2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI connection handling. */
27 #include <linux/export.h>
28 #include <linux/debugfs.h>
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/l2cap.h>
33 #include <net/bluetooth/iso.h>
34 #include <net/bluetooth/mgmt.h>
36 #include "hci_request.h"
47 struct conn_handle_t {
48 struct hci_conn *conn;
52 static const struct sco_param esco_param_cvsd[] = {
53 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a, 0x01 }, /* S3 */
54 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007, 0x01 }, /* S2 */
55 { EDR_ESCO_MASK | ESCO_EV3, 0x0007, 0x01 }, /* S1 */
56 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0x01 }, /* D1 */
57 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0x01 }, /* D0 */
60 static const struct sco_param sco_param_cvsd[] = {
61 { EDR_ESCO_MASK | ESCO_HV3, 0xffff, 0xff }, /* D1 */
62 { EDR_ESCO_MASK | ESCO_HV1, 0xffff, 0xff }, /* D0 */
65 static const struct sco_param esco_param_msbc[] = {
66 { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d, 0x02 }, /* T2 */
67 { EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */
70 /* This function requires the caller holds hdev->lock */
71 static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
73 struct hci_conn_params *params;
74 struct hci_dev *hdev = conn->hdev;
80 bdaddr_type = conn->dst_type;
82 /* Check if we need to convert to identity address */
83 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
85 bdaddr = &irk->bdaddr;
86 bdaddr_type = irk->addr_type;
89 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr,
95 hci_conn_drop(params->conn);
96 hci_conn_put(params->conn);
100 if (!params->explicit_connect)
103 /* If the status indicates successful cancellation of
104 * the attempt (i.e. Unknown Connection Id) there's no point of
105 * notifying failure since we'll go back to keep trying to
106 * connect. The only exception is explicit connect requests
107 * where a timeout + cancel does indicate an actual failure.
109 if (status && status != HCI_ERROR_UNKNOWN_CONN_ID)
110 mgmt_connect_failed(hdev, &conn->dst, conn->type,
111 conn->dst_type, status);
113 /* The connection attempt was doing scan for new RPA, and is
114 * in scan phase. If params are not associated with any other
115 * autoconnect action, remove them completely. If they are, just unmark
116 * them as waiting for connection, by clearing explicit_connect field.
118 params->explicit_connect = false;
120 hci_pend_le_list_del_init(params);
122 switch (params->auto_connect) {
123 case HCI_AUTO_CONN_EXPLICIT:
124 hci_conn_params_del(hdev, bdaddr, bdaddr_type);
125 /* return instead of break to avoid duplicate scan update */
127 case HCI_AUTO_CONN_DIRECT:
128 case HCI_AUTO_CONN_ALWAYS:
129 hci_pend_le_list_add(params, &hdev->pend_le_conns);
131 case HCI_AUTO_CONN_REPORT:
132 hci_pend_le_list_add(params, &hdev->pend_le_reports);
138 hci_update_passive_scan(hdev);
141 static void hci_conn_cleanup(struct hci_conn *conn)
143 struct hci_dev *hdev = conn->hdev;
145 if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
146 hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);
148 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
149 hci_remove_link_key(hdev, &conn->dst);
151 hci_chan_list_flush(conn);
153 hci_conn_hash_del(hdev, conn);
158 if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
159 switch (conn->setting & SCO_AIRMODE_MASK) {
160 case SCO_AIRMODE_CVSD:
161 case SCO_AIRMODE_TRANSP:
163 hdev->notify(hdev, HCI_NOTIFY_DISABLE_SCO);
168 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
171 debugfs_remove_recursive(conn->debugfs);
173 hci_conn_del_sysfs(conn);
178 static void hci_acl_create_connection(struct hci_conn *conn)
180 struct hci_dev *hdev = conn->hdev;
181 struct inquiry_entry *ie;
182 struct hci_cp_create_conn cp;
184 BT_DBG("hcon %p", conn);
186 /* Many controllers disallow HCI Create Connection while it is doing
187 * HCI Inquiry. So we cancel the Inquiry first before issuing HCI Create
188 * Connection. This may cause the MGMT discovering state to become false
189 * without user space's request but it is okay since the MGMT Discovery
190 * APIs do not promise that discovery should be done forever. Instead,
191 * the user space monitors the status of MGMT discovering and it may
192 * request for discovery again when this flag becomes false.
194 if (test_bit(HCI_INQUIRY, &hdev->flags)) {
195 /* Put this connection to "pending" state so that it will be
196 * executed after the inquiry cancel command complete event.
198 conn->state = BT_CONNECT2;
199 hci_send_cmd(hdev, HCI_OP_INQUIRY_CANCEL, 0, NULL);
203 conn->state = BT_CONNECT;
205 conn->role = HCI_ROLE_MASTER;
209 conn->link_policy = hdev->link_policy;
211 memset(&cp, 0, sizeof(cp));
212 bacpy(&cp.bdaddr, &conn->dst);
213 cp.pscan_rep_mode = 0x02;
215 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
217 if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) {
218 cp.pscan_rep_mode = ie->data.pscan_rep_mode;
219 cp.pscan_mode = ie->data.pscan_mode;
220 cp.clock_offset = ie->data.clock_offset |
224 memcpy(conn->dev_class, ie->data.dev_class, 3);
227 cp.pkt_type = cpu_to_le16(conn->pkt_type);
228 if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER))
229 cp.role_switch = 0x01;
231 cp.role_switch = 0x00;
233 hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
236 int hci_disconnect(struct hci_conn *conn, __u8 reason)
238 BT_DBG("hcon %p", conn);
240 /* When we are central of an established connection and it enters
241 * the disconnect timeout, then go ahead and try to read the
242 * current clock offset. Processing of the result is done
243 * within the event handling and hci_clock_offset_evt function.
245 if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER &&
246 (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) {
247 struct hci_dev *hdev = conn->hdev;
248 struct hci_cp_read_clock_offset clkoff_cp;
250 clkoff_cp.handle = cpu_to_le16(conn->handle);
251 hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp),
255 return hci_abort_conn(conn, reason);
258 static void hci_add_sco(struct hci_conn *conn, __u16 handle)
260 struct hci_dev *hdev = conn->hdev;
261 struct hci_cp_add_sco cp;
263 BT_DBG("hcon %p", conn);
265 conn->state = BT_CONNECT;
270 cp.handle = cpu_to_le16(handle);
271 cp.pkt_type = cpu_to_le16(conn->pkt_type);
273 hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
276 static bool find_next_esco_param(struct hci_conn *conn,
277 const struct sco_param *esco_param, int size)
279 for (; conn->attempt <= size; conn->attempt++) {
280 if (lmp_esco_2m_capable(conn->link) ||
281 (esco_param[conn->attempt - 1].pkt_type & ESCO_2EV3))
283 BT_DBG("hcon %p skipped attempt %d, eSCO 2M not supported",
284 conn, conn->attempt);
287 return conn->attempt <= size;
290 static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec)
293 __u8 vnd_len, *vnd_data = NULL;
294 struct hci_op_configure_data_path *cmd = NULL;
296 err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len,
301 cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL);
307 err = hdev->get_data_path_id(hdev, &cmd->data_path_id);
311 cmd->vnd_len = vnd_len;
312 memcpy(cmd->vnd_data, vnd_data, vnd_len);
314 cmd->direction = 0x00;
315 __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
316 sizeof(*cmd) + vnd_len, cmd, HCI_CMD_TIMEOUT);
318 cmd->direction = 0x01;
319 err = __hci_cmd_sync_status(hdev, HCI_CONFIGURE_DATA_PATH,
320 sizeof(*cmd) + vnd_len, cmd,
329 static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data)
331 struct conn_handle_t *conn_handle = data;
332 struct hci_conn *conn = conn_handle->conn;
333 __u16 handle = conn_handle->handle;
334 struct hci_cp_enhanced_setup_sync_conn cp;
335 const struct sco_param *param;
339 bt_dev_dbg(hdev, "hcon %p", conn);
341 /* for offload use case, codec needs to configured before opening SCO */
342 if (conn->codec.data_path)
343 configure_datapath_sync(hdev, &conn->codec);
345 conn->state = BT_CONNECT;
350 memset(&cp, 0x00, sizeof(cp));
352 cp.handle = cpu_to_le16(handle);
354 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
355 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
357 switch (conn->codec.id) {
359 if (!find_next_esco_param(conn, esco_param_msbc,
360 ARRAY_SIZE(esco_param_msbc)))
363 param = &esco_param_msbc[conn->attempt - 1];
364 cp.tx_coding_format.id = 0x05;
365 cp.rx_coding_format.id = 0x05;
366 cp.tx_codec_frame_size = __cpu_to_le16(60);
367 cp.rx_codec_frame_size = __cpu_to_le16(60);
368 cp.in_bandwidth = __cpu_to_le32(32000);
369 cp.out_bandwidth = __cpu_to_le32(32000);
370 cp.in_coding_format.id = 0x04;
371 cp.out_coding_format.id = 0x04;
372 cp.in_coded_data_size = __cpu_to_le16(16);
373 cp.out_coded_data_size = __cpu_to_le16(16);
374 cp.in_pcm_data_format = 2;
375 cp.out_pcm_data_format = 2;
376 cp.in_pcm_sample_payload_msb_pos = 0;
377 cp.out_pcm_sample_payload_msb_pos = 0;
378 cp.in_data_path = conn->codec.data_path;
379 cp.out_data_path = conn->codec.data_path;
380 cp.in_transport_unit_size = 1;
381 cp.out_transport_unit_size = 1;
384 case BT_CODEC_TRANSPARENT:
385 if (!find_next_esco_param(conn, esco_param_msbc,
386 ARRAY_SIZE(esco_param_msbc)))
388 param = &esco_param_msbc[conn->attempt - 1];
389 cp.tx_coding_format.id = 0x03;
390 cp.rx_coding_format.id = 0x03;
391 cp.tx_codec_frame_size = __cpu_to_le16(60);
392 cp.rx_codec_frame_size = __cpu_to_le16(60);
393 cp.in_bandwidth = __cpu_to_le32(0x1f40);
394 cp.out_bandwidth = __cpu_to_le32(0x1f40);
395 cp.in_coding_format.id = 0x03;
396 cp.out_coding_format.id = 0x03;
397 cp.in_coded_data_size = __cpu_to_le16(16);
398 cp.out_coded_data_size = __cpu_to_le16(16);
399 cp.in_pcm_data_format = 2;
400 cp.out_pcm_data_format = 2;
401 cp.in_pcm_sample_payload_msb_pos = 0;
402 cp.out_pcm_sample_payload_msb_pos = 0;
403 cp.in_data_path = conn->codec.data_path;
404 cp.out_data_path = conn->codec.data_path;
405 cp.in_transport_unit_size = 1;
406 cp.out_transport_unit_size = 1;
410 if (lmp_esco_capable(conn->link)) {
411 if (!find_next_esco_param(conn, esco_param_cvsd,
412 ARRAY_SIZE(esco_param_cvsd)))
414 param = &esco_param_cvsd[conn->attempt - 1];
416 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
418 param = &sco_param_cvsd[conn->attempt - 1];
420 cp.tx_coding_format.id = 2;
421 cp.rx_coding_format.id = 2;
422 cp.tx_codec_frame_size = __cpu_to_le16(60);
423 cp.rx_codec_frame_size = __cpu_to_le16(60);
424 cp.in_bandwidth = __cpu_to_le32(16000);
425 cp.out_bandwidth = __cpu_to_le32(16000);
426 cp.in_coding_format.id = 4;
427 cp.out_coding_format.id = 4;
428 cp.in_coded_data_size = __cpu_to_le16(16);
429 cp.out_coded_data_size = __cpu_to_le16(16);
430 cp.in_pcm_data_format = 2;
431 cp.out_pcm_data_format = 2;
432 cp.in_pcm_sample_payload_msb_pos = 0;
433 cp.out_pcm_sample_payload_msb_pos = 0;
434 cp.in_data_path = conn->codec.data_path;
435 cp.out_data_path = conn->codec.data_path;
436 cp.in_transport_unit_size = 16;
437 cp.out_transport_unit_size = 16;
443 cp.retrans_effort = param->retrans_effort;
444 cp.pkt_type = __cpu_to_le16(param->pkt_type);
445 cp.max_latency = __cpu_to_le16(param->max_latency);
447 if (hci_send_cmd(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
453 static bool hci_setup_sync_conn(struct hci_conn *conn, __u16 handle)
455 struct hci_dev *hdev = conn->hdev;
456 struct hci_cp_setup_sync_conn cp;
457 const struct sco_param *param;
459 bt_dev_dbg(hdev, "hcon %p", conn);
461 conn->state = BT_CONNECT;
466 cp.handle = cpu_to_le16(handle);
468 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
469 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
470 cp.voice_setting = cpu_to_le16(conn->setting);
472 switch (conn->setting & SCO_AIRMODE_MASK) {
473 case SCO_AIRMODE_TRANSP:
474 if (!find_next_esco_param(conn, esco_param_msbc,
475 ARRAY_SIZE(esco_param_msbc)))
477 param = &esco_param_msbc[conn->attempt - 1];
479 case SCO_AIRMODE_CVSD:
480 if (lmp_esco_capable(conn->link)) {
481 if (!find_next_esco_param(conn, esco_param_cvsd,
482 ARRAY_SIZE(esco_param_cvsd)))
484 param = &esco_param_cvsd[conn->attempt - 1];
486 if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
488 param = &sco_param_cvsd[conn->attempt - 1];
495 cp.retrans_effort = param->retrans_effort;
496 cp.pkt_type = __cpu_to_le16(param->pkt_type);
497 cp.max_latency = __cpu_to_le16(param->max_latency);
499 if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
505 bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
508 struct conn_handle_t *conn_handle;
510 if (enhanced_sync_conn_capable(conn->hdev)) {
511 conn_handle = kzalloc(sizeof(*conn_handle), GFP_KERNEL);
516 conn_handle->conn = conn;
517 conn_handle->handle = handle;
518 result = hci_cmd_sync_queue(conn->hdev, hci_enhanced_setup_sync,
526 return hci_setup_sync_conn(conn, handle);
529 u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
532 struct hci_dev *hdev = conn->hdev;
533 struct hci_conn_params *params;
534 struct hci_cp_le_conn_update cp;
538 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
540 params->conn_min_interval = min;
541 params->conn_max_interval = max;
542 params->conn_latency = latency;
543 params->supervision_timeout = to_multiplier;
546 hci_dev_unlock(hdev);
548 memset(&cp, 0, sizeof(cp));
549 cp.handle = cpu_to_le16(conn->handle);
550 cp.conn_interval_min = cpu_to_le16(min);
551 cp.conn_interval_max = cpu_to_le16(max);
552 cp.conn_latency = cpu_to_le16(latency);
553 cp.supervision_timeout = cpu_to_le16(to_multiplier);
554 cp.min_ce_len = cpu_to_le16(0x0000);
555 cp.max_ce_len = cpu_to_le16(0x0000);
557 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
565 void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
566 __u8 ltk[16], __u8 key_size)
568 struct hci_dev *hdev = conn->hdev;
569 struct hci_cp_le_start_enc cp;
571 BT_DBG("hcon %p", conn);
573 memset(&cp, 0, sizeof(cp));
575 cp.handle = cpu_to_le16(conn->handle);
578 memcpy(cp.ltk, ltk, key_size);
580 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
583 /* Device _must_ be locked */
584 void hci_sco_setup(struct hci_conn *conn, __u8 status)
586 struct hci_conn *sco = conn->link;
591 BT_DBG("hcon %p", conn);
594 if (lmp_esco_capable(conn->hdev))
595 hci_setup_sync(sco, conn->handle);
597 hci_add_sco(sco, conn->handle);
599 hci_connect_cfm(sco, status);
604 static void hci_conn_timeout(struct work_struct *work)
606 struct hci_conn *conn = container_of(work, struct hci_conn,
608 int refcnt = atomic_read(&conn->refcnt);
610 BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
614 /* FIXME: It was observed that in pairing failed scenario, refcnt
615 * drops below 0. Probably this is because l2cap_conn_del calls
616 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
617 * dropped. After that loop hci_chan_del is called which also drops
618 * conn. For now make sure that ACL is alive if refcnt is higher then 0,
624 hci_abort_conn(conn, hci_proto_disconn_ind(conn));
627 /* Enter sniff mode */
628 static void hci_conn_idle(struct work_struct *work)
630 struct hci_conn *conn = container_of(work, struct hci_conn,
632 struct hci_dev *hdev = conn->hdev;
634 BT_DBG("hcon %p mode %d", conn, conn->mode);
636 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
639 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
642 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
643 struct hci_cp_sniff_subrate cp;
644 cp.handle = cpu_to_le16(conn->handle);
645 cp.max_latency = cpu_to_le16(0);
646 cp.min_remote_timeout = cpu_to_le16(0);
647 cp.min_local_timeout = cpu_to_le16(0);
648 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
651 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
652 struct hci_cp_sniff_mode cp;
653 cp.handle = cpu_to_le16(conn->handle);
654 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
655 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
656 cp.attempt = cpu_to_le16(4);
657 cp.timeout = cpu_to_le16(1);
658 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
662 static void hci_conn_auto_accept(struct work_struct *work)
664 struct hci_conn *conn = container_of(work, struct hci_conn,
665 auto_accept_work.work);
667 hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
671 static void le_disable_advertising(struct hci_dev *hdev)
673 if (ext_adv_capable(hdev)) {
674 struct hci_cp_le_set_ext_adv_enable cp;
677 cp.num_of_sets = 0x00;
679 hci_send_cmd(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE, sizeof(cp),
683 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
688 static void le_conn_timeout(struct work_struct *work)
690 struct hci_conn *conn = container_of(work, struct hci_conn,
691 le_conn_timeout.work);
692 struct hci_dev *hdev = conn->hdev;
696 /* We could end up here due to having done directed advertising,
697 * so clean up the state if necessary. This should however only
698 * happen with broken hardware or if low duty cycle was used
699 * (which doesn't have a timeout of its own).
701 if (conn->role == HCI_ROLE_SLAVE) {
702 /* Disable LE Advertising */
703 le_disable_advertising(hdev);
705 hci_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
706 hci_dev_unlock(hdev);
710 hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
713 struct iso_cig_params {
714 struct hci_cp_le_set_cig_params cp;
715 struct hci_cis_params cis[0x1f];
718 struct iso_list_data {
729 struct iso_cig_params pdu;
732 static void bis_list(struct hci_conn *conn, void *data)
734 struct iso_list_data *d = data;
736 /* Skip if not broadcast/ANY address */
737 if (bacmp(&conn->dst, BDADDR_ANY))
740 if (d->big != conn->iso_qos.big || d->bis == BT_ISO_QOS_BIS_UNSET ||
741 d->bis != conn->iso_qos.bis)
747 static void find_bis(struct hci_conn *conn, void *data)
749 struct iso_list_data *d = data;
752 if (bacmp(&conn->dst, BDADDR_ANY))
758 static int terminate_big_sync(struct hci_dev *hdev, void *data)
760 struct iso_list_data *d = data;
762 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", d->big, d->bis);
764 hci_remove_ext_adv_instance_sync(hdev, d->bis, NULL);
766 /* Check if ISO connection is a BIS and terminate BIG if there are
767 * no other connections using it.
769 hci_conn_hash_list_state(hdev, find_bis, ISO_LINK, BT_CONNECTED, d);
773 return hci_le_terminate_big_sync(hdev, d->big,
774 HCI_ERROR_LOCAL_HOST_TERM);
777 static void terminate_big_destroy(struct hci_dev *hdev, void *data, int err)
782 static int hci_le_terminate_big(struct hci_dev *hdev, u8 big, u8 bis)
784 struct iso_list_data *d;
787 bt_dev_dbg(hdev, "big 0x%2.2x bis 0x%2.2x", big, bis);
789 d = kmalloc(sizeof(*d), GFP_KERNEL);
793 memset(d, 0, sizeof(*d));
797 ret = hci_cmd_sync_queue(hdev, terminate_big_sync, d,
798 terminate_big_destroy);
805 static int big_terminate_sync(struct hci_dev *hdev, void *data)
807 struct iso_list_data *d = data;
809 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", d->big,
812 /* Check if ISO connection is a BIS and terminate BIG if there are
813 * no other connections using it.
815 hci_conn_hash_list_state(hdev, find_bis, ISO_LINK, BT_CONNECTED, d);
819 hci_le_big_terminate_sync(hdev, d->big);
821 return hci_le_pa_terminate_sync(hdev, d->sync_handle);
824 static int hci_le_big_terminate(struct hci_dev *hdev, u8 big, u16 sync_handle)
826 struct iso_list_data *d;
829 bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", big, sync_handle);
831 d = kmalloc(sizeof(*d), GFP_KERNEL);
835 memset(d, 0, sizeof(*d));
837 d->sync_handle = sync_handle;
839 ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d,
840 terminate_big_destroy);
847 /* Cleanup BIS connection
849 * Detects if there any BIS left connected in a BIG
850 * broadcaster: Remove advertising instance and terminate BIG.
851 * broadcaster receiver: Teminate BIG sync and terminate PA sync.
853 static void bis_cleanup(struct hci_conn *conn)
855 struct hci_dev *hdev = conn->hdev;
857 bt_dev_dbg(hdev, "conn %p", conn);
859 if (conn->role == HCI_ROLE_MASTER) {
860 if (!test_and_clear_bit(HCI_CONN_PER_ADV, &conn->flags))
863 hci_le_terminate_big(hdev, conn->iso_qos.big,
866 hci_le_big_terminate(hdev, conn->iso_qos.big,
871 static int remove_cig_sync(struct hci_dev *hdev, void *data)
873 u8 handle = PTR_ERR(data);
875 return hci_le_remove_cig_sync(hdev, handle);
878 static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle)
880 bt_dev_dbg(hdev, "handle 0x%2.2x", handle);
882 return hci_cmd_sync_queue(hdev, remove_cig_sync, ERR_PTR(handle), NULL);
885 static void find_cis(struct hci_conn *conn, void *data)
887 struct iso_list_data *d = data;
889 /* Ignore broadcast */
890 if (!bacmp(&conn->dst, BDADDR_ANY))
896 /* Cleanup CIS connection:
898 * Detects if there any CIS left connected in a CIG and remove it.
900 static void cis_cleanup(struct hci_conn *conn)
902 struct hci_dev *hdev = conn->hdev;
903 struct iso_list_data d;
905 memset(&d, 0, sizeof(d));
906 d.cig = conn->iso_qos.cig;
908 /* Check if ISO connection is a CIS and remove CIG if there are
909 * no other connections using it.
911 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_BOUND, &d);
912 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECT, &d);
913 hci_conn_hash_list_state(hdev, find_cis, ISO_LINK, BT_CONNECTED, &d);
917 hci_le_remove_cig(hdev, conn->iso_qos.cig);
920 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
923 struct hci_conn *conn;
925 BT_DBG("%s dst %pMR", hdev->name, dst);
927 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
931 bacpy(&conn->dst, dst);
932 bacpy(&conn->src, &hdev->bdaddr);
933 conn->handle = HCI_CONN_HANDLE_UNSET;
937 conn->mode = HCI_CM_ACTIVE;
938 conn->state = BT_OPEN;
939 conn->auth_type = HCI_AT_GENERAL_BONDING;
940 conn->io_capability = hdev->io_capability;
941 conn->remote_auth = 0xff;
942 conn->key_type = 0xff;
943 conn->rssi = HCI_RSSI_INVALID;
944 conn->tx_power = HCI_TX_POWER_INVALID;
945 conn->max_tx_power = HCI_TX_POWER_INVALID;
947 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
948 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
950 /* Set Default Authenticated payload timeout to 30s */
951 conn->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
953 if (conn->role == HCI_ROLE_MASTER)
958 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
961 /* conn->src should reflect the local identity address */
962 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
965 /* conn->src should reflect the local identity address */
966 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
968 /* set proper cleanup function */
969 if (!bacmp(dst, BDADDR_ANY))
970 conn->cleanup = bis_cleanup;
971 else if (conn->role == HCI_ROLE_MASTER)
972 conn->cleanup = cis_cleanup;
976 if (lmp_esco_capable(hdev))
977 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
978 (hdev->esco_type & EDR_ESCO_MASK);
980 conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
983 conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
987 skb_queue_head_init(&conn->data_q);
989 INIT_LIST_HEAD(&conn->chan_list);
991 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
992 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
993 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
994 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
996 atomic_set(&conn->refcnt, 0);
1000 hci_conn_hash_add(hdev, conn);
1002 /* The SCO and eSCO connections will only be notified when their
1003 * setup has been completed. This is different to ACL links which
1004 * can be notified right away.
1006 if (conn->type != SCO_LINK && conn->type != ESCO_LINK) {
1008 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
1011 hci_conn_init_sysfs(conn);
1016 static bool hci_conn_unlink(struct hci_conn *conn)
1021 conn->link->link = NULL;
1027 int hci_conn_del(struct hci_conn *conn)
1029 struct hci_dev *hdev = conn->hdev;
1031 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
1033 cancel_delayed_work_sync(&conn->disc_work);
1034 cancel_delayed_work_sync(&conn->auto_accept_work);
1035 cancel_delayed_work_sync(&conn->idle_work);
1037 if (conn->type == ACL_LINK) {
1038 struct hci_conn *link = conn->link;
1041 hci_conn_unlink(conn);
1042 /* Due to race, SCO connection might be not established
1043 * yet at this point. Delete it now, otherwise it is
1044 * possible for it to be stuck and can't be deleted.
1046 if (link->handle == HCI_CONN_HANDLE_UNSET)
1050 /* Unacked frames */
1051 hdev->acl_cnt += conn->sent;
1052 } else if (conn->type == LE_LINK) {
1053 cancel_delayed_work(&conn->le_conn_timeout);
1056 hdev->le_cnt += conn->sent;
1058 hdev->acl_cnt += conn->sent;
1060 struct hci_conn *acl = conn->link;
1063 hci_conn_unlink(conn);
1067 /* Unacked ISO frames */
1068 if (conn->type == ISO_LINK) {
1070 hdev->iso_cnt += conn->sent;
1071 else if (hdev->le_pkts)
1072 hdev->le_cnt += conn->sent;
1074 hdev->acl_cnt += conn->sent;
1079 amp_mgr_put(conn->amp_mgr);
1081 skb_queue_purge(&conn->data_q);
1083 /* Remove the connection from the list and cleanup its remaining
1084 * state. This is a separate function since for some cases like
1085 * BT_CONNECT_SCAN we *only* want the cleanup part without the
1086 * rest of hci_conn_del.
1088 hci_conn_cleanup(conn);
1093 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type)
1095 int use_src = bacmp(src, BDADDR_ANY);
1096 struct hci_dev *hdev = NULL, *d;
1098 BT_DBG("%pMR -> %pMR", src, dst);
1100 read_lock(&hci_dev_list_lock);
1102 list_for_each_entry(d, &hci_dev_list, list) {
1103 if (!test_bit(HCI_UP, &d->flags) ||
1104 hci_dev_test_flag(d, HCI_USER_CHANNEL) ||
1105 d->dev_type != HCI_PRIMARY)
1109 * No source address - find interface with bdaddr != dst
1110 * Source address - find interface with bdaddr == src
1117 if (src_type == BDADDR_BREDR) {
1118 if (!lmp_bredr_capable(d))
1120 bacpy(&id_addr, &d->bdaddr);
1121 id_addr_type = BDADDR_BREDR;
1123 if (!lmp_le_capable(d))
1126 hci_copy_identity_address(d, &id_addr,
1129 /* Convert from HCI to three-value type */
1130 if (id_addr_type == ADDR_LE_DEV_PUBLIC)
1131 id_addr_type = BDADDR_LE_PUBLIC;
1133 id_addr_type = BDADDR_LE_RANDOM;
1136 if (!bacmp(&id_addr, src) && id_addr_type == src_type) {
1140 if (bacmp(&d->bdaddr, dst)) {
1147 hdev = hci_dev_hold(hdev);
1149 read_unlock(&hci_dev_list_lock);
1152 EXPORT_SYMBOL(hci_get_route);
1154 /* This function requires the caller holds hdev->lock */
1155 static void hci_le_conn_failed(struct hci_conn *conn, u8 status)
1157 struct hci_dev *hdev = conn->hdev;
1159 hci_connect_le_scan_cleanup(conn, status);
1161 /* Enable advertising in case this was a failed connection
1162 * attempt as a peripheral.
1164 hci_enable_advertising(hdev);
1167 /* This function requires the caller holds hdev->lock */
1168 void hci_conn_failed(struct hci_conn *conn, u8 status)
1170 struct hci_dev *hdev = conn->hdev;
1172 bt_dev_dbg(hdev, "status 0x%2.2x", status);
1174 switch (conn->type) {
1176 hci_le_conn_failed(conn, status);
1179 mgmt_connect_failed(hdev, &conn->dst, conn->type,
1180 conn->dst_type, status);
1184 conn->state = BT_CLOSED;
1185 hci_connect_cfm(conn, status);
1189 static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
1191 struct hci_conn *conn = data;
1193 bt_dev_dbg(hdev, "err %d", err);
1198 hci_connect_le_scan_cleanup(conn, 0x00);
1202 /* Check if connection is still pending */
1203 if (conn != hci_lookup_le_connect(hdev))
1206 hci_conn_failed(conn, bt_status(err));
1209 hci_dev_unlock(hdev);
1212 static int hci_connect_le_sync(struct hci_dev *hdev, void *data)
1214 struct hci_conn *conn = data;
1216 bt_dev_dbg(hdev, "conn %p", conn);
1218 return hci_le_create_conn_sync(hdev, conn);
1221 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
1222 u8 dst_type, bool dst_resolved, u8 sec_level,
1223 u16 conn_timeout, u8 role)
1225 struct hci_conn *conn;
1226 struct smp_irk *irk;
1229 /* Let's make sure that le is enabled.*/
1230 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1231 if (lmp_le_capable(hdev))
1232 return ERR_PTR(-ECONNREFUSED);
1234 return ERR_PTR(-EOPNOTSUPP);
1237 /* Since the controller supports only one LE connection attempt at a
1238 * time, we return -EBUSY if there is any connection attempt running.
1240 if (hci_lookup_le_connect(hdev))
1241 return ERR_PTR(-EBUSY);
1243 /* If there's already a connection object but it's not in
1244 * scanning state it means it must already be established, in
1245 * which case we can't do anything else except report a failure
1248 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1249 if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) {
1250 return ERR_PTR(-EBUSY);
1253 /* Check if the destination address has been resolved by the controller
1254 * since if it did then the identity address shall be used.
1256 if (!dst_resolved) {
1257 /* When given an identity address with existing identity
1258 * resolving key, the connection needs to be established
1259 * to a resolvable random address.
1261 * Storing the resolvable random address is required here
1262 * to handle connection failures. The address will later
1263 * be resolved back into the original identity address
1264 * from the connect request.
1266 irk = hci_find_irk_by_addr(hdev, dst, dst_type);
1267 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
1269 dst_type = ADDR_LE_DEV_RANDOM;
1274 bacpy(&conn->dst, dst);
1276 conn = hci_conn_add(hdev, LE_LINK, dst, role);
1278 return ERR_PTR(-ENOMEM);
1279 hci_conn_hold(conn);
1280 conn->pending_sec_level = sec_level;
1283 conn->dst_type = dst_type;
1284 conn->sec_level = BT_SECURITY_LOW;
1285 conn->conn_timeout = conn_timeout;
1287 conn->state = BT_CONNECT;
1288 clear_bit(HCI_CONN_SCANNING, &conn->flags);
1290 err = hci_cmd_sync_queue(hdev, hci_connect_le_sync, conn,
1291 create_le_conn_complete);
1294 return ERR_PTR(err);
1300 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
1302 struct hci_conn *conn;
1304 conn = hci_conn_hash_lookup_le(hdev, addr, type);
1308 if (conn->state != BT_CONNECTED)
1314 /* This function requires the caller holds hdev->lock */
1315 static int hci_explicit_conn_params_set(struct hci_dev *hdev,
1316 bdaddr_t *addr, u8 addr_type)
1318 struct hci_conn_params *params;
1320 if (is_connected(hdev, addr, addr_type))
1323 params = hci_conn_params_lookup(hdev, addr, addr_type);
1325 params = hci_conn_params_add(hdev, addr, addr_type);
1329 /* If we created new params, mark them to be deleted in
1330 * hci_connect_le_scan_cleanup. It's different case than
1331 * existing disabled params, those will stay after cleanup.
1333 params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
1336 /* We're trying to connect, so make sure params are at pend_le_conns */
1337 if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
1338 params->auto_connect == HCI_AUTO_CONN_REPORT ||
1339 params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
1340 hci_pend_le_list_del_init(params);
1341 hci_pend_le_list_add(params, &hdev->pend_le_conns);
1344 params->explicit_connect = true;
1346 BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
1347 params->auto_connect);
1352 static int qos_set_big(struct hci_dev *hdev, struct bt_iso_qos *qos)
1354 struct iso_list_data data;
1356 /* Allocate a BIG if not set */
1357 if (qos->big == BT_ISO_QOS_BIG_UNSET) {
1358 for (data.big = 0x00; data.big < 0xef; data.big++) {
1362 hci_conn_hash_list_state(hdev, bis_list, ISO_LINK,
1368 if (data.big == 0xef)
1369 return -EADDRNOTAVAIL;
1372 qos->big = data.big;
1378 static int qos_set_bis(struct hci_dev *hdev, struct bt_iso_qos *qos)
1380 struct iso_list_data data;
1382 /* Allocate BIS if not set */
1383 if (qos->bis == BT_ISO_QOS_BIS_UNSET) {
1384 /* Find an unused adv set to advertise BIS, skip instance 0x00
1385 * since it is reserved as general purpose set.
1387 for (data.bis = 0x01; data.bis < hdev->le_num_of_adv_sets;
1391 hci_conn_hash_list_state(hdev, bis_list, ISO_LINK,
1397 if (data.bis == hdev->le_num_of_adv_sets)
1398 return -EADDRNOTAVAIL;
1401 qos->bis = data.bis;
1407 /* This function requires the caller holds hdev->lock */
1408 static struct hci_conn *hci_add_bis(struct hci_dev *hdev, bdaddr_t *dst,
1409 struct bt_iso_qos *qos)
1411 struct hci_conn *conn;
1412 struct iso_list_data data;
1415 /* Let's make sure that le is enabled.*/
1416 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1417 if (lmp_le_capable(hdev))
1418 return ERR_PTR(-ECONNREFUSED);
1419 return ERR_PTR(-EOPNOTSUPP);
1422 err = qos_set_big(hdev, qos);
1424 return ERR_PTR(err);
1426 err = qos_set_bis(hdev, qos);
1428 return ERR_PTR(err);
1430 data.big = qos->big;
1431 data.bis = qos->bis;
1434 /* Check if there is already a matching BIG/BIS */
1435 hci_conn_hash_list_state(hdev, bis_list, ISO_LINK, BT_BOUND, &data);
1437 return ERR_PTR(-EADDRINUSE);
1439 conn = hci_conn_hash_lookup_bis(hdev, dst, qos->big, qos->bis);
1441 return ERR_PTR(-EADDRINUSE);
1443 conn = hci_conn_add(hdev, ISO_LINK, dst, HCI_ROLE_MASTER);
1445 return ERR_PTR(-ENOMEM);
1447 set_bit(HCI_CONN_PER_ADV, &conn->flags);
1448 conn->state = BT_CONNECT;
1450 hci_conn_hold(conn);
1454 /* This function requires the caller holds hdev->lock */
1455 struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
1456 u8 dst_type, u8 sec_level,
1458 enum conn_reasons conn_reason)
1460 struct hci_conn *conn;
1462 /* Let's make sure that le is enabled.*/
1463 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1464 if (lmp_le_capable(hdev))
1465 return ERR_PTR(-ECONNREFUSED);
1467 return ERR_PTR(-EOPNOTSUPP);
1470 /* Some devices send ATT messages as soon as the physical link is
1471 * established. To be able to handle these ATT messages, the user-
1472 * space first establishes the connection and then starts the pairing
1475 * So if a hci_conn object already exists for the following connection
1476 * attempt, we simply update pending_sec_level and auth_type fields
1477 * and return the object found.
1479 conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1481 if (conn->pending_sec_level < sec_level)
1482 conn->pending_sec_level = sec_level;
1486 BT_DBG("requesting refresh of dst_addr");
1488 conn = hci_conn_add(hdev, LE_LINK, dst, HCI_ROLE_MASTER);
1490 return ERR_PTR(-ENOMEM);
1492 if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) {
1494 return ERR_PTR(-EBUSY);
1497 conn->state = BT_CONNECT;
1498 set_bit(HCI_CONN_SCANNING, &conn->flags);
1499 conn->dst_type = dst_type;
1500 conn->sec_level = BT_SECURITY_LOW;
1501 conn->pending_sec_level = sec_level;
1502 conn->conn_timeout = conn_timeout;
1503 conn->conn_reason = conn_reason;
1505 hci_update_passive_scan(hdev);
1508 hci_conn_hold(conn);
1512 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
1513 u8 sec_level, u8 auth_type,
1514 enum conn_reasons conn_reason)
1516 struct hci_conn *acl;
1518 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1519 if (lmp_bredr_capable(hdev))
1520 return ERR_PTR(-ECONNREFUSED);
1522 return ERR_PTR(-EOPNOTSUPP);
1525 /* Reject outgoing connection to device with same BD ADDR against
1528 if (!bacmp(&hdev->bdaddr, dst)) {
1529 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
1531 return ERR_PTR(-ECONNREFUSED);
1534 acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
1536 acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
1538 return ERR_PTR(-ENOMEM);
1543 acl->conn_reason = conn_reason;
1544 if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
1545 acl->sec_level = BT_SECURITY_LOW;
1546 acl->pending_sec_level = sec_level;
1547 acl->auth_type = auth_type;
1548 hci_acl_create_connection(acl);
1554 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
1555 __u16 setting, struct bt_codec *codec)
1557 struct hci_conn *acl;
1558 struct hci_conn *sco;
1560 acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING,
1561 CONN_REASON_SCO_CONNECT);
1565 sco = hci_conn_hash_lookup_ba(hdev, type, dst);
1567 sco = hci_conn_add(hdev, type, dst, HCI_ROLE_MASTER);
1570 return ERR_PTR(-ENOMEM);
1579 sco->setting = setting;
1580 sco->codec = *codec;
1582 if (acl->state == BT_CONNECTED &&
1583 (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
1584 set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
1585 hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
1587 if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
1588 /* defer SCO setup until mode change completed */
1589 set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
1593 hci_sco_setup(acl, 0x00);
1599 static void cis_add(struct iso_list_data *d, struct bt_iso_qos *qos)
1601 struct hci_cis_params *cis = &d->pdu.cis[d->pdu.cp.num_cis];
1603 cis->cis_id = qos->cis;
1604 cis->c_sdu = cpu_to_le16(qos->out.sdu);
1605 cis->p_sdu = cpu_to_le16(qos->in.sdu);
1606 cis->c_phy = qos->out.phy ? qos->out.phy : qos->in.phy;
1607 cis->p_phy = qos->in.phy ? qos->in.phy : qos->out.phy;
1608 cis->c_rtn = qos->out.rtn;
1609 cis->p_rtn = qos->in.rtn;
1611 d->pdu.cp.num_cis++;
1614 static void cis_list(struct hci_conn *conn, void *data)
1616 struct iso_list_data *d = data;
1618 /* Skip if broadcast/ANY address */
1619 if (!bacmp(&conn->dst, BDADDR_ANY))
1622 if (d->cig != conn->iso_qos.cig || d->cis == BT_ISO_QOS_CIS_UNSET ||
1623 d->cis != conn->iso_qos.cis)
1628 if (d->pdu.cp.cig_id == BT_ISO_QOS_CIG_UNSET ||
1629 d->count >= ARRAY_SIZE(d->pdu.cis))
1632 cis_add(d, &conn->iso_qos);
1635 static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos)
1637 struct hci_dev *hdev = conn->hdev;
1638 struct hci_cp_le_create_big cp;
1640 memset(&cp, 0, sizeof(cp));
1642 cp.handle = qos->big;
1643 cp.adv_handle = qos->bis;
1645 hci_cpu_to_le24(qos->out.interval, cp.bis.sdu_interval);
1646 cp.bis.sdu = cpu_to_le16(qos->out.sdu);
1647 cp.bis.latency = cpu_to_le16(qos->out.latency);
1648 cp.bis.rtn = qos->out.rtn;
1649 cp.bis.phy = qos->out.phy;
1650 cp.bis.packing = qos->packing;
1651 cp.bis.framing = qos->framing;
1652 cp.bis.encryption = 0x00;
1653 memset(&cp.bis.bcode, 0, sizeof(cp.bis.bcode));
1655 return hci_send_cmd(hdev, HCI_OP_LE_CREATE_BIG, sizeof(cp), &cp);
1658 static void set_cig_params_complete(struct hci_dev *hdev, void *data, int err)
1660 struct iso_cig_params *pdu = data;
1662 bt_dev_dbg(hdev, "");
1665 bt_dev_err(hdev, "Unable to set CIG parameters: %d", err);
1670 static int set_cig_params_sync(struct hci_dev *hdev, void *data)
1672 struct iso_cig_params *pdu = data;
1675 plen = sizeof(pdu->cp) + pdu->cp.num_cis * sizeof(pdu->cis[0]);
1676 return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_CIG_PARAMS, plen, pdu,
1680 static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos)
1682 struct hci_dev *hdev = conn->hdev;
1683 struct iso_list_data data;
1684 struct iso_cig_params *pdu;
1686 memset(&data, 0, sizeof(data));
1688 /* Allocate a CIG if not set */
1689 if (qos->cig == BT_ISO_QOS_CIG_UNSET) {
1690 for (data.cig = 0x00; data.cig < 0xff; data.cig++) {
1694 hci_conn_hash_list_state(hdev, cis_list, ISO_LINK,
1699 hci_conn_hash_list_state(hdev, cis_list, ISO_LINK,
1700 BT_CONNECTED, &data);
1705 if (data.cig == 0xff)
1709 qos->cig = data.cig;
1712 data.pdu.cp.cig_id = qos->cig;
1713 hci_cpu_to_le24(qos->out.interval, data.pdu.cp.c_interval);
1714 hci_cpu_to_le24(qos->in.interval, data.pdu.cp.p_interval);
1715 data.pdu.cp.sca = qos->sca;
1716 data.pdu.cp.packing = qos->packing;
1717 data.pdu.cp.framing = qos->framing;
1718 data.pdu.cp.c_latency = cpu_to_le16(qos->out.latency);
1719 data.pdu.cp.p_latency = cpu_to_le16(qos->in.latency);
1721 if (qos->cis != BT_ISO_QOS_CIS_UNSET) {
1723 data.cig = qos->cig;
1724 data.cis = qos->cis;
1726 hci_conn_hash_list_state(hdev, cis_list, ISO_LINK, BT_BOUND,
1731 cis_add(&data, qos);
1734 /* Reprogram all CIS(s) with the same CIG */
1735 for (data.cig = qos->cig, data.cis = 0x00; data.cis < 0x11;
1739 hci_conn_hash_list_state(hdev, cis_list, ISO_LINK, BT_BOUND,
1744 /* Allocate a CIS if not set */
1745 if (qos->cis == BT_ISO_QOS_CIS_UNSET) {
1747 qos->cis = data.cis;
1748 cis_add(&data, qos);
1752 if (qos->cis == BT_ISO_QOS_CIS_UNSET || !data.pdu.cp.num_cis)
1755 pdu = kzalloc(sizeof(*pdu), GFP_KERNEL);
1759 memcpy(pdu, &data.pdu, sizeof(*pdu));
1761 if (hci_cmd_sync_queue(hdev, set_cig_params_sync, pdu,
1762 set_cig_params_complete) < 0) {
1770 struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst,
1771 __u8 dst_type, struct bt_iso_qos *qos)
1773 struct hci_conn *cis;
1775 cis = hci_conn_hash_lookup_cis(hdev, dst, dst_type);
1777 cis = hci_conn_add(hdev, ISO_LINK, dst, HCI_ROLE_MASTER);
1779 return ERR_PTR(-ENOMEM);
1780 cis->cleanup = cis_cleanup;
1781 cis->dst_type = dst_type;
1784 if (cis->state == BT_CONNECTED)
1787 /* Check if CIS has been set and the settings matches */
1788 if (cis->state == BT_BOUND &&
1789 !memcmp(&cis->iso_qos, qos, sizeof(*qos)))
1792 /* Update LINK PHYs according to QoS preference */
1793 cis->le_tx_phy = qos->out.phy;
1794 cis->le_rx_phy = qos->in.phy;
1796 /* If output interval is not set use the input interval as it cannot be
1799 if (!qos->out.interval)
1800 qos->out.interval = qos->in.interval;
1802 /* If input interval is not set use the output interval as it cannot be
1805 if (!qos->in.interval)
1806 qos->in.interval = qos->out.interval;
1808 /* If output latency is not set use the input latency as it cannot be
1811 if (!qos->out.latency)
1812 qos->out.latency = qos->in.latency;
1814 /* If input latency is not set use the output latency as it cannot be
1817 if (!qos->in.latency)
1818 qos->in.latency = qos->out.latency;
1820 if (!hci_le_set_cig_params(cis, qos)) {
1822 return ERR_PTR(-EINVAL);
1825 cis->iso_qos = *qos;
1826 cis->state = BT_BOUND;
1831 bool hci_iso_setup_path(struct hci_conn *conn)
1833 struct hci_dev *hdev = conn->hdev;
1834 struct hci_cp_le_setup_iso_path cmd;
1836 memset(&cmd, 0, sizeof(cmd));
1838 if (conn->iso_qos.out.sdu) {
1839 cmd.handle = cpu_to_le16(conn->handle);
1840 cmd.direction = 0x00; /* Input (Host to Controller) */
1841 cmd.path = 0x00; /* HCI path if enabled */
1842 cmd.codec = 0x03; /* Transparent Data */
1844 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
1849 if (conn->iso_qos.in.sdu) {
1850 cmd.handle = cpu_to_le16(conn->handle);
1851 cmd.direction = 0x01; /* Output (Controller to Host) */
1852 cmd.path = 0x00; /* HCI path if enabled */
1853 cmd.codec = 0x03; /* Transparent Data */
1855 if (hci_send_cmd(hdev, HCI_OP_LE_SETUP_ISO_PATH, sizeof(cmd),
1863 static int hci_create_cis_sync(struct hci_dev *hdev, void *data)
1866 struct hci_cp_le_create_cis cp;
1867 struct hci_cis cis[0x1f];
1869 struct hci_conn *conn = data;
1872 memset(&cmd, 0, sizeof(cmd));
1873 cmd.cis[0].acl_handle = cpu_to_le16(conn->link->handle);
1874 cmd.cis[0].cis_handle = cpu_to_le16(conn->handle);
1876 cig = conn->iso_qos.cig;
1882 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
1883 struct hci_cis *cis = &cmd.cis[cmd.cp.num_cis];
1885 if (conn == data || conn->type != ISO_LINK ||
1886 conn->state == BT_CONNECTED || conn->iso_qos.cig != cig)
1889 /* Check if all CIS(s) belonging to a CIG are ready */
1890 if (!conn->link || conn->link->state != BT_CONNECTED ||
1891 conn->state != BT_CONNECT) {
1896 /* Group all CIS with state BT_CONNECT since the spec don't
1897 * allow to send them individually:
1899 * BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E
1902 * If the Host issues this command before all the
1903 * HCI_LE_CIS_Established events from the previous use of the
1904 * command have been generated, the Controller shall return the
1905 * error code Command Disallowed (0x0C).
1907 cis->acl_handle = cpu_to_le16(conn->link->handle);
1908 cis->cis_handle = cpu_to_le16(conn->handle);
1914 hci_dev_unlock(hdev);
1916 if (!cmd.cp.num_cis)
1919 return hci_send_cmd(hdev, HCI_OP_LE_CREATE_CIS, sizeof(cmd.cp) +
1920 sizeof(cmd.cis[0]) * cmd.cp.num_cis, &cmd);
1923 int hci_le_create_cis(struct hci_conn *conn)
1925 struct hci_conn *cis;
1926 struct hci_dev *hdev = conn->hdev;
1929 switch (conn->type) {
1931 if (!conn->link || conn->state != BT_CONNECTED)
1942 if (cis->state == BT_CONNECT)
1945 /* Queue Create CIS */
1946 err = hci_cmd_sync_queue(hdev, hci_create_cis_sync, cis, NULL);
1950 cis->state = BT_CONNECT;
1955 static void hci_iso_qos_setup(struct hci_dev *hdev, struct hci_conn *conn,
1956 struct bt_iso_io_qos *qos, __u8 phy)
1958 /* Only set MTU if PHY is enabled */
1959 if (!qos->sdu && qos->phy) {
1960 if (hdev->iso_mtu > 0)
1961 qos->sdu = hdev->iso_mtu;
1962 else if (hdev->le_mtu > 0)
1963 qos->sdu = hdev->le_mtu;
1965 qos->sdu = hdev->acl_mtu;
1968 /* Use the same PHY as ACL if set to any */
1969 if (qos->phy == BT_ISO_PHY_ANY)
1972 /* Use LE ACL connection interval if not set */
1974 /* ACL interval unit in 1.25 ms to us */
1975 qos->interval = conn->le_conn_interval * 1250;
1977 /* Use LE ACL connection latency if not set */
1979 qos->latency = conn->le_conn_latency;
1982 static void hci_bind_bis(struct hci_conn *conn,
1983 struct bt_iso_qos *qos)
1985 /* Update LINK PHYs according to QoS preference */
1986 conn->le_tx_phy = qos->out.phy;
1987 conn->le_tx_phy = qos->out.phy;
1988 conn->iso_qos = *qos;
1989 conn->state = BT_BOUND;
1992 static int create_big_sync(struct hci_dev *hdev, void *data)
1994 struct hci_conn *conn = data;
1995 struct bt_iso_qos *qos = &conn->iso_qos;
1996 u16 interval, sync_interval = 0;
2000 if (qos->out.phy == 0x02)
2001 flags |= MGMT_ADV_FLAG_SEC_2M;
2003 /* Align intervals */
2004 interval = qos->out.interval / 1250;
2007 sync_interval = qos->sync_interval * 1600;
2009 err = hci_start_per_adv_sync(hdev, qos->bis, conn->le_per_adv_data_len,
2010 conn->le_per_adv_data, flags, interval,
2011 interval, sync_interval);
2015 return hci_le_create_big(conn, &conn->iso_qos);
2018 static void create_pa_complete(struct hci_dev *hdev, void *data, int err)
2020 struct hci_cp_le_pa_create_sync *cp = data;
2022 bt_dev_dbg(hdev, "");
2025 bt_dev_err(hdev, "Unable to create PA: %d", err);
2030 static int create_pa_sync(struct hci_dev *hdev, void *data)
2032 struct hci_cp_le_pa_create_sync *cp = data;
2035 err = __hci_cmd_sync_status(hdev, HCI_OP_LE_PA_CREATE_SYNC,
2036 sizeof(*cp), cp, HCI_CMD_TIMEOUT);
2038 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
2042 return hci_update_passive_scan_sync(hdev);
2045 int hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst, __u8 dst_type,
2048 struct hci_cp_le_pa_create_sync *cp;
2050 if (hci_dev_test_and_set_flag(hdev, HCI_PA_SYNC))
2053 cp = kmalloc(sizeof(*cp), GFP_KERNEL);
2055 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
2059 /* Convert from ISO socket address type to HCI address type */
2060 if (dst_type == BDADDR_LE_PUBLIC)
2061 dst_type = ADDR_LE_DEV_PUBLIC;
2063 dst_type = ADDR_LE_DEV_RANDOM;
2065 memset(cp, 0, sizeof(*cp));
2067 cp->addr_type = dst_type;
2068 bacpy(&cp->addr, dst);
2070 /* Queue start pa_create_sync and scan */
2071 return hci_cmd_sync_queue(hdev, create_pa_sync, cp, create_pa_complete);
2074 int hci_le_big_create_sync(struct hci_dev *hdev, struct bt_iso_qos *qos,
2075 __u16 sync_handle, __u8 num_bis, __u8 bis[])
2078 struct hci_cp_le_big_create_sync cp;
2083 if (num_bis > sizeof(pdu.bis))
2086 err = qos_set_big(hdev, qos);
2090 memset(&pdu, 0, sizeof(pdu));
2091 pdu.cp.handle = qos->big;
2092 pdu.cp.sync_handle = cpu_to_le16(sync_handle);
2093 pdu.cp.num_bis = num_bis;
2094 memcpy(pdu.bis, bis, num_bis);
2096 return hci_send_cmd(hdev, HCI_OP_LE_BIG_CREATE_SYNC,
2097 sizeof(pdu.cp) + num_bis, &pdu);
2100 static void create_big_complete(struct hci_dev *hdev, void *data, int err)
2102 struct hci_conn *conn = data;
2104 bt_dev_dbg(hdev, "conn %p", conn);
2107 bt_dev_err(hdev, "Unable to create BIG: %d", err);
2108 hci_connect_cfm(conn, err);
2113 struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst,
2114 __u8 dst_type, struct bt_iso_qos *qos,
2115 __u8 base_len, __u8 *base)
2117 struct hci_conn *conn;
2120 /* We need hci_conn object using the BDADDR_ANY as dst */
2121 conn = hci_add_bis(hdev, dst, qos);
2125 hci_bind_bis(conn, qos);
2127 /* Add Basic Announcement into Peridic Adv Data if BASE is set */
2128 if (base_len && base) {
2129 base_len = eir_append_service_data(conn->le_per_adv_data, 0,
2130 0x1851, base, base_len);
2131 conn->le_per_adv_data_len = base_len;
2134 /* Queue start periodic advertising and create BIG */
2135 err = hci_cmd_sync_queue(hdev, create_big_sync, conn,
2136 create_big_complete);
2138 hci_conn_drop(conn);
2139 return ERR_PTR(err);
2142 hci_iso_qos_setup(hdev, conn, &qos->out,
2143 conn->le_tx_phy ? conn->le_tx_phy :
2144 hdev->le_tx_def_phys);
2149 struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst,
2150 __u8 dst_type, struct bt_iso_qos *qos)
2152 struct hci_conn *le;
2153 struct hci_conn *cis;
2155 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
2156 le = hci_connect_le(hdev, dst, dst_type, false,
2158 HCI_LE_CONN_TIMEOUT,
2161 le = hci_connect_le_scan(hdev, dst, dst_type,
2163 HCI_LE_CONN_TIMEOUT,
2164 CONN_REASON_ISO_CONNECT);
2168 hci_iso_qos_setup(hdev, le, &qos->out,
2169 le->le_tx_phy ? le->le_tx_phy : hdev->le_tx_def_phys);
2170 hci_iso_qos_setup(hdev, le, &qos->in,
2171 le->le_rx_phy ? le->le_rx_phy : hdev->le_rx_def_phys);
2173 cis = hci_bind_cis(hdev, dst, dst_type, qos);
2184 /* If LE is already connected and CIS handle is already set proceed to
2185 * Create CIS immediately.
2187 if (le->state == BT_CONNECTED && cis->handle != HCI_CONN_HANDLE_UNSET)
2188 hci_le_create_cis(le);
2193 /* Check link security requirement */
2194 int hci_conn_check_link_mode(struct hci_conn *conn)
2196 BT_DBG("hcon %p", conn);
2198 /* In Secure Connections Only mode, it is required that Secure
2199 * Connections is used and the link is encrypted with AES-CCM
2200 * using a P-256 authenticated combination key.
2202 if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) {
2203 if (!hci_conn_sc_enabled(conn) ||
2204 !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2205 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
2209 /* AES encryption is required for Level 4:
2211 * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C
2214 * 128-bit equivalent strength for link and encryption keys
2215 * required using FIPS approved algorithms (E0 not allowed,
2216 * SAFER+ not allowed, and P-192 not allowed; encryption key
2219 if (conn->sec_level == BT_SECURITY_FIPS &&
2220 !test_bit(HCI_CONN_AES_CCM, &conn->flags)) {
2221 bt_dev_err(conn->hdev,
2222 "Invalid security: Missing AES-CCM usage");
2226 if (hci_conn_ssp_enabled(conn) &&
2227 !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2233 /* Authenticate remote device */
2234 static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
2236 BT_DBG("hcon %p", conn);
2238 if (conn->pending_sec_level > sec_level)
2239 sec_level = conn->pending_sec_level;
2241 if (sec_level > conn->sec_level)
2242 conn->pending_sec_level = sec_level;
2243 else if (test_bit(HCI_CONN_AUTH, &conn->flags))
2246 /* Make sure we preserve an existing MITM requirement*/
2247 auth_type |= (conn->auth_type & 0x01);
2249 conn->auth_type = auth_type;
2251 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2252 struct hci_cp_auth_requested cp;
2254 cp.handle = cpu_to_le16(conn->handle);
2255 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
2258 /* Set the ENCRYPT_PEND to trigger encryption after
2261 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2262 set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2268 /* Encrypt the link */
2269 static void hci_conn_encrypt(struct hci_conn *conn)
2271 BT_DBG("hcon %p", conn);
2273 if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2274 struct hci_cp_set_conn_encrypt cp;
2275 cp.handle = cpu_to_le16(conn->handle);
2277 hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2282 /* Enable security */
2283 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
2286 BT_DBG("hcon %p", conn);
2288 if (conn->type == LE_LINK)
2289 return smp_conn_security(conn, sec_level);
2291 /* For sdp we don't need the link key. */
2292 if (sec_level == BT_SECURITY_SDP)
2295 /* For non 2.1 devices and low security level we don't need the link
2297 if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
2300 /* For other security levels we need the link key. */
2301 if (!test_bit(HCI_CONN_AUTH, &conn->flags))
2304 switch (conn->key_type) {
2305 case HCI_LK_AUTH_COMBINATION_P256:
2306 /* An authenticated FIPS approved combination key has
2307 * sufficient security for security level 4 or lower.
2309 if (sec_level <= BT_SECURITY_FIPS)
2312 case HCI_LK_AUTH_COMBINATION_P192:
2313 /* An authenticated combination key has sufficient security for
2314 * security level 3 or lower.
2316 if (sec_level <= BT_SECURITY_HIGH)
2319 case HCI_LK_UNAUTH_COMBINATION_P192:
2320 case HCI_LK_UNAUTH_COMBINATION_P256:
2321 /* An unauthenticated combination key has sufficient security
2322 * for security level 2 or lower.
2324 if (sec_level <= BT_SECURITY_MEDIUM)
2327 case HCI_LK_COMBINATION:
2328 /* A combination key has always sufficient security for the
2329 * security levels 2 or lower. High security level requires the
2330 * combination key is generated using maximum PIN code length
2331 * (16). For pre 2.1 units.
2333 if (sec_level <= BT_SECURITY_MEDIUM || conn->pin_length == 16)
2341 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
2345 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2347 if (!hci_conn_auth(conn, sec_level, auth_type))
2351 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) {
2352 /* Ensure that the encryption key size has been read,
2353 * otherwise stall the upper layer responses.
2355 if (!conn->enc_key_size)
2358 /* Nothing else needed, all requirements are met */
2362 hci_conn_encrypt(conn);
2365 EXPORT_SYMBOL(hci_conn_security);
2367 /* Check secure link requirement */
2368 int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
2370 BT_DBG("hcon %p", conn);
2372 /* Accept if non-secure or higher security level is required */
2373 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
2376 /* Accept if secure or higher security level is already present */
2377 if (conn->sec_level == BT_SECURITY_HIGH ||
2378 conn->sec_level == BT_SECURITY_FIPS)
2381 /* Reject not secure link */
2384 EXPORT_SYMBOL(hci_conn_check_secure);
2387 int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
2389 BT_DBG("hcon %p", conn);
2391 if (role == conn->role)
2394 if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
2395 struct hci_cp_switch_role cp;
2396 bacpy(&cp.bdaddr, &conn->dst);
2398 hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
2403 EXPORT_SYMBOL(hci_conn_switch_role);
2405 /* Enter active mode */
2406 void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
2408 struct hci_dev *hdev = conn->hdev;
2410 BT_DBG("hcon %p mode %d", conn, conn->mode);
2412 if (conn->mode != HCI_CM_SNIFF)
2415 if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
2418 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
2419 struct hci_cp_exit_sniff_mode cp;
2420 cp.handle = cpu_to_le16(conn->handle);
2421 hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
2425 if (hdev->idle_timeout > 0)
2426 queue_delayed_work(hdev->workqueue, &conn->idle_work,
2427 msecs_to_jiffies(hdev->idle_timeout));
2430 /* Drop all connection on the device */
2431 void hci_conn_hash_flush(struct hci_dev *hdev)
2433 struct hci_conn_hash *h = &hdev->conn_hash;
2434 struct hci_conn *c, *n;
2436 BT_DBG("hdev %s", hdev->name);
2438 list_for_each_entry_safe(c, n, &h->list, list) {
2439 c->state = BT_CLOSED;
2441 hci_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM);
2443 /* Unlink before deleting otherwise it is possible that
2444 * hci_conn_del removes the link which may cause the list to
2445 * contain items already freed.
2452 /* Check pending connect attempts */
2453 void hci_conn_check_pending(struct hci_dev *hdev)
2455 struct hci_conn *conn;
2457 BT_DBG("hdev %s", hdev->name);
2461 conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2);
2463 hci_acl_create_connection(conn);
2465 hci_dev_unlock(hdev);
2468 static u32 get_link_mode(struct hci_conn *conn)
2472 if (conn->role == HCI_ROLE_MASTER)
2473 link_mode |= HCI_LM_MASTER;
2475 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2476 link_mode |= HCI_LM_ENCRYPT;
2478 if (test_bit(HCI_CONN_AUTH, &conn->flags))
2479 link_mode |= HCI_LM_AUTH;
2481 if (test_bit(HCI_CONN_SECURE, &conn->flags))
2482 link_mode |= HCI_LM_SECURE;
2484 if (test_bit(HCI_CONN_FIPS, &conn->flags))
2485 link_mode |= HCI_LM_FIPS;
2490 int hci_get_conn_list(void __user *arg)
2493 struct hci_conn_list_req req, *cl;
2494 struct hci_conn_info *ci;
2495 struct hci_dev *hdev;
2496 int n = 0, size, err;
2498 if (copy_from_user(&req, arg, sizeof(req)))
2501 if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
2504 size = sizeof(req) + req.conn_num * sizeof(*ci);
2506 cl = kmalloc(size, GFP_KERNEL);
2510 hdev = hci_dev_get(req.dev_id);
2519 list_for_each_entry(c, &hdev->conn_hash.list, list) {
2520 bacpy(&(ci + n)->bdaddr, &c->dst);
2521 (ci + n)->handle = c->handle;
2522 (ci + n)->type = c->type;
2523 (ci + n)->out = c->out;
2524 (ci + n)->state = c->state;
2525 (ci + n)->link_mode = get_link_mode(c);
2526 if (++n >= req.conn_num)
2529 hci_dev_unlock(hdev);
2531 cl->dev_id = hdev->id;
2533 size = sizeof(req) + n * sizeof(*ci);
2537 err = copy_to_user(arg, cl, size);
2540 return err ? -EFAULT : 0;
2543 int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
2545 struct hci_conn_info_req req;
2546 struct hci_conn_info ci;
2547 struct hci_conn *conn;
2548 char __user *ptr = arg + sizeof(req);
2550 if (copy_from_user(&req, arg, sizeof(req)))
2554 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
2556 bacpy(&ci.bdaddr, &conn->dst);
2557 ci.handle = conn->handle;
2558 ci.type = conn->type;
2560 ci.state = conn->state;
2561 ci.link_mode = get_link_mode(conn);
2563 hci_dev_unlock(hdev);
2568 return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
2571 int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
2573 struct hci_auth_info_req req;
2574 struct hci_conn *conn;
2576 if (copy_from_user(&req, arg, sizeof(req)))
2580 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
2582 req.type = conn->auth_type;
2583 hci_dev_unlock(hdev);
2588 return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
2591 struct hci_chan *hci_chan_create(struct hci_conn *conn)
2593 struct hci_dev *hdev = conn->hdev;
2594 struct hci_chan *chan;
2596 BT_DBG("%s hcon %p", hdev->name, conn);
2598 if (test_bit(HCI_CONN_DROP, &conn->flags)) {
2599 BT_DBG("Refusing to create new hci_chan");
2603 chan = kzalloc(sizeof(*chan), GFP_KERNEL);
2607 chan->conn = hci_conn_get(conn);
2608 skb_queue_head_init(&chan->data_q);
2609 chan->state = BT_CONNECTED;
2611 list_add_rcu(&chan->list, &conn->chan_list);
2616 void hci_chan_del(struct hci_chan *chan)
2618 struct hci_conn *conn = chan->conn;
2619 struct hci_dev *hdev = conn->hdev;
2621 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
2623 list_del_rcu(&chan->list);
2627 /* Prevent new hci_chan's to be created for this hci_conn */
2628 set_bit(HCI_CONN_DROP, &conn->flags);
2632 skb_queue_purge(&chan->data_q);
2636 void hci_chan_list_flush(struct hci_conn *conn)
2638 struct hci_chan *chan, *n;
2640 BT_DBG("hcon %p", conn);
2642 list_for_each_entry_safe(chan, n, &conn->chan_list, list)
2646 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
2649 struct hci_chan *hchan;
2651 list_for_each_entry(hchan, &hcon->chan_list, list) {
2652 if (hchan->handle == handle)
2659 struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
2661 struct hci_conn_hash *h = &hdev->conn_hash;
2662 struct hci_conn *hcon;
2663 struct hci_chan *hchan = NULL;
2667 list_for_each_entry_rcu(hcon, &h->list, list) {
2668 hchan = __hci_chan_lookup_handle(hcon, handle);
2678 u32 hci_conn_get_phy(struct hci_conn *conn)
2682 /* BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part B page 471:
2683 * Table 6.2: Packets defined for synchronous, asynchronous, and
2684 * CPB logical transport types.
2686 switch (conn->type) {
2688 /* SCO logical transport (1 Mb/s):
2689 * HV1, HV2, HV3 and DV.
2691 phys |= BT_PHY_BR_1M_1SLOT;
2696 /* ACL logical transport (1 Mb/s) ptt=0:
2697 * DH1, DM3, DH3, DM5 and DH5.
2699 phys |= BT_PHY_BR_1M_1SLOT;
2701 if (conn->pkt_type & (HCI_DM3 | HCI_DH3))
2702 phys |= BT_PHY_BR_1M_3SLOT;
2704 if (conn->pkt_type & (HCI_DM5 | HCI_DH5))
2705 phys |= BT_PHY_BR_1M_5SLOT;
2707 /* ACL logical transport (2 Mb/s) ptt=1:
2708 * 2-DH1, 2-DH3 and 2-DH5.
2710 if (!(conn->pkt_type & HCI_2DH1))
2711 phys |= BT_PHY_EDR_2M_1SLOT;
2713 if (!(conn->pkt_type & HCI_2DH3))
2714 phys |= BT_PHY_EDR_2M_3SLOT;
2716 if (!(conn->pkt_type & HCI_2DH5))
2717 phys |= BT_PHY_EDR_2M_5SLOT;
2719 /* ACL logical transport (3 Mb/s) ptt=1:
2720 * 3-DH1, 3-DH3 and 3-DH5.
2722 if (!(conn->pkt_type & HCI_3DH1))
2723 phys |= BT_PHY_EDR_3M_1SLOT;
2725 if (!(conn->pkt_type & HCI_3DH3))
2726 phys |= BT_PHY_EDR_3M_3SLOT;
2728 if (!(conn->pkt_type & HCI_3DH5))
2729 phys |= BT_PHY_EDR_3M_5SLOT;
2734 /* eSCO logical transport (1 Mb/s): EV3, EV4 and EV5 */
2735 phys |= BT_PHY_BR_1M_1SLOT;
2737 if (!(conn->pkt_type & (ESCO_EV4 | ESCO_EV5)))
2738 phys |= BT_PHY_BR_1M_3SLOT;
2740 /* eSCO logical transport (2 Mb/s): 2-EV3, 2-EV5 */
2741 if (!(conn->pkt_type & ESCO_2EV3))
2742 phys |= BT_PHY_EDR_2M_1SLOT;
2744 if (!(conn->pkt_type & ESCO_2EV5))
2745 phys |= BT_PHY_EDR_2M_3SLOT;
2747 /* eSCO logical transport (3 Mb/s): 3-EV3, 3-EV5 */
2748 if (!(conn->pkt_type & ESCO_3EV3))
2749 phys |= BT_PHY_EDR_3M_1SLOT;
2751 if (!(conn->pkt_type & ESCO_3EV5))
2752 phys |= BT_PHY_EDR_3M_3SLOT;
2757 if (conn->le_tx_phy & HCI_LE_SET_PHY_1M)
2758 phys |= BT_PHY_LE_1M_TX;
2760 if (conn->le_rx_phy & HCI_LE_SET_PHY_1M)
2761 phys |= BT_PHY_LE_1M_RX;
2763 if (conn->le_tx_phy & HCI_LE_SET_PHY_2M)
2764 phys |= BT_PHY_LE_2M_TX;
2766 if (conn->le_rx_phy & HCI_LE_SET_PHY_2M)
2767 phys |= BT_PHY_LE_2M_RX;
2769 if (conn->le_tx_phy & HCI_LE_SET_PHY_CODED)
2770 phys |= BT_PHY_LE_CODED_TX;
2772 if (conn->le_rx_phy & HCI_LE_SET_PHY_CODED)
2773 phys |= BT_PHY_LE_CODED_RX;
2781 static int abort_conn_sync(struct hci_dev *hdev, void *data)
2783 struct hci_conn *conn;
2784 u16 handle = PTR_ERR(data);
2786 conn = hci_conn_hash_lookup_handle(hdev, handle);
2790 return hci_abort_conn_sync(hdev, conn, conn->abort_reason);
2793 int hci_abort_conn(struct hci_conn *conn, u8 reason)
2795 struct hci_dev *hdev = conn->hdev;
2797 /* If abort_reason has already been set it means the connection is
2798 * already being aborted so don't attempt to overwrite it.
2800 if (conn->abort_reason)
2803 bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason);
2805 conn->abort_reason = reason;
2807 /* If the connection is pending check the command opcode since that
2808 * might be blocking on hci_cmd_sync_work while waiting its respective
2809 * event so we need to hci_cmd_sync_cancel to cancel it.
2811 if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) {
2812 switch (hci_skb_event(hdev->sent_cmd)) {
2813 case HCI_EV_LE_CONN_COMPLETE:
2814 case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
2815 case HCI_EVT_LE_CIS_ESTABLISHED:
2816 hci_cmd_sync_cancel(hdev, ECANCELED);
2821 return hci_cmd_sync_queue(hdev, abort_conn_sync, ERR_PTR(conn->handle),