CoCalc -- iso.c

GitHub Repository: torvalds/linux
Path: blob/master/net/bluetooth/iso.c
²⁹²⁶⁶ views
1
// SPDX-License-Identifier: GPL-2.0
2
/*
3
 * BlueZ - Bluetooth protocol stack for Linux
4
 *
5
 * Copyright (C) 2022 Intel Corporation
6
 * Copyright 2023-2024 NXP
7
 */
8

9
#include <linux/module.h>
10
#include <linux/debugfs.h>
11
#include <linux/seq_file.h>
12
#include <linux/sched/signal.h>
13

14
#include <net/bluetooth/bluetooth.h>
15
#include <net/bluetooth/hci_core.h>
16
#include <net/bluetooth/iso.h>
17
#include "eir.h"
18

19
static const struct proto_ops iso_sock_ops;
20

21
static struct bt_sock_list iso_sk_list = {
22
	.lock = __RW_LOCK_UNLOCKED(iso_sk_list.lock)
23
};
24

25
/* ---- ISO connections ---- */
26
struct iso_conn {
27
	struct hci_conn	*hcon;
28

29
	/* @lock: spinlock protecting changes to iso_conn fields */
30
	spinlock_t	lock;
31
	struct sock	*sk;
32

33
	struct delayed_work	timeout_work;
34

35
	struct sk_buff	*rx_skb;
36
	__u32		rx_len;
37
	__u16		tx_sn;
38
	struct kref	ref;
39
};
40

41
#define iso_conn_lock(c)	spin_lock(&(c)->lock)
42
#define iso_conn_unlock(c)	spin_unlock(&(c)->lock)
43

44
static void iso_sock_close(struct sock *sk);
45
static void iso_sock_kill(struct sock *sk);
46

47
/* ----- ISO socket info ----- */
48
#define iso_pi(sk) ((struct iso_pinfo *)sk)
49

50
#define EIR_SERVICE_DATA_LENGTH 4
51
#define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH)
52
#define EIR_BAA_SERVICE_UUID	0x1851
53

54
/* iso_pinfo flags values */
55
enum {
56
	BT_SK_BIG_SYNC,
57
	BT_SK_PA_SYNC,
58
};
59

60
struct iso_pinfo {
61
	struct bt_sock		bt;
62
	bdaddr_t		src;
63
	__u8			src_type;
64
	bdaddr_t		dst;
65
	__u8			dst_type;
66
	__u8			bc_sid;
67
	__u8			bc_num_bis;
68
	__u8			bc_bis[ISO_MAX_NUM_BIS];
69
	__u16			sync_handle;
70
	unsigned long		flags;
71
	struct bt_iso_qos	qos;
72
	bool			qos_user_set;
73
	__u8			base_len;
74
	__u8			base[BASE_MAX_LENGTH];
75
	struct iso_conn		*conn;
76
};
77

78
static struct bt_iso_qos default_qos;
79

80
static bool check_ucast_qos(struct bt_iso_qos *qos);
81
static bool check_bcast_qos(struct bt_iso_qos *qos);
82
static bool iso_match_sid(struct sock *sk, void *data);
83
static bool iso_match_sync_handle(struct sock *sk, void *data);
84
static bool iso_match_sync_handle_pa_report(struct sock *sk, void *data);
85
static void iso_sock_disconn(struct sock *sk);
86

87
typedef bool (*iso_sock_match_t)(struct sock *sk, void *data);
88

89
static struct sock *iso_get_sock(bdaddr_t *src, bdaddr_t *dst,
90
				 enum bt_sock_state state,
91
				 iso_sock_match_t match, void *data);
92

93
/* ---- ISO timers ---- */
94
#define ISO_CONN_TIMEOUT	secs_to_jiffies(20)
95
#define ISO_DISCONN_TIMEOUT	secs_to_jiffies(2)
96

97
static void iso_conn_free(struct kref *ref)
98
{
99
	struct iso_conn *conn = container_of(ref, struct iso_conn, ref);
100

101
	BT_DBG("conn %p", conn);
102

103
	if (conn->sk)
104
		iso_pi(conn->sk)->conn = NULL;
105

106
	if (conn->hcon) {
107
		conn->hcon->iso_data = NULL;
108
		hci_conn_drop(conn->hcon);
109
	}
110

111
	/* Ensure no more work items will run since hci_conn has been dropped */
112
	disable_delayed_work_sync(&conn->timeout_work);
113

114
	kfree_skb(conn->rx_skb);
115

116
	kfree(conn);
117
}
118

119
static void iso_conn_put(struct iso_conn *conn)
120
{
121
	if (!conn)
122
		return;
123

124
	BT_DBG("conn %p refcnt %d", conn, kref_read(&conn->ref));
125

126
	kref_put(&conn->ref, iso_conn_free);
127
}
128

129
static struct iso_conn *iso_conn_hold_unless_zero(struct iso_conn *conn)
130
{
131
	if (!conn)
132
		return NULL;
133

134
	BT_DBG("conn %p refcnt %u", conn, kref_read(&conn->ref));
135

136
	if (!kref_get_unless_zero(&conn->ref))
137
		return NULL;
138

139
	return conn;
140
}
141

142
static struct sock *iso_sock_hold(struct iso_conn *conn)
143
{
144
	if (!conn || !bt_sock_linked(&iso_sk_list, conn->sk))
145
		return NULL;
146

147
	sock_hold(conn->sk);
148

149
	return conn->sk;
150
}
151

152
static void iso_sock_timeout(struct work_struct *work)
153
{
154
	struct iso_conn *conn = container_of(work, struct iso_conn,
155
					     timeout_work.work);
156
	struct sock *sk;
157

158
	conn = iso_conn_hold_unless_zero(conn);
159
	if (!conn)
160
		return;
161

162
	iso_conn_lock(conn);
163
	sk = iso_sock_hold(conn);
164
	iso_conn_unlock(conn);
165
	iso_conn_put(conn);
166

167
	if (!sk)
168
		return;
169

170
	BT_DBG("sock %p state %d", sk, sk->sk_state);
171

172
	lock_sock(sk);
173
	sk->sk_err = ETIMEDOUT;
174
	sk->sk_state_change(sk);
175
	release_sock(sk);
176
	sock_put(sk);
177
}
178

179
static void iso_sock_set_timer(struct sock *sk, long timeout)
180
{
181
	if (!iso_pi(sk)->conn)
182
		return;
183

184
	BT_DBG("sock %p state %d timeout %ld", sk, sk->sk_state, timeout);
185
	cancel_delayed_work(&iso_pi(sk)->conn->timeout_work);
186
	schedule_delayed_work(&iso_pi(sk)->conn->timeout_work, timeout);
187
}
188

189
static void iso_sock_clear_timer(struct sock *sk)
190
{
191
	if (!iso_pi(sk)->conn)
192
		return;
193

194
	BT_DBG("sock %p state %d", sk, sk->sk_state);
195
	cancel_delayed_work(&iso_pi(sk)->conn->timeout_work);
196
}
197

198
/* ---- ISO connections ---- */
199
static struct iso_conn *iso_conn_add(struct hci_conn *hcon)
200
{
201
	struct iso_conn *conn = hcon->iso_data;
202

203
	conn = iso_conn_hold_unless_zero(conn);
204
	if (conn) {
205
		if (!conn->hcon) {
206
			iso_conn_lock(conn);
207
			conn->hcon = hcon;
208
			iso_conn_unlock(conn);
209
		}
210
		iso_conn_put(conn);
211
		return conn;
212
	}
213

214
	conn = kzalloc(sizeof(*conn), GFP_KERNEL);
215
	if (!conn)
216
		return NULL;
217

218
	kref_init(&conn->ref);
219
	spin_lock_init(&conn->lock);
220
	INIT_DELAYED_WORK(&conn->timeout_work, iso_sock_timeout);
221

222
	hcon->iso_data = conn;
223
	conn->hcon = hcon;
224
	conn->tx_sn = 0;
225

226
	BT_DBG("hcon %p conn %p", hcon, conn);
227

228
	return conn;
229
}
230

231
/* Delete channel. Must be called on the locked socket. */
232
static void iso_chan_del(struct sock *sk, int err)
233
{
234
	struct iso_conn *conn;
235
	struct sock *parent;
236

237
	conn = iso_pi(sk)->conn;
238
	iso_pi(sk)->conn = NULL;
239

240
	BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
241

242
	if (conn) {
243
		iso_conn_lock(conn);
244
		conn->sk = NULL;
245
		iso_conn_unlock(conn);
246
		iso_conn_put(conn);
247
	}
248

249
	sk->sk_state = BT_CLOSED;
250
	sk->sk_err   = err;
251

252
	parent = bt_sk(sk)->parent;
253
	if (parent) {
254
		bt_accept_unlink(sk);
255
		parent->sk_data_ready(parent);
256
	} else {
257
		sk->sk_state_change(sk);
258
	}
259

260
	sock_set_flag(sk, SOCK_ZAPPED);
261
}
262

263
static void iso_conn_del(struct hci_conn *hcon, int err)
264
{
265
	struct iso_conn *conn = hcon->iso_data;
266
	struct sock *sk;
267

268
	conn = iso_conn_hold_unless_zero(conn);
269
	if (!conn)
270
		return;
271

272
	BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
273

274
	/* Kill socket */
275
	iso_conn_lock(conn);
276
	sk = iso_sock_hold(conn);
277
	iso_conn_unlock(conn);
278
	iso_conn_put(conn);
279

280
	if (!sk) {
281
		iso_conn_put(conn);
282
		return;
283
	}
284

285
	lock_sock(sk);
286
	iso_sock_clear_timer(sk);
287
	iso_chan_del(sk, err);
288
	release_sock(sk);
289
	sock_put(sk);
290
}
291

292
static int __iso_chan_add(struct iso_conn *conn, struct sock *sk,
293
			  struct sock *parent)
294
{
295
	BT_DBG("conn %p", conn);
296

297
	if (iso_pi(sk)->conn == conn && conn->sk == sk)
298
		return 0;
299

300
	if (conn->sk) {
301
		BT_ERR("conn->sk already set");
302
		return -EBUSY;
303
	}
304

305
	iso_pi(sk)->conn = conn;
306
	conn->sk = sk;
307

308
	if (parent)
309
		bt_accept_enqueue(parent, sk, true);
310

311
	return 0;
312
}
313

314
static int iso_chan_add(struct iso_conn *conn, struct sock *sk,
315
			struct sock *parent)
316
{
317
	int err;
318

319
	iso_conn_lock(conn);
320
	err = __iso_chan_add(conn, sk, parent);
321
	iso_conn_unlock(conn);
322

323
	return err;
324
}
325

326
static inline u8 le_addr_type(u8 bdaddr_type)
327
{
328
	if (bdaddr_type == BDADDR_LE_PUBLIC)
329
		return ADDR_LE_DEV_PUBLIC;
330
	else
331
		return ADDR_LE_DEV_RANDOM;
332
}
333

334
static int iso_connect_bis(struct sock *sk)
335
{
336
	struct iso_conn *conn;
337
	struct hci_conn *hcon;
338
	struct hci_dev  *hdev;
339
	int err;
340

341
	BT_DBG("%pMR (SID 0x%2.2x)", &iso_pi(sk)->src, iso_pi(sk)->bc_sid);
342

343
	hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
344
			     iso_pi(sk)->src_type);
345
	if (!hdev)
346
		return -EHOSTUNREACH;
347

348
	hci_dev_lock(hdev);
349

350
	if (!bis_capable(hdev)) {
351
		err = -EOPNOTSUPP;
352
		goto unlock;
353
	}
354

355
	/* Fail if user set invalid QoS */
356
	if (iso_pi(sk)->qos_user_set && !check_bcast_qos(&iso_pi(sk)->qos)) {
357
		iso_pi(sk)->qos = default_qos;
358
		err = -EINVAL;
359
		goto unlock;
360
	}
361

362
	/* Fail if out PHYs are marked as disabled */
363
	if (!iso_pi(sk)->qos.bcast.out.phy) {
364
		err = -EINVAL;
365
		goto unlock;
366
	}
367

368
	/* Just bind if DEFER_SETUP has been set */
369
	if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
370
		hcon = hci_bind_bis(hdev, &iso_pi(sk)->dst, iso_pi(sk)->bc_sid,
371
				    &iso_pi(sk)->qos, iso_pi(sk)->base_len,
372
				    iso_pi(sk)->base,
373
				    READ_ONCE(sk->sk_sndtimeo));
374
		if (IS_ERR(hcon)) {
375
			err = PTR_ERR(hcon);
376
			goto unlock;
377
		}
378
	} else {
379
		hcon = hci_connect_bis(hdev, &iso_pi(sk)->dst,
380
				       le_addr_type(iso_pi(sk)->dst_type),
381
				       iso_pi(sk)->bc_sid, &iso_pi(sk)->qos,
382
				       iso_pi(sk)->base_len, iso_pi(sk)->base,
383
				       READ_ONCE(sk->sk_sndtimeo));
384
		if (IS_ERR(hcon)) {
385
			err = PTR_ERR(hcon);
386
			goto unlock;
387
		}
388

389
		/* Update SID if it was not set */
390
		if (iso_pi(sk)->bc_sid == HCI_SID_INVALID)
391
			iso_pi(sk)->bc_sid = hcon->sid;
392
	}
393

394
	conn = iso_conn_add(hcon);
395
	if (!conn) {
396
		hci_conn_drop(hcon);
397
		err = -ENOMEM;
398
		goto unlock;
399
	}
400

401
	lock_sock(sk);
402

403
	err = iso_chan_add(conn, sk, NULL);
404
	if (err) {
405
		release_sock(sk);
406
		goto unlock;
407
	}
408

409
	/* Update source addr of the socket */
410
	bacpy(&iso_pi(sk)->src, &hcon->src);
411

412
	if (hcon->state == BT_CONNECTED) {
413
		iso_sock_clear_timer(sk);
414
		sk->sk_state = BT_CONNECTED;
415
	} else if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
416
		iso_sock_clear_timer(sk);
417
		sk->sk_state = BT_CONNECT;
418
	} else {
419
		sk->sk_state = BT_CONNECT;
420
		iso_sock_set_timer(sk, READ_ONCE(sk->sk_sndtimeo));
421
	}
422

423
	release_sock(sk);
424

425
unlock:
426
	hci_dev_unlock(hdev);
427
	hci_dev_put(hdev);
428
	return err;
429
}
430

431
static int iso_connect_cis(struct sock *sk)
432
{
433
	struct iso_conn *conn;
434
	struct hci_conn *hcon;
435
	struct hci_dev  *hdev;
436
	int err;
437

438
	BT_DBG("%pMR -> %pMR", &iso_pi(sk)->src, &iso_pi(sk)->dst);
439

440
	hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
441
			     iso_pi(sk)->src_type);
442
	if (!hdev)
443
		return -EHOSTUNREACH;
444

445
	hci_dev_lock(hdev);
446

447
	if (!cis_central_capable(hdev)) {
448
		err = -EOPNOTSUPP;
449
		goto unlock;
450
	}
451

452
	/* Fail if user set invalid QoS */
453
	if (iso_pi(sk)->qos_user_set && !check_ucast_qos(&iso_pi(sk)->qos)) {
454
		iso_pi(sk)->qos = default_qos;
455
		err = -EINVAL;
456
		goto unlock;
457
	}
458

459
	/* Fail if either PHYs are marked as disabled */
460
	if (!iso_pi(sk)->qos.ucast.in.phy && !iso_pi(sk)->qos.ucast.out.phy) {
461
		err = -EINVAL;
462
		goto unlock;
463
	}
464

465
	/* Check if there are available buffers for output/TX. */
466
	if (iso_pi(sk)->qos.ucast.out.sdu && !hci_iso_count(hdev) &&
467
	    (hdev->iso_pkts && !hdev->iso_cnt)) {
468
		err = -ENOBUFS;
469
		goto unlock;
470
	}
471

472
	/* Just bind if DEFER_SETUP has been set */
473
	if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
474
		hcon = hci_bind_cis(hdev, &iso_pi(sk)->dst,
475
				    le_addr_type(iso_pi(sk)->dst_type),
476
				    &iso_pi(sk)->qos,
477
				    READ_ONCE(sk->sk_sndtimeo));
478
		if (IS_ERR(hcon)) {
479
			err = PTR_ERR(hcon);
480
			goto unlock;
481
		}
482
	} else {
483
		hcon = hci_connect_cis(hdev, &iso_pi(sk)->dst,
484
				       le_addr_type(iso_pi(sk)->dst_type),
485
				       &iso_pi(sk)->qos,
486
				       READ_ONCE(sk->sk_sndtimeo));
487
		if (IS_ERR(hcon)) {
488
			err = PTR_ERR(hcon);
489
			goto unlock;
490
		}
491
	}
492

493
	conn = iso_conn_add(hcon);
494
	if (!conn) {
495
		hci_conn_drop(hcon);
496
		err = -ENOMEM;
497
		goto unlock;
498
	}
499

500
	lock_sock(sk);
501

502
	err = iso_chan_add(conn, sk, NULL);
503
	if (err) {
504
		release_sock(sk);
505
		goto unlock;
506
	}
507

508
	/* Update source addr of the socket */
509
	bacpy(&iso_pi(sk)->src, &hcon->src);
510

511
	if (hcon->state == BT_CONNECTED) {
512
		iso_sock_clear_timer(sk);
513
		sk->sk_state = BT_CONNECTED;
514
	} else if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
515
		iso_sock_clear_timer(sk);
516
		sk->sk_state = BT_CONNECT;
517
	} else {
518
		sk->sk_state = BT_CONNECT;
519
		iso_sock_set_timer(sk, READ_ONCE(sk->sk_sndtimeo));
520
	}
521

522
	release_sock(sk);
523

524
unlock:
525
	hci_dev_unlock(hdev);
526
	hci_dev_put(hdev);
527
	return err;
528
}
529

530
static struct bt_iso_qos *iso_sock_get_qos(struct sock *sk)
531
{
532
	if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONNECT2)
533
		return &iso_pi(sk)->conn->hcon->iso_qos;
534

535
	return &iso_pi(sk)->qos;
536
}
537

538
static int iso_send_frame(struct sock *sk, struct sk_buff *skb,
539
			  const struct sockcm_cookie *sockc)
540
{
541
	struct iso_conn *conn = iso_pi(sk)->conn;
542
	struct bt_iso_qos *qos = iso_sock_get_qos(sk);
543
	struct hci_iso_data_hdr *hdr;
544
	int len = 0;
545

546
	BT_DBG("sk %p len %d", sk, skb->len);
547

548
	if (skb->len > qos->ucast.out.sdu)
549
		return -EMSGSIZE;
550

551
	len = skb->len;
552

553
	/* Push ISO data header */
554
	hdr = skb_push(skb, HCI_ISO_DATA_HDR_SIZE);
555
	hdr->sn = cpu_to_le16(conn->tx_sn++);
556
	hdr->slen = cpu_to_le16(hci_iso_data_len_pack(len,
557
						      HCI_ISO_STATUS_VALID));
558

559
	if (sk->sk_state == BT_CONNECTED) {
560
		hci_setup_tx_timestamp(skb, 1, sockc);
561
		hci_send_iso(conn->hcon, skb);
562
	} else {
563
		len = -ENOTCONN;
564
	}
565

566
	return len;
567
}
568

569
static void iso_recv_frame(struct iso_conn *conn, struct sk_buff *skb)
570
{
571
	struct sock *sk;
572

573
	iso_conn_lock(conn);
574
	sk = conn->sk;
575
	iso_conn_unlock(conn);
576

577
	if (!sk)
578
		goto drop;
579

580
	BT_DBG("sk %p len %d", sk, skb->len);
581

582
	if (sk->sk_state != BT_CONNECTED)
583
		goto drop;
584

585
	if (!sock_queue_rcv_skb(sk, skb))
586
		return;
587

588
drop:
589
	kfree_skb(skb);
590
}
591

592
/* -------- Socket interface ---------- */
593
static struct sock *__iso_get_sock_listen_by_addr(bdaddr_t *src, bdaddr_t *dst)
594
{
595
	struct sock *sk;
596

597
	sk_for_each(sk, &iso_sk_list.head) {
598
		if (sk->sk_state != BT_LISTEN)
599
			continue;
600

601
		if (bacmp(&iso_pi(sk)->dst, dst))
602
			continue;
603

604
		if (!bacmp(&iso_pi(sk)->src, src))
605
			return sk;
606
	}
607

608
	return NULL;
609
}
610

611
static struct sock *__iso_get_sock_listen_by_sid(bdaddr_t *ba, bdaddr_t *bc,
612
						 __u8 sid)
613
{
614
	struct sock *sk;
615

616
	sk_for_each(sk, &iso_sk_list.head) {
617
		if (sk->sk_state != BT_LISTEN)
618
			continue;
619

620
		if (bacmp(&iso_pi(sk)->src, ba))
621
			continue;
622

623
		if (bacmp(&iso_pi(sk)->dst, bc))
624
			continue;
625

626
		if (iso_pi(sk)->bc_sid == sid)
627
			return sk;
628
	}
629

630
	return NULL;
631
}
632

633
/* Find socket in given state:
634
 * source bdaddr (Unicast)
635
 * destination bdaddr (Broadcast only)
636
 * match func - pass NULL to ignore
637
 * match func data - pass -1 to ignore
638
 * Returns closest match.
639
 */
640
static struct sock *iso_get_sock(bdaddr_t *src, bdaddr_t *dst,
641
				 enum bt_sock_state state,
642
				 iso_sock_match_t match, void *data)
643
{
644
	struct sock *sk = NULL, *sk1 = NULL;
645

646
	read_lock(&iso_sk_list.lock);
647

648
	sk_for_each(sk, &iso_sk_list.head) {
649
		if (sk->sk_state != state)
650
			continue;
651

652
		/* Match Broadcast destination */
653
		if (bacmp(dst, BDADDR_ANY) && bacmp(&iso_pi(sk)->dst, dst))
654
			continue;
655

656
		/* Use Match function if provided */
657
		if (match && !match(sk, data))
658
			continue;
659

660
		/* Exact match. */
661
		if (!bacmp(&iso_pi(sk)->src, src)) {
662
			sock_hold(sk);
663
			break;
664
		}
665

666
		/* Closest match */
667
		if (!bacmp(&iso_pi(sk)->src, BDADDR_ANY)) {
668
			if (sk1)
669
				sock_put(sk1);
670

671
			sk1 = sk;
672
			sock_hold(sk1);
673
		}
674
	}
675

676
	if (sk && sk1)
677
		sock_put(sk1);
678

679
	read_unlock(&iso_sk_list.lock);
680

681
	return sk ? sk : sk1;
682
}
683

684
static struct sock *iso_get_sock_big(struct sock *match_sk, bdaddr_t *src,
685
				     bdaddr_t *dst, uint8_t big)
686
{
687
	struct sock *sk = NULL;
688

689
	read_lock(&iso_sk_list.lock);
690

691
	sk_for_each(sk, &iso_sk_list.head) {
692
		if (match_sk == sk)
693
			continue;
694

695
		/* Look for sockets that have already been
696
		 * connected to the BIG
697
		 */
698
		if (sk->sk_state != BT_CONNECTED &&
699
		    sk->sk_state != BT_CONNECT)
700
			continue;
701

702
		/* Match Broadcast destination */
703
		if (bacmp(&iso_pi(sk)->dst, dst))
704
			continue;
705

706
		/* Match BIG handle */
707
		if (iso_pi(sk)->qos.bcast.big != big)
708
			continue;
709

710
		/* Match source address */
711
		if (bacmp(&iso_pi(sk)->src, src))
712
			continue;
713

714
		sock_hold(sk);
715
		break;
716
	}
717

718
	read_unlock(&iso_sk_list.lock);
719

720
	return sk;
721
}
722

723
static void iso_sock_destruct(struct sock *sk)
724
{
725
	BT_DBG("sk %p", sk);
726

727
	iso_conn_put(iso_pi(sk)->conn);
728

729
	skb_queue_purge(&sk->sk_receive_queue);
730
	skb_queue_purge(&sk->sk_write_queue);
731
}
732

733
static void iso_sock_cleanup_listen(struct sock *parent)
734
{
735
	struct sock *sk;
736

737
	BT_DBG("parent %p", parent);
738

739
	/* Close not yet accepted channels */
740
	while ((sk = bt_accept_dequeue(parent, NULL))) {
741
		iso_sock_close(sk);
742
		iso_sock_kill(sk);
743
	}
744

745
	/* If listening socket has a hcon, properly disconnect it */
746
	if (iso_pi(parent)->conn && iso_pi(parent)->conn->hcon) {
747
		iso_sock_disconn(parent);
748
		return;
749
	}
750

751
	parent->sk_state  = BT_CLOSED;
752
	sock_set_flag(parent, SOCK_ZAPPED);
753
}
754

755
/* Kill socket (only if zapped and orphan)
756
 * Must be called on unlocked socket.
757
 */
758
static void iso_sock_kill(struct sock *sk)
759
{
760
	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket ||
761
	    sock_flag(sk, SOCK_DEAD))
762
		return;
763

764
	BT_DBG("sk %p state %d", sk, sk->sk_state);
765

766
	/* Sock is dead, so set conn->sk to NULL to avoid possible UAF */
767
	if (iso_pi(sk)->conn) {
768
		iso_conn_lock(iso_pi(sk)->conn);
769
		iso_pi(sk)->conn->sk = NULL;
770
		iso_conn_unlock(iso_pi(sk)->conn);
771
	}
772

773
	/* Kill poor orphan */
774
	bt_sock_unlink(&iso_sk_list, sk);
775
	sock_set_flag(sk, SOCK_DEAD);
776
	sock_put(sk);
777
}
778

779
static void iso_sock_disconn(struct sock *sk)
780
{
781
	struct sock *bis_sk;
782
	struct hci_conn *hcon = iso_pi(sk)->conn->hcon;
783

784
	if (test_bit(HCI_CONN_BIG_CREATED, &hcon->flags)) {
785
		bis_sk = iso_get_sock_big(sk, &iso_pi(sk)->src,
786
					  &iso_pi(sk)->dst,
787
					  iso_pi(sk)->qos.bcast.big);
788

789
		/* If there are any other connected sockets for the
790
		 * same BIG, just delete the sk and leave the bis
791
		 * hcon active, in case later rebinding is needed.
792
		 */
793
		if (bis_sk) {
794
			hcon->state = BT_OPEN;
795
			hcon->iso_data = NULL;
796
			iso_pi(sk)->conn->hcon = NULL;
797
			iso_sock_clear_timer(sk);
798
			iso_chan_del(sk, bt_to_errno(hcon->abort_reason));
799
			sock_put(bis_sk);
800
			return;
801
		}
802
	}
803

804
	sk->sk_state = BT_DISCONN;
805
	iso_conn_lock(iso_pi(sk)->conn);
806
	hci_conn_drop(iso_pi(sk)->conn->hcon);
807
	iso_pi(sk)->conn->hcon = NULL;
808
	iso_conn_unlock(iso_pi(sk)->conn);
809
}
810

811
static void __iso_sock_close(struct sock *sk)
812
{
813
	BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
814

815
	switch (sk->sk_state) {
816
	case BT_LISTEN:
817
		iso_sock_cleanup_listen(sk);
818
		break;
819

820
	case BT_CONNECT:
821
	case BT_CONNECTED:
822
	case BT_CONFIG:
823
		if (iso_pi(sk)->conn->hcon)
824
			iso_sock_disconn(sk);
825
		else
826
			iso_chan_del(sk, ECONNRESET);
827
		break;
828

829
	case BT_CONNECT2:
830
		if (iso_pi(sk)->conn->hcon &&
831
		    (test_bit(HCI_CONN_PA_SYNC, &iso_pi(sk)->conn->hcon->flags) ||
832
		    test_bit(HCI_CONN_PA_SYNC_FAILED, &iso_pi(sk)->conn->hcon->flags)))
833
			iso_sock_disconn(sk);
834
		else
835
			iso_chan_del(sk, ECONNRESET);
836
		break;
837
	case BT_DISCONN:
838
		iso_chan_del(sk, ECONNRESET);
839
		break;
840

841
	default:
842
		sock_set_flag(sk, SOCK_ZAPPED);
843
		break;
844
	}
845
}
846

847
/* Must be called on unlocked socket. */
848
static void iso_sock_close(struct sock *sk)
849
{
850
	iso_sock_clear_timer(sk);
851
	lock_sock(sk);
852
	__iso_sock_close(sk);
853
	release_sock(sk);
854
	iso_sock_kill(sk);
855
}
856

857
static void iso_sock_init(struct sock *sk, struct sock *parent)
858
{
859
	BT_DBG("sk %p", sk);
860

861
	if (parent) {
862
		sk->sk_type = parent->sk_type;
863
		bt_sk(sk)->flags = bt_sk(parent)->flags;
864
		security_sk_clone(parent, sk);
865
	}
866
}
867

868
static struct proto iso_proto = {
869
	.name		= "ISO",
870
	.owner		= THIS_MODULE,
871
	.obj_size	= sizeof(struct iso_pinfo)
872
};
873

874
#define DEFAULT_IO_QOS \
875
{ \
876
	.interval	= 10000u, \
877
	.latency	= 10u, \
878
	.sdu		= 40u, \
879
	.phy		= BT_ISO_PHY_2M, \
880
	.rtn		= 2u, \
881
}
882

883
static struct bt_iso_qos default_qos = {
884
	.bcast = {
885
		.big			= BT_ISO_QOS_BIG_UNSET,
886
		.bis			= BT_ISO_QOS_BIS_UNSET,
887
		.sync_factor		= 0x01,
888
		.packing		= 0x00,
889
		.framing		= 0x00,
890
		.in			= DEFAULT_IO_QOS,
891
		.out			= DEFAULT_IO_QOS,
892
		.encryption		= 0x00,
893
		.bcode			= {0x00},
894
		.options		= 0x00,
895
		.skip			= 0x0000,
896
		.sync_timeout		= BT_ISO_SYNC_TIMEOUT,
897
		.sync_cte_type		= 0x00,
898
		.mse			= 0x00,
899
		.timeout		= BT_ISO_SYNC_TIMEOUT,
900
	},
901
};
902

903
static struct sock *iso_sock_alloc(struct net *net, struct socket *sock,
904
				   int proto, gfp_t prio, int kern)
905
{
906
	struct sock *sk;
907

908
	sk = bt_sock_alloc(net, sock, &iso_proto, proto, prio, kern);
909
	if (!sk)
910
		return NULL;
911

912
	sk->sk_destruct = iso_sock_destruct;
913
	sk->sk_sndtimeo = ISO_CONN_TIMEOUT;
914

915
	/* Set address type as public as default src address is BDADDR_ANY */
916
	iso_pi(sk)->src_type = BDADDR_LE_PUBLIC;
917

918
	iso_pi(sk)->qos = default_qos;
919
	iso_pi(sk)->sync_handle = -1;
920

921
	bt_sock_link(&iso_sk_list, sk);
922
	return sk;
923
}
924

925
static int iso_sock_create(struct net *net, struct socket *sock, int protocol,
926
			   int kern)
927
{
928
	struct sock *sk;
929

930
	BT_DBG("sock %p", sock);
931

932
	sock->state = SS_UNCONNECTED;
933

934
	if (sock->type != SOCK_SEQPACKET)
935
		return -ESOCKTNOSUPPORT;
936

937
	sock->ops = &iso_sock_ops;
938

939
	sk = iso_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
940
	if (!sk)
941
		return -ENOMEM;
942

943
	iso_sock_init(sk, NULL);
944
	return 0;
945
}
946

947
static int iso_sock_bind_bc(struct socket *sock, struct sockaddr *addr,
948
			    int addr_len)
949
{
950
	struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
951
	struct sock *sk = sock->sk;
952
	int i;
953

954
	BT_DBG("sk %p bc_sid %u bc_num_bis %u", sk, sa->iso_bc->bc_sid,
955
	       sa->iso_bc->bc_num_bis);
956

957
	if (addr_len != sizeof(*sa) + sizeof(*sa->iso_bc))
958
		return -EINVAL;
959

960
	bacpy(&iso_pi(sk)->dst, &sa->iso_bc->bc_bdaddr);
961

962
	/* Check if the address type is of LE type */
963
	if (!bdaddr_type_is_le(sa->iso_bc->bc_bdaddr_type))
964
		return -EINVAL;
965

966
	iso_pi(sk)->dst_type = sa->iso_bc->bc_bdaddr_type;
967

968
	if (sa->iso_bc->bc_sid > 0x0f && sa->iso_bc->bc_sid != HCI_SID_INVALID)
969
		return -EINVAL;
970

971
	iso_pi(sk)->bc_sid = sa->iso_bc->bc_sid;
972

973
	if (sa->iso_bc->bc_num_bis > ISO_MAX_NUM_BIS)
974
		return -EINVAL;
975

976
	iso_pi(sk)->bc_num_bis = sa->iso_bc->bc_num_bis;
977

978
	for (i = 0; i < iso_pi(sk)->bc_num_bis; i++)
979
		if (sa->iso_bc->bc_bis[i] < 0x01 ||
980
		    sa->iso_bc->bc_bis[i] > 0x1f)
981
			return -EINVAL;
982

983
	memcpy(iso_pi(sk)->bc_bis, sa->iso_bc->bc_bis,
984
	       iso_pi(sk)->bc_num_bis);
985

986
	return 0;
987
}
988

989
static int iso_sock_bind_pa_sk(struct sock *sk, struct sockaddr_iso *sa,
990
			       int addr_len)
991
{
992
	int err = 0;
993

994
	if (sk->sk_type != SOCK_SEQPACKET) {
995
		err = -EINVAL;
996
		goto done;
997
	}
998

999
	if (addr_len != sizeof(*sa) + sizeof(*sa->iso_bc)) {
1000
		err = -EINVAL;
1001
		goto done;
1002
	}
1003

1004
	if (sa->iso_bc->bc_num_bis > ISO_MAX_NUM_BIS) {
1005
		err = -EINVAL;
1006
		goto done;
1007
	}
1008

1009
	iso_pi(sk)->bc_num_bis = sa->iso_bc->bc_num_bis;
1010

1011
	for (int i = 0; i < iso_pi(sk)->bc_num_bis; i++)
1012
		if (sa->iso_bc->bc_bis[i] < 0x01 ||
1013
		    sa->iso_bc->bc_bis[i] > 0x1f) {
1014
			err = -EINVAL;
1015
			goto done;
1016
		}
1017

1018
	memcpy(iso_pi(sk)->bc_bis, sa->iso_bc->bc_bis,
1019
	       iso_pi(sk)->bc_num_bis);
1020

1021
done:
1022
	return err;
1023
}
1024

1025
static int iso_sock_bind(struct socket *sock, struct sockaddr *addr,
1026
			 int addr_len)
1027
{
1028
	struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
1029
	struct sock *sk = sock->sk;
1030
	int err = 0;
1031

1032
	BT_DBG("sk %p %pMR type %u", sk, &sa->iso_bdaddr, sa->iso_bdaddr_type);
1033

1034
	if (!addr || addr_len < sizeof(struct sockaddr_iso) ||
1035
	    addr->sa_family != AF_BLUETOOTH)
1036
		return -EINVAL;
1037

1038
	lock_sock(sk);
1039

1040
	/* Allow the user to bind a PA sync socket to a number
1041
	 * of BISes to sync to.
1042
	 */
1043
	if ((sk->sk_state == BT_CONNECT2 ||
1044
	     sk->sk_state == BT_CONNECTED) &&
1045
	    test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) {
1046
		err = iso_sock_bind_pa_sk(sk, sa, addr_len);
1047
		goto done;
1048
	}
1049

1050
	if (sk->sk_state != BT_OPEN) {
1051
		err = -EBADFD;
1052
		goto done;
1053
	}
1054

1055
	if (sk->sk_type != SOCK_SEQPACKET) {
1056
		err = -EINVAL;
1057
		goto done;
1058
	}
1059

1060
	/* Check if the address type is of LE type */
1061
	if (!bdaddr_type_is_le(sa->iso_bdaddr_type)) {
1062
		err = -EINVAL;
1063
		goto done;
1064
	}
1065

1066
	bacpy(&iso_pi(sk)->src, &sa->iso_bdaddr);
1067
	iso_pi(sk)->src_type = sa->iso_bdaddr_type;
1068

1069
	/* Check for Broadcast address */
1070
	if (addr_len > sizeof(*sa)) {
1071
		err = iso_sock_bind_bc(sock, addr, addr_len);
1072
		if (err)
1073
			goto done;
1074
	}
1075

1076
	sk->sk_state = BT_BOUND;
1077

1078
done:
1079
	release_sock(sk);
1080
	return err;
1081
}
1082

1083
static int iso_sock_connect(struct socket *sock, struct sockaddr *addr,
1084
			    int alen, int flags)
1085
{
1086
	struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
1087
	struct sock *sk = sock->sk;
1088
	int err;
1089

1090
	BT_DBG("sk %p", sk);
1091

1092
	if (alen < sizeof(struct sockaddr_iso) ||
1093
	    addr->sa_family != AF_BLUETOOTH)
1094
		return -EINVAL;
1095

1096
	if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND)
1097
		return -EBADFD;
1098

1099
	if (sk->sk_type != SOCK_SEQPACKET)
1100
		return -EINVAL;
1101

1102
	/* Check if the address type is of LE type */
1103
	if (!bdaddr_type_is_le(sa->iso_bdaddr_type))
1104
		return -EINVAL;
1105

1106
	lock_sock(sk);
1107

1108
	bacpy(&iso_pi(sk)->dst, &sa->iso_bdaddr);
1109
	iso_pi(sk)->dst_type = sa->iso_bdaddr_type;
1110

1111
	release_sock(sk);
1112

1113
	if (bacmp(&iso_pi(sk)->dst, BDADDR_ANY))
1114
		err = iso_connect_cis(sk);
1115
	else
1116
		err = iso_connect_bis(sk);
1117

1118
	if (err)
1119
		return err;
1120

1121
	lock_sock(sk);
1122

1123
	if (!test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
1124
		err = bt_sock_wait_state(sk, BT_CONNECTED,
1125
					 sock_sndtimeo(sk, flags & O_NONBLOCK));
1126
	}
1127

1128
	release_sock(sk);
1129
	return err;
1130
}
1131

1132
static int iso_listen_bis(struct sock *sk)
1133
{
1134
	struct hci_dev *hdev;
1135
	int err = 0;
1136
	struct iso_conn *conn;
1137
	struct hci_conn *hcon;
1138

1139
	BT_DBG("%pMR -> %pMR (SID 0x%2.2x)", &iso_pi(sk)->src,
1140
	       &iso_pi(sk)->dst, iso_pi(sk)->bc_sid);
1141

1142
	write_lock(&iso_sk_list.lock);
1143

1144
	if (__iso_get_sock_listen_by_sid(&iso_pi(sk)->src, &iso_pi(sk)->dst,
1145
					 iso_pi(sk)->bc_sid))
1146
		err = -EADDRINUSE;
1147

1148
	write_unlock(&iso_sk_list.lock);
1149

1150
	if (err)
1151
		return err;
1152

1153
	hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
1154
			     iso_pi(sk)->src_type);
1155
	if (!hdev)
1156
		return -EHOSTUNREACH;
1157

1158
	hci_dev_lock(hdev);
1159
	lock_sock(sk);
1160

1161
	/* Fail if user set invalid QoS */
1162
	if (iso_pi(sk)->qos_user_set && !check_bcast_qos(&iso_pi(sk)->qos)) {
1163
		iso_pi(sk)->qos = default_qos;
1164
		err = -EINVAL;
1165
		goto unlock;
1166
	}
1167

1168
	hcon = hci_pa_create_sync(hdev, &iso_pi(sk)->dst,
1169
				  le_addr_type(iso_pi(sk)->dst_type),
1170
				  iso_pi(sk)->bc_sid, &iso_pi(sk)->qos);
1171
	if (IS_ERR(hcon)) {
1172
		err = PTR_ERR(hcon);
1173
		goto unlock;
1174
	}
1175

1176
	conn = iso_conn_add(hcon);
1177
	if (!conn) {
1178
		hci_conn_drop(hcon);
1179
		err = -ENOMEM;
1180
		goto unlock;
1181
	}
1182

1183
	err = iso_chan_add(conn, sk, NULL);
1184
	if (err) {
1185
		hci_conn_drop(hcon);
1186
		goto unlock;
1187
	}
1188

1189
unlock:
1190
	release_sock(sk);
1191
	hci_dev_unlock(hdev);
1192
	hci_dev_put(hdev);
1193
	return err;
1194
}
1195

1196
static int iso_listen_cis(struct sock *sk)
1197
{
1198
	int err = 0;
1199

1200
	BT_DBG("%pMR", &iso_pi(sk)->src);
1201

1202
	write_lock(&iso_sk_list.lock);
1203

1204
	if (__iso_get_sock_listen_by_addr(&iso_pi(sk)->src, &iso_pi(sk)->dst))
1205
		err = -EADDRINUSE;
1206

1207
	write_unlock(&iso_sk_list.lock);
1208

1209
	return err;
1210
}
1211

1212
static int iso_sock_listen(struct socket *sock, int backlog)
1213
{
1214
	struct sock *sk = sock->sk;
1215
	int err = 0;
1216

1217
	BT_DBG("sk %p backlog %d", sk, backlog);
1218

1219
	sock_hold(sk);
1220
	lock_sock(sk);
1221

1222
	if (sk->sk_state != BT_BOUND) {
1223
		err = -EBADFD;
1224
		goto done;
1225
	}
1226

1227
	if (sk->sk_type != SOCK_SEQPACKET) {
1228
		err = -EINVAL;
1229
		goto done;
1230
	}
1231

1232
	if (!bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) {
1233
		err = iso_listen_cis(sk);
1234
	} else {
1235
		/* Drop sock lock to avoid potential
1236
		 * deadlock with the hdev lock.
1237
		 */
1238
		release_sock(sk);
1239
		err = iso_listen_bis(sk);
1240
		lock_sock(sk);
1241
	}
1242

1243
	if (err)
1244
		goto done;
1245

1246
	sk->sk_max_ack_backlog = backlog;
1247
	sk->sk_ack_backlog = 0;
1248

1249
	sk->sk_state = BT_LISTEN;
1250

1251
done:
1252
	release_sock(sk);
1253
	sock_put(sk);
1254
	return err;
1255
}
1256

1257
static int iso_sock_accept(struct socket *sock, struct socket *newsock,
1258
			   struct proto_accept_arg *arg)
1259
{
1260
	DEFINE_WAIT_FUNC(wait, woken_wake_function);
1261
	struct sock *sk = sock->sk, *ch;
1262
	long timeo;
1263
	int err = 0;
1264

1265
	/* Use explicit nested locking to avoid lockdep warnings generated
1266
	 * because the parent socket and the child socket are locked on the
1267
	 * same thread.
1268
	 */
1269
	lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1270

1271
	timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK);
1272

1273
	BT_DBG("sk %p timeo %ld", sk, timeo);
1274

1275
	/* Wait for an incoming connection. (wake-one). */
1276
	add_wait_queue_exclusive(sk_sleep(sk), &wait);
1277
	while (1) {
1278
		if (sk->sk_state != BT_LISTEN) {
1279
			err = -EBADFD;
1280
			break;
1281
		}
1282

1283
		ch = bt_accept_dequeue(sk, newsock);
1284
		if (ch)
1285
			break;
1286

1287
		if (!timeo) {
1288
			err = -EAGAIN;
1289
			break;
1290
		}
1291

1292
		if (signal_pending(current)) {
1293
			err = sock_intr_errno(timeo);
1294
			break;
1295
		}
1296

1297
		release_sock(sk);
1298

1299
		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
1300
		lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1301
	}
1302
	remove_wait_queue(sk_sleep(sk), &wait);
1303

1304
	if (err)
1305
		goto done;
1306

1307
	newsock->state = SS_CONNECTED;
1308

1309
	BT_DBG("new socket %p", ch);
1310

1311
	/* A Broadcast Sink might require BIG sync to be terminated
1312
	 * and re-established multiple times, while keeping the same
1313
	 * PA sync handle active. To allow this, once all BIS
1314
	 * connections have been accepted on a PA sync parent socket,
1315
	 * "reset" socket state, to allow future BIG re-sync procedures.
1316
	 */
1317
	if (test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) {
1318
		/* Iterate through the list of bound BIS indices
1319
		 * and clear each BIS as they are accepted by the
1320
		 * user space, one by one.
1321
		 */
1322
		for (int i = 0; i < iso_pi(sk)->bc_num_bis; i++) {
1323
			if (iso_pi(sk)->bc_bis[i] > 0) {
1324
				iso_pi(sk)->bc_bis[i] = 0;
1325
				iso_pi(sk)->bc_num_bis--;
1326
				break;
1327
			}
1328
		}
1329

1330
		if (iso_pi(sk)->bc_num_bis == 0) {
1331
			/* Once the last BIS was accepted, reset parent
1332
			 * socket parameters to mark that the listening
1333
			 * process for BIS connections has been completed:
1334
			 *
1335
			 * 1. Reset the DEFER setup flag on the parent sk.
1336
			 * 2. Clear the flag marking that the BIG create
1337
			 *    sync command is pending.
1338
			 * 3. Transition socket state from BT_LISTEN to
1339
			 *    BT_CONNECTED.
1340
			 */
1341
			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
1342
			clear_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags);
1343
			sk->sk_state = BT_CONNECTED;
1344
		}
1345
	}
1346

1347
done:
1348
	release_sock(sk);
1349
	return err;
1350
}
1351

1352
static int iso_sock_getname(struct socket *sock, struct sockaddr *addr,
1353
			    int peer)
1354
{
1355
	struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
1356
	struct sock *sk = sock->sk;
1357
	int len = sizeof(struct sockaddr_iso);
1358

1359
	BT_DBG("sock %p, sk %p", sock, sk);
1360

1361
	addr->sa_family = AF_BLUETOOTH;
1362

1363
	if (peer) {
1364
		struct hci_conn *hcon = iso_pi(sk)->conn ?
1365
					iso_pi(sk)->conn->hcon : NULL;
1366

1367
		bacpy(&sa->iso_bdaddr, &iso_pi(sk)->dst);
1368
		sa->iso_bdaddr_type = iso_pi(sk)->dst_type;
1369

1370
		if (hcon && (hcon->type == BIS_LINK || hcon->type == PA_LINK)) {
1371
			sa->iso_bc->bc_sid = iso_pi(sk)->bc_sid;
1372
			sa->iso_bc->bc_num_bis = iso_pi(sk)->bc_num_bis;
1373
			memcpy(sa->iso_bc->bc_bis, iso_pi(sk)->bc_bis,
1374
			       ISO_MAX_NUM_BIS);
1375
			len += sizeof(struct sockaddr_iso_bc);
1376
		}
1377
	} else {
1378
		bacpy(&sa->iso_bdaddr, &iso_pi(sk)->src);
1379
		sa->iso_bdaddr_type = iso_pi(sk)->src_type;
1380
	}
1381

1382
	return len;
1383
}
1384

1385
static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1386
			    size_t len)
1387
{
1388
	struct sock *sk = sock->sk;
1389
	struct sk_buff *skb, **frag;
1390
	struct sockcm_cookie sockc;
1391
	size_t mtu;
1392
	int err;
1393

1394
	BT_DBG("sock %p, sk %p", sock, sk);
1395

1396
	err = sock_error(sk);
1397
	if (err)
1398
		return err;
1399

1400
	if (msg->msg_flags & MSG_OOB)
1401
		return -EOPNOTSUPP;
1402

1403
	hci_sockcm_init(&sockc, sk);
1404

1405
	if (msg->msg_controllen) {
1406
		err = sock_cmsg_send(sk, msg, &sockc);
1407
		if (err)
1408
			return err;
1409
	}
1410

1411
	lock_sock(sk);
1412

1413
	if (sk->sk_state != BT_CONNECTED) {
1414
		release_sock(sk);
1415
		return -ENOTCONN;
1416
	}
1417

1418
	mtu = iso_pi(sk)->conn->hcon->mtu;
1419

1420
	release_sock(sk);
1421

1422
	skb = bt_skb_sendmsg(sk, msg, len, mtu, HCI_ISO_DATA_HDR_SIZE, 0);
1423
	if (IS_ERR(skb))
1424
		return PTR_ERR(skb);
1425

1426
	len -= skb->len;
1427

1428
	BT_DBG("skb %p len %d", sk, skb->len);
1429

1430
	/* Continuation fragments */
1431
	frag = &skb_shinfo(skb)->frag_list;
1432
	while (len) {
1433
		struct sk_buff *tmp;
1434

1435
		tmp = bt_skb_sendmsg(sk, msg, len, mtu, 0, 0);
1436
		if (IS_ERR(tmp)) {
1437
			kfree_skb(skb);
1438
			return PTR_ERR(tmp);
1439
		}
1440

1441
		*frag = tmp;
1442

1443
		len  -= tmp->len;
1444

1445
		skb->len += tmp->len;
1446
		skb->data_len += tmp->len;
1447

1448
		BT_DBG("frag %p len %d", *frag, tmp->len);
1449

1450
		frag = &(*frag)->next;
1451
	}
1452

1453
	lock_sock(sk);
1454

1455
	if (sk->sk_state == BT_CONNECTED)
1456
		err = iso_send_frame(sk, skb, &sockc);
1457
	else
1458
		err = -ENOTCONN;
1459

1460
	release_sock(sk);
1461

1462
	if (err < 0)
1463
		kfree_skb(skb);
1464
	return err;
1465
}
1466

1467
static void iso_conn_defer_accept(struct hci_conn *conn)
1468
{
1469
	struct hci_cp_le_accept_cis cp;
1470
	struct hci_dev *hdev = conn->hdev;
1471

1472
	BT_DBG("conn %p", conn);
1473

1474
	conn->state = BT_CONFIG;
1475

1476
	cp.handle = cpu_to_le16(conn->handle);
1477

1478
	hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
1479
}
1480

1481
static void iso_conn_big_sync(struct sock *sk)
1482
{
1483
	int err;
1484
	struct hci_dev *hdev;
1485

1486
	hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
1487
			     iso_pi(sk)->src_type);
1488

1489
	if (!hdev)
1490
		return;
1491

1492
	/* hci_le_big_create_sync requires hdev lock to be held, since
1493
	 * it enqueues the HCI LE BIG Create Sync command via
1494
	 * hci_cmd_sync_queue_once, which checks hdev flags that might
1495
	 * change.
1496
	 */
1497
	hci_dev_lock(hdev);
1498
	lock_sock(sk);
1499

1500
	if (!test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) {
1501
		err = hci_conn_big_create_sync(hdev, iso_pi(sk)->conn->hcon,
1502
					       &iso_pi(sk)->qos,
1503
					       iso_pi(sk)->sync_handle,
1504
					       iso_pi(sk)->bc_num_bis,
1505
					       iso_pi(sk)->bc_bis);
1506
		if (err)
1507
			bt_dev_err(hdev, "hci_big_create_sync: %d", err);
1508
	}
1509

1510
	release_sock(sk);
1511
	hci_dev_unlock(hdev);
1512
}
1513

1514
static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1515
			    size_t len, int flags)
1516
{
1517
	struct sock *sk = sock->sk;
1518
	struct iso_pinfo *pi = iso_pi(sk);
1519
	bool early_ret = false;
1520
	int err = 0;
1521

1522
	BT_DBG("sk %p", sk);
1523

1524
	if (unlikely(flags & MSG_ERRQUEUE))
1525
		return sock_recv_errqueue(sk, msg, len, SOL_BLUETOOTH,
1526
					  BT_SCM_ERROR);
1527

1528
	if (test_and_clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
1529
		sock_hold(sk);
1530
		lock_sock(sk);
1531

1532
		switch (sk->sk_state) {
1533
		case BT_CONNECT2:
1534
			if (test_bit(BT_SK_PA_SYNC, &pi->flags)) {
1535
				release_sock(sk);
1536
				iso_conn_big_sync(sk);
1537
				lock_sock(sk);
1538

1539
				sk->sk_state = BT_LISTEN;
1540
			} else {
1541
				iso_conn_defer_accept(pi->conn->hcon);
1542
				sk->sk_state = BT_CONFIG;
1543
			}
1544

1545
			early_ret = true;
1546
			break;
1547
		case BT_CONNECTED:
1548
			if (test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) {
1549
				release_sock(sk);
1550
				iso_conn_big_sync(sk);
1551
				lock_sock(sk);
1552

1553
				sk->sk_state = BT_LISTEN;
1554
				early_ret = true;
1555
			}
1556

1557
			break;
1558
		case BT_CONNECT:
1559
			release_sock(sk);
1560
			err = iso_connect_cis(sk);
1561
			lock_sock(sk);
1562

1563
			early_ret = true;
1564
			break;
1565
		default:
1566
			break;
1567
		}
1568

1569
		release_sock(sk);
1570
		sock_put(sk);
1571

1572
		if (early_ret)
1573
			return err;
1574
	}
1575

1576
	return bt_sock_recvmsg(sock, msg, len, flags);
1577
}
1578

1579
static bool check_io_qos(struct bt_iso_io_qos *qos)
1580
{
1581
	/* If no PHY is enable SDU must be 0 */
1582
	if (!qos->phy && qos->sdu)
1583
		return false;
1584

1585
	if (qos->interval && (qos->interval < 0xff || qos->interval > 0xfffff))
1586
		return false;
1587

1588
	if (qos->latency && (qos->latency < 0x05 || qos->latency > 0xfa0))
1589
		return false;
1590

1591
	if (qos->phy > BT_ISO_PHY_ANY)
1592
		return false;
1593

1594
	return true;
1595
}
1596

1597
static bool check_ucast_qos(struct bt_iso_qos *qos)
1598
{
1599
	if (qos->ucast.cig > 0xef && qos->ucast.cig != BT_ISO_QOS_CIG_UNSET)
1600
		return false;
1601

1602
	if (qos->ucast.cis > 0xef && qos->ucast.cis != BT_ISO_QOS_CIS_UNSET)
1603
		return false;
1604

1605
	if (qos->ucast.sca > 0x07)
1606
		return false;
1607

1608
	if (qos->ucast.packing > 0x01)
1609
		return false;
1610

1611
	if (qos->ucast.framing > 0x01)
1612
		return false;
1613

1614
	if (!check_io_qos(&qos->ucast.in))
1615
		return false;
1616

1617
	if (!check_io_qos(&qos->ucast.out))
1618
		return false;
1619

1620
	return true;
1621
}
1622

1623
static bool check_bcast_qos(struct bt_iso_qos *qos)
1624
{
1625
	if (!qos->bcast.sync_factor)
1626
		qos->bcast.sync_factor = 0x01;
1627

1628
	if (qos->bcast.packing > 0x01)
1629
		return false;
1630

1631
	if (qos->bcast.framing > 0x01)
1632
		return false;
1633

1634
	if (!check_io_qos(&qos->bcast.in))
1635
		return false;
1636

1637
	if (!check_io_qos(&qos->bcast.out))
1638
		return false;
1639

1640
	if (qos->bcast.encryption > 0x01)
1641
		return false;
1642

1643
	if (qos->bcast.options > 0x07)
1644
		return false;
1645

1646
	if (qos->bcast.skip > 0x01f3)
1647
		return false;
1648

1649
	if (!qos->bcast.sync_timeout)
1650
		qos->bcast.sync_timeout = BT_ISO_SYNC_TIMEOUT;
1651

1652
	if (qos->bcast.sync_timeout < 0x000a || qos->bcast.sync_timeout > 0x4000)
1653
		return false;
1654

1655
	if (qos->bcast.sync_cte_type > 0x1f)
1656
		return false;
1657

1658
	if (qos->bcast.mse > 0x1f)
1659
		return false;
1660

1661
	if (!qos->bcast.timeout)
1662
		qos->bcast.sync_timeout = BT_ISO_SYNC_TIMEOUT;
1663

1664
	if (qos->bcast.timeout < 0x000a || qos->bcast.timeout > 0x4000)
1665
		return false;
1666

1667
	return true;
1668
}
1669

1670
static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
1671
			       sockptr_t optval, unsigned int optlen)
1672
{
1673
	struct sock *sk = sock->sk;
1674
	int err = 0;
1675
	struct bt_iso_qos qos = default_qos;
1676
	u32 opt;
1677

1678
	BT_DBG("sk %p", sk);
1679

1680
	lock_sock(sk);
1681

1682
	switch (optname) {
1683
	case BT_DEFER_SETUP:
1684
		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1685
			err = -EINVAL;
1686
			break;
1687
		}
1688

1689
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
1690
		if (err)
1691
			break;
1692

1693
		if (opt)
1694
			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
1695
		else
1696
			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
1697
		break;
1698

1699
	case BT_PKT_STATUS:
1700
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
1701
		if (err)
1702
			break;
1703

1704
		if (opt)
1705
			set_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags);
1706
		else
1707
			clear_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags);
1708
		break;
1709

1710
	case BT_PKT_SEQNUM:
1711
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
1712
		if (err)
1713
			break;
1714

1715
		if (opt)
1716
			set_bit(BT_SK_PKT_SEQNUM, &bt_sk(sk)->flags);
1717
		else
1718
			clear_bit(BT_SK_PKT_SEQNUM, &bt_sk(sk)->flags);
1719
		break;
1720

1721
	case BT_ISO_QOS:
1722
		if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND &&
1723
		    sk->sk_state != BT_CONNECT2 &&
1724
		    (!test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags) ||
1725
		    sk->sk_state != BT_CONNECTED)) {
1726
			err = -EINVAL;
1727
			break;
1728
		}
1729

1730
		err = copy_safe_from_sockptr(&qos, sizeof(qos), optval, optlen);
1731
		if (err)
1732
			break;
1733

1734
		iso_pi(sk)->qos = qos;
1735
		iso_pi(sk)->qos_user_set = true;
1736

1737
		break;
1738

1739
	case BT_ISO_BASE:
1740
		if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND &&
1741
		    sk->sk_state != BT_CONNECT2) {
1742
			err = -EINVAL;
1743
			break;
1744
		}
1745

1746
		if (optlen > sizeof(iso_pi(sk)->base)) {
1747
			err = -EINVAL;
1748
			break;
1749
		}
1750

1751
		err = copy_safe_from_sockptr(iso_pi(sk)->base, optlen, optval,
1752
					     optlen);
1753
		if (err)
1754
			break;
1755

1756
		iso_pi(sk)->base_len = optlen;
1757

1758
		break;
1759

1760
	default:
1761
		err = -ENOPROTOOPT;
1762
		break;
1763
	}
1764

1765
	release_sock(sk);
1766
	return err;
1767
}
1768

1769
static int iso_sock_getsockopt(struct socket *sock, int level, int optname,
1770
			       char __user *optval, int __user *optlen)
1771
{
1772
	struct sock *sk = sock->sk;
1773
	int len, err = 0;
1774
	struct bt_iso_qos *qos;
1775
	u8 base_len;
1776
	u8 *base;
1777

1778
	BT_DBG("sk %p", sk);
1779

1780
	if (get_user(len, optlen))
1781
		return -EFAULT;
1782

1783
	lock_sock(sk);
1784

1785
	switch (optname) {
1786
	case BT_DEFER_SETUP:
1787
		if (sk->sk_state == BT_CONNECTED) {
1788
			err = -EINVAL;
1789
			break;
1790
		}
1791

1792
		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
1793
			     (u32 __user *)optval))
1794
			err = -EFAULT;
1795

1796
		break;
1797

1798
	case BT_PKT_STATUS:
1799
		if (put_user(test_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags),
1800
			     (int __user *)optval))
1801
			err = -EFAULT;
1802
		break;
1803

1804
	case BT_ISO_QOS:
1805
		qos = iso_sock_get_qos(sk);
1806

1807
		len = min_t(unsigned int, len, sizeof(*qos));
1808
		if (copy_to_user(optval, qos, len))
1809
			err = -EFAULT;
1810

1811
		break;
1812

1813
	case BT_ISO_BASE:
1814
		if (sk->sk_state == BT_CONNECTED &&
1815
		    !bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) {
1816
			base_len = iso_pi(sk)->conn->hcon->le_per_adv_data_len;
1817
			base = iso_pi(sk)->conn->hcon->le_per_adv_data;
1818
		} else {
1819
			base_len = iso_pi(sk)->base_len;
1820
			base = iso_pi(sk)->base;
1821
		}
1822

1823
		len = min_t(unsigned int, len, base_len);
1824
		if (copy_to_user(optval, base, len))
1825
			err = -EFAULT;
1826
		if (put_user(len, optlen))
1827
			err = -EFAULT;
1828

1829
		break;
1830

1831
	default:
1832
		err = -ENOPROTOOPT;
1833
		break;
1834
	}
1835

1836
	release_sock(sk);
1837
	return err;
1838
}
1839

1840
static int iso_sock_shutdown(struct socket *sock, int how)
1841
{
1842
	struct sock *sk = sock->sk;
1843
	int err = 0;
1844

1845
	BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1846

1847
	if (!sk)
1848
		return 0;
1849

1850
	sock_hold(sk);
1851
	lock_sock(sk);
1852

1853
	switch (how) {
1854
	case SHUT_RD:
1855
		if (sk->sk_shutdown & RCV_SHUTDOWN)
1856
			goto unlock;
1857
		sk->sk_shutdown |= RCV_SHUTDOWN;
1858
		break;
1859
	case SHUT_WR:
1860
		if (sk->sk_shutdown & SEND_SHUTDOWN)
1861
			goto unlock;
1862
		sk->sk_shutdown |= SEND_SHUTDOWN;
1863
		break;
1864
	case SHUT_RDWR:
1865
		if (sk->sk_shutdown & SHUTDOWN_MASK)
1866
			goto unlock;
1867
		sk->sk_shutdown |= SHUTDOWN_MASK;
1868
		break;
1869
	}
1870

1871
	iso_sock_clear_timer(sk);
1872
	__iso_sock_close(sk);
1873

1874
	if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1875
	    !(current->flags & PF_EXITING))
1876
		err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
1877

1878
unlock:
1879
	release_sock(sk);
1880
	sock_put(sk);
1881

1882
	return err;
1883
}
1884

1885
static int iso_sock_release(struct socket *sock)
1886
{
1887
	struct sock *sk = sock->sk;
1888
	int err = 0;
1889

1890
	BT_DBG("sock %p, sk %p", sock, sk);
1891

1892
	if (!sk)
1893
		return 0;
1894

1895
	iso_sock_close(sk);
1896

1897
	if (sock_flag(sk, SOCK_LINGER) && READ_ONCE(sk->sk_lingertime) &&
1898
	    !(current->flags & PF_EXITING)) {
1899
		lock_sock(sk);
1900
		err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
1901
		release_sock(sk);
1902
	}
1903

1904
	sock_orphan(sk);
1905
	iso_sock_kill(sk);
1906
	return err;
1907
}
1908

1909
static void iso_sock_ready(struct sock *sk)
1910
{
1911
	BT_DBG("sk %p", sk);
1912

1913
	if (!sk)
1914
		return;
1915

1916
	lock_sock(sk);
1917
	iso_sock_clear_timer(sk);
1918
	sk->sk_state = BT_CONNECTED;
1919
	sk->sk_state_change(sk);
1920
	release_sock(sk);
1921
}
1922

1923
static bool iso_match_big(struct sock *sk, void *data)
1924
{
1925
	struct hci_evt_le_big_sync_established *ev = data;
1926

1927
	return ev->handle == iso_pi(sk)->qos.bcast.big;
1928
}
1929

1930
static bool iso_match_big_hcon(struct sock *sk, void *data)
1931
{
1932
	struct hci_conn *hcon = data;
1933

1934
	return hcon->iso_qos.bcast.big == iso_pi(sk)->qos.bcast.big;
1935
}
1936

1937
static bool iso_match_pa_sync_flag(struct sock *sk, void *data)
1938
{
1939
	return test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags);
1940
}
1941

1942
static void iso_conn_ready(struct iso_conn *conn)
1943
{
1944
	struct sock *parent = NULL;
1945
	struct sock *sk = conn->sk;
1946
	struct hci_ev_le_big_sync_established *ev = NULL;
1947
	struct hci_ev_le_pa_sync_established *ev2 = NULL;
1948
	struct hci_ev_le_per_adv_report *ev3 = NULL;
1949
	struct hci_conn *hcon;
1950

1951
	BT_DBG("conn %p", conn);
1952

1953
	if (sk) {
1954
		iso_sock_ready(conn->sk);
1955
	} else {
1956
		hcon = conn->hcon;
1957
		if (!hcon)
1958
			return;
1959

1960
		if (test_bit(HCI_CONN_BIG_SYNC, &hcon->flags)) {
1961
			/* A BIS slave hcon is notified to the ISO layer
1962
			 * after the Command Complete for the LE Setup
1963
			 * ISO Data Path command is received. Get the
1964
			 * parent socket that matches the hcon BIG handle.
1965
			 */
1966
			parent = iso_get_sock(&hcon->src, &hcon->dst,
1967
					      BT_LISTEN, iso_match_big_hcon,
1968
					      hcon);
1969
		} else if (test_bit(HCI_CONN_BIG_SYNC_FAILED, &hcon->flags)) {
1970
			ev = hci_recv_event_data(hcon->hdev,
1971
						 HCI_EVT_LE_BIG_SYNC_ESTABLISHED);
1972

1973
			/* Get reference to PA sync parent socket, if it exists */
1974
			parent = iso_get_sock(&hcon->src, &hcon->dst,
1975
					      BT_LISTEN,
1976
					      iso_match_pa_sync_flag,
1977
					      NULL);
1978
			if (!parent && ev)
1979
				parent = iso_get_sock(&hcon->src,
1980
						      &hcon->dst,
1981
						      BT_LISTEN,
1982
						      iso_match_big, ev);
1983
		} else if (test_bit(HCI_CONN_PA_SYNC_FAILED, &hcon->flags)) {
1984
			ev2 = hci_recv_event_data(hcon->hdev,
1985
						  HCI_EV_LE_PA_SYNC_ESTABLISHED);
1986
			if (ev2)
1987
				parent = iso_get_sock(&hcon->src,
1988
						      &hcon->dst,
1989
						      BT_LISTEN,
1990
						      iso_match_sid, ev2);
1991
		} else if (test_bit(HCI_CONN_PA_SYNC, &hcon->flags)) {
1992
			ev3 = hci_recv_event_data(hcon->hdev,
1993
						  HCI_EV_LE_PER_ADV_REPORT);
1994
			if (ev3)
1995
				parent = iso_get_sock(&hcon->src,
1996
						      &hcon->dst,
1997
						      BT_LISTEN,
1998
						      iso_match_sync_handle_pa_report,
1999
						      ev3);
2000
		}
2001

2002
		if (!parent)
2003
			parent = iso_get_sock(&hcon->src, BDADDR_ANY,
2004
					      BT_LISTEN, NULL, NULL);
2005

2006
		if (!parent)
2007
			return;
2008

2009
		lock_sock(parent);
2010

2011
		sk = iso_sock_alloc(sock_net(parent), NULL,
2012
				    BTPROTO_ISO, GFP_ATOMIC, 0);
2013
		if (!sk) {
2014
			release_sock(parent);
2015
			return;
2016
		}
2017

2018
		iso_sock_init(sk, parent);
2019

2020
		bacpy(&iso_pi(sk)->src, &hcon->src);
2021

2022
		/* Convert from HCI to three-value type */
2023
		if (hcon->src_type == ADDR_LE_DEV_PUBLIC)
2024
			iso_pi(sk)->src_type = BDADDR_LE_PUBLIC;
2025
		else
2026
			iso_pi(sk)->src_type = BDADDR_LE_RANDOM;
2027

2028
		/* If hcon has no destination address (BDADDR_ANY) it means it
2029
		 * was created by HCI_EV_LE_BIG_SYNC_ESTABILISHED or
2030
		 * HCI_EV_LE_PA_SYNC_ESTABLISHED so we need to initialize using
2031
		 * the parent socket destination address.
2032
		 */
2033
		if (!bacmp(&hcon->dst, BDADDR_ANY)) {
2034
			bacpy(&hcon->dst, &iso_pi(parent)->dst);
2035
			hcon->dst_type = iso_pi(parent)->dst_type;
2036
		}
2037

2038
		if (test_bit(HCI_CONN_PA_SYNC, &hcon->flags)) {
2039
			iso_pi(sk)->qos = iso_pi(parent)->qos;
2040
			hcon->iso_qos = iso_pi(sk)->qos;
2041
			iso_pi(sk)->bc_sid = iso_pi(parent)->bc_sid;
2042
			iso_pi(sk)->bc_num_bis = iso_pi(parent)->bc_num_bis;
2043
			memcpy(iso_pi(sk)->bc_bis, iso_pi(parent)->bc_bis,
2044
			       ISO_MAX_NUM_BIS);
2045
			set_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags);
2046
		}
2047

2048
		bacpy(&iso_pi(sk)->dst, &hcon->dst);
2049
		iso_pi(sk)->dst_type = hcon->dst_type;
2050
		iso_pi(sk)->sync_handle = iso_pi(parent)->sync_handle;
2051
		memcpy(iso_pi(sk)->base, iso_pi(parent)->base, iso_pi(parent)->base_len);
2052
		iso_pi(sk)->base_len = iso_pi(parent)->base_len;
2053

2054
		hci_conn_hold(hcon);
2055
		iso_chan_add(conn, sk, parent);
2056

2057
		if ((ev && ((struct hci_evt_le_big_sync_established *)ev)->status) ||
2058
		    (ev2 && ev2->status)) {
2059
			/* Trigger error signal on child socket */
2060
			sk->sk_err = ECONNREFUSED;
2061
			sk->sk_error_report(sk);
2062
		}
2063

2064
		if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
2065
			sk->sk_state = BT_CONNECT2;
2066
		else
2067
			sk->sk_state = BT_CONNECTED;
2068

2069
		/* Wake up parent */
2070
		parent->sk_data_ready(parent);
2071

2072
		release_sock(parent);
2073
		sock_put(parent);
2074
	}
2075
}
2076

2077
static bool iso_match_sid(struct sock *sk, void *data)
2078
{
2079
	struct hci_ev_le_pa_sync_established *ev = data;
2080

2081
	if (iso_pi(sk)->bc_sid == HCI_SID_INVALID)
2082
		return true;
2083

2084
	return ev->sid == iso_pi(sk)->bc_sid;
2085
}
2086

2087
static bool iso_match_sync_handle(struct sock *sk, void *data)
2088
{
2089
	struct hci_evt_le_big_info_adv_report *ev = data;
2090

2091
	return le16_to_cpu(ev->sync_handle) == iso_pi(sk)->sync_handle;
2092
}
2093

2094
static bool iso_match_sync_handle_pa_report(struct sock *sk, void *data)
2095
{
2096
	struct hci_ev_le_per_adv_report *ev = data;
2097

2098
	return le16_to_cpu(ev->sync_handle) == iso_pi(sk)->sync_handle;
2099
}
2100

2101
/* ----- ISO interface with lower layer (HCI) ----- */
2102

2103
int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
2104
{
2105
	struct hci_ev_le_pa_sync_established *ev1;
2106
	struct hci_evt_le_big_info_adv_report *ev2;
2107
	struct hci_ev_le_per_adv_report *ev3;
2108
	struct sock *sk;
2109

2110
	bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
2111

2112
	/* Broadcast receiver requires handling of some events before it can
2113
	 * proceed to establishing a BIG sync:
2114
	 *
2115
	 * 1. HCI_EV_LE_PA_SYNC_ESTABLISHED: The socket may specify a specific
2116
	 * SID to listen to and once sync is established its handle needs to
2117
	 * be stored in iso_pi(sk)->sync_handle so it can be matched once
2118
	 * receiving the BIG Info.
2119
	 * 2. HCI_EVT_LE_BIG_INFO_ADV_REPORT: When connect_ind is triggered by a
2120
	 * a BIG Info it attempts to check if there any listening socket with
2121
	 * the same sync_handle and if it does then attempt to create a sync.
2122
	 * 3. HCI_EV_LE_PER_ADV_REPORT: When a PA report is received, it is stored
2123
	 * in iso_pi(sk)->base so it can be passed up to user, in the case of a
2124
	 * broadcast sink.
2125
	 */
2126
	ev1 = hci_recv_event_data(hdev, HCI_EV_LE_PA_SYNC_ESTABLISHED);
2127
	if (ev1) {
2128
		sk = iso_get_sock(&hdev->bdaddr, bdaddr, BT_LISTEN,
2129
				  iso_match_sid, ev1);
2130
		if (sk && !ev1->status) {
2131
			iso_pi(sk)->sync_handle = le16_to_cpu(ev1->handle);
2132
			iso_pi(sk)->bc_sid = ev1->sid;
2133
		}
2134

2135
		goto done;
2136
	}
2137

2138
	ev2 = hci_recv_event_data(hdev, HCI_EVT_LE_BIG_INFO_ADV_REPORT);
2139
	if (ev2) {
2140
		/* Check if BIGInfo report has already been handled */
2141
		sk = iso_get_sock(&hdev->bdaddr, bdaddr, BT_CONNECTED,
2142
				  iso_match_sync_handle, ev2);
2143
		if (sk) {
2144
			sock_put(sk);
2145
			sk = NULL;
2146
			goto done;
2147
		}
2148

2149
		/* Try to get PA sync socket, if it exists */
2150
		sk = iso_get_sock(&hdev->bdaddr, bdaddr, BT_CONNECT2,
2151
				  iso_match_sync_handle, ev2);
2152
		if (!sk)
2153
			sk = iso_get_sock(&hdev->bdaddr, bdaddr,
2154
					  BT_LISTEN,
2155
					  iso_match_sync_handle,
2156
					  ev2);
2157

2158
		if (sk) {
2159
			int err;
2160
			struct hci_conn	*hcon = iso_pi(sk)->conn->hcon;
2161

2162
			iso_pi(sk)->qos.bcast.encryption = ev2->encryption;
2163

2164
			if (ev2->num_bis < iso_pi(sk)->bc_num_bis)
2165
				iso_pi(sk)->bc_num_bis = ev2->num_bis;
2166

2167
			if (!test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags) &&
2168
			    !test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) {
2169
				err = hci_conn_big_create_sync(hdev, hcon,
2170
							       &iso_pi(sk)->qos,
2171
							       iso_pi(sk)->sync_handle,
2172
							       iso_pi(sk)->bc_num_bis,
2173
							       iso_pi(sk)->bc_bis);
2174
				if (err) {
2175
					bt_dev_err(hdev, "hci_le_big_create_sync: %d",
2176
						   err);
2177
					sock_put(sk);
2178
					sk = NULL;
2179
				}
2180
			}
2181
		}
2182

2183
		goto done;
2184
	}
2185

2186
	ev3 = hci_recv_event_data(hdev, HCI_EV_LE_PER_ADV_REPORT);
2187
	if (ev3) {
2188
		size_t base_len = 0;
2189
		u8 *base;
2190
		struct hci_conn *hcon;
2191

2192
		sk = iso_get_sock(&hdev->bdaddr, bdaddr, BT_LISTEN,
2193
				  iso_match_sync_handle_pa_report, ev3);
2194
		if (!sk)
2195
			goto done;
2196

2197
		hcon = iso_pi(sk)->conn->hcon;
2198
		if (!hcon)
2199
			goto done;
2200

2201
		if (ev3->data_status == LE_PA_DATA_TRUNCATED) {
2202
			/* The controller was unable to retrieve PA data. */
2203
			memset(hcon->le_per_adv_data, 0,
2204
			       HCI_MAX_PER_AD_TOT_LEN);
2205
			hcon->le_per_adv_data_len = 0;
2206
			hcon->le_per_adv_data_offset = 0;
2207
			goto done;
2208
		}
2209

2210
		if (hcon->le_per_adv_data_offset + ev3->length >
2211
		    HCI_MAX_PER_AD_TOT_LEN)
2212
			goto done;
2213

2214
		memcpy(hcon->le_per_adv_data + hcon->le_per_adv_data_offset,
2215
		       ev3->data, ev3->length);
2216
		hcon->le_per_adv_data_offset += ev3->length;
2217

2218
		if (ev3->data_status == LE_PA_DATA_COMPLETE) {
2219
			/* All PA data has been received. */
2220
			hcon->le_per_adv_data_len =
2221
				hcon->le_per_adv_data_offset;
2222
			hcon->le_per_adv_data_offset = 0;
2223

2224
			/* Extract BASE */
2225
			base = eir_get_service_data(hcon->le_per_adv_data,
2226
						    hcon->le_per_adv_data_len,
2227
						    EIR_BAA_SERVICE_UUID,
2228
						    &base_len);
2229

2230
			if (!base || base_len > BASE_MAX_LENGTH)
2231
				goto done;
2232

2233
			memcpy(iso_pi(sk)->base, base, base_len);
2234
			iso_pi(sk)->base_len = base_len;
2235
		} else {
2236
			/* This is a PA data fragment. Keep pa_data_len set to 0
2237
			 * until all data has been reassembled.
2238
			 */
2239
			hcon->le_per_adv_data_len = 0;
2240
		}
2241
	} else {
2242
		sk = iso_get_sock(&hdev->bdaddr, BDADDR_ANY,
2243
				  BT_LISTEN, NULL, NULL);
2244
	}
2245

2246
done:
2247
	if (!sk)
2248
		return 0;
2249

2250
	if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
2251
		*flags |= HCI_PROTO_DEFER;
2252

2253
	sock_put(sk);
2254

2255
	return HCI_LM_ACCEPT;
2256
}
2257

2258
static void iso_connect_cfm(struct hci_conn *hcon, __u8 status)
2259
{
2260
	if (hcon->type != CIS_LINK && hcon->type != BIS_LINK &&
2261
	    hcon->type != PA_LINK) {
2262
		if (hcon->type != LE_LINK)
2263
			return;
2264

2265
		/* Check if LE link has failed */
2266
		if (status) {
2267
			struct hci_link *link, *t;
2268

2269
			list_for_each_entry_safe(link, t, &hcon->link_list,
2270
						 list)
2271
				iso_conn_del(link->conn, bt_to_errno(status));
2272

2273
			return;
2274
		}
2275

2276
		/* Create CIS if pending */
2277
		hci_le_create_cis_pending(hcon->hdev);
2278
		return;
2279
	}
2280

2281
	BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
2282

2283
	/* Similar to the success case, if HCI_CONN_BIG_SYNC_FAILED or
2284
	 * HCI_CONN_PA_SYNC_FAILED is set, queue the failed connection
2285
	 * into the accept queue of the listening socket and wake up
2286
	 * userspace, to inform the user about the event.
2287
	 */
2288
	if (!status || test_bit(HCI_CONN_BIG_SYNC_FAILED, &hcon->flags) ||
2289
	    test_bit(HCI_CONN_PA_SYNC_FAILED, &hcon->flags)) {
2290
		struct iso_conn *conn;
2291

2292
		conn = iso_conn_add(hcon);
2293
		if (conn)
2294
			iso_conn_ready(conn);
2295
	} else {
2296
		iso_conn_del(hcon, bt_to_errno(status));
2297
	}
2298
}
2299

2300
static void iso_disconn_cfm(struct hci_conn *hcon, __u8 reason)
2301
{
2302
	if (hcon->type != CIS_LINK && hcon->type !=  BIS_LINK &&
2303
	    hcon->type != PA_LINK)
2304
		return;
2305

2306
	BT_DBG("hcon %p reason %d", hcon, reason);
2307

2308
	iso_conn_del(hcon, bt_to_errno(reason));
2309
}
2310

2311
void iso_recv(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
2312
{
2313
	struct iso_conn *conn = hcon->iso_data;
2314
	struct skb_shared_hwtstamps *hwts;
2315
	__u16 pb, ts, len, sn;
2316

2317
	if (!conn)
2318
		goto drop;
2319

2320
	pb     = hci_iso_flags_pb(flags);
2321
	ts     = hci_iso_flags_ts(flags);
2322

2323
	BT_DBG("conn %p len %d pb 0x%x ts 0x%x", conn, skb->len, pb, ts);
2324

2325
	switch (pb) {
2326
	case ISO_START:
2327
	case ISO_SINGLE:
2328
		if (conn->rx_len) {
2329
			BT_ERR("Unexpected start frame (len %d)", skb->len);
2330
			kfree_skb(conn->rx_skb);
2331
			conn->rx_skb = NULL;
2332
			conn->rx_len = 0;
2333
		}
2334

2335
		if (ts) {
2336
			struct hci_iso_ts_data_hdr *hdr;
2337

2338
			hdr = skb_pull_data(skb, HCI_ISO_TS_DATA_HDR_SIZE);
2339
			if (!hdr) {
2340
				BT_ERR("Frame is too short (len %d)", skb->len);
2341
				goto drop;
2342
			}
2343

2344
			/*  Record the timestamp to skb */
2345
			hwts = skb_hwtstamps(skb);
2346
			hwts->hwtstamp = us_to_ktime(le32_to_cpu(hdr->ts));
2347

2348
			sn = __le16_to_cpu(hdr->sn);
2349
			len = __le16_to_cpu(hdr->slen);
2350
		} else {
2351
			struct hci_iso_data_hdr *hdr;
2352

2353
			hdr = skb_pull_data(skb, HCI_ISO_DATA_HDR_SIZE);
2354
			if (!hdr) {
2355
				BT_ERR("Frame is too short (len %d)", skb->len);
2356
				goto drop;
2357
			}
2358

2359
			sn = __le16_to_cpu(hdr->sn);
2360
			len = __le16_to_cpu(hdr->slen);
2361
		}
2362

2363
		flags  = hci_iso_data_flags(len);
2364
		len    = hci_iso_data_len(len);
2365

2366
		BT_DBG("Start: total len %d, frag len %d flags 0x%4.4x sn %d",
2367
		       len, skb->len, flags, sn);
2368

2369
		if (len == skb->len) {
2370
			/* Complete frame received */
2371
			hci_skb_pkt_status(skb) = flags & 0x03;
2372
			hci_skb_pkt_seqnum(skb) = sn;
2373
			iso_recv_frame(conn, skb);
2374
			return;
2375
		}
2376

2377
		if (pb == ISO_SINGLE) {
2378
			BT_ERR("Frame malformed (len %d, expected len %d)",
2379
			       skb->len, len);
2380
			goto drop;
2381
		}
2382

2383
		if (skb->len > len) {
2384
			BT_ERR("Frame is too long (len %d, expected len %d)",
2385
			       skb->len, len);
2386
			goto drop;
2387
		}
2388

2389
		/* Allocate skb for the complete frame (with header) */
2390
		conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
2391
		if (!conn->rx_skb)
2392
			goto drop;
2393

2394
		hci_skb_pkt_status(conn->rx_skb) = flags & 0x03;
2395
		hci_skb_pkt_seqnum(conn->rx_skb) = sn;
2396
		skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2397
					  skb->len);
2398
		conn->rx_len = len - skb->len;
2399

2400
		/* Copy hw timestamp from skb to rx_skb if present */
2401
		if (ts) {
2402
			hwts = skb_hwtstamps(conn->rx_skb);
2403
			hwts->hwtstamp = skb_hwtstamps(skb)->hwtstamp;
2404
		}
2405

2406
		break;
2407

2408
	case ISO_CONT:
2409
		BT_DBG("Cont: frag len %d (expecting %d)", skb->len,
2410
		       conn->rx_len);
2411

2412
		if (!conn->rx_len) {
2413
			BT_ERR("Unexpected continuation frame (len %d)",
2414
			       skb->len);
2415
			goto drop;
2416
		}
2417

2418
		if (skb->len > conn->rx_len) {
2419
			BT_ERR("Fragment is too long (len %d, expected %d)",
2420
			       skb->len, conn->rx_len);
2421
			kfree_skb(conn->rx_skb);
2422
			conn->rx_skb = NULL;
2423
			conn->rx_len = 0;
2424
			goto drop;
2425
		}
2426

2427
		skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2428
					  skb->len);
2429
		conn->rx_len -= skb->len;
2430
		break;
2431

2432
	case ISO_END:
2433
		skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2434
					  skb->len);
2435
		conn->rx_len -= skb->len;
2436

2437
		if (!conn->rx_len) {
2438
			struct sk_buff *rx_skb = conn->rx_skb;
2439

2440
			/* Complete frame received. iso_recv_frame
2441
			 * takes ownership of the skb so set the global
2442
			 * rx_skb pointer to NULL first.
2443
			 */
2444
			conn->rx_skb = NULL;
2445
			iso_recv_frame(conn, rx_skb);
2446
		}
2447
		break;
2448
	}
2449

2450
drop:
2451
	kfree_skb(skb);
2452
}
2453

2454
static struct hci_cb iso_cb = {
2455
	.name		= "ISO",
2456
	.connect_cfm	= iso_connect_cfm,
2457
	.disconn_cfm	= iso_disconn_cfm,
2458
};
2459

2460
static int iso_debugfs_show(struct seq_file *f, void *p)
2461
{
2462
	struct sock *sk;
2463

2464
	read_lock(&iso_sk_list.lock);
2465

2466
	sk_for_each(sk, &iso_sk_list.head) {
2467
		seq_printf(f, "%pMR %pMR %d\n", &iso_pi(sk)->src,
2468
			   &iso_pi(sk)->dst, sk->sk_state);
2469
	}
2470

2471
	read_unlock(&iso_sk_list.lock);
2472

2473
	return 0;
2474
}
2475

2476
DEFINE_SHOW_ATTRIBUTE(iso_debugfs);
2477

2478
static struct dentry *iso_debugfs;
2479

2480
static const struct proto_ops iso_sock_ops = {
2481
	.family		= PF_BLUETOOTH,
2482
	.owner		= THIS_MODULE,
2483
	.release	= iso_sock_release,
2484
	.bind		= iso_sock_bind,
2485
	.connect	= iso_sock_connect,
2486
	.listen		= iso_sock_listen,
2487
	.accept		= iso_sock_accept,
2488
	.getname	= iso_sock_getname,
2489
	.sendmsg	= iso_sock_sendmsg,
2490
	.recvmsg	= iso_sock_recvmsg,
2491
	.poll		= bt_sock_poll,
2492
	.ioctl		= bt_sock_ioctl,
2493
	.mmap		= sock_no_mmap,
2494
	.socketpair	= sock_no_socketpair,
2495
	.shutdown	= iso_sock_shutdown,
2496
	.setsockopt	= iso_sock_setsockopt,
2497
	.getsockopt	= iso_sock_getsockopt
2498
};
2499

2500
static const struct net_proto_family iso_sock_family_ops = {
2501
	.family	= PF_BLUETOOTH,
2502
	.owner	= THIS_MODULE,
2503
	.create	= iso_sock_create,
2504
};
2505

2506
static bool inited;
2507

2508
bool iso_inited(void)
2509
{
2510
	return inited;
2511
}
2512

2513
int iso_init(void)
2514
{
2515
	int err;
2516

2517
	BUILD_BUG_ON(sizeof(struct sockaddr_iso) > sizeof(struct sockaddr));
2518

2519
	if (inited)
2520
		return -EALREADY;
2521

2522
	err = proto_register(&iso_proto, 0);
2523
	if (err < 0)
2524
		return err;
2525

2526
	err = bt_sock_register(BTPROTO_ISO, &iso_sock_family_ops);
2527
	if (err < 0) {
2528
		BT_ERR("ISO socket registration failed");
2529
		goto error;
2530
	}
2531

2532
	err = bt_procfs_init(&init_net, "iso", &iso_sk_list, NULL);
2533
	if (err < 0) {
2534
		BT_ERR("Failed to create ISO proc file");
2535
		bt_sock_unregister(BTPROTO_ISO);
2536
		goto error;
2537
	}
2538

2539
	BT_INFO("ISO socket layer initialized");
2540

2541
	hci_register_cb(&iso_cb);
2542

2543
	if (!IS_ERR_OR_NULL(bt_debugfs))
2544
		iso_debugfs = debugfs_create_file("iso", 0444, bt_debugfs,
2545
						  NULL, &iso_debugfs_fops);
2546

2547
	inited = true;
2548

2549
	return 0;
2550

2551
error:
2552
	proto_unregister(&iso_proto);
2553
	return err;
2554
}
2555

2556
int iso_exit(void)
2557
{
2558
	if (!inited)
2559
		return -EALREADY;
2560

2561
	bt_procfs_cleanup(&init_net, "iso");
2562

2563
	debugfs_remove(iso_debugfs);
2564
	iso_debugfs = NULL;
2565

2566
	hci_unregister_cb(&iso_cb);
2567

2568
	bt_sock_unregister(BTPROTO_ISO);
2569

2570
	proto_unregister(&iso_proto);
2571

2572
	inited = false;
2573

2574
	return 0;
2575
}
2576

2577
Product

Resources

Company
