2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
26 /* Bluetooth HCI connection handling. */
28 #include <linux/export.h>
29 #include <linux/debugfs.h>
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/iso.h>
35 #include <net/bluetooth/mgmt.h>
37 #include "hci_request.h"
48 struct conn_handle_t {
49 struct hci_conn *conn;
53 static const struct sco_param esco_param_cvsd[] = {
54 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */
55 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */
56 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */
57 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */
58 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */
61 static const struct sco_param sco_param_cvsd[] = {
62 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */
63 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */
66 static const struct sco_param esco_param_msbc[] = {
67 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */
68 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */
71 /* This function requires the caller holds hdev->lock */
72 static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
74 struct hci_conn_params *params;
75 struct hci_dev *hdev = conn->hdev;
81 bdaddr_type = conn->dst_type;
83 /* Check if we need to convert to identity address */
84 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
86 bdaddr = &irk->bdaddr;
87 bdaddr_type = irk->addr_type;
90 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr,
96 hci_conn_drop(params->conn);
97 hci_conn_put(params->conn);
101 if (!params->explicit_connect)
104 /* If the status indicates successful cancellation of
105 * the attempt (i.e. Unknown Connection Id) there's no point of
106 * notifying failure since we'll go back to keep trying to
107 * connect. The only exception is explicit connect requests
108 * where a timeout + cancel does indicate an actual failure.
110 if (status && status != HCI_ERROR_UNKNOWN_CONN_ID)
111 mgmt_connect_failed(hdev, &conn->dst, conn->type,
112 conn->dst_type, status);
114 /* The connection attempt was doing scan for new RPA, and is
115 * in scan phase. If params are not associated with any other
116 * autoconnect action, remove them completely. If they are, just unmark
117 * them as waiting for connection, by clearing explicit_connect field.
119 params->explicit_connect = false;
121 hci_pend_le_list_del_init(params);
123 switch (params->auto_connect) {
124 case HCI_AUTO_CONN_EXPLICIT:
125 hci_conn_params_del(hdev, bdaddr, bdaddr_type);
126 /* return instead of break to avoid duplicate scan update */
128 case HCI_AUTO_CONN_DIRECT:
129 case HCI_AUTO_CONN_ALWAYS:
130 hci_pend_le_list_add(params, &hdev->pend_le_conns);
132 case HCI_AUTO_CONN_REPORT:
133 hci_pend_le_list_add(params, &hdev->pend_le_reports);
139 hci_update_passive_scan(hdev);
142 static void hci_conn_cleanup(struct hci_conn *conn)
144 struct hci_dev *hdev = conn->hdev;
146 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
147 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);
149 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
150 hci_remove_link_key(hdev, &conn->dst);
152 hci_chan_list_flush(conn);
154 hci_conn_hash_del(hdev, conn);
156 if (HCI_CONN_HANDLE_UNSET(conn->handle))
157 ida_free(&hdev->unset_handle_ida, conn->handle);
162 if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
163 switch (conn->setting & SCO_AIRMODE_MASK) {
164 case SCO_AIRMODE_CVSD:
165 case SCO_AIRMODE_TRANSP:
167 hdev->notify(hdev, HCI_NOTIFY_DISABLE_SCO);
172 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
175 debugfs_remove_recursive(conn->debugfs);
177 hci_conn_del_sysfs(conn);
182 static void hci_acl_create_connection(struct hci_conn *conn)
184 struct hci_dev *hdev = conn->hdev;
185 struct inquiry_entry *ie;
186 struct hci_cp_create_conn cp;
188 BT_DBG("hcon %p", conn);
190 /* Many controllers disallow HCI Create Connection while it is doing
191 * HCI Inquiry. So we cancel the Inquiry first before issuing HCI Create
192 * Connection. This may cause the MGMT discovering state to become false
193 * without user space's request but it is okay since the MGMT Discovery
194 * APIs do not promise that discovery should be done forever. Instead,
195 * the user space monitors the status of MGMT discovering and it may
196 * request for discovery again when this flag becomes false.
198 if (test_bit(HCI_INQUIRY, &hdev->flags)) {
199 /* Put this connection to "pending" state so that it will be
200 * executed after the inquiry cancel command complete event.
202 conn->state = BT_CONNECT2;
203 hci_send_cmd(hdev, HCI_OP_INQUIRY_CANCEL, 0, NULL);
207 conn->state = BT_CONNECT;
209 conn->role = HCI_ROLE_MASTER;
213 conn->link_policy = hdev->link_policy;
215 memset(&cp, 0, sizeof(cp));
216 bacpy(&cp.bdaddr, &conn->dst);
217 cp.pscan_rep_mode = 0x02;
219 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
221 if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) {
222 cp.pscan_rep_mode = ie->data.pscan_rep_mode;
223 cp.pscan_mode = ie->data.pscan_mode;
224 cp.clock_offset = ie->data.clock_offset |
228 memcpy(conn->dev_class, ie->data.dev_class, 3);
231 cp.pkt_type = cpu_to_le16(conn->pkt_type);
232 if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER))
233 cp.role_switch = 0x01;
235 cp.role_switch = 0x00;
237 hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
240 int hci_disconnect(struct hci_conn *conn, __u8 reason)
242 BT_DBG("hcon %p", conn);
244 /* When we are central of an established connection and it enters
245 * the disconnect timeout, then go ahead and try to read the
246 * current clock offset. Processing of the result is done
247 * within the event handling and hci_clock_offset_evt function.
249 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER &&
250 (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) {
251 struct hci_dev *hdev = conn->hdev;
252 struct hci_cp_read_clock_offset clkoff_cp;
254 clkoff_cp.handle = cpu_to_le16(conn->handle);
255 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp),
259 return hci_abort_conn(conn, reason);
262 static void hci_add_sco(struct hci_conn *conn, __u16 handle)
264 struct hci_dev *hdev = conn->hdev;
265 struct hci_cp_add_sco cp;
267 BT_DBG("hcon %p", conn);
269 conn->state = BT_CONNECT;
274 cp.handle = cpu_to_le16(handle);
275 cp.pkt_type = cpu_to_le16(conn->pkt_type);
277 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
280 static bool find_next_esco_param(struct hci_conn *conn,
281 const struct sco_param *esco_param, int size)
286 for (; conn->attempt <= size; conn->attempt++) {
287 if (lmp_esco_2m_capable(conn->parent) ||
288 (esco_param[conn->attempt - 1].pkt_type & ESCO_2EV3))
290 BT_DBG("hcon %p skipped attempt %d, eSCO 2M not supported",
291 conn, conn->attempt);
294 return conn->attempt <= size;
297 static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec)
300 __u8 vnd_len, *vnd_data = NULL;
301 struct hci_op_configure_data_path *cmd = NULL;
303 err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len,
308 cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL);
314 err = hdev->get_data_path_id(hdev, &cmd->data_path_id);
318 cmd->vnd_len = vnd_len;
319 memcpy(cmd->vnd_data, vnd_data, vnd_len);
321 cmd->direction = 0x00;
322 __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
323 sizeof(*cmd) + vnd_len, cmd, HCI_CMD_TIMEOUT);
325 cmd->direction = 0x01;
326 err = __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
327 sizeof(*cmd) + vnd_len, cmd,
336 static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data)
338 struct conn_handle_t *conn_handle = data;
339 struct hci_conn *conn = conn_handle->conn;
340 __u16 handle = conn_handle->handle;
341 struct hci_cp_enhanced_setup_sync_conn cp;
342 const struct sco_param *param;
346 bt_dev_dbg(hdev, "hcon %p", conn);
348 /* for offload use case, codec needs to configured before opening SCO */
349 if (conn->codec.data_path)
350 configure_datapath_sync(hdev, &conn->codec);
352 conn->state = BT_CONNECT;
357 memset(&cp, 0x00, sizeof(cp));
359 cp.handle = cpu_to_le16(handle);
361 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
362 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
364 switch (conn->codec.id) {
366 if (!find_next_esco_param(conn, esco_param_msbc,
367 ARRAY_SIZE(esco_param_msbc)))
370 param = &esco_param_msbc[conn->attempt - 1];
371 cp.tx_coding_format.id = 0x05;
372 cp.rx_coding_format.id = 0x05;
373 cp.tx_codec_frame_size = __cpu_to_le16(60);
374 cp.rx_codec_frame_size = __cpu_to_le16(60);
375 cp.in_bandwidth = __cpu_to_le32(32000);
376 cp.out_bandwidth = __cpu_to_le32(32000);
377 cp.in_coding_format.id = 0x04;
378 cp.out_coding_format.id = 0x04;
379 cp.in_coded_data_size = __cpu_to_le16(16);
380 cp.out_coded_data_size = __cpu_to_le16(16);
381 cp.in_pcm_data_format = 2;
382 cp.out_pcm_data_format = 2;
383 cp.in_pcm_sample_payload_msb_pos = 0;
384 cp.out_pcm_sample_payload_msb_pos = 0;
385 cp.in_data_path = conn->codec.data_path;
386 cp.out_data_path = conn->codec.data_path;
387 cp.in_transport_unit_size = 1;
388 cp.out_transport_unit_size = 1;
391 case BT_CODEC_TRANSPARENT:
392 if (!find_next_esco_param(conn, esco_param_msbc,
393 ARRAY_SIZE(esco_param_msbc)))
395 param = &esco_param_msbc[conn->attempt - 1];
396 cp.tx_coding_format.id = 0x03;
397 cp.rx_coding_format.id = 0x03;
398 cp.tx_codec_frame_size = __cpu_to_le16(60);
399 cp.rx_codec_frame_size = __cpu_to_le16(60);
400 cp.in_bandwidth = __cpu_to_le32(0x1f40);
401 cp.out_bandwidth = __cpu_to_le32(0x1f40);
402 cp.in_coding_format.id = 0x03;
403 cp.out_coding_format.id = 0x03;
404 cp.in_coded_data_size = __cpu_to_le16(16);
405 cp.out_coded_data_size = __cpu_to_le16(16);
406 cp.in_pcm_data_format = 2;
407 cp.out_pcm_data_format = 2;
408 cp.in_pcm_sample_payload_msb_pos = 0;
409 cp.out_pcm_sample_payload_msb_pos = 0;
410 cp.in_data_path = conn->codec.data_path;
411 cp.out_data_path = conn->codec.data_path;
412 cp.in_transport_unit_size = 1;
413 cp.out_transport_unit_size = 1;
417 if (conn->parent && lmp_esco_capable(conn->parent)) {
418 if (!find_next_esco_param(conn, esco_param_cvsd,
419 ARRAY_SIZE(esco_param_cvsd)))
421 param = &esco_param_cvsd[conn->attempt - 1];
423 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
425 param = &sco_param_cvsd[conn->attempt - 1];
427 cp.tx_coding_format.id = 2;
428 cp.rx_coding_format.id = 2;
429 cp.tx_codec_frame_size = __cpu_to_le16(60);
430 cp.rx_codec_frame_size = __cpu_to_le16(60);
431 cp.in_bandwidth = __cpu_to_le32(16000);
432 cp.out_bandwidth = __cpu_to_le32(16000);
433 cp.in_coding_format.id = 4;
434 cp.out_coding_format.id = 4;
435 cp.in_coded_data_size = __cpu_to_le16(16);
436 cp.out_coded_data_size = __cpu_to_le16(16);
437 cp.in_pcm_data_format = 2;
438 cp.out_pcm_data_format = 2;
439 cp.in_pcm_sample_payload_msb_pos = 0;
440 cp.out_pcm_sample_payload_msb_pos = 0;
441 cp.in_data_path = conn->codec.data_path;
442 cp.out_data_path = conn->codec.data_path;
443 cp.in_transport_unit_size = 16;
444 cp.out_transport_unit_size = 16;
450 cp.retrans_effort = param->retrans_effort;
451 cp.pkt_type = __cpu_to_le16(param->pkt_type);
452 cp.max_latency = __cpu_to_le16(param->max_latency);
454 if (hci_send_cmd(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
460 static bool hci_setup_sync_conn(struct hci_conn *conn, __u16 handle)
462 struct hci_dev *hdev = conn->hdev;
463 struct hci_cp_setup_sync_conn cp;
464 const struct sco_param *param;
466 bt_dev_dbg(hdev, "hcon %p", conn);
468 conn->state = BT_CONNECT;
473 cp.handle = cpu_to_le16(handle);
475 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
476 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
477 cp.voice_setting = cpu_to_le16(conn->setting);
479 switch (conn->setting & SCO_AIRMODE_MASK) {
480 case SCO_AIRMODE_TRANSP:
481 if (!find_next_esco_param(conn, esco_param_msbc,
482 ARRAY_SIZE(esco_param_msbc)))
484 param = &esco_param_msbc[conn->attempt - 1];
486 case SCO_AIRMODE_CVSD:
487 if (conn->parent && lmp_esco_capable(conn->parent)) {
488 if (!find_next_esco_param(conn, esco_param_cvsd,
489 ARRAY_SIZE(esco_param_cvsd)))
491 param = &esco_param_cvsd[conn->attempt - 1];
493 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
495 param = &sco_param_cvsd[conn->attempt - 1];
502 cp.retrans_effort = param->retrans_effort;
503 cp.pkt_type = __cpu_to_le16(param->pkt_type);
504 cp.max_latency = __cpu_to_le16(param->max_latency);
506 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
512 bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
515 struct conn_handle_t *conn_handle;
517 if (enhanced_sync_conn_capable(conn->hdev)) {
518 conn_handle = kzalloc(sizeof(*conn_handle), GFP_KERNEL);
523 conn_handle->conn = conn;
524 conn_handle->handle = handle;
525 result = hci_cmd_sync_queue(conn->hdev, hci_enhanced_setup_sync,
533 return hci_setup_sync_conn(conn, handle);
536 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
539 struct hci_dev *hdev = conn->hdev;
540 struct hci_conn_params *params;
541 struct hci_cp_le_conn_update cp;
545 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
547 params->conn_min_interval = min;
548 params->conn_max_interval = max;
549 params->conn_latency = latency;
550 params->supervision_timeout = to_multiplier;
553 hci_dev_unlock(hdev);
555 memset(&cp, 0, sizeof(cp));
556 cp.handle = cpu_to_le16(conn->handle);
557 cp.conn_interval_min = cpu_to_le16(min);
558 cp.conn_interval_max = cpu_to_le16(max);
559 cp.conn_latency = cpu_to_le16(latency);
560 cp.supervision_timeout = cpu_to_le16(to_multiplier);
561 cp.min_ce_len = cpu_to_le16(0x0000);
562 cp.max_ce_len = cpu_to_le16(0x0000);
564 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
572 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
573 __u8 ltk[16], __u8 key_size)
575 struct hci_dev *hdev = conn->hdev;
576 struct hci_cp_le_start_enc cp;
578 BT_DBG("hcon %p", conn);
580 memset(&cp, 0, sizeof(cp));
582 cp.handle = cpu_to_le16(conn->handle);
585 memcpy(cp.ltk, ltk, key_size);
587 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
590 /* Device _must_ be locked */
591 void hci_sco_setup(struct hci_conn *conn, __u8 status)
593 struct hci_link *link;
595 link = list_first_entry_or_null(&conn->link_list, struct hci_link, list);
596 if (!link || !link->conn)
599 BT_DBG("hcon %p", conn);
602 if (lmp_esco_capable(conn->hdev))
603 hci_setup_sync(link->conn, conn->handle);
605 hci_add_sco(link->conn, conn->handle);
607 hci_connect_cfm(link->conn, status);
608 hci_conn_del(link->conn);
612 static void hci_conn_timeout(struct work_struct *work)
614 struct hci_conn *conn = container_of(work, struct hci_conn,
616 int refcnt = atomic_read(&conn->refcnt);
618 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
622 /* FIXME: It was observed that in pairing failed scenario, refcnt
623 * drops below 0. Probably this is because l2cap_conn_del calls
624 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
625 * dropped. After that loop hci_chan_del is called which also drops
626 * conn. For now make sure that ACL is alive if refcnt is higher then 0,
632 hci_abort_conn(conn, hci_proto_disconn_ind(conn));
635 /* Enter sniff mode */
636 static void hci_conn_idle(struct work_struct *work)
638 struct hci_conn *conn = container_of(work, struct hci_conn,
640 struct hci_dev *hdev = conn->hdev;
642 BT_DBG("hcon %p mode %d", conn, conn->mode);
644 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
647 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
650 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
651 struct hci_cp_sniff_subrate cp;
652 cp.handle = cpu_to_le16(conn->handle);
653 cp.max_latency = cpu_to_le16(0);
654 cp.min_remote_timeout = cpu_to_le16(0);
655 cp.min_local_timeout = cpu_to_le16(0);
656 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
659 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
660 struct hci_cp_sniff_mode cp;
661 cp.handle = cpu_to_le16(conn->handle);
662 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
663 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
664 cp.attempt = cpu_to_le16(4);
665 cp.timeout = cpu_to_le16(1);
666 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
670 static void hci_conn_auto_accept(struct work_struct *work)
672 struct hci_conn *conn = container_of(work, struct hci_conn,
673 auto_accept_work.work);
675 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
679 static void le_disable_advertising(struct hci_dev *hdev)
681 if (ext_adv_capable(hdev)) {
682 struct hci_cp_le_set_ext_adv_enable cp;
685 cp.num_of_sets = 0x00;
687 hci_send_cmd(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE, sizeof(cp),
691 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
696 static void le_conn_timeout(struct work_struct *work)
698 struct hci_conn *conn = container_of(work, struct hci_conn,
699 le_conn_timeout.work);
700 struct hci_dev *hdev = conn->hdev;
704 /* We could end up here due to having done directed advertising,
705 * so clean up the state if necessary. This should however only
706 * happen with broken hardware or if low duty cycle was used
707 * (which doesn't have a timeout of its own).
709 if (conn->role == HCI_ROLE_SLAVE) {
710 /* Disable LE Advertising */
711 le_disable_advertising(hdev);
713 hci_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
714 hci_dev_unlock(hdev);
718 hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
721 struct iso_cig_params {
722 struct hci_cp_le_set_cig_params cp;
723 struct hci_cis_params cis[0x1f];
726 struct iso_list_data {
742 static void bis_list(struct hci_conn *conn, void *data)
744 struct iso_list_data *d = data;
746 /* Skip if not broadcast/ANY address */
747 if (bacmp(&conn->dst, BDADDR_ANY))
750 if (d->big != conn->iso_qos.bcast.big || d->bis == BT_ISO_QOS_BIS_UNSET ||
751 d->bis != conn->iso_qos.bcast.bis)
757 static int terminate_big_sync(struct hci_dev *hdev, void *data)
759 struct iso_list_data *d = data;
761 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", d->big, d->bis);
763 hci_disable_per_advertising_sync(hdev, d->bis);
764 hci_remove_ext_adv_instance_sync(hdev, d->bis, NULL);
766 /* Only terminate BIG if it has been created */
770 return hci_le_terminate_big_sync(hdev, d->big,
771 HCI_ERROR_LOCAL_HOST_TERM);
774 static void terminate_big_destroy(struct hci_dev *hdev, void *data, int err)
779 static int hci_le_terminate_big(struct hci_dev *hdev, struct hci_conn *conn)
781 struct iso_list_data *d;
784 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", conn->iso_qos.bcast.big,
785 conn->iso_qos.bcast.bis);
787 d = kzalloc(sizeof(*d), GFP_KERNEL);
791 d->big = conn->iso_qos.bcast.big;
792 d->bis = conn->iso_qos.bcast.bis;
793 d->big_term = test_and_clear_bit(HCI_CONN_BIG_CREATED, &conn->flags);
795 ret = hci_cmd_sync_queue(hdev, terminate_big_sync, d,
796 terminate_big_destroy);
803 static int big_terminate_sync(struct hci_dev *hdev, void *data)
805 struct iso_list_data *d = data;
807 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", d->big,
810 if (d->big_sync_term)
811 hci_le_big_terminate_sync(hdev, d->big);
814 return hci_le_pa_terminate_sync(hdev, d->sync_handle);
819 static void find_bis(struct hci_conn *conn, void *data)
821 struct iso_list_data *d = data;
823 /* Ignore if BIG doesn't match */
824 if (d->big != conn->iso_qos.bcast.big)
830 static int hci_le_big_terminate(struct hci_dev *hdev, u8 big, struct hci_conn *conn)
832 struct iso_list_data *d;
835 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", big, conn->sync_handle);
837 d = kzalloc(sizeof(*d), GFP_KERNEL);
841 memset(d, 0, sizeof(*d));
843 d->sync_handle = conn->sync_handle;
845 if (test_and_clear_bit(HCI_CONN_PA_SYNC, &conn->flags)) {
846 hci_conn_hash_list_flag(hdev, find_bis, ISO_LINK,
847 HCI_CONN_PA_SYNC, d);
850 d->pa_sync_term = true;
855 if (test_and_clear_bit(HCI_CONN_BIG_SYNC, &conn->flags)) {
856 hci_conn_hash_list_flag(hdev, find_bis, ISO_LINK,
857 HCI_CONN_BIG_SYNC, d);
860 d->big_sync_term = true;
863 ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d,
864 terminate_big_destroy);
871 /* Cleanup BIS connection
873 * Detects if there any BIS left connected in a BIG
874 * broadcaster: Remove advertising instance and terminate BIG.
875 * broadcaster receiver: Teminate BIG sync and terminate PA sync.
877 static void bis_cleanup(struct hci_conn *conn)
879 struct hci_dev *hdev = conn->hdev;
880 struct hci_conn *bis;
882 bt_dev_dbg(hdev, "conn %p", conn);
884 if (conn->role == HCI_ROLE_MASTER) {
885 if (!test_and_clear_bit(HCI_CONN_PER_ADV, &conn->flags))
888 /* Check if ISO connection is a BIS and terminate advertising
889 * set and BIG if there are no other connections using it.
891 bis = hci_conn_hash_lookup_big(hdev, conn->iso_qos.bcast.big);
895 hci_le_terminate_big(hdev, conn);
897 hci_le_big_terminate(hdev, conn->iso_qos.bcast.big,
902 static int remove_cig_sync(struct hci_dev *hdev, void *data)
904 u8 handle = PTR_UINT(data);
906 return hci_le_remove_cig_sync(hdev, handle);
909 static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle)
911 bt_dev_dbg(hdev, "handle 0x%2.2x", handle);
913 return hci_cmd_sync_queue(hdev, remove_cig_sync, UINT_PTR(handle),
917 static void find_cis(struct hci_conn *conn, void *data)
919 struct iso_list_data *d = data;
921 /* Ignore broadcast or if CIG don't match */
922 if (!bacmp(&conn->dst, BDADDR_ANY) || d->cig != conn->iso_qos.ucast.cig)
928 /* Cleanup CIS connection:
930 * Detects if there any CIS left connected in a CIG and remove it.
932 static void cis_cleanup(struct hci_conn *conn)
934 struct hci_dev *hdev = conn->hdev;
935 struct iso_list_data d;
937 if (conn->iso_qos.ucast.cig == BT_ISO_QOS_CIG_UNSET)
940 memset(&d, 0, sizeof(d));
941 d.cig = conn->iso_qos.ucast.cig;
943 /* Check if ISO connection is a CIS and remove CIG if there are
944 * no other connections using it.
946 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_BOUND, &d);
947 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECT, &d);
948 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECTED, &d);
952 hci_le_remove_cig(hdev, conn->iso_qos.ucast.cig);
955 static int hci_conn_hash_alloc_unset(struct hci_dev *hdev)
957 return ida_alloc_range(&hdev->unset_handle_ida, HCI_CONN_HANDLE_MAX + 1,
958 U16_MAX, GFP_ATOMIC);
961 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
964 struct hci_conn *conn;
966 bt_dev_dbg(hdev, "dst %pMR handle 0x%4.4x", dst, handle);
968 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
972 bacpy(&conn->dst, dst);
973 bacpy(&conn->src, &hdev->bdaddr);
974 conn->handle = handle;
978 conn->mode = HCI_CM_ACTIVE;
979 conn->state = BT_OPEN;
980 conn->auth_type = HCI_AT_GENERAL_BONDING;
981 conn->io_capability = hdev->io_capability;
982 conn->remote_auth = 0xff;
983 conn->key_type = 0xff;
984 conn->rssi = HCI_RSSI_INVALID;
985 conn->tx_power = HCI_TX_POWER_INVALID;
986 conn->max_tx_power = HCI_TX_POWER_INVALID;
987 conn->sync_handle = HCI_SYNC_HANDLE_INVALID;
989 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
990 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
992 /* Set Default Authenticated payload timeout to 30s */
993 conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
995 if (conn->role == HCI_ROLE_MASTER)
1000 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
1003 /* conn->src should reflect the local identity address */
1004 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
1007 /* conn->src should reflect the local identity address */
1008 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
1010 /* set proper cleanup function */
1011 if (!bacmp(dst, BDADDR_ANY))
1012 conn->cleanup = bis_cleanup;
1013 else if (conn->role == HCI_ROLE_MASTER)
1014 conn->cleanup = cis_cleanup;
1018 if (lmp_esco_capable(hdev))
1019 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
1020 (hdev->esco_type & EDR_ESCO_MASK);
1022 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
1025 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
1029 skb_queue_head_init(&conn->data_q);
1031 INIT_LIST_HEAD(&conn->chan_list);
1032 INIT_LIST_HEAD(&conn->link_list);
1034 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
1035 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
1036 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
1037 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
1039 atomic_set(&conn->refcnt, 0);
1043 hci_conn_hash_add(hdev, conn);
1045 /* The SCO and eSCO connections will only be notified when their
1046 * setup has been completed. This is different to ACL links which
1047 * can be notified right away.
1049 if (conn->type != SCO_LINK && conn->type != ESCO_LINK) {
1051 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
1054 hci_conn_init_sysfs(conn);
1059 struct hci_conn *hci_conn_add_unset(struct hci_dev *hdev, int type,
1060 bdaddr_t *dst, u8 role)
1064 bt_dev_dbg(hdev, "dst %pMR", dst);
1066 handle = hci_conn_hash_alloc_unset(hdev);
1067 if (unlikely(handle < 0))
1070 return hci_conn_add(hdev, type, dst, role, handle);
1073 static void hci_conn_cleanup_child(struct hci_conn *conn, u8 reason)
1076 reason = HCI_ERROR_REMOTE_USER_TERM;
1078 /* Due to race, SCO/ISO conn might be not established yet at this point,
1079 * and nothing else will clean it up. In other cases it is done via HCI
1082 switch (conn->type) {
1085 if (HCI_CONN_HANDLE_UNSET(conn->handle))
1086 hci_conn_failed(conn, reason);
1089 if (conn->state != BT_CONNECTED &&
1090 !test_bit(HCI_CONN_CREATE_CIS, &conn->flags))
1091 hci_conn_failed(conn, reason);
1096 static void hci_conn_unlink(struct hci_conn *conn)
1098 struct hci_dev *hdev = conn->hdev;
1100 bt_dev_dbg(hdev, "hcon %p", conn);
1102 if (!conn->parent) {
1103 struct hci_link *link, *t;
1105 list_for_each_entry_safe(link, t, &conn->link_list, list) {
1106 struct hci_conn *child = link->conn;
1108 hci_conn_unlink(child);
1110 /* If hdev is down it means
1111 * hci_dev_close_sync/hci_conn_hash_flush is in progress
1112 * and links don't need to be cleanup as all connections
1115 if (!test_bit(HCI_UP, &hdev->flags))
1118 hci_conn_cleanup_child(child, conn->abort_reason);
1127 list_del_rcu(&conn->link->list);
1130 hci_conn_drop(conn->parent);
1131 hci_conn_put(conn->parent);
1132 conn->parent = NULL;
1138 void hci_conn_del(struct hci_conn *conn)
1140 struct hci_dev *hdev = conn->hdev;
1142 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
1144 hci_conn_unlink(conn);
1146 cancel_delayed_work_sync(&conn->disc_work);
1147 cancel_delayed_work_sync(&conn->auto_accept_work);
1148 cancel_delayed_work_sync(&conn->idle_work);
1150 if (conn->type == ACL_LINK) {
1151 /* Unacked frames */
1152 hdev->acl_cnt += conn->sent;
1153 } else if (conn->type == LE_LINK) {
1154 cancel_delayed_work(&conn->le_conn_timeout);
1157 hdev->le_cnt += conn->sent;
1159 hdev->acl_cnt += conn->sent;
1161 /* Unacked ISO frames */
1162 if (conn->type == ISO_LINK) {
1164 hdev->iso_cnt += conn->sent;
1165 else if (hdev->le_pkts)
1166 hdev->le_cnt += conn->sent;
1168 hdev->acl_cnt += conn->sent;
1173 amp_mgr_put(conn->amp_mgr);
1175 skb_queue_purge(&conn->data_q);
1177 /* Remove the connection from the list and cleanup its remaining
1178 * state. This is a separate function since for some cases like
1179 * BT_CONNECT_SCAN we *only* want the cleanup part without the
1180 * rest of hci_conn_del.
1182 hci_conn_cleanup(conn);
1185 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type)
1187 int use_src = bacmp(src, BDADDR_ANY);
1188 struct hci_dev *hdev = NULL, *d;
1190 BT_DBG("%pMR -> %pMR", src, dst);
1192 read_lock(&hci_dev_list_lock);
1194 list_for_each_entry(d, &hci_dev_list, list) {
1195 if (!test_bit(HCI_UP, &d->flags) ||
1196 hci_dev_test_flag(d, HCI_USER_CHANNEL) ||
1197 d->dev_type != HCI_PRIMARY)
1201 * No source address - find interface with bdaddr != dst
1202 * Source address - find interface with bdaddr == src
1209 if (src_type == BDADDR_BREDR) {
1210 if (!lmp_bredr_capable(d))
1212 bacpy(&id_addr, &d->bdaddr);
1213 id_addr_type = BDADDR_BREDR;
1215 if (!lmp_le_capable(d))
1218 hci_copy_identity_address(d, &id_addr,
1221 /* Convert from HCI to three-value type */
1222 if (id_addr_type == ADDR_LE_DEV_PUBLIC)
1223 id_addr_type = BDADDR_LE_PUBLIC;
1225 id_addr_type = BDADDR_LE_RANDOM;
1228 if (!bacmp(&id_addr, src) && id_addr_type == src_type) {
1232 if (bacmp(&d->bdaddr, dst)) {
1239 hdev = hci_dev_hold(hdev);
1241 read_unlock(&hci_dev_list_lock);
1244 EXPORT_SYMBOL(hci_get_route);
1246 /* This function requires the caller holds hdev->lock */
1247 static void hci_le_conn_failed(struct hci_conn *conn, u8 status)
1249 struct hci_dev *hdev = conn->hdev;
1251 hci_connect_le_scan_cleanup(conn, status);
1253 /* Enable advertising in case this was a failed connection
1254 * attempt as a peripheral.
1256 hci_enable_advertising(hdev);
1259 /* This function requires the caller holds hdev->lock */
1260 void hci_conn_failed(struct hci_conn *conn, u8 status)
1262 struct hci_dev *hdev = conn->hdev;
1264 bt_dev_dbg(hdev, "status 0x%2.2x", status);
1266 switch (conn->type) {
1268 hci_le_conn_failed(conn, status);
1271 mgmt_connect_failed(hdev, &conn->dst, conn->type,
1272 conn->dst_type, status);
1276 /* In case of BIG/PA sync failed, clear conn flags so that
1277 * the conns will be correctly cleaned up by ISO layer
1279 test_and_clear_bit(HCI_CONN_BIG_SYNC_FAILED, &conn->flags);
1280 test_and_clear_bit(HCI_CONN_PA_SYNC_FAILED, &conn->flags);
1282 conn->state = BT_CLOSED;
1283 hci_connect_cfm(conn, status);
1287 /* This function requires the caller holds hdev->lock */
1288 u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle)
1290 struct hci_dev *hdev = conn->hdev;
1292 bt_dev_dbg(hdev, "hcon %p handle 0x%4.4x", conn, handle);
1294 if (conn->handle == handle)
1297 if (handle > HCI_CONN_HANDLE_MAX) {
1298 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
1299 handle, HCI_CONN_HANDLE_MAX);
1300 return HCI_ERROR_INVALID_PARAMETERS;
1303 /* If abort_reason has been sent it means the connection is being
1304 * aborted and the handle shall not be changed.
1306 if (conn->abort_reason)
1307 return conn->abort_reason;
1309 if (HCI_CONN_HANDLE_UNSET(conn->handle))
1310 ida_free(&hdev->unset_handle_ida, conn->handle);
1312 conn->handle = handle;
1317 static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
1319 struct hci_conn *conn;
1320 u16 handle = PTR_UINT(data);
1322 conn = hci_conn_hash_lookup_handle(hdev, handle);
1326 bt_dev_dbg(hdev, "err %d", err);
1331 hci_connect_le_scan_cleanup(conn, 0x00);
1335 /* Check if connection is still pending */
1336 if (conn != hci_lookup_le_connect(hdev))
1339 /* Flush to make sure we send create conn cancel command if needed */
1340 flush_delayed_work(&conn->le_conn_timeout);
1341 hci_conn_failed(conn, bt_status(err));
1344 hci_dev_unlock(hdev);
1347 static int hci_connect_le_sync(struct hci_dev *hdev, void *data)
1349 struct hci_conn *conn;
1350 u16 handle = PTR_UINT(data);
1352 conn = hci_conn_hash_lookup_handle(hdev, handle);
1356 bt_dev_dbg(hdev, "conn %p", conn);
1358 clear_bit(HCI_CONN_SCANNING, &conn->flags);
1359 conn->state = BT_CONNECT;
1361 return hci_le_create_conn_sync(hdev, conn);
1364 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
1365 u8 dst_type, bool dst_resolved, u8 sec_level,
1366 u16 conn_timeout, u8 role)
1368 struct hci_conn *conn;
1369 struct smp_irk *irk;
1372 /* Let's make sure that le is enabled.*/
1373 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1374 if (lmp_le_capable(hdev))
1375 return ERR_PTR(-ECONNREFUSED);
1377 return ERR_PTR(-EOPNOTSUPP);
1380 /* Since the controller supports only one LE connection attempt at a
1381 * time, we return -EBUSY if there is any connection attempt running.
1383 if (hci_lookup_le_connect(hdev))
1384 return ERR_PTR(-EBUSY);
1386 /* If there's already a connection object but it's not in
1387 * scanning state it means it must already be established, in
1388 * which case we can't do anything else except report a failure
1391 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1392 if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) {
1393 return ERR_PTR(-EBUSY);
1396 /* Check if the destination address has been resolved by the controller
1397 * since if it did then the identity address shall be used.
1399 if (!dst_resolved) {
1400 /* When given an identity address with existing identity
1401 * resolving key, the connection needs to be established
1402 * to a resolvable random address.
1404 * Storing the resolvable random address is required here
1405 * to handle connection failures. The address will later
1406 * be resolved back into the original identity address
1407 * from the connect request.
1409 irk = hci_find_irk_by_addr(hdev, dst, dst_type);
1410 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
1412 dst_type = ADDR_LE_DEV_RANDOM;
1417 bacpy(&conn->dst, dst);
1419 conn = hci_conn_add_unset(hdev, LE_LINK, dst, role);
1421 return ERR_PTR(-ENOMEM);
1422 hci_conn_hold(conn);
1423 conn->pending_sec_level = sec_level;
1426 conn->dst_type = dst_type;
1427 conn->sec_level = BT_SECURITY_LOW;
1428 conn->conn_timeout = conn_timeout;
1430 err = hci_cmd_sync_queue(hdev, hci_connect_le_sync,
1431 UINT_PTR(conn->handle),
1432 create_le_conn_complete);
1435 return ERR_PTR(err);
1441 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
1443 struct hci_conn *conn;
1445 conn = hci_conn_hash_lookup_le(hdev, addr, type);
1449 if (conn->state != BT_CONNECTED)
1455 /* This function requires the caller holds hdev->lock */
1456 static int hci_explicit_conn_params_set(struct hci_dev *hdev,
1457 bdaddr_t *addr, u8 addr_type)
1459 struct hci_conn_params *params;
1461 if (is_connected(hdev, addr, addr_type))
1464 params = hci_conn_params_lookup(hdev, addr, addr_type);
1466 params = hci_conn_params_add(hdev, addr, addr_type);
1470 /* If we created new params, mark them to be deleted in
1471 * hci_connect_le_scan_cleanup. It's different case than
1472 * existing disabled params, those will stay after cleanup.
1474 params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
1477 /* We're trying to connect, so make sure params are at pend_le_conns */
1478 if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
1479 params->auto_connect == HCI_AUTO_CONN_REPORT ||
1480 params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
1481 hci_pend_le_list_del_init(params);
1482 hci_pend_le_list_add(params, &hdev->pend_le_conns);
1485 params->explicit_connect = true;
1487 BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
1488 params->auto_connect);
1493 static int qos_set_big(struct hci_dev *hdev, struct bt_iso_qos *qos)
1495 struct hci_conn *conn;
1498 /* Allocate a BIG if not set */
1499 if (qos->bcast.big == BT_ISO_QOS_BIG_UNSET) {
1500 for (big = 0x00; big < 0xef; big++) {
1502 conn = hci_conn_hash_lookup_big(hdev, big);
1508 return -EADDRNOTAVAIL;
1511 qos->bcast.big = big;
1517 static int qos_set_bis(struct hci_dev *hdev, struct bt_iso_qos *qos)
1519 struct hci_conn *conn;
1522 /* Allocate BIS if not set */
1523 if (qos->bcast.bis == BT_ISO_QOS_BIS_UNSET) {
1524 if (qos->bcast.big != BT_ISO_QOS_BIG_UNSET) {
1525 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big);
1528 /* If the BIG handle is already matched to an advertising
1529 * handle, do not allocate a new one.
1531 qos->bcast.bis = conn->iso_qos.bcast.bis;
1536 /* Find an unused adv set to advertise BIS, skip instance 0x00
1537 * since it is reserved as general purpose set.
1539 for (bis = 0x01; bis < hdev->le_num_of_adv_sets;
1542 conn = hci_conn_hash_lookup_bis(hdev, BDADDR_ANY, bis);
1547 if (bis == hdev->le_num_of_adv_sets)
1548 return -EADDRNOTAVAIL;
1551 qos->bcast.bis = bis;
1557 /* This function requires the caller holds hdev->lock */
1558 static struct hci_conn *hci_add_bis(struct hci_dev *hdev, bdaddr_t *dst,
1559 struct bt_iso_qos *qos, __u8 base_len,
1562 struct hci_conn *conn;
1565 /* Let's make sure that le is enabled.*/
1566 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1567 if (lmp_le_capable(hdev))
1568 return ERR_PTR(-ECONNREFUSED);
1569 return ERR_PTR(-EOPNOTSUPP);
1572 err = qos_set_big(hdev, qos);
1574 return ERR_PTR(err);
1576 err = qos_set_bis(hdev, qos);
1578 return ERR_PTR(err);
1580 /* Check if the LE Create BIG command has already been sent */
1581 conn = hci_conn_hash_lookup_per_adv_bis(hdev, dst, qos->bcast.big,
1584 return ERR_PTR(-EADDRINUSE);
1586 /* Check BIS settings against other bound BISes, since all
1587 * BISes in a BIG must have the same value for all parameters
1589 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big);
1591 if (conn && (memcmp(qos, &conn->iso_qos, sizeof(*qos)) ||
1592 base_len != conn->le_per_adv_data_len ||
1593 memcmp(conn->le_per_adv_data, base, base_len)))
1594 return ERR_PTR(-EADDRINUSE);
1596 conn = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_MASTER);
1598 return ERR_PTR(-ENOMEM);
1600 conn->state = BT_CONNECT;
1602 hci_conn_hold(conn);
1606 /* This function requires the caller holds hdev->lock */
1607 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
1608 u8 dst_type, u8 sec_level,
1610 enum conn_reasons conn_reason)
1612 struct hci_conn *conn;
1614 /* Let's make sure that le is enabled.*/
1615 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1616 if (lmp_le_capable(hdev))
1617 return ERR_PTR(-ECONNREFUSED);
1619 return ERR_PTR(-EOPNOTSUPP);
1622 /* Some devices send ATT messages as soon as the physical link is
1623 * established. To be able to handle these ATT messages, the user-
1624 * space first establishes the connection and then starts the pairing
1627 * So if a hci_conn object already exists for the following connection
1628 * attempt, we simply update pending_sec_level and auth_type fields
1629 * and return the object found.
1631 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1633 if (conn->pending_sec_level < sec_level)
1634 conn->pending_sec_level = sec_level;
1638 BT_DBG("requesting refresh of dst_addr");
1640 conn = hci_conn_add_unset(hdev, LE_LINK, dst, HCI_ROLE_MASTER);
1642 return ERR_PTR(-ENOMEM);
1644 if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) {
1646 return ERR_PTR(-EBUSY);
1649 conn->state = BT_CONNECT;
1650 set_bit(HCI_CONN_SCANNING, &conn->flags);
1651 conn->dst_type = dst_type;
1652 conn->sec_level = BT_SECURITY_LOW;
1653 conn->pending_sec_level = sec_level;
1654 conn->conn_timeout = conn_timeout;
1655 conn->conn_reason = conn_reason;
1657 hci_update_passive_scan(hdev);
1660 hci_conn_hold(conn);
1664 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
1665 u8 sec_level, u8 auth_type,
1666 enum conn_reasons conn_reason)
1668 struct hci_conn *acl;
1670 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1671 if (lmp_bredr_capable(hdev))
1672 return ERR_PTR(-ECONNREFUSED);
1674 return ERR_PTR(-EOPNOTSUPP);
1677 /* Reject outgoing connection to device with same BD ADDR against
1680 if (!bacmp(&hdev->bdaddr, dst)) {
1681 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
1683 return ERR_PTR(-ECONNREFUSED);
1686 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
1688 acl = hci_conn_add_unset(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
1690 return ERR_PTR(-ENOMEM);
1695 acl->conn_reason = conn_reason;
1696 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
1697 acl->sec_level = BT_SECURITY_LOW;
1698 acl->pending_sec_level = sec_level;
1699 acl->auth_type = auth_type;
1700 hci_acl_create_connection(acl);
1706 static struct hci_link *hci_conn_link(struct hci_conn *parent,
1707 struct hci_conn *conn)
1709 struct hci_dev *hdev = parent->hdev;
1710 struct hci_link *link;
1712 bt_dev_dbg(hdev, "parent %p hcon %p", parent, conn);
1720 link = kzalloc(sizeof(*link), GFP_KERNEL);
1724 link->conn = hci_conn_hold(conn);
1726 conn->parent = hci_conn_get(parent);
1728 /* Use list_add_tail_rcu append to the list */
1729 list_add_tail_rcu(&link->list, &parent->link_list);
1734 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
1735 __u16 setting, struct bt_codec *codec)
1737 struct hci_conn *acl;
1738 struct hci_conn *sco;
1739 struct hci_link *link;
1741 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING,
1742 CONN_REASON_SCO_CONNECT);
1746 sco = hci_conn_hash_lookup_ba(hdev, type, dst);
1748 sco = hci_conn_add_unset(hdev, type, dst, HCI_ROLE_MASTER);
1751 return ERR_PTR(-ENOMEM);
1755 link = hci_conn_link(acl, sco);
1759 return ERR_PTR(-ENOLINK);
1762 sco->setting = setting;
1763 sco->codec = *codec;
1765 if (acl->state == BT_CONNECTED &&
1766 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
1767 set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
1768 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
1770 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
1771 /* defer SCO setup until mode change completed */
1772 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
1776 hci_sco_setup(acl, 0x00);
1782 static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos)
1784 struct hci_dev *hdev = conn->hdev;
1785 struct hci_cp_le_create_big cp;
1786 struct iso_list_data data;
1788 memset(&cp, 0, sizeof(cp));
1790 data.big = qos->bcast.big;
1791 data.bis = qos->bcast.bis;
1794 /* Create a BIS for each bound connection */
1795 hci_conn_hash_list_state(hdev, bis_list, ISO_LINK,
1798 cp.handle = qos->bcast.big;
1799 cp.adv_handle = qos->bcast.bis;
1800 cp.num_bis = data.count;
1801 hci_cpu_to_le24(qos->bcast.out.interval, cp.bis.sdu_interval);
1802 cp.bis.sdu = cpu_to_le16(qos->bcast.out.sdu);
1803 cp.bis.latency = cpu_to_le16(qos->bcast.out.latency);
1804 cp.bis.rtn = qos->bcast.out.rtn;
1805 cp.bis.phy = qos->bcast.out.phy;
1806 cp.bis.packing = qos->bcast.packing;
1807 cp.bis.framing = qos->bcast.framing;
1808 cp.bis.encryption = qos->bcast.encryption;
1809 memcpy(cp.bis.bcode, qos->bcast.bcode, sizeof(cp.bis.bcode));
1811 return hci_send_cmd(hdev, HCI_OP_LE_CREATE_BIG, sizeof(cp), &cp);
1814 static int set_cig_params_sync(struct hci_dev *hdev, void *data)
1816 u8 cig_id = PTR_UINT(data);
1817 struct hci_conn *conn;
1818 struct bt_iso_qos *qos;
1819 struct iso_cig_params pdu;
1822 conn = hci_conn_hash_lookup_cig(hdev, cig_id);
1826 memset(&pdu, 0, sizeof(pdu));
1828 qos = &conn->iso_qos;
1829 pdu.cp.cig_id = cig_id;
1830 hci_cpu_to_le24(qos->ucast.out.interval, pdu.cp.c_interval);
1831 hci_cpu_to_le24(qos->ucast.in.interval, pdu.cp.p_interval);
1832 pdu.cp.sca = qos->ucast.sca;
1833 pdu.cp.packing = qos->ucast.packing;
1834 pdu.cp.framing = qos->ucast.framing;
1835 pdu.cp.c_latency = cpu_to_le16(qos->ucast.out.latency);
1836 pdu.cp.p_latency = cpu_to_le16(qos->ucast.in.latency);
1838 /* Reprogram all CIS(s) with the same CIG, valid range are:
1839 * num_cis: 0x00 to 0x1F
1840 * cis_id: 0x00 to 0xEF
1842 for (cis_id = 0x00; cis_id < 0xf0 &&
1843 pdu.cp.num_cis < ARRAY_SIZE(pdu.cis); cis_id++) {
1844 struct hci_cis_params *cis;
1846 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, cig_id, cis_id);
1850 qos = &conn->iso_qos;
1852 cis = &pdu.cis[pdu.cp.num_cis++];
1853 cis->cis_id = cis_id;
1854 cis->c_sdu = cpu_to_le16(conn->iso_qos.ucast.out.sdu);
1855 cis->p_sdu = cpu_to_le16(conn->iso_qos.ucast.in.sdu);
1856 cis->c_phy = qos->ucast.out.phy ? qos->ucast.out.phy :
1858 cis->p_phy = qos->ucast.in.phy ? qos->ucast.in.phy :
1860 cis->c_rtn = qos->ucast.out.rtn;
1861 cis->p_rtn = qos->ucast.in.rtn;
1864 if (!pdu.cp.num_cis)
1867 return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_CIG_PARAMS,
1869 pdu.cp.num_cis * sizeof(pdu.cis[0]), &pdu,
1873 static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos)
1875 struct hci_dev *hdev = conn->hdev;
1876 struct iso_list_data data;
1878 memset(&data, 0, sizeof(data));
1880 /* Allocate first still reconfigurable CIG if not set */
1881 if (qos->ucast.cig == BT_ISO_QOS_CIG_UNSET) {
1882 for (data.cig = 0x00; data.cig < 0xf0; data.cig++) {
1885 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK,
1890 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK,
1891 BT_CONNECTED, &data);
1896 if (data.cig == 0xf0)
1900 qos->ucast.cig = data.cig;
1903 if (qos->ucast.cis != BT_ISO_QOS_CIS_UNSET) {
1904 if (hci_conn_hash_lookup_cis(hdev, NULL, 0, qos->ucast.cig,
1910 /* Allocate first available CIS if not set */
1911 for (data.cig = qos->ucast.cig, data.cis = 0x00; data.cis < 0xf0;
1913 if (!hci_conn_hash_lookup_cis(hdev, NULL, 0, data.cig,
1916 qos->ucast.cis = data.cis;
1921 if (qos->ucast.cis == BT_ISO_QOS_CIS_UNSET)
1925 if (hci_cmd_sync_queue(hdev, set_cig_params_sync,
1926 UINT_PTR(qos->ucast.cig), NULL) < 0)
1932 struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst,
1933 __u8 dst_type, struct bt_iso_qos *qos)
1935 struct hci_conn *cis;
1937 cis = hci_conn_hash_lookup_cis(hdev, dst, dst_type, qos->ucast.cig,
1940 cis = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_MASTER);
1942 return ERR_PTR(-ENOMEM);
1943 cis->cleanup = cis_cleanup;
1944 cis->dst_type = dst_type;
1945 cis->iso_qos.ucast.cig = BT_ISO_QOS_CIG_UNSET;
1946 cis->iso_qos.ucast.cis = BT_ISO_QOS_CIS_UNSET;
1949 if (cis->state == BT_CONNECTED)
1952 /* Check if CIS has been set and the settings matches */
1953 if (cis->state == BT_BOUND &&
1954 !memcmp(&cis->iso_qos, qos, sizeof(*qos)))
1957 /* Update LINK PHYs according to QoS preference */
1958 cis->le_tx_phy = qos->ucast.out.phy;
1959 cis->le_rx_phy = qos->ucast.in.phy;
1961 /* If output interval is not set use the input interval as it cannot be
1964 if (!qos->ucast.out.interval)
1965 qos->ucast.out.interval = qos->ucast.in.interval;
1967 /* If input interval is not set use the output interval as it cannot be
1970 if (!qos->ucast.in.interval)
1971 qos->ucast.in.interval = qos->ucast.out.interval;
1973 /* If output latency is not set use the input latency as it cannot be
1976 if (!qos->ucast.out.latency)
1977 qos->ucast.out.latency = qos->ucast.in.latency;
1979 /* If input latency is not set use the output latency as it cannot be
1982 if (!qos->ucast.in.latency)
1983 qos->ucast.in.latency = qos->ucast.out.latency;
1985 if (!hci_le_set_cig_params(cis, qos)) {
1987 return ERR_PTR(-EINVAL);
1992 cis->iso_qos = *qos;
1993 cis->state = BT_BOUND;
1998 bool hci_iso_setup_path(struct hci_conn *conn)
2000 struct hci_dev *hdev = conn->hdev;
2001 struct hci_cp_le_setup_iso_path cmd;
2003 memset(&cmd, 0, sizeof(cmd));
2005 if (conn->iso_qos.ucast.out.sdu) {
2006 cmd.handle = cpu_to_le16(conn->handle);
2007 cmd.direction = 0x00; /* Input (Host to Controller) */
2008 cmd.path = 0x00; /* HCI path if enabled */
2009 cmd.codec = 0x03; /* Transparent Data */
2011 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
2016 if (conn->iso_qos.ucast.in.sdu) {
2017 cmd.handle = cpu_to_le16(conn->handle);
2018 cmd.direction = 0x01; /* Output (Controller to Host) */
2019 cmd.path = 0x00; /* HCI path if enabled */
2020 cmd.codec = 0x03; /* Transparent Data */
2022 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
2030 int hci_conn_check_create_cis(struct hci_conn *conn)
2032 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY))
2035 if (!conn->parent || conn->parent->state != BT_CONNECTED ||
2036 conn->state != BT_CONNECT || HCI_CONN_HANDLE_UNSET(conn->handle))
2042 static int hci_create_cis_sync(struct hci_dev *hdev, void *data)
2044 return hci_le_create_cis_sync(hdev);
2047 int hci_le_create_cis_pending(struct hci_dev *hdev)
2049 struct hci_conn *conn;
2050 bool pending = false;
2054 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
2055 if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) {
2060 if (!hci_conn_check_create_cis(conn))
2069 /* Queue Create CIS */
2070 return hci_cmd_sync_queue(hdev, hci_create_cis_sync, NULL, NULL);
2073 static void hci_iso_qos_setup(struct hci_dev *hdev, struct hci_conn *conn,
2074 struct bt_iso_io_qos *qos, __u8 phy)
2076 /* Only set MTU if PHY is enabled */
2077 if (!qos->sdu && qos->phy) {
2078 if (hdev->iso_mtu > 0)
2079 qos->sdu = hdev->iso_mtu;
2080 else if (hdev->le_mtu > 0)
2081 qos->sdu = hdev->le_mtu;
2083 qos->sdu = hdev->acl_mtu;
2086 /* Use the same PHY as ACL if set to any */
2087 if (qos->phy == BT_ISO_PHY_ANY)
2090 /* Use LE ACL connection interval if not set */
2092 /* ACL interval unit in 1.25 ms to us */
2093 qos->interval = conn->le_conn_interval * 1250;
2095 /* Use LE ACL connection latency if not set */
2097 qos->latency = conn->le_conn_latency;
2100 static int create_big_sync(struct hci_dev *hdev, void *data)
2102 struct hci_conn *conn = data;
2103 struct bt_iso_qos *qos = &conn->iso_qos;
2104 u16 interval, sync_interval = 0;
2108 if (qos->bcast.out.phy == 0x02)
2109 flags |= MGMT_ADV_FLAG_SEC_2M;
2111 /* Align intervals */
2112 interval = (qos->bcast.out.interval / 1250) * qos->bcast.sync_factor;
2115 sync_interval = interval * 4;
2117 err = hci_start_per_adv_sync(hdev, qos->bcast.bis, conn->le_per_adv_data_len,
2118 conn->le_per_adv_data, flags, interval,
2119 interval, sync_interval);
2123 return hci_le_create_big(conn, &conn->iso_qos);
2126 static void create_pa_complete(struct hci_dev *hdev, void *data, int err)
2128 struct hci_cp_le_pa_create_sync *cp = data;
2130 bt_dev_dbg(hdev, "");
2133 bt_dev_err(hdev, "Unable to create PA: %d", err);
2138 static int create_pa_sync(struct hci_dev *hdev, void *data)
2140 struct hci_cp_le_pa_create_sync *cp = data;
2143 err = __hci_cmd_sync_status(hdev, HCI_OP_LE_PA_CREATE_SYNC,
2144 sizeof(*cp), cp, HCI_CMD_TIMEOUT);
2146 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
2150 return hci_update_passive_scan_sync(hdev);
2153 int hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst, __u8 dst_type,
2154 __u8 sid, struct bt_iso_qos *qos)
2156 struct hci_cp_le_pa_create_sync *cp;
2158 if (hci_dev_test_and_set_flag(hdev, HCI_PA_SYNC))
2161 cp = kzalloc(sizeof(*cp), GFP_KERNEL);
2163 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
2167 cp->options = qos->bcast.options;
2169 cp->addr_type = dst_type;
2170 bacpy(&cp->addr, dst);
2171 cp->skip = cpu_to_le16(qos->bcast.skip);
2172 cp->sync_timeout = cpu_to_le16(qos->bcast.sync_timeout);
2173 cp->sync_cte_type = qos->bcast.sync_cte_type;
2175 /* Queue start pa_create_sync and scan */
2176 return hci_cmd_sync_queue(hdev, create_pa_sync, cp, create_pa_complete);
2179 int hci_le_big_create_sync(struct hci_dev *hdev, struct hci_conn *hcon,
2180 struct bt_iso_qos *qos,
2181 __u16 sync_handle, __u8 num_bis, __u8 bis[])
2184 struct hci_cp_le_big_create_sync cp;
2189 if (num_bis < 0x01 || num_bis > sizeof(pdu.bis))
2192 err = qos_set_big(hdev, qos);
2197 hcon->iso_qos.bcast.big = qos->bcast.big;
2199 memset(&pdu, 0, sizeof(pdu));
2200 pdu.cp.handle = qos->bcast.big;
2201 pdu.cp.sync_handle = cpu_to_le16(sync_handle);
2202 pdu.cp.encryption = qos->bcast.encryption;
2203 memcpy(pdu.cp.bcode, qos->bcast.bcode, sizeof(pdu.cp.bcode));
2204 pdu.cp.mse = qos->bcast.mse;
2205 pdu.cp.timeout = cpu_to_le16(qos->bcast.timeout);
2206 pdu.cp.num_bis = num_bis;
2207 memcpy(pdu.bis, bis, num_bis);
2209 return hci_send_cmd(hdev, HCI_OP_LE_BIG_CREATE_SYNC,
2210 sizeof(pdu.cp) + num_bis, &pdu);
2213 static void create_big_complete(struct hci_dev *hdev, void *data, int err)
2215 struct hci_conn *conn = data;
2217 bt_dev_dbg(hdev, "conn %p", conn);
2220 bt_dev_err(hdev, "Unable to create BIG: %d", err);
2221 hci_connect_cfm(conn, err);
2226 struct hci_conn *hci_bind_bis(struct hci_dev *hdev, bdaddr_t *dst,
2227 struct bt_iso_qos *qos,
2228 __u8 base_len, __u8 *base)
2230 struct hci_conn *conn;
2231 __u8 eir[HCI_MAX_PER_AD_LENGTH];
2233 if (base_len && base)
2234 base_len = eir_append_service_data(eir, 0, 0x1851,
2237 /* We need hci_conn object using the BDADDR_ANY as dst */
2238 conn = hci_add_bis(hdev, dst, qos, base_len, eir);
2242 /* Update LINK PHYs according to QoS preference */
2243 conn->le_tx_phy = qos->bcast.out.phy;
2244 conn->le_tx_phy = qos->bcast.out.phy;
2246 /* Add Basic Announcement into Peridic Adv Data if BASE is set */
2247 if (base_len && base) {
2248 memcpy(conn->le_per_adv_data, eir, sizeof(eir));
2249 conn->le_per_adv_data_len = base_len;
2252 hci_iso_qos_setup(hdev, conn, &qos->bcast.out,
2253 conn->le_tx_phy ? conn->le_tx_phy :
2254 hdev->le_tx_def_phys);
2256 conn->iso_qos = *qos;
2257 conn->state = BT_BOUND;
2262 static void bis_mark_per_adv(struct hci_conn *conn, void *data)
2264 struct iso_list_data *d = data;
2266 /* Skip if not broadcast/ANY address */
2267 if (bacmp(&conn->dst, BDADDR_ANY))
2270 if (d->big != conn->iso_qos.bcast.big ||
2271 d->bis == BT_ISO_QOS_BIS_UNSET ||
2272 d->bis != conn->iso_qos.bcast.bis)
2275 set_bit(HCI_CONN_PER_ADV, &conn->flags);
2278 struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst,
2279 __u8 dst_type, struct bt_iso_qos *qos,
2280 __u8 base_len, __u8 *base)
2282 struct hci_conn *conn;
2284 struct iso_list_data data;
2286 conn = hci_bind_bis(hdev, dst, qos, base_len, base);
2290 data.big = qos->bcast.big;
2291 data.bis = qos->bcast.bis;
2293 /* Set HCI_CONN_PER_ADV for all bound connections, to mark that
2294 * the start periodic advertising and create BIG commands have
2297 hci_conn_hash_list_state(hdev, bis_mark_per_adv, ISO_LINK,
2300 /* Queue start periodic advertising and create BIG */
2301 err = hci_cmd_sync_queue(hdev, create_big_sync, conn,
2302 create_big_complete);
2304 hci_conn_drop(conn);
2305 return ERR_PTR(err);
2311 struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst,
2312 __u8 dst_type, struct bt_iso_qos *qos)
2314 struct hci_conn *le;
2315 struct hci_conn *cis;
2316 struct hci_link *link;
2318 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
2319 le = hci_connect_le(hdev, dst, dst_type, false,
2321 HCI_LE_CONN_TIMEOUT,
2324 le = hci_connect_le_scan(hdev, dst, dst_type,
2326 HCI_LE_CONN_TIMEOUT,
2327 CONN_REASON_ISO_CONNECT);
2331 hci_iso_qos_setup(hdev, le, &qos->ucast.out,
2332 le->le_tx_phy ? le->le_tx_phy : hdev->le_tx_def_phys);
2333 hci_iso_qos_setup(hdev, le, &qos->ucast.in,
2334 le->le_rx_phy ? le->le_rx_phy : hdev->le_rx_def_phys);
2336 cis = hci_bind_cis(hdev, dst, dst_type, qos);
2342 link = hci_conn_link(le, cis);
2346 return ERR_PTR(-ENOLINK);
2349 /* Link takes the refcount */
2352 cis->state = BT_CONNECT;
2354 hci_le_create_cis_pending(hdev);
2359 /* Check link security requirement */
2360 int hci_conn_check_link_mode(struct hci_conn *conn)
2362 BT_DBG("hcon %p", conn);
2364 /* In Secure Connections Only mode, it is required that Secure
2365 * Connections is used and the link is encrypted with AES-CCM
2366 * using a P-256 authenticated combination key.
2368 if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) {
2369 if (!hci_conn_sc_enabled(conn) ||
2370 !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2371 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
2375 /* AES encryption is required for Level 4:
2377 * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C
2380 * 128-bit equivalent strength for link and encryption keys
2381 * required using FIPS approved algorithms (E0 not allowed,
2382 * SAFER+ not allowed, and P-192 not allowed; encryption key
2385 if (conn->sec_level == BT_SECURITY_FIPS &&
2386 !test_bit(HCI_CONN_AES_CCM, &conn->flags)) {
2387 bt_dev_err(conn->hdev,
2388 "Invalid security: Missing AES-CCM usage");
2392 if (hci_conn_ssp_enabled(conn) &&
2393 !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2399 /* Authenticate remote device */
2400 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
2402 BT_DBG("hcon %p", conn);
2404 if (conn->pending_sec_level > sec_level)
2405 sec_level = conn->pending_sec_level;
2407 if (sec_level > conn->sec_level)
2408 conn->pending_sec_level = sec_level;
2409 else if (test_bit(HCI_CONN_AUTH, &conn->flags))
2412 /* Make sure we preserve an existing MITM requirement*/
2413 auth_type |= (conn->auth_type & 0x01);
2415 conn->auth_type = auth_type;
2417 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2418 struct hci_cp_auth_requested cp;
2420 cp.handle = cpu_to_le16(conn->handle);
2421 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
2424 /* If we're already encrypted set the REAUTH_PEND flag,
2425 * otherwise set the ENCRYPT_PEND.
2427 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2428 set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2430 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2436 /* Encrypt the link */
2437 static void hci_conn_encrypt(struct hci_conn *conn)
2439 BT_DBG("hcon %p", conn);
2441 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2442 struct hci_cp_set_conn_encrypt cp;
2443 cp.handle = cpu_to_le16(conn->handle);
2445 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2450 /* Enable security */
2451 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
2454 BT_DBG("hcon %p", conn);
2456 if (conn->type == LE_LINK)
2457 return smp_conn_security(conn, sec_level);
2459 /* For sdp we don't need the link key. */
2460 if (sec_level == BT_SECURITY_SDP)
2463 /* For non 2.1 devices and low security level we don't need the link
2465 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
2468 /* For other security levels we need the link key. */
2469 if (!test_bit(HCI_CONN_AUTH, &conn->flags))
2472 switch (conn->key_type) {
2473 case HCI_LK_AUTH_COMBINATION_P256:
2474 /* An authenticated FIPS approved combination key has
2475 * sufficient security for security level 4 or lower.
2477 if (sec_level <= BT_SECURITY_FIPS)
2480 case HCI_LK_AUTH_COMBINATION_P192:
2481 /* An authenticated combination key has sufficient security for
2482 * security level 3 or lower.
2484 if (sec_level <= BT_SECURITY_HIGH)
2487 case HCI_LK_UNAUTH_COMBINATION_P192:
2488 case HCI_LK_UNAUTH_COMBINATION_P256:
2489 /* An unauthenticated combination key has sufficient security
2490 * for security level 2 or lower.
2492 if (sec_level <= BT_SECURITY_MEDIUM)
2495 case HCI_LK_COMBINATION:
2496 /* A combination key has always sufficient security for the
2497 * security levels 2 or lower. High security level requires the
2498 * combination key is generated using maximum PIN code length
2499 * (16). For pre 2.1 units.
2501 if (sec_level <= BT_SECURITY_MEDIUM || conn->pin_length == 16)
2509 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
2513 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2515 if (!hci_conn_auth(conn, sec_level, auth_type))
2519 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) {
2520 /* Ensure that the encryption key size has been read,
2521 * otherwise stall the upper layer responses.
2523 if (!conn->enc_key_size)
2526 /* Nothing else needed, all requirements are met */
2530 hci_conn_encrypt(conn);
2533 EXPORT_SYMBOL(hci_conn_security);
2535 /* Check secure link requirement */
2536 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
2538 BT_DBG("hcon %p", conn);
2540 /* Accept if non-secure or higher security level is required */
2541 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
2544 /* Accept if secure or higher security level is already present */
2545 if (conn->sec_level == BT_SECURITY_HIGH ||
2546 conn->sec_level == BT_SECURITY_FIPS)
2549 /* Reject not secure link */
2552 EXPORT_SYMBOL(hci_conn_check_secure);
2555 int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
2557 BT_DBG("hcon %p", conn);
2559 if (role == conn->role)
2562 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
2563 struct hci_cp_switch_role cp;
2564 bacpy(&cp.bdaddr, &conn->dst);
2566 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
2571 EXPORT_SYMBOL(hci_conn_switch_role);
2573 /* Enter active mode */
2574 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
2576 struct hci_dev *hdev = conn->hdev;
2578 BT_DBG("hcon %p mode %d", conn, conn->mode);
2580 if (conn->mode != HCI_CM_SNIFF)
2583 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
2586 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
2587 struct hci_cp_exit_sniff_mode cp;
2588 cp.handle = cpu_to_le16(conn->handle);
2589 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
2593 if (hdev->idle_timeout > 0)
2594 queue_delayed_work(hdev->workqueue, &conn->idle_work,
2595 msecs_to_jiffies(hdev->idle_timeout));
2598 /* Drop all connection on the device */
2599 void hci_conn_hash_flush(struct hci_dev *hdev)
2601 struct list_head *head = &hdev->conn_hash.list;
2602 struct hci_conn *conn;
2604 BT_DBG("hdev %s", hdev->name);
2606 /* We should not traverse the list here, because hci_conn_del
2607 * can remove extra links, which may cause the list traversal
2608 * to hit items that have already been released.
2610 while ((conn = list_first_entry_or_null(head,
2613 conn->state = BT_CLOSED;
2614 hci_disconn_cfm(conn, HCI_ERROR_LOCAL_HOST_TERM);
2619 /* Check pending connect attempts */
2620 void hci_conn_check_pending(struct hci_dev *hdev)
2622 struct hci_conn *conn;
2624 BT_DBG("hdev %s", hdev->name);
2628 conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2);
2630 hci_acl_create_connection(conn);
2632 hci_dev_unlock(hdev);
2635 static u32 get_link_mode(struct hci_conn *conn)
2639 if (conn->role == HCI_ROLE_MASTER)
2640 link_mode |= HCI_LM_MASTER;
2642 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2643 link_mode |= HCI_LM_ENCRYPT;
2645 if (test_bit(HCI_CONN_AUTH, &conn->flags))
2646 link_mode |= HCI_LM_AUTH;
2648 if (test_bit(HCI_CONN_SECURE, &conn->flags))
2649 link_mode |= HCI_LM_SECURE;
2651 if (test_bit(HCI_CONN_FIPS, &conn->flags))
2652 link_mode |= HCI_LM_FIPS;
2657 int hci_get_conn_list(void __user *arg)
2660 struct hci_conn_list_req req, *cl;
2661 struct hci_conn_info *ci;
2662 struct hci_dev *hdev;
2663 int n = 0, size, err;
2665 if (copy_from_user(&req, arg, sizeof(req)))
2668 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
2671 size = sizeof(req) + req.conn_num * sizeof(*ci);
2673 cl = kmalloc(size, GFP_KERNEL);
2677 hdev = hci_dev_get(req.dev_id);
2686 list_for_each_entry(c, &hdev->conn_hash.list, list) {
2687 bacpy(&(ci + n)->bdaddr, &c->dst);
2688 (ci + n)->handle = c->handle;
2689 (ci + n)->type = c->type;
2690 (ci + n)->out = c->out;
2691 (ci + n)->state = c->state;
2692 (ci + n)->link_mode = get_link_mode(c);
2693 if (++n >= req.conn_num)
2696 hci_dev_unlock(hdev);
2698 cl->dev_id = hdev->id;
2700 size = sizeof(req) + n * sizeof(*ci);
2704 err = copy_to_user(arg, cl, size);
2707 return err ? -EFAULT : 0;
2710 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
2712 struct hci_conn_info_req req;
2713 struct hci_conn_info ci;
2714 struct hci_conn *conn;
2715 char __user *ptr = arg + sizeof(req);
2717 if (copy_from_user(&req, arg, sizeof(req)))
2721 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
2723 bacpy(&ci.bdaddr, &conn->dst);
2724 ci.handle = conn->handle;
2725 ci.type = conn->type;
2727 ci.state = conn->state;
2728 ci.link_mode = get_link_mode(conn);
2730 hci_dev_unlock(hdev);
2735 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
2738 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
2740 struct hci_auth_info_req req;
2741 struct hci_conn *conn;
2743 if (copy_from_user(&req, arg, sizeof(req)))
2747 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
2749 req.type = conn->auth_type;
2750 hci_dev_unlock(hdev);
2755 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
2758 struct hci_chan *hci_chan_create(struct hci_conn *conn)
2760 struct hci_dev *hdev = conn->hdev;
2761 struct hci_chan *chan;
2763 BT_DBG("%s hcon %p", hdev->name, conn);
2765 if (test_bit(HCI_CONN_DROP, &conn->flags)) {
2766 BT_DBG("Refusing to create new hci_chan");
2770 chan = kzalloc(sizeof(*chan), GFP_KERNEL);
2774 chan->conn = hci_conn_get(conn);
2775 skb_queue_head_init(&chan->data_q);
2776 chan->state = BT_CONNECTED;
2778 list_add_rcu(&chan->list, &conn->chan_list);
2783 void hci_chan_del(struct hci_chan *chan)
2785 struct hci_conn *conn = chan->conn;
2786 struct hci_dev *hdev = conn->hdev;
2788 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
2790 list_del_rcu(&chan->list);
2794 /* Prevent new hci_chan's to be created for this hci_conn */
2795 set_bit(HCI_CONN_DROP, &conn->flags);
2799 skb_queue_purge(&chan->data_q);
2803 void hci_chan_list_flush(struct hci_conn *conn)
2805 struct hci_chan *chan, *n;
2807 BT_DBG("hcon %p", conn);
2809 list_for_each_entry_safe(chan, n, &conn->chan_list, list)
2813 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
2816 struct hci_chan *hchan;
2818 list_for_each_entry(hchan, &hcon->chan_list, list) {
2819 if (hchan->handle == handle)
2826 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
2828 struct hci_conn_hash *h = &hdev->conn_hash;
2829 struct hci_conn *hcon;
2830 struct hci_chan *hchan = NULL;
2834 list_for_each_entry_rcu(hcon, &h->list, list) {
2835 hchan = __hci_chan_lookup_handle(hcon, handle);
2845 u32 hci_conn_get_phy(struct hci_conn *conn)
2849 /* BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part B page 471:
2850 * Table 6.2: Packets defined for synchronous, asynchronous, and
2851 * CPB logical transport types.
2853 switch (conn->type) {
2855 /* SCO logical transport (1 Mb/s):
2856 * HV1, HV2, HV3 and DV.
2858 phys |= BT_PHY_BR_1M_1SLOT;
2863 /* ACL logical transport (1 Mb/s) ptt=0:
2864 * DH1, DM3, DH3, DM5 and DH5.
2866 phys |= BT_PHY_BR_1M_1SLOT;
2868 if (conn->pkt_type & (HCI_DM3 | HCI_DH3))
2869 phys |= BT_PHY_BR_1M_3SLOT;
2871 if (conn->pkt_type & (HCI_DM5 | HCI_DH5))
2872 phys |= BT_PHY_BR_1M_5SLOT;
2874 /* ACL logical transport (2 Mb/s) ptt=1:
2875 * 2-DH1, 2-DH3 and 2-DH5.
2877 if (!(conn->pkt_type & HCI_2DH1))
2878 phys |= BT_PHY_EDR_2M_1SLOT;
2880 if (!(conn->pkt_type & HCI_2DH3))
2881 phys |= BT_PHY_EDR_2M_3SLOT;
2883 if (!(conn->pkt_type & HCI_2DH5))
2884 phys |= BT_PHY_EDR_2M_5SLOT;
2886 /* ACL logical transport (3 Mb/s) ptt=1:
2887 * 3-DH1, 3-DH3 and 3-DH5.
2889 if (!(conn->pkt_type & HCI_3DH1))
2890 phys |= BT_PHY_EDR_3M_1SLOT;
2892 if (!(conn->pkt_type & HCI_3DH3))
2893 phys |= BT_PHY_EDR_3M_3SLOT;
2895 if (!(conn->pkt_type & HCI_3DH5))
2896 phys |= BT_PHY_EDR_3M_5SLOT;
2901 /* eSCO logical transport (1 Mb/s): EV3, EV4 and EV5 */
2902 phys |= BT_PHY_BR_1M_1SLOT;
2904 if (!(conn->pkt_type & (ESCO_EV4 | ESCO_EV5)))
2905 phys |= BT_PHY_BR_1M_3SLOT;
2907 /* eSCO logical transport (2 Mb/s): 2-EV3, 2-EV5 */
2908 if (!(conn->pkt_type & ESCO_2EV3))
2909 phys |= BT_PHY_EDR_2M_1SLOT;
2911 if (!(conn->pkt_type & ESCO_2EV5))
2912 phys |= BT_PHY_EDR_2M_3SLOT;
2914 /* eSCO logical transport (3 Mb/s): 3-EV3, 3-EV5 */
2915 if (!(conn->pkt_type & ESCO_3EV3))
2916 phys |= BT_PHY_EDR_3M_1SLOT;
2918 if (!(conn->pkt_type & ESCO_3EV5))
2919 phys |= BT_PHY_EDR_3M_3SLOT;
2924 if (conn->le_tx_phy & HCI_LE_SET_PHY_1M)
2925 phys |= BT_PHY_LE_1M_TX;
2927 if (conn->le_rx_phy & HCI_LE_SET_PHY_1M)
2928 phys |= BT_PHY_LE_1M_RX;
2930 if (conn->le_tx_phy & HCI_LE_SET_PHY_2M)
2931 phys |= BT_PHY_LE_2M_TX;
2933 if (conn->le_rx_phy & HCI_LE_SET_PHY_2M)
2934 phys |= BT_PHY_LE_2M_RX;
2936 if (conn->le_tx_phy & HCI_LE_SET_PHY_CODED)
2937 phys |= BT_PHY_LE_CODED_TX;
2939 if (conn->le_rx_phy & HCI_LE_SET_PHY_CODED)
2940 phys |= BT_PHY_LE_CODED_RX;
2948 static int abort_conn_sync(struct hci_dev *hdev, void *data)
2950 struct hci_conn *conn;
2951 u16 handle = PTR_UINT(data);
2953 conn = hci_conn_hash_lookup_handle(hdev, handle);
2957 return hci_abort_conn_sync(hdev, conn, conn->abort_reason);
2960 int hci_abort_conn(struct hci_conn *conn, u8 reason)
2962 struct hci_dev *hdev = conn->hdev;
2964 /* If abort_reason has already been set it means the connection is
2965 * already being aborted so don't attempt to overwrite it.
2967 if (conn->abort_reason)
2970 bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason);
2972 conn->abort_reason = reason;
2974 /* If the connection is pending check the command opcode since that
2975 * might be blocking on hci_cmd_sync_work while waiting its respective
2976 * event so we need to hci_cmd_sync_cancel to cancel it.
2978 * hci_connect_le serializes the connection attempts so only one
2979 * connection can be in BT_CONNECT at time.
2981 if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) {
2982 switch (hci_skb_event(hdev->sent_cmd)) {
2983 case HCI_EV_LE_CONN_COMPLETE:
2984 case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
2985 case HCI_EVT_LE_CIS_ESTABLISHED:
2986 hci_cmd_sync_cancel(hdev, -ECANCELED);
2991 return hci_cmd_sync_queue(hdev, abort_conn_sync, UINT_PTR(conn->handle),