); 705 struct hci_dev *hdev = conn->hdev; 706 707 BT_DBG(""); 708 709 /* We could end up here due to having done directed advertising, 710 * so clean up the state if necessary. This should however only 711 * happen with broken hardware or if low duty cycle was used 712 * (which doesn't have a timeout of its own). 713 */ 714 if (conn->role == HCI_ROLE_SLAVE) { 715 /* Disable LE Advertising */ 716 le_disable_advertising(hdev); 717 hci_dev_lock(hdev); 718 hci_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT); 719 hci_dev_unlock(hdev); 720 return; 721 } 722 723 hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM); 724 } 725 726 struct iso_cig_params { 727 struct hci_cp_le_set_cig_params cp; 728 struct hci_cis_params cis[0x1f]; 729 }; 730 731 struct iso_list_data { 732 union { 733 u8 cig; 734 u8 big; 735 }; 736 union { 737 u8 cis; 738 u8 bis; 739 u16 sync_handle; 740 }; 741 int count; 742 bool big_term; 743 bool pa_sync_term; 744 bool big_sync_term; 745 }; 746 747 static void bis_list(struct hci_conn *conn, void *data) 748 { 749 struct iso_list_data *d = data; 750 751 /* Skip if not broadcast/ANY address */ 752 if (bacmp(&conn->dst, BDADDR_ANY)) 753 return; 754 755 if (d->big != conn->iso_qos.bcast.big || d->bis == BT_ISO_QOS_BIS_UNSET || 756 d->bis != conn->iso_qos.bcast.bis) 757 return; 758 759 d->count++; 760 } 761 762 static int terminate_big_sync(struct hci_dev *hdev, void *data) 763 { 764 struct iso_list_data *d = data; 765 766 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", d->big, d->bis); 767 768 hci_disable_per_advertising_sync(hdev, d->bis); 769 hci_remove_ext_adv_instance_sync(hdev, d->bis, NULL); 770 771 /* Only terminate BIG if it has been created */ 772 if (!d->big_term) 773 return 0; 774 775 return hci_le_terminate_big_sync(hdev, d->big, 776 HCI_ERROR_LOCAL_HOST_TERM); 777 } 778 779 static void terminate_big_destroy(struct hci_dev *hdev, void *data, int err) 780 { 781 kfree(data); 782 } 783 784 static int hci_le_terminate_big(struct hci_dev *hdev, struct hci_conn *conn) 785 { 786 struct iso_list_data *d; 787 int ret; 788 789 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", conn->iso_qos.bcast.big, 790 conn->iso_qos.bcast.bis); 791 792 d = kzalloc(sizeof(*d), GFP_KERNEL); 793 if (!d) 794 return -ENOMEM; 795 796 d->big = conn->iso_qos.bcast.big; 797 d->bis = conn->iso_qos.bcast.bis; 798 d->big_term = test_and_clear_bit(HCI_CONN_BIG_CREATED, &conn->flags); 799 800 ret = hci_cmd_sync_queue(hdev, terminate_big_sync, d, 801 terminate_big_destroy); 802 if (ret) 803 kfree(d); 804 805 return ret; 806 } 807 808 static int big_terminate_sync(struct hci_dev *hdev, void *data) 809 { 810 struct iso_list_data *d = data; 811 812 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", d->big, 813 d->sync_handle); 814 815 if (d->big_sync_term) 816 hci_le_big_terminate_sync(hdev, d->big); 817 818 if (d->pa_sync_term) 819 return hci_le_pa_terminate_sync(hdev, d->sync_handle); 820 821 return 0; 822 } 823 824 static void find_bis(struct hci_conn *conn, void *data) 825 { 826 struct iso_list_data *d = data; 827 828 /* Ignore if BIG doesn't match */ 829 if (d->big != conn->iso_qos.bcast.big) 830 return; 831 832 d->count++; 833 } 834 835 static int hci_le_big_terminate(struct hci_dev *hdev, u8 big, struct hci_conn *conn) 836 { 837 struct iso_list_data *d; 838 int ret; 839 840 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", big, conn->sync_handle); 841 842 d = kzalloc(sizeof(*d), GFP_KERNEL); 843 if (!d) 844 return -ENOMEM; 845 846 memset(d, 0, sizeof(*d)); 847 d->big = big; 848 d->sync_handle = conn->sync_handle; 849 850 if (test_and_clear_bit(HCI_CONN_PA_SYNC, &conn->flags)) { 851 hci_conn_hash_list_flag(hdev, find_bis, ISO_LINK, 852 HCI_CONN_PA_SYNC, d); 853 854 if (!d->count) 855 d->pa_sync_term = true; 856 857 d->count = 0; 858 } 859 860 if (test_and_clear_bit(HCI_CONN_BIG_SYNC, &conn->flags)) { 861 hci_conn_hash_list_flag(hdev, find_bis, ISO_LINK, 862 HCI_CONN_BIG_SYNC, d); 863 864 if (!d->count) 865 d->big_sync_term = true; 866 } 867 868 ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d, 869 terminate_big_destroy); 870 if (ret) 871 kfree(d); 872 873 return ret; 874 } 875 876 /* Cleanup BIS connection 877 * 878 * Detects if there any BIS left connected in a BIG 879 * broadcaster: Remove advertising instance and terminate BIG. 880 * broadcaster receiver: Teminate BIG sync and terminate PA sync. 881 */ 882 static void bis_cleanup(struct hci_conn *conn) 883 { 884 struct hci_dev *hdev = conn->hdev; 885 struct hci_conn *bis; 886 887 bt_dev_dbg(hdev, "conn %p", conn); 888 889 if (conn->role == HCI_ROLE_MASTER) { 890 if (!test_and_clear_bit(HCI_CONN_PER_ADV, &conn->flags)) 891 return; 892 893 /* Check if ISO connection is a BIS and terminate advertising 894 * set and BIG if there are no other connections using it. 895 */ 896 bis = hci_conn_hash_lookup_big(hdev, conn->iso_qos.bcast.big); 897 if (bis) 898 return; 899 900 hci_le_terminate_big(hdev, conn); 901 } else { 902 hci_le_big_terminate(hdev, conn->iso_qos.bcast.big, 903 conn); 904 } 905 } 906 907 static int remove_cig_sync(struct hci_dev *hdev, void *data) 908 { 909 u8 handle = PTR_UINT(data); 910 911 return hci_le_remove_cig_sync(hdev, handle); 912 } 913 914 static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle) 915 { 916 bt_dev_dbg(hdev, "handle 0x%2.2x", handle); 917 918 return hci_cmd_sync_queue(hdev, remove_cig_sync, UINT_PTR(handle), 919 NULL); 920 } 921 922 static void find_cis(struct hci_conn *conn, void *data) 923 { 924 struct iso_list_data *d = data; 925 926 /* Ignore broadcast or if CIG don't match */ 927 if (!bacmp(&conn->dst, BDADDR_ANY) || d->cig != conn->iso_qos.ucast.cig) 928 return; 929 930 d->count++; 931 } 932 933 /* Cleanup CIS connection: 934 * 935 * Detects if there any CIS left connected in a CIG and remove it. 936 */ 937 static void cis_cleanup(struct hci_conn *conn) 938 { 939 struct hci_dev *hdev = conn->hdev; 940 struct iso_list_data d; 941 942 if (conn->iso_qos.ucast.cig == BT_ISO_QOS_CIG_UNSET) 943 return; 944 945 memset(&d, 0, sizeof(d)); 946 d.cig = conn->iso_qos.ucast.cig; 947 948 /* Check if ISO connection is a CIS and remove CIG if there are 949 * no other connections using it. 950 */ 951 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_BOUND, &d); 952 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECT, &d); 953 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECTED, &d); 954 if (d.count) 955 return; 956 957 hci_le_remove_cig(hdev, conn->iso_qos.ucast.cig); 958 } 959 960 static int hci_conn_hash_alloc_unset(struct hci_dev *hdev) 961 { 962 return ida_alloc_range(&hdev->unset_handle_ida, HCI_CONN_HANDLE_MAX + 1, 963 U16_MAX, GFP_ATOMIC); 964 } 965 966 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst, 967 u8 role, u16 handle) 968 { 969 struct hci_conn *conn; 970 971 bt_dev_dbg(hdev, "dst %pMR handle 0x%4.4x", dst, handle); 972 973 conn = kzalloc(sizeof(*conn), GFP_KERNEL); 974 if (!conn) 975 return NULL; 976 977 bacpy(&conn->dst, dst); 978 bacpy(&conn->src, &hdev->bdaddr); 979 conn->handle = handle; 980 conn->hdev = hdev; 981 conn->type = type; 982 conn->role = role; 983 conn->mode = HCI_CM_ACTIVE; 984 conn->state = BT_OPEN; 985 conn->auth_type = HCI_AT_GENERAL_BONDING; 986 conn->io_capability = hdev->io_capability; 987 conn->remote_auth = 0xff; 988 conn->key_type = 0xff; 989 conn->rssi = HCI_RSSI_INVALID; 990 conn->tx_power = HCI_TX_POWER_INVALID; 991 conn->max_tx_power = HCI_TX_POWER_INVALID; 992 conn->sync_handle = HCI_SYNC_HANDLE_INVALID; 993 994 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 995 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 996 997 /* Set Default Authenticated payload timeout to 30s */ 998 conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT; 999 1000 if (conn->role == HCI_ROLE_MASTER) 1001 conn->out = true; 1002 1003 switch (type) { 1004 case ACL_LINK: 1005 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK; 1006 break; 1007 case LE_LINK: 1008 /* conn->src should reflect the local identity address */ 1009 hci_copy_identity_address(hdev, &conn->src, &conn->src_type); 1010 break; 1011 case ISO_LINK: 1012 /* conn->src should reflect the local identity address */ 1013 hci_copy_identity_address(hdev, &conn->src, &conn->src_type); 1014 1015 /* set proper cleanup function */ 1016 if (!bacmp(dst, BDADDR_ANY)) 1017 conn->cleanup = bis_cleanup; 1018 else if (conn->role == HCI_ROLE_MASTER) 1019 conn->cleanup = cis_cleanup; 1020 1021 break; 1022 case SCO_LINK: 1023 if (lmp_esco_capable(hdev)) 1024 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 1025 (hdev->esco_type & EDR_ESCO_MASK); 1026 else 1027 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK; 1028 break; 1029 case ESCO_LINK: 1030 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK; 1031 break; 1032 } 1033 1034 skb_queue_head_init(&conn->data_q); 1035 1036 INIT_LIST_HEAD(&conn->chan_list); 1037 INIT_LIST_HEAD(&conn->link_list); 1038 1039 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout); 1040 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept); 1041 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle); 1042 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout); 1043 1044 atomic_set(&conn->refcnt, 0); 1045 1046 hci_dev_hold(hdev); 1047 1048 hci_conn_hash_add(hdev, conn); 1049 1050 /* The SCO and eSCO connections will only be notified when their 1051 * setup has been completed. This is different to ACL links which 1052 * can be notified right away. 1053 */ 1054 if (conn->type != SCO_LINK && conn->type != ESCO_LINK) { 1055 if (hdev->notify) 1056 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD); 1057 } 1058 1059 hci_conn_init_sysfs(conn); 1060 1061 return conn; 1062 } 1063 1064 struct hci_conn *hci_conn_add_unset(struct hci_dev *hdev, int type, 1065 bdaddr_t *dst, u8 role) 1066 { 1067 int handle; 1068 1069 bt_dev_dbg(hdev, "dst %pMR", dst); 1070 1071 handle = hci_conn_hash_alloc_unset(hdev); 1072 if (unlikely(handle < 0)) 1073 return NULL; 1074 1075 return hci_conn_add(hdev, type, dst, role, handle); 1076 } 1077 1078 static void hci_conn_cleanup_child(struct hci_conn *conn, u8 reason) 1079 { 1080 if (!reason) 1081 reason = HCI_ERROR_REMOTE_USER_TERM; 1082 1083 /* Due to race, SCO/ISO conn might be not established yet at this point, 1084 * and nothing else will clean it up. In other cases it is done via HCI 1085 * events. 1086 */ 1087 switch (conn->type) { 1088 case SCO_LINK: 1089 case ESCO_LINK: 1090 if (HCI_CONN_HANDLE_UNSET(conn->handle)) 1091 hci_conn_failed(conn, reason); 1092 break; 1093 case ISO_LINK: 1094 if ((conn->state != BT_CONNECTED && 1095 !test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) || 1096 test_bit(HCI_CONN_BIG_CREATED, &conn->flags)) 1097 hci_conn_failed(conn, reason); 1098 break; 1099 } 1100 } 1101 1102 static void hci_conn_unlink(struct hci_conn *conn) 1103 { 1104 struct hci_dev *hdev = conn->hdev; 1105 1106 bt_dev_dbg(hdev, "hcon %p", conn); 1107 1108 if (!conn->parent) { 1109 struct hci_link *link, *t; 1110 1111 list_for_each_entry_safe(link, t, &conn->link_list, list) { 1112 struct hci_conn *child = link->conn; 1113 1114 hci_conn_unlink(child); 1115 1116 /* If hdev is down it means 1117 * hci_dev_close_sync/hci_conn_hash_flush is in progress 1118 * and links don't need to be cleanup as all connections 1119 * would be cleanup. 1120 */ 1121 if (!test_bit(HCI_UP, &hdev->flags)) 1122 continue; 1123 1124 hci_conn_cleanup_child(child, conn->abort_reason); 1125 } 1126 1127 return; 1128 } 1129 1130 if (!conn->link) 1131 return; 1132 1133 list_del_rcu(&conn->link->list); 1134 synchronize_rcu(); 1135 1136 hci_conn_drop(conn->parent); 1137 hci_conn_put(conn->parent); 1138 conn->parent = NULL; 1139 1140 kfree(conn->link); 1141 conn->link = NULL; 1142 } 1143 1144 void hci_conn_del(struct hci_conn *conn) 1145 { 1146 struct hci_dev *hdev = conn->hdev; 1147 1148 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle); 1149 1150 hci_conn_unlink(conn); 1151 1152 cancel_delayed_work_sync(&conn->disc_work); 1153 cancel_delayed_work_sync(&conn->auto_accept_work); 1154 cancel_delayed_work_sync(&conn->idle_work); 1155 1156 if (conn->type == ACL_LINK) { 1157 /* Unacked frames */ 1158 hdev->acl_cnt += conn->sent; 1159 } else if (conn->type == LE_LINK) { 1160 cancel_delayed_work(&conn->le_conn_timeout); 1161 1162 if (hdev->le_pkts) 1163 hdev->le_cnt += conn->sent; 1164 else 1165 hdev->acl_cnt += conn->sent; 1166 } else { 1167 /* Unacked ISO frames */ 1168 if (conn->type == ISO_LINK) { 1169 if (hdev->iso_pkts) 1170 hdev->iso_cnt += conn->sent; 1171 else if (hdev->le_pkts) 1172 hdev->le_cnt += conn->sent; 1173 else 1174 hdev->acl_cnt += conn->sent; 1175 } 1176 } 1177 1178 if (conn->amp_mgr) 1179 amp_mgr_put(conn->amp_mgr); 1180 1181 skb_queue_purge(&conn->data_q); 1182 1183 /* Remove the connection from the list and cleanup its remaining 1184 * state. This is a separate function since for some cases like 1185 * BT_CONNECT_SCAN we *only* want the cleanup part without the 1186 * rest of hci_conn_del. 1187 */ 1188 hci_conn_cleanup(conn); 1189 } 1190 1191 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type) 1192 { 1193 int use_src = bacmp(src, BDADDR_ANY); 1194 struct hci_dev *hdev = NULL, *d; 1195 1196 BT_DBG("%pMR -> %pMR", src, dst); 1197 1198 read_lock(&hci_dev_list_lock); 1199 1200 list_for_each_entry(d, &hci_dev_list, list) { 1201 if (!test_bit(HCI_UP, &d->flags) || 1202 hci_dev_test_flag(d, HCI_USER_CHANNEL) || 1203 d->dev_type != HCI_PRIMARY) 1204 continue; 1205 1206 /* Simple routing: 1207 * No source address - find interface with bdaddr != dst 1208 * Source address - find interface with bdaddr == src 1209 */ 1210 1211 if (use_src) { 1212 bdaddr_t id_addr; 1213 u8 id_addr_type; 1214 1215 if (src_type == BDADDR_BREDR) { 1216 if (!lmp_bredr_capable(d)) 1217 continue; 1218 bacpy(&id_addr, &d->bdaddr); 1219 id_addr_type = BDADDR_BREDR; 1220 } else { 1221 if (!lmp_le_capable(d)) 1222 continue; 1223 1224 hci_copy_identity_address(d, &id_addr, 1225 &id_addr_type); 1226 1227 /* Convert from HCI to three-value type */ 1228 if (id_addr_type == ADDR_LE_DEV_PUBLIC) 1229 id_addr_type = BDADDR_LE_PUBLIC; 1230 else 1231 id_addr_type = BDADDR_LE_RANDOM; 1232 } 1233 1234 if (!bacmp(&id_addr, src) && id_addr_type == src_type) { 1235 hdev = d; break; 1236 } 1237 } else { 1238 if (bacmp(&d->bdaddr, dst)) { 1239 hdev = d; break; 1240 } 1241 } 1242 } 1243 1244 if (hdev) 1245 hdev = hci_dev_hold(hdev); 1246 1247 read_unlock(&hci_dev_list_lock); 1248 return hdev; 1249 } 1250 EXPORT_SYMBOL(hci_get_route); 1251 1252 /* This function requires the caller holds hdev->lock */ 1253 static void hci_le_conn_failed(struct hci_conn *conn, u8 status) 1254 { 1255 struct hci_dev *hdev = conn->hdev; 1256 1257 hci_connect_le_scan_cleanup(conn, status); 1258 1259 /* Enable advertising in case this was a failed connection 1260 * attempt as a peripheral. 1261 */ 1262 hci_enable_advertising(hdev); 1263 } 1264 1265 /* This function requires the caller holds hdev->lock */ 1266 void hci_conn_failed(struct hci_conn *conn, u8 status) 1267 { 1268 struct hci_dev *hdev = conn->hdev; 1269 1270 bt_dev_dbg(hdev, "status 0x%2.2x", status); 1271 1272 switch (conn->type) { 1273 case LE_LINK: 1274 hci_le_conn_failed(conn, status); 1275 break; 1276 case ACL_LINK: 1277 mgmt_connect_failed(hdev, &conn->dst, conn->type, 1278 conn->dst_type, status); 1279 break; 1280 } 1281 1282 /* In case of BIG/PA sync failed, clear conn flags so that 1283 * the conns will be correctly cleaned up by ISO layer 1284 */ 1285 test_and_clear_bit(HCI_CONN_BIG_SYNC_FAILED, &conn->flags); 1286 test_and_clear_bit(HCI_CONN_PA_SYNC_FAILED, &conn->flags); 1287 1288 conn->state = BT_CLOSED; 1289 hci_connect_cfm(conn, status); 1290 hci_conn_del(conn); 1291 } 1292 1293 /* This function requires the caller holds hdev->lock */ 1294 u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle) 1295 { 1296 struct hci_dev *hdev = conn->hdev; 1297 1298 bt_dev_dbg(hdev, "hcon %p handle 0x%4.4x", conn, handle); 1299 1300 if (conn->handle == handle) 1301 return 0; 1302 1303 if (handle > HCI_CONN_HANDLE_MAX) { 1304 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x", 1305 handle, HCI_CONN_HANDLE_MAX); 1306 return HCI_ERROR_INVALID_PARAMETERS; 1307 } 1308 1309 /* If abort_reason has been sent it means the connection is being 1310 * aborted and the handle shall not be changed. 1311 */ 1312 if (conn->abort_reason) 1313 return conn->abort_reason; 1314 1315 if (HCI_CONN_HANDLE_UNSET(conn->handle)) 1316 ida_free(&hdev->unset_handle_ida, conn->handle); 1317 1318 conn->handle = handle; 1319 1320 return 0; 1321 } 1322 1323 static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err) 1324 { 1325 struct hci_conn *conn; 1326 u16 handle = PTR_UINT(data); 1327 1328 conn = hci_conn_hash_lookup_handle(hdev, handle); 1329 if (!conn) 1330 return; 1331 1332 bt_dev_dbg(hdev, "err %d", err); 1333 1334 hci_dev_lock(hdev); 1335 1336 if (!err) { 1337 hci_connect_le_scan_cleanup(conn, 0x00); 1338 goto done; 1339 } 1340 1341 /* Check if connection is still pending */ 1342 if (conn != hci_lookup_le_connect(hdev)) 1343 goto done; 1344 1345 /* Flush to make sure we send create conn cancel command if needed */ 1346 flush_delayed_work(&conn->le_conn_timeout); 1347 hci_conn_failed(conn, bt_status(err)); 1348 1349 done: 1350 hci_dev_unlock(hdev); 1351 } 1352 1353 static int hci_connect_le_sync(struct hci_dev *hdev, void *data) 1354 { 1355 struct hci_conn *conn; 1356 u16 handle = PTR_UINT(data); 1357 1358 conn = hci_conn_hash_lookup_handle(hdev, handle); 1359 if (!conn) 1360 return 0; 1361 1362 bt_dev_dbg(hdev, "conn %p", conn); 1363 1364 clear_bit(HCI_CONN_SCANNING, &conn->flags); 1365 conn->state = BT_CONNECT; 1366 1367 return hci_le_create_conn_sync(hdev, conn); 1368 } 1369 1370 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst, 1371 u8 dst_type, bool dst_resolved, u8 sec_level, 1372 u16 conn_timeout, u8 role) 1373 { 1374 struct hci_conn *conn; 1375 struct smp_irk *irk; 1376 int err; 1377 1378 /* Let's make sure that le is enabled.*/ 1379 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1380 if (lmp_le_capable(hdev)) 1381 return ERR_PTR(-ECONNREFUSED); 1382 1383 return ERR_PTR(-EOPNOTSUPP); 1384 } 1385 1386 /* Since the controller supports only one LE connection attempt at a 1387 * time, we return -EBUSY if there is any connection attempt running. 1388 */ 1389 if (hci_lookup_le_connect(hdev)) 1390 return ERR_PTR(-EBUSY); 1391 1392 /* If there's already a connection object but it's not in 1393 * scanning state it means it must already be established, in 1394 * which case we can't do anything else except report a failure 1395 * to connect. 1396 */ 1397 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type); 1398 if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) { 1399 return ERR_PTR(-EBUSY); 1400 } 1401 1402 /* Check if the destination address has been resolved by the controller 1403 * since if it did then the identity address shall be used. 1404 */ 1405 if (!dst_resolved) { 1406 /* When given an identity address with existing identity 1407 * resolving key, the connection needs to be established 1408 * to a resolvable random address. 1409 * 1410 * Storing the resolvable random address is required here 1411 * to handle connection failures. The address will later 1412 * be resolved back into the original identity address 1413 * from the connect request. 1414 */ 1415 irk = hci_find_irk_by_addr(hdev, dst, dst_type); 1416 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) { 1417 dst = &irk->rpa; 1418 dst_type = ADDR_LE_DEV_RANDOM; 1419 } 1420 } 1421 1422 if (conn) { 1423 bacpy(&conn->dst, dst); 1424 } else { 1425 conn = hci_conn_add_unset(hdev, LE_LINK, dst, role); 1426 if (!conn) 1427 return ERR_PTR(-ENOMEM); 1428 hci_conn_hold(conn); 1429 conn->pending_sec_level = sec_level; 1430 } 1431 1432 conn->dst_type = dst_type; 1433 conn->sec_level = BT_SECURITY_LOW; 1434 conn->conn_timeout = conn_timeout; 1435 1436 err = hci_cmd_sync_queue(hdev, hci_connect_le_sync, 1437 UINT_PTR(conn->handle), 1438 create_le_conn_complete); 1439 if (err) { 1440 hci_conn_del(conn); 1441 return ERR_PTR(err); 1442 } 1443 1444 return conn; 1445 } 1446 1447 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type) 1448 { 1449 struct hci_conn *conn; 1450 1451 conn = hci_conn_hash_lookup_le(hdev, addr, type); 1452 if (!conn) 1453 return false; 1454 1455 if (conn->state != BT_CONNECTED) 1456 return false; 1457 1458 return true; 1459 } 1460 1461 /* This function requires the caller holds hdev->lock */ 1462 static int hci_explicit_conn_params_set(struct hci_dev *hdev, 1463 bdaddr_t *addr, u8 addr_type) 1464 { 1465 struct hci_conn_params *params; 1466 1467 if (is_connected(hdev, addr, addr_type)) 1468 return -EISCONN; 1469 1470 params = hci_conn_params_lookup(hdev, addr, addr_type); 1471 if (!params) { 1472 params = hci_conn_params_add(hdev, addr, addr_type); 1473 if (!params) 1474 return -ENOMEM; 1475 1476 /* If we created new params, mark them to be deleted in 1477 * hci_connect_le_scan_cleanup. It's different case than 1478 * existing disabled params, those will stay after cleanup. 1479 */ 1480 params->auto_connect = HCI_AUTO_CONN_EXPLICIT; 1481 } 1482 1483 /* We're trying to connect, so make sure params are at pend_le_conns */ 1484 if (params->auto_connect == HCI_AUTO_CONN_DISABLED || 1485 params->auto_connect == HCI_AUTO_CONN_REPORT || 1486 params->auto_connect == HCI_AUTO_CONN_EXPLICIT) { 1487 hci_pend_le_list_del_init(params); 1488 hci_pend_le_list_add(params, &hdev->pend_le_conns); 1489 } 1490 1491 params->explicit_connect = true; 1492 1493 BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type, 1494 params->auto_connect); 1495 1496 return 0; 1497 } 1498 1499 static int qos_set_big(struct hci_dev *hdev, struct bt_iso_qos *qos) 1500 { 1501 struct hci_conn *conn; 1502 u8 big; 1503 1504 /* Allocate a BIG if not set */ 1505 if (qos->bcast.big == BT_ISO_QOS_BIG_UNSET) { 1506 for (big = 0x00; big < 0xef; big++) { 1507 1508 conn = hci_conn_hash_lookup_big(hdev, big); 1509 if (!conn) 1510 break; 1511 } 1512 1513 if (big == 0xef) 1514 return -EADDRNOTAVAIL; 1515 1516 /* Update BIG */ 1517 qos->bcast.big = big; 1518 } 1519 1520 return 0; 1521 } 1522 1523 static int qos_set_bis(struct hci_dev *hdev, struct bt_iso_qos *qos) 1524 { 1525 struct hci_conn *conn; 1526 u8 bis; 1527 1528 /* Allocate BIS if not set */ 1529 if (qos->bcast.bis == BT_ISO_QOS_BIS_UNSET) { 1530 if (qos->bcast.big != BT_ISO_QOS_BIG_UNSET) { 1531 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big); 1532 1533 if (conn) { 1534 /* If the BIG handle is already matched to an advertising 1535 * handle, do not allocate a new one. 1536 */ 1537 qos->bcast.bis = conn->iso_qos.bcast.bis; 1538 return 0; 1539 } 1540 } 1541 1542 /* Find an unused adv set to advertise BIS, skip instance 0x00 1543 * since it is reserved as general purpose set. 1544 */ 1545 for (bis = 0x01; bis < hdev->le_num_of_adv_sets; 1546 bis++) { 1547 1548 conn = hci_conn_hash_lookup_bis(hdev, BDADDR_ANY, bis); 1549 if (!conn) 1550 break; 1551 } 1552 1553 if (bis == hdev->le_num_of_adv_sets) 1554 return -EADDRNOTAVAIL; 1555 1556 /* Update BIS */ 1557 qos->bcast.bis = bis; 1558 } 1559 1560 return 0; 1561 } 1562 1563 /* This function requires the caller holds hdev->lock */ 1564 static struct hci_conn *hci_add_bis(struct hci_dev *hdev, bdaddr_t *dst, 1565 struct bt_iso_qos *qos, __u8 base_len, 1566 __u8 *base) 1567 { 1568 struct hci_conn *conn; 1569 int err; 1570 1571 /* Let's make sure that le is enabled.*/ 1572 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1573 if (lmp_le_capable(hdev)) 1574 return ERR_PTR(-ECONNREFUSED); 1575 return ERR_PTR(-EOPNOTSUPP); 1576 } 1577 1578 err = qos_set_big(hdev, qos); 1579 if (err) 1580 return ERR_PTR(err); 1581 1582 err = qos_set_bis(hdev, qos); 1583 if (err) 1584 return ERR_PTR(err); 1585 1586 /* Check if the LE Create BIG command has already been sent */ 1587 conn = hci_conn_hash_lookup_per_adv_bis(hdev, dst, qos->bcast.big, 1588 qos->bcast.big); 1589 if (conn) 1590 return ERR_PTR(-EADDRINUSE); 1591 1592 /* Check BIS settings against other bound BISes, since all 1593 * BISes in a BIG must have the same value for all parameters 1594 */ 1595 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big); 1596 1597 if (conn && (memcmp(qos, &conn->iso_qos, sizeof(*qos)) || 1598 base_len != conn->le_per_adv_data_len || 1599 memcmp(conn->le_per_adv_data, base, base_len))) 1600 return ERR_PTR(-EADDRINUSE); 1601 1602 conn = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_MASTER); 1603 if (!conn) 1604 return ERR_PTR(-ENOMEM); 1605 1606 conn->state = BT_CONNECT; 1607 1608 hci_conn_hold(conn); 1609 return conn; 1610 } 1611 1612 /* This function requires the caller holds hdev->lock */ 1613 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst, 1614 u8 dst_type, u8 sec_level, 1615 u16 conn_timeout, 1616 enum conn_reasons conn_reason) 1617 { 1618 struct hci_conn *conn; 1619 1620 /* Let's make sure that le is enabled.*/ 1621 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1622 if (lmp_le_capable(hdev)) 1623 return ERR_PTR(-ECONNREFUSED); 1624 1625 return ERR_PTR(-EOPNOTSUPP); 1626 } 1627 1628 /* Some devices send ATT messages as soon as the physical link is 1629 * established. To be able to handle these ATT messages, the user- 1630 * space first establishes the connection and then starts the pairing 1631 * process. 1632 * 1633 * So if a hci_conn object already exists for the following connection 1634 * attempt, we simply update pending_sec_level and auth_type fields 1635 * and return the object found. 1636 */ 1637 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type); 1638 if (conn) { 1639 if (conn->pending_sec_level < sec_level) 1640 conn->pending_sec_level = sec_level; 1641 goto done; 1642 } 1643 1644 BT_DBG("requesting refresh of dst_addr"); 1645 1646 conn = hci_conn_add_unset(hdev, LE_LINK, dst, HCI_ROLE_MASTER); 1647 if (!conn) 1648 return ERR_PTR(-ENOMEM); 1649 1650 if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) { 1651 hci_conn_del(conn); 1652 return ERR_PTR(-EBUSY); 1653 } 1654 1655 conn->state = BT_CONNECT; 1656 set_bit(HCI_CONN_SCANNING, &conn->flags); 1657 conn->dst_type = dst_type; 1658 conn->sec_level = BT_SECURITY_LOW; 1659 conn->pending_sec_level = sec_level; 1660 conn->conn_timeout = conn_timeout; 1661 conn->conn_reason = conn_reason; 1662 1663 hci_update_passive_scan(hdev); 1664 1665 done: 1666 hci_conn_hold(conn); 1667 return conn; 1668 } 1669 1670 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst, 1671 u8 sec_level, u8 auth_type, 1672 enum conn_reasons conn_reason) 1673 { 1674 struct hci_conn *acl; 1675 1676 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) { 1677 if (lmp_bredr_capable(hdev)) 1678 return ERR_PTR(-ECONNREFUSED); 1679 1680 return ERR_PTR(-EOPNOTSUPP); 1681 } 1682 1683 /* Reject outgoing connection to device with same BD ADDR against 1684 * CVE-2020-26555 1685 */ 1686 if (!bacmp(&hdev->bdaddr, dst)) { 1687 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n", 1688 dst); 1689 return ERR_PTR(-ECONNREFUSED); 1690 } 1691 1692 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst); 1693 if (!acl) { 1694 acl = hci_conn_add_unset(hdev, ACL_LINK, dst, HCI_ROLE_MASTER); 1695 if (!acl) 1696 return ERR_PTR(-ENOMEM); 1697 } 1698 1699 hci_conn_hold(acl); 1700 1701 acl->conn_reason = conn_reason; 1702 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) { 1703 acl->sec_level = BT_SECURITY_LOW; 1704 acl->pending_sec_level = sec_level; 1705 acl->auth_type = auth_type; 1706 hci_acl_create_connection(acl); 1707 } 1708 1709 return acl; 1710 } 1711 1712 static struct hci_link *hci_conn_link(struct hci_conn *parent, 1713 struct hci_conn *conn) 1714 { 1715 struct hci_dev *hdev = parent->hdev; 1716 struct hci_link *link; 1717 1718 bt_dev_dbg(hdev, "parent %p hcon %p", parent, conn); 1719 1720 if (conn->link) 1721 return conn->link; 1722 1723 if (conn->parent) 1724 return NULL; 1725 1726 link = kzalloc(sizeof(*link), GFP_KERNEL); 1727 if (!link) 1728 return NULL; 1729 1730 link->conn = hci_conn_hold(conn); 1731 conn->link = link; 1732 conn->parent = hci_conn_get(parent); 1733 1734 /* Use list_add_tail_rcu append to the list */ 1735 list_add_tail_rcu(&link->list, &parent->link_list); 1736 1737 return link; 1738 } 1739 1740 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst, 1741 __u16 setting, struct bt_codec *codec) 1742 { 1743 struct hci_conn *acl; 1744 struct hci_conn *sco; 1745 struct hci_link *link; 1746 1747 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING, 1748 CONN_REASON_SCO_CONNECT); 1749 if (IS_ERR(acl)) 1750 return acl; 1751 1752 sco = hci_conn_hash_lookup_ba(hdev, type, dst); 1753 if (!sco) { 1754 sco = hci_conn_add_unset(hdev, type, dst, HCI_ROLE_MASTER); 1755 if (!sco) { 1756 hci_conn_drop(acl); 1757 return ERR_PTR(-ENOMEM); 1758 } 1759 } 1760 1761 link = hci_conn_link(acl, sco); 1762 if (!link) { 1763 hci_conn_drop(acl); 1764 hci_conn_drop(sco); 1765 return ERR_PTR(-ENOLINK); 1766 } 1767 1768 sco->setting = setting; 1769 sco->codec = *codec; 1770 1771 if (acl->state == BT_CONNECTED && 1772 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) { 1773 set_bit(HCI_CONN_POWER_SAVE, &acl->flags); 1774 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON); 1775 1776 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) { 1777 /* defer SCO setup until mode change completed */ 1778 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags); 1779 return sco; 1780 } 1781 1782 hci_sco_setup(acl, 0x00); 1783 } 1784 1785 return sco; 1786 } 1787 1788 static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos) 1789 { 1790 struct hci_dev *hdev = conn->hdev; 1791 struct hci_cp_le_create_big cp; 1792 struct iso_list_data data; 1793 1794 memset(&cp, 0, sizeof(cp)); 1795 1796 data.big = qos->bcast.big; 1797 data.bis = qos->bcast.bis; 1798 data.count = 0; 1799 1800 /* Create a BIS for each bound connection */ 1801 hci_conn_hash_list_state(hdev, bis_list, ISO_LINK, 1802 BT_BOUND, &data); 1803 1804 cp.handle = qos->bcast.big; 1805 cp.adv_handle = qos->bcast.bis; 1806 cp.num_bis = data.count; 1807 hci_cpu_to_le24(qos->bcast.out.interval, cp.bis.sdu_interval); 1808 cp.bis.sdu = cpu_to_le16(qos->bcast.out.sdu); 1809 cp.bis.latency = cpu_to_le16(qos->bcast.out.latency); 1810 cp.bis.rtn = qos->bcast.out.rtn; 1811 cp.bis.phy = qos->bcast.out.phy; 1812 cp.bis.packing = qos->bcast.packing; 1813 cp.bis.framing = qos->bcast.framing; 1814 cp.bis.encryption = qos->bcast.encryption; 1815 memcpy(cp.bis.bcode, qos->bcast.bcode, sizeof(cp.bis.bcode)); 1816 1817 return hci_send_cmd(hdev, HCI_OP_LE_CREATE_BIG, sizeof(cp), &cp); 1818 } 1819 1820 static int set_cig_params_sync(struct hci_dev *hdev, void *data) 1821 { 1822 u8 cig_id = PTR_UINT(data); 1823 struct hci_conn *conn; 1824 struct bt_iso_qos *qos; 1825 struct iso_cig_params pdu; 1826 u8 cis_id; 1827 1828 conn = hci_conn_hash_lookup_cig(hdev, cig_id); 1829 if (!conn) 1830 return 0; 1831 1832 memset(&pdu, 0, sizeof(pdu)); 1833 1834 qos = &conn->iso_qos; 1835 pdu.cp.cig_id = cig_id; 1836 hci_cpu_to_le24(qos->ucast.out.interval, pdu.cp.c_interval); 1837 hci_cpu_to_le24(qos->ucast.in.interval, pdu.cp.p_interval); 1838 pdu.cp.sca = qos->ucast.sca; 1839 pdu.cp.packing = qos->ucast.packing; 1840 pdu.cp.framing = qos->ucast.framing; 1841 pdu.cp.c_latency = cpu_to_le16(qos->ucast.out.latency); 1842 pdu.cp.p_latency = cpu_to_le16(qos->ucast.in.latency); 1843 1844 /* Reprogram all CIS(s) with the same CIG, valid range are: 1845 * num_cis: 0x00 to 0x1F 1846 * cis_id: 0x00 to 0xEF 1847 */ 1848 for (cis_id = 0x00; cis_id < 0xf0 && 1849 pdu.cp.num_cis < ARRAY_SIZE(pdu.cis); cis_id++) { 1850 struct hci_cis_params *cis; 1851 1852 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, cig_id, cis_id); 1853 if (!conn) 1854 continue; 1855 1856 qos = &conn->iso_qos; 1857 1858 cis = &pdu.cis[pdu.cp.num_cis++]; 1859 cis->cis_id = cis_id; 1860 cis->c_sdu = cpu_to_le16(conn->iso_qos.ucast.out.sdu); 1861 cis->p_sdu = cpu_to_le16(conn->iso_qos.ucast.in.sdu); 1862 cis->c_phy = qos->ucast.out.phy ? qos->ucast.out.phy : 1863 qos->ucast.in.phy; 1864 cis->p_phy = qos->ucast.in.phy ? qos->ucast.in.phy : 1865 qos->ucast.out.phy; 1866 cis->c_rtn = qos->ucast.out.rtn; 1867 cis->p_rtn = qos->ucast.in.rtn; 1868 } 1869 1870 if (!pdu.cp.num_cis) 1871 return 0; 1872 1873 return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_CIG_PARAMS, 1874 sizeof(pdu.cp) + 1875 pdu.cp.num_cis * sizeof(pdu.cis[0]), &pdu, 1876 HCI_CMD_TIMEOUT); 1877 } 1878 1879 static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos) 1880 { 1881 struct hci_dev *hdev = conn->hdev; 1882 struct iso_list_data data; 1883 1884 memset(&data, 0, sizeof(data)); 1885 1886 /* Allocate first still reconfigurable CIG if not set */ 1887 if (qos->ucast.cig == BT_ISO_QOS_CIG_UNSET) { 1888 for (data.cig = 0x00; data.cig < 0xf0; data.cig++) { 1889 data.count = 0; 1890 1891 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, 1892 BT_CONNECT, &data); 1893 if (data.count) 1894 continue; 1895 1896 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, 1897 BT_CONNECTED, &data); 1898 if (!data.count) 1899 break; 1900 } 1901 1902 if (data.cig == 0xf0) 1903 return false; 1904 1905 /* Update CIG */ 1906 qos->ucast.cig = data.cig; 1907 } 1908 1909 if (qos->ucast.cis != BT_ISO_QOS_CIS_UNSET) { 1910 if (hci_conn_hash_lookup_cis(hdev, NULL, 0, qos->ucast.cig, 1911 qos->ucast.cis)) 1912 return false; 1913 goto done; 1914 } 1915 1916 /* Allocate first available CIS if not set */ 1917 for (data.cig = qos->ucast.cig, data.cis = 0x00; data.cis < 0xf0; 1918 data.cis++) { 1919 if (!hci_conn_hash_lookup_cis(hdev, NULL, 0, data.cig, 1920 data.cis)) { 1921 /* Update CIS */ 1922 qos->ucast.cis = data.cis; 1923 break; 1924 } 1925 } 1926 1927 if (qos->ucast.cis == BT_ISO_QOS_CIS_UNSET) 1928 return false; 1929 1930 done: 1931 if (hci_cmd_sync_queue(hdev, set_cig_params_sync, 1932 UINT_PTR(qos->ucast.cig), NULL) < 0) 1933 return false; 1934 1935 return true; 1936 } 1937 1938 struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst, 1939 __u8 dst_type, struct bt_iso_qos *qos) 1940 { 1941 struct hci_conn *cis; 1942 1943 cis = hci_conn_hash_lookup_cis(hdev, dst, dst_type, qos->ucast.cig, 1944 qos->ucast.cis); 1945 if (!cis) { 1946 cis = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_MASTER); 1947 if (!cis) 1948 return ERR_PTR(-ENOMEM); 1949 cis->cleanup = cis_cleanup; 1950 cis->dst_type = dst_type; 1951 cis->iso_qos.ucast.cig = BT_ISO_QOS_CIG_UNSET; 1952 cis->iso_qos.ucast.cis = BT_ISO_QOS_CIS_UNSET; 1953 } 1954 1955 if (cis->state == BT_CONNECTED) 1956 return cis; 1957 1958 /* Check if CIS has been set and the settings matches */ 1959 if (cis->state == BT_BOUND && 1960 !memcmp(&cis->iso_qos, qos, sizeof(*qos))) 1961 return cis; 1962 1963 /* Update LINK PHYs according to QoS preference */ 1964 cis->le_tx_phy = qos->ucast.out.phy; 1965 cis->le_rx_phy = qos->ucast.in.phy; 1966 1967 /* If output interval is not set use the input interval as it cannot be 1968 * 0x000000. 1969 */ 1970 if (!qos->ucast.out.interval) 1971 qos->ucast.out.interval = qos->ucast.in.interval; 1972 1973 /* If input interval is not set use the output interval as it cannot be 1974 * 0x000000. 1975 */ 1976 if (!qos->ucast.in.interval) 1977 qos->ucast.in.interval = qos->ucast.out.interval; 1978 1979 /* If output latency is not set use the input latency as it cannot be 1980 * 0x0000. 1981 */ 1982 if (!qos->ucast.out.latency) 1983 qos->ucast.out.latency = qos->ucast.in.latency; 1984 1985 /* If input latency is not set use the output latency as it cannot be 1986 * 0x0000. 1987 */ 1988 if (!qos->ucast.in.latency) 1989 qos->ucast.in.latency = qos->ucast.out.latency; 1990 1991 if (!hci_le_set_cig_params(cis, qos)) { 1992 hci_conn_drop(cis); 1993 return ERR_PTR(-EINVAL); 1994 } 1995 1996 hci_conn_hold(cis); 1997 1998 cis->iso_qos = *qos; 1999 cis->state = BT_BOUND; 2000 2001 return cis; 2002 } 2003 2004 bool hci_iso_setup_path(struct hci_conn *conn) 2005 { 2006 struct hci_dev *hdev = conn->hdev; 2007 struct hci_cp_le_setup_iso_path cmd; 2008 2009 memset(&cmd, 0, sizeof(cmd)); 2010 2011 if (conn->iso_qos.ucast.out.sdu) { 2012 cmd.handle = cpu_to_le16(conn->handle); 2013 cmd.direction = 0x00; /* Input (Host to Controller) */ 2014 cmd.path = 0x00; /* HCI path if enabled */ 2015 cmd.codec = 0x03; /* Transparent Data */ 2016 2017 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd), 2018 &cmd) < 0) 2019 return false; 2020 } 2021 2022 if (conn->iso_qos.ucast.in.sdu) { 2023 cmd.handle = cpu_to_le16(conn->handle); 2024 cmd.direction = 0x01; /* Output (Controller to Host) */ 2025 cmd.path = 0x00; /* HCI path if enabled */ 2026 cmd.codec = 0x03; /* Transparent Data */ 2027 2028 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd), 2029 &cmd) < 0) 2030 return false; 2031 } 2032 2033 return true; 2034 } 2035 2036 int hci_conn_check_create_cis(struct hci_conn *conn) 2037 { 2038 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY)) 2039 return -EINVAL; 2040 2041 if (!conn->parent || conn->parent->state != BT_CONNECTED || 2042 conn->state != BT_CONNECT || HCI_CONN_HANDLE_UNSET(conn->handle)) 2043 return 1; 2044 2045 return 0; 2046 } 2047 2048 static int hci_create_cis_sync(struct hci_dev *hdev, void *data) 2049 { 2050 return hci_le_create_cis_sync(hdev); 2051 } 2052 2053 int hci_le_create_cis_pending(struct hci_dev *hdev) 2054 { 2055 struct hci_conn *conn; 2056 bool pending = false; 2057 2058 rcu_read_lock(); 2059 2060 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) { 2061 if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) { 2062 rcu_read_unlock(); 2063 return -EBUSY; 2064 } 2065 2066 if (!hci_conn_check_create_cis(conn)) 2067 pending = true; 2068 } 2069 2070 rcu_read_unlock(); 2071 2072 if (!pending) 2073 return 0; 2074 2075 /* Queue Create CIS */ 2076 return hci_cmd_sync_queue(hdev, hci_create_cis_sync, NULL, NULL); 2077 } 2078 2079 static void hci_iso_qos_setup(struct hci_dev *hdev, struct hci_conn *conn, 2080 struct bt_iso_io_qos *qos, __u8 phy) 2081 { 2082 /* Only set MTU if PHY is enabled */ 2083 if (!qos->sdu && qos->phy) { 2084 if (hdev->iso_mtu > 0) 2085 qos->sdu = hdev->iso_mtu; 2086 else if (hdev->le_mtu > 0) 2087 qos->sdu = hdev->le_mtu; 2088 else 2089 qos->sdu = hdev->acl_mtu; 2090 } 2091 2092 /* Use the same PHY as ACL if set to any */ 2093 if (qos->phy == BT_ISO_PHY_ANY) 2094 qos->phy = phy; 2095 2096 /* Use LE ACL connection interval if not set */ 2097 if (!qos->interval) 2098 /* ACL interval unit in 1.25 ms to us */ 2099 qos->interval = conn->le_conn_interval * 1250; 2100 2101 /* Use LE ACL connection latency if not set */ 2102 if (!qos->latency) 2103 qos->latency = conn->le_conn_latency; 2104 } 2105 2106 static int create_big_sync(struct hci_dev *hdev, void *data) 2107 { 2108 struct hci_conn *conn = data; 2109 struct bt_iso_qos *qos = &conn->iso_qos; 2110 u16 interval, sync_interval = 0; 2111 u32 flags = 0; 2112 int err; 2113 2114 if (qos->bcast.out.phy == 0x02) 2115 flags |= MGMT_ADV_FLAG_SEC_2M; 2116 2117 /* Align intervals */ 2118 interval = (qos->bcast.out.interval / 1250) * qos->bcast.sync_factor; 2119 2120 if (qos->bcast.bis) 2121 sync_interval = interval * 4; 2122 2123 err = hci_start_per_adv_sync(hdev, qos->bcast.bis, conn->le_per_adv_data_len, 2124 conn->le_per_adv_data, flags, interval, 2125 interval, sync_interval); 2126 if (err) 2127 return err; 2128 2129 return hci_le_create_big(conn, &conn->iso_qos); 2130 } 2131 2132 static void create_pa_complete(struct hci_dev *hdev, void *data, int err) 2133 { 2134 struct hci_cp_le_pa_create_sync *cp = data; 2135 2136 bt_dev_dbg(hdev, ""); 2137 2138 if (err) 2139 bt_dev_err(hdev, "Unable to create PA: %d", err); 2140 2141 kfree(cp); 2142 } 2143 2144 static int create_pa_sync(struct hci_dev *hdev, void *data) 2145 { 2146 struct hci_cp_le_pa_create_sync *cp = data; 2147 int err; 2148 2149 err = __hci_cmd_sync_status(hdev, HCI_OP_LE_PA_CREATE_SYNC, 2150 sizeof(*cp), cp, HCI_CMD_TIMEOUT); 2151 if (err) { 2152 hci_dev_clear_flag(hdev, HCI_PA_SYNC); 2153 return err; 2154 } 2155 2156 return hci_update_passive_scan_sync(hdev); 2157 } 2158 2159 int hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst, __u8 dst_type, 2160 __u8 sid, struct bt_iso_qos *qos) 2161 { 2162 struct hci_cp_le_pa_create_sync *cp; 2163 2164 if (hci_dev_test_and_set_flag(hdev, HCI_PA_SYNC)) 2165 return -EBUSY; 2166 2167 cp = kzalloc(sizeof(*cp), GFP_KERNEL); 2168 if (!cp) { 2169 hci_dev_clear_flag(hdev, HCI_PA_SYNC); 2170 return -ENOMEM; 2171 } 2172 2173 cp->options = qos->bcast.options; 2174 cp->sid = sid; 2175 cp->addr_type = dst_type; 2176 bacpy(&cp->addr, dst); 2177 cp->skip = cpu_to_le16(qos->bcast.skip); 2178 cp->sync_timeout = cpu_to_le16(qos->bcast.sync_timeout); 2179 cp->sync_cte_type = qos->bcast.sync_cte_type; 2180 2181 /* Queue start pa_create_sync and scan */ 2182 return hci_cmd_sync_queue(hdev, create_pa_sync, cp, create_pa_complete); 2183 } 2184 2185 int hci_le_big_create_sync(struct hci_dev *hdev, struct hci_conn *hcon, 2186 struct bt_iso_qos *qos, 2187 __u16 sync_handle, __u8 num_bis, __u8 bis[]) 2188 { 2189 struct _packed { 2190 struct hci_cp_le_big_create_sync cp; 2191 __u8 bis[0x11]; 2192 } pdu; 2193 int err; 2194 2195 if (num_bis < 0x01 || num_bis > sizeof(pdu.bis)) 2196 return -EINVAL; 2197 2198 err = qos_set_big(hdev, qos); 2199 if (err) 2200 return err; 2201 2202 if (hcon) 2203 hcon->iso_qos.bcast.big = qos->bcast.big; 2204 2205 memset(&pdu, 0, sizeof(pdu)); 2206 pdu.cp.handle = qos->bcast.big; 2207 pdu.cp.sync_handle = cpu_to_le16(sync_handle); 2208 pdu.cp.encryption = qos->bcast.encryption; 2209 memcpy(pdu.cp.bcode, qos->bcast.bcode, sizeof(pdu.cp.bcode)); 2210 pdu.cp.mse = qos->bcast.mse; 2211 pdu.cp.timeout = cpu_to_le16(qos->bcast.timeout); 2212 pdu.cp.num_bis = num_bis; 2213 memcpy(pdu.bis, bis, num_bis); 2214 2215 return hci_send_cmd(hdev, HCI_OP_LE_BIG_CREATE_SYNC, 2216 sizeof(pdu.cp) + num_bis, &pdu); 2217 } 2218 2219 static void create_big_complete(struct hci_dev *hdev, void *data, int err) 2220 { 2221 struct hci_conn *conn = data; 2222 2223 bt_dev_dbg(hdev, "conn %p", conn); 2224 2225 if (err) { 2226 bt_dev_err(hdev, "Unable to create BIG: %d", err); 2227 hci_connect_cfm(conn, err); 2228 hci_conn_del(conn); 2229 } 2230 } 2231 2232 struct hci_conn *hci_bind_bis(struct hci_dev *hdev, bdaddr_t *dst, 2233 struct bt_iso_qos *qos, 2234 __u8 base_len, __u8 *base) 2235 { 2236 struct hci_conn *conn; 2237 struct hci_conn *parent; 2238 __u8 eir[HCI_MAX_PER_AD_LENGTH]; 2239 struct hci_link *link; 2240 2241 /* Look for any BIS that is open for rebinding */ 2242 conn = hci_conn_hash_lookup_big_state(hdev, qos->bcast.big, BT_OPEN); 2243 if (conn) { 2244 memcpy(qos, &conn->iso_qos, sizeof(*qos)); 2245 conn->state = BT_CONNECTED; 2246 return conn; 2247 } 2248 2249 if (base_len && base) 2250 base_len = eir_append_service_data(eir, 0, 0x1851, 2251 base, base_len); 2252 2253 /* We need hci_conn object using the BDADDR_ANY as dst */ 2254 conn = hci_add_bis(hdev, dst, qos, base_len, eir); 2255 if (IS_ERR(conn)) 2256 return conn; 2257 2258 /* Update LINK PHYs according to QoS preference */ 2259 conn->le_tx_phy = qos->bcast.out.phy; 2260 conn->le_tx_phy = qos->bcast.out.phy; 2261 2262 /* Add Basic Announcement into Peridic Adv Data if BASE is set */ 2263 if (base_len && base) { 2264 memcpy(conn->le_per_adv_data, eir, sizeof(eir)); 2265 conn->le_per_adv_data_len = base_len; 2266 } 2267 2268 hci_iso_qos_setup(hdev, conn, &qos->bcast.out, 2269 conn->le_tx_phy ? conn->le_tx_phy : 2270 hdev->le_tx_def_phys); 2271 2272 conn->iso_qos = *qos; 2273 conn->state = BT_BOUND; 2274 2275 /* Link BISes together */ 2276 parent = hci_conn_hash_lookup_big(hdev, 2277 conn->iso_qos.bcast.big); 2278 if (parent && parent != conn) { 2279 link = hci_conn_link(parent, conn); 2280 if (!link) { 2281 hci_conn_drop(conn); 2282 return ERR_PTR(-ENOLINK); 2283 } 2284 2285 /* Link takes the refcount */ 2286 hci_conn_drop(conn); 2287 } 2288 2289 return conn; 2290 } 2291 2292 static void bis_mark_per_adv(struct hci_conn *conn, void *data) 2293 { 2294 struct iso_list_data *d = data; 2295 2296 /* Skip if not broadcast/ANY address */ 2297 if (bacmp(&conn->dst, BDADDR_ANY)) 2298 return; 2299 2300 if (d->big != conn->iso_qos.bcast.big || 2301 d->bis == BT_ISO_QOS_BIS_UNSET || 2302 d->bis != conn->iso_qos.bcast.bis) 2303 return; 2304 2305 set_bit(HCI_CONN_PER_ADV, &conn->flags); 2306 } 2307 2308 struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst, 2309 __u8 dst_type, struct bt_iso_qos *qos, 2310 __u8 base_len, __u8 *base) 2311 { 2312 struct hci_conn *conn; 2313 int err; 2314 struct iso_list_data data; 2315 2316 conn = hci_bind_bis(hdev, dst, qos, base_len, base); 2317 if (IS_ERR(conn)) 2318 return conn; 2319 2320 if (conn->state == BT_CONNECTED) 2321 return conn; 2322 2323 data.big = qos->bcast.big; 2324 data.bis = qos->bcast.bis; 2325 2326 /* Set HCI_CONN_PER_ADV for all bound connections, to mark that 2327 * the start periodic advertising and create BIG commands have 2328 * been queued 2329 */ 2330 hci_conn_hash_list_state(hdev, bis_mark_per_adv, ISO_LINK, 2331 BT_BOUND, &data); 2332 2333 /* Queue start periodic advertising and create BIG */ 2334 err = hci_cmd_sync_queue(hdev, create_big_sync, conn, 2335 create_big_complete); 2336 if (err < 0) { 2337 hci_conn_drop(conn); 2338 return ERR_PTR(err); 2339 } 2340 2341 return conn; 2342 } 2343 2344 struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst, 2345 __u8 dst_type, struct bt_iso_qos *qos) 2346 { 2347 struct hci_conn *le; 2348 struct hci_conn *cis; 2349 struct hci_link *link; 2350 2351 if (hci_dev_test_flag(hdev, HCI_ADVERTISING)) 2352 le = hci_connect_le(hdev, dst, dst_type, false, 2353 BT_SECURITY_LOW, 2354 HCI_LE_CONN_TIMEOUT, 2355 HCI_ROLE_SLAVE); 2356 else 2357 le = hci_connect_le_scan(hdev, dst, dst_type, 2358 BT_SECURITY_LOW, 2359 HCI_LE_CONN_TIMEOUT, 2360 CONN_REASON_ISO_CONNECT); 2361 if (IS_ERR(le)) 2362 return le; 2363 2364 hci_iso_qos_setup(hdev, le, &qos->ucast.out, 2365 le->le_tx_phy ? le->le_tx_phy : hdev->le_tx_def_phys); 2366 hci_iso_qos_setup(hdev, le, &qos->ucast.in, 2367 le->le_rx_phy ? le->le_rx_phy : hdev->le_rx_def_phys); 2368 2369 cis = hci_bind_cis(hdev, dst, dst_type, qos); 2370 if (IS_ERR(cis)) { 2371 hci_conn_drop(le); 2372 return cis; 2373 } 2374 2375 link = hci_conn_link(le, cis); 2376 if (!link) { 2377 hci_conn_drop(le); 2378 hci_conn_drop(cis); 2379 return ERR_PTR(-ENOLINK); 2380 } 2381 2382 /* Link takes the refcount */ 2383 hci_conn_drop(cis); 2384 2385 cis->state = BT_CONNECT; 2386 2387 hci_le_create_cis_pending(hdev); 2388 2389 return cis; 2390 } 2391 2392 /* Check link security requirement */ 2393 int hci_conn_check_link_mode(struct hci_conn *conn) 2394 { 2395 BT_DBG("hcon %p", conn); 2396 2397 /* In Secure Connections Only mode, it is required that Secure 2398 * Connections is used and the link is encrypted with AES-CCM 2399 * using a P-256 authenticated combination key. 2400 */ 2401 if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) { 2402 if (!hci_conn_sc_enabled(conn) || 2403 !test_bit(HCI_CONN_AES_CCM, &conn->flags) || 2404 conn->key_type != HCI_LK_AUTH_COMBINATION_P256) 2405 return 0; 2406 } 2407 2408 /* AES encryption is required for Level 4: 2409 * 2410 * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C 2411 * page 1319: 2412 * 2413 * 128-bit equivalent strength for link and encryption keys 2414 * required using FIPS approved algorithms (E0 not allowed, 2415 * SAFER+ not allowed, and P-192 not allowed; encryption key 2416 * not shortened) 2417 */ 2418 if (conn->sec_level == BT_SECURITY_FIPS && 2419 !test_bit(HCI_CONN_AES_CCM, &conn->flags)) { 2420 bt_dev_err(conn->hdev, 2421 "Invalid security: Missing AES-CCM usage"); 2422 return 0; 2423 } 2424 2425 if (hci_conn_ssp_enabled(conn) && 2426 !test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2427 return 0; 2428 2429 return 1; 2430 } 2431 2432 /* Authenticate remote device */ 2433 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type) 2434 { 2435 BT_DBG("hcon %p", conn); 2436 2437 if (conn->pending_sec_level > sec_level) 2438 sec_level = conn->pending_sec_level; 2439 2440 if (sec_level > conn->sec_level) 2441 conn->pending_sec_level = sec_level; 2442 else if (test_bit(HCI_CONN_AUTH, &conn->flags)) 2443 return 1; 2444 2445 /* Make sure we preserve an existing MITM requirement*/ 2446 auth_type |= (conn->auth_type & 0x01); 2447 2448 conn->auth_type = auth_type; 2449 2450 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2451 struct hci_cp_auth_requested cp; 2452 2453 cp.handle = cpu_to_le16(conn->handle); 2454 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED, 2455 sizeof(cp), &cp); 2456 2457 /* Set the ENCRYPT_PEND to trigger encryption after 2458 * authentication. 2459 */ 2460 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2461 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2462 } 2463 2464 return 0; 2465 } 2466 2467 /* Encrypt the link */ 2468 static void hci_conn_encrypt(struct hci_conn *conn) 2469 { 2470 BT_DBG("hcon %p", conn); 2471 2472 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 2473 struct hci_cp_set_conn_encrypt cp; 2474 cp.handle = cpu_to_le16(conn->handle); 2475 cp.encrypt = 0x01; 2476 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2477 &cp); 2478 } 2479 } 2480 2481 /* Enable security */ 2482 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type, 2483 bool initiator) 2484 { 2485 BT_DBG("hcon %p", conn); 2486 2487 if (conn->type == LE_LINK) 2488 return smp_conn_security(conn, sec_level); 2489 2490 /* For sdp we don't need the link key. */ 2491 if (sec_level == BT_SECURITY_SDP) 2492 return 1; 2493 2494 /* For non 2.1 devices and low security level we don't need the link 2495 key. */ 2496 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn)) 2497 return 1; 2498 2499 /* For other security levels we need the link key. */ 2500 if (!test_bit(HCI_CONN_AUTH, &conn->flags)) 2501 goto auth; 2502 2503 switch (conn->key_type) { 2504 case HCI_LK_AUTH_COMBINATION_P256: 2505 /* An authenticated FIPS approved combination key has 2506 * sufficient security for security level 4 or lower. 2507 */ 2508 if (sec_level <= BT_SECURITY_FIPS) 2509 goto encrypt; 2510 break; 2511 case HCI_LK_AUTH_COMBINATION_P192: 2512 /* An authenticated combination key has sufficient security for 2513 * security level 3 or lower. 2514 */ 2515 if (sec_level <= BT_SECURITY_HIGH) 2516 goto encrypt; 2517 break; 2518 case HCI_LK_UNAUTH_COMBINATION_P192: 2519 case HCI_LK_UNAUTH_COMBINATION_P256: 2520 /* An unauthenticated combination key has sufficient security 2521 * for security level 2 or lower. 2522 */ 2523 if (sec_level <= BT_SECURITY_MEDIUM) 2524 goto encrypt; 2525 break; 2526 case HCI_LK_COMBINATION: 2527 /* A combination key has always sufficient security for the 2528 * security levels 2 or lower. High security level requires the 2529 * combination key is generated using maximum PIN code length 2530 * (16). For pre 2.1 units. 2531 */ 2532 if (sec_level <= BT_SECURITY_MEDIUM || conn->pin_length == 16) 2533 goto encrypt; 2534 break; 2535 default: 2536 break; 2537 } 2538 2539 auth: 2540 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) 2541 return 0; 2542 2543 if (initiator) 2544 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2545 2546 if (!hci_conn_auth(conn, sec_level, auth_type)) 2547 return 0; 2548 2549 encrypt: 2550 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) { 2551 /* Ensure that the encryption key size has been read, 2552 * otherwise stall the upper layer responses. 2553 */ 2554 if (!conn->enc_key_size) 2555 return 0; 2556 2557 /* Nothing else needed, all requirements are met */ 2558 return 1; 2559 } 2560 2561 hci_conn_encrypt(conn); 2562 return 0; 2563 } 2564 EXPORT_SYMBOL(hci_conn_security); 2565 2566 /* Check secure link requirement */ 2567 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level) 2568 { 2569 BT_DBG("hcon %p", conn); 2570 2571 /* Accept if non-secure or higher security level is required */ 2572 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS) 2573 return 1; 2574 2575 /* Accept if secure or higher security level is already present */ 2576 if (conn->sec_level == BT_SECURITY_HIGH || 2577 conn->sec_level == BT_SECURITY_FIPS) 2578 return 1; 2579 2580 /* Reject not secure link */ 2581 return 0; 2582 } 2583 EXPORT_SYMBOL(hci_conn_check_secure); 2584 2585 /* Switch role */ 2586 int hci_conn_switch_role(struct hci_conn *conn, __u8 role) 2587 { 2588 BT_DBG("hcon %p", conn); 2589 2590 if (role == conn->role) 2591 return 1; 2592 2593 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) { 2594 struct hci_cp_switch_role cp; 2595 bacpy(&cp.bdaddr, &conn->dst); 2596 cp.role = role; 2597 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp); 2598 } 2599 2600 return 0; 2601 } 2602 EXPORT_SYMBOL(hci_conn_switch_role); 2603 2604 /* Enter active mode */ 2605 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active) 2606 { 2607 struct hci_dev *hdev = conn->hdev; 2608 2609 BT_DBG("hcon %p mode %d", conn, conn->mode); 2610 2611 if (conn->mode != HCI_CM_SNIFF) 2612 goto timer; 2613 2614 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active) 2615 goto timer; 2616 2617 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) { 2618 struct hci_cp_exit_sniff_mode cp; 2619 cp.handle = cpu_to_le16(conn->handle); 2620 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp); 2621 } 2622 2623 timer: 2624 if (hdev->idle_timeout > 0) 2625 queue_delayed_work(hdev->workqueue, &conn->idle_work, 2626 msecs_to_jiffies(hdev->idle_timeout)); 2627 } 2628 2629 /* Drop all connection on the device */ 2630 void hci_conn_hash_flush(struct hci_dev *hdev) 2631 { 2632 struct list_head *head = &hdev->conn_hash.list; 2633 struct hci_conn *conn; 2634 2635 BT_DBG("hdev %s", hdev->name); 2636 2637 /* We should not traverse the list here, because hci_conn_del 2638 * can remove extra links, which may cause the list traversal 2639 * to hit items that have already been released. 2640 */ 2641 while ((conn = list_first_entry_or_null(head, 2642 struct hci_conn, 2643 list)) != NULL) { 2644 conn->state = BT_CLOSED; 2645 hci_disconn_cfm(conn, HCI_ERROR_LOCAL_HOST_TERM); 2646 hci_conn_del(conn); 2647 } 2648 } 2649 2650 /* Check pending connect attempts */ 2651 void hci_conn_check_pending(struct hci_dev *hdev) 2652 { 2653 struct hci_conn *conn; 2654 2655 BT_DBG("hdev %s", hdev->name); 2656 2657 hci_dev_lock(hdev); 2658 2659 conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2); 2660 if (conn) 2661 hci_acl_create_connection(conn); 2662 2663 hci_dev_unlock(hdev); 2664 } 2665 2666 static u32 get_link_mode(struct hci_conn *conn) 2667 { 2668 u32 link_mode = 0; 2669 2670 if (conn->role == HCI_ROLE_MASTER) 2671 link_mode |= HCI_LM_MASTER; 2672 2673 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2674 link_mode |= HCI_LM_ENCRYPT; 2675 2676 if (test_bit(HCI_CONN_AUTH, &conn->flags)) 2677 link_mode |= HCI_LM_AUTH; 2678 2679 if (test_bit(HCI_CONN_SECURE, &conn->flags)) 2680 link_mode |= HCI_LM_SECURE; 2681 2682 if (test_bit(HCI_CONN_FIPS, &conn->flags)) 2683 link_mode |= HCI_LM_FIPS; 2684 2685 return link_mode; 2686 } 2687 2688 int hci_get_conn_list(void __user *arg) 2689 { 2690 struct hci_conn *c; 2691 struct hci_conn_list_req req, *cl; 2692 struct hci_conn_info *ci; 2693 struct hci_dev *hdev; 2694 int n = 0, size, err; 2695 2696 if (copy_from_user(&req, arg, sizeof(req))) 2697 return -EFAULT; 2698 2699 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci)) 2700 return -EINVAL; 2701 2702 size = sizeof(req) + req.conn_num * sizeof(*ci); 2703 2704 cl = kmalloc(size, GFP_KERNEL); 2705 if (!cl) 2706 return -ENOMEM; 2707 2708 hdev = hci_dev_get(req.dev_id); 2709 if (!hdev) { 2710 kfree(cl); 2711 return -ENODEV; 2712 } 2713 2714 ci = cl->conn_info; 2715 2716 hci_dev_lock(hdev); 2717 list_for_each_entry(c, &hdev->conn_hash.list, list) { 2718 bacpy(&(ci + n)->bdaddr, &c->dst); 2719 (ci + n)->handle = c->handle; 2720 (ci + n)->type = c->type; 2721 (ci + n)->out = c->out; 2722 (ci + n)->state = c->state; 2723 (ci + n)->link_mode = get_link_mode(c); 2724 if (++n >= req.conn_num) 2725 break; 2726 } 2727 hci_dev_unlock(hdev); 2728 2729 cl->dev_id = hdev->id; 2730 cl->conn_num = n; 2731 size = sizeof(req) + n * sizeof(*ci); 2732 2733 hci_dev_put(hdev); 2734 2735 err = copy_to_user(arg, cl, size); 2736 kfree(cl); 2737 2738 return err ? -EFAULT : 0; 2739 } 2740 2741 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg) 2742 { 2743 struct hci_conn_info_req req; 2744 struct hci_conn_info ci; 2745 struct hci_conn *conn; 2746 char __user *ptr = arg + sizeof(req); 2747 2748 if (copy_from_user(&req, arg, sizeof(req))) 2749 return -EFAULT; 2750 2751 hci_dev_lock(hdev); 2752 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr); 2753 if (conn) { 2754 bacpy(&ci.bdaddr, &conn->dst); 2755 ci.handle = conn->handle; 2756 ci.type = conn->type; 2757 ci.out = conn->out; 2758 ci.state = conn->state; 2759 ci.link_mode = get_link_mode(conn); 2760 } 2761 hci_dev_unlock(hdev); 2762 2763 if (!conn) 2764 return -ENOENT; 2765 2766 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0; 2767 } 2768 2769 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg) 2770 { 2771 struct hci_auth_info_req req; 2772 struct hci_conn *conn; 2773 2774 if (copy_from_user(&req, arg, sizeof(req))) 2775 return -EFAULT; 2776 2777 hci_dev_lock(hdev); 2778 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr); 2779 if (conn) 2780 req.type = conn->auth_type; 2781 hci_dev_unlock(hdev); 2782 2783 if (!conn) 2784 return -ENOENT; 2785 2786 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0; 2787 } 2788 2789 struct hci_chan *hci_chan_create(struct hci_conn *conn) 2790 { 2791 struct hci_dev *hdev = conn->hdev; 2792 struct hci_chan *chan; 2793 2794 BT_DBG("%s hcon %p", hdev->name, conn); 2795 2796 if (test_bit(HCI_CONN_DROP, &conn->flags)) { 2797 BT_DBG("Refusing to create new hci_chan"); 2798 return NULL; 2799 } 2800 2801 chan = kzalloc(sizeof(*chan), GFP_KERNEL); 2802 if (!chan) 2803 return NULL; 2804 2805 chan->conn = hci_conn_get(conn); 2806 skb_queue_head_init(&chan->data_q); 2807 chan->state = BT_CONNECTED; 2808 2809 list_add_rcu(&chan->list, &conn->chan_list); 2810 2811 return chan; 2812 } 2813 2814 void hci_chan_del(struct hci_chan *chan) 2815 { 2816 struct hci_conn *conn = chan->conn; 2817 struct hci_dev *hdev = conn->hdev; 2818 2819 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan); 2820 2821 list_del_rcu(&chan->list); 2822 2823 synchronize_rcu(); 2824 2825 /* Prevent new hci_chan's to be created for this hci_conn */ 2826 set_bit(HCI_CONN_DROP, &conn->flags); 2827 2828 hci_conn_put(conn); 2829 2830 skb_queue_purge(&chan->data_q); 2831 kfree(chan); 2832 } 2833 2834 void hci_chan_list_flush(struct hci_conn *conn) 2835 { 2836 struct hci_chan *chan, *n; 2837 2838 BT_DBG("hcon %p", conn); 2839 2840 list_for_each_entry_safe(chan, n, &conn->chan_list, list) 2841 hci_chan_del(chan); 2842 } 2843 2844 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon, 2845 __u16 handle) 2846 { 2847 struct hci_chan *hchan; 2848 2849 list_for_each_entry(hchan, &hcon->chan_list, list) { 2850 if (hchan->handle == handle) 2851 return hchan; 2852 } 2853 2854 return NULL; 2855 } 2856 2857 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle) 2858 { 2859 struct hci_conn_hash *h = &hdev->conn_hash; 2860 struct hci_conn *hcon; 2861 struct hci_chan *hchan = NULL; 2862 2863 rcu_read_lock(); 2864 2865 list_for_each_entry_rcu(hcon, &h->list, list) { 2866 hchan = __hci_chan_lookup_handle(hcon, handle); 2867 if (hchan) 2868 break; 2869 } 2870 2871 rcu_read_unlock(); 2872 2873 return hchan; 2874 } 2875 2876 u32 hci_conn_get_phy(struct hci_conn *conn) 2877 { 2878 u32 phys = 0; 2879 2880 /* BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part B page 471: 2881 * Table 6.2: Packets defined for synchronous, asynchronous, and 2882 * CPB logical transport types. 2883 */ 2884 switch (conn->type) { 2885 case SCO_LINK: 2886 /* SCO logical transport (1 Mb/s): 2887 * HV1, HV2, HV3 and DV. 2888 */ 2889 phys |= BT_PHY_BR_1M_1SLOT; 2890 2891 break; 2892 2893 case ACL_LINK: 2894 /* ACL logical transport (1 Mb/s) ptt=0: 2895 * DH1, DM3, DH3, DM5 and DH5. 2896 */ 2897 phys |= BT_PHY_BR_1M_1SLOT; 2898 2899 if (conn->pkt_type & (HCI_DM3 | HCI_DH3)) 2900 phys |= BT_PHY_BR_1M_3SLOT; 2901 2902 if (conn->pkt_type & (HCI_DM5 | HCI_DH5)) 2903 phys |= BT_PHY_BR_1M_5SLOT; 2904 2905 /* ACL logical transport (2 Mb/s) ptt=1: 2906 * 2-DH1, 2-DH3 and 2-DH5. 2907 */ 2908 if (!(conn->pkt_type & HCI_2DH1)) 2909 phys |= BT_PHY_EDR_2M_1SLOT; 2910 2911 if (!(conn->pkt_type & HCI_2DH3)) 2912 phys |= BT_PHY_EDR_2M_3SLOT; 2913 2914 if (!(conn->pkt_type & HCI_2DH5)) 2915 phys |= BT_PHY_EDR_2M_5SLOT; 2916 2917 /* ACL logical transport (3 Mb/s) ptt=1: 2918 * 3-DH1, 3-DH3 and 3-DH5. 2919 */ 2920 if (!(conn->pkt_type & HCI_3DH1)) 2921 phys |= BT_PHY_EDR_3M_1SLOT; 2922 2923 if (!(conn->pkt_type & HCI_3DH3)) 2924 phys |= BT_PHY_EDR_3M_3SLOT; 2925 2926 if (!(conn->pkt_type & HCI_3DH5)) 2927 phys |= BT_PHY_EDR_3M_5SLOT; 2928 2929 break; 2930 2931 case ESCO_LINK: 2932 /* eSCO logical transport (1 Mb/s): EV3, EV4 and EV5 */ 2933 phys |= BT_PHY_BR_1M_1SLOT; 2934 2935 if (!(conn->pkt_type & (ESCO_EV4 | ESCO_EV5))) 2936 phys |= BT_PHY_BR_1M_3SLOT; 2937 2938 /* eSCO logical transport (2 Mb/s): 2-EV3, 2-EV5 */ 2939 if (!(conn->pkt_type & ESCO_2EV3)) 2940 phys |= BT_PHY_EDR_2M_1SLOT; 2941 2942 if (!(conn->pkt_type & ESCO_2EV5)) 2943 phys |= BT_PHY_EDR_2M_3SLOT; 2944 2945 /* eSCO logical transport (3 Mb/s): 3-EV3, 3-EV5 */ 2946 if (!(conn->pkt_type & ESCO_3EV3)) 2947 phys |= BT_PHY_EDR_3M_1SLOT; 2948 2949 if (!(conn->pkt_type & ESCO_3EV5)) 2950 phys |= BT_PHY_EDR_3M_3SLOT; 2951 2952 break; 2953 2954 case LE_LINK: 2955 if (conn->le_tx_phy & HCI_LE_SET_PHY_1M) 2956 phys |= BT_PHY_LE_1M_TX; 2957 2958 if (conn->le_rx_phy & HCI_LE_SET_PHY_1M) 2959 phys |= BT_PHY_LE_1M_RX; 2960 2961 if (conn->le_tx_phy & HCI_LE_SET_PHY_2M) 2962 phys |= BT_PHY_LE_2M_TX; 2963 2964 if (conn->le_rx_phy & HCI_LE_SET_PHY_2M) 2965 phys |= BT_PHY_LE_2M_RX; 2966 2967 if (conn->le_tx_phy & HCI_LE_SET_PHY_CODED) 2968 phys |= BT_PHY_LE_CODED_TX; 2969 2970 if (conn->le_rx_phy & HCI_LE_SET_PHY_CODED) 2971 phys |= BT_PHY_LE_CODED_RX; 2972 2973 break; 2974 } 2975 2976 return phys; 2977 } 2978 2979 static int abort_conn_sync(struct hci_dev *hdev, void *data) 2980 { 2981 struct hci_conn *conn; 2982 u16 handle = PTR_UINT(data); 2983 2984 conn = hci_conn_hash_lookup_handle(hdev, handle); 2985 if (!conn) 2986 return 0; 2987 2988 return hci_abort_conn_sync(hdev, conn, conn->abort_reason); 2989 } 2990 2991 int hci_abort_conn(struct hci_conn *conn, u8 reason) 2992 { 2993 struct hci_dev *hdev = conn->hdev; 2994 2995 /* If abort_reason has already been set it means the connection is 2996 * already being aborted so don't attempt to overwrite it. 2997 */ 2998 if (conn->abort_reason) 2999 return 0; 3000 3001 bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason); 3002 3003 conn->abort_reason = reason; 3004 3005 /* If the connection is pending check the command opcode since that 3006 * might be blocking on hci_cmd_sync_work while waiting its respective 3007 * event so we need to hci_cmd_sync_cancel to cancel it. 3008 * 3009 * hci_connect_le serializes the connection attempts so only one 3010 * connection can be in BT_CONNECT at time. 3011 */ 3012 if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) { 3013 switch (hci_skb_event(hdev->sent_cmd)) { 3014 case HCI_EV_LE_CONN_COMPLETE: 3015 case HCI_EV_LE_ENHANCED_CONN_COMPLETE: 3016 case HCI_EVT_LE_CIS_ESTABLISHED: 3017 hci_cmd_sync_cancel(hdev, -ECANCELED); 3018 break; 3019 } 3020 } 3021 3022 return hci_cmd_sync_queue(hdev, abort_conn_sync, UINT_PTR(conn->handle), 3023 NULL); 3024 } 3025