Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4 Copyright 2023-2024 NXP
5
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
11
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
24*/
25
26/* Bluetooth HCI connection handling. */
27
28#include <linux/export.h>
29#include <linux/debugfs.h>
30#include <linux/errqueue.h>
31
32#include <net/bluetooth/bluetooth.h>
33#include <net/bluetooth/hci_core.h>
34#include <net/bluetooth/l2cap.h>
35#include <net/bluetooth/iso.h>
36#include <net/bluetooth/mgmt.h>
37
38#include "smp.h"
39#include "eir.h"
40
41struct sco_param {
42 u16 pkt_type;
43 u16 max_latency;
44 u8 retrans_effort;
45};
46
47struct conn_handle_t {
48 struct hci_conn *conn;
49 __u16 handle;
50};
51
52static const struct sco_param esco_param_cvsd[] = {
53 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */
54 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */
55 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */
56 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */
57 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */
58};
59
60static const struct sco_param sco_param_cvsd[] = {
61 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */
62 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */
63};
64
65static const struct sco_param esco_param_msbc[] = {
66 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */
67 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */
68};
69
70/* This function requires the caller holds hdev->lock */
71void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
72{
73 struct hci_conn_params *params;
74 struct hci_dev *hdev = conn->hdev;
75 struct smp_irk *irk;
76 bdaddr_t *bdaddr;
77 u8 bdaddr_type;
78
79 bdaddr = &conn->dst;
80 bdaddr_type = conn->dst_type;
81
82 /* Check if we need to convert to identity address */
83 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
84 if (irk) {
85 bdaddr = &irk->bdaddr;
86 bdaddr_type = irk->addr_type;
87 }
88
89 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr,
90 bdaddr_type);
91 if (!params)
92 return;
93
94 if (params->conn) {
95 hci_conn_drop(params->conn);
96 hci_conn_put(params->conn);
97 params->conn = NULL;
98 }
99
100 if (!params->explicit_connect)
101 return;
102
103 /* If the status indicates successful cancellation of
104 * the attempt (i.e. Unknown Connection Id) there's no point of
105 * notifying failure since we'll go back to keep trying to
106 * connect. The only exception is explicit connect requests
107 * where a timeout + cancel does indicate an actual failure.
108 */
109 if (status && status != HCI_ERROR_UNKNOWN_CONN_ID)
110 mgmt_connect_failed(hdev, conn, status);
111
112 /* The connection attempt was doing scan for new RPA, and is
113 * in scan phase. If params are not associated with any other
114 * autoconnect action, remove them completely. If they are, just unmark
115 * them as waiting for connection, by clearing explicit_connect field.
116 */
117 params->explicit_connect = false;
118
119 hci_pend_le_list_del_init(params);
120
121 switch (params->auto_connect) {
122 case HCI_AUTO_CONN_EXPLICIT:
123 hci_conn_params_del(hdev, bdaddr, bdaddr_type);
124 /* return instead of break to avoid duplicate scan update */
125 return;
126 case HCI_AUTO_CONN_DIRECT:
127 case HCI_AUTO_CONN_ALWAYS:
128 hci_pend_le_list_add(params, &hdev->pend_le_conns);
129 break;
130 case HCI_AUTO_CONN_REPORT:
131 hci_pend_le_list_add(params, &hdev->pend_le_reports);
132 break;
133 default:
134 break;
135 }
136
137 hci_update_passive_scan(hdev);
138}
139
140static void hci_conn_cleanup(struct hci_conn *conn)
141{
142 struct hci_dev *hdev = conn->hdev;
143
144 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
145 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);
146
147 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
148 hci_remove_link_key(hdev, &conn->dst);
149
150 hci_chan_list_flush(conn);
151
152 if (HCI_CONN_HANDLE_UNSET(conn->handle))
153 ida_free(&hdev->unset_handle_ida, conn->handle);
154
155 if (conn->cleanup)
156 conn->cleanup(conn);
157
158 if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
159 switch (conn->setting & SCO_AIRMODE_MASK) {
160 case SCO_AIRMODE_CVSD:
161 case SCO_AIRMODE_TRANSP:
162 if (hdev->notify)
163 hdev->notify(hdev, HCI_NOTIFY_DISABLE_SCO);
164 break;
165 }
166 } else {
167 if (hdev->notify)
168 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
169 }
170
171 debugfs_remove_recursive(conn->debugfs);
172
173 hci_conn_del_sysfs(conn);
174
175 hci_dev_put(hdev);
176}
177
178int hci_disconnect(struct hci_conn *conn, __u8 reason)
179{
180 BT_DBG("hcon %p", conn);
181
182 /* When we are central of an established connection and it enters
183 * the disconnect timeout, then go ahead and try to read the
184 * current clock offset. Processing of the result is done
185 * within the event handling and hci_clock_offset_evt function.
186 */
187 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER &&
188 (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) {
189 struct hci_dev *hdev = conn->hdev;
190 struct hci_cp_read_clock_offset clkoff_cp;
191
192 clkoff_cp.handle = cpu_to_le16(conn->handle);
193 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp),
194 &clkoff_cp);
195 }
196
197 return hci_abort_conn(conn, reason);
198}
199
200static void hci_add_sco(struct hci_conn *conn, __u16 handle)
201{
202 struct hci_dev *hdev = conn->hdev;
203 struct hci_cp_add_sco cp;
204
205 BT_DBG("hcon %p", conn);
206
207 conn->state = BT_CONNECT;
208 conn->out = true;
209
210 conn->attempt++;
211
212 cp.handle = cpu_to_le16(handle);
213 cp.pkt_type = cpu_to_le16(conn->pkt_type);
214
215 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
216}
217
218static bool find_next_esco_param(struct hci_conn *conn,
219 const struct sco_param *esco_param, int size)
220{
221 if (!conn->parent)
222 return false;
223
224 for (; conn->attempt <= size; conn->attempt++) {
225 if (lmp_esco_2m_capable(conn->parent) ||
226 (esco_param[conn->attempt - 1].pkt_type & ESCO_2EV3))
227 break;
228 BT_DBG("hcon %p skipped attempt %d, eSCO 2M not supported",
229 conn, conn->attempt);
230 }
231
232 return conn->attempt <= size;
233}
234
235static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec)
236{
237 int err;
238 __u8 vnd_len, *vnd_data = NULL;
239 struct hci_op_configure_data_path *cmd = NULL;
240
241 /* Do not take below 2 checks as error since the 1st means user do not
242 * want to use HFP offload mode and the 2nd means the vendor controller
243 * do not need to send below HCI command for offload mode.
244 */
245 if (!codec->data_path || !hdev->get_codec_config_data)
246 return 0;
247
248 err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len,
249 &vnd_data);
250 if (err < 0)
251 goto error;
252
253 cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL);
254 if (!cmd) {
255 err = -ENOMEM;
256 goto error;
257 }
258
259 err = hdev->get_data_path_id(hdev, &cmd->data_path_id);
260 if (err < 0)
261 goto error;
262
263 cmd->vnd_len = vnd_len;
264 memcpy(cmd->vnd_data, vnd_data, vnd_len);
265
266 cmd->direction = 0x00;
267 __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
268 sizeof(*cmd) + vnd_len, cmd, HCI_CMD_TIMEOUT);
269
270 cmd->direction = 0x01;
271 err = __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
272 sizeof(*cmd) + vnd_len, cmd,
273 HCI_CMD_TIMEOUT);
274error:
275
276 kfree(cmd);
277 kfree(vnd_data);
278 return err;
279}
280
281static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data)
282{
283 struct conn_handle_t *conn_handle = data;
284 struct hci_conn *conn = conn_handle->conn;
285 __u16 handle = conn_handle->handle;
286 struct hci_cp_enhanced_setup_sync_conn cp;
287 const struct sco_param *param;
288
289 kfree(conn_handle);
290
291 if (!hci_conn_valid(hdev, conn))
292 return -ECANCELED;
293
294 bt_dev_dbg(hdev, "hcon %p", conn);
295
296 configure_datapath_sync(hdev, &conn->codec);
297
298 conn->state = BT_CONNECT;
299 conn->out = true;
300
301 conn->attempt++;
302
303 memset(&cp, 0x00, sizeof(cp));
304
305 cp.handle = cpu_to_le16(handle);
306
307 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
308 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
309
310 switch (conn->codec.id) {
311 case BT_CODEC_MSBC:
312 if (!find_next_esco_param(conn, esco_param_msbc,
313 ARRAY_SIZE(esco_param_msbc)))
314 return -EINVAL;
315
316 param = &esco_param_msbc[conn->attempt - 1];
317 cp.tx_coding_format.id = 0x05;
318 cp.rx_coding_format.id = 0x05;
319 cp.tx_codec_frame_size = __cpu_to_le16(60);
320 cp.rx_codec_frame_size = __cpu_to_le16(60);
321 cp.in_bandwidth = __cpu_to_le32(32000);
322 cp.out_bandwidth = __cpu_to_le32(32000);
323 cp.in_coding_format.id = 0x04;
324 cp.out_coding_format.id = 0x04;
325 cp.in_coded_data_size = __cpu_to_le16(16);
326 cp.out_coded_data_size = __cpu_to_le16(16);
327 cp.in_pcm_data_format = 2;
328 cp.out_pcm_data_format = 2;
329 cp.in_pcm_sample_payload_msb_pos = 0;
330 cp.out_pcm_sample_payload_msb_pos = 0;
331 cp.in_data_path = conn->codec.data_path;
332 cp.out_data_path = conn->codec.data_path;
333 cp.in_transport_unit_size = 1;
334 cp.out_transport_unit_size = 1;
335 break;
336
337 case BT_CODEC_TRANSPARENT:
338 if (!find_next_esco_param(conn, esco_param_msbc,
339 ARRAY_SIZE(esco_param_msbc)))
340 return -EINVAL;
341
342 param = &esco_param_msbc[conn->attempt - 1];
343 cp.tx_coding_format.id = 0x03;
344 cp.rx_coding_format.id = 0x03;
345 cp.tx_codec_frame_size = __cpu_to_le16(60);
346 cp.rx_codec_frame_size = __cpu_to_le16(60);
347 cp.in_bandwidth = __cpu_to_le32(0x1f40);
348 cp.out_bandwidth = __cpu_to_le32(0x1f40);
349 cp.in_coding_format.id = 0x03;
350 cp.out_coding_format.id = 0x03;
351 cp.in_coded_data_size = __cpu_to_le16(16);
352 cp.out_coded_data_size = __cpu_to_le16(16);
353 cp.in_pcm_data_format = 2;
354 cp.out_pcm_data_format = 2;
355 cp.in_pcm_sample_payload_msb_pos = 0;
356 cp.out_pcm_sample_payload_msb_pos = 0;
357 cp.in_data_path = conn->codec.data_path;
358 cp.out_data_path = conn->codec.data_path;
359 cp.in_transport_unit_size = 1;
360 cp.out_transport_unit_size = 1;
361 break;
362
363 case BT_CODEC_CVSD:
364 if (conn->parent && lmp_esco_capable(conn->parent)) {
365 if (!find_next_esco_param(conn, esco_param_cvsd,
366 ARRAY_SIZE(esco_param_cvsd)))
367 return -EINVAL;
368 param = &esco_param_cvsd[conn->attempt - 1];
369 } else {
370 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
371 return -EINVAL;
372 param = &sco_param_cvsd[conn->attempt - 1];
373 }
374 cp.tx_coding_format.id = 2;
375 cp.rx_coding_format.id = 2;
376 cp.tx_codec_frame_size = __cpu_to_le16(60);
377 cp.rx_codec_frame_size = __cpu_to_le16(60);
378 cp.in_bandwidth = __cpu_to_le32(16000);
379 cp.out_bandwidth = __cpu_to_le32(16000);
380 cp.in_coding_format.id = 4;
381 cp.out_coding_format.id = 4;
382 cp.in_coded_data_size = __cpu_to_le16(16);
383 cp.out_coded_data_size = __cpu_to_le16(16);
384 cp.in_pcm_data_format = 2;
385 cp.out_pcm_data_format = 2;
386 cp.in_pcm_sample_payload_msb_pos = 0;
387 cp.out_pcm_sample_payload_msb_pos = 0;
388 cp.in_data_path = conn->codec.data_path;
389 cp.out_data_path = conn->codec.data_path;
390 cp.in_transport_unit_size = 16;
391 cp.out_transport_unit_size = 16;
392 break;
393 default:
394 return -EINVAL;
395 }
396
397 cp.retrans_effort = param->retrans_effort;
398 cp.pkt_type = __cpu_to_le16(param->pkt_type);
399 cp.max_latency = __cpu_to_le16(param->max_latency);
400
401 if (hci_send_cmd(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
402 return -EIO;
403
404 return 0;
405}
406
407static bool hci_setup_sync_conn(struct hci_conn *conn, __u16 handle)
408{
409 struct hci_dev *hdev = conn->hdev;
410 struct hci_cp_setup_sync_conn cp;
411 const struct sco_param *param;
412
413 bt_dev_dbg(hdev, "hcon %p", conn);
414
415 conn->state = BT_CONNECT;
416 conn->out = true;
417
418 conn->attempt++;
419
420 cp.handle = cpu_to_le16(handle);
421
422 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
423 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
424 cp.voice_setting = cpu_to_le16(conn->setting);
425
426 switch (conn->setting & SCO_AIRMODE_MASK) {
427 case SCO_AIRMODE_TRANSP:
428 if (!find_next_esco_param(conn, esco_param_msbc,
429 ARRAY_SIZE(esco_param_msbc)))
430 return false;
431 param = &esco_param_msbc[conn->attempt - 1];
432 break;
433 case SCO_AIRMODE_CVSD:
434 if (conn->parent && lmp_esco_capable(conn->parent)) {
435 if (!find_next_esco_param(conn, esco_param_cvsd,
436 ARRAY_SIZE(esco_param_cvsd)))
437 return false;
438 param = &esco_param_cvsd[conn->attempt - 1];
439 } else {
440 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
441 return false;
442 param = &sco_param_cvsd[conn->attempt - 1];
443 }
444 break;
445 default:
446 return false;
447 }
448
449 cp.retrans_effort = param->retrans_effort;
450 cp.pkt_type = __cpu_to_le16(param->pkt_type);
451 cp.max_latency = __cpu_to_le16(param->max_latency);
452
453 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
454 return false;
455
456 return true;
457}
458
459bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
460{
461 int result;
462 struct conn_handle_t *conn_handle;
463
464 if (enhanced_sync_conn_capable(conn->hdev)) {
465 conn_handle = kzalloc_obj(*conn_handle);
466
467 if (!conn_handle)
468 return false;
469
470 conn_handle->conn = conn;
471 conn_handle->handle = handle;
472 result = hci_cmd_sync_queue(conn->hdev, hci_enhanced_setup_sync,
473 conn_handle, NULL);
474 if (result < 0)
475 kfree(conn_handle);
476
477 return result == 0;
478 }
479
480 return hci_setup_sync_conn(conn, handle);
481}
482
483struct le_conn_update_data {
484 struct hci_conn *conn;
485 u16 min;
486 u16 max;
487 u16 latency;
488 u16 to_multiplier;
489};
490
491static int le_conn_update_sync(struct hci_dev *hdev, void *data)
492{
493 struct le_conn_update_data *d = data;
494 struct hci_conn *conn = d->conn;
495 struct hci_conn_params *params;
496 struct hci_cp_le_conn_update cp;
497 u16 timeout;
498 u8 store_hint;
499 int err;
500
501 /* Verify connection is still alive and read conn fields under
502 * the same lock to prevent a concurrent disconnect from freeing
503 * or reusing the connection while we build the HCI command.
504 */
505 hci_dev_lock(hdev);
506
507 if (!hci_conn_valid(hdev, conn)) {
508 hci_dev_unlock(hdev);
509 return -ECANCELED;
510 }
511
512 memset(&cp, 0, sizeof(cp));
513 cp.handle = cpu_to_le16(conn->handle);
514 cp.conn_interval_min = cpu_to_le16(d->min);
515 cp.conn_interval_max = cpu_to_le16(d->max);
516 cp.conn_latency = cpu_to_le16(d->latency);
517 cp.supervision_timeout = cpu_to_le16(d->to_multiplier);
518 cp.min_ce_len = cpu_to_le16(0x0000);
519 cp.max_ce_len = cpu_to_le16(0x0000);
520 timeout = conn->conn_timeout;
521
522 hci_dev_unlock(hdev);
523
524 err = __hci_cmd_sync_status_sk(hdev, HCI_OP_LE_CONN_UPDATE,
525 sizeof(cp), &cp,
526 HCI_EV_LE_CONN_UPDATE_COMPLETE,
527 timeout, NULL);
528 if (err)
529 return err;
530
531 /* Update stored connection parameters after the controller has
532 * confirmed the update via the LE Connection Update Complete event.
533 */
534 hci_dev_lock(hdev);
535
536 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
537 if (params) {
538 params->conn_min_interval = d->min;
539 params->conn_max_interval = d->max;
540 params->conn_latency = d->latency;
541 params->supervision_timeout = d->to_multiplier;
542 store_hint = 0x01;
543 } else {
544 store_hint = 0x00;
545 }
546
547 hci_dev_unlock(hdev);
548
549 mgmt_new_conn_param(hdev, &conn->dst, conn->dst_type, store_hint,
550 d->min, d->max, d->latency, d->to_multiplier);
551
552 return 0;
553}
554
555static void le_conn_update_complete(struct hci_dev *hdev, void *data, int err)
556{
557 struct le_conn_update_data *d = data;
558
559 hci_conn_put(d->conn);
560 kfree(d);
561}
562
563void hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
564 u16 to_multiplier)
565{
566 struct le_conn_update_data *d;
567
568 d = kzalloc_obj(*d);
569 if (!d)
570 return;
571
572 hci_conn_get(conn);
573 d->conn = conn;
574 d->min = min;
575 d->max = max;
576 d->latency = latency;
577 d->to_multiplier = to_multiplier;
578
579 if (hci_cmd_sync_queue(conn->hdev, le_conn_update_sync, d,
580 le_conn_update_complete) < 0) {
581 hci_conn_put(conn);
582 kfree(d);
583 }
584}
585
586void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
587 __u8 ltk[16], __u8 key_size)
588{
589 struct hci_dev *hdev = conn->hdev;
590 struct hci_cp_le_start_enc cp;
591
592 BT_DBG("hcon %p", conn);
593
594 memset(&cp, 0, sizeof(cp));
595
596 cp.handle = cpu_to_le16(conn->handle);
597 cp.rand = rand;
598 cp.ediv = ediv;
599 memcpy(cp.ltk, ltk, key_size);
600
601 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
602}
603
604/* Device _must_ be locked */
605void hci_sco_setup(struct hci_conn *conn, __u8 status)
606{
607 struct hci_link *link;
608
609 link = list_first_entry_or_null(&conn->link_list, struct hci_link, list);
610 if (!link || !link->conn)
611 return;
612
613 BT_DBG("hcon %p", conn);
614
615 if (!status) {
616 if (lmp_esco_capable(conn->hdev))
617 hci_setup_sync(link->conn, conn->handle);
618 else
619 hci_add_sco(link->conn, conn->handle);
620 } else {
621 hci_connect_cfm(link->conn, status);
622 hci_conn_del(link->conn);
623 }
624}
625
626static void hci_conn_timeout(struct work_struct *work)
627{
628 struct hci_conn *conn = container_of(work, struct hci_conn,
629 disc_work.work);
630 int refcnt = atomic_read(&conn->refcnt);
631
632 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
633
634 WARN_ON(refcnt < 0);
635
636 /* FIXME: It was observed that in pairing failed scenario, refcnt
637 * drops below 0. Probably this is because l2cap_conn_del calls
638 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
639 * dropped. After that loop hci_chan_del is called which also drops
640 * conn. For now make sure that ACL is alive if refcnt is higher then 0,
641 * otherwise drop it.
642 */
643 if (refcnt > 0)
644 return;
645
646 hci_abort_conn(conn, hci_proto_disconn_ind(conn));
647}
648
649/* Enter sniff mode */
650static void hci_conn_idle(struct work_struct *work)
651{
652 struct hci_conn *conn = container_of(work, struct hci_conn,
653 idle_work.work);
654 struct hci_dev *hdev = conn->hdev;
655
656 BT_DBG("hcon %p mode %d", conn, conn->mode);
657
658 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
659 return;
660
661 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
662 return;
663
664 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
665 struct hci_cp_sniff_subrate cp;
666 cp.handle = cpu_to_le16(conn->handle);
667 cp.max_latency = cpu_to_le16(0);
668 cp.min_remote_timeout = cpu_to_le16(0);
669 cp.min_local_timeout = cpu_to_le16(0);
670 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
671 }
672
673 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
674 struct hci_cp_sniff_mode cp;
675 cp.handle = cpu_to_le16(conn->handle);
676 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
677 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
678 cp.attempt = cpu_to_le16(4);
679 cp.timeout = cpu_to_le16(1);
680 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
681 }
682}
683
684static void hci_conn_auto_accept(struct work_struct *work)
685{
686 struct hci_conn *conn = container_of(work, struct hci_conn,
687 auto_accept_work.work);
688
689 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
690 &conn->dst);
691}
692
693static void le_disable_advertising(struct hci_dev *hdev)
694{
695 if (ext_adv_capable(hdev)) {
696 struct hci_cp_le_set_ext_adv_enable cp;
697
698 cp.enable = 0x00;
699 cp.num_of_sets = 0x00;
700
701 hci_send_cmd(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE, sizeof(cp),
702 &cp);
703 } else {
704 u8 enable = 0x00;
705 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
706 &enable);
707 }
708}
709
710static void le_conn_timeout(struct work_struct *work)
711{
712 struct hci_conn *conn = container_of(work, struct hci_conn,
713 le_conn_timeout.work);
714 struct hci_dev *hdev = conn->hdev;
715
716 BT_DBG("");
717
718 /* We could end up here due to having done directed advertising,
719 * so clean up the state if necessary. This should however only
720 * happen with broken hardware or if low duty cycle was used
721 * (which doesn't have a timeout of its own).
722 */
723 if (conn->role == HCI_ROLE_SLAVE) {
724 /* Disable LE Advertising */
725 le_disable_advertising(hdev);
726 hci_dev_lock(hdev);
727 hci_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
728 hci_dev_unlock(hdev);
729 return;
730 }
731
732 hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
733}
734
735struct iso_list_data {
736 union {
737 u8 cig;
738 u8 big;
739 };
740 union {
741 u8 cis;
742 u8 bis;
743 u16 sync_handle;
744 };
745 int count;
746 bool big_term;
747 bool pa_sync_term;
748 bool big_sync_term;
749};
750
751static void bis_list(struct hci_conn *conn, void *data)
752{
753 struct iso_list_data *d = data;
754
755 /* Skip if not broadcast/ANY address */
756 if (bacmp(&conn->dst, BDADDR_ANY))
757 return;
758
759 if (d->big != conn->iso_qos.bcast.big || d->bis == BT_ISO_QOS_BIS_UNSET ||
760 d->bis != conn->iso_qos.bcast.bis)
761 return;
762
763 d->count++;
764}
765
766static int terminate_big_sync(struct hci_dev *hdev, void *data)
767{
768 struct iso_list_data *d = data;
769
770 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", d->big, d->bis);
771
772 hci_disable_per_advertising_sync(hdev, d->bis);
773 hci_remove_ext_adv_instance_sync(hdev, d->bis, NULL);
774
775 /* Only terminate BIG if it has been created */
776 if (!d->big_term)
777 return 0;
778
779 return hci_le_terminate_big_sync(hdev, d->big,
780 HCI_ERROR_LOCAL_HOST_TERM);
781}
782
783static void terminate_big_destroy(struct hci_dev *hdev, void *data, int err)
784{
785 kfree(data);
786}
787
788static int hci_le_terminate_big(struct hci_dev *hdev, struct hci_conn *conn)
789{
790 struct iso_list_data *d;
791 int ret;
792
793 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", conn->iso_qos.bcast.big,
794 conn->iso_qos.bcast.bis);
795
796 d = kzalloc_obj(*d);
797 if (!d)
798 return -ENOMEM;
799
800 d->big = conn->iso_qos.bcast.big;
801 d->bis = conn->iso_qos.bcast.bis;
802 d->big_term = test_and_clear_bit(HCI_CONN_BIG_CREATED, &conn->flags);
803
804 ret = hci_cmd_sync_queue(hdev, terminate_big_sync, d,
805 terminate_big_destroy);
806 if (ret)
807 kfree(d);
808
809 return ret;
810}
811
812static int big_terminate_sync(struct hci_dev *hdev, void *data)
813{
814 struct iso_list_data *d = data;
815
816 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", d->big,
817 d->sync_handle);
818
819 if (d->big_sync_term)
820 hci_le_big_terminate_sync(hdev, d->big);
821
822 if (d->pa_sync_term)
823 return hci_le_pa_terminate_sync(hdev, d->sync_handle);
824
825 return 0;
826}
827
828static void find_bis(struct hci_conn *conn, void *data)
829{
830 struct iso_list_data *d = data;
831
832 /* Ignore if BIG doesn't match */
833 if (d->big != conn->iso_qos.bcast.big)
834 return;
835
836 d->count++;
837}
838
839static int hci_le_big_terminate(struct hci_dev *hdev, struct hci_conn *conn)
840{
841 struct iso_list_data *d;
842 int ret;
843
844 bt_dev_dbg(hdev, "hcon %p big 0x%2.2x sync_handle 0x%4.4x", conn,
845 conn->iso_qos.bcast.big, conn->sync_handle);
846
847 d = kzalloc_obj(*d);
848 if (!d)
849 return -ENOMEM;
850
851 d->big = conn->iso_qos.bcast.big;
852 d->sync_handle = conn->sync_handle;
853
854 if (conn->type == PA_LINK &&
855 test_and_clear_bit(HCI_CONN_PA_SYNC, &conn->flags)) {
856 hci_conn_hash_list_flag(hdev, find_bis, PA_LINK,
857 HCI_CONN_PA_SYNC, d);
858
859 if (!d->count)
860 d->pa_sync_term = true;
861
862 d->count = 0;
863 }
864
865 if (test_and_clear_bit(HCI_CONN_BIG_SYNC, &conn->flags)) {
866 hci_conn_hash_list_flag(hdev, find_bis, BIS_LINK,
867 HCI_CONN_BIG_SYNC, d);
868
869 if (!d->count)
870 d->big_sync_term = true;
871 }
872
873 if (!d->pa_sync_term && !d->big_sync_term)
874 return 0;
875
876 ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d,
877 terminate_big_destroy);
878 if (ret)
879 kfree(d);
880
881 return ret;
882}
883
884/* Cleanup BIS connection
885 *
886 * Detects if there any BIS left connected in a BIG
887 * broadcaster: Remove advertising instance and terminate BIG.
888 * broadcaster receiver: Terminate BIG sync and terminate PA sync.
889 */
890static void bis_cleanup(struct hci_conn *conn)
891{
892 struct hci_dev *hdev = conn->hdev;
893 struct hci_conn *bis;
894
895 bt_dev_dbg(hdev, "conn %p", conn);
896
897 if (conn->role == HCI_ROLE_MASTER) {
898 if (!test_and_clear_bit(HCI_CONN_PER_ADV, &conn->flags))
899 return;
900
901 /* Check if ISO connection is a BIS and terminate advertising
902 * set and BIG if there are no other connections using it.
903 */
904 bis = hci_conn_hash_lookup_big_state(hdev,
905 conn->iso_qos.bcast.big,
906 BT_CONNECTED,
907 HCI_ROLE_MASTER);
908 if (bis)
909 return;
910
911 bis = hci_conn_hash_lookup_big_state(hdev,
912 conn->iso_qos.bcast.big,
913 BT_CONNECT,
914 HCI_ROLE_MASTER);
915 if (bis)
916 return;
917
918 bis = hci_conn_hash_lookup_big_state(hdev,
919 conn->iso_qos.bcast.big,
920 BT_OPEN,
921 HCI_ROLE_MASTER);
922 if (bis)
923 return;
924
925 hci_le_terminate_big(hdev, conn);
926 } else {
927 hci_le_big_terminate(hdev, conn);
928 }
929}
930
931static int remove_cig_sync(struct hci_dev *hdev, void *data)
932{
933 u8 handle = PTR_UINT(data);
934
935 return hci_le_remove_cig_sync(hdev, handle);
936}
937
938static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle)
939{
940 bt_dev_dbg(hdev, "handle 0x%2.2x", handle);
941
942 return hci_cmd_sync_queue(hdev, remove_cig_sync, UINT_PTR(handle),
943 NULL);
944}
945
946static void find_cis(struct hci_conn *conn, void *data)
947{
948 struct iso_list_data *d = data;
949
950 /* Ignore broadcast or if CIG don't match */
951 if (!bacmp(&conn->dst, BDADDR_ANY) || d->cig != conn->iso_qos.ucast.cig)
952 return;
953
954 d->count++;
955}
956
957/* Cleanup CIS connection:
958 *
959 * Detects if there any CIS left connected in a CIG and remove it.
960 */
961static void cis_cleanup(struct hci_conn *conn)
962{
963 struct hci_dev *hdev = conn->hdev;
964 struct iso_list_data d;
965
966 if (conn->iso_qos.ucast.cig == BT_ISO_QOS_CIG_UNSET)
967 return;
968
969 memset(&d, 0, sizeof(d));
970 d.cig = conn->iso_qos.ucast.cig;
971
972 /* Check if ISO connection is a CIS and remove CIG if there are
973 * no other connections using it.
974 */
975 hci_conn_hash_list_state(hdev, find_cis, CIS_LINK, BT_BOUND, &d);
976 hci_conn_hash_list_state(hdev, find_cis, CIS_LINK, BT_CONNECT,
977 &d);
978 hci_conn_hash_list_state(hdev, find_cis, CIS_LINK, BT_CONNECTED,
979 &d);
980 if (d.count)
981 return;
982
983 hci_le_remove_cig(hdev, conn->iso_qos.ucast.cig);
984}
985
986static int hci_conn_hash_alloc_unset(struct hci_dev *hdev)
987{
988 return ida_alloc_range(&hdev->unset_handle_ida, HCI_CONN_HANDLE_MAX + 1,
989 U16_MAX, GFP_ATOMIC);
990}
991
992static struct hci_conn *__hci_conn_add(struct hci_dev *hdev, int type,
993 bdaddr_t *dst, u8 dst_type,
994 u8 role, u16 handle)
995{
996 struct hci_conn *conn;
997 struct smp_irk *irk = NULL;
998
999 switch (type) {
1000 case ACL_LINK:
1001 if (!hdev->acl_mtu)
1002 return ERR_PTR(-ECONNREFUSED);
1003 break;
1004 case CIS_LINK:
1005 case BIS_LINK:
1006 case PA_LINK:
1007 if (!hdev->iso_mtu)
1008 return ERR_PTR(-ECONNREFUSED);
1009 irk = hci_get_irk(hdev, dst, dst_type);
1010 break;
1011 case LE_LINK:
1012 if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU)
1013 return ERR_PTR(-ECONNREFUSED);
1014 if (!hdev->le_mtu && hdev->acl_mtu < HCI_MIN_LE_MTU)
1015 return ERR_PTR(-ECONNREFUSED);
1016 irk = hci_get_irk(hdev, dst, dst_type);
1017 break;
1018 case SCO_LINK:
1019 case ESCO_LINK:
1020 if (!hdev->sco_pkts)
1021 /* Controller does not support SCO or eSCO over HCI */
1022 return ERR_PTR(-ECONNREFUSED);
1023 break;
1024 default:
1025 return ERR_PTR(-ECONNREFUSED);
1026 }
1027
1028 bt_dev_dbg(hdev, "dst %pMR handle 0x%4.4x", dst, handle);
1029
1030 conn = kzalloc_obj(*conn);
1031 if (!conn)
1032 return ERR_PTR(-ENOMEM);
1033
1034 /* If and IRK exists use its identity address */
1035 if (!irk) {
1036 bacpy(&conn->dst, dst);
1037 conn->dst_type = dst_type;
1038 } else {
1039 bacpy(&conn->dst, &irk->bdaddr);
1040 conn->dst_type = irk->addr_type;
1041 }
1042
1043 bacpy(&conn->src, &hdev->bdaddr);
1044 conn->handle = handle;
1045 conn->hdev = hdev;
1046 conn->type = type;
1047 conn->role = role;
1048 conn->mode = HCI_CM_ACTIVE;
1049 conn->state = BT_OPEN;
1050 conn->auth_type = HCI_AT_GENERAL_BONDING;
1051 conn->io_capability = hdev->io_capability;
1052 conn->remote_auth = 0xff;
1053 conn->key_type = 0xff;
1054 conn->rssi = HCI_RSSI_INVALID;
1055 conn->tx_power = HCI_TX_POWER_INVALID;
1056 conn->max_tx_power = HCI_TX_POWER_INVALID;
1057 conn->sync_handle = HCI_SYNC_HANDLE_INVALID;
1058 conn->sid = HCI_SID_INVALID;
1059
1060 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
1061 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
1062
1063 /* Set Default Authenticated payload timeout to 30s */
1064 conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
1065
1066 if (conn->role == HCI_ROLE_MASTER)
1067 conn->out = true;
1068
1069 switch (type) {
1070 case ACL_LINK:
1071 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
1072 conn->link_policy = hdev->link_policy;
1073 conn->mtu = hdev->acl_mtu;
1074 break;
1075 case LE_LINK:
1076 /* conn->src should reflect the local identity address */
1077 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
1078 conn->mtu = hdev->le_mtu ? hdev->le_mtu : hdev->acl_mtu;
1079 /* Use the controller supported PHYS as default until the
1080 * remote features are resolved.
1081 */
1082 conn->le_tx_def_phys = hdev->le_tx_def_phys;
1083 conn->le_rx_def_phys = hdev->le_tx_def_phys;
1084 break;
1085 case CIS_LINK:
1086 /* conn->src should reflect the local identity address */
1087 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
1088
1089 if (conn->role == HCI_ROLE_MASTER)
1090 conn->cleanup = cis_cleanup;
1091
1092 conn->mtu = hdev->iso_mtu;
1093 break;
1094 case PA_LINK:
1095 case BIS_LINK:
1096 /* conn->src should reflect the local identity address */
1097 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
1098 conn->cleanup = bis_cleanup;
1099 conn->mtu = hdev->iso_mtu;
1100 break;
1101 case SCO_LINK:
1102 if (lmp_esco_capable(hdev))
1103 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
1104 (hdev->esco_type & EDR_ESCO_MASK);
1105 else
1106 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
1107
1108 conn->mtu = hdev->sco_mtu;
1109 break;
1110 case ESCO_LINK:
1111 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
1112 conn->mtu = hdev->sco_mtu;
1113 break;
1114 }
1115
1116 skb_queue_head_init(&conn->data_q);
1117 skb_queue_head_init(&conn->tx_q.queue);
1118
1119 INIT_LIST_HEAD(&conn->chan_list);
1120 INIT_LIST_HEAD(&conn->link_list);
1121
1122 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
1123 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
1124 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
1125 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
1126
1127 atomic_set(&conn->refcnt, 0);
1128
1129 hci_dev_hold(hdev);
1130
1131 hci_conn_hash_add(hdev, conn);
1132
1133 /* The SCO and eSCO connections will only be notified when their
1134 * setup has been completed. This is different to ACL links which
1135 * can be notified right away.
1136 */
1137 if (conn->type != SCO_LINK && conn->type != ESCO_LINK) {
1138 if (hdev->notify)
1139 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
1140 }
1141
1142 hci_conn_init_sysfs(conn);
1143 return conn;
1144}
1145
1146struct hci_conn *hci_conn_add_unset(struct hci_dev *hdev, int type,
1147 bdaddr_t *dst, u8 dst_type, u8 role)
1148{
1149 int handle;
1150
1151 bt_dev_dbg(hdev, "dst %pMR", dst);
1152
1153 handle = hci_conn_hash_alloc_unset(hdev);
1154 if (unlikely(handle < 0))
1155 return ERR_PTR(-ECONNREFUSED);
1156
1157 return __hci_conn_add(hdev, type, dst, dst_type, role, handle);
1158}
1159
1160struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
1161 u8 dst_type, u8 role, u16 handle)
1162{
1163 if (handle > HCI_CONN_HANDLE_MAX)
1164 return ERR_PTR(-EINVAL);
1165
1166 return __hci_conn_add(hdev, type, dst, dst_type, role, handle);
1167}
1168
1169static void hci_conn_cleanup_child(struct hci_conn *conn, u8 reason)
1170{
1171 if (!reason)
1172 reason = HCI_ERROR_REMOTE_USER_TERM;
1173
1174 /* Due to race, SCO/ISO conn might be not established yet at this point,
1175 * and nothing else will clean it up. In other cases it is done via HCI
1176 * events.
1177 */
1178 switch (conn->type) {
1179 case SCO_LINK:
1180 case ESCO_LINK:
1181 if (HCI_CONN_HANDLE_UNSET(conn->handle))
1182 hci_conn_failed(conn, reason);
1183 break;
1184 case CIS_LINK:
1185 case BIS_LINK:
1186 case PA_LINK:
1187 if ((conn->state != BT_CONNECTED &&
1188 !test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) ||
1189 test_bit(HCI_CONN_BIG_CREATED, &conn->flags))
1190 hci_conn_failed(conn, reason);
1191 break;
1192 }
1193}
1194
1195static void hci_conn_unlink(struct hci_conn *conn)
1196{
1197 struct hci_dev *hdev = conn->hdev;
1198
1199 bt_dev_dbg(hdev, "hcon %p", conn);
1200
1201 if (!conn->parent) {
1202 struct hci_link *link, *t;
1203
1204 list_for_each_entry_safe(link, t, &conn->link_list, list) {
1205 struct hci_conn *child = link->conn;
1206
1207 hci_conn_unlink(child);
1208
1209 /* If hdev is down it means
1210 * hci_dev_close_sync/hci_conn_hash_flush is in progress
1211 * and links don't need to be cleanup as all connections
1212 * would be cleanup.
1213 */
1214 if (!test_bit(HCI_UP, &hdev->flags))
1215 continue;
1216
1217 hci_conn_cleanup_child(child, conn->abort_reason);
1218 }
1219
1220 return;
1221 }
1222
1223 if (!conn->link)
1224 return;
1225
1226 list_del_rcu(&conn->link->list);
1227 synchronize_rcu();
1228
1229 hci_conn_drop(conn->parent);
1230 hci_conn_put(conn->parent);
1231 conn->parent = NULL;
1232
1233 kfree(conn->link);
1234 conn->link = NULL;
1235}
1236
1237void hci_conn_del(struct hci_conn *conn)
1238{
1239 struct hci_dev *hdev = conn->hdev;
1240
1241 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
1242
1243 hci_conn_unlink(conn);
1244
1245 disable_delayed_work_sync(&conn->disc_work);
1246 disable_delayed_work_sync(&conn->auto_accept_work);
1247 disable_delayed_work_sync(&conn->idle_work);
1248
1249 /* Remove the connection from the list so unacked logic can detect when
1250 * a certain pool is not being utilized.
1251 */
1252 hci_conn_hash_del(hdev, conn);
1253
1254 /* Handle unacked frames:
1255 *
1256 * - In case there are no connection, or if restoring the buffers
1257 * considered in transist would overflow, restore all buffers to the
1258 * pool.
1259 * - Otherwise restore just the buffers considered in transit for the
1260 * hci_conn
1261 */
1262 switch (conn->type) {
1263 case ACL_LINK:
1264 if (!hci_conn_num(hdev, ACL_LINK) ||
1265 hdev->acl_cnt + conn->sent > hdev->acl_pkts)
1266 hdev->acl_cnt = hdev->acl_pkts;
1267 else
1268 hdev->acl_cnt += conn->sent;
1269 break;
1270 case LE_LINK:
1271 cancel_delayed_work(&conn->le_conn_timeout);
1272
1273 if (hdev->le_pkts) {
1274 if (!hci_conn_num(hdev, LE_LINK) ||
1275 hdev->le_cnt + conn->sent > hdev->le_pkts)
1276 hdev->le_cnt = hdev->le_pkts;
1277 else
1278 hdev->le_cnt += conn->sent;
1279 } else {
1280 if ((!hci_conn_num(hdev, LE_LINK) &&
1281 !hci_conn_num(hdev, ACL_LINK)) ||
1282 hdev->acl_cnt + conn->sent > hdev->acl_pkts)
1283 hdev->acl_cnt = hdev->acl_pkts;
1284 else
1285 hdev->acl_cnt += conn->sent;
1286 }
1287 break;
1288 case CIS_LINK:
1289 case BIS_LINK:
1290 case PA_LINK:
1291 if (!hci_iso_count(hdev) ||
1292 hdev->iso_cnt + conn->sent > hdev->iso_pkts)
1293 hdev->iso_cnt = hdev->iso_pkts;
1294 else
1295 hdev->iso_cnt += conn->sent;
1296 break;
1297 }
1298
1299 skb_queue_purge(&conn->data_q);
1300 skb_queue_purge(&conn->tx_q.queue);
1301
1302 /* Remove the connection from the list and cleanup its remaining
1303 * state. This is a separate function since for some cases like
1304 * BT_CONNECT_SCAN we *only* want the cleanup part without the
1305 * rest of hci_conn_del.
1306 */
1307 hci_conn_cleanup(conn);
1308
1309 /* Dequeue callbacks using connection pointer as data */
1310 hci_cmd_sync_dequeue(hdev, NULL, conn, NULL);
1311}
1312
1313struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type)
1314{
1315 int use_src = bacmp(src, BDADDR_ANY);
1316 struct hci_dev *hdev = NULL, *d;
1317
1318 BT_DBG("%pMR -> %pMR", src, dst);
1319
1320 read_lock(&hci_dev_list_lock);
1321
1322 list_for_each_entry(d, &hci_dev_list, list) {
1323 if (!test_bit(HCI_UP, &d->flags) ||
1324 hci_dev_test_flag(d, HCI_USER_CHANNEL))
1325 continue;
1326
1327 /* Simple routing:
1328 * No source address - find interface with bdaddr != dst
1329 * Source address - find interface with bdaddr == src
1330 */
1331
1332 if (use_src) {
1333 bdaddr_t id_addr;
1334 u8 id_addr_type;
1335
1336 if (src_type == BDADDR_BREDR) {
1337 if (!lmp_bredr_capable(d))
1338 continue;
1339 bacpy(&id_addr, &d->bdaddr);
1340 id_addr_type = BDADDR_BREDR;
1341 } else {
1342 if (!lmp_le_capable(d))
1343 continue;
1344
1345 hci_copy_identity_address(d, &id_addr,
1346 &id_addr_type);
1347
1348 /* Convert from HCI to three-value type */
1349 if (id_addr_type == ADDR_LE_DEV_PUBLIC)
1350 id_addr_type = BDADDR_LE_PUBLIC;
1351 else
1352 id_addr_type = BDADDR_LE_RANDOM;
1353 }
1354
1355 if (!bacmp(&id_addr, src) && id_addr_type == src_type) {
1356 hdev = d; break;
1357 }
1358 } else {
1359 if (bacmp(&d->bdaddr, dst)) {
1360 hdev = d; break;
1361 }
1362 }
1363 }
1364
1365 if (hdev)
1366 hdev = hci_dev_hold(hdev);
1367
1368 read_unlock(&hci_dev_list_lock);
1369 return hdev;
1370}
1371EXPORT_SYMBOL(hci_get_route);
1372
1373/* This function requires the caller holds hdev->lock */
1374static void hci_le_conn_failed(struct hci_conn *conn, u8 status)
1375{
1376 struct hci_dev *hdev = conn->hdev;
1377
1378 hci_connect_le_scan_cleanup(conn, status);
1379
1380 /* Enable advertising in case this was a failed connection
1381 * attempt as a peripheral.
1382 */
1383 hci_enable_advertising(hdev);
1384}
1385
1386/* This function requires the caller holds hdev->lock */
1387void hci_conn_failed(struct hci_conn *conn, u8 status)
1388{
1389 struct hci_dev *hdev = conn->hdev;
1390
1391 bt_dev_dbg(hdev, "status 0x%2.2x", status);
1392
1393 switch (conn->type) {
1394 case LE_LINK:
1395 hci_le_conn_failed(conn, status);
1396 break;
1397 case ACL_LINK:
1398 mgmt_connect_failed(hdev, conn, status);
1399 break;
1400 }
1401
1402 /* In case of BIG/PA sync failed, clear conn flags so that
1403 * the conns will be correctly cleaned up by ISO layer
1404 */
1405 test_and_clear_bit(HCI_CONN_BIG_SYNC_FAILED, &conn->flags);
1406 test_and_clear_bit(HCI_CONN_PA_SYNC_FAILED, &conn->flags);
1407
1408 conn->state = BT_CLOSED;
1409 hci_connect_cfm(conn, status);
1410 hci_conn_del(conn);
1411}
1412
1413/* This function requires the caller holds hdev->lock */
1414u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle)
1415{
1416 struct hci_dev *hdev = conn->hdev;
1417
1418 bt_dev_dbg(hdev, "hcon %p handle 0x%4.4x", conn, handle);
1419
1420 if (conn->handle == handle)
1421 return 0;
1422
1423 if (handle > HCI_CONN_HANDLE_MAX) {
1424 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
1425 handle, HCI_CONN_HANDLE_MAX);
1426 return HCI_ERROR_INVALID_PARAMETERS;
1427 }
1428
1429 /* If abort_reason has been sent it means the connection is being
1430 * aborted and the handle shall not be changed.
1431 */
1432 if (conn->abort_reason)
1433 return conn->abort_reason;
1434
1435 if (HCI_CONN_HANDLE_UNSET(conn->handle))
1436 ida_free(&hdev->unset_handle_ida, conn->handle);
1437
1438 conn->handle = handle;
1439
1440 return 0;
1441}
1442
1443struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
1444 u8 dst_type, bool dst_resolved, u8 sec_level,
1445 u16 conn_timeout, u8 role, u8 phy, u8 sec_phy)
1446{
1447 struct hci_conn *conn;
1448 struct smp_irk *irk;
1449 int err;
1450
1451 /* Let's make sure that le is enabled.*/
1452 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1453 if (lmp_le_capable(hdev))
1454 return ERR_PTR(-ECONNREFUSED);
1455
1456 return ERR_PTR(-EOPNOTSUPP);
1457 }
1458
1459 /* Since the controller supports only one LE connection attempt at a
1460 * time, we return -EBUSY if there is any connection attempt running.
1461 */
1462 if (hci_lookup_le_connect(hdev))
1463 return ERR_PTR(-EBUSY);
1464
1465 /* If there's already a connection object but it's not in
1466 * scanning state it means it must already be established, in
1467 * which case we can't do anything else except report a failure
1468 * to connect.
1469 */
1470 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1471 if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) {
1472 return ERR_PTR(-EBUSY);
1473 }
1474
1475 /* Check if the destination address has been resolved by the controller
1476 * since if it did then the identity address shall be used.
1477 */
1478 if (!dst_resolved) {
1479 /* When given an identity address with existing identity
1480 * resolving key, the connection needs to be established
1481 * to a resolvable random address.
1482 *
1483 * Storing the resolvable random address is required here
1484 * to handle connection failures. The address will later
1485 * be resolved back into the original identity address
1486 * from the connect request.
1487 */
1488 irk = hci_find_irk_by_addr(hdev, dst, dst_type);
1489 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
1490 dst = &irk->rpa;
1491 dst_type = ADDR_LE_DEV_RANDOM;
1492 }
1493 }
1494
1495 if (conn) {
1496 bacpy(&conn->dst, dst);
1497 } else {
1498 conn = hci_conn_add_unset(hdev, LE_LINK, dst, dst_type, role);
1499 if (IS_ERR(conn))
1500 return conn;
1501 hci_conn_hold(conn);
1502 conn->pending_sec_level = sec_level;
1503 }
1504
1505 conn->sec_level = BT_SECURITY_LOW;
1506 conn->conn_timeout = conn_timeout;
1507 conn->le_adv_phy = phy;
1508 conn->le_adv_sec_phy = sec_phy;
1509
1510 err = hci_connect_le_sync(hdev, conn);
1511 if (err) {
1512 hci_conn_del(conn);
1513 return ERR_PTR(err);
1514 }
1515
1516 return conn;
1517}
1518
1519static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
1520{
1521 struct hci_conn *conn;
1522
1523 conn = hci_conn_hash_lookup_le(hdev, addr, type);
1524 if (!conn)
1525 return false;
1526
1527 if (conn->state != BT_CONNECTED)
1528 return false;
1529
1530 return true;
1531}
1532
1533/* This function requires the caller holds hdev->lock */
1534static int hci_explicit_conn_params_set(struct hci_dev *hdev,
1535 bdaddr_t *addr, u8 addr_type)
1536{
1537 struct hci_conn_params *params;
1538
1539 if (is_connected(hdev, addr, addr_type))
1540 return -EISCONN;
1541
1542 params = hci_conn_params_lookup(hdev, addr, addr_type);
1543 if (!params) {
1544 params = hci_conn_params_add(hdev, addr, addr_type);
1545 if (!params)
1546 return -ENOMEM;
1547
1548 /* If we created new params, mark them to be deleted in
1549 * hci_connect_le_scan_cleanup. It's different case than
1550 * existing disabled params, those will stay after cleanup.
1551 */
1552 params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
1553 }
1554
1555 /* We're trying to connect, so make sure params are at pend_le_conns */
1556 if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
1557 params->auto_connect == HCI_AUTO_CONN_REPORT ||
1558 params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
1559 hci_pend_le_list_del_init(params);
1560 hci_pend_le_list_add(params, &hdev->pend_le_conns);
1561 }
1562
1563 params->explicit_connect = true;
1564
1565 BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
1566 params->auto_connect);
1567
1568 return 0;
1569}
1570
1571static int qos_set_big(struct hci_dev *hdev, struct bt_iso_qos *qos)
1572{
1573 struct hci_conn *conn;
1574 u8 big;
1575
1576 /* Allocate a BIG if not set */
1577 if (qos->bcast.big == BT_ISO_QOS_BIG_UNSET) {
1578 for (big = 0x00; big < 0xef; big++) {
1579
1580 conn = hci_conn_hash_lookup_big(hdev, big);
1581 if (!conn)
1582 break;
1583 }
1584
1585 if (big == 0xef)
1586 return -EADDRNOTAVAIL;
1587
1588 /* Update BIG */
1589 qos->bcast.big = big;
1590 }
1591
1592 return 0;
1593}
1594
1595static int qos_set_bis(struct hci_dev *hdev, struct bt_iso_qos *qos)
1596{
1597 struct hci_conn *conn;
1598 u8 bis;
1599
1600 /* Allocate BIS if not set */
1601 if (qos->bcast.bis == BT_ISO_QOS_BIS_UNSET) {
1602 if (qos->bcast.big != BT_ISO_QOS_BIG_UNSET) {
1603 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big);
1604
1605 if (conn) {
1606 /* If the BIG handle is already matched to an advertising
1607 * handle, do not allocate a new one.
1608 */
1609 qos->bcast.bis = conn->iso_qos.bcast.bis;
1610 return 0;
1611 }
1612 }
1613
1614 /* Find an unused adv set to advertise BIS, skip instance 0x00
1615 * since it is reserved as general purpose set.
1616 */
1617 for (bis = 0x01; bis < hdev->le_num_of_adv_sets;
1618 bis++) {
1619
1620 conn = hci_conn_hash_lookup_bis(hdev, BDADDR_ANY, bis);
1621 if (!conn)
1622 break;
1623 }
1624
1625 if (bis == hdev->le_num_of_adv_sets)
1626 return -EADDRNOTAVAIL;
1627
1628 /* Update BIS */
1629 qos->bcast.bis = bis;
1630 }
1631
1632 return 0;
1633}
1634
1635/* This function requires the caller holds hdev->lock */
1636static struct hci_conn *hci_add_bis(struct hci_dev *hdev, bdaddr_t *dst,
1637 __u8 sid, struct bt_iso_qos *qos,
1638 __u8 base_len, __u8 *base, u16 timeout)
1639{
1640 struct hci_conn *conn;
1641 int err;
1642
1643 /* Let's make sure that le is enabled.*/
1644 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1645 if (lmp_le_capable(hdev))
1646 return ERR_PTR(-ECONNREFUSED);
1647 return ERR_PTR(-EOPNOTSUPP);
1648 }
1649
1650 err = qos_set_big(hdev, qos);
1651 if (err)
1652 return ERR_PTR(err);
1653
1654 err = qos_set_bis(hdev, qos);
1655 if (err)
1656 return ERR_PTR(err);
1657
1658 /* Check if the LE Create BIG command has already been sent */
1659 conn = hci_conn_hash_lookup_per_adv_bis(hdev, dst, qos->bcast.big,
1660 qos->bcast.big);
1661 if (conn)
1662 return ERR_PTR(-EADDRINUSE);
1663
1664 /* Check BIS settings against other bound BISes, since all
1665 * BISes in a BIG must have the same value for all parameters
1666 */
1667 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big);
1668
1669 if (conn && (memcmp(qos, &conn->iso_qos, sizeof(*qos)) ||
1670 base_len != conn->le_per_adv_data_len ||
1671 memcmp(conn->le_per_adv_data, base, base_len)))
1672 return ERR_PTR(-EADDRINUSE);
1673
1674 conn = hci_conn_add_unset(hdev, BIS_LINK, dst, 0, HCI_ROLE_MASTER);
1675 if (IS_ERR(conn))
1676 return conn;
1677
1678 conn->state = BT_CONNECT;
1679 conn->sid = sid;
1680 conn->conn_timeout = timeout;
1681
1682 hci_conn_hold(conn);
1683 return conn;
1684}
1685
1686/* This function requires the caller holds hdev->lock */
1687struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
1688 u8 dst_type, u8 sec_level,
1689 u16 conn_timeout,
1690 enum conn_reasons conn_reason)
1691{
1692 struct hci_conn *conn;
1693
1694 /* Let's make sure that le is enabled.*/
1695 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1696 if (lmp_le_capable(hdev))
1697 return ERR_PTR(-ECONNREFUSED);
1698
1699 return ERR_PTR(-EOPNOTSUPP);
1700 }
1701
1702 /* Some devices send ATT messages as soon as the physical link is
1703 * established. To be able to handle these ATT messages, the user-
1704 * space first establishes the connection and then starts the pairing
1705 * process.
1706 *
1707 * So if a hci_conn object already exists for the following connection
1708 * attempt, we simply update pending_sec_level and auth_type fields
1709 * and return the object found.
1710 */
1711 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1712 if (conn) {
1713 if (conn->pending_sec_level < sec_level)
1714 conn->pending_sec_level = sec_level;
1715 goto done;
1716 }
1717
1718 BT_DBG("requesting refresh of dst_addr");
1719
1720 conn = hci_conn_add_unset(hdev, LE_LINK, dst, dst_type,
1721 HCI_ROLE_MASTER);
1722 if (IS_ERR(conn))
1723 return conn;
1724
1725 if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) {
1726 hci_conn_del(conn);
1727 return ERR_PTR(-EBUSY);
1728 }
1729
1730 conn->state = BT_CONNECT;
1731 set_bit(HCI_CONN_SCANNING, &conn->flags);
1732 conn->sec_level = BT_SECURITY_LOW;
1733 conn->pending_sec_level = sec_level;
1734 conn->conn_timeout = conn_timeout;
1735 conn->conn_reason = conn_reason;
1736
1737 hci_update_passive_scan(hdev);
1738
1739done:
1740 hci_conn_hold(conn);
1741 return conn;
1742}
1743
1744struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
1745 u8 sec_level, u8 auth_type,
1746 enum conn_reasons conn_reason, u16 timeout)
1747{
1748 struct hci_conn *acl;
1749
1750 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1751 if (lmp_bredr_capable(hdev))
1752 return ERR_PTR(-ECONNREFUSED);
1753
1754 return ERR_PTR(-EOPNOTSUPP);
1755 }
1756
1757 /* Reject outgoing connection to device with same BD ADDR against
1758 * CVE-2020-26555
1759 */
1760 if (!bacmp(&hdev->bdaddr, dst)) {
1761 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
1762 dst);
1763 return ERR_PTR(-ECONNREFUSED);
1764 }
1765
1766 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
1767 if (!acl) {
1768 acl = hci_conn_add_unset(hdev, ACL_LINK, dst, 0,
1769 HCI_ROLE_MASTER);
1770 if (IS_ERR(acl))
1771 return acl;
1772 }
1773
1774 hci_conn_hold(acl);
1775
1776 acl->conn_reason = conn_reason;
1777 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
1778 int err;
1779
1780 acl->sec_level = BT_SECURITY_LOW;
1781 acl->pending_sec_level = sec_level;
1782 acl->auth_type = auth_type;
1783 acl->conn_timeout = timeout;
1784
1785 err = hci_connect_acl_sync(hdev, acl);
1786 if (err) {
1787 hci_conn_del(acl);
1788 return ERR_PTR(err);
1789 }
1790 }
1791
1792 return acl;
1793}
1794
1795static struct hci_link *hci_conn_link(struct hci_conn *parent,
1796 struct hci_conn *conn)
1797{
1798 struct hci_dev *hdev = parent->hdev;
1799 struct hci_link *link;
1800
1801 bt_dev_dbg(hdev, "parent %p hcon %p", parent, conn);
1802
1803 if (conn->link)
1804 return conn->link;
1805
1806 if (conn->parent)
1807 return NULL;
1808
1809 link = kzalloc_obj(*link);
1810 if (!link)
1811 return NULL;
1812
1813 link->conn = hci_conn_hold(conn);
1814 conn->link = link;
1815 conn->parent = hci_conn_get(parent);
1816
1817 /* Use list_add_tail_rcu append to the list */
1818 list_add_tail_rcu(&link->list, &parent->link_list);
1819
1820 return link;
1821}
1822
1823struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
1824 __u16 setting, struct bt_codec *codec,
1825 u16 timeout)
1826{
1827 struct hci_conn *acl;
1828 struct hci_conn *sco;
1829 struct hci_link *link;
1830
1831 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING,
1832 CONN_REASON_SCO_CONNECT, timeout);
1833 if (IS_ERR(acl))
1834 return acl;
1835
1836 sco = hci_conn_hash_lookup_ba(hdev, type, dst);
1837 if (!sco) {
1838 sco = hci_conn_add_unset(hdev, type, dst, 0, HCI_ROLE_MASTER);
1839 if (IS_ERR(sco)) {
1840 hci_conn_drop(acl);
1841 return sco;
1842 }
1843 }
1844
1845 link = hci_conn_link(acl, sco);
1846 if (!link) {
1847 hci_conn_drop(acl);
1848 hci_conn_drop(sco);
1849 return ERR_PTR(-ENOLINK);
1850 }
1851
1852 sco->setting = setting;
1853 sco->codec = *codec;
1854
1855 if (acl->state == BT_CONNECTED &&
1856 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
1857 set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
1858 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
1859
1860 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
1861 /* defer SCO setup until mode change completed */
1862 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
1863 return sco;
1864 }
1865
1866 hci_sco_setup(acl, 0x00);
1867 }
1868
1869 return sco;
1870}
1871
1872static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos)
1873{
1874 struct hci_dev *hdev = conn->hdev;
1875 struct hci_cp_le_create_big cp;
1876 struct iso_list_data data;
1877
1878 memset(&cp, 0, sizeof(cp));
1879
1880 data.big = qos->bcast.big;
1881 data.bis = qos->bcast.bis;
1882 data.count = 0;
1883
1884 /* Create a BIS for each bound connection */
1885 hci_conn_hash_list_state(hdev, bis_list, BIS_LINK,
1886 BT_BOUND, &data);
1887
1888 cp.handle = qos->bcast.big;
1889 cp.adv_handle = qos->bcast.bis;
1890 cp.num_bis = data.count;
1891 hci_cpu_to_le24(qos->bcast.out.interval, cp.bis.sdu_interval);
1892 cp.bis.sdu = cpu_to_le16(qos->bcast.out.sdu);
1893 cp.bis.latency = cpu_to_le16(qos->bcast.out.latency);
1894 cp.bis.rtn = qos->bcast.out.rtn;
1895 cp.bis.phy = qos->bcast.out.phys;
1896 cp.bis.packing = qos->bcast.packing;
1897 cp.bis.framing = qos->bcast.framing;
1898 cp.bis.encryption = qos->bcast.encryption;
1899 memcpy(cp.bis.bcode, qos->bcast.bcode, sizeof(cp.bis.bcode));
1900
1901 return hci_send_cmd(hdev, HCI_OP_LE_CREATE_BIG, sizeof(cp), &cp);
1902}
1903
1904static int set_cig_params_sync(struct hci_dev *hdev, void *data)
1905{
1906 DEFINE_FLEX(struct hci_cp_le_set_cig_params, pdu, cis, num_cis, 0x1f);
1907 u8 cig_id = PTR_UINT(data);
1908 struct hci_conn *conn;
1909 struct bt_iso_qos *qos;
1910 u8 aux_num_cis = 0;
1911 u8 cis_id;
1912
1913 hci_dev_lock(hdev);
1914
1915 conn = hci_conn_hash_lookup_cig(hdev, cig_id);
1916 if (!conn) {
1917 hci_dev_unlock(hdev);
1918 return 0;
1919 }
1920
1921 qos = &conn->iso_qos;
1922 pdu->cig_id = cig_id;
1923 hci_cpu_to_le24(qos->ucast.out.interval, pdu->c_interval);
1924 hci_cpu_to_le24(qos->ucast.in.interval, pdu->p_interval);
1925 pdu->sca = qos->ucast.sca;
1926 pdu->packing = qos->ucast.packing;
1927 pdu->framing = qos->ucast.framing;
1928 pdu->c_latency = cpu_to_le16(qos->ucast.out.latency);
1929 pdu->p_latency = cpu_to_le16(qos->ucast.in.latency);
1930
1931 /* Reprogram all CIS(s) with the same CIG, valid range are:
1932 * num_cis: 0x00 to 0x1F
1933 * cis_id: 0x00 to 0xEF
1934 */
1935 for (cis_id = 0x00; cis_id < 0xf0 &&
1936 aux_num_cis < pdu->num_cis; cis_id++) {
1937 struct hci_cis_params *cis;
1938
1939 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, cig_id, cis_id);
1940 if (!conn)
1941 continue;
1942
1943 qos = &conn->iso_qos;
1944
1945 cis = &pdu->cis[aux_num_cis++];
1946 cis->cis_id = cis_id;
1947 cis->c_sdu = cpu_to_le16(conn->iso_qos.ucast.out.sdu);
1948 cis->p_sdu = cpu_to_le16(conn->iso_qos.ucast.in.sdu);
1949 cis->c_phys = qos->ucast.out.phys ? qos->ucast.out.phys :
1950 qos->ucast.in.phys;
1951 cis->p_phys = qos->ucast.in.phys ? qos->ucast.in.phys :
1952 qos->ucast.out.phys;
1953 cis->c_rtn = qos->ucast.out.rtn;
1954 cis->p_rtn = qos->ucast.in.rtn;
1955 }
1956 pdu->num_cis = aux_num_cis;
1957
1958 hci_dev_unlock(hdev);
1959
1960 if (!pdu->num_cis)
1961 return 0;
1962
1963 return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_CIG_PARAMS,
1964 struct_size(pdu, cis, pdu->num_cis),
1965 pdu, HCI_CMD_TIMEOUT);
1966}
1967
1968static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos)
1969{
1970 struct hci_dev *hdev = conn->hdev;
1971 struct iso_list_data data;
1972
1973 memset(&data, 0, sizeof(data));
1974
1975 /* Allocate first still reconfigurable CIG if not set */
1976 if (qos->ucast.cig == BT_ISO_QOS_CIG_UNSET) {
1977 for (data.cig = 0x00; data.cig < 0xf0; data.cig++) {
1978 data.count = 0;
1979
1980 hci_conn_hash_list_state(hdev, find_cis, CIS_LINK,
1981 BT_CONNECT, &data);
1982 if (data.count)
1983 continue;
1984
1985 hci_conn_hash_list_state(hdev, find_cis, CIS_LINK,
1986 BT_CONNECTED, &data);
1987 if (!data.count)
1988 break;
1989 }
1990
1991 if (data.cig == 0xf0)
1992 return false;
1993
1994 /* Update CIG */
1995 qos->ucast.cig = data.cig;
1996 }
1997
1998 if (qos->ucast.cis != BT_ISO_QOS_CIS_UNSET) {
1999 if (hci_conn_hash_lookup_cis(hdev, NULL, 0, qos->ucast.cig,
2000 qos->ucast.cis))
2001 return false;
2002 goto done;
2003 }
2004
2005 /* Allocate first available CIS if not set */
2006 for (data.cig = qos->ucast.cig, data.cis = 0x00; data.cis < 0xf0;
2007 data.cis++) {
2008 if (!hci_conn_hash_lookup_cis(hdev, NULL, 0, data.cig,
2009 data.cis)) {
2010 /* Update CIS */
2011 qos->ucast.cis = data.cis;
2012 break;
2013 }
2014 }
2015
2016 if (qos->ucast.cis == BT_ISO_QOS_CIS_UNSET)
2017 return false;
2018
2019done:
2020 conn->iso_qos = *qos;
2021
2022 if (hci_cmd_sync_queue(hdev, set_cig_params_sync,
2023 UINT_PTR(qos->ucast.cig), NULL) < 0)
2024 return false;
2025
2026 return true;
2027}
2028
2029struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst,
2030 __u8 dst_type, struct bt_iso_qos *qos,
2031 u16 timeout)
2032{
2033 struct hci_conn *cis;
2034
2035 cis = hci_conn_hash_lookup_cis(hdev, dst, dst_type, qos->ucast.cig,
2036 qos->ucast.cis);
2037 if (!cis) {
2038 cis = hci_conn_add_unset(hdev, CIS_LINK, dst, dst_type,
2039 HCI_ROLE_MASTER);
2040 if (IS_ERR(cis))
2041 return cis;
2042 cis->cleanup = cis_cleanup;
2043 cis->dst_type = dst_type;
2044 cis->iso_qos.ucast.cig = BT_ISO_QOS_CIG_UNSET;
2045 cis->iso_qos.ucast.cis = BT_ISO_QOS_CIS_UNSET;
2046 cis->conn_timeout = timeout;
2047 }
2048
2049 if (cis->state == BT_CONNECTED)
2050 return cis;
2051
2052 /* Check if CIS has been set and the settings matches */
2053 if (cis->state == BT_BOUND &&
2054 !memcmp(&cis->iso_qos, qos, sizeof(*qos)))
2055 return cis;
2056
2057 /* Update LINK PHYs according to QoS preference */
2058 cis->le_tx_phy = qos->ucast.out.phys;
2059 cis->le_rx_phy = qos->ucast.in.phys;
2060
2061 /* If output interval is not set use the input interval as it cannot be
2062 * 0x000000.
2063 */
2064 if (!qos->ucast.out.interval)
2065 qos->ucast.out.interval = qos->ucast.in.interval;
2066
2067 /* If input interval is not set use the output interval as it cannot be
2068 * 0x000000.
2069 */
2070 if (!qos->ucast.in.interval)
2071 qos->ucast.in.interval = qos->ucast.out.interval;
2072
2073 /* If output latency is not set use the input latency as it cannot be
2074 * 0x0000.
2075 */
2076 if (!qos->ucast.out.latency)
2077 qos->ucast.out.latency = qos->ucast.in.latency;
2078
2079 /* If input latency is not set use the output latency as it cannot be
2080 * 0x0000.
2081 */
2082 if (!qos->ucast.in.latency)
2083 qos->ucast.in.latency = qos->ucast.out.latency;
2084
2085 if (!hci_le_set_cig_params(cis, qos)) {
2086 hci_conn_drop(cis);
2087 return ERR_PTR(-EINVAL);
2088 }
2089
2090 hci_conn_hold(cis);
2091 cis->state = BT_BOUND;
2092
2093 return cis;
2094}
2095
2096bool hci_iso_setup_path(struct hci_conn *conn)
2097{
2098 struct hci_dev *hdev = conn->hdev;
2099 struct hci_cp_le_setup_iso_path cmd;
2100
2101 memset(&cmd, 0, sizeof(cmd));
2102
2103 if (conn->iso_qos.ucast.out.sdu) {
2104 cmd.handle = cpu_to_le16(conn->handle);
2105 cmd.direction = 0x00; /* Input (Host to Controller) */
2106 cmd.path = 0x00; /* HCI path if enabled */
2107 cmd.codec = 0x03; /* Transparent Data */
2108
2109 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
2110 &cmd) < 0)
2111 return false;
2112 }
2113
2114 if (conn->iso_qos.ucast.in.sdu) {
2115 cmd.handle = cpu_to_le16(conn->handle);
2116 cmd.direction = 0x01; /* Output (Controller to Host) */
2117 cmd.path = 0x00; /* HCI path if enabled */
2118 cmd.codec = 0x03; /* Transparent Data */
2119
2120 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
2121 &cmd) < 0)
2122 return false;
2123 }
2124
2125 return true;
2126}
2127
2128int hci_conn_check_create_cis(struct hci_conn *conn)
2129{
2130 if (conn->type != CIS_LINK)
2131 return -EINVAL;
2132
2133 if (!conn->parent || conn->parent->state != BT_CONNECTED ||
2134 conn->state != BT_CONNECT || HCI_CONN_HANDLE_UNSET(conn->handle))
2135 return 1;
2136
2137 return 0;
2138}
2139
2140static int hci_create_cis_sync(struct hci_dev *hdev, void *data)
2141{
2142 return hci_le_create_cis_sync(hdev);
2143}
2144
2145int hci_le_create_cis_pending(struct hci_dev *hdev)
2146{
2147 struct hci_conn *conn;
2148 bool pending = false;
2149
2150 rcu_read_lock();
2151
2152 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
2153 if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) {
2154 rcu_read_unlock();
2155 return -EBUSY;
2156 }
2157
2158 if (!hci_conn_check_create_cis(conn))
2159 pending = true;
2160 }
2161
2162 rcu_read_unlock();
2163
2164 if (!pending)
2165 return 0;
2166
2167 /* Queue Create CIS */
2168 return hci_cmd_sync_queue(hdev, hci_create_cis_sync, NULL, NULL);
2169}
2170
2171static void hci_iso_qos_setup(struct hci_dev *hdev, struct hci_conn *conn,
2172 struct bt_iso_io_qos *qos, __u8 phys)
2173{
2174 /* Only set MTU if PHY is enabled */
2175 if (!qos->sdu && qos->phys)
2176 qos->sdu = conn->mtu;
2177
2178 /* Use the same PHY as ACL if set to any */
2179 if (qos->phys == BT_ISO_PHY_ANY)
2180 qos->phys = phys;
2181
2182 /* Use LE ACL connection interval if not set */
2183 if (!qos->interval)
2184 /* ACL interval unit in 1.25 ms to us */
2185 qos->interval = conn->le_conn_interval * 1250;
2186
2187 /* Use LE ACL connection latency if not set */
2188 if (!qos->latency)
2189 qos->latency = conn->le_conn_latency;
2190}
2191
2192static int create_big_sync(struct hci_dev *hdev, void *data)
2193{
2194 struct hci_conn *conn = data;
2195 struct bt_iso_qos *qos = &conn->iso_qos;
2196 u16 interval, sync_interval = 0;
2197 u32 flags = 0;
2198 int err;
2199
2200 if (!hci_conn_valid(hdev, conn))
2201 return -ECANCELED;
2202
2203 if (qos->bcast.out.phys == BIT(1))
2204 flags |= MGMT_ADV_FLAG_SEC_2M;
2205
2206 /* Align intervals */
2207 interval = (qos->bcast.out.interval / 1250) * qos->bcast.sync_factor;
2208
2209 if (qos->bcast.bis)
2210 sync_interval = interval * 4;
2211
2212 err = hci_start_per_adv_sync(hdev, qos->bcast.bis, conn->sid,
2213 conn->le_per_adv_data_len,
2214 conn->le_per_adv_data, flags, interval,
2215 interval, sync_interval);
2216 if (err)
2217 return err;
2218
2219 return hci_le_create_big(conn, &conn->iso_qos);
2220}
2221
2222struct hci_conn *hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst,
2223 __u8 dst_type, __u8 sid,
2224 struct bt_iso_qos *qos)
2225{
2226 struct hci_conn *conn;
2227
2228 bt_dev_dbg(hdev, "dst %pMR type %d sid %d", dst, dst_type, sid);
2229
2230 conn = hci_conn_add_unset(hdev, PA_LINK, dst, dst_type, HCI_ROLE_SLAVE);
2231 if (IS_ERR(conn))
2232 return conn;
2233
2234 conn->iso_qos = *qos;
2235 conn->sid = sid;
2236 conn->state = BT_LISTEN;
2237 conn->conn_timeout = msecs_to_jiffies(qos->bcast.sync_timeout * 10);
2238
2239 hci_conn_hold(conn);
2240
2241 hci_connect_pa_sync(hdev, conn);
2242
2243 return conn;
2244}
2245
2246int hci_conn_big_create_sync(struct hci_dev *hdev, struct hci_conn *hcon,
2247 struct bt_iso_qos *qos, __u16 sync_handle,
2248 __u8 num_bis, __u8 bis[])
2249{
2250 int err;
2251
2252 if (num_bis < 0x01 || num_bis > ISO_MAX_NUM_BIS)
2253 return -EINVAL;
2254
2255 err = qos_set_big(hdev, qos);
2256 if (err)
2257 return err;
2258
2259 if (hcon) {
2260 /* Update hcon QoS */
2261 hcon->iso_qos = *qos;
2262
2263 hcon->num_bis = num_bis;
2264 memcpy(hcon->bis, bis, num_bis);
2265 hcon->conn_timeout = msecs_to_jiffies(qos->bcast.timeout * 10);
2266 }
2267
2268 return hci_connect_big_sync(hdev, hcon);
2269}
2270
2271static void create_big_complete(struct hci_dev *hdev, void *data, int err)
2272{
2273 struct hci_conn *conn = data;
2274
2275 bt_dev_dbg(hdev, "conn %p", conn);
2276
2277 if (err == -ECANCELED)
2278 goto done;
2279
2280 hci_dev_lock(hdev);
2281
2282 if (!hci_conn_valid(hdev, conn))
2283 goto unlock;
2284
2285 if (err) {
2286 bt_dev_err(hdev, "Unable to create BIG: %d", err);
2287 hci_connect_cfm(conn, err);
2288 hci_conn_del(conn);
2289 }
2290
2291unlock:
2292 hci_dev_unlock(hdev);
2293done:
2294 hci_conn_put(conn);
2295}
2296
2297struct hci_conn *hci_bind_bis(struct hci_dev *hdev, bdaddr_t *dst, __u8 sid,
2298 struct bt_iso_qos *qos,
2299 __u8 base_len, __u8 *base, u16 timeout)
2300{
2301 struct hci_conn *conn;
2302 struct hci_conn *parent;
2303 __u8 eir[HCI_MAX_PER_AD_LENGTH];
2304 struct hci_link *link;
2305
2306 /* Look for any BIS that is open for rebinding */
2307 conn = hci_conn_hash_lookup_big_state(hdev, qos->bcast.big, BT_OPEN,
2308 HCI_ROLE_MASTER);
2309 if (conn) {
2310 memcpy(qos, &conn->iso_qos, sizeof(*qos));
2311 conn->state = BT_CONNECTED;
2312 return conn;
2313 }
2314
2315 if (base_len && base)
2316 base_len = eir_append_service_data(eir, 0, 0x1851,
2317 base, base_len);
2318
2319 /* We need hci_conn object using the BDADDR_ANY as dst */
2320 conn = hci_add_bis(hdev, dst, sid, qos, base_len, eir, timeout);
2321 if (IS_ERR(conn))
2322 return conn;
2323
2324 /* Update LINK PHYs according to QoS preference */
2325 conn->le_tx_def_phys = qos->bcast.out.phys;
2326
2327 /* Add Basic Announcement into Peridic Adv Data if BASE is set */
2328 if (base_len && base) {
2329 memcpy(conn->le_per_adv_data, eir, sizeof(eir));
2330 conn->le_per_adv_data_len = base_len;
2331 }
2332
2333 hci_iso_qos_setup(hdev, conn, &qos->bcast.out,
2334 conn->le_tx_def_phys ? conn->le_tx_def_phys :
2335 hdev->le_tx_def_phys);
2336
2337 conn->iso_qos = *qos;
2338 conn->state = BT_BOUND;
2339
2340 /* Link BISes together */
2341 parent = hci_conn_hash_lookup_big(hdev,
2342 conn->iso_qos.bcast.big);
2343 if (parent && parent != conn) {
2344 link = hci_conn_link(parent, conn);
2345 hci_conn_drop(conn);
2346 if (!link)
2347 return ERR_PTR(-ENOLINK);
2348 }
2349
2350 return conn;
2351}
2352
2353int hci_past_bis(struct hci_conn *conn, bdaddr_t *dst, __u8 dst_type)
2354{
2355 struct hci_conn *le;
2356
2357 /* Lookup existing LE connection to rebind to */
2358 le = hci_conn_hash_lookup_le(conn->hdev, dst, dst_type);
2359 if (!le)
2360 return -EINVAL;
2361
2362 return hci_past_sync(conn, le);
2363}
2364
2365static void bis_mark_per_adv(struct hci_conn *conn, void *data)
2366{
2367 struct iso_list_data *d = data;
2368
2369 /* Skip if not broadcast/ANY address */
2370 if (bacmp(&conn->dst, BDADDR_ANY))
2371 return;
2372
2373 if (d->big != conn->iso_qos.bcast.big ||
2374 d->bis == BT_ISO_QOS_BIS_UNSET ||
2375 d->bis != conn->iso_qos.bcast.bis)
2376 return;
2377
2378 set_bit(HCI_CONN_PER_ADV, &conn->flags);
2379}
2380
2381struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst,
2382 __u8 dst_type, __u8 sid,
2383 struct bt_iso_qos *qos,
2384 __u8 base_len, __u8 *base, u16 timeout)
2385{
2386 struct hci_conn *conn;
2387 int err;
2388 struct iso_list_data data;
2389
2390 conn = hci_bind_bis(hdev, dst, sid, qos, base_len, base, timeout);
2391 if (IS_ERR(conn))
2392 return conn;
2393
2394 if (conn->state == BT_CONNECTED)
2395 return conn;
2396
2397 /* Check if SID needs to be allocated then search for the first
2398 * available.
2399 */
2400 if (conn->sid == HCI_SID_INVALID) {
2401 u8 sid;
2402
2403 for (sid = 0; sid <= 0x0f; sid++) {
2404 if (!hci_find_adv_sid(hdev, sid)) {
2405 conn->sid = sid;
2406 break;
2407 }
2408 }
2409 }
2410
2411 data.big = qos->bcast.big;
2412 data.bis = qos->bcast.bis;
2413
2414 /* Set HCI_CONN_PER_ADV for all bound connections, to mark that
2415 * the start periodic advertising and create BIG commands have
2416 * been queued
2417 */
2418 hci_conn_hash_list_state(hdev, bis_mark_per_adv, BIS_LINK,
2419 BT_BOUND, &data);
2420
2421 /* Queue start periodic advertising and create BIG */
2422 err = hci_cmd_sync_queue(hdev, create_big_sync, hci_conn_get(conn),
2423 create_big_complete);
2424 if (err < 0) {
2425 hci_conn_drop(conn);
2426 hci_conn_put(conn);
2427 return ERR_PTR(err);
2428 }
2429
2430 return conn;
2431}
2432
2433struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst,
2434 __u8 dst_type, struct bt_iso_qos *qos,
2435 u16 timeout)
2436{
2437 struct hci_conn *le;
2438 struct hci_conn *cis;
2439 struct hci_link *link;
2440
2441 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
2442 le = hci_connect_le(hdev, dst, dst_type, false,
2443 BT_SECURITY_LOW,
2444 HCI_LE_CONN_TIMEOUT,
2445 HCI_ROLE_SLAVE, 0, 0);
2446 else
2447 le = hci_connect_le_scan(hdev, dst, dst_type,
2448 BT_SECURITY_LOW,
2449 HCI_LE_CONN_TIMEOUT,
2450 CONN_REASON_ISO_CONNECT);
2451 if (IS_ERR(le))
2452 return le;
2453
2454 hci_iso_qos_setup(hdev, le, &qos->ucast.out,
2455 le->le_tx_def_phys ? le->le_tx_def_phys :
2456 hdev->le_tx_def_phys);
2457 hci_iso_qos_setup(hdev, le, &qos->ucast.in,
2458 le->le_rx_def_phys ? le->le_rx_def_phys :
2459 hdev->le_rx_def_phys);
2460
2461 cis = hci_bind_cis(hdev, dst, dst_type, qos, timeout);
2462 if (IS_ERR(cis)) {
2463 hci_conn_drop(le);
2464 return cis;
2465 }
2466
2467 link = hci_conn_link(le, cis);
2468 hci_conn_drop(cis);
2469 if (!link) {
2470 hci_conn_drop(le);
2471 return ERR_PTR(-ENOLINK);
2472 }
2473
2474 cis->state = BT_CONNECT;
2475
2476 hci_le_create_cis_pending(hdev);
2477
2478 return cis;
2479}
2480
2481/* Check link security requirement */
2482int hci_conn_check_link_mode(struct hci_conn *conn)
2483{
2484 BT_DBG("hcon %p", conn);
2485
2486 /* In Secure Connections Only mode, it is required that Secure
2487 * Connections is used and the link is encrypted with AES-CCM
2488 * using a P-256 authenticated combination key.
2489 */
2490 if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) {
2491 if (!hci_conn_sc_enabled(conn) ||
2492 !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2493 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
2494 return 0;
2495 }
2496
2497 /* AES encryption is required for Level 4:
2498 *
2499 * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C
2500 * page 1319:
2501 *
2502 * 128-bit equivalent strength for link and encryption keys
2503 * required using FIPS approved algorithms (E0 not allowed,
2504 * SAFER+ not allowed, and P-192 not allowed; encryption key
2505 * not shortened)
2506 */
2507 if (conn->sec_level == BT_SECURITY_FIPS &&
2508 !test_bit(HCI_CONN_AES_CCM, &conn->flags)) {
2509 bt_dev_err(conn->hdev,
2510 "Invalid security: Missing AES-CCM usage");
2511 return 0;
2512 }
2513
2514 if (hci_conn_ssp_enabled(conn) &&
2515 !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2516 return 0;
2517
2518 return 1;
2519}
2520
2521/* Authenticate remote device */
2522static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
2523{
2524 BT_DBG("hcon %p", conn);
2525
2526 if (conn->pending_sec_level > sec_level)
2527 sec_level = conn->pending_sec_level;
2528
2529 if (sec_level > conn->sec_level)
2530 conn->pending_sec_level = sec_level;
2531 else if (test_bit(HCI_CONN_AUTH, &conn->flags))
2532 return 1;
2533
2534 /* Make sure we preserve an existing MITM requirement*/
2535 auth_type |= (conn->auth_type & 0x01);
2536
2537 conn->auth_type = auth_type;
2538
2539 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2540 struct hci_cp_auth_requested cp;
2541
2542 cp.handle = cpu_to_le16(conn->handle);
2543 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
2544 sizeof(cp), &cp);
2545
2546 /* Set the ENCRYPT_PEND to trigger encryption after
2547 * authentication.
2548 */
2549 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2550 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2551 }
2552
2553 return 0;
2554}
2555
2556/* Encrypt the link */
2557static void hci_conn_encrypt(struct hci_conn *conn)
2558{
2559 BT_DBG("hcon %p", conn);
2560
2561 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2562 struct hci_cp_set_conn_encrypt cp;
2563 cp.handle = cpu_to_le16(conn->handle);
2564 cp.encrypt = 0x01;
2565 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2566 &cp);
2567 }
2568}
2569
2570/* Enable security */
2571int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
2572 bool initiator)
2573{
2574 BT_DBG("hcon %p", conn);
2575
2576 if (conn->type == LE_LINK)
2577 return smp_conn_security(conn, sec_level);
2578
2579 /* For sdp we don't need the link key. */
2580 if (sec_level == BT_SECURITY_SDP)
2581 return 1;
2582
2583 /* For non 2.1 devices and low security level we don't need the link
2584 key. */
2585 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
2586 return 1;
2587
2588 /* For other security levels we need the link key. */
2589 if (!test_bit(HCI_CONN_AUTH, &conn->flags))
2590 goto auth;
2591
2592 switch (conn->key_type) {
2593 case HCI_LK_AUTH_COMBINATION_P256:
2594 /* An authenticated FIPS approved combination key has
2595 * sufficient security for security level 4 or lower.
2596 */
2597 if (sec_level <= BT_SECURITY_FIPS)
2598 goto encrypt;
2599 break;
2600 case HCI_LK_AUTH_COMBINATION_P192:
2601 /* An authenticated combination key has sufficient security for
2602 * security level 3 or lower.
2603 */
2604 if (sec_level <= BT_SECURITY_HIGH)
2605 goto encrypt;
2606 break;
2607 case HCI_LK_UNAUTH_COMBINATION_P192:
2608 case HCI_LK_UNAUTH_COMBINATION_P256:
2609 /* An unauthenticated combination key has sufficient security
2610 * for security level 2 or lower.
2611 */
2612 if (sec_level <= BT_SECURITY_MEDIUM)
2613 goto encrypt;
2614 break;
2615 case HCI_LK_COMBINATION:
2616 /* A combination key has always sufficient security for the
2617 * security levels 2 or lower. High security level requires the
2618 * combination key is generated using maximum PIN code length
2619 * (16). For pre 2.1 units.
2620 */
2621 if (sec_level <= BT_SECURITY_MEDIUM || conn->pin_length == 16)
2622 goto encrypt;
2623 break;
2624 default:
2625 break;
2626 }
2627
2628auth:
2629 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
2630 return 0;
2631
2632 if (initiator)
2633 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2634
2635 if (!hci_conn_auth(conn, sec_level, auth_type))
2636 return 0;
2637
2638encrypt:
2639 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) {
2640 /* Ensure that the encryption key size has been read,
2641 * otherwise stall the upper layer responses.
2642 */
2643 if (!conn->enc_key_size)
2644 return 0;
2645
2646 /* Nothing else needed, all requirements are met */
2647 return 1;
2648 }
2649
2650 hci_conn_encrypt(conn);
2651 return 0;
2652}
2653EXPORT_SYMBOL(hci_conn_security);
2654
2655/* Check secure link requirement */
2656int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
2657{
2658 BT_DBG("hcon %p", conn);
2659
2660 /* Accept if non-secure or higher security level is required */
2661 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
2662 return 1;
2663
2664 /* Accept if secure or higher security level is already present */
2665 if (conn->sec_level == BT_SECURITY_HIGH ||
2666 conn->sec_level == BT_SECURITY_FIPS)
2667 return 1;
2668
2669 /* Reject not secure link */
2670 return 0;
2671}
2672EXPORT_SYMBOL(hci_conn_check_secure);
2673
2674/* Switch role */
2675int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
2676{
2677 BT_DBG("hcon %p", conn);
2678
2679 if (role == conn->role)
2680 return 1;
2681
2682 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
2683 struct hci_cp_switch_role cp;
2684 bacpy(&cp.bdaddr, &conn->dst);
2685 cp.role = role;
2686 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
2687 }
2688
2689 return 0;
2690}
2691EXPORT_SYMBOL(hci_conn_switch_role);
2692
2693/* Enter active mode */
2694void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
2695{
2696 struct hci_dev *hdev = conn->hdev;
2697
2698 BT_DBG("hcon %p mode %d", conn, conn->mode);
2699
2700 if (conn->mode != HCI_CM_SNIFF)
2701 goto timer;
2702
2703 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
2704 goto timer;
2705
2706 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
2707 struct hci_cp_exit_sniff_mode cp;
2708 cp.handle = cpu_to_le16(conn->handle);
2709 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
2710 }
2711
2712timer:
2713 if (hdev->idle_timeout > 0)
2714 mod_delayed_work(hdev->workqueue, &conn->idle_work,
2715 msecs_to_jiffies(hdev->idle_timeout));
2716}
2717
2718/* Drop all connection on the device */
2719void hci_conn_hash_flush(struct hci_dev *hdev)
2720{
2721 struct list_head *head = &hdev->conn_hash.list;
2722 struct hci_conn *conn;
2723
2724 BT_DBG("hdev %s", hdev->name);
2725
2726 /* We should not traverse the list here, because hci_conn_del
2727 * can remove extra links, which may cause the list traversal
2728 * to hit items that have already been released.
2729 */
2730 while ((conn = list_first_entry_or_null(head,
2731 struct hci_conn,
2732 list)) != NULL) {
2733 conn->state = BT_CLOSED;
2734 hci_disconn_cfm(conn, HCI_ERROR_LOCAL_HOST_TERM);
2735 hci_conn_del(conn);
2736 }
2737}
2738
2739static u32 get_link_mode(struct hci_conn *conn)
2740{
2741 u32 link_mode = 0;
2742
2743 if (conn->role == HCI_ROLE_MASTER)
2744 link_mode |= HCI_LM_MASTER;
2745
2746 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2747 link_mode |= HCI_LM_ENCRYPT;
2748
2749 if (test_bit(HCI_CONN_AUTH, &conn->flags))
2750 link_mode |= HCI_LM_AUTH;
2751
2752 if (test_bit(HCI_CONN_SECURE, &conn->flags))
2753 link_mode |= HCI_LM_SECURE;
2754
2755 if (test_bit(HCI_CONN_FIPS, &conn->flags))
2756 link_mode |= HCI_LM_FIPS;
2757
2758 return link_mode;
2759}
2760
2761int hci_get_conn_list(void __user *arg)
2762{
2763 struct hci_conn *c;
2764 struct hci_conn_list_req req, *cl;
2765 struct hci_conn_info *ci;
2766 struct hci_dev *hdev;
2767 int n = 0, size, err;
2768
2769 if (copy_from_user(&req, arg, sizeof(req)))
2770 return -EFAULT;
2771
2772 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
2773 return -EINVAL;
2774
2775 size = sizeof(req) + req.conn_num * sizeof(*ci);
2776
2777 cl = kmalloc(size, GFP_KERNEL);
2778 if (!cl)
2779 return -ENOMEM;
2780
2781 hdev = hci_dev_get(req.dev_id);
2782 if (!hdev) {
2783 kfree(cl);
2784 return -ENODEV;
2785 }
2786
2787 ci = cl->conn_info;
2788
2789 hci_dev_lock(hdev);
2790 list_for_each_entry(c, &hdev->conn_hash.list, list) {
2791 bacpy(&(ci + n)->bdaddr, &c->dst);
2792 (ci + n)->handle = c->handle;
2793 (ci + n)->type = c->type;
2794 (ci + n)->out = c->out;
2795 (ci + n)->state = c->state;
2796 (ci + n)->link_mode = get_link_mode(c);
2797 if (++n >= req.conn_num)
2798 break;
2799 }
2800 hci_dev_unlock(hdev);
2801
2802 cl->dev_id = hdev->id;
2803 cl->conn_num = n;
2804 size = sizeof(req) + n * sizeof(*ci);
2805
2806 hci_dev_put(hdev);
2807
2808 err = copy_to_user(arg, cl, size);
2809 kfree(cl);
2810
2811 return err ? -EFAULT : 0;
2812}
2813
2814int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
2815{
2816 struct hci_conn_info_req req;
2817 struct hci_conn_info ci;
2818 struct hci_conn *conn;
2819 char __user *ptr = arg + sizeof(req);
2820
2821 if (copy_from_user(&req, arg, sizeof(req)))
2822 return -EFAULT;
2823
2824 hci_dev_lock(hdev);
2825 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
2826 if (conn) {
2827 bacpy(&ci.bdaddr, &conn->dst);
2828 ci.handle = conn->handle;
2829 ci.type = conn->type;
2830 ci.out = conn->out;
2831 ci.state = conn->state;
2832 ci.link_mode = get_link_mode(conn);
2833 }
2834 hci_dev_unlock(hdev);
2835
2836 if (!conn)
2837 return -ENOENT;
2838
2839 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
2840}
2841
2842int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
2843{
2844 struct hci_auth_info_req req;
2845 struct hci_conn *conn;
2846
2847 if (copy_from_user(&req, arg, sizeof(req)))
2848 return -EFAULT;
2849
2850 hci_dev_lock(hdev);
2851 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
2852 if (conn)
2853 req.type = conn->auth_type;
2854 hci_dev_unlock(hdev);
2855
2856 if (!conn)
2857 return -ENOENT;
2858
2859 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
2860}
2861
2862struct hci_chan *hci_chan_create(struct hci_conn *conn)
2863{
2864 struct hci_dev *hdev = conn->hdev;
2865 struct hci_chan *chan;
2866
2867 BT_DBG("%s hcon %p", hdev->name, conn);
2868
2869 if (test_bit(HCI_CONN_DROP, &conn->flags)) {
2870 BT_DBG("Refusing to create new hci_chan");
2871 return NULL;
2872 }
2873
2874 chan = kzalloc_obj(*chan);
2875 if (!chan)
2876 return NULL;
2877
2878 chan->conn = hci_conn_get(conn);
2879 skb_queue_head_init(&chan->data_q);
2880 chan->state = BT_CONNECTED;
2881
2882 list_add_rcu(&chan->list, &conn->chan_list);
2883
2884 return chan;
2885}
2886
2887void hci_chan_del(struct hci_chan *chan)
2888{
2889 struct hci_conn *conn = chan->conn;
2890 struct hci_dev *hdev = conn->hdev;
2891
2892 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
2893
2894 list_del_rcu(&chan->list);
2895
2896 synchronize_rcu();
2897
2898 /* Prevent new hci_chan's to be created for this hci_conn */
2899 set_bit(HCI_CONN_DROP, &conn->flags);
2900
2901 hci_conn_put(conn);
2902
2903 skb_queue_purge(&chan->data_q);
2904 kfree(chan);
2905}
2906
2907void hci_chan_list_flush(struct hci_conn *conn)
2908{
2909 struct hci_chan *chan, *n;
2910
2911 BT_DBG("hcon %p", conn);
2912
2913 list_for_each_entry_safe(chan, n, &conn->chan_list, list)
2914 hci_chan_del(chan);
2915}
2916
2917static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
2918 __u16 handle)
2919{
2920 struct hci_chan *hchan;
2921
2922 list_for_each_entry(hchan, &hcon->chan_list, list) {
2923 if (hchan->handle == handle)
2924 return hchan;
2925 }
2926
2927 return NULL;
2928}
2929
2930struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
2931{
2932 struct hci_conn_hash *h = &hdev->conn_hash;
2933 struct hci_conn *hcon;
2934 struct hci_chan *hchan = NULL;
2935
2936 rcu_read_lock();
2937
2938 list_for_each_entry_rcu(hcon, &h->list, list) {
2939 hchan = __hci_chan_lookup_handle(hcon, handle);
2940 if (hchan)
2941 break;
2942 }
2943
2944 rcu_read_unlock();
2945
2946 return hchan;
2947}
2948
2949u32 hci_conn_get_phy(struct hci_conn *conn)
2950{
2951 u32 phys = 0;
2952
2953 /* BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part B page 471:
2954 * Table 6.2: Packets defined for synchronous, asynchronous, and
2955 * CPB logical transport types.
2956 */
2957 switch (conn->type) {
2958 case SCO_LINK:
2959 /* SCO logical transport (1 Mb/s):
2960 * HV1, HV2, HV3 and DV.
2961 */
2962 phys |= BT_PHY_BR_1M_1SLOT;
2963
2964 break;
2965
2966 case ACL_LINK:
2967 /* ACL logical transport (1 Mb/s) ptt=0:
2968 * DH1, DM3, DH3, DM5 and DH5.
2969 */
2970 phys |= BT_PHY_BR_1M_1SLOT;
2971
2972 if (conn->pkt_type & (HCI_DM3 | HCI_DH3))
2973 phys |= BT_PHY_BR_1M_3SLOT;
2974
2975 if (conn->pkt_type & (HCI_DM5 | HCI_DH5))
2976 phys |= BT_PHY_BR_1M_5SLOT;
2977
2978 /* ACL logical transport (2 Mb/s) ptt=1:
2979 * 2-DH1, 2-DH3 and 2-DH5.
2980 */
2981 if (!(conn->pkt_type & HCI_2DH1))
2982 phys |= BT_PHY_EDR_2M_1SLOT;
2983
2984 if (!(conn->pkt_type & HCI_2DH3))
2985 phys |= BT_PHY_EDR_2M_3SLOT;
2986
2987 if (!(conn->pkt_type & HCI_2DH5))
2988 phys |= BT_PHY_EDR_2M_5SLOT;
2989
2990 /* ACL logical transport (3 Mb/s) ptt=1:
2991 * 3-DH1, 3-DH3 and 3-DH5.
2992 */
2993 if (!(conn->pkt_type & HCI_3DH1))
2994 phys |= BT_PHY_EDR_3M_1SLOT;
2995
2996 if (!(conn->pkt_type & HCI_3DH3))
2997 phys |= BT_PHY_EDR_3M_3SLOT;
2998
2999 if (!(conn->pkt_type & HCI_3DH5))
3000 phys |= BT_PHY_EDR_3M_5SLOT;
3001
3002 break;
3003
3004 case ESCO_LINK:
3005 /* eSCO logical transport (1 Mb/s): EV3, EV4 and EV5 */
3006 phys |= BT_PHY_BR_1M_1SLOT;
3007
3008 if (!(conn->pkt_type & (ESCO_EV4 | ESCO_EV5)))
3009 phys |= BT_PHY_BR_1M_3SLOT;
3010
3011 /* eSCO logical transport (2 Mb/s): 2-EV3, 2-EV5 */
3012 if (!(conn->pkt_type & ESCO_2EV3))
3013 phys |= BT_PHY_EDR_2M_1SLOT;
3014
3015 if (!(conn->pkt_type & ESCO_2EV5))
3016 phys |= BT_PHY_EDR_2M_3SLOT;
3017
3018 /* eSCO logical transport (3 Mb/s): 3-EV3, 3-EV5 */
3019 if (!(conn->pkt_type & ESCO_3EV3))
3020 phys |= BT_PHY_EDR_3M_1SLOT;
3021
3022 if (!(conn->pkt_type & ESCO_3EV5))
3023 phys |= BT_PHY_EDR_3M_3SLOT;
3024
3025 break;
3026
3027 case LE_LINK:
3028 if (conn->le_tx_def_phys & HCI_LE_SET_PHY_1M)
3029 phys |= BT_PHY_LE_1M_TX;
3030
3031 if (conn->le_rx_def_phys & HCI_LE_SET_PHY_1M)
3032 phys |= BT_PHY_LE_1M_RX;
3033
3034 if (conn->le_tx_def_phys & HCI_LE_SET_PHY_2M)
3035 phys |= BT_PHY_LE_2M_TX;
3036
3037 if (conn->le_rx_def_phys & HCI_LE_SET_PHY_2M)
3038 phys |= BT_PHY_LE_2M_RX;
3039
3040 if (conn->le_tx_def_phys & HCI_LE_SET_PHY_CODED)
3041 phys |= BT_PHY_LE_CODED_TX;
3042
3043 if (conn->le_rx_def_phys & HCI_LE_SET_PHY_CODED)
3044 phys |= BT_PHY_LE_CODED_RX;
3045
3046 break;
3047 }
3048
3049 return phys;
3050}
3051
3052static u16 bt_phy_pkt_type(struct hci_conn *conn, u32 phys)
3053{
3054 u16 pkt_type = conn->pkt_type;
3055
3056 if (phys & BT_PHY_BR_1M_3SLOT)
3057 pkt_type |= HCI_DM3 | HCI_DH3;
3058 else
3059 pkt_type &= ~(HCI_DM3 | HCI_DH3);
3060
3061 if (phys & BT_PHY_BR_1M_5SLOT)
3062 pkt_type |= HCI_DM5 | HCI_DH5;
3063 else
3064 pkt_type &= ~(HCI_DM5 | HCI_DH5);
3065
3066 if (phys & BT_PHY_EDR_2M_1SLOT)
3067 pkt_type &= ~HCI_2DH1;
3068 else
3069 pkt_type |= HCI_2DH1;
3070
3071 if (phys & BT_PHY_EDR_2M_3SLOT)
3072 pkt_type &= ~HCI_2DH3;
3073 else
3074 pkt_type |= HCI_2DH3;
3075
3076 if (phys & BT_PHY_EDR_2M_5SLOT)
3077 pkt_type &= ~HCI_2DH5;
3078 else
3079 pkt_type |= HCI_2DH5;
3080
3081 if (phys & BT_PHY_EDR_3M_1SLOT)
3082 pkt_type &= ~HCI_3DH1;
3083 else
3084 pkt_type |= HCI_3DH1;
3085
3086 if (phys & BT_PHY_EDR_3M_3SLOT)
3087 pkt_type &= ~HCI_3DH3;
3088 else
3089 pkt_type |= HCI_3DH3;
3090
3091 if (phys & BT_PHY_EDR_3M_5SLOT)
3092 pkt_type &= ~HCI_3DH5;
3093 else
3094 pkt_type |= HCI_3DH5;
3095
3096 return pkt_type;
3097}
3098
3099static int bt_phy_le_phy(u32 phys, u8 *tx_phys, u8 *rx_phys)
3100{
3101 if (!tx_phys || !rx_phys)
3102 return -EINVAL;
3103
3104 *tx_phys = 0;
3105 *rx_phys = 0;
3106
3107 if (phys & BT_PHY_LE_1M_TX)
3108 *tx_phys |= HCI_LE_SET_PHY_1M;
3109
3110 if (phys & BT_PHY_LE_1M_RX)
3111 *rx_phys |= HCI_LE_SET_PHY_1M;
3112
3113 if (phys & BT_PHY_LE_2M_TX)
3114 *tx_phys |= HCI_LE_SET_PHY_2M;
3115
3116 if (phys & BT_PHY_LE_2M_RX)
3117 *rx_phys |= HCI_LE_SET_PHY_2M;
3118
3119 if (phys & BT_PHY_LE_CODED_TX)
3120 *tx_phys |= HCI_LE_SET_PHY_CODED;
3121
3122 if (phys & BT_PHY_LE_CODED_RX)
3123 *rx_phys |= HCI_LE_SET_PHY_CODED;
3124
3125 return 0;
3126}
3127
3128int hci_conn_set_phy(struct hci_conn *conn, u32 phys)
3129{
3130 u8 tx_phys, rx_phys;
3131
3132 switch (conn->type) {
3133 case SCO_LINK:
3134 case ESCO_LINK:
3135 return -EINVAL;
3136 case ACL_LINK:
3137 /* Only allow setting BR/EDR PHYs if link type is ACL */
3138 if (phys & ~BT_PHY_BREDR_MASK)
3139 return -EINVAL;
3140
3141 return hci_acl_change_pkt_type(conn,
3142 bt_phy_pkt_type(conn, phys));
3143 case LE_LINK:
3144 /* Only allow setting LE PHYs if link type is LE */
3145 if (phys & ~BT_PHY_LE_MASK)
3146 return -EINVAL;
3147
3148 if (bt_phy_le_phy(phys, &tx_phys, &rx_phys))
3149 return -EINVAL;
3150
3151 return hci_le_set_phy(conn, tx_phys, rx_phys);
3152 default:
3153 return -EINVAL;
3154 }
3155}
3156
3157static int abort_conn_sync(struct hci_dev *hdev, void *data)
3158{
3159 struct hci_conn *conn = data;
3160
3161 if (!hci_conn_valid(hdev, conn))
3162 return -ECANCELED;
3163
3164 return hci_abort_conn_sync(hdev, conn, conn->abort_reason);
3165}
3166
3167int hci_abort_conn(struct hci_conn *conn, u8 reason)
3168{
3169 struct hci_dev *hdev = conn->hdev;
3170 int err;
3171
3172 /* If abort_reason has already been set it means the connection is
3173 * already being aborted so don't attempt to overwrite it.
3174 */
3175 if (conn->abort_reason)
3176 return 0;
3177
3178 bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason);
3179
3180 conn->abort_reason = reason;
3181
3182 /* If the connection is pending check the command opcode since that
3183 * might be blocking on hci_cmd_sync_work while waiting its respective
3184 * event so we need to hci_cmd_sync_cancel to cancel it.
3185 *
3186 * hci_connect_le serializes the connection attempts so only one
3187 * connection can be in BT_CONNECT at time.
3188 */
3189 if (conn->state == BT_CONNECT && READ_ONCE(hdev->req_status) == HCI_REQ_PEND) {
3190 switch (hci_skb_event(hdev->sent_cmd)) {
3191 case HCI_EV_CONN_COMPLETE:
3192 case HCI_EV_LE_CONN_COMPLETE:
3193 case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
3194 case HCI_EVT_LE_CIS_ESTABLISHED:
3195 hci_cmd_sync_cancel(hdev, ECANCELED);
3196 break;
3197 }
3198 /* Cancel connect attempt if still queued/pending */
3199 } else if (!hci_cancel_connect_sync(hdev, conn)) {
3200 return 0;
3201 }
3202
3203 /* Run immediately if on cmd_sync_work since this may be called
3204 * as a result to MGMT_OP_DISCONNECT/MGMT_OP_UNPAIR which does
3205 * already queue its callback on cmd_sync_work.
3206 */
3207 err = hci_cmd_sync_run_once(hdev, abort_conn_sync, conn, NULL);
3208 return (err == -EEXIST) ? 0 : err;
3209}
3210
3211void hci_setup_tx_timestamp(struct sk_buff *skb, size_t key_offset,
3212 const struct sockcm_cookie *sockc)
3213{
3214 struct sock *sk = skb ? skb->sk : NULL;
3215 int key;
3216
3217 /* This shall be called on a single skb of those generated by user
3218 * sendmsg(), and only when the sendmsg() does not return error to
3219 * user. This is required for keeping the tskey that increments here in
3220 * sync with possible sendmsg() counting by user.
3221 *
3222 * Stream sockets shall set key_offset to sendmsg() length in bytes
3223 * and call with the last fragment, others to 1 and first fragment.
3224 */
3225
3226 if (!skb || !sockc || !sk || !key_offset)
3227 return;
3228
3229 sock_tx_timestamp(sk, sockc, &skb_shinfo(skb)->tx_flags);
3230
3231 if (sk->sk_type == SOCK_STREAM)
3232 key = atomic_add_return(key_offset, &sk->sk_tskey);
3233
3234 if (sockc->tsflags & SOF_TIMESTAMPING_OPT_ID &&
3235 sockc->tsflags & SOF_TIMESTAMPING_TX_RECORD_MASK) {
3236 if (sockc->tsflags & SOCKCM_FLAG_TS_OPT_ID) {
3237 skb_shinfo(skb)->tskey = sockc->ts_opt_id;
3238 } else {
3239 if (sk->sk_type != SOCK_STREAM)
3240 key = atomic_inc_return(&sk->sk_tskey);
3241 skb_shinfo(skb)->tskey = key - 1;
3242 }
3243 }
3244}
3245
3246void hci_conn_tx_queue(struct hci_conn *conn, struct sk_buff *skb)
3247{
3248 struct tx_queue *comp = &conn->tx_q;
3249 bool track = false;
3250
3251 /* Emit SND now, ie. just before sending to driver */
3252 if (skb_shinfo(skb)->tx_flags & SKBTX_SW_TSTAMP)
3253 __skb_tstamp_tx(skb, NULL, NULL, skb->sk, SCM_TSTAMP_SND);
3254
3255 /* COMPLETION tstamp is emitted for tracked skb later in Number of
3256 * Completed Packets event. Available only for flow controlled cases.
3257 *
3258 * TODO: SCO support without flowctl (needs to be done in drivers)
3259 */
3260 switch (conn->type) {
3261 case CIS_LINK:
3262 case BIS_LINK:
3263 case PA_LINK:
3264 case ACL_LINK:
3265 case LE_LINK:
3266 break;
3267 case SCO_LINK:
3268 case ESCO_LINK:
3269 if (!hci_dev_test_flag(conn->hdev, HCI_SCO_FLOWCTL))
3270 return;
3271 break;
3272 default:
3273 return;
3274 }
3275
3276 if (skb->sk && (skb_shinfo(skb)->tx_flags & SKBTX_COMPLETION_TSTAMP))
3277 track = true;
3278
3279 /* If nothing is tracked, just count extra skbs at the queue head */
3280 if (!track && !comp->tracked) {
3281 comp->extra++;
3282 return;
3283 }
3284
3285 if (track) {
3286 skb = skb_clone_sk(skb);
3287 if (!skb)
3288 goto count_only;
3289
3290 comp->tracked++;
3291 } else {
3292 skb = skb_clone(skb, GFP_KERNEL);
3293 if (!skb)
3294 goto count_only;
3295 }
3296
3297 skb_queue_tail(&comp->queue, skb);
3298 return;
3299
3300count_only:
3301 /* Stop tracking skbs, and only count. This will not emit timestamps for
3302 * the packets, but if we get here something is more seriously wrong.
3303 */
3304 comp->tracked = 0;
3305 comp->extra += skb_queue_len(&comp->queue) + 1;
3306 skb_queue_purge(&comp->queue);
3307}
3308
3309void hci_conn_tx_dequeue(struct hci_conn *conn)
3310{
3311 struct tx_queue *comp = &conn->tx_q;
3312 struct sk_buff *skb;
3313
3314 /* If there are tracked skbs, the counted extra go before dequeuing real
3315 * skbs, to keep ordering. When nothing is tracked, the ordering doesn't
3316 * matter so dequeue real skbs first to get rid of them ASAP.
3317 */
3318 if (comp->extra && (comp->tracked || skb_queue_empty(&comp->queue))) {
3319 comp->extra--;
3320 return;
3321 }
3322
3323 skb = skb_dequeue(&comp->queue);
3324 if (!skb)
3325 return;
3326
3327 if (skb->sk) {
3328 comp->tracked--;
3329 __skb_tstamp_tx(skb, NULL, NULL, skb->sk,
3330 SCM_TSTAMP_COMPLETION);
3331 }
3332
3333 kfree_skb(skb);
3334}
3335
3336u8 *hci_conn_key_enc_size(struct hci_conn *conn)
3337{
3338 if (conn->type == ACL_LINK) {
3339 struct link_key *key;
3340
3341 key = hci_find_link_key(conn->hdev, &conn->dst);
3342 if (!key)
3343 return NULL;
3344
3345 return &key->pin_len;
3346 } else if (conn->type == LE_LINK) {
3347 struct smp_ltk *ltk;
3348
3349 ltk = hci_find_ltk(conn->hdev, &conn->dst, conn->dst_type,
3350 conn->role);
3351 if (!ltk)
3352 return NULL;
3353
3354 return <k->enc_size;
3355 }
3356
3357 return NULL;
3358}
3359
3360int hci_ethtool_ts_info(unsigned int index, int sk_proto,
3361 struct kernel_ethtool_ts_info *info)
3362{
3363 struct hci_dev *hdev;
3364
3365 hdev = hci_dev_get(index);
3366 if (!hdev)
3367 return -ENODEV;
3368
3369 info->so_timestamping =
3370 SOF_TIMESTAMPING_RX_SOFTWARE |
3371 SOF_TIMESTAMPING_SOFTWARE;
3372 info->phc_index = -1;
3373 info->tx_types = BIT(HWTSTAMP_TX_OFF);
3374 info->rx_filters = BIT(HWTSTAMP_FILTER_NONE);
3375
3376 switch (sk_proto) {
3377 case BTPROTO_ISO:
3378 case BTPROTO_L2CAP:
3379 info->so_timestamping |= SOF_TIMESTAMPING_TX_SOFTWARE;
3380 info->so_timestamping |= SOF_TIMESTAMPING_TX_COMPLETION;
3381 break;
3382 case BTPROTO_SCO:
3383 info->so_timestamping |= SOF_TIMESTAMPING_TX_SOFTWARE;
3384 if (hci_dev_test_flag(hdev, HCI_SCO_FLOWCTL))
3385 info->so_timestamping |= SOF_TIMESTAMPING_TX_COMPLETION;
3386 break;
3387 }
3388
3389 hci_dev_put(hdev);
3390 return 0;
3391}