2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
26 /* Bluetooth HCI connection handling. */
28 #include <linux/export.h>
29 #include <linux/debugfs.h>
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/iso.h>
35 #include <net/bluetooth/mgmt.h>
37 #include "hci_request.h"
48 struct conn_handle_t {
49 struct hci_conn *conn;
53 static const struct sco_param esco_param_cvsd[] = {
54 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */
55 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */
56 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */
57 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */
58 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */
61 static const struct sco_param sco_param_cvsd[] = {
62 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */
63 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */
66 static const struct sco_param esco_param_msbc[] = {
67 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */
68 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */
71 /* This function requires the caller holds hdev->lock */
72 static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
74 struct hci_conn_params *params;
75 struct hci_dev *hdev = conn->hdev;
81 bdaddr_type = conn->dst_type;
83 /* Check if we need to convert to identity address */
84 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
86 bdaddr = &irk->bdaddr;
87 bdaddr_type = irk->addr_type;
90 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr,
96 hci_conn_drop(params->conn);
97 hci_conn_put(params->conn);
101 if (!params->explicit_connect)
104 /* If the status indicates successful cancellation of
105 * the attempt (i.e. Unknown Connection Id) there's no point of
106 * notifying failure since we'll go back to keep trying to
107 * connect. The only exception is explicit connect requests
108 * where a timeout + cancel does indicate an actual failure.
110 if (status && status != HCI_ERROR_UNKNOWN_CONN_ID)
111 mgmt_connect_failed(hdev, &conn->dst, conn->type,
112 conn->dst_type, status);
114 /* The connection attempt was doing scan for new RPA, and is
115 * in scan phase. If params are not associated with any other
116 * autoconnect action, remove them completely. If they are, just unmark
117 * them as waiting for connection, by clearing explicit_connect field.
119 params->explicit_connect = false;
121 hci_pend_le_list_del_init(params);
123 switch (params->auto_connect) {
124 case HCI_AUTO_CONN_EXPLICIT:
125 hci_conn_params_del(hdev, bdaddr, bdaddr_type);
126 /* return instead of break to avoid duplicate scan update */
128 case HCI_AUTO_CONN_DIRECT:
129 case HCI_AUTO_CONN_ALWAYS:
130 hci_pend_le_list_add(params, &hdev->pend_le_conns);
132 case HCI_AUTO_CONN_REPORT:
133 hci_pend_le_list_add(params, &hdev->pend_le_reports);
139 hci_update_passive_scan(hdev);
142 static void hci_conn_cleanup(struct hci_conn *conn)
144 struct hci_dev *hdev = conn->hdev;
146 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
147 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);
149 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
150 hci_remove_link_key(hdev, &conn->dst);
152 hci_chan_list_flush(conn);
154 hci_conn_hash_del(hdev, conn);
159 if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
160 switch (conn->setting & SCO_AIRMODE_MASK) {
161 case SCO_AIRMODE_CVSD:
162 case SCO_AIRMODE_TRANSP:
164 hdev->notify(hdev, HCI_NOTIFY_DISABLE_SCO);
169 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
172 hci_conn_del_sysfs(conn);
174 debugfs_remove_recursive(conn->debugfs);
181 static void hci_acl_create_connection(struct hci_conn *conn)
183 struct hci_dev *hdev = conn->hdev;
184 struct inquiry_entry *ie;
185 struct hci_cp_create_conn cp;
187 BT_DBG("hcon %p", conn);
189 /* Many controllers disallow HCI Create Connection while it is doing
190 * HCI Inquiry. So we cancel the Inquiry first before issuing HCI Create
191 * Connection. This may cause the MGMT discovering state to become false
192 * without user space's request but it is okay since the MGMT Discovery
193 * APIs do not promise that discovery should be done forever. Instead,
194 * the user space monitors the status of MGMT discovering and it may
195 * request for discovery again when this flag becomes false.
197 if (test_bit(HCI_INQUIRY, &hdev->flags)) {
198 /* Put this connection to "pending" state so that it will be
199 * executed after the inquiry cancel command complete event.
201 conn->state = BT_CONNECT2;
202 hci_send_cmd(hdev, HCI_OP_INQUIRY_CANCEL, 0, NULL);
206 conn->state = BT_CONNECT;
208 conn->role = HCI_ROLE_MASTER;
212 conn->link_policy = hdev->link_policy;
214 memset(&cp, 0, sizeof(cp));
215 bacpy(&cp.bdaddr, &conn->dst);
216 cp.pscan_rep_mode = 0x02;
218 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
220 if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) {
221 cp.pscan_rep_mode = ie->data.pscan_rep_mode;
222 cp.pscan_mode = ie->data.pscan_mode;
223 cp.clock_offset = ie->data.clock_offset |
227 memcpy(conn->dev_class, ie->data.dev_class, 3);
230 cp.pkt_type = cpu_to_le16(conn->pkt_type);
231 if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER))
232 cp.role_switch = 0x01;
234 cp.role_switch = 0x00;
236 hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
239 int hci_disconnect(struct hci_conn *conn, __u8 reason)
241 BT_DBG("hcon %p", conn);
243 /* When we are central of an established connection and it enters
244 * the disconnect timeout, then go ahead and try to read the
245 * current clock offset. Processing of the result is done
246 * within the event handling and hci_clock_offset_evt function.
248 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER &&
249 (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) {
250 struct hci_dev *hdev = conn->hdev;
251 struct hci_cp_read_clock_offset clkoff_cp;
253 clkoff_cp.handle = cpu_to_le16(conn->handle);
254 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp),
258 return hci_abort_conn(conn, reason);
261 static void hci_add_sco(struct hci_conn *conn, __u16 handle)
263 struct hci_dev *hdev = conn->hdev;
264 struct hci_cp_add_sco cp;
266 BT_DBG("hcon %p", conn);
268 conn->state = BT_CONNECT;
273 cp.handle = cpu_to_le16(handle);
274 cp.pkt_type = cpu_to_le16(conn->pkt_type);
276 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
279 static bool find_next_esco_param(struct hci_conn *conn,
280 const struct sco_param *esco_param, int size)
285 for (; conn->attempt <= size; conn->attempt++) {
286 if (lmp_esco_2m_capable(conn->parent) ||
287 (esco_param[conn->attempt - 1].pkt_type & ESCO_2EV3))
289 BT_DBG("hcon %p skipped attempt %d, eSCO 2M not supported",
290 conn, conn->attempt);
293 return conn->attempt <= size;
296 static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec)
299 __u8 vnd_len, *vnd_data = NULL;
300 struct hci_op_configure_data_path *cmd = NULL;
302 err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len,
307 cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL);
313 err = hdev->get_data_path_id(hdev, &cmd->data_path_id);
317 cmd->vnd_len = vnd_len;
318 memcpy(cmd->vnd_data, vnd_data, vnd_len);
320 cmd->direction = 0x00;
321 __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
322 sizeof(*cmd) + vnd_len, cmd, HCI_CMD_TIMEOUT);
324 cmd->direction = 0x01;
325 err = __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
326 sizeof(*cmd) + vnd_len, cmd,
335 static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data)
337 struct conn_handle_t *conn_handle = data;
338 struct hci_conn *conn = conn_handle->conn;
339 __u16 handle = conn_handle->handle;
340 struct hci_cp_enhanced_setup_sync_conn cp;
341 const struct sco_param *param;
345 bt_dev_dbg(hdev, "hcon %p", conn);
347 /* for offload use case, codec needs to configured before opening SCO */
348 if (conn->codec.data_path)
349 configure_datapath_sync(hdev, &conn->codec);
351 conn->state = BT_CONNECT;
356 memset(&cp, 0x00, sizeof(cp));
358 cp.handle = cpu_to_le16(handle);
360 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
361 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
363 switch (conn->codec.id) {
365 if (!find_next_esco_param(conn, esco_param_msbc,
366 ARRAY_SIZE(esco_param_msbc)))
369 param = &esco_param_msbc[conn->attempt - 1];
370 cp.tx_coding_format.id = 0x05;
371 cp.rx_coding_format.id = 0x05;
372 cp.tx_codec_frame_size = __cpu_to_le16(60);
373 cp.rx_codec_frame_size = __cpu_to_le16(60);
374 cp.in_bandwidth = __cpu_to_le32(32000);
375 cp.out_bandwidth = __cpu_to_le32(32000);
376 cp.in_coding_format.id = 0x04;
377 cp.out_coding_format.id = 0x04;
378 cp.in_coded_data_size = __cpu_to_le16(16);
379 cp.out_coded_data_size = __cpu_to_le16(16);
380 cp.in_pcm_data_format = 2;
381 cp.out_pcm_data_format = 2;
382 cp.in_pcm_sample_payload_msb_pos = 0;
383 cp.out_pcm_sample_payload_msb_pos = 0;
384 cp.in_data_path = conn->codec.data_path;
385 cp.out_data_path = conn->codec.data_path;
386 cp.in_transport_unit_size = 1;
387 cp.out_transport_unit_size = 1;
390 case BT_CODEC_TRANSPARENT:
391 if (!find_next_esco_param(conn, esco_param_msbc,
392 ARRAY_SIZE(esco_param_msbc)))
394 param = &esco_param_msbc[conn->attempt - 1];
395 cp.tx_coding_format.id = 0x03;
396 cp.rx_coding_format.id = 0x03;
397 cp.tx_codec_frame_size = __cpu_to_le16(60);
398 cp.rx_codec_frame_size = __cpu_to_le16(60);
399 cp.in_bandwidth = __cpu_to_le32(0x1f40);
400 cp.out_bandwidth = __cpu_to_le32(0x1f40);
401 cp.in_coding_format.id = 0x03;
402 cp.out_coding_format.id = 0x03;
403 cp.in_coded_data_size = __cpu_to_le16(16);
404 cp.out_coded_data_size = __cpu_to_le16(16);
405 cp.in_pcm_data_format = 2;
406 cp.out_pcm_data_format = 2;
407 cp.in_pcm_sample_payload_msb_pos = 0;
408 cp.out_pcm_sample_payload_msb_pos = 0;
409 cp.in_data_path = conn->codec.data_path;
410 cp.out_data_path = conn->codec.data_path;
411 cp.in_transport_unit_size = 1;
412 cp.out_transport_unit_size = 1;
416 if (conn->parent && lmp_esco_capable(conn->parent)) {
417 if (!find_next_esco_param(conn, esco_param_cvsd,
418 ARRAY_SIZE(esco_param_cvsd)))
420 param = &esco_param_cvsd[conn->attempt - 1];
422 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
424 param = &sco_param_cvsd[conn->attempt - 1];
426 cp.tx_coding_format.id = 2;
427 cp.rx_coding_format.id = 2;
428 cp.tx_codec_frame_size = __cpu_to_le16(60);
429 cp.rx_codec_frame_size = __cpu_to_le16(60);
430 cp.in_bandwidth = __cpu_to_le32(16000);
431 cp.out_bandwidth = __cpu_to_le32(16000);
432 cp.in_coding_format.id = 4;
433 cp.out_coding_format.id = 4;
434 cp.in_coded_data_size = __cpu_to_le16(16);
435 cp.out_coded_data_size = __cpu_to_le16(16);
436 cp.in_pcm_data_format = 2;
437 cp.out_pcm_data_format = 2;
438 cp.in_pcm_sample_payload_msb_pos = 0;
439 cp.out_pcm_sample_payload_msb_pos = 0;
440 cp.in_data_path = conn->codec.data_path;
441 cp.out_data_path = conn->codec.data_path;
442 cp.in_transport_unit_size = 16;
443 cp.out_transport_unit_size = 16;
449 cp.retrans_effort = param->retrans_effort;
450 cp.pkt_type = __cpu_to_le16(param->pkt_type);
451 cp.max_latency = __cpu_to_le16(param->max_latency);
453 if (hci_send_cmd(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
459 static bool hci_setup_sync_conn(struct hci_conn *conn, __u16 handle)
461 struct hci_dev *hdev = conn->hdev;
462 struct hci_cp_setup_sync_conn cp;
463 const struct sco_param *param;
465 bt_dev_dbg(hdev, "hcon %p", conn);
467 conn->state = BT_CONNECT;
472 cp.handle = cpu_to_le16(handle);
474 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
475 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
476 cp.voice_setting = cpu_to_le16(conn->setting);
478 switch (conn->setting & SCO_AIRMODE_MASK) {
479 case SCO_AIRMODE_TRANSP:
480 if (!find_next_esco_param(conn, esco_param_msbc,
481 ARRAY_SIZE(esco_param_msbc)))
483 param = &esco_param_msbc[conn->attempt - 1];
485 case SCO_AIRMODE_CVSD:
486 if (conn->parent && lmp_esco_capable(conn->parent)) {
487 if (!find_next_esco_param(conn, esco_param_cvsd,
488 ARRAY_SIZE(esco_param_cvsd)))
490 param = &esco_param_cvsd[conn->attempt - 1];
492 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
494 param = &sco_param_cvsd[conn->attempt - 1];
501 cp.retrans_effort = param->retrans_effort;
502 cp.pkt_type = __cpu_to_le16(param->pkt_type);
503 cp.max_latency = __cpu_to_le16(param->max_latency);
505 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
511 bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
514 struct conn_handle_t *conn_handle;
516 if (enhanced_sync_conn_capable(conn->hdev)) {
517 conn_handle = kzalloc(sizeof(*conn_handle), GFP_KERNEL);
522 conn_handle->conn = conn;
523 conn_handle->handle = handle;
524 result = hci_cmd_sync_queue(conn->hdev, hci_enhanced_setup_sync,
532 return hci_setup_sync_conn(conn, handle);
535 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
538 struct hci_dev *hdev = conn->hdev;
539 struct hci_conn_params *params;
540 struct hci_cp_le_conn_update cp;
544 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
546 params->conn_min_interval = min;
547 params->conn_max_interval = max;
548 params->conn_latency = latency;
549 params->supervision_timeout = to_multiplier;
552 hci_dev_unlock(hdev);
554 memset(&cp, 0, sizeof(cp));
555 cp.handle = cpu_to_le16(conn->handle);
556 cp.conn_interval_min = cpu_to_le16(min);
557 cp.conn_interval_max = cpu_to_le16(max);
558 cp.conn_latency = cpu_to_le16(latency);
559 cp.supervision_timeout = cpu_to_le16(to_multiplier);
560 cp.min_ce_len = cpu_to_le16(0x0000);
561 cp.max_ce_len = cpu_to_le16(0x0000);
563 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
571 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
572 __u8 ltk[16], __u8 key_size)
574 struct hci_dev *hdev = conn->hdev;
575 struct hci_cp_le_start_enc cp;
577 BT_DBG("hcon %p", conn);
579 memset(&cp, 0, sizeof(cp));
581 cp.handle = cpu_to_le16(conn->handle);
584 memcpy(cp.ltk, ltk, key_size);
586 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
589 /* Device _must_ be locked */
590 void hci_sco_setup(struct hci_conn *conn, __u8 status)
592 struct hci_link *link;
594 link = list_first_entry_or_null(&conn->link_list, struct hci_link, list);
595 if (!link || !link->conn)
598 BT_DBG("hcon %p", conn);
601 if (lmp_esco_capable(conn->hdev))
602 hci_setup_sync(link->conn, conn->handle);
604 hci_add_sco(link->conn, conn->handle);
606 hci_connect_cfm(link->conn, status);
607 hci_conn_del(link->conn);
611 static void hci_conn_timeout(struct work_struct *work)
613 struct hci_conn *conn = container_of(work, struct hci_conn,
615 int refcnt = atomic_read(&conn->refcnt);
617 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
621 /* FIXME: It was observed that in pairing failed scenario, refcnt
622 * drops below 0. Probably this is because l2cap_conn_del calls
623 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
624 * dropped. After that loop hci_chan_del is called which also drops
625 * conn. For now make sure that ACL is alive if refcnt is higher then 0,
631 hci_abort_conn(conn, hci_proto_disconn_ind(conn));
634 /* Enter sniff mode */
635 static void hci_conn_idle(struct work_struct *work)
637 struct hci_conn *conn = container_of(work, struct hci_conn,
639 struct hci_dev *hdev = conn->hdev;
641 BT_DBG("hcon %p mode %d", conn, conn->mode);
643 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
646 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
649 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
650 struct hci_cp_sniff_subrate cp;
651 cp.handle = cpu_to_le16(conn->handle);
652 cp.max_latency = cpu_to_le16(0);
653 cp.min_remote_timeout = cpu_to_le16(0);
654 cp.min_local_timeout = cpu_to_le16(0);
655 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
658 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
659 struct hci_cp_sniff_mode cp;
660 cp.handle = cpu_to_le16(conn->handle);
661 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
662 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
663 cp.attempt = cpu_to_le16(4);
664 cp.timeout = cpu_to_le16(1);
665 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
669 static void hci_conn_auto_accept(struct work_struct *work)
671 struct hci_conn *conn = container_of(work, struct hci_conn,
672 auto_accept_work.work);
674 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
678 static void le_disable_advertising(struct hci_dev *hdev)
680 if (ext_adv_capable(hdev)) {
681 struct hci_cp_le_set_ext_adv_enable cp;
684 cp.num_of_sets = 0x00;
686 hci_send_cmd(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE, sizeof(cp),
690 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
695 static void le_conn_timeout(struct work_struct *work)
697 struct hci_conn *conn = container_of(work, struct hci_conn,
698 le_conn_timeout.work);
699 struct hci_dev *hdev = conn->hdev;
703 /* We could end up here due to having done directed advertising,
704 * so clean up the state if necessary. This should however only
705 * happen with broken hardware or if low duty cycle was used
706 * (which doesn't have a timeout of its own).
708 if (conn->role == HCI_ROLE_SLAVE) {
709 /* Disable LE Advertising */
710 le_disable_advertising(hdev);
712 hci_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
713 hci_dev_unlock(hdev);
717 hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
720 struct iso_cig_params {
721 struct hci_cp_le_set_cig_params cp;
722 struct hci_cis_params cis[0x1f];
725 struct iso_list_data {
736 struct iso_cig_params pdu;
740 static void bis_list(struct hci_conn *conn, void *data)
742 struct iso_list_data *d = data;
744 /* Skip if not broadcast/ANY address */
745 if (bacmp(&conn->dst, BDADDR_ANY))
748 if (d->big != conn->iso_qos.bcast.big || d->bis == BT_ISO_QOS_BIS_UNSET ||
749 d->bis != conn->iso_qos.bcast.bis)
755 static void find_bis(struct hci_conn *conn, void *data)
757 struct iso_list_data *d = data;
760 if (bacmp(&conn->dst, BDADDR_ANY))
766 static int terminate_big_sync(struct hci_dev *hdev, void *data)
768 struct iso_list_data *d = data;
770 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", d->big, d->bis);
772 hci_remove_ext_adv_instance_sync(hdev, d->bis, NULL);
774 /* Only terminate BIG if it has been created */
778 return hci_le_terminate_big_sync(hdev, d->big,
779 HCI_ERROR_LOCAL_HOST_TERM);
782 static void terminate_big_destroy(struct hci_dev *hdev, void *data, int err)
787 static int hci_le_terminate_big(struct hci_dev *hdev, struct hci_conn *conn)
789 struct iso_list_data *d;
792 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", conn->iso_qos.bcast.big,
793 conn->iso_qos.bcast.bis);
795 d = kzalloc(sizeof(*d), GFP_KERNEL);
799 d->big = conn->iso_qos.bcast.big;
800 d->bis = conn->iso_qos.bcast.bis;
801 d->big_term = test_and_clear_bit(HCI_CONN_BIG_CREATED, &conn->flags);
803 ret = hci_cmd_sync_queue(hdev, terminate_big_sync, d,
804 terminate_big_destroy);
811 static int big_terminate_sync(struct hci_dev *hdev, void *data)
813 struct iso_list_data *d = data;
815 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", d->big,
818 /* Check if ISO connection is a BIS and terminate BIG if there are
819 * no other connections using it.
821 hci_conn_hash_list_state(hdev, find_bis, ISO_LINK, BT_CONNECTED, d);
825 hci_le_big_terminate_sync(hdev, d->big);
827 return hci_le_pa_terminate_sync(hdev, d->sync_handle);
830 static int hci_le_big_terminate(struct hci_dev *hdev, u8 big, u16 sync_handle)
832 struct iso_list_data *d;
835 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", big, sync_handle);
837 d = kzalloc(sizeof(*d), GFP_KERNEL);
842 d->sync_handle = sync_handle;
844 ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d,
845 terminate_big_destroy);
852 /* Cleanup BIS connection
854 * Detects if there any BIS left connected in a BIG
855 * broadcaster: Remove advertising instance and terminate BIG.
856 * broadcaster receiver: Teminate BIG sync and terminate PA sync.
858 static void bis_cleanup(struct hci_conn *conn)
860 struct hci_dev *hdev = conn->hdev;
861 struct hci_conn *bis;
863 bt_dev_dbg(hdev, "conn %p", conn);
865 if (conn->role == HCI_ROLE_MASTER) {
866 if (!test_and_clear_bit(HCI_CONN_PER_ADV, &conn->flags))
869 /* Check if ISO connection is a BIS and terminate advertising
870 * set and BIG if there are no other connections using it.
872 bis = hci_conn_hash_lookup_big(hdev, conn->iso_qos.bcast.big);
876 hci_le_terminate_big(hdev, conn);
878 hci_le_big_terminate(hdev, conn->iso_qos.bcast.big,
883 static int remove_cig_sync(struct hci_dev *hdev, void *data)
885 u8 handle = PTR_ERR(data);
887 return hci_le_remove_cig_sync(hdev, handle);
890 static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle)
892 bt_dev_dbg(hdev, "handle 0x%2.2x", handle);
894 return hci_cmd_sync_queue(hdev, remove_cig_sync, ERR_PTR(handle), NULL);
897 static void find_cis(struct hci_conn *conn, void *data)
899 struct iso_list_data *d = data;
901 /* Ignore broadcast or if CIG don't match */
902 if (!bacmp(&conn->dst, BDADDR_ANY) || d->cig != conn->iso_qos.ucast.cig)
908 /* Cleanup CIS connection:
910 * Detects if there any CIS left connected in a CIG and remove it.
912 static void cis_cleanup(struct hci_conn *conn)
914 struct hci_dev *hdev = conn->hdev;
915 struct iso_list_data d;
917 if (conn->iso_qos.ucast.cig == BT_ISO_QOS_CIG_UNSET)
920 memset(&d, 0, sizeof(d));
921 d.cig = conn->iso_qos.ucast.cig;
923 /* Check if ISO connection is a CIS and remove CIG if there are
924 * no other connections using it.
926 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_BOUND, &d);
927 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECT, &d);
928 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECTED, &d);
932 hci_le_remove_cig(hdev, conn->iso_qos.ucast.cig);
935 static u16 hci_conn_hash_alloc_unset(struct hci_dev *hdev)
937 struct hci_conn_hash *h = &hdev->conn_hash;
939 u16 handle = HCI_CONN_HANDLE_MAX + 1;
943 list_for_each_entry_rcu(c, &h->list, list) {
944 /* Find the first unused handle */
945 if (handle == 0xffff || c->handle != handle)
954 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
957 struct hci_conn *conn;
959 BT_DBG("%s dst %pMR", hdev->name, dst);
961 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
965 bacpy(&conn->dst, dst);
966 bacpy(&conn->src, &hdev->bdaddr);
967 conn->handle = hci_conn_hash_alloc_unset(hdev);
971 conn->mode = HCI_CM_ACTIVE;
972 conn->state = BT_OPEN;
973 conn->auth_type = HCI_AT_GENERAL_BONDING;
974 conn->io_capability = hdev->io_capability;
975 conn->remote_auth = 0xff;
976 conn->key_type = 0xff;
977 conn->rssi = HCI_RSSI_INVALID;
978 conn->tx_power = HCI_TX_POWER_INVALID;
979 conn->max_tx_power = HCI_TX_POWER_INVALID;
981 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
982 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
984 /* Set Default Authenticated payload timeout to 30s */
985 conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
987 if (conn->role == HCI_ROLE_MASTER)
992 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
995 /* conn->src should reflect the local identity address */
996 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
999 /* conn->src should reflect the local identity address */
1000 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
1002 /* set proper cleanup function */
1003 if (!bacmp(dst, BDADDR_ANY))
1004 conn->cleanup = bis_cleanup;
1005 else if (conn->role == HCI_ROLE_MASTER)
1006 conn->cleanup = cis_cleanup;
1010 if (lmp_esco_capable(hdev))
1011 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
1012 (hdev->esco_type & EDR_ESCO_MASK);
1014 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
1017 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
1021 skb_queue_head_init(&conn->data_q);
1023 INIT_LIST_HEAD(&conn->chan_list);
1024 INIT_LIST_HEAD(&conn->link_list);
1026 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
1027 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
1028 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
1029 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
1031 atomic_set(&conn->refcnt, 0);
1035 hci_conn_hash_add(hdev, conn);
1037 /* The SCO and eSCO connections will only be notified when their
1038 * setup has been completed. This is different to ACL links which
1039 * can be notified right away.
1041 if (conn->type != SCO_LINK && conn->type != ESCO_LINK) {
1043 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
1046 hci_conn_init_sysfs(conn);
1051 static void hci_conn_unlink(struct hci_conn *conn)
1053 struct hci_dev *hdev = conn->hdev;
1055 bt_dev_dbg(hdev, "hcon %p", conn);
1057 if (!conn->parent) {
1058 struct hci_link *link, *t;
1060 list_for_each_entry_safe(link, t, &conn->link_list, list) {
1061 struct hci_conn *child = link->conn;
1063 hci_conn_unlink(child);
1065 /* If hdev is down it means
1066 * hci_dev_close_sync/hci_conn_hash_flush is in progress
1067 * and links don't need to be cleanup as all connections
1070 if (!test_bit(HCI_UP, &hdev->flags))
1073 /* Due to race, SCO connection might be not established
1074 * yet at this point. Delete it now, otherwise it is
1075 * possible for it to be stuck and can't be deleted.
1077 if ((child->type == SCO_LINK ||
1078 child->type == ESCO_LINK) &&
1079 HCI_CONN_HANDLE_UNSET(child->handle))
1080 hci_conn_del(child);
1089 list_del_rcu(&conn->link->list);
1092 hci_conn_drop(conn->parent);
1093 hci_conn_put(conn->parent);
1094 conn->parent = NULL;
1100 void hci_conn_del(struct hci_conn *conn)
1102 struct hci_dev *hdev = conn->hdev;
1104 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
1106 hci_conn_unlink(conn);
1108 cancel_delayed_work_sync(&conn->disc_work);
1109 cancel_delayed_work_sync(&conn->auto_accept_work);
1110 cancel_delayed_work_sync(&conn->idle_work);
1112 if (conn->type == ACL_LINK) {
1113 /* Unacked frames */
1114 hdev->acl_cnt += conn->sent;
1115 } else if (conn->type == LE_LINK) {
1116 cancel_delayed_work(&conn->le_conn_timeout);
1119 hdev->le_cnt += conn->sent;
1121 hdev->acl_cnt += conn->sent;
1123 /* Unacked ISO frames */
1124 if (conn->type == ISO_LINK) {
1126 hdev->iso_cnt += conn->sent;
1127 else if (hdev->le_pkts)
1128 hdev->le_cnt += conn->sent;
1130 hdev->acl_cnt += conn->sent;
1135 amp_mgr_put(conn->amp_mgr);
1137 skb_queue_purge(&conn->data_q);
1139 /* Remove the connection from the list and cleanup its remaining
1140 * state. This is a separate function since for some cases like
1141 * BT_CONNECT_SCAN we *only* want the cleanup part without the
1142 * rest of hci_conn_del.
1144 hci_conn_cleanup(conn);
1147 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type)
1149 int use_src = bacmp(src, BDADDR_ANY);
1150 struct hci_dev *hdev = NULL, *d;
1152 BT_DBG("%pMR -> %pMR", src, dst);
1154 read_lock(&hci_dev_list_lock);
1156 list_for_each_entry(d, &hci_dev_list, list) {
1157 if (!test_bit(HCI_UP, &d->flags) ||
1158 hci_dev_test_flag(d, HCI_USER_CHANNEL) ||
1159 d->dev_type != HCI_PRIMARY)
1163 * No source address - find interface with bdaddr != dst
1164 * Source address - find interface with bdaddr == src
1171 if (src_type == BDADDR_BREDR) {
1172 if (!lmp_bredr_capable(d))
1174 bacpy(&id_addr, &d->bdaddr);
1175 id_addr_type = BDADDR_BREDR;
1177 if (!lmp_le_capable(d))
1180 hci_copy_identity_address(d, &id_addr,
1183 /* Convert from HCI to three-value type */
1184 if (id_addr_type == ADDR_LE_DEV_PUBLIC)
1185 id_addr_type = BDADDR_LE_PUBLIC;
1187 id_addr_type = BDADDR_LE_RANDOM;
1190 if (!bacmp(&id_addr, src) && id_addr_type == src_type) {
1194 if (bacmp(&d->bdaddr, dst)) {
1201 hdev = hci_dev_hold(hdev);
1203 read_unlock(&hci_dev_list_lock);
1206 EXPORT_SYMBOL(hci_get_route);
1208 /* This function requires the caller holds hdev->lock */
1209 static void hci_le_conn_failed(struct hci_conn *conn, u8 status)
1211 struct hci_dev *hdev = conn->hdev;
1213 hci_connect_le_scan_cleanup(conn, status);
1215 /* Enable advertising in case this was a failed connection
1216 * attempt as a peripheral.
1218 hci_enable_advertising(hdev);
1221 /* This function requires the caller holds hdev->lock */
1222 void hci_conn_failed(struct hci_conn *conn, u8 status)
1224 struct hci_dev *hdev = conn->hdev;
1226 bt_dev_dbg(hdev, "status 0x%2.2x", status);
1228 switch (conn->type) {
1230 hci_le_conn_failed(conn, status);
1233 mgmt_connect_failed(hdev, &conn->dst, conn->type,
1234 conn->dst_type, status);
1238 conn->state = BT_CLOSED;
1239 hci_connect_cfm(conn, status);
1243 static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
1245 struct hci_conn *conn;
1246 u16 handle = PTR_ERR(data);
1248 conn = hci_conn_hash_lookup_handle(hdev, handle);
1252 bt_dev_dbg(hdev, "err %d", err);
1257 hci_connect_le_scan_cleanup(conn, 0x00);
1261 /* Check if connection is still pending */
1262 if (conn != hci_lookup_le_connect(hdev))
1265 /* Flush to make sure we send create conn cancel command if needed */
1266 flush_delayed_work(&conn->le_conn_timeout);
1267 hci_conn_failed(conn, bt_status(err));
1270 hci_dev_unlock(hdev);
1273 static int hci_connect_le_sync(struct hci_dev *hdev, void *data)
1275 struct hci_conn *conn;
1276 u16 handle = PTR_ERR(data);
1278 conn = hci_conn_hash_lookup_handle(hdev, handle);
1282 bt_dev_dbg(hdev, "conn %p", conn);
1284 conn->state = BT_CONNECT;
1286 return hci_le_create_conn_sync(hdev, conn);
1289 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
1290 u8 dst_type, bool dst_resolved, u8 sec_level,
1291 u16 conn_timeout, u8 role)
1293 struct hci_conn *conn;
1294 struct smp_irk *irk;
1297 /* Let's make sure that le is enabled.*/
1298 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1299 if (lmp_le_capable(hdev))
1300 return ERR_PTR(-ECONNREFUSED);
1302 return ERR_PTR(-EOPNOTSUPP);
1305 /* Since the controller supports only one LE connection attempt at a
1306 * time, we return -EBUSY if there is any connection attempt running.
1308 if (hci_lookup_le_connect(hdev))
1309 return ERR_PTR(-EBUSY);
1311 /* If there's already a connection object but it's not in
1312 * scanning state it means it must already be established, in
1313 * which case we can't do anything else except report a failure
1316 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1317 if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) {
1318 return ERR_PTR(-EBUSY);
1321 /* Check if the destination address has been resolved by the controller
1322 * since if it did then the identity address shall be used.
1324 if (!dst_resolved) {
1325 /* When given an identity address with existing identity
1326 * resolving key, the connection needs to be established
1327 * to a resolvable random address.
1329 * Storing the resolvable random address is required here
1330 * to handle connection failures. The address will later
1331 * be resolved back into the original identity address
1332 * from the connect request.
1334 irk = hci_find_irk_by_addr(hdev, dst, dst_type);
1335 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
1337 dst_type = ADDR_LE_DEV_RANDOM;
1342 bacpy(&conn->dst, dst);
1344 conn = hci_conn_add(hdev, LE_LINK, dst, role);
1346 return ERR_PTR(-ENOMEM);
1347 hci_conn_hold(conn);
1348 conn->pending_sec_level = sec_level;
1351 conn->dst_type = dst_type;
1352 conn->sec_level = BT_SECURITY_LOW;
1353 conn->conn_timeout = conn_timeout;
1355 clear_bit(HCI_CONN_SCANNING, &conn->flags);
1357 err = hci_cmd_sync_queue(hdev, hci_connect_le_sync,
1358 ERR_PTR(conn->handle),
1359 create_le_conn_complete);
1362 return ERR_PTR(err);
1368 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
1370 struct hci_conn *conn;
1372 conn = hci_conn_hash_lookup_le(hdev, addr, type);
1376 if (conn->state != BT_CONNECTED)
1382 /* This function requires the caller holds hdev->lock */
1383 static int hci_explicit_conn_params_set(struct hci_dev *hdev,
1384 bdaddr_t *addr, u8 addr_type)
1386 struct hci_conn_params *params;
1388 if (is_connected(hdev, addr, addr_type))
1391 params = hci_conn_params_lookup(hdev, addr, addr_type);
1393 params = hci_conn_params_add(hdev, addr, addr_type);
1397 /* If we created new params, mark them to be deleted in
1398 * hci_connect_le_scan_cleanup. It's different case than
1399 * existing disabled params, those will stay after cleanup.
1401 params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
1404 /* We're trying to connect, so make sure params are at pend_le_conns */
1405 if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
1406 params->auto_connect == HCI_AUTO_CONN_REPORT ||
1407 params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
1408 hci_pend_le_list_del_init(params);
1409 hci_pend_le_list_add(params, &hdev->pend_le_conns);
1412 params->explicit_connect = true;
1414 BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
1415 params->auto_connect);
1420 static int qos_set_big(struct hci_dev *hdev, struct bt_iso_qos *qos)
1422 struct hci_conn *conn;
1425 /* Allocate a BIG if not set */
1426 if (qos->bcast.big == BT_ISO_QOS_BIG_UNSET) {
1427 for (big = 0x00; big < 0xef; big++) {
1429 conn = hci_conn_hash_lookup_big(hdev, big);
1435 return -EADDRNOTAVAIL;
1438 qos->bcast.big = big;
1444 static int qos_set_bis(struct hci_dev *hdev, struct bt_iso_qos *qos)
1446 struct hci_conn *conn;
1449 /* Allocate BIS if not set */
1450 if (qos->bcast.bis == BT_ISO_QOS_BIS_UNSET) {
1451 /* Find an unused adv set to advertise BIS, skip instance 0x00
1452 * since it is reserved as general purpose set.
1454 for (bis = 0x01; bis < hdev->le_num_of_adv_sets;
1457 conn = hci_conn_hash_lookup_bis(hdev, BDADDR_ANY, bis);
1462 if (bis == hdev->le_num_of_adv_sets)
1463 return -EADDRNOTAVAIL;
1466 qos->bcast.bis = bis;
1472 /* This function requires the caller holds hdev->lock */
1473 static struct hci_conn *hci_add_bis(struct hci_dev *hdev, bdaddr_t *dst,
1474 struct bt_iso_qos *qos, __u8 base_len,
1477 struct hci_conn *conn;
1480 /* Let's make sure that le is enabled.*/
1481 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1482 if (lmp_le_capable(hdev))
1483 return ERR_PTR(-ECONNREFUSED);
1484 return ERR_PTR(-EOPNOTSUPP);
1487 err = qos_set_big(hdev, qos);
1489 return ERR_PTR(err);
1491 err = qos_set_bis(hdev, qos);
1493 return ERR_PTR(err);
1495 /* Check if the LE Create BIG command has already been sent */
1496 conn = hci_conn_hash_lookup_per_adv_bis(hdev, dst, qos->bcast.big,
1499 return ERR_PTR(-EADDRINUSE);
1501 /* Check BIS settings against other bound BISes, since all
1502 * BISes in a BIG must have the same value for all parameters
1504 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big);
1506 if (conn && (memcmp(qos, &conn->iso_qos, sizeof(*qos)) ||
1507 base_len != conn->le_per_adv_data_len ||
1508 memcmp(conn->le_per_adv_data, base, base_len)))
1509 return ERR_PTR(-EADDRINUSE);
1511 conn = hci_conn_add(hdev, ISO_LINK, dst, HCI_ROLE_MASTER);
1513 return ERR_PTR(-ENOMEM);
1515 conn->state = BT_CONNECT;
1517 hci_conn_hold(conn);
1521 /* This function requires the caller holds hdev->lock */
1522 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
1523 u8 dst_type, u8 sec_level,
1525 enum conn_reasons conn_reason)
1527 struct hci_conn *conn;
1529 /* Let's make sure that le is enabled.*/
1530 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1531 if (lmp_le_capable(hdev))
1532 return ERR_PTR(-ECONNREFUSED);
1534 return ERR_PTR(-EOPNOTSUPP);
1537 /* Some devices send ATT messages as soon as the physical link is
1538 * established. To be able to handle these ATT messages, the user-
1539 * space first establishes the connection and then starts the pairing
1542 * So if a hci_conn object already exists for the following connection
1543 * attempt, we simply update pending_sec_level and auth_type fields
1544 * and return the object found.
1546 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1548 if (conn->pending_sec_level < sec_level)
1549 conn->pending_sec_level = sec_level;
1553 BT_DBG("requesting refresh of dst_addr");
1555 conn = hci_conn_add(hdev, LE_LINK, dst, HCI_ROLE_MASTER);
1557 return ERR_PTR(-ENOMEM);
1559 if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) {
1561 return ERR_PTR(-EBUSY);
1564 conn->state = BT_CONNECT;
1565 set_bit(HCI_CONN_SCANNING, &conn->flags);
1566 conn->dst_type = dst_type;
1567 conn->sec_level = BT_SECURITY_LOW;
1568 conn->pending_sec_level = sec_level;
1569 conn->conn_timeout = conn_timeout;
1570 conn->conn_reason = conn_reason;
1572 hci_update_passive_scan(hdev);
1575 hci_conn_hold(conn);
1579 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
1580 u8 sec_level, u8 auth_type,
1581 enum conn_reasons conn_reason)
1583 struct hci_conn *acl;
1585 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1586 if (lmp_bredr_capable(hdev))
1587 return ERR_PTR(-ECONNREFUSED);
1589 return ERR_PTR(-EOPNOTSUPP);
1592 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
1594 acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
1596 return ERR_PTR(-ENOMEM);
1601 acl->conn_reason = conn_reason;
1602 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
1603 acl->sec_level = BT_SECURITY_LOW;
1604 acl->pending_sec_level = sec_level;
1605 acl->auth_type = auth_type;
1606 hci_acl_create_connection(acl);
1612 static struct hci_link *hci_conn_link(struct hci_conn *parent,
1613 struct hci_conn *conn)
1615 struct hci_dev *hdev = parent->hdev;
1616 struct hci_link *link;
1618 bt_dev_dbg(hdev, "parent %p hcon %p", parent, conn);
1626 link = kzalloc(sizeof(*link), GFP_KERNEL);
1630 link->conn = hci_conn_hold(conn);
1632 conn->parent = hci_conn_get(parent);
1634 /* Use list_add_tail_rcu append to the list */
1635 list_add_tail_rcu(&link->list, &parent->link_list);
1640 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
1641 __u16 setting, struct bt_codec *codec)
1643 struct hci_conn *acl;
1644 struct hci_conn *sco;
1645 struct hci_link *link;
1647 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING,
1648 CONN_REASON_SCO_CONNECT);
1652 sco = hci_conn_hash_lookup_ba(hdev, type, dst);
1654 sco = hci_conn_add(hdev, type, dst, HCI_ROLE_MASTER);
1657 return ERR_PTR(-ENOMEM);
1661 link = hci_conn_link(acl, sco);
1665 return ERR_PTR(-ENOLINK);
1668 sco->setting = setting;
1669 sco->codec = *codec;
1671 if (acl->state == BT_CONNECTED &&
1672 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
1673 set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
1674 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
1676 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
1677 /* defer SCO setup until mode change completed */
1678 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
1682 hci_sco_setup(acl, 0x00);
1688 static void cis_add(struct iso_list_data *d, struct bt_iso_qos *qos)
1690 struct hci_cis_params *cis = &d->pdu.cis[d->pdu.cp.num_cis];
1692 cis->cis_id = qos->ucast.cis;
1693 cis->c_sdu = cpu_to_le16(qos->ucast.out.sdu);
1694 cis->p_sdu = cpu_to_le16(qos->ucast.in.sdu);
1695 cis->c_phy = qos->ucast.out.phy ? qos->ucast.out.phy : qos->ucast.in.phy;
1696 cis->p_phy = qos->ucast.in.phy ? qos->ucast.in.phy : qos->ucast.out.phy;
1697 cis->c_rtn = qos->ucast.out.rtn;
1698 cis->p_rtn = qos->ucast.in.rtn;
1700 d->pdu.cp.num_cis++;
1703 static void cis_list(struct hci_conn *conn, void *data)
1705 struct iso_list_data *d = data;
1707 /* Skip if broadcast/ANY address */
1708 if (!bacmp(&conn->dst, BDADDR_ANY))
1711 if (d->cig != conn->iso_qos.ucast.cig || d->cis == BT_ISO_QOS_CIS_UNSET ||
1712 d->cis != conn->iso_qos.ucast.cis)
1717 if (d->pdu.cp.cig_id == BT_ISO_QOS_CIG_UNSET ||
1718 d->count >= ARRAY_SIZE(d->pdu.cis))
1721 cis_add(d, &conn->iso_qos);
1724 static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos)
1726 struct hci_dev *hdev = conn->hdev;
1727 struct hci_cp_le_create_big cp;
1728 struct iso_list_data data;
1730 memset(&cp, 0, sizeof(cp));
1732 data.big = qos->bcast.big;
1733 data.bis = qos->bcast.bis;
1736 /* Create a BIS for each bound connection */
1737 hci_conn_hash_list_state(hdev, bis_list, ISO_LINK,
1740 cp.handle = qos->bcast.big;
1741 cp.adv_handle = qos->bcast.bis;
1742 cp.num_bis = data.count;
1743 hci_cpu_to_le24(qos->bcast.out.interval, cp.bis.sdu_interval);
1744 cp.bis.sdu = cpu_to_le16(qos->bcast.out.sdu);
1745 cp.bis.latency = cpu_to_le16(qos->bcast.out.latency);
1746 cp.bis.rtn = qos->bcast.out.rtn;
1747 cp.bis.phy = qos->bcast.out.phy;
1748 cp.bis.packing = qos->bcast.packing;
1749 cp.bis.framing = qos->bcast.framing;
1750 cp.bis.encryption = qos->bcast.encryption;
1751 memcpy(cp.bis.bcode, qos->bcast.bcode, sizeof(cp.bis.bcode));
1753 return hci_send_cmd(hdev, HCI_OP_LE_CREATE_BIG, sizeof(cp), &cp);
1756 static void set_cig_params_complete(struct hci_dev *hdev, void *data, int err)
1758 struct iso_cig_params *pdu = data;
1760 bt_dev_dbg(hdev, "");
1763 bt_dev_err(hdev, "Unable to set CIG parameters: %d", err);
1768 static int set_cig_params_sync(struct hci_dev *hdev, void *data)
1770 struct iso_cig_params *pdu = data;
1773 plen = sizeof(pdu->cp) + pdu->cp.num_cis * sizeof(pdu->cis[0]);
1774 return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_CIG_PARAMS, plen, pdu,
1778 static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos)
1780 struct hci_dev *hdev = conn->hdev;
1781 struct iso_list_data data;
1782 struct iso_cig_params *pdu;
1784 memset(&data, 0, sizeof(data));
1786 /* Allocate first still reconfigurable CIG if not set */
1787 if (qos->ucast.cig == BT_ISO_QOS_CIG_UNSET) {
1788 for (data.cig = 0x00; data.cig < 0xf0; data.cig++) {
1791 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK,
1796 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK,
1797 BT_CONNECTED, &data);
1802 if (data.cig == 0xf0)
1806 qos->ucast.cig = data.cig;
1809 data.pdu.cp.cig_id = qos->ucast.cig;
1810 hci_cpu_to_le24(qos->ucast.out.interval, data.pdu.cp.c_interval);
1811 hci_cpu_to_le24(qos->ucast.in.interval, data.pdu.cp.p_interval);
1812 data.pdu.cp.sca = qos->ucast.sca;
1813 data.pdu.cp.packing = qos->ucast.packing;
1814 data.pdu.cp.framing = qos->ucast.framing;
1815 data.pdu.cp.c_latency = cpu_to_le16(qos->ucast.out.latency);
1816 data.pdu.cp.p_latency = cpu_to_le16(qos->ucast.in.latency);
1818 if (qos->ucast.cis != BT_ISO_QOS_CIS_UNSET) {
1820 data.cig = qos->ucast.cig;
1821 data.cis = qos->ucast.cis;
1823 hci_conn_hash_list_state(hdev, cis_list, ISO_LINK, BT_BOUND,
1828 cis_add(&data, qos);
1831 /* Reprogram all CIS(s) with the same CIG */
1832 for (data.cig = qos->ucast.cig, data.cis = 0x00; data.cis < 0x11;
1836 hci_conn_hash_list_state(hdev, cis_list, ISO_LINK, BT_BOUND,
1841 /* Allocate a CIS if not set */
1842 if (qos->ucast.cis == BT_ISO_QOS_CIS_UNSET) {
1844 qos->ucast.cis = data.cis;
1845 cis_add(&data, qos);
1849 if (qos->ucast.cis == BT_ISO_QOS_CIS_UNSET || !data.pdu.cp.num_cis)
1852 pdu = kmemdup(&data.pdu, sizeof(*pdu), GFP_KERNEL);
1856 if (hci_cmd_sync_queue(hdev, set_cig_params_sync, pdu,
1857 set_cig_params_complete) < 0) {
1865 struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst,
1866 __u8 dst_type, struct bt_iso_qos *qos)
1868 struct hci_conn *cis;
1870 cis = hci_conn_hash_lookup_cis(hdev, dst, dst_type, qos->ucast.cig,
1873 cis = hci_conn_add(hdev, ISO_LINK, dst, HCI_ROLE_MASTER);
1875 return ERR_PTR(-ENOMEM);
1876 cis->cleanup = cis_cleanup;
1877 cis->dst_type = dst_type;
1880 if (cis->state == BT_CONNECTED)
1883 /* Check if CIS has been set and the settings matches */
1884 if (cis->state == BT_BOUND &&
1885 !memcmp(&cis->iso_qos, qos, sizeof(*qos)))
1888 /* Update LINK PHYs according to QoS preference */
1889 cis->le_tx_phy = qos->ucast.out.phy;
1890 cis->le_rx_phy = qos->ucast.in.phy;
1892 /* If output interval is not set use the input interval as it cannot be
1895 if (!qos->ucast.out.interval)
1896 qos->ucast.out.interval = qos->ucast.in.interval;
1898 /* If input interval is not set use the output interval as it cannot be
1901 if (!qos->ucast.in.interval)
1902 qos->ucast.in.interval = qos->ucast.out.interval;
1904 /* If output latency is not set use the input latency as it cannot be
1907 if (!qos->ucast.out.latency)
1908 qos->ucast.out.latency = qos->ucast.in.latency;
1910 /* If input latency is not set use the output latency as it cannot be
1913 if (!qos->ucast.in.latency)
1914 qos->ucast.in.latency = qos->ucast.out.latency;
1916 if (!hci_le_set_cig_params(cis, qos)) {
1918 return ERR_PTR(-EINVAL);
1921 cis->iso_qos = *qos;
1922 cis->state = BT_BOUND;
1927 bool hci_iso_setup_path(struct hci_conn *conn)
1929 struct hci_dev *hdev = conn->hdev;
1930 struct hci_cp_le_setup_iso_path cmd;
1932 memset(&cmd, 0, sizeof(cmd));
1934 if (conn->iso_qos.ucast.out.sdu) {
1935 cmd.handle = cpu_to_le16(conn->handle);
1936 cmd.direction = 0x00; /* Input (Host to Controller) */
1937 cmd.path = 0x00; /* HCI path if enabled */
1938 cmd.codec = 0x03; /* Transparent Data */
1940 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
1945 if (conn->iso_qos.ucast.in.sdu) {
1946 cmd.handle = cpu_to_le16(conn->handle);
1947 cmd.direction = 0x01; /* Output (Controller to Host) */
1948 cmd.path = 0x00; /* HCI path if enabled */
1949 cmd.codec = 0x03; /* Transparent Data */
1951 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
1959 int hci_conn_check_create_cis(struct hci_conn *conn)
1961 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY))
1964 if (!conn->parent || conn->parent->state != BT_CONNECTED ||
1965 conn->state != BT_CONNECT || HCI_CONN_HANDLE_UNSET(conn->handle))
1971 static int hci_create_cis_sync(struct hci_dev *hdev, void *data)
1973 return hci_le_create_cis_sync(hdev);
1976 int hci_le_create_cis_pending(struct hci_dev *hdev)
1978 struct hci_conn *conn;
1979 bool pending = false;
1983 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
1984 if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) {
1989 if (!hci_conn_check_create_cis(conn))
1998 /* Queue Create CIS */
1999 return hci_cmd_sync_queue(hdev, hci_create_cis_sync, NULL, NULL);
2002 static void hci_iso_qos_setup(struct hci_dev *hdev, struct hci_conn *conn,
2003 struct bt_iso_io_qos *qos, __u8 phy)
2005 /* Only set MTU if PHY is enabled */
2006 if (!qos->sdu && qos->phy) {
2007 if (hdev->iso_mtu > 0)
2008 qos->sdu = hdev->iso_mtu;
2009 else if (hdev->le_mtu > 0)
2010 qos->sdu = hdev->le_mtu;
2012 qos->sdu = hdev->acl_mtu;
2015 /* Use the same PHY as ACL if set to any */
2016 if (qos->phy == BT_ISO_PHY_ANY)
2019 /* Use LE ACL connection interval if not set */
2021 /* ACL interval unit in 1.25 ms to us */
2022 qos->interval = conn->le_conn_interval * 1250;
2024 /* Use LE ACL connection latency if not set */
2026 qos->latency = conn->le_conn_latency;
2029 static int create_big_sync(struct hci_dev *hdev, void *data)
2031 struct hci_conn *conn = data;
2032 struct bt_iso_qos *qos = &conn->iso_qos;
2033 u16 interval, sync_interval = 0;
2037 if (qos->bcast.out.phy == 0x02)
2038 flags |= MGMT_ADV_FLAG_SEC_2M;
2040 /* Align intervals */
2041 interval = (qos->bcast.out.interval / 1250) * qos->bcast.sync_factor;
2044 sync_interval = interval * 4;
2046 err = hci_start_per_adv_sync(hdev, qos->bcast.bis, conn->le_per_adv_data_len,
2047 conn->le_per_adv_data, flags, interval,
2048 interval, sync_interval);
2052 return hci_le_create_big(conn, &conn->iso_qos);
2055 static void create_pa_complete(struct hci_dev *hdev, void *data, int err)
2057 struct hci_cp_le_pa_create_sync *cp = data;
2059 bt_dev_dbg(hdev, "");
2062 bt_dev_err(hdev, "Unable to create PA: %d", err);
2067 static int create_pa_sync(struct hci_dev *hdev, void *data)
2069 struct hci_cp_le_pa_create_sync *cp = data;
2072 err = __hci_cmd_sync_status(hdev, HCI_OP_LE_PA_CREATE_SYNC,
2073 sizeof(*cp), cp, HCI_CMD_TIMEOUT);
2075 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
2079 return hci_update_passive_scan_sync(hdev);
2082 int hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst, __u8 dst_type,
2083 __u8 sid, struct bt_iso_qos *qos)
2085 struct hci_cp_le_pa_create_sync *cp;
2087 if (hci_dev_test_and_set_flag(hdev, HCI_PA_SYNC))
2090 cp = kzalloc(sizeof(*cp), GFP_KERNEL);
2092 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
2096 cp->options = qos->bcast.options;
2098 cp->addr_type = dst_type;
2099 bacpy(&cp->addr, dst);
2100 cp->skip = cpu_to_le16(qos->bcast.skip);
2101 cp->sync_timeout = cpu_to_le16(qos->bcast.sync_timeout);
2102 cp->sync_cte_type = qos->bcast.sync_cte_type;
2104 /* Queue start pa_create_sync and scan */
2105 return hci_cmd_sync_queue(hdev, create_pa_sync, cp, create_pa_complete);
2108 int hci_le_big_create_sync(struct hci_dev *hdev, struct bt_iso_qos *qos,
2109 __u16 sync_handle, __u8 num_bis, __u8 bis[])
2112 struct hci_cp_le_big_create_sync cp;
2117 if (num_bis > sizeof(pdu.bis))
2120 err = qos_set_big(hdev, qos);
2124 memset(&pdu, 0, sizeof(pdu));
2125 pdu.cp.handle = qos->bcast.big;
2126 pdu.cp.sync_handle = cpu_to_le16(sync_handle);
2127 pdu.cp.encryption = qos->bcast.encryption;
2128 memcpy(pdu.cp.bcode, qos->bcast.bcode, sizeof(pdu.cp.bcode));
2129 pdu.cp.mse = qos->bcast.mse;
2130 pdu.cp.timeout = cpu_to_le16(qos->bcast.timeout);
2131 pdu.cp.num_bis = num_bis;
2132 memcpy(pdu.bis, bis, num_bis);
2134 return hci_send_cmd(hdev, HCI_OP_LE_BIG_CREATE_SYNC,
2135 sizeof(pdu.cp) + num_bis, &pdu);
2138 static void create_big_complete(struct hci_dev *hdev, void *data, int err)
2140 struct hci_conn *conn = data;
2142 bt_dev_dbg(hdev, "conn %p", conn);
2145 bt_dev_err(hdev, "Unable to create BIG: %d", err);
2146 hci_connect_cfm(conn, err);
2151 struct hci_conn *hci_bind_bis(struct hci_dev *hdev, bdaddr_t *dst,
2152 struct bt_iso_qos *qos,
2153 __u8 base_len, __u8 *base)
2155 struct hci_conn *conn;
2156 __u8 eir[HCI_MAX_PER_AD_LENGTH];
2158 if (base_len && base)
2159 base_len = eir_append_service_data(eir, 0, 0x1851,
2162 /* We need hci_conn object using the BDADDR_ANY as dst */
2163 conn = hci_add_bis(hdev, dst, qos, base_len, eir);
2167 /* Update LINK PHYs according to QoS preference */
2168 conn->le_tx_phy = qos->bcast.out.phy;
2169 conn->le_tx_phy = qos->bcast.out.phy;
2171 /* Add Basic Announcement into Peridic Adv Data if BASE is set */
2172 if (base_len && base) {
2173 memcpy(conn->le_per_adv_data, eir, sizeof(eir));
2174 conn->le_per_adv_data_len = base_len;
2177 hci_iso_qos_setup(hdev, conn, &qos->bcast.out,
2178 conn->le_tx_phy ? conn->le_tx_phy :
2179 hdev->le_tx_def_phys);
2181 conn->iso_qos = *qos;
2182 conn->state = BT_BOUND;
2187 static void bis_mark_per_adv(struct hci_conn *conn, void *data)
2189 struct iso_list_data *d = data;
2191 /* Skip if not broadcast/ANY address */
2192 if (bacmp(&conn->dst, BDADDR_ANY))
2195 if (d->big != conn->iso_qos.bcast.big ||
2196 d->bis == BT_ISO_QOS_BIS_UNSET ||
2197 d->bis != conn->iso_qos.bcast.bis)
2200 set_bit(HCI_CONN_PER_ADV, &conn->flags);
2203 struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst,
2204 __u8 dst_type, struct bt_iso_qos *qos,
2205 __u8 base_len, __u8 *base)
2207 struct hci_conn *conn;
2209 struct iso_list_data data;
2211 conn = hci_bind_bis(hdev, dst, qos, base_len, base);
2215 data.big = qos->bcast.big;
2216 data.bis = qos->bcast.bis;
2218 /* Set HCI_CONN_PER_ADV for all bound connections, to mark that
2219 * the start periodic advertising and create BIG commands have
2222 hci_conn_hash_list_state(hdev, bis_mark_per_adv, ISO_LINK,
2225 /* Queue start periodic advertising and create BIG */
2226 err = hci_cmd_sync_queue(hdev, create_big_sync, conn,
2227 create_big_complete);
2229 hci_conn_drop(conn);
2230 return ERR_PTR(err);
2236 struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst,
2237 __u8 dst_type, struct bt_iso_qos *qos)
2239 struct hci_conn *le;
2240 struct hci_conn *cis;
2241 struct hci_link *link;
2243 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
2244 le = hci_connect_le(hdev, dst, dst_type, false,
2246 HCI_LE_CONN_TIMEOUT,
2249 le = hci_connect_le_scan(hdev, dst, dst_type,
2251 HCI_LE_CONN_TIMEOUT,
2252 CONN_REASON_ISO_CONNECT);
2256 hci_iso_qos_setup(hdev, le, &qos->ucast.out,
2257 le->le_tx_phy ? le->le_tx_phy : hdev->le_tx_def_phys);
2258 hci_iso_qos_setup(hdev, le, &qos->ucast.in,
2259 le->le_rx_phy ? le->le_rx_phy : hdev->le_rx_def_phys);
2261 cis = hci_bind_cis(hdev, dst, dst_type, qos);
2267 link = hci_conn_link(le, cis);
2271 return ERR_PTR(-ENOLINK);
2274 cis->state = BT_CONNECT;
2276 hci_le_create_cis_pending(hdev);
2281 /* Check link security requirement */
2282 int hci_conn_check_link_mode(struct hci_conn *conn)
2284 BT_DBG("hcon %p", conn);
2286 /* In Secure Connections Only mode, it is required that Secure
2287 * Connections is used and the link is encrypted with AES-CCM
2288 * using a P-256 authenticated combination key.
2290 if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) {
2291 if (!hci_conn_sc_enabled(conn) ||
2292 !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2293 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
2297 /* AES encryption is required for Level 4:
2299 * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C
2302 * 128-bit equivalent strength for link and encryption keys
2303 * required using FIPS approved algorithms (E0 not allowed,
2304 * SAFER+ not allowed, and P-192 not allowed; encryption key
2307 if (conn->sec_level == BT_SECURITY_FIPS &&
2308 !test_bit(HCI_CONN_AES_CCM, &conn->flags)) {
2309 bt_dev_err(conn->hdev,
2310 "Invalid security: Missing AES-CCM usage");
2314 if (hci_conn_ssp_enabled(conn) &&
2315 !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2321 /* Authenticate remote device */
2322 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
2324 BT_DBG("hcon %p", conn);
2326 if (conn->pending_sec_level > sec_level)
2327 sec_level = conn->pending_sec_level;
2329 if (sec_level > conn->sec_level)
2330 conn->pending_sec_level = sec_level;
2331 else if (test_bit(HCI_CONN_AUTH, &conn->flags))
2334 /* Make sure we preserve an existing MITM requirement*/
2335 auth_type |= (conn->auth_type & 0x01);
2337 conn->auth_type = auth_type;
2339 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2340 struct hci_cp_auth_requested cp;
2342 cp.handle = cpu_to_le16(conn->handle);
2343 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
2346 /* If we're already encrypted set the REAUTH_PEND flag,
2347 * otherwise set the ENCRYPT_PEND.
2349 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2350 set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2352 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2358 /* Encrypt the link */
2359 static void hci_conn_encrypt(struct hci_conn *conn)
2361 BT_DBG("hcon %p", conn);
2363 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2364 struct hci_cp_set_conn_encrypt cp;
2365 cp.handle = cpu_to_le16(conn->handle);
2367 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2372 /* Enable security */
2373 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
2376 BT_DBG("hcon %p", conn);
2378 if (conn->type == LE_LINK)
2379 return smp_conn_security(conn, sec_level);
2381 /* For sdp we don't need the link key. */
2382 if (sec_level == BT_SECURITY_SDP)
2385 /* For non 2.1 devices and low security level we don't need the link
2387 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
2390 /* For other security levels we need the link key. */
2391 if (!test_bit(HCI_CONN_AUTH, &conn->flags))
2394 /* An authenticated FIPS approved combination key has sufficient
2395 * security for security level 4. */
2396 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 &&
2397 sec_level == BT_SECURITY_FIPS)
2400 /* An authenticated combination key has sufficient security for
2401 security level 3. */
2402 if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 ||
2403 conn->key_type == HCI_LK_AUTH_COMBINATION_P256) &&
2404 sec_level == BT_SECURITY_HIGH)
2407 /* An unauthenticated combination key has sufficient security for
2408 security level 1 and 2. */
2409 if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 ||
2410 conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) &&
2411 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW))
2414 /* A combination key has always sufficient security for the security
2415 levels 1 or 2. High security level requires the combination key
2416 is generated using maximum PIN code length (16).
2417 For pre 2.1 units. */
2418 if (conn->key_type == HCI_LK_COMBINATION &&
2419 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW ||
2420 conn->pin_length == 16))
2424 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
2428 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2430 if (!hci_conn_auth(conn, sec_level, auth_type))
2434 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) {
2435 /* Ensure that the encryption key size has been read,
2436 * otherwise stall the upper layer responses.
2438 if (!conn->enc_key_size)
2441 /* Nothing else needed, all requirements are met */
2445 hci_conn_encrypt(conn);
2448 EXPORT_SYMBOL(hci_conn_security);
2450 /* Check secure link requirement */
2451 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
2453 BT_DBG("hcon %p", conn);
2455 /* Accept if non-secure or higher security level is required */
2456 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
2459 /* Accept if secure or higher security level is already present */
2460 if (conn->sec_level == BT_SECURITY_HIGH ||
2461 conn->sec_level == BT_SECURITY_FIPS)
2464 /* Reject not secure link */
2467 EXPORT_SYMBOL(hci_conn_check_secure);
2470 int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
2472 BT_DBG("hcon %p", conn);
2474 if (role == conn->role)
2477 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
2478 struct hci_cp_switch_role cp;
2479 bacpy(&cp.bdaddr, &conn->dst);
2481 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
2486 EXPORT_SYMBOL(hci_conn_switch_role);
2488 /* Enter active mode */
2489 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
2491 struct hci_dev *hdev = conn->hdev;
2493 BT_DBG("hcon %p mode %d", conn, conn->mode);
2495 if (conn->mode != HCI_CM_SNIFF)
2498 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
2501 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
2502 struct hci_cp_exit_sniff_mode cp;
2503 cp.handle = cpu_to_le16(conn->handle);
2504 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
2508 if (hdev->idle_timeout > 0)
2509 queue_delayed_work(hdev->workqueue, &conn->idle_work,
2510 msecs_to_jiffies(hdev->idle_timeout));
2513 /* Drop all connection on the device */
2514 void hci_conn_hash_flush(struct hci_dev *hdev)
2516 struct list_head *head = &hdev->conn_hash.list;
2517 struct hci_conn *conn;
2519 BT_DBG("hdev %s", hdev->name);
2521 /* We should not traverse the list here, because hci_conn_del
2522 * can remove extra links, which may cause the list traversal
2523 * to hit items that have already been released.
2525 while ((conn = list_first_entry_or_null(head,
2528 conn->state = BT_CLOSED;
2529 hci_disconn_cfm(conn, HCI_ERROR_LOCAL_HOST_TERM);
2534 /* Check pending connect attempts */
2535 void hci_conn_check_pending(struct hci_dev *hdev)
2537 struct hci_conn *conn;
2539 BT_DBG("hdev %s", hdev->name);
2543 conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2);
2545 hci_acl_create_connection(conn);
2547 hci_dev_unlock(hdev);
2550 static u32 get_link_mode(struct hci_conn *conn)
2554 if (conn->role == HCI_ROLE_MASTER)
2555 link_mode |= HCI_LM_MASTER;
2557 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2558 link_mode |= HCI_LM_ENCRYPT;
2560 if (test_bit(HCI_CONN_AUTH, &conn->flags))
2561 link_mode |= HCI_LM_AUTH;
2563 if (test_bit(HCI_CONN_SECURE, &conn->flags))
2564 link_mode |= HCI_LM_SECURE;
2566 if (test_bit(HCI_CONN_FIPS, &conn->flags))
2567 link_mode |= HCI_LM_FIPS;
2572 int hci_get_conn_list(void __user *arg)
2575 struct hci_conn_list_req req, *cl;
2576 struct hci_conn_info *ci;
2577 struct hci_dev *hdev;
2578 int n = 0, size, err;
2580 if (copy_from_user(&req, arg, sizeof(req)))
2583 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
2586 size = sizeof(req) + req.conn_num * sizeof(*ci);
2588 cl = kmalloc(size, GFP_KERNEL);
2592 hdev = hci_dev_get(req.dev_id);
2601 list_for_each_entry(c, &hdev->conn_hash.list, list) {
2602 bacpy(&(ci + n)->bdaddr, &c->dst);
2603 (ci + n)->handle = c->handle;
2604 (ci + n)->type = c->type;
2605 (ci + n)->out = c->out;
2606 (ci + n)->state = c->state;
2607 (ci + n)->link_mode = get_link_mode(c);
2608 if (++n >= req.conn_num)
2611 hci_dev_unlock(hdev);
2613 cl->dev_id = hdev->id;
2615 size = sizeof(req) + n * sizeof(*ci);
2619 err = copy_to_user(arg, cl, size);
2622 return err ? -EFAULT : 0;
2625 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
2627 struct hci_conn_info_req req;
2628 struct hci_conn_info ci;
2629 struct hci_conn *conn;
2630 char __user *ptr = arg + sizeof(req);
2632 if (copy_from_user(&req, arg, sizeof(req)))
2636 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
2638 bacpy(&ci.bdaddr, &conn->dst);
2639 ci.handle = conn->handle;
2640 ci.type = conn->type;
2642 ci.state = conn->state;
2643 ci.link_mode = get_link_mode(conn);
2645 hci_dev_unlock(hdev);
2650 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
2653 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
2655 struct hci_auth_info_req req;
2656 struct hci_conn *conn;
2658 if (copy_from_user(&req, arg, sizeof(req)))
2662 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
2664 req.type = conn->auth_type;
2665 hci_dev_unlock(hdev);
2670 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
2673 struct hci_chan *hci_chan_create(struct hci_conn *conn)
2675 struct hci_dev *hdev = conn->hdev;
2676 struct hci_chan *chan;
2678 BT_DBG("%s hcon %p", hdev->name, conn);
2680 if (test_bit(HCI_CONN_DROP, &conn->flags)) {
2681 BT_DBG("Refusing to create new hci_chan");
2685 chan = kzalloc(sizeof(*chan), GFP_KERNEL);
2689 chan->conn = hci_conn_get(conn);
2690 skb_queue_head_init(&chan->data_q);
2691 chan->state = BT_CONNECTED;
2693 list_add_rcu(&chan->list, &conn->chan_list);
2698 void hci_chan_del(struct hci_chan *chan)
2700 struct hci_conn *conn = chan->conn;
2701 struct hci_dev *hdev = conn->hdev;
2703 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
2705 list_del_rcu(&chan->list);
2709 /* Prevent new hci_chan's to be created for this hci_conn */
2710 set_bit(HCI_CONN_DROP, &conn->flags);
2714 skb_queue_purge(&chan->data_q);
2718 void hci_chan_list_flush(struct hci_conn *conn)
2720 struct hci_chan *chan, *n;
2722 BT_DBG("hcon %p", conn);
2724 list_for_each_entry_safe(chan, n, &conn->chan_list, list)
2728 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
2731 struct hci_chan *hchan;
2733 list_for_each_entry(hchan, &hcon->chan_list, list) {
2734 if (hchan->handle == handle)
2741 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
2743 struct hci_conn_hash *h = &hdev->conn_hash;
2744 struct hci_conn *hcon;
2745 struct hci_chan *hchan = NULL;
2749 list_for_each_entry_rcu(hcon, &h->list, list) {
2750 hchan = __hci_chan_lookup_handle(hcon, handle);
2760 u32 hci_conn_get_phy(struct hci_conn *conn)
2764 /* BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part B page 471:
2765 * Table 6.2: Packets defined for synchronous, asynchronous, and
2766 * CPB logical transport types.
2768 switch (conn->type) {
2770 /* SCO logical transport (1 Mb/s):
2771 * HV1, HV2, HV3 and DV.
2773 phys |= BT_PHY_BR_1M_1SLOT;
2778 /* ACL logical transport (1 Mb/s) ptt=0:
2779 * DH1, DM3, DH3, DM5 and DH5.
2781 phys |= BT_PHY_BR_1M_1SLOT;
2783 if (conn->pkt_type & (HCI_DM3 | HCI_DH3))
2784 phys |= BT_PHY_BR_1M_3SLOT;
2786 if (conn->pkt_type & (HCI_DM5 | HCI_DH5))
2787 phys |= BT_PHY_BR_1M_5SLOT;
2789 /* ACL logical transport (2 Mb/s) ptt=1:
2790 * 2-DH1, 2-DH3 and 2-DH5.
2792 if (!(conn->pkt_type & HCI_2DH1))
2793 phys |= BT_PHY_EDR_2M_1SLOT;
2795 if (!(conn->pkt_type & HCI_2DH3))
2796 phys |= BT_PHY_EDR_2M_3SLOT;
2798 if (!(conn->pkt_type & HCI_2DH5))
2799 phys |= BT_PHY_EDR_2M_5SLOT;
2801 /* ACL logical transport (3 Mb/s) ptt=1:
2802 * 3-DH1, 3-DH3 and 3-DH5.
2804 if (!(conn->pkt_type & HCI_3DH1))
2805 phys |= BT_PHY_EDR_3M_1SLOT;
2807 if (!(conn->pkt_type & HCI_3DH3))
2808 phys |= BT_PHY_EDR_3M_3SLOT;
2810 if (!(conn->pkt_type & HCI_3DH5))
2811 phys |= BT_PHY_EDR_3M_5SLOT;
2816 /* eSCO logical transport (1 Mb/s): EV3, EV4 and EV5 */
2817 phys |= BT_PHY_BR_1M_1SLOT;
2819 if (!(conn->pkt_type & (ESCO_EV4 | ESCO_EV5)))
2820 phys |= BT_PHY_BR_1M_3SLOT;
2822 /* eSCO logical transport (2 Mb/s): 2-EV3, 2-EV5 */
2823 if (!(conn->pkt_type & ESCO_2EV3))
2824 phys |= BT_PHY_EDR_2M_1SLOT;
2826 if (!(conn->pkt_type & ESCO_2EV5))
2827 phys |= BT_PHY_EDR_2M_3SLOT;
2829 /* eSCO logical transport (3 Mb/s): 3-EV3, 3-EV5 */
2830 if (!(conn->pkt_type & ESCO_3EV3))
2831 phys |= BT_PHY_EDR_3M_1SLOT;
2833 if (!(conn->pkt_type & ESCO_3EV5))
2834 phys |= BT_PHY_EDR_3M_3SLOT;
2839 if (conn->le_tx_phy & HCI_LE_SET_PHY_1M)
2840 phys |= BT_PHY_LE_1M_TX;
2842 if (conn->le_rx_phy & HCI_LE_SET_PHY_1M)
2843 phys |= BT_PHY_LE_1M_RX;
2845 if (conn->le_tx_phy & HCI_LE_SET_PHY_2M)
2846 phys |= BT_PHY_LE_2M_TX;
2848 if (conn->le_rx_phy & HCI_LE_SET_PHY_2M)
2849 phys |= BT_PHY_LE_2M_RX;
2851 if (conn->le_tx_phy & HCI_LE_SET_PHY_CODED)
2852 phys |= BT_PHY_LE_CODED_TX;
2854 if (conn->le_rx_phy & HCI_LE_SET_PHY_CODED)
2855 phys |= BT_PHY_LE_CODED_RX;
2863 static int abort_conn_sync(struct hci_dev *hdev, void *data)
2865 struct hci_conn *conn;
2866 u16 handle = PTR_ERR(data);
2868 conn = hci_conn_hash_lookup_handle(hdev, handle);
2872 return hci_abort_conn_sync(hdev, conn, conn->abort_reason);
2875 int hci_abort_conn(struct hci_conn *conn, u8 reason)
2877 struct hci_dev *hdev = conn->hdev;
2879 /* If abort_reason has already been set it means the connection is
2880 * already being aborted so don't attempt to overwrite it.
2882 if (conn->abort_reason)
2885 bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason);
2887 conn->abort_reason = reason;
2889 /* If the connection is pending check the command opcode since that
2890 * might be blocking on hci_cmd_sync_work while waiting its respective
2891 * event so we need to hci_cmd_sync_cancel to cancel it.
2893 * hci_connect_le serializes the connection attempts so only one
2894 * connection can be in BT_CONNECT at time.
2896 if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) {
2897 switch (hci_skb_event(hdev->sent_cmd)) {
2898 case HCI_EV_LE_CONN_COMPLETE:
2899 case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
2900 case HCI_EVT_LE_CIS_ESTABLISHED:
2901 hci_cmd_sync_cancel(hdev, -ECANCELED);
2906 return hci_cmd_sync_queue(hdev, abort_conn_sync, ERR_PTR(conn->handle),