1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4 Copyright 2023-2024 NXP
5
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
11
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
24 */
25
26 /* Bluetooth HCI connection handling. */
27
28 #include <linux/export.h>
29 #include <linux/debugfs.h>
30
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/iso.h>
35 #include <net/bluetooth/mgmt.h>
36
37 #include "smp.h"
38 #include "eir.h"
39
40 struct sco_param {
41 u16 pkt_type;
42 u16 max_latency;
43 u8 retrans_effort;
44 };
45
46 struct conn_handle_t {
47 struct hci_conn *conn;
48 __u16 handle;
49 };
50
51 static const struct sco_param esco_param_cvsd[] = {
52 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */
53 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */
54 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */
55 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */
56 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */
57 };
58
59 static const struct sco_param sco_param_cvsd[] = {
60 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */
61 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */
62 };
63
64 static const struct sco_param esco_param_msbc[] = {
65 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */
66 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */
67 };
68
69 /* This function requires the caller holds hdev->lock */
hci_connect_le_scan_cleanup(struct hci_conn * conn,u8 status)70 void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
71 {
72 struct hci_conn_params *params;
73 struct hci_dev *hdev = conn->hdev;
74 struct smp_irk *irk;
75 bdaddr_t *bdaddr;
76 u8 bdaddr_type;
77
78 bdaddr = &conn->dst;
79 bdaddr_type = conn->dst_type;
80
81 /* Check if we need to convert to identity address */
82 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
83 if (irk) {
84 bdaddr = &irk->bdaddr;
85 bdaddr_type = irk->addr_type;
86 }
87
88 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr,
89 bdaddr_type);
90 if (!params)
91 return;
92
93 if (params->conn) {
94 hci_conn_drop(params->conn);
95 hci_conn_put(params->conn);
96 params->conn = NULL;
97 }
98
99 if (!params->explicit_connect)
100 return;
101
102 /* If the status indicates successful cancellation of
103 * the attempt (i.e. Unknown Connection Id) there's no point of
104 * notifying failure since we'll go back to keep trying to
105 * connect. The only exception is explicit connect requests
106 * where a timeout + cancel does indicate an actual failure.
107 */
108 if (status && status != HCI_ERROR_UNKNOWN_CONN_ID)
109 mgmt_connect_failed(hdev, conn, status);
110
111 /* The connection attempt was doing scan for new RPA, and is
112 * in scan phase. If params are not associated with any other
113 * autoconnect action, remove them completely. If they are, just unmark
114 * them as waiting for connection, by clearing explicit_connect field.
115 */
116 params->explicit_connect = false;
117
118 hci_pend_le_list_del_init(params);
119
120 switch (params->auto_connect) {
121 case HCI_AUTO_CONN_EXPLICIT:
122 hci_conn_params_del(hdev, bdaddr, bdaddr_type);
123 /* return instead of break to avoid duplicate scan update */
124 return;
125 case HCI_AUTO_CONN_DIRECT:
126 case HCI_AUTO_CONN_ALWAYS:
127 hci_pend_le_list_add(params, &hdev->pend_le_conns);
128 break;
129 case HCI_AUTO_CONN_REPORT:
130 hci_pend_le_list_add(params, &hdev->pend_le_reports);
131 break;
132 default:
133 break;
134 }
135
136 hci_update_passive_scan(hdev);
137 }
138
hci_conn_cleanup(struct hci_conn * conn)139 static void hci_conn_cleanup(struct hci_conn *conn)
140 {
141 struct hci_dev *hdev = conn->hdev;
142
143 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
144 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);
145
146 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
147 hci_remove_link_key(hdev, &conn->dst);
148
149 hci_chan_list_flush(conn);
150
151 hci_conn_hash_del(hdev, conn);
152
153 if (HCI_CONN_HANDLE_UNSET(conn->handle))
154 ida_free(&hdev->unset_handle_ida, conn->handle);
155
156 if (conn->cleanup)
157 conn->cleanup(conn);
158
159 if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
160 switch (conn->setting & SCO_AIRMODE_MASK) {
161 case SCO_AIRMODE_CVSD:
162 case SCO_AIRMODE_TRANSP:
163 if (hdev->notify)
164 hdev->notify(hdev, HCI_NOTIFY_DISABLE_SCO);
165 break;
166 }
167 } else {
168 if (hdev->notify)
169 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
170 }
171
172 debugfs_remove_recursive(conn->debugfs);
173
174 hci_conn_del_sysfs(conn);
175
176 hci_dev_put(hdev);
177 }
178
hci_disconnect(struct hci_conn * conn,__u8 reason)179 int hci_disconnect(struct hci_conn *conn, __u8 reason)
180 {
181 BT_DBG("hcon %p", conn);
182
183 /* When we are central of an established connection and it enters
184 * the disconnect timeout, then go ahead and try to read the
185 * current clock offset. Processing of the result is done
186 * within the event handling and hci_clock_offset_evt function.
187 */
188 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER &&
189 (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) {
190 struct hci_dev *hdev = conn->hdev;
191 struct hci_cp_read_clock_offset clkoff_cp;
192
193 clkoff_cp.handle = cpu_to_le16(conn->handle);
194 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp),
195 &clkoff_cp);
196 }
197
198 return hci_abort_conn(conn, reason);
199 }
200
hci_add_sco(struct hci_conn * conn,__u16 handle)201 static void hci_add_sco(struct hci_conn *conn, __u16 handle)
202 {
203 struct hci_dev *hdev = conn->hdev;
204 struct hci_cp_add_sco cp;
205
206 BT_DBG("hcon %p", conn);
207
208 conn->state = BT_CONNECT;
209 conn->out = true;
210
211 conn->attempt++;
212
213 cp.handle = cpu_to_le16(handle);
214 cp.pkt_type = cpu_to_le16(conn->pkt_type);
215
216 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
217 }
218
find_next_esco_param(struct hci_conn * conn,const struct sco_param * esco_param,int size)219 static bool find_next_esco_param(struct hci_conn *conn,
220 const struct sco_param *esco_param, int size)
221 {
222 if (!conn->parent)
223 return false;
224
225 for (; conn->attempt <= size; conn->attempt++) {
226 if (lmp_esco_2m_capable(conn->parent) ||
227 (esco_param[conn->attempt - 1].pkt_type & ESCO_2EV3))
228 break;
229 BT_DBG("hcon %p skipped attempt %d, eSCO 2M not supported",
230 conn, conn->attempt);
231 }
232
233 return conn->attempt <= size;
234 }
235
configure_datapath_sync(struct hci_dev * hdev,struct bt_codec * codec)236 static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec)
237 {
238 int err;
239 __u8 vnd_len, *vnd_data = NULL;
240 struct hci_op_configure_data_path *cmd = NULL;
241
242 /* Do not take below 2 checks as error since the 1st means user do not
243 * want to use HFP offload mode and the 2nd means the vendor controller
244 * do not need to send below HCI command for offload mode.
245 */
246 if (!codec->data_path || !hdev->get_codec_config_data)
247 return 0;
248
249 err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len,
250 &vnd_data);
251 if (err < 0)
252 goto error;
253
254 cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL);
255 if (!cmd) {
256 err = -ENOMEM;
257 goto error;
258 }
259
260 err = hdev->get_data_path_id(hdev, &cmd->data_path_id);
261 if (err < 0)
262 goto error;
263
264 cmd->vnd_len = vnd_len;
265 memcpy(cmd->vnd_data, vnd_data, vnd_len);
266
267 cmd->direction = 0x00;
268 __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
269 sizeof(*cmd) + vnd_len, cmd, HCI_CMD_TIMEOUT);
270
271 cmd->direction = 0x01;
272 err = __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
273 sizeof(*cmd) + vnd_len, cmd,
274 HCI_CMD_TIMEOUT);
275 error:
276
277 kfree(cmd);
278 kfree(vnd_data);
279 return err;
280 }
281
hci_enhanced_setup_sync(struct hci_dev * hdev,void * data)282 static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data)
283 {
284 struct conn_handle_t *conn_handle = data;
285 struct hci_conn *conn = conn_handle->conn;
286 __u16 handle = conn_handle->handle;
287 struct hci_cp_enhanced_setup_sync_conn cp;
288 const struct sco_param *param;
289
290 kfree(conn_handle);
291
292 if (!hci_conn_valid(hdev, conn))
293 return -ECANCELED;
294
295 bt_dev_dbg(hdev, "hcon %p", conn);
296
297 configure_datapath_sync(hdev, &conn->codec);
298
299 conn->state = BT_CONNECT;
300 conn->out = true;
301
302 conn->attempt++;
303
304 memset(&cp, 0x00, sizeof(cp));
305
306 cp.handle = cpu_to_le16(handle);
307
308 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
309 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
310
311 switch (conn->codec.id) {
312 case BT_CODEC_MSBC:
313 if (!find_next_esco_param(conn, esco_param_msbc,
314 ARRAY_SIZE(esco_param_msbc)))
315 return -EINVAL;
316
317 param = &esco_param_msbc[conn->attempt - 1];
318 cp.tx_coding_format.id = 0x05;
319 cp.rx_coding_format.id = 0x05;
320 cp.tx_codec_frame_size = __cpu_to_le16(60);
321 cp.rx_codec_frame_size = __cpu_to_le16(60);
322 cp.in_bandwidth = __cpu_to_le32(32000);
323 cp.out_bandwidth = __cpu_to_le32(32000);
324 cp.in_coding_format.id = 0x04;
325 cp.out_coding_format.id = 0x04;
326 cp.in_coded_data_size = __cpu_to_le16(16);
327 cp.out_coded_data_size = __cpu_to_le16(16);
328 cp.in_pcm_data_format = 2;
329 cp.out_pcm_data_format = 2;
330 cp.in_pcm_sample_payload_msb_pos = 0;
331 cp.out_pcm_sample_payload_msb_pos = 0;
332 cp.in_data_path = conn->codec.data_path;
333 cp.out_data_path = conn->codec.data_path;
334 cp.in_transport_unit_size = 1;
335 cp.out_transport_unit_size = 1;
336 break;
337
338 case BT_CODEC_TRANSPARENT:
339 if (!find_next_esco_param(conn, esco_param_msbc,
340 ARRAY_SIZE(esco_param_msbc)))
341 return -EINVAL;
342
343 param = &esco_param_msbc[conn->attempt - 1];
344 cp.tx_coding_format.id = 0x03;
345 cp.rx_coding_format.id = 0x03;
346 cp.tx_codec_frame_size = __cpu_to_le16(60);
347 cp.rx_codec_frame_size = __cpu_to_le16(60);
348 cp.in_bandwidth = __cpu_to_le32(0x1f40);
349 cp.out_bandwidth = __cpu_to_le32(0x1f40);
350 cp.in_coding_format.id = 0x03;
351 cp.out_coding_format.id = 0x03;
352 cp.in_coded_data_size = __cpu_to_le16(16);
353 cp.out_coded_data_size = __cpu_to_le16(16);
354 cp.in_pcm_data_format = 2;
355 cp.out_pcm_data_format = 2;
356 cp.in_pcm_sample_payload_msb_pos = 0;
357 cp.out_pcm_sample_payload_msb_pos = 0;
358 cp.in_data_path = conn->codec.data_path;
359 cp.out_data_path = conn->codec.data_path;
360 cp.in_transport_unit_size = 1;
361 cp.out_transport_unit_size = 1;
362 break;
363
364 case BT_CODEC_CVSD:
365 if (conn->parent && lmp_esco_capable(conn->parent)) {
366 if (!find_next_esco_param(conn, esco_param_cvsd,
367 ARRAY_SIZE(esco_param_cvsd)))
368 return -EINVAL;
369 param = &esco_param_cvsd[conn->attempt - 1];
370 } else {
371 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
372 return -EINVAL;
373 param = &sco_param_cvsd[conn->attempt - 1];
374 }
375 cp.tx_coding_format.id = 2;
376 cp.rx_coding_format.id = 2;
377 cp.tx_codec_frame_size = __cpu_to_le16(60);
378 cp.rx_codec_frame_size = __cpu_to_le16(60);
379 cp.in_bandwidth = __cpu_to_le32(16000);
380 cp.out_bandwidth = __cpu_to_le32(16000);
381 cp.in_coding_format.id = 4;
382 cp.out_coding_format.id = 4;
383 cp.in_coded_data_size = __cpu_to_le16(16);
384 cp.out_coded_data_size = __cpu_to_le16(16);
385 cp.in_pcm_data_format = 2;
386 cp.out_pcm_data_format = 2;
387 cp.in_pcm_sample_payload_msb_pos = 0;
388 cp.out_pcm_sample_payload_msb_pos = 0;
389 cp.in_data_path = conn->codec.data_path;
390 cp.out_data_path = conn->codec.data_path;
391 cp.in_transport_unit_size = 16;
392 cp.out_transport_unit_size = 16;
393 break;
394 default:
395 return -EINVAL;
396 }
397
398 cp.retrans_effort = param->retrans_effort;
399 cp.pkt_type = __cpu_to_le16(param->pkt_type);
400 cp.max_latency = __cpu_to_le16(param->max_latency);
401
402 if (hci_send_cmd(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
403 return -EIO;
404
405 return 0;
406 }
407
hci_setup_sync_conn(struct hci_conn * conn,__u16 handle)408 static bool hci_setup_sync_conn(struct hci_conn *conn, __u16 handle)
409 {
410 struct hci_dev *hdev = conn->hdev;
411 struct hci_cp_setup_sync_conn cp;
412 const struct sco_param *param;
413
414 bt_dev_dbg(hdev, "hcon %p", conn);
415
416 conn->state = BT_CONNECT;
417 conn->out = true;
418
419 conn->attempt++;
420
421 cp.handle = cpu_to_le16(handle);
422
423 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
424 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
425 cp.voice_setting = cpu_to_le16(conn->setting);
426
427 switch (conn->setting & SCO_AIRMODE_MASK) {
428 case SCO_AIRMODE_TRANSP:
429 if (!find_next_esco_param(conn, esco_param_msbc,
430 ARRAY_SIZE(esco_param_msbc)))
431 return false;
432 param = &esco_param_msbc[conn->attempt - 1];
433 break;
434 case SCO_AIRMODE_CVSD:
435 if (conn->parent && lmp_esco_capable(conn->parent)) {
436 if (!find_next_esco_param(conn, esco_param_cvsd,
437 ARRAY_SIZE(esco_param_cvsd)))
438 return false;
439 param = &esco_param_cvsd[conn->attempt - 1];
440 } else {
441 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
442 return false;
443 param = &sco_param_cvsd[conn->attempt - 1];
444 }
445 break;
446 default:
447 return false;
448 }
449
450 cp.retrans_effort = param->retrans_effort;
451 cp.pkt_type = __cpu_to_le16(param->pkt_type);
452 cp.max_latency = __cpu_to_le16(param->max_latency);
453
454 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
455 return false;
456
457 return true;
458 }
459
hci_setup_sync(struct hci_conn * conn,__u16 handle)460 bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
461 {
462 int result;
463 struct conn_handle_t *conn_handle;
464
465 if (enhanced_sync_conn_capable(conn->hdev)) {
466 conn_handle = kzalloc(sizeof(*conn_handle), GFP_KERNEL);
467
468 if (!conn_handle)
469 return false;
470
471 conn_handle->conn = conn;
472 conn_handle->handle = handle;
473 result = hci_cmd_sync_queue(conn->hdev, hci_enhanced_setup_sync,
474 conn_handle, NULL);
475 if (result < 0)
476 kfree(conn_handle);
477
478 return result == 0;
479 }
480
481 return hci_setup_sync_conn(conn, handle);
482 }
483
hci_le_conn_update(struct hci_conn * conn,u16 min,u16 max,u16 latency,u16 to_multiplier)484 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
485 u16 to_multiplier)
486 {
487 struct hci_dev *hdev = conn->hdev;
488 struct hci_conn_params *params;
489 struct hci_cp_le_conn_update cp;
490
491 hci_dev_lock(hdev);
492
493 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
494 if (params) {
495 params->conn_min_interval = min;
496 params->conn_max_interval = max;
497 params->conn_latency = latency;
498 params->supervision_timeout = to_multiplier;
499 }
500
501 hci_dev_unlock(hdev);
502
503 memset(&cp, 0, sizeof(cp));
504 cp.handle = cpu_to_le16(conn->handle);
505 cp.conn_interval_min = cpu_to_le16(min);
506 cp.conn_interval_max = cpu_to_le16(max);
507 cp.conn_latency = cpu_to_le16(latency);
508 cp.supervision_timeout = cpu_to_le16(to_multiplier);
509 cp.min_ce_len = cpu_to_le16(0x0000);
510 cp.max_ce_len = cpu_to_le16(0x0000);
511
512 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
513
514 if (params)
515 return 0x01;
516
517 return 0x00;
518 }
519
hci_le_start_enc(struct hci_conn * conn,__le16 ediv,__le64 rand,__u8 ltk[16],__u8 key_size)520 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
521 __u8 ltk[16], __u8 key_size)
522 {
523 struct hci_dev *hdev = conn->hdev;
524 struct hci_cp_le_start_enc cp;
525
526 BT_DBG("hcon %p", conn);
527
528 memset(&cp, 0, sizeof(cp));
529
530 cp.handle = cpu_to_le16(conn->handle);
531 cp.rand = rand;
532 cp.ediv = ediv;
533 memcpy(cp.ltk, ltk, key_size);
534
535 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
536 }
537
538 /* Device _must_ be locked */
hci_sco_setup(struct hci_conn * conn,__u8 status)539 void hci_sco_setup(struct hci_conn *conn, __u8 status)
540 {
541 struct hci_link *link;
542
543 link = list_first_entry_or_null(&conn->link_list, struct hci_link, list);
544 if (!link || !link->conn)
545 return;
546
547 BT_DBG("hcon %p", conn);
548
549 if (!status) {
550 if (lmp_esco_capable(conn->hdev))
551 hci_setup_sync(link->conn, conn->handle);
552 else
553 hci_add_sco(link->conn, conn->handle);
554 } else {
555 hci_connect_cfm(link->conn, status);
556 hci_conn_del(link->conn);
557 }
558 }
559
hci_conn_timeout(struct work_struct * work)560 static void hci_conn_timeout(struct work_struct *work)
561 {
562 struct hci_conn *conn = container_of(work, struct hci_conn,
563 disc_work.work);
564 int refcnt = atomic_read(&conn->refcnt);
565
566 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
567
568 WARN_ON(refcnt < 0);
569
570 /* FIXME: It was observed that in pairing failed scenario, refcnt
571 * drops below 0. Probably this is because l2cap_conn_del calls
572 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
573 * dropped. After that loop hci_chan_del is called which also drops
574 * conn. For now make sure that ACL is alive if refcnt is higher then 0,
575 * otherwise drop it.
576 */
577 if (refcnt > 0)
578 return;
579
580 hci_abort_conn(conn, hci_proto_disconn_ind(conn));
581 }
582
583 /* Enter sniff mode */
hci_conn_idle(struct work_struct * work)584 static void hci_conn_idle(struct work_struct *work)
585 {
586 struct hci_conn *conn = container_of(work, struct hci_conn,
587 idle_work.work);
588 struct hci_dev *hdev = conn->hdev;
589
590 BT_DBG("hcon %p mode %d", conn, conn->mode);
591
592 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
593 return;
594
595 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
596 return;
597
598 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
599 struct hci_cp_sniff_subrate cp;
600 cp.handle = cpu_to_le16(conn->handle);
601 cp.max_latency = cpu_to_le16(0);
602 cp.min_remote_timeout = cpu_to_le16(0);
603 cp.min_local_timeout = cpu_to_le16(0);
604 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
605 }
606
607 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
608 struct hci_cp_sniff_mode cp;
609 cp.handle = cpu_to_le16(conn->handle);
610 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
611 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
612 cp.attempt = cpu_to_le16(4);
613 cp.timeout = cpu_to_le16(1);
614 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
615 }
616 }
617
hci_conn_auto_accept(struct work_struct * work)618 static void hci_conn_auto_accept(struct work_struct *work)
619 {
620 struct hci_conn *conn = container_of(work, struct hci_conn,
621 auto_accept_work.work);
622
623 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
624 &conn->dst);
625 }
626
le_disable_advertising(struct hci_dev * hdev)627 static void le_disable_advertising(struct hci_dev *hdev)
628 {
629 if (ext_adv_capable(hdev)) {
630 struct hci_cp_le_set_ext_adv_enable cp;
631
632 cp.enable = 0x00;
633 cp.num_of_sets = 0x00;
634
635 hci_send_cmd(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE, sizeof(cp),
636 &cp);
637 } else {
638 u8 enable = 0x00;
639 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
640 &enable);
641 }
642 }
643
le_conn_timeout(struct work_struct * work)644 static void le_conn_timeout(struct work_struct *work)
645 {
646 struct hci_conn *conn = container_of(work, struct hci_conn,
647 le_conn_timeout.work);
648 struct hci_dev *hdev = conn->hdev;
649
650 BT_DBG("");
651
652 /* We could end up here due to having done directed advertising,
653 * so clean up the state if necessary. This should however only
654 * happen with broken hardware or if low duty cycle was used
655 * (which doesn't have a timeout of its own).
656 */
657 if (conn->role == HCI_ROLE_SLAVE) {
658 /* Disable LE Advertising */
659 le_disable_advertising(hdev);
660 hci_dev_lock(hdev);
661 hci_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
662 hci_dev_unlock(hdev);
663 return;
664 }
665
666 hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
667 }
668
669 struct iso_list_data {
670 union {
671 u8 cig;
672 u8 big;
673 };
674 union {
675 u8 cis;
676 u8 bis;
677 u16 sync_handle;
678 };
679 int count;
680 bool big_term;
681 bool pa_sync_term;
682 bool big_sync_term;
683 };
684
bis_list(struct hci_conn * conn,void * data)685 static void bis_list(struct hci_conn *conn, void *data)
686 {
687 struct iso_list_data *d = data;
688
689 /* Skip if not broadcast/ANY address */
690 if (bacmp(&conn->dst, BDADDR_ANY))
691 return;
692
693 if (d->big != conn->iso_qos.bcast.big || d->bis == BT_ISO_QOS_BIS_UNSET ||
694 d->bis != conn->iso_qos.bcast.bis)
695 return;
696
697 d->count++;
698 }
699
terminate_big_sync(struct hci_dev * hdev,void * data)700 static int terminate_big_sync(struct hci_dev *hdev, void *data)
701 {
702 struct iso_list_data *d = data;
703
704 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", d->big, d->bis);
705
706 hci_disable_per_advertising_sync(hdev, d->bis);
707 hci_remove_ext_adv_instance_sync(hdev, d->bis, NULL);
708
709 /* Only terminate BIG if it has been created */
710 if (!d->big_term)
711 return 0;
712
713 return hci_le_terminate_big_sync(hdev, d->big,
714 HCI_ERROR_LOCAL_HOST_TERM);
715 }
716
terminate_big_destroy(struct hci_dev * hdev,void * data,int err)717 static void terminate_big_destroy(struct hci_dev *hdev, void *data, int err)
718 {
719 kfree(data);
720 }
721
hci_le_terminate_big(struct hci_dev * hdev,struct hci_conn * conn)722 static int hci_le_terminate_big(struct hci_dev *hdev, struct hci_conn *conn)
723 {
724 struct iso_list_data *d;
725 int ret;
726
727 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", conn->iso_qos.bcast.big,
728 conn->iso_qos.bcast.bis);
729
730 d = kzalloc(sizeof(*d), GFP_KERNEL);
731 if (!d)
732 return -ENOMEM;
733
734 d->big = conn->iso_qos.bcast.big;
735 d->bis = conn->iso_qos.bcast.bis;
736 d->big_term = test_and_clear_bit(HCI_CONN_BIG_CREATED, &conn->flags);
737
738 ret = hci_cmd_sync_queue(hdev, terminate_big_sync, d,
739 terminate_big_destroy);
740 if (ret)
741 kfree(d);
742
743 return ret;
744 }
745
big_terminate_sync(struct hci_dev * hdev,void * data)746 static int big_terminate_sync(struct hci_dev *hdev, void *data)
747 {
748 struct iso_list_data *d = data;
749
750 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", d->big,
751 d->sync_handle);
752
753 if (d->big_sync_term)
754 hci_le_big_terminate_sync(hdev, d->big);
755
756 if (d->pa_sync_term)
757 return hci_le_pa_terminate_sync(hdev, d->sync_handle);
758
759 return 0;
760 }
761
find_bis(struct hci_conn * conn,void * data)762 static void find_bis(struct hci_conn *conn, void *data)
763 {
764 struct iso_list_data *d = data;
765
766 /* Ignore if BIG doesn't match */
767 if (d->big != conn->iso_qos.bcast.big)
768 return;
769
770 d->count++;
771 }
772
hci_le_big_terminate(struct hci_dev * hdev,u8 big,struct hci_conn * conn)773 static int hci_le_big_terminate(struct hci_dev *hdev, u8 big, struct hci_conn *conn)
774 {
775 struct iso_list_data *d;
776 int ret;
777
778 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", big, conn->sync_handle);
779
780 d = kzalloc(sizeof(*d), GFP_KERNEL);
781 if (!d)
782 return -ENOMEM;
783
784 d->big = big;
785 d->sync_handle = conn->sync_handle;
786
787 if (test_and_clear_bit(HCI_CONN_PA_SYNC, &conn->flags)) {
788 hci_conn_hash_list_flag(hdev, find_bis, ISO_LINK,
789 HCI_CONN_PA_SYNC, d);
790
791 if (!d->count)
792 d->pa_sync_term = true;
793
794 d->count = 0;
795 }
796
797 if (test_and_clear_bit(HCI_CONN_BIG_SYNC, &conn->flags)) {
798 hci_conn_hash_list_flag(hdev, find_bis, ISO_LINK,
799 HCI_CONN_BIG_SYNC, d);
800
801 if (!d->count)
802 d->big_sync_term = true;
803 }
804
805 ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d,
806 terminate_big_destroy);
807 if (ret)
808 kfree(d);
809
810 return ret;
811 }
812
813 /* Cleanup BIS connection
814 *
815 * Detects if there any BIS left connected in a BIG
816 * broadcaster: Remove advertising instance and terminate BIG.
817 * broadcaster receiver: Teminate BIG sync and terminate PA sync.
818 */
bis_cleanup(struct hci_conn * conn)819 static void bis_cleanup(struct hci_conn *conn)
820 {
821 struct hci_dev *hdev = conn->hdev;
822 struct hci_conn *bis;
823
824 bt_dev_dbg(hdev, "conn %p", conn);
825
826 if (conn->role == HCI_ROLE_MASTER) {
827 if (!test_and_clear_bit(HCI_CONN_PER_ADV, &conn->flags))
828 return;
829
830 /* Check if ISO connection is a BIS and terminate advertising
831 * set and BIG if there are no other connections using it.
832 */
833 bis = hci_conn_hash_lookup_big(hdev, conn->iso_qos.bcast.big);
834 if (bis)
835 return;
836
837 hci_le_terminate_big(hdev, conn);
838 } else {
839 hci_le_big_terminate(hdev, conn->iso_qos.bcast.big,
840 conn);
841 }
842 }
843
remove_cig_sync(struct hci_dev * hdev,void * data)844 static int remove_cig_sync(struct hci_dev *hdev, void *data)
845 {
846 u8 handle = PTR_UINT(data);
847
848 return hci_le_remove_cig_sync(hdev, handle);
849 }
850
hci_le_remove_cig(struct hci_dev * hdev,u8 handle)851 static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle)
852 {
853 bt_dev_dbg(hdev, "handle 0x%2.2x", handle);
854
855 return hci_cmd_sync_queue(hdev, remove_cig_sync, UINT_PTR(handle),
856 NULL);
857 }
858
find_cis(struct hci_conn * conn,void * data)859 static void find_cis(struct hci_conn *conn, void *data)
860 {
861 struct iso_list_data *d = data;
862
863 /* Ignore broadcast or if CIG don't match */
864 if (!bacmp(&conn->dst, BDADDR_ANY) || d->cig != conn->iso_qos.ucast.cig)
865 return;
866
867 d->count++;
868 }
869
870 /* Cleanup CIS connection:
871 *
872 * Detects if there any CIS left connected in a CIG and remove it.
873 */
cis_cleanup(struct hci_conn * conn)874 static void cis_cleanup(struct hci_conn *conn)
875 {
876 struct hci_dev *hdev = conn->hdev;
877 struct iso_list_data d;
878
879 if (conn->iso_qos.ucast.cig == BT_ISO_QOS_CIG_UNSET)
880 return;
881
882 memset(&d, 0, sizeof(d));
883 d.cig = conn->iso_qos.ucast.cig;
884
885 /* Check if ISO connection is a CIS and remove CIG if there are
886 * no other connections using it.
887 */
888 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_BOUND, &d);
889 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECT, &d);
890 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECTED, &d);
891 if (d.count)
892 return;
893
894 hci_le_remove_cig(hdev, conn->iso_qos.ucast.cig);
895 }
896
hci_conn_hash_alloc_unset(struct hci_dev * hdev)897 static int hci_conn_hash_alloc_unset(struct hci_dev *hdev)
898 {
899 return ida_alloc_range(&hdev->unset_handle_ida, HCI_CONN_HANDLE_MAX + 1,
900 U16_MAX, GFP_ATOMIC);
901 }
902
__hci_conn_add(struct hci_dev * hdev,int type,bdaddr_t * dst,u8 role,u16 handle)903 static struct hci_conn *__hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
904 u8 role, u16 handle)
905 {
906 struct hci_conn *conn;
907
908 switch (type) {
909 case ACL_LINK:
910 if (!hdev->acl_mtu)
911 return ERR_PTR(-ECONNREFUSED);
912 break;
913 case ISO_LINK:
914 if (hdev->iso_mtu)
915 /* Dedicated ISO Buffer exists */
916 break;
917 fallthrough;
918 case LE_LINK:
919 if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU)
920 return ERR_PTR(-ECONNREFUSED);
921 if (!hdev->le_mtu && hdev->acl_mtu < HCI_MIN_LE_MTU)
922 return ERR_PTR(-ECONNREFUSED);
923 break;
924 case SCO_LINK:
925 case ESCO_LINK:
926 if (!hdev->sco_pkts)
927 /* Controller does not support SCO or eSCO over HCI */
928 return ERR_PTR(-ECONNREFUSED);
929 break;
930 default:
931 return ERR_PTR(-ECONNREFUSED);
932 }
933
934 bt_dev_dbg(hdev, "dst %pMR handle 0x%4.4x", dst, handle);
935
936 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
937 if (!conn)
938 return ERR_PTR(-ENOMEM);
939
940 bacpy(&conn->dst, dst);
941 bacpy(&conn->src, &hdev->bdaddr);
942 conn->handle = handle;
943 conn->hdev = hdev;
944 conn->type = type;
945 conn->role = role;
946 conn->mode = HCI_CM_ACTIVE;
947 conn->state = BT_OPEN;
948 conn->auth_type = HCI_AT_GENERAL_BONDING;
949 conn->io_capability = hdev->io_capability;
950 conn->remote_auth = 0xff;
951 conn->key_type = 0xff;
952 conn->rssi = HCI_RSSI_INVALID;
953 conn->tx_power = HCI_TX_POWER_INVALID;
954 conn->max_tx_power = HCI_TX_POWER_INVALID;
955 conn->sync_handle = HCI_SYNC_HANDLE_INVALID;
956 conn->sid = HCI_SID_INVALID;
957
958 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
959 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
960
961 /* Set Default Authenticated payload timeout to 30s */
962 conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
963
964 if (conn->role == HCI_ROLE_MASTER)
965 conn->out = true;
966
967 switch (type) {
968 case ACL_LINK:
969 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
970 conn->mtu = hdev->acl_mtu;
971 break;
972 case LE_LINK:
973 /* conn->src should reflect the local identity address */
974 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
975 conn->mtu = hdev->le_mtu ? hdev->le_mtu : hdev->acl_mtu;
976 break;
977 case ISO_LINK:
978 /* conn->src should reflect the local identity address */
979 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
980
981 /* set proper cleanup function */
982 if (!bacmp(dst, BDADDR_ANY))
983 conn->cleanup = bis_cleanup;
984 else if (conn->role == HCI_ROLE_MASTER)
985 conn->cleanup = cis_cleanup;
986
987 conn->mtu = hdev->iso_mtu ? hdev->iso_mtu :
988 hdev->le_mtu ? hdev->le_mtu : hdev->acl_mtu;
989 break;
990 case SCO_LINK:
991 if (lmp_esco_capable(hdev))
992 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
993 (hdev->esco_type & EDR_ESCO_MASK);
994 else
995 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
996
997 conn->mtu = hdev->sco_mtu;
998 break;
999 case ESCO_LINK:
1000 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
1001 conn->mtu = hdev->sco_mtu;
1002 break;
1003 }
1004
1005 skb_queue_head_init(&conn->data_q);
1006
1007 INIT_LIST_HEAD(&conn->chan_list);
1008 INIT_LIST_HEAD(&conn->link_list);
1009
1010 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
1011 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
1012 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
1013 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
1014
1015 atomic_set(&conn->refcnt, 0);
1016
1017 hci_dev_hold(hdev);
1018
1019 hci_conn_hash_add(hdev, conn);
1020
1021 /* The SCO and eSCO connections will only be notified when their
1022 * setup has been completed. This is different to ACL links which
1023 * can be notified right away.
1024 */
1025 if (conn->type != SCO_LINK && conn->type != ESCO_LINK) {
1026 if (hdev->notify)
1027 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
1028 }
1029
1030 hci_conn_init_sysfs(conn);
1031
1032 return conn;
1033 }
1034
hci_conn_add_unset(struct hci_dev * hdev,int type,bdaddr_t * dst,u8 role)1035 struct hci_conn *hci_conn_add_unset(struct hci_dev *hdev, int type,
1036 bdaddr_t *dst, u8 role)
1037 {
1038 int handle;
1039
1040 bt_dev_dbg(hdev, "dst %pMR", dst);
1041
1042 handle = hci_conn_hash_alloc_unset(hdev);
1043 if (unlikely(handle < 0))
1044 return ERR_PTR(-ECONNREFUSED);
1045
1046 return __hci_conn_add(hdev, type, dst, role, handle);
1047 }
1048
hci_conn_add(struct hci_dev * hdev,int type,bdaddr_t * dst,u8 role,u16 handle)1049 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
1050 u8 role, u16 handle)
1051 {
1052 if (handle > HCI_CONN_HANDLE_MAX)
1053 return ERR_PTR(-EINVAL);
1054
1055 return __hci_conn_add(hdev, type, dst, role, handle);
1056 }
1057
hci_conn_cleanup_child(struct hci_conn * conn,u8 reason)1058 static void hci_conn_cleanup_child(struct hci_conn *conn, u8 reason)
1059 {
1060 if (!reason)
1061 reason = HCI_ERROR_REMOTE_USER_TERM;
1062
1063 /* Due to race, SCO/ISO conn might be not established yet at this point,
1064 * and nothing else will clean it up. In other cases it is done via HCI
1065 * events.
1066 */
1067 switch (conn->type) {
1068 case SCO_LINK:
1069 case ESCO_LINK:
1070 if (HCI_CONN_HANDLE_UNSET(conn->handle))
1071 hci_conn_failed(conn, reason);
1072 break;
1073 case ISO_LINK:
1074 if ((conn->state != BT_CONNECTED &&
1075 !test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) ||
1076 test_bit(HCI_CONN_BIG_CREATED, &conn->flags))
1077 hci_conn_failed(conn, reason);
1078 break;
1079 }
1080 }
1081
hci_conn_unlink(struct hci_conn * conn)1082 static void hci_conn_unlink(struct hci_conn *conn)
1083 {
1084 struct hci_dev *hdev = conn->hdev;
1085
1086 bt_dev_dbg(hdev, "hcon %p", conn);
1087
1088 if (!conn->parent) {
1089 struct hci_link *link, *t;
1090
1091 list_for_each_entry_safe(link, t, &conn->link_list, list) {
1092 struct hci_conn *child = link->conn;
1093
1094 hci_conn_unlink(child);
1095
1096 /* If hdev is down it means
1097 * hci_dev_close_sync/hci_conn_hash_flush is in progress
1098 * and links don't need to be cleanup as all connections
1099 * would be cleanup.
1100 */
1101 if (!test_bit(HCI_UP, &hdev->flags))
1102 continue;
1103
1104 hci_conn_cleanup_child(child, conn->abort_reason);
1105 }
1106
1107 return;
1108 }
1109
1110 if (!conn->link)
1111 return;
1112
1113 list_del_rcu(&conn->link->list);
1114 synchronize_rcu();
1115
1116 hci_conn_drop(conn->parent);
1117 hci_conn_put(conn->parent);
1118 conn->parent = NULL;
1119
1120 kfree(conn->link);
1121 conn->link = NULL;
1122 }
1123
hci_conn_del(struct hci_conn * conn)1124 void hci_conn_del(struct hci_conn *conn)
1125 {
1126 struct hci_dev *hdev = conn->hdev;
1127
1128 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
1129
1130 hci_conn_unlink(conn);
1131
1132 disable_delayed_work_sync(&conn->disc_work);
1133 disable_delayed_work_sync(&conn->auto_accept_work);
1134 disable_delayed_work_sync(&conn->idle_work);
1135
1136 if (conn->type == ACL_LINK) {
1137 /* Unacked frames */
1138 hdev->acl_cnt += conn->sent;
1139 } else if (conn->type == LE_LINK) {
1140 cancel_delayed_work(&conn->le_conn_timeout);
1141
1142 if (hdev->le_pkts)
1143 hdev->le_cnt += conn->sent;
1144 else
1145 hdev->acl_cnt += conn->sent;
1146 } else {
1147 /* Unacked ISO frames */
1148 if (conn->type == ISO_LINK) {
1149 if (hdev->iso_pkts)
1150 hdev->iso_cnt += conn->sent;
1151 else if (hdev->le_pkts)
1152 hdev->le_cnt += conn->sent;
1153 else
1154 hdev->acl_cnt += conn->sent;
1155 }
1156 }
1157
1158 skb_queue_purge(&conn->data_q);
1159
1160 /* Remove the connection from the list and cleanup its remaining
1161 * state. This is a separate function since for some cases like
1162 * BT_CONNECT_SCAN we *only* want the cleanup part without the
1163 * rest of hci_conn_del.
1164 */
1165 hci_conn_cleanup(conn);
1166
1167 /* Dequeue callbacks using connection pointer as data */
1168 hci_cmd_sync_dequeue(hdev, NULL, conn, NULL);
1169 }
1170
hci_get_route(bdaddr_t * dst,bdaddr_t * src,uint8_t src_type)1171 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type)
1172 {
1173 int use_src = bacmp(src, BDADDR_ANY);
1174 struct hci_dev *hdev = NULL, *d;
1175
1176 BT_DBG("%pMR -> %pMR", src, dst);
1177
1178 read_lock(&hci_dev_list_lock);
1179
1180 list_for_each_entry(d, &hci_dev_list, list) {
1181 if (!test_bit(HCI_UP, &d->flags) ||
1182 hci_dev_test_flag(d, HCI_USER_CHANNEL))
1183 continue;
1184
1185 /* Simple routing:
1186 * No source address - find interface with bdaddr != dst
1187 * Source address - find interface with bdaddr == src
1188 */
1189
1190 if (use_src) {
1191 bdaddr_t id_addr;
1192 u8 id_addr_type;
1193
1194 if (src_type == BDADDR_BREDR) {
1195 if (!lmp_bredr_capable(d))
1196 continue;
1197 bacpy(&id_addr, &d->bdaddr);
1198 id_addr_type = BDADDR_BREDR;
1199 } else {
1200 if (!lmp_le_capable(d))
1201 continue;
1202
1203 hci_copy_identity_address(d, &id_addr,
1204 &id_addr_type);
1205
1206 /* Convert from HCI to three-value type */
1207 if (id_addr_type == ADDR_LE_DEV_PUBLIC)
1208 id_addr_type = BDADDR_LE_PUBLIC;
1209 else
1210 id_addr_type = BDADDR_LE_RANDOM;
1211 }
1212
1213 if (!bacmp(&id_addr, src) && id_addr_type == src_type) {
1214 hdev = d; break;
1215 }
1216 } else {
1217 if (bacmp(&d->bdaddr, dst)) {
1218 hdev = d; break;
1219 }
1220 }
1221 }
1222
1223 if (hdev)
1224 hdev = hci_dev_hold(hdev);
1225
1226 read_unlock(&hci_dev_list_lock);
1227 return hdev;
1228 }
1229 EXPORT_SYMBOL(hci_get_route);
1230
1231 /* This function requires the caller holds hdev->lock */
hci_le_conn_failed(struct hci_conn * conn,u8 status)1232 static void hci_le_conn_failed(struct hci_conn *conn, u8 status)
1233 {
1234 struct hci_dev *hdev = conn->hdev;
1235
1236 hci_connect_le_scan_cleanup(conn, status);
1237
1238 /* Enable advertising in case this was a failed connection
1239 * attempt as a peripheral.
1240 */
1241 hci_enable_advertising(hdev);
1242 }
1243
1244 /* This function requires the caller holds hdev->lock */
hci_conn_failed(struct hci_conn * conn,u8 status)1245 void hci_conn_failed(struct hci_conn *conn, u8 status)
1246 {
1247 struct hci_dev *hdev = conn->hdev;
1248
1249 bt_dev_dbg(hdev, "status 0x%2.2x", status);
1250
1251 switch (conn->type) {
1252 case LE_LINK:
1253 hci_le_conn_failed(conn, status);
1254 break;
1255 case ACL_LINK:
1256 mgmt_connect_failed(hdev, conn, status);
1257 break;
1258 }
1259
1260 /* In case of BIG/PA sync failed, clear conn flags so that
1261 * the conns will be correctly cleaned up by ISO layer
1262 */
1263 test_and_clear_bit(HCI_CONN_BIG_SYNC_FAILED, &conn->flags);
1264 test_and_clear_bit(HCI_CONN_PA_SYNC_FAILED, &conn->flags);
1265
1266 conn->state = BT_CLOSED;
1267 hci_connect_cfm(conn, status);
1268 hci_conn_del(conn);
1269 }
1270
1271 /* This function requires the caller holds hdev->lock */
hci_conn_set_handle(struct hci_conn * conn,u16 handle)1272 u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle)
1273 {
1274 struct hci_dev *hdev = conn->hdev;
1275
1276 bt_dev_dbg(hdev, "hcon %p handle 0x%4.4x", conn, handle);
1277
1278 if (conn->handle == handle)
1279 return 0;
1280
1281 if (handle > HCI_CONN_HANDLE_MAX) {
1282 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
1283 handle, HCI_CONN_HANDLE_MAX);
1284 return HCI_ERROR_INVALID_PARAMETERS;
1285 }
1286
1287 /* If abort_reason has been sent it means the connection is being
1288 * aborted and the handle shall not be changed.
1289 */
1290 if (conn->abort_reason)
1291 return conn->abort_reason;
1292
1293 if (HCI_CONN_HANDLE_UNSET(conn->handle))
1294 ida_free(&hdev->unset_handle_ida, conn->handle);
1295
1296 conn->handle = handle;
1297
1298 return 0;
1299 }
1300
hci_connect_le(struct hci_dev * hdev,bdaddr_t * dst,u8 dst_type,bool dst_resolved,u8 sec_level,u16 conn_timeout,u8 role,u8 phy,u8 sec_phy)1301 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
1302 u8 dst_type, bool dst_resolved, u8 sec_level,
1303 u16 conn_timeout, u8 role, u8 phy, u8 sec_phy)
1304 {
1305 struct hci_conn *conn;
1306 struct smp_irk *irk;
1307 int err;
1308
1309 /* Let's make sure that le is enabled.*/
1310 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1311 if (lmp_le_capable(hdev))
1312 return ERR_PTR(-ECONNREFUSED);
1313
1314 return ERR_PTR(-EOPNOTSUPP);
1315 }
1316
1317 /* Since the controller supports only one LE connection attempt at a
1318 * time, we return -EBUSY if there is any connection attempt running.
1319 */
1320 if (hci_lookup_le_connect(hdev))
1321 return ERR_PTR(-EBUSY);
1322
1323 /* If there's already a connection object but it's not in
1324 * scanning state it means it must already be established, in
1325 * which case we can't do anything else except report a failure
1326 * to connect.
1327 */
1328 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1329 if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) {
1330 return ERR_PTR(-EBUSY);
1331 }
1332
1333 /* Check if the destination address has been resolved by the controller
1334 * since if it did then the identity address shall be used.
1335 */
1336 if (!dst_resolved) {
1337 /* When given an identity address with existing identity
1338 * resolving key, the connection needs to be established
1339 * to a resolvable random address.
1340 *
1341 * Storing the resolvable random address is required here
1342 * to handle connection failures. The address will later
1343 * be resolved back into the original identity address
1344 * from the connect request.
1345 */
1346 irk = hci_find_irk_by_addr(hdev, dst, dst_type);
1347 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
1348 dst = &irk->rpa;
1349 dst_type = ADDR_LE_DEV_RANDOM;
1350 }
1351 }
1352
1353 if (conn) {
1354 bacpy(&conn->dst, dst);
1355 } else {
1356 conn = hci_conn_add_unset(hdev, LE_LINK, dst, role);
1357 if (IS_ERR(conn))
1358 return conn;
1359 hci_conn_hold(conn);
1360 conn->pending_sec_level = sec_level;
1361 }
1362
1363 conn->dst_type = dst_type;
1364 conn->sec_level = BT_SECURITY_LOW;
1365 conn->conn_timeout = conn_timeout;
1366 conn->le_adv_phy = phy;
1367 conn->le_adv_sec_phy = sec_phy;
1368
1369 err = hci_connect_le_sync(hdev, conn);
1370 if (err) {
1371 hci_conn_del(conn);
1372 return ERR_PTR(err);
1373 }
1374
1375 return conn;
1376 }
1377
is_connected(struct hci_dev * hdev,bdaddr_t * addr,u8 type)1378 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
1379 {
1380 struct hci_conn *conn;
1381
1382 conn = hci_conn_hash_lookup_le(hdev, addr, type);
1383 if (!conn)
1384 return false;
1385
1386 if (conn->state != BT_CONNECTED)
1387 return false;
1388
1389 return true;
1390 }
1391
1392 /* This function requires the caller holds hdev->lock */
hci_explicit_conn_params_set(struct hci_dev * hdev,bdaddr_t * addr,u8 addr_type)1393 static int hci_explicit_conn_params_set(struct hci_dev *hdev,
1394 bdaddr_t *addr, u8 addr_type)
1395 {
1396 struct hci_conn_params *params;
1397
1398 if (is_connected(hdev, addr, addr_type))
1399 return -EISCONN;
1400
1401 params = hci_conn_params_lookup(hdev, addr, addr_type);
1402 if (!params) {
1403 params = hci_conn_params_add(hdev, addr, addr_type);
1404 if (!params)
1405 return -ENOMEM;
1406
1407 /* If we created new params, mark them to be deleted in
1408 * hci_connect_le_scan_cleanup. It's different case than
1409 * existing disabled params, those will stay after cleanup.
1410 */
1411 params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
1412 }
1413
1414 /* We're trying to connect, so make sure params are at pend_le_conns */
1415 if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
1416 params->auto_connect == HCI_AUTO_CONN_REPORT ||
1417 params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
1418 hci_pend_le_list_del_init(params);
1419 hci_pend_le_list_add(params, &hdev->pend_le_conns);
1420 }
1421
1422 params->explicit_connect = true;
1423
1424 BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
1425 params->auto_connect);
1426
1427 return 0;
1428 }
1429
qos_set_big(struct hci_dev * hdev,struct bt_iso_qos * qos)1430 static int qos_set_big(struct hci_dev *hdev, struct bt_iso_qos *qos)
1431 {
1432 struct hci_conn *conn;
1433 u8 big;
1434
1435 /* Allocate a BIG if not set */
1436 if (qos->bcast.big == BT_ISO_QOS_BIG_UNSET) {
1437 for (big = 0x00; big < 0xef; big++) {
1438
1439 conn = hci_conn_hash_lookup_big(hdev, big);
1440 if (!conn)
1441 break;
1442 }
1443
1444 if (big == 0xef)
1445 return -EADDRNOTAVAIL;
1446
1447 /* Update BIG */
1448 qos->bcast.big = big;
1449 }
1450
1451 return 0;
1452 }
1453
qos_set_bis(struct hci_dev * hdev,struct bt_iso_qos * qos)1454 static int qos_set_bis(struct hci_dev *hdev, struct bt_iso_qos *qos)
1455 {
1456 struct hci_conn *conn;
1457 u8 bis;
1458
1459 /* Allocate BIS if not set */
1460 if (qos->bcast.bis == BT_ISO_QOS_BIS_UNSET) {
1461 if (qos->bcast.big != BT_ISO_QOS_BIG_UNSET) {
1462 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big);
1463
1464 if (conn) {
1465 /* If the BIG handle is already matched to an advertising
1466 * handle, do not allocate a new one.
1467 */
1468 qos->bcast.bis = conn->iso_qos.bcast.bis;
1469 return 0;
1470 }
1471 }
1472
1473 /* Find an unused adv set to advertise BIS, skip instance 0x00
1474 * since it is reserved as general purpose set.
1475 */
1476 for (bis = 0x01; bis < hdev->le_num_of_adv_sets;
1477 bis++) {
1478
1479 conn = hci_conn_hash_lookup_bis(hdev, BDADDR_ANY, bis);
1480 if (!conn)
1481 break;
1482 }
1483
1484 if (bis == hdev->le_num_of_adv_sets)
1485 return -EADDRNOTAVAIL;
1486
1487 /* Update BIS */
1488 qos->bcast.bis = bis;
1489 }
1490
1491 return 0;
1492 }
1493
1494 /* This function requires the caller holds hdev->lock */
hci_add_bis(struct hci_dev * hdev,bdaddr_t * dst,struct bt_iso_qos * qos,__u8 base_len,__u8 * base)1495 static struct hci_conn *hci_add_bis(struct hci_dev *hdev, bdaddr_t *dst,
1496 struct bt_iso_qos *qos, __u8 base_len,
1497 __u8 *base)
1498 {
1499 struct hci_conn *conn;
1500 int err;
1501
1502 /* Let's make sure that le is enabled.*/
1503 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1504 if (lmp_le_capable(hdev))
1505 return ERR_PTR(-ECONNREFUSED);
1506 return ERR_PTR(-EOPNOTSUPP);
1507 }
1508
1509 err = qos_set_big(hdev, qos);
1510 if (err)
1511 return ERR_PTR(err);
1512
1513 err = qos_set_bis(hdev, qos);
1514 if (err)
1515 return ERR_PTR(err);
1516
1517 /* Check if the LE Create BIG command has already been sent */
1518 conn = hci_conn_hash_lookup_per_adv_bis(hdev, dst, qos->bcast.big,
1519 qos->bcast.big);
1520 if (conn)
1521 return ERR_PTR(-EADDRINUSE);
1522
1523 /* Check BIS settings against other bound BISes, since all
1524 * BISes in a BIG must have the same value for all parameters
1525 */
1526 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big);
1527
1528 if (conn && (memcmp(qos, &conn->iso_qos, sizeof(*qos)) ||
1529 base_len != conn->le_per_adv_data_len ||
1530 memcmp(conn->le_per_adv_data, base, base_len)))
1531 return ERR_PTR(-EADDRINUSE);
1532
1533 conn = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_MASTER);
1534 if (IS_ERR(conn))
1535 return conn;
1536
1537 conn->state = BT_CONNECT;
1538
1539 hci_conn_hold(conn);
1540 return conn;
1541 }
1542
1543 /* This function requires the caller holds hdev->lock */
hci_connect_le_scan(struct hci_dev * hdev,bdaddr_t * dst,u8 dst_type,u8 sec_level,u16 conn_timeout,enum conn_reasons conn_reason)1544 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
1545 u8 dst_type, u8 sec_level,
1546 u16 conn_timeout,
1547 enum conn_reasons conn_reason)
1548 {
1549 struct hci_conn *conn;
1550
1551 /* Let's make sure that le is enabled.*/
1552 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1553 if (lmp_le_capable(hdev))
1554 return ERR_PTR(-ECONNREFUSED);
1555
1556 return ERR_PTR(-EOPNOTSUPP);
1557 }
1558
1559 /* Some devices send ATT messages as soon as the physical link is
1560 * established. To be able to handle these ATT messages, the user-
1561 * space first establishes the connection and then starts the pairing
1562 * process.
1563 *
1564 * So if a hci_conn object already exists for the following connection
1565 * attempt, we simply update pending_sec_level and auth_type fields
1566 * and return the object found.
1567 */
1568 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1569 if (conn) {
1570 if (conn->pending_sec_level < sec_level)
1571 conn->pending_sec_level = sec_level;
1572 goto done;
1573 }
1574
1575 BT_DBG("requesting refresh of dst_addr");
1576
1577 conn = hci_conn_add_unset(hdev, LE_LINK, dst, HCI_ROLE_MASTER);
1578 if (IS_ERR(conn))
1579 return conn;
1580
1581 if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) {
1582 hci_conn_del(conn);
1583 return ERR_PTR(-EBUSY);
1584 }
1585
1586 conn->state = BT_CONNECT;
1587 set_bit(HCI_CONN_SCANNING, &conn->flags);
1588 conn->dst_type = dst_type;
1589 conn->sec_level = BT_SECURITY_LOW;
1590 conn->pending_sec_level = sec_level;
1591 conn->conn_timeout = conn_timeout;
1592 conn->conn_reason = conn_reason;
1593
1594 hci_update_passive_scan(hdev);
1595
1596 done:
1597 hci_conn_hold(conn);
1598 return conn;
1599 }
1600
hci_connect_acl(struct hci_dev * hdev,bdaddr_t * dst,u8 sec_level,u8 auth_type,enum conn_reasons conn_reason,u16 timeout)1601 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
1602 u8 sec_level, u8 auth_type,
1603 enum conn_reasons conn_reason, u16 timeout)
1604 {
1605 struct hci_conn *acl;
1606
1607 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1608 if (lmp_bredr_capable(hdev))
1609 return ERR_PTR(-ECONNREFUSED);
1610
1611 return ERR_PTR(-EOPNOTSUPP);
1612 }
1613
1614 /* Reject outgoing connection to device with same BD ADDR against
1615 * CVE-2020-26555
1616 */
1617 if (!bacmp(&hdev->bdaddr, dst)) {
1618 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
1619 dst);
1620 return ERR_PTR(-ECONNREFUSED);
1621 }
1622
1623 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
1624 if (!acl) {
1625 acl = hci_conn_add_unset(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
1626 if (IS_ERR(acl))
1627 return acl;
1628 }
1629
1630 hci_conn_hold(acl);
1631
1632 acl->conn_reason = conn_reason;
1633 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
1634 int err;
1635
1636 acl->sec_level = BT_SECURITY_LOW;
1637 acl->pending_sec_level = sec_level;
1638 acl->auth_type = auth_type;
1639 acl->conn_timeout = timeout;
1640
1641 err = hci_connect_acl_sync(hdev, acl);
1642 if (err) {
1643 hci_conn_del(acl);
1644 return ERR_PTR(err);
1645 }
1646 }
1647
1648 return acl;
1649 }
1650
hci_conn_link(struct hci_conn * parent,struct hci_conn * conn)1651 static struct hci_link *hci_conn_link(struct hci_conn *parent,
1652 struct hci_conn *conn)
1653 {
1654 struct hci_dev *hdev = parent->hdev;
1655 struct hci_link *link;
1656
1657 bt_dev_dbg(hdev, "parent %p hcon %p", parent, conn);
1658
1659 if (conn->link)
1660 return conn->link;
1661
1662 if (conn->parent)
1663 return NULL;
1664
1665 link = kzalloc(sizeof(*link), GFP_KERNEL);
1666 if (!link)
1667 return NULL;
1668
1669 link->conn = hci_conn_hold(conn);
1670 conn->link = link;
1671 conn->parent = hci_conn_get(parent);
1672
1673 /* Use list_add_tail_rcu append to the list */
1674 list_add_tail_rcu(&link->list, &parent->link_list);
1675
1676 return link;
1677 }
1678
hci_connect_sco(struct hci_dev * hdev,int type,bdaddr_t * dst,__u16 setting,struct bt_codec * codec,u16 timeout)1679 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
1680 __u16 setting, struct bt_codec *codec,
1681 u16 timeout)
1682 {
1683 struct hci_conn *acl;
1684 struct hci_conn *sco;
1685 struct hci_link *link;
1686
1687 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING,
1688 CONN_REASON_SCO_CONNECT, timeout);
1689 if (IS_ERR(acl))
1690 return acl;
1691
1692 sco = hci_conn_hash_lookup_ba(hdev, type, dst);
1693 if (!sco) {
1694 sco = hci_conn_add_unset(hdev, type, dst, HCI_ROLE_MASTER);
1695 if (IS_ERR(sco)) {
1696 hci_conn_drop(acl);
1697 return sco;
1698 }
1699 }
1700
1701 link = hci_conn_link(acl, sco);
1702 if (!link) {
1703 hci_conn_drop(acl);
1704 hci_conn_drop(sco);
1705 return ERR_PTR(-ENOLINK);
1706 }
1707
1708 sco->setting = setting;
1709 sco->codec = *codec;
1710
1711 if (acl->state == BT_CONNECTED &&
1712 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
1713 set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
1714 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
1715
1716 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
1717 /* defer SCO setup until mode change completed */
1718 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
1719 return sco;
1720 }
1721
1722 hci_sco_setup(acl, 0x00);
1723 }
1724
1725 return sco;
1726 }
1727
hci_le_create_big(struct hci_conn * conn,struct bt_iso_qos * qos)1728 static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos)
1729 {
1730 struct hci_dev *hdev = conn->hdev;
1731 struct hci_cp_le_create_big cp;
1732 struct iso_list_data data;
1733
1734 memset(&cp, 0, sizeof(cp));
1735
1736 data.big = qos->bcast.big;
1737 data.bis = qos->bcast.bis;
1738 data.count = 0;
1739
1740 /* Create a BIS for each bound connection */
1741 hci_conn_hash_list_state(hdev, bis_list, ISO_LINK,
1742 BT_BOUND, &data);
1743
1744 cp.handle = qos->bcast.big;
1745 cp.adv_handle = qos->bcast.bis;
1746 cp.num_bis = data.count;
1747 hci_cpu_to_le24(qos->bcast.out.interval, cp.bis.sdu_interval);
1748 cp.bis.sdu = cpu_to_le16(qos->bcast.out.sdu);
1749 cp.bis.latency = cpu_to_le16(qos->bcast.out.latency);
1750 cp.bis.rtn = qos->bcast.out.rtn;
1751 cp.bis.phy = qos->bcast.out.phy;
1752 cp.bis.packing = qos->bcast.packing;
1753 cp.bis.framing = qos->bcast.framing;
1754 cp.bis.encryption = qos->bcast.encryption;
1755 memcpy(cp.bis.bcode, qos->bcast.bcode, sizeof(cp.bis.bcode));
1756
1757 return hci_send_cmd(hdev, HCI_OP_LE_CREATE_BIG, sizeof(cp), &cp);
1758 }
1759
set_cig_params_sync(struct hci_dev * hdev,void * data)1760 static int set_cig_params_sync(struct hci_dev *hdev, void *data)
1761 {
1762 DEFINE_FLEX(struct hci_cp_le_set_cig_params, pdu, cis, num_cis, 0x1f);
1763 u8 cig_id = PTR_UINT(data);
1764 struct hci_conn *conn;
1765 struct bt_iso_qos *qos;
1766 u8 aux_num_cis = 0;
1767 u8 cis_id;
1768
1769 conn = hci_conn_hash_lookup_cig(hdev, cig_id);
1770 if (!conn)
1771 return 0;
1772
1773 qos = &conn->iso_qos;
1774 pdu->cig_id = cig_id;
1775 hci_cpu_to_le24(qos->ucast.out.interval, pdu->c_interval);
1776 hci_cpu_to_le24(qos->ucast.in.interval, pdu->p_interval);
1777 pdu->sca = qos->ucast.sca;
1778 pdu->packing = qos->ucast.packing;
1779 pdu->framing = qos->ucast.framing;
1780 pdu->c_latency = cpu_to_le16(qos->ucast.out.latency);
1781 pdu->p_latency = cpu_to_le16(qos->ucast.in.latency);
1782
1783 /* Reprogram all CIS(s) with the same CIG, valid range are:
1784 * num_cis: 0x00 to 0x1F
1785 * cis_id: 0x00 to 0xEF
1786 */
1787 for (cis_id = 0x00; cis_id < 0xf0 &&
1788 aux_num_cis < pdu->num_cis; cis_id++) {
1789 struct hci_cis_params *cis;
1790
1791 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, cig_id, cis_id);
1792 if (!conn)
1793 continue;
1794
1795 qos = &conn->iso_qos;
1796
1797 cis = &pdu->cis[aux_num_cis++];
1798 cis->cis_id = cis_id;
1799 cis->c_sdu = cpu_to_le16(conn->iso_qos.ucast.out.sdu);
1800 cis->p_sdu = cpu_to_le16(conn->iso_qos.ucast.in.sdu);
1801 cis->c_phy = qos->ucast.out.phy ? qos->ucast.out.phy :
1802 qos->ucast.in.phy;
1803 cis->p_phy = qos->ucast.in.phy ? qos->ucast.in.phy :
1804 qos->ucast.out.phy;
1805 cis->c_rtn = qos->ucast.out.rtn;
1806 cis->p_rtn = qos->ucast.in.rtn;
1807 }
1808 pdu->num_cis = aux_num_cis;
1809
1810 if (!pdu->num_cis)
1811 return 0;
1812
1813 return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_CIG_PARAMS,
1814 struct_size(pdu, cis, pdu->num_cis),
1815 pdu, HCI_CMD_TIMEOUT);
1816 }
1817
hci_le_set_cig_params(struct hci_conn * conn,struct bt_iso_qos * qos)1818 static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos)
1819 {
1820 struct hci_dev *hdev = conn->hdev;
1821 struct iso_list_data data;
1822
1823 memset(&data, 0, sizeof(data));
1824
1825 /* Allocate first still reconfigurable CIG if not set */
1826 if (qos->ucast.cig == BT_ISO_QOS_CIG_UNSET) {
1827 for (data.cig = 0x00; data.cig < 0xf0; data.cig++) {
1828 data.count = 0;
1829
1830 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK,
1831 BT_CONNECT, &data);
1832 if (data.count)
1833 continue;
1834
1835 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK,
1836 BT_CONNECTED, &data);
1837 if (!data.count)
1838 break;
1839 }
1840
1841 if (data.cig == 0xf0)
1842 return false;
1843
1844 /* Update CIG */
1845 qos->ucast.cig = data.cig;
1846 }
1847
1848 if (qos->ucast.cis != BT_ISO_QOS_CIS_UNSET) {
1849 if (hci_conn_hash_lookup_cis(hdev, NULL, 0, qos->ucast.cig,
1850 qos->ucast.cis))
1851 return false;
1852 goto done;
1853 }
1854
1855 /* Allocate first available CIS if not set */
1856 for (data.cig = qos->ucast.cig, data.cis = 0x00; data.cis < 0xf0;
1857 data.cis++) {
1858 if (!hci_conn_hash_lookup_cis(hdev, NULL, 0, data.cig,
1859 data.cis)) {
1860 /* Update CIS */
1861 qos->ucast.cis = data.cis;
1862 break;
1863 }
1864 }
1865
1866 if (qos->ucast.cis == BT_ISO_QOS_CIS_UNSET)
1867 return false;
1868
1869 done:
1870 if (hci_cmd_sync_queue(hdev, set_cig_params_sync,
1871 UINT_PTR(qos->ucast.cig), NULL) < 0)
1872 return false;
1873
1874 return true;
1875 }
1876
hci_bind_cis(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,struct bt_iso_qos * qos)1877 struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst,
1878 __u8 dst_type, struct bt_iso_qos *qos)
1879 {
1880 struct hci_conn *cis;
1881
1882 cis = hci_conn_hash_lookup_cis(hdev, dst, dst_type, qos->ucast.cig,
1883 qos->ucast.cis);
1884 if (!cis) {
1885 cis = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_MASTER);
1886 if (IS_ERR(cis))
1887 return cis;
1888 cis->cleanup = cis_cleanup;
1889 cis->dst_type = dst_type;
1890 cis->iso_qos.ucast.cig = BT_ISO_QOS_CIG_UNSET;
1891 cis->iso_qos.ucast.cis = BT_ISO_QOS_CIS_UNSET;
1892 }
1893
1894 if (cis->state == BT_CONNECTED)
1895 return cis;
1896
1897 /* Check if CIS has been set and the settings matches */
1898 if (cis->state == BT_BOUND &&
1899 !memcmp(&cis->iso_qos, qos, sizeof(*qos)))
1900 return cis;
1901
1902 /* Update LINK PHYs according to QoS preference */
1903 cis->le_tx_phy = qos->ucast.out.phy;
1904 cis->le_rx_phy = qos->ucast.in.phy;
1905
1906 /* If output interval is not set use the input interval as it cannot be
1907 * 0x000000.
1908 */
1909 if (!qos->ucast.out.interval)
1910 qos->ucast.out.interval = qos->ucast.in.interval;
1911
1912 /* If input interval is not set use the output interval as it cannot be
1913 * 0x000000.
1914 */
1915 if (!qos->ucast.in.interval)
1916 qos->ucast.in.interval = qos->ucast.out.interval;
1917
1918 /* If output latency is not set use the input latency as it cannot be
1919 * 0x0000.
1920 */
1921 if (!qos->ucast.out.latency)
1922 qos->ucast.out.latency = qos->ucast.in.latency;
1923
1924 /* If input latency is not set use the output latency as it cannot be
1925 * 0x0000.
1926 */
1927 if (!qos->ucast.in.latency)
1928 qos->ucast.in.latency = qos->ucast.out.latency;
1929
1930 if (!hci_le_set_cig_params(cis, qos)) {
1931 hci_conn_drop(cis);
1932 return ERR_PTR(-EINVAL);
1933 }
1934
1935 hci_conn_hold(cis);
1936
1937 cis->iso_qos = *qos;
1938 cis->state = BT_BOUND;
1939
1940 return cis;
1941 }
1942
hci_iso_setup_path(struct hci_conn * conn)1943 bool hci_iso_setup_path(struct hci_conn *conn)
1944 {
1945 struct hci_dev *hdev = conn->hdev;
1946 struct hci_cp_le_setup_iso_path cmd;
1947
1948 memset(&cmd, 0, sizeof(cmd));
1949
1950 if (conn->iso_qos.ucast.out.sdu) {
1951 cmd.handle = cpu_to_le16(conn->handle);
1952 cmd.direction = 0x00; /* Input (Host to Controller) */
1953 cmd.path = 0x00; /* HCI path if enabled */
1954 cmd.codec = 0x03; /* Transparent Data */
1955
1956 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
1957 &cmd) < 0)
1958 return false;
1959 }
1960
1961 if (conn->iso_qos.ucast.in.sdu) {
1962 cmd.handle = cpu_to_le16(conn->handle);
1963 cmd.direction = 0x01; /* Output (Controller to Host) */
1964 cmd.path = 0x00; /* HCI path if enabled */
1965 cmd.codec = 0x03; /* Transparent Data */
1966
1967 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
1968 &cmd) < 0)
1969 return false;
1970 }
1971
1972 return true;
1973 }
1974
hci_conn_check_create_cis(struct hci_conn * conn)1975 int hci_conn_check_create_cis(struct hci_conn *conn)
1976 {
1977 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY))
1978 return -EINVAL;
1979
1980 if (!conn->parent || conn->parent->state != BT_CONNECTED ||
1981 conn->state != BT_CONNECT || HCI_CONN_HANDLE_UNSET(conn->handle))
1982 return 1;
1983
1984 return 0;
1985 }
1986
hci_create_cis_sync(struct hci_dev * hdev,void * data)1987 static int hci_create_cis_sync(struct hci_dev *hdev, void *data)
1988 {
1989 return hci_le_create_cis_sync(hdev);
1990 }
1991
hci_le_create_cis_pending(struct hci_dev * hdev)1992 int hci_le_create_cis_pending(struct hci_dev *hdev)
1993 {
1994 struct hci_conn *conn;
1995 bool pending = false;
1996
1997 rcu_read_lock();
1998
1999 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
2000 if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) {
2001 rcu_read_unlock();
2002 return -EBUSY;
2003 }
2004
2005 if (!hci_conn_check_create_cis(conn))
2006 pending = true;
2007 }
2008
2009 rcu_read_unlock();
2010
2011 if (!pending)
2012 return 0;
2013
2014 /* Queue Create CIS */
2015 return hci_cmd_sync_queue(hdev, hci_create_cis_sync, NULL, NULL);
2016 }
2017
hci_iso_qos_setup(struct hci_dev * hdev,struct hci_conn * conn,struct bt_iso_io_qos * qos,__u8 phy)2018 static void hci_iso_qos_setup(struct hci_dev *hdev, struct hci_conn *conn,
2019 struct bt_iso_io_qos *qos, __u8 phy)
2020 {
2021 /* Only set MTU if PHY is enabled */
2022 if (!qos->sdu && qos->phy)
2023 qos->sdu = conn->mtu;
2024
2025 /* Use the same PHY as ACL if set to any */
2026 if (qos->phy == BT_ISO_PHY_ANY)
2027 qos->phy = phy;
2028
2029 /* Use LE ACL connection interval if not set */
2030 if (!qos->interval)
2031 /* ACL interval unit in 1.25 ms to us */
2032 qos->interval = conn->le_conn_interval * 1250;
2033
2034 /* Use LE ACL connection latency if not set */
2035 if (!qos->latency)
2036 qos->latency = conn->le_conn_latency;
2037 }
2038
create_big_sync(struct hci_dev * hdev,void * data)2039 static int create_big_sync(struct hci_dev *hdev, void *data)
2040 {
2041 struct hci_conn *conn = data;
2042 struct bt_iso_qos *qos = &conn->iso_qos;
2043 u16 interval, sync_interval = 0;
2044 u32 flags = 0;
2045 int err;
2046
2047 if (qos->bcast.out.phy == 0x02)
2048 flags |= MGMT_ADV_FLAG_SEC_2M;
2049
2050 /* Align intervals */
2051 interval = (qos->bcast.out.interval / 1250) * qos->bcast.sync_factor;
2052
2053 if (qos->bcast.bis)
2054 sync_interval = interval * 4;
2055
2056 err = hci_start_per_adv_sync(hdev, qos->bcast.bis, conn->le_per_adv_data_len,
2057 conn->le_per_adv_data, flags, interval,
2058 interval, sync_interval);
2059 if (err)
2060 return err;
2061
2062 return hci_le_create_big(conn, &conn->iso_qos);
2063 }
2064
hci_pa_create_sync(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,__u8 sid,struct bt_iso_qos * qos)2065 struct hci_conn *hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst,
2066 __u8 dst_type, __u8 sid,
2067 struct bt_iso_qos *qos)
2068 {
2069 struct hci_conn *conn;
2070
2071 bt_dev_dbg(hdev, "dst %pMR type %d sid %d", dst, dst_type, sid);
2072
2073 conn = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_SLAVE);
2074 if (IS_ERR(conn))
2075 return conn;
2076
2077 conn->iso_qos = *qos;
2078 conn->dst_type = dst_type;
2079 conn->sid = sid;
2080 conn->state = BT_LISTEN;
2081 conn->conn_timeout = msecs_to_jiffies(qos->bcast.sync_timeout * 10);
2082
2083 hci_conn_hold(conn);
2084
2085 hci_connect_pa_sync(hdev, conn);
2086
2087 return conn;
2088 }
2089
hci_conn_big_create_sync(struct hci_dev * hdev,struct hci_conn * hcon,struct bt_iso_qos * qos,__u16 sync_handle,__u8 num_bis,__u8 bis[])2090 int hci_conn_big_create_sync(struct hci_dev *hdev, struct hci_conn *hcon,
2091 struct bt_iso_qos *qos, __u16 sync_handle,
2092 __u8 num_bis, __u8 bis[])
2093 {
2094 int err;
2095
2096 if (num_bis < 0x01 || num_bis > ISO_MAX_NUM_BIS)
2097 return -EINVAL;
2098
2099 err = qos_set_big(hdev, qos);
2100 if (err)
2101 return err;
2102
2103 if (hcon) {
2104 /* Update hcon QoS */
2105 hcon->iso_qos = *qos;
2106
2107 hcon->num_bis = num_bis;
2108 memcpy(hcon->bis, bis, num_bis);
2109 hcon->conn_timeout = msecs_to_jiffies(qos->bcast.timeout * 10);
2110 }
2111
2112 return hci_connect_big_sync(hdev, hcon);
2113 }
2114
create_big_complete(struct hci_dev * hdev,void * data,int err)2115 static void create_big_complete(struct hci_dev *hdev, void *data, int err)
2116 {
2117 struct hci_conn *conn = data;
2118
2119 bt_dev_dbg(hdev, "conn %p", conn);
2120
2121 if (err) {
2122 bt_dev_err(hdev, "Unable to create BIG: %d", err);
2123 hci_connect_cfm(conn, err);
2124 hci_conn_del(conn);
2125 }
2126 }
2127
hci_bind_bis(struct hci_dev * hdev,bdaddr_t * dst,struct bt_iso_qos * qos,__u8 base_len,__u8 * base)2128 struct hci_conn *hci_bind_bis(struct hci_dev *hdev, bdaddr_t *dst,
2129 struct bt_iso_qos *qos,
2130 __u8 base_len, __u8 *base)
2131 {
2132 struct hci_conn *conn;
2133 struct hci_conn *parent;
2134 __u8 eir[HCI_MAX_PER_AD_LENGTH];
2135 struct hci_link *link;
2136
2137 /* Look for any BIS that is open for rebinding */
2138 conn = hci_conn_hash_lookup_big_state(hdev, qos->bcast.big, BT_OPEN);
2139 if (conn) {
2140 memcpy(qos, &conn->iso_qos, sizeof(*qos));
2141 conn->state = BT_CONNECTED;
2142 return conn;
2143 }
2144
2145 if (base_len && base)
2146 base_len = eir_append_service_data(eir, 0, 0x1851,
2147 base, base_len);
2148
2149 /* We need hci_conn object using the BDADDR_ANY as dst */
2150 conn = hci_add_bis(hdev, dst, qos, base_len, eir);
2151 if (IS_ERR(conn))
2152 return conn;
2153
2154 /* Update LINK PHYs according to QoS preference */
2155 conn->le_tx_phy = qos->bcast.out.phy;
2156 conn->le_tx_phy = qos->bcast.out.phy;
2157
2158 /* Add Basic Announcement into Peridic Adv Data if BASE is set */
2159 if (base_len && base) {
2160 memcpy(conn->le_per_adv_data, eir, sizeof(eir));
2161 conn->le_per_adv_data_len = base_len;
2162 }
2163
2164 hci_iso_qos_setup(hdev, conn, &qos->bcast.out,
2165 conn->le_tx_phy ? conn->le_tx_phy :
2166 hdev->le_tx_def_phys);
2167
2168 conn->iso_qos = *qos;
2169 conn->state = BT_BOUND;
2170
2171 /* Link BISes together */
2172 parent = hci_conn_hash_lookup_big(hdev,
2173 conn->iso_qos.bcast.big);
2174 if (parent && parent != conn) {
2175 link = hci_conn_link(parent, conn);
2176 hci_conn_drop(conn);
2177 if (!link)
2178 return ERR_PTR(-ENOLINK);
2179 }
2180
2181 return conn;
2182 }
2183
bis_mark_per_adv(struct hci_conn * conn,void * data)2184 static void bis_mark_per_adv(struct hci_conn *conn, void *data)
2185 {
2186 struct iso_list_data *d = data;
2187
2188 /* Skip if not broadcast/ANY address */
2189 if (bacmp(&conn->dst, BDADDR_ANY))
2190 return;
2191
2192 if (d->big != conn->iso_qos.bcast.big ||
2193 d->bis == BT_ISO_QOS_BIS_UNSET ||
2194 d->bis != conn->iso_qos.bcast.bis)
2195 return;
2196
2197 set_bit(HCI_CONN_PER_ADV, &conn->flags);
2198 }
2199
hci_connect_bis(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,struct bt_iso_qos * qos,__u8 base_len,__u8 * base)2200 struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst,
2201 __u8 dst_type, struct bt_iso_qos *qos,
2202 __u8 base_len, __u8 *base)
2203 {
2204 struct hci_conn *conn;
2205 int err;
2206 struct iso_list_data data;
2207
2208 conn = hci_bind_bis(hdev, dst, qos, base_len, base);
2209 if (IS_ERR(conn))
2210 return conn;
2211
2212 if (conn->state == BT_CONNECTED)
2213 return conn;
2214
2215 data.big = qos->bcast.big;
2216 data.bis = qos->bcast.bis;
2217
2218 /* Set HCI_CONN_PER_ADV for all bound connections, to mark that
2219 * the start periodic advertising and create BIG commands have
2220 * been queued
2221 */
2222 hci_conn_hash_list_state(hdev, bis_mark_per_adv, ISO_LINK,
2223 BT_BOUND, &data);
2224
2225 /* Queue start periodic advertising and create BIG */
2226 err = hci_cmd_sync_queue(hdev, create_big_sync, conn,
2227 create_big_complete);
2228 if (err < 0) {
2229 hci_conn_drop(conn);
2230 return ERR_PTR(err);
2231 }
2232
2233 return conn;
2234 }
2235
hci_connect_cis(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,struct bt_iso_qos * qos)2236 struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst,
2237 __u8 dst_type, struct bt_iso_qos *qos)
2238 {
2239 struct hci_conn *le;
2240 struct hci_conn *cis;
2241 struct hci_link *link;
2242
2243 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
2244 le = hci_connect_le(hdev, dst, dst_type, false,
2245 BT_SECURITY_LOW,
2246 HCI_LE_CONN_TIMEOUT,
2247 HCI_ROLE_SLAVE, 0, 0);
2248 else
2249 le = hci_connect_le_scan(hdev, dst, dst_type,
2250 BT_SECURITY_LOW,
2251 HCI_LE_CONN_TIMEOUT,
2252 CONN_REASON_ISO_CONNECT);
2253 if (IS_ERR(le))
2254 return le;
2255
2256 hci_iso_qos_setup(hdev, le, &qos->ucast.out,
2257 le->le_tx_phy ? le->le_tx_phy : hdev->le_tx_def_phys);
2258 hci_iso_qos_setup(hdev, le, &qos->ucast.in,
2259 le->le_rx_phy ? le->le_rx_phy : hdev->le_rx_def_phys);
2260
2261 cis = hci_bind_cis(hdev, dst, dst_type, qos);
2262 if (IS_ERR(cis)) {
2263 hci_conn_drop(le);
2264 return cis;
2265 }
2266
2267 link = hci_conn_link(le, cis);
2268 hci_conn_drop(cis);
2269 if (!link) {
2270 hci_conn_drop(le);
2271 return ERR_PTR(-ENOLINK);
2272 }
2273
2274 cis->state = BT_CONNECT;
2275
2276 hci_le_create_cis_pending(hdev);
2277
2278 return cis;
2279 }
2280
2281 /* Check link security requirement */
hci_conn_check_link_mode(struct hci_conn * conn)2282 int hci_conn_check_link_mode(struct hci_conn *conn)
2283 {
2284 BT_DBG("hcon %p", conn);
2285
2286 /* In Secure Connections Only mode, it is required that Secure
2287 * Connections is used and the link is encrypted with AES-CCM
2288 * using a P-256 authenticated combination key.
2289 */
2290 if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) {
2291 if (!hci_conn_sc_enabled(conn) ||
2292 !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2293 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
2294 return 0;
2295 }
2296
2297 /* AES encryption is required for Level 4:
2298 *
2299 * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C
2300 * page 1319:
2301 *
2302 * 128-bit equivalent strength for link and encryption keys
2303 * required using FIPS approved algorithms (E0 not allowed,
2304 * SAFER+ not allowed, and P-192 not allowed; encryption key
2305 * not shortened)
2306 */
2307 if (conn->sec_level == BT_SECURITY_FIPS &&
2308 !test_bit(HCI_CONN_AES_CCM, &conn->flags)) {
2309 bt_dev_err(conn->hdev,
2310 "Invalid security: Missing AES-CCM usage");
2311 return 0;
2312 }
2313
2314 if (hci_conn_ssp_enabled(conn) &&
2315 !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2316 return 0;
2317
2318 return 1;
2319 }
2320
2321 /* Authenticate remote device */
hci_conn_auth(struct hci_conn * conn,__u8 sec_level,__u8 auth_type)2322 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
2323 {
2324 BT_DBG("hcon %p", conn);
2325
2326 if (conn->pending_sec_level > sec_level)
2327 sec_level = conn->pending_sec_level;
2328
2329 if (sec_level > conn->sec_level)
2330 conn->pending_sec_level = sec_level;
2331 else if (test_bit(HCI_CONN_AUTH, &conn->flags))
2332 return 1;
2333
2334 /* Make sure we preserve an existing MITM requirement*/
2335 auth_type |= (conn->auth_type & 0x01);
2336
2337 conn->auth_type = auth_type;
2338
2339 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2340 struct hci_cp_auth_requested cp;
2341
2342 cp.handle = cpu_to_le16(conn->handle);
2343 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
2344 sizeof(cp), &cp);
2345
2346 /* Set the ENCRYPT_PEND to trigger encryption after
2347 * authentication.
2348 */
2349 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2350 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2351 }
2352
2353 return 0;
2354 }
2355
2356 /* Encrypt the link */
hci_conn_encrypt(struct hci_conn * conn)2357 static void hci_conn_encrypt(struct hci_conn *conn)
2358 {
2359 BT_DBG("hcon %p", conn);
2360
2361 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2362 struct hci_cp_set_conn_encrypt cp;
2363 cp.handle = cpu_to_le16(conn->handle);
2364 cp.encrypt = 0x01;
2365 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2366 &cp);
2367 }
2368 }
2369
2370 /* Enable security */
hci_conn_security(struct hci_conn * conn,__u8 sec_level,__u8 auth_type,bool initiator)2371 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
2372 bool initiator)
2373 {
2374 BT_DBG("hcon %p", conn);
2375
2376 if (conn->type == LE_LINK)
2377 return smp_conn_security(conn, sec_level);
2378
2379 /* For sdp we don't need the link key. */
2380 if (sec_level == BT_SECURITY_SDP)
2381 return 1;
2382
2383 /* For non 2.1 devices and low security level we don't need the link
2384 key. */
2385 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
2386 return 1;
2387
2388 /* For other security levels we need the link key. */
2389 if (!test_bit(HCI_CONN_AUTH, &conn->flags))
2390 goto auth;
2391
2392 switch (conn->key_type) {
2393 case HCI_LK_AUTH_COMBINATION_P256:
2394 /* An authenticated FIPS approved combination key has
2395 * sufficient security for security level 4 or lower.
2396 */
2397 if (sec_level <= BT_SECURITY_FIPS)
2398 goto encrypt;
2399 break;
2400 case HCI_LK_AUTH_COMBINATION_P192:
2401 /* An authenticated combination key has sufficient security for
2402 * security level 3 or lower.
2403 */
2404 if (sec_level <= BT_SECURITY_HIGH)
2405 goto encrypt;
2406 break;
2407 case HCI_LK_UNAUTH_COMBINATION_P192:
2408 case HCI_LK_UNAUTH_COMBINATION_P256:
2409 /* An unauthenticated combination key has sufficient security
2410 * for security level 2 or lower.
2411 */
2412 if (sec_level <= BT_SECURITY_MEDIUM)
2413 goto encrypt;
2414 break;
2415 case HCI_LK_COMBINATION:
2416 /* A combination key has always sufficient security for the
2417 * security levels 2 or lower. High security level requires the
2418 * combination key is generated using maximum PIN code length
2419 * (16). For pre 2.1 units.
2420 */
2421 if (sec_level <= BT_SECURITY_MEDIUM || conn->pin_length == 16)
2422 goto encrypt;
2423 break;
2424 default:
2425 break;
2426 }
2427
2428 auth:
2429 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
2430 return 0;
2431
2432 if (initiator)
2433 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2434
2435 if (!hci_conn_auth(conn, sec_level, auth_type))
2436 return 0;
2437
2438 encrypt:
2439 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) {
2440 /* Ensure that the encryption key size has been read,
2441 * otherwise stall the upper layer responses.
2442 */
2443 if (!conn->enc_key_size)
2444 return 0;
2445
2446 /* Nothing else needed, all requirements are met */
2447 return 1;
2448 }
2449
2450 hci_conn_encrypt(conn);
2451 return 0;
2452 }
2453 EXPORT_SYMBOL(hci_conn_security);
2454
2455 /* Check secure link requirement */
hci_conn_check_secure(struct hci_conn * conn,__u8 sec_level)2456 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
2457 {
2458 BT_DBG("hcon %p", conn);
2459
2460 /* Accept if non-secure or higher security level is required */
2461 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
2462 return 1;
2463
2464 /* Accept if secure or higher security level is already present */
2465 if (conn->sec_level == BT_SECURITY_HIGH ||
2466 conn->sec_level == BT_SECURITY_FIPS)
2467 return 1;
2468
2469 /* Reject not secure link */
2470 return 0;
2471 }
2472 EXPORT_SYMBOL(hci_conn_check_secure);
2473
2474 /* Switch role */
hci_conn_switch_role(struct hci_conn * conn,__u8 role)2475 int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
2476 {
2477 BT_DBG("hcon %p", conn);
2478
2479 if (role == conn->role)
2480 return 1;
2481
2482 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
2483 struct hci_cp_switch_role cp;
2484 bacpy(&cp.bdaddr, &conn->dst);
2485 cp.role = role;
2486 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
2487 }
2488
2489 return 0;
2490 }
2491 EXPORT_SYMBOL(hci_conn_switch_role);
2492
2493 /* Enter active mode */
hci_conn_enter_active_mode(struct hci_conn * conn,__u8 force_active)2494 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
2495 {
2496 struct hci_dev *hdev = conn->hdev;
2497
2498 BT_DBG("hcon %p mode %d", conn, conn->mode);
2499
2500 if (conn->mode != HCI_CM_SNIFF)
2501 goto timer;
2502
2503 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
2504 goto timer;
2505
2506 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
2507 struct hci_cp_exit_sniff_mode cp;
2508 cp.handle = cpu_to_le16(conn->handle);
2509 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
2510 }
2511
2512 timer:
2513 if (hdev->idle_timeout > 0)
2514 queue_delayed_work(hdev->workqueue, &conn->idle_work,
2515 msecs_to_jiffies(hdev->idle_timeout));
2516 }
2517
2518 /* Drop all connection on the device */
hci_conn_hash_flush(struct hci_dev * hdev)2519 void hci_conn_hash_flush(struct hci_dev *hdev)
2520 {
2521 struct list_head *head = &hdev->conn_hash.list;
2522 struct hci_conn *conn;
2523
2524 BT_DBG("hdev %s", hdev->name);
2525
2526 /* We should not traverse the list here, because hci_conn_del
2527 * can remove extra links, which may cause the list traversal
2528 * to hit items that have already been released.
2529 */
2530 while ((conn = list_first_entry_or_null(head,
2531 struct hci_conn,
2532 list)) != NULL) {
2533 conn->state = BT_CLOSED;
2534 hci_disconn_cfm(conn, HCI_ERROR_LOCAL_HOST_TERM);
2535 hci_conn_del(conn);
2536 }
2537 }
2538
get_link_mode(struct hci_conn * conn)2539 static u32 get_link_mode(struct hci_conn *conn)
2540 {
2541 u32 link_mode = 0;
2542
2543 if (conn->role == HCI_ROLE_MASTER)
2544 link_mode |= HCI_LM_MASTER;
2545
2546 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2547 link_mode |= HCI_LM_ENCRYPT;
2548
2549 if (test_bit(HCI_CONN_AUTH, &conn->flags))
2550 link_mode |= HCI_LM_AUTH;
2551
2552 if (test_bit(HCI_CONN_SECURE, &conn->flags))
2553 link_mode |= HCI_LM_SECURE;
2554
2555 if (test_bit(HCI_CONN_FIPS, &conn->flags))
2556 link_mode |= HCI_LM_FIPS;
2557
2558 return link_mode;
2559 }
2560
hci_get_conn_list(void __user * arg)2561 int hci_get_conn_list(void __user *arg)
2562 {
2563 struct hci_conn *c;
2564 struct hci_conn_list_req req, *cl;
2565 struct hci_conn_info *ci;
2566 struct hci_dev *hdev;
2567 int n = 0, size, err;
2568
2569 if (copy_from_user(&req, arg, sizeof(req)))
2570 return -EFAULT;
2571
2572 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
2573 return -EINVAL;
2574
2575 size = sizeof(req) + req.conn_num * sizeof(*ci);
2576
2577 cl = kmalloc(size, GFP_KERNEL);
2578 if (!cl)
2579 return -ENOMEM;
2580
2581 hdev = hci_dev_get(req.dev_id);
2582 if (!hdev) {
2583 kfree(cl);
2584 return -ENODEV;
2585 }
2586
2587 ci = cl->conn_info;
2588
2589 hci_dev_lock(hdev);
2590 list_for_each_entry(c, &hdev->conn_hash.list, list) {
2591 bacpy(&(ci + n)->bdaddr, &c->dst);
2592 (ci + n)->handle = c->handle;
2593 (ci + n)->type = c->type;
2594 (ci + n)->out = c->out;
2595 (ci + n)->state = c->state;
2596 (ci + n)->link_mode = get_link_mode(c);
2597 if (++n >= req.conn_num)
2598 break;
2599 }
2600 hci_dev_unlock(hdev);
2601
2602 cl->dev_id = hdev->id;
2603 cl->conn_num = n;
2604 size = sizeof(req) + n * sizeof(*ci);
2605
2606 hci_dev_put(hdev);
2607
2608 err = copy_to_user(arg, cl, size);
2609 kfree(cl);
2610
2611 return err ? -EFAULT : 0;
2612 }
2613
hci_get_conn_info(struct hci_dev * hdev,void __user * arg)2614 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
2615 {
2616 struct hci_conn_info_req req;
2617 struct hci_conn_info ci;
2618 struct hci_conn *conn;
2619 char __user *ptr = arg + sizeof(req);
2620
2621 if (copy_from_user(&req, arg, sizeof(req)))
2622 return -EFAULT;
2623
2624 hci_dev_lock(hdev);
2625 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
2626 if (conn) {
2627 bacpy(&ci.bdaddr, &conn->dst);
2628 ci.handle = conn->handle;
2629 ci.type = conn->type;
2630 ci.out = conn->out;
2631 ci.state = conn->state;
2632 ci.link_mode = get_link_mode(conn);
2633 }
2634 hci_dev_unlock(hdev);
2635
2636 if (!conn)
2637 return -ENOENT;
2638
2639 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
2640 }
2641
hci_get_auth_info(struct hci_dev * hdev,void __user * arg)2642 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
2643 {
2644 struct hci_auth_info_req req;
2645 struct hci_conn *conn;
2646
2647 if (copy_from_user(&req, arg, sizeof(req)))
2648 return -EFAULT;
2649
2650 hci_dev_lock(hdev);
2651 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
2652 if (conn)
2653 req.type = conn->auth_type;
2654 hci_dev_unlock(hdev);
2655
2656 if (!conn)
2657 return -ENOENT;
2658
2659 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
2660 }
2661
hci_chan_create(struct hci_conn * conn)2662 struct hci_chan *hci_chan_create(struct hci_conn *conn)
2663 {
2664 struct hci_dev *hdev = conn->hdev;
2665 struct hci_chan *chan;
2666
2667 BT_DBG("%s hcon %p", hdev->name, conn);
2668
2669 if (test_bit(HCI_CONN_DROP, &conn->flags)) {
2670 BT_DBG("Refusing to create new hci_chan");
2671 return NULL;
2672 }
2673
2674 chan = kzalloc(sizeof(*chan), GFP_KERNEL);
2675 if (!chan)
2676 return NULL;
2677
2678 chan->conn = hci_conn_get(conn);
2679 skb_queue_head_init(&chan->data_q);
2680 chan->state = BT_CONNECTED;
2681
2682 list_add_rcu(&chan->list, &conn->chan_list);
2683
2684 return chan;
2685 }
2686
hci_chan_del(struct hci_chan * chan)2687 void hci_chan_del(struct hci_chan *chan)
2688 {
2689 struct hci_conn *conn = chan->conn;
2690 struct hci_dev *hdev = conn->hdev;
2691
2692 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
2693
2694 list_del_rcu(&chan->list);
2695
2696 synchronize_rcu();
2697
2698 /* Prevent new hci_chan's to be created for this hci_conn */
2699 set_bit(HCI_CONN_DROP, &conn->flags);
2700
2701 hci_conn_put(conn);
2702
2703 skb_queue_purge(&chan->data_q);
2704 kfree(chan);
2705 }
2706
hci_chan_list_flush(struct hci_conn * conn)2707 void hci_chan_list_flush(struct hci_conn *conn)
2708 {
2709 struct hci_chan *chan, *n;
2710
2711 BT_DBG("hcon %p", conn);
2712
2713 list_for_each_entry_safe(chan, n, &conn->chan_list, list)
2714 hci_chan_del(chan);
2715 }
2716
__hci_chan_lookup_handle(struct hci_conn * hcon,__u16 handle)2717 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
2718 __u16 handle)
2719 {
2720 struct hci_chan *hchan;
2721
2722 list_for_each_entry(hchan, &hcon->chan_list, list) {
2723 if (hchan->handle == handle)
2724 return hchan;
2725 }
2726
2727 return NULL;
2728 }
2729
hci_chan_lookup_handle(struct hci_dev * hdev,__u16 handle)2730 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
2731 {
2732 struct hci_conn_hash *h = &hdev->conn_hash;
2733 struct hci_conn *hcon;
2734 struct hci_chan *hchan = NULL;
2735
2736 rcu_read_lock();
2737
2738 list_for_each_entry_rcu(hcon, &h->list, list) {
2739 hchan = __hci_chan_lookup_handle(hcon, handle);
2740 if (hchan)
2741 break;
2742 }
2743
2744 rcu_read_unlock();
2745
2746 return hchan;
2747 }
2748
hci_conn_get_phy(struct hci_conn * conn)2749 u32 hci_conn_get_phy(struct hci_conn *conn)
2750 {
2751 u32 phys = 0;
2752
2753 /* BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part B page 471:
2754 * Table 6.2: Packets defined for synchronous, asynchronous, and
2755 * CPB logical transport types.
2756 */
2757 switch (conn->type) {
2758 case SCO_LINK:
2759 /* SCO logical transport (1 Mb/s):
2760 * HV1, HV2, HV3 and DV.
2761 */
2762 phys |= BT_PHY_BR_1M_1SLOT;
2763
2764 break;
2765
2766 case ACL_LINK:
2767 /* ACL logical transport (1 Mb/s) ptt=0:
2768 * DH1, DM3, DH3, DM5 and DH5.
2769 */
2770 phys |= BT_PHY_BR_1M_1SLOT;
2771
2772 if (conn->pkt_type & (HCI_DM3 | HCI_DH3))
2773 phys |= BT_PHY_BR_1M_3SLOT;
2774
2775 if (conn->pkt_type & (HCI_DM5 | HCI_DH5))
2776 phys |= BT_PHY_BR_1M_5SLOT;
2777
2778 /* ACL logical transport (2 Mb/s) ptt=1:
2779 * 2-DH1, 2-DH3 and 2-DH5.
2780 */
2781 if (!(conn->pkt_type & HCI_2DH1))
2782 phys |= BT_PHY_EDR_2M_1SLOT;
2783
2784 if (!(conn->pkt_type & HCI_2DH3))
2785 phys |= BT_PHY_EDR_2M_3SLOT;
2786
2787 if (!(conn->pkt_type & HCI_2DH5))
2788 phys |= BT_PHY_EDR_2M_5SLOT;
2789
2790 /* ACL logical transport (3 Mb/s) ptt=1:
2791 * 3-DH1, 3-DH3 and 3-DH5.
2792 */
2793 if (!(conn->pkt_type & HCI_3DH1))
2794 phys |= BT_PHY_EDR_3M_1SLOT;
2795
2796 if (!(conn->pkt_type & HCI_3DH3))
2797 phys |= BT_PHY_EDR_3M_3SLOT;
2798
2799 if (!(conn->pkt_type & HCI_3DH5))
2800 phys |= BT_PHY_EDR_3M_5SLOT;
2801
2802 break;
2803
2804 case ESCO_LINK:
2805 /* eSCO logical transport (1 Mb/s): EV3, EV4 and EV5 */
2806 phys |= BT_PHY_BR_1M_1SLOT;
2807
2808 if (!(conn->pkt_type & (ESCO_EV4 | ESCO_EV5)))
2809 phys |= BT_PHY_BR_1M_3SLOT;
2810
2811 /* eSCO logical transport (2 Mb/s): 2-EV3, 2-EV5 */
2812 if (!(conn->pkt_type & ESCO_2EV3))
2813 phys |= BT_PHY_EDR_2M_1SLOT;
2814
2815 if (!(conn->pkt_type & ESCO_2EV5))
2816 phys |= BT_PHY_EDR_2M_3SLOT;
2817
2818 /* eSCO logical transport (3 Mb/s): 3-EV3, 3-EV5 */
2819 if (!(conn->pkt_type & ESCO_3EV3))
2820 phys |= BT_PHY_EDR_3M_1SLOT;
2821
2822 if (!(conn->pkt_type & ESCO_3EV5))
2823 phys |= BT_PHY_EDR_3M_3SLOT;
2824
2825 break;
2826
2827 case LE_LINK:
2828 if (conn->le_tx_phy & HCI_LE_SET_PHY_1M)
2829 phys |= BT_PHY_LE_1M_TX;
2830
2831 if (conn->le_rx_phy & HCI_LE_SET_PHY_1M)
2832 phys |= BT_PHY_LE_1M_RX;
2833
2834 if (conn->le_tx_phy & HCI_LE_SET_PHY_2M)
2835 phys |= BT_PHY_LE_2M_TX;
2836
2837 if (conn->le_rx_phy & HCI_LE_SET_PHY_2M)
2838 phys |= BT_PHY_LE_2M_RX;
2839
2840 if (conn->le_tx_phy & HCI_LE_SET_PHY_CODED)
2841 phys |= BT_PHY_LE_CODED_TX;
2842
2843 if (conn->le_rx_phy & HCI_LE_SET_PHY_CODED)
2844 phys |= BT_PHY_LE_CODED_RX;
2845
2846 break;
2847 }
2848
2849 return phys;
2850 }
2851
abort_conn_sync(struct hci_dev * hdev,void * data)2852 static int abort_conn_sync(struct hci_dev *hdev, void *data)
2853 {
2854 struct hci_conn *conn = data;
2855
2856 if (!hci_conn_valid(hdev, conn))
2857 return -ECANCELED;
2858
2859 return hci_abort_conn_sync(hdev, conn, conn->abort_reason);
2860 }
2861
hci_abort_conn(struct hci_conn * conn,u8 reason)2862 int hci_abort_conn(struct hci_conn *conn, u8 reason)
2863 {
2864 struct hci_dev *hdev = conn->hdev;
2865
2866 /* If abort_reason has already been set it means the connection is
2867 * already being aborted so don't attempt to overwrite it.
2868 */
2869 if (conn->abort_reason)
2870 return 0;
2871
2872 bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason);
2873
2874 conn->abort_reason = reason;
2875
2876 /* If the connection is pending check the command opcode since that
2877 * might be blocking on hci_cmd_sync_work while waiting its respective
2878 * event so we need to hci_cmd_sync_cancel to cancel it.
2879 *
2880 * hci_connect_le serializes the connection attempts so only one
2881 * connection can be in BT_CONNECT at time.
2882 */
2883 if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) {
2884 switch (hci_skb_event(hdev->sent_cmd)) {
2885 case HCI_EV_CONN_COMPLETE:
2886 case HCI_EV_LE_CONN_COMPLETE:
2887 case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
2888 case HCI_EVT_LE_CIS_ESTABLISHED:
2889 hci_cmd_sync_cancel(hdev, ECANCELED);
2890 break;
2891 }
2892 /* Cancel connect attempt if still queued/pending */
2893 } else if (!hci_cancel_connect_sync(hdev, conn)) {
2894 return 0;
2895 }
2896
2897 /* Run immediately if on cmd_sync_work since this may be called
2898 * as a result to MGMT_OP_DISCONNECT/MGMT_OP_UNPAIR which does
2899 * already queue its callback on cmd_sync_work.
2900 */
2901 return hci_cmd_sync_run_once(hdev, abort_conn_sync, conn, NULL);
2902 }
2903