1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
23 */
24
25 /* Bluetooth HCI connection handling. */
26
27 #include <linux/export.h>
28 #include <linux/debugfs.h>
29
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/l2cap.h>
33
34 #include "hci_request.h"
35 #include "smp.h"
36 #include "a2mp.h"
37
38 struct sco_param {
39 u16 pkt_type;
40 u16 max_latency;
41 u8 retrans_effort;
42 };
43
44 static const struct sco_param esco_param_cvsd[] = {
45 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */
46 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */
47 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */
48 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */
49 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */
50 };
51
52 static const struct sco_param sco_param_cvsd[] = {
53 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */
54 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */
55 };
56
57 static const struct sco_param esco_param_msbc[] = {
58 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */
59 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */
60 };
61
62 /* This function requires the caller holds hdev->lock */
hci_connect_le_scan_cleanup(struct hci_conn * conn)63 static void hci_connect_le_scan_cleanup(struct hci_conn *conn)
64 {
65 struct hci_conn_params *params;
66 struct hci_dev *hdev = conn->hdev;
67 struct smp_irk *irk;
68 bdaddr_t *bdaddr;
69 u8 bdaddr_type;
70
71 bdaddr = &conn->dst;
72 bdaddr_type = conn->dst_type;
73
74 /* Check if we need to convert to identity address */
75 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
76 if (irk) {
77 bdaddr = &irk->bdaddr;
78 bdaddr_type = irk->addr_type;
79 }
80
81 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr,
82 bdaddr_type);
83 if (!params || !params->explicit_connect)
84 return;
85
86 /* The connection attempt was doing scan for new RPA, and is
87 * in scan phase. If params are not associated with any other
88 * autoconnect action, remove them completely. If they are, just unmark
89 * them as waiting for connection, by clearing explicit_connect field.
90 */
91 params->explicit_connect = false;
92
93 list_del_init(¶ms->action);
94
95 switch (params->auto_connect) {
96 case HCI_AUTO_CONN_EXPLICIT:
97 hci_conn_params_del(hdev, bdaddr, bdaddr_type);
98 /* return instead of break to avoid duplicate scan update */
99 return;
100 case HCI_AUTO_CONN_DIRECT:
101 case HCI_AUTO_CONN_ALWAYS:
102 list_add(¶ms->action, &hdev->pend_le_conns);
103 break;
104 case HCI_AUTO_CONN_REPORT:
105 list_add(¶ms->action, &hdev->pend_le_reports);
106 break;
107 default:
108 break;
109 }
110
111 hci_update_background_scan(hdev);
112 }
113
hci_conn_cleanup(struct hci_conn * conn)114 static void hci_conn_cleanup(struct hci_conn *conn)
115 {
116 struct hci_dev *hdev = conn->hdev;
117
118 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
119 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);
120
121 hci_chan_list_flush(conn);
122
123 hci_conn_hash_del(hdev, conn);
124
125 if (hdev->notify)
126 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
127
128 debugfs_remove_recursive(conn->debugfs);
129
130 hci_conn_del_sysfs(conn);
131
132 hci_dev_put(hdev);
133 }
134
le_scan_cleanup(struct work_struct * work)135 static void le_scan_cleanup(struct work_struct *work)
136 {
137 struct hci_conn *conn = container_of(work, struct hci_conn,
138 le_scan_cleanup);
139 struct hci_dev *hdev = conn->hdev;
140 struct hci_conn *c = NULL;
141
142 BT_DBG("%s hcon %p", hdev->name, conn);
143
144 hci_dev_lock(hdev);
145
146 /* Check that the hci_conn is still around */
147 rcu_read_lock();
148 list_for_each_entry_rcu(c, &hdev->conn_hash.list, list) {
149 if (c == conn)
150 break;
151 }
152 rcu_read_unlock();
153
154 if (c == conn) {
155 hci_connect_le_scan_cleanup(conn);
156 hci_conn_cleanup(conn);
157 }
158
159 hci_dev_unlock(hdev);
160 hci_dev_put(hdev);
161 hci_conn_put(conn);
162 }
163
hci_connect_le_scan_remove(struct hci_conn * conn)164 static void hci_connect_le_scan_remove(struct hci_conn *conn)
165 {
166 BT_DBG("%s hcon %p", conn->hdev->name, conn);
167
168 /* We can't call hci_conn_del/hci_conn_cleanup here since that
169 * could deadlock with another hci_conn_del() call that's holding
170 * hci_dev_lock and doing cancel_delayed_work_sync(&conn->disc_work).
171 * Instead, grab temporary extra references to the hci_dev and
172 * hci_conn and perform the necessary cleanup in a separate work
173 * callback.
174 */
175
176 hci_dev_hold(conn->hdev);
177 hci_conn_get(conn);
178
179 /* Even though we hold a reference to the hdev, many other
180 * things might get cleaned up meanwhile, including the hdev's
181 * own workqueue, so we can't use that for scheduling.
182 */
183 schedule_work(&conn->le_scan_cleanup);
184 }
185
hci_acl_create_connection(struct hci_conn * conn)186 static void hci_acl_create_connection(struct hci_conn *conn)
187 {
188 struct hci_dev *hdev = conn->hdev;
189 struct inquiry_entry *ie;
190 struct hci_cp_create_conn cp;
191
192 BT_DBG("hcon %p", conn);
193
194 conn->state = BT_CONNECT;
195 conn->out = true;
196 conn->role = HCI_ROLE_MASTER;
197
198 conn->attempt++;
199
200 conn->link_policy = hdev->link_policy;
201
202 memset(&cp, 0, sizeof(cp));
203 bacpy(&cp.bdaddr, &conn->dst);
204 cp.pscan_rep_mode = 0x02;
205
206 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
207 if (ie) {
208 if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) {
209 cp.pscan_rep_mode = ie->data.pscan_rep_mode;
210 cp.pscan_mode = ie->data.pscan_mode;
211 cp.clock_offset = ie->data.clock_offset |
212 cpu_to_le16(0x8000);
213 }
214
215 memcpy(conn->dev_class, ie->data.dev_class, 3);
216 if (ie->data.ssp_mode > 0)
217 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
218 }
219
220 cp.pkt_type = cpu_to_le16(conn->pkt_type);
221 if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER))
222 cp.role_switch = 0x01;
223 else
224 cp.role_switch = 0x00;
225
226 hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
227 }
228
hci_disconnect(struct hci_conn * conn,__u8 reason)229 int hci_disconnect(struct hci_conn *conn, __u8 reason)
230 {
231 BT_DBG("hcon %p", conn);
232
233 /* When we are master of an established connection and it enters
234 * the disconnect timeout, then go ahead and try to read the
235 * current clock offset. Processing of the result is done
236 * within the event handling and hci_clock_offset_evt function.
237 */
238 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER &&
239 (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) {
240 struct hci_dev *hdev = conn->hdev;
241 struct hci_cp_read_clock_offset clkoff_cp;
242
243 clkoff_cp.handle = cpu_to_le16(conn->handle);
244 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp),
245 &clkoff_cp);
246 }
247
248 return hci_abort_conn(conn, reason);
249 }
250
hci_add_sco(struct hci_conn * conn,__u16 handle)251 static void hci_add_sco(struct hci_conn *conn, __u16 handle)
252 {
253 struct hci_dev *hdev = conn->hdev;
254 struct hci_cp_add_sco cp;
255
256 BT_DBG("hcon %p", conn);
257
258 conn->state = BT_CONNECT;
259 conn->out = true;
260
261 conn->attempt++;
262
263 cp.handle = cpu_to_le16(handle);
264 cp.pkt_type = cpu_to_le16(conn->pkt_type);
265
266 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
267 }
268
hci_setup_sync(struct hci_conn * conn,__u16 handle)269 bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
270 {
271 struct hci_dev *hdev = conn->hdev;
272 struct hci_cp_setup_sync_conn cp;
273 const struct sco_param *param;
274
275 BT_DBG("hcon %p", conn);
276
277 conn->state = BT_CONNECT;
278 conn->out = true;
279
280 conn->attempt++;
281
282 cp.handle = cpu_to_le16(handle);
283
284 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
285 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
286 cp.voice_setting = cpu_to_le16(conn->setting);
287
288 switch (conn->setting & SCO_AIRMODE_MASK) {
289 case SCO_AIRMODE_TRANSP:
290 if (conn->attempt > ARRAY_SIZE(esco_param_msbc))
291 return false;
292 param = &esco_param_msbc[conn->attempt - 1];
293 break;
294 case SCO_AIRMODE_CVSD:
295 if (lmp_esco_capable(conn->link)) {
296 if (conn->attempt > ARRAY_SIZE(esco_param_cvsd))
297 return false;
298 param = &esco_param_cvsd[conn->attempt - 1];
299 } else {
300 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
301 return false;
302 param = &sco_param_cvsd[conn->attempt - 1];
303 }
304 break;
305 default:
306 return false;
307 }
308
309 cp.retrans_effort = param->retrans_effort;
310 cp.pkt_type = __cpu_to_le16(param->pkt_type);
311 cp.max_latency = __cpu_to_le16(param->max_latency);
312
313 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
314 return false;
315
316 return true;
317 }
318
hci_le_conn_update(struct hci_conn * conn,u16 min,u16 max,u16 latency,u16 to_multiplier)319 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
320 u16 to_multiplier)
321 {
322 struct hci_dev *hdev = conn->hdev;
323 struct hci_conn_params *params;
324 struct hci_cp_le_conn_update cp;
325
326 hci_dev_lock(hdev);
327
328 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
329 if (params) {
330 params->conn_min_interval = min;
331 params->conn_max_interval = max;
332 params->conn_latency = latency;
333 params->supervision_timeout = to_multiplier;
334 }
335
336 hci_dev_unlock(hdev);
337
338 memset(&cp, 0, sizeof(cp));
339 cp.handle = cpu_to_le16(conn->handle);
340 cp.conn_interval_min = cpu_to_le16(min);
341 cp.conn_interval_max = cpu_to_le16(max);
342 cp.conn_latency = cpu_to_le16(latency);
343 cp.supervision_timeout = cpu_to_le16(to_multiplier);
344 cp.min_ce_len = cpu_to_le16(0x0000);
345 cp.max_ce_len = cpu_to_le16(0x0000);
346
347 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
348
349 if (params)
350 return 0x01;
351
352 return 0x00;
353 }
354
hci_le_start_enc(struct hci_conn * conn,__le16 ediv,__le64 rand,__u8 ltk[16],__u8 key_size)355 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
356 __u8 ltk[16], __u8 key_size)
357 {
358 struct hci_dev *hdev = conn->hdev;
359 struct hci_cp_le_start_enc cp;
360
361 BT_DBG("hcon %p", conn);
362
363 memset(&cp, 0, sizeof(cp));
364
365 cp.handle = cpu_to_le16(conn->handle);
366 cp.rand = rand;
367 cp.ediv = ediv;
368 memcpy(cp.ltk, ltk, key_size);
369
370 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
371 }
372
373 /* Device _must_ be locked */
hci_sco_setup(struct hci_conn * conn,__u8 status)374 void hci_sco_setup(struct hci_conn *conn, __u8 status)
375 {
376 struct hci_conn *sco = conn->link;
377
378 if (!sco)
379 return;
380
381 BT_DBG("hcon %p", conn);
382
383 if (!status) {
384 if (lmp_esco_capable(conn->hdev))
385 hci_setup_sync(sco, conn->handle);
386 else
387 hci_add_sco(sco, conn->handle);
388 } else {
389 hci_connect_cfm(sco, status);
390 hci_conn_del(sco);
391 }
392 }
393
hci_conn_timeout(struct work_struct * work)394 static void hci_conn_timeout(struct work_struct *work)
395 {
396 struct hci_conn *conn = container_of(work, struct hci_conn,
397 disc_work.work);
398 int refcnt = atomic_read(&conn->refcnt);
399
400 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
401
402 WARN_ON(refcnt < 0);
403
404 /* FIXME: It was observed that in pairing failed scenario, refcnt
405 * drops below 0. Probably this is because l2cap_conn_del calls
406 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
407 * dropped. After that loop hci_chan_del is called which also drops
408 * conn. For now make sure that ACL is alive if refcnt is higher then 0,
409 * otherwise drop it.
410 */
411 if (refcnt > 0)
412 return;
413
414 /* LE connections in scanning state need special handling */
415 if (conn->state == BT_CONNECT && conn->type == LE_LINK &&
416 test_bit(HCI_CONN_SCANNING, &conn->flags)) {
417 hci_connect_le_scan_remove(conn);
418 return;
419 }
420
421 hci_abort_conn(conn, hci_proto_disconn_ind(conn));
422 }
423
424 /* Enter sniff mode */
hci_conn_idle(struct work_struct * work)425 static void hci_conn_idle(struct work_struct *work)
426 {
427 struct hci_conn *conn = container_of(work, struct hci_conn,
428 idle_work.work);
429 struct hci_dev *hdev = conn->hdev;
430
431 BT_DBG("hcon %p mode %d", conn, conn->mode);
432
433 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
434 return;
435
436 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
437 return;
438
439 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
440 struct hci_cp_sniff_subrate cp;
441 cp.handle = cpu_to_le16(conn->handle);
442 cp.max_latency = cpu_to_le16(0);
443 cp.min_remote_timeout = cpu_to_le16(0);
444 cp.min_local_timeout = cpu_to_le16(0);
445 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
446 }
447
448 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
449 struct hci_cp_sniff_mode cp;
450 cp.handle = cpu_to_le16(conn->handle);
451 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
452 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
453 cp.attempt = cpu_to_le16(4);
454 cp.timeout = cpu_to_le16(1);
455 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
456 }
457 }
458
hci_conn_auto_accept(struct work_struct * work)459 static void hci_conn_auto_accept(struct work_struct *work)
460 {
461 struct hci_conn *conn = container_of(work, struct hci_conn,
462 auto_accept_work.work);
463
464 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
465 &conn->dst);
466 }
467
le_conn_timeout(struct work_struct * work)468 static void le_conn_timeout(struct work_struct *work)
469 {
470 struct hci_conn *conn = container_of(work, struct hci_conn,
471 le_conn_timeout.work);
472 struct hci_dev *hdev = conn->hdev;
473
474 BT_DBG("");
475
476 /* We could end up here due to having done directed advertising,
477 * so clean up the state if necessary. This should however only
478 * happen with broken hardware or if low duty cycle was used
479 * (which doesn't have a timeout of its own).
480 */
481 if (conn->role == HCI_ROLE_SLAVE) {
482 u8 enable = 0x00;
483 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
484 &enable);
485 hci_le_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
486 return;
487 }
488
489 hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
490 }
491
hci_conn_add(struct hci_dev * hdev,int type,bdaddr_t * dst,u8 role)492 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
493 u8 role)
494 {
495 struct hci_conn *conn;
496
497 BT_DBG("%s dst %pMR", hdev->name, dst);
498
499 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
500 if (!conn)
501 return NULL;
502
503 bacpy(&conn->dst, dst);
504 bacpy(&conn->src, &hdev->bdaddr);
505 conn->hdev = hdev;
506 conn->type = type;
507 conn->role = role;
508 conn->mode = HCI_CM_ACTIVE;
509 conn->state = BT_OPEN;
510 conn->auth_type = HCI_AT_GENERAL_BONDING;
511 conn->io_capability = hdev->io_capability;
512 conn->remote_auth = 0xff;
513 conn->key_type = 0xff;
514 conn->rssi = HCI_RSSI_INVALID;
515 conn->tx_power = HCI_TX_POWER_INVALID;
516 conn->max_tx_power = HCI_TX_POWER_INVALID;
517
518 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
519 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
520
521 /* Set Default Authenticated payload timeout to 30s */
522 conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
523
524 if (conn->role == HCI_ROLE_MASTER)
525 conn->out = true;
526
527 switch (type) {
528 case ACL_LINK:
529 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
530 break;
531 case LE_LINK:
532 /* conn->src should reflect the local identity address */
533 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
534 break;
535 case SCO_LINK:
536 if (lmp_esco_capable(hdev))
537 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
538 (hdev->esco_type & EDR_ESCO_MASK);
539 else
540 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
541 break;
542 case ESCO_LINK:
543 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
544 break;
545 }
546
547 skb_queue_head_init(&conn->data_q);
548
549 INIT_LIST_HEAD(&conn->chan_list);
550
551 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
552 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
553 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
554 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
555 INIT_WORK(&conn->le_scan_cleanup, le_scan_cleanup);
556
557 atomic_set(&conn->refcnt, 0);
558
559 hci_dev_hold(hdev);
560
561 hci_conn_hash_add(hdev, conn);
562 if (hdev->notify)
563 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
564
565 hci_conn_init_sysfs(conn);
566
567 return conn;
568 }
569
hci_conn_del(struct hci_conn * conn)570 int hci_conn_del(struct hci_conn *conn)
571 {
572 struct hci_dev *hdev = conn->hdev;
573
574 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
575
576 cancel_delayed_work_sync(&conn->disc_work);
577 cancel_delayed_work_sync(&conn->auto_accept_work);
578 cancel_delayed_work_sync(&conn->idle_work);
579
580 if (conn->type == ACL_LINK) {
581 struct hci_conn *sco = conn->link;
582 if (sco)
583 sco->link = NULL;
584
585 /* Unacked frames */
586 hdev->acl_cnt += conn->sent;
587 } else if (conn->type == LE_LINK) {
588 cancel_delayed_work(&conn->le_conn_timeout);
589
590 if (hdev->le_pkts)
591 hdev->le_cnt += conn->sent;
592 else
593 hdev->acl_cnt += conn->sent;
594 } else {
595 struct hci_conn *acl = conn->link;
596 if (acl) {
597 acl->link = NULL;
598 hci_conn_drop(acl);
599 }
600 }
601
602 if (conn->amp_mgr)
603 amp_mgr_put(conn->amp_mgr);
604
605 skb_queue_purge(&conn->data_q);
606
607 /* Remove the connection from the list and cleanup its remaining
608 * state. This is a separate function since for some cases like
609 * BT_CONNECT_SCAN we *only* want the cleanup part without the
610 * rest of hci_conn_del.
611 */
612 hci_conn_cleanup(conn);
613
614 return 0;
615 }
616
hci_get_route(bdaddr_t * dst,bdaddr_t * src,uint8_t src_type)617 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type)
618 {
619 int use_src = bacmp(src, BDADDR_ANY);
620 struct hci_dev *hdev = NULL, *d;
621
622 BT_DBG("%pMR -> %pMR", src, dst);
623
624 read_lock(&hci_dev_list_lock);
625
626 list_for_each_entry(d, &hci_dev_list, list) {
627 if (!test_bit(HCI_UP, &d->flags) ||
628 hci_dev_test_flag(d, HCI_USER_CHANNEL) ||
629 d->dev_type != HCI_PRIMARY)
630 continue;
631
632 /* Simple routing:
633 * No source address - find interface with bdaddr != dst
634 * Source address - find interface with bdaddr == src
635 */
636
637 if (use_src) {
638 bdaddr_t id_addr;
639 u8 id_addr_type;
640
641 if (src_type == BDADDR_BREDR) {
642 if (!lmp_bredr_capable(d))
643 continue;
644 bacpy(&id_addr, &d->bdaddr);
645 id_addr_type = BDADDR_BREDR;
646 } else {
647 if (!lmp_le_capable(d))
648 continue;
649
650 hci_copy_identity_address(d, &id_addr,
651 &id_addr_type);
652
653 /* Convert from HCI to three-value type */
654 if (id_addr_type == ADDR_LE_DEV_PUBLIC)
655 id_addr_type = BDADDR_LE_PUBLIC;
656 else
657 id_addr_type = BDADDR_LE_RANDOM;
658 }
659
660 if (!bacmp(&id_addr, src) && id_addr_type == src_type) {
661 hdev = d; break;
662 }
663 } else {
664 if (bacmp(&d->bdaddr, dst)) {
665 hdev = d; break;
666 }
667 }
668 }
669
670 if (hdev)
671 hdev = hci_dev_hold(hdev);
672
673 read_unlock(&hci_dev_list_lock);
674 return hdev;
675 }
676 EXPORT_SYMBOL(hci_get_route);
677
678 /* This function requires the caller holds hdev->lock */
hci_le_conn_failed(struct hci_conn * conn,u8 status)679 void hci_le_conn_failed(struct hci_conn *conn, u8 status)
680 {
681 struct hci_dev *hdev = conn->hdev;
682 struct hci_conn_params *params;
683
684 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
685 conn->dst_type);
686 if (params && params->conn) {
687 hci_conn_drop(params->conn);
688 hci_conn_put(params->conn);
689 params->conn = NULL;
690 }
691
692 conn->state = BT_CLOSED;
693
694 /* If the status indicates successful cancellation of
695 * the attempt (i.e. Unkown Connection Id) there's no point of
696 * notifying failure since we'll go back to keep trying to
697 * connect. The only exception is explicit connect requests
698 * where a timeout + cancel does indicate an actual failure.
699 */
700 if (status != HCI_ERROR_UNKNOWN_CONN_ID ||
701 (params && params->explicit_connect))
702 mgmt_connect_failed(hdev, &conn->dst, conn->type,
703 conn->dst_type, status);
704
705 hci_connect_cfm(conn, status);
706
707 hci_conn_del(conn);
708
709 /* Since we may have temporarily stopped the background scanning in
710 * favor of connection establishment, we should restart it.
711 */
712 hci_update_background_scan(hdev);
713
714 /* Re-enable advertising in case this was a failed connection
715 * attempt as a peripheral.
716 */
717 hci_req_reenable_advertising(hdev);
718 }
719
create_le_conn_complete(struct hci_dev * hdev,u8 status,u16 opcode)720 static void create_le_conn_complete(struct hci_dev *hdev, u8 status, u16 opcode)
721 {
722 struct hci_conn *conn;
723
724 hci_dev_lock(hdev);
725
726 conn = hci_lookup_le_connect(hdev);
727
728 if (!status) {
729 hci_connect_le_scan_cleanup(conn);
730 goto done;
731 }
732
733 bt_dev_err(hdev, "request failed to create LE connection: "
734 "status 0x%2.2x", status);
735
736 if (!conn)
737 goto done;
738
739 hci_le_conn_failed(conn, status);
740
741 done:
742 hci_dev_unlock(hdev);
743 }
744
conn_use_rpa(struct hci_conn * conn)745 static bool conn_use_rpa(struct hci_conn *conn)
746 {
747 struct hci_dev *hdev = conn->hdev;
748
749 return hci_dev_test_flag(hdev, HCI_PRIVACY);
750 }
751
set_ext_conn_params(struct hci_conn * conn,struct hci_cp_le_ext_conn_param * p)752 static void set_ext_conn_params(struct hci_conn *conn,
753 struct hci_cp_le_ext_conn_param *p)
754 {
755 struct hci_dev *hdev = conn->hdev;
756
757 memset(p, 0, sizeof(*p));
758
759 /* Set window to be the same value as the interval to
760 * enable continuous scanning.
761 */
762 p->scan_interval = cpu_to_le16(hdev->le_scan_interval);
763 p->scan_window = p->scan_interval;
764 p->conn_interval_min = cpu_to_le16(conn->le_conn_min_interval);
765 p->conn_interval_max = cpu_to_le16(conn->le_conn_max_interval);
766 p->conn_latency = cpu_to_le16(conn->le_conn_latency);
767 p->supervision_timeout = cpu_to_le16(conn->le_supv_timeout);
768 p->min_ce_len = cpu_to_le16(0x0000);
769 p->max_ce_len = cpu_to_le16(0x0000);
770 }
771
hci_req_add_le_create_conn(struct hci_request * req,struct hci_conn * conn,bdaddr_t * direct_rpa)772 static void hci_req_add_le_create_conn(struct hci_request *req,
773 struct hci_conn *conn,
774 bdaddr_t *direct_rpa)
775 {
776 struct hci_dev *hdev = conn->hdev;
777 u8 own_addr_type;
778
779 /* If direct address was provided we use it instead of current
780 * address.
781 */
782 if (direct_rpa) {
783 if (bacmp(&req->hdev->random_addr, direct_rpa))
784 hci_req_add(req, HCI_OP_LE_SET_RANDOM_ADDR, 6,
785 direct_rpa);
786
787 /* direct address is always RPA */
788 own_addr_type = ADDR_LE_DEV_RANDOM;
789 } else {
790 /* Update random address, but set require_privacy to false so
791 * that we never connect with an non-resolvable address.
792 */
793 if (hci_update_random_address(req, false, conn_use_rpa(conn),
794 &own_addr_type))
795 return;
796 }
797
798 if (use_ext_conn(hdev)) {
799 struct hci_cp_le_ext_create_conn *cp;
800 struct hci_cp_le_ext_conn_param *p;
801 u8 data[sizeof(*cp) + sizeof(*p) * 3];
802 u32 plen;
803
804 cp = (void *) data;
805 p = (void *) cp->data;
806
807 memset(cp, 0, sizeof(*cp));
808
809 bacpy(&cp->peer_addr, &conn->dst);
810 cp->peer_addr_type = conn->dst_type;
811 cp->own_addr_type = own_addr_type;
812
813 plen = sizeof(*cp);
814
815 if (scan_1m(hdev)) {
816 cp->phys |= LE_SCAN_PHY_1M;
817 set_ext_conn_params(conn, p);
818
819 p++;
820 plen += sizeof(*p);
821 }
822
823 if (scan_2m(hdev)) {
824 cp->phys |= LE_SCAN_PHY_2M;
825 set_ext_conn_params(conn, p);
826
827 p++;
828 plen += sizeof(*p);
829 }
830
831 if (scan_coded(hdev)) {
832 cp->phys |= LE_SCAN_PHY_CODED;
833 set_ext_conn_params(conn, p);
834
835 plen += sizeof(*p);
836 }
837
838 hci_req_add(req, HCI_OP_LE_EXT_CREATE_CONN, plen, data);
839
840 } else {
841 struct hci_cp_le_create_conn cp;
842
843 memset(&cp, 0, sizeof(cp));
844
845 /* Set window to be the same value as the interval to enable
846 * continuous scanning.
847 */
848 cp.scan_interval = cpu_to_le16(hdev->le_scan_interval);
849 cp.scan_window = cp.scan_interval;
850
851 bacpy(&cp.peer_addr, &conn->dst);
852 cp.peer_addr_type = conn->dst_type;
853 cp.own_address_type = own_addr_type;
854 cp.conn_interval_min = cpu_to_le16(conn->le_conn_min_interval);
855 cp.conn_interval_max = cpu_to_le16(conn->le_conn_max_interval);
856 cp.conn_latency = cpu_to_le16(conn->le_conn_latency);
857 cp.supervision_timeout = cpu_to_le16(conn->le_supv_timeout);
858 cp.min_ce_len = cpu_to_le16(0x0000);
859 cp.max_ce_len = cpu_to_le16(0x0000);
860
861 hci_req_add(req, HCI_OP_LE_CREATE_CONN, sizeof(cp), &cp);
862 }
863
864 conn->state = BT_CONNECT;
865 clear_bit(HCI_CONN_SCANNING, &conn->flags);
866 }
867
hci_req_directed_advertising(struct hci_request * req,struct hci_conn * conn)868 static void hci_req_directed_advertising(struct hci_request *req,
869 struct hci_conn *conn)
870 {
871 struct hci_dev *hdev = req->hdev;
872 u8 own_addr_type;
873 u8 enable;
874
875 if (ext_adv_capable(hdev)) {
876 struct hci_cp_le_set_ext_adv_params cp;
877 bdaddr_t random_addr;
878
879 /* Set require_privacy to false so that the remote device has a
880 * chance of identifying us.
881 */
882 if (hci_get_random_address(hdev, false, conn_use_rpa(conn), NULL,
883 &own_addr_type, &random_addr) < 0)
884 return;
885
886 memset(&cp, 0, sizeof(cp));
887
888 cp.evt_properties = cpu_to_le16(LE_LEGACY_ADV_DIRECT_IND);
889 cp.own_addr_type = own_addr_type;
890 cp.channel_map = hdev->le_adv_channel_map;
891 cp.tx_power = HCI_TX_POWER_INVALID;
892 cp.primary_phy = HCI_ADV_PHY_1M;
893 cp.secondary_phy = HCI_ADV_PHY_1M;
894 cp.handle = 0; /* Use instance 0 for directed adv */
895 cp.own_addr_type = own_addr_type;
896 cp.peer_addr_type = conn->dst_type;
897 bacpy(&cp.peer_addr, &conn->dst);
898
899 hci_req_add(req, HCI_OP_LE_SET_EXT_ADV_PARAMS, sizeof(cp), &cp);
900
901 if (own_addr_type == ADDR_LE_DEV_RANDOM &&
902 bacmp(&random_addr, BDADDR_ANY) &&
903 bacmp(&random_addr, &hdev->random_addr)) {
904 struct hci_cp_le_set_adv_set_rand_addr cp;
905
906 memset(&cp, 0, sizeof(cp));
907
908 cp.handle = 0;
909 bacpy(&cp.bdaddr, &random_addr);
910
911 hci_req_add(req,
912 HCI_OP_LE_SET_ADV_SET_RAND_ADDR,
913 sizeof(cp), &cp);
914 }
915
916 __hci_req_enable_ext_advertising(req, 0x00);
917 } else {
918 struct hci_cp_le_set_adv_param cp;
919
920 /* Clear the HCI_LE_ADV bit temporarily so that the
921 * hci_update_random_address knows that it's safe to go ahead
922 * and write a new random address. The flag will be set back on
923 * as soon as the SET_ADV_ENABLE HCI command completes.
924 */
925 hci_dev_clear_flag(hdev, HCI_LE_ADV);
926
927 /* Set require_privacy to false so that the remote device has a
928 * chance of identifying us.
929 */
930 if (hci_update_random_address(req, false, conn_use_rpa(conn),
931 &own_addr_type) < 0)
932 return;
933
934 memset(&cp, 0, sizeof(cp));
935
936 /* Some controllers might reject command if intervals are not
937 * within range for undirected advertising.
938 * BCM20702A0 is known to be affected by this.
939 */
940 cp.min_interval = cpu_to_le16(0x0020);
941 cp.max_interval = cpu_to_le16(0x0020);
942
943 cp.type = LE_ADV_DIRECT_IND;
944 cp.own_address_type = own_addr_type;
945 cp.direct_addr_type = conn->dst_type;
946 bacpy(&cp.direct_addr, &conn->dst);
947 cp.channel_map = hdev->le_adv_channel_map;
948
949 hci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp);
950
951 enable = 0x01;
952 hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
953 &enable);
954 }
955
956 conn->state = BT_CONNECT;
957 }
958
hci_connect_le(struct hci_dev * hdev,bdaddr_t * dst,u8 dst_type,u8 sec_level,u16 conn_timeout,u8 role,bdaddr_t * direct_rpa)959 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
960 u8 dst_type, u8 sec_level, u16 conn_timeout,
961 u8 role, bdaddr_t *direct_rpa)
962 {
963 struct hci_conn_params *params;
964 struct hci_conn *conn;
965 struct smp_irk *irk;
966 struct hci_request req;
967 int err;
968
969 /* Let's make sure that le is enabled.*/
970 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
971 if (lmp_le_capable(hdev))
972 return ERR_PTR(-ECONNREFUSED);
973
974 return ERR_PTR(-EOPNOTSUPP);
975 }
976
977 /* Since the controller supports only one LE connection attempt at a
978 * time, we return -EBUSY if there is any connection attempt running.
979 */
980 if (hci_lookup_le_connect(hdev))
981 return ERR_PTR(-EBUSY);
982
983 /* If there's already a connection object but it's not in
984 * scanning state it means it must already be established, in
985 * which case we can't do anything else except report a failure
986 * to connect.
987 */
988 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
989 if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) {
990 return ERR_PTR(-EBUSY);
991 }
992
993 /* When given an identity address with existing identity
994 * resolving key, the connection needs to be established
995 * to a resolvable random address.
996 *
997 * Storing the resolvable random address is required here
998 * to handle connection failures. The address will later
999 * be resolved back into the original identity address
1000 * from the connect request.
1001 */
1002 irk = hci_find_irk_by_addr(hdev, dst, dst_type);
1003 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
1004 dst = &irk->rpa;
1005 dst_type = ADDR_LE_DEV_RANDOM;
1006 }
1007
1008 if (conn) {
1009 bacpy(&conn->dst, dst);
1010 } else {
1011 conn = hci_conn_add(hdev, LE_LINK, dst, role);
1012 if (!conn)
1013 return ERR_PTR(-ENOMEM);
1014 hci_conn_hold(conn);
1015 conn->pending_sec_level = sec_level;
1016 }
1017
1018 conn->dst_type = dst_type;
1019 conn->sec_level = BT_SECURITY_LOW;
1020 conn->conn_timeout = conn_timeout;
1021
1022 hci_req_init(&req, hdev);
1023
1024 /* Disable advertising if we're active. For master role
1025 * connections most controllers will refuse to connect if
1026 * advertising is enabled, and for slave role connections we
1027 * anyway have to disable it in order to start directed
1028 * advertising.
1029 */
1030 if (hci_dev_test_flag(hdev, HCI_LE_ADV)) {
1031 u8 enable = 0x00;
1032 hci_req_add(&req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
1033 &enable);
1034 }
1035
1036 /* If requested to connect as slave use directed advertising */
1037 if (conn->role == HCI_ROLE_SLAVE) {
1038 /* If we're active scanning most controllers are unable
1039 * to initiate advertising. Simply reject the attempt.
1040 */
1041 if (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
1042 hdev->le_scan_type == LE_SCAN_ACTIVE) {
1043 hci_req_purge(&req);
1044 hci_conn_del(conn);
1045 return ERR_PTR(-EBUSY);
1046 }
1047
1048 hci_req_directed_advertising(&req, conn);
1049 goto create_conn;
1050 }
1051
1052 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
1053 if (params) {
1054 conn->le_conn_min_interval = params->conn_min_interval;
1055 conn->le_conn_max_interval = params->conn_max_interval;
1056 conn->le_conn_latency = params->conn_latency;
1057 conn->le_supv_timeout = params->supervision_timeout;
1058 } else {
1059 conn->le_conn_min_interval = hdev->le_conn_min_interval;
1060 conn->le_conn_max_interval = hdev->le_conn_max_interval;
1061 conn->le_conn_latency = hdev->le_conn_latency;
1062 conn->le_supv_timeout = hdev->le_supv_timeout;
1063 }
1064
1065 /* If controller is scanning, we stop it since some controllers are
1066 * not able to scan and connect at the same time. Also set the
1067 * HCI_LE_SCAN_INTERRUPTED flag so that the command complete
1068 * handler for scan disabling knows to set the correct discovery
1069 * state.
1070 */
1071 if (hci_dev_test_flag(hdev, HCI_LE_SCAN)) {
1072 hci_req_add_le_scan_disable(&req);
1073 hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED);
1074 }
1075
1076 hci_req_add_le_create_conn(&req, conn, direct_rpa);
1077
1078 create_conn:
1079 err = hci_req_run(&req, create_le_conn_complete);
1080 if (err) {
1081 hci_conn_del(conn);
1082 return ERR_PTR(err);
1083 }
1084
1085 return conn;
1086 }
1087
is_connected(struct hci_dev * hdev,bdaddr_t * addr,u8 type)1088 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
1089 {
1090 struct hci_conn *conn;
1091
1092 conn = hci_conn_hash_lookup_le(hdev, addr, type);
1093 if (!conn)
1094 return false;
1095
1096 if (conn->state != BT_CONNECTED)
1097 return false;
1098
1099 return true;
1100 }
1101
1102 /* This function requires the caller holds hdev->lock */
hci_explicit_conn_params_set(struct hci_dev * hdev,bdaddr_t * addr,u8 addr_type)1103 static int hci_explicit_conn_params_set(struct hci_dev *hdev,
1104 bdaddr_t *addr, u8 addr_type)
1105 {
1106 struct hci_conn_params *params;
1107
1108 if (is_connected(hdev, addr, addr_type))
1109 return -EISCONN;
1110
1111 params = hci_conn_params_lookup(hdev, addr, addr_type);
1112 if (!params) {
1113 params = hci_conn_params_add(hdev, addr, addr_type);
1114 if (!params)
1115 return -ENOMEM;
1116
1117 /* If we created new params, mark them to be deleted in
1118 * hci_connect_le_scan_cleanup. It's different case than
1119 * existing disabled params, those will stay after cleanup.
1120 */
1121 params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
1122 }
1123
1124 /* We're trying to connect, so make sure params are at pend_le_conns */
1125 if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
1126 params->auto_connect == HCI_AUTO_CONN_REPORT ||
1127 params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
1128 list_del_init(¶ms->action);
1129 list_add(¶ms->action, &hdev->pend_le_conns);
1130 }
1131
1132 params->explicit_connect = true;
1133
1134 BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
1135 params->auto_connect);
1136
1137 return 0;
1138 }
1139
1140 /* This function requires the caller holds hdev->lock */
hci_connect_le_scan(struct hci_dev * hdev,bdaddr_t * dst,u8 dst_type,u8 sec_level,u16 conn_timeout)1141 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
1142 u8 dst_type, u8 sec_level,
1143 u16 conn_timeout)
1144 {
1145 struct hci_conn *conn;
1146
1147 /* Let's make sure that le is enabled.*/
1148 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1149 if (lmp_le_capable(hdev))
1150 return ERR_PTR(-ECONNREFUSED);
1151
1152 return ERR_PTR(-EOPNOTSUPP);
1153 }
1154
1155 /* Some devices send ATT messages as soon as the physical link is
1156 * established. To be able to handle these ATT messages, the user-
1157 * space first establishes the connection and then starts the pairing
1158 * process.
1159 *
1160 * So if a hci_conn object already exists for the following connection
1161 * attempt, we simply update pending_sec_level and auth_type fields
1162 * and return the object found.
1163 */
1164 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1165 if (conn) {
1166 if (conn->pending_sec_level < sec_level)
1167 conn->pending_sec_level = sec_level;
1168 goto done;
1169 }
1170
1171 BT_DBG("requesting refresh of dst_addr");
1172
1173 conn = hci_conn_add(hdev, LE_LINK, dst, HCI_ROLE_MASTER);
1174 if (!conn)
1175 return ERR_PTR(-ENOMEM);
1176
1177 if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) {
1178 hci_conn_del(conn);
1179 return ERR_PTR(-EBUSY);
1180 }
1181
1182 conn->state = BT_CONNECT;
1183 set_bit(HCI_CONN_SCANNING, &conn->flags);
1184 conn->dst_type = dst_type;
1185 conn->sec_level = BT_SECURITY_LOW;
1186 conn->pending_sec_level = sec_level;
1187 conn->conn_timeout = conn_timeout;
1188
1189 hci_update_background_scan(hdev);
1190
1191 done:
1192 hci_conn_hold(conn);
1193 return conn;
1194 }
1195
hci_connect_acl(struct hci_dev * hdev,bdaddr_t * dst,u8 sec_level,u8 auth_type)1196 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
1197 u8 sec_level, u8 auth_type)
1198 {
1199 struct hci_conn *acl;
1200
1201 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1202 if (lmp_bredr_capable(hdev))
1203 return ERR_PTR(-ECONNREFUSED);
1204
1205 return ERR_PTR(-EOPNOTSUPP);
1206 }
1207
1208 /* Reject outgoing connection to device with same BD ADDR against
1209 * CVE-2020-26555
1210 */
1211 if (!bacmp(&hdev->bdaddr, dst)) {
1212 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
1213 dst);
1214 return ERR_PTR(-ECONNREFUSED);
1215 }
1216
1217 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
1218 if (!acl) {
1219 acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
1220 if (!acl)
1221 return ERR_PTR(-ENOMEM);
1222 }
1223
1224 hci_conn_hold(acl);
1225
1226 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
1227 acl->sec_level = BT_SECURITY_LOW;
1228 acl->pending_sec_level = sec_level;
1229 acl->auth_type = auth_type;
1230 hci_acl_create_connection(acl);
1231 }
1232
1233 return acl;
1234 }
1235
hci_connect_sco(struct hci_dev * hdev,int type,bdaddr_t * dst,__u16 setting)1236 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
1237 __u16 setting)
1238 {
1239 struct hci_conn *acl;
1240 struct hci_conn *sco;
1241
1242 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING);
1243 if (IS_ERR(acl))
1244 return acl;
1245
1246 sco = hci_conn_hash_lookup_ba(hdev, type, dst);
1247 if (!sco) {
1248 sco = hci_conn_add(hdev, type, dst, HCI_ROLE_MASTER);
1249 if (!sco) {
1250 hci_conn_drop(acl);
1251 return ERR_PTR(-ENOMEM);
1252 }
1253 }
1254
1255 acl->link = sco;
1256 sco->link = acl;
1257
1258 hci_conn_hold(sco);
1259
1260 sco->setting = setting;
1261
1262 if (acl->state == BT_CONNECTED &&
1263 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
1264 set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
1265 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
1266
1267 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
1268 /* defer SCO setup until mode change completed */
1269 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
1270 return sco;
1271 }
1272
1273 hci_sco_setup(acl, 0x00);
1274 }
1275
1276 return sco;
1277 }
1278
1279 /* Check link security requirement */
hci_conn_check_link_mode(struct hci_conn * conn)1280 int hci_conn_check_link_mode(struct hci_conn *conn)
1281 {
1282 BT_DBG("hcon %p", conn);
1283
1284 /* In Secure Connections Only mode, it is required that Secure
1285 * Connections is used and the link is encrypted with AES-CCM
1286 * using a P-256 authenticated combination key.
1287 */
1288 if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) {
1289 if (!hci_conn_sc_enabled(conn) ||
1290 !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
1291 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
1292 return 0;
1293 }
1294
1295 /* AES encryption is required for Level 4:
1296 *
1297 * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C
1298 * page 1319:
1299 *
1300 * 128-bit equivalent strength for link and encryption keys
1301 * required using FIPS approved algorithms (E0 not allowed,
1302 * SAFER+ not allowed, and P-192 not allowed; encryption key
1303 * not shortened)
1304 */
1305 if (conn->sec_level == BT_SECURITY_FIPS &&
1306 !test_bit(HCI_CONN_AES_CCM, &conn->flags)) {
1307 bt_dev_err(conn->hdev,
1308 "Invalid security: Missing AES-CCM usage");
1309 return 0;
1310 }
1311
1312 if (hci_conn_ssp_enabled(conn) &&
1313 !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1314 return 0;
1315
1316 return 1;
1317 }
1318
1319 /* Authenticate remote device */
hci_conn_auth(struct hci_conn * conn,__u8 sec_level,__u8 auth_type)1320 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
1321 {
1322 BT_DBG("hcon %p", conn);
1323
1324 if (conn->pending_sec_level > sec_level)
1325 sec_level = conn->pending_sec_level;
1326
1327 if (sec_level > conn->sec_level)
1328 conn->pending_sec_level = sec_level;
1329 else if (test_bit(HCI_CONN_AUTH, &conn->flags))
1330 return 1;
1331
1332 /* Make sure we preserve an existing MITM requirement*/
1333 auth_type |= (conn->auth_type & 0x01);
1334
1335 conn->auth_type = auth_type;
1336
1337 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1338 struct hci_cp_auth_requested cp;
1339
1340 cp.handle = cpu_to_le16(conn->handle);
1341 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
1342 sizeof(cp), &cp);
1343
1344 /* Set the ENCRYPT_PEND to trigger encryption after
1345 * authentication.
1346 */
1347 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1348 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
1349 }
1350
1351 return 0;
1352 }
1353
1354 /* Encrypt the the link */
hci_conn_encrypt(struct hci_conn * conn)1355 static void hci_conn_encrypt(struct hci_conn *conn)
1356 {
1357 BT_DBG("hcon %p", conn);
1358
1359 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
1360 struct hci_cp_set_conn_encrypt cp;
1361 cp.handle = cpu_to_le16(conn->handle);
1362 cp.encrypt = 0x01;
1363 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
1364 &cp);
1365 }
1366 }
1367
1368 /* Enable security */
hci_conn_security(struct hci_conn * conn,__u8 sec_level,__u8 auth_type,bool initiator)1369 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
1370 bool initiator)
1371 {
1372 BT_DBG("hcon %p", conn);
1373
1374 if (conn->type == LE_LINK)
1375 return smp_conn_security(conn, sec_level);
1376
1377 /* For sdp we don't need the link key. */
1378 if (sec_level == BT_SECURITY_SDP)
1379 return 1;
1380
1381 /* For non 2.1 devices and low security level we don't need the link
1382 key. */
1383 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
1384 return 1;
1385
1386 /* For other security levels we need the link key. */
1387 if (!test_bit(HCI_CONN_AUTH, &conn->flags))
1388 goto auth;
1389
1390 switch (conn->key_type) {
1391 case HCI_LK_AUTH_COMBINATION_P256:
1392 /* An authenticated FIPS approved combination key has
1393 * sufficient security for security level 4 or lower.
1394 */
1395 if (sec_level <= BT_SECURITY_FIPS)
1396 goto encrypt;
1397 break;
1398 case HCI_LK_AUTH_COMBINATION_P192:
1399 /* An authenticated combination key has sufficient security for
1400 * security level 3 or lower.
1401 */
1402 if (sec_level <= BT_SECURITY_HIGH)
1403 goto encrypt;
1404 break;
1405 case HCI_LK_UNAUTH_COMBINATION_P192:
1406 case HCI_LK_UNAUTH_COMBINATION_P256:
1407 /* An unauthenticated combination key has sufficient security
1408 * for security level 2 or lower.
1409 */
1410 if (sec_level <= BT_SECURITY_MEDIUM)
1411 goto encrypt;
1412 break;
1413 case HCI_LK_COMBINATION:
1414 /* A combination key has always sufficient security for the
1415 * security levels 2 or lower. High security level requires the
1416 * combination key is generated using maximum PIN code length
1417 * (16). For pre 2.1 units.
1418 */
1419 if (sec_level <= BT_SECURITY_MEDIUM || conn->pin_length == 16)
1420 goto encrypt;
1421 break;
1422 default:
1423 break;
1424 }
1425
1426 auth:
1427 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
1428 return 0;
1429
1430 if (initiator)
1431 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1432
1433 if (!hci_conn_auth(conn, sec_level, auth_type))
1434 return 0;
1435
1436 encrypt:
1437 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) {
1438 /* Ensure that the encryption key size has been read,
1439 * otherwise stall the upper layer responses.
1440 */
1441 if (!conn->enc_key_size)
1442 return 0;
1443
1444 /* Nothing else needed, all requirements are met */
1445 return 1;
1446 }
1447
1448 hci_conn_encrypt(conn);
1449 return 0;
1450 }
1451 EXPORT_SYMBOL(hci_conn_security);
1452
1453 /* Check secure link requirement */
hci_conn_check_secure(struct hci_conn * conn,__u8 sec_level)1454 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
1455 {
1456 BT_DBG("hcon %p", conn);
1457
1458 /* Accept if non-secure or higher security level is required */
1459 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
1460 return 1;
1461
1462 /* Accept if secure or higher security level is already present */
1463 if (conn->sec_level == BT_SECURITY_HIGH ||
1464 conn->sec_level == BT_SECURITY_FIPS)
1465 return 1;
1466
1467 /* Reject not secure link */
1468 return 0;
1469 }
1470 EXPORT_SYMBOL(hci_conn_check_secure);
1471
1472 /* Switch role */
hci_conn_switch_role(struct hci_conn * conn,__u8 role)1473 int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
1474 {
1475 BT_DBG("hcon %p", conn);
1476
1477 if (role == conn->role)
1478 return 1;
1479
1480 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
1481 struct hci_cp_switch_role cp;
1482 bacpy(&cp.bdaddr, &conn->dst);
1483 cp.role = role;
1484 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
1485 }
1486
1487 return 0;
1488 }
1489 EXPORT_SYMBOL(hci_conn_switch_role);
1490
1491 /* Enter active mode */
hci_conn_enter_active_mode(struct hci_conn * conn,__u8 force_active)1492 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
1493 {
1494 struct hci_dev *hdev = conn->hdev;
1495
1496 BT_DBG("hcon %p mode %d", conn, conn->mode);
1497
1498 if (conn->mode != HCI_CM_SNIFF)
1499 goto timer;
1500
1501 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
1502 goto timer;
1503
1504 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
1505 struct hci_cp_exit_sniff_mode cp;
1506 cp.handle = cpu_to_le16(conn->handle);
1507 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
1508 }
1509
1510 timer:
1511 if (hdev->idle_timeout > 0)
1512 queue_delayed_work(hdev->workqueue, &conn->idle_work,
1513 msecs_to_jiffies(hdev->idle_timeout));
1514 }
1515
1516 /* Drop all connection on the device */
hci_conn_hash_flush(struct hci_dev * hdev)1517 void hci_conn_hash_flush(struct hci_dev *hdev)
1518 {
1519 struct hci_conn_hash *h = &hdev->conn_hash;
1520 struct hci_conn *c, *n;
1521
1522 BT_DBG("hdev %s", hdev->name);
1523
1524 list_for_each_entry_safe(c, n, &h->list, list) {
1525 c->state = BT_CLOSED;
1526
1527 hci_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM);
1528 hci_conn_del(c);
1529 }
1530 }
1531
1532 /* Check pending connect attempts */
hci_conn_check_pending(struct hci_dev * hdev)1533 void hci_conn_check_pending(struct hci_dev *hdev)
1534 {
1535 struct hci_conn *conn;
1536
1537 BT_DBG("hdev %s", hdev->name);
1538
1539 hci_dev_lock(hdev);
1540
1541 conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2);
1542 if (conn)
1543 hci_acl_create_connection(conn);
1544
1545 hci_dev_unlock(hdev);
1546 }
1547
get_link_mode(struct hci_conn * conn)1548 static u32 get_link_mode(struct hci_conn *conn)
1549 {
1550 u32 link_mode = 0;
1551
1552 if (conn->role == HCI_ROLE_MASTER)
1553 link_mode |= HCI_LM_MASTER;
1554
1555 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1556 link_mode |= HCI_LM_ENCRYPT;
1557
1558 if (test_bit(HCI_CONN_AUTH, &conn->flags))
1559 link_mode |= HCI_LM_AUTH;
1560
1561 if (test_bit(HCI_CONN_SECURE, &conn->flags))
1562 link_mode |= HCI_LM_SECURE;
1563
1564 if (test_bit(HCI_CONN_FIPS, &conn->flags))
1565 link_mode |= HCI_LM_FIPS;
1566
1567 return link_mode;
1568 }
1569
hci_get_conn_list(void __user * arg)1570 int hci_get_conn_list(void __user *arg)
1571 {
1572 struct hci_conn *c;
1573 struct hci_conn_list_req req, *cl;
1574 struct hci_conn_info *ci;
1575 struct hci_dev *hdev;
1576 int n = 0, size, err;
1577
1578 if (copy_from_user(&req, arg, sizeof(req)))
1579 return -EFAULT;
1580
1581 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
1582 return -EINVAL;
1583
1584 size = sizeof(req) + req.conn_num * sizeof(*ci);
1585
1586 cl = kmalloc(size, GFP_KERNEL);
1587 if (!cl)
1588 return -ENOMEM;
1589
1590 hdev = hci_dev_get(req.dev_id);
1591 if (!hdev) {
1592 kfree(cl);
1593 return -ENODEV;
1594 }
1595
1596 ci = cl->conn_info;
1597
1598 hci_dev_lock(hdev);
1599 list_for_each_entry(c, &hdev->conn_hash.list, list) {
1600 bacpy(&(ci + n)->bdaddr, &c->dst);
1601 (ci + n)->handle = c->handle;
1602 (ci + n)->type = c->type;
1603 (ci + n)->out = c->out;
1604 (ci + n)->state = c->state;
1605 (ci + n)->link_mode = get_link_mode(c);
1606 if (++n >= req.conn_num)
1607 break;
1608 }
1609 hci_dev_unlock(hdev);
1610
1611 cl->dev_id = hdev->id;
1612 cl->conn_num = n;
1613 size = sizeof(req) + n * sizeof(*ci);
1614
1615 hci_dev_put(hdev);
1616
1617 err = copy_to_user(arg, cl, size);
1618 kfree(cl);
1619
1620 return err ? -EFAULT : 0;
1621 }
1622
hci_get_conn_info(struct hci_dev * hdev,void __user * arg)1623 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
1624 {
1625 struct hci_conn_info_req req;
1626 struct hci_conn_info ci;
1627 struct hci_conn *conn;
1628 char __user *ptr = arg + sizeof(req);
1629
1630 if (copy_from_user(&req, arg, sizeof(req)))
1631 return -EFAULT;
1632
1633 hci_dev_lock(hdev);
1634 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
1635 if (conn) {
1636 bacpy(&ci.bdaddr, &conn->dst);
1637 ci.handle = conn->handle;
1638 ci.type = conn->type;
1639 ci.out = conn->out;
1640 ci.state = conn->state;
1641 ci.link_mode = get_link_mode(conn);
1642 }
1643 hci_dev_unlock(hdev);
1644
1645 if (!conn)
1646 return -ENOENT;
1647
1648 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
1649 }
1650
hci_get_auth_info(struct hci_dev * hdev,void __user * arg)1651 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
1652 {
1653 struct hci_auth_info_req req;
1654 struct hci_conn *conn;
1655
1656 if (copy_from_user(&req, arg, sizeof(req)))
1657 return -EFAULT;
1658
1659 hci_dev_lock(hdev);
1660 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
1661 if (conn)
1662 req.type = conn->auth_type;
1663 hci_dev_unlock(hdev);
1664
1665 if (!conn)
1666 return -ENOENT;
1667
1668 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
1669 }
1670
hci_chan_create(struct hci_conn * conn)1671 struct hci_chan *hci_chan_create(struct hci_conn *conn)
1672 {
1673 struct hci_dev *hdev = conn->hdev;
1674 struct hci_chan *chan;
1675
1676 BT_DBG("%s hcon %p", hdev->name, conn);
1677
1678 if (test_bit(HCI_CONN_DROP, &conn->flags)) {
1679 BT_DBG("Refusing to create new hci_chan");
1680 return NULL;
1681 }
1682
1683 chan = kzalloc(sizeof(*chan), GFP_KERNEL);
1684 if (!chan)
1685 return NULL;
1686
1687 chan->conn = hci_conn_get(conn);
1688 skb_queue_head_init(&chan->data_q);
1689 chan->state = BT_CONNECTED;
1690
1691 list_add_rcu(&chan->list, &conn->chan_list);
1692
1693 return chan;
1694 }
1695
hci_chan_del(struct hci_chan * chan)1696 void hci_chan_del(struct hci_chan *chan)
1697 {
1698 struct hci_conn *conn = chan->conn;
1699 struct hci_dev *hdev = conn->hdev;
1700
1701 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
1702
1703 list_del_rcu(&chan->list);
1704
1705 synchronize_rcu();
1706
1707 /* Prevent new hci_chan's to be created for this hci_conn */
1708 set_bit(HCI_CONN_DROP, &conn->flags);
1709
1710 hci_conn_put(conn);
1711
1712 skb_queue_purge(&chan->data_q);
1713 kfree(chan);
1714 }
1715
hci_chan_list_flush(struct hci_conn * conn)1716 void hci_chan_list_flush(struct hci_conn *conn)
1717 {
1718 struct hci_chan *chan, *n;
1719
1720 BT_DBG("hcon %p", conn);
1721
1722 list_for_each_entry_safe(chan, n, &conn->chan_list, list)
1723 hci_chan_del(chan);
1724 }
1725
__hci_chan_lookup_handle(struct hci_conn * hcon,__u16 handle)1726 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
1727 __u16 handle)
1728 {
1729 struct hci_chan *hchan;
1730
1731 list_for_each_entry(hchan, &hcon->chan_list, list) {
1732 if (hchan->handle == handle)
1733 return hchan;
1734 }
1735
1736 return NULL;
1737 }
1738
hci_chan_lookup_handle(struct hci_dev * hdev,__u16 handle)1739 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
1740 {
1741 struct hci_conn_hash *h = &hdev->conn_hash;
1742 struct hci_conn *hcon;
1743 struct hci_chan *hchan = NULL;
1744
1745 rcu_read_lock();
1746
1747 list_for_each_entry_rcu(hcon, &h->list, list) {
1748 hchan = __hci_chan_lookup_handle(hcon, handle);
1749 if (hchan)
1750 break;
1751 }
1752
1753 rcu_read_unlock();
1754
1755 return hchan;
1756 }
1757