2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4 Copyright 2023-2024 NXP
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
26 /* Bluetooth HCI connection handling. */
28 #include <linux/export.h>
29 #include <linux/debugfs.h>
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/iso.h>
35 #include <net/bluetooth/mgmt.h>
37 #include "hci_request.h"
47 struct conn_handle_t {
48 struct hci_conn *conn;
52 static const struct sco_param esco_param_cvsd[] = {
53 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */
54 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */
55 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */
56 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */
57 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */
60 static const struct sco_param sco_param_cvsd[] = {
61 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */
62 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */
65 static const struct sco_param esco_param_msbc[] = {
66 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */
67 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */
70 /* This function requires the caller holds hdev->lock */
71 void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
73 struct hci_conn_params *params;
74 struct hci_dev *hdev = conn->hdev;
80 bdaddr_type = conn->dst_type;
82 /* Check if we need to convert to identity address */
83 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
85 bdaddr = &irk->bdaddr;
86 bdaddr_type = irk->addr_type;
89 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr,
95 hci_conn_drop(params->conn);
96 hci_conn_put(params->conn);
100 if (!params->explicit_connect)
103 /* If the status indicates successful cancellation of
104 * the attempt (i.e. Unknown Connection Id) there's no point of
105 * notifying failure since we'll go back to keep trying to
106 * connect. The only exception is explicit connect requests
107 * where a timeout + cancel does indicate an actual failure.
109 if (status && status != HCI_ERROR_UNKNOWN_CONN_ID)
110 mgmt_connect_failed(hdev, &conn->dst, conn->type,
111 conn->dst_type, status);
113 /* The connection attempt was doing scan for new RPA, and is
114 * in scan phase. If params are not associated with any other
115 * autoconnect action, remove them completely. If they are, just unmark
116 * them as waiting for connection, by clearing explicit_connect field.
118 params->explicit_connect = false;
120 hci_pend_le_list_del_init(params);
122 switch (params->auto_connect) {
123 case HCI_AUTO_CONN_EXPLICIT:
124 hci_conn_params_del(hdev, bdaddr, bdaddr_type);
125 /* return instead of break to avoid duplicate scan update */
127 case HCI_AUTO_CONN_DIRECT:
128 case HCI_AUTO_CONN_ALWAYS:
129 hci_pend_le_list_add(params, &hdev->pend_le_conns);
131 case HCI_AUTO_CONN_REPORT:
132 hci_pend_le_list_add(params, &hdev->pend_le_reports);
138 hci_update_passive_scan(hdev);
141 static void hci_conn_cleanup(struct hci_conn *conn)
143 struct hci_dev *hdev = conn->hdev;
145 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
146 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);
148 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
149 hci_remove_link_key(hdev, &conn->dst);
151 hci_chan_list_flush(conn);
153 hci_conn_hash_del(hdev, conn);
155 if (HCI_CONN_HANDLE_UNSET(conn->handle))
156 ida_free(&hdev->unset_handle_ida, conn->handle);
161 if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
162 switch (conn->setting & SCO_AIRMODE_MASK) {
163 case SCO_AIRMODE_CVSD:
164 case SCO_AIRMODE_TRANSP:
166 hdev->notify(hdev, HCI_NOTIFY_DISABLE_SCO);
171 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
174 debugfs_remove_recursive(conn->debugfs);
176 hci_conn_del_sysfs(conn);
181 int hci_disconnect(struct hci_conn *conn, __u8 reason)
183 BT_DBG("hcon %p", conn);
185 /* When we are central of an established connection and it enters
186 * the disconnect timeout, then go ahead and try to read the
187 * current clock offset. Processing of the result is done
188 * within the event handling and hci_clock_offset_evt function.
190 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER &&
191 (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) {
192 struct hci_dev *hdev = conn->hdev;
193 struct hci_cp_read_clock_offset clkoff_cp;
195 clkoff_cp.handle = cpu_to_le16(conn->handle);
196 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp),
200 return hci_abort_conn(conn, reason);
203 static void hci_add_sco(struct hci_conn *conn, __u16 handle)
205 struct hci_dev *hdev = conn->hdev;
206 struct hci_cp_add_sco cp;
208 BT_DBG("hcon %p", conn);
210 conn->state = BT_CONNECT;
215 cp.handle = cpu_to_le16(handle);
216 cp.pkt_type = cpu_to_le16(conn->pkt_type);
218 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
221 static bool find_next_esco_param(struct hci_conn *conn,
222 const struct sco_param *esco_param, int size)
227 for (; conn->attempt <= size; conn->attempt++) {
228 if (lmp_esco_2m_capable(conn->parent) ||
229 (esco_param[conn->attempt - 1].pkt_type & ESCO_2EV3))
231 BT_DBG("hcon %p skipped attempt %d, eSCO 2M not supported",
232 conn, conn->attempt);
235 return conn->attempt <= size;
238 static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec)
241 __u8 vnd_len, *vnd_data = NULL;
242 struct hci_op_configure_data_path *cmd = NULL;
244 if (!codec->data_path || !hdev->get_codec_config_data)
247 /* Do not take me as error */
248 if (!hdev->get_codec_config_data)
251 err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len,
256 cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL);
262 err = hdev->get_data_path_id(hdev, &cmd->data_path_id);
266 cmd->vnd_len = vnd_len;
267 memcpy(cmd->vnd_data, vnd_data, vnd_len);
269 cmd->direction = 0x00;
270 __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
271 sizeof(*cmd) + vnd_len, cmd, HCI_CMD_TIMEOUT);
273 cmd->direction = 0x01;
274 err = __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
275 sizeof(*cmd) + vnd_len, cmd,
284 static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data)
286 struct conn_handle_t *conn_handle = data;
287 struct hci_conn *conn = conn_handle->conn;
288 __u16 handle = conn_handle->handle;
289 struct hci_cp_enhanced_setup_sync_conn cp;
290 const struct sco_param *param;
294 bt_dev_dbg(hdev, "hcon %p", conn);
296 configure_datapath_sync(hdev, &conn->codec);
298 conn->state = BT_CONNECT;
303 memset(&cp, 0x00, sizeof(cp));
305 cp.handle = cpu_to_le16(handle);
307 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
308 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
310 switch (conn->codec.id) {
312 if (!find_next_esco_param(conn, esco_param_msbc,
313 ARRAY_SIZE(esco_param_msbc)))
316 param = &esco_param_msbc[conn->attempt - 1];
317 cp.tx_coding_format.id = 0x05;
318 cp.rx_coding_format.id = 0x05;
319 cp.tx_codec_frame_size = __cpu_to_le16(60);
320 cp.rx_codec_frame_size = __cpu_to_le16(60);
321 cp.in_bandwidth = __cpu_to_le32(32000);
322 cp.out_bandwidth = __cpu_to_le32(32000);
323 cp.in_coding_format.id = 0x04;
324 cp.out_coding_format.id = 0x04;
325 cp.in_coded_data_size = __cpu_to_le16(16);
326 cp.out_coded_data_size = __cpu_to_le16(16);
327 cp.in_pcm_data_format = 2;
328 cp.out_pcm_data_format = 2;
329 cp.in_pcm_sample_payload_msb_pos = 0;
330 cp.out_pcm_sample_payload_msb_pos = 0;
331 cp.in_data_path = conn->codec.data_path;
332 cp.out_data_path = conn->codec.data_path;
333 cp.in_transport_unit_size = 1;
334 cp.out_transport_unit_size = 1;
337 case BT_CODEC_TRANSPARENT:
338 if (!find_next_esco_param(conn, esco_param_msbc,
339 ARRAY_SIZE(esco_param_msbc)))
341 param = &esco_param_msbc[conn->attempt - 1];
342 cp.tx_coding_format.id = 0x03;
343 cp.rx_coding_format.id = 0x03;
344 cp.tx_codec_frame_size = __cpu_to_le16(60);
345 cp.rx_codec_frame_size = __cpu_to_le16(60);
346 cp.in_bandwidth = __cpu_to_le32(0x1f40);
347 cp.out_bandwidth = __cpu_to_le32(0x1f40);
348 cp.in_coding_format.id = 0x03;
349 cp.out_coding_format.id = 0x03;
350 cp.in_coded_data_size = __cpu_to_le16(16);
351 cp.out_coded_data_size = __cpu_to_le16(16);
352 cp.in_pcm_data_format = 2;
353 cp.out_pcm_data_format = 2;
354 cp.in_pcm_sample_payload_msb_pos = 0;
355 cp.out_pcm_sample_payload_msb_pos = 0;
356 cp.in_data_path = conn->codec.data_path;
357 cp.out_data_path = conn->codec.data_path;
358 cp.in_transport_unit_size = 1;
359 cp.out_transport_unit_size = 1;
363 if (conn->parent && lmp_esco_capable(conn->parent)) {
364 if (!find_next_esco_param(conn, esco_param_cvsd,
365 ARRAY_SIZE(esco_param_cvsd)))
367 param = &esco_param_cvsd[conn->attempt - 1];
369 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
371 param = &sco_param_cvsd[conn->attempt - 1];
373 cp.tx_coding_format.id = 2;
374 cp.rx_coding_format.id = 2;
375 cp.tx_codec_frame_size = __cpu_to_le16(60);
376 cp.rx_codec_frame_size = __cpu_to_le16(60);
377 cp.in_bandwidth = __cpu_to_le32(16000);
378 cp.out_bandwidth = __cpu_to_le32(16000);
379 cp.in_coding_format.id = 4;
380 cp.out_coding_format.id = 4;
381 cp.in_coded_data_size = __cpu_to_le16(16);
382 cp.out_coded_data_size = __cpu_to_le16(16);
383 cp.in_pcm_data_format = 2;
384 cp.out_pcm_data_format = 2;
385 cp.in_pcm_sample_payload_msb_pos = 0;
386 cp.out_pcm_sample_payload_msb_pos = 0;
387 cp.in_data_path = conn->codec.data_path;
388 cp.out_data_path = conn->codec.data_path;
389 cp.in_transport_unit_size = 16;
390 cp.out_transport_unit_size = 16;
396 cp.retrans_effort = param->retrans_effort;
397 cp.pkt_type = __cpu_to_le16(param->pkt_type);
398 cp.max_latency = __cpu_to_le16(param->max_latency);
400 if (hci_send_cmd(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
406 static bool hci_setup_sync_conn(struct hci_conn *conn, __u16 handle)
408 struct hci_dev *hdev = conn->hdev;
409 struct hci_cp_setup_sync_conn cp;
410 const struct sco_param *param;
412 bt_dev_dbg(hdev, "hcon %p", conn);
414 conn->state = BT_CONNECT;
419 cp.handle = cpu_to_le16(handle);
421 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
422 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
423 cp.voice_setting = cpu_to_le16(conn->setting);
425 switch (conn->setting & SCO_AIRMODE_MASK) {
426 case SCO_AIRMODE_TRANSP:
427 if (!find_next_esco_param(conn, esco_param_msbc,
428 ARRAY_SIZE(esco_param_msbc)))
430 param = &esco_param_msbc[conn->attempt - 1];
432 case SCO_AIRMODE_CVSD:
433 if (conn->parent && lmp_esco_capable(conn->parent)) {
434 if (!find_next_esco_param(conn, esco_param_cvsd,
435 ARRAY_SIZE(esco_param_cvsd)))
437 param = &esco_param_cvsd[conn->attempt - 1];
439 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
441 param = &sco_param_cvsd[conn->attempt - 1];
448 cp.retrans_effort = param->retrans_effort;
449 cp.pkt_type = __cpu_to_le16(param->pkt_type);
450 cp.max_latency = __cpu_to_le16(param->max_latency);
452 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
458 bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
461 struct conn_handle_t *conn_handle;
463 if (enhanced_sync_conn_capable(conn->hdev)) {
464 conn_handle = kzalloc(sizeof(*conn_handle), GFP_KERNEL);
469 conn_handle->conn = conn;
470 conn_handle->handle = handle;
471 result = hci_cmd_sync_queue(conn->hdev, hci_enhanced_setup_sync,
479 return hci_setup_sync_conn(conn, handle);
482 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
485 struct hci_dev *hdev = conn->hdev;
486 struct hci_conn_params *params;
487 struct hci_cp_le_conn_update cp;
491 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
493 params->conn_min_interval = min;
494 params->conn_max_interval = max;
495 params->conn_latency = latency;
496 params->supervision_timeout = to_multiplier;
499 hci_dev_unlock(hdev);
501 memset(&cp, 0, sizeof(cp));
502 cp.handle = cpu_to_le16(conn->handle);
503 cp.conn_interval_min = cpu_to_le16(min);
504 cp.conn_interval_max = cpu_to_le16(max);
505 cp.conn_latency = cpu_to_le16(latency);
506 cp.supervision_timeout = cpu_to_le16(to_multiplier);
507 cp.min_ce_len = cpu_to_le16(0x0000);
508 cp.max_ce_len = cpu_to_le16(0x0000);
510 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
518 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
519 __u8 ltk[16], __u8 key_size)
521 struct hci_dev *hdev = conn->hdev;
522 struct hci_cp_le_start_enc cp;
524 BT_DBG("hcon %p", conn);
526 memset(&cp, 0, sizeof(cp));
528 cp.handle = cpu_to_le16(conn->handle);
531 memcpy(cp.ltk, ltk, key_size);
533 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
536 /* Device _must_ be locked */
537 void hci_sco_setup(struct hci_conn *conn, __u8 status)
539 struct hci_link *link;
541 link = list_first_entry_or_null(&conn->link_list, struct hci_link, list);
542 if (!link || !link->conn)
545 BT_DBG("hcon %p", conn);
548 if (lmp_esco_capable(conn->hdev))
549 hci_setup_sync(link->conn, conn->handle);
551 hci_add_sco(link->conn, conn->handle);
553 hci_connect_cfm(link->conn, status);
554 hci_conn_del(link->conn);
558 static void hci_conn_timeout(struct work_struct *work)
560 struct hci_conn *conn = container_of(work, struct hci_conn,
562 int refcnt = atomic_read(&conn->refcnt);
564 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
568 /* FIXME: It was observed that in pairing failed scenario, refcnt
569 * drops below 0. Probably this is because l2cap_conn_del calls
570 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
571 * dropped. After that loop hci_chan_del is called which also drops
572 * conn. For now make sure that ACL is alive if refcnt is higher then 0,
578 hci_abort_conn(conn, hci_proto_disconn_ind(conn));
581 /* Enter sniff mode */
582 static void hci_conn_idle(struct work_struct *work)
584 struct hci_conn *conn = container_of(work, struct hci_conn,
586 struct hci_dev *hdev = conn->hdev;
588 BT_DBG("hcon %p mode %d", conn, conn->mode);
590 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
593 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
596 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
597 struct hci_cp_sniff_subrate cp;
598 cp.handle = cpu_to_le16(conn->handle);
599 cp.max_latency = cpu_to_le16(0);
600 cp.min_remote_timeout = cpu_to_le16(0);
601 cp.min_local_timeout = cpu_to_le16(0);
602 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
605 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
606 struct hci_cp_sniff_mode cp;
607 cp.handle = cpu_to_le16(conn->handle);
608 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
609 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
610 cp.attempt = cpu_to_le16(4);
611 cp.timeout = cpu_to_le16(1);
612 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
616 static void hci_conn_auto_accept(struct work_struct *work)
618 struct hci_conn *conn = container_of(work, struct hci_conn,
619 auto_accept_work.work);
621 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
625 static void le_disable_advertising(struct hci_dev *hdev)
627 if (ext_adv_capable(hdev)) {
628 struct hci_cp_le_set_ext_adv_enable cp;
631 cp.num_of_sets = 0x00;
633 hci_send_cmd(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE, sizeof(cp),
637 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
642 static void le_conn_timeout(struct work_struct *work)
644 struct hci_conn *conn = container_of(work, struct hci_conn,
645 le_conn_timeout.work);
646 struct hci_dev *hdev = conn->hdev;
650 /* We could end up here due to having done directed advertising,
651 * so clean up the state if necessary. This should however only
652 * happen with broken hardware or if low duty cycle was used
653 * (which doesn't have a timeout of its own).
655 if (conn->role == HCI_ROLE_SLAVE) {
656 /* Disable LE Advertising */
657 le_disable_advertising(hdev);
659 hci_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
660 hci_dev_unlock(hdev);
664 hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
667 struct iso_cig_params {
668 struct hci_cp_le_set_cig_params cp;
669 struct hci_cis_params cis[0x1f];
672 struct iso_list_data {
688 static void bis_list(struct hci_conn *conn, void *data)
690 struct iso_list_data *d = data;
692 /* Skip if not broadcast/ANY address */
693 if (bacmp(&conn->dst, BDADDR_ANY))
696 if (d->big != conn->iso_qos.bcast.big || d->bis == BT_ISO_QOS_BIS_UNSET ||
697 d->bis != conn->iso_qos.bcast.bis)
703 static int terminate_big_sync(struct hci_dev *hdev, void *data)
705 struct iso_list_data *d = data;
707 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", d->big, d->bis);
709 hci_disable_per_advertising_sync(hdev, d->bis);
710 hci_remove_ext_adv_instance_sync(hdev, d->bis, NULL);
712 /* Only terminate BIG if it has been created */
716 return hci_le_terminate_big_sync(hdev, d->big,
717 HCI_ERROR_LOCAL_HOST_TERM);
720 static void terminate_big_destroy(struct hci_dev *hdev, void *data, int err)
725 static int hci_le_terminate_big(struct hci_dev *hdev, struct hci_conn *conn)
727 struct iso_list_data *d;
730 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", conn->iso_qos.bcast.big,
731 conn->iso_qos.bcast.bis);
733 d = kzalloc(sizeof(*d), GFP_KERNEL);
737 d->big = conn->iso_qos.bcast.big;
738 d->bis = conn->iso_qos.bcast.bis;
739 d->big_term = test_and_clear_bit(HCI_CONN_BIG_CREATED, &conn->flags);
741 ret = hci_cmd_sync_queue(hdev, terminate_big_sync, d,
742 terminate_big_destroy);
749 static int big_terminate_sync(struct hci_dev *hdev, void *data)
751 struct iso_list_data *d = data;
753 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", d->big,
756 if (d->big_sync_term)
757 hci_le_big_terminate_sync(hdev, d->big);
760 return hci_le_pa_terminate_sync(hdev, d->sync_handle);
765 static void find_bis(struct hci_conn *conn, void *data)
767 struct iso_list_data *d = data;
769 /* Ignore if BIG doesn't match */
770 if (d->big != conn->iso_qos.bcast.big)
776 static int hci_le_big_terminate(struct hci_dev *hdev, u8 big, struct hci_conn *conn)
778 struct iso_list_data *d;
781 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", big, conn->sync_handle);
783 d = kzalloc(sizeof(*d), GFP_KERNEL);
787 memset(d, 0, sizeof(*d));
789 d->sync_handle = conn->sync_handle;
791 if (test_and_clear_bit(HCI_CONN_PA_SYNC, &conn->flags)) {
792 hci_conn_hash_list_flag(hdev, find_bis, ISO_LINK,
793 HCI_CONN_PA_SYNC, d);
796 d->pa_sync_term = true;
801 if (test_and_clear_bit(HCI_CONN_BIG_SYNC, &conn->flags)) {
802 hci_conn_hash_list_flag(hdev, find_bis, ISO_LINK,
803 HCI_CONN_BIG_SYNC, d);
806 d->big_sync_term = true;
809 ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d,
810 terminate_big_destroy);
817 /* Cleanup BIS connection
819 * Detects if there any BIS left connected in a BIG
820 * broadcaster: Remove advertising instance and terminate BIG.
821 * broadcaster receiver: Teminate BIG sync and terminate PA sync.
823 static void bis_cleanup(struct hci_conn *conn)
825 struct hci_dev *hdev = conn->hdev;
826 struct hci_conn *bis;
828 bt_dev_dbg(hdev, "conn %p", conn);
830 if (conn->role == HCI_ROLE_MASTER) {
831 if (!test_and_clear_bit(HCI_CONN_PER_ADV, &conn->flags))
834 /* Check if ISO connection is a BIS and terminate advertising
835 * set and BIG if there are no other connections using it.
837 bis = hci_conn_hash_lookup_big(hdev, conn->iso_qos.bcast.big);
841 hci_le_terminate_big(hdev, conn);
843 hci_le_big_terminate(hdev, conn->iso_qos.bcast.big,
848 static int remove_cig_sync(struct hci_dev *hdev, void *data)
850 u8 handle = PTR_UINT(data);
852 return hci_le_remove_cig_sync(hdev, handle);
855 static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle)
857 bt_dev_dbg(hdev, "handle 0x%2.2x", handle);
859 return hci_cmd_sync_queue(hdev, remove_cig_sync, UINT_PTR(handle),
863 static void find_cis(struct hci_conn *conn, void *data)
865 struct iso_list_data *d = data;
867 /* Ignore broadcast or if CIG don't match */
868 if (!bacmp(&conn->dst, BDADDR_ANY) || d->cig != conn->iso_qos.ucast.cig)
874 /* Cleanup CIS connection:
876 * Detects if there any CIS left connected in a CIG and remove it.
878 static void cis_cleanup(struct hci_conn *conn)
880 struct hci_dev *hdev = conn->hdev;
881 struct iso_list_data d;
883 if (conn->iso_qos.ucast.cig == BT_ISO_QOS_CIG_UNSET)
886 memset(&d, 0, sizeof(d));
887 d.cig = conn->iso_qos.ucast.cig;
889 /* Check if ISO connection is a CIS and remove CIG if there are
890 * no other connections using it.
892 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_BOUND, &d);
893 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECT, &d);
894 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECTED, &d);
898 hci_le_remove_cig(hdev, conn->iso_qos.ucast.cig);
901 static int hci_conn_hash_alloc_unset(struct hci_dev *hdev)
903 return ida_alloc_range(&hdev->unset_handle_ida, HCI_CONN_HANDLE_MAX + 1,
904 U16_MAX, GFP_ATOMIC);
907 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
910 struct hci_conn *conn;
912 bt_dev_dbg(hdev, "dst %pMR handle 0x%4.4x", dst, handle);
914 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
918 bacpy(&conn->dst, dst);
919 bacpy(&conn->src, &hdev->bdaddr);
920 conn->handle = handle;
924 conn->mode = HCI_CM_ACTIVE;
925 conn->state = BT_OPEN;
926 conn->auth_type = HCI_AT_GENERAL_BONDING;
927 conn->io_capability = hdev->io_capability;
928 conn->remote_auth = 0xff;
929 conn->key_type = 0xff;
930 conn->rssi = HCI_RSSI_INVALID;
931 conn->tx_power = HCI_TX_POWER_INVALID;
932 conn->max_tx_power = HCI_TX_POWER_INVALID;
933 conn->sync_handle = HCI_SYNC_HANDLE_INVALID;
935 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
936 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
938 /* Set Default Authenticated payload timeout to 30s */
939 conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
941 if (conn->role == HCI_ROLE_MASTER)
946 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
949 /* conn->src should reflect the local identity address */
950 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
953 /* conn->src should reflect the local identity address */
954 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
956 /* set proper cleanup function */
957 if (!bacmp(dst, BDADDR_ANY))
958 conn->cleanup = bis_cleanup;
959 else if (conn->role == HCI_ROLE_MASTER)
960 conn->cleanup = cis_cleanup;
964 if (lmp_esco_capable(hdev))
965 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
966 (hdev->esco_type & EDR_ESCO_MASK);
968 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
971 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
975 skb_queue_head_init(&conn->data_q);
977 INIT_LIST_HEAD(&conn->chan_list);
978 INIT_LIST_HEAD(&conn->link_list);
980 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
981 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
982 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
983 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
985 atomic_set(&conn->refcnt, 0);
989 hci_conn_hash_add(hdev, conn);
991 /* The SCO and eSCO connections will only be notified when their
992 * setup has been completed. This is different to ACL links which
993 * can be notified right away.
995 if (conn->type != SCO_LINK && conn->type != ESCO_LINK) {
997 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
1000 hci_conn_init_sysfs(conn);
1005 struct hci_conn *hci_conn_add_unset(struct hci_dev *hdev, int type,
1006 bdaddr_t *dst, u8 role)
1010 bt_dev_dbg(hdev, "dst %pMR", dst);
1012 handle = hci_conn_hash_alloc_unset(hdev);
1013 if (unlikely(handle < 0))
1016 return hci_conn_add(hdev, type, dst, role, handle);
1019 static void hci_conn_cleanup_child(struct hci_conn *conn, u8 reason)
1022 reason = HCI_ERROR_REMOTE_USER_TERM;
1024 /* Due to race, SCO/ISO conn might be not established yet at this point,
1025 * and nothing else will clean it up. In other cases it is done via HCI
1028 switch (conn->type) {
1031 if (HCI_CONN_HANDLE_UNSET(conn->handle))
1032 hci_conn_failed(conn, reason);
1035 if ((conn->state != BT_CONNECTED &&
1036 !test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) ||
1037 test_bit(HCI_CONN_BIG_CREATED, &conn->flags))
1038 hci_conn_failed(conn, reason);
1043 static void hci_conn_unlink(struct hci_conn *conn)
1045 struct hci_dev *hdev = conn->hdev;
1047 bt_dev_dbg(hdev, "hcon %p", conn);
1049 if (!conn->parent) {
1050 struct hci_link *link, *t;
1052 list_for_each_entry_safe(link, t, &conn->link_list, list) {
1053 struct hci_conn *child = link->conn;
1055 hci_conn_unlink(child);
1057 /* If hdev is down it means
1058 * hci_dev_close_sync/hci_conn_hash_flush is in progress
1059 * and links don't need to be cleanup as all connections
1062 if (!test_bit(HCI_UP, &hdev->flags))
1065 hci_conn_cleanup_child(child, conn->abort_reason);
1074 list_del_rcu(&conn->link->list);
1077 hci_conn_drop(conn->parent);
1078 hci_conn_put(conn->parent);
1079 conn->parent = NULL;
1085 void hci_conn_del(struct hci_conn *conn)
1087 struct hci_dev *hdev = conn->hdev;
1089 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
1091 hci_conn_unlink(conn);
1093 cancel_delayed_work_sync(&conn->disc_work);
1094 cancel_delayed_work_sync(&conn->auto_accept_work);
1095 cancel_delayed_work_sync(&conn->idle_work);
1097 if (conn->type == ACL_LINK) {
1098 /* Unacked frames */
1099 hdev->acl_cnt += conn->sent;
1100 } else if (conn->type == LE_LINK) {
1101 cancel_delayed_work(&conn->le_conn_timeout);
1104 hdev->le_cnt += conn->sent;
1106 hdev->acl_cnt += conn->sent;
1108 /* Unacked ISO frames */
1109 if (conn->type == ISO_LINK) {
1111 hdev->iso_cnt += conn->sent;
1112 else if (hdev->le_pkts)
1113 hdev->le_cnt += conn->sent;
1115 hdev->acl_cnt += conn->sent;
1119 skb_queue_purge(&conn->data_q);
1121 /* Remove the connection from the list and cleanup its remaining
1122 * state. This is a separate function since for some cases like
1123 * BT_CONNECT_SCAN we *only* want the cleanup part without the
1124 * rest of hci_conn_del.
1126 hci_conn_cleanup(conn);
1128 /* Dequeue callbacks using connection pointer as data */
1129 hci_cmd_sync_dequeue(hdev, NULL, conn, NULL);
1132 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type)
1134 int use_src = bacmp(src, BDADDR_ANY);
1135 struct hci_dev *hdev = NULL, *d;
1137 BT_DBG("%pMR -> %pMR", src, dst);
1139 read_lock(&hci_dev_list_lock);
1141 list_for_each_entry(d, &hci_dev_list, list) {
1142 if (!test_bit(HCI_UP, &d->flags) ||
1143 hci_dev_test_flag(d, HCI_USER_CHANNEL) ||
1144 d->dev_type != HCI_PRIMARY)
1148 * No source address - find interface with bdaddr != dst
1149 * Source address - find interface with bdaddr == src
1156 if (src_type == BDADDR_BREDR) {
1157 if (!lmp_bredr_capable(d))
1159 bacpy(&id_addr, &d->bdaddr);
1160 id_addr_type = BDADDR_BREDR;
1162 if (!lmp_le_capable(d))
1165 hci_copy_identity_address(d, &id_addr,
1168 /* Convert from HCI to three-value type */
1169 if (id_addr_type == ADDR_LE_DEV_PUBLIC)
1170 id_addr_type = BDADDR_LE_PUBLIC;
1172 id_addr_type = BDADDR_LE_RANDOM;
1175 if (!bacmp(&id_addr, src) && id_addr_type == src_type) {
1179 if (bacmp(&d->bdaddr, dst)) {
1186 hdev = hci_dev_hold(hdev);
1188 read_unlock(&hci_dev_list_lock);
1191 EXPORT_SYMBOL(hci_get_route);
1193 /* This function requires the caller holds hdev->lock */
1194 static void hci_le_conn_failed(struct hci_conn *conn, u8 status)
1196 struct hci_dev *hdev = conn->hdev;
1198 hci_connect_le_scan_cleanup(conn, status);
1200 /* Enable advertising in case this was a failed connection
1201 * attempt as a peripheral.
1203 hci_enable_advertising(hdev);
1206 /* This function requires the caller holds hdev->lock */
1207 void hci_conn_failed(struct hci_conn *conn, u8 status)
1209 struct hci_dev *hdev = conn->hdev;
1211 bt_dev_dbg(hdev, "status 0x%2.2x", status);
1213 switch (conn->type) {
1215 hci_le_conn_failed(conn, status);
1218 mgmt_connect_failed(hdev, &conn->dst, conn->type,
1219 conn->dst_type, status);
1223 /* In case of BIG/PA sync failed, clear conn flags so that
1224 * the conns will be correctly cleaned up by ISO layer
1226 test_and_clear_bit(HCI_CONN_BIG_SYNC_FAILED, &conn->flags);
1227 test_and_clear_bit(HCI_CONN_PA_SYNC_FAILED, &conn->flags);
1229 conn->state = BT_CLOSED;
1230 hci_connect_cfm(conn, status);
1234 /* This function requires the caller holds hdev->lock */
1235 u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle)
1237 struct hci_dev *hdev = conn->hdev;
1239 bt_dev_dbg(hdev, "hcon %p handle 0x%4.4x", conn, handle);
1241 if (conn->handle == handle)
1244 if (handle > HCI_CONN_HANDLE_MAX) {
1245 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
1246 handle, HCI_CONN_HANDLE_MAX);
1247 return HCI_ERROR_INVALID_PARAMETERS;
1250 /* If abort_reason has been sent it means the connection is being
1251 * aborted and the handle shall not be changed.
1253 if (conn->abort_reason)
1254 return conn->abort_reason;
1256 if (HCI_CONN_HANDLE_UNSET(conn->handle))
1257 ida_free(&hdev->unset_handle_ida, conn->handle);
1259 conn->handle = handle;
1264 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
1265 u8 dst_type, bool dst_resolved, u8 sec_level,
1266 u16 conn_timeout, u8 role)
1268 struct hci_conn *conn;
1269 struct smp_irk *irk;
1272 /* Let's make sure that le is enabled.*/
1273 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1274 if (lmp_le_capable(hdev))
1275 return ERR_PTR(-ECONNREFUSED);
1277 return ERR_PTR(-EOPNOTSUPP);
1280 /* Since the controller supports only one LE connection attempt at a
1281 * time, we return -EBUSY if there is any connection attempt running.
1283 if (hci_lookup_le_connect(hdev))
1284 return ERR_PTR(-EBUSY);
1286 /* If there's already a connection object but it's not in
1287 * scanning state it means it must already be established, in
1288 * which case we can't do anything else except report a failure
1291 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1292 if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) {
1293 return ERR_PTR(-EBUSY);
1296 /* Check if the destination address has been resolved by the controller
1297 * since if it did then the identity address shall be used.
1299 if (!dst_resolved) {
1300 /* When given an identity address with existing identity
1301 * resolving key, the connection needs to be established
1302 * to a resolvable random address.
1304 * Storing the resolvable random address is required here
1305 * to handle connection failures. The address will later
1306 * be resolved back into the original identity address
1307 * from the connect request.
1309 irk = hci_find_irk_by_addr(hdev, dst, dst_type);
1310 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
1312 dst_type = ADDR_LE_DEV_RANDOM;
1317 bacpy(&conn->dst, dst);
1319 conn = hci_conn_add_unset(hdev, LE_LINK, dst, role);
1321 return ERR_PTR(-ENOMEM);
1322 hci_conn_hold(conn);
1323 conn->pending_sec_level = sec_level;
1326 conn->dst_type = dst_type;
1327 conn->sec_level = BT_SECURITY_LOW;
1328 conn->conn_timeout = conn_timeout;
1330 err = hci_connect_le_sync(hdev, conn);
1333 return ERR_PTR(err);
1339 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
1341 struct hci_conn *conn;
1343 conn = hci_conn_hash_lookup_le(hdev, addr, type);
1347 if (conn->state != BT_CONNECTED)
1353 /* This function requires the caller holds hdev->lock */
1354 static int hci_explicit_conn_params_set(struct hci_dev *hdev,
1355 bdaddr_t *addr, u8 addr_type)
1357 struct hci_conn_params *params;
1359 if (is_connected(hdev, addr, addr_type))
1362 params = hci_conn_params_lookup(hdev, addr, addr_type);
1364 params = hci_conn_params_add(hdev, addr, addr_type);
1368 /* If we created new params, mark them to be deleted in
1369 * hci_connect_le_scan_cleanup. It's different case than
1370 * existing disabled params, those will stay after cleanup.
1372 params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
1375 /* We're trying to connect, so make sure params are at pend_le_conns */
1376 if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
1377 params->auto_connect == HCI_AUTO_CONN_REPORT ||
1378 params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
1379 hci_pend_le_list_del_init(params);
1380 hci_pend_le_list_add(params, &hdev->pend_le_conns);
1383 params->explicit_connect = true;
1385 BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
1386 params->auto_connect);
1391 static int qos_set_big(struct hci_dev *hdev, struct bt_iso_qos *qos)
1393 struct hci_conn *conn;
1396 /* Allocate a BIG if not set */
1397 if (qos->bcast.big == BT_ISO_QOS_BIG_UNSET) {
1398 for (big = 0x00; big < 0xef; big++) {
1400 conn = hci_conn_hash_lookup_big(hdev, big);
1406 return -EADDRNOTAVAIL;
1409 qos->bcast.big = big;
1415 static int qos_set_bis(struct hci_dev *hdev, struct bt_iso_qos *qos)
1417 struct hci_conn *conn;
1420 /* Allocate BIS if not set */
1421 if (qos->bcast.bis == BT_ISO_QOS_BIS_UNSET) {
1422 if (qos->bcast.big != BT_ISO_QOS_BIG_UNSET) {
1423 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big);
1426 /* If the BIG handle is already matched to an advertising
1427 * handle, do not allocate a new one.
1429 qos->bcast.bis = conn->iso_qos.bcast.bis;
1434 /* Find an unused adv set to advertise BIS, skip instance 0x00
1435 * since it is reserved as general purpose set.
1437 for (bis = 0x01; bis < hdev->le_num_of_adv_sets;
1440 conn = hci_conn_hash_lookup_bis(hdev, BDADDR_ANY, bis);
1445 if (bis == hdev->le_num_of_adv_sets)
1446 return -EADDRNOTAVAIL;
1449 qos->bcast.bis = bis;
1455 /* This function requires the caller holds hdev->lock */
1456 static struct hci_conn *hci_add_bis(struct hci_dev *hdev, bdaddr_t *dst,
1457 struct bt_iso_qos *qos, __u8 base_len,
1460 struct hci_conn *conn;
1463 /* Let's make sure that le is enabled.*/
1464 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1465 if (lmp_le_capable(hdev))
1466 return ERR_PTR(-ECONNREFUSED);
1467 return ERR_PTR(-EOPNOTSUPP);
1470 err = qos_set_big(hdev, qos);
1472 return ERR_PTR(err);
1474 err = qos_set_bis(hdev, qos);
1476 return ERR_PTR(err);
1478 /* Check if the LE Create BIG command has already been sent */
1479 conn = hci_conn_hash_lookup_per_adv_bis(hdev, dst, qos->bcast.big,
1482 return ERR_PTR(-EADDRINUSE);
1484 /* Check BIS settings against other bound BISes, since all
1485 * BISes in a BIG must have the same value for all parameters
1487 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big);
1489 if (conn && (memcmp(qos, &conn->iso_qos, sizeof(*qos)) ||
1490 base_len != conn->le_per_adv_data_len ||
1491 memcmp(conn->le_per_adv_data, base, base_len)))
1492 return ERR_PTR(-EADDRINUSE);
1494 conn = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_MASTER);
1496 return ERR_PTR(-ENOMEM);
1498 conn->state = BT_CONNECT;
1500 hci_conn_hold(conn);
1504 /* This function requires the caller holds hdev->lock */
1505 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
1506 u8 dst_type, u8 sec_level,
1508 enum conn_reasons conn_reason)
1510 struct hci_conn *conn;
1512 /* Let's make sure that le is enabled.*/
1513 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1514 if (lmp_le_capable(hdev))
1515 return ERR_PTR(-ECONNREFUSED);
1517 return ERR_PTR(-EOPNOTSUPP);
1520 /* Some devices send ATT messages as soon as the physical link is
1521 * established. To be able to handle these ATT messages, the user-
1522 * space first establishes the connection and then starts the pairing
1525 * So if a hci_conn object already exists for the following connection
1526 * attempt, we simply update pending_sec_level and auth_type fields
1527 * and return the object found.
1529 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1531 if (conn->pending_sec_level < sec_level)
1532 conn->pending_sec_level = sec_level;
1536 BT_DBG("requesting refresh of dst_addr");
1538 conn = hci_conn_add_unset(hdev, LE_LINK, dst, HCI_ROLE_MASTER);
1540 return ERR_PTR(-ENOMEM);
1542 if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) {
1544 return ERR_PTR(-EBUSY);
1547 conn->state = BT_CONNECT;
1548 set_bit(HCI_CONN_SCANNING, &conn->flags);
1549 conn->dst_type = dst_type;
1550 conn->sec_level = BT_SECURITY_LOW;
1551 conn->pending_sec_level = sec_level;
1552 conn->conn_timeout = conn_timeout;
1553 conn->conn_reason = conn_reason;
1555 hci_update_passive_scan(hdev);
1558 hci_conn_hold(conn);
1562 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
1563 u8 sec_level, u8 auth_type,
1564 enum conn_reasons conn_reason, u16 timeout)
1566 struct hci_conn *acl;
1568 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1569 if (lmp_bredr_capable(hdev))
1570 return ERR_PTR(-ECONNREFUSED);
1572 return ERR_PTR(-EOPNOTSUPP);
1575 /* Reject outgoing connection to device with same BD ADDR against
1578 if (!bacmp(&hdev->bdaddr, dst)) {
1579 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
1581 return ERR_PTR(-ECONNREFUSED);
1584 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
1586 acl = hci_conn_add_unset(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
1588 return ERR_PTR(-ENOMEM);
1593 acl->conn_reason = conn_reason;
1594 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
1597 acl->sec_level = BT_SECURITY_LOW;
1598 acl->pending_sec_level = sec_level;
1599 acl->auth_type = auth_type;
1600 acl->conn_timeout = timeout;
1602 err = hci_connect_acl_sync(hdev, acl);
1605 return ERR_PTR(err);
1612 static struct hci_link *hci_conn_link(struct hci_conn *parent,
1613 struct hci_conn *conn)
1615 struct hci_dev *hdev = parent->hdev;
1616 struct hci_link *link;
1618 bt_dev_dbg(hdev, "parent %p hcon %p", parent, conn);
1626 link = kzalloc(sizeof(*link), GFP_KERNEL);
1630 link->conn = hci_conn_hold(conn);
1632 conn->parent = hci_conn_get(parent);
1634 /* Use list_add_tail_rcu append to the list */
1635 list_add_tail_rcu(&link->list, &parent->link_list);
1640 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
1641 __u16 setting, struct bt_codec *codec,
1644 struct hci_conn *acl;
1645 struct hci_conn *sco;
1646 struct hci_link *link;
1648 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING,
1649 CONN_REASON_SCO_CONNECT, timeout);
1653 sco = hci_conn_hash_lookup_ba(hdev, type, dst);
1655 sco = hci_conn_add_unset(hdev, type, dst, HCI_ROLE_MASTER);
1658 return ERR_PTR(-ENOMEM);
1662 link = hci_conn_link(acl, sco);
1666 return ERR_PTR(-ENOLINK);
1669 sco->setting = setting;
1670 sco->codec = *codec;
1672 if (acl->state == BT_CONNECTED &&
1673 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
1674 set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
1675 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
1677 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
1678 /* defer SCO setup until mode change completed */
1679 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
1683 hci_sco_setup(acl, 0x00);
1689 static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos)
1691 struct hci_dev *hdev = conn->hdev;
1692 struct hci_cp_le_create_big cp;
1693 struct iso_list_data data;
1695 memset(&cp, 0, sizeof(cp));
1697 data.big = qos->bcast.big;
1698 data.bis = qos->bcast.bis;
1701 /* Create a BIS for each bound connection */
1702 hci_conn_hash_list_state(hdev, bis_list, ISO_LINK,
1705 cp.handle = qos->bcast.big;
1706 cp.adv_handle = qos->bcast.bis;
1707 cp.num_bis = data.count;
1708 hci_cpu_to_le24(qos->bcast.out.interval, cp.bis.sdu_interval);
1709 cp.bis.sdu = cpu_to_le16(qos->bcast.out.sdu);
1710 cp.bis.latency = cpu_to_le16(qos->bcast.out.latency);
1711 cp.bis.rtn = qos->bcast.out.rtn;
1712 cp.bis.phy = qos->bcast.out.phy;
1713 cp.bis.packing = qos->bcast.packing;
1714 cp.bis.framing = qos->bcast.framing;
1715 cp.bis.encryption = qos->bcast.encryption;
1716 memcpy(cp.bis.bcode, qos->bcast.bcode, sizeof(cp.bis.bcode));
1718 return hci_send_cmd(hdev, HCI_OP_LE_CREATE_BIG, sizeof(cp), &cp);
1721 static int set_cig_params_sync(struct hci_dev *hdev, void *data)
1723 u8 cig_id = PTR_UINT(data);
1724 struct hci_conn *conn;
1725 struct bt_iso_qos *qos;
1726 struct iso_cig_params pdu;
1729 conn = hci_conn_hash_lookup_cig(hdev, cig_id);
1733 memset(&pdu, 0, sizeof(pdu));
1735 qos = &conn->iso_qos;
1736 pdu.cp.cig_id = cig_id;
1737 hci_cpu_to_le24(qos->ucast.out.interval, pdu.cp.c_interval);
1738 hci_cpu_to_le24(qos->ucast.in.interval, pdu.cp.p_interval);
1739 pdu.cp.sca = qos->ucast.sca;
1740 pdu.cp.packing = qos->ucast.packing;
1741 pdu.cp.framing = qos->ucast.framing;
1742 pdu.cp.c_latency = cpu_to_le16(qos->ucast.out.latency);
1743 pdu.cp.p_latency = cpu_to_le16(qos->ucast.in.latency);
1745 /* Reprogram all CIS(s) with the same CIG, valid range are:
1746 * num_cis: 0x00 to 0x1F
1747 * cis_id: 0x00 to 0xEF
1749 for (cis_id = 0x00; cis_id < 0xf0 &&
1750 pdu.cp.num_cis < ARRAY_SIZE(pdu.cis); cis_id++) {
1751 struct hci_cis_params *cis;
1753 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, cig_id, cis_id);
1757 qos = &conn->iso_qos;
1759 cis = &pdu.cis[pdu.cp.num_cis++];
1760 cis->cis_id = cis_id;
1761 cis->c_sdu = cpu_to_le16(conn->iso_qos.ucast.out.sdu);
1762 cis->p_sdu = cpu_to_le16(conn->iso_qos.ucast.in.sdu);
1763 cis->c_phy = qos->ucast.out.phy ? qos->ucast.out.phy :
1765 cis->p_phy = qos->ucast.in.phy ? qos->ucast.in.phy :
1767 cis->c_rtn = qos->ucast.out.rtn;
1768 cis->p_rtn = qos->ucast.in.rtn;
1771 if (!pdu.cp.num_cis)
1774 return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_CIG_PARAMS,
1776 pdu.cp.num_cis * sizeof(pdu.cis[0]), &pdu,
1780 static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos)
1782 struct hci_dev *hdev = conn->hdev;
1783 struct iso_list_data data;
1785 memset(&data, 0, sizeof(data));
1787 /* Allocate first still reconfigurable CIG if not set */
1788 if (qos->ucast.cig == BT_ISO_QOS_CIG_UNSET) {
1789 for (data.cig = 0x00; data.cig < 0xf0; data.cig++) {
1792 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK,
1797 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK,
1798 BT_CONNECTED, &data);
1803 if (data.cig == 0xf0)
1807 qos->ucast.cig = data.cig;
1810 if (qos->ucast.cis != BT_ISO_QOS_CIS_UNSET) {
1811 if (hci_conn_hash_lookup_cis(hdev, NULL, 0, qos->ucast.cig,
1817 /* Allocate first available CIS if not set */
1818 for (data.cig = qos->ucast.cig, data.cis = 0x00; data.cis < 0xf0;
1820 if (!hci_conn_hash_lookup_cis(hdev, NULL, 0, data.cig,
1823 qos->ucast.cis = data.cis;
1828 if (qos->ucast.cis == BT_ISO_QOS_CIS_UNSET)
1832 if (hci_cmd_sync_queue(hdev, set_cig_params_sync,
1833 UINT_PTR(qos->ucast.cig), NULL) < 0)
1839 struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst,
1840 __u8 dst_type, struct bt_iso_qos *qos)
1842 struct hci_conn *cis;
1844 cis = hci_conn_hash_lookup_cis(hdev, dst, dst_type, qos->ucast.cig,
1847 cis = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_MASTER);
1849 return ERR_PTR(-ENOMEM);
1850 cis->cleanup = cis_cleanup;
1851 cis->dst_type = dst_type;
1852 cis->iso_qos.ucast.cig = BT_ISO_QOS_CIG_UNSET;
1853 cis->iso_qos.ucast.cis = BT_ISO_QOS_CIS_UNSET;
1856 if (cis->state == BT_CONNECTED)
1859 /* Check if CIS has been set and the settings matches */
1860 if (cis->state == BT_BOUND &&
1861 !memcmp(&cis->iso_qos, qos, sizeof(*qos)))
1864 /* Update LINK PHYs according to QoS preference */
1865 cis->le_tx_phy = qos->ucast.out.phy;
1866 cis->le_rx_phy = qos->ucast.in.phy;
1868 /* If output interval is not set use the input interval as it cannot be
1871 if (!qos->ucast.out.interval)
1872 qos->ucast.out.interval = qos->ucast.in.interval;
1874 /* If input interval is not set use the output interval as it cannot be
1877 if (!qos->ucast.in.interval)
1878 qos->ucast.in.interval = qos->ucast.out.interval;
1880 /* If output latency is not set use the input latency as it cannot be
1883 if (!qos->ucast.out.latency)
1884 qos->ucast.out.latency = qos->ucast.in.latency;
1886 /* If input latency is not set use the output latency as it cannot be
1889 if (!qos->ucast.in.latency)
1890 qos->ucast.in.latency = qos->ucast.out.latency;
1892 if (!hci_le_set_cig_params(cis, qos)) {
1894 return ERR_PTR(-EINVAL);
1899 cis->iso_qos = *qos;
1900 cis->state = BT_BOUND;
1905 bool hci_iso_setup_path(struct hci_conn *conn)
1907 struct hci_dev *hdev = conn->hdev;
1908 struct hci_cp_le_setup_iso_path cmd;
1910 memset(&cmd, 0, sizeof(cmd));
1912 if (conn->iso_qos.ucast.out.sdu) {
1913 cmd.handle = cpu_to_le16(conn->handle);
1914 cmd.direction = 0x00; /* Input (Host to Controller) */
1915 cmd.path = 0x00; /* HCI path if enabled */
1916 cmd.codec = 0x03; /* Transparent Data */
1918 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
1923 if (conn->iso_qos.ucast.in.sdu) {
1924 cmd.handle = cpu_to_le16(conn->handle);
1925 cmd.direction = 0x01; /* Output (Controller to Host) */
1926 cmd.path = 0x00; /* HCI path if enabled */
1927 cmd.codec = 0x03; /* Transparent Data */
1929 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
1937 int hci_conn_check_create_cis(struct hci_conn *conn)
1939 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY))
1942 if (!conn->parent || conn->parent->state != BT_CONNECTED ||
1943 conn->state != BT_CONNECT || HCI_CONN_HANDLE_UNSET(conn->handle))
1949 static int hci_create_cis_sync(struct hci_dev *hdev, void *data)
1951 return hci_le_create_cis_sync(hdev);
1954 int hci_le_create_cis_pending(struct hci_dev *hdev)
1956 struct hci_conn *conn;
1957 bool pending = false;
1961 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
1962 if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) {
1967 if (!hci_conn_check_create_cis(conn))
1976 /* Queue Create CIS */
1977 return hci_cmd_sync_queue(hdev, hci_create_cis_sync, NULL, NULL);
1980 static void hci_iso_qos_setup(struct hci_dev *hdev, struct hci_conn *conn,
1981 struct bt_iso_io_qos *qos, __u8 phy)
1983 /* Only set MTU if PHY is enabled */
1984 if (!qos->sdu && qos->phy) {
1985 if (hdev->iso_mtu > 0)
1986 qos->sdu = hdev->iso_mtu;
1987 else if (hdev->le_mtu > 0)
1988 qos->sdu = hdev->le_mtu;
1990 qos->sdu = hdev->acl_mtu;
1993 /* Use the same PHY as ACL if set to any */
1994 if (qos->phy == BT_ISO_PHY_ANY)
1997 /* Use LE ACL connection interval if not set */
1999 /* ACL interval unit in 1.25 ms to us */
2000 qos->interval = conn->le_conn_interval * 1250;
2002 /* Use LE ACL connection latency if not set */
2004 qos->latency = conn->le_conn_latency;
2007 static int create_big_sync(struct hci_dev *hdev, void *data)
2009 struct hci_conn *conn = data;
2010 struct bt_iso_qos *qos = &conn->iso_qos;
2011 u16 interval, sync_interval = 0;
2015 if (qos->bcast.out.phy == 0x02)
2016 flags |= MGMT_ADV_FLAG_SEC_2M;
2018 /* Align intervals */
2019 interval = (qos->bcast.out.interval / 1250) * qos->bcast.sync_factor;
2022 sync_interval = interval * 4;
2024 err = hci_start_per_adv_sync(hdev, qos->bcast.bis, conn->le_per_adv_data_len,
2025 conn->le_per_adv_data, flags, interval,
2026 interval, sync_interval);
2030 return hci_le_create_big(conn, &conn->iso_qos);
2033 static void create_pa_complete(struct hci_dev *hdev, void *data, int err)
2035 struct hci_cp_le_pa_create_sync *cp = data;
2037 bt_dev_dbg(hdev, "");
2040 bt_dev_err(hdev, "Unable to create PA: %d", err);
2045 static int create_pa_sync(struct hci_dev *hdev, void *data)
2047 struct hci_cp_le_pa_create_sync *cp = data;
2050 err = __hci_cmd_sync_status(hdev, HCI_OP_LE_PA_CREATE_SYNC,
2051 sizeof(*cp), cp, HCI_CMD_TIMEOUT);
2053 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
2057 return hci_update_passive_scan_sync(hdev);
2060 struct hci_conn *hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst,
2061 __u8 dst_type, __u8 sid,
2062 struct bt_iso_qos *qos)
2064 struct hci_cp_le_pa_create_sync *cp;
2065 struct hci_conn *conn;
2068 if (hci_dev_test_and_set_flag(hdev, HCI_PA_SYNC))
2069 return ERR_PTR(-EBUSY);
2071 conn = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_SLAVE);
2073 return ERR_PTR(-ENOMEM);
2075 conn->iso_qos = *qos;
2076 conn->state = BT_LISTEN;
2078 hci_conn_hold(conn);
2080 cp = kzalloc(sizeof(*cp), GFP_KERNEL);
2082 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
2083 hci_conn_drop(conn);
2084 return ERR_PTR(-ENOMEM);
2087 cp->options = qos->bcast.options;
2089 cp->addr_type = dst_type;
2090 bacpy(&cp->addr, dst);
2091 cp->skip = cpu_to_le16(qos->bcast.skip);
2092 cp->sync_timeout = cpu_to_le16(qos->bcast.sync_timeout);
2093 cp->sync_cte_type = qos->bcast.sync_cte_type;
2095 /* Queue start pa_create_sync and scan */
2096 err = hci_cmd_sync_queue(hdev, create_pa_sync, cp, create_pa_complete);
2098 hci_conn_drop(conn);
2100 return ERR_PTR(err);
2106 int hci_le_big_create_sync(struct hci_dev *hdev, struct hci_conn *hcon,
2107 struct bt_iso_qos *qos,
2108 __u16 sync_handle, __u8 num_bis, __u8 bis[])
2111 struct hci_cp_le_big_create_sync cp;
2116 if (num_bis < 0x01 || num_bis > sizeof(pdu.bis))
2119 err = qos_set_big(hdev, qos);
2124 hcon->iso_qos.bcast.big = qos->bcast.big;
2126 memset(&pdu, 0, sizeof(pdu));
2127 pdu.cp.handle = qos->bcast.big;
2128 pdu.cp.sync_handle = cpu_to_le16(sync_handle);
2129 pdu.cp.encryption = qos->bcast.encryption;
2130 memcpy(pdu.cp.bcode, qos->bcast.bcode, sizeof(pdu.cp.bcode));
2131 pdu.cp.mse = qos->bcast.mse;
2132 pdu.cp.timeout = cpu_to_le16(qos->bcast.timeout);
2133 pdu.cp.num_bis = num_bis;
2134 memcpy(pdu.bis, bis, num_bis);
2136 return hci_send_cmd(hdev, HCI_OP_LE_BIG_CREATE_SYNC,
2137 sizeof(pdu.cp) + num_bis, &pdu);
2140 static void create_big_complete(struct hci_dev *hdev, void *data, int err)
2142 struct hci_conn *conn = data;
2144 bt_dev_dbg(hdev, "conn %p", conn);
2147 bt_dev_err(hdev, "Unable to create BIG: %d", err);
2148 hci_connect_cfm(conn, err);
2153 struct hci_conn *hci_bind_bis(struct hci_dev *hdev, bdaddr_t *dst,
2154 struct bt_iso_qos *qos,
2155 __u8 base_len, __u8 *base)
2157 struct hci_conn *conn;
2158 struct hci_conn *parent;
2159 __u8 eir[HCI_MAX_PER_AD_LENGTH];
2160 struct hci_link *link;
2162 /* Look for any BIS that is open for rebinding */
2163 conn = hci_conn_hash_lookup_big_state(hdev, qos->bcast.big, BT_OPEN);
2165 memcpy(qos, &conn->iso_qos, sizeof(*qos));
2166 conn->state = BT_CONNECTED;
2170 if (base_len && base)
2171 base_len = eir_append_service_data(eir, 0, 0x1851,
2174 /* We need hci_conn object using the BDADDR_ANY as dst */
2175 conn = hci_add_bis(hdev, dst, qos, base_len, eir);
2179 /* Update LINK PHYs according to QoS preference */
2180 conn->le_tx_phy = qos->bcast.out.phy;
2181 conn->le_tx_phy = qos->bcast.out.phy;
2183 /* Add Basic Announcement into Peridic Adv Data if BASE is set */
2184 if (base_len && base) {
2185 memcpy(conn->le_per_adv_data, eir, sizeof(eir));
2186 conn->le_per_adv_data_len = base_len;
2189 hci_iso_qos_setup(hdev, conn, &qos->bcast.out,
2190 conn->le_tx_phy ? conn->le_tx_phy :
2191 hdev->le_tx_def_phys);
2193 conn->iso_qos = *qos;
2194 conn->state = BT_BOUND;
2196 /* Link BISes together */
2197 parent = hci_conn_hash_lookup_big(hdev,
2198 conn->iso_qos.bcast.big);
2199 if (parent && parent != conn) {
2200 link = hci_conn_link(parent, conn);
2202 hci_conn_drop(conn);
2203 return ERR_PTR(-ENOLINK);
2206 /* Link takes the refcount */
2207 hci_conn_drop(conn);
2213 static void bis_mark_per_adv(struct hci_conn *conn, void *data)
2215 struct iso_list_data *d = data;
2217 /* Skip if not broadcast/ANY address */
2218 if (bacmp(&conn->dst, BDADDR_ANY))
2221 if (d->big != conn->iso_qos.bcast.big ||
2222 d->bis == BT_ISO_QOS_BIS_UNSET ||
2223 d->bis != conn->iso_qos.bcast.bis)
2226 set_bit(HCI_CONN_PER_ADV, &conn->flags);
2229 struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst,
2230 __u8 dst_type, struct bt_iso_qos *qos,
2231 __u8 base_len, __u8 *base)
2233 struct hci_conn *conn;
2235 struct iso_list_data data;
2237 conn = hci_bind_bis(hdev, dst, qos, base_len, base);
2241 if (conn->state == BT_CONNECTED)
2244 data.big = qos->bcast.big;
2245 data.bis = qos->bcast.bis;
2247 /* Set HCI_CONN_PER_ADV for all bound connections, to mark that
2248 * the start periodic advertising and create BIG commands have
2251 hci_conn_hash_list_state(hdev, bis_mark_per_adv, ISO_LINK,
2254 /* Queue start periodic advertising and create BIG */
2255 err = hci_cmd_sync_queue(hdev, create_big_sync, conn,
2256 create_big_complete);
2258 hci_conn_drop(conn);
2259 return ERR_PTR(err);
2265 struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst,
2266 __u8 dst_type, struct bt_iso_qos *qos)
2268 struct hci_conn *le;
2269 struct hci_conn *cis;
2270 struct hci_link *link;
2272 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
2273 le = hci_connect_le(hdev, dst, dst_type, false,
2275 HCI_LE_CONN_TIMEOUT,
2278 le = hci_connect_le_scan(hdev, dst, dst_type,
2280 HCI_LE_CONN_TIMEOUT,
2281 CONN_REASON_ISO_CONNECT);
2285 hci_iso_qos_setup(hdev, le, &qos->ucast.out,
2286 le->le_tx_phy ? le->le_tx_phy : hdev->le_tx_def_phys);
2287 hci_iso_qos_setup(hdev, le, &qos->ucast.in,
2288 le->le_rx_phy ? le->le_rx_phy : hdev->le_rx_def_phys);
2290 cis = hci_bind_cis(hdev, dst, dst_type, qos);
2296 link = hci_conn_link(le, cis);
2300 return ERR_PTR(-ENOLINK);
2303 /* Link takes the refcount */
2306 cis->state = BT_CONNECT;
2308 hci_le_create_cis_pending(hdev);
2313 /* Check link security requirement */
2314 int hci_conn_check_link_mode(struct hci_conn *conn)
2316 BT_DBG("hcon %p", conn);
2318 /* In Secure Connections Only mode, it is required that Secure
2319 * Connections is used and the link is encrypted with AES-CCM
2320 * using a P-256 authenticated combination key.
2322 if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) {
2323 if (!hci_conn_sc_enabled(conn) ||
2324 !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2325 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
2329 /* AES encryption is required for Level 4:
2331 * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C
2334 * 128-bit equivalent strength for link and encryption keys
2335 * required using FIPS approved algorithms (E0 not allowed,
2336 * SAFER+ not allowed, and P-192 not allowed; encryption key
2339 if (conn->sec_level == BT_SECURITY_FIPS &&
2340 !test_bit(HCI_CONN_AES_CCM, &conn->flags)) {
2341 bt_dev_err(conn->hdev,
2342 "Invalid security: Missing AES-CCM usage");
2346 if (hci_conn_ssp_enabled(conn) &&
2347 !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2353 /* Authenticate remote device */
2354 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
2356 BT_DBG("hcon %p", conn);
2358 if (conn->pending_sec_level > sec_level)
2359 sec_level = conn->pending_sec_level;
2361 if (sec_level > conn->sec_level)
2362 conn->pending_sec_level = sec_level;
2363 else if (test_bit(HCI_CONN_AUTH, &conn->flags))
2366 /* Make sure we preserve an existing MITM requirement*/
2367 auth_type |= (conn->auth_type & 0x01);
2369 conn->auth_type = auth_type;
2371 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2372 struct hci_cp_auth_requested cp;
2374 cp.handle = cpu_to_le16(conn->handle);
2375 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
2378 /* Set the ENCRYPT_PEND to trigger encryption after
2381 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2382 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2388 /* Encrypt the link */
2389 static void hci_conn_encrypt(struct hci_conn *conn)
2391 BT_DBG("hcon %p", conn);
2393 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2394 struct hci_cp_set_conn_encrypt cp;
2395 cp.handle = cpu_to_le16(conn->handle);
2397 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2402 /* Enable security */
2403 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
2406 BT_DBG("hcon %p", conn);
2408 if (conn->type == LE_LINK)
2409 return smp_conn_security(conn, sec_level);
2411 /* For sdp we don't need the link key. */
2412 if (sec_level == BT_SECURITY_SDP)
2415 /* For non 2.1 devices and low security level we don't need the link
2417 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
2420 /* For other security levels we need the link key. */
2421 if (!test_bit(HCI_CONN_AUTH, &conn->flags))
2424 switch (conn->key_type) {
2425 case HCI_LK_AUTH_COMBINATION_P256:
2426 /* An authenticated FIPS approved combination key has
2427 * sufficient security for security level 4 or lower.
2429 if (sec_level <= BT_SECURITY_FIPS)
2432 case HCI_LK_AUTH_COMBINATION_P192:
2433 /* An authenticated combination key has sufficient security for
2434 * security level 3 or lower.
2436 if (sec_level <= BT_SECURITY_HIGH)
2439 case HCI_LK_UNAUTH_COMBINATION_P192:
2440 case HCI_LK_UNAUTH_COMBINATION_P256:
2441 /* An unauthenticated combination key has sufficient security
2442 * for security level 2 or lower.
2444 if (sec_level <= BT_SECURITY_MEDIUM)
2447 case HCI_LK_COMBINATION:
2448 /* A combination key has always sufficient security for the
2449 * security levels 2 or lower. High security level requires the
2450 * combination key is generated using maximum PIN code length
2451 * (16). For pre 2.1 units.
2453 if (sec_level <= BT_SECURITY_MEDIUM || conn->pin_length == 16)
2461 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
2465 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2467 if (!hci_conn_auth(conn, sec_level, auth_type))
2471 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) {
2472 /* Ensure that the encryption key size has been read,
2473 * otherwise stall the upper layer responses.
2475 if (!conn->enc_key_size)
2478 /* Nothing else needed, all requirements are met */
2482 hci_conn_encrypt(conn);
2485 EXPORT_SYMBOL(hci_conn_security);
2487 /* Check secure link requirement */
2488 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
2490 BT_DBG("hcon %p", conn);
2492 /* Accept if non-secure or higher security level is required */
2493 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
2496 /* Accept if secure or higher security level is already present */
2497 if (conn->sec_level == BT_SECURITY_HIGH ||
2498 conn->sec_level == BT_SECURITY_FIPS)
2501 /* Reject not secure link */
2504 EXPORT_SYMBOL(hci_conn_check_secure);
2507 int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
2509 BT_DBG("hcon %p", conn);
2511 if (role == conn->role)
2514 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
2515 struct hci_cp_switch_role cp;
2516 bacpy(&cp.bdaddr, &conn->dst);
2518 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
2523 EXPORT_SYMBOL(hci_conn_switch_role);
2525 /* Enter active mode */
2526 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
2528 struct hci_dev *hdev = conn->hdev;
2530 BT_DBG("hcon %p mode %d", conn, conn->mode);
2532 if (conn->mode != HCI_CM_SNIFF)
2535 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
2538 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
2539 struct hci_cp_exit_sniff_mode cp;
2540 cp.handle = cpu_to_le16(conn->handle);
2541 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
2545 if (hdev->idle_timeout > 0)
2546 queue_delayed_work(hdev->workqueue, &conn->idle_work,
2547 msecs_to_jiffies(hdev->idle_timeout));
2550 /* Drop all connection on the device */
2551 void hci_conn_hash_flush(struct hci_dev *hdev)
2553 struct list_head *head = &hdev->conn_hash.list;
2554 struct hci_conn *conn;
2556 BT_DBG("hdev %s", hdev->name);
2558 /* We should not traverse the list here, because hci_conn_del
2559 * can remove extra links, which may cause the list traversal
2560 * to hit items that have already been released.
2562 while ((conn = list_first_entry_or_null(head,
2565 conn->state = BT_CLOSED;
2566 hci_disconn_cfm(conn, HCI_ERROR_LOCAL_HOST_TERM);
2571 static u32 get_link_mode(struct hci_conn *conn)
2575 if (conn->role == HCI_ROLE_MASTER)
2576 link_mode |= HCI_LM_MASTER;
2578 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2579 link_mode |= HCI_LM_ENCRYPT;
2581 if (test_bit(HCI_CONN_AUTH, &conn->flags))
2582 link_mode |= HCI_LM_AUTH;
2584 if (test_bit(HCI_CONN_SECURE, &conn->flags))
2585 link_mode |= HCI_LM_SECURE;
2587 if (test_bit(HCI_CONN_FIPS, &conn->flags))
2588 link_mode |= HCI_LM_FIPS;
2593 int hci_get_conn_list(void __user *arg)
2596 struct hci_conn_list_req req, *cl;
2597 struct hci_conn_info *ci;
2598 struct hci_dev *hdev;
2599 int n = 0, size, err;
2601 if (copy_from_user(&req, arg, sizeof(req)))
2604 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
2607 size = sizeof(req) + req.conn_num * sizeof(*ci);
2609 cl = kmalloc(size, GFP_KERNEL);
2613 hdev = hci_dev_get(req.dev_id);
2622 list_for_each_entry(c, &hdev->conn_hash.list, list) {
2623 bacpy(&(ci + n)->bdaddr, &c->dst);
2624 (ci + n)->handle = c->handle;
2625 (ci + n)->type = c->type;
2626 (ci + n)->out = c->out;
2627 (ci + n)->state = c->state;
2628 (ci + n)->link_mode = get_link_mode(c);
2629 if (++n >= req.conn_num)
2632 hci_dev_unlock(hdev);
2634 cl->dev_id = hdev->id;
2636 size = sizeof(req) + n * sizeof(*ci);
2640 err = copy_to_user(arg, cl, size);
2643 return err ? -EFAULT : 0;
2646 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
2648 struct hci_conn_info_req req;
2649 struct hci_conn_info ci;
2650 struct hci_conn *conn;
2651 char __user *ptr = arg + sizeof(req);
2653 if (copy_from_user(&req, arg, sizeof(req)))
2657 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
2659 bacpy(&ci.bdaddr, &conn->dst);
2660 ci.handle = conn->handle;
2661 ci.type = conn->type;
2663 ci.state = conn->state;
2664 ci.link_mode = get_link_mode(conn);
2666 hci_dev_unlock(hdev);
2671 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
2674 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
2676 struct hci_auth_info_req req;
2677 struct hci_conn *conn;
2679 if (copy_from_user(&req, arg, sizeof(req)))
2683 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
2685 req.type = conn->auth_type;
2686 hci_dev_unlock(hdev);
2691 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
2694 struct hci_chan *hci_chan_create(struct hci_conn *conn)
2696 struct hci_dev *hdev = conn->hdev;
2697 struct hci_chan *chan;
2699 BT_DBG("%s hcon %p", hdev->name, conn);
2701 if (test_bit(HCI_CONN_DROP, &conn->flags)) {
2702 BT_DBG("Refusing to create new hci_chan");
2706 chan = kzalloc(sizeof(*chan), GFP_KERNEL);
2710 chan->conn = hci_conn_get(conn);
2711 skb_queue_head_init(&chan->data_q);
2712 chan->state = BT_CONNECTED;
2714 list_add_rcu(&chan->list, &conn->chan_list);
2719 void hci_chan_del(struct hci_chan *chan)
2721 struct hci_conn *conn = chan->conn;
2722 struct hci_dev *hdev = conn->hdev;
2724 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
2726 list_del_rcu(&chan->list);
2730 /* Prevent new hci_chan's to be created for this hci_conn */
2731 set_bit(HCI_CONN_DROP, &conn->flags);
2735 skb_queue_purge(&chan->data_q);
2739 void hci_chan_list_flush(struct hci_conn *conn)
2741 struct hci_chan *chan, *n;
2743 BT_DBG("hcon %p", conn);
2745 list_for_each_entry_safe(chan, n, &conn->chan_list, list)
2749 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
2752 struct hci_chan *hchan;
2754 list_for_each_entry(hchan, &hcon->chan_list, list) {
2755 if (hchan->handle == handle)
2762 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
2764 struct hci_conn_hash *h = &hdev->conn_hash;
2765 struct hci_conn *hcon;
2766 struct hci_chan *hchan = NULL;
2770 list_for_each_entry_rcu(hcon, &h->list, list) {
2771 hchan = __hci_chan_lookup_handle(hcon, handle);
2781 u32 hci_conn_get_phy(struct hci_conn *conn)
2785 /* BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part B page 471:
2786 * Table 6.2: Packets defined for synchronous, asynchronous, and
2787 * CPB logical transport types.
2789 switch (conn->type) {
2791 /* SCO logical transport (1 Mb/s):
2792 * HV1, HV2, HV3 and DV.
2794 phys |= BT_PHY_BR_1M_1SLOT;
2799 /* ACL logical transport (1 Mb/s) ptt=0:
2800 * DH1, DM3, DH3, DM5 and DH5.
2802 phys |= BT_PHY_BR_1M_1SLOT;
2804 if (conn->pkt_type & (HCI_DM3 | HCI_DH3))
2805 phys |= BT_PHY_BR_1M_3SLOT;
2807 if (conn->pkt_type & (HCI_DM5 | HCI_DH5))
2808 phys |= BT_PHY_BR_1M_5SLOT;
2810 /* ACL logical transport (2 Mb/s) ptt=1:
2811 * 2-DH1, 2-DH3 and 2-DH5.
2813 if (!(conn->pkt_type & HCI_2DH1))
2814 phys |= BT_PHY_EDR_2M_1SLOT;
2816 if (!(conn->pkt_type & HCI_2DH3))
2817 phys |= BT_PHY_EDR_2M_3SLOT;
2819 if (!(conn->pkt_type & HCI_2DH5))
2820 phys |= BT_PHY_EDR_2M_5SLOT;
2822 /* ACL logical transport (3 Mb/s) ptt=1:
2823 * 3-DH1, 3-DH3 and 3-DH5.
2825 if (!(conn->pkt_type & HCI_3DH1))
2826 phys |= BT_PHY_EDR_3M_1SLOT;
2828 if (!(conn->pkt_type & HCI_3DH3))
2829 phys |= BT_PHY_EDR_3M_3SLOT;
2831 if (!(conn->pkt_type & HCI_3DH5))
2832 phys |= BT_PHY_EDR_3M_5SLOT;
2837 /* eSCO logical transport (1 Mb/s): EV3, EV4 and EV5 */
2838 phys |= BT_PHY_BR_1M_1SLOT;
2840 if (!(conn->pkt_type & (ESCO_EV4 | ESCO_EV5)))
2841 phys |= BT_PHY_BR_1M_3SLOT;
2843 /* eSCO logical transport (2 Mb/s): 2-EV3, 2-EV5 */
2844 if (!(conn->pkt_type & ESCO_2EV3))
2845 phys |= BT_PHY_EDR_2M_1SLOT;
2847 if (!(conn->pkt_type & ESCO_2EV5))
2848 phys |= BT_PHY_EDR_2M_3SLOT;
2850 /* eSCO logical transport (3 Mb/s): 3-EV3, 3-EV5 */
2851 if (!(conn->pkt_type & ESCO_3EV3))
2852 phys |= BT_PHY_EDR_3M_1SLOT;
2854 if (!(conn->pkt_type & ESCO_3EV5))
2855 phys |= BT_PHY_EDR_3M_3SLOT;
2860 if (conn->le_tx_phy & HCI_LE_SET_PHY_1M)
2861 phys |= BT_PHY_LE_1M_TX;
2863 if (conn->le_rx_phy & HCI_LE_SET_PHY_1M)
2864 phys |= BT_PHY_LE_1M_RX;
2866 if (conn->le_tx_phy & HCI_LE_SET_PHY_2M)
2867 phys |= BT_PHY_LE_2M_TX;
2869 if (conn->le_rx_phy & HCI_LE_SET_PHY_2M)
2870 phys |= BT_PHY_LE_2M_RX;
2872 if (conn->le_tx_phy & HCI_LE_SET_PHY_CODED)
2873 phys |= BT_PHY_LE_CODED_TX;
2875 if (conn->le_rx_phy & HCI_LE_SET_PHY_CODED)
2876 phys |= BT_PHY_LE_CODED_RX;
2884 static int abort_conn_sync(struct hci_dev *hdev, void *data)
2886 struct hci_conn *conn = data;
2888 if (!hci_conn_valid(hdev, conn))
2891 return hci_abort_conn_sync(hdev, conn, conn->abort_reason);
2894 int hci_abort_conn(struct hci_conn *conn, u8 reason)
2896 struct hci_dev *hdev = conn->hdev;
2898 /* If abort_reason has already been set it means the connection is
2899 * already being aborted so don't attempt to overwrite it.
2901 if (conn->abort_reason)
2904 bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason);
2906 conn->abort_reason = reason;
2908 /* If the connection is pending check the command opcode since that
2909 * might be blocking on hci_cmd_sync_work while waiting its respective
2910 * event so we need to hci_cmd_sync_cancel to cancel it.
2912 * hci_connect_le serializes the connection attempts so only one
2913 * connection can be in BT_CONNECT at time.
2915 if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) {
2916 switch (hci_skb_event(hdev->sent_cmd)) {
2917 case HCI_EV_CONN_COMPLETE:
2918 case HCI_EV_LE_CONN_COMPLETE:
2919 case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
2920 case HCI_EVT_LE_CIS_ESTABLISHED:
2921 hci_cmd_sync_cancel(hdev, ECANCELED);
2924 /* Cancel connect attempt if still queued/pending */
2925 } else if (!hci_cancel_connect_sync(hdev, conn)) {
2929 return hci_cmd_sync_queue_once(hdev, abort_conn_sync, conn, NULL);