1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 Copyright 2023 NXP 5 6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 7 8 This program is free software; you can redistribute it and/or modify 9 it under the terms of the GNU General Public License version 2 as 10 published by the Free Software Foundation; 11 12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 23 SOFTWARE IS DISCLAIMED. 24 */ 25 26 /* Bluetooth HCI connection handling. */ 27 28 #include <linux/export.h> 29 #include <linux/debugfs.h> 30 31 #include <net/bluetooth/bluetooth.h> 32 #include <net/bluetooth/hci_core.h> 33 #include <net/bluetooth/l2cap.h> 34 #include <net/bluetooth/iso.h> 35 #include <net/bluetooth/mgmt.h> 36 37 #include "hci_request.h" 38 #include "smp.h" 39 #include "a2mp.h" 40 #include "eir.h" 41 42 struct sco_param { 43 u16 pkt_type; 44 u16 max_latency; 45 u8 retrans_effort; 46 }; 47 48 struct conn_handle_t { 49 struct hci_conn *conn; 50 __u16 handle; 51 }; 52 53 static const struct sco_param esco_param_cvsd[] = { 54 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */ 55 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */ 56 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */ 57 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */ 58 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */ 59 }; 60 61 static const struct sco_param sco_param_cvsd[] = { 62 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */ 63 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */ 64 }; 65 66 static const struct sco_param esco_param_msbc[] = { 67 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */ 68 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */ 69 }; 70 71 /* This function requires the caller holds hdev->lock */ 72 static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status) 73 { 74 struct hci_conn_params *params; 75 struct hci_dev *hdev = conn->hdev; 76 struct smp_irk *irk; 77 bdaddr_t *bdaddr; 78 u8 bdaddr_type; 79 80 bdaddr = &conn->dst; 81 bdaddr_type = conn->dst_type; 82 83 /* Check if we need to convert to identity address */ 84 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 85 if (irk) { 86 bdaddr = &irk->bdaddr; 87 bdaddr_type = irk->addr_type; 88 } 89 90 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr, 91 bdaddr_type); 92 if (!params) 93 return; 94 95 if (params->conn) { 96 hci_conn_drop(params->conn); 97 hci_conn_put(params->conn); 98 params->conn = NULL; 99 } 100 101 if (!params->explicit_connect) 102 return; 103 104 /* If the status indicates successful cancellation of 105 * the attempt (i.e. Unknown Connection Id) there's no point of 106 * notifying failure since we'll go back to keep trying to 107 * connect. The only exception is explicit connect requests 108 * where a timeout + cancel does indicate an actual failure. 109 */ 110 if (status && status != HCI_ERROR_UNKNOWN_CONN_ID) 111 mgmt_connect_failed(hdev, &conn->dst, conn->type, 112 conn->dst_type, status); 113 114 /* The connection attempt was doing scan for new RPA, and is 115 * in scan phase. If params are not associated with any other 116 * autoconnect action, remove them completely. If they are, just unmark 117 * them as waiting for connection, by clearing explicit_connect field. 118 */ 119 params->explicit_connect = false; 120 121 hci_pend_le_list_del_init(params); 122 123 switch (params->auto_connect) { 124 case HCI_AUTO_CONN_EXPLICIT: 125 hci_conn_params_del(hdev, bdaddr, bdaddr_type); 126 /* return instead of break to avoid duplicate scan update */ 127 return; 128 case HCI_AUTO_CONN_DIRECT: 129 case HCI_AUTO_CONN_ALWAYS: 130 hci_pend_le_list_add(params, &hdev->pend_le_conns); 131 break; 132 case HCI_AUTO_CONN_REPORT: 133 hci_pend_le_list_add(params, &hdev->pend_le_reports); 134 break; 135 default: 136 break; 137 } 138 139 hci_update_passive_scan(hdev); 140 } 141 142 static void hci_conn_cleanup(struct hci_conn *conn) 143 { 144 struct hci_dev *hdev = conn->hdev; 145 146 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags)) 147 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type); 148 149 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 150 hci_remove_link_key(hdev, &conn->dst); 151 152 hci_chan_list_flush(conn); 153 154 hci_conn_hash_del(hdev, conn); 155 156 if (HCI_CONN_HANDLE_UNSET(conn->handle)) 157 ida_free(&hdev->unset_handle_ida, conn->handle); 158 159 if (conn->cleanup) 160 conn->cleanup(conn); 161 162 if (conn->type == SCO_LINK || conn->type == ESCO_LINK) { 163 switch (conn->setting & SCO_AIRMODE_MASK) { 164 case SCO_AIRMODE_CVSD: 165 case SCO_AIRMODE_TRANSP: 166 if (hdev->notify) 167 hdev->notify(hdev, HCI_NOTIFY_DISABLE_SCO); 168 break; 169 } 170 } else { 171 if (hdev->notify) 172 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL); 173 } 174 175 debugfs_remove_recursive(conn->debugfs); 176 177 hci_conn_del_sysfs(conn); 178 179 hci_dev_put(hdev); 180 } 181 182 static void hci_acl_create_connection(struct hci_conn *conn) 183 { 184 struct hci_dev *hdev = conn->hdev; 185 struct inquiry_entry *ie; 186 struct hci_cp_create_conn cp; 187 188 BT_DBG("hcon %p", conn); 189 190 /* Many controllers disallow HCI Create Connection while it is doing 191 * HCI Inquiry. So we cancel the Inquiry first before issuing HCI Create 192 * Connection. This may cause the MGMT discovering state to become false 193 * without user space's request but it is okay since the MGMT Discovery 194 * APIs do not promise that discovery should be done forever. Instead, 195 * the user space monitors the status of MGMT discovering and it may 196 * request for discovery again when this flag becomes false. 197 */ 198 if (test_bit(HCI_INQUIRY, &hdev->flags)) { 199 /* Put this connection to "pending" state so that it will be 200 * executed after the inquiry cancel command complete event. 201 */ 202 conn->state = BT_CONNECT2; 203 hci_send_cmd(hdev, HCI_OP_INQUIRY_CANCEL, 0, NULL); 204 return; 205 } 206 207 conn->state = BT_CONNECT; 208 conn->out = true; 209 conn->role = HCI_ROLE_MASTER; 210 211 conn->attempt++; 212 213 conn->link_policy = hdev->link_policy; 214 215 memset(&cp, 0, sizeof(cp)); 216 bacpy(&cp.bdaddr, &conn->dst); 217 cp.pscan_rep_mode = 0x02; 218 219 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 220 if (ie) { 221 if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) { 222 cp.pscan_rep_mode = ie->data.pscan_rep_mode; 223 cp.pscan_mode = ie->data.pscan_mode; 224 cp.clock_offset = ie->data.clock_offset | 225 cpu_to_le16(0x8000); 226 } 227 228 memcpy(conn->dev_class, ie->data.dev_class, 3); 229 } 230 231 cp.pkt_type = cpu_to_le16(conn->pkt_type); 232 if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER)) 233 cp.role_switch = 0x01; 234 else 235 cp.role_switch = 0x00; 236 237 hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp); 238 } 239 240 int hci_disconnect(struct hci_conn *conn, __u8 reason) 241 { 242 BT_DBG("hcon %p", conn); 243 244 /* When we are central of an established connection and it enters 245 * the disconnect timeout, then go ahead and try to read the 246 * current clock offset. Processing of the result is done 247 * within the event handling and hci_clock_offset_evt function. 248 */ 249 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER && 250 (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) { 251 struct hci_dev *hdev = conn->hdev; 252 struct hci_cp_read_clock_offset clkoff_cp; 253 254 clkoff_cp.handle = cpu_to_le16(conn->handle); 255 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp), 256 &clkoff_cp); 257 } 258 259 return hci_abort_conn(conn, reason); 260 } 261 262 static void hci_add_sco(struct hci_conn *conn, __u16 handle) 263 { 264 struct hci_dev *hdev = conn->hdev; 265 struct hci_cp_add_sco cp; 266 267 BT_DBG("hcon %p", conn); 268 269 conn->state = BT_CONNECT; 270 conn->out = true; 271 272 conn->attempt++; 273 274 cp.handle = cpu_to_le16(handle); 275 cp.pkt_type = cpu_to_le16(conn->pkt_type); 276 277 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp); 278 } 279 280 static bool find_next_esco_param(struct hci_conn *conn, 281 const struct sco_param *esco_param, int size) 282 { 283 if (!conn->parent) 284 return false; 285 286 for (; conn->attempt <= size; conn->attempt++) { 287 if (lmp_esco_2m_capable(conn->parent) || 288 (esco_param[conn->attempt - 1].pkt_type & ESCO_2EV3)) 289 break; 290 BT_DBG("hcon %p skipped attempt %d, eSCO 2M not supported", 291 conn, conn->attempt); 292 } 293 294 return conn->attempt <= size; 295 } 296 297 static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec) 298 { 299 int err; 300 __u8 vnd_len, *vnd_data = NULL; 301 struct hci_op_configure_data_path *cmd = NULL; 302 303 err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len, 304 &vnd_data); 305 if (err < 0) 306 goto error; 307 308 cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL); 309 if (!cmd) { 310 err = -ENOMEM; 311 goto error; 312 } 313 314 err = hdev->get_data_path_id(hdev, &cmd->data_path_id); 315 if (err < 0) 316 goto error; 317 318 cmd->vnd_len = vnd_len; 319 memcpy(cmd->vnd_data, vnd_data, vnd_len); 320 321 cmd->direction = 0x00; 322 __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH, 323 sizeof(*cmd) + vnd_len, cmd, HCI_CMD_TIMEOUT); 324 325 cmd->direction = 0x01; 326 err = __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH, 327 sizeof(*cmd) + vnd_len, cmd, 328 HCI_CMD_TIMEOUT); 329 error: 330 331 kfree(cmd); 332 kfree(vnd_data); 333 return err; 334 } 335 336 static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data) 337 { 338 struct conn_handle_t *conn_handle = data; 339 struct hci_conn *conn = conn_handle->conn; 340 __u16 handle = conn_handle->handle; 341 struct hci_cp_enhanced_setup_sync_conn cp; 342 const struct sco_param *param; 343 344 kfree(conn_handle); 345 346 bt_dev_dbg(hdev, "hcon %p", conn); 347 348 /* for offload use case, codec needs to configured before opening SCO */ 349 if (conn->codec.data_path) 350 configure_datapath_sync(hdev, &conn->codec); 351 352 conn->state = BT_CONNECT; 353 conn->out = true; 354 355 conn->attempt++; 356 357 memset(&cp, 0x00, sizeof(cp)); 358 359 cp.handle = cpu_to_le16(handle); 360 361 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 362 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 363 364 switch (conn->codec.id) { 365 case BT_CODEC_MSBC: 366 if (!find_next_esco_param(conn, esco_param_msbc, 367 ARRAY_SIZE(esco_param_msbc))) 368 return -EINVAL; 369 370 param = &esco_param_msbc[conn->attempt - 1]; 371 cp.tx_coding_format.id = 0x05; 372 cp.rx_coding_format.id = 0x05; 373 cp.tx_codec_frame_size = __cpu_to_le16(60); 374 cp.rx_codec_frame_size = __cpu_to_le16(60); 375 cp.in_bandwidth = __cpu_to_le32(32000); 376 cp.out_bandwidth = __cpu_to_le32(32000); 377 cp.in_coding_format.id = 0x04; 378 cp.out_coding_format.id = 0x04; 379 cp.in_coded_data_size = __cpu_to_le16(16); 380 cp.out_coded_data_size = __cpu_to_le16(16); 381 cp.in_pcm_data_format = 2; 382 cp.out_pcm_data_format = 2; 383 cp.in_pcm_sample_payload_msb_pos = 0; 384 cp.out_pcm_sample_payload_msb_pos = 0; 385 cp.in_data_path = conn->codec.data_path; 386 cp.out_data_path = conn->codec.data_path; 387 cp.in_transport_unit_size = 1; 388 cp.out_transport_unit_size = 1; 389 break; 390 391 case BT_CODEC_TRANSPARENT: 392 if (!find_next_esco_param(conn, esco_param_msbc, 393 ARRAY_SIZE(esco_param_msbc))) 394 return false; 395 param = &esco_param_msbc[conn->attempt - 1]; 396 cp.tx_coding_format.id = 0x03; 397 cp.rx_coding_format.id = 0x03; 398 cp.tx_codec_frame_size = __cpu_to_le16(60); 399 cp.rx_codec_frame_size = __cpu_to_le16(60); 400 cp.in_bandwidth = __cpu_to_le32(0x1f40); 401 cp.out_bandwidth = __cpu_to_le32(0x1f40); 402 cp.in_coding_format.id = 0x03; 403 cp.out_coding_format.id = 0x03; 404 cp.in_coded_data_size = __cpu_to_le16(16); 405 cp.out_coded_data_size = __cpu_to_le16(16); 406 cp.in_pcm_data_format = 2; 407 cp.out_pcm_data_format = 2; 408 cp.in_pcm_sample_payload_msb_pos = 0; 409 cp.out_pcm_sample_payload_msb_pos = 0; 410 cp.in_data_path = conn->codec.data_path; 411 cp.out_data_path = conn->codec.data_path; 412 cp.in_transport_unit_size = 1; 413 cp.out_transport_unit_size = 1; 414 break; 415 416 case BT_CODEC_CVSD: 417 if (conn->parent && lmp_esco_capable(conn->parent)) { 418 if (!find_next_esco_param(conn, esco_param_cvsd, 419 ARRAY_SIZE(esco_param_cvsd))) 420 return -EINVAL; 421 param = &esco_param_cvsd[conn->attempt - 1]; 422 } else { 423 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd)) 424 return -EINVAL; 425 param = &sco_param_cvsd[conn->attempt - 1]; 426 } 427 cp.tx_coding_format.id = 2; 428 cp.rx_coding_format.id = 2; 429 cp.tx_codec_frame_size = __cpu_to_le16(60); 430 cp.rx_codec_frame_size = __cpu_to_le16(60); 431 cp.in_bandwidth = __cpu_to_le32(16000); 432 cp.out_bandwidth = __cpu_to_le32(16000); 433 cp.in_coding_format.id = 4; 434 cp.out_coding_format.id = 4; 435 cp.in_coded_data_size = __cpu_to_le16(16); 436 cp.out_coded_data_size = __cpu_to_le16(16); 437 cp.in_pcm_data_format = 2; 438 cp.out_pcm_data_format = 2; 439 cp.in_pcm_sample_payload_msb_pos = 0; 440 cp.out_pcm_sample_payload_msb_pos = 0; 441 cp.in_data_path = conn->codec.data_path; 442 cp.out_data_path = conn->codec.data_path; 443 cp.in_transport_unit_size = 16; 444 cp.out_transport_unit_size = 16; 445 break; 446 default: 447 return -EINVAL; 448 } 449 450 cp.retrans_effort = param->retrans_effort; 451 cp.pkt_type = __cpu_to_le16(param->pkt_type); 452 cp.max_latency = __cpu_to_le16(param->max_latency); 453 454 if (hci_send_cmd(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0) 455 return -EIO; 456 457 return 0; 458 } 459 460 static bool hci_setup_sync_conn(struct hci_conn *conn, __u16 handle) 461 { 462 struct hci_dev *hdev = conn->hdev; 463 struct hci_cp_setup_sync_conn cp; 464 const struct sco_param *param; 465 466 bt_dev_dbg(hdev, "hcon %p", conn); 467 468 conn->state = BT_CONNECT; 469 conn->out = true; 470 471 conn->attempt++; 472 473 cp.handle = cpu_to_le16(handle); 474 475 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 476 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 477 cp.voice_setting = cpu_to_le16(conn->setting); 478 479 switch (conn->setting & SCO_AIRMODE_MASK) { 480 case SCO_AIRMODE_TRANSP: 481 if (!find_next_esco_param(conn, esco_param_msbc, 482 ARRAY_SIZE(esco_param_msbc))) 483 return false; 484 param = &esco_param_msbc[conn->attempt - 1]; 485 break; 486 case SCO_AIRMODE_CVSD: 487 if (conn->parent && lmp_esco_capable(conn->parent)) { 488 if (!find_next_esco_param(conn, esco_param_cvsd, 489 ARRAY_SIZE(esco_param_cvsd))) 490 return false; 491 param = &esco_param_cvsd[conn->attempt - 1]; 492 } else { 493 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd)) 494 return false; 495 param = &sco_param_cvsd[conn->attempt - 1]; 496 } 497 break; 498 default: 499 return false; 500 } 501 502 cp.retrans_effort = param->retrans_effort; 503 cp.pkt_type = __cpu_to_le16(param->pkt_type); 504 cp.max_latency = __cpu_to_le16(param->max_latency); 505 506 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0) 507 return false; 508 509 return true; 510 } 511 512 bool hci_setup_sync(struct hci_conn *conn, __u16 handle) 513 { 514 int result; 515 struct conn_handle_t *conn_handle; 516 517 if (enhanced_sync_conn_capable(conn->hdev)) { 518 conn_handle = kzalloc(sizeof(*conn_handle), GFP_KERNEL); 519 520 if (!conn_handle) 521 return false; 522 523 conn_handle->conn = conn; 524 conn_handle->handle = handle; 525 result = hci_cmd_sync_queue(conn->hdev, hci_enhanced_setup_sync, 526 conn_handle, NULL); 527 if (result < 0) 528 kfree(conn_handle); 529 530 return result == 0; 531 } 532 533 return hci_setup_sync_conn(conn, handle); 534 } 535 536 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency, 537 u16 to_multiplier) 538 { 539 struct hci_dev *hdev = conn->hdev; 540 struct hci_conn_params *params; 541 struct hci_cp_le_conn_update cp; 542 543 hci_dev_lock(hdev); 544 545 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 546 if (params) { 547 params->conn_min_interval = min; 548 params->conn_max_interval = max; 549 params->conn_latency = latency; 550 params->supervision_timeout = to_multiplier; 551 } 552 553 hci_dev_unlock(hdev); 554 555 memset(&cp, 0, sizeof(cp)); 556 cp.handle = cpu_to_le16(conn->handle); 557 cp.conn_interval_min = cpu_to_le16(min); 558 cp.conn_interval_max = cpu_to_le16(max); 559 cp.conn_latency = cpu_to_le16(latency); 560 cp.supervision_timeout = cpu_to_le16(to_multiplier); 561 cp.min_ce_len = cpu_to_le16(0x0000); 562 cp.max_ce_len = cpu_to_le16(0x0000); 563 564 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp); 565 566 if (params) 567 return 0x01; 568 569 return 0x00; 570 } 571 572 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand, 573 __u8 ltk[16], __u8 key_size) 574 { 575 struct hci_dev *hdev = conn->hdev; 576 struct hci_cp_le_start_enc cp; 577 578 BT_DBG("hcon %p", conn); 579 580 memset(&cp, 0, sizeof(cp)); 581 582 cp.handle = cpu_to_le16(conn->handle); 583 cp.rand = rand; 584 cp.ediv = ediv; 585 memcpy(cp.ltk, ltk, key_size); 586 587 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp); 588 } 589 590 /* Device _must_ be locked */ 591 void hci_sco_setup(struct hci_conn *conn, __u8 status) 592 { 593 struct hci_link *link; 594 595 link = list_first_entry_or_null(&conn->link_list, struct hci_link, list); 596 if (!link || !link->conn) 597 return; 598 599 BT_DBG("hcon %p", conn); 600 601 if (!status) { 602 if (lmp_esco_capable(conn->hdev)) 603 hci_setup_sync(link->conn, conn->handle); 604 else 605 hci_add_sco(link->conn, conn->handle); 606 } else { 607 hci_connect_cfm(link->conn, status); 608 hci_conn_del(link->conn); 609 } 610 } 611 612 static void hci_conn_timeout(struct work_struct *work) 613 { 614 struct hci_conn *conn = container_of(work, struct hci_conn, 615 disc_work.work); 616 int refcnt = atomic_read(&conn->refcnt); 617 618 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state)); 619 620 WARN_ON(refcnt < 0); 621 622 /* FIXME: It was observed that in pairing failed scenario, refcnt 623 * drops below 0. Probably this is because l2cap_conn_del calls 624 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is 625 * dropped. After that loop hci_chan_del is called which also drops 626 * conn. For now make sure that ACL is alive if refcnt is higher then 0, 627 * otherwise drop it. 628 */ 629 if (refcnt > 0) 630 return; 631 632 hci_abort_conn(conn, hci_proto_disconn_ind(conn)); 633 } 634 635 /* Enter sniff mode */ 636 static void hci_conn_idle(struct work_struct *work) 637 { 638 struct hci_conn *conn = container_of(work, struct hci_conn, 639 idle_work.work); 640 struct hci_dev *hdev = conn->hdev; 641 642 BT_DBG("hcon %p mode %d", conn, conn->mode); 643 644 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn)) 645 return; 646 647 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF)) 648 return; 649 650 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) { 651 struct hci_cp_sniff_subrate cp; 652 cp.handle = cpu_to_le16(conn->handle); 653 cp.max_latency = cpu_to_le16(0); 654 cp.min_remote_timeout = cpu_to_le16(0); 655 cp.min_local_timeout = cpu_to_le16(0); 656 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp); 657 } 658 659 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) { 660 struct hci_cp_sniff_mode cp; 661 cp.handle = cpu_to_le16(conn->handle); 662 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval); 663 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval); 664 cp.attempt = cpu_to_le16(4); 665 cp.timeout = cpu_to_le16(1); 666 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp); 667 } 668 } 669 670 static void hci_conn_auto_accept(struct work_struct *work) 671 { 672 struct hci_conn *conn = container_of(work, struct hci_conn, 673 auto_accept_work.work); 674 675 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst), 676 &conn->dst); 677 } 678 679 static void le_disable_advertising(struct hci_dev *hdev) 680 { 681 if (ext_adv_capable(hdev)) { 682 struct hci_cp_le_set_ext_adv_enable cp; 683 684 cp.enable = 0x00; 685 cp.num_of_sets = 0x00; 686 687 hci_send_cmd(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE, sizeof(cp), 688 &cp); 689 } else { 690 u8 enable = 0x00; 691 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), 692 &enable); 693 } 694 } 695 696 static void le_conn_timeout(struct work_struct *work) 697 { 698 struct hci_conn *conn = container_of(work, struct hci_conn, 699 le_conn_timeout.work); 700 struct hci_dev *hdev = conn->hdev; 701 702 BT_DBG(""); 703 704 /* We could end up here due to having done directed advertising, 705 * so clean up the state if necessary. This should however only 706 * happen with broken hardware or if low duty cycle was used 707 * (which doesn't have a timeout of its own). 708 */ 709 if (conn->role == HCI_ROLE_SLAVE) { 710 /* Disable LE Advertising */ 711 le_disable_advertising(hdev); 712 hci_dev_lock(hdev); 713 hci_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT); 714 hci_dev_unlock(hdev); 715 return; 716 } 717 718 hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM); 719 } 720 721 struct iso_cig_params { 722 struct hci_cp_le_set_cig_params cp; 723 struct hci_cis_params cis[0x1f]; 724 }; 725 726 struct iso_list_data { 727 union { 728 u8 cig; 729 u8 big; 730 }; 731 union { 732 u8 cis; 733 u8 bis; 734 u16 sync_handle; 735 }; 736 int count; 737 bool big_term; 738 bool pa_sync_term; 739 bool big_sync_term; 740 }; 741 742 static void bis_list(struct hci_conn *conn, void *data) 743 { 744 struct iso_list_data *d = data; 745 746 /* Skip if not broadcast/ANY address */ 747 if (bacmp(&conn->dst, BDADDR_ANY)) 748 return; 749 750 if (d->big != conn->iso_qos.bcast.big || d->bis == BT_ISO_QOS_BIS_UNSET || 751 d->bis != conn->iso_qos.bcast.bis) 752 return; 753 754 d->count++; 755 } 756 757 static int terminate_big_sync(struct hci_dev *hdev, void *data) 758 { 759 struct iso_list_data *d = data; 760 761 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", d->big, d->bis); 762 763 hci_disable_per_advertising_sync(hdev, d->bis); 764 hci_remove_ext_adv_instance_sync(hdev, d->bis, NULL); 765 766 /* Only terminate BIG if it has been created */ 767 if (!d->big_term) 768 return 0; 769 770 return hci_le_terminate_big_sync(hdev, d->big, 771 HCI_ERROR_LOCAL_HOST_TERM); 772 } 773 774 static void terminate_big_destroy(struct hci_dev *hdev, void *data, int err) 775 { 776 kfree(data); 777 } 778 779 static int hci_le_terminate_big(struct hci_dev *hdev, struct hci_conn *conn) 780 { 781 struct iso_list_data *d; 782 int ret; 783 784 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", conn->iso_qos.bcast.big, 785 conn->iso_qos.bcast.bis); 786 787 d = kzalloc(sizeof(*d), GFP_KERNEL); 788 if (!d) 789 return -ENOMEM; 790 791 d->big = conn->iso_qos.bcast.big; 792 d->bis = conn->iso_qos.bcast.bis; 793 d->big_term = test_and_clear_bit(HCI_CONN_BIG_CREATED, &conn->flags); 794 795 ret = hci_cmd_sync_queue(hdev, terminate_big_sync, d, 796 terminate_big_destroy); 797 if (ret) 798 kfree(d); 799 800 return ret; 801 } 802 803 static int big_terminate_sync(struct hci_dev *hdev, void *data) 804 { 805 struct iso_list_data *d = data; 806 807 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", d->big, 808 d->sync_handle); 809 810 if (d->big_sync_term) 811 hci_le_big_terminate_sync(hdev, d->big); 812 813 if (d->pa_sync_term) 814 return hci_le_pa_terminate_sync(hdev, d->sync_handle); 815 816 return 0; 817 } 818 819 static void find_bis(struct hci_conn *conn, void *data) 820 { 821 struct iso_list_data *d = data; 822 823 /* Ignore if BIG doesn't match */ 824 if (d->big != conn->iso_qos.bcast.big) 825 return; 826 827 d->count++; 828 } 829 830 static int hci_le_big_terminate(struct hci_dev *hdev, u8 big, struct hci_conn *conn) 831 { 832 struct iso_list_data *d; 833 int ret; 834 835 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", big, conn->sync_handle); 836 837 d = kzalloc(sizeof(*d), GFP_KERNEL); 838 if (!d) 839 return -ENOMEM; 840 841 memset(d, 0, sizeof(*d)); 842 d->big = big; 843 d->sync_handle = conn->sync_handle; 844 845 if (test_and_clear_bit(HCI_CONN_PA_SYNC, &conn->flags)) { 846 hci_conn_hash_list_flag(hdev, find_bis, ISO_LINK, 847 HCI_CONN_PA_SYNC, d); 848 849 if (!d->count) 850 d->pa_sync_term = true; 851 852 d->count = 0; 853 } 854 855 if (test_and_clear_bit(HCI_CONN_BIG_SYNC, &conn->flags)) { 856 hci_conn_hash_list_flag(hdev, find_bis, ISO_LINK, 857 HCI_CONN_BIG_SYNC, d); 858 859 if (!d->count) 860 d->big_sync_term = true; 861 } 862 863 ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d, 864 terminate_big_destroy); 865 if (ret) 866 kfree(d); 867 868 return ret; 869 } 870 871 /* Cleanup BIS connection 872 * 873 * Detects if there any BIS left connected in a BIG 874 * broadcaster: Remove advertising instance and terminate BIG. 875 * broadcaster receiver: Teminate BIG sync and terminate PA sync. 876 */ 877 static void bis_cleanup(struct hci_conn *conn) 878 { 879 struct hci_dev *hdev = conn->hdev; 880 struct hci_conn *bis; 881 882 bt_dev_dbg(hdev, "conn %p", conn); 883 884 if (conn->role == HCI_ROLE_MASTER) { 885 if (!test_and_clear_bit(HCI_CONN_PER_ADV, &conn->flags)) 886 return; 887 888 /* Check if ISO connection is a BIS and terminate advertising 889 * set and BIG if there are no other connections using it. 890 */ 891 bis = hci_conn_hash_lookup_big(hdev, conn->iso_qos.bcast.big); 892 if (bis) 893 return; 894 895 hci_le_terminate_big(hdev, conn); 896 } else { 897 hci_le_big_terminate(hdev, conn->iso_qos.bcast.big, 898 conn); 899 } 900 } 901 902 static int remove_cig_sync(struct hci_dev *hdev, void *data) 903 { 904 u8 handle = PTR_UINT(data); 905 906 return hci_le_remove_cig_sync(hdev, handle); 907 } 908 909 static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle) 910 { 911 bt_dev_dbg(hdev, "handle 0x%2.2x", handle); 912 913 return hci_cmd_sync_queue(hdev, remove_cig_sync, UINT_PTR(handle), 914 NULL); 915 } 916 917 static void find_cis(struct hci_conn *conn, void *data) 918 { 919 struct iso_list_data *d = data; 920 921 /* Ignore broadcast or if CIG don't match */ 922 if (!bacmp(&conn->dst, BDADDR_ANY) || d->cig != conn->iso_qos.ucast.cig) 923 return; 924 925 d->count++; 926 } 927 928 /* Cleanup CIS connection: 929 * 930 * Detects if there any CIS left connected in a CIG and remove it. 931 */ 932 static void cis_cleanup(struct hci_conn *conn) 933 { 934 struct hci_dev *hdev = conn->hdev; 935 struct iso_list_data d; 936 937 if (conn->iso_qos.ucast.cig == BT_ISO_QOS_CIG_UNSET) 938 return; 939 940 memset(&d, 0, sizeof(d)); 941 d.cig = conn->iso_qos.ucast.cig; 942 943 /* Check if ISO connection is a CIS and remove CIG if there are 944 * no other connections using it. 945 */ 946 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_BOUND, &d); 947 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECT, &d); 948 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECTED, &d); 949 if (d.count) 950 return; 951 952 hci_le_remove_cig(hdev, conn->iso_qos.ucast.cig); 953 } 954 955 static int hci_conn_hash_alloc_unset(struct hci_dev *hdev) 956 { 957 return ida_alloc_range(&hdev->unset_handle_ida, HCI_CONN_HANDLE_MAX + 1, 958 U16_MAX, GFP_ATOMIC); 959 } 960 961 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst, 962 u8 role, u16 handle) 963 { 964 struct hci_conn *conn; 965 966 bt_dev_dbg(hdev, "dst %pMR handle 0x%4.4x", dst, handle); 967 968 conn = kzalloc(sizeof(*conn), GFP_KERNEL); 969 if (!conn) 970 return NULL; 971 972 bacpy(&conn->dst, dst); 973 bacpy(&conn->src, &hdev->bdaddr); 974 conn->handle = handle; 975 conn->hdev = hdev; 976 conn->type = type; 977 conn->role = role; 978 conn->mode = HCI_CM_ACTIVE; 979 conn->state = BT_OPEN; 980 conn->auth_type = HCI_AT_GENERAL_BONDING; 981 conn->io_capability = hdev->io_capability; 982 conn->remote_auth = 0xff; 983 conn->key_type = 0xff; 984 conn->rssi = HCI_RSSI_INVALID; 985 conn->tx_power = HCI_TX_POWER_INVALID; 986 conn->max_tx_power = HCI_TX_POWER_INVALID; 987 conn->sync_handle = HCI_SYNC_HANDLE_INVALID; 988 989 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 990 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 991 992 /* Set Default Authenticated payload timeout to 30s */ 993 conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT; 994 995 if (conn->role == HCI_ROLE_MASTER) 996 conn->out = true; 997 998 switch (type) { 999 case ACL_LINK: 1000 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK; 1001 break; 1002 case LE_LINK: 1003 /* conn->src should reflect the local identity address */ 1004 hci_copy_identity_address(hdev, &conn->src, &conn->src_type); 1005 break; 1006 case ISO_LINK: 1007 /* conn->src should reflect the local identity address */ 1008 hci_copy_identity_address(hdev, &conn->src, &conn->src_type); 1009 1010 /* set proper cleanup function */ 1011 if (!bacmp(dst, BDADDR_ANY)) 1012 conn->cleanup = bis_cleanup; 1013 else if (conn->role == HCI_ROLE_MASTER) 1014 conn->cleanup = cis_cleanup; 1015 1016 break; 1017 case SCO_LINK: 1018 if (lmp_esco_capable(hdev)) 1019 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 1020 (hdev->esco_type & EDR_ESCO_MASK); 1021 else 1022 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK; 1023 break; 1024 case ESCO_LINK: 1025 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK; 1026 break; 1027 } 1028 1029 skb_queue_head_init(&conn->data_q); 1030 1031 INIT_LIST_HEAD(&conn->chan_list); 1032 INIT_LIST_HEAD(&conn->link_list); 1033 1034 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout); 1035 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept); 1036 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle); 1037 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout); 1038 1039 atomic_set(&conn->refcnt, 0); 1040 1041 hci_dev_hold(hdev); 1042 1043 hci_conn_hash_add(hdev, conn); 1044 1045 /* The SCO and eSCO connections will only be notified when their 1046 * setup has been completed. This is different to ACL links which 1047 * can be notified right away. 1048 */ 1049 if (conn->type != SCO_LINK && conn->type != ESCO_LINK) { 1050 if (hdev->notify) 1051 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD); 1052 } 1053 1054 hci_conn_init_sysfs(conn); 1055 1056 return conn; 1057 } 1058 1059 struct hci_conn *hci_conn_add_unset(struct hci_dev *hdev, int type, 1060 bdaddr_t *dst, u8 role) 1061 { 1062 int handle; 1063 1064 bt_dev_dbg(hdev, "dst %pMR", dst); 1065 1066 handle = hci_conn_hash_alloc_unset(hdev); 1067 if (unlikely(handle < 0)) 1068 return NULL; 1069 1070 return hci_conn_add(hdev, type, dst, role, handle); 1071 } 1072 1073 static void hci_conn_cleanup_child(struct hci_conn *conn, u8 reason) 1074 { 1075 if (!reason) 1076 reason = HCI_ERROR_REMOTE_USER_TERM; 1077 1078 /* Due to race, SCO/ISO conn might be not established yet at this point, 1079 * and nothing else will clean it up. In other cases it is done via HCI 1080 * events. 1081 */ 1082 switch (conn->type) { 1083 case SCO_LINK: 1084 case ESCO_LINK: 1085 if (HCI_CONN_HANDLE_UNSET(conn->handle)) 1086 hci_conn_failed(conn, reason); 1087 break; 1088 case ISO_LINK: 1089 if (conn->state != BT_CONNECTED && 1090 !test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) 1091 hci_conn_failed(conn, reason); 1092 break; 1093 } 1094 } 1095 1096 static void hci_conn_unlink(struct hci_conn *conn) 1097 { 1098 struct hci_dev *hdev = conn->hdev; 1099 1100 bt_dev_dbg(hdev, "hcon %p", conn); 1101 1102 if (!conn->parent) { 1103 struct hci_link *link, *t; 1104 1105 list_for_each_entry_safe(link, t, &conn->link_list, list) { 1106 struct hci_conn *child = link->conn; 1107 1108 hci_conn_unlink(child); 1109 1110 /* If hdev is down it means 1111 * hci_dev_close_sync/hci_conn_hash_flush is in progress 1112 * and links don't need to be cleanup as all connections 1113 * would be cleanup. 1114 */ 1115 if (!test_bit(HCI_UP, &hdev->flags)) 1116 continue; 1117 1118 hci_conn_cleanup_child(child, conn->abort_reason); 1119 } 1120 1121 return; 1122 } 1123 1124 if (!conn->link) 1125 return; 1126 1127 list_del_rcu(&conn->link->list); 1128 synchronize_rcu(); 1129 1130 hci_conn_drop(conn->parent); 1131 hci_conn_put(conn->parent); 1132 conn->parent = NULL; 1133 1134 kfree(conn->link); 1135 conn->link = NULL; 1136 } 1137 1138 void hci_conn_del(struct hci_conn *conn) 1139 { 1140 struct hci_dev *hdev = conn->hdev; 1141 1142 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle); 1143 1144 hci_conn_unlink(conn); 1145 1146 cancel_delayed_work_sync(&conn->disc_work); 1147 cancel_delayed_work_sync(&conn->auto_accept_work); 1148 cancel_delayed_work_sync(&conn->idle_work); 1149 1150 if (conn->type == ACL_LINK) { 1151 /* Unacked frames */ 1152 hdev->acl_cnt += conn->sent; 1153 } else if (conn->type == LE_LINK) { 1154 cancel_delayed_work(&conn->le_conn_timeout); 1155 1156 if (hdev->le_pkts) 1157 hdev->le_cnt += conn->sent; 1158 else 1159 hdev->acl_cnt += conn->sent; 1160 } else { 1161 /* Unacked ISO frames */ 1162 if (conn->type == ISO_LINK) { 1163 if (hdev->iso_pkts) 1164 hdev->iso_cnt += conn->sent; 1165 else if (hdev->le_pkts) 1166 hdev->le_cnt += conn->sent; 1167 else 1168 hdev->acl_cnt += conn->sent; 1169 } 1170 } 1171 1172 if (conn->amp_mgr) 1173 amp_mgr_put(conn->amp_mgr); 1174 1175 skb_queue_purge(&conn->data_q); 1176 1177 /* Remove the connection from the list and cleanup its remaining 1178 * state. This is a separate function since for some cases like 1179 * BT_CONNECT_SCAN we *only* want the cleanup part without the 1180 * rest of hci_conn_del. 1181 */ 1182 hci_conn_cleanup(conn); 1183 } 1184 1185 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type) 1186 { 1187 int use_src = bacmp(src, BDADDR_ANY); 1188 struct hci_dev *hdev = NULL, *d; 1189 1190 BT_DBG("%pMR -> %pMR", src, dst); 1191 1192 read_lock(&hci_dev_list_lock); 1193 1194 list_for_each_entry(d, &hci_dev_list, list) { 1195 if (!test_bit(HCI_UP, &d->flags) || 1196 hci_dev_test_flag(d, HCI_USER_CHANNEL) || 1197 d->dev_type != HCI_PRIMARY) 1198 continue; 1199 1200 /* Simple routing: 1201 * No source address - find interface with bdaddr != dst 1202 * Source address - find interface with bdaddr == src 1203 */ 1204 1205 if (use_src) { 1206 bdaddr_t id_addr; 1207 u8 id_addr_type; 1208 1209 if (src_type == BDADDR_BREDR) { 1210 if (!lmp_bredr_capable(d)) 1211 continue; 1212 bacpy(&id_addr, &d->bdaddr); 1213 id_addr_type = BDADDR_BREDR; 1214 } else { 1215 if (!lmp_le_capable(d)) 1216 continue; 1217 1218 hci_copy_identity_address(d, &id_addr, 1219 &id_addr_type); 1220 1221 /* Convert from HCI to three-value type */ 1222 if (id_addr_type == ADDR_LE_DEV_PUBLIC) 1223 id_addr_type = BDADDR_LE_PUBLIC; 1224 else 1225 id_addr_type = BDADDR_LE_RANDOM; 1226 } 1227 1228 if (!bacmp(&id_addr, src) && id_addr_type == src_type) { 1229 hdev = d; break; 1230 } 1231 } else { 1232 if (bacmp(&d->bdaddr, dst)) { 1233 hdev = d; break; 1234 } 1235 } 1236 } 1237 1238 if (hdev) 1239 hdev = hci_dev_hold(hdev); 1240 1241 read_unlock(&hci_dev_list_lock); 1242 return hdev; 1243 } 1244 EXPORT_SYMBOL(hci_get_route); 1245 1246 /* This function requires the caller holds hdev->lock */ 1247 static void hci_le_conn_failed(struct hci_conn *conn, u8 status) 1248 { 1249 struct hci_dev *hdev = conn->hdev; 1250 1251 hci_connect_le_scan_cleanup(conn, status); 1252 1253 /* Enable advertising in case this was a failed connection 1254 * attempt as a peripheral. 1255 */ 1256 hci_enable_advertising(hdev); 1257 } 1258 1259 /* This function requires the caller holds hdev->lock */ 1260 void hci_conn_failed(struct hci_conn *conn, u8 status) 1261 { 1262 struct hci_dev *hdev = conn->hdev; 1263 1264 bt_dev_dbg(hdev, "status 0x%2.2x", status); 1265 1266 switch (conn->type) { 1267 case LE_LINK: 1268 hci_le_conn_failed(conn, status); 1269 break; 1270 case ACL_LINK: 1271 mgmt_connect_failed(hdev, &conn->dst, conn->type, 1272 conn->dst_type, status); 1273 break; 1274 } 1275 1276 /* In case of BIG/PA sync failed, clear conn flags so that 1277 * the conns will be correctly cleaned up by ISO layer 1278 */ 1279 test_and_clear_bit(HCI_CONN_BIG_SYNC_FAILED, &conn->flags); 1280 test_and_clear_bit(HCI_CONN_PA_SYNC_FAILED, &conn->flags); 1281 1282 conn->state = BT_CLOSED; 1283 hci_connect_cfm(conn, status); 1284 hci_conn_del(conn); 1285 } 1286 1287 /* This function requires the caller holds hdev->lock */ 1288 u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle) 1289 { 1290 struct hci_dev *hdev = conn->hdev; 1291 1292 bt_dev_dbg(hdev, "hcon %p handle 0x%4.4x", conn, handle); 1293 1294 if (conn->handle == handle) 1295 return 0; 1296 1297 if (handle > HCI_CONN_HANDLE_MAX) { 1298 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x", 1299 handle, HCI_CONN_HANDLE_MAX); 1300 return HCI_ERROR_INVALID_PARAMETERS; 1301 } 1302 1303 /* If abort_reason has been sent it means the connection is being 1304 * aborted and the handle shall not be changed. 1305 */ 1306 if (conn->abort_reason) 1307 return conn->abort_reason; 1308 1309 if (HCI_CONN_HANDLE_UNSET(conn->handle)) 1310 ida_free(&hdev->unset_handle_ida, conn->handle); 1311 1312 conn->handle = handle; 1313 1314 return 0; 1315 } 1316 1317 static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err) 1318 { 1319 struct hci_conn *conn; 1320 u16 handle = PTR_UINT(data); 1321 1322 conn = hci_conn_hash_lookup_handle(hdev, handle); 1323 if (!conn) 1324 return; 1325 1326 bt_dev_dbg(hdev, "err %d", err); 1327 1328 hci_dev_lock(hdev); 1329 1330 if (!err) { 1331 hci_connect_le_scan_cleanup(conn, 0x00); 1332 goto done; 1333 } 1334 1335 /* Check if connection is still pending */ 1336 if (conn != hci_lookup_le_connect(hdev)) 1337 goto done; 1338 1339 /* Flush to make sure we send create conn cancel command if needed */ 1340 flush_delayed_work(&conn->le_conn_timeout); 1341 hci_conn_failed(conn, bt_status(err)); 1342 1343 done: 1344 hci_dev_unlock(hdev); 1345 } 1346 1347 static int hci_connect_le_sync(struct hci_dev *hdev, void *data) 1348 { 1349 struct hci_conn *conn; 1350 u16 handle = PTR_UINT(data); 1351 1352 conn = hci_conn_hash_lookup_handle(hdev, handle); 1353 if (!conn) 1354 return 0; 1355 1356 bt_dev_dbg(hdev, "conn %p", conn); 1357 1358 clear_bit(HCI_CONN_SCANNING, &conn->flags); 1359 conn->state = BT_CONNECT; 1360 1361 return hci_le_create_conn_sync(hdev, conn); 1362 } 1363 1364 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst, 1365 u8 dst_type, bool dst_resolved, u8 sec_level, 1366 u16 conn_timeout, u8 role) 1367 { 1368 struct hci_conn *conn; 1369 struct smp_irk *irk; 1370 int err; 1371 1372 /* Let's make sure that le is enabled.*/ 1373 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1374 if (lmp_le_capable(hdev)) 1375 return ERR_PTR(-ECONNREFUSED); 1376 1377 return ERR_PTR(-EOPNOTSUPP); 1378 } 1379 1380 /* Since the controller supports only one LE connection attempt at a 1381 * time, we return -EBUSY if there is any connection attempt running. 1382 */ 1383 if (hci_lookup_le_connect(hdev)) 1384 return ERR_PTR(-EBUSY); 1385 1386 /* If there's already a connection object but it's not in 1387 * scanning state it means it must already be established, in 1388 * which case we can't do anything else except report a failure 1389 * to connect. 1390 */ 1391 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type); 1392 if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) { 1393 return ERR_PTR(-EBUSY); 1394 } 1395 1396 /* Check if the destination address has been resolved by the controller 1397 * since if it did then the identity address shall be used. 1398 */ 1399 if (!dst_resolved) { 1400 /* When given an identity address with existing identity 1401 * resolving key, the connection needs to be established 1402 * to a resolvable random address. 1403 * 1404 * Storing the resolvable random address is required here 1405 * to handle connection failures. The address will later 1406 * be resolved back into the original identity address 1407 * from the connect request. 1408 */ 1409 irk = hci_find_irk_by_addr(hdev, dst, dst_type); 1410 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) { 1411 dst = &irk->rpa; 1412 dst_type = ADDR_LE_DEV_RANDOM; 1413 } 1414 } 1415 1416 if (conn) { 1417 bacpy(&conn->dst, dst); 1418 } else { 1419 conn = hci_conn_add_unset(hdev, LE_LINK, dst, role); 1420 if (!conn) 1421 return ERR_PTR(-ENOMEM); 1422 hci_conn_hold(conn); 1423 conn->pending_sec_level = sec_level; 1424 } 1425 1426 conn->dst_type = dst_type; 1427 conn->sec_level = BT_SECURITY_LOW; 1428 conn->conn_timeout = conn_timeout; 1429 1430 err = hci_cmd_sync_queue(hdev, hci_connect_le_sync, 1431 UINT_PTR(conn->handle), 1432 create_le_conn_complete); 1433 if (err) { 1434 hci_conn_del(conn); 1435 return ERR_PTR(err); 1436 } 1437 1438 return conn; 1439 } 1440 1441 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type) 1442 { 1443 struct hci_conn *conn; 1444 1445 conn = hci_conn_hash_lookup_le(hdev, addr, type); 1446 if (!conn) 1447 return false; 1448 1449 if (conn->state != BT_CONNECTED) 1450 return false; 1451 1452 return true; 1453 } 1454 1455 /* This function requires the caller holds hdev->lock */ 1456 static int hci_explicit_conn_params_set(struct hci_dev *hdev, 1457 bdaddr_t *addr, u8 addr_type) 1458 { 1459 struct hci_conn_params *params; 1460 1461 if (is_connected(hdev, addr, addr_type)) 1462 return -EISCONN; 1463 1464 params = hci_conn_params_lookup(hdev, addr, addr_type); 1465 if (!params) { 1466 params = hci_conn_params_add(hdev, addr, addr_type); 1467 if (!params) 1468 return -ENOMEM; 1469 1470 /* If we created new params, mark them to be deleted in 1471 * hci_connect_le_scan_cleanup. It's different case than 1472 * existing disabled params, those will stay after cleanup. 1473 */ 1474 params->auto_connect = HCI_AUTO_CONN_EXPLICIT; 1475 } 1476 1477 /* We're trying to connect, so make sure params are at pend_le_conns */ 1478 if (params->auto_connect == HCI_AUTO_CONN_DISABLED || 1479 params->auto_connect == HCI_AUTO_CONN_REPORT || 1480 params->auto_connect == HCI_AUTO_CONN_EXPLICIT) { 1481 hci_pend_le_list_del_init(params); 1482 hci_pend_le_list_add(params, &hdev->pend_le_conns); 1483 } 1484 1485 params->explicit_connect = true; 1486 1487 BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type, 1488 params->auto_connect); 1489 1490 return 0; 1491 } 1492 1493 static int qos_set_big(struct hci_dev *hdev, struct bt_iso_qos *qos) 1494 { 1495 struct hci_conn *conn; 1496 u8 big; 1497 1498 /* Allocate a BIG if not set */ 1499 if (qos->bcast.big == BT_ISO_QOS_BIG_UNSET) { 1500 for (big = 0x00; big < 0xef; big++) { 1501 1502 conn = hci_conn_hash_lookup_big(hdev, big); 1503 if (!conn) 1504 break; 1505 } 1506 1507 if (big == 0xef) 1508 return -EADDRNOTAVAIL; 1509 1510 /* Update BIG */ 1511 qos->bcast.big = big; 1512 } 1513 1514 return 0; 1515 } 1516 1517 static int qos_set_bis(struct hci_dev *hdev, struct bt_iso_qos *qos) 1518 { 1519 struct hci_conn *conn; 1520 u8 bis; 1521 1522 /* Allocate BIS if not set */ 1523 if (qos->bcast.bis == BT_ISO_QOS_BIS_UNSET) { 1524 if (qos->bcast.big != BT_ISO_QOS_BIG_UNSET) { 1525 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big); 1526 1527 if (conn) { 1528 /* If the BIG handle is already matched to an advertising 1529 * handle, do not allocate a new one. 1530 */ 1531 qos->bcast.bis = conn->iso_qos.bcast.bis; 1532 return 0; 1533 } 1534 } 1535 1536 /* Find an unused adv set to advertise BIS, skip instance 0x00 1537 * since it is reserved as general purpose set. 1538 */ 1539 for (bis = 0x01; bis < hdev->le_num_of_adv_sets; 1540 bis++) { 1541 1542 conn = hci_conn_hash_lookup_bis(hdev, BDADDR_ANY, bis); 1543 if (!conn) 1544 break; 1545 } 1546 1547 if (bis == hdev->le_num_of_adv_sets) 1548 return -EADDRNOTAVAIL; 1549 1550 /* Update BIS */ 1551 qos->bcast.bis = bis; 1552 } 1553 1554 return 0; 1555 } 1556 1557 /* This function requires the caller holds hdev->lock */ 1558 static struct hci_conn *hci_add_bis(struct hci_dev *hdev, bdaddr_t *dst, 1559 struct bt_iso_qos *qos, __u8 base_len, 1560 __u8 *base) 1561 { 1562 struct hci_conn *conn; 1563 int err; 1564 1565 /* Let's make sure that le is enabled.*/ 1566 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1567 if (lmp_le_capable(hdev)) 1568 return ERR_PTR(-ECONNREFUSED); 1569 return ERR_PTR(-EOPNOTSUPP); 1570 } 1571 1572 err = qos_set_big(hdev, qos); 1573 if (err) 1574 return ERR_PTR(err); 1575 1576 err = qos_set_bis(hdev, qos); 1577 if (err) 1578 return ERR_PTR(err); 1579 1580 /* Check if the LE Create BIG command has already been sent */ 1581 conn = hci_conn_hash_lookup_per_adv_bis(hdev, dst, qos->bcast.big, 1582 qos->bcast.big); 1583 if (conn) 1584 return ERR_PTR(-EADDRINUSE); 1585 1586 /* Check BIS settings against other bound BISes, since all 1587 * BISes in a BIG must have the same value for all parameters 1588 */ 1589 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big); 1590 1591 if (conn && (memcmp(qos, &conn->iso_qos, sizeof(*qos)) || 1592 base_len != conn->le_per_adv_data_len || 1593 memcmp(conn->le_per_adv_data, base, base_len))) 1594 return ERR_PTR(-EADDRINUSE); 1595 1596 conn = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_MASTER); 1597 if (!conn) 1598 return ERR_PTR(-ENOMEM); 1599 1600 conn->state = BT_CONNECT; 1601 1602 hci_conn_hold(conn); 1603 return conn; 1604 } 1605 1606 /* This function requires the caller holds hdev->lock */ 1607 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst, 1608 u8 dst_type, u8 sec_level, 1609 u16 conn_timeout, 1610 enum conn_reasons conn_reason) 1611 { 1612 struct hci_conn *conn; 1613 1614 /* Let's make sure that le is enabled.*/ 1615 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) { 1616 if (lmp_le_capable(hdev)) 1617 return ERR_PTR(-ECONNREFUSED); 1618 1619 return ERR_PTR(-EOPNOTSUPP); 1620 } 1621 1622 /* Some devices send ATT messages as soon as the physical link is 1623 * established. To be able to handle these ATT messages, the user- 1624 * space first establishes the connection and then starts the pairing 1625 * process. 1626 * 1627 * So if a hci_conn object already exists for the following connection 1628 * attempt, we simply update pending_sec_level and auth_type fields 1629 * and return the object found. 1630 */ 1631 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type); 1632 if (conn) { 1633 if (conn->pending_sec_level < sec_level) 1634 conn->pending_sec_level = sec_level; 1635 goto done; 1636 } 1637 1638 BT_DBG("requesting refresh of dst_addr"); 1639 1640 conn = hci_conn_add_unset(hdev, LE_LINK, dst, HCI_ROLE_MASTER); 1641 if (!conn) 1642 return ERR_PTR(-ENOMEM); 1643 1644 if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) { 1645 hci_conn_del(conn); 1646 return ERR_PTR(-EBUSY); 1647 } 1648 1649 conn->state = BT_CONNECT; 1650 set_bit(HCI_CONN_SCANNING, &conn->flags); 1651 conn->dst_type = dst_type; 1652 conn->sec_level = BT_SECURITY_LOW; 1653 conn->pending_sec_level = sec_level; 1654 conn->conn_timeout = conn_timeout; 1655 conn->conn_reason = conn_reason; 1656 1657 hci_update_passive_scan(hdev); 1658 1659 done: 1660 hci_conn_hold(conn); 1661 return conn; 1662 } 1663 1664 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst, 1665 u8 sec_level, u8 auth_type, 1666 enum conn_reasons conn_reason) 1667 { 1668 struct hci_conn *acl; 1669 1670 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) { 1671 if (lmp_bredr_capable(hdev)) 1672 return ERR_PTR(-ECONNREFUSED); 1673 1674 return ERR_PTR(-EOPNOTSUPP); 1675 } 1676 1677 /* Reject outgoing connection to device with same BD ADDR against 1678 * CVE-2020-26555 1679 */ 1680 if (!bacmp(&hdev->bdaddr, dst)) { 1681 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n", 1682 dst); 1683 return ERR_PTR(-ECONNREFUSED); 1684 } 1685 1686 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst); 1687 if (!acl) { 1688 acl = hci_conn_add_unset(hdev, ACL_LINK, dst, HCI_ROLE_MASTER); 1689 if (!acl) 1690 return ERR_PTR(-ENOMEM); 1691 } 1692 1693 hci_conn_hold(acl); 1694 1695 acl->conn_reason = conn_reason; 1696 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) { 1697 acl->sec_level = BT_SECURITY_LOW; 1698 acl->pending_sec_level = sec_level; 1699 acl->auth_type = auth_type; 1700 hci_acl_create_connection(acl); 1701 } 1702 1703 return acl; 1704 } 1705 1706 static struct hci_link *hci_conn_link(struct hci_conn *parent, 1707 struct hci_conn *conn) 1708 { 1709 struct hci_dev *hdev = parent->hdev; 1710 struct hci_link *link; 1711 1712 bt_dev_dbg(hdev, "parent %p hcon %p", parent, conn); 1713 1714 if (conn->link) 1715 return conn->link; 1716 1717 if (conn->parent) 1718 return NULL; 1719 1720 link = kzalloc(sizeof(*link), GFP_KERNEL); 1721 if (!link) 1722 return NULL; 1723 1724 link->conn = hci_conn_hold(conn); 1725 conn->link = link; 1726 conn->parent = hci_conn_get(parent); 1727 1728 /* Use list_add_tail_rcu append to the list */ 1729 list_add_tail_rcu(&link->list, &parent->link_list); 1730 1731 return link; 1732 } 1733 1734 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst, 1735 __u16 setting, struct bt_codec *codec) 1736 { 1737 struct hci_conn *acl; 1738 struct hci_conn *sco; 1739 struct hci_link *link; 1740 1741 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING, 1742 CONN_REASON_SCO_CONNECT); 1743 if (IS_ERR(acl)) 1744 return acl; 1745 1746 sco = hci_conn_hash_lookup_ba(hdev, type, dst); 1747 if (!sco) { 1748 sco = hci_conn_add_unset(hdev, type, dst, HCI_ROLE_MASTER); 1749 if (!sco) { 1750 hci_conn_drop(acl); 1751 return ERR_PTR(-ENOMEM); 1752 } 1753 } 1754 1755 link = hci_conn_link(acl, sco); 1756 if (!link) { 1757 hci_conn_drop(acl); 1758 hci_conn_drop(sco); 1759 return ERR_PTR(-ENOLINK); 1760 } 1761 1762 sco->setting = setting; 1763 sco->codec = *codec; 1764 1765 if (acl->state == BT_CONNECTED && 1766 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) { 1767 set_bit(HCI_CONN_POWER_SAVE, &acl->flags); 1768 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON); 1769 1770 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) { 1771 /* defer SCO setup until mode change completed */ 1772 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags); 1773 return sco; 1774 } 1775 1776 hci_sco_setup(acl, 0x00); 1777 } 1778 1779 return sco; 1780 } 1781 1782 static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos) 1783 { 1784 struct hci_dev *hdev = conn->hdev; 1785 struct hci_cp_le_create_big cp; 1786 struct iso_list_data data; 1787 1788 memset(&cp, 0, sizeof(cp)); 1789 1790 data.big = qos->bcast.big; 1791 data.bis = qos->bcast.bis; 1792 data.count = 0; 1793 1794 /* Create a BIS for each bound connection */ 1795 hci_conn_hash_list_state(hdev, bis_list, ISO_LINK, 1796 BT_BOUND, &data); 1797 1798 cp.handle = qos->bcast.big; 1799 cp.adv_handle = qos->bcast.bis; 1800 cp.num_bis = data.count; 1801 hci_cpu_to_le24(qos->bcast.out.interval, cp.bis.sdu_interval); 1802 cp.bis.sdu = cpu_to_le16(qos->bcast.out.sdu); 1803 cp.bis.latency = cpu_to_le16(qos->bcast.out.latency); 1804 cp.bis.rtn = qos->bcast.out.rtn; 1805 cp.bis.phy = qos->bcast.out.phy; 1806 cp.bis.packing = qos->bcast.packing; 1807 cp.bis.framing = qos->bcast.framing; 1808 cp.bis.encryption = qos->bcast.encryption; 1809 memcpy(cp.bis.bcode, qos->bcast.bcode, sizeof(cp.bis.bcode)); 1810 1811 return hci_send_cmd(hdev, HCI_OP_LE_CREATE_BIG, sizeof(cp), &cp); 1812 } 1813 1814 static int set_cig_params_sync(struct hci_dev *hdev, void *data) 1815 { 1816 u8 cig_id = PTR_UINT(data); 1817 struct hci_conn *conn; 1818 struct bt_iso_qos *qos; 1819 struct iso_cig_params pdu; 1820 u8 cis_id; 1821 1822 conn = hci_conn_hash_lookup_cig(hdev, cig_id); 1823 if (!conn) 1824 return 0; 1825 1826 memset(&pdu, 0, sizeof(pdu)); 1827 1828 qos = &conn->iso_qos; 1829 pdu.cp.cig_id = cig_id; 1830 hci_cpu_to_le24(qos->ucast.out.interval, pdu.cp.c_interval); 1831 hci_cpu_to_le24(qos->ucast.in.interval, pdu.cp.p_interval); 1832 pdu.cp.sca = qos->ucast.sca; 1833 pdu.cp.packing = qos->ucast.packing; 1834 pdu.cp.framing = qos->ucast.framing; 1835 pdu.cp.c_latency = cpu_to_le16(qos->ucast.out.latency); 1836 pdu.cp.p_latency = cpu_to_le16(qos->ucast.in.latency); 1837 1838 /* Reprogram all CIS(s) with the same CIG, valid range are: 1839 * num_cis: 0x00 to 0x1F 1840 * cis_id: 0x00 to 0xEF 1841 */ 1842 for (cis_id = 0x00; cis_id < 0xf0 && 1843 pdu.cp.num_cis < ARRAY_SIZE(pdu.cis); cis_id++) { 1844 struct hci_cis_params *cis; 1845 1846 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, cig_id, cis_id); 1847 if (!conn) 1848 continue; 1849 1850 qos = &conn->iso_qos; 1851 1852 cis = &pdu.cis[pdu.cp.num_cis++]; 1853 cis->cis_id = cis_id; 1854 cis->c_sdu = cpu_to_le16(conn->iso_qos.ucast.out.sdu); 1855 cis->p_sdu = cpu_to_le16(conn->iso_qos.ucast.in.sdu); 1856 cis->c_phy = qos->ucast.out.phy ? qos->ucast.out.phy : 1857 qos->ucast.in.phy; 1858 cis->p_phy = qos->ucast.in.phy ? qos->ucast.in.phy : 1859 qos->ucast.out.phy; 1860 cis->c_rtn = qos->ucast.out.rtn; 1861 cis->p_rtn = qos->ucast.in.rtn; 1862 } 1863 1864 if (!pdu.cp.num_cis) 1865 return 0; 1866 1867 return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_CIG_PARAMS, 1868 sizeof(pdu.cp) + 1869 pdu.cp.num_cis * sizeof(pdu.cis[0]), &pdu, 1870 HCI_CMD_TIMEOUT); 1871 } 1872 1873 static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos) 1874 { 1875 struct hci_dev *hdev = conn->hdev; 1876 struct iso_list_data data; 1877 1878 memset(&data, 0, sizeof(data)); 1879 1880 /* Allocate first still reconfigurable CIG if not set */ 1881 if (qos->ucast.cig == BT_ISO_QOS_CIG_UNSET) { 1882 for (data.cig = 0x00; data.cig < 0xf0; data.cig++) { 1883 data.count = 0; 1884 1885 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, 1886 BT_CONNECT, &data); 1887 if (data.count) 1888 continue; 1889 1890 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, 1891 BT_CONNECTED, &data); 1892 if (!data.count) 1893 break; 1894 } 1895 1896 if (data.cig == 0xf0) 1897 return false; 1898 1899 /* Update CIG */ 1900 qos->ucast.cig = data.cig; 1901 } 1902 1903 if (qos->ucast.cis != BT_ISO_QOS_CIS_UNSET) { 1904 if (hci_conn_hash_lookup_cis(hdev, NULL, 0, qos->ucast.cig, 1905 qos->ucast.cis)) 1906 return false; 1907 goto done; 1908 } 1909 1910 /* Allocate first available CIS if not set */ 1911 for (data.cig = qos->ucast.cig, data.cis = 0x00; data.cis < 0xf0; 1912 data.cis++) { 1913 if (!hci_conn_hash_lookup_cis(hdev, NULL, 0, data.cig, 1914 data.cis)) { 1915 /* Update CIS */ 1916 qos->ucast.cis = data.cis; 1917 break; 1918 } 1919 } 1920 1921 if (qos->ucast.cis == BT_ISO_QOS_CIS_UNSET) 1922 return false; 1923 1924 done: 1925 if (hci_cmd_sync_queue(hdev, set_cig_params_sync, 1926 UINT_PTR(qos->ucast.cig), NULL) < 0) 1927 return false; 1928 1929 return true; 1930 } 1931 1932 struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst, 1933 __u8 dst_type, struct bt_iso_qos *qos) 1934 { 1935 struct hci_conn *cis; 1936 1937 cis = hci_conn_hash_lookup_cis(hdev, dst, dst_type, qos->ucast.cig, 1938 qos->ucast.cis); 1939 if (!cis) { 1940 cis = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_MASTER); 1941 if (!cis) 1942 return ERR_PTR(-ENOMEM); 1943 cis->cleanup = cis_cleanup; 1944 cis->dst_type = dst_type; 1945 cis->iso_qos.ucast.cig = BT_ISO_QOS_CIG_UNSET; 1946 cis->iso_qos.ucast.cis = BT_ISO_QOS_CIS_UNSET; 1947 } 1948 1949 if (cis->state == BT_CONNECTED) 1950 return cis; 1951 1952 /* Check if CIS has been set and the settings matches */ 1953 if (cis->state == BT_BOUND && 1954 !memcmp(&cis->iso_qos, qos, sizeof(*qos))) 1955 return cis; 1956 1957 /* Update LINK PHYs according to QoS preference */ 1958 cis->le_tx_phy = qos->ucast.out.phy; 1959 cis->le_rx_phy = qos->ucast.in.phy; 1960 1961 /* If output interval is not set use the input interval as it cannot be 1962 * 0x000000. 1963 */ 1964 if (!qos->ucast.out.interval) 1965 qos->ucast.out.interval = qos->ucast.in.interval; 1966 1967 /* If input interval is not set use the output interval as it cannot be 1968 * 0x000000. 1969 */ 1970 if (!qos->ucast.in.interval) 1971 qos->ucast.in.interval = qos->ucast.out.interval; 1972 1973 /* If output latency is not set use the input latency as it cannot be 1974 * 0x0000. 1975 */ 1976 if (!qos->ucast.out.latency) 1977 qos->ucast.out.latency = qos->ucast.in.latency; 1978 1979 /* If input latency is not set use the output latency as it cannot be 1980 * 0x0000. 1981 */ 1982 if (!qos->ucast.in.latency) 1983 qos->ucast.in.latency = qos->ucast.out.latency; 1984 1985 if (!hci_le_set_cig_params(cis, qos)) { 1986 hci_conn_drop(cis); 1987 return ERR_PTR(-EINVAL); 1988 } 1989 1990 hci_conn_hold(cis); 1991 1992 cis->iso_qos = *qos; 1993 cis->state = BT_BOUND; 1994 1995 return cis; 1996 } 1997 1998 bool hci_iso_setup_path(struct hci_conn *conn) 1999 { 2000 struct hci_dev *hdev = conn->hdev; 2001 struct hci_cp_le_setup_iso_path cmd; 2002 2003 memset(&cmd, 0, sizeof(cmd)); 2004 2005 if (conn->iso_qos.ucast.out.sdu) { 2006 cmd.handle = cpu_to_le16(conn->handle); 2007 cmd.direction = 0x00; /* Input (Host to Controller) */ 2008 cmd.path = 0x00; /* HCI path if enabled */ 2009 cmd.codec = 0x03; /* Transparent Data */ 2010 2011 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd), 2012 &cmd) < 0) 2013 return false; 2014 } 2015 2016 if (conn->iso_qos.ucast.in.sdu) { 2017 cmd.handle = cpu_to_le16(conn->handle); 2018 cmd.direction = 0x01; /* Output (Controller to Host) */ 2019 cmd.path = 0x00; /* HCI path if enabled */ 2020 cmd.codec = 0x03; /* Transparent Data */ 2021 2022 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd), 2023 &cmd) < 0) 2024 return false; 2025 } 2026 2027 return true; 2028 } 2029 2030 int hci_conn_check_create_cis(struct hci_conn *conn) 2031 { 2032 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY)) 2033 return -EINVAL; 2034 2035 if (!conn->parent || conn->parent->state != BT_CONNECTED || 2036 conn->state != BT_CONNECT || HCI_CONN_HANDLE_UNSET(conn->handle)) 2037 return 1; 2038 2039 return 0; 2040 } 2041 2042 static int hci_create_cis_sync(struct hci_dev *hdev, void *data) 2043 { 2044 return hci_le_create_cis_sync(hdev); 2045 } 2046 2047 int hci_le_create_cis_pending(struct hci_dev *hdev) 2048 { 2049 struct hci_conn *conn; 2050 bool pending = false; 2051 2052 rcu_read_lock(); 2053 2054 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) { 2055 if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) { 2056 rcu_read_unlock(); 2057 return -EBUSY; 2058 } 2059 2060 if (!hci_conn_check_create_cis(conn)) 2061 pending = true; 2062 } 2063 2064 rcu_read_unlock(); 2065 2066 if (!pending) 2067 return 0; 2068 2069 /* Queue Create CIS */ 2070 return hci_cmd_sync_queue(hdev, hci_create_cis_sync, NULL, NULL); 2071 } 2072 2073 static void hci_iso_qos_setup(struct hci_dev *hdev, struct hci_conn *conn, 2074 struct bt_iso_io_qos *qos, __u8 phy) 2075 { 2076 /* Only set MTU if PHY is enabled */ 2077 if (!qos->sdu && qos->phy) { 2078 if (hdev->iso_mtu > 0) 2079 qos->sdu = hdev->iso_mtu; 2080 else if (hdev->le_mtu > 0) 2081 qos->sdu = hdev->le_mtu; 2082 else 2083 qos->sdu = hdev->acl_mtu; 2084 } 2085 2086 /* Use the same PHY as ACL if set to any */ 2087 if (qos->phy == BT_ISO_PHY_ANY) 2088 qos->phy = phy; 2089 2090 /* Use LE ACL connection interval if not set */ 2091 if (!qos->interval) 2092 /* ACL interval unit in 1.25 ms to us */ 2093 qos->interval = conn->le_conn_interval * 1250; 2094 2095 /* Use LE ACL connection latency if not set */ 2096 if (!qos->latency) 2097 qos->latency = conn->le_conn_latency; 2098 } 2099 2100 static int create_big_sync(struct hci_dev *hdev, void *data) 2101 { 2102 struct hci_conn *conn = data; 2103 struct bt_iso_qos *qos = &conn->iso_qos; 2104 u16 interval, sync_interval = 0; 2105 u32 flags = 0; 2106 int err; 2107 2108 if (qos->bcast.out.phy == 0x02) 2109 flags |= MGMT_ADV_FLAG_SEC_2M; 2110 2111 /* Align intervals */ 2112 interval = (qos->bcast.out.interval / 1250) * qos->bcast.sync_factor; 2113 2114 if (qos->bcast.bis) 2115 sync_interval = interval * 4; 2116 2117 err = hci_start_per_adv_sync(hdev, qos->bcast.bis, conn->le_per_adv_data_len, 2118 conn->le_per_adv_data, flags, interval, 2119 interval, sync_interval); 2120 if (err) 2121 return err; 2122 2123 return hci_le_create_big(conn, &conn->iso_qos); 2124 } 2125 2126 static void create_pa_complete(struct hci_dev *hdev, void *data, int err) 2127 { 2128 struct hci_cp_le_pa_create_sync *cp = data; 2129 2130 bt_dev_dbg(hdev, ""); 2131 2132 if (err) 2133 bt_dev_err(hdev, "Unable to create PA: %d", err); 2134 2135 kfree(cp); 2136 } 2137 2138 static int create_pa_sync(struct hci_dev *hdev, void *data) 2139 { 2140 struct hci_cp_le_pa_create_sync *cp = data; 2141 int err; 2142 2143 err = __hci_cmd_sync_status(hdev, HCI_OP_LE_PA_CREATE_SYNC, 2144 sizeof(*cp), cp, HCI_CMD_TIMEOUT); 2145 if (err) { 2146 hci_dev_clear_flag(hdev, HCI_PA_SYNC); 2147 return err; 2148 } 2149 2150 return hci_update_passive_scan_sync(hdev); 2151 } 2152 2153 int hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst, __u8 dst_type, 2154 __u8 sid, struct bt_iso_qos *qos) 2155 { 2156 struct hci_cp_le_pa_create_sync *cp; 2157 2158 if (hci_dev_test_and_set_flag(hdev, HCI_PA_SYNC)) 2159 return -EBUSY; 2160 2161 cp = kzalloc(sizeof(*cp), GFP_KERNEL); 2162 if (!cp) { 2163 hci_dev_clear_flag(hdev, HCI_PA_SYNC); 2164 return -ENOMEM; 2165 } 2166 2167 cp->options = qos->bcast.options; 2168 cp->sid = sid; 2169 cp->addr_type = dst_type; 2170 bacpy(&cp->addr, dst); 2171 cp->skip = cpu_to_le16(qos->bcast.skip); 2172 cp->sync_timeout = cpu_to_le16(qos->bcast.sync_timeout); 2173 cp->sync_cte_type = qos->bcast.sync_cte_type; 2174 2175 /* Queue start pa_create_sync and scan */ 2176 return hci_cmd_sync_queue(hdev, create_pa_sync, cp, create_pa_complete); 2177 } 2178 2179 int hci_le_big_create_sync(struct hci_dev *hdev, struct hci_conn *hcon, 2180 struct bt_iso_qos *qos, 2181 __u16 sync_handle, __u8 num_bis, __u8 bis[]) 2182 { 2183 struct _packed { 2184 struct hci_cp_le_big_create_sync cp; 2185 __u8 bis[0x11]; 2186 } pdu; 2187 int err; 2188 2189 if (num_bis < 0x01 || num_bis > sizeof(pdu.bis)) 2190 return -EINVAL; 2191 2192 err = qos_set_big(hdev, qos); 2193 if (err) 2194 return err; 2195 2196 if (hcon) 2197 hcon->iso_qos.bcast.big = qos->bcast.big; 2198 2199 memset(&pdu, 0, sizeof(pdu)); 2200 pdu.cp.handle = qos->bcast.big; 2201 pdu.cp.sync_handle = cpu_to_le16(sync_handle); 2202 pdu.cp.encryption = qos->bcast.encryption; 2203 memcpy(pdu.cp.bcode, qos->bcast.bcode, sizeof(pdu.cp.bcode)); 2204 pdu.cp.mse = qos->bcast.mse; 2205 pdu.cp.timeout = cpu_to_le16(qos->bcast.timeout); 2206 pdu.cp.num_bis = num_bis; 2207 memcpy(pdu.bis, bis, num_bis); 2208 2209 return hci_send_cmd(hdev, HCI_OP_LE_BIG_CREATE_SYNC, 2210 sizeof(pdu.cp) + num_bis, &pdu); 2211 } 2212 2213 static void create_big_complete(struct hci_dev *hdev, void *data, int err) 2214 { 2215 struct hci_conn *conn = data; 2216 2217 bt_dev_dbg(hdev, "conn %p", conn); 2218 2219 if (err) { 2220 bt_dev_err(hdev, "Unable to create BIG: %d", err); 2221 hci_connect_cfm(conn, err); 2222 hci_conn_del(conn); 2223 } 2224 } 2225 2226 struct hci_conn *hci_bind_bis(struct hci_dev *hdev, bdaddr_t *dst, 2227 struct bt_iso_qos *qos, 2228 __u8 base_len, __u8 *base) 2229 { 2230 struct hci_conn *conn; 2231 __u8 eir[HCI_MAX_PER_AD_LENGTH]; 2232 2233 if (base_len && base) 2234 base_len = eir_append_service_data(eir, 0, 0x1851, 2235 base, base_len); 2236 2237 /* We need hci_conn object using the BDADDR_ANY as dst */ 2238 conn = hci_add_bis(hdev, dst, qos, base_len, eir); 2239 if (IS_ERR(conn)) 2240 return conn; 2241 2242 /* Update LINK PHYs according to QoS preference */ 2243 conn->le_tx_phy = qos->bcast.out.phy; 2244 conn->le_tx_phy = qos->bcast.out.phy; 2245 2246 /* Add Basic Announcement into Peridic Adv Data if BASE is set */ 2247 if (base_len && base) { 2248 memcpy(conn->le_per_adv_data, eir, sizeof(eir)); 2249 conn->le_per_adv_data_len = base_len; 2250 } 2251 2252 hci_iso_qos_setup(hdev, conn, &qos->bcast.out, 2253 conn->le_tx_phy ? conn->le_tx_phy : 2254 hdev->le_tx_def_phys); 2255 2256 conn->iso_qos = *qos; 2257 conn->state = BT_BOUND; 2258 2259 return conn; 2260 } 2261 2262 static void bis_mark_per_adv(struct hci_conn *conn, void *data) 2263 { 2264 struct iso_list_data *d = data; 2265 2266 /* Skip if not broadcast/ANY address */ 2267 if (bacmp(&conn->dst, BDADDR_ANY)) 2268 return; 2269 2270 if (d->big != conn->iso_qos.bcast.big || 2271 d->bis == BT_ISO_QOS_BIS_UNSET || 2272 d->bis != conn->iso_qos.bcast.bis) 2273 return; 2274 2275 set_bit(HCI_CONN_PER_ADV, &conn->flags); 2276 } 2277 2278 struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst, 2279 __u8 dst_type, struct bt_iso_qos *qos, 2280 __u8 base_len, __u8 *base) 2281 { 2282 struct hci_conn *conn; 2283 int err; 2284 struct iso_list_data data; 2285 2286 conn = hci_bind_bis(hdev, dst, qos, base_len, base); 2287 if (IS_ERR(conn)) 2288 return conn; 2289 2290 data.big = qos->bcast.big; 2291 data.bis = qos->bcast.bis; 2292 2293 /* Set HCI_CONN_PER_ADV for all bound connections, to mark that 2294 * the start periodic advertising and create BIG commands have 2295 * been queued 2296 */ 2297 hci_conn_hash_list_state(hdev, bis_mark_per_adv, ISO_LINK, 2298 BT_BOUND, &data); 2299 2300 /* Queue start periodic advertising and create BIG */ 2301 err = hci_cmd_sync_queue(hdev, create_big_sync, conn, 2302 create_big_complete); 2303 if (err < 0) { 2304 hci_conn_drop(conn); 2305 return ERR_PTR(err); 2306 } 2307 2308 return conn; 2309 } 2310 2311 struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst, 2312 __u8 dst_type, struct bt_iso_qos *qos) 2313 { 2314 struct hci_conn *le; 2315 struct hci_conn *cis; 2316 struct hci_link *link; 2317 2318 if (hci_dev_test_flag(hdev, HCI_ADVERTISING)) 2319 le = hci_connect_le(hdev, dst, dst_type, false, 2320 BT_SECURITY_LOW, 2321 HCI_LE_CONN_TIMEOUT, 2322 HCI_ROLE_SLAVE); 2323 else 2324 le = hci_connect_le_scan(hdev, dst, dst_type, 2325 BT_SECURITY_LOW, 2326 HCI_LE_CONN_TIMEOUT, 2327 CONN_REASON_ISO_CONNECT); 2328 if (IS_ERR(le)) 2329 return le; 2330 2331 hci_iso_qos_setup(hdev, le, &qos->ucast.out, 2332 le->le_tx_phy ? le->le_tx_phy : hdev->le_tx_def_phys); 2333 hci_iso_qos_setup(hdev, le, &qos->ucast.in, 2334 le->le_rx_phy ? le->le_rx_phy : hdev->le_rx_def_phys); 2335 2336 cis = hci_bind_cis(hdev, dst, dst_type, qos); 2337 if (IS_ERR(cis)) { 2338 hci_conn_drop(le); 2339 return cis; 2340 } 2341 2342 link = hci_conn_link(le, cis); 2343 if (!link) { 2344 hci_conn_drop(le); 2345 hci_conn_drop(cis); 2346 return ERR_PTR(-ENOLINK); 2347 } 2348 2349 /* Link takes the refcount */ 2350 hci_conn_drop(cis); 2351 2352 cis->state = BT_CONNECT; 2353 2354 hci_le_create_cis_pending(hdev); 2355 2356 return cis; 2357 } 2358 2359 /* Check link security requirement */ 2360 int hci_conn_check_link_mode(struct hci_conn *conn) 2361 { 2362 BT_DBG("hcon %p", conn); 2363 2364 /* In Secure Connections Only mode, it is required that Secure 2365 * Connections is used and the link is encrypted with AES-CCM 2366 * using a P-256 authenticated combination key. 2367 */ 2368 if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) { 2369 if (!hci_conn_sc_enabled(conn) || 2370 !test_bit(HCI_CONN_AES_CCM, &conn->flags) || 2371 conn->key_type != HCI_LK_AUTH_COMBINATION_P256) 2372 return 0; 2373 } 2374 2375 /* AES encryption is required for Level 4: 2376 * 2377 * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C 2378 * page 1319: 2379 * 2380 * 128-bit equivalent strength for link and encryption keys 2381 * required using FIPS approved algorithms (E0 not allowed, 2382 * SAFER+ not allowed, and P-192 not allowed; encryption key 2383 * not shortened) 2384 */ 2385 if (conn->sec_level == BT_SECURITY_FIPS && 2386 !test_bit(HCI_CONN_AES_CCM, &conn->flags)) { 2387 bt_dev_err(conn->hdev, 2388 "Invalid security: Missing AES-CCM usage"); 2389 return 0; 2390 } 2391 2392 if (hci_conn_ssp_enabled(conn) && 2393 !test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2394 return 0; 2395 2396 return 1; 2397 } 2398 2399 /* Authenticate remote device */ 2400 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type) 2401 { 2402 BT_DBG("hcon %p", conn); 2403 2404 if (conn->pending_sec_level > sec_level) 2405 sec_level = conn->pending_sec_level; 2406 2407 if (sec_level > conn->sec_level) 2408 conn->pending_sec_level = sec_level; 2409 else if (test_bit(HCI_CONN_AUTH, &conn->flags)) 2410 return 1; 2411 2412 /* Make sure we preserve an existing MITM requirement*/ 2413 auth_type |= (conn->auth_type & 0x01); 2414 2415 conn->auth_type = auth_type; 2416 2417 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2418 struct hci_cp_auth_requested cp; 2419 2420 cp.handle = cpu_to_le16(conn->handle); 2421 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED, 2422 sizeof(cp), &cp); 2423 2424 /* If we're already encrypted set the REAUTH_PEND flag, 2425 * otherwise set the ENCRYPT_PEND. 2426 */ 2427 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2428 set_bit(HCI_CONN_REAUTH_PEND, &conn->flags); 2429 else 2430 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2431 } 2432 2433 return 0; 2434 } 2435 2436 /* Encrypt the link */ 2437 static void hci_conn_encrypt(struct hci_conn *conn) 2438 { 2439 BT_DBG("hcon %p", conn); 2440 2441 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 2442 struct hci_cp_set_conn_encrypt cp; 2443 cp.handle = cpu_to_le16(conn->handle); 2444 cp.encrypt = 0x01; 2445 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2446 &cp); 2447 } 2448 } 2449 2450 /* Enable security */ 2451 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type, 2452 bool initiator) 2453 { 2454 BT_DBG("hcon %p", conn); 2455 2456 if (conn->type == LE_LINK) 2457 return smp_conn_security(conn, sec_level); 2458 2459 /* For sdp we don't need the link key. */ 2460 if (sec_level == BT_SECURITY_SDP) 2461 return 1; 2462 2463 /* For non 2.1 devices and low security level we don't need the link 2464 key. */ 2465 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn)) 2466 return 1; 2467 2468 /* For other security levels we need the link key. */ 2469 if (!test_bit(HCI_CONN_AUTH, &conn->flags)) 2470 goto auth; 2471 2472 switch (conn->key_type) { 2473 case HCI_LK_AUTH_COMBINATION_P256: 2474 /* An authenticated FIPS approved combination key has 2475 * sufficient security for security level 4 or lower. 2476 */ 2477 if (sec_level <= BT_SECURITY_FIPS) 2478 goto encrypt; 2479 break; 2480 case HCI_LK_AUTH_COMBINATION_P192: 2481 /* An authenticated combination key has sufficient security for 2482 * security level 3 or lower. 2483 */ 2484 if (sec_level <= BT_SECURITY_HIGH) 2485 goto encrypt; 2486 break; 2487 case HCI_LK_UNAUTH_COMBINATION_P192: 2488 case HCI_LK_UNAUTH_COMBINATION_P256: 2489 /* An unauthenticated combination key has sufficient security 2490 * for security level 2 or lower. 2491 */ 2492 if (sec_level <= BT_SECURITY_MEDIUM) 2493 goto encrypt; 2494 break; 2495 case HCI_LK_COMBINATION: 2496 /* A combination key has always sufficient security for the 2497 * security levels 2 or lower. High security level requires the 2498 * combination key is generated using maximum PIN code length 2499 * (16). For pre 2.1 units. 2500 */ 2501 if (sec_level <= BT_SECURITY_MEDIUM || conn->pin_length == 16) 2502 goto encrypt; 2503 break; 2504 default: 2505 break; 2506 } 2507 2508 auth: 2509 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) 2510 return 0; 2511 2512 if (initiator) 2513 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2514 2515 if (!hci_conn_auth(conn, sec_level, auth_type)) 2516 return 0; 2517 2518 encrypt: 2519 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) { 2520 /* Ensure that the encryption key size has been read, 2521 * otherwise stall the upper layer responses. 2522 */ 2523 if (!conn->enc_key_size) 2524 return 0; 2525 2526 /* Nothing else needed, all requirements are met */ 2527 return 1; 2528 } 2529 2530 hci_conn_encrypt(conn); 2531 return 0; 2532 } 2533 EXPORT_SYMBOL(hci_conn_security); 2534 2535 /* Check secure link requirement */ 2536 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level) 2537 { 2538 BT_DBG("hcon %p", conn); 2539 2540 /* Accept if non-secure or higher security level is required */ 2541 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS) 2542 return 1; 2543 2544 /* Accept if secure or higher security level is already present */ 2545 if (conn->sec_level == BT_SECURITY_HIGH || 2546 conn->sec_level == BT_SECURITY_FIPS) 2547 return 1; 2548 2549 /* Reject not secure link */ 2550 return 0; 2551 } 2552 EXPORT_SYMBOL(hci_conn_check_secure); 2553 2554 /* Switch role */ 2555 int hci_conn_switch_role(struct hci_conn *conn, __u8 role) 2556 { 2557 BT_DBG("hcon %p", conn); 2558 2559 if (role == conn->role) 2560 return 1; 2561 2562 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) { 2563 struct hci_cp_switch_role cp; 2564 bacpy(&cp.bdaddr, &conn->dst); 2565 cp.role = role; 2566 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp); 2567 } 2568 2569 return 0; 2570 } 2571 EXPORT_SYMBOL(hci_conn_switch_role); 2572 2573 /* Enter active mode */ 2574 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active) 2575 { 2576 struct hci_dev *hdev = conn->hdev; 2577 2578 BT_DBG("hcon %p mode %d", conn, conn->mode); 2579 2580 if (conn->mode != HCI_CM_SNIFF) 2581 goto timer; 2582 2583 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active) 2584 goto timer; 2585 2586 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) { 2587 struct hci_cp_exit_sniff_mode cp; 2588 cp.handle = cpu_to_le16(conn->handle); 2589 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp); 2590 } 2591 2592 timer: 2593 if (hdev->idle_timeout > 0) 2594 queue_delayed_work(hdev->workqueue, &conn->idle_work, 2595 msecs_to_jiffies(hdev->idle_timeout)); 2596 } 2597 2598 /* Drop all connection on the device */ 2599 void hci_conn_hash_flush(struct hci_dev *hdev) 2600 { 2601 struct list_head *head = &hdev->conn_hash.list; 2602 struct hci_conn *conn; 2603 2604 BT_DBG("hdev %s", hdev->name); 2605 2606 /* We should not traverse the list here, because hci_conn_del 2607 * can remove extra links, which may cause the list traversal 2608 * to hit items that have already been released. 2609 */ 2610 while ((conn = list_first_entry_or_null(head, 2611 struct hci_conn, 2612 list)) != NULL) { 2613 conn->state = BT_CLOSED; 2614 hci_disconn_cfm(conn, HCI_ERROR_LOCAL_HOST_TERM); 2615 hci_conn_del(conn); 2616 } 2617 } 2618 2619 /* Check pending connect attempts */ 2620 void hci_conn_check_pending(struct hci_dev *hdev) 2621 { 2622 struct hci_conn *conn; 2623 2624 BT_DBG("hdev %s", hdev->name); 2625 2626 hci_dev_lock(hdev); 2627 2628 conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2); 2629 if (conn) 2630 hci_acl_create_connection(conn); 2631 2632 hci_dev_unlock(hdev); 2633 } 2634 2635 static u32 get_link_mode(struct hci_conn *conn) 2636 { 2637 u32 link_mode = 0; 2638 2639 if (conn->role == HCI_ROLE_MASTER) 2640 link_mode |= HCI_LM_MASTER; 2641 2642 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2643 link_mode |= HCI_LM_ENCRYPT; 2644 2645 if (test_bit(HCI_CONN_AUTH, &conn->flags)) 2646 link_mode |= HCI_LM_AUTH; 2647 2648 if (test_bit(HCI_CONN_SECURE, &conn->flags)) 2649 link_mode |= HCI_LM_SECURE; 2650 2651 if (test_bit(HCI_CONN_FIPS, &conn->flags)) 2652 link_mode |= HCI_LM_FIPS; 2653 2654 return link_mode; 2655 } 2656 2657 int hci_get_conn_list(void __user *arg) 2658 { 2659 struct hci_conn *c; 2660 struct hci_conn_list_req req, *cl; 2661 struct hci_conn_info *ci; 2662 struct hci_dev *hdev; 2663 int n = 0, size, err; 2664 2665 if (copy_from_user(&req, arg, sizeof(req))) 2666 return -EFAULT; 2667 2668 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci)) 2669 return -EINVAL; 2670 2671 size = sizeof(req) + req.conn_num * sizeof(*ci); 2672 2673 cl = kmalloc(size, GFP_KERNEL); 2674 if (!cl) 2675 return -ENOMEM; 2676 2677 hdev = hci_dev_get(req.dev_id); 2678 if (!hdev) { 2679 kfree(cl); 2680 return -ENODEV; 2681 } 2682 2683 ci = cl->conn_info; 2684 2685 hci_dev_lock(hdev); 2686 list_for_each_entry(c, &hdev->conn_hash.list, list) { 2687 bacpy(&(ci + n)->bdaddr, &c->dst); 2688 (ci + n)->handle = c->handle; 2689 (ci + n)->type = c->type; 2690 (ci + n)->out = c->out; 2691 (ci + n)->state = c->state; 2692 (ci + n)->link_mode = get_link_mode(c); 2693 if (++n >= req.conn_num) 2694 break; 2695 } 2696 hci_dev_unlock(hdev); 2697 2698 cl->dev_id = hdev->id; 2699 cl->conn_num = n; 2700 size = sizeof(req) + n * sizeof(*ci); 2701 2702 hci_dev_put(hdev); 2703 2704 err = copy_to_user(arg, cl, size); 2705 kfree(cl); 2706 2707 return err ? -EFAULT : 0; 2708 } 2709 2710 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg) 2711 { 2712 struct hci_conn_info_req req; 2713 struct hci_conn_info ci; 2714 struct hci_conn *conn; 2715 char __user *ptr = arg + sizeof(req); 2716 2717 if (copy_from_user(&req, arg, sizeof(req))) 2718 return -EFAULT; 2719 2720 hci_dev_lock(hdev); 2721 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr); 2722 if (conn) { 2723 bacpy(&ci.bdaddr, &conn->dst); 2724 ci.handle = conn->handle; 2725 ci.type = conn->type; 2726 ci.out = conn->out; 2727 ci.state = conn->state; 2728 ci.link_mode = get_link_mode(conn); 2729 } 2730 hci_dev_unlock(hdev); 2731 2732 if (!conn) 2733 return -ENOENT; 2734 2735 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0; 2736 } 2737 2738 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg) 2739 { 2740 struct hci_auth_info_req req; 2741 struct hci_conn *conn; 2742 2743 if (copy_from_user(&req, arg, sizeof(req))) 2744 return -EFAULT; 2745 2746 hci_dev_lock(hdev); 2747 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr); 2748 if (conn) 2749 req.type = conn->auth_type; 2750 hci_dev_unlock(hdev); 2751 2752 if (!conn) 2753 return -ENOENT; 2754 2755 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0; 2756 } 2757 2758 struct hci_chan *hci_chan_create(struct hci_conn *conn) 2759 { 2760 struct hci_dev *hdev = conn->hdev; 2761 struct hci_chan *chan; 2762 2763 BT_DBG("%s hcon %p", hdev->name, conn); 2764 2765 if (test_bit(HCI_CONN_DROP, &conn->flags)) { 2766 BT_DBG("Refusing to create new hci_chan"); 2767 return NULL; 2768 } 2769 2770 chan = kzalloc(sizeof(*chan), GFP_KERNEL); 2771 if (!chan) 2772 return NULL; 2773 2774 chan->conn = hci_conn_get(conn); 2775 skb_queue_head_init(&chan->data_q); 2776 chan->state = BT_CONNECTED; 2777 2778 list_add_rcu(&chan->list, &conn->chan_list); 2779 2780 return chan; 2781 } 2782 2783 void hci_chan_del(struct hci_chan *chan) 2784 { 2785 struct hci_conn *conn = chan->conn; 2786 struct hci_dev *hdev = conn->hdev; 2787 2788 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan); 2789 2790 list_del_rcu(&chan->list); 2791 2792 synchronize_rcu(); 2793 2794 /* Prevent new hci_chan's to be created for this hci_conn */ 2795 set_bit(HCI_CONN_DROP, &conn->flags); 2796 2797 hci_conn_put(conn); 2798 2799 skb_queue_purge(&chan->data_q); 2800 kfree(chan); 2801 } 2802 2803 void hci_chan_list_flush(struct hci_conn *conn) 2804 { 2805 struct hci_chan *chan, *n; 2806 2807 BT_DBG("hcon %p", conn); 2808 2809 list_for_each_entry_safe(chan, n, &conn->chan_list, list) 2810 hci_chan_del(chan); 2811 } 2812 2813 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon, 2814 __u16 handle) 2815 { 2816 struct hci_chan *hchan; 2817 2818 list_for_each_entry(hchan, &hcon->chan_list, list) { 2819 if (hchan->handle == handle) 2820 return hchan; 2821 } 2822 2823 return NULL; 2824 } 2825 2826 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle) 2827 { 2828 struct hci_conn_hash *h = &hdev->conn_hash; 2829 struct hci_conn *hcon; 2830 struct hci_chan *hchan = NULL; 2831 2832 rcu_read_lock(); 2833 2834 list_for_each_entry_rcu(hcon, &h->list, list) { 2835 hchan = __hci_chan_lookup_handle(hcon, handle); 2836 if (hchan) 2837 break; 2838 } 2839 2840 rcu_read_unlock(); 2841 2842 return hchan; 2843 } 2844 2845 u32 hci_conn_get_phy(struct hci_conn *conn) 2846 { 2847 u32 phys = 0; 2848 2849 /* BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part B page 471: 2850 * Table 6.2: Packets defined for synchronous, asynchronous, and 2851 * CPB logical transport types. 2852 */ 2853 switch (conn->type) { 2854 case SCO_LINK: 2855 /* SCO logical transport (1 Mb/s): 2856 * HV1, HV2, HV3 and DV. 2857 */ 2858 phys |= BT_PHY_BR_1M_1SLOT; 2859 2860 break; 2861 2862 case ACL_LINK: 2863 /* ACL logical transport (1 Mb/s) ptt=0: 2864 * DH1, DM3, DH3, DM5 and DH5. 2865 */ 2866 phys |= BT_PHY_BR_1M_1SLOT; 2867 2868 if (conn->pkt_type & (HCI_DM3 | HCI_DH3)) 2869 phys |= BT_PHY_BR_1M_3SLOT; 2870 2871 if (conn->pkt_type & (HCI_DM5 | HCI_DH5)) 2872 phys |= BT_PHY_BR_1M_5SLOT; 2873 2874 /* ACL logical transport (2 Mb/s) ptt=1: 2875 * 2-DH1, 2-DH3 and 2-DH5. 2876 */ 2877 if (!(conn->pkt_type & HCI_2DH1)) 2878 phys |= BT_PHY_EDR_2M_1SLOT; 2879 2880 if (!(conn->pkt_type & HCI_2DH3)) 2881 phys |= BT_PHY_EDR_2M_3SLOT; 2882 2883 if (!(conn->pkt_type & HCI_2DH5)) 2884 phys |= BT_PHY_EDR_2M_5SLOT; 2885 2886 /* ACL logical transport (3 Mb/s) ptt=1: 2887 * 3-DH1, 3-DH3 and 3-DH5. 2888 */ 2889 if (!(conn->pkt_type & HCI_3DH1)) 2890 phys |= BT_PHY_EDR_3M_1SLOT; 2891 2892 if (!(conn->pkt_type & HCI_3DH3)) 2893 phys |= BT_PHY_EDR_3M_3SLOT; 2894 2895 if (!(conn->pkt_type & HCI_3DH5)) 2896 phys |= BT_PHY_EDR_3M_5SLOT; 2897 2898 break; 2899 2900 case ESCO_LINK: 2901 /* eSCO logical transport (1 Mb/s): EV3, EV4 and EV5 */ 2902 phys |= BT_PHY_BR_1M_1SLOT; 2903 2904 if (!(conn->pkt_type & (ESCO_EV4 | ESCO_EV5))) 2905 phys |= BT_PHY_BR_1M_3SLOT; 2906 2907 /* eSCO logical transport (2 Mb/s): 2-EV3, 2-EV5 */ 2908 if (!(conn->pkt_type & ESCO_2EV3)) 2909 phys |= BT_PHY_EDR_2M_1SLOT; 2910 2911 if (!(conn->pkt_type & ESCO_2EV5)) 2912 phys |= BT_PHY_EDR_2M_3SLOT; 2913 2914 /* eSCO logical transport (3 Mb/s): 3-EV3, 3-EV5 */ 2915 if (!(conn->pkt_type & ESCO_3EV3)) 2916 phys |= BT_PHY_EDR_3M_1SLOT; 2917 2918 if (!(conn->pkt_type & ESCO_3EV5)) 2919 phys |= BT_PHY_EDR_3M_3SLOT; 2920 2921 break; 2922 2923 case LE_LINK: 2924 if (conn->le_tx_phy & HCI_LE_SET_PHY_1M) 2925 phys |= BT_PHY_LE_1M_TX; 2926 2927 if (conn->le_rx_phy & HCI_LE_SET_PHY_1M) 2928 phys |= BT_PHY_LE_1M_RX; 2929 2930 if (conn->le_tx_phy & HCI_LE_SET_PHY_2M) 2931 phys |= BT_PHY_LE_2M_TX; 2932 2933 if (conn->le_rx_phy & HCI_LE_SET_PHY_2M) 2934 phys |= BT_PHY_LE_2M_RX; 2935 2936 if (conn->le_tx_phy & HCI_LE_SET_PHY_CODED) 2937 phys |= BT_PHY_LE_CODED_TX; 2938 2939 if (conn->le_rx_phy & HCI_LE_SET_PHY_CODED) 2940 phys |= BT_PHY_LE_CODED_RX; 2941 2942 break; 2943 } 2944 2945 return phys; 2946 } 2947 2948 static int abort_conn_sync(struct hci_dev *hdev, void *data) 2949 { 2950 struct hci_conn *conn; 2951 u16 handle = PTR_UINT(data); 2952 2953 conn = hci_conn_hash_lookup_handle(hdev, handle); 2954 if (!conn) 2955 return 0; 2956 2957 return hci_abort_conn_sync(hdev, conn, conn->abort_reason); 2958 } 2959 2960 int hci_abort_conn(struct hci_conn *conn, u8 reason) 2961 { 2962 struct hci_dev *hdev = conn->hdev; 2963 2964 /* If abort_reason has already been set it means the connection is 2965 * already being aborted so don't attempt to overwrite it. 2966 */ 2967 if (conn->abort_reason) 2968 return 0; 2969 2970 bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason); 2971 2972 conn->abort_reason = reason; 2973 2974 /* If the connection is pending check the command opcode since that 2975 * might be blocking on hci_cmd_sync_work while waiting its respective 2976 * event so we need to hci_cmd_sync_cancel to cancel it. 2977 * 2978 * hci_connect_le serializes the connection attempts so only one 2979 * connection can be in BT_CONNECT at time. 2980 */ 2981 if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) { 2982 switch (hci_skb_event(hdev->sent_cmd)) { 2983 case HCI_EV_LE_CONN_COMPLETE: 2984 case HCI_EV_LE_ENHANCED_CONN_COMPLETE: 2985 case HCI_EVT_LE_CIS_ESTABLISHED: 2986 hci_cmd_sync_cancel(hdev, -ECANCELED); 2987 break; 2988 } 2989 } 2990 2991 return hci_cmd_sync_queue(hdev, abort_conn_sync, UINT_PTR(conn->handle), 2992 NULL); 2993 } 2994