1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * BlueZ - Bluetooth protocol stack for Linux 4 * 5 * Copyright (C) 2022 Intel Corporation 6 * Copyright 2023-2024 NXP 7 */ 8 9 #include <linux/module.h> 10 #include <linux/debugfs.h> 11 #include <linux/seq_file.h> 12 #include <linux/sched/signal.h> 13 14 #include <net/bluetooth/bluetooth.h> 15 #include <net/bluetooth/hci_core.h> 16 #include <net/bluetooth/iso.h> 17 #include "eir.h" 18 19 static const struct proto_ops iso_sock_ops; 20 21 static struct bt_sock_list iso_sk_list = { 22 .lock = __RW_LOCK_UNLOCKED(iso_sk_list.lock) 23 }; 24 25 /* ---- ISO connections ---- */ 26 struct iso_conn { 27 struct hci_conn *hcon; 28 29 /* @lock: spinlock protecting changes to iso_conn fields */ 30 spinlock_t lock; 31 struct sock *sk; 32 33 struct delayed_work timeout_work; 34 35 struct sk_buff *rx_skb; 36 __u32 rx_len; 37 __u16 tx_sn; 38 struct kref ref; 39 }; 40 41 #define iso_conn_lock(c) spin_lock(&(c)->lock) 42 #define iso_conn_unlock(c) spin_unlock(&(c)->lock) 43 44 static void iso_sock_close(struct sock *sk); 45 static void iso_sock_kill(struct sock *sk); 46 47 /* ----- ISO socket info ----- */ 48 #define iso_pi(sk) ((struct iso_pinfo *)sk) 49 50 #define EIR_SERVICE_DATA_LENGTH 4 51 #define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH) 52 #define EIR_BAA_SERVICE_UUID 0x1851 53 54 /* iso_pinfo flags values */ 55 enum { 56 BT_SK_BIG_SYNC, 57 BT_SK_PA_SYNC, 58 }; 59 60 struct iso_pinfo { 61 struct bt_sock bt; 62 bdaddr_t src; 63 __u8 src_type; 64 bdaddr_t dst; 65 __u8 dst_type; 66 __u8 bc_sid; 67 __u8 bc_num_bis; 68 __u8 bc_bis[ISO_MAX_NUM_BIS]; 69 __u16 sync_handle; 70 unsigned long flags; 71 struct bt_iso_qos qos; 72 bool qos_user_set; 73 __u8 base_len; 74 __u8 base[BASE_MAX_LENGTH]; 75 struct iso_conn *conn; 76 }; 77 78 static struct bt_iso_qos default_qos; 79 80 static bool check_ucast_qos(struct bt_iso_qos *qos); 81 static bool check_bcast_qos(struct bt_iso_qos *qos); 82 static bool iso_match_sid(struct sock *sk, void *data); 83 static bool iso_match_sid_past(struct sock *sk, void *data); 84 static bool iso_match_sync_handle(struct sock *sk, void *data); 85 static bool iso_match_sync_handle_pa_report(struct sock *sk, void *data); 86 static void iso_sock_disconn(struct sock *sk); 87 88 typedef bool (*iso_sock_match_t)(struct sock *sk, void *data); 89 90 static struct sock *iso_get_sock(struct hci_dev *hdev, bdaddr_t *src, 91 bdaddr_t *dst, enum bt_sock_state state, 92 iso_sock_match_t match, void *data); 93 94 /* ---- ISO timers ---- */ 95 #define ISO_CONN_TIMEOUT secs_to_jiffies(20) 96 #define ISO_DISCONN_TIMEOUT secs_to_jiffies(2) 97 98 static void iso_conn_free(struct kref *ref) 99 { 100 struct iso_conn *conn = container_of(ref, struct iso_conn, ref); 101 102 BT_DBG("conn %p", conn); 103 104 if (conn->sk) 105 iso_pi(conn->sk)->conn = NULL; 106 107 if (conn->hcon) { 108 conn->hcon->iso_data = NULL; 109 hci_conn_drop(conn->hcon); 110 } 111 112 /* Ensure no more work items will run since hci_conn has been dropped */ 113 disable_delayed_work_sync(&conn->timeout_work); 114 115 kfree_skb(conn->rx_skb); 116 117 kfree(conn); 118 } 119 120 static void iso_conn_put(struct iso_conn *conn) 121 { 122 if (!conn) 123 return; 124 125 BT_DBG("conn %p refcnt %d", conn, kref_read(&conn->ref)); 126 127 kref_put(&conn->ref, iso_conn_free); 128 } 129 130 static struct iso_conn *iso_conn_hold_unless_zero(struct iso_conn *conn) 131 { 132 if (!conn) 133 return NULL; 134 135 BT_DBG("conn %p refcnt %u", conn, kref_read(&conn->ref)); 136 137 if (!kref_get_unless_zero(&conn->ref)) 138 return NULL; 139 140 return conn; 141 } 142 143 static struct sock *iso_sock_hold(struct iso_conn *conn) 144 { 145 if (!conn || !bt_sock_linked(&iso_sk_list, conn->sk)) 146 return NULL; 147 148 sock_hold(conn->sk); 149 150 return conn->sk; 151 } 152 153 static void iso_sock_timeout(struct work_struct *work) 154 { 155 struct iso_conn *conn = container_of(work, struct iso_conn, 156 timeout_work.work); 157 struct sock *sk; 158 159 conn = iso_conn_hold_unless_zero(conn); 160 if (!conn) 161 return; 162 163 iso_conn_lock(conn); 164 sk = iso_sock_hold(conn); 165 iso_conn_unlock(conn); 166 iso_conn_put(conn); 167 168 if (!sk) 169 return; 170 171 BT_DBG("sock %p state %d", sk, sk->sk_state); 172 173 lock_sock(sk); 174 sk->sk_err = ETIMEDOUT; 175 sk->sk_state_change(sk); 176 release_sock(sk); 177 sock_put(sk); 178 } 179 180 static void iso_sock_set_timer(struct sock *sk, long timeout) 181 { 182 if (!iso_pi(sk)->conn) 183 return; 184 185 BT_DBG("sock %p state %d timeout %ld", sk, sk->sk_state, timeout); 186 cancel_delayed_work(&iso_pi(sk)->conn->timeout_work); 187 schedule_delayed_work(&iso_pi(sk)->conn->timeout_work, timeout); 188 } 189 190 static void iso_sock_clear_timer(struct sock *sk) 191 { 192 if (!iso_pi(sk)->conn) 193 return; 194 195 BT_DBG("sock %p state %d", sk, sk->sk_state); 196 cancel_delayed_work(&iso_pi(sk)->conn->timeout_work); 197 } 198 199 /* ---- ISO connections ---- */ 200 static struct iso_conn *iso_conn_add(struct hci_conn *hcon) 201 { 202 struct iso_conn *conn = hcon->iso_data; 203 204 conn = iso_conn_hold_unless_zero(conn); 205 if (conn) { 206 if (!conn->hcon) { 207 iso_conn_lock(conn); 208 conn->hcon = hcon; 209 iso_conn_unlock(conn); 210 } 211 iso_conn_put(conn); 212 return conn; 213 } 214 215 conn = kzalloc_obj(*conn); 216 if (!conn) 217 return NULL; 218 219 kref_init(&conn->ref); 220 spin_lock_init(&conn->lock); 221 INIT_DELAYED_WORK(&conn->timeout_work, iso_sock_timeout); 222 223 hcon->iso_data = conn; 224 conn->hcon = hcon; 225 conn->tx_sn = 0; 226 227 BT_DBG("hcon %p conn %p", hcon, conn); 228 229 return conn; 230 } 231 232 /* Delete channel. Must be called on the locked socket. */ 233 static void iso_chan_del(struct sock *sk, int err) 234 { 235 struct iso_conn *conn; 236 struct sock *parent; 237 238 conn = iso_pi(sk)->conn; 239 iso_pi(sk)->conn = NULL; 240 241 BT_DBG("sk %p, conn %p, err %d", sk, conn, err); 242 243 if (conn) { 244 iso_conn_lock(conn); 245 conn->sk = NULL; 246 iso_conn_unlock(conn); 247 iso_conn_put(conn); 248 } 249 250 sk->sk_state = BT_CLOSED; 251 sk->sk_err = err; 252 253 parent = bt_sk(sk)->parent; 254 if (parent) { 255 bt_accept_unlink(sk); 256 parent->sk_data_ready(parent); 257 } else { 258 sk->sk_state_change(sk); 259 } 260 261 sock_set_flag(sk, SOCK_ZAPPED); 262 } 263 264 static void iso_conn_del(struct hci_conn *hcon, int err) 265 { 266 struct iso_conn *conn = hcon->iso_data; 267 struct sock *sk; 268 269 conn = iso_conn_hold_unless_zero(conn); 270 if (!conn) 271 return; 272 273 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err); 274 275 /* Kill socket */ 276 iso_conn_lock(conn); 277 sk = iso_sock_hold(conn); 278 iso_conn_unlock(conn); 279 iso_conn_put(conn); 280 281 if (!sk) { 282 iso_conn_put(conn); 283 return; 284 } 285 286 lock_sock(sk); 287 iso_sock_clear_timer(sk); 288 iso_chan_del(sk, err); 289 release_sock(sk); 290 sock_put(sk); 291 } 292 293 static int __iso_chan_add(struct iso_conn *conn, struct sock *sk, 294 struct sock *parent) 295 { 296 BT_DBG("conn %p", conn); 297 298 if (iso_pi(sk)->conn == conn && conn->sk == sk) 299 return 0; 300 301 if (conn->sk) { 302 BT_ERR("conn->sk already set"); 303 return -EBUSY; 304 } 305 306 iso_pi(sk)->conn = conn; 307 conn->sk = sk; 308 309 if (parent) 310 bt_accept_enqueue(parent, sk, true); 311 312 return 0; 313 } 314 315 static int iso_chan_add(struct iso_conn *conn, struct sock *sk, 316 struct sock *parent) 317 { 318 int err; 319 320 iso_conn_lock(conn); 321 err = __iso_chan_add(conn, sk, parent); 322 iso_conn_unlock(conn); 323 324 return err; 325 } 326 327 static inline u8 le_addr_type(u8 bdaddr_type) 328 { 329 if (bdaddr_type == BDADDR_LE_PUBLIC) 330 return ADDR_LE_DEV_PUBLIC; 331 else 332 return ADDR_LE_DEV_RANDOM; 333 } 334 335 static int iso_connect_bis(struct sock *sk) 336 { 337 struct iso_conn *conn; 338 struct hci_conn *hcon; 339 struct hci_dev *hdev; 340 int err; 341 342 BT_DBG("%pMR (SID 0x%2.2x)", &iso_pi(sk)->src, iso_pi(sk)->bc_sid); 343 344 hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src, 345 iso_pi(sk)->src_type); 346 if (!hdev) 347 return -EHOSTUNREACH; 348 349 hci_dev_lock(hdev); 350 lock_sock(sk); 351 352 if (!bis_capable(hdev)) { 353 err = -EOPNOTSUPP; 354 goto unlock; 355 } 356 357 /* Fail if user set invalid QoS */ 358 if (iso_pi(sk)->qos_user_set && !check_bcast_qos(&iso_pi(sk)->qos)) { 359 iso_pi(sk)->qos = default_qos; 360 err = -EINVAL; 361 goto unlock; 362 } 363 364 /* Fail if out PHYs are marked as disabled */ 365 if (!iso_pi(sk)->qos.bcast.out.phys) { 366 err = -EINVAL; 367 goto unlock; 368 } 369 370 /* Just bind if DEFER_SETUP has been set */ 371 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 372 hcon = hci_bind_bis(hdev, &iso_pi(sk)->dst, iso_pi(sk)->bc_sid, 373 &iso_pi(sk)->qos, iso_pi(sk)->base_len, 374 iso_pi(sk)->base, 375 READ_ONCE(sk->sk_sndtimeo)); 376 if (IS_ERR(hcon)) { 377 err = PTR_ERR(hcon); 378 goto unlock; 379 } 380 } else { 381 hcon = hci_connect_bis(hdev, &iso_pi(sk)->dst, 382 le_addr_type(iso_pi(sk)->dst_type), 383 iso_pi(sk)->bc_sid, &iso_pi(sk)->qos, 384 iso_pi(sk)->base_len, iso_pi(sk)->base, 385 READ_ONCE(sk->sk_sndtimeo)); 386 if (IS_ERR(hcon)) { 387 err = PTR_ERR(hcon); 388 goto unlock; 389 } 390 391 /* Update SID if it was not set */ 392 if (iso_pi(sk)->bc_sid == HCI_SID_INVALID) 393 iso_pi(sk)->bc_sid = hcon->sid; 394 } 395 396 conn = iso_conn_add(hcon); 397 if (!conn) { 398 hci_conn_drop(hcon); 399 err = -ENOMEM; 400 goto unlock; 401 } 402 403 err = iso_chan_add(conn, sk, NULL); 404 if (err) 405 goto unlock; 406 407 /* Update source addr of the socket */ 408 bacpy(&iso_pi(sk)->src, &hcon->src); 409 410 if (hcon->state == BT_CONNECTED) { 411 iso_sock_clear_timer(sk); 412 sk->sk_state = BT_CONNECTED; 413 } else if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 414 iso_sock_clear_timer(sk); 415 sk->sk_state = BT_CONNECT; 416 } else { 417 sk->sk_state = BT_CONNECT; 418 iso_sock_set_timer(sk, READ_ONCE(sk->sk_sndtimeo)); 419 } 420 421 unlock: 422 release_sock(sk); 423 hci_dev_unlock(hdev); 424 hci_dev_put(hdev); 425 return err; 426 } 427 428 static int iso_connect_cis(struct sock *sk) 429 { 430 struct iso_conn *conn; 431 struct hci_conn *hcon; 432 struct hci_dev *hdev; 433 int err; 434 435 BT_DBG("%pMR -> %pMR", &iso_pi(sk)->src, &iso_pi(sk)->dst); 436 437 hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src, 438 iso_pi(sk)->src_type); 439 if (!hdev) 440 return -EHOSTUNREACH; 441 442 hci_dev_lock(hdev); 443 lock_sock(sk); 444 445 if (!cis_central_capable(hdev)) { 446 err = -EOPNOTSUPP; 447 goto unlock; 448 } 449 450 /* Fail if user set invalid QoS */ 451 if (iso_pi(sk)->qos_user_set && !check_ucast_qos(&iso_pi(sk)->qos)) { 452 iso_pi(sk)->qos = default_qos; 453 err = -EINVAL; 454 goto unlock; 455 } 456 457 /* Fail if either PHYs are marked as disabled */ 458 if (!iso_pi(sk)->qos.ucast.in.phys && !iso_pi(sk)->qos.ucast.out.phys) { 459 err = -EINVAL; 460 goto unlock; 461 } 462 463 /* Check if there are available buffers for output/TX. */ 464 if (iso_pi(sk)->qos.ucast.out.sdu && !hci_iso_count(hdev) && 465 (hdev->iso_pkts && !hdev->iso_cnt)) { 466 err = -ENOBUFS; 467 goto unlock; 468 } 469 470 /* Just bind if DEFER_SETUP has been set */ 471 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 472 hcon = hci_bind_cis(hdev, &iso_pi(sk)->dst, 473 le_addr_type(iso_pi(sk)->dst_type), 474 &iso_pi(sk)->qos, 475 READ_ONCE(sk->sk_sndtimeo)); 476 if (IS_ERR(hcon)) { 477 err = PTR_ERR(hcon); 478 goto unlock; 479 } 480 } else { 481 hcon = hci_connect_cis(hdev, &iso_pi(sk)->dst, 482 le_addr_type(iso_pi(sk)->dst_type), 483 &iso_pi(sk)->qos, 484 READ_ONCE(sk->sk_sndtimeo)); 485 if (IS_ERR(hcon)) { 486 err = PTR_ERR(hcon); 487 goto unlock; 488 } 489 } 490 491 conn = iso_conn_add(hcon); 492 if (!conn) { 493 hci_conn_drop(hcon); 494 err = -ENOMEM; 495 goto unlock; 496 } 497 498 err = iso_chan_add(conn, sk, NULL); 499 if (err) 500 goto unlock; 501 502 /* Update source addr of the socket */ 503 bacpy(&iso_pi(sk)->src, &hcon->src); 504 505 if (hcon->state == BT_CONNECTED) { 506 iso_sock_clear_timer(sk); 507 sk->sk_state = BT_CONNECTED; 508 } else if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 509 iso_sock_clear_timer(sk); 510 sk->sk_state = BT_CONNECT; 511 } else { 512 sk->sk_state = BT_CONNECT; 513 iso_sock_set_timer(sk, READ_ONCE(sk->sk_sndtimeo)); 514 } 515 516 unlock: 517 release_sock(sk); 518 hci_dev_unlock(hdev); 519 hci_dev_put(hdev); 520 return err; 521 } 522 523 static struct bt_iso_qos *iso_sock_get_qos(struct sock *sk) 524 { 525 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONNECT2) 526 return &iso_pi(sk)->conn->hcon->iso_qos; 527 528 return &iso_pi(sk)->qos; 529 } 530 531 static int iso_send_frame(struct sock *sk, struct sk_buff *skb, 532 const struct sockcm_cookie *sockc) 533 { 534 struct iso_conn *conn = iso_pi(sk)->conn; 535 struct bt_iso_qos *qos = iso_sock_get_qos(sk); 536 struct hci_iso_data_hdr *hdr; 537 int len = 0; 538 539 BT_DBG("sk %p len %d", sk, skb->len); 540 541 if (skb->len > qos->ucast.out.sdu) 542 return -EMSGSIZE; 543 544 len = skb->len; 545 546 /* Push ISO data header */ 547 hdr = skb_push(skb, HCI_ISO_DATA_HDR_SIZE); 548 hdr->sn = cpu_to_le16(conn->tx_sn++); 549 hdr->slen = cpu_to_le16(hci_iso_data_len_pack(len, 550 HCI_ISO_STATUS_VALID)); 551 552 if (sk->sk_state == BT_CONNECTED) { 553 hci_setup_tx_timestamp(skb, 1, sockc); 554 hci_send_iso(conn->hcon, skb); 555 } else { 556 len = -ENOTCONN; 557 } 558 559 return len; 560 } 561 562 static void iso_recv_frame(struct iso_conn *conn, struct sk_buff *skb) 563 { 564 struct sock *sk; 565 566 iso_conn_lock(conn); 567 sk = conn->sk; 568 iso_conn_unlock(conn); 569 570 if (!sk) 571 goto drop; 572 573 BT_DBG("sk %p len %d", sk, skb->len); 574 575 if (sk->sk_state != BT_CONNECTED) 576 goto drop; 577 578 if (!sock_queue_rcv_skb(sk, skb)) 579 return; 580 581 drop: 582 kfree_skb(skb); 583 } 584 585 /* -------- Socket interface ---------- */ 586 static struct sock *__iso_get_sock_listen_by_addr(bdaddr_t *src, bdaddr_t *dst) 587 { 588 struct sock *sk; 589 590 sk_for_each(sk, &iso_sk_list.head) { 591 if (sk->sk_state != BT_LISTEN) 592 continue; 593 594 if (bacmp(&iso_pi(sk)->dst, dst)) 595 continue; 596 597 if (!bacmp(&iso_pi(sk)->src, src)) 598 return sk; 599 } 600 601 return NULL; 602 } 603 604 static struct sock *__iso_get_sock_listen_by_sid(bdaddr_t *ba, bdaddr_t *bc, 605 __u8 sid) 606 { 607 struct sock *sk; 608 609 sk_for_each(sk, &iso_sk_list.head) { 610 if (sk->sk_state != BT_LISTEN) 611 continue; 612 613 if (bacmp(&iso_pi(sk)->src, ba)) 614 continue; 615 616 if (bacmp(&iso_pi(sk)->dst, bc)) 617 continue; 618 619 if (iso_pi(sk)->bc_sid == sid) 620 return sk; 621 } 622 623 return NULL; 624 } 625 626 /* Find socket in given state: 627 * source bdaddr (Unicast) 628 * destination bdaddr (Broadcast only) 629 * match func - pass NULL to ignore 630 * match func data - pass -1 to ignore 631 * Returns closest match. 632 */ 633 static struct sock *iso_get_sock(struct hci_dev *hdev, bdaddr_t *src, 634 bdaddr_t *dst, enum bt_sock_state state, 635 iso_sock_match_t match, void *data) 636 { 637 struct sock *sk = NULL, *sk1 = NULL; 638 639 read_lock(&iso_sk_list.lock); 640 641 sk_for_each(sk, &iso_sk_list.head) { 642 if (sk->sk_state != state) 643 continue; 644 645 /* Match Broadcast destination */ 646 if (bacmp(dst, BDADDR_ANY) && bacmp(&iso_pi(sk)->dst, dst)) { 647 struct smp_irk *irk1, *irk2; 648 649 /* Check if destination is an RPA that we can resolve */ 650 irk1 = hci_find_irk_by_rpa(hdev, dst); 651 if (!irk1) 652 continue; 653 654 /* Match with identity address */ 655 if (bacmp(&iso_pi(sk)->dst, &irk1->bdaddr)) { 656 /* Check if socket destination address is also 657 * an RPA and if the IRK matches. 658 */ 659 irk2 = hci_find_irk_by_rpa(hdev, 660 &iso_pi(sk)->dst); 661 if (!irk2 || irk1 != irk2) 662 continue; 663 } 664 } 665 666 /* Use Match function if provided */ 667 if (match && !match(sk, data)) 668 continue; 669 670 /* Exact match. */ 671 if (!bacmp(&iso_pi(sk)->src, src)) { 672 sock_hold(sk); 673 break; 674 } 675 676 /* Closest match */ 677 if (!bacmp(&iso_pi(sk)->src, BDADDR_ANY)) { 678 if (sk1) 679 sock_put(sk1); 680 681 sk1 = sk; 682 sock_hold(sk1); 683 } 684 } 685 686 if (sk && sk1) 687 sock_put(sk1); 688 689 read_unlock(&iso_sk_list.lock); 690 691 return sk ? sk : sk1; 692 } 693 694 static struct sock *iso_get_sock_big(struct sock *match_sk, bdaddr_t *src, 695 bdaddr_t *dst, uint8_t big) 696 { 697 struct sock *sk = NULL; 698 699 read_lock(&iso_sk_list.lock); 700 701 sk_for_each(sk, &iso_sk_list.head) { 702 if (match_sk == sk) 703 continue; 704 705 /* Look for sockets that have already been 706 * connected to the BIG 707 */ 708 if (sk->sk_state != BT_CONNECTED && 709 sk->sk_state != BT_CONNECT) 710 continue; 711 712 /* Match Broadcast destination */ 713 if (bacmp(&iso_pi(sk)->dst, dst)) 714 continue; 715 716 /* Match BIG handle */ 717 if (iso_pi(sk)->qos.bcast.big != big) 718 continue; 719 720 /* Match source address */ 721 if (bacmp(&iso_pi(sk)->src, src)) 722 continue; 723 724 sock_hold(sk); 725 break; 726 } 727 728 read_unlock(&iso_sk_list.lock); 729 730 return sk; 731 } 732 733 static void iso_sock_destruct(struct sock *sk) 734 { 735 BT_DBG("sk %p", sk); 736 737 iso_conn_put(iso_pi(sk)->conn); 738 739 skb_queue_purge(&sk->sk_receive_queue); 740 skb_queue_purge(&sk->sk_write_queue); 741 skb_queue_purge(&sk->sk_error_queue); 742 } 743 744 static void iso_sock_cleanup_listen(struct sock *parent) 745 { 746 struct sock *sk; 747 748 BT_DBG("parent %p", parent); 749 750 /* Close not yet accepted channels */ 751 while ((sk = bt_accept_dequeue(parent, NULL))) { 752 iso_sock_close(sk); 753 iso_sock_kill(sk); 754 } 755 756 /* If listening socket has a hcon, properly disconnect it */ 757 if (iso_pi(parent)->conn && iso_pi(parent)->conn->hcon) { 758 iso_sock_disconn(parent); 759 return; 760 } 761 762 parent->sk_state = BT_CLOSED; 763 sock_set_flag(parent, SOCK_ZAPPED); 764 } 765 766 /* Kill socket (only if zapped and orphan) 767 * Must be called on unlocked socket. 768 */ 769 static void iso_sock_kill(struct sock *sk) 770 { 771 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket || 772 sock_flag(sk, SOCK_DEAD)) 773 return; 774 775 BT_DBG("sk %p state %d", sk, sk->sk_state); 776 777 /* Sock is dead, so set conn->sk to NULL to avoid possible UAF */ 778 if (iso_pi(sk)->conn) { 779 iso_conn_lock(iso_pi(sk)->conn); 780 iso_pi(sk)->conn->sk = NULL; 781 iso_conn_unlock(iso_pi(sk)->conn); 782 } 783 784 /* Kill poor orphan */ 785 bt_sock_unlink(&iso_sk_list, sk); 786 sock_set_flag(sk, SOCK_DEAD); 787 sock_put(sk); 788 } 789 790 static void iso_sock_disconn(struct sock *sk) 791 { 792 struct sock *bis_sk; 793 struct hci_conn *hcon = iso_pi(sk)->conn->hcon; 794 795 if (test_bit(HCI_CONN_BIG_CREATED, &hcon->flags)) { 796 bis_sk = iso_get_sock_big(sk, &iso_pi(sk)->src, 797 &iso_pi(sk)->dst, 798 iso_pi(sk)->qos.bcast.big); 799 800 /* If there are any other connected sockets for the 801 * same BIG, just delete the sk and leave the bis 802 * hcon active, in case later rebinding is needed. 803 */ 804 if (bis_sk) { 805 hcon->state = BT_OPEN; 806 hcon->iso_data = NULL; 807 iso_pi(sk)->conn->hcon = NULL; 808 iso_sock_clear_timer(sk); 809 iso_chan_del(sk, bt_to_errno(hcon->abort_reason)); 810 sock_put(bis_sk); 811 return; 812 } 813 } 814 815 sk->sk_state = BT_DISCONN; 816 iso_conn_lock(iso_pi(sk)->conn); 817 hci_conn_drop(iso_pi(sk)->conn->hcon); 818 iso_pi(sk)->conn->hcon = NULL; 819 iso_conn_unlock(iso_pi(sk)->conn); 820 } 821 822 static void __iso_sock_close(struct sock *sk) 823 { 824 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket); 825 826 switch (sk->sk_state) { 827 case BT_LISTEN: 828 iso_sock_cleanup_listen(sk); 829 break; 830 831 case BT_CONNECT: 832 case BT_CONNECTED: 833 case BT_CONFIG: 834 if (iso_pi(sk)->conn->hcon) 835 iso_sock_disconn(sk); 836 else 837 iso_chan_del(sk, ECONNRESET); 838 break; 839 840 case BT_CONNECT2: 841 if (iso_pi(sk)->conn->hcon && 842 (test_bit(HCI_CONN_PA_SYNC, &iso_pi(sk)->conn->hcon->flags) || 843 test_bit(HCI_CONN_PA_SYNC_FAILED, &iso_pi(sk)->conn->hcon->flags))) 844 iso_sock_disconn(sk); 845 else 846 iso_chan_del(sk, ECONNRESET); 847 break; 848 case BT_DISCONN: 849 iso_chan_del(sk, ECONNRESET); 850 break; 851 852 default: 853 sock_set_flag(sk, SOCK_ZAPPED); 854 break; 855 } 856 } 857 858 /* Must be called on unlocked socket. */ 859 static void iso_sock_close(struct sock *sk) 860 { 861 iso_sock_clear_timer(sk); 862 lock_sock(sk); 863 __iso_sock_close(sk); 864 release_sock(sk); 865 iso_sock_kill(sk); 866 } 867 868 static void iso_sock_init(struct sock *sk, struct sock *parent) 869 { 870 BT_DBG("sk %p", sk); 871 872 if (parent) { 873 sk->sk_type = parent->sk_type; 874 bt_sk(sk)->flags = bt_sk(parent)->flags; 875 security_sk_clone(parent, sk); 876 } 877 } 878 879 static struct proto iso_proto = { 880 .name = "ISO", 881 .owner = THIS_MODULE, 882 .obj_size = sizeof(struct iso_pinfo) 883 }; 884 885 #define DEFAULT_IO_QOS \ 886 { \ 887 .interval = 10000u, \ 888 .latency = 10u, \ 889 .sdu = 40u, \ 890 .phys = BT_ISO_PHY_2M, \ 891 .rtn = 2u, \ 892 } 893 894 static struct bt_iso_qos default_qos = { 895 .bcast = { 896 .big = BT_ISO_QOS_BIG_UNSET, 897 .bis = BT_ISO_QOS_BIS_UNSET, 898 .sync_factor = 0x01, 899 .packing = 0x00, 900 .framing = 0x00, 901 .in = DEFAULT_IO_QOS, 902 .out = DEFAULT_IO_QOS, 903 .encryption = 0x00, 904 .bcode = {0x00}, 905 .options = 0x00, 906 .skip = 0x0000, 907 .sync_timeout = BT_ISO_SYNC_TIMEOUT, 908 .sync_cte_type = 0x00, 909 .mse = 0x00, 910 .timeout = BT_ISO_SYNC_TIMEOUT, 911 }, 912 }; 913 914 static struct sock *iso_sock_alloc(struct net *net, struct socket *sock, 915 int proto, gfp_t prio, int kern) 916 { 917 struct sock *sk; 918 919 sk = bt_sock_alloc(net, sock, &iso_proto, proto, prio, kern); 920 if (!sk) 921 return NULL; 922 923 sk->sk_destruct = iso_sock_destruct; 924 sk->sk_sndtimeo = ISO_CONN_TIMEOUT; 925 926 /* Set address type as public as default src address is BDADDR_ANY */ 927 iso_pi(sk)->src_type = BDADDR_LE_PUBLIC; 928 929 iso_pi(sk)->qos = default_qos; 930 iso_pi(sk)->sync_handle = -1; 931 932 bt_sock_link(&iso_sk_list, sk); 933 return sk; 934 } 935 936 static int iso_sock_create(struct net *net, struct socket *sock, int protocol, 937 int kern) 938 { 939 struct sock *sk; 940 941 BT_DBG("sock %p", sock); 942 943 sock->state = SS_UNCONNECTED; 944 945 if (sock->type != SOCK_SEQPACKET) 946 return -ESOCKTNOSUPPORT; 947 948 sock->ops = &iso_sock_ops; 949 950 sk = iso_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern); 951 if (!sk) 952 return -ENOMEM; 953 954 iso_sock_init(sk, NULL); 955 return 0; 956 } 957 958 static int iso_sock_bind_bc(struct socket *sock, struct sockaddr_unsized *addr, 959 int addr_len) 960 { 961 struct sockaddr_iso *sa = (struct sockaddr_iso *)addr; 962 struct sock *sk = sock->sk; 963 int i; 964 965 BT_DBG("sk %p bc_sid %u bc_num_bis %u", sk, sa->iso_bc->bc_sid, 966 sa->iso_bc->bc_num_bis); 967 968 if (addr_len != sizeof(*sa) + sizeof(*sa->iso_bc)) 969 return -EINVAL; 970 971 bacpy(&iso_pi(sk)->dst, &sa->iso_bc->bc_bdaddr); 972 973 /* Check if the address type is of LE type */ 974 if (!bdaddr_type_is_le(sa->iso_bc->bc_bdaddr_type)) 975 return -EINVAL; 976 977 iso_pi(sk)->dst_type = sa->iso_bc->bc_bdaddr_type; 978 979 if (sa->iso_bc->bc_sid > 0x0f && sa->iso_bc->bc_sid != HCI_SID_INVALID) 980 return -EINVAL; 981 982 iso_pi(sk)->bc_sid = sa->iso_bc->bc_sid; 983 984 if (sa->iso_bc->bc_num_bis > ISO_MAX_NUM_BIS) 985 return -EINVAL; 986 987 iso_pi(sk)->bc_num_bis = sa->iso_bc->bc_num_bis; 988 989 for (i = 0; i < iso_pi(sk)->bc_num_bis; i++) 990 if (sa->iso_bc->bc_bis[i] < 0x01 || 991 sa->iso_bc->bc_bis[i] > 0x1f) 992 return -EINVAL; 993 994 memcpy(iso_pi(sk)->bc_bis, sa->iso_bc->bc_bis, 995 iso_pi(sk)->bc_num_bis); 996 997 return 0; 998 } 999 1000 /* Must be called on the locked socket. */ 1001 static int iso_sock_rebind_bis(struct sock *sk, struct sockaddr_iso *sa, 1002 int addr_len) 1003 { 1004 int err = 0; 1005 1006 if (!test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) 1007 return -EBADFD; 1008 1009 if (sa->iso_bc->bc_num_bis > ISO_MAX_NUM_BIS) { 1010 err = -EINVAL; 1011 goto done; 1012 } 1013 1014 iso_pi(sk)->bc_num_bis = sa->iso_bc->bc_num_bis; 1015 1016 for (int i = 0; i < iso_pi(sk)->bc_num_bis; i++) 1017 if (sa->iso_bc->bc_bis[i] < 0x01 || 1018 sa->iso_bc->bc_bis[i] > 0x1f) { 1019 err = -EINVAL; 1020 goto done; 1021 } 1022 1023 memcpy(iso_pi(sk)->bc_bis, sa->iso_bc->bc_bis, 1024 iso_pi(sk)->bc_num_bis); 1025 1026 done: 1027 return err; 1028 } 1029 1030 static struct hci_dev *iso_conn_get_hdev(struct iso_conn *conn) 1031 { 1032 struct hci_dev *hdev = NULL; 1033 1034 iso_conn_lock(conn); 1035 if (conn->hcon) 1036 hdev = hci_dev_hold(conn->hcon->hdev); 1037 iso_conn_unlock(conn); 1038 1039 return hdev; 1040 } 1041 1042 /* Must be called on the locked socket. */ 1043 static int iso_sock_rebind_bc(struct sock *sk, struct sockaddr_iso *sa, 1044 int addr_len) 1045 { 1046 struct hci_dev *hdev; 1047 struct hci_conn *bis; 1048 int err; 1049 1050 if (sk->sk_type != SOCK_SEQPACKET || !iso_pi(sk)->conn) 1051 return -EINVAL; 1052 1053 /* Check if it is really a Broadcast address being requested */ 1054 if (addr_len != sizeof(*sa) + sizeof(*sa->iso_bc)) 1055 return -EINVAL; 1056 1057 /* Check if the address hasn't changed then perhaps only the number of 1058 * bis has changed. 1059 */ 1060 if (!bacmp(&iso_pi(sk)->dst, &sa->iso_bc->bc_bdaddr) || 1061 !bacmp(&sa->iso_bc->bc_bdaddr, BDADDR_ANY)) 1062 return iso_sock_rebind_bis(sk, sa, addr_len); 1063 1064 /* Check if the address type is of LE type */ 1065 if (!bdaddr_type_is_le(sa->iso_bc->bc_bdaddr_type)) 1066 return -EINVAL; 1067 1068 hdev = iso_conn_get_hdev(iso_pi(sk)->conn); 1069 if (!hdev) 1070 return -EINVAL; 1071 1072 bis = iso_pi(sk)->conn->hcon; 1073 1074 /* Release the socket before lookups since that requires hci_dev_lock 1075 * which shall not be acquired while holding sock_lock for proper 1076 * ordering. 1077 */ 1078 release_sock(sk); 1079 hci_dev_lock(bis->hdev); 1080 lock_sock(sk); 1081 1082 if (!iso_pi(sk)->conn || iso_pi(sk)->conn->hcon != bis) { 1083 /* raced with iso_conn_del() or iso_disconn_sock() */ 1084 err = -ENOTCONN; 1085 goto unlock; 1086 } 1087 1088 BT_DBG("sk %p %pMR type %u", sk, &sa->iso_bc->bc_bdaddr, 1089 sa->iso_bc->bc_bdaddr_type); 1090 1091 err = hci_past_bis(bis, &sa->iso_bc->bc_bdaddr, 1092 le_addr_type(sa->iso_bc->bc_bdaddr_type)); 1093 1094 unlock: 1095 hci_dev_unlock(hdev); 1096 hci_dev_put(hdev); 1097 1098 return err; 1099 } 1100 1101 static int iso_sock_bind(struct socket *sock, struct sockaddr_unsized *addr, 1102 int addr_len) 1103 { 1104 struct sockaddr_iso *sa = (struct sockaddr_iso *)addr; 1105 struct sock *sk = sock->sk; 1106 int err = 0; 1107 1108 BT_DBG("sk %p %pMR type %u", sk, &sa->iso_bdaddr, sa->iso_bdaddr_type); 1109 1110 if (!addr || addr_len < sizeof(struct sockaddr_iso) || 1111 addr->sa_family != AF_BLUETOOTH) 1112 return -EINVAL; 1113 1114 lock_sock(sk); 1115 1116 if ((sk->sk_state == BT_CONNECT2 || sk->sk_state == BT_CONNECTED) && 1117 addr_len > sizeof(*sa)) { 1118 /* Allow the user to rebind to a different address using 1119 * PAST procedures. 1120 */ 1121 err = iso_sock_rebind_bc(sk, sa, addr_len); 1122 goto done; 1123 } 1124 1125 if (sk->sk_state != BT_OPEN) { 1126 err = -EBADFD; 1127 goto done; 1128 } 1129 1130 if (sk->sk_type != SOCK_SEQPACKET) { 1131 err = -EINVAL; 1132 goto done; 1133 } 1134 1135 /* Check if the address type is of LE type */ 1136 if (!bdaddr_type_is_le(sa->iso_bdaddr_type)) { 1137 err = -EINVAL; 1138 goto done; 1139 } 1140 1141 bacpy(&iso_pi(sk)->src, &sa->iso_bdaddr); 1142 iso_pi(sk)->src_type = sa->iso_bdaddr_type; 1143 1144 /* Check for Broadcast address */ 1145 if (addr_len > sizeof(*sa)) { 1146 err = iso_sock_bind_bc(sock, addr, addr_len); 1147 if (err) 1148 goto done; 1149 } 1150 1151 sk->sk_state = BT_BOUND; 1152 1153 done: 1154 release_sock(sk); 1155 return err; 1156 } 1157 1158 static int iso_sock_connect(struct socket *sock, struct sockaddr_unsized *addr, 1159 int alen, int flags) 1160 { 1161 struct sockaddr_iso *sa = (struct sockaddr_iso *)addr; 1162 struct sock *sk = sock->sk; 1163 int err; 1164 1165 BT_DBG("sk %p", sk); 1166 1167 if (alen < sizeof(struct sockaddr_iso) || 1168 addr->sa_family != AF_BLUETOOTH) 1169 return -EINVAL; 1170 1171 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) 1172 return -EBADFD; 1173 1174 if (sk->sk_type != SOCK_SEQPACKET) 1175 return -EINVAL; 1176 1177 /* Check if the address type is of LE type */ 1178 if (!bdaddr_type_is_le(sa->iso_bdaddr_type)) 1179 return -EINVAL; 1180 1181 lock_sock(sk); 1182 1183 bacpy(&iso_pi(sk)->dst, &sa->iso_bdaddr); 1184 iso_pi(sk)->dst_type = sa->iso_bdaddr_type; 1185 1186 release_sock(sk); 1187 1188 if (bacmp(&sa->iso_bdaddr, BDADDR_ANY)) 1189 err = iso_connect_cis(sk); 1190 else 1191 err = iso_connect_bis(sk); 1192 1193 if (err) 1194 return err; 1195 1196 lock_sock(sk); 1197 1198 if (!test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 1199 err = bt_sock_wait_state(sk, BT_CONNECTED, 1200 sock_sndtimeo(sk, flags & O_NONBLOCK)); 1201 } 1202 1203 release_sock(sk); 1204 return err; 1205 } 1206 1207 static int iso_listen_bis(struct sock *sk) 1208 { 1209 struct hci_dev *hdev; 1210 int err = 0; 1211 struct iso_conn *conn; 1212 struct hci_conn *hcon; 1213 1214 BT_DBG("%pMR -> %pMR (SID 0x%2.2x)", &iso_pi(sk)->src, 1215 &iso_pi(sk)->dst, iso_pi(sk)->bc_sid); 1216 1217 write_lock(&iso_sk_list.lock); 1218 1219 if (__iso_get_sock_listen_by_sid(&iso_pi(sk)->src, &iso_pi(sk)->dst, 1220 iso_pi(sk)->bc_sid)) 1221 err = -EADDRINUSE; 1222 1223 write_unlock(&iso_sk_list.lock); 1224 1225 if (err) 1226 return err; 1227 1228 hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src, 1229 iso_pi(sk)->src_type); 1230 if (!hdev) 1231 return -EHOSTUNREACH; 1232 1233 hci_dev_lock(hdev); 1234 lock_sock(sk); 1235 1236 /* Fail if user set invalid QoS */ 1237 if (iso_pi(sk)->qos_user_set && !check_bcast_qos(&iso_pi(sk)->qos)) { 1238 iso_pi(sk)->qos = default_qos; 1239 err = -EINVAL; 1240 goto unlock; 1241 } 1242 1243 hcon = hci_pa_create_sync(hdev, &iso_pi(sk)->dst, 1244 le_addr_type(iso_pi(sk)->dst_type), 1245 iso_pi(sk)->bc_sid, &iso_pi(sk)->qos); 1246 if (IS_ERR(hcon)) { 1247 err = PTR_ERR(hcon); 1248 goto unlock; 1249 } 1250 1251 conn = iso_conn_add(hcon); 1252 if (!conn) { 1253 hci_conn_drop(hcon); 1254 err = -ENOMEM; 1255 goto unlock; 1256 } 1257 1258 err = iso_chan_add(conn, sk, NULL); 1259 if (err) { 1260 hci_conn_drop(hcon); 1261 goto unlock; 1262 } 1263 1264 unlock: 1265 release_sock(sk); 1266 hci_dev_unlock(hdev); 1267 hci_dev_put(hdev); 1268 return err; 1269 } 1270 1271 static int iso_listen_cis(struct sock *sk) 1272 { 1273 int err = 0; 1274 1275 BT_DBG("%pMR", &iso_pi(sk)->src); 1276 1277 write_lock(&iso_sk_list.lock); 1278 1279 if (__iso_get_sock_listen_by_addr(&iso_pi(sk)->src, &iso_pi(sk)->dst)) 1280 err = -EADDRINUSE; 1281 1282 write_unlock(&iso_sk_list.lock); 1283 1284 return err; 1285 } 1286 1287 static int iso_sock_listen(struct socket *sock, int backlog) 1288 { 1289 struct sock *sk = sock->sk; 1290 int err = 0; 1291 1292 BT_DBG("sk %p backlog %d", sk, backlog); 1293 1294 sock_hold(sk); 1295 lock_sock(sk); 1296 1297 if (sk->sk_state != BT_BOUND) { 1298 err = -EBADFD; 1299 goto done; 1300 } 1301 1302 if (sk->sk_type != SOCK_SEQPACKET) { 1303 err = -EINVAL; 1304 goto done; 1305 } 1306 1307 if (!bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) { 1308 err = iso_listen_cis(sk); 1309 } else { 1310 /* Drop sock lock to avoid potential 1311 * deadlock with the hdev lock. 1312 */ 1313 release_sock(sk); 1314 err = iso_listen_bis(sk); 1315 lock_sock(sk); 1316 } 1317 1318 if (err) 1319 goto done; 1320 1321 sk->sk_max_ack_backlog = backlog; 1322 sk->sk_ack_backlog = 0; 1323 1324 sk->sk_state = BT_LISTEN; 1325 1326 done: 1327 release_sock(sk); 1328 sock_put(sk); 1329 return err; 1330 } 1331 1332 static int iso_sock_accept(struct socket *sock, struct socket *newsock, 1333 struct proto_accept_arg *arg) 1334 { 1335 DEFINE_WAIT_FUNC(wait, woken_wake_function); 1336 struct sock *sk = sock->sk, *ch; 1337 long timeo; 1338 int err = 0; 1339 1340 /* Use explicit nested locking to avoid lockdep warnings generated 1341 * because the parent socket and the child socket are locked on the 1342 * same thread. 1343 */ 1344 lock_sock_nested(sk, SINGLE_DEPTH_NESTING); 1345 1346 timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK); 1347 1348 BT_DBG("sk %p timeo %ld", sk, timeo); 1349 1350 /* Wait for an incoming connection. (wake-one). */ 1351 add_wait_queue_exclusive(sk_sleep(sk), &wait); 1352 while (1) { 1353 if (sk->sk_state != BT_LISTEN) { 1354 err = -EBADFD; 1355 break; 1356 } 1357 1358 ch = bt_accept_dequeue(sk, newsock); 1359 if (ch) 1360 break; 1361 1362 if (!timeo) { 1363 err = -EAGAIN; 1364 break; 1365 } 1366 1367 if (signal_pending(current)) { 1368 err = sock_intr_errno(timeo); 1369 break; 1370 } 1371 1372 release_sock(sk); 1373 1374 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo); 1375 lock_sock_nested(sk, SINGLE_DEPTH_NESTING); 1376 } 1377 remove_wait_queue(sk_sleep(sk), &wait); 1378 1379 if (err) 1380 goto done; 1381 1382 newsock->state = SS_CONNECTED; 1383 1384 BT_DBG("new socket %p", ch); 1385 1386 /* A Broadcast Sink might require BIG sync to be terminated 1387 * and re-established multiple times, while keeping the same 1388 * PA sync handle active. To allow this, once all BIS 1389 * connections have been accepted on a PA sync parent socket, 1390 * "reset" socket state, to allow future BIG re-sync procedures. 1391 */ 1392 if (test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) { 1393 /* Iterate through the list of bound BIS indices 1394 * and clear each BIS as they are accepted by the 1395 * user space, one by one. 1396 */ 1397 for (int i = 0; i < iso_pi(sk)->bc_num_bis; i++) { 1398 if (iso_pi(sk)->bc_bis[i] > 0) { 1399 iso_pi(sk)->bc_bis[i] = 0; 1400 iso_pi(sk)->bc_num_bis--; 1401 break; 1402 } 1403 } 1404 1405 if (iso_pi(sk)->bc_num_bis == 0) { 1406 /* Once the last BIS was accepted, reset parent 1407 * socket parameters to mark that the listening 1408 * process for BIS connections has been completed: 1409 * 1410 * 1. Reset the DEFER setup flag on the parent sk. 1411 * 2. Clear the flag marking that the BIG create 1412 * sync command is pending. 1413 * 3. Transition socket state from BT_LISTEN to 1414 * BT_CONNECTED. 1415 */ 1416 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 1417 clear_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags); 1418 sk->sk_state = BT_CONNECTED; 1419 } 1420 } 1421 1422 done: 1423 release_sock(sk); 1424 return err; 1425 } 1426 1427 static int iso_sock_getname(struct socket *sock, struct sockaddr *addr, 1428 int peer) 1429 { 1430 struct sockaddr_iso *sa = (struct sockaddr_iso *)addr; 1431 struct sock *sk = sock->sk; 1432 int len = sizeof(struct sockaddr_iso); 1433 1434 BT_DBG("sock %p, sk %p", sock, sk); 1435 1436 addr->sa_family = AF_BLUETOOTH; 1437 1438 if (peer) { 1439 struct hci_conn *hcon = iso_pi(sk)->conn ? 1440 iso_pi(sk)->conn->hcon : NULL; 1441 1442 bacpy(&sa->iso_bdaddr, &iso_pi(sk)->dst); 1443 sa->iso_bdaddr_type = iso_pi(sk)->dst_type; 1444 1445 if (hcon && (hcon->type == BIS_LINK || hcon->type == PA_LINK)) { 1446 sa->iso_bc->bc_sid = iso_pi(sk)->bc_sid; 1447 sa->iso_bc->bc_num_bis = iso_pi(sk)->bc_num_bis; 1448 memcpy(sa->iso_bc->bc_bis, iso_pi(sk)->bc_bis, 1449 ISO_MAX_NUM_BIS); 1450 len += sizeof(struct sockaddr_iso_bc); 1451 } 1452 } else { 1453 bacpy(&sa->iso_bdaddr, &iso_pi(sk)->src); 1454 sa->iso_bdaddr_type = iso_pi(sk)->src_type; 1455 } 1456 1457 return len; 1458 } 1459 1460 static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg, 1461 size_t len) 1462 { 1463 struct sock *sk = sock->sk; 1464 struct sk_buff *skb, **frag; 1465 struct sockcm_cookie sockc; 1466 size_t mtu; 1467 int err; 1468 1469 BT_DBG("sock %p, sk %p", sock, sk); 1470 1471 err = sock_error(sk); 1472 if (err) 1473 return err; 1474 1475 if (msg->msg_flags & MSG_OOB) 1476 return -EOPNOTSUPP; 1477 1478 hci_sockcm_init(&sockc, sk); 1479 1480 if (msg->msg_controllen) { 1481 err = sock_cmsg_send(sk, msg, &sockc); 1482 if (err) 1483 return err; 1484 } 1485 1486 lock_sock(sk); 1487 1488 if (sk->sk_state != BT_CONNECTED) { 1489 release_sock(sk); 1490 return -ENOTCONN; 1491 } 1492 1493 mtu = iso_pi(sk)->conn->hcon->mtu; 1494 1495 release_sock(sk); 1496 1497 skb = bt_skb_sendmsg(sk, msg, len, mtu, HCI_ISO_DATA_HDR_SIZE, 0); 1498 if (IS_ERR(skb)) 1499 return PTR_ERR(skb); 1500 1501 len -= skb->len; 1502 1503 BT_DBG("skb %p len %d", sk, skb->len); 1504 1505 /* Continuation fragments */ 1506 frag = &skb_shinfo(skb)->frag_list; 1507 while (len) { 1508 struct sk_buff *tmp; 1509 1510 tmp = bt_skb_sendmsg(sk, msg, len, mtu, 0, 0); 1511 if (IS_ERR(tmp)) { 1512 kfree_skb(skb); 1513 return PTR_ERR(tmp); 1514 } 1515 1516 *frag = tmp; 1517 1518 len -= tmp->len; 1519 1520 skb->len += tmp->len; 1521 skb->data_len += tmp->len; 1522 1523 BT_DBG("frag %p len %d", *frag, tmp->len); 1524 1525 frag = &(*frag)->next; 1526 } 1527 1528 lock_sock(sk); 1529 1530 if (sk->sk_state == BT_CONNECTED) 1531 err = iso_send_frame(sk, skb, &sockc); 1532 else 1533 err = -ENOTCONN; 1534 1535 release_sock(sk); 1536 1537 if (err < 0) 1538 kfree_skb(skb); 1539 return err; 1540 } 1541 1542 static void iso_conn_defer_accept(struct hci_conn *conn) 1543 { 1544 struct hci_cp_le_accept_cis cp; 1545 struct hci_dev *hdev = conn->hdev; 1546 1547 BT_DBG("conn %p", conn); 1548 1549 conn->state = BT_CONFIG; 1550 1551 cp.handle = cpu_to_le16(conn->handle); 1552 1553 hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp); 1554 } 1555 1556 static void iso_conn_big_sync(struct sock *sk) 1557 { 1558 int err; 1559 struct hci_dev *hdev; 1560 1561 hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src, 1562 iso_pi(sk)->src_type); 1563 1564 if (!hdev) 1565 return; 1566 1567 /* hci_le_big_create_sync requires hdev lock to be held, since 1568 * it enqueues the HCI LE BIG Create Sync command via 1569 * hci_cmd_sync_queue_once, which checks hdev flags that might 1570 * change. 1571 */ 1572 hci_dev_lock(hdev); 1573 lock_sock(sk); 1574 1575 if (!test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) { 1576 err = hci_conn_big_create_sync(hdev, iso_pi(sk)->conn->hcon, 1577 &iso_pi(sk)->qos, 1578 iso_pi(sk)->sync_handle, 1579 iso_pi(sk)->bc_num_bis, 1580 iso_pi(sk)->bc_bis); 1581 if (err) 1582 bt_dev_err(hdev, "hci_big_create_sync: %d", err); 1583 } 1584 1585 release_sock(sk); 1586 hci_dev_unlock(hdev); 1587 } 1588 1589 static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg, 1590 size_t len, int flags) 1591 { 1592 struct sock *sk = sock->sk; 1593 struct iso_pinfo *pi = iso_pi(sk); 1594 bool early_ret = false; 1595 int err = 0; 1596 1597 BT_DBG("sk %p", sk); 1598 1599 if (unlikely(flags & MSG_ERRQUEUE)) 1600 return sock_recv_errqueue(sk, msg, len, SOL_BLUETOOTH, 1601 BT_SCM_ERROR); 1602 1603 if (test_and_clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 1604 sock_hold(sk); 1605 lock_sock(sk); 1606 1607 switch (sk->sk_state) { 1608 case BT_CONNECT2: 1609 if (test_bit(BT_SK_PA_SYNC, &pi->flags)) { 1610 release_sock(sk); 1611 iso_conn_big_sync(sk); 1612 lock_sock(sk); 1613 1614 sk->sk_state = BT_LISTEN; 1615 } else { 1616 iso_conn_defer_accept(pi->conn->hcon); 1617 sk->sk_state = BT_CONFIG; 1618 } 1619 1620 early_ret = true; 1621 break; 1622 case BT_CONNECTED: 1623 if (test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) { 1624 release_sock(sk); 1625 iso_conn_big_sync(sk); 1626 lock_sock(sk); 1627 1628 sk->sk_state = BT_LISTEN; 1629 early_ret = true; 1630 } 1631 1632 break; 1633 case BT_CONNECT: 1634 release_sock(sk); 1635 err = iso_connect_cis(sk); 1636 lock_sock(sk); 1637 1638 early_ret = true; 1639 break; 1640 default: 1641 break; 1642 } 1643 1644 release_sock(sk); 1645 sock_put(sk); 1646 1647 if (early_ret) 1648 return err; 1649 } 1650 1651 return bt_sock_recvmsg(sock, msg, len, flags); 1652 } 1653 1654 static bool check_io_qos(struct bt_iso_io_qos *qos) 1655 { 1656 /* If no PHY is enable SDU must be 0 */ 1657 if (!qos->phys && qos->sdu) 1658 return false; 1659 1660 if (qos->interval && (qos->interval < 0xff || qos->interval > 0xfffff)) 1661 return false; 1662 1663 if (qos->latency && (qos->latency < 0x05 || qos->latency > 0xfa0)) 1664 return false; 1665 1666 if (qos->phys > BT_ISO_PHY_ANY) 1667 return false; 1668 1669 return true; 1670 } 1671 1672 static bool check_ucast_qos(struct bt_iso_qos *qos) 1673 { 1674 if (qos->ucast.cig > 0xef && qos->ucast.cig != BT_ISO_QOS_CIG_UNSET) 1675 return false; 1676 1677 if (qos->ucast.cis > 0xef && qos->ucast.cis != BT_ISO_QOS_CIS_UNSET) 1678 return false; 1679 1680 if (qos->ucast.sca > 0x07) 1681 return false; 1682 1683 if (qos->ucast.packing > 0x01) 1684 return false; 1685 1686 if (qos->ucast.framing > 0x01) 1687 return false; 1688 1689 if (!check_io_qos(&qos->ucast.in)) 1690 return false; 1691 1692 if (!check_io_qos(&qos->ucast.out)) 1693 return false; 1694 1695 return true; 1696 } 1697 1698 static bool check_bcast_qos(struct bt_iso_qos *qos) 1699 { 1700 if (!qos->bcast.sync_factor) 1701 qos->bcast.sync_factor = 0x01; 1702 1703 if (qos->bcast.packing > 0x01) 1704 return false; 1705 1706 if (qos->bcast.framing > 0x01) 1707 return false; 1708 1709 if (!check_io_qos(&qos->bcast.in)) 1710 return false; 1711 1712 if (!check_io_qos(&qos->bcast.out)) 1713 return false; 1714 1715 if (qos->bcast.encryption > 0x01) 1716 return false; 1717 1718 if (qos->bcast.options > 0x07) 1719 return false; 1720 1721 if (qos->bcast.skip > 0x01f3) 1722 return false; 1723 1724 if (!qos->bcast.sync_timeout) 1725 qos->bcast.sync_timeout = BT_ISO_SYNC_TIMEOUT; 1726 1727 if (qos->bcast.sync_timeout < 0x000a || qos->bcast.sync_timeout > 0x4000) 1728 return false; 1729 1730 if (qos->bcast.sync_cte_type > 0x1f) 1731 return false; 1732 1733 if (qos->bcast.mse > 0x1f) 1734 return false; 1735 1736 if (!qos->bcast.timeout) 1737 qos->bcast.sync_timeout = BT_ISO_SYNC_TIMEOUT; 1738 1739 if (qos->bcast.timeout < 0x000a || qos->bcast.timeout > 0x4000) 1740 return false; 1741 1742 return true; 1743 } 1744 1745 static int iso_sock_setsockopt(struct socket *sock, int level, int optname, 1746 sockptr_t optval, unsigned int optlen) 1747 { 1748 struct sock *sk = sock->sk; 1749 int err = 0; 1750 struct bt_iso_qos qos = default_qos; 1751 u32 opt; 1752 1753 BT_DBG("sk %p", sk); 1754 1755 lock_sock(sk); 1756 1757 switch (optname) { 1758 case BT_DEFER_SETUP: 1759 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 1760 err = -EINVAL; 1761 break; 1762 } 1763 1764 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 1765 if (err) 1766 break; 1767 1768 if (opt) 1769 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 1770 else 1771 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 1772 break; 1773 1774 case BT_PKT_STATUS: 1775 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 1776 if (err) 1777 break; 1778 1779 if (opt) 1780 set_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags); 1781 else 1782 clear_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags); 1783 break; 1784 1785 case BT_PKT_SEQNUM: 1786 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 1787 if (err) 1788 break; 1789 1790 if (opt) 1791 set_bit(BT_SK_PKT_SEQNUM, &bt_sk(sk)->flags); 1792 else 1793 clear_bit(BT_SK_PKT_SEQNUM, &bt_sk(sk)->flags); 1794 break; 1795 1796 case BT_ISO_QOS: 1797 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND && 1798 sk->sk_state != BT_CONNECT2 && 1799 (!test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags) || 1800 sk->sk_state != BT_CONNECTED)) { 1801 err = -EINVAL; 1802 break; 1803 } 1804 1805 err = copy_safe_from_sockptr(&qos, sizeof(qos), optval, optlen); 1806 if (err) 1807 break; 1808 1809 iso_pi(sk)->qos = qos; 1810 iso_pi(sk)->qos_user_set = true; 1811 1812 break; 1813 1814 case BT_ISO_BASE: 1815 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND && 1816 sk->sk_state != BT_CONNECT2) { 1817 err = -EINVAL; 1818 break; 1819 } 1820 1821 if (optlen > sizeof(iso_pi(sk)->base)) { 1822 err = -EINVAL; 1823 break; 1824 } 1825 1826 err = copy_safe_from_sockptr(iso_pi(sk)->base, optlen, optval, 1827 optlen); 1828 if (err) 1829 break; 1830 1831 iso_pi(sk)->base_len = optlen; 1832 1833 break; 1834 1835 default: 1836 err = -ENOPROTOOPT; 1837 break; 1838 } 1839 1840 release_sock(sk); 1841 return err; 1842 } 1843 1844 static int iso_sock_getsockopt(struct socket *sock, int level, int optname, 1845 char __user *optval, int __user *optlen) 1846 { 1847 struct sock *sk = sock->sk; 1848 int len, err = 0; 1849 struct bt_iso_qos *qos; 1850 u8 base_len; 1851 u8 *base; 1852 1853 BT_DBG("sk %p", sk); 1854 1855 if (get_user(len, optlen)) 1856 return -EFAULT; 1857 1858 lock_sock(sk); 1859 1860 switch (optname) { 1861 case BT_DEFER_SETUP: 1862 if (sk->sk_state == BT_CONNECTED) { 1863 err = -EINVAL; 1864 break; 1865 } 1866 1867 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags), 1868 (u32 __user *)optval)) 1869 err = -EFAULT; 1870 1871 break; 1872 1873 case BT_PKT_STATUS: 1874 if (put_user(test_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags), 1875 (int __user *)optval)) 1876 err = -EFAULT; 1877 break; 1878 1879 case BT_ISO_QOS: 1880 qos = iso_sock_get_qos(sk); 1881 1882 len = min_t(unsigned int, len, sizeof(*qos)); 1883 if (copy_to_user(optval, qos, len)) 1884 err = -EFAULT; 1885 1886 break; 1887 1888 case BT_ISO_BASE: 1889 if (sk->sk_state == BT_CONNECTED && 1890 !bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) { 1891 base_len = iso_pi(sk)->conn->hcon->le_per_adv_data_len; 1892 base = iso_pi(sk)->conn->hcon->le_per_adv_data; 1893 } else { 1894 base_len = iso_pi(sk)->base_len; 1895 base = iso_pi(sk)->base; 1896 } 1897 1898 len = min_t(unsigned int, len, base_len); 1899 if (copy_to_user(optval, base, len)) 1900 err = -EFAULT; 1901 if (put_user(len, optlen)) 1902 err = -EFAULT; 1903 1904 break; 1905 1906 default: 1907 err = -ENOPROTOOPT; 1908 break; 1909 } 1910 1911 release_sock(sk); 1912 return err; 1913 } 1914 1915 static int iso_sock_shutdown(struct socket *sock, int how) 1916 { 1917 struct sock *sk = sock->sk; 1918 int err = 0; 1919 1920 BT_DBG("sock %p, sk %p, how %d", sock, sk, how); 1921 1922 if (!sk) 1923 return 0; 1924 1925 sock_hold(sk); 1926 lock_sock(sk); 1927 1928 switch (how) { 1929 case SHUT_RD: 1930 if (sk->sk_shutdown & RCV_SHUTDOWN) 1931 goto unlock; 1932 sk->sk_shutdown |= RCV_SHUTDOWN; 1933 break; 1934 case SHUT_WR: 1935 if (sk->sk_shutdown & SEND_SHUTDOWN) 1936 goto unlock; 1937 sk->sk_shutdown |= SEND_SHUTDOWN; 1938 break; 1939 case SHUT_RDWR: 1940 if (sk->sk_shutdown & SHUTDOWN_MASK) 1941 goto unlock; 1942 sk->sk_shutdown |= SHUTDOWN_MASK; 1943 break; 1944 } 1945 1946 iso_sock_clear_timer(sk); 1947 __iso_sock_close(sk); 1948 1949 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime && 1950 !(current->flags & PF_EXITING)) 1951 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime); 1952 1953 unlock: 1954 release_sock(sk); 1955 sock_put(sk); 1956 1957 return err; 1958 } 1959 1960 static int iso_sock_release(struct socket *sock) 1961 { 1962 struct sock *sk = sock->sk; 1963 int err = 0; 1964 1965 BT_DBG("sock %p, sk %p", sock, sk); 1966 1967 if (!sk) 1968 return 0; 1969 1970 iso_sock_close(sk); 1971 1972 if (sock_flag(sk, SOCK_LINGER) && READ_ONCE(sk->sk_lingertime) && 1973 !(current->flags & PF_EXITING)) { 1974 lock_sock(sk); 1975 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime); 1976 release_sock(sk); 1977 } 1978 1979 sock_orphan(sk); 1980 iso_sock_kill(sk); 1981 return err; 1982 } 1983 1984 static void iso_sock_ready(struct sock *sk) 1985 { 1986 BT_DBG("sk %p", sk); 1987 1988 if (!sk) 1989 return; 1990 1991 lock_sock(sk); 1992 iso_sock_clear_timer(sk); 1993 sk->sk_state = BT_CONNECTED; 1994 sk->sk_state_change(sk); 1995 release_sock(sk); 1996 } 1997 1998 static bool iso_match_big(struct sock *sk, void *data) 1999 { 2000 struct hci_evt_le_big_sync_established *ev = data; 2001 2002 return ev->handle == iso_pi(sk)->qos.bcast.big; 2003 } 2004 2005 static bool iso_match_big_hcon(struct sock *sk, void *data) 2006 { 2007 struct hci_conn *hcon = data; 2008 2009 return hcon->iso_qos.bcast.big == iso_pi(sk)->qos.bcast.big; 2010 } 2011 2012 static bool iso_match_pa_sync_flag(struct sock *sk, void *data) 2013 { 2014 return test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags); 2015 } 2016 2017 static bool iso_match_dst(struct sock *sk, void *data) 2018 { 2019 return !bacmp(&iso_pi(sk)->dst, (bdaddr_t *)data); 2020 } 2021 2022 static void iso_conn_ready(struct iso_conn *conn) 2023 { 2024 struct sock *parent = NULL; 2025 struct sock *sk = conn->sk; 2026 struct hci_ev_le_big_sync_established *ev = NULL; 2027 struct hci_ev_le_pa_sync_established *ev2 = NULL; 2028 struct hci_ev_le_per_adv_report *ev3 = NULL; 2029 struct hci_conn *hcon; 2030 struct hci_dev *hdev; 2031 2032 BT_DBG("conn %p", conn); 2033 2034 if (sk) { 2035 /* Attempt to update source address in case of BIS Sender if 2036 * the advertisement is using a random address. 2037 */ 2038 if (conn->hcon->type == BIS_LINK && 2039 conn->hcon->role == HCI_ROLE_MASTER && 2040 !bacmp(&conn->hcon->dst, BDADDR_ANY)) { 2041 struct hci_conn *bis = conn->hcon; 2042 struct adv_info *adv; 2043 2044 adv = hci_find_adv_instance(bis->hdev, 2045 bis->iso_qos.bcast.bis); 2046 if (adv && bacmp(&adv->random_addr, BDADDR_ANY)) { 2047 lock_sock(sk); 2048 iso_pi(sk)->src_type = BDADDR_LE_RANDOM; 2049 bacpy(&iso_pi(sk)->src, &adv->random_addr); 2050 release_sock(sk); 2051 } 2052 } 2053 2054 iso_sock_ready(conn->sk); 2055 } else { 2056 hcon = conn->hcon; 2057 if (!hcon) 2058 return; 2059 2060 hdev = hcon->hdev; 2061 2062 if (test_bit(HCI_CONN_BIG_SYNC, &hcon->flags)) { 2063 /* A BIS slave hcon is notified to the ISO layer 2064 * after the Command Complete for the LE Setup 2065 * ISO Data Path command is received. Get the 2066 * parent socket that matches the hcon BIG handle. 2067 */ 2068 parent = iso_get_sock(hdev, &hcon->src, &hcon->dst, 2069 BT_LISTEN, iso_match_big_hcon, 2070 hcon); 2071 } else if (test_bit(HCI_CONN_BIG_SYNC_FAILED, &hcon->flags)) { 2072 ev = hci_recv_event_data(hcon->hdev, 2073 HCI_EVT_LE_BIG_SYNC_ESTABLISHED); 2074 2075 /* Get reference to PA sync parent socket, if it exists */ 2076 parent = iso_get_sock(hdev, &hcon->src, &hcon->dst, 2077 BT_LISTEN, 2078 iso_match_pa_sync_flag, 2079 NULL); 2080 if (!parent && ev) 2081 parent = iso_get_sock(hdev, &hcon->src, 2082 &hcon->dst, 2083 BT_LISTEN, 2084 iso_match_big, ev); 2085 } else if (test_bit(HCI_CONN_PA_SYNC_FAILED, &hcon->flags)) { 2086 ev2 = hci_recv_event_data(hcon->hdev, 2087 HCI_EV_LE_PA_SYNC_ESTABLISHED); 2088 if (ev2) 2089 parent = iso_get_sock(hdev, &hcon->src, 2090 &hcon->dst, 2091 BT_LISTEN, 2092 iso_match_sid, ev2); 2093 } else if (test_bit(HCI_CONN_PA_SYNC, &hcon->flags)) { 2094 ev3 = hci_recv_event_data(hcon->hdev, 2095 HCI_EV_LE_PER_ADV_REPORT); 2096 if (ev3) 2097 parent = iso_get_sock(hdev, &hcon->src, 2098 &hcon->dst, 2099 BT_LISTEN, 2100 iso_match_sync_handle_pa_report, 2101 ev3); 2102 } 2103 2104 if (!parent) 2105 parent = iso_get_sock(hdev, &hcon->src, BDADDR_ANY, 2106 BT_LISTEN, iso_match_dst, BDADDR_ANY); 2107 2108 if (!parent) 2109 return; 2110 2111 lock_sock(parent); 2112 2113 sk = iso_sock_alloc(sock_net(parent), NULL, 2114 BTPROTO_ISO, GFP_ATOMIC, 0); 2115 if (!sk) { 2116 release_sock(parent); 2117 return; 2118 } 2119 2120 iso_sock_init(sk, parent); 2121 2122 bacpy(&iso_pi(sk)->src, &hcon->src); 2123 2124 /* Convert from HCI to three-value type */ 2125 if (hcon->src_type == ADDR_LE_DEV_PUBLIC) 2126 iso_pi(sk)->src_type = BDADDR_LE_PUBLIC; 2127 else 2128 iso_pi(sk)->src_type = BDADDR_LE_RANDOM; 2129 2130 /* If hcon has no destination address (BDADDR_ANY) it means it 2131 * was created by HCI_EV_LE_BIG_SYNC_ESTABILISHED or 2132 * HCI_EV_LE_PA_SYNC_ESTABLISHED so we need to initialize using 2133 * the parent socket destination address. 2134 */ 2135 if (!bacmp(&hcon->dst, BDADDR_ANY)) { 2136 bacpy(&hcon->dst, &iso_pi(parent)->dst); 2137 hcon->dst_type = le_addr_type(iso_pi(parent)->dst_type); 2138 } 2139 2140 if (test_bit(HCI_CONN_PA_SYNC, &hcon->flags)) { 2141 iso_pi(sk)->qos = iso_pi(parent)->qos; 2142 hcon->iso_qos = iso_pi(sk)->qos; 2143 iso_pi(sk)->bc_sid = iso_pi(parent)->bc_sid; 2144 iso_pi(sk)->bc_num_bis = iso_pi(parent)->bc_num_bis; 2145 memcpy(iso_pi(sk)->bc_bis, iso_pi(parent)->bc_bis, 2146 ISO_MAX_NUM_BIS); 2147 set_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags); 2148 } 2149 2150 bacpy(&iso_pi(sk)->dst, &hcon->dst); 2151 2152 /* Convert from HCI to three-value type */ 2153 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC) 2154 iso_pi(sk)->dst_type = BDADDR_LE_PUBLIC; 2155 else 2156 iso_pi(sk)->dst_type = BDADDR_LE_RANDOM; 2157 2158 iso_pi(sk)->sync_handle = iso_pi(parent)->sync_handle; 2159 memcpy(iso_pi(sk)->base, iso_pi(parent)->base, iso_pi(parent)->base_len); 2160 iso_pi(sk)->base_len = iso_pi(parent)->base_len; 2161 2162 hci_conn_hold(hcon); 2163 iso_chan_add(conn, sk, parent); 2164 2165 if ((ev && ((struct hci_evt_le_big_sync_established *)ev)->status) || 2166 (ev2 && ev2->status)) { 2167 /* Trigger error signal on child socket */ 2168 sk->sk_err = ECONNREFUSED; 2169 sk->sk_error_report(sk); 2170 } 2171 2172 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags)) 2173 sk->sk_state = BT_CONNECT2; 2174 else 2175 sk->sk_state = BT_CONNECTED; 2176 2177 /* Wake up parent */ 2178 parent->sk_data_ready(parent); 2179 2180 release_sock(parent); 2181 sock_put(parent); 2182 } 2183 } 2184 2185 static bool iso_match_sid(struct sock *sk, void *data) 2186 { 2187 struct hci_ev_le_pa_sync_established *ev = data; 2188 2189 if (iso_pi(sk)->bc_sid == HCI_SID_INVALID) 2190 return true; 2191 2192 return ev->sid == iso_pi(sk)->bc_sid; 2193 } 2194 2195 static bool iso_match_sid_past(struct sock *sk, void *data) 2196 { 2197 struct hci_ev_le_past_received *ev = data; 2198 2199 if (iso_pi(sk)->bc_sid == HCI_SID_INVALID) 2200 return true; 2201 2202 return ev->sid == iso_pi(sk)->bc_sid; 2203 } 2204 2205 static bool iso_match_sync_handle(struct sock *sk, void *data) 2206 { 2207 struct hci_evt_le_big_info_adv_report *ev = data; 2208 2209 return le16_to_cpu(ev->sync_handle) == iso_pi(sk)->sync_handle; 2210 } 2211 2212 static bool iso_match_sync_handle_pa_report(struct sock *sk, void *data) 2213 { 2214 struct hci_ev_le_per_adv_report *ev = data; 2215 2216 return le16_to_cpu(ev->sync_handle) == iso_pi(sk)->sync_handle; 2217 } 2218 2219 /* ----- ISO interface with lower layer (HCI) ----- */ 2220 2221 int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags) 2222 { 2223 struct hci_ev_le_pa_sync_established *ev1; 2224 struct hci_ev_le_past_received *ev1a; 2225 struct hci_evt_le_big_info_adv_report *ev2; 2226 struct hci_ev_le_per_adv_report *ev3; 2227 struct sock *sk; 2228 2229 bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr); 2230 2231 /* Broadcast receiver requires handling of some events before it can 2232 * proceed to establishing a BIG sync: 2233 * 2234 * 1. HCI_EV_LE_PA_SYNC_ESTABLISHED: The socket may specify a specific 2235 * SID to listen to and once sync is established its handle needs to 2236 * be stored in iso_pi(sk)->sync_handle so it can be matched once 2237 * receiving the BIG Info. 2238 * 1a. HCI_EV_LE_PAST_RECEIVED: alternative to 1. 2239 * 2. HCI_EVT_LE_BIG_INFO_ADV_REPORT: When connect_ind is triggered by a 2240 * a BIG Info it attempts to check if there any listening socket with 2241 * the same sync_handle and if it does then attempt to create a sync. 2242 * 3. HCI_EV_LE_PER_ADV_REPORT: When a PA report is received, it is stored 2243 * in iso_pi(sk)->base so it can be passed up to user, in the case of a 2244 * broadcast sink. 2245 */ 2246 ev1 = hci_recv_event_data(hdev, HCI_EV_LE_PA_SYNC_ESTABLISHED); 2247 if (ev1) { 2248 sk = iso_get_sock(hdev, &hdev->bdaddr, bdaddr, BT_LISTEN, 2249 iso_match_sid, ev1); 2250 if (sk && !ev1->status) { 2251 lock_sock(sk); 2252 iso_pi(sk)->sync_handle = le16_to_cpu(ev1->handle); 2253 iso_pi(sk)->bc_sid = ev1->sid; 2254 release_sock(sk); 2255 } 2256 2257 goto done; 2258 } 2259 2260 ev1a = hci_recv_event_data(hdev, HCI_EV_LE_PAST_RECEIVED); 2261 if (ev1a) { 2262 sk = iso_get_sock(hdev, &hdev->bdaddr, bdaddr, BT_LISTEN, 2263 iso_match_sid_past, ev1a); 2264 if (sk && !ev1a->status) { 2265 lock_sock(sk); 2266 iso_pi(sk)->sync_handle = le16_to_cpu(ev1a->sync_handle); 2267 iso_pi(sk)->bc_sid = ev1a->sid; 2268 release_sock(sk); 2269 } 2270 2271 goto done; 2272 } 2273 2274 ev2 = hci_recv_event_data(hdev, HCI_EVT_LE_BIG_INFO_ADV_REPORT); 2275 if (ev2) { 2276 /* Check if BIGInfo report has already been handled */ 2277 sk = iso_get_sock(hdev, &hdev->bdaddr, bdaddr, BT_CONNECTED, 2278 iso_match_sync_handle, ev2); 2279 if (sk) { 2280 sock_put(sk); 2281 sk = NULL; 2282 goto done; 2283 } 2284 2285 /* Try to get PA sync socket, if it exists */ 2286 sk = iso_get_sock(hdev, &hdev->bdaddr, bdaddr, BT_CONNECT2, 2287 iso_match_sync_handle, ev2); 2288 if (!sk) 2289 sk = iso_get_sock(hdev, &hdev->bdaddr, bdaddr, 2290 BT_LISTEN, 2291 iso_match_sync_handle, 2292 ev2); 2293 2294 if (sk) { 2295 int err = 0; 2296 bool big_sync; 2297 struct hci_conn *hcon; 2298 2299 lock_sock(sk); 2300 2301 hcon = iso_pi(sk)->conn->hcon; 2302 iso_pi(sk)->qos.bcast.encryption = ev2->encryption; 2303 2304 if (ev2->num_bis < iso_pi(sk)->bc_num_bis) 2305 iso_pi(sk)->bc_num_bis = ev2->num_bis; 2306 2307 big_sync = !test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags) && 2308 !test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags); 2309 2310 if (big_sync) 2311 err = hci_conn_big_create_sync(hdev, hcon, 2312 &iso_pi(sk)->qos, 2313 iso_pi(sk)->sync_handle, 2314 iso_pi(sk)->bc_num_bis, 2315 iso_pi(sk)->bc_bis); 2316 2317 release_sock(sk); 2318 2319 if (big_sync && err) { 2320 bt_dev_err(hdev, "hci_le_big_create_sync: %d", 2321 err); 2322 sock_put(sk); 2323 sk = NULL; 2324 } 2325 } 2326 2327 goto done; 2328 } 2329 2330 ev3 = hci_recv_event_data(hdev, HCI_EV_LE_PER_ADV_REPORT); 2331 if (ev3) { 2332 size_t base_len = 0; 2333 u8 *base; 2334 struct hci_conn *hcon; 2335 2336 sk = iso_get_sock(hdev, &hdev->bdaddr, bdaddr, BT_LISTEN, 2337 iso_match_sync_handle_pa_report, ev3); 2338 if (!sk) 2339 goto done; 2340 2341 hcon = iso_pi(sk)->conn->hcon; 2342 if (!hcon) 2343 goto done; 2344 2345 if (ev3->data_status == LE_PA_DATA_TRUNCATED) { 2346 /* The controller was unable to retrieve PA data. */ 2347 memset(hcon->le_per_adv_data, 0, 2348 HCI_MAX_PER_AD_TOT_LEN); 2349 hcon->le_per_adv_data_len = 0; 2350 hcon->le_per_adv_data_offset = 0; 2351 goto done; 2352 } 2353 2354 if (hcon->le_per_adv_data_offset + ev3->length > 2355 HCI_MAX_PER_AD_TOT_LEN) 2356 goto done; 2357 2358 memcpy(hcon->le_per_adv_data + hcon->le_per_adv_data_offset, 2359 ev3->data, ev3->length); 2360 hcon->le_per_adv_data_offset += ev3->length; 2361 2362 if (ev3->data_status == LE_PA_DATA_COMPLETE) { 2363 /* All PA data has been received. */ 2364 hcon->le_per_adv_data_len = 2365 hcon->le_per_adv_data_offset; 2366 hcon->le_per_adv_data_offset = 0; 2367 2368 /* Extract BASE */ 2369 base = eir_get_service_data(hcon->le_per_adv_data, 2370 hcon->le_per_adv_data_len, 2371 EIR_BAA_SERVICE_UUID, 2372 &base_len); 2373 2374 if (!base || base_len > BASE_MAX_LENGTH) 2375 goto done; 2376 2377 lock_sock(sk); 2378 memcpy(iso_pi(sk)->base, base, base_len); 2379 iso_pi(sk)->base_len = base_len; 2380 release_sock(sk); 2381 } else { 2382 /* This is a PA data fragment. Keep pa_data_len set to 0 2383 * until all data has been reassembled. 2384 */ 2385 hcon->le_per_adv_data_len = 0; 2386 } 2387 } else { 2388 sk = iso_get_sock(hdev, &hdev->bdaddr, BDADDR_ANY, 2389 BT_LISTEN, iso_match_dst, BDADDR_ANY); 2390 } 2391 2392 done: 2393 if (!sk) 2394 return 0; 2395 2396 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) 2397 *flags |= HCI_PROTO_DEFER; 2398 2399 sock_put(sk); 2400 2401 return HCI_LM_ACCEPT; 2402 } 2403 2404 static void iso_connect_cfm(struct hci_conn *hcon, __u8 status) 2405 { 2406 if (hcon->type != CIS_LINK && hcon->type != BIS_LINK && 2407 hcon->type != PA_LINK) { 2408 if (hcon->type != LE_LINK) 2409 return; 2410 2411 /* Check if LE link has failed */ 2412 if (status) { 2413 struct hci_link *link, *t; 2414 2415 list_for_each_entry_safe(link, t, &hcon->link_list, 2416 list) 2417 iso_conn_del(link->conn, bt_to_errno(status)); 2418 2419 return; 2420 } 2421 2422 /* Create CIS if pending */ 2423 hci_le_create_cis_pending(hcon->hdev); 2424 return; 2425 } 2426 2427 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status); 2428 2429 /* Similar to the success case, if HCI_CONN_BIG_SYNC_FAILED or 2430 * HCI_CONN_PA_SYNC_FAILED is set, queue the failed connection 2431 * into the accept queue of the listening socket and wake up 2432 * userspace, to inform the user about the event. 2433 */ 2434 if (!status || test_bit(HCI_CONN_BIG_SYNC_FAILED, &hcon->flags) || 2435 test_bit(HCI_CONN_PA_SYNC_FAILED, &hcon->flags)) { 2436 struct iso_conn *conn; 2437 2438 conn = iso_conn_add(hcon); 2439 if (conn) 2440 iso_conn_ready(conn); 2441 } else { 2442 iso_conn_del(hcon, bt_to_errno(status)); 2443 } 2444 } 2445 2446 static void iso_disconn_cfm(struct hci_conn *hcon, __u8 reason) 2447 { 2448 if (hcon->type != CIS_LINK && hcon->type != BIS_LINK && 2449 hcon->type != PA_LINK) 2450 return; 2451 2452 BT_DBG("hcon %p reason %d", hcon, reason); 2453 2454 iso_conn_del(hcon, bt_to_errno(reason)); 2455 } 2456 2457 int iso_recv(struct hci_dev *hdev, u16 handle, struct sk_buff *skb, u16 flags) 2458 { 2459 struct hci_conn *hcon; 2460 struct iso_conn *conn; 2461 struct skb_shared_hwtstamps *hwts; 2462 __u16 pb, ts, len, sn; 2463 2464 hci_dev_lock(hdev); 2465 2466 hcon = hci_conn_hash_lookup_handle(hdev, handle); 2467 if (!hcon) { 2468 hci_dev_unlock(hdev); 2469 kfree_skb(skb); 2470 return -ENOENT; 2471 } 2472 2473 conn = iso_conn_hold_unless_zero(hcon->iso_data); 2474 hcon = NULL; 2475 2476 hci_dev_unlock(hdev); 2477 2478 if (!conn) { 2479 kfree_skb(skb); 2480 return -EINVAL; 2481 } 2482 2483 pb = hci_iso_flags_pb(flags); 2484 ts = hci_iso_flags_ts(flags); 2485 2486 BT_DBG("conn %p len %d pb 0x%x ts 0x%x", conn, skb->len, pb, ts); 2487 2488 switch (pb) { 2489 case ISO_START: 2490 case ISO_SINGLE: 2491 if (conn->rx_len) { 2492 BT_ERR("Unexpected start frame (len %d)", skb->len); 2493 kfree_skb(conn->rx_skb); 2494 conn->rx_skb = NULL; 2495 conn->rx_len = 0; 2496 } 2497 2498 if (ts) { 2499 struct hci_iso_ts_data_hdr *hdr; 2500 2501 hdr = skb_pull_data(skb, HCI_ISO_TS_DATA_HDR_SIZE); 2502 if (!hdr) { 2503 BT_ERR("Frame is too short (len %d)", skb->len); 2504 goto drop; 2505 } 2506 2507 /* Record the timestamp to skb */ 2508 hwts = skb_hwtstamps(skb); 2509 hwts->hwtstamp = us_to_ktime(le32_to_cpu(hdr->ts)); 2510 2511 sn = __le16_to_cpu(hdr->sn); 2512 len = __le16_to_cpu(hdr->slen); 2513 } else { 2514 struct hci_iso_data_hdr *hdr; 2515 2516 hdr = skb_pull_data(skb, HCI_ISO_DATA_HDR_SIZE); 2517 if (!hdr) { 2518 BT_ERR("Frame is too short (len %d)", skb->len); 2519 goto drop; 2520 } 2521 2522 sn = __le16_to_cpu(hdr->sn); 2523 len = __le16_to_cpu(hdr->slen); 2524 } 2525 2526 flags = hci_iso_data_flags(len); 2527 len = hci_iso_data_len(len); 2528 2529 BT_DBG("Start: total len %d, frag len %d flags 0x%4.4x sn %d", 2530 len, skb->len, flags, sn); 2531 2532 if (len == skb->len) { 2533 /* Complete frame received */ 2534 hci_skb_pkt_status(skb) = flags & 0x03; 2535 hci_skb_pkt_seqnum(skb) = sn; 2536 iso_recv_frame(conn, skb); 2537 goto done; 2538 } 2539 2540 if (pb == ISO_SINGLE) { 2541 BT_ERR("Frame malformed (len %d, expected len %d)", 2542 skb->len, len); 2543 goto drop; 2544 } 2545 2546 if (skb->len > len) { 2547 BT_ERR("Frame is too long (len %d, expected len %d)", 2548 skb->len, len); 2549 goto drop; 2550 } 2551 2552 /* Allocate skb for the complete frame (with header) */ 2553 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL); 2554 if (!conn->rx_skb) 2555 goto drop; 2556 2557 hci_skb_pkt_status(conn->rx_skb) = flags & 0x03; 2558 hci_skb_pkt_seqnum(conn->rx_skb) = sn; 2559 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len), 2560 skb->len); 2561 conn->rx_len = len - skb->len; 2562 2563 /* Copy hw timestamp from skb to rx_skb if present */ 2564 if (ts) { 2565 hwts = skb_hwtstamps(conn->rx_skb); 2566 hwts->hwtstamp = skb_hwtstamps(skb)->hwtstamp; 2567 } 2568 2569 break; 2570 2571 case ISO_CONT: 2572 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, 2573 conn->rx_len); 2574 2575 if (!conn->rx_len) { 2576 BT_ERR("Unexpected continuation frame (len %d)", 2577 skb->len); 2578 goto drop; 2579 } 2580 2581 if (skb->len > conn->rx_len) { 2582 BT_ERR("Fragment is too long (len %d, expected %d)", 2583 skb->len, conn->rx_len); 2584 kfree_skb(conn->rx_skb); 2585 conn->rx_skb = NULL; 2586 conn->rx_len = 0; 2587 goto drop; 2588 } 2589 2590 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len), 2591 skb->len); 2592 conn->rx_len -= skb->len; 2593 break; 2594 2595 case ISO_END: 2596 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len), 2597 skb->len); 2598 conn->rx_len -= skb->len; 2599 2600 if (!conn->rx_len) { 2601 struct sk_buff *rx_skb = conn->rx_skb; 2602 2603 /* Complete frame received. iso_recv_frame 2604 * takes ownership of the skb so set the global 2605 * rx_skb pointer to NULL first. 2606 */ 2607 conn->rx_skb = NULL; 2608 iso_recv_frame(conn, rx_skb); 2609 } 2610 break; 2611 } 2612 2613 drop: 2614 kfree_skb(skb); 2615 done: 2616 iso_conn_put(conn); 2617 return 0; 2618 } 2619 2620 static struct hci_cb iso_cb = { 2621 .name = "ISO", 2622 .connect_cfm = iso_connect_cfm, 2623 .disconn_cfm = iso_disconn_cfm, 2624 }; 2625 2626 static int iso_debugfs_show(struct seq_file *f, void *p) 2627 { 2628 struct sock *sk; 2629 2630 read_lock(&iso_sk_list.lock); 2631 2632 sk_for_each(sk, &iso_sk_list.head) { 2633 seq_printf(f, "%pMR %pMR %d\n", &iso_pi(sk)->src, 2634 &iso_pi(sk)->dst, sk->sk_state); 2635 } 2636 2637 read_unlock(&iso_sk_list.lock); 2638 2639 return 0; 2640 } 2641 2642 DEFINE_SHOW_ATTRIBUTE(iso_debugfs); 2643 2644 static struct dentry *iso_debugfs; 2645 2646 static const struct proto_ops iso_sock_ops = { 2647 .family = PF_BLUETOOTH, 2648 .owner = THIS_MODULE, 2649 .release = iso_sock_release, 2650 .bind = iso_sock_bind, 2651 .connect = iso_sock_connect, 2652 .listen = iso_sock_listen, 2653 .accept = iso_sock_accept, 2654 .getname = iso_sock_getname, 2655 .sendmsg = iso_sock_sendmsg, 2656 .recvmsg = iso_sock_recvmsg, 2657 .poll = bt_sock_poll, 2658 .ioctl = bt_sock_ioctl, 2659 .mmap = sock_no_mmap, 2660 .socketpair = sock_no_socketpair, 2661 .shutdown = iso_sock_shutdown, 2662 .setsockopt = iso_sock_setsockopt, 2663 .getsockopt = iso_sock_getsockopt 2664 }; 2665 2666 static const struct net_proto_family iso_sock_family_ops = { 2667 .family = PF_BLUETOOTH, 2668 .owner = THIS_MODULE, 2669 .create = iso_sock_create, 2670 }; 2671 2672 static bool inited; 2673 2674 bool iso_inited(void) 2675 { 2676 return inited; 2677 } 2678 2679 int iso_init(void) 2680 { 2681 int err; 2682 2683 BUILD_BUG_ON(sizeof(struct sockaddr_iso) > sizeof(struct sockaddr)); 2684 2685 if (inited) 2686 return -EALREADY; 2687 2688 err = proto_register(&iso_proto, 0); 2689 if (err < 0) 2690 return err; 2691 2692 err = bt_sock_register(BTPROTO_ISO, &iso_sock_family_ops); 2693 if (err < 0) { 2694 BT_ERR("ISO socket registration failed"); 2695 goto error; 2696 } 2697 2698 err = bt_procfs_init(&init_net, "iso", &iso_sk_list, NULL); 2699 if (err < 0) { 2700 BT_ERR("Failed to create ISO proc file"); 2701 bt_sock_unregister(BTPROTO_ISO); 2702 goto error; 2703 } 2704 2705 BT_INFO("ISO socket layer initialized"); 2706 2707 hci_register_cb(&iso_cb); 2708 2709 if (!IS_ERR_OR_NULL(bt_debugfs)) 2710 iso_debugfs = debugfs_create_file("iso", 0444, bt_debugfs, 2711 NULL, &iso_debugfs_fops); 2712 2713 inited = true; 2714 2715 return 0; 2716 2717 error: 2718 proto_unregister(&iso_proto); 2719 return err; 2720 } 2721 2722 int iso_exit(void) 2723 { 2724 if (!inited) 2725 return -EALREADY; 2726 2727 bt_procfs_cleanup(&init_net, "iso"); 2728 2729 debugfs_remove(iso_debugfs); 2730 iso_debugfs = NULL; 2731 2732 hci_unregister_cb(&iso_cb); 2733 2734 bt_sock_unregister(BTPROTO_ISO); 2735 2736 proto_unregister(&iso_proto); 2737 2738 inited = false; 2739 2740 return 0; 2741 } 2742