• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4 
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth HCI connection handling. */
26 
27 #include <linux/export.h>
28 #include <linux/debugfs.h>
29 
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/l2cap.h>
33 
34 #include "hci_request.h"
35 #include "smp.h"
36 #include "a2mp.h"
37 
38 struct sco_param {
39 	u16 pkt_type;
40 	u16 max_latency;
41 	u8  retrans_effort;
42 };
43 
44 static const struct sco_param esco_param_cvsd[] = {
45 	{ EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a,	0x01 }, /* S3 */
46 	{ EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007,	0x01 }, /* S2 */
47 	{ EDR_ESCO_MASK | ESCO_EV3,   0x0007,	0x01 }, /* S1 */
48 	{ EDR_ESCO_MASK | ESCO_HV3,   0xffff,	0x01 }, /* D1 */
49 	{ EDR_ESCO_MASK | ESCO_HV1,   0xffff,	0x01 }, /* D0 */
50 };
51 
52 static const struct sco_param sco_param_cvsd[] = {
53 	{ EDR_ESCO_MASK | ESCO_HV3,   0xffff,	0xff }, /* D1 */
54 	{ EDR_ESCO_MASK | ESCO_HV1,   0xffff,	0xff }, /* D0 */
55 };
56 
57 static const struct sco_param esco_param_msbc[] = {
58 	{ EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d,	0x02 }, /* T2 */
59 	{ EDR_ESCO_MASK | ESCO_EV3,   0x0008,	0x02 }, /* T1 */
60 };
61 
62 /* This function requires the caller holds hdev->lock */
hci_connect_le_scan_cleanup(struct hci_conn * conn)63 static void hci_connect_le_scan_cleanup(struct hci_conn *conn)
64 {
65 	struct hci_conn_params *params;
66 	struct hci_dev *hdev = conn->hdev;
67 	struct smp_irk *irk;
68 	bdaddr_t *bdaddr;
69 	u8 bdaddr_type;
70 
71 	bdaddr = &conn->dst;
72 	bdaddr_type = conn->dst_type;
73 
74 	/* Check if we need to convert to identity address */
75 	irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
76 	if (irk) {
77 		bdaddr = &irk->bdaddr;
78 		bdaddr_type = irk->addr_type;
79 	}
80 
81 	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr,
82 					   bdaddr_type);
83 	if (!params || !params->explicit_connect)
84 		return;
85 
86 	/* The connection attempt was doing scan for new RPA, and is
87 	 * in scan phase. If params are not associated with any other
88 	 * autoconnect action, remove them completely. If they are, just unmark
89 	 * them as waiting for connection, by clearing explicit_connect field.
90 	 */
91 	params->explicit_connect = false;
92 
93 	list_del_init(&params->action);
94 
95 	switch (params->auto_connect) {
96 	case HCI_AUTO_CONN_EXPLICIT:
97 		hci_conn_params_del(hdev, bdaddr, bdaddr_type);
98 		/* return instead of break to avoid duplicate scan update */
99 		return;
100 	case HCI_AUTO_CONN_DIRECT:
101 	case HCI_AUTO_CONN_ALWAYS:
102 		list_add(&params->action, &hdev->pend_le_conns);
103 		break;
104 	case HCI_AUTO_CONN_REPORT:
105 		list_add(&params->action, &hdev->pend_le_reports);
106 		break;
107 	default:
108 		break;
109 	}
110 
111 	hci_update_background_scan(hdev);
112 }
113 
hci_conn_cleanup(struct hci_conn * conn)114 static void hci_conn_cleanup(struct hci_conn *conn)
115 {
116 	struct hci_dev *hdev = conn->hdev;
117 
118 	if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
119 		hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);
120 
121 	hci_chan_list_flush(conn);
122 
123 	hci_conn_hash_del(hdev, conn);
124 
125 	if (hdev->notify)
126 		hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
127 
128 	debugfs_remove_recursive(conn->debugfs);
129 
130 	hci_conn_del_sysfs(conn);
131 
132 	hci_dev_put(hdev);
133 }
134 
le_scan_cleanup(struct work_struct * work)135 static void le_scan_cleanup(struct work_struct *work)
136 {
137 	struct hci_conn *conn = container_of(work, struct hci_conn,
138 					     le_scan_cleanup);
139 	struct hci_dev *hdev = conn->hdev;
140 	struct hci_conn *c = NULL;
141 
142 	BT_DBG("%s hcon %p", hdev->name, conn);
143 
144 	hci_dev_lock(hdev);
145 
146 	/* Check that the hci_conn is still around */
147 	rcu_read_lock();
148 	list_for_each_entry_rcu(c, &hdev->conn_hash.list, list) {
149 		if (c == conn)
150 			break;
151 	}
152 	rcu_read_unlock();
153 
154 	if (c == conn) {
155 		hci_connect_le_scan_cleanup(conn);
156 		hci_conn_cleanup(conn);
157 	}
158 
159 	hci_dev_unlock(hdev);
160 	hci_dev_put(hdev);
161 	hci_conn_put(conn);
162 }
163 
hci_connect_le_scan_remove(struct hci_conn * conn)164 static void hci_connect_le_scan_remove(struct hci_conn *conn)
165 {
166 	BT_DBG("%s hcon %p", conn->hdev->name, conn);
167 
168 	/* We can't call hci_conn_del/hci_conn_cleanup here since that
169 	 * could deadlock with another hci_conn_del() call that's holding
170 	 * hci_dev_lock and doing cancel_delayed_work_sync(&conn->disc_work).
171 	 * Instead, grab temporary extra references to the hci_dev and
172 	 * hci_conn and perform the necessary cleanup in a separate work
173 	 * callback.
174 	 */
175 
176 	hci_dev_hold(conn->hdev);
177 	hci_conn_get(conn);
178 
179 	/* Even though we hold a reference to the hdev, many other
180 	 * things might get cleaned up meanwhile, including the hdev's
181 	 * own workqueue, so we can't use that for scheduling.
182 	 */
183 	schedule_work(&conn->le_scan_cleanup);
184 }
185 
hci_acl_create_connection(struct hci_conn * conn)186 static void hci_acl_create_connection(struct hci_conn *conn)
187 {
188 	struct hci_dev *hdev = conn->hdev;
189 	struct inquiry_entry *ie;
190 	struct hci_cp_create_conn cp;
191 
192 	BT_DBG("hcon %p", conn);
193 
194 	conn->state = BT_CONNECT;
195 	conn->out = true;
196 	conn->role = HCI_ROLE_MASTER;
197 
198 	conn->attempt++;
199 
200 	conn->link_policy = hdev->link_policy;
201 
202 	memset(&cp, 0, sizeof(cp));
203 	bacpy(&cp.bdaddr, &conn->dst);
204 	cp.pscan_rep_mode = 0x02;
205 
206 	ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
207 	if (ie) {
208 		if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) {
209 			cp.pscan_rep_mode = ie->data.pscan_rep_mode;
210 			cp.pscan_mode     = ie->data.pscan_mode;
211 			cp.clock_offset   = ie->data.clock_offset |
212 					    cpu_to_le16(0x8000);
213 		}
214 
215 		memcpy(conn->dev_class, ie->data.dev_class, 3);
216 		if (ie->data.ssp_mode > 0)
217 			set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
218 	}
219 
220 	cp.pkt_type = cpu_to_le16(conn->pkt_type);
221 	if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER))
222 		cp.role_switch = 0x01;
223 	else
224 		cp.role_switch = 0x00;
225 
226 	hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
227 }
228 
hci_disconnect(struct hci_conn * conn,__u8 reason)229 int hci_disconnect(struct hci_conn *conn, __u8 reason)
230 {
231 	BT_DBG("hcon %p", conn);
232 
233 	/* When we are master of an established connection and it enters
234 	 * the disconnect timeout, then go ahead and try to read the
235 	 * current clock offset.  Processing of the result is done
236 	 * within the event handling and hci_clock_offset_evt function.
237 	 */
238 	if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER &&
239 	    (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) {
240 		struct hci_dev *hdev = conn->hdev;
241 		struct hci_cp_read_clock_offset clkoff_cp;
242 
243 		clkoff_cp.handle = cpu_to_le16(conn->handle);
244 		hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp),
245 			     &clkoff_cp);
246 	}
247 
248 	return hci_abort_conn(conn, reason);
249 }
250 
hci_add_sco(struct hci_conn * conn,__u16 handle)251 static void hci_add_sco(struct hci_conn *conn, __u16 handle)
252 {
253 	struct hci_dev *hdev = conn->hdev;
254 	struct hci_cp_add_sco cp;
255 
256 	BT_DBG("hcon %p", conn);
257 
258 	conn->state = BT_CONNECT;
259 	conn->out = true;
260 
261 	conn->attempt++;
262 
263 	cp.handle   = cpu_to_le16(handle);
264 	cp.pkt_type = cpu_to_le16(conn->pkt_type);
265 
266 	hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
267 }
268 
hci_setup_sync(struct hci_conn * conn,__u16 handle)269 bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
270 {
271 	struct hci_dev *hdev = conn->hdev;
272 	struct hci_cp_setup_sync_conn cp;
273 	const struct sco_param *param;
274 
275 	BT_DBG("hcon %p", conn);
276 
277 	conn->state = BT_CONNECT;
278 	conn->out = true;
279 
280 	conn->attempt++;
281 
282 	cp.handle   = cpu_to_le16(handle);
283 
284 	cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
285 	cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
286 	cp.voice_setting  = cpu_to_le16(conn->setting);
287 
288 	switch (conn->setting & SCO_AIRMODE_MASK) {
289 	case SCO_AIRMODE_TRANSP:
290 		if (conn->attempt > ARRAY_SIZE(esco_param_msbc))
291 			return false;
292 		param = &esco_param_msbc[conn->attempt - 1];
293 		break;
294 	case SCO_AIRMODE_CVSD:
295 		if (lmp_esco_capable(conn->link)) {
296 			if (conn->attempt > ARRAY_SIZE(esco_param_cvsd))
297 				return false;
298 			param = &esco_param_cvsd[conn->attempt - 1];
299 		} else {
300 			if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
301 				return false;
302 			param = &sco_param_cvsd[conn->attempt - 1];
303 		}
304 		break;
305 	default:
306 		return false;
307 	}
308 
309 	cp.retrans_effort = param->retrans_effort;
310 	cp.pkt_type = __cpu_to_le16(param->pkt_type);
311 	cp.max_latency = __cpu_to_le16(param->max_latency);
312 
313 	if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
314 		return false;
315 
316 	return true;
317 }
318 
hci_le_conn_update(struct hci_conn * conn,u16 min,u16 max,u16 latency,u16 to_multiplier)319 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
320 		      u16 to_multiplier)
321 {
322 	struct hci_dev *hdev = conn->hdev;
323 	struct hci_conn_params *params;
324 	struct hci_cp_le_conn_update cp;
325 
326 	hci_dev_lock(hdev);
327 
328 	params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
329 	if (params) {
330 		params->conn_min_interval = min;
331 		params->conn_max_interval = max;
332 		params->conn_latency = latency;
333 		params->supervision_timeout = to_multiplier;
334 	}
335 
336 	hci_dev_unlock(hdev);
337 
338 	memset(&cp, 0, sizeof(cp));
339 	cp.handle		= cpu_to_le16(conn->handle);
340 	cp.conn_interval_min	= cpu_to_le16(min);
341 	cp.conn_interval_max	= cpu_to_le16(max);
342 	cp.conn_latency		= cpu_to_le16(latency);
343 	cp.supervision_timeout	= cpu_to_le16(to_multiplier);
344 	cp.min_ce_len		= cpu_to_le16(0x0000);
345 	cp.max_ce_len		= cpu_to_le16(0x0000);
346 
347 	hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
348 
349 	if (params)
350 		return 0x01;
351 
352 	return 0x00;
353 }
354 
hci_le_start_enc(struct hci_conn * conn,__le16 ediv,__le64 rand,__u8 ltk[16],__u8 key_size)355 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
356 		      __u8 ltk[16], __u8 key_size)
357 {
358 	struct hci_dev *hdev = conn->hdev;
359 	struct hci_cp_le_start_enc cp;
360 
361 	BT_DBG("hcon %p", conn);
362 
363 	memset(&cp, 0, sizeof(cp));
364 
365 	cp.handle = cpu_to_le16(conn->handle);
366 	cp.rand = rand;
367 	cp.ediv = ediv;
368 	memcpy(cp.ltk, ltk, key_size);
369 
370 	hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
371 }
372 
373 /* Device _must_ be locked */
hci_sco_setup(struct hci_conn * conn,__u8 status)374 void hci_sco_setup(struct hci_conn *conn, __u8 status)
375 {
376 	struct hci_conn *sco = conn->link;
377 
378 	if (!sco)
379 		return;
380 
381 	BT_DBG("hcon %p", conn);
382 
383 	if (!status) {
384 		if (lmp_esco_capable(conn->hdev))
385 			hci_setup_sync(sco, conn->handle);
386 		else
387 			hci_add_sco(sco, conn->handle);
388 	} else {
389 		hci_connect_cfm(sco, status);
390 		hci_conn_del(sco);
391 	}
392 }
393 
hci_conn_timeout(struct work_struct * work)394 static void hci_conn_timeout(struct work_struct *work)
395 {
396 	struct hci_conn *conn = container_of(work, struct hci_conn,
397 					     disc_work.work);
398 	int refcnt = atomic_read(&conn->refcnt);
399 
400 	BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
401 
402 	WARN_ON(refcnt < 0);
403 
404 	/* FIXME: It was observed that in pairing failed scenario, refcnt
405 	 * drops below 0. Probably this is because l2cap_conn_del calls
406 	 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
407 	 * dropped. After that loop hci_chan_del is called which also drops
408 	 * conn. For now make sure that ACL is alive if refcnt is higher then 0,
409 	 * otherwise drop it.
410 	 */
411 	if (refcnt > 0)
412 		return;
413 
414 	/* LE connections in scanning state need special handling */
415 	if (conn->state == BT_CONNECT && conn->type == LE_LINK &&
416 	    test_bit(HCI_CONN_SCANNING, &conn->flags)) {
417 		hci_connect_le_scan_remove(conn);
418 		return;
419 	}
420 
421 	hci_abort_conn(conn, hci_proto_disconn_ind(conn));
422 }
423 
424 /* Enter sniff mode */
hci_conn_idle(struct work_struct * work)425 static void hci_conn_idle(struct work_struct *work)
426 {
427 	struct hci_conn *conn = container_of(work, struct hci_conn,
428 					     idle_work.work);
429 	struct hci_dev *hdev = conn->hdev;
430 
431 	BT_DBG("hcon %p mode %d", conn, conn->mode);
432 
433 	if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
434 		return;
435 
436 	if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
437 		return;
438 
439 	if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
440 		struct hci_cp_sniff_subrate cp;
441 		cp.handle             = cpu_to_le16(conn->handle);
442 		cp.max_latency        = cpu_to_le16(0);
443 		cp.min_remote_timeout = cpu_to_le16(0);
444 		cp.min_local_timeout  = cpu_to_le16(0);
445 		hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
446 	}
447 
448 	if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
449 		struct hci_cp_sniff_mode cp;
450 		cp.handle       = cpu_to_le16(conn->handle);
451 		cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
452 		cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
453 		cp.attempt      = cpu_to_le16(4);
454 		cp.timeout      = cpu_to_le16(1);
455 		hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
456 	}
457 }
458 
hci_conn_auto_accept(struct work_struct * work)459 static void hci_conn_auto_accept(struct work_struct *work)
460 {
461 	struct hci_conn *conn = container_of(work, struct hci_conn,
462 					     auto_accept_work.work);
463 
464 	hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
465 		     &conn->dst);
466 }
467 
le_conn_timeout(struct work_struct * work)468 static void le_conn_timeout(struct work_struct *work)
469 {
470 	struct hci_conn *conn = container_of(work, struct hci_conn,
471 					     le_conn_timeout.work);
472 	struct hci_dev *hdev = conn->hdev;
473 
474 	BT_DBG("");
475 
476 	/* We could end up here due to having done directed advertising,
477 	 * so clean up the state if necessary. This should however only
478 	 * happen with broken hardware or if low duty cycle was used
479 	 * (which doesn't have a timeout of its own).
480 	 */
481 	if (conn->role == HCI_ROLE_SLAVE) {
482 		u8 enable = 0x00;
483 		hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
484 			     &enable);
485 		hci_le_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
486 		return;
487 	}
488 
489 	hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
490 }
491 
hci_conn_add(struct hci_dev * hdev,int type,bdaddr_t * dst,u8 role)492 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
493 			      u8 role)
494 {
495 	struct hci_conn *conn;
496 
497 	BT_DBG("%s dst %pMR", hdev->name, dst);
498 
499 	conn = kzalloc(sizeof(*conn), GFP_KERNEL);
500 	if (!conn)
501 		return NULL;
502 
503 	bacpy(&conn->dst, dst);
504 	bacpy(&conn->src, &hdev->bdaddr);
505 	conn->hdev  = hdev;
506 	conn->type  = type;
507 	conn->role  = role;
508 	conn->mode  = HCI_CM_ACTIVE;
509 	conn->state = BT_OPEN;
510 	conn->auth_type = HCI_AT_GENERAL_BONDING;
511 	conn->io_capability = hdev->io_capability;
512 	conn->remote_auth = 0xff;
513 	conn->key_type = 0xff;
514 	conn->rssi = HCI_RSSI_INVALID;
515 	conn->tx_power = HCI_TX_POWER_INVALID;
516 	conn->max_tx_power = HCI_TX_POWER_INVALID;
517 
518 	set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
519 	conn->disc_timeout = HCI_DISCONN_TIMEOUT;
520 
521 	/* Set Default Authenticated payload timeout to 30s */
522 	conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
523 
524 	if (conn->role == HCI_ROLE_MASTER)
525 		conn->out = true;
526 
527 	switch (type) {
528 	case ACL_LINK:
529 		conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
530 		break;
531 	case LE_LINK:
532 		/* conn->src should reflect the local identity address */
533 		hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
534 		break;
535 	case SCO_LINK:
536 		if (lmp_esco_capable(hdev))
537 			conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
538 					(hdev->esco_type & EDR_ESCO_MASK);
539 		else
540 			conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
541 		break;
542 	case ESCO_LINK:
543 		conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
544 		break;
545 	}
546 
547 	skb_queue_head_init(&conn->data_q);
548 
549 	INIT_LIST_HEAD(&conn->chan_list);
550 
551 	INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
552 	INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
553 	INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
554 	INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
555 	INIT_WORK(&conn->le_scan_cleanup, le_scan_cleanup);
556 
557 	atomic_set(&conn->refcnt, 0);
558 
559 	hci_dev_hold(hdev);
560 
561 	hci_conn_hash_add(hdev, conn);
562 	if (hdev->notify)
563 		hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
564 
565 	hci_conn_init_sysfs(conn);
566 
567 	return conn;
568 }
569 
hci_conn_del(struct hci_conn * conn)570 int hci_conn_del(struct hci_conn *conn)
571 {
572 	struct hci_dev *hdev = conn->hdev;
573 
574 	BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
575 
576 	cancel_delayed_work_sync(&conn->disc_work);
577 	cancel_delayed_work_sync(&conn->auto_accept_work);
578 	cancel_delayed_work_sync(&conn->idle_work);
579 
580 	if (conn->type == ACL_LINK) {
581 		struct hci_conn *sco = conn->link;
582 		if (sco)
583 			sco->link = NULL;
584 
585 		/* Unacked frames */
586 		hdev->acl_cnt += conn->sent;
587 	} else if (conn->type == LE_LINK) {
588 		cancel_delayed_work(&conn->le_conn_timeout);
589 
590 		if (hdev->le_pkts)
591 			hdev->le_cnt += conn->sent;
592 		else
593 			hdev->acl_cnt += conn->sent;
594 	} else {
595 		struct hci_conn *acl = conn->link;
596 		if (acl) {
597 			acl->link = NULL;
598 			hci_conn_drop(acl);
599 		}
600 	}
601 
602 	if (conn->amp_mgr)
603 		amp_mgr_put(conn->amp_mgr);
604 
605 	skb_queue_purge(&conn->data_q);
606 
607 	/* Remove the connection from the list and cleanup its remaining
608 	 * state. This is a separate function since for some cases like
609 	 * BT_CONNECT_SCAN we *only* want the cleanup part without the
610 	 * rest of hci_conn_del.
611 	 */
612 	hci_conn_cleanup(conn);
613 
614 	return 0;
615 }
616 
hci_get_route(bdaddr_t * dst,bdaddr_t * src,uint8_t src_type)617 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type)
618 {
619 	int use_src = bacmp(src, BDADDR_ANY);
620 	struct hci_dev *hdev = NULL, *d;
621 
622 	BT_DBG("%pMR -> %pMR", src, dst);
623 
624 	read_lock(&hci_dev_list_lock);
625 
626 	list_for_each_entry(d, &hci_dev_list, list) {
627 		if (!test_bit(HCI_UP, &d->flags) ||
628 		    hci_dev_test_flag(d, HCI_USER_CHANNEL) ||
629 		    d->dev_type != HCI_PRIMARY)
630 			continue;
631 
632 		/* Simple routing:
633 		 *   No source address - find interface with bdaddr != dst
634 		 *   Source address    - find interface with bdaddr == src
635 		 */
636 
637 		if (use_src) {
638 			bdaddr_t id_addr;
639 			u8 id_addr_type;
640 
641 			if (src_type == BDADDR_BREDR) {
642 				if (!lmp_bredr_capable(d))
643 					continue;
644 				bacpy(&id_addr, &d->bdaddr);
645 				id_addr_type = BDADDR_BREDR;
646 			} else {
647 				if (!lmp_le_capable(d))
648 					continue;
649 
650 				hci_copy_identity_address(d, &id_addr,
651 							  &id_addr_type);
652 
653 				/* Convert from HCI to three-value type */
654 				if (id_addr_type == ADDR_LE_DEV_PUBLIC)
655 					id_addr_type = BDADDR_LE_PUBLIC;
656 				else
657 					id_addr_type = BDADDR_LE_RANDOM;
658 			}
659 
660 			if (!bacmp(&id_addr, src) && id_addr_type == src_type) {
661 				hdev = d; break;
662 			}
663 		} else {
664 			if (bacmp(&d->bdaddr, dst)) {
665 				hdev = d; break;
666 			}
667 		}
668 	}
669 
670 	if (hdev)
671 		hdev = hci_dev_hold(hdev);
672 
673 	read_unlock(&hci_dev_list_lock);
674 	return hdev;
675 }
676 EXPORT_SYMBOL(hci_get_route);
677 
678 /* This function requires the caller holds hdev->lock */
hci_le_conn_failed(struct hci_conn * conn,u8 status)679 void hci_le_conn_failed(struct hci_conn *conn, u8 status)
680 {
681 	struct hci_dev *hdev = conn->hdev;
682 	struct hci_conn_params *params;
683 
684 	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
685 					   conn->dst_type);
686 	if (params && params->conn) {
687 		hci_conn_drop(params->conn);
688 		hci_conn_put(params->conn);
689 		params->conn = NULL;
690 	}
691 
692 	conn->state = BT_CLOSED;
693 
694 	/* If the status indicates successful cancellation of
695 	 * the attempt (i.e. Unkown Connection Id) there's no point of
696 	 * notifying failure since we'll go back to keep trying to
697 	 * connect. The only exception is explicit connect requests
698 	 * where a timeout + cancel does indicate an actual failure.
699 	 */
700 	if (status != HCI_ERROR_UNKNOWN_CONN_ID ||
701 	    (params && params->explicit_connect))
702 		mgmt_connect_failed(hdev, &conn->dst, conn->type,
703 				    conn->dst_type, status);
704 
705 	hci_connect_cfm(conn, status);
706 
707 	hci_conn_del(conn);
708 
709 	/* Since we may have temporarily stopped the background scanning in
710 	 * favor of connection establishment, we should restart it.
711 	 */
712 	hci_update_background_scan(hdev);
713 
714 	/* Re-enable advertising in case this was a failed connection
715 	 * attempt as a peripheral.
716 	 */
717 	hci_req_reenable_advertising(hdev);
718 }
719 
create_le_conn_complete(struct hci_dev * hdev,u8 status,u16 opcode)720 static void create_le_conn_complete(struct hci_dev *hdev, u8 status, u16 opcode)
721 {
722 	struct hci_conn *conn;
723 
724 	hci_dev_lock(hdev);
725 
726 	conn = hci_lookup_le_connect(hdev);
727 
728 	if (!status) {
729 		hci_connect_le_scan_cleanup(conn);
730 		goto done;
731 	}
732 
733 	bt_dev_err(hdev, "request failed to create LE connection: "
734 		   "status 0x%2.2x", status);
735 
736 	if (!conn)
737 		goto done;
738 
739 	hci_le_conn_failed(conn, status);
740 
741 done:
742 	hci_dev_unlock(hdev);
743 }
744 
conn_use_rpa(struct hci_conn * conn)745 static bool conn_use_rpa(struct hci_conn *conn)
746 {
747 	struct hci_dev *hdev = conn->hdev;
748 
749 	return hci_dev_test_flag(hdev, HCI_PRIVACY);
750 }
751 
set_ext_conn_params(struct hci_conn * conn,struct hci_cp_le_ext_conn_param * p)752 static void set_ext_conn_params(struct hci_conn *conn,
753 				struct hci_cp_le_ext_conn_param *p)
754 {
755 	struct hci_dev *hdev = conn->hdev;
756 
757 	memset(p, 0, sizeof(*p));
758 
759 	/* Set window to be the same value as the interval to
760 	 * enable continuous scanning.
761 	 */
762 	p->scan_interval = cpu_to_le16(hdev->le_scan_interval);
763 	p->scan_window = p->scan_interval;
764 	p->conn_interval_min = cpu_to_le16(conn->le_conn_min_interval);
765 	p->conn_interval_max = cpu_to_le16(conn->le_conn_max_interval);
766 	p->conn_latency = cpu_to_le16(conn->le_conn_latency);
767 	p->supervision_timeout = cpu_to_le16(conn->le_supv_timeout);
768 	p->min_ce_len = cpu_to_le16(0x0000);
769 	p->max_ce_len = cpu_to_le16(0x0000);
770 }
771 
hci_req_add_le_create_conn(struct hci_request * req,struct hci_conn * conn,bdaddr_t * direct_rpa)772 static void hci_req_add_le_create_conn(struct hci_request *req,
773 				       struct hci_conn *conn,
774 				       bdaddr_t *direct_rpa)
775 {
776 	struct hci_dev *hdev = conn->hdev;
777 	u8 own_addr_type;
778 
779 	/* If direct address was provided we use it instead of current
780 	 * address.
781 	 */
782 	if (direct_rpa) {
783 		if (bacmp(&req->hdev->random_addr, direct_rpa))
784 			hci_req_add(req, HCI_OP_LE_SET_RANDOM_ADDR, 6,
785 								direct_rpa);
786 
787 		/* direct address is always RPA */
788 		own_addr_type = ADDR_LE_DEV_RANDOM;
789 	} else {
790 		/* Update random address, but set require_privacy to false so
791 		 * that we never connect with an non-resolvable address.
792 		 */
793 		if (hci_update_random_address(req, false, conn_use_rpa(conn),
794 					      &own_addr_type))
795 			return;
796 	}
797 
798 	if (use_ext_conn(hdev)) {
799 		struct hci_cp_le_ext_create_conn *cp;
800 		struct hci_cp_le_ext_conn_param *p;
801 		u8 data[sizeof(*cp) + sizeof(*p) * 3];
802 		u32 plen;
803 
804 		cp = (void *) data;
805 		p = (void *) cp->data;
806 
807 		memset(cp, 0, sizeof(*cp));
808 
809 		bacpy(&cp->peer_addr, &conn->dst);
810 		cp->peer_addr_type = conn->dst_type;
811 		cp->own_addr_type = own_addr_type;
812 
813 		plen = sizeof(*cp);
814 
815 		if (scan_1m(hdev)) {
816 			cp->phys |= LE_SCAN_PHY_1M;
817 			set_ext_conn_params(conn, p);
818 
819 			p++;
820 			plen += sizeof(*p);
821 		}
822 
823 		if (scan_2m(hdev)) {
824 			cp->phys |= LE_SCAN_PHY_2M;
825 			set_ext_conn_params(conn, p);
826 
827 			p++;
828 			plen += sizeof(*p);
829 		}
830 
831 		if (scan_coded(hdev)) {
832 			cp->phys |= LE_SCAN_PHY_CODED;
833 			set_ext_conn_params(conn, p);
834 
835 			plen += sizeof(*p);
836 		}
837 
838 		hci_req_add(req, HCI_OP_LE_EXT_CREATE_CONN, plen, data);
839 
840 	} else {
841 		struct hci_cp_le_create_conn cp;
842 
843 		memset(&cp, 0, sizeof(cp));
844 
845 		/* Set window to be the same value as the interval to enable
846 		 * continuous scanning.
847 		 */
848 		cp.scan_interval = cpu_to_le16(hdev->le_scan_interval);
849 		cp.scan_window = cp.scan_interval;
850 
851 		bacpy(&cp.peer_addr, &conn->dst);
852 		cp.peer_addr_type = conn->dst_type;
853 		cp.own_address_type = own_addr_type;
854 		cp.conn_interval_min = cpu_to_le16(conn->le_conn_min_interval);
855 		cp.conn_interval_max = cpu_to_le16(conn->le_conn_max_interval);
856 		cp.conn_latency = cpu_to_le16(conn->le_conn_latency);
857 		cp.supervision_timeout = cpu_to_le16(conn->le_supv_timeout);
858 		cp.min_ce_len = cpu_to_le16(0x0000);
859 		cp.max_ce_len = cpu_to_le16(0x0000);
860 
861 		hci_req_add(req, HCI_OP_LE_CREATE_CONN, sizeof(cp), &cp);
862 	}
863 
864 	conn->state = BT_CONNECT;
865 	clear_bit(HCI_CONN_SCANNING, &conn->flags);
866 }
867 
hci_req_directed_advertising(struct hci_request * req,struct hci_conn * conn)868 static void hci_req_directed_advertising(struct hci_request *req,
869 					 struct hci_conn *conn)
870 {
871 	struct hci_dev *hdev = req->hdev;
872 	u8 own_addr_type;
873 	u8 enable;
874 
875 	if (ext_adv_capable(hdev)) {
876 		struct hci_cp_le_set_ext_adv_params cp;
877 		bdaddr_t random_addr;
878 
879 		/* Set require_privacy to false so that the remote device has a
880 		 * chance of identifying us.
881 		 */
882 		if (hci_get_random_address(hdev, false, conn_use_rpa(conn), NULL,
883 					   &own_addr_type, &random_addr) < 0)
884 			return;
885 
886 		memset(&cp, 0, sizeof(cp));
887 
888 		cp.evt_properties = cpu_to_le16(LE_LEGACY_ADV_DIRECT_IND);
889 		cp.own_addr_type = own_addr_type;
890 		cp.channel_map = hdev->le_adv_channel_map;
891 		cp.tx_power = HCI_TX_POWER_INVALID;
892 		cp.primary_phy = HCI_ADV_PHY_1M;
893 		cp.secondary_phy = HCI_ADV_PHY_1M;
894 		cp.handle = 0; /* Use instance 0 for directed adv */
895 		cp.own_addr_type = own_addr_type;
896 		cp.peer_addr_type = conn->dst_type;
897 		bacpy(&cp.peer_addr, &conn->dst);
898 
899 		hci_req_add(req, HCI_OP_LE_SET_EXT_ADV_PARAMS, sizeof(cp), &cp);
900 
901 		if (own_addr_type == ADDR_LE_DEV_RANDOM &&
902 		    bacmp(&random_addr, BDADDR_ANY) &&
903 		    bacmp(&random_addr, &hdev->random_addr)) {
904 			struct hci_cp_le_set_adv_set_rand_addr cp;
905 
906 			memset(&cp, 0, sizeof(cp));
907 
908 			cp.handle = 0;
909 			bacpy(&cp.bdaddr, &random_addr);
910 
911 			hci_req_add(req,
912 				    HCI_OP_LE_SET_ADV_SET_RAND_ADDR,
913 				    sizeof(cp), &cp);
914 		}
915 
916 		__hci_req_enable_ext_advertising(req, 0x00);
917 	} else {
918 		struct hci_cp_le_set_adv_param cp;
919 
920 		/* Clear the HCI_LE_ADV bit temporarily so that the
921 		 * hci_update_random_address knows that it's safe to go ahead
922 		 * and write a new random address. The flag will be set back on
923 		 * as soon as the SET_ADV_ENABLE HCI command completes.
924 		 */
925 		hci_dev_clear_flag(hdev, HCI_LE_ADV);
926 
927 		/* Set require_privacy to false so that the remote device has a
928 		 * chance of identifying us.
929 		 */
930 		if (hci_update_random_address(req, false, conn_use_rpa(conn),
931 					      &own_addr_type) < 0)
932 			return;
933 
934 		memset(&cp, 0, sizeof(cp));
935 
936 		/* Some controllers might reject command if intervals are not
937 		 * within range for undirected advertising.
938 		 * BCM20702A0 is known to be affected by this.
939 		 */
940 		cp.min_interval = cpu_to_le16(0x0020);
941 		cp.max_interval = cpu_to_le16(0x0020);
942 
943 		cp.type = LE_ADV_DIRECT_IND;
944 		cp.own_address_type = own_addr_type;
945 		cp.direct_addr_type = conn->dst_type;
946 		bacpy(&cp.direct_addr, &conn->dst);
947 		cp.channel_map = hdev->le_adv_channel_map;
948 
949 		hci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp);
950 
951 		enable = 0x01;
952 		hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
953 			    &enable);
954 	}
955 
956 	conn->state = BT_CONNECT;
957 }
958 
hci_connect_le(struct hci_dev * hdev,bdaddr_t * dst,u8 dst_type,u8 sec_level,u16 conn_timeout,u8 role,bdaddr_t * direct_rpa)959 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
960 				u8 dst_type, u8 sec_level, u16 conn_timeout,
961 				u8 role, bdaddr_t *direct_rpa)
962 {
963 	struct hci_conn_params *params;
964 	struct hci_conn *conn;
965 	struct smp_irk *irk;
966 	struct hci_request req;
967 	int err;
968 
969 	/* Let's make sure that le is enabled.*/
970 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
971 		if (lmp_le_capable(hdev))
972 			return ERR_PTR(-ECONNREFUSED);
973 
974 		return ERR_PTR(-EOPNOTSUPP);
975 	}
976 
977 	/* Since the controller supports only one LE connection attempt at a
978 	 * time, we return -EBUSY if there is any connection attempt running.
979 	 */
980 	if (hci_lookup_le_connect(hdev))
981 		return ERR_PTR(-EBUSY);
982 
983 	/* If there's already a connection object but it's not in
984 	 * scanning state it means it must already be established, in
985 	 * which case we can't do anything else except report a failure
986 	 * to connect.
987 	 */
988 	conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
989 	if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) {
990 		return ERR_PTR(-EBUSY);
991 	}
992 
993 	/* When given an identity address with existing identity
994 	 * resolving key, the connection needs to be established
995 	 * to a resolvable random address.
996 	 *
997 	 * Storing the resolvable random address is required here
998 	 * to handle connection failures. The address will later
999 	 * be resolved back into the original identity address
1000 	 * from the connect request.
1001 	 */
1002 	irk = hci_find_irk_by_addr(hdev, dst, dst_type);
1003 	if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
1004 		dst = &irk->rpa;
1005 		dst_type = ADDR_LE_DEV_RANDOM;
1006 	}
1007 
1008 	if (conn) {
1009 		bacpy(&conn->dst, dst);
1010 	} else {
1011 		conn = hci_conn_add(hdev, LE_LINK, dst, role);
1012 		if (!conn)
1013 			return ERR_PTR(-ENOMEM);
1014 		hci_conn_hold(conn);
1015 		conn->pending_sec_level = sec_level;
1016 	}
1017 
1018 	conn->dst_type = dst_type;
1019 	conn->sec_level = BT_SECURITY_LOW;
1020 	conn->conn_timeout = conn_timeout;
1021 
1022 	hci_req_init(&req, hdev);
1023 
1024 	/* Disable advertising if we're active. For master role
1025 	 * connections most controllers will refuse to connect if
1026 	 * advertising is enabled, and for slave role connections we
1027 	 * anyway have to disable it in order to start directed
1028 	 * advertising.
1029 	 */
1030 	if (hci_dev_test_flag(hdev, HCI_LE_ADV)) {
1031 		u8 enable = 0x00;
1032 		hci_req_add(&req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
1033 			    &enable);
1034 	}
1035 
1036 	/* If requested to connect as slave use directed advertising */
1037 	if (conn->role == HCI_ROLE_SLAVE) {
1038 		/* If we're active scanning most controllers are unable
1039 		 * to initiate advertising. Simply reject the attempt.
1040 		 */
1041 		if (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
1042 		    hdev->le_scan_type == LE_SCAN_ACTIVE) {
1043 			hci_req_purge(&req);
1044 			hci_conn_del(conn);
1045 			return ERR_PTR(-EBUSY);
1046 		}
1047 
1048 		hci_req_directed_advertising(&req, conn);
1049 		goto create_conn;
1050 	}
1051 
1052 	params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
1053 	if (params) {
1054 		conn->le_conn_min_interval = params->conn_min_interval;
1055 		conn->le_conn_max_interval = params->conn_max_interval;
1056 		conn->le_conn_latency = params->conn_latency;
1057 		conn->le_supv_timeout = params->supervision_timeout;
1058 	} else {
1059 		conn->le_conn_min_interval = hdev->le_conn_min_interval;
1060 		conn->le_conn_max_interval = hdev->le_conn_max_interval;
1061 		conn->le_conn_latency = hdev->le_conn_latency;
1062 		conn->le_supv_timeout = hdev->le_supv_timeout;
1063 	}
1064 
1065 	/* If controller is scanning, we stop it since some controllers are
1066 	 * not able to scan and connect at the same time. Also set the
1067 	 * HCI_LE_SCAN_INTERRUPTED flag so that the command complete
1068 	 * handler for scan disabling knows to set the correct discovery
1069 	 * state.
1070 	 */
1071 	if (hci_dev_test_flag(hdev, HCI_LE_SCAN)) {
1072 		hci_req_add_le_scan_disable(&req);
1073 		hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED);
1074 	}
1075 
1076 	hci_req_add_le_create_conn(&req, conn, direct_rpa);
1077 
1078 create_conn:
1079 	err = hci_req_run(&req, create_le_conn_complete);
1080 	if (err) {
1081 		hci_conn_del(conn);
1082 		return ERR_PTR(err);
1083 	}
1084 
1085 	return conn;
1086 }
1087 
is_connected(struct hci_dev * hdev,bdaddr_t * addr,u8 type)1088 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
1089 {
1090 	struct hci_conn *conn;
1091 
1092 	conn = hci_conn_hash_lookup_le(hdev, addr, type);
1093 	if (!conn)
1094 		return false;
1095 
1096 	if (conn->state != BT_CONNECTED)
1097 		return false;
1098 
1099 	return true;
1100 }
1101 
1102 /* This function requires the caller holds hdev->lock */
hci_explicit_conn_params_set(struct hci_dev * hdev,bdaddr_t * addr,u8 addr_type)1103 static int hci_explicit_conn_params_set(struct hci_dev *hdev,
1104 					bdaddr_t *addr, u8 addr_type)
1105 {
1106 	struct hci_conn_params *params;
1107 
1108 	if (is_connected(hdev, addr, addr_type))
1109 		return -EISCONN;
1110 
1111 	params = hci_conn_params_lookup(hdev, addr, addr_type);
1112 	if (!params) {
1113 		params = hci_conn_params_add(hdev, addr, addr_type);
1114 		if (!params)
1115 			return -ENOMEM;
1116 
1117 		/* If we created new params, mark them to be deleted in
1118 		 * hci_connect_le_scan_cleanup. It's different case than
1119 		 * existing disabled params, those will stay after cleanup.
1120 		 */
1121 		params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
1122 	}
1123 
1124 	/* We're trying to connect, so make sure params are at pend_le_conns */
1125 	if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
1126 	    params->auto_connect == HCI_AUTO_CONN_REPORT ||
1127 	    params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
1128 		list_del_init(&params->action);
1129 		list_add(&params->action, &hdev->pend_le_conns);
1130 	}
1131 
1132 	params->explicit_connect = true;
1133 
1134 	BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
1135 	       params->auto_connect);
1136 
1137 	return 0;
1138 }
1139 
1140 /* This function requires the caller holds hdev->lock */
hci_connect_le_scan(struct hci_dev * hdev,bdaddr_t * dst,u8 dst_type,u8 sec_level,u16 conn_timeout)1141 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
1142 				     u8 dst_type, u8 sec_level,
1143 				     u16 conn_timeout)
1144 {
1145 	struct hci_conn *conn;
1146 
1147 	/* Let's make sure that le is enabled.*/
1148 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1149 		if (lmp_le_capable(hdev))
1150 			return ERR_PTR(-ECONNREFUSED);
1151 
1152 		return ERR_PTR(-EOPNOTSUPP);
1153 	}
1154 
1155 	/* Some devices send ATT messages as soon as the physical link is
1156 	 * established. To be able to handle these ATT messages, the user-
1157 	 * space first establishes the connection and then starts the pairing
1158 	 * process.
1159 	 *
1160 	 * So if a hci_conn object already exists for the following connection
1161 	 * attempt, we simply update pending_sec_level and auth_type fields
1162 	 * and return the object found.
1163 	 */
1164 	conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1165 	if (conn) {
1166 		if (conn->pending_sec_level < sec_level)
1167 			conn->pending_sec_level = sec_level;
1168 		goto done;
1169 	}
1170 
1171 	BT_DBG("requesting refresh of dst_addr");
1172 
1173 	conn = hci_conn_add(hdev, LE_LINK, dst, HCI_ROLE_MASTER);
1174 	if (!conn)
1175 		return ERR_PTR(-ENOMEM);
1176 
1177 	if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) {
1178 		hci_conn_del(conn);
1179 		return ERR_PTR(-EBUSY);
1180 	}
1181 
1182 	conn->state = BT_CONNECT;
1183 	set_bit(HCI_CONN_SCANNING, &conn->flags);
1184 	conn->dst_type = dst_type;
1185 	conn->sec_level = BT_SECURITY_LOW;
1186 	conn->pending_sec_level = sec_level;
1187 	conn->conn_timeout = conn_timeout;
1188 
1189 	hci_update_background_scan(hdev);
1190 
1191 done:
1192 	hci_conn_hold(conn);
1193 	return conn;
1194 }
1195 
hci_connect_acl(struct hci_dev * hdev,bdaddr_t * dst,u8 sec_level,u8 auth_type)1196 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
1197 				 u8 sec_level, u8 auth_type)
1198 {
1199 	struct hci_conn *acl;
1200 
1201 	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1202 		if (lmp_bredr_capable(hdev))
1203 			return ERR_PTR(-ECONNREFUSED);
1204 
1205 		return ERR_PTR(-EOPNOTSUPP);
1206 	}
1207 
1208 	/* Reject outgoing connection to device with same BD ADDR against
1209 	 * CVE-2020-26555
1210 	 */
1211 	if (!bacmp(&hdev->bdaddr, dst)) {
1212 		bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
1213 			   dst);
1214 		return ERR_PTR(-ECONNREFUSED);
1215 	}
1216 
1217 	acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
1218 	if (!acl) {
1219 		acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
1220 		if (!acl)
1221 			return ERR_PTR(-ENOMEM);
1222 	}
1223 
1224 	hci_conn_hold(acl);
1225 
1226 	if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
1227 		acl->sec_level = BT_SECURITY_LOW;
1228 		acl->pending_sec_level = sec_level;
1229 		acl->auth_type = auth_type;
1230 		hci_acl_create_connection(acl);
1231 	}
1232 
1233 	return acl;
1234 }
1235 
hci_connect_sco(struct hci_dev * hdev,int type,bdaddr_t * dst,__u16 setting)1236 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
1237 				 __u16 setting)
1238 {
1239 	struct hci_conn *acl;
1240 	struct hci_conn *sco;
1241 
1242 	acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING);
1243 	if (IS_ERR(acl))
1244 		return acl;
1245 
1246 	sco = hci_conn_hash_lookup_ba(hdev, type, dst);
1247 	if (!sco) {
1248 		sco = hci_conn_add(hdev, type, dst, HCI_ROLE_MASTER);
1249 		if (!sco) {
1250 			hci_conn_drop(acl);
1251 			return ERR_PTR(-ENOMEM);
1252 		}
1253 	}
1254 
1255 	acl->link = sco;
1256 	sco->link = acl;
1257 
1258 	hci_conn_hold(sco);
1259 
1260 	sco->setting = setting;
1261 
1262 	if (acl->state == BT_CONNECTED &&
1263 	    (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
1264 		set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
1265 		hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
1266 
1267 		if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
1268 			/* defer SCO setup until mode change completed */
1269 			set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
1270 			return sco;
1271 		}
1272 
1273 		hci_sco_setup(acl, 0x00);
1274 	}
1275 
1276 	return sco;
1277 }
1278 
1279 /* Check link security requirement */
hci_conn_check_link_mode(struct hci_conn * conn)1280 int hci_conn_check_link_mode(struct hci_conn *conn)
1281 {
1282 	BT_DBG("hcon %p", conn);
1283 
1284 	/* In Secure Connections Only mode, it is required that Secure
1285 	 * Connections is used and the link is encrypted with AES-CCM
1286 	 * using a P-256 authenticated combination key.
1287 	 */
1288 	if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) {
1289 		if (!hci_conn_sc_enabled(conn) ||
1290 		    !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
1291 		    conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
1292 			return 0;
1293 	}
1294 
1295 	 /* AES encryption is required for Level 4:
1296 	  *
1297 	  * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C
1298 	  * page 1319:
1299 	  *
1300 	  * 128-bit equivalent strength for link and encryption keys
1301 	  * required using FIPS approved algorithms (E0 not allowed,
1302 	  * SAFER+ not allowed, and P-192 not allowed; encryption key
1303 	  * not shortened)
1304 	  */
1305 	if (conn->sec_level == BT_SECURITY_FIPS &&
1306 	    !test_bit(HCI_CONN_AES_CCM, &conn->flags)) {
1307 		bt_dev_err(conn->hdev,
1308 			   "Invalid security: Missing AES-CCM usage");
1309 		return 0;
1310 	}
1311 
1312 	if (hci_conn_ssp_enabled(conn) &&
1313 	    !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1314 		return 0;
1315 
1316 	return 1;
1317 }
1318 
1319 /* Authenticate remote device */
hci_conn_auth(struct hci_conn * conn,__u8 sec_level,__u8 auth_type)1320 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
1321 {
1322 	BT_DBG("hcon %p", conn);
1323 
1324 	if (conn->pending_sec_level > sec_level)
1325 		sec_level = conn->pending_sec_level;
1326 
1327 	if (sec_level > conn->sec_level)
1328 		conn->pending_sec_level = sec_level;
1329 	else if (test_bit(HCI_CONN_AUTH, &conn->flags))
1330 		return 1;
1331 
1332 	/* Make sure we preserve an existing MITM requirement*/
1333 	auth_type |= (conn->auth_type & 0x01);
1334 
1335 	conn->auth_type = auth_type;
1336 
1337 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1338 		struct hci_cp_auth_requested cp;
1339 
1340 		cp.handle = cpu_to_le16(conn->handle);
1341 		hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
1342 			     sizeof(cp), &cp);
1343 
1344 		/* Set the ENCRYPT_PEND to trigger encryption after
1345 		 * authentication.
1346 		 */
1347 		if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1348 			set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
1349 	}
1350 
1351 	return 0;
1352 }
1353 
1354 /* Encrypt the the link */
hci_conn_encrypt(struct hci_conn * conn)1355 static void hci_conn_encrypt(struct hci_conn *conn)
1356 {
1357 	BT_DBG("hcon %p", conn);
1358 
1359 	if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
1360 		struct hci_cp_set_conn_encrypt cp;
1361 		cp.handle  = cpu_to_le16(conn->handle);
1362 		cp.encrypt = 0x01;
1363 		hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
1364 			     &cp);
1365 	}
1366 }
1367 
1368 /* Enable security */
hci_conn_security(struct hci_conn * conn,__u8 sec_level,__u8 auth_type,bool initiator)1369 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
1370 		      bool initiator)
1371 {
1372 	BT_DBG("hcon %p", conn);
1373 
1374 	if (conn->type == LE_LINK)
1375 		return smp_conn_security(conn, sec_level);
1376 
1377 	/* For sdp we don't need the link key. */
1378 	if (sec_level == BT_SECURITY_SDP)
1379 		return 1;
1380 
1381 	/* For non 2.1 devices and low security level we don't need the link
1382 	   key. */
1383 	if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
1384 		return 1;
1385 
1386 	/* For other security levels we need the link key. */
1387 	if (!test_bit(HCI_CONN_AUTH, &conn->flags))
1388 		goto auth;
1389 
1390 	switch (conn->key_type) {
1391 	case HCI_LK_AUTH_COMBINATION_P256:
1392 		/* An authenticated FIPS approved combination key has
1393 		 * sufficient security for security level 4 or lower.
1394 		 */
1395 		if (sec_level <= BT_SECURITY_FIPS)
1396 			goto encrypt;
1397 		break;
1398 	case HCI_LK_AUTH_COMBINATION_P192:
1399 		/* An authenticated combination key has sufficient security for
1400 		 * security level 3 or lower.
1401 		 */
1402 		if (sec_level <= BT_SECURITY_HIGH)
1403 			goto encrypt;
1404 		break;
1405 	case HCI_LK_UNAUTH_COMBINATION_P192:
1406 	case HCI_LK_UNAUTH_COMBINATION_P256:
1407 		/* An unauthenticated combination key has sufficient security
1408 		 * for security level 2 or lower.
1409 		 */
1410 		if (sec_level <= BT_SECURITY_MEDIUM)
1411 			goto encrypt;
1412 		break;
1413 	case HCI_LK_COMBINATION:
1414 		/* A combination key has always sufficient security for the
1415 		 * security levels 2 or lower. High security level requires the
1416 		 * combination key is generated using maximum PIN code length
1417 		 * (16). For pre 2.1 units.
1418 		 */
1419 		if (sec_level <= BT_SECURITY_MEDIUM || conn->pin_length == 16)
1420 			goto encrypt;
1421 		break;
1422 	default:
1423 		break;
1424 	}
1425 
1426 auth:
1427 	if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
1428 		return 0;
1429 
1430 	if (initiator)
1431 		set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1432 
1433 	if (!hci_conn_auth(conn, sec_level, auth_type))
1434 		return 0;
1435 
1436 encrypt:
1437 	if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) {
1438 		/* Ensure that the encryption key size has been read,
1439 		 * otherwise stall the upper layer responses.
1440 		 */
1441 		if (!conn->enc_key_size)
1442 			return 0;
1443 
1444 		/* Nothing else needed, all requirements are met */
1445 		return 1;
1446 	}
1447 
1448 	hci_conn_encrypt(conn);
1449 	return 0;
1450 }
1451 EXPORT_SYMBOL(hci_conn_security);
1452 
1453 /* Check secure link requirement */
hci_conn_check_secure(struct hci_conn * conn,__u8 sec_level)1454 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
1455 {
1456 	BT_DBG("hcon %p", conn);
1457 
1458 	/* Accept if non-secure or higher security level is required */
1459 	if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
1460 		return 1;
1461 
1462 	/* Accept if secure or higher security level is already present */
1463 	if (conn->sec_level == BT_SECURITY_HIGH ||
1464 	    conn->sec_level == BT_SECURITY_FIPS)
1465 		return 1;
1466 
1467 	/* Reject not secure link */
1468 	return 0;
1469 }
1470 EXPORT_SYMBOL(hci_conn_check_secure);
1471 
1472 /* Switch role */
hci_conn_switch_role(struct hci_conn * conn,__u8 role)1473 int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
1474 {
1475 	BT_DBG("hcon %p", conn);
1476 
1477 	if (role == conn->role)
1478 		return 1;
1479 
1480 	if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
1481 		struct hci_cp_switch_role cp;
1482 		bacpy(&cp.bdaddr, &conn->dst);
1483 		cp.role = role;
1484 		hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
1485 	}
1486 
1487 	return 0;
1488 }
1489 EXPORT_SYMBOL(hci_conn_switch_role);
1490 
1491 /* Enter active mode */
hci_conn_enter_active_mode(struct hci_conn * conn,__u8 force_active)1492 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
1493 {
1494 	struct hci_dev *hdev = conn->hdev;
1495 
1496 	BT_DBG("hcon %p mode %d", conn, conn->mode);
1497 
1498 	if (conn->mode != HCI_CM_SNIFF)
1499 		goto timer;
1500 
1501 	if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
1502 		goto timer;
1503 
1504 	if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
1505 		struct hci_cp_exit_sniff_mode cp;
1506 		cp.handle = cpu_to_le16(conn->handle);
1507 		hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
1508 	}
1509 
1510 timer:
1511 	if (hdev->idle_timeout > 0)
1512 		queue_delayed_work(hdev->workqueue, &conn->idle_work,
1513 				   msecs_to_jiffies(hdev->idle_timeout));
1514 }
1515 
1516 /* Drop all connection on the device */
hci_conn_hash_flush(struct hci_dev * hdev)1517 void hci_conn_hash_flush(struct hci_dev *hdev)
1518 {
1519 	struct hci_conn_hash *h = &hdev->conn_hash;
1520 	struct hci_conn *c, *n;
1521 
1522 	BT_DBG("hdev %s", hdev->name);
1523 
1524 	list_for_each_entry_safe(c, n, &h->list, list) {
1525 		c->state = BT_CLOSED;
1526 
1527 		hci_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM);
1528 		hci_conn_del(c);
1529 	}
1530 }
1531 
1532 /* Check pending connect attempts */
hci_conn_check_pending(struct hci_dev * hdev)1533 void hci_conn_check_pending(struct hci_dev *hdev)
1534 {
1535 	struct hci_conn *conn;
1536 
1537 	BT_DBG("hdev %s", hdev->name);
1538 
1539 	hci_dev_lock(hdev);
1540 
1541 	conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2);
1542 	if (conn)
1543 		hci_acl_create_connection(conn);
1544 
1545 	hci_dev_unlock(hdev);
1546 }
1547 
get_link_mode(struct hci_conn * conn)1548 static u32 get_link_mode(struct hci_conn *conn)
1549 {
1550 	u32 link_mode = 0;
1551 
1552 	if (conn->role == HCI_ROLE_MASTER)
1553 		link_mode |= HCI_LM_MASTER;
1554 
1555 	if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1556 		link_mode |= HCI_LM_ENCRYPT;
1557 
1558 	if (test_bit(HCI_CONN_AUTH, &conn->flags))
1559 		link_mode |= HCI_LM_AUTH;
1560 
1561 	if (test_bit(HCI_CONN_SECURE, &conn->flags))
1562 		link_mode |= HCI_LM_SECURE;
1563 
1564 	if (test_bit(HCI_CONN_FIPS, &conn->flags))
1565 		link_mode |= HCI_LM_FIPS;
1566 
1567 	return link_mode;
1568 }
1569 
hci_get_conn_list(void __user * arg)1570 int hci_get_conn_list(void __user *arg)
1571 {
1572 	struct hci_conn *c;
1573 	struct hci_conn_list_req req, *cl;
1574 	struct hci_conn_info *ci;
1575 	struct hci_dev *hdev;
1576 	int n = 0, size, err;
1577 
1578 	if (copy_from_user(&req, arg, sizeof(req)))
1579 		return -EFAULT;
1580 
1581 	if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
1582 		return -EINVAL;
1583 
1584 	size = sizeof(req) + req.conn_num * sizeof(*ci);
1585 
1586 	cl = kmalloc(size, GFP_KERNEL);
1587 	if (!cl)
1588 		return -ENOMEM;
1589 
1590 	hdev = hci_dev_get(req.dev_id);
1591 	if (!hdev) {
1592 		kfree(cl);
1593 		return -ENODEV;
1594 	}
1595 
1596 	ci = cl->conn_info;
1597 
1598 	hci_dev_lock(hdev);
1599 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
1600 		bacpy(&(ci + n)->bdaddr, &c->dst);
1601 		(ci + n)->handle = c->handle;
1602 		(ci + n)->type  = c->type;
1603 		(ci + n)->out   = c->out;
1604 		(ci + n)->state = c->state;
1605 		(ci + n)->link_mode = get_link_mode(c);
1606 		if (++n >= req.conn_num)
1607 			break;
1608 	}
1609 	hci_dev_unlock(hdev);
1610 
1611 	cl->dev_id = hdev->id;
1612 	cl->conn_num = n;
1613 	size = sizeof(req) + n * sizeof(*ci);
1614 
1615 	hci_dev_put(hdev);
1616 
1617 	err = copy_to_user(arg, cl, size);
1618 	kfree(cl);
1619 
1620 	return err ? -EFAULT : 0;
1621 }
1622 
hci_get_conn_info(struct hci_dev * hdev,void __user * arg)1623 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
1624 {
1625 	struct hci_conn_info_req req;
1626 	struct hci_conn_info ci;
1627 	struct hci_conn *conn;
1628 	char __user *ptr = arg + sizeof(req);
1629 
1630 	if (copy_from_user(&req, arg, sizeof(req)))
1631 		return -EFAULT;
1632 
1633 	hci_dev_lock(hdev);
1634 	conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
1635 	if (conn) {
1636 		bacpy(&ci.bdaddr, &conn->dst);
1637 		ci.handle = conn->handle;
1638 		ci.type  = conn->type;
1639 		ci.out   = conn->out;
1640 		ci.state = conn->state;
1641 		ci.link_mode = get_link_mode(conn);
1642 	}
1643 	hci_dev_unlock(hdev);
1644 
1645 	if (!conn)
1646 		return -ENOENT;
1647 
1648 	return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
1649 }
1650 
hci_get_auth_info(struct hci_dev * hdev,void __user * arg)1651 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
1652 {
1653 	struct hci_auth_info_req req;
1654 	struct hci_conn *conn;
1655 
1656 	if (copy_from_user(&req, arg, sizeof(req)))
1657 		return -EFAULT;
1658 
1659 	hci_dev_lock(hdev);
1660 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
1661 	if (conn)
1662 		req.type = conn->auth_type;
1663 	hci_dev_unlock(hdev);
1664 
1665 	if (!conn)
1666 		return -ENOENT;
1667 
1668 	return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
1669 }
1670 
hci_chan_create(struct hci_conn * conn)1671 struct hci_chan *hci_chan_create(struct hci_conn *conn)
1672 {
1673 	struct hci_dev *hdev = conn->hdev;
1674 	struct hci_chan *chan;
1675 
1676 	BT_DBG("%s hcon %p", hdev->name, conn);
1677 
1678 	if (test_bit(HCI_CONN_DROP, &conn->flags)) {
1679 		BT_DBG("Refusing to create new hci_chan");
1680 		return NULL;
1681 	}
1682 
1683 	chan = kzalloc(sizeof(*chan), GFP_KERNEL);
1684 	if (!chan)
1685 		return NULL;
1686 
1687 	chan->conn = hci_conn_get(conn);
1688 	skb_queue_head_init(&chan->data_q);
1689 	chan->state = BT_CONNECTED;
1690 
1691 	list_add_rcu(&chan->list, &conn->chan_list);
1692 
1693 	return chan;
1694 }
1695 
hci_chan_del(struct hci_chan * chan)1696 void hci_chan_del(struct hci_chan *chan)
1697 {
1698 	struct hci_conn *conn = chan->conn;
1699 	struct hci_dev *hdev = conn->hdev;
1700 
1701 	BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
1702 
1703 	list_del_rcu(&chan->list);
1704 
1705 	synchronize_rcu();
1706 
1707 	/* Prevent new hci_chan's to be created for this hci_conn */
1708 	set_bit(HCI_CONN_DROP, &conn->flags);
1709 
1710 	hci_conn_put(conn);
1711 
1712 	skb_queue_purge(&chan->data_q);
1713 	kfree(chan);
1714 }
1715 
hci_chan_list_flush(struct hci_conn * conn)1716 void hci_chan_list_flush(struct hci_conn *conn)
1717 {
1718 	struct hci_chan *chan, *n;
1719 
1720 	BT_DBG("hcon %p", conn);
1721 
1722 	list_for_each_entry_safe(chan, n, &conn->chan_list, list)
1723 		hci_chan_del(chan);
1724 }
1725 
__hci_chan_lookup_handle(struct hci_conn * hcon,__u16 handle)1726 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
1727 						 __u16 handle)
1728 {
1729 	struct hci_chan *hchan;
1730 
1731 	list_for_each_entry(hchan, &hcon->chan_list, list) {
1732 		if (hchan->handle == handle)
1733 			return hchan;
1734 	}
1735 
1736 	return NULL;
1737 }
1738 
hci_chan_lookup_handle(struct hci_dev * hdev,__u16 handle)1739 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
1740 {
1741 	struct hci_conn_hash *h = &hdev->conn_hash;
1742 	struct hci_conn *hcon;
1743 	struct hci_chan *hchan = NULL;
1744 
1745 	rcu_read_lock();
1746 
1747 	list_for_each_entry_rcu(hcon, &h->list, list) {
1748 		hchan = __hci_chan_lookup_handle(hcon, handle);
1749 		if (hchan)
1750 			break;
1751 	}
1752 
1753 	rcu_read_unlock();
1754 
1755 	return hchan;
1756 }
1757