2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
26 /* Bluetooth HCI connection handling. */
28 #include <linux/export.h>
29 #include <linux/debugfs.h>
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/iso.h>
35 #include <net/bluetooth/mgmt.h>
37 #include "hci_request.h"
48 struct conn_handle_t {
49 struct hci_conn *conn;
53 static const struct sco_param esco_param_cvsd[] = {
54 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */
55 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */
56 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */
57 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */
58 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */
61 static const struct sco_param sco_param_cvsd[] = {
62 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */
63 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */
66 static const struct sco_param esco_param_msbc[] = {
67 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */
68 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */
71 /* This function requires the caller holds hdev->lock */
72 static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
74 struct hci_conn_params *params;
75 struct hci_dev *hdev = conn->hdev;
81 bdaddr_type = conn->dst_type;
83 /* Check if we need to convert to identity address */
84 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
86 bdaddr = &irk->bdaddr;
87 bdaddr_type = irk->addr_type;
90 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr,
96 hci_conn_drop(params->conn);
97 hci_conn_put(params->conn);
101 if (!params->explicit_connect)
104 /* If the status indicates successful cancellation of
105 * the attempt (i.e. Unknown Connection Id) there's no point of
106 * notifying failure since we'll go back to keep trying to
107 * connect. The only exception is explicit connect requests
108 * where a timeout + cancel does indicate an actual failure.
110 if (status && status != HCI_ERROR_UNKNOWN_CONN_ID)
111 mgmt_connect_failed(hdev, &conn->dst, conn->type,
112 conn->dst_type, status);
114 /* The connection attempt was doing scan for new RPA, and is
115 * in scan phase. If params are not associated with any other
116 * autoconnect action, remove them completely. If they are, just unmark
117 * them as waiting for connection, by clearing explicit_connect field.
119 params->explicit_connect = false;
121 hci_pend_le_list_del_init(params);
123 switch (params->auto_connect) {
124 case HCI_AUTO_CONN_EXPLICIT:
125 hci_conn_params_del(hdev, bdaddr, bdaddr_type);
126 /* return instead of break to avoid duplicate scan update */
128 case HCI_AUTO_CONN_DIRECT:
129 case HCI_AUTO_CONN_ALWAYS:
130 hci_pend_le_list_add(params, &hdev->pend_le_conns);
132 case HCI_AUTO_CONN_REPORT:
133 hci_pend_le_list_add(params, &hdev->pend_le_reports);
139 hci_update_passive_scan(hdev);
142 static void hci_conn_cleanup(struct hci_conn *conn)
144 struct hci_dev *hdev = conn->hdev;
146 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
147 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);
149 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
150 hci_remove_link_key(hdev, &conn->dst);
152 hci_chan_list_flush(conn);
154 hci_conn_hash_del(hdev, conn);
159 if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
160 switch (conn->setting & SCO_AIRMODE_MASK) {
161 case SCO_AIRMODE_CVSD:
162 case SCO_AIRMODE_TRANSP:
164 hdev->notify(hdev, HCI_NOTIFY_DISABLE_SCO);
169 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
172 hci_conn_del_sysfs(conn);
174 debugfs_remove_recursive(conn->debugfs);
181 static void hci_acl_create_connection(struct hci_conn *conn)
183 struct hci_dev *hdev = conn->hdev;
184 struct inquiry_entry *ie;
185 struct hci_cp_create_conn cp;
187 BT_DBG("hcon %p", conn);
189 /* Many controllers disallow HCI Create Connection while it is doing
190 * HCI Inquiry. So we cancel the Inquiry first before issuing HCI Create
191 * Connection. This may cause the MGMT discovering state to become false
192 * without user space's request but it is okay since the MGMT Discovery
193 * APIs do not promise that discovery should be done forever. Instead,
194 * the user space monitors the status of MGMT discovering and it may
195 * request for discovery again when this flag becomes false.
197 if (test_bit(HCI_INQUIRY, &hdev->flags)) {
198 /* Put this connection to "pending" state so that it will be
199 * executed after the inquiry cancel command complete event.
201 conn->state = BT_CONNECT2;
202 hci_send_cmd(hdev, HCI_OP_INQUIRY_CANCEL, 0, NULL);
206 conn->state = BT_CONNECT;
208 conn->role = HCI_ROLE_MASTER;
212 conn->link_policy = hdev->link_policy;
214 memset(&cp, 0, sizeof(cp));
215 bacpy(&cp.bdaddr, &conn->dst);
216 cp.pscan_rep_mode = 0x02;
218 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
220 if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) {
221 cp.pscan_rep_mode = ie->data.pscan_rep_mode;
222 cp.pscan_mode = ie->data.pscan_mode;
223 cp.clock_offset = ie->data.clock_offset |
227 memcpy(conn->dev_class, ie->data.dev_class, 3);
230 cp.pkt_type = cpu_to_le16(conn->pkt_type);
231 if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER))
232 cp.role_switch = 0x01;
234 cp.role_switch = 0x00;
236 hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
239 int hci_disconnect(struct hci_conn *conn, __u8 reason)
241 BT_DBG("hcon %p", conn);
243 /* When we are central of an established connection and it enters
244 * the disconnect timeout, then go ahead and try to read the
245 * current clock offset. Processing of the result is done
246 * within the event handling and hci_clock_offset_evt function.
248 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER &&
249 (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) {
250 struct hci_dev *hdev = conn->hdev;
251 struct hci_cp_read_clock_offset clkoff_cp;
253 clkoff_cp.handle = cpu_to_le16(conn->handle);
254 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp),
258 return hci_abort_conn(conn, reason);
261 static void hci_add_sco(struct hci_conn *conn, __u16 handle)
263 struct hci_dev *hdev = conn->hdev;
264 struct hci_cp_add_sco cp;
266 BT_DBG("hcon %p", conn);
268 conn->state = BT_CONNECT;
273 cp.handle = cpu_to_le16(handle);
274 cp.pkt_type = cpu_to_le16(conn->pkt_type);
276 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
279 static bool find_next_esco_param(struct hci_conn *conn,
280 const struct sco_param *esco_param, int size)
285 for (; conn->attempt <= size; conn->attempt++) {
286 if (lmp_esco_2m_capable(conn->parent) ||
287 (esco_param[conn->attempt - 1].pkt_type & ESCO_2EV3))
289 BT_DBG("hcon %p skipped attempt %d, eSCO 2M not supported",
290 conn, conn->attempt);
293 return conn->attempt <= size;
296 static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec)
299 __u8 vnd_len, *vnd_data = NULL;
300 struct hci_op_configure_data_path *cmd = NULL;
302 err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len,
307 cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL);
313 err = hdev->get_data_path_id(hdev, &cmd->data_path_id);
317 cmd->vnd_len = vnd_len;
318 memcpy(cmd->vnd_data, vnd_data, vnd_len);
320 cmd->direction = 0x00;
321 __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
322 sizeof(*cmd) + vnd_len, cmd, HCI_CMD_TIMEOUT);
324 cmd->direction = 0x01;
325 err = __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
326 sizeof(*cmd) + vnd_len, cmd,
335 static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data)
337 struct conn_handle_t *conn_handle = data;
338 struct hci_conn *conn = conn_handle->conn;
339 __u16 handle = conn_handle->handle;
340 struct hci_cp_enhanced_setup_sync_conn cp;
341 const struct sco_param *param;
345 bt_dev_dbg(hdev, "hcon %p", conn);
347 /* for offload use case, codec needs to configured before opening SCO */
348 if (conn->codec.data_path)
349 configure_datapath_sync(hdev, &conn->codec);
351 conn->state = BT_CONNECT;
356 memset(&cp, 0x00, sizeof(cp));
358 cp.handle = cpu_to_le16(handle);
360 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
361 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
363 switch (conn->codec.id) {
365 if (!find_next_esco_param(conn, esco_param_msbc,
366 ARRAY_SIZE(esco_param_msbc)))
369 param = &esco_param_msbc[conn->attempt - 1];
370 cp.tx_coding_format.id = 0x05;
371 cp.rx_coding_format.id = 0x05;
372 cp.tx_codec_frame_size = __cpu_to_le16(60);
373 cp.rx_codec_frame_size = __cpu_to_le16(60);
374 cp.in_bandwidth = __cpu_to_le32(32000);
375 cp.out_bandwidth = __cpu_to_le32(32000);
376 cp.in_coding_format.id = 0x04;
377 cp.out_coding_format.id = 0x04;
378 cp.in_coded_data_size = __cpu_to_le16(16);
379 cp.out_coded_data_size = __cpu_to_le16(16);
380 cp.in_pcm_data_format = 2;
381 cp.out_pcm_data_format = 2;
382 cp.in_pcm_sample_payload_msb_pos = 0;
383 cp.out_pcm_sample_payload_msb_pos = 0;
384 cp.in_data_path = conn->codec.data_path;
385 cp.out_data_path = conn->codec.data_path;
386 cp.in_transport_unit_size = 1;
387 cp.out_transport_unit_size = 1;
390 case BT_CODEC_TRANSPARENT:
391 if (!find_next_esco_param(conn, esco_param_msbc,
392 ARRAY_SIZE(esco_param_msbc)))
394 param = &esco_param_msbc[conn->attempt - 1];
395 cp.tx_coding_format.id = 0x03;
396 cp.rx_coding_format.id = 0x03;
397 cp.tx_codec_frame_size = __cpu_to_le16(60);
398 cp.rx_codec_frame_size = __cpu_to_le16(60);
399 cp.in_bandwidth = __cpu_to_le32(0x1f40);
400 cp.out_bandwidth = __cpu_to_le32(0x1f40);
401 cp.in_coding_format.id = 0x03;
402 cp.out_coding_format.id = 0x03;
403 cp.in_coded_data_size = __cpu_to_le16(16);
404 cp.out_coded_data_size = __cpu_to_le16(16);
405 cp.in_pcm_data_format = 2;
406 cp.out_pcm_data_format = 2;
407 cp.in_pcm_sample_payload_msb_pos = 0;
408 cp.out_pcm_sample_payload_msb_pos = 0;
409 cp.in_data_path = conn->codec.data_path;
410 cp.out_data_path = conn->codec.data_path;
411 cp.in_transport_unit_size = 1;
412 cp.out_transport_unit_size = 1;
416 if (conn->parent && lmp_esco_capable(conn->parent)) {
417 if (!find_next_esco_param(conn, esco_param_cvsd,
418 ARRAY_SIZE(esco_param_cvsd)))
420 param = &esco_param_cvsd[conn->attempt - 1];
422 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
424 param = &sco_param_cvsd[conn->attempt - 1];
426 cp.tx_coding_format.id = 2;
427 cp.rx_coding_format.id = 2;
428 cp.tx_codec_frame_size = __cpu_to_le16(60);
429 cp.rx_codec_frame_size = __cpu_to_le16(60);
430 cp.in_bandwidth = __cpu_to_le32(16000);
431 cp.out_bandwidth = __cpu_to_le32(16000);
432 cp.in_coding_format.id = 4;
433 cp.out_coding_format.id = 4;
434 cp.in_coded_data_size = __cpu_to_le16(16);
435 cp.out_coded_data_size = __cpu_to_le16(16);
436 cp.in_pcm_data_format = 2;
437 cp.out_pcm_data_format = 2;
438 cp.in_pcm_sample_payload_msb_pos = 0;
439 cp.out_pcm_sample_payload_msb_pos = 0;
440 cp.in_data_path = conn->codec.data_path;
441 cp.out_data_path = conn->codec.data_path;
442 cp.in_transport_unit_size = 16;
443 cp.out_transport_unit_size = 16;
449 cp.retrans_effort = param->retrans_effort;
450 cp.pkt_type = __cpu_to_le16(param->pkt_type);
451 cp.max_latency = __cpu_to_le16(param->max_latency);
453 if (hci_send_cmd(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
459 static bool hci_setup_sync_conn(struct hci_conn *conn, __u16 handle)
461 struct hci_dev *hdev = conn->hdev;
462 struct hci_cp_setup_sync_conn cp;
463 const struct sco_param *param;
465 bt_dev_dbg(hdev, "hcon %p", conn);
467 conn->state = BT_CONNECT;
472 cp.handle = cpu_to_le16(handle);
474 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
475 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
476 cp.voice_setting = cpu_to_le16(conn->setting);
478 switch (conn->setting & SCO_AIRMODE_MASK) {
479 case SCO_AIRMODE_TRANSP:
480 if (!find_next_esco_param(conn, esco_param_msbc,
481 ARRAY_SIZE(esco_param_msbc)))
483 param = &esco_param_msbc[conn->attempt - 1];
485 case SCO_AIRMODE_CVSD:
486 if (conn->parent && lmp_esco_capable(conn->parent)) {
487 if (!find_next_esco_param(conn, esco_param_cvsd,
488 ARRAY_SIZE(esco_param_cvsd)))
490 param = &esco_param_cvsd[conn->attempt - 1];
492 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
494 param = &sco_param_cvsd[conn->attempt - 1];
501 cp.retrans_effort = param->retrans_effort;
502 cp.pkt_type = __cpu_to_le16(param->pkt_type);
503 cp.max_latency = __cpu_to_le16(param->max_latency);
505 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
511 bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
514 struct conn_handle_t *conn_handle;
516 if (enhanced_sync_conn_capable(conn->hdev)) {
517 conn_handle = kzalloc(sizeof(*conn_handle), GFP_KERNEL);
522 conn_handle->conn = conn;
523 conn_handle->handle = handle;
524 result = hci_cmd_sync_queue(conn->hdev, hci_enhanced_setup_sync,
532 return hci_setup_sync_conn(conn, handle);
535 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
538 struct hci_dev *hdev = conn->hdev;
539 struct hci_conn_params *params;
540 struct hci_cp_le_conn_update cp;
544 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
546 params->conn_min_interval = min;
547 params->conn_max_interval = max;
548 params->conn_latency = latency;
549 params->supervision_timeout = to_multiplier;
552 hci_dev_unlock(hdev);
554 memset(&cp, 0, sizeof(cp));
555 cp.handle = cpu_to_le16(conn->handle);
556 cp.conn_interval_min = cpu_to_le16(min);
557 cp.conn_interval_max = cpu_to_le16(max);
558 cp.conn_latency = cpu_to_le16(latency);
559 cp.supervision_timeout = cpu_to_le16(to_multiplier);
560 cp.min_ce_len = cpu_to_le16(0x0000);
561 cp.max_ce_len = cpu_to_le16(0x0000);
563 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
571 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
572 __u8 ltk[16], __u8 key_size)
574 struct hci_dev *hdev = conn->hdev;
575 struct hci_cp_le_start_enc cp;
577 BT_DBG("hcon %p", conn);
579 memset(&cp, 0, sizeof(cp));
581 cp.handle = cpu_to_le16(conn->handle);
584 memcpy(cp.ltk, ltk, key_size);
586 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
589 /* Device _must_ be locked */
590 void hci_sco_setup(struct hci_conn *conn, __u8 status)
592 struct hci_link *link;
594 link = list_first_entry_or_null(&conn->link_list, struct hci_link, list);
595 if (!link || !link->conn)
598 BT_DBG("hcon %p", conn);
601 if (lmp_esco_capable(conn->hdev))
602 hci_setup_sync(link->conn, conn->handle);
604 hci_add_sco(link->conn, conn->handle);
606 hci_connect_cfm(link->conn, status);
607 hci_conn_del(link->conn);
611 static void hci_conn_timeout(struct work_struct *work)
613 struct hci_conn *conn = container_of(work, struct hci_conn,
615 int refcnt = atomic_read(&conn->refcnt);
617 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
621 /* FIXME: It was observed that in pairing failed scenario, refcnt
622 * drops below 0. Probably this is because l2cap_conn_del calls
623 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
624 * dropped. After that loop hci_chan_del is called which also drops
625 * conn. For now make sure that ACL is alive if refcnt is higher then 0,
631 hci_abort_conn(conn, hci_proto_disconn_ind(conn));
634 /* Enter sniff mode */
635 static void hci_conn_idle(struct work_struct *work)
637 struct hci_conn *conn = container_of(work, struct hci_conn,
639 struct hci_dev *hdev = conn->hdev;
641 BT_DBG("hcon %p mode %d", conn, conn->mode);
643 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
646 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
649 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
650 struct hci_cp_sniff_subrate cp;
651 cp.handle = cpu_to_le16(conn->handle);
652 cp.max_latency = cpu_to_le16(0);
653 cp.min_remote_timeout = cpu_to_le16(0);
654 cp.min_local_timeout = cpu_to_le16(0);
655 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
658 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
659 struct hci_cp_sniff_mode cp;
660 cp.handle = cpu_to_le16(conn->handle);
661 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
662 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
663 cp.attempt = cpu_to_le16(4);
664 cp.timeout = cpu_to_le16(1);
665 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
669 static void hci_conn_auto_accept(struct work_struct *work)
671 struct hci_conn *conn = container_of(work, struct hci_conn,
672 auto_accept_work.work);
674 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
678 static void le_disable_advertising(struct hci_dev *hdev)
680 if (ext_adv_capable(hdev)) {
681 struct hci_cp_le_set_ext_adv_enable cp;
684 cp.num_of_sets = 0x00;
686 hci_send_cmd(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE, sizeof(cp),
690 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
695 static void le_conn_timeout(struct work_struct *work)
697 struct hci_conn *conn = container_of(work, struct hci_conn,
698 le_conn_timeout.work);
699 struct hci_dev *hdev = conn->hdev;
703 /* We could end up here due to having done directed advertising,
704 * so clean up the state if necessary. This should however only
705 * happen with broken hardware or if low duty cycle was used
706 * (which doesn't have a timeout of its own).
708 if (conn->role == HCI_ROLE_SLAVE) {
709 /* Disable LE Advertising */
710 le_disable_advertising(hdev);
712 hci_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
713 hci_dev_unlock(hdev);
717 hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
720 struct iso_cig_params {
721 struct hci_cp_le_set_cig_params cp;
722 struct hci_cis_params cis[0x1f];
725 struct iso_list_data {
741 static void bis_list(struct hci_conn *conn, void *data)
743 struct iso_list_data *d = data;
745 /* Skip if not broadcast/ANY address */
746 if (bacmp(&conn->dst, BDADDR_ANY))
749 if (d->big != conn->iso_qos.bcast.big || d->bis == BT_ISO_QOS_BIS_UNSET ||
750 d->bis != conn->iso_qos.bcast.bis)
756 static int terminate_big_sync(struct hci_dev *hdev, void *data)
758 struct iso_list_data *d = data;
760 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", d->big, d->bis);
762 hci_remove_ext_adv_instance_sync(hdev, d->bis, NULL);
764 /* Only terminate BIG if it has been created */
768 return hci_le_terminate_big_sync(hdev, d->big,
769 HCI_ERROR_LOCAL_HOST_TERM);
772 static void terminate_big_destroy(struct hci_dev *hdev, void *data, int err)
777 static int hci_le_terminate_big(struct hci_dev *hdev, struct hci_conn *conn)
779 struct iso_list_data *d;
782 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", conn->iso_qos.bcast.big,
783 conn->iso_qos.bcast.bis);
785 d = kzalloc(sizeof(*d), GFP_KERNEL);
789 d->big = conn->iso_qos.bcast.big;
790 d->bis = conn->iso_qos.bcast.bis;
791 d->big_term = test_and_clear_bit(HCI_CONN_BIG_CREATED, &conn->flags);
793 ret = hci_cmd_sync_queue(hdev, terminate_big_sync, d,
794 terminate_big_destroy);
801 static int big_terminate_sync(struct hci_dev *hdev, void *data)
803 struct iso_list_data *d = data;
805 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", d->big,
808 if (d->big_sync_term)
809 hci_le_big_terminate_sync(hdev, d->big);
812 return hci_le_pa_terminate_sync(hdev, d->sync_handle);
817 static int hci_le_big_terminate(struct hci_dev *hdev, u8 big, struct hci_conn *conn)
819 struct iso_list_data *d;
822 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", big, conn->sync_handle);
824 d = kzalloc(sizeof(*d), GFP_KERNEL);
829 d->sync_handle = conn->sync_handle;
830 d->pa_sync_term = test_and_clear_bit(HCI_CONN_PA_SYNC, &conn->flags);
831 d->big_sync_term = test_and_clear_bit(HCI_CONN_BIG_SYNC, &conn->flags);
833 ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d,
834 terminate_big_destroy);
841 /* Cleanup BIS connection
843 * Detects if there any BIS left connected in a BIG
844 * broadcaster: Remove advertising instance and terminate BIG.
845 * broadcaster receiver: Teminate BIG sync and terminate PA sync.
847 static void bis_cleanup(struct hci_conn *conn)
849 struct hci_dev *hdev = conn->hdev;
850 struct hci_conn *bis;
852 bt_dev_dbg(hdev, "conn %p", conn);
854 if (conn->role == HCI_ROLE_MASTER) {
855 if (!test_and_clear_bit(HCI_CONN_PER_ADV, &conn->flags))
858 /* Check if ISO connection is a BIS and terminate advertising
859 * set and BIG if there are no other connections using it.
861 bis = hci_conn_hash_lookup_big(hdev, conn->iso_qos.bcast.big);
865 hci_le_terminate_big(hdev, conn);
867 bis = hci_conn_hash_lookup_big_any_dst(hdev,
868 conn->iso_qos.bcast.big);
873 hci_le_big_terminate(hdev, conn->iso_qos.bcast.big,
878 static int remove_cig_sync(struct hci_dev *hdev, void *data)
880 u8 handle = PTR_UINT(data);
882 return hci_le_remove_cig_sync(hdev, handle);
885 static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle)
887 bt_dev_dbg(hdev, "handle 0x%2.2x", handle);
889 return hci_cmd_sync_queue(hdev, remove_cig_sync, UINT_PTR(handle),
893 static void find_cis(struct hci_conn *conn, void *data)
895 struct iso_list_data *d = data;
897 /* Ignore broadcast or if CIG don't match */
898 if (!bacmp(&conn->dst, BDADDR_ANY) || d->cig != conn->iso_qos.ucast.cig)
904 /* Cleanup CIS connection:
906 * Detects if there any CIS left connected in a CIG and remove it.
908 static void cis_cleanup(struct hci_conn *conn)
910 struct hci_dev *hdev = conn->hdev;
911 struct iso_list_data d;
913 if (conn->iso_qos.ucast.cig == BT_ISO_QOS_CIG_UNSET)
916 memset(&d, 0, sizeof(d));
917 d.cig = conn->iso_qos.ucast.cig;
919 /* Check if ISO connection is a CIS and remove CIG if there are
920 * no other connections using it.
922 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_BOUND, &d);
923 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECT, &d);
924 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECTED, &d);
928 hci_le_remove_cig(hdev, conn->iso_qos.ucast.cig);
931 static u16 hci_conn_hash_alloc_unset(struct hci_dev *hdev)
933 struct hci_conn_hash *h = &hdev->conn_hash;
935 u16 handle = HCI_CONN_HANDLE_MAX + 1;
939 list_for_each_entry_rcu(c, &h->list, list) {
940 /* Find the first unused handle */
941 if (handle == 0xffff || c->handle != handle)
950 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
953 struct hci_conn *conn;
955 BT_DBG("%s dst %pMR", hdev->name, dst);
957 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
961 bacpy(&conn->dst, dst);
962 bacpy(&conn->src, &hdev->bdaddr);
963 conn->handle = hci_conn_hash_alloc_unset(hdev);
967 conn->mode = HCI_CM_ACTIVE;
968 conn->state = BT_OPEN;
969 conn->auth_type = HCI_AT_GENERAL_BONDING;
970 conn->io_capability = hdev->io_capability;
971 conn->remote_auth = 0xff;
972 conn->key_type = 0xff;
973 conn->rssi = HCI_RSSI_INVALID;
974 conn->tx_power = HCI_TX_POWER_INVALID;
975 conn->max_tx_power = HCI_TX_POWER_INVALID;
976 conn->sync_handle = HCI_SYNC_HANDLE_INVALID;
978 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
979 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
981 /* Set Default Authenticated payload timeout to 30s */
982 conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
984 if (conn->role == HCI_ROLE_MASTER)
989 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
992 /* conn->src should reflect the local identity address */
993 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
996 /* conn->src should reflect the local identity address */
997 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
999 /* set proper cleanup function */
1000 if (!bacmp(dst, BDADDR_ANY))
1001 conn->cleanup = bis_cleanup;
1002 else if (conn->role == HCI_ROLE_MASTER)
1003 conn->cleanup = cis_cleanup;
1007 if (lmp_esco_capable(hdev))
1008 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
1009 (hdev->esco_type & EDR_ESCO_MASK);
1011 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
1014 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
1018 skb_queue_head_init(&conn->data_q);
1020 INIT_LIST_HEAD(&conn->chan_list);
1021 INIT_LIST_HEAD(&conn->link_list);
1023 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
1024 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
1025 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
1026 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
1028 atomic_set(&conn->refcnt, 0);
1032 hci_conn_hash_add(hdev, conn);
1034 /* The SCO and eSCO connections will only be notified when their
1035 * setup has been completed. This is different to ACL links which
1036 * can be notified right away.
1038 if (conn->type != SCO_LINK && conn->type != ESCO_LINK) {
1040 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
1043 hci_conn_init_sysfs(conn);
1048 static void hci_conn_cleanup_child(struct hci_conn *conn, u8 reason)
1051 reason = HCI_ERROR_REMOTE_USER_TERM;
1053 /* Due to race, SCO/ISO conn might be not established yet at this point,
1054 * and nothing else will clean it up. In other cases it is done via HCI
1057 switch (conn->type) {
1060 if (HCI_CONN_HANDLE_UNSET(conn->handle))
1061 hci_conn_failed(conn, reason);
1064 if (conn->state != BT_CONNECTED &&
1065 !test_bit(HCI_CONN_CREATE_CIS, &conn->flags))
1066 hci_conn_failed(conn, reason);
1071 static void hci_conn_unlink(struct hci_conn *conn)
1073 struct hci_dev *hdev = conn->hdev;
1075 bt_dev_dbg(hdev, "hcon %p", conn);
1077 if (!conn->parent) {
1078 struct hci_link *link, *t;
1080 list_for_each_entry_safe(link, t, &conn->link_list, list) {
1081 struct hci_conn *child = link->conn;
1083 hci_conn_unlink(child);
1085 /* If hdev is down it means
1086 * hci_dev_close_sync/hci_conn_hash_flush is in progress
1087 * and links don't need to be cleanup as all connections
1090 if (!test_bit(HCI_UP, &hdev->flags))
1093 hci_conn_cleanup_child(child, conn->abort_reason);
1102 list_del_rcu(&conn->link->list);
1105 hci_conn_drop(conn->parent);
1106 hci_conn_put(conn->parent);
1107 conn->parent = NULL;
1113 void hci_conn_del(struct hci_conn *conn)
1115 struct hci_dev *hdev = conn->hdev;
1117 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
1119 hci_conn_unlink(conn);
1121 cancel_delayed_work_sync(&conn->disc_work);
1122 cancel_delayed_work_sync(&conn->auto_accept_work);
1123 cancel_delayed_work_sync(&conn->idle_work);
1125 if (conn->type == ACL_LINK) {
1126 /* Unacked frames */
1127 hdev->acl_cnt += conn->sent;
1128 } else if (conn->type == LE_LINK) {
1129 cancel_delayed_work(&conn->le_conn_timeout);
1132 hdev->le_cnt += conn->sent;
1134 hdev->acl_cnt += conn->sent;
1136 /* Unacked ISO frames */
1137 if (conn->type == ISO_LINK) {
1139 hdev->iso_cnt += conn->sent;
1140 else if (hdev->le_pkts)
1141 hdev->le_cnt += conn->sent;
1143 hdev->acl_cnt += conn->sent;
1148 amp_mgr_put(conn->amp_mgr);
1150 skb_queue_purge(&conn->data_q);
1152 /* Remove the connection from the list and cleanup its remaining
1153 * state. This is a separate function since for some cases like
1154 * BT_CONNECT_SCAN we *only* want the cleanup part without the
1155 * rest of hci_conn_del.
1157 hci_conn_cleanup(conn);
1160 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type)
1162 int use_src = bacmp(src, BDADDR_ANY);
1163 struct hci_dev *hdev = NULL, *d;
1165 BT_DBG("%pMR -> %pMR", src, dst);
1167 read_lock(&hci_dev_list_lock);
1169 list_for_each_entry(d, &hci_dev_list, list) {
1170 if (!test_bit(HCI_UP, &d->flags) ||
1171 hci_dev_test_flag(d, HCI_USER_CHANNEL) ||
1172 d->dev_type != HCI_PRIMARY)
1176 * No source address - find interface with bdaddr != dst
1177 * Source address - find interface with bdaddr == src
1184 if (src_type == BDADDR_BREDR) {
1185 if (!lmp_bredr_capable(d))
1187 bacpy(&id_addr, &d->bdaddr);
1188 id_addr_type = BDADDR_BREDR;
1190 if (!lmp_le_capable(d))
1193 hci_copy_identity_address(d, &id_addr,
1196 /* Convert from HCI to three-value type */
1197 if (id_addr_type == ADDR_LE_DEV_PUBLIC)
1198 id_addr_type = BDADDR_LE_PUBLIC;
1200 id_addr_type = BDADDR_LE_RANDOM;
1203 if (!bacmp(&id_addr, src) && id_addr_type == src_type) {
1207 if (bacmp(&d->bdaddr, dst)) {
1214 hdev = hci_dev_hold(hdev);
1216 read_unlock(&hci_dev_list_lock);
1219 EXPORT_SYMBOL(hci_get_route);
1221 /* This function requires the caller holds hdev->lock */
1222 static void hci_le_conn_failed(struct hci_conn *conn, u8 status)
1224 struct hci_dev *hdev = conn->hdev;
1226 hci_connect_le_scan_cleanup(conn, status);
1228 /* Enable advertising in case this was a failed connection
1229 * attempt as a peripheral.
1231 hci_enable_advertising(hdev);
1234 /* This function requires the caller holds hdev->lock */
1235 void hci_conn_failed(struct hci_conn *conn, u8 status)
1237 struct hci_dev *hdev = conn->hdev;
1239 bt_dev_dbg(hdev, "status 0x%2.2x", status);
1241 switch (conn->type) {
1243 hci_le_conn_failed(conn, status);
1246 mgmt_connect_failed(hdev, &conn->dst, conn->type,
1247 conn->dst_type, status);
1251 conn->state = BT_CLOSED;
1252 hci_connect_cfm(conn, status);
1256 /* This function requires the caller holds hdev->lock */
1257 u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle)
1259 struct hci_dev *hdev = conn->hdev;
1261 bt_dev_dbg(hdev, "hcon %p handle 0x%4.4x", conn, handle);
1263 if (conn->handle == handle)
1266 if (handle > HCI_CONN_HANDLE_MAX) {
1267 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
1268 handle, HCI_CONN_HANDLE_MAX);
1269 return HCI_ERROR_INVALID_PARAMETERS;
1272 /* If abort_reason has been sent it means the connection is being
1273 * aborted and the handle shall not be changed.
1275 if (conn->abort_reason)
1276 return conn->abort_reason;
1278 conn->handle = handle;
1283 static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
1285 struct hci_conn *conn;
1286 u16 handle = PTR_UINT(data);
1288 conn = hci_conn_hash_lookup_handle(hdev, handle);
1292 bt_dev_dbg(hdev, "err %d", err);
1297 hci_connect_le_scan_cleanup(conn, 0x00);
1301 /* Check if connection is still pending */
1302 if (conn != hci_lookup_le_connect(hdev))
1305 /* Flush to make sure we send create conn cancel command if needed */
1306 flush_delayed_work(&conn->le_conn_timeout);
1307 hci_conn_failed(conn, bt_status(err));
1310 hci_dev_unlock(hdev);
1313 static int hci_connect_le_sync(struct hci_dev *hdev, void *data)
1315 struct hci_conn *conn;
1316 u16 handle = PTR_UINT(data);
1318 conn = hci_conn_hash_lookup_handle(hdev, handle);
1322 bt_dev_dbg(hdev, "conn %p", conn);
1324 clear_bit(HCI_CONN_SCANNING, &conn->flags);
1325 conn->state = BT_CONNECT;
1327 return hci_le_create_conn_sync(hdev, conn);
1330 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
1331 u8 dst_type, bool dst_resolved, u8 sec_level,
1332 u16 conn_timeout, u8 role)
1334 struct hci_conn *conn;
1335 struct smp_irk *irk;
1338 /* Let's make sure that le is enabled.*/
1339 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1340 if (lmp_le_capable(hdev))
1341 return ERR_PTR(-ECONNREFUSED);
1343 return ERR_PTR(-EOPNOTSUPP);
1346 /* Since the controller supports only one LE connection attempt at a
1347 * time, we return -EBUSY if there is any connection attempt running.
1349 if (hci_lookup_le_connect(hdev))
1350 return ERR_PTR(-EBUSY);
1352 /* If there's already a connection object but it's not in
1353 * scanning state it means it must already be established, in
1354 * which case we can't do anything else except report a failure
1357 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1358 if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) {
1359 return ERR_PTR(-EBUSY);
1362 /* Check if the destination address has been resolved by the controller
1363 * since if it did then the identity address shall be used.
1365 if (!dst_resolved) {
1366 /* When given an identity address with existing identity
1367 * resolving key, the connection needs to be established
1368 * to a resolvable random address.
1370 * Storing the resolvable random address is required here
1371 * to handle connection failures. The address will later
1372 * be resolved back into the original identity address
1373 * from the connect request.
1375 irk = hci_find_irk_by_addr(hdev, dst, dst_type);
1376 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
1378 dst_type = ADDR_LE_DEV_RANDOM;
1383 bacpy(&conn->dst, dst);
1385 conn = hci_conn_add(hdev, LE_LINK, dst, role);
1387 return ERR_PTR(-ENOMEM);
1388 hci_conn_hold(conn);
1389 conn->pending_sec_level = sec_level;
1392 conn->dst_type = dst_type;
1393 conn->sec_level = BT_SECURITY_LOW;
1394 conn->conn_timeout = conn_timeout;
1396 err = hci_cmd_sync_queue(hdev, hci_connect_le_sync,
1397 UINT_PTR(conn->handle),
1398 create_le_conn_complete);
1401 return ERR_PTR(err);
1407 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
1409 struct hci_conn *conn;
1411 conn = hci_conn_hash_lookup_le(hdev, addr, type);
1415 if (conn->state != BT_CONNECTED)
1421 /* This function requires the caller holds hdev->lock */
1422 static int hci_explicit_conn_params_set(struct hci_dev *hdev,
1423 bdaddr_t *addr, u8 addr_type)
1425 struct hci_conn_params *params;
1427 if (is_connected(hdev, addr, addr_type))
1430 params = hci_conn_params_lookup(hdev, addr, addr_type);
1432 params = hci_conn_params_add(hdev, addr, addr_type);
1436 /* If we created new params, mark them to be deleted in
1437 * hci_connect_le_scan_cleanup. It's different case than
1438 * existing disabled params, those will stay after cleanup.
1440 params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
1443 /* We're trying to connect, so make sure params are at pend_le_conns */
1444 if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
1445 params->auto_connect == HCI_AUTO_CONN_REPORT ||
1446 params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
1447 hci_pend_le_list_del_init(params);
1448 hci_pend_le_list_add(params, &hdev->pend_le_conns);
1451 params->explicit_connect = true;
1453 BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
1454 params->auto_connect);
1459 static int qos_set_big(struct hci_dev *hdev, struct bt_iso_qos *qos)
1461 struct hci_conn *conn;
1464 /* Allocate a BIG if not set */
1465 if (qos->bcast.big == BT_ISO_QOS_BIG_UNSET) {
1466 for (big = 0x00; big < 0xef; big++) {
1468 conn = hci_conn_hash_lookup_big(hdev, big);
1474 return -EADDRNOTAVAIL;
1477 qos->bcast.big = big;
1483 static int qos_set_bis(struct hci_dev *hdev, struct bt_iso_qos *qos)
1485 struct hci_conn *conn;
1488 /* Allocate BIS if not set */
1489 if (qos->bcast.bis == BT_ISO_QOS_BIS_UNSET) {
1490 /* Find an unused adv set to advertise BIS, skip instance 0x00
1491 * since it is reserved as general purpose set.
1493 for (bis = 0x01; bis < hdev->le_num_of_adv_sets;
1496 conn = hci_conn_hash_lookup_bis(hdev, BDADDR_ANY, bis);
1501 if (bis == hdev->le_num_of_adv_sets)
1502 return -EADDRNOTAVAIL;
1505 qos->bcast.bis = bis;
1511 /* This function requires the caller holds hdev->lock */
1512 static struct hci_conn *hci_add_bis(struct hci_dev *hdev, bdaddr_t *dst,
1513 struct bt_iso_qos *qos, __u8 base_len,
1516 struct hci_conn *conn;
1519 /* Let's make sure that le is enabled.*/
1520 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1521 if (lmp_le_capable(hdev))
1522 return ERR_PTR(-ECONNREFUSED);
1523 return ERR_PTR(-EOPNOTSUPP);
1526 err = qos_set_big(hdev, qos);
1528 return ERR_PTR(err);
1530 err = qos_set_bis(hdev, qos);
1532 return ERR_PTR(err);
1534 /* Check if the LE Create BIG command has already been sent */
1535 conn = hci_conn_hash_lookup_per_adv_bis(hdev, dst, qos->bcast.big,
1538 return ERR_PTR(-EADDRINUSE);
1540 /* Check BIS settings against other bound BISes, since all
1541 * BISes in a BIG must have the same value for all parameters
1543 conn = hci_conn_hash_lookup_big(hdev, qos->bcast.big);
1545 if (conn && (memcmp(qos, &conn->iso_qos, sizeof(*qos)) ||
1546 base_len != conn->le_per_adv_data_len ||
1547 memcmp(conn->le_per_adv_data, base, base_len)))
1548 return ERR_PTR(-EADDRINUSE);
1550 conn = hci_conn_add(hdev, ISO_LINK, dst, HCI_ROLE_MASTER);
1552 return ERR_PTR(-ENOMEM);
1554 conn->state = BT_CONNECT;
1556 hci_conn_hold(conn);
1560 /* This function requires the caller holds hdev->lock */
1561 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
1562 u8 dst_type, u8 sec_level,
1564 enum conn_reasons conn_reason)
1566 struct hci_conn *conn;
1568 /* Let's make sure that le is enabled.*/
1569 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1570 if (lmp_le_capable(hdev))
1571 return ERR_PTR(-ECONNREFUSED);
1573 return ERR_PTR(-EOPNOTSUPP);
1576 /* Some devices send ATT messages as soon as the physical link is
1577 * established. To be able to handle these ATT messages, the user-
1578 * space first establishes the connection and then starts the pairing
1581 * So if a hci_conn object already exists for the following connection
1582 * attempt, we simply update pending_sec_level and auth_type fields
1583 * and return the object found.
1585 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1587 if (conn->pending_sec_level < sec_level)
1588 conn->pending_sec_level = sec_level;
1592 BT_DBG("requesting refresh of dst_addr");
1594 conn = hci_conn_add(hdev, LE_LINK, dst, HCI_ROLE_MASTER);
1596 return ERR_PTR(-ENOMEM);
1598 if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) {
1600 return ERR_PTR(-EBUSY);
1603 conn->state = BT_CONNECT;
1604 set_bit(HCI_CONN_SCANNING, &conn->flags);
1605 conn->dst_type = dst_type;
1606 conn->sec_level = BT_SECURITY_LOW;
1607 conn->pending_sec_level = sec_level;
1608 conn->conn_timeout = conn_timeout;
1609 conn->conn_reason = conn_reason;
1611 hci_update_passive_scan(hdev);
1614 hci_conn_hold(conn);
1618 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
1619 u8 sec_level, u8 auth_type,
1620 enum conn_reasons conn_reason)
1622 struct hci_conn *acl;
1624 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1625 if (lmp_bredr_capable(hdev))
1626 return ERR_PTR(-ECONNREFUSED);
1628 return ERR_PTR(-EOPNOTSUPP);
1631 /* Reject outgoing connection to device with same BD ADDR against
1634 if (!bacmp(&hdev->bdaddr, dst)) {
1635 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
1637 return ERR_PTR(-ECONNREFUSED);
1640 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
1642 acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
1644 return ERR_PTR(-ENOMEM);
1649 acl->conn_reason = conn_reason;
1650 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
1651 acl->sec_level = BT_SECURITY_LOW;
1652 acl->pending_sec_level = sec_level;
1653 acl->auth_type = auth_type;
1654 hci_acl_create_connection(acl);
1660 static struct hci_link *hci_conn_link(struct hci_conn *parent,
1661 struct hci_conn *conn)
1663 struct hci_dev *hdev = parent->hdev;
1664 struct hci_link *link;
1666 bt_dev_dbg(hdev, "parent %p hcon %p", parent, conn);
1674 link = kzalloc(sizeof(*link), GFP_KERNEL);
1678 link->conn = hci_conn_hold(conn);
1680 conn->parent = hci_conn_get(parent);
1682 /* Use list_add_tail_rcu append to the list */
1683 list_add_tail_rcu(&link->list, &parent->link_list);
1688 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
1689 __u16 setting, struct bt_codec *codec)
1691 struct hci_conn *acl;
1692 struct hci_conn *sco;
1693 struct hci_link *link;
1695 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING,
1696 CONN_REASON_SCO_CONNECT);
1700 sco = hci_conn_hash_lookup_ba(hdev, type, dst);
1702 sco = hci_conn_add(hdev, type, dst, HCI_ROLE_MASTER);
1705 return ERR_PTR(-ENOMEM);
1709 link = hci_conn_link(acl, sco);
1713 return ERR_PTR(-ENOLINK);
1716 sco->setting = setting;
1717 sco->codec = *codec;
1719 if (acl->state == BT_CONNECTED &&
1720 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
1721 set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
1722 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
1724 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
1725 /* defer SCO setup until mode change completed */
1726 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
1730 hci_sco_setup(acl, 0x00);
1736 static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos)
1738 struct hci_dev *hdev = conn->hdev;
1739 struct hci_cp_le_create_big cp;
1740 struct iso_list_data data;
1742 memset(&cp, 0, sizeof(cp));
1744 data.big = qos->bcast.big;
1745 data.bis = qos->bcast.bis;
1748 /* Create a BIS for each bound connection */
1749 hci_conn_hash_list_state(hdev, bis_list, ISO_LINK,
1752 cp.handle = qos->bcast.big;
1753 cp.adv_handle = qos->bcast.bis;
1754 cp.num_bis = data.count;
1755 hci_cpu_to_le24(qos->bcast.out.interval, cp.bis.sdu_interval);
1756 cp.bis.sdu = cpu_to_le16(qos->bcast.out.sdu);
1757 cp.bis.latency = cpu_to_le16(qos->bcast.out.latency);
1758 cp.bis.rtn = qos->bcast.out.rtn;
1759 cp.bis.phy = qos->bcast.out.phy;
1760 cp.bis.packing = qos->bcast.packing;
1761 cp.bis.framing = qos->bcast.framing;
1762 cp.bis.encryption = qos->bcast.encryption;
1763 memcpy(cp.bis.bcode, qos->bcast.bcode, sizeof(cp.bis.bcode));
1765 return hci_send_cmd(hdev, HCI_OP_LE_CREATE_BIG, sizeof(cp), &cp);
1768 static int set_cig_params_sync(struct hci_dev *hdev, void *data)
1770 u8 cig_id = PTR_UINT(data);
1771 struct hci_conn *conn;
1772 struct bt_iso_qos *qos;
1773 struct iso_cig_params pdu;
1776 conn = hci_conn_hash_lookup_cig(hdev, cig_id);
1780 memset(&pdu, 0, sizeof(pdu));
1782 qos = &conn->iso_qos;
1783 pdu.cp.cig_id = cig_id;
1784 hci_cpu_to_le24(qos->ucast.out.interval, pdu.cp.c_interval);
1785 hci_cpu_to_le24(qos->ucast.in.interval, pdu.cp.p_interval);
1786 pdu.cp.sca = qos->ucast.sca;
1787 pdu.cp.packing = qos->ucast.packing;
1788 pdu.cp.framing = qos->ucast.framing;
1789 pdu.cp.c_latency = cpu_to_le16(qos->ucast.out.latency);
1790 pdu.cp.p_latency = cpu_to_le16(qos->ucast.in.latency);
1792 /* Reprogram all CIS(s) with the same CIG, valid range are:
1793 * num_cis: 0x00 to 0x1F
1794 * cis_id: 0x00 to 0xEF
1796 for (cis_id = 0x00; cis_id < 0xf0 &&
1797 pdu.cp.num_cis < ARRAY_SIZE(pdu.cis); cis_id++) {
1798 struct hci_cis_params *cis;
1800 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, cig_id, cis_id);
1804 qos = &conn->iso_qos;
1806 cis = &pdu.cis[pdu.cp.num_cis++];
1807 cis->cis_id = cis_id;
1808 cis->c_sdu = cpu_to_le16(conn->iso_qos.ucast.out.sdu);
1809 cis->p_sdu = cpu_to_le16(conn->iso_qos.ucast.in.sdu);
1810 cis->c_phy = qos->ucast.out.phy ? qos->ucast.out.phy :
1812 cis->p_phy = qos->ucast.in.phy ? qos->ucast.in.phy :
1814 cis->c_rtn = qos->ucast.out.rtn;
1815 cis->p_rtn = qos->ucast.in.rtn;
1818 if (!pdu.cp.num_cis)
1821 return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_CIG_PARAMS,
1823 pdu.cp.num_cis * sizeof(pdu.cis[0]), &pdu,
1827 static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos)
1829 struct hci_dev *hdev = conn->hdev;
1830 struct iso_list_data data;
1832 memset(&data, 0, sizeof(data));
1834 /* Allocate first still reconfigurable CIG if not set */
1835 if (qos->ucast.cig == BT_ISO_QOS_CIG_UNSET) {
1836 for (data.cig = 0x00; data.cig < 0xf0; data.cig++) {
1839 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK,
1844 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK,
1845 BT_CONNECTED, &data);
1850 if (data.cig == 0xf0)
1854 qos->ucast.cig = data.cig;
1857 if (qos->ucast.cis != BT_ISO_QOS_CIS_UNSET) {
1858 if (hci_conn_hash_lookup_cis(hdev, NULL, 0, qos->ucast.cig,
1864 /* Allocate first available CIS if not set */
1865 for (data.cig = qos->ucast.cig, data.cis = 0x00; data.cis < 0xf0;
1867 if (!hci_conn_hash_lookup_cis(hdev, NULL, 0, data.cig,
1870 qos->ucast.cis = data.cis;
1875 if (qos->ucast.cis == BT_ISO_QOS_CIS_UNSET)
1879 if (hci_cmd_sync_queue(hdev, set_cig_params_sync,
1880 UINT_PTR(qos->ucast.cig), NULL) < 0)
1886 struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst,
1887 __u8 dst_type, struct bt_iso_qos *qos)
1889 struct hci_conn *cis;
1891 cis = hci_conn_hash_lookup_cis(hdev, dst, dst_type, qos->ucast.cig,
1894 cis = hci_conn_add(hdev, ISO_LINK, dst, HCI_ROLE_MASTER);
1896 return ERR_PTR(-ENOMEM);
1897 cis->cleanup = cis_cleanup;
1898 cis->dst_type = dst_type;
1899 cis->iso_qos.ucast.cig = BT_ISO_QOS_CIG_UNSET;
1900 cis->iso_qos.ucast.cis = BT_ISO_QOS_CIS_UNSET;
1903 if (cis->state == BT_CONNECTED)
1906 /* Check if CIS has been set and the settings matches */
1907 if (cis->state == BT_BOUND &&
1908 !memcmp(&cis->iso_qos, qos, sizeof(*qos)))
1911 /* Update LINK PHYs according to QoS preference */
1912 cis->le_tx_phy = qos->ucast.out.phy;
1913 cis->le_rx_phy = qos->ucast.in.phy;
1915 /* If output interval is not set use the input interval as it cannot be
1918 if (!qos->ucast.out.interval)
1919 qos->ucast.out.interval = qos->ucast.in.interval;
1921 /* If input interval is not set use the output interval as it cannot be
1924 if (!qos->ucast.in.interval)
1925 qos->ucast.in.interval = qos->ucast.out.interval;
1927 /* If output latency is not set use the input latency as it cannot be
1930 if (!qos->ucast.out.latency)
1931 qos->ucast.out.latency = qos->ucast.in.latency;
1933 /* If input latency is not set use the output latency as it cannot be
1936 if (!qos->ucast.in.latency)
1937 qos->ucast.in.latency = qos->ucast.out.latency;
1939 if (!hci_le_set_cig_params(cis, qos)) {
1941 return ERR_PTR(-EINVAL);
1946 cis->iso_qos = *qos;
1947 cis->state = BT_BOUND;
1952 bool hci_iso_setup_path(struct hci_conn *conn)
1954 struct hci_dev *hdev = conn->hdev;
1955 struct hci_cp_le_setup_iso_path cmd;
1957 memset(&cmd, 0, sizeof(cmd));
1959 if (conn->iso_qos.ucast.out.sdu) {
1960 cmd.handle = cpu_to_le16(conn->handle);
1961 cmd.direction = 0x00; /* Input (Host to Controller) */
1962 cmd.path = 0x00; /* HCI path if enabled */
1963 cmd.codec = 0x03; /* Transparent Data */
1965 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
1970 if (conn->iso_qos.ucast.in.sdu) {
1971 cmd.handle = cpu_to_le16(conn->handle);
1972 cmd.direction = 0x01; /* Output (Controller to Host) */
1973 cmd.path = 0x00; /* HCI path if enabled */
1974 cmd.codec = 0x03; /* Transparent Data */
1976 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
1984 int hci_conn_check_create_cis(struct hci_conn *conn)
1986 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY))
1989 if (!conn->parent || conn->parent->state != BT_CONNECTED ||
1990 conn->state != BT_CONNECT || HCI_CONN_HANDLE_UNSET(conn->handle))
1996 static int hci_create_cis_sync(struct hci_dev *hdev, void *data)
1998 return hci_le_create_cis_sync(hdev);
2001 int hci_le_create_cis_pending(struct hci_dev *hdev)
2003 struct hci_conn *conn;
2004 bool pending = false;
2008 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
2009 if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) {
2014 if (!hci_conn_check_create_cis(conn))
2023 /* Queue Create CIS */
2024 return hci_cmd_sync_queue(hdev, hci_create_cis_sync, NULL, NULL);
2027 static void hci_iso_qos_setup(struct hci_dev *hdev, struct hci_conn *conn,
2028 struct bt_iso_io_qos *qos, __u8 phy)
2030 /* Only set MTU if PHY is enabled */
2031 if (!qos->sdu && qos->phy) {
2032 if (hdev->iso_mtu > 0)
2033 qos->sdu = hdev->iso_mtu;
2034 else if (hdev->le_mtu > 0)
2035 qos->sdu = hdev->le_mtu;
2037 qos->sdu = hdev->acl_mtu;
2040 /* Use the same PHY as ACL if set to any */
2041 if (qos->phy == BT_ISO_PHY_ANY)
2044 /* Use LE ACL connection interval if not set */
2046 /* ACL interval unit in 1.25 ms to us */
2047 qos->interval = conn->le_conn_interval * 1250;
2049 /* Use LE ACL connection latency if not set */
2051 qos->latency = conn->le_conn_latency;
2054 static int create_big_sync(struct hci_dev *hdev, void *data)
2056 struct hci_conn *conn = data;
2057 struct bt_iso_qos *qos = &conn->iso_qos;
2058 u16 interval, sync_interval = 0;
2062 if (qos->bcast.out.phy == 0x02)
2063 flags |= MGMT_ADV_FLAG_SEC_2M;
2065 /* Align intervals */
2066 interval = (qos->bcast.out.interval / 1250) * qos->bcast.sync_factor;
2069 sync_interval = interval * 4;
2071 err = hci_start_per_adv_sync(hdev, qos->bcast.bis, conn->le_per_adv_data_len,
2072 conn->le_per_adv_data, flags, interval,
2073 interval, sync_interval);
2077 return hci_le_create_big(conn, &conn->iso_qos);
2080 static void create_pa_complete(struct hci_dev *hdev, void *data, int err)
2082 struct hci_cp_le_pa_create_sync *cp = data;
2084 bt_dev_dbg(hdev, "");
2087 bt_dev_err(hdev, "Unable to create PA: %d", err);
2092 static int create_pa_sync(struct hci_dev *hdev, void *data)
2094 struct hci_cp_le_pa_create_sync *cp = data;
2097 err = __hci_cmd_sync_status(hdev, HCI_OP_LE_PA_CREATE_SYNC,
2098 sizeof(*cp), cp, HCI_CMD_TIMEOUT);
2100 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
2104 return hci_update_passive_scan_sync(hdev);
2107 int hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst, __u8 dst_type,
2108 __u8 sid, struct bt_iso_qos *qos)
2110 struct hci_cp_le_pa_create_sync *cp;
2112 if (hci_dev_test_and_set_flag(hdev, HCI_PA_SYNC))
2115 cp = kzalloc(sizeof(*cp), GFP_KERNEL);
2117 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
2121 cp->options = qos->bcast.options;
2123 cp->addr_type = dst_type;
2124 bacpy(&cp->addr, dst);
2125 cp->skip = cpu_to_le16(qos->bcast.skip);
2126 cp->sync_timeout = cpu_to_le16(qos->bcast.sync_timeout);
2127 cp->sync_cte_type = qos->bcast.sync_cte_type;
2129 /* Queue start pa_create_sync and scan */
2130 return hci_cmd_sync_queue(hdev, create_pa_sync, cp, create_pa_complete);
2133 int hci_le_big_create_sync(struct hci_dev *hdev, struct hci_conn *hcon,
2134 struct bt_iso_qos *qos,
2135 __u16 sync_handle, __u8 num_bis, __u8 bis[])
2138 struct hci_cp_le_big_create_sync cp;
2143 if (num_bis > sizeof(pdu.bis))
2146 err = qos_set_big(hdev, qos);
2151 hcon->iso_qos.bcast.big = qos->bcast.big;
2153 memset(&pdu, 0, sizeof(pdu));
2154 pdu.cp.handle = qos->bcast.big;
2155 pdu.cp.sync_handle = cpu_to_le16(sync_handle);
2156 pdu.cp.encryption = qos->bcast.encryption;
2157 memcpy(pdu.cp.bcode, qos->bcast.bcode, sizeof(pdu.cp.bcode));
2158 pdu.cp.mse = qos->bcast.mse;
2159 pdu.cp.timeout = cpu_to_le16(qos->bcast.timeout);
2160 pdu.cp.num_bis = num_bis;
2161 memcpy(pdu.bis, bis, num_bis);
2163 return hci_send_cmd(hdev, HCI_OP_LE_BIG_CREATE_SYNC,
2164 sizeof(pdu.cp) + num_bis, &pdu);
2167 static void create_big_complete(struct hci_dev *hdev, void *data, int err)
2169 struct hci_conn *conn = data;
2171 bt_dev_dbg(hdev, "conn %p", conn);
2174 bt_dev_err(hdev, "Unable to create BIG: %d", err);
2175 hci_connect_cfm(conn, err);
2180 struct hci_conn *hci_bind_bis(struct hci_dev *hdev, bdaddr_t *dst,
2181 struct bt_iso_qos *qos,
2182 __u8 base_len, __u8 *base)
2184 struct hci_conn *conn;
2185 __u8 eir[HCI_MAX_PER_AD_LENGTH];
2187 if (base_len && base)
2188 base_len = eir_append_service_data(eir, 0, 0x1851,
2191 /* We need hci_conn object using the BDADDR_ANY as dst */
2192 conn = hci_add_bis(hdev, dst, qos, base_len, eir);
2196 /* Update LINK PHYs according to QoS preference */
2197 conn->le_tx_phy = qos->bcast.out.phy;
2198 conn->le_tx_phy = qos->bcast.out.phy;
2200 /* Add Basic Announcement into Peridic Adv Data if BASE is set */
2201 if (base_len && base) {
2202 memcpy(conn->le_per_adv_data, eir, sizeof(eir));
2203 conn->le_per_adv_data_len = base_len;
2206 hci_iso_qos_setup(hdev, conn, &qos->bcast.out,
2207 conn->le_tx_phy ? conn->le_tx_phy :
2208 hdev->le_tx_def_phys);
2210 conn->iso_qos = *qos;
2211 conn->state = BT_BOUND;
2216 static void bis_mark_per_adv(struct hci_conn *conn, void *data)
2218 struct iso_list_data *d = data;
2220 /* Skip if not broadcast/ANY address */
2221 if (bacmp(&conn->dst, BDADDR_ANY))
2224 if (d->big != conn->iso_qos.bcast.big ||
2225 d->bis == BT_ISO_QOS_BIS_UNSET ||
2226 d->bis != conn->iso_qos.bcast.bis)
2229 set_bit(HCI_CONN_PER_ADV, &conn->flags);
2232 struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst,
2233 __u8 dst_type, struct bt_iso_qos *qos,
2234 __u8 base_len, __u8 *base)
2236 struct hci_conn *conn;
2238 struct iso_list_data data;
2240 conn = hci_bind_bis(hdev, dst, qos, base_len, base);
2244 data.big = qos->bcast.big;
2245 data.bis = qos->bcast.bis;
2247 /* Set HCI_CONN_PER_ADV for all bound connections, to mark that
2248 * the start periodic advertising and create BIG commands have
2251 hci_conn_hash_list_state(hdev, bis_mark_per_adv, ISO_LINK,
2254 /* Queue start periodic advertising and create BIG */
2255 err = hci_cmd_sync_queue(hdev, create_big_sync, conn,
2256 create_big_complete);
2258 hci_conn_drop(conn);
2259 return ERR_PTR(err);
2265 struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst,
2266 __u8 dst_type, struct bt_iso_qos *qos)
2268 struct hci_conn *le;
2269 struct hci_conn *cis;
2270 struct hci_link *link;
2272 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
2273 le = hci_connect_le(hdev, dst, dst_type, false,
2275 HCI_LE_CONN_TIMEOUT,
2278 le = hci_connect_le_scan(hdev, dst, dst_type,
2280 HCI_LE_CONN_TIMEOUT,
2281 CONN_REASON_ISO_CONNECT);
2285 hci_iso_qos_setup(hdev, le, &qos->ucast.out,
2286 le->le_tx_phy ? le->le_tx_phy : hdev->le_tx_def_phys);
2287 hci_iso_qos_setup(hdev, le, &qos->ucast.in,
2288 le->le_rx_phy ? le->le_rx_phy : hdev->le_rx_def_phys);
2290 cis = hci_bind_cis(hdev, dst, dst_type, qos);
2296 link = hci_conn_link(le, cis);
2300 return ERR_PTR(-ENOLINK);
2303 /* Link takes the refcount */
2306 cis->state = BT_CONNECT;
2308 hci_le_create_cis_pending(hdev);
2313 /* Check link security requirement */
2314 int hci_conn_check_link_mode(struct hci_conn *conn)
2316 BT_DBG("hcon %p", conn);
2318 /* In Secure Connections Only mode, it is required that Secure
2319 * Connections is used and the link is encrypted with AES-CCM
2320 * using a P-256 authenticated combination key.
2322 if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) {
2323 if (!hci_conn_sc_enabled(conn) ||
2324 !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2325 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
2329 /* AES encryption is required for Level 4:
2331 * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C
2334 * 128-bit equivalent strength for link and encryption keys
2335 * required using FIPS approved algorithms (E0 not allowed,
2336 * SAFER+ not allowed, and P-192 not allowed; encryption key
2339 if (conn->sec_level == BT_SECURITY_FIPS &&
2340 !test_bit(HCI_CONN_AES_CCM, &conn->flags)) {
2341 bt_dev_err(conn->hdev,
2342 "Invalid security: Missing AES-CCM usage");
2346 if (hci_conn_ssp_enabled(conn) &&
2347 !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2353 /* Authenticate remote device */
2354 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
2356 BT_DBG("hcon %p", conn);
2358 if (conn->pending_sec_level > sec_level)
2359 sec_level = conn->pending_sec_level;
2361 if (sec_level > conn->sec_level)
2362 conn->pending_sec_level = sec_level;
2363 else if (test_bit(HCI_CONN_AUTH, &conn->flags))
2366 /* Make sure we preserve an existing MITM requirement*/
2367 auth_type |= (conn->auth_type & 0x01);
2369 conn->auth_type = auth_type;
2371 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2372 struct hci_cp_auth_requested cp;
2374 cp.handle = cpu_to_le16(conn->handle);
2375 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
2378 /* If we're already encrypted set the REAUTH_PEND flag,
2379 * otherwise set the ENCRYPT_PEND.
2381 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2382 set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2384 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2390 /* Encrypt the link */
2391 static void hci_conn_encrypt(struct hci_conn *conn)
2393 BT_DBG("hcon %p", conn);
2395 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2396 struct hci_cp_set_conn_encrypt cp;
2397 cp.handle = cpu_to_le16(conn->handle);
2399 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2404 /* Enable security */
2405 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
2408 BT_DBG("hcon %p", conn);
2410 if (conn->type == LE_LINK)
2411 return smp_conn_security(conn, sec_level);
2413 /* For sdp we don't need the link key. */
2414 if (sec_level == BT_SECURITY_SDP)
2417 /* For non 2.1 devices and low security level we don't need the link
2419 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
2422 /* For other security levels we need the link key. */
2423 if (!test_bit(HCI_CONN_AUTH, &conn->flags))
2426 switch (conn->key_type) {
2427 case HCI_LK_AUTH_COMBINATION_P256:
2428 /* An authenticated FIPS approved combination key has
2429 * sufficient security for security level 4 or lower.
2431 if (sec_level <= BT_SECURITY_FIPS)
2434 case HCI_LK_AUTH_COMBINATION_P192:
2435 /* An authenticated combination key has sufficient security for
2436 * security level 3 or lower.
2438 if (sec_level <= BT_SECURITY_HIGH)
2441 case HCI_LK_UNAUTH_COMBINATION_P192:
2442 case HCI_LK_UNAUTH_COMBINATION_P256:
2443 /* An unauthenticated combination key has sufficient security
2444 * for security level 2 or lower.
2446 if (sec_level <= BT_SECURITY_MEDIUM)
2449 case HCI_LK_COMBINATION:
2450 /* A combination key has always sufficient security for the
2451 * security levels 2 or lower. High security level requires the
2452 * combination key is generated using maximum PIN code length
2453 * (16). For pre 2.1 units.
2455 if (sec_level <= BT_SECURITY_MEDIUM || conn->pin_length == 16)
2463 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
2467 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2469 if (!hci_conn_auth(conn, sec_level, auth_type))
2473 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) {
2474 /* Ensure that the encryption key size has been read,
2475 * otherwise stall the upper layer responses.
2477 if (!conn->enc_key_size)
2480 /* Nothing else needed, all requirements are met */
2484 hci_conn_encrypt(conn);
2487 EXPORT_SYMBOL(hci_conn_security);
2489 /* Check secure link requirement */
2490 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
2492 BT_DBG("hcon %p", conn);
2494 /* Accept if non-secure or higher security level is required */
2495 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
2498 /* Accept if secure or higher security level is already present */
2499 if (conn->sec_level == BT_SECURITY_HIGH ||
2500 conn->sec_level == BT_SECURITY_FIPS)
2503 /* Reject not secure link */
2506 EXPORT_SYMBOL(hci_conn_check_secure);
2509 int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
2511 BT_DBG("hcon %p", conn);
2513 if (role == conn->role)
2516 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
2517 struct hci_cp_switch_role cp;
2518 bacpy(&cp.bdaddr, &conn->dst);
2520 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
2525 EXPORT_SYMBOL(hci_conn_switch_role);
2527 /* Enter active mode */
2528 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
2530 struct hci_dev *hdev = conn->hdev;
2532 BT_DBG("hcon %p mode %d", conn, conn->mode);
2534 if (conn->mode != HCI_CM_SNIFF)
2537 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
2540 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
2541 struct hci_cp_exit_sniff_mode cp;
2542 cp.handle = cpu_to_le16(conn->handle);
2543 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
2547 if (hdev->idle_timeout > 0)
2548 queue_delayed_work(hdev->workqueue, &conn->idle_work,
2549 msecs_to_jiffies(hdev->idle_timeout));
2552 /* Drop all connection on the device */
2553 void hci_conn_hash_flush(struct hci_dev *hdev)
2555 struct list_head *head = &hdev->conn_hash.list;
2556 struct hci_conn *conn;
2558 BT_DBG("hdev %s", hdev->name);
2560 /* We should not traverse the list here, because hci_conn_del
2561 * can remove extra links, which may cause the list traversal
2562 * to hit items that have already been released.
2564 while ((conn = list_first_entry_or_null(head,
2567 conn->state = BT_CLOSED;
2568 hci_disconn_cfm(conn, HCI_ERROR_LOCAL_HOST_TERM);
2573 /* Check pending connect attempts */
2574 void hci_conn_check_pending(struct hci_dev *hdev)
2576 struct hci_conn *conn;
2578 BT_DBG("hdev %s", hdev->name);
2582 conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2);
2584 hci_acl_create_connection(conn);
2586 hci_dev_unlock(hdev);
2589 static u32 get_link_mode(struct hci_conn *conn)
2593 if (conn->role == HCI_ROLE_MASTER)
2594 link_mode |= HCI_LM_MASTER;
2596 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2597 link_mode |= HCI_LM_ENCRYPT;
2599 if (test_bit(HCI_CONN_AUTH, &conn->flags))
2600 link_mode |= HCI_LM_AUTH;
2602 if (test_bit(HCI_CONN_SECURE, &conn->flags))
2603 link_mode |= HCI_LM_SECURE;
2605 if (test_bit(HCI_CONN_FIPS, &conn->flags))
2606 link_mode |= HCI_LM_FIPS;
2611 int hci_get_conn_list(void __user *arg)
2614 struct hci_conn_list_req req, *cl;
2615 struct hci_conn_info *ci;
2616 struct hci_dev *hdev;
2617 int n = 0, size, err;
2619 if (copy_from_user(&req, arg, sizeof(req)))
2622 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
2625 size = sizeof(req) + req.conn_num * sizeof(*ci);
2627 cl = kmalloc(size, GFP_KERNEL);
2631 hdev = hci_dev_get(req.dev_id);
2640 list_for_each_entry(c, &hdev->conn_hash.list, list) {
2641 bacpy(&(ci + n)->bdaddr, &c->dst);
2642 (ci + n)->handle = c->handle;
2643 (ci + n)->type = c->type;
2644 (ci + n)->out = c->out;
2645 (ci + n)->state = c->state;
2646 (ci + n)->link_mode = get_link_mode(c);
2647 if (++n >= req.conn_num)
2650 hci_dev_unlock(hdev);
2652 cl->dev_id = hdev->id;
2654 size = sizeof(req) + n * sizeof(*ci);
2658 err = copy_to_user(arg, cl, size);
2661 return err ? -EFAULT : 0;
2664 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
2666 struct hci_conn_info_req req;
2667 struct hci_conn_info ci;
2668 struct hci_conn *conn;
2669 char __user *ptr = arg + sizeof(req);
2671 if (copy_from_user(&req, arg, sizeof(req)))
2675 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
2677 bacpy(&ci.bdaddr, &conn->dst);
2678 ci.handle = conn->handle;
2679 ci.type = conn->type;
2681 ci.state = conn->state;
2682 ci.link_mode = get_link_mode(conn);
2684 hci_dev_unlock(hdev);
2689 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
2692 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
2694 struct hci_auth_info_req req;
2695 struct hci_conn *conn;
2697 if (copy_from_user(&req, arg, sizeof(req)))
2701 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
2703 req.type = conn->auth_type;
2704 hci_dev_unlock(hdev);
2709 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
2712 struct hci_chan *hci_chan_create(struct hci_conn *conn)
2714 struct hci_dev *hdev = conn->hdev;
2715 struct hci_chan *chan;
2717 BT_DBG("%s hcon %p", hdev->name, conn);
2719 if (test_bit(HCI_CONN_DROP, &conn->flags)) {
2720 BT_DBG("Refusing to create new hci_chan");
2724 chan = kzalloc(sizeof(*chan), GFP_KERNEL);
2728 chan->conn = hci_conn_get(conn);
2729 skb_queue_head_init(&chan->data_q);
2730 chan->state = BT_CONNECTED;
2732 list_add_rcu(&chan->list, &conn->chan_list);
2737 void hci_chan_del(struct hci_chan *chan)
2739 struct hci_conn *conn = chan->conn;
2740 struct hci_dev *hdev = conn->hdev;
2742 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
2744 list_del_rcu(&chan->list);
2748 /* Prevent new hci_chan's to be created for this hci_conn */
2749 set_bit(HCI_CONN_DROP, &conn->flags);
2753 skb_queue_purge(&chan->data_q);
2757 void hci_chan_list_flush(struct hci_conn *conn)
2759 struct hci_chan *chan, *n;
2761 BT_DBG("hcon %p", conn);
2763 list_for_each_entry_safe(chan, n, &conn->chan_list, list)
2767 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
2770 struct hci_chan *hchan;
2772 list_for_each_entry(hchan, &hcon->chan_list, list) {
2773 if (hchan->handle == handle)
2780 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
2782 struct hci_conn_hash *h = &hdev->conn_hash;
2783 struct hci_conn *hcon;
2784 struct hci_chan *hchan = NULL;
2788 list_for_each_entry_rcu(hcon, &h->list, list) {
2789 hchan = __hci_chan_lookup_handle(hcon, handle);
2799 u32 hci_conn_get_phy(struct hci_conn *conn)
2803 /* BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part B page 471:
2804 * Table 6.2: Packets defined for synchronous, asynchronous, and
2805 * CPB logical transport types.
2807 switch (conn->type) {
2809 /* SCO logical transport (1 Mb/s):
2810 * HV1, HV2, HV3 and DV.
2812 phys |= BT_PHY_BR_1M_1SLOT;
2817 /* ACL logical transport (1 Mb/s) ptt=0:
2818 * DH1, DM3, DH3, DM5 and DH5.
2820 phys |= BT_PHY_BR_1M_1SLOT;
2822 if (conn->pkt_type & (HCI_DM3 | HCI_DH3))
2823 phys |= BT_PHY_BR_1M_3SLOT;
2825 if (conn->pkt_type & (HCI_DM5 | HCI_DH5))
2826 phys |= BT_PHY_BR_1M_5SLOT;
2828 /* ACL logical transport (2 Mb/s) ptt=1:
2829 * 2-DH1, 2-DH3 and 2-DH5.
2831 if (!(conn->pkt_type & HCI_2DH1))
2832 phys |= BT_PHY_EDR_2M_1SLOT;
2834 if (!(conn->pkt_type & HCI_2DH3))
2835 phys |= BT_PHY_EDR_2M_3SLOT;
2837 if (!(conn->pkt_type & HCI_2DH5))
2838 phys |= BT_PHY_EDR_2M_5SLOT;
2840 /* ACL logical transport (3 Mb/s) ptt=1:
2841 * 3-DH1, 3-DH3 and 3-DH5.
2843 if (!(conn->pkt_type & HCI_3DH1))
2844 phys |= BT_PHY_EDR_3M_1SLOT;
2846 if (!(conn->pkt_type & HCI_3DH3))
2847 phys |= BT_PHY_EDR_3M_3SLOT;
2849 if (!(conn->pkt_type & HCI_3DH5))
2850 phys |= BT_PHY_EDR_3M_5SLOT;
2855 /* eSCO logical transport (1 Mb/s): EV3, EV4 and EV5 */
2856 phys |= BT_PHY_BR_1M_1SLOT;
2858 if (!(conn->pkt_type & (ESCO_EV4 | ESCO_EV5)))
2859 phys |= BT_PHY_BR_1M_3SLOT;
2861 /* eSCO logical transport (2 Mb/s): 2-EV3, 2-EV5 */
2862 if (!(conn->pkt_type & ESCO_2EV3))
2863 phys |= BT_PHY_EDR_2M_1SLOT;
2865 if (!(conn->pkt_type & ESCO_2EV5))
2866 phys |= BT_PHY_EDR_2M_3SLOT;
2868 /* eSCO logical transport (3 Mb/s): 3-EV3, 3-EV5 */
2869 if (!(conn->pkt_type & ESCO_3EV3))
2870 phys |= BT_PHY_EDR_3M_1SLOT;
2872 if (!(conn->pkt_type & ESCO_3EV5))
2873 phys |= BT_PHY_EDR_3M_3SLOT;
2878 if (conn->le_tx_phy & HCI_LE_SET_PHY_1M)
2879 phys |= BT_PHY_LE_1M_TX;
2881 if (conn->le_rx_phy & HCI_LE_SET_PHY_1M)
2882 phys |= BT_PHY_LE_1M_RX;
2884 if (conn->le_tx_phy & HCI_LE_SET_PHY_2M)
2885 phys |= BT_PHY_LE_2M_TX;
2887 if (conn->le_rx_phy & HCI_LE_SET_PHY_2M)
2888 phys |= BT_PHY_LE_2M_RX;
2890 if (conn->le_tx_phy & HCI_LE_SET_PHY_CODED)
2891 phys |= BT_PHY_LE_CODED_TX;
2893 if (conn->le_rx_phy & HCI_LE_SET_PHY_CODED)
2894 phys |= BT_PHY_LE_CODED_RX;
2902 static int abort_conn_sync(struct hci_dev *hdev, void *data)
2904 struct hci_conn *conn;
2905 u16 handle = PTR_UINT(data);
2907 conn = hci_conn_hash_lookup_handle(hdev, handle);
2911 return hci_abort_conn_sync(hdev, conn, conn->abort_reason);
2914 int hci_abort_conn(struct hci_conn *conn, u8 reason)
2916 struct hci_dev *hdev = conn->hdev;
2918 /* If abort_reason has already been set it means the connection is
2919 * already being aborted so don't attempt to overwrite it.
2921 if (conn->abort_reason)
2924 bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason);
2926 conn->abort_reason = reason;
2928 /* If the connection is pending check the command opcode since that
2929 * might be blocking on hci_cmd_sync_work while waiting its respective
2930 * event so we need to hci_cmd_sync_cancel to cancel it.
2932 * hci_connect_le serializes the connection attempts so only one
2933 * connection can be in BT_CONNECT at time.
2935 if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) {
2936 switch (hci_skb_event(hdev->sent_cmd)) {
2937 case HCI_EV_LE_CONN_COMPLETE:
2938 case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
2939 case HCI_EVT_LE_CIS_ESTABLISHED:
2940 hci_cmd_sync_cancel(hdev, -ECANCELED);
2945 return hci_cmd_sync_queue(hdev, abort_conn_sync, UINT_PTR(conn->handle),