1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4 
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth HCI connection handling. */
26 
27 #include <linux/export.h>
28 #include <linux/debugfs.h>
29 
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/l2cap.h>
33 #include <net/bluetooth/iso.h>
34 #include <net/bluetooth/mgmt.h>
35 
36 #include "hci_request.h"
37 #include "smp.h"
38 #include "a2mp.h"
39 #include "eir.h"
40 
41 struct sco_param {
42 	u16 pkt_type;
43 	u16 max_latency;
44 	u8  retrans_effort;
45 };
46 
47 struct conn_handle_t {
48 	struct hci_conn *conn;
49 	__u16 handle;
50 };
51 
52 static const struct sco_param esco_param_cvsd[] = {
53 	{ EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a,	0x01 }, /* S3 */
54 	{ EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007,	0x01 }, /* S2 */
55 	{ EDR_ESCO_MASK | ESCO_EV3,   0x0007,	0x01 }, /* S1 */
56 	{ EDR_ESCO_MASK | ESCO_HV3,   0xffff,	0x01 }, /* D1 */
57 	{ EDR_ESCO_MASK | ESCO_HV1,   0xffff,	0x01 }, /* D0 */
58 };
59 
60 static const struct sco_param sco_param_cvsd[] = {
61 	{ EDR_ESCO_MASK | ESCO_HV3,   0xffff,	0xff }, /* D1 */
62 	{ EDR_ESCO_MASK | ESCO_HV1,   0xffff,	0xff }, /* D0 */
63 };
64 
65 static const struct sco_param esco_param_msbc[] = {
66 	{ EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d,	0x02 }, /* T2 */
67 	{ EDR_ESCO_MASK | ESCO_EV3,   0x0008,	0x02 }, /* T1 */
68 };
69 
70 /* This function requires the caller holds hdev->lock */
hci_connect_le_scan_cleanup(struct hci_conn * conn)71 static void hci_connect_le_scan_cleanup(struct hci_conn *conn)
72 {
73 	struct hci_conn_params *params;
74 	struct hci_dev *hdev = conn->hdev;
75 	struct smp_irk *irk;
76 	bdaddr_t *bdaddr;
77 	u8 bdaddr_type;
78 
79 	bdaddr = &conn->dst;
80 	bdaddr_type = conn->dst_type;
81 
82 	/* Check if we need to convert to identity address */
83 	irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
84 	if (irk) {
85 		bdaddr = &irk->bdaddr;
86 		bdaddr_type = irk->addr_type;
87 	}
88 
89 	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr,
90 					   bdaddr_type);
91 	if (!params || !params->explicit_connect)
92 		return;
93 
94 	/* The connection attempt was doing scan for new RPA, and is
95 	 * in scan phase. If params are not associated with any other
96 	 * autoconnect action, remove them completely. If they are, just unmark
97 	 * them as waiting for connection, by clearing explicit_connect field.
98 	 */
99 	params->explicit_connect = false;
100 
101 	list_del_init(&params->action);
102 
103 	switch (params->auto_connect) {
104 	case HCI_AUTO_CONN_EXPLICIT:
105 		hci_conn_params_del(hdev, bdaddr, bdaddr_type);
106 		/* return instead of break to avoid duplicate scan update */
107 		return;
108 	case HCI_AUTO_CONN_DIRECT:
109 	case HCI_AUTO_CONN_ALWAYS:
110 		list_add(&params->action, &hdev->pend_le_conns);
111 		break;
112 	case HCI_AUTO_CONN_REPORT:
113 		list_add(&params->action, &hdev->pend_le_reports);
114 		break;
115 	default:
116 		break;
117 	}
118 
119 	hci_update_passive_scan(hdev);
120 }
121 
hci_conn_cleanup(struct hci_conn * conn)122 static void hci_conn_cleanup(struct hci_conn *conn)
123 {
124 	struct hci_dev *hdev = conn->hdev;
125 
126 	if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
127 		hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);
128 
129 	if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
130 		hci_remove_link_key(hdev, &conn->dst);
131 
132 	hci_chan_list_flush(conn);
133 
134 	hci_conn_hash_del(hdev, conn);
135 
136 	if (conn->cleanup)
137 		conn->cleanup(conn);
138 
139 	if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
140 		switch (conn->setting & SCO_AIRMODE_MASK) {
141 		case SCO_AIRMODE_CVSD:
142 		case SCO_AIRMODE_TRANSP:
143 			if (hdev->notify)
144 				hdev->notify(hdev, HCI_NOTIFY_DISABLE_SCO);
145 			break;
146 		}
147 	} else {
148 		if (hdev->notify)
149 			hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
150 	}
151 
152 	hci_conn_del_sysfs(conn);
153 
154 	debugfs_remove_recursive(conn->debugfs);
155 
156 	hci_dev_put(hdev);
157 
158 	hci_conn_put(conn);
159 }
160 
le_scan_cleanup(struct work_struct * work)161 static void le_scan_cleanup(struct work_struct *work)
162 {
163 	struct hci_conn *conn = container_of(work, struct hci_conn,
164 					     le_scan_cleanup);
165 	struct hci_dev *hdev = conn->hdev;
166 	struct hci_conn *c = NULL;
167 
168 	BT_DBG("%s hcon %p", hdev->name, conn);
169 
170 	hci_dev_lock(hdev);
171 
172 	/* Check that the hci_conn is still around */
173 	rcu_read_lock();
174 	list_for_each_entry_rcu(c, &hdev->conn_hash.list, list) {
175 		if (c == conn)
176 			break;
177 	}
178 	rcu_read_unlock();
179 
180 	if (c == conn) {
181 		hci_connect_le_scan_cleanup(conn);
182 		hci_conn_cleanup(conn);
183 	}
184 
185 	hci_dev_unlock(hdev);
186 	hci_dev_put(hdev);
187 	hci_conn_put(conn);
188 }
189 
hci_connect_le_scan_remove(struct hci_conn * conn)190 static void hci_connect_le_scan_remove(struct hci_conn *conn)
191 {
192 	BT_DBG("%s hcon %p", conn->hdev->name, conn);
193 
194 	/* We can't call hci_conn_del/hci_conn_cleanup here since that
195 	 * could deadlock with another hci_conn_del() call that's holding
196 	 * hci_dev_lock and doing cancel_delayed_work_sync(&conn->disc_work).
197 	 * Instead, grab temporary extra references to the hci_dev and
198 	 * hci_conn and perform the necessary cleanup in a separate work
199 	 * callback.
200 	 */
201 
202 	hci_dev_hold(conn->hdev);
203 	hci_conn_get(conn);
204 
205 	/* Even though we hold a reference to the hdev, many other
206 	 * things might get cleaned up meanwhile, including the hdev's
207 	 * own workqueue, so we can't use that for scheduling.
208 	 */
209 	schedule_work(&conn->le_scan_cleanup);
210 }
211 
hci_acl_create_connection(struct hci_conn * conn)212 static void hci_acl_create_connection(struct hci_conn *conn)
213 {
214 	struct hci_dev *hdev = conn->hdev;
215 	struct inquiry_entry *ie;
216 	struct hci_cp_create_conn cp;
217 
218 	BT_DBG("hcon %p", conn);
219 
220 	/* Many controllers disallow HCI Create Connection while it is doing
221 	 * HCI Inquiry. So we cancel the Inquiry first before issuing HCI Create
222 	 * Connection. This may cause the MGMT discovering state to become false
223 	 * without user space's request but it is okay since the MGMT Discovery
224 	 * APIs do not promise that discovery should be done forever. Instead,
225 	 * the user space monitors the status of MGMT discovering and it may
226 	 * request for discovery again when this flag becomes false.
227 	 */
228 	if (test_bit(HCI_INQUIRY, &hdev->flags)) {
229 		/* Put this connection to "pending" state so that it will be
230 		 * executed after the inquiry cancel command complete event.
231 		 */
232 		conn->state = BT_CONNECT2;
233 		hci_send_cmd(hdev, HCI_OP_INQUIRY_CANCEL, 0, NULL);
234 		return;
235 	}
236 
237 	conn->state = BT_CONNECT;
238 	conn->out = true;
239 	conn->role = HCI_ROLE_MASTER;
240 
241 	conn->attempt++;
242 
243 	conn->link_policy = hdev->link_policy;
244 
245 	memset(&cp, 0, sizeof(cp));
246 	bacpy(&cp.bdaddr, &conn->dst);
247 	cp.pscan_rep_mode = 0x02;
248 
249 	ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
250 	if (ie) {
251 		if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) {
252 			cp.pscan_rep_mode = ie->data.pscan_rep_mode;
253 			cp.pscan_mode     = ie->data.pscan_mode;
254 			cp.clock_offset   = ie->data.clock_offset |
255 					    cpu_to_le16(0x8000);
256 		}
257 
258 		memcpy(conn->dev_class, ie->data.dev_class, 3);
259 	}
260 
261 	cp.pkt_type = cpu_to_le16(conn->pkt_type);
262 	if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER))
263 		cp.role_switch = 0x01;
264 	else
265 		cp.role_switch = 0x00;
266 
267 	hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
268 }
269 
hci_disconnect(struct hci_conn * conn,__u8 reason)270 int hci_disconnect(struct hci_conn *conn, __u8 reason)
271 {
272 	BT_DBG("hcon %p", conn);
273 
274 	/* When we are central of an established connection and it enters
275 	 * the disconnect timeout, then go ahead and try to read the
276 	 * current clock offset.  Processing of the result is done
277 	 * within the event handling and hci_clock_offset_evt function.
278 	 */
279 	if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER &&
280 	    (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) {
281 		struct hci_dev *hdev = conn->hdev;
282 		struct hci_cp_read_clock_offset clkoff_cp;
283 
284 		clkoff_cp.handle = cpu_to_le16(conn->handle);
285 		hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp),
286 			     &clkoff_cp);
287 	}
288 
289 	return hci_abort_conn(conn, reason);
290 }
291 
hci_add_sco(struct hci_conn * conn,__u16 handle)292 static void hci_add_sco(struct hci_conn *conn, __u16 handle)
293 {
294 	struct hci_dev *hdev = conn->hdev;
295 	struct hci_cp_add_sco cp;
296 
297 	BT_DBG("hcon %p", conn);
298 
299 	conn->state = BT_CONNECT;
300 	conn->out = true;
301 
302 	conn->attempt++;
303 
304 	cp.handle   = cpu_to_le16(handle);
305 	cp.pkt_type = cpu_to_le16(conn->pkt_type);
306 
307 	hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
308 }
309 
find_next_esco_param(struct hci_conn * conn,const struct sco_param * esco_param,int size)310 static bool find_next_esco_param(struct hci_conn *conn,
311 				 const struct sco_param *esco_param, int size)
312 {
313 	for (; conn->attempt <= size; conn->attempt++) {
314 		if (lmp_esco_2m_capable(conn->link) ||
315 		    (esco_param[conn->attempt - 1].pkt_type & ESCO_2EV3))
316 			break;
317 		BT_DBG("hcon %p skipped attempt %d, eSCO 2M not supported",
318 		       conn, conn->attempt);
319 	}
320 
321 	return conn->attempt <= size;
322 }
323 
configure_datapath_sync(struct hci_dev * hdev,struct bt_codec * codec)324 static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec)
325 {
326 	int err;
327 	__u8 vnd_len, *vnd_data = NULL;
328 	struct hci_op_configure_data_path *cmd = NULL;
329 
330 	err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len,
331 					  &vnd_data);
332 	if (err < 0)
333 		goto error;
334 
335 	cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL);
336 	if (!cmd) {
337 		err = -ENOMEM;
338 		goto error;
339 	}
340 
341 	err = hdev->get_data_path_id(hdev, &cmd->data_path_id);
342 	if (err < 0)
343 		goto error;
344 
345 	cmd->vnd_len = vnd_len;
346 	memcpy(cmd->vnd_data, vnd_data, vnd_len);
347 
348 	cmd->direction = 0x00;
349 	__hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
350 			      sizeof(*cmd) + vnd_len, cmd, HCI_CMD_TIMEOUT);
351 
352 	cmd->direction = 0x01;
353 	err = __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
354 				    sizeof(*cmd) + vnd_len, cmd,
355 				    HCI_CMD_TIMEOUT);
356 error:
357 
358 	kfree(cmd);
359 	kfree(vnd_data);
360 	return err;
361 }
362 
hci_enhanced_setup_sync(struct hci_dev * hdev,void * data)363 static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data)
364 {
365 	struct conn_handle_t *conn_handle = data;
366 	struct hci_conn *conn = conn_handle->conn;
367 	__u16 handle = conn_handle->handle;
368 	struct hci_cp_enhanced_setup_sync_conn cp;
369 	const struct sco_param *param;
370 
371 	kfree(conn_handle);
372 
373 	bt_dev_dbg(hdev, "hcon %p", conn);
374 
375 	/* for offload use case, codec needs to configured before opening SCO */
376 	if (conn->codec.data_path)
377 		configure_datapath_sync(hdev, &conn->codec);
378 
379 	conn->state = BT_CONNECT;
380 	conn->out = true;
381 
382 	conn->attempt++;
383 
384 	memset(&cp, 0x00, sizeof(cp));
385 
386 	cp.handle   = cpu_to_le16(handle);
387 
388 	cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
389 	cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
390 
391 	switch (conn->codec.id) {
392 	case BT_CODEC_MSBC:
393 		if (!find_next_esco_param(conn, esco_param_msbc,
394 					  ARRAY_SIZE(esco_param_msbc)))
395 			return -EINVAL;
396 
397 		param = &esco_param_msbc[conn->attempt - 1];
398 		cp.tx_coding_format.id = 0x05;
399 		cp.rx_coding_format.id = 0x05;
400 		cp.tx_codec_frame_size = __cpu_to_le16(60);
401 		cp.rx_codec_frame_size = __cpu_to_le16(60);
402 		cp.in_bandwidth = __cpu_to_le32(32000);
403 		cp.out_bandwidth = __cpu_to_le32(32000);
404 		cp.in_coding_format.id = 0x04;
405 		cp.out_coding_format.id = 0x04;
406 		cp.in_coded_data_size = __cpu_to_le16(16);
407 		cp.out_coded_data_size = __cpu_to_le16(16);
408 		cp.in_pcm_data_format = 2;
409 		cp.out_pcm_data_format = 2;
410 		cp.in_pcm_sample_payload_msb_pos = 0;
411 		cp.out_pcm_sample_payload_msb_pos = 0;
412 		cp.in_data_path = conn->codec.data_path;
413 		cp.out_data_path = conn->codec.data_path;
414 		cp.in_transport_unit_size = 1;
415 		cp.out_transport_unit_size = 1;
416 		break;
417 
418 	case BT_CODEC_TRANSPARENT:
419 		if (!find_next_esco_param(conn, esco_param_msbc,
420 					  ARRAY_SIZE(esco_param_msbc)))
421 			return false;
422 		param = &esco_param_msbc[conn->attempt - 1];
423 		cp.tx_coding_format.id = 0x03;
424 		cp.rx_coding_format.id = 0x03;
425 		cp.tx_codec_frame_size = __cpu_to_le16(60);
426 		cp.rx_codec_frame_size = __cpu_to_le16(60);
427 		cp.in_bandwidth = __cpu_to_le32(0x1f40);
428 		cp.out_bandwidth = __cpu_to_le32(0x1f40);
429 		cp.in_coding_format.id = 0x03;
430 		cp.out_coding_format.id = 0x03;
431 		cp.in_coded_data_size = __cpu_to_le16(16);
432 		cp.out_coded_data_size = __cpu_to_le16(16);
433 		cp.in_pcm_data_format = 2;
434 		cp.out_pcm_data_format = 2;
435 		cp.in_pcm_sample_payload_msb_pos = 0;
436 		cp.out_pcm_sample_payload_msb_pos = 0;
437 		cp.in_data_path = conn->codec.data_path;
438 		cp.out_data_path = conn->codec.data_path;
439 		cp.in_transport_unit_size = 1;
440 		cp.out_transport_unit_size = 1;
441 		break;
442 
443 	case BT_CODEC_CVSD:
444 		if (lmp_esco_capable(conn->link)) {
445 			if (!find_next_esco_param(conn, esco_param_cvsd,
446 						  ARRAY_SIZE(esco_param_cvsd)))
447 				return -EINVAL;
448 			param = &esco_param_cvsd[conn->attempt - 1];
449 		} else {
450 			if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
451 				return -EINVAL;
452 			param = &sco_param_cvsd[conn->attempt - 1];
453 		}
454 		cp.tx_coding_format.id = 2;
455 		cp.rx_coding_format.id = 2;
456 		cp.tx_codec_frame_size = __cpu_to_le16(60);
457 		cp.rx_codec_frame_size = __cpu_to_le16(60);
458 		cp.in_bandwidth = __cpu_to_le32(16000);
459 		cp.out_bandwidth = __cpu_to_le32(16000);
460 		cp.in_coding_format.id = 4;
461 		cp.out_coding_format.id = 4;
462 		cp.in_coded_data_size = __cpu_to_le16(16);
463 		cp.out_coded_data_size = __cpu_to_le16(16);
464 		cp.in_pcm_data_format = 2;
465 		cp.out_pcm_data_format = 2;
466 		cp.in_pcm_sample_payload_msb_pos = 0;
467 		cp.out_pcm_sample_payload_msb_pos = 0;
468 		cp.in_data_path = conn->codec.data_path;
469 		cp.out_data_path = conn->codec.data_path;
470 		cp.in_transport_unit_size = 16;
471 		cp.out_transport_unit_size = 16;
472 		break;
473 	default:
474 		return -EINVAL;
475 	}
476 
477 	cp.retrans_effort = param->retrans_effort;
478 	cp.pkt_type = __cpu_to_le16(param->pkt_type);
479 	cp.max_latency = __cpu_to_le16(param->max_latency);
480 
481 	if (hci_send_cmd(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
482 		return -EIO;
483 
484 	return 0;
485 }
486 
hci_setup_sync_conn(struct hci_conn * conn,__u16 handle)487 static bool hci_setup_sync_conn(struct hci_conn *conn, __u16 handle)
488 {
489 	struct hci_dev *hdev = conn->hdev;
490 	struct hci_cp_setup_sync_conn cp;
491 	const struct sco_param *param;
492 
493 	bt_dev_dbg(hdev, "hcon %p", conn);
494 
495 	conn->state = BT_CONNECT;
496 	conn->out = true;
497 
498 	conn->attempt++;
499 
500 	cp.handle   = cpu_to_le16(handle);
501 
502 	cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
503 	cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
504 	cp.voice_setting  = cpu_to_le16(conn->setting);
505 
506 	switch (conn->setting & SCO_AIRMODE_MASK) {
507 	case SCO_AIRMODE_TRANSP:
508 		if (!find_next_esco_param(conn, esco_param_msbc,
509 					  ARRAY_SIZE(esco_param_msbc)))
510 			return false;
511 		param = &esco_param_msbc[conn->attempt - 1];
512 		break;
513 	case SCO_AIRMODE_CVSD:
514 		if (lmp_esco_capable(conn->link)) {
515 			if (!find_next_esco_param(conn, esco_param_cvsd,
516 						  ARRAY_SIZE(esco_param_cvsd)))
517 				return false;
518 			param = &esco_param_cvsd[conn->attempt - 1];
519 		} else {
520 			if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
521 				return false;
522 			param = &sco_param_cvsd[conn->attempt - 1];
523 		}
524 		break;
525 	default:
526 		return false;
527 	}
528 
529 	cp.retrans_effort = param->retrans_effort;
530 	cp.pkt_type = __cpu_to_le16(param->pkt_type);
531 	cp.max_latency = __cpu_to_le16(param->max_latency);
532 
533 	if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
534 		return false;
535 
536 	return true;
537 }
538 
hci_setup_sync(struct hci_conn * conn,__u16 handle)539 bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
540 {
541 	int result;
542 	struct conn_handle_t *conn_handle;
543 
544 	if (enhanced_sync_conn_capable(conn->hdev)) {
545 		conn_handle = kzalloc(sizeof(*conn_handle), GFP_KERNEL);
546 
547 		if (!conn_handle)
548 			return false;
549 
550 		conn_handle->conn = conn;
551 		conn_handle->handle = handle;
552 		result = hci_cmd_sync_queue(conn->hdev, hci_enhanced_setup_sync,
553 					    conn_handle, NULL);
554 		if (result < 0)
555 			kfree(conn_handle);
556 
557 		return result == 0;
558 	}
559 
560 	return hci_setup_sync_conn(conn, handle);
561 }
562 
hci_le_conn_update(struct hci_conn * conn,u16 min,u16 max,u16 latency,u16 to_multiplier)563 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
564 		      u16 to_multiplier)
565 {
566 	struct hci_dev *hdev = conn->hdev;
567 	struct hci_conn_params *params;
568 	struct hci_cp_le_conn_update cp;
569 
570 	hci_dev_lock(hdev);
571 
572 	params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
573 	if (params) {
574 		params->conn_min_interval = min;
575 		params->conn_max_interval = max;
576 		params->conn_latency = latency;
577 		params->supervision_timeout = to_multiplier;
578 	}
579 
580 	hci_dev_unlock(hdev);
581 
582 	memset(&cp, 0, sizeof(cp));
583 	cp.handle		= cpu_to_le16(conn->handle);
584 	cp.conn_interval_min	= cpu_to_le16(min);
585 	cp.conn_interval_max	= cpu_to_le16(max);
586 	cp.conn_latency		= cpu_to_le16(latency);
587 	cp.supervision_timeout	= cpu_to_le16(to_multiplier);
588 	cp.min_ce_len		= cpu_to_le16(0x0000);
589 	cp.max_ce_len		= cpu_to_le16(0x0000);
590 
591 	hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
592 
593 	if (params)
594 		return 0x01;
595 
596 	return 0x00;
597 }
598 
hci_le_start_enc(struct hci_conn * conn,__le16 ediv,__le64 rand,__u8 ltk[16],__u8 key_size)599 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
600 		      __u8 ltk[16], __u8 key_size)
601 {
602 	struct hci_dev *hdev = conn->hdev;
603 	struct hci_cp_le_start_enc cp;
604 
605 	BT_DBG("hcon %p", conn);
606 
607 	memset(&cp, 0, sizeof(cp));
608 
609 	cp.handle = cpu_to_le16(conn->handle);
610 	cp.rand = rand;
611 	cp.ediv = ediv;
612 	memcpy(cp.ltk, ltk, key_size);
613 
614 	hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
615 }
616 
617 /* Device _must_ be locked */
hci_sco_setup(struct hci_conn * conn,__u8 status)618 void hci_sco_setup(struct hci_conn *conn, __u8 status)
619 {
620 	struct hci_conn *sco = conn->link;
621 
622 	if (!sco)
623 		return;
624 
625 	BT_DBG("hcon %p", conn);
626 
627 	if (!status) {
628 		if (lmp_esco_capable(conn->hdev))
629 			hci_setup_sync(sco, conn->handle);
630 		else
631 			hci_add_sco(sco, conn->handle);
632 	} else {
633 		hci_connect_cfm(sco, status);
634 		hci_conn_del(sco);
635 	}
636 }
637 
hci_conn_timeout(struct work_struct * work)638 static void hci_conn_timeout(struct work_struct *work)
639 {
640 	struct hci_conn *conn = container_of(work, struct hci_conn,
641 					     disc_work.work);
642 	int refcnt = atomic_read(&conn->refcnt);
643 
644 	BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
645 
646 	WARN_ON(refcnt < 0);
647 
648 	/* FIXME: It was observed that in pairing failed scenario, refcnt
649 	 * drops below 0. Probably this is because l2cap_conn_del calls
650 	 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
651 	 * dropped. After that loop hci_chan_del is called which also drops
652 	 * conn. For now make sure that ACL is alive if refcnt is higher then 0,
653 	 * otherwise drop it.
654 	 */
655 	if (refcnt > 0)
656 		return;
657 
658 	/* LE connections in scanning state need special handling */
659 	if (conn->state == BT_CONNECT && conn->type == LE_LINK &&
660 	    test_bit(HCI_CONN_SCANNING, &conn->flags)) {
661 		hci_connect_le_scan_remove(conn);
662 		return;
663 	}
664 
665 	hci_abort_conn(conn, hci_proto_disconn_ind(conn));
666 }
667 
668 /* Enter sniff mode */
hci_conn_idle(struct work_struct * work)669 static void hci_conn_idle(struct work_struct *work)
670 {
671 	struct hci_conn *conn = container_of(work, struct hci_conn,
672 					     idle_work.work);
673 	struct hci_dev *hdev = conn->hdev;
674 
675 	BT_DBG("hcon %p mode %d", conn, conn->mode);
676 
677 	if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
678 		return;
679 
680 	if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
681 		return;
682 
683 	if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
684 		struct hci_cp_sniff_subrate cp;
685 		cp.handle             = cpu_to_le16(conn->handle);
686 		cp.max_latency        = cpu_to_le16(0);
687 		cp.min_remote_timeout = cpu_to_le16(0);
688 		cp.min_local_timeout  = cpu_to_le16(0);
689 		hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
690 	}
691 
692 	if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
693 		struct hci_cp_sniff_mode cp;
694 		cp.handle       = cpu_to_le16(conn->handle);
695 		cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
696 		cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
697 		cp.attempt      = cpu_to_le16(4);
698 		cp.timeout      = cpu_to_le16(1);
699 		hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
700 	}
701 }
702 
hci_conn_auto_accept(struct work_struct * work)703 static void hci_conn_auto_accept(struct work_struct *work)
704 {
705 	struct hci_conn *conn = container_of(work, struct hci_conn,
706 					     auto_accept_work.work);
707 
708 	hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
709 		     &conn->dst);
710 }
711 
le_disable_advertising(struct hci_dev * hdev)712 static void le_disable_advertising(struct hci_dev *hdev)
713 {
714 	if (ext_adv_capable(hdev)) {
715 		struct hci_cp_le_set_ext_adv_enable cp;
716 
717 		cp.enable = 0x00;
718 		cp.num_of_sets = 0x00;
719 
720 		hci_send_cmd(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE, sizeof(cp),
721 			     &cp);
722 	} else {
723 		u8 enable = 0x00;
724 		hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
725 			     &enable);
726 	}
727 }
728 
le_conn_timeout(struct work_struct * work)729 static void le_conn_timeout(struct work_struct *work)
730 {
731 	struct hci_conn *conn = container_of(work, struct hci_conn,
732 					     le_conn_timeout.work);
733 	struct hci_dev *hdev = conn->hdev;
734 
735 	BT_DBG("");
736 
737 	/* We could end up here due to having done directed advertising,
738 	 * so clean up the state if necessary. This should however only
739 	 * happen with broken hardware or if low duty cycle was used
740 	 * (which doesn't have a timeout of its own).
741 	 */
742 	if (conn->role == HCI_ROLE_SLAVE) {
743 		/* Disable LE Advertising */
744 		le_disable_advertising(hdev);
745 		hci_dev_lock(hdev);
746 		hci_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
747 		hci_dev_unlock(hdev);
748 		return;
749 	}
750 
751 	hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
752 }
753 
754 struct iso_list_data {
755 	union {
756 		u8  cig;
757 		u8  big;
758 	};
759 	union {
760 		u8  cis;
761 		u8  bis;
762 		u16 sync_handle;
763 	};
764 	int count;
765 	struct {
766 		struct hci_cp_le_set_cig_params cp;
767 		struct hci_cis_params cis[0x11];
768 	} pdu;
769 };
770 
bis_list(struct hci_conn * conn,void * data)771 static void bis_list(struct hci_conn *conn, void *data)
772 {
773 	struct iso_list_data *d = data;
774 
775 	/* Skip if not broadcast/ANY address */
776 	if (bacmp(&conn->dst, BDADDR_ANY))
777 		return;
778 
779 	if (d->big != conn->iso_qos.big || d->bis == BT_ISO_QOS_BIS_UNSET ||
780 	    d->bis != conn->iso_qos.bis)
781 		return;
782 
783 	d->count++;
784 }
785 
find_bis(struct hci_conn * conn,void * data)786 static void find_bis(struct hci_conn *conn, void *data)
787 {
788 	struct iso_list_data *d = data;
789 
790 	/* Ignore unicast */
791 	if (bacmp(&conn->dst, BDADDR_ANY))
792 		return;
793 
794 	d->count++;
795 }
796 
terminate_big_sync(struct hci_dev * hdev,void * data)797 static int terminate_big_sync(struct hci_dev *hdev, void *data)
798 {
799 	struct iso_list_data *d = data;
800 
801 	bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", d->big, d->bis);
802 
803 	hci_remove_ext_adv_instance_sync(hdev, d->bis, NULL);
804 
805 	/* Check if ISO connection is a BIS and terminate BIG if there are
806 	 * no other connections using it.
807 	 */
808 	hci_conn_hash_list_state(hdev, find_bis, ISO_LINK, BT_CONNECTED, d);
809 	if (d->count)
810 		return 0;
811 
812 	return hci_le_terminate_big_sync(hdev, d->big,
813 					 HCI_ERROR_LOCAL_HOST_TERM);
814 }
815 
terminate_big_destroy(struct hci_dev * hdev,void * data,int err)816 static void terminate_big_destroy(struct hci_dev *hdev, void *data, int err)
817 {
818 	kfree(data);
819 }
820 
hci_le_terminate_big(struct hci_dev * hdev,u8 big,u8 bis)821 static int hci_le_terminate_big(struct hci_dev *hdev, u8 big, u8 bis)
822 {
823 	struct iso_list_data *d;
824 
825 	bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", big, bis);
826 
827 	d = kmalloc(sizeof(*d), GFP_KERNEL);
828 	if (!d)
829 		return -ENOMEM;
830 
831 	memset(d, 0, sizeof(*d));
832 	d->big = big;
833 	d->bis = bis;
834 
835 	return hci_cmd_sync_queue(hdev, terminate_big_sync, d,
836 				  terminate_big_destroy);
837 }
838 
big_terminate_sync(struct hci_dev * hdev,void * data)839 static int big_terminate_sync(struct hci_dev *hdev, void *data)
840 {
841 	struct iso_list_data *d = data;
842 
843 	bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", d->big,
844 		   d->sync_handle);
845 
846 	/* Check if ISO connection is a BIS and terminate BIG if there are
847 	 * no other connections using it.
848 	 */
849 	hci_conn_hash_list_state(hdev, find_bis, ISO_LINK, BT_CONNECTED, d);
850 	if (d->count)
851 		return 0;
852 
853 	hci_le_big_terminate_sync(hdev, d->big);
854 
855 	return hci_le_pa_terminate_sync(hdev, d->sync_handle);
856 }
857 
hci_le_big_terminate(struct hci_dev * hdev,u8 big,u16 sync_handle)858 static int hci_le_big_terminate(struct hci_dev *hdev, u8 big, u16 sync_handle)
859 {
860 	struct iso_list_data *d;
861 
862 	bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", big, sync_handle);
863 
864 	d = kmalloc(sizeof(*d), GFP_KERNEL);
865 	if (!d)
866 		return -ENOMEM;
867 
868 	memset(d, 0, sizeof(*d));
869 	d->big = big;
870 	d->sync_handle = sync_handle;
871 
872 	return hci_cmd_sync_queue(hdev, big_terminate_sync, d,
873 				  terminate_big_destroy);
874 }
875 
876 /* Cleanup BIS connection
877  *
878  * Detects if there any BIS left connected in a BIG
879  * broadcaster: Remove advertising instance and terminate BIG.
880  * broadcaster receiver: Teminate BIG sync and terminate PA sync.
881  */
bis_cleanup(struct hci_conn * conn)882 static void bis_cleanup(struct hci_conn *conn)
883 {
884 	struct hci_dev *hdev = conn->hdev;
885 
886 	bt_dev_dbg(hdev, "conn %p", conn);
887 
888 	if (conn->role == HCI_ROLE_MASTER) {
889 		if (!test_and_clear_bit(HCI_CONN_PER_ADV, &conn->flags))
890 			return;
891 
892 		hci_le_terminate_big(hdev, conn->iso_qos.big,
893 				     conn->iso_qos.bis);
894 	} else {
895 		hci_le_big_terminate(hdev, conn->iso_qos.big,
896 				     conn->sync_handle);
897 	}
898 }
899 
remove_cig_sync(struct hci_dev * hdev,void * data)900 static int remove_cig_sync(struct hci_dev *hdev, void *data)
901 {
902 	u8 handle = PTR_ERR(data);
903 
904 	return hci_le_remove_cig_sync(hdev, handle);
905 }
906 
hci_le_remove_cig(struct hci_dev * hdev,u8 handle)907 static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle)
908 {
909 	bt_dev_dbg(hdev, "handle 0x%2.2x", handle);
910 
911 	return hci_cmd_sync_queue(hdev, remove_cig_sync, ERR_PTR(handle), NULL);
912 }
913 
find_cis(struct hci_conn * conn,void * data)914 static void find_cis(struct hci_conn *conn, void *data)
915 {
916 	struct iso_list_data *d = data;
917 
918 	/* Ignore broadcast */
919 	if (!bacmp(&conn->dst, BDADDR_ANY))
920 		return;
921 
922 	d->count++;
923 }
924 
925 /* Cleanup CIS connection:
926  *
927  * Detects if there any CIS left connected in a CIG and remove it.
928  */
cis_cleanup(struct hci_conn * conn)929 static void cis_cleanup(struct hci_conn *conn)
930 {
931 	struct hci_dev *hdev = conn->hdev;
932 	struct iso_list_data d;
933 
934 	memset(&d, 0, sizeof(d));
935 	d.cig = conn->iso_qos.cig;
936 
937 	/* Check if ISO connection is a CIS and remove CIG if there are
938 	 * no other connections using it.
939 	 */
940 	hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECTED, &d);
941 	if (d.count)
942 		return;
943 
944 	hci_le_remove_cig(hdev, conn->iso_qos.cig);
945 }
946 
hci_conn_add(struct hci_dev * hdev,int type,bdaddr_t * dst,u8 role)947 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
948 			      u8 role)
949 {
950 	struct hci_conn *conn;
951 
952 	BT_DBG("%s dst %pMR", hdev->name, dst);
953 
954 	conn = kzalloc(sizeof(*conn), GFP_KERNEL);
955 	if (!conn)
956 		return NULL;
957 
958 	bacpy(&conn->dst, dst);
959 	bacpy(&conn->src, &hdev->bdaddr);
960 	conn->handle = HCI_CONN_HANDLE_UNSET;
961 	conn->hdev  = hdev;
962 	conn->type  = type;
963 	conn->role  = role;
964 	conn->mode  = HCI_CM_ACTIVE;
965 	conn->state = BT_OPEN;
966 	conn->auth_type = HCI_AT_GENERAL_BONDING;
967 	conn->io_capability = hdev->io_capability;
968 	conn->remote_auth = 0xff;
969 	conn->key_type = 0xff;
970 	conn->rssi = HCI_RSSI_INVALID;
971 	conn->tx_power = HCI_TX_POWER_INVALID;
972 	conn->max_tx_power = HCI_TX_POWER_INVALID;
973 
974 	set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
975 	conn->disc_timeout = HCI_DISCONN_TIMEOUT;
976 
977 	/* Set Default Authenticated payload timeout to 30s */
978 	conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
979 
980 	if (conn->role == HCI_ROLE_MASTER)
981 		conn->out = true;
982 
983 	switch (type) {
984 	case ACL_LINK:
985 		conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
986 		break;
987 	case LE_LINK:
988 		/* conn->src should reflect the local identity address */
989 		hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
990 		break;
991 	case ISO_LINK:
992 		/* conn->src should reflect the local identity address */
993 		hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
994 
995 		/* set proper cleanup function */
996 		if (!bacmp(dst, BDADDR_ANY))
997 			conn->cleanup = bis_cleanup;
998 		else if (conn->role == HCI_ROLE_MASTER)
999 			conn->cleanup = cis_cleanup;
1000 
1001 		break;
1002 	case SCO_LINK:
1003 		if (lmp_esco_capable(hdev))
1004 			conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
1005 					(hdev->esco_type & EDR_ESCO_MASK);
1006 		else
1007 			conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
1008 		break;
1009 	case ESCO_LINK:
1010 		conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
1011 		break;
1012 	}
1013 
1014 	skb_queue_head_init(&conn->data_q);
1015 
1016 	INIT_LIST_HEAD(&conn->chan_list);
1017 
1018 	INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
1019 	INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
1020 	INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
1021 	INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
1022 	INIT_WORK(&conn->le_scan_cleanup, le_scan_cleanup);
1023 
1024 	atomic_set(&conn->refcnt, 0);
1025 
1026 	hci_dev_hold(hdev);
1027 
1028 	hci_conn_hash_add(hdev, conn);
1029 
1030 	/* The SCO and eSCO connections will only be notified when their
1031 	 * setup has been completed. This is different to ACL links which
1032 	 * can be notified right away.
1033 	 */
1034 	if (conn->type != SCO_LINK && conn->type != ESCO_LINK) {
1035 		if (hdev->notify)
1036 			hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
1037 	}
1038 
1039 	hci_conn_init_sysfs(conn);
1040 
1041 	return conn;
1042 }
1043 
hci_conn_del(struct hci_conn * conn)1044 int hci_conn_del(struct hci_conn *conn)
1045 {
1046 	struct hci_dev *hdev = conn->hdev;
1047 
1048 	BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
1049 
1050 	cancel_delayed_work_sync(&conn->disc_work);
1051 	cancel_delayed_work_sync(&conn->auto_accept_work);
1052 	cancel_delayed_work_sync(&conn->idle_work);
1053 
1054 	if (conn->type == ACL_LINK) {
1055 		struct hci_conn *sco = conn->link;
1056 		if (sco)
1057 			sco->link = NULL;
1058 
1059 		/* Unacked frames */
1060 		hdev->acl_cnt += conn->sent;
1061 	} else if (conn->type == LE_LINK) {
1062 		cancel_delayed_work(&conn->le_conn_timeout);
1063 
1064 		if (hdev->le_pkts)
1065 			hdev->le_cnt += conn->sent;
1066 		else
1067 			hdev->acl_cnt += conn->sent;
1068 	} else {
1069 		struct hci_conn *acl = conn->link;
1070 
1071 		if (acl) {
1072 			acl->link = NULL;
1073 			hci_conn_drop(acl);
1074 		}
1075 
1076 		/* Unacked ISO frames */
1077 		if (conn->type == ISO_LINK) {
1078 			if (hdev->iso_pkts)
1079 				hdev->iso_cnt += conn->sent;
1080 			else if (hdev->le_pkts)
1081 				hdev->le_cnt += conn->sent;
1082 			else
1083 				hdev->acl_cnt += conn->sent;
1084 		}
1085 	}
1086 
1087 	if (conn->amp_mgr)
1088 		amp_mgr_put(conn->amp_mgr);
1089 
1090 	skb_queue_purge(&conn->data_q);
1091 
1092 	/* Remove the connection from the list and cleanup its remaining
1093 	 * state. This is a separate function since for some cases like
1094 	 * BT_CONNECT_SCAN we *only* want the cleanup part without the
1095 	 * rest of hci_conn_del.
1096 	 */
1097 	hci_conn_cleanup(conn);
1098 
1099 	return 0;
1100 }
1101 
hci_get_route(bdaddr_t * dst,bdaddr_t * src,uint8_t src_type)1102 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type)
1103 {
1104 	int use_src = bacmp(src, BDADDR_ANY);
1105 	struct hci_dev *hdev = NULL, *d;
1106 
1107 	BT_DBG("%pMR -> %pMR", src, dst);
1108 
1109 	read_lock(&hci_dev_list_lock);
1110 
1111 	list_for_each_entry(d, &hci_dev_list, list) {
1112 		if (!test_bit(HCI_UP, &d->flags) ||
1113 		    hci_dev_test_flag(d, HCI_USER_CHANNEL) ||
1114 		    d->dev_type != HCI_PRIMARY)
1115 			continue;
1116 
1117 		/* Simple routing:
1118 		 *   No source address - find interface with bdaddr != dst
1119 		 *   Source address    - find interface with bdaddr == src
1120 		 */
1121 
1122 		if (use_src) {
1123 			bdaddr_t id_addr;
1124 			u8 id_addr_type;
1125 
1126 			if (src_type == BDADDR_BREDR) {
1127 				if (!lmp_bredr_capable(d))
1128 					continue;
1129 				bacpy(&id_addr, &d->bdaddr);
1130 				id_addr_type = BDADDR_BREDR;
1131 			} else {
1132 				if (!lmp_le_capable(d))
1133 					continue;
1134 
1135 				hci_copy_identity_address(d, &id_addr,
1136 							  &id_addr_type);
1137 
1138 				/* Convert from HCI to three-value type */
1139 				if (id_addr_type == ADDR_LE_DEV_PUBLIC)
1140 					id_addr_type = BDADDR_LE_PUBLIC;
1141 				else
1142 					id_addr_type = BDADDR_LE_RANDOM;
1143 			}
1144 
1145 			if (!bacmp(&id_addr, src) && id_addr_type == src_type) {
1146 				hdev = d; break;
1147 			}
1148 		} else {
1149 			if (bacmp(&d->bdaddr, dst)) {
1150 				hdev = d; break;
1151 			}
1152 		}
1153 	}
1154 
1155 	if (hdev)
1156 		hdev = hci_dev_hold(hdev);
1157 
1158 	read_unlock(&hci_dev_list_lock);
1159 	return hdev;
1160 }
1161 EXPORT_SYMBOL(hci_get_route);
1162 
1163 /* This function requires the caller holds hdev->lock */
hci_le_conn_failed(struct hci_conn * conn,u8 status)1164 static void hci_le_conn_failed(struct hci_conn *conn, u8 status)
1165 {
1166 	struct hci_dev *hdev = conn->hdev;
1167 	struct hci_conn_params *params;
1168 
1169 	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
1170 					   conn->dst_type);
1171 	if (params && params->conn) {
1172 		hci_conn_drop(params->conn);
1173 		hci_conn_put(params->conn);
1174 		params->conn = NULL;
1175 	}
1176 
1177 	/* If the status indicates successful cancellation of
1178 	 * the attempt (i.e. Unknown Connection Id) there's no point of
1179 	 * notifying failure since we'll go back to keep trying to
1180 	 * connect. The only exception is explicit connect requests
1181 	 * where a timeout + cancel does indicate an actual failure.
1182 	 */
1183 	if (status != HCI_ERROR_UNKNOWN_CONN_ID ||
1184 	    (params && params->explicit_connect))
1185 		mgmt_connect_failed(hdev, &conn->dst, conn->type,
1186 				    conn->dst_type, status);
1187 
1188 	/* Since we may have temporarily stopped the background scanning in
1189 	 * favor of connection establishment, we should restart it.
1190 	 */
1191 	hci_update_passive_scan(hdev);
1192 
1193 	/* Enable advertising in case this was a failed connection
1194 	 * attempt as a peripheral.
1195 	 */
1196 	hci_enable_advertising(hdev);
1197 }
1198 
1199 /* This function requires the caller holds hdev->lock */
hci_conn_failed(struct hci_conn * conn,u8 status)1200 void hci_conn_failed(struct hci_conn *conn, u8 status)
1201 {
1202 	struct hci_dev *hdev = conn->hdev;
1203 
1204 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
1205 
1206 	switch (conn->type) {
1207 	case LE_LINK:
1208 		hci_le_conn_failed(conn, status);
1209 		break;
1210 	case ACL_LINK:
1211 		mgmt_connect_failed(hdev, &conn->dst, conn->type,
1212 				    conn->dst_type, status);
1213 		break;
1214 	}
1215 
1216 	conn->state = BT_CLOSED;
1217 	hci_connect_cfm(conn, status);
1218 	hci_conn_del(conn);
1219 }
1220 
create_le_conn_complete(struct hci_dev * hdev,void * data,int err)1221 static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
1222 {
1223 	struct hci_conn *conn = data;
1224 
1225 	hci_dev_lock(hdev);
1226 
1227 	if (!err) {
1228 		hci_connect_le_scan_cleanup(conn);
1229 		goto done;
1230 	}
1231 
1232 	bt_dev_err(hdev, "request failed to create LE connection: err %d", err);
1233 
1234 	/* Check if connection is still pending */
1235 	if (conn != hci_lookup_le_connect(hdev))
1236 		goto done;
1237 
1238 	hci_conn_failed(conn, bt_status(err));
1239 
1240 done:
1241 	hci_dev_unlock(hdev);
1242 }
1243 
hci_connect_le_sync(struct hci_dev * hdev,void * data)1244 static int hci_connect_le_sync(struct hci_dev *hdev, void *data)
1245 {
1246 	struct hci_conn *conn = data;
1247 
1248 	bt_dev_dbg(hdev, "conn %p", conn);
1249 
1250 	return hci_le_create_conn_sync(hdev, conn);
1251 }
1252 
hci_connect_le(struct hci_dev * hdev,bdaddr_t * dst,u8 dst_type,bool dst_resolved,u8 sec_level,u16 conn_timeout,u8 role)1253 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
1254 				u8 dst_type, bool dst_resolved, u8 sec_level,
1255 				u16 conn_timeout, u8 role)
1256 {
1257 	struct hci_conn *conn;
1258 	struct smp_irk *irk;
1259 	int err;
1260 
1261 	/* Let's make sure that le is enabled.*/
1262 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1263 		if (lmp_le_capable(hdev))
1264 			return ERR_PTR(-ECONNREFUSED);
1265 
1266 		return ERR_PTR(-EOPNOTSUPP);
1267 	}
1268 
1269 	/* Since the controller supports only one LE connection attempt at a
1270 	 * time, we return -EBUSY if there is any connection attempt running.
1271 	 */
1272 	if (hci_lookup_le_connect(hdev))
1273 		return ERR_PTR(-EBUSY);
1274 
1275 	/* If there's already a connection object but it's not in
1276 	 * scanning state it means it must already be established, in
1277 	 * which case we can't do anything else except report a failure
1278 	 * to connect.
1279 	 */
1280 	conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1281 	if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) {
1282 		return ERR_PTR(-EBUSY);
1283 	}
1284 
1285 	/* Check if the destination address has been resolved by the controller
1286 	 * since if it did then the identity address shall be used.
1287 	 */
1288 	if (!dst_resolved) {
1289 		/* When given an identity address with existing identity
1290 		 * resolving key, the connection needs to be established
1291 		 * to a resolvable random address.
1292 		 *
1293 		 * Storing the resolvable random address is required here
1294 		 * to handle connection failures. The address will later
1295 		 * be resolved back into the original identity address
1296 		 * from the connect request.
1297 		 */
1298 		irk = hci_find_irk_by_addr(hdev, dst, dst_type);
1299 		if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
1300 			dst = &irk->rpa;
1301 			dst_type = ADDR_LE_DEV_RANDOM;
1302 		}
1303 	}
1304 
1305 	if (conn) {
1306 		bacpy(&conn->dst, dst);
1307 	} else {
1308 		conn = hci_conn_add(hdev, LE_LINK, dst, role);
1309 		if (!conn)
1310 			return ERR_PTR(-ENOMEM);
1311 		hci_conn_hold(conn);
1312 		conn->pending_sec_level = sec_level;
1313 	}
1314 
1315 	conn->dst_type = dst_type;
1316 	conn->sec_level = BT_SECURITY_LOW;
1317 	conn->conn_timeout = conn_timeout;
1318 
1319 	conn->state = BT_CONNECT;
1320 	clear_bit(HCI_CONN_SCANNING, &conn->flags);
1321 
1322 	err = hci_cmd_sync_queue(hdev, hci_connect_le_sync, conn,
1323 				 create_le_conn_complete);
1324 	if (err) {
1325 		hci_conn_del(conn);
1326 		return ERR_PTR(err);
1327 	}
1328 
1329 	return conn;
1330 }
1331 
is_connected(struct hci_dev * hdev,bdaddr_t * addr,u8 type)1332 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
1333 {
1334 	struct hci_conn *conn;
1335 
1336 	conn = hci_conn_hash_lookup_le(hdev, addr, type);
1337 	if (!conn)
1338 		return false;
1339 
1340 	if (conn->state != BT_CONNECTED)
1341 		return false;
1342 
1343 	return true;
1344 }
1345 
1346 /* This function requires the caller holds hdev->lock */
hci_explicit_conn_params_set(struct hci_dev * hdev,bdaddr_t * addr,u8 addr_type)1347 static int hci_explicit_conn_params_set(struct hci_dev *hdev,
1348 					bdaddr_t *addr, u8 addr_type)
1349 {
1350 	struct hci_conn_params *params;
1351 
1352 	if (is_connected(hdev, addr, addr_type))
1353 		return -EISCONN;
1354 
1355 	params = hci_conn_params_lookup(hdev, addr, addr_type);
1356 	if (!params) {
1357 		params = hci_conn_params_add(hdev, addr, addr_type);
1358 		if (!params)
1359 			return -ENOMEM;
1360 
1361 		/* If we created new params, mark them to be deleted in
1362 		 * hci_connect_le_scan_cleanup. It's different case than
1363 		 * existing disabled params, those will stay after cleanup.
1364 		 */
1365 		params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
1366 	}
1367 
1368 	/* We're trying to connect, so make sure params are at pend_le_conns */
1369 	if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
1370 	    params->auto_connect == HCI_AUTO_CONN_REPORT ||
1371 	    params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
1372 		list_del_init(&params->action);
1373 		list_add(&params->action, &hdev->pend_le_conns);
1374 	}
1375 
1376 	params->explicit_connect = true;
1377 
1378 	BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
1379 	       params->auto_connect);
1380 
1381 	return 0;
1382 }
1383 
qos_set_big(struct hci_dev * hdev,struct bt_iso_qos * qos)1384 static int qos_set_big(struct hci_dev *hdev, struct bt_iso_qos *qos)
1385 {
1386 	struct iso_list_data data;
1387 
1388 	/* Allocate a BIG if not set */
1389 	if (qos->big == BT_ISO_QOS_BIG_UNSET) {
1390 		for (data.big = 0x00; data.big < 0xef; data.big++) {
1391 			data.count = 0;
1392 			data.bis = 0xff;
1393 
1394 			hci_conn_hash_list_state(hdev, bis_list, ISO_LINK,
1395 						 BT_BOUND, &data);
1396 			if (!data.count)
1397 				break;
1398 		}
1399 
1400 		if (data.big == 0xef)
1401 			return -EADDRNOTAVAIL;
1402 
1403 		/* Update BIG */
1404 		qos->big = data.big;
1405 	}
1406 
1407 	return 0;
1408 }
1409 
qos_set_bis(struct hci_dev * hdev,struct bt_iso_qos * qos)1410 static int qos_set_bis(struct hci_dev *hdev, struct bt_iso_qos *qos)
1411 {
1412 	struct iso_list_data data;
1413 
1414 	/* Allocate BIS if not set */
1415 	if (qos->bis == BT_ISO_QOS_BIS_UNSET) {
1416 		/* Find an unused adv set to advertise BIS, skip instance 0x00
1417 		 * since it is reserved as general purpose set.
1418 		 */
1419 		for (data.bis = 0x01; data.bis < hdev->le_num_of_adv_sets;
1420 		     data.bis++) {
1421 			data.count = 0;
1422 
1423 			hci_conn_hash_list_state(hdev, bis_list, ISO_LINK,
1424 						 BT_BOUND, &data);
1425 			if (!data.count)
1426 				break;
1427 		}
1428 
1429 		if (data.bis == hdev->le_num_of_adv_sets)
1430 			return -EADDRNOTAVAIL;
1431 
1432 		/* Update BIS */
1433 		qos->bis = data.bis;
1434 	}
1435 
1436 	return 0;
1437 }
1438 
1439 /* This function requires the caller holds hdev->lock */
hci_add_bis(struct hci_dev * hdev,bdaddr_t * dst,struct bt_iso_qos * qos)1440 static struct hci_conn *hci_add_bis(struct hci_dev *hdev, bdaddr_t *dst,
1441 				    struct bt_iso_qos *qos)
1442 {
1443 	struct hci_conn *conn;
1444 	struct iso_list_data data;
1445 	int err;
1446 
1447 	/* Let's make sure that le is enabled.*/
1448 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1449 		if (lmp_le_capable(hdev))
1450 			return ERR_PTR(-ECONNREFUSED);
1451 		return ERR_PTR(-EOPNOTSUPP);
1452 	}
1453 
1454 	err = qos_set_big(hdev, qos);
1455 	if (err)
1456 		return ERR_PTR(err);
1457 
1458 	err = qos_set_bis(hdev, qos);
1459 	if (err)
1460 		return ERR_PTR(err);
1461 
1462 	data.big = qos->big;
1463 	data.bis = qos->bis;
1464 	data.count = 0;
1465 
1466 	/* Check if there is already a matching BIG/BIS */
1467 	hci_conn_hash_list_state(hdev, bis_list, ISO_LINK, BT_BOUND, &data);
1468 	if (data.count)
1469 		return ERR_PTR(-EADDRINUSE);
1470 
1471 	conn = hci_conn_hash_lookup_bis(hdev, dst, qos->big, qos->bis);
1472 	if (conn)
1473 		return ERR_PTR(-EADDRINUSE);
1474 
1475 	conn = hci_conn_add(hdev, ISO_LINK, dst, HCI_ROLE_MASTER);
1476 	if (!conn)
1477 		return ERR_PTR(-ENOMEM);
1478 
1479 	set_bit(HCI_CONN_PER_ADV, &conn->flags);
1480 	conn->state = BT_CONNECT;
1481 
1482 	hci_conn_hold(conn);
1483 	return conn;
1484 }
1485 
1486 /* This function requires the caller holds hdev->lock */
hci_connect_le_scan(struct hci_dev * hdev,bdaddr_t * dst,u8 dst_type,u8 sec_level,u16 conn_timeout,enum conn_reasons conn_reason)1487 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
1488 				     u8 dst_type, u8 sec_level,
1489 				     u16 conn_timeout,
1490 				     enum conn_reasons conn_reason)
1491 {
1492 	struct hci_conn *conn;
1493 
1494 	/* Let's make sure that le is enabled.*/
1495 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1496 		if (lmp_le_capable(hdev))
1497 			return ERR_PTR(-ECONNREFUSED);
1498 
1499 		return ERR_PTR(-EOPNOTSUPP);
1500 	}
1501 
1502 	/* Some devices send ATT messages as soon as the physical link is
1503 	 * established. To be able to handle these ATT messages, the user-
1504 	 * space first establishes the connection and then starts the pairing
1505 	 * process.
1506 	 *
1507 	 * So if a hci_conn object already exists for the following connection
1508 	 * attempt, we simply update pending_sec_level and auth_type fields
1509 	 * and return the object found.
1510 	 */
1511 	conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1512 	if (conn) {
1513 		if (conn->pending_sec_level < sec_level)
1514 			conn->pending_sec_level = sec_level;
1515 		goto done;
1516 	}
1517 
1518 	BT_DBG("requesting refresh of dst_addr");
1519 
1520 	conn = hci_conn_add(hdev, LE_LINK, dst, HCI_ROLE_MASTER);
1521 	if (!conn)
1522 		return ERR_PTR(-ENOMEM);
1523 
1524 	if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) {
1525 		hci_conn_del(conn);
1526 		return ERR_PTR(-EBUSY);
1527 	}
1528 
1529 	conn->state = BT_CONNECT;
1530 	set_bit(HCI_CONN_SCANNING, &conn->flags);
1531 	conn->dst_type = dst_type;
1532 	conn->sec_level = BT_SECURITY_LOW;
1533 	conn->pending_sec_level = sec_level;
1534 	conn->conn_timeout = conn_timeout;
1535 	conn->conn_reason = conn_reason;
1536 
1537 	hci_update_passive_scan(hdev);
1538 
1539 done:
1540 	hci_conn_hold(conn);
1541 	return conn;
1542 }
1543 
hci_connect_acl(struct hci_dev * hdev,bdaddr_t * dst,u8 sec_level,u8 auth_type,enum conn_reasons conn_reason)1544 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
1545 				 u8 sec_level, u8 auth_type,
1546 				 enum conn_reasons conn_reason)
1547 {
1548 	struct hci_conn *acl;
1549 
1550 	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1551 		if (lmp_bredr_capable(hdev))
1552 			return ERR_PTR(-ECONNREFUSED);
1553 
1554 		return ERR_PTR(-EOPNOTSUPP);
1555 	}
1556 
1557 	acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
1558 	if (!acl) {
1559 		acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
1560 		if (!acl)
1561 			return ERR_PTR(-ENOMEM);
1562 	}
1563 
1564 	hci_conn_hold(acl);
1565 
1566 	acl->conn_reason = conn_reason;
1567 	if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
1568 		acl->sec_level = BT_SECURITY_LOW;
1569 		acl->pending_sec_level = sec_level;
1570 		acl->auth_type = auth_type;
1571 		hci_acl_create_connection(acl);
1572 	}
1573 
1574 	return acl;
1575 }
1576 
hci_connect_sco(struct hci_dev * hdev,int type,bdaddr_t * dst,__u16 setting,struct bt_codec * codec)1577 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
1578 				 __u16 setting, struct bt_codec *codec)
1579 {
1580 	struct hci_conn *acl;
1581 	struct hci_conn *sco;
1582 
1583 	acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING,
1584 			      CONN_REASON_SCO_CONNECT);
1585 	if (IS_ERR(acl))
1586 		return acl;
1587 
1588 	sco = hci_conn_hash_lookup_ba(hdev, type, dst);
1589 	if (!sco) {
1590 		sco = hci_conn_add(hdev, type, dst, HCI_ROLE_MASTER);
1591 		if (!sco) {
1592 			hci_conn_drop(acl);
1593 			return ERR_PTR(-ENOMEM);
1594 		}
1595 	}
1596 
1597 	acl->link = sco;
1598 	sco->link = acl;
1599 
1600 	hci_conn_hold(sco);
1601 
1602 	sco->setting = setting;
1603 	sco->codec = *codec;
1604 
1605 	if (acl->state == BT_CONNECTED &&
1606 	    (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
1607 		set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
1608 		hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
1609 
1610 		if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
1611 			/* defer SCO setup until mode change completed */
1612 			set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
1613 			return sco;
1614 		}
1615 
1616 		hci_sco_setup(acl, 0x00);
1617 	}
1618 
1619 	return sco;
1620 }
1621 
cis_add(struct iso_list_data * d,struct bt_iso_qos * qos)1622 static void cis_add(struct iso_list_data *d, struct bt_iso_qos *qos)
1623 {
1624 	struct hci_cis_params *cis = &d->pdu.cis[d->pdu.cp.num_cis];
1625 
1626 	cis->cis_id = qos->cis;
1627 	cis->c_sdu  = cpu_to_le16(qos->out.sdu);
1628 	cis->p_sdu  = cpu_to_le16(qos->in.sdu);
1629 	cis->c_phy  = qos->out.phy ? qos->out.phy : qos->in.phy;
1630 	cis->p_phy  = qos->in.phy ? qos->in.phy : qos->out.phy;
1631 	cis->c_rtn  = qos->out.rtn;
1632 	cis->p_rtn  = qos->in.rtn;
1633 
1634 	d->pdu.cp.num_cis++;
1635 }
1636 
cis_list(struct hci_conn * conn,void * data)1637 static void cis_list(struct hci_conn *conn, void *data)
1638 {
1639 	struct iso_list_data *d = data;
1640 
1641 	/* Skip if broadcast/ANY address */
1642 	if (!bacmp(&conn->dst, BDADDR_ANY))
1643 		return;
1644 
1645 	if (d->cig != conn->iso_qos.cig || d->cis == BT_ISO_QOS_CIS_UNSET ||
1646 	    d->cis != conn->iso_qos.cis)
1647 		return;
1648 
1649 	d->count++;
1650 
1651 	if (d->pdu.cp.cig_id == BT_ISO_QOS_CIG_UNSET ||
1652 	    d->count >= ARRAY_SIZE(d->pdu.cis))
1653 		return;
1654 
1655 	cis_add(d, &conn->iso_qos);
1656 }
1657 
hci_le_create_big(struct hci_conn * conn,struct bt_iso_qos * qos)1658 static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos)
1659 {
1660 	struct hci_dev *hdev = conn->hdev;
1661 	struct hci_cp_le_create_big cp;
1662 
1663 	memset(&cp, 0, sizeof(cp));
1664 
1665 	cp.handle = qos->big;
1666 	cp.adv_handle = qos->bis;
1667 	cp.num_bis  = 0x01;
1668 	hci_cpu_to_le24(qos->out.interval, cp.bis.sdu_interval);
1669 	cp.bis.sdu = cpu_to_le16(qos->out.sdu);
1670 	cp.bis.latency =  cpu_to_le16(qos->out.latency);
1671 	cp.bis.rtn  = qos->out.rtn;
1672 	cp.bis.phy  = qos->out.phy;
1673 	cp.bis.packing = qos->packing;
1674 	cp.bis.framing = qos->framing;
1675 	cp.bis.encryption = 0x00;
1676 	memset(&cp.bis.bcode, 0, sizeof(cp.bis.bcode));
1677 
1678 	return hci_send_cmd(hdev, HCI_OP_LE_CREATE_BIG, sizeof(cp), &cp);
1679 }
1680 
hci_le_set_cig_params(struct hci_conn * conn,struct bt_iso_qos * qos)1681 static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos)
1682 {
1683 	struct hci_dev *hdev = conn->hdev;
1684 	struct iso_list_data data;
1685 
1686 	memset(&data, 0, sizeof(data));
1687 
1688 	/* Allocate a CIG if not set */
1689 	if (qos->cig == BT_ISO_QOS_CIG_UNSET) {
1690 		for (data.cig = 0x00; data.cig < 0xff; data.cig++) {
1691 			data.count = 0;
1692 			data.cis = 0xff;
1693 
1694 			hci_conn_hash_list_state(hdev, cis_list, ISO_LINK,
1695 						 BT_BOUND, &data);
1696 			if (data.count)
1697 				continue;
1698 
1699 			hci_conn_hash_list_state(hdev, cis_list, ISO_LINK,
1700 						 BT_CONNECTED, &data);
1701 			if (!data.count)
1702 				break;
1703 		}
1704 
1705 		if (data.cig == 0xff)
1706 			return false;
1707 
1708 		/* Update CIG */
1709 		qos->cig = data.cig;
1710 	}
1711 
1712 	data.pdu.cp.cig_id = qos->cig;
1713 	hci_cpu_to_le24(qos->out.interval, data.pdu.cp.c_interval);
1714 	hci_cpu_to_le24(qos->in.interval, data.pdu.cp.p_interval);
1715 	data.pdu.cp.sca = qos->sca;
1716 	data.pdu.cp.packing = qos->packing;
1717 	data.pdu.cp.framing = qos->framing;
1718 	data.pdu.cp.c_latency = cpu_to_le16(qos->out.latency);
1719 	data.pdu.cp.p_latency = cpu_to_le16(qos->in.latency);
1720 
1721 	if (qos->cis != BT_ISO_QOS_CIS_UNSET) {
1722 		data.count = 0;
1723 		data.cig = qos->cig;
1724 		data.cis = qos->cis;
1725 
1726 		hci_conn_hash_list_state(hdev, cis_list, ISO_LINK, BT_BOUND,
1727 					 &data);
1728 		if (data.count)
1729 			return false;
1730 
1731 		cis_add(&data, qos);
1732 	}
1733 
1734 	/* Reprogram all CIS(s) with the same CIG */
1735 	for (data.cig = qos->cig, data.cis = 0x00; data.cis < 0x11;
1736 	     data.cis++) {
1737 		data.count = 0;
1738 
1739 		hci_conn_hash_list_state(hdev, cis_list, ISO_LINK, BT_BOUND,
1740 					 &data);
1741 		if (data.count)
1742 			continue;
1743 
1744 		/* Allocate a CIS if not set */
1745 		if (qos->cis == BT_ISO_QOS_CIS_UNSET) {
1746 			/* Update CIS */
1747 			qos->cis = data.cis;
1748 			cis_add(&data, qos);
1749 		}
1750 	}
1751 
1752 	if (qos->cis == BT_ISO_QOS_CIS_UNSET || !data.pdu.cp.num_cis)
1753 		return false;
1754 
1755 	if (hci_send_cmd(hdev, HCI_OP_LE_SET_CIG_PARAMS,
1756 			 sizeof(data.pdu.cp) +
1757 			 (data.pdu.cp.num_cis * sizeof(*data.pdu.cis)),
1758 			 &data.pdu) < 0)
1759 		return false;
1760 
1761 	return true;
1762 }
1763 
hci_bind_cis(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,struct bt_iso_qos * qos)1764 struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst,
1765 			      __u8 dst_type, struct bt_iso_qos *qos)
1766 {
1767 	struct hci_conn *cis;
1768 
1769 	cis = hci_conn_hash_lookup_cis(hdev, dst, dst_type);
1770 	if (!cis) {
1771 		cis = hci_conn_add(hdev, ISO_LINK, dst, HCI_ROLE_MASTER);
1772 		if (!cis)
1773 			return ERR_PTR(-ENOMEM);
1774 		cis->cleanup = cis_cleanup;
1775 		cis->dst_type = dst_type;
1776 	}
1777 
1778 	if (cis->state == BT_CONNECTED)
1779 		return cis;
1780 
1781 	/* Check if CIS has been set and the settings matches */
1782 	if (cis->state == BT_BOUND &&
1783 	    !memcmp(&cis->iso_qos, qos, sizeof(*qos)))
1784 		return cis;
1785 
1786 	/* Update LINK PHYs according to QoS preference */
1787 	cis->le_tx_phy = qos->out.phy;
1788 	cis->le_rx_phy = qos->in.phy;
1789 
1790 	/* If output interval is not set use the input interval as it cannot be
1791 	 * 0x000000.
1792 	 */
1793 	if (!qos->out.interval)
1794 		qos->out.interval = qos->in.interval;
1795 
1796 	/* If input interval is not set use the output interval as it cannot be
1797 	 * 0x000000.
1798 	 */
1799 	if (!qos->in.interval)
1800 		qos->in.interval = qos->out.interval;
1801 
1802 	/* If output latency is not set use the input latency as it cannot be
1803 	 * 0x0000.
1804 	 */
1805 	if (!qos->out.latency)
1806 		qos->out.latency = qos->in.latency;
1807 
1808 	/* If input latency is not set use the output latency as it cannot be
1809 	 * 0x0000.
1810 	 */
1811 	if (!qos->in.latency)
1812 		qos->in.latency = qos->out.latency;
1813 
1814 	if (!hci_le_set_cig_params(cis, qos)) {
1815 		hci_conn_drop(cis);
1816 		return ERR_PTR(-EINVAL);
1817 	}
1818 
1819 	cis->iso_qos = *qos;
1820 	cis->state = BT_BOUND;
1821 
1822 	return cis;
1823 }
1824 
hci_iso_setup_path(struct hci_conn * conn)1825 bool hci_iso_setup_path(struct hci_conn *conn)
1826 {
1827 	struct hci_dev *hdev = conn->hdev;
1828 	struct hci_cp_le_setup_iso_path cmd;
1829 
1830 	memset(&cmd, 0, sizeof(cmd));
1831 
1832 	if (conn->iso_qos.out.sdu) {
1833 		cmd.handle = cpu_to_le16(conn->handle);
1834 		cmd.direction = 0x00; /* Input (Host to Controller) */
1835 		cmd.path = 0x00; /* HCI path if enabled */
1836 		cmd.codec = 0x03; /* Transparent Data */
1837 
1838 		if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
1839 				 &cmd) < 0)
1840 			return false;
1841 	}
1842 
1843 	if (conn->iso_qos.in.sdu) {
1844 		cmd.handle = cpu_to_le16(conn->handle);
1845 		cmd.direction = 0x01; /* Output (Controller to Host) */
1846 		cmd.path = 0x00; /* HCI path if enabled */
1847 		cmd.codec = 0x03; /* Transparent Data */
1848 
1849 		if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
1850 				 &cmd) < 0)
1851 			return false;
1852 	}
1853 
1854 	return true;
1855 }
1856 
hci_create_cis_sync(struct hci_dev * hdev,void * data)1857 static int hci_create_cis_sync(struct hci_dev *hdev, void *data)
1858 {
1859 	struct {
1860 		struct hci_cp_le_create_cis cp;
1861 		struct hci_cis cis[0x1f];
1862 	} cmd;
1863 	struct hci_conn *conn = data;
1864 	u8 cig;
1865 
1866 	memset(&cmd, 0, sizeof(cmd));
1867 	cmd.cis[0].acl_handle = cpu_to_le16(conn->link->handle);
1868 	cmd.cis[0].cis_handle = cpu_to_le16(conn->handle);
1869 	cmd.cp.num_cis++;
1870 	cig = conn->iso_qos.cig;
1871 
1872 	hci_dev_lock(hdev);
1873 
1874 	rcu_read_lock();
1875 
1876 	list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
1877 		struct hci_cis *cis = &cmd.cis[cmd.cp.num_cis];
1878 
1879 		if (conn == data || conn->type != ISO_LINK ||
1880 		    conn->state == BT_CONNECTED || conn->iso_qos.cig != cig)
1881 			continue;
1882 
1883 		/* Check if all CIS(s) belonging to a CIG are ready */
1884 		if (conn->link->state != BT_CONNECTED ||
1885 		    conn->state != BT_CONNECT) {
1886 			cmd.cp.num_cis = 0;
1887 			break;
1888 		}
1889 
1890 		/* Group all CIS with state BT_CONNECT since the spec don't
1891 		 * allow to send them individually:
1892 		 *
1893 		 * BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E
1894 		 * page 2566:
1895 		 *
1896 		 * If the Host issues this command before all the
1897 		 * HCI_LE_CIS_Established events from the previous use of the
1898 		 * command have been generated, the Controller shall return the
1899 		 * error code Command Disallowed (0x0C).
1900 		 */
1901 		cis->acl_handle = cpu_to_le16(conn->link->handle);
1902 		cis->cis_handle = cpu_to_le16(conn->handle);
1903 		cmd.cp.num_cis++;
1904 	}
1905 
1906 	rcu_read_unlock();
1907 
1908 	hci_dev_unlock(hdev);
1909 
1910 	if (!cmd.cp.num_cis)
1911 		return 0;
1912 
1913 	return hci_send_cmd(hdev, HCI_OP_LE_CREATE_CIS, sizeof(cmd.cp) +
1914 			    sizeof(cmd.cis[0]) * cmd.cp.num_cis, &cmd);
1915 }
1916 
hci_le_create_cis(struct hci_conn * conn)1917 int hci_le_create_cis(struct hci_conn *conn)
1918 {
1919 	struct hci_conn *cis;
1920 	struct hci_dev *hdev = conn->hdev;
1921 	int err;
1922 
1923 	switch (conn->type) {
1924 	case LE_LINK:
1925 		if (!conn->link || conn->state != BT_CONNECTED)
1926 			return -EINVAL;
1927 		cis = conn->link;
1928 		break;
1929 	case ISO_LINK:
1930 		cis = conn;
1931 		break;
1932 	default:
1933 		return -EINVAL;
1934 	}
1935 
1936 	if (cis->state == BT_CONNECT)
1937 		return 0;
1938 
1939 	/* Queue Create CIS */
1940 	err = hci_cmd_sync_queue(hdev, hci_create_cis_sync, cis, NULL);
1941 	if (err)
1942 		return err;
1943 
1944 	cis->state = BT_CONNECT;
1945 
1946 	return 0;
1947 }
1948 
hci_iso_qos_setup(struct hci_dev * hdev,struct hci_conn * conn,struct bt_iso_io_qos * qos,__u8 phy)1949 static void hci_iso_qos_setup(struct hci_dev *hdev, struct hci_conn *conn,
1950 			      struct bt_iso_io_qos *qos, __u8 phy)
1951 {
1952 	/* Only set MTU if PHY is enabled */
1953 	if (!qos->sdu && qos->phy) {
1954 		if (hdev->iso_mtu > 0)
1955 			qos->sdu = hdev->iso_mtu;
1956 		else if (hdev->le_mtu > 0)
1957 			qos->sdu = hdev->le_mtu;
1958 		else
1959 			qos->sdu = hdev->acl_mtu;
1960 	}
1961 
1962 	/* Use the same PHY as ACL if set to any */
1963 	if (qos->phy == BT_ISO_PHY_ANY)
1964 		qos->phy = phy;
1965 
1966 	/* Use LE ACL connection interval if not set */
1967 	if (!qos->interval)
1968 		/* ACL interval unit in 1.25 ms to us */
1969 		qos->interval = conn->le_conn_interval * 1250;
1970 
1971 	/* Use LE ACL connection latency if not set */
1972 	if (!qos->latency)
1973 		qos->latency = conn->le_conn_latency;
1974 }
1975 
hci_bind_bis(struct hci_conn * conn,struct bt_iso_qos * qos)1976 static struct hci_conn *hci_bind_bis(struct hci_conn *conn,
1977 				     struct bt_iso_qos *qos)
1978 {
1979 	/* Update LINK PHYs according to QoS preference */
1980 	conn->le_tx_phy = qos->out.phy;
1981 	conn->le_tx_phy = qos->out.phy;
1982 	conn->iso_qos = *qos;
1983 	conn->state = BT_BOUND;
1984 
1985 	return conn;
1986 }
1987 
create_big_sync(struct hci_dev * hdev,void * data)1988 static int create_big_sync(struct hci_dev *hdev, void *data)
1989 {
1990 	struct hci_conn *conn = data;
1991 	struct bt_iso_qos *qos = &conn->iso_qos;
1992 	u16 interval, sync_interval = 0;
1993 	u32 flags = 0;
1994 	int err;
1995 
1996 	if (qos->out.phy == 0x02)
1997 		flags |= MGMT_ADV_FLAG_SEC_2M;
1998 
1999 	/* Align intervals */
2000 	interval = qos->out.interval / 1250;
2001 
2002 	if (qos->bis)
2003 		sync_interval = qos->sync_interval * 1600;
2004 
2005 	err = hci_start_per_adv_sync(hdev, qos->bis, conn->le_per_adv_data_len,
2006 				     conn->le_per_adv_data, flags, interval,
2007 				     interval, sync_interval);
2008 	if (err)
2009 		return err;
2010 
2011 	return hci_le_create_big(conn, &conn->iso_qos);
2012 }
2013 
create_pa_complete(struct hci_dev * hdev,void * data,int err)2014 static void create_pa_complete(struct hci_dev *hdev, void *data, int err)
2015 {
2016 	struct hci_cp_le_pa_create_sync *cp = data;
2017 
2018 	bt_dev_dbg(hdev, "");
2019 
2020 	if (err)
2021 		bt_dev_err(hdev, "Unable to create PA: %d", err);
2022 
2023 	kfree(cp);
2024 }
2025 
create_pa_sync(struct hci_dev * hdev,void * data)2026 static int create_pa_sync(struct hci_dev *hdev, void *data)
2027 {
2028 	struct hci_cp_le_pa_create_sync *cp = data;
2029 	int err;
2030 
2031 	err = __hci_cmd_sync_status(hdev, HCI_OP_LE_PA_CREATE_SYNC,
2032 				    sizeof(*cp), cp, HCI_CMD_TIMEOUT);
2033 	if (err) {
2034 		hci_dev_clear_flag(hdev, HCI_PA_SYNC);
2035 		return err;
2036 	}
2037 
2038 	return hci_update_passive_scan_sync(hdev);
2039 }
2040 
hci_pa_create_sync(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,__u8 sid)2041 int hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst, __u8 dst_type,
2042 		       __u8 sid)
2043 {
2044 	struct hci_cp_le_pa_create_sync *cp;
2045 
2046 	if (hci_dev_test_and_set_flag(hdev, HCI_PA_SYNC))
2047 		return -EBUSY;
2048 
2049 	cp = kmalloc(sizeof(*cp), GFP_KERNEL);
2050 	if (!cp) {
2051 		hci_dev_clear_flag(hdev, HCI_PA_SYNC);
2052 		return -ENOMEM;
2053 	}
2054 
2055 	/* Convert from ISO socket address type to HCI address type  */
2056 	if (dst_type == BDADDR_LE_PUBLIC)
2057 		dst_type = ADDR_LE_DEV_PUBLIC;
2058 	else
2059 		dst_type = ADDR_LE_DEV_RANDOM;
2060 
2061 	memset(cp, 0, sizeof(*cp));
2062 	cp->sid = sid;
2063 	cp->addr_type = dst_type;
2064 	bacpy(&cp->addr, dst);
2065 
2066 	/* Queue start pa_create_sync and scan */
2067 	return hci_cmd_sync_queue(hdev, create_pa_sync, cp, create_pa_complete);
2068 }
2069 
hci_le_big_create_sync(struct hci_dev * hdev,struct bt_iso_qos * qos,__u16 sync_handle,__u8 num_bis,__u8 bis[])2070 int hci_le_big_create_sync(struct hci_dev *hdev, struct bt_iso_qos *qos,
2071 			   __u16 sync_handle, __u8 num_bis, __u8 bis[])
2072 {
2073 	struct _packed {
2074 		struct hci_cp_le_big_create_sync cp;
2075 		__u8  bis[0x11];
2076 	} pdu;
2077 	int err;
2078 
2079 	if (num_bis > sizeof(pdu.bis))
2080 		return -EINVAL;
2081 
2082 	err = qos_set_big(hdev, qos);
2083 	if (err)
2084 		return err;
2085 
2086 	memset(&pdu, 0, sizeof(pdu));
2087 	pdu.cp.handle = qos->big;
2088 	pdu.cp.sync_handle = cpu_to_le16(sync_handle);
2089 	pdu.cp.num_bis = num_bis;
2090 	memcpy(pdu.bis, bis, num_bis);
2091 
2092 	return hci_send_cmd(hdev, HCI_OP_LE_BIG_CREATE_SYNC,
2093 			    sizeof(pdu.cp) + num_bis, &pdu);
2094 }
2095 
create_big_complete(struct hci_dev * hdev,void * data,int err)2096 static void create_big_complete(struct hci_dev *hdev, void *data, int err)
2097 {
2098 	struct hci_conn *conn = data;
2099 
2100 	bt_dev_dbg(hdev, "conn %p", conn);
2101 
2102 	if (err) {
2103 		bt_dev_err(hdev, "Unable to create BIG: %d", err);
2104 		hci_connect_cfm(conn, err);
2105 		hci_conn_del(conn);
2106 	}
2107 }
2108 
hci_connect_bis(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,struct bt_iso_qos * qos,__u8 base_len,__u8 * base)2109 struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst,
2110 				 __u8 dst_type, struct bt_iso_qos *qos,
2111 				 __u8 base_len, __u8 *base)
2112 {
2113 	struct hci_conn *conn;
2114 	int err;
2115 
2116 	/* We need hci_conn object using the BDADDR_ANY as dst */
2117 	conn = hci_add_bis(hdev, dst, qos);
2118 	if (IS_ERR(conn))
2119 		return conn;
2120 
2121 	conn = hci_bind_bis(conn, qos);
2122 	if (!conn) {
2123 		hci_conn_drop(conn);
2124 		return ERR_PTR(-ENOMEM);
2125 	}
2126 
2127 	/* Add Basic Announcement into Peridic Adv Data if BASE is set */
2128 	if (base_len && base) {
2129 		base_len = eir_append_service_data(conn->le_per_adv_data, 0,
2130 						   0x1851, base, base_len);
2131 		conn->le_per_adv_data_len = base_len;
2132 	}
2133 
2134 	/* Queue start periodic advertising and create BIG */
2135 	err = hci_cmd_sync_queue(hdev, create_big_sync, conn,
2136 				 create_big_complete);
2137 	if (err < 0) {
2138 		hci_conn_drop(conn);
2139 		return ERR_PTR(err);
2140 	}
2141 
2142 	hci_iso_qos_setup(hdev, conn, &qos->out,
2143 			  conn->le_tx_phy ? conn->le_tx_phy :
2144 			  hdev->le_tx_def_phys);
2145 
2146 	return conn;
2147 }
2148 
hci_connect_cis(struct hci_dev * hdev,bdaddr_t * dst,__u8 dst_type,struct bt_iso_qos * qos)2149 struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst,
2150 				 __u8 dst_type, struct bt_iso_qos *qos)
2151 {
2152 	struct hci_conn *le;
2153 	struct hci_conn *cis;
2154 
2155 	if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
2156 		le = hci_connect_le(hdev, dst, dst_type, false,
2157 				    BT_SECURITY_LOW,
2158 				    HCI_LE_CONN_TIMEOUT,
2159 				    HCI_ROLE_SLAVE);
2160 	else
2161 		le = hci_connect_le_scan(hdev, dst, dst_type,
2162 					 BT_SECURITY_LOW,
2163 					 HCI_LE_CONN_TIMEOUT,
2164 					 CONN_REASON_ISO_CONNECT);
2165 	if (IS_ERR(le))
2166 		return le;
2167 
2168 	hci_iso_qos_setup(hdev, le, &qos->out,
2169 			  le->le_tx_phy ? le->le_tx_phy : hdev->le_tx_def_phys);
2170 	hci_iso_qos_setup(hdev, le, &qos->in,
2171 			  le->le_rx_phy ? le->le_rx_phy : hdev->le_rx_def_phys);
2172 
2173 	cis = hci_bind_cis(hdev, dst, dst_type, qos);
2174 	if (IS_ERR(cis)) {
2175 		hci_conn_drop(le);
2176 		return cis;
2177 	}
2178 
2179 	le->link = cis;
2180 	cis->link = le;
2181 
2182 	hci_conn_hold(cis);
2183 
2184 	/* If LE is already connected and CIS handle is already set proceed to
2185 	 * Create CIS immediately.
2186 	 */
2187 	if (le->state == BT_CONNECTED && cis->handle != HCI_CONN_HANDLE_UNSET)
2188 		hci_le_create_cis(le);
2189 
2190 	return cis;
2191 }
2192 
2193 /* Check link security requirement */
hci_conn_check_link_mode(struct hci_conn * conn)2194 int hci_conn_check_link_mode(struct hci_conn *conn)
2195 {
2196 	BT_DBG("hcon %p", conn);
2197 
2198 	/* In Secure Connections Only mode, it is required that Secure
2199 	 * Connections is used and the link is encrypted with AES-CCM
2200 	 * using a P-256 authenticated combination key.
2201 	 */
2202 	if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) {
2203 		if (!hci_conn_sc_enabled(conn) ||
2204 		    !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2205 		    conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
2206 			return 0;
2207 	}
2208 
2209 	 /* AES encryption is required for Level 4:
2210 	  *
2211 	  * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C
2212 	  * page 1319:
2213 	  *
2214 	  * 128-bit equivalent strength for link and encryption keys
2215 	  * required using FIPS approved algorithms (E0 not allowed,
2216 	  * SAFER+ not allowed, and P-192 not allowed; encryption key
2217 	  * not shortened)
2218 	  */
2219 	if (conn->sec_level == BT_SECURITY_FIPS &&
2220 	    !test_bit(HCI_CONN_AES_CCM, &conn->flags)) {
2221 		bt_dev_err(conn->hdev,
2222 			   "Invalid security: Missing AES-CCM usage");
2223 		return 0;
2224 	}
2225 
2226 	if (hci_conn_ssp_enabled(conn) &&
2227 	    !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2228 		return 0;
2229 
2230 	return 1;
2231 }
2232 
2233 /* Authenticate remote device */
hci_conn_auth(struct hci_conn * conn,__u8 sec_level,__u8 auth_type)2234 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
2235 {
2236 	BT_DBG("hcon %p", conn);
2237 
2238 	if (conn->pending_sec_level > sec_level)
2239 		sec_level = conn->pending_sec_level;
2240 
2241 	if (sec_level > conn->sec_level)
2242 		conn->pending_sec_level = sec_level;
2243 	else if (test_bit(HCI_CONN_AUTH, &conn->flags))
2244 		return 1;
2245 
2246 	/* Make sure we preserve an existing MITM requirement*/
2247 	auth_type |= (conn->auth_type & 0x01);
2248 
2249 	conn->auth_type = auth_type;
2250 
2251 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2252 		struct hci_cp_auth_requested cp;
2253 
2254 		cp.handle = cpu_to_le16(conn->handle);
2255 		hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
2256 			     sizeof(cp), &cp);
2257 
2258 		/* If we're already encrypted set the REAUTH_PEND flag,
2259 		 * otherwise set the ENCRYPT_PEND.
2260 		 */
2261 		if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2262 			set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2263 		else
2264 			set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2265 	}
2266 
2267 	return 0;
2268 }
2269 
2270 /* Encrypt the link */
hci_conn_encrypt(struct hci_conn * conn)2271 static void hci_conn_encrypt(struct hci_conn *conn)
2272 {
2273 	BT_DBG("hcon %p", conn);
2274 
2275 	if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2276 		struct hci_cp_set_conn_encrypt cp;
2277 		cp.handle  = cpu_to_le16(conn->handle);
2278 		cp.encrypt = 0x01;
2279 		hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2280 			     &cp);
2281 	}
2282 }
2283 
2284 /* Enable security */
hci_conn_security(struct hci_conn * conn,__u8 sec_level,__u8 auth_type,bool initiator)2285 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
2286 		      bool initiator)
2287 {
2288 	BT_DBG("hcon %p", conn);
2289 
2290 	if (conn->type == LE_LINK)
2291 		return smp_conn_security(conn, sec_level);
2292 
2293 	/* For sdp we don't need the link key. */
2294 	if (sec_level == BT_SECURITY_SDP)
2295 		return 1;
2296 
2297 	/* For non 2.1 devices and low security level we don't need the link
2298 	   key. */
2299 	if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
2300 		return 1;
2301 
2302 	/* For other security levels we need the link key. */
2303 	if (!test_bit(HCI_CONN_AUTH, &conn->flags))
2304 		goto auth;
2305 
2306 	/* An authenticated FIPS approved combination key has sufficient
2307 	 * security for security level 4. */
2308 	if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 &&
2309 	    sec_level == BT_SECURITY_FIPS)
2310 		goto encrypt;
2311 
2312 	/* An authenticated combination key has sufficient security for
2313 	   security level 3. */
2314 	if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 ||
2315 	     conn->key_type == HCI_LK_AUTH_COMBINATION_P256) &&
2316 	    sec_level == BT_SECURITY_HIGH)
2317 		goto encrypt;
2318 
2319 	/* An unauthenticated combination key has sufficient security for
2320 	   security level 1 and 2. */
2321 	if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 ||
2322 	     conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) &&
2323 	    (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW))
2324 		goto encrypt;
2325 
2326 	/* A combination key has always sufficient security for the security
2327 	   levels 1 or 2. High security level requires the combination key
2328 	   is generated using maximum PIN code length (16).
2329 	   For pre 2.1 units. */
2330 	if (conn->key_type == HCI_LK_COMBINATION &&
2331 	    (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW ||
2332 	     conn->pin_length == 16))
2333 		goto encrypt;
2334 
2335 auth:
2336 	if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
2337 		return 0;
2338 
2339 	if (initiator)
2340 		set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2341 
2342 	if (!hci_conn_auth(conn, sec_level, auth_type))
2343 		return 0;
2344 
2345 encrypt:
2346 	if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) {
2347 		/* Ensure that the encryption key size has been read,
2348 		 * otherwise stall the upper layer responses.
2349 		 */
2350 		if (!conn->enc_key_size)
2351 			return 0;
2352 
2353 		/* Nothing else needed, all requirements are met */
2354 		return 1;
2355 	}
2356 
2357 	hci_conn_encrypt(conn);
2358 	return 0;
2359 }
2360 EXPORT_SYMBOL(hci_conn_security);
2361 
2362 /* Check secure link requirement */
hci_conn_check_secure(struct hci_conn * conn,__u8 sec_level)2363 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
2364 {
2365 	BT_DBG("hcon %p", conn);
2366 
2367 	/* Accept if non-secure or higher security level is required */
2368 	if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
2369 		return 1;
2370 
2371 	/* Accept if secure or higher security level is already present */
2372 	if (conn->sec_level == BT_SECURITY_HIGH ||
2373 	    conn->sec_level == BT_SECURITY_FIPS)
2374 		return 1;
2375 
2376 	/* Reject not secure link */
2377 	return 0;
2378 }
2379 EXPORT_SYMBOL(hci_conn_check_secure);
2380 
2381 /* Switch role */
hci_conn_switch_role(struct hci_conn * conn,__u8 role)2382 int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
2383 {
2384 	BT_DBG("hcon %p", conn);
2385 
2386 	if (role == conn->role)
2387 		return 1;
2388 
2389 	if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
2390 		struct hci_cp_switch_role cp;
2391 		bacpy(&cp.bdaddr, &conn->dst);
2392 		cp.role = role;
2393 		hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
2394 	}
2395 
2396 	return 0;
2397 }
2398 EXPORT_SYMBOL(hci_conn_switch_role);
2399 
2400 /* Enter active mode */
hci_conn_enter_active_mode(struct hci_conn * conn,__u8 force_active)2401 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
2402 {
2403 	struct hci_dev *hdev = conn->hdev;
2404 
2405 	BT_DBG("hcon %p mode %d", conn, conn->mode);
2406 
2407 	if (conn->mode != HCI_CM_SNIFF)
2408 		goto timer;
2409 
2410 	if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
2411 		goto timer;
2412 
2413 	if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
2414 		struct hci_cp_exit_sniff_mode cp;
2415 		cp.handle = cpu_to_le16(conn->handle);
2416 		hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
2417 	}
2418 
2419 timer:
2420 	if (hdev->idle_timeout > 0)
2421 		queue_delayed_work(hdev->workqueue, &conn->idle_work,
2422 				   msecs_to_jiffies(hdev->idle_timeout));
2423 }
2424 
2425 /* Drop all connection on the device */
hci_conn_hash_flush(struct hci_dev * hdev)2426 void hci_conn_hash_flush(struct hci_dev *hdev)
2427 {
2428 	struct hci_conn_hash *h = &hdev->conn_hash;
2429 	struct hci_conn *c, *n;
2430 
2431 	BT_DBG("hdev %s", hdev->name);
2432 
2433 	list_for_each_entry_safe(c, n, &h->list, list) {
2434 		c->state = BT_CLOSED;
2435 
2436 		hci_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM);
2437 		hci_conn_del(c);
2438 	}
2439 }
2440 
2441 /* Check pending connect attempts */
hci_conn_check_pending(struct hci_dev * hdev)2442 void hci_conn_check_pending(struct hci_dev *hdev)
2443 {
2444 	struct hci_conn *conn;
2445 
2446 	BT_DBG("hdev %s", hdev->name);
2447 
2448 	hci_dev_lock(hdev);
2449 
2450 	conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2);
2451 	if (conn)
2452 		hci_acl_create_connection(conn);
2453 
2454 	hci_dev_unlock(hdev);
2455 }
2456 
get_link_mode(struct hci_conn * conn)2457 static u32 get_link_mode(struct hci_conn *conn)
2458 {
2459 	u32 link_mode = 0;
2460 
2461 	if (conn->role == HCI_ROLE_MASTER)
2462 		link_mode |= HCI_LM_MASTER;
2463 
2464 	if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2465 		link_mode |= HCI_LM_ENCRYPT;
2466 
2467 	if (test_bit(HCI_CONN_AUTH, &conn->flags))
2468 		link_mode |= HCI_LM_AUTH;
2469 
2470 	if (test_bit(HCI_CONN_SECURE, &conn->flags))
2471 		link_mode |= HCI_LM_SECURE;
2472 
2473 	if (test_bit(HCI_CONN_FIPS, &conn->flags))
2474 		link_mode |= HCI_LM_FIPS;
2475 
2476 	return link_mode;
2477 }
2478 
hci_get_conn_list(void __user * arg)2479 int hci_get_conn_list(void __user *arg)
2480 {
2481 	struct hci_conn *c;
2482 	struct hci_conn_list_req req, *cl;
2483 	struct hci_conn_info *ci;
2484 	struct hci_dev *hdev;
2485 	int n = 0, size, err;
2486 
2487 	if (copy_from_user(&req, arg, sizeof(req)))
2488 		return -EFAULT;
2489 
2490 	if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
2491 		return -EINVAL;
2492 
2493 	size = sizeof(req) + req.conn_num * sizeof(*ci);
2494 
2495 	cl = kmalloc(size, GFP_KERNEL);
2496 	if (!cl)
2497 		return -ENOMEM;
2498 
2499 	hdev = hci_dev_get(req.dev_id);
2500 	if (!hdev) {
2501 		kfree(cl);
2502 		return -ENODEV;
2503 	}
2504 
2505 	ci = cl->conn_info;
2506 
2507 	hci_dev_lock(hdev);
2508 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
2509 		bacpy(&(ci + n)->bdaddr, &c->dst);
2510 		(ci + n)->handle = c->handle;
2511 		(ci + n)->type  = c->type;
2512 		(ci + n)->out   = c->out;
2513 		(ci + n)->state = c->state;
2514 		(ci + n)->link_mode = get_link_mode(c);
2515 		if (++n >= req.conn_num)
2516 			break;
2517 	}
2518 	hci_dev_unlock(hdev);
2519 
2520 	cl->dev_id = hdev->id;
2521 	cl->conn_num = n;
2522 	size = sizeof(req) + n * sizeof(*ci);
2523 
2524 	hci_dev_put(hdev);
2525 
2526 	err = copy_to_user(arg, cl, size);
2527 	kfree(cl);
2528 
2529 	return err ? -EFAULT : 0;
2530 }
2531 
hci_get_conn_info(struct hci_dev * hdev,void __user * arg)2532 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
2533 {
2534 	struct hci_conn_info_req req;
2535 	struct hci_conn_info ci;
2536 	struct hci_conn *conn;
2537 	char __user *ptr = arg + sizeof(req);
2538 
2539 	if (copy_from_user(&req, arg, sizeof(req)))
2540 		return -EFAULT;
2541 
2542 	hci_dev_lock(hdev);
2543 	conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
2544 	if (conn) {
2545 		bacpy(&ci.bdaddr, &conn->dst);
2546 		ci.handle = conn->handle;
2547 		ci.type  = conn->type;
2548 		ci.out   = conn->out;
2549 		ci.state = conn->state;
2550 		ci.link_mode = get_link_mode(conn);
2551 	}
2552 	hci_dev_unlock(hdev);
2553 
2554 	if (!conn)
2555 		return -ENOENT;
2556 
2557 	return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
2558 }
2559 
hci_get_auth_info(struct hci_dev * hdev,void __user * arg)2560 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
2561 {
2562 	struct hci_auth_info_req req;
2563 	struct hci_conn *conn;
2564 
2565 	if (copy_from_user(&req, arg, sizeof(req)))
2566 		return -EFAULT;
2567 
2568 	hci_dev_lock(hdev);
2569 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
2570 	if (conn)
2571 		req.type = conn->auth_type;
2572 	hci_dev_unlock(hdev);
2573 
2574 	if (!conn)
2575 		return -ENOENT;
2576 
2577 	return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
2578 }
2579 
hci_chan_create(struct hci_conn * conn)2580 struct hci_chan *hci_chan_create(struct hci_conn *conn)
2581 {
2582 	struct hci_dev *hdev = conn->hdev;
2583 	struct hci_chan *chan;
2584 
2585 	BT_DBG("%s hcon %p", hdev->name, conn);
2586 
2587 	if (test_bit(HCI_CONN_DROP, &conn->flags)) {
2588 		BT_DBG("Refusing to create new hci_chan");
2589 		return NULL;
2590 	}
2591 
2592 	chan = kzalloc(sizeof(*chan), GFP_KERNEL);
2593 	if (!chan)
2594 		return NULL;
2595 
2596 	chan->conn = hci_conn_get(conn);
2597 	skb_queue_head_init(&chan->data_q);
2598 	chan->state = BT_CONNECTED;
2599 
2600 	list_add_rcu(&chan->list, &conn->chan_list);
2601 
2602 	return chan;
2603 }
2604 
hci_chan_del(struct hci_chan * chan)2605 void hci_chan_del(struct hci_chan *chan)
2606 {
2607 	struct hci_conn *conn = chan->conn;
2608 	struct hci_dev *hdev = conn->hdev;
2609 
2610 	BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
2611 
2612 	list_del_rcu(&chan->list);
2613 
2614 	synchronize_rcu();
2615 
2616 	/* Prevent new hci_chan's to be created for this hci_conn */
2617 	set_bit(HCI_CONN_DROP, &conn->flags);
2618 
2619 	hci_conn_put(conn);
2620 
2621 	skb_queue_purge(&chan->data_q);
2622 	kfree(chan);
2623 }
2624 
hci_chan_list_flush(struct hci_conn * conn)2625 void hci_chan_list_flush(struct hci_conn *conn)
2626 {
2627 	struct hci_chan *chan, *n;
2628 
2629 	BT_DBG("hcon %p", conn);
2630 
2631 	list_for_each_entry_safe(chan, n, &conn->chan_list, list)
2632 		hci_chan_del(chan);
2633 }
2634 
__hci_chan_lookup_handle(struct hci_conn * hcon,__u16 handle)2635 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
2636 						 __u16 handle)
2637 {
2638 	struct hci_chan *hchan;
2639 
2640 	list_for_each_entry(hchan, &hcon->chan_list, list) {
2641 		if (hchan->handle == handle)
2642 			return hchan;
2643 	}
2644 
2645 	return NULL;
2646 }
2647 
hci_chan_lookup_handle(struct hci_dev * hdev,__u16 handle)2648 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
2649 {
2650 	struct hci_conn_hash *h = &hdev->conn_hash;
2651 	struct hci_conn *hcon;
2652 	struct hci_chan *hchan = NULL;
2653 
2654 	rcu_read_lock();
2655 
2656 	list_for_each_entry_rcu(hcon, &h->list, list) {
2657 		hchan = __hci_chan_lookup_handle(hcon, handle);
2658 		if (hchan)
2659 			break;
2660 	}
2661 
2662 	rcu_read_unlock();
2663 
2664 	return hchan;
2665 }
2666 
hci_conn_get_phy(struct hci_conn * conn)2667 u32 hci_conn_get_phy(struct hci_conn *conn)
2668 {
2669 	u32 phys = 0;
2670 
2671 	/* BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part B page 471:
2672 	 * Table 6.2: Packets defined for synchronous, asynchronous, and
2673 	 * CPB logical transport types.
2674 	 */
2675 	switch (conn->type) {
2676 	case SCO_LINK:
2677 		/* SCO logical transport (1 Mb/s):
2678 		 * HV1, HV2, HV3 and DV.
2679 		 */
2680 		phys |= BT_PHY_BR_1M_1SLOT;
2681 
2682 		break;
2683 
2684 	case ACL_LINK:
2685 		/* ACL logical transport (1 Mb/s) ptt=0:
2686 		 * DH1, DM3, DH3, DM5 and DH5.
2687 		 */
2688 		phys |= BT_PHY_BR_1M_1SLOT;
2689 
2690 		if (conn->pkt_type & (HCI_DM3 | HCI_DH3))
2691 			phys |= BT_PHY_BR_1M_3SLOT;
2692 
2693 		if (conn->pkt_type & (HCI_DM5 | HCI_DH5))
2694 			phys |= BT_PHY_BR_1M_5SLOT;
2695 
2696 		/* ACL logical transport (2 Mb/s) ptt=1:
2697 		 * 2-DH1, 2-DH3 and 2-DH5.
2698 		 */
2699 		if (!(conn->pkt_type & HCI_2DH1))
2700 			phys |= BT_PHY_EDR_2M_1SLOT;
2701 
2702 		if (!(conn->pkt_type & HCI_2DH3))
2703 			phys |= BT_PHY_EDR_2M_3SLOT;
2704 
2705 		if (!(conn->pkt_type & HCI_2DH5))
2706 			phys |= BT_PHY_EDR_2M_5SLOT;
2707 
2708 		/* ACL logical transport (3 Mb/s) ptt=1:
2709 		 * 3-DH1, 3-DH3 and 3-DH5.
2710 		 */
2711 		if (!(conn->pkt_type & HCI_3DH1))
2712 			phys |= BT_PHY_EDR_3M_1SLOT;
2713 
2714 		if (!(conn->pkt_type & HCI_3DH3))
2715 			phys |= BT_PHY_EDR_3M_3SLOT;
2716 
2717 		if (!(conn->pkt_type & HCI_3DH5))
2718 			phys |= BT_PHY_EDR_3M_5SLOT;
2719 
2720 		break;
2721 
2722 	case ESCO_LINK:
2723 		/* eSCO logical transport (1 Mb/s): EV3, EV4 and EV5 */
2724 		phys |= BT_PHY_BR_1M_1SLOT;
2725 
2726 		if (!(conn->pkt_type & (ESCO_EV4 | ESCO_EV5)))
2727 			phys |= BT_PHY_BR_1M_3SLOT;
2728 
2729 		/* eSCO logical transport (2 Mb/s): 2-EV3, 2-EV5 */
2730 		if (!(conn->pkt_type & ESCO_2EV3))
2731 			phys |= BT_PHY_EDR_2M_1SLOT;
2732 
2733 		if (!(conn->pkt_type & ESCO_2EV5))
2734 			phys |= BT_PHY_EDR_2M_3SLOT;
2735 
2736 		/* eSCO logical transport (3 Mb/s): 3-EV3, 3-EV5 */
2737 		if (!(conn->pkt_type & ESCO_3EV3))
2738 			phys |= BT_PHY_EDR_3M_1SLOT;
2739 
2740 		if (!(conn->pkt_type & ESCO_3EV5))
2741 			phys |= BT_PHY_EDR_3M_3SLOT;
2742 
2743 		break;
2744 
2745 	case LE_LINK:
2746 		if (conn->le_tx_phy & HCI_LE_SET_PHY_1M)
2747 			phys |= BT_PHY_LE_1M_TX;
2748 
2749 		if (conn->le_rx_phy & HCI_LE_SET_PHY_1M)
2750 			phys |= BT_PHY_LE_1M_RX;
2751 
2752 		if (conn->le_tx_phy & HCI_LE_SET_PHY_2M)
2753 			phys |= BT_PHY_LE_2M_TX;
2754 
2755 		if (conn->le_rx_phy & HCI_LE_SET_PHY_2M)
2756 			phys |= BT_PHY_LE_2M_RX;
2757 
2758 		if (conn->le_tx_phy & HCI_LE_SET_PHY_CODED)
2759 			phys |= BT_PHY_LE_CODED_TX;
2760 
2761 		if (conn->le_rx_phy & HCI_LE_SET_PHY_CODED)
2762 			phys |= BT_PHY_LE_CODED_RX;
2763 
2764 		break;
2765 	}
2766 
2767 	return phys;
2768 }
2769 
hci_abort_conn(struct hci_conn * conn,u8 reason)2770 int hci_abort_conn(struct hci_conn *conn, u8 reason)
2771 {
2772 	int r = 0;
2773 
2774 	switch (conn->state) {
2775 	case BT_CONNECTED:
2776 	case BT_CONFIG:
2777 		if (conn->type == AMP_LINK) {
2778 			struct hci_cp_disconn_phy_link cp;
2779 
2780 			cp.phy_handle = HCI_PHY_HANDLE(conn->handle);
2781 			cp.reason = reason;
2782 			r = hci_send_cmd(conn->hdev, HCI_OP_DISCONN_PHY_LINK,
2783 					 sizeof(cp), &cp);
2784 		} else {
2785 			struct hci_cp_disconnect dc;
2786 
2787 			dc.handle = cpu_to_le16(conn->handle);
2788 			dc.reason = reason;
2789 			r = hci_send_cmd(conn->hdev, HCI_OP_DISCONNECT,
2790 					 sizeof(dc), &dc);
2791 		}
2792 
2793 		conn->state = BT_DISCONN;
2794 
2795 		break;
2796 	case BT_CONNECT:
2797 		if (conn->type == LE_LINK) {
2798 			if (test_bit(HCI_CONN_SCANNING, &conn->flags))
2799 				break;
2800 			r = hci_send_cmd(conn->hdev,
2801 					 HCI_OP_LE_CREATE_CONN_CANCEL, 0, NULL);
2802 		} else if (conn->type == ACL_LINK) {
2803 			if (conn->hdev->hci_ver < BLUETOOTH_VER_1_2)
2804 				break;
2805 			r = hci_send_cmd(conn->hdev,
2806 					 HCI_OP_CREATE_CONN_CANCEL,
2807 					 6, &conn->dst);
2808 		}
2809 		break;
2810 	case BT_CONNECT2:
2811 		if (conn->type == ACL_LINK) {
2812 			struct hci_cp_reject_conn_req rej;
2813 
2814 			bacpy(&rej.bdaddr, &conn->dst);
2815 			rej.reason = reason;
2816 
2817 			r = hci_send_cmd(conn->hdev,
2818 					 HCI_OP_REJECT_CONN_REQ,
2819 					 sizeof(rej), &rej);
2820 		} else if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
2821 			struct hci_cp_reject_sync_conn_req rej;
2822 
2823 			bacpy(&rej.bdaddr, &conn->dst);
2824 
2825 			/* SCO rejection has its own limited set of
2826 			 * allowed error values (0x0D-0x0F) which isn't
2827 			 * compatible with most values passed to this
2828 			 * function. To be safe hard-code one of the
2829 			 * values that's suitable for SCO.
2830 			 */
2831 			rej.reason = HCI_ERROR_REJ_LIMITED_RESOURCES;
2832 
2833 			r = hci_send_cmd(conn->hdev,
2834 					 HCI_OP_REJECT_SYNC_CONN_REQ,
2835 					 sizeof(rej), &rej);
2836 		}
2837 		break;
2838 	default:
2839 		conn->state = BT_CLOSED;
2840 		break;
2841 	}
2842 
2843 	return r;
2844 }
2845