2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI connection handling. */
27 #include <linux/export.h>
28 #include <linux/debugfs.h>
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/l2cap.h>
33 #include <net/bluetooth/iso.h>
34 #include <net/bluetooth/mgmt.h>
36 #include "hci_request.h"
47 struct conn_handle_t {
48 struct hci_conn *conn;
52 static const struct sco_param esco_param_cvsd[] = {
53 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */
54 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */
55 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */
56 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */
57 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */
60 static const struct sco_param sco_param_cvsd[] = {
61 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */
62 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */
65 static const struct sco_param esco_param_msbc[] = {
66 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */
67 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */
70 /* This function requires the caller holds hdev->lock */
71 static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
73 struct hci_conn_params *params;
74 struct hci_dev *hdev = conn->hdev;
80 bdaddr_type = conn->dst_type;
82 /* Check if we need to convert to identity address */
83 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
85 bdaddr = &irk->bdaddr;
86 bdaddr_type = irk->addr_type;
89 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr,
95 hci_conn_drop(params->conn);
96 hci_conn_put(params->conn);
100 if (!params->explicit_connect)
103 /* If the status indicates successful cancellation of
104 * the attempt (i.e. Unknown Connection Id) there's no point of
105 * notifying failure since we'll go back to keep trying to
106 * connect. The only exception is explicit connect requests
107 * where a timeout + cancel does indicate an actual failure.
109 if (status && status != HCI_ERROR_UNKNOWN_CONN_ID)
110 mgmt_connect_failed(hdev, &conn->dst, conn->type,
111 conn->dst_type, status);
113 /* The connection attempt was doing scan for new RPA, and is
114 * in scan phase. If params are not associated with any other
115 * autoconnect action, remove them completely. If they are, just unmark
116 * them as waiting for connection, by clearing explicit_connect field.
118 params->explicit_connect = false;
120 list_del_init(¶ms->action);
122 switch (params->auto_connect) {
123 case HCI_AUTO_CONN_EXPLICIT:
124 hci_conn_params_del(hdev, bdaddr, bdaddr_type);
125 /* return instead of break to avoid duplicate scan update */
127 case HCI_AUTO_CONN_DIRECT:
128 case HCI_AUTO_CONN_ALWAYS:
129 list_add(¶ms->action, &hdev->pend_le_conns);
131 case HCI_AUTO_CONN_REPORT:
132 list_add(¶ms->action, &hdev->pend_le_reports);
138 hci_update_passive_scan(hdev);
141 static void hci_conn_cleanup(struct hci_conn *conn)
143 struct hci_dev *hdev = conn->hdev;
145 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
146 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);
148 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
149 hci_remove_link_key(hdev, &conn->dst);
151 hci_chan_list_flush(conn);
153 hci_conn_hash_del(hdev, conn);
158 if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
159 switch (conn->setting & SCO_AIRMODE_MASK) {
160 case SCO_AIRMODE_CVSD:
161 case SCO_AIRMODE_TRANSP:
163 hdev->notify(hdev, HCI_NOTIFY_DISABLE_SCO);
168 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
171 hci_conn_del_sysfs(conn);
173 debugfs_remove_recursive(conn->debugfs);
180 static void le_scan_cleanup(struct work_struct *work)
182 struct hci_conn *conn = container_of(work, struct hci_conn,
184 struct hci_dev *hdev = conn->hdev;
185 struct hci_conn *c = NULL;
187 BT_DBG("%s hcon %p", hdev->name, conn);
191 /* Check that the hci_conn is still around */
193 list_for_each_entry_rcu(c, &hdev->conn_hash.list, list) {
200 hci_connect_le_scan_cleanup(conn, 0x00);
201 hci_conn_cleanup(conn);
204 hci_dev_unlock(hdev);
209 static void hci_connect_le_scan_remove(struct hci_conn *conn)
211 BT_DBG("%s hcon %p", conn->hdev->name, conn);
213 /* We can't call hci_conn_del/hci_conn_cleanup here since that
214 * could deadlock with another hci_conn_del() call that's holding
215 * hci_dev_lock and doing cancel_delayed_work_sync(&conn->disc_work).
216 * Instead, grab temporary extra references to the hci_dev and
217 * hci_conn and perform the necessary cleanup in a separate work
221 hci_dev_hold(conn->hdev);
224 /* Even though we hold a reference to the hdev, many other
225 * things might get cleaned up meanwhile, including the hdev's
226 * own workqueue, so we can't use that for scheduling.
228 schedule_work(&conn->le_scan_cleanup);
231 static void hci_acl_create_connection(struct hci_conn *conn)
233 struct hci_dev *hdev = conn->hdev;
234 struct inquiry_entry *ie;
235 struct hci_cp_create_conn cp;
237 BT_DBG("hcon %p", conn);
239 /* Many controllers disallow HCI Create Connection while it is doing
240 * HCI Inquiry. So we cancel the Inquiry first before issuing HCI Create
241 * Connection. This may cause the MGMT discovering state to become false
242 * without user space's request but it is okay since the MGMT Discovery
243 * APIs do not promise that discovery should be done forever. Instead,
244 * the user space monitors the status of MGMT discovering and it may
245 * request for discovery again when this flag becomes false.
247 if (test_bit(HCI_INQUIRY, &hdev->flags)) {
248 /* Put this connection to "pending" state so that it will be
249 * executed after the inquiry cancel command complete event.
251 conn->state = BT_CONNECT2;
252 hci_send_cmd(hdev, HCI_OP_INQUIRY_CANCEL, 0, NULL);
256 conn->state = BT_CONNECT;
258 conn->role = HCI_ROLE_MASTER;
262 conn->link_policy = hdev->link_policy;
264 memset(&cp, 0, sizeof(cp));
265 bacpy(&cp.bdaddr, &conn->dst);
266 cp.pscan_rep_mode = 0x02;
268 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
270 if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) {
271 cp.pscan_rep_mode = ie->data.pscan_rep_mode;
272 cp.pscan_mode = ie->data.pscan_mode;
273 cp.clock_offset = ie->data.clock_offset |
277 memcpy(conn->dev_class, ie->data.dev_class, 3);
280 cp.pkt_type = cpu_to_le16(conn->pkt_type);
281 if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER))
282 cp.role_switch = 0x01;
284 cp.role_switch = 0x00;
286 hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
289 int hci_disconnect(struct hci_conn *conn, __u8 reason)
291 BT_DBG("hcon %p", conn);
293 /* When we are central of an established connection and it enters
294 * the disconnect timeout, then go ahead and try to read the
295 * current clock offset. Processing of the result is done
296 * within the event handling and hci_clock_offset_evt function.
298 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER &&
299 (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) {
300 struct hci_dev *hdev = conn->hdev;
301 struct hci_cp_read_clock_offset clkoff_cp;
303 clkoff_cp.handle = cpu_to_le16(conn->handle);
304 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp),
308 return hci_abort_conn(conn, reason);
311 static void hci_add_sco(struct hci_conn *conn, __u16 handle)
313 struct hci_dev *hdev = conn->hdev;
314 struct hci_cp_add_sco cp;
316 BT_DBG("hcon %p", conn);
318 conn->state = BT_CONNECT;
323 cp.handle = cpu_to_le16(handle);
324 cp.pkt_type = cpu_to_le16(conn->pkt_type);
326 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
329 static bool find_next_esco_param(struct hci_conn *conn,
330 const struct sco_param *esco_param, int size)
332 for (; conn->attempt <= size; conn->attempt++) {
333 if (lmp_esco_2m_capable(conn->link) ||
334 (esco_param[conn->attempt - 1].pkt_type & ESCO_2EV3))
336 BT_DBG("hcon %p skipped attempt %d, eSCO 2M not supported",
337 conn, conn->attempt);
340 return conn->attempt <= size;
343 static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec)
346 __u8 vnd_len, *vnd_data = NULL;
347 struct hci_op_configure_data_path *cmd = NULL;
349 err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len,
354 cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL);
360 err = hdev->get_data_path_id(hdev, &cmd->data_path_id);
364 cmd->vnd_len = vnd_len;
365 memcpy(cmd->vnd_data, vnd_data, vnd_len);
367 cmd->direction = 0x00;
368 __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
369 sizeof(*cmd) + vnd_len, cmd, HCI_CMD_TIMEOUT);
371 cmd->direction = 0x01;
372 err = __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
373 sizeof(*cmd) + vnd_len, cmd,
382 static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data)
384 struct conn_handle_t *conn_handle = data;
385 struct hci_conn *conn = conn_handle->conn;
386 __u16 handle = conn_handle->handle;
387 struct hci_cp_enhanced_setup_sync_conn cp;
388 const struct sco_param *param;
392 bt_dev_dbg(hdev, "hcon %p", conn);
394 /* for offload use case, codec needs to configured before opening SCO */
395 if (conn->codec.data_path)
396 configure_datapath_sync(hdev, &conn->codec);
398 conn->state = BT_CONNECT;
403 memset(&cp, 0x00, sizeof(cp));
405 cp.handle = cpu_to_le16(handle);
407 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
408 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
410 switch (conn->codec.id) {
412 if (!find_next_esco_param(conn, esco_param_msbc,
413 ARRAY_SIZE(esco_param_msbc)))
416 param = &esco_param_msbc[conn->attempt - 1];
417 cp.tx_coding_format.id = 0x05;
418 cp.rx_coding_format.id = 0x05;
419 cp.tx_codec_frame_size = __cpu_to_le16(60);
420 cp.rx_codec_frame_size = __cpu_to_le16(60);
421 cp.in_bandwidth = __cpu_to_le32(32000);
422 cp.out_bandwidth = __cpu_to_le32(32000);
423 cp.in_coding_format.id = 0x04;
424 cp.out_coding_format.id = 0x04;
425 cp.in_coded_data_size = __cpu_to_le16(16);
426 cp.out_coded_data_size = __cpu_to_le16(16);
427 cp.in_pcm_data_format = 2;
428 cp.out_pcm_data_format = 2;
429 cp.in_pcm_sample_payload_msb_pos = 0;
430 cp.out_pcm_sample_payload_msb_pos = 0;
431 cp.in_data_path = conn->codec.data_path;
432 cp.out_data_path = conn->codec.data_path;
433 cp.in_transport_unit_size = 1;
434 cp.out_transport_unit_size = 1;
437 case BT_CODEC_TRANSPARENT:
438 if (!find_next_esco_param(conn, esco_param_msbc,
439 ARRAY_SIZE(esco_param_msbc)))
441 param = &esco_param_msbc[conn->attempt - 1];
442 cp.tx_coding_format.id = 0x03;
443 cp.rx_coding_format.id = 0x03;
444 cp.tx_codec_frame_size = __cpu_to_le16(60);
445 cp.rx_codec_frame_size = __cpu_to_le16(60);
446 cp.in_bandwidth = __cpu_to_le32(0x1f40);
447 cp.out_bandwidth = __cpu_to_le32(0x1f40);
448 cp.in_coding_format.id = 0x03;
449 cp.out_coding_format.id = 0x03;
450 cp.in_coded_data_size = __cpu_to_le16(16);
451 cp.out_coded_data_size = __cpu_to_le16(16);
452 cp.in_pcm_data_format = 2;
453 cp.out_pcm_data_format = 2;
454 cp.in_pcm_sample_payload_msb_pos = 0;
455 cp.out_pcm_sample_payload_msb_pos = 0;
456 cp.in_data_path = conn->codec.data_path;
457 cp.out_data_path = conn->codec.data_path;
458 cp.in_transport_unit_size = 1;
459 cp.out_transport_unit_size = 1;
463 if (lmp_esco_capable(conn->link)) {
464 if (!find_next_esco_param(conn, esco_param_cvsd,
465 ARRAY_SIZE(esco_param_cvsd)))
467 param = &esco_param_cvsd[conn->attempt - 1];
469 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
471 param = &sco_param_cvsd[conn->attempt - 1];
473 cp.tx_coding_format.id = 2;
474 cp.rx_coding_format.id = 2;
475 cp.tx_codec_frame_size = __cpu_to_le16(60);
476 cp.rx_codec_frame_size = __cpu_to_le16(60);
477 cp.in_bandwidth = __cpu_to_le32(16000);
478 cp.out_bandwidth = __cpu_to_le32(16000);
479 cp.in_coding_format.id = 4;
480 cp.out_coding_format.id = 4;
481 cp.in_coded_data_size = __cpu_to_le16(16);
482 cp.out_coded_data_size = __cpu_to_le16(16);
483 cp.in_pcm_data_format = 2;
484 cp.out_pcm_data_format = 2;
485 cp.in_pcm_sample_payload_msb_pos = 0;
486 cp.out_pcm_sample_payload_msb_pos = 0;
487 cp.in_data_path = conn->codec.data_path;
488 cp.out_data_path = conn->codec.data_path;
489 cp.in_transport_unit_size = 16;
490 cp.out_transport_unit_size = 16;
496 cp.retrans_effort = param->retrans_effort;
497 cp.pkt_type = __cpu_to_le16(param->pkt_type);
498 cp.max_latency = __cpu_to_le16(param->max_latency);
500 if (hci_send_cmd(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
506 static bool hci_setup_sync_conn(struct hci_conn *conn, __u16 handle)
508 struct hci_dev *hdev = conn->hdev;
509 struct hci_cp_setup_sync_conn cp;
510 const struct sco_param *param;
512 bt_dev_dbg(hdev, "hcon %p", conn);
514 conn->state = BT_CONNECT;
519 cp.handle = cpu_to_le16(handle);
521 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
522 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
523 cp.voice_setting = cpu_to_le16(conn->setting);
525 switch (conn->setting & SCO_AIRMODE_MASK) {
526 case SCO_AIRMODE_TRANSP:
527 if (!find_next_esco_param(conn, esco_param_msbc,
528 ARRAY_SIZE(esco_param_msbc)))
530 param = &esco_param_msbc[conn->attempt - 1];
532 case SCO_AIRMODE_CVSD:
533 if (lmp_esco_capable(conn->link)) {
534 if (!find_next_esco_param(conn, esco_param_cvsd,
535 ARRAY_SIZE(esco_param_cvsd)))
537 param = &esco_param_cvsd[conn->attempt - 1];
539 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
541 param = &sco_param_cvsd[conn->attempt - 1];
548 cp.retrans_effort = param->retrans_effort;
549 cp.pkt_type = __cpu_to_le16(param->pkt_type);
550 cp.max_latency = __cpu_to_le16(param->max_latency);
552 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
558 bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
561 struct conn_handle_t *conn_handle;
563 if (enhanced_sync_conn_capable(conn->hdev)) {
564 conn_handle = kzalloc(sizeof(*conn_handle), GFP_KERNEL);
569 conn_handle->conn = conn;
570 conn_handle->handle = handle;
571 result = hci_cmd_sync_queue(conn->hdev, hci_enhanced_setup_sync,
579 return hci_setup_sync_conn(conn, handle);
582 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
585 struct hci_dev *hdev = conn->hdev;
586 struct hci_conn_params *params;
587 struct hci_cp_le_conn_update cp;
591 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
593 params->conn_min_interval = min;
594 params->conn_max_interval = max;
595 params->conn_latency = latency;
596 params->supervision_timeout = to_multiplier;
599 hci_dev_unlock(hdev);
601 memset(&cp, 0, sizeof(cp));
602 cp.handle = cpu_to_le16(conn->handle);
603 cp.conn_interval_min = cpu_to_le16(min);
604 cp.conn_interval_max = cpu_to_le16(max);
605 cp.conn_latency = cpu_to_le16(latency);
606 cp.supervision_timeout = cpu_to_le16(to_multiplier);
607 cp.min_ce_len = cpu_to_le16(0x0000);
608 cp.max_ce_len = cpu_to_le16(0x0000);
610 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
618 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
619 __u8 ltk[16], __u8 key_size)
621 struct hci_dev *hdev = conn->hdev;
622 struct hci_cp_le_start_enc cp;
624 BT_DBG("hcon %p", conn);
626 memset(&cp, 0, sizeof(cp));
628 cp.handle = cpu_to_le16(conn->handle);
631 memcpy(cp.ltk, ltk, key_size);
633 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
636 /* Device _must_ be locked */
637 void hci_sco_setup(struct hci_conn *conn, __u8 status)
639 struct hci_conn *sco = conn->link;
644 BT_DBG("hcon %p", conn);
647 if (lmp_esco_capable(conn->hdev))
648 hci_setup_sync(sco, conn->handle);
650 hci_add_sco(sco, conn->handle);
652 hci_connect_cfm(sco, status);
657 static void hci_conn_timeout(struct work_struct *work)
659 struct hci_conn *conn = container_of(work, struct hci_conn,
661 int refcnt = atomic_read(&conn->refcnt);
663 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
667 /* FIXME: It was observed that in pairing failed scenario, refcnt
668 * drops below 0. Probably this is because l2cap_conn_del calls
669 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
670 * dropped. After that loop hci_chan_del is called which also drops
671 * conn. For now make sure that ACL is alive if refcnt is higher then 0,
677 /* LE connections in scanning state need special handling */
678 if (conn->state == BT_CONNECT && conn->type == LE_LINK &&
679 test_bit(HCI_CONN_SCANNING, &conn->flags)) {
680 hci_connect_le_scan_remove(conn);
684 hci_abort_conn(conn, hci_proto_disconn_ind(conn));
687 /* Enter sniff mode */
688 static void hci_conn_idle(struct work_struct *work)
690 struct hci_conn *conn = container_of(work, struct hci_conn,
692 struct hci_dev *hdev = conn->hdev;
694 BT_DBG("hcon %p mode %d", conn, conn->mode);
696 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
699 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
702 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
703 struct hci_cp_sniff_subrate cp;
704 cp.handle = cpu_to_le16(conn->handle);
705 cp.max_latency = cpu_to_le16(0);
706 cp.min_remote_timeout = cpu_to_le16(0);
707 cp.min_local_timeout = cpu_to_le16(0);
708 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
711 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
712 struct hci_cp_sniff_mode cp;
713 cp.handle = cpu_to_le16(conn->handle);
714 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
715 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
716 cp.attempt = cpu_to_le16(4);
717 cp.timeout = cpu_to_le16(1);
718 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
722 static void hci_conn_auto_accept(struct work_struct *work)
724 struct hci_conn *conn = container_of(work, struct hci_conn,
725 auto_accept_work.work);
727 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
731 static void le_disable_advertising(struct hci_dev *hdev)
733 if (ext_adv_capable(hdev)) {
734 struct hci_cp_le_set_ext_adv_enable cp;
737 cp.num_of_sets = 0x00;
739 hci_send_cmd(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE, sizeof(cp),
743 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
748 static void le_conn_timeout(struct work_struct *work)
750 struct hci_conn *conn = container_of(work, struct hci_conn,
751 le_conn_timeout.work);
752 struct hci_dev *hdev = conn->hdev;
756 /* We could end up here due to having done directed advertising,
757 * so clean up the state if necessary. This should however only
758 * happen with broken hardware or if low duty cycle was used
759 * (which doesn't have a timeout of its own).
761 if (conn->role == HCI_ROLE_SLAVE) {
762 /* Disable LE Advertising */
763 le_disable_advertising(hdev);
765 hci_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
766 hci_dev_unlock(hdev);
770 hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
773 struct iso_list_data {
785 struct hci_cp_le_set_cig_params cp;
786 struct hci_cis_params cis[0x11];
790 static void bis_list(struct hci_conn *conn, void *data)
792 struct iso_list_data *d = data;
794 /* Skip if not broadcast/ANY address */
795 if (bacmp(&conn->dst, BDADDR_ANY))
798 if (d->big != conn->iso_qos.big || d->bis == BT_ISO_QOS_BIS_UNSET ||
799 d->bis != conn->iso_qos.bis)
805 static void find_bis(struct hci_conn *conn, void *data)
807 struct iso_list_data *d = data;
810 if (bacmp(&conn->dst, BDADDR_ANY))
816 static int terminate_big_sync(struct hci_dev *hdev, void *data)
818 struct iso_list_data *d = data;
820 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", d->big, d->bis);
822 hci_remove_ext_adv_instance_sync(hdev, d->bis, NULL);
824 /* Check if ISO connection is a BIS and terminate BIG if there are
825 * no other connections using it.
827 hci_conn_hash_list_state(hdev, find_bis, ISO_LINK, BT_CONNECTED, d);
831 return hci_le_terminate_big_sync(hdev, d->big,
832 HCI_ERROR_LOCAL_HOST_TERM);
835 static void terminate_big_destroy(struct hci_dev *hdev, void *data, int err)
840 static int hci_le_terminate_big(struct hci_dev *hdev, u8 big, u8 bis)
842 struct iso_list_data *d;
845 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", big, bis);
847 d = kmalloc(sizeof(*d), GFP_KERNEL);
851 memset(d, 0, sizeof(*d));
855 ret = hci_cmd_sync_queue(hdev, terminate_big_sync, d,
856 terminate_big_destroy);
863 static int big_terminate_sync(struct hci_dev *hdev, void *data)
865 struct iso_list_data *d = data;
867 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", d->big,
870 /* Check if ISO connection is a BIS and terminate BIG if there are
871 * no other connections using it.
873 hci_conn_hash_list_state(hdev, find_bis, ISO_LINK, BT_CONNECTED, d);
877 hci_le_big_terminate_sync(hdev, d->big);
879 return hci_le_pa_terminate_sync(hdev, d->sync_handle);
882 static int hci_le_big_terminate(struct hci_dev *hdev, u8 big, u16 sync_handle)
884 struct iso_list_data *d;
887 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", big, sync_handle);
889 d = kmalloc(sizeof(*d), GFP_KERNEL);
893 memset(d, 0, sizeof(*d));
895 d->sync_handle = sync_handle;
897 ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d,
898 terminate_big_destroy);
905 /* Cleanup BIS connection
907 * Detects if there any BIS left connected in a BIG
908 * broadcaster: Remove advertising instance and terminate BIG.
909 * broadcaster receiver: Teminate BIG sync and terminate PA sync.
911 static void bis_cleanup(struct hci_conn *conn)
913 struct hci_dev *hdev = conn->hdev;
915 bt_dev_dbg(hdev, "conn %p", conn);
917 if (conn->role == HCI_ROLE_MASTER) {
918 if (!test_and_clear_bit(HCI_CONN_PER_ADV, &conn->flags))
921 hci_le_terminate_big(hdev, conn->iso_qos.big,
924 hci_le_big_terminate(hdev, conn->iso_qos.big,
929 static int remove_cig_sync(struct hci_dev *hdev, void *data)
931 u8 handle = PTR_ERR(data);
933 return hci_le_remove_cig_sync(hdev, handle);
936 static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle)
938 bt_dev_dbg(hdev, "handle 0x%2.2x", handle);
940 return hci_cmd_sync_queue(hdev, remove_cig_sync, ERR_PTR(handle), NULL);
943 static void find_cis(struct hci_conn *conn, void *data)
945 struct iso_list_data *d = data;
947 /* Ignore broadcast */
948 if (!bacmp(&conn->dst, BDADDR_ANY))
954 /* Cleanup CIS connection:
956 * Detects if there any CIS left connected in a CIG and remove it.
958 static void cis_cleanup(struct hci_conn *conn)
960 struct hci_dev *hdev = conn->hdev;
961 struct iso_list_data d;
963 memset(&d, 0, sizeof(d));
964 d.cig = conn->iso_qos.cig;
966 /* Check if ISO connection is a CIS and remove CIG if there are
967 * no other connections using it.
969 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_BOUND, &d);
970 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECT, &d);
971 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECTED, &d);
975 hci_le_remove_cig(hdev, conn->iso_qos.cig);
978 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
981 struct hci_conn *conn;
983 BT_DBG("%s dst %pMR", hdev->name, dst);
985 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
989 bacpy(&conn->dst, dst);
990 bacpy(&conn->src, &hdev->bdaddr);
991 conn->handle = HCI_CONN_HANDLE_UNSET;
995 conn->mode = HCI_CM_ACTIVE;
996 conn->state = BT_OPEN;
997 conn->auth_type = HCI_AT_GENERAL_BONDING;
998 conn->io_capability = hdev->io_capability;
999 conn->remote_auth = 0xff;
1000 conn->key_type = 0xff;
1001 conn->rssi = HCI_RSSI_INVALID;
1002 conn->tx_power = HCI_TX_POWER_INVALID;
1003 conn->max_tx_power = HCI_TX_POWER_INVALID;
1005 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
1006 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
1008 /* Set Default Authenticated payload timeout to 30s */
1009 conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
1011 if (conn->role == HCI_ROLE_MASTER)
1016 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
1019 /* conn->src should reflect the local identity address */
1020 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
1023 /* conn->src should reflect the local identity address */
1024 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
1026 /* set proper cleanup function */
1027 if (!bacmp(dst, BDADDR_ANY))
1028 conn->cleanup = bis_cleanup;
1029 else if (conn->role == HCI_ROLE_MASTER)
1030 conn->cleanup = cis_cleanup;
1034 if (lmp_esco_capable(hdev))
1035 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
1036 (hdev->esco_type & EDR_ESCO_MASK);
1038 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
1041 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
1045 skb_queue_head_init(&conn->data_q);
1047 INIT_LIST_HEAD(&conn->chan_list);
1049 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
1050 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
1051 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
1052 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
1053 INIT_WORK(&conn->le_scan_cleanup, le_scan_cleanup);
1055 atomic_set(&conn->refcnt, 0);
1059 hci_conn_hash_add(hdev, conn);
1061 /* The SCO and eSCO connections will only be notified when their
1062 * setup has been completed. This is different to ACL links which
1063 * can be notified right away.
1065 if (conn->type != SCO_LINK && conn->type != ESCO_LINK) {
1067 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
1070 hci_conn_init_sysfs(conn);
1075 static bool hci_conn_unlink(struct hci_conn *conn)
1080 conn->link->link = NULL;
1086 int hci_conn_del(struct hci_conn *conn)
1088 struct hci_dev *hdev = conn->hdev;
1090 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
1092 cancel_delayed_work_sync(&conn->disc_work);
1093 cancel_delayed_work_sync(&conn->auto_accept_work);
1094 cancel_delayed_work_sync(&conn->idle_work);
1096 if (conn->type == ACL_LINK) {
1097 struct hci_conn *link = conn->link;
1100 hci_conn_unlink(conn);
1101 /* Due to race, SCO connection might be not established
1102 * yet at this point. Delete it now, otherwise it is
1103 * possible for it to be stuck and can't be deleted.
1105 if (link->handle == HCI_CONN_HANDLE_UNSET)
1109 /* Unacked frames */
1110 hdev->acl_cnt += conn->sent;
1111 } else if (conn->type == LE_LINK) {
1112 cancel_delayed_work(&conn->le_conn_timeout);
1115 hdev->le_cnt += conn->sent;
1117 hdev->acl_cnt += conn->sent;
1119 struct hci_conn *acl = conn->link;
1122 hci_conn_unlink(conn);
1126 /* Unacked ISO frames */
1127 if (conn->type == ISO_LINK) {
1129 hdev->iso_cnt += conn->sent;
1130 else if (hdev->le_pkts)
1131 hdev->le_cnt += conn->sent;
1133 hdev->acl_cnt += conn->sent;
1138 amp_mgr_put(conn->amp_mgr);
1140 skb_queue_purge(&conn->data_q);
1142 /* Remove the connection from the list and cleanup its remaining
1143 * state. This is a separate function since for some cases like
1144 * BT_CONNECT_SCAN we *only* want the cleanup part without the
1145 * rest of hci_conn_del.
1147 hci_conn_cleanup(conn);
1152 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type)
1154 int use_src = bacmp(src, BDADDR_ANY);
1155 struct hci_dev *hdev = NULL, *d;
1157 BT_DBG("%pMR -> %pMR", src, dst);
1159 read_lock(&hci_dev_list_lock);
1161 list_for_each_entry(d, &hci_dev_list, list) {
1162 if (!test_bit(HCI_UP, &d->flags) ||
1163 hci_dev_test_flag(d, HCI_USER_CHANNEL) ||
1164 d->dev_type != HCI_PRIMARY)
1168 * No source address - find interface with bdaddr != dst
1169 * Source address - find interface with bdaddr == src
1176 if (src_type == BDADDR_BREDR) {
1177 if (!lmp_bredr_capable(d))
1179 bacpy(&id_addr, &d->bdaddr);
1180 id_addr_type = BDADDR_BREDR;
1182 if (!lmp_le_capable(d))
1185 hci_copy_identity_address(d, &id_addr,
1188 /* Convert from HCI to three-value type */
1189 if (id_addr_type == ADDR_LE_DEV_PUBLIC)
1190 id_addr_type = BDADDR_LE_PUBLIC;
1192 id_addr_type = BDADDR_LE_RANDOM;
1195 if (!bacmp(&id_addr, src) && id_addr_type == src_type) {
1199 if (bacmp(&d->bdaddr, dst)) {
1206 hdev = hci_dev_hold(hdev);
1208 read_unlock(&hci_dev_list_lock);
1211 EXPORT_SYMBOL(hci_get_route);
1213 /* This function requires the caller holds hdev->lock */
1214 static void hci_le_conn_failed(struct hci_conn *conn, u8 status)
1216 struct hci_dev *hdev = conn->hdev;
1218 hci_connect_le_scan_cleanup(conn, status);
1220 /* Enable advertising in case this was a failed connection
1221 * attempt as a peripheral.
1223 hci_enable_advertising(hdev);
1226 /* This function requires the caller holds hdev->lock */
1227 void hci_conn_failed(struct hci_conn *conn, u8 status)
1229 struct hci_dev *hdev = conn->hdev;
1231 bt_dev_dbg(hdev, "status 0x%2.2x", status);
1233 switch (conn->type) {
1235 hci_le_conn_failed(conn, status);
1238 mgmt_connect_failed(hdev, &conn->dst, conn->type,
1239 conn->dst_type, status);
1243 conn->state = BT_CLOSED;
1244 hci_connect_cfm(conn, status);
1248 static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
1250 struct hci_conn *conn = data;
1252 bt_dev_dbg(hdev, "err %d", err);
1257 hci_connect_le_scan_cleanup(conn, 0x00);
1261 /* Check if connection is still pending */
1262 if (conn != hci_lookup_le_connect(hdev))
1265 hci_conn_failed(conn, bt_status(err));
1268 hci_dev_unlock(hdev);
1271 static int hci_connect_le_sync(struct hci_dev *hdev, void *data)
1273 struct hci_conn *conn = data;
1275 bt_dev_dbg(hdev, "conn %p", conn);
1277 return hci_le_create_conn_sync(hdev, conn);
1280 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
1281 u8 dst_type, bool dst_resolved, u8 sec_level,
1282 u16 conn_timeout, u8 role)
1284 struct hci_conn *conn;
1285 struct smp_irk *irk;
1288 /* Let's make sure that le is enabled.*/
1289 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1290 if (lmp_le_capable(hdev))
1291 return ERR_PTR(-ECONNREFUSED);
1293 return ERR_PTR(-EOPNOTSUPP);
1296 /* Since the controller supports only one LE connection attempt at a
1297 * time, we return -EBUSY if there is any connection attempt running.
1299 if (hci_lookup_le_connect(hdev))
1300 return ERR_PTR(-EBUSY);
1302 /* If there's already a connection object but it's not in
1303 * scanning state it means it must already be established, in
1304 * which case we can't do anything else except report a failure
1307 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1308 if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) {
1309 return ERR_PTR(-EBUSY);
1312 /* Check if the destination address has been resolved by the controller
1313 * since if it did then the identity address shall be used.
1315 if (!dst_resolved) {
1316 /* When given an identity address with existing identity
1317 * resolving key, the connection needs to be established
1318 * to a resolvable random address.
1320 * Storing the resolvable random address is required here
1321 * to handle connection failures. The address will later
1322 * be resolved back into the original identity address
1323 * from the connect request.
1325 irk = hci_find_irk_by_addr(hdev, dst, dst_type);
1326 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
1328 dst_type = ADDR_LE_DEV_RANDOM;
1333 bacpy(&conn->dst, dst);
1335 conn = hci_conn_add(hdev, LE_LINK, dst, role);
1337 return ERR_PTR(-ENOMEM);
1338 hci_conn_hold(conn);
1339 conn->pending_sec_level = sec_level;
1342 conn->dst_type = dst_type;
1343 conn->sec_level = BT_SECURITY_LOW;
1344 conn->conn_timeout = conn_timeout;
1346 conn->state = BT_CONNECT;
1347 clear_bit(HCI_CONN_SCANNING, &conn->flags);
1349 err = hci_cmd_sync_queue(hdev, hci_connect_le_sync, conn,
1350 create_le_conn_complete);
1353 return ERR_PTR(err);
1359 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
1361 struct hci_conn *conn;
1363 conn = hci_conn_hash_lookup_le(hdev, addr, type);
1367 if (conn->state != BT_CONNECTED)
1373 /* This function requires the caller holds hdev->lock */
1374 static int hci_explicit_conn_params_set(struct hci_dev *hdev,
1375 bdaddr_t *addr, u8 addr_type)
1377 struct hci_conn_params *params;
1379 if (is_connected(hdev, addr, addr_type))
1382 params = hci_conn_params_lookup(hdev, addr, addr_type);
1384 params = hci_conn_params_add(hdev, addr, addr_type);
1388 /* If we created new params, mark them to be deleted in
1389 * hci_connect_le_scan_cleanup. It's different case than
1390 * existing disabled params, those will stay after cleanup.
1392 params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
1395 /* We're trying to connect, so make sure params are at pend_le_conns */
1396 if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
1397 params->auto_connect == HCI_AUTO_CONN_REPORT ||
1398 params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
1399 list_del_init(¶ms->action);
1400 list_add(¶ms->action, &hdev->pend_le_conns);
1403 params->explicit_connect = true;
1405 BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
1406 params->auto_connect);
1411 static int qos_set_big(struct hci_dev *hdev, struct bt_iso_qos *qos)
1413 struct iso_list_data data;
1415 /* Allocate a BIG if not set */
1416 if (qos->big == BT_ISO_QOS_BIG_UNSET) {
1417 for (data.big = 0x00; data.big < 0xef; data.big++) {
1421 hci_conn_hash_list_state(hdev, bis_list, ISO_LINK,
1427 if (data.big == 0xef)
1428 return -EADDRNOTAVAIL;
1431 qos->big = data.big;
1437 static int qos_set_bis(struct hci_dev *hdev, struct bt_iso_qos *qos)
1439 struct iso_list_data data;
1441 /* Allocate BIS if not set */
1442 if (qos->bis == BT_ISO_QOS_BIS_UNSET) {
1443 /* Find an unused adv set to advertise BIS, skip instance 0x00
1444 * since it is reserved as general purpose set.
1446 for (data.bis = 0x01; data.bis < hdev->le_num_of_adv_sets;
1450 hci_conn_hash_list_state(hdev, bis_list, ISO_LINK,
1456 if (data.bis == hdev->le_num_of_adv_sets)
1457 return -EADDRNOTAVAIL;
1460 qos->bis = data.bis;
1466 /* This function requires the caller holds hdev->lock */
1467 static struct hci_conn *hci_add_bis(struct hci_dev *hdev, bdaddr_t *dst,
1468 struct bt_iso_qos *qos)
1470 struct hci_conn *conn;
1471 struct iso_list_data data;
1474 /* Let's make sure that le is enabled.*/
1475 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1476 if (lmp_le_capable(hdev))
1477 return ERR_PTR(-ECONNREFUSED);
1478 return ERR_PTR(-EOPNOTSUPP);
1481 err = qos_set_big(hdev, qos);
1483 return ERR_PTR(err);
1485 err = qos_set_bis(hdev, qos);
1487 return ERR_PTR(err);
1489 data.big = qos->big;
1490 data.bis = qos->bis;
1493 /* Check if there is already a matching BIG/BIS */
1494 hci_conn_hash_list_state(hdev, bis_list, ISO_LINK, BT_BOUND, &data);
1496 return ERR_PTR(-EADDRINUSE);
1498 conn = hci_conn_hash_lookup_bis(hdev, dst, qos->big, qos->bis);
1500 return ERR_PTR(-EADDRINUSE);
1502 conn = hci_conn_add(hdev, ISO_LINK, dst, HCI_ROLE_MASTER);
1504 return ERR_PTR(-ENOMEM);
1506 set_bit(HCI_CONN_PER_ADV, &conn->flags);
1507 conn->state = BT_CONNECT;
1509 hci_conn_hold(conn);
1513 /* This function requires the caller holds hdev->lock */
1514 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
1515 u8 dst_type, u8 sec_level,
1517 enum conn_reasons conn_reason)
1519 struct hci_conn *conn;
1521 /* Let's make sure that le is enabled.*/
1522 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1523 if (lmp_le_capable(hdev))
1524 return ERR_PTR(-ECONNREFUSED);
1526 return ERR_PTR(-EOPNOTSUPP);
1529 /* Some devices send ATT messages as soon as the physical link is
1530 * established. To be able to handle these ATT messages, the user-
1531 * space first establishes the connection and then starts the pairing
1534 * So if a hci_conn object already exists for the following connection
1535 * attempt, we simply update pending_sec_level and auth_type fields
1536 * and return the object found.
1538 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1540 if (conn->pending_sec_level < sec_level)
1541 conn->pending_sec_level = sec_level;
1545 BT_DBG("requesting refresh of dst_addr");
1547 conn = hci_conn_add(hdev, LE_LINK, dst, HCI_ROLE_MASTER);
1549 return ERR_PTR(-ENOMEM);
1551 if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) {
1553 return ERR_PTR(-EBUSY);
1556 conn->state = BT_CONNECT;
1557 set_bit(HCI_CONN_SCANNING, &conn->flags);
1558 conn->dst_type = dst_type;
1559 conn->sec_level = BT_SECURITY_LOW;
1560 conn->pending_sec_level = sec_level;
1561 conn->conn_timeout = conn_timeout;
1562 conn->conn_reason = conn_reason;
1564 hci_update_passive_scan(hdev);
1567 hci_conn_hold(conn);
1571 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
1572 u8 sec_level, u8 auth_type,
1573 enum conn_reasons conn_reason)
1575 struct hci_conn *acl;
1577 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1578 if (lmp_bredr_capable(hdev))
1579 return ERR_PTR(-ECONNREFUSED);
1581 return ERR_PTR(-EOPNOTSUPP);
1584 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
1586 acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
1588 return ERR_PTR(-ENOMEM);
1593 acl->conn_reason = conn_reason;
1594 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
1595 acl->sec_level = BT_SECURITY_LOW;
1596 acl->pending_sec_level = sec_level;
1597 acl->auth_type = auth_type;
1598 hci_acl_create_connection(acl);
1604 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
1605 __u16 setting, struct bt_codec *codec)
1607 struct hci_conn *acl;
1608 struct hci_conn *sco;
1610 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING,
1611 CONN_REASON_SCO_CONNECT);
1615 sco = hci_conn_hash_lookup_ba(hdev, type, dst);
1617 sco = hci_conn_add(hdev, type, dst, HCI_ROLE_MASTER);
1620 return ERR_PTR(-ENOMEM);
1629 sco->setting = setting;
1630 sco->codec = *codec;
1632 if (acl->state == BT_CONNECTED &&
1633 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
1634 set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
1635 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
1637 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
1638 /* defer SCO setup until mode change completed */
1639 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
1643 hci_sco_setup(acl, 0x00);
1649 static void cis_add(struct iso_list_data *d, struct bt_iso_qos *qos)
1651 struct hci_cis_params *cis = &d->pdu.cis[d->pdu.cp.num_cis];
1653 cis->cis_id = qos->cis;
1654 cis->c_sdu = cpu_to_le16(qos->out.sdu);
1655 cis->p_sdu = cpu_to_le16(qos->in.sdu);
1656 cis->c_phy = qos->out.phy ? qos->out.phy : qos->in.phy;
1657 cis->p_phy = qos->in.phy ? qos->in.phy : qos->out.phy;
1658 cis->c_rtn = qos->out.rtn;
1659 cis->p_rtn = qos->in.rtn;
1661 d->pdu.cp.num_cis++;
1664 static void cis_list(struct hci_conn *conn, void *data)
1666 struct iso_list_data *d = data;
1668 /* Skip if broadcast/ANY address */
1669 if (!bacmp(&conn->dst, BDADDR_ANY))
1672 if (d->cig != conn->iso_qos.cig || d->cis == BT_ISO_QOS_CIS_UNSET ||
1673 d->cis != conn->iso_qos.cis)
1678 if (d->pdu.cp.cig_id == BT_ISO_QOS_CIG_UNSET ||
1679 d->count >= ARRAY_SIZE(d->pdu.cis))
1682 cis_add(d, &conn->iso_qos);
1685 static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos)
1687 struct hci_dev *hdev = conn->hdev;
1688 struct hci_cp_le_create_big cp;
1690 memset(&cp, 0, sizeof(cp));
1692 cp.handle = qos->big;
1693 cp.adv_handle = qos->bis;
1695 hci_cpu_to_le24(qos->out.interval, cp.bis.sdu_interval);
1696 cp.bis.sdu = cpu_to_le16(qos->out.sdu);
1697 cp.bis.latency = cpu_to_le16(qos->out.latency);
1698 cp.bis.rtn = qos->out.rtn;
1699 cp.bis.phy = qos->out.phy;
1700 cp.bis.packing = qos->packing;
1701 cp.bis.framing = qos->framing;
1702 cp.bis.encryption = 0x00;
1703 memset(&cp.bis.bcode, 0, sizeof(cp.bis.bcode));
1705 return hci_send_cmd(hdev, HCI_OP_LE_CREATE_BIG, sizeof(cp), &cp);
1708 static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos)
1710 struct hci_dev *hdev = conn->hdev;
1711 struct iso_list_data data;
1713 memset(&data, 0, sizeof(data));
1715 /* Allocate a CIG if not set */
1716 if (qos->cig == BT_ISO_QOS_CIG_UNSET) {
1717 for (data.cig = 0x00; data.cig < 0xff; data.cig++) {
1721 hci_conn_hash_list_state(hdev, cis_list, ISO_LINK,
1726 hci_conn_hash_list_state(hdev, cis_list, ISO_LINK,
1727 BT_CONNECTED, &data);
1732 if (data.cig == 0xff)
1736 qos->cig = data.cig;
1739 data.pdu.cp.cig_id = qos->cig;
1740 hci_cpu_to_le24(qos->out.interval, data.pdu.cp.c_interval);
1741 hci_cpu_to_le24(qos->in.interval, data.pdu.cp.p_interval);
1742 data.pdu.cp.sca = qos->sca;
1743 data.pdu.cp.packing = qos->packing;
1744 data.pdu.cp.framing = qos->framing;
1745 data.pdu.cp.c_latency = cpu_to_le16(qos->out.latency);
1746 data.pdu.cp.p_latency = cpu_to_le16(qos->in.latency);
1748 if (qos->cis != BT_ISO_QOS_CIS_UNSET) {
1750 data.cig = qos->cig;
1751 data.cis = qos->cis;
1753 hci_conn_hash_list_state(hdev, cis_list, ISO_LINK, BT_BOUND,
1758 cis_add(&data, qos);
1761 /* Reprogram all CIS(s) with the same CIG */
1762 for (data.cig = qos->cig, data.cis = 0x00; data.cis < 0x11;
1766 hci_conn_hash_list_state(hdev, cis_list, ISO_LINK, BT_BOUND,
1771 /* Allocate a CIS if not set */
1772 if (qos->cis == BT_ISO_QOS_CIS_UNSET) {
1774 qos->cis = data.cis;
1775 cis_add(&data, qos);
1779 if (qos->cis == BT_ISO_QOS_CIS_UNSET || !data.pdu.cp.num_cis)
1782 if (hci_send_cmd(hdev, HCI_OP_LE_SET_CIG_PARAMS,
1783 sizeof(data.pdu.cp) +
1784 (data.pdu.cp.num_cis * sizeof(*data.pdu.cis)),
1791 struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst,
1792 __u8 dst_type, struct bt_iso_qos *qos)
1794 struct hci_conn *cis;
1796 cis = hci_conn_hash_lookup_cis(hdev, dst, dst_type);
1798 cis = hci_conn_add(hdev, ISO_LINK, dst, HCI_ROLE_MASTER);
1800 return ERR_PTR(-ENOMEM);
1801 cis->cleanup = cis_cleanup;
1802 cis->dst_type = dst_type;
1805 if (cis->state == BT_CONNECTED)
1808 /* Check if CIS has been set and the settings matches */
1809 if (cis->state == BT_BOUND &&
1810 !memcmp(&cis->iso_qos, qos, sizeof(*qos)))
1813 /* Update LINK PHYs according to QoS preference */
1814 cis->le_tx_phy = qos->out.phy;
1815 cis->le_rx_phy = qos->in.phy;
1817 /* If output interval is not set use the input interval as it cannot be
1820 if (!qos->out.interval)
1821 qos->out.interval = qos->in.interval;
1823 /* If input interval is not set use the output interval as it cannot be
1826 if (!qos->in.interval)
1827 qos->in.interval = qos->out.interval;
1829 /* If output latency is not set use the input latency as it cannot be
1832 if (!qos->out.latency)
1833 qos->out.latency = qos->in.latency;
1835 /* If input latency is not set use the output latency as it cannot be
1838 if (!qos->in.latency)
1839 qos->in.latency = qos->out.latency;
1841 if (!hci_le_set_cig_params(cis, qos)) {
1843 return ERR_PTR(-EINVAL);
1846 cis->iso_qos = *qos;
1847 cis->state = BT_BOUND;
1852 bool hci_iso_setup_path(struct hci_conn *conn)
1854 struct hci_dev *hdev = conn->hdev;
1855 struct hci_cp_le_setup_iso_path cmd;
1857 memset(&cmd, 0, sizeof(cmd));
1859 if (conn->iso_qos.out.sdu) {
1860 cmd.handle = cpu_to_le16(conn->handle);
1861 cmd.direction = 0x00; /* Input (Host to Controller) */
1862 cmd.path = 0x00; /* HCI path if enabled */
1863 cmd.codec = 0x03; /* Transparent Data */
1865 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
1870 if (conn->iso_qos.in.sdu) {
1871 cmd.handle = cpu_to_le16(conn->handle);
1872 cmd.direction = 0x01; /* Output (Controller to Host) */
1873 cmd.path = 0x00; /* HCI path if enabled */
1874 cmd.codec = 0x03; /* Transparent Data */
1876 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
1884 static int hci_create_cis_sync(struct hci_dev *hdev, void *data)
1887 struct hci_cp_le_create_cis cp;
1888 struct hci_cis cis[0x1f];
1890 struct hci_conn *conn = data;
1893 memset(&cmd, 0, sizeof(cmd));
1894 cmd.cis[0].acl_handle = cpu_to_le16(conn->link->handle);
1895 cmd.cis[0].cis_handle = cpu_to_le16(conn->handle);
1897 cig = conn->iso_qos.cig;
1903 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
1904 struct hci_cis *cis = &cmd.cis[cmd.cp.num_cis];
1906 if (conn == data || conn->type != ISO_LINK ||
1907 conn->state == BT_CONNECTED || conn->iso_qos.cig != cig)
1910 /* Check if all CIS(s) belonging to a CIG are ready */
1911 if (!conn->link || conn->link->state != BT_CONNECTED ||
1912 conn->state != BT_CONNECT) {
1917 /* Group all CIS with state BT_CONNECT since the spec don't
1918 * allow to send them individually:
1920 * BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E
1923 * If the Host issues this command before all the
1924 * HCI_LE_CIS_Established events from the previous use of the
1925 * command have been generated, the Controller shall return the
1926 * error code Command Disallowed (0x0C).
1928 cis->acl_handle = cpu_to_le16(conn->link->handle);
1929 cis->cis_handle = cpu_to_le16(conn->handle);
1935 hci_dev_unlock(hdev);
1937 if (!cmd.cp.num_cis)
1940 return hci_send_cmd(hdev, HCI_OP_LE_CREATE_CIS, sizeof(cmd.cp) +
1941 sizeof(cmd.cis[0]) * cmd.cp.num_cis, &cmd);
1944 int hci_le_create_cis(struct hci_conn *conn)
1946 struct hci_conn *cis;
1947 struct hci_dev *hdev = conn->hdev;
1950 switch (conn->type) {
1952 if (!conn->link || conn->state != BT_CONNECTED)
1963 if (cis->state == BT_CONNECT)
1966 /* Queue Create CIS */
1967 err = hci_cmd_sync_queue(hdev, hci_create_cis_sync, cis, NULL);
1971 cis->state = BT_CONNECT;
1976 static void hci_iso_qos_setup(struct hci_dev *hdev, struct hci_conn *conn,
1977 struct bt_iso_io_qos *qos, __u8 phy)
1979 /* Only set MTU if PHY is enabled */
1980 if (!qos->sdu && qos->phy) {
1981 if (hdev->iso_mtu > 0)
1982 qos->sdu = hdev->iso_mtu;
1983 else if (hdev->le_mtu > 0)
1984 qos->sdu = hdev->le_mtu;
1986 qos->sdu = hdev->acl_mtu;
1989 /* Use the same PHY as ACL if set to any */
1990 if (qos->phy == BT_ISO_PHY_ANY)
1993 /* Use LE ACL connection interval if not set */
1995 /* ACL interval unit in 1.25 ms to us */
1996 qos->interval = conn->le_conn_interval * 1250;
1998 /* Use LE ACL connection latency if not set */
2000 qos->latency = conn->le_conn_latency;
2003 static void hci_bind_bis(struct hci_conn *conn,
2004 struct bt_iso_qos *qos)
2006 /* Update LINK PHYs according to QoS preference */
2007 conn->le_tx_phy = qos->out.phy;
2008 conn->le_tx_phy = qos->out.phy;
2009 conn->iso_qos = *qos;
2010 conn->state = BT_BOUND;
2013 static int create_big_sync(struct hci_dev *hdev, void *data)
2015 struct hci_conn *conn = data;
2016 struct bt_iso_qos *qos = &conn->iso_qos;
2017 u16 interval, sync_interval = 0;
2021 if (qos->out.phy == 0x02)
2022 flags |= MGMT_ADV_FLAG_SEC_2M;
2024 /* Align intervals */
2025 interval = qos->out.interval / 1250;
2028 sync_interval = qos->sync_interval * 1600;
2030 err = hci_start_per_adv_sync(hdev, qos->bis, conn->le_per_adv_data_len,
2031 conn->le_per_adv_data, flags, interval,
2032 interval, sync_interval);
2036 return hci_le_create_big(conn, &conn->iso_qos);
2039 static void create_pa_complete(struct hci_dev *hdev, void *data, int err)
2041 struct hci_cp_le_pa_create_sync *cp = data;
2043 bt_dev_dbg(hdev, "");
2046 bt_dev_err(hdev, "Unable to create PA: %d", err);
2051 static int create_pa_sync(struct hci_dev *hdev, void *data)
2053 struct hci_cp_le_pa_create_sync *cp = data;
2056 err = __hci_cmd_sync_status(hdev, HCI_OP_LE_PA_CREATE_SYNC,
2057 sizeof(*cp), cp, HCI_CMD_TIMEOUT);
2059 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
2063 return hci_update_passive_scan_sync(hdev);
2066 int hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst, __u8 dst_type,
2069 struct hci_cp_le_pa_create_sync *cp;
2071 if (hci_dev_test_and_set_flag(hdev, HCI_PA_SYNC))
2074 cp = kmalloc(sizeof(*cp), GFP_KERNEL);
2076 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
2080 /* Convert from ISO socket address type to HCI address type */
2081 if (dst_type == BDADDR_LE_PUBLIC)
2082 dst_type = ADDR_LE_DEV_PUBLIC;
2084 dst_type = ADDR_LE_DEV_RANDOM;
2086 memset(cp, 0, sizeof(*cp));
2088 cp->addr_type = dst_type;
2089 bacpy(&cp->addr, dst);
2091 /* Queue start pa_create_sync and scan */
2092 return hci_cmd_sync_queue(hdev, create_pa_sync, cp, create_pa_complete);
2095 int hci_le_big_create_sync(struct hci_dev *hdev, struct bt_iso_qos *qos,
2096 __u16 sync_handle, __u8 num_bis, __u8 bis[])
2099 struct hci_cp_le_big_create_sync cp;
2104 if (num_bis > sizeof(pdu.bis))
2107 err = qos_set_big(hdev, qos);
2111 memset(&pdu, 0, sizeof(pdu));
2112 pdu.cp.handle = qos->big;
2113 pdu.cp.sync_handle = cpu_to_le16(sync_handle);
2114 pdu.cp.num_bis = num_bis;
2115 memcpy(pdu.bis, bis, num_bis);
2117 return hci_send_cmd(hdev, HCI_OP_LE_BIG_CREATE_SYNC,
2118 sizeof(pdu.cp) + num_bis, &pdu);
2121 static void create_big_complete(struct hci_dev *hdev, void *data, int err)
2123 struct hci_conn *conn = data;
2125 bt_dev_dbg(hdev, "conn %p", conn);
2128 bt_dev_err(hdev, "Unable to create BIG: %d", err);
2129 hci_connect_cfm(conn, err);
2134 struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst,
2135 __u8 dst_type, struct bt_iso_qos *qos,
2136 __u8 base_len, __u8 *base)
2138 struct hci_conn *conn;
2141 /* We need hci_conn object using the BDADDR_ANY as dst */
2142 conn = hci_add_bis(hdev, dst, qos);
2146 hci_bind_bis(conn, qos);
2148 /* Add Basic Announcement into Peridic Adv Data if BASE is set */
2149 if (base_len && base) {
2150 base_len = eir_append_service_data(conn->le_per_adv_data, 0,
2151 0x1851, base, base_len);
2152 conn->le_per_adv_data_len = base_len;
2155 /* Queue start periodic advertising and create BIG */
2156 err = hci_cmd_sync_queue(hdev, create_big_sync, conn,
2157 create_big_complete);
2159 hci_conn_drop(conn);
2160 return ERR_PTR(err);
2163 hci_iso_qos_setup(hdev, conn, &qos->out,
2164 conn->le_tx_phy ? conn->le_tx_phy :
2165 hdev->le_tx_def_phys);
2170 struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst,
2171 __u8 dst_type, struct bt_iso_qos *qos)
2173 struct hci_conn *le;
2174 struct hci_conn *cis;
2176 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
2177 le = hci_connect_le(hdev, dst, dst_type, false,
2179 HCI_LE_CONN_TIMEOUT,
2182 le = hci_connect_le_scan(hdev, dst, dst_type,
2184 HCI_LE_CONN_TIMEOUT,
2185 CONN_REASON_ISO_CONNECT);
2189 hci_iso_qos_setup(hdev, le, &qos->out,
2190 le->le_tx_phy ? le->le_tx_phy : hdev->le_tx_def_phys);
2191 hci_iso_qos_setup(hdev, le, &qos->in,
2192 le->le_rx_phy ? le->le_rx_phy : hdev->le_rx_def_phys);
2194 cis = hci_bind_cis(hdev, dst, dst_type, qos);
2205 /* If LE is already connected and CIS handle is already set proceed to
2206 * Create CIS immediately.
2208 if (le->state == BT_CONNECTED && cis->handle != HCI_CONN_HANDLE_UNSET)
2209 hci_le_create_cis(le);
2214 /* Check link security requirement */
2215 int hci_conn_check_link_mode(struct hci_conn *conn)
2217 BT_DBG("hcon %p", conn);
2219 /* In Secure Connections Only mode, it is required that Secure
2220 * Connections is used and the link is encrypted with AES-CCM
2221 * using a P-256 authenticated combination key.
2223 if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) {
2224 if (!hci_conn_sc_enabled(conn) ||
2225 !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2226 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
2230 /* AES encryption is required for Level 4:
2232 * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C
2235 * 128-bit equivalent strength for link and encryption keys
2236 * required using FIPS approved algorithms (E0 not allowed,
2237 * SAFER+ not allowed, and P-192 not allowed; encryption key
2240 if (conn->sec_level == BT_SECURITY_FIPS &&
2241 !test_bit(HCI_CONN_AES_CCM, &conn->flags)) {
2242 bt_dev_err(conn->hdev,
2243 "Invalid security: Missing AES-CCM usage");
2247 if (hci_conn_ssp_enabled(conn) &&
2248 !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2254 /* Authenticate remote device */
2255 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
2257 BT_DBG("hcon %p", conn);
2259 if (conn->pending_sec_level > sec_level)
2260 sec_level = conn->pending_sec_level;
2262 if (sec_level > conn->sec_level)
2263 conn->pending_sec_level = sec_level;
2264 else if (test_bit(HCI_CONN_AUTH, &conn->flags))
2267 /* Make sure we preserve an existing MITM requirement*/
2268 auth_type |= (conn->auth_type & 0x01);
2270 conn->auth_type = auth_type;
2272 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2273 struct hci_cp_auth_requested cp;
2275 cp.handle = cpu_to_le16(conn->handle);
2276 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
2279 /* If we're already encrypted set the REAUTH_PEND flag,
2280 * otherwise set the ENCRYPT_PEND.
2282 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2283 set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2285 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2291 /* Encrypt the link */
2292 static void hci_conn_encrypt(struct hci_conn *conn)
2294 BT_DBG("hcon %p", conn);
2296 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2297 struct hci_cp_set_conn_encrypt cp;
2298 cp.handle = cpu_to_le16(conn->handle);
2300 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2305 /* Enable security */
2306 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
2309 BT_DBG("hcon %p", conn);
2311 if (conn->type == LE_LINK)
2312 return smp_conn_security(conn, sec_level);
2314 /* For sdp we don't need the link key. */
2315 if (sec_level == BT_SECURITY_SDP)
2318 /* For non 2.1 devices and low security level we don't need the link
2320 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
2323 /* For other security levels we need the link key. */
2324 if (!test_bit(HCI_CONN_AUTH, &conn->flags))
2327 /* An authenticated FIPS approved combination key has sufficient
2328 * security for security level 4. */
2329 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 &&
2330 sec_level == BT_SECURITY_FIPS)
2333 /* An authenticated combination key has sufficient security for
2334 security level 3. */
2335 if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 ||
2336 conn->key_type == HCI_LK_AUTH_COMBINATION_P256) &&
2337 sec_level == BT_SECURITY_HIGH)
2340 /* An unauthenticated combination key has sufficient security for
2341 security level 1 and 2. */
2342 if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 ||
2343 conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) &&
2344 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW))
2347 /* A combination key has always sufficient security for the security
2348 levels 1 or 2. High security level requires the combination key
2349 is generated using maximum PIN code length (16).
2350 For pre 2.1 units. */
2351 if (conn->key_type == HCI_LK_COMBINATION &&
2352 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW ||
2353 conn->pin_length == 16))
2357 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
2361 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2363 if (!hci_conn_auth(conn, sec_level, auth_type))
2367 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) {
2368 /* Ensure that the encryption key size has been read,
2369 * otherwise stall the upper layer responses.
2371 if (!conn->enc_key_size)
2374 /* Nothing else needed, all requirements are met */
2378 hci_conn_encrypt(conn);
2381 EXPORT_SYMBOL(hci_conn_security);
2383 /* Check secure link requirement */
2384 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
2386 BT_DBG("hcon %p", conn);
2388 /* Accept if non-secure or higher security level is required */
2389 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
2392 /* Accept if secure or higher security level is already present */
2393 if (conn->sec_level == BT_SECURITY_HIGH ||
2394 conn->sec_level == BT_SECURITY_FIPS)
2397 /* Reject not secure link */
2400 EXPORT_SYMBOL(hci_conn_check_secure);
2403 int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
2405 BT_DBG("hcon %p", conn);
2407 if (role == conn->role)
2410 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
2411 struct hci_cp_switch_role cp;
2412 bacpy(&cp.bdaddr, &conn->dst);
2414 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
2419 EXPORT_SYMBOL(hci_conn_switch_role);
2421 /* Enter active mode */
2422 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
2424 struct hci_dev *hdev = conn->hdev;
2426 BT_DBG("hcon %p mode %d", conn, conn->mode);
2428 if (conn->mode != HCI_CM_SNIFF)
2431 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
2434 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
2435 struct hci_cp_exit_sniff_mode cp;
2436 cp.handle = cpu_to_le16(conn->handle);
2437 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
2441 if (hdev->idle_timeout > 0)
2442 queue_delayed_work(hdev->workqueue, &conn->idle_work,
2443 msecs_to_jiffies(hdev->idle_timeout));
2446 /* Drop all connection on the device */
2447 void hci_conn_hash_flush(struct hci_dev *hdev)
2449 struct hci_conn_hash *h = &hdev->conn_hash;
2450 struct hci_conn *c, *n;
2452 BT_DBG("hdev %s", hdev->name);
2454 list_for_each_entry_safe(c, n, &h->list, list) {
2455 c->state = BT_CLOSED;
2457 hci_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM);
2459 /* Unlink before deleting otherwise it is possible that
2460 * hci_conn_del removes the link which may cause the list to
2461 * contain items already freed.
2468 /* Check pending connect attempts */
2469 void hci_conn_check_pending(struct hci_dev *hdev)
2471 struct hci_conn *conn;
2473 BT_DBG("hdev %s", hdev->name);
2477 conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2);
2479 hci_acl_create_connection(conn);
2481 hci_dev_unlock(hdev);
2484 static u32 get_link_mode(struct hci_conn *conn)
2488 if (conn->role == HCI_ROLE_MASTER)
2489 link_mode |= HCI_LM_MASTER;
2491 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2492 link_mode |= HCI_LM_ENCRYPT;
2494 if (test_bit(HCI_CONN_AUTH, &conn->flags))
2495 link_mode |= HCI_LM_AUTH;
2497 if (test_bit(HCI_CONN_SECURE, &conn->flags))
2498 link_mode |= HCI_LM_SECURE;
2500 if (test_bit(HCI_CONN_FIPS, &conn->flags))
2501 link_mode |= HCI_LM_FIPS;
2506 int hci_get_conn_list(void __user *arg)
2509 struct hci_conn_list_req req, *cl;
2510 struct hci_conn_info *ci;
2511 struct hci_dev *hdev;
2512 int n = 0, size, err;
2514 if (copy_from_user(&req, arg, sizeof(req)))
2517 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
2520 size = sizeof(req) + req.conn_num * sizeof(*ci);
2522 cl = kmalloc(size, GFP_KERNEL);
2526 hdev = hci_dev_get(req.dev_id);
2535 list_for_each_entry(c, &hdev->conn_hash.list, list) {
2536 bacpy(&(ci + n)->bdaddr, &c->dst);
2537 (ci + n)->handle = c->handle;
2538 (ci + n)->type = c->type;
2539 (ci + n)->out = c->out;
2540 (ci + n)->state = c->state;
2541 (ci + n)->link_mode = get_link_mode(c);
2542 if (++n >= req.conn_num)
2545 hci_dev_unlock(hdev);
2547 cl->dev_id = hdev->id;
2549 size = sizeof(req) + n * sizeof(*ci);
2553 err = copy_to_user(arg, cl, size);
2556 return err ? -EFAULT : 0;
2559 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
2561 struct hci_conn_info_req req;
2562 struct hci_conn_info ci;
2563 struct hci_conn *conn;
2564 char __user *ptr = arg + sizeof(req);
2566 if (copy_from_user(&req, arg, sizeof(req)))
2570 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
2572 bacpy(&ci.bdaddr, &conn->dst);
2573 ci.handle = conn->handle;
2574 ci.type = conn->type;
2576 ci.state = conn->state;
2577 ci.link_mode = get_link_mode(conn);
2579 hci_dev_unlock(hdev);
2584 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
2587 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
2589 struct hci_auth_info_req req;
2590 struct hci_conn *conn;
2592 if (copy_from_user(&req, arg, sizeof(req)))
2596 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
2598 req.type = conn->auth_type;
2599 hci_dev_unlock(hdev);
2604 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
2607 struct hci_chan *hci_chan_create(struct hci_conn *conn)
2609 struct hci_dev *hdev = conn->hdev;
2610 struct hci_chan *chan;
2612 BT_DBG("%s hcon %p", hdev->name, conn);
2614 if (test_bit(HCI_CONN_DROP, &conn->flags)) {
2615 BT_DBG("Refusing to create new hci_chan");
2619 chan = kzalloc(sizeof(*chan), GFP_KERNEL);
2623 chan->conn = hci_conn_get(conn);
2624 skb_queue_head_init(&chan->data_q);
2625 chan->state = BT_CONNECTED;
2627 list_add_rcu(&chan->list, &conn->chan_list);
2632 void hci_chan_del(struct hci_chan *chan)
2634 struct hci_conn *conn = chan->conn;
2635 struct hci_dev *hdev = conn->hdev;
2637 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
2639 list_del_rcu(&chan->list);
2643 /* Prevent new hci_chan's to be created for this hci_conn */
2644 set_bit(HCI_CONN_DROP, &conn->flags);
2648 skb_queue_purge(&chan->data_q);
2652 void hci_chan_list_flush(struct hci_conn *conn)
2654 struct hci_chan *chan, *n;
2656 BT_DBG("hcon %p", conn);
2658 list_for_each_entry_safe(chan, n, &conn->chan_list, list)
2662 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
2665 struct hci_chan *hchan;
2667 list_for_each_entry(hchan, &hcon->chan_list, list) {
2668 if (hchan->handle == handle)
2675 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
2677 struct hci_conn_hash *h = &hdev->conn_hash;
2678 struct hci_conn *hcon;
2679 struct hci_chan *hchan = NULL;
2683 list_for_each_entry_rcu(hcon, &h->list, list) {
2684 hchan = __hci_chan_lookup_handle(hcon, handle);
2694 u32 hci_conn_get_phy(struct hci_conn *conn)
2698 /* BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part B page 471:
2699 * Table 6.2: Packets defined for synchronous, asynchronous, and
2700 * CPB logical transport types.
2702 switch (conn->type) {
2704 /* SCO logical transport (1 Mb/s):
2705 * HV1, HV2, HV3 and DV.
2707 phys |= BT_PHY_BR_1M_1SLOT;
2712 /* ACL logical transport (1 Mb/s) ptt=0:
2713 * DH1, DM3, DH3, DM5 and DH5.
2715 phys |= BT_PHY_BR_1M_1SLOT;
2717 if (conn->pkt_type & (HCI_DM3 | HCI_DH3))
2718 phys |= BT_PHY_BR_1M_3SLOT;
2720 if (conn->pkt_type & (HCI_DM5 | HCI_DH5))
2721 phys |= BT_PHY_BR_1M_5SLOT;
2723 /* ACL logical transport (2 Mb/s) ptt=1:
2724 * 2-DH1, 2-DH3 and 2-DH5.
2726 if (!(conn->pkt_type & HCI_2DH1))
2727 phys |= BT_PHY_EDR_2M_1SLOT;
2729 if (!(conn->pkt_type & HCI_2DH3))
2730 phys |= BT_PHY_EDR_2M_3SLOT;
2732 if (!(conn->pkt_type & HCI_2DH5))
2733 phys |= BT_PHY_EDR_2M_5SLOT;
2735 /* ACL logical transport (3 Mb/s) ptt=1:
2736 * 3-DH1, 3-DH3 and 3-DH5.
2738 if (!(conn->pkt_type & HCI_3DH1))
2739 phys |= BT_PHY_EDR_3M_1SLOT;
2741 if (!(conn->pkt_type & HCI_3DH3))
2742 phys |= BT_PHY_EDR_3M_3SLOT;
2744 if (!(conn->pkt_type & HCI_3DH5))
2745 phys |= BT_PHY_EDR_3M_5SLOT;
2750 /* eSCO logical transport (1 Mb/s): EV3, EV4 and EV5 */
2751 phys |= BT_PHY_BR_1M_1SLOT;
2753 if (!(conn->pkt_type & (ESCO_EV4 | ESCO_EV5)))
2754 phys |= BT_PHY_BR_1M_3SLOT;
2756 /* eSCO logical transport (2 Mb/s): 2-EV3, 2-EV5 */
2757 if (!(conn->pkt_type & ESCO_2EV3))
2758 phys |= BT_PHY_EDR_2M_1SLOT;
2760 if (!(conn->pkt_type & ESCO_2EV5))
2761 phys |= BT_PHY_EDR_2M_3SLOT;
2763 /* eSCO logical transport (3 Mb/s): 3-EV3, 3-EV5 */
2764 if (!(conn->pkt_type & ESCO_3EV3))
2765 phys |= BT_PHY_EDR_3M_1SLOT;
2767 if (!(conn->pkt_type & ESCO_3EV5))
2768 phys |= BT_PHY_EDR_3M_3SLOT;
2773 if (conn->le_tx_phy & HCI_LE_SET_PHY_1M)
2774 phys |= BT_PHY_LE_1M_TX;
2776 if (conn->le_rx_phy & HCI_LE_SET_PHY_1M)
2777 phys |= BT_PHY_LE_1M_RX;
2779 if (conn->le_tx_phy & HCI_LE_SET_PHY_2M)
2780 phys |= BT_PHY_LE_2M_TX;
2782 if (conn->le_rx_phy & HCI_LE_SET_PHY_2M)
2783 phys |= BT_PHY_LE_2M_RX;
2785 if (conn->le_tx_phy & HCI_LE_SET_PHY_CODED)
2786 phys |= BT_PHY_LE_CODED_TX;
2788 if (conn->le_rx_phy & HCI_LE_SET_PHY_CODED)
2789 phys |= BT_PHY_LE_CODED_RX;
2797 int hci_abort_conn(struct hci_conn *conn, u8 reason)
2801 if (test_and_set_bit(HCI_CONN_CANCEL, &conn->flags))
2804 switch (conn->state) {
2807 if (conn->type == AMP_LINK) {
2808 struct hci_cp_disconn_phy_link cp;
2810 cp.phy_handle = HCI_PHY_HANDLE(conn->handle);
2812 r = hci_send_cmd(conn->hdev, HCI_OP_DISCONN_PHY_LINK,
2815 struct hci_cp_disconnect dc;
2817 dc.handle = cpu_to_le16(conn->handle);
2819 r = hci_send_cmd(conn->hdev, HCI_OP_DISCONNECT,
2823 conn->state = BT_DISCONN;
2827 if (conn->type == LE_LINK) {
2828 if (test_bit(HCI_CONN_SCANNING, &conn->flags))
2830 r = hci_send_cmd(conn->hdev,
2831 HCI_OP_LE_CREATE_CONN_CANCEL, 0, NULL);
2832 } else if (conn->type == ACL_LINK) {
2833 if (conn->hdev->hci_ver < BLUETOOTH_VER_1_2)
2835 r = hci_send_cmd(conn->hdev,
2836 HCI_OP_CREATE_CONN_CANCEL,
2841 if (conn->type == ACL_LINK) {
2842 struct hci_cp_reject_conn_req rej;
2844 bacpy(&rej.bdaddr, &conn->dst);
2845 rej.reason = reason;
2847 r = hci_send_cmd(conn->hdev,
2848 HCI_OP_REJECT_CONN_REQ,
2850 } else if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
2851 struct hci_cp_reject_sync_conn_req rej;
2853 bacpy(&rej.bdaddr, &conn->dst);
2855 /* SCO rejection has its own limited set of
2856 * allowed error values (0x0D-0x0F) which isn't
2857 * compatible with most values passed to this
2858 * function. To be safe hard-code one of the
2859 * values that's suitable for SCO.
2861 rej.reason = HCI_ERROR_REJ_LIMITED_RESOURCES;
2863 r = hci_send_cmd(conn->hdev,
2864 HCI_OP_REJECT_SYNC_CONN_REQ,
2869 conn->state = BT_CLOSED;