1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * BlueZ - Bluetooth protocol stack for Linux
4 *
5 * Copyright (C) 2022 Intel Corporation
6 * Copyright 2023-2024 NXP
7 */
8
9 #include <linux/module.h>
10 #include <linux/debugfs.h>
11 #include <linux/seq_file.h>
12 #include <linux/sched/signal.h>
13
14 #include <net/bluetooth/bluetooth.h>
15 #include <net/bluetooth/hci_core.h>
16 #include <net/bluetooth/iso.h>
17 #include "eir.h"
18
19 static const struct proto_ops iso_sock_ops;
20
21 static struct bt_sock_list iso_sk_list = {
22 .lock = __RW_LOCK_UNLOCKED(iso_sk_list.lock)
23 };
24
25 /* ---- ISO connections ---- */
26 struct iso_conn {
27 struct hci_conn *hcon;
28
29 /* @lock: spinlock protecting changes to iso_conn fields */
30 spinlock_t lock;
31 struct sock *sk;
32
33 struct delayed_work timeout_work;
34
35 struct sk_buff *rx_skb;
36 __u32 rx_len;
37 __u16 tx_sn;
38 struct kref ref;
39 };
40
41 #define iso_conn_lock(c) spin_lock(&(c)->lock)
42 #define iso_conn_unlock(c) spin_unlock(&(c)->lock)
43
44 static void iso_sock_close(struct sock *sk);
45 static void iso_sock_kill(struct sock *sk);
46
47 /* ----- ISO socket info ----- */
48 #define iso_pi(sk) ((struct iso_pinfo *)sk)
49
50 #define EIR_SERVICE_DATA_LENGTH 4
51 #define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH)
52 #define EIR_BAA_SERVICE_UUID 0x1851
53
54 /* iso_pinfo flags values */
55 enum {
56 BT_SK_BIG_SYNC,
57 BT_SK_PA_SYNC,
58 };
59
60 struct iso_pinfo {
61 struct bt_sock bt;
62 bdaddr_t src;
63 __u8 src_type;
64 bdaddr_t dst;
65 __u8 dst_type;
66 __u8 bc_sid;
67 __u8 bc_num_bis;
68 __u8 bc_bis[ISO_MAX_NUM_BIS];
69 __u16 sync_handle;
70 unsigned long flags;
71 struct bt_iso_qos qos;
72 bool qos_user_set;
73 __u8 base_len;
74 __u8 base[BASE_MAX_LENGTH];
75 struct iso_conn *conn;
76 };
77
78 static struct bt_iso_qos default_qos;
79
80 static bool check_ucast_qos(struct bt_iso_qos *qos);
81 static bool check_bcast_qos(struct bt_iso_qos *qos);
82 static bool iso_match_sid(struct sock *sk, void *data);
83 static bool iso_match_sync_handle(struct sock *sk, void *data);
84 static bool iso_match_sync_handle_pa_report(struct sock *sk, void *data);
85 static void iso_sock_disconn(struct sock *sk);
86
87 typedef bool (*iso_sock_match_t)(struct sock *sk, void *data);
88
89 static struct sock *iso_get_sock(bdaddr_t *src, bdaddr_t *dst,
90 enum bt_sock_state state,
91 iso_sock_match_t match, void *data);
92
93 /* ---- ISO timers ---- */
94 #define ISO_CONN_TIMEOUT secs_to_jiffies(20)
95 #define ISO_DISCONN_TIMEOUT secs_to_jiffies(2)
96
iso_conn_free(struct kref * ref)97 static void iso_conn_free(struct kref *ref)
98 {
99 struct iso_conn *conn = container_of(ref, struct iso_conn, ref);
100
101 BT_DBG("conn %p", conn);
102
103 if (conn->sk)
104 iso_pi(conn->sk)->conn = NULL;
105
106 if (conn->hcon) {
107 conn->hcon->iso_data = NULL;
108 hci_conn_drop(conn->hcon);
109 }
110
111 /* Ensure no more work items will run since hci_conn has been dropped */
112 disable_delayed_work_sync(&conn->timeout_work);
113
114 kfree_skb(conn->rx_skb);
115
116 kfree(conn);
117 }
118
iso_conn_put(struct iso_conn * conn)119 static void iso_conn_put(struct iso_conn *conn)
120 {
121 if (!conn)
122 return;
123
124 BT_DBG("conn %p refcnt %d", conn, kref_read(&conn->ref));
125
126 kref_put(&conn->ref, iso_conn_free);
127 }
128
iso_conn_hold_unless_zero(struct iso_conn * conn)129 static struct iso_conn *iso_conn_hold_unless_zero(struct iso_conn *conn)
130 {
131 if (!conn)
132 return NULL;
133
134 BT_DBG("conn %p refcnt %u", conn, kref_read(&conn->ref));
135
136 if (!kref_get_unless_zero(&conn->ref))
137 return NULL;
138
139 return conn;
140 }
141
iso_sock_hold(struct iso_conn * conn)142 static struct sock *iso_sock_hold(struct iso_conn *conn)
143 {
144 if (!conn || !bt_sock_linked(&iso_sk_list, conn->sk))
145 return NULL;
146
147 sock_hold(conn->sk);
148
149 return conn->sk;
150 }
151
iso_sock_timeout(struct work_struct * work)152 static void iso_sock_timeout(struct work_struct *work)
153 {
154 struct iso_conn *conn = container_of(work, struct iso_conn,
155 timeout_work.work);
156 struct sock *sk;
157
158 conn = iso_conn_hold_unless_zero(conn);
159 if (!conn)
160 return;
161
162 iso_conn_lock(conn);
163 sk = iso_sock_hold(conn);
164 iso_conn_unlock(conn);
165 iso_conn_put(conn);
166
167 if (!sk)
168 return;
169
170 BT_DBG("sock %p state %d", sk, sk->sk_state);
171
172 lock_sock(sk);
173 sk->sk_err = ETIMEDOUT;
174 sk->sk_state_change(sk);
175 release_sock(sk);
176 sock_put(sk);
177 }
178
iso_sock_set_timer(struct sock * sk,long timeout)179 static void iso_sock_set_timer(struct sock *sk, long timeout)
180 {
181 if (!iso_pi(sk)->conn)
182 return;
183
184 BT_DBG("sock %p state %d timeout %ld", sk, sk->sk_state, timeout);
185 cancel_delayed_work(&iso_pi(sk)->conn->timeout_work);
186 schedule_delayed_work(&iso_pi(sk)->conn->timeout_work, timeout);
187 }
188
iso_sock_clear_timer(struct sock * sk)189 static void iso_sock_clear_timer(struct sock *sk)
190 {
191 if (!iso_pi(sk)->conn)
192 return;
193
194 BT_DBG("sock %p state %d", sk, sk->sk_state);
195 cancel_delayed_work(&iso_pi(sk)->conn->timeout_work);
196 }
197
198 /* ---- ISO connections ---- */
iso_conn_add(struct hci_conn * hcon)199 static struct iso_conn *iso_conn_add(struct hci_conn *hcon)
200 {
201 struct iso_conn *conn = hcon->iso_data;
202
203 conn = iso_conn_hold_unless_zero(conn);
204 if (conn) {
205 if (!conn->hcon) {
206 iso_conn_lock(conn);
207 conn->hcon = hcon;
208 iso_conn_unlock(conn);
209 }
210 iso_conn_put(conn);
211 return conn;
212 }
213
214 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
215 if (!conn)
216 return NULL;
217
218 kref_init(&conn->ref);
219 spin_lock_init(&conn->lock);
220 INIT_DELAYED_WORK(&conn->timeout_work, iso_sock_timeout);
221
222 hcon->iso_data = conn;
223 conn->hcon = hcon;
224 conn->tx_sn = 0;
225
226 BT_DBG("hcon %p conn %p", hcon, conn);
227
228 return conn;
229 }
230
231 /* Delete channel. Must be called on the locked socket. */
iso_chan_del(struct sock * sk,int err)232 static void iso_chan_del(struct sock *sk, int err)
233 {
234 struct iso_conn *conn;
235 struct sock *parent;
236
237 conn = iso_pi(sk)->conn;
238 iso_pi(sk)->conn = NULL;
239
240 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
241
242 if (conn) {
243 iso_conn_lock(conn);
244 conn->sk = NULL;
245 iso_conn_unlock(conn);
246 iso_conn_put(conn);
247 }
248
249 sk->sk_state = BT_CLOSED;
250 sk->sk_err = err;
251
252 parent = bt_sk(sk)->parent;
253 if (parent) {
254 bt_accept_unlink(sk);
255 parent->sk_data_ready(parent);
256 } else {
257 sk->sk_state_change(sk);
258 }
259
260 sock_set_flag(sk, SOCK_ZAPPED);
261 }
262
iso_conn_del(struct hci_conn * hcon,int err)263 static void iso_conn_del(struct hci_conn *hcon, int err)
264 {
265 struct iso_conn *conn = hcon->iso_data;
266 struct sock *sk;
267
268 conn = iso_conn_hold_unless_zero(conn);
269 if (!conn)
270 return;
271
272 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
273
274 /* Kill socket */
275 iso_conn_lock(conn);
276 sk = iso_sock_hold(conn);
277 iso_conn_unlock(conn);
278 iso_conn_put(conn);
279
280 if (!sk) {
281 iso_conn_put(conn);
282 return;
283 }
284
285 lock_sock(sk);
286 iso_sock_clear_timer(sk);
287 iso_chan_del(sk, err);
288 release_sock(sk);
289 sock_put(sk);
290 }
291
__iso_chan_add(struct iso_conn * conn,struct sock * sk,struct sock * parent)292 static int __iso_chan_add(struct iso_conn *conn, struct sock *sk,
293 struct sock *parent)
294 {
295 BT_DBG("conn %p", conn);
296
297 if (iso_pi(sk)->conn == conn && conn->sk == sk)
298 return 0;
299
300 if (conn->sk) {
301 BT_ERR("conn->sk already set");
302 return -EBUSY;
303 }
304
305 iso_pi(sk)->conn = conn;
306 conn->sk = sk;
307
308 if (parent)
309 bt_accept_enqueue(parent, sk, true);
310
311 return 0;
312 }
313
iso_chan_add(struct iso_conn * conn,struct sock * sk,struct sock * parent)314 static int iso_chan_add(struct iso_conn *conn, struct sock *sk,
315 struct sock *parent)
316 {
317 int err;
318
319 iso_conn_lock(conn);
320 err = __iso_chan_add(conn, sk, parent);
321 iso_conn_unlock(conn);
322
323 return err;
324 }
325
le_addr_type(u8 bdaddr_type)326 static inline u8 le_addr_type(u8 bdaddr_type)
327 {
328 if (bdaddr_type == BDADDR_LE_PUBLIC)
329 return ADDR_LE_DEV_PUBLIC;
330 else
331 return ADDR_LE_DEV_RANDOM;
332 }
333
iso_connect_bis(struct sock * sk)334 static int iso_connect_bis(struct sock *sk)
335 {
336 struct iso_conn *conn;
337 struct hci_conn *hcon;
338 struct hci_dev *hdev;
339 int err;
340
341 BT_DBG("%pMR (SID 0x%2.2x)", &iso_pi(sk)->src, iso_pi(sk)->bc_sid);
342
343 hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
344 iso_pi(sk)->src_type);
345 if (!hdev)
346 return -EHOSTUNREACH;
347
348 hci_dev_lock(hdev);
349
350 if (!bis_capable(hdev)) {
351 err = -EOPNOTSUPP;
352 goto unlock;
353 }
354
355 /* Fail if user set invalid QoS */
356 if (iso_pi(sk)->qos_user_set && !check_bcast_qos(&iso_pi(sk)->qos)) {
357 iso_pi(sk)->qos = default_qos;
358 err = -EINVAL;
359 goto unlock;
360 }
361
362 /* Fail if out PHYs are marked as disabled */
363 if (!iso_pi(sk)->qos.bcast.out.phy) {
364 err = -EINVAL;
365 goto unlock;
366 }
367
368 /* Just bind if DEFER_SETUP has been set */
369 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
370 hcon = hci_bind_bis(hdev, &iso_pi(sk)->dst, iso_pi(sk)->bc_sid,
371 &iso_pi(sk)->qos, iso_pi(sk)->base_len,
372 iso_pi(sk)->base,
373 READ_ONCE(sk->sk_sndtimeo));
374 if (IS_ERR(hcon)) {
375 err = PTR_ERR(hcon);
376 goto unlock;
377 }
378 } else {
379 hcon = hci_connect_bis(hdev, &iso_pi(sk)->dst,
380 le_addr_type(iso_pi(sk)->dst_type),
381 iso_pi(sk)->bc_sid, &iso_pi(sk)->qos,
382 iso_pi(sk)->base_len, iso_pi(sk)->base,
383 READ_ONCE(sk->sk_sndtimeo));
384 if (IS_ERR(hcon)) {
385 err = PTR_ERR(hcon);
386 goto unlock;
387 }
388
389 /* Update SID if it was not set */
390 if (iso_pi(sk)->bc_sid == HCI_SID_INVALID)
391 iso_pi(sk)->bc_sid = hcon->sid;
392 }
393
394 conn = iso_conn_add(hcon);
395 if (!conn) {
396 hci_conn_drop(hcon);
397 err = -ENOMEM;
398 goto unlock;
399 }
400
401 lock_sock(sk);
402
403 err = iso_chan_add(conn, sk, NULL);
404 if (err) {
405 release_sock(sk);
406 goto unlock;
407 }
408
409 /* Update source addr of the socket */
410 bacpy(&iso_pi(sk)->src, &hcon->src);
411
412 if (hcon->state == BT_CONNECTED) {
413 iso_sock_clear_timer(sk);
414 sk->sk_state = BT_CONNECTED;
415 } else if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
416 iso_sock_clear_timer(sk);
417 sk->sk_state = BT_CONNECT;
418 } else {
419 sk->sk_state = BT_CONNECT;
420 iso_sock_set_timer(sk, READ_ONCE(sk->sk_sndtimeo));
421 }
422
423 release_sock(sk);
424
425 unlock:
426 hci_dev_unlock(hdev);
427 hci_dev_put(hdev);
428 return err;
429 }
430
iso_connect_cis(struct sock * sk)431 static int iso_connect_cis(struct sock *sk)
432 {
433 struct iso_conn *conn;
434 struct hci_conn *hcon;
435 struct hci_dev *hdev;
436 int err;
437
438 BT_DBG("%pMR -> %pMR", &iso_pi(sk)->src, &iso_pi(sk)->dst);
439
440 hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
441 iso_pi(sk)->src_type);
442 if (!hdev)
443 return -EHOSTUNREACH;
444
445 hci_dev_lock(hdev);
446
447 if (!cis_central_capable(hdev)) {
448 err = -EOPNOTSUPP;
449 goto unlock;
450 }
451
452 /* Fail if user set invalid QoS */
453 if (iso_pi(sk)->qos_user_set && !check_ucast_qos(&iso_pi(sk)->qos)) {
454 iso_pi(sk)->qos = default_qos;
455 err = -EINVAL;
456 goto unlock;
457 }
458
459 /* Fail if either PHYs are marked as disabled */
460 if (!iso_pi(sk)->qos.ucast.in.phy && !iso_pi(sk)->qos.ucast.out.phy) {
461 err = -EINVAL;
462 goto unlock;
463 }
464
465 /* Check if there are available buffers for output/TX. */
466 if (iso_pi(sk)->qos.ucast.out.sdu && !hci_iso_count(hdev) &&
467 (hdev->iso_pkts && !hdev->iso_cnt)) {
468 err = -ENOBUFS;
469 goto unlock;
470 }
471
472 /* Just bind if DEFER_SETUP has been set */
473 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
474 hcon = hci_bind_cis(hdev, &iso_pi(sk)->dst,
475 le_addr_type(iso_pi(sk)->dst_type),
476 &iso_pi(sk)->qos,
477 READ_ONCE(sk->sk_sndtimeo));
478 if (IS_ERR(hcon)) {
479 err = PTR_ERR(hcon);
480 goto unlock;
481 }
482 } else {
483 hcon = hci_connect_cis(hdev, &iso_pi(sk)->dst,
484 le_addr_type(iso_pi(sk)->dst_type),
485 &iso_pi(sk)->qos,
486 READ_ONCE(sk->sk_sndtimeo));
487 if (IS_ERR(hcon)) {
488 err = PTR_ERR(hcon);
489 goto unlock;
490 }
491 }
492
493 conn = iso_conn_add(hcon);
494 if (!conn) {
495 hci_conn_drop(hcon);
496 err = -ENOMEM;
497 goto unlock;
498 }
499
500 lock_sock(sk);
501
502 err = iso_chan_add(conn, sk, NULL);
503 if (err) {
504 release_sock(sk);
505 goto unlock;
506 }
507
508 /* Update source addr of the socket */
509 bacpy(&iso_pi(sk)->src, &hcon->src);
510
511 if (hcon->state == BT_CONNECTED) {
512 iso_sock_clear_timer(sk);
513 sk->sk_state = BT_CONNECTED;
514 } else if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
515 iso_sock_clear_timer(sk);
516 sk->sk_state = BT_CONNECT;
517 } else {
518 sk->sk_state = BT_CONNECT;
519 iso_sock_set_timer(sk, READ_ONCE(sk->sk_sndtimeo));
520 }
521
522 release_sock(sk);
523
524 unlock:
525 hci_dev_unlock(hdev);
526 hci_dev_put(hdev);
527 return err;
528 }
529
iso_sock_get_qos(struct sock * sk)530 static struct bt_iso_qos *iso_sock_get_qos(struct sock *sk)
531 {
532 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONNECT2)
533 return &iso_pi(sk)->conn->hcon->iso_qos;
534
535 return &iso_pi(sk)->qos;
536 }
537
iso_send_frame(struct sock * sk,struct sk_buff * skb,const struct sockcm_cookie * sockc)538 static int iso_send_frame(struct sock *sk, struct sk_buff *skb,
539 const struct sockcm_cookie *sockc)
540 {
541 struct iso_conn *conn = iso_pi(sk)->conn;
542 struct bt_iso_qos *qos = iso_sock_get_qos(sk);
543 struct hci_iso_data_hdr *hdr;
544 int len = 0;
545
546 BT_DBG("sk %p len %d", sk, skb->len);
547
548 if (skb->len > qos->ucast.out.sdu)
549 return -EMSGSIZE;
550
551 len = skb->len;
552
553 /* Push ISO data header */
554 hdr = skb_push(skb, HCI_ISO_DATA_HDR_SIZE);
555 hdr->sn = cpu_to_le16(conn->tx_sn++);
556 hdr->slen = cpu_to_le16(hci_iso_data_len_pack(len,
557 HCI_ISO_STATUS_VALID));
558
559 if (sk->sk_state == BT_CONNECTED) {
560 hci_setup_tx_timestamp(skb, 1, sockc);
561 hci_send_iso(conn->hcon, skb);
562 } else {
563 len = -ENOTCONN;
564 }
565
566 return len;
567 }
568
iso_recv_frame(struct iso_conn * conn,struct sk_buff * skb)569 static void iso_recv_frame(struct iso_conn *conn, struct sk_buff *skb)
570 {
571 struct sock *sk;
572
573 iso_conn_lock(conn);
574 sk = conn->sk;
575 iso_conn_unlock(conn);
576
577 if (!sk)
578 goto drop;
579
580 BT_DBG("sk %p len %d", sk, skb->len);
581
582 if (sk->sk_state != BT_CONNECTED)
583 goto drop;
584
585 if (!sock_queue_rcv_skb(sk, skb))
586 return;
587
588 drop:
589 kfree_skb(skb);
590 }
591
592 /* -------- Socket interface ---------- */
__iso_get_sock_listen_by_addr(bdaddr_t * src,bdaddr_t * dst)593 static struct sock *__iso_get_sock_listen_by_addr(bdaddr_t *src, bdaddr_t *dst)
594 {
595 struct sock *sk;
596
597 sk_for_each(sk, &iso_sk_list.head) {
598 if (sk->sk_state != BT_LISTEN)
599 continue;
600
601 if (bacmp(&iso_pi(sk)->dst, dst))
602 continue;
603
604 if (!bacmp(&iso_pi(sk)->src, src))
605 return sk;
606 }
607
608 return NULL;
609 }
610
__iso_get_sock_listen_by_sid(bdaddr_t * ba,bdaddr_t * bc,__u8 sid)611 static struct sock *__iso_get_sock_listen_by_sid(bdaddr_t *ba, bdaddr_t *bc,
612 __u8 sid)
613 {
614 struct sock *sk;
615
616 sk_for_each(sk, &iso_sk_list.head) {
617 if (sk->sk_state != BT_LISTEN)
618 continue;
619
620 if (bacmp(&iso_pi(sk)->src, ba))
621 continue;
622
623 if (bacmp(&iso_pi(sk)->dst, bc))
624 continue;
625
626 if (iso_pi(sk)->bc_sid == sid)
627 return sk;
628 }
629
630 return NULL;
631 }
632
633 /* Find socket in given state:
634 * source bdaddr (Unicast)
635 * destination bdaddr (Broadcast only)
636 * match func - pass NULL to ignore
637 * match func data - pass -1 to ignore
638 * Returns closest match.
639 */
iso_get_sock(bdaddr_t * src,bdaddr_t * dst,enum bt_sock_state state,iso_sock_match_t match,void * data)640 static struct sock *iso_get_sock(bdaddr_t *src, bdaddr_t *dst,
641 enum bt_sock_state state,
642 iso_sock_match_t match, void *data)
643 {
644 struct sock *sk = NULL, *sk1 = NULL;
645
646 read_lock(&iso_sk_list.lock);
647
648 sk_for_each(sk, &iso_sk_list.head) {
649 if (sk->sk_state != state)
650 continue;
651
652 /* Match Broadcast destination */
653 if (bacmp(dst, BDADDR_ANY) && bacmp(&iso_pi(sk)->dst, dst))
654 continue;
655
656 /* Use Match function if provided */
657 if (match && !match(sk, data))
658 continue;
659
660 /* Exact match. */
661 if (!bacmp(&iso_pi(sk)->src, src)) {
662 sock_hold(sk);
663 break;
664 }
665
666 /* Closest match */
667 if (!bacmp(&iso_pi(sk)->src, BDADDR_ANY)) {
668 if (sk1)
669 sock_put(sk1);
670
671 sk1 = sk;
672 sock_hold(sk1);
673 }
674 }
675
676 if (sk && sk1)
677 sock_put(sk1);
678
679 read_unlock(&iso_sk_list.lock);
680
681 return sk ? sk : sk1;
682 }
683
iso_get_sock_big(struct sock * match_sk,bdaddr_t * src,bdaddr_t * dst,uint8_t big)684 static struct sock *iso_get_sock_big(struct sock *match_sk, bdaddr_t *src,
685 bdaddr_t *dst, uint8_t big)
686 {
687 struct sock *sk = NULL;
688
689 read_lock(&iso_sk_list.lock);
690
691 sk_for_each(sk, &iso_sk_list.head) {
692 if (match_sk == sk)
693 continue;
694
695 /* Look for sockets that have already been
696 * connected to the BIG
697 */
698 if (sk->sk_state != BT_CONNECTED &&
699 sk->sk_state != BT_CONNECT)
700 continue;
701
702 /* Match Broadcast destination */
703 if (bacmp(&iso_pi(sk)->dst, dst))
704 continue;
705
706 /* Match BIG handle */
707 if (iso_pi(sk)->qos.bcast.big != big)
708 continue;
709
710 /* Match source address */
711 if (bacmp(&iso_pi(sk)->src, src))
712 continue;
713
714 sock_hold(sk);
715 break;
716 }
717
718 read_unlock(&iso_sk_list.lock);
719
720 return sk;
721 }
722
iso_sock_destruct(struct sock * sk)723 static void iso_sock_destruct(struct sock *sk)
724 {
725 BT_DBG("sk %p", sk);
726
727 iso_conn_put(iso_pi(sk)->conn);
728
729 skb_queue_purge(&sk->sk_receive_queue);
730 skb_queue_purge(&sk->sk_write_queue);
731 }
732
iso_sock_cleanup_listen(struct sock * parent)733 static void iso_sock_cleanup_listen(struct sock *parent)
734 {
735 struct sock *sk;
736
737 BT_DBG("parent %p", parent);
738
739 /* Close not yet accepted channels */
740 while ((sk = bt_accept_dequeue(parent, NULL))) {
741 iso_sock_close(sk);
742 iso_sock_kill(sk);
743 }
744
745 /* If listening socket has a hcon, properly disconnect it */
746 if (iso_pi(parent)->conn && iso_pi(parent)->conn->hcon) {
747 iso_sock_disconn(parent);
748 return;
749 }
750
751 parent->sk_state = BT_CLOSED;
752 sock_set_flag(parent, SOCK_ZAPPED);
753 }
754
755 /* Kill socket (only if zapped and orphan)
756 * Must be called on unlocked socket.
757 */
iso_sock_kill(struct sock * sk)758 static void iso_sock_kill(struct sock *sk)
759 {
760 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket ||
761 sock_flag(sk, SOCK_DEAD))
762 return;
763
764 BT_DBG("sk %p state %d", sk, sk->sk_state);
765
766 /* Sock is dead, so set conn->sk to NULL to avoid possible UAF */
767 if (iso_pi(sk)->conn) {
768 iso_conn_lock(iso_pi(sk)->conn);
769 iso_pi(sk)->conn->sk = NULL;
770 iso_conn_unlock(iso_pi(sk)->conn);
771 }
772
773 /* Kill poor orphan */
774 bt_sock_unlink(&iso_sk_list, sk);
775 sock_set_flag(sk, SOCK_DEAD);
776 sock_put(sk);
777 }
778
iso_sock_disconn(struct sock * sk)779 static void iso_sock_disconn(struct sock *sk)
780 {
781 struct sock *bis_sk;
782 struct hci_conn *hcon = iso_pi(sk)->conn->hcon;
783
784 if (test_bit(HCI_CONN_BIG_CREATED, &hcon->flags)) {
785 bis_sk = iso_get_sock_big(sk, &iso_pi(sk)->src,
786 &iso_pi(sk)->dst,
787 iso_pi(sk)->qos.bcast.big);
788
789 /* If there are any other connected sockets for the
790 * same BIG, just delete the sk and leave the bis
791 * hcon active, in case later rebinding is needed.
792 */
793 if (bis_sk) {
794 hcon->state = BT_OPEN;
795 hcon->iso_data = NULL;
796 iso_pi(sk)->conn->hcon = NULL;
797 iso_sock_clear_timer(sk);
798 iso_chan_del(sk, bt_to_errno(hcon->abort_reason));
799 sock_put(bis_sk);
800 return;
801 }
802 }
803
804 sk->sk_state = BT_DISCONN;
805 iso_conn_lock(iso_pi(sk)->conn);
806 hci_conn_drop(iso_pi(sk)->conn->hcon);
807 iso_pi(sk)->conn->hcon = NULL;
808 iso_conn_unlock(iso_pi(sk)->conn);
809 }
810
__iso_sock_close(struct sock * sk)811 static void __iso_sock_close(struct sock *sk)
812 {
813 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
814
815 switch (sk->sk_state) {
816 case BT_LISTEN:
817 iso_sock_cleanup_listen(sk);
818 break;
819
820 case BT_CONNECT:
821 case BT_CONNECTED:
822 case BT_CONFIG:
823 if (iso_pi(sk)->conn->hcon)
824 iso_sock_disconn(sk);
825 else
826 iso_chan_del(sk, ECONNRESET);
827 break;
828
829 case BT_CONNECT2:
830 if (iso_pi(sk)->conn->hcon &&
831 (test_bit(HCI_CONN_PA_SYNC, &iso_pi(sk)->conn->hcon->flags) ||
832 test_bit(HCI_CONN_PA_SYNC_FAILED, &iso_pi(sk)->conn->hcon->flags)))
833 iso_sock_disconn(sk);
834 else
835 iso_chan_del(sk, ECONNRESET);
836 break;
837 case BT_DISCONN:
838 iso_chan_del(sk, ECONNRESET);
839 break;
840
841 default:
842 sock_set_flag(sk, SOCK_ZAPPED);
843 break;
844 }
845 }
846
847 /* Must be called on unlocked socket. */
iso_sock_close(struct sock * sk)848 static void iso_sock_close(struct sock *sk)
849 {
850 iso_sock_clear_timer(sk);
851 lock_sock(sk);
852 __iso_sock_close(sk);
853 release_sock(sk);
854 iso_sock_kill(sk);
855 }
856
iso_sock_init(struct sock * sk,struct sock * parent)857 static void iso_sock_init(struct sock *sk, struct sock *parent)
858 {
859 BT_DBG("sk %p", sk);
860
861 if (parent) {
862 sk->sk_type = parent->sk_type;
863 bt_sk(sk)->flags = bt_sk(parent)->flags;
864 security_sk_clone(parent, sk);
865 }
866 }
867
868 static struct proto iso_proto = {
869 .name = "ISO",
870 .owner = THIS_MODULE,
871 .obj_size = sizeof(struct iso_pinfo)
872 };
873
874 #define DEFAULT_IO_QOS \
875 { \
876 .interval = 10000u, \
877 .latency = 10u, \
878 .sdu = 40u, \
879 .phy = BT_ISO_PHY_2M, \
880 .rtn = 2u, \
881 }
882
883 static struct bt_iso_qos default_qos = {
884 .bcast = {
885 .big = BT_ISO_QOS_BIG_UNSET,
886 .bis = BT_ISO_QOS_BIS_UNSET,
887 .sync_factor = 0x01,
888 .packing = 0x00,
889 .framing = 0x00,
890 .in = DEFAULT_IO_QOS,
891 .out = DEFAULT_IO_QOS,
892 .encryption = 0x00,
893 .bcode = {0x00},
894 .options = 0x00,
895 .skip = 0x0000,
896 .sync_timeout = BT_ISO_SYNC_TIMEOUT,
897 .sync_cte_type = 0x00,
898 .mse = 0x00,
899 .timeout = BT_ISO_SYNC_TIMEOUT,
900 },
901 };
902
iso_sock_alloc(struct net * net,struct socket * sock,int proto,gfp_t prio,int kern)903 static struct sock *iso_sock_alloc(struct net *net, struct socket *sock,
904 int proto, gfp_t prio, int kern)
905 {
906 struct sock *sk;
907
908 sk = bt_sock_alloc(net, sock, &iso_proto, proto, prio, kern);
909 if (!sk)
910 return NULL;
911
912 sk->sk_destruct = iso_sock_destruct;
913 sk->sk_sndtimeo = ISO_CONN_TIMEOUT;
914
915 /* Set address type as public as default src address is BDADDR_ANY */
916 iso_pi(sk)->src_type = BDADDR_LE_PUBLIC;
917
918 iso_pi(sk)->qos = default_qos;
919 iso_pi(sk)->sync_handle = -1;
920
921 bt_sock_link(&iso_sk_list, sk);
922 return sk;
923 }
924
iso_sock_create(struct net * net,struct socket * sock,int protocol,int kern)925 static int iso_sock_create(struct net *net, struct socket *sock, int protocol,
926 int kern)
927 {
928 struct sock *sk;
929
930 BT_DBG("sock %p", sock);
931
932 sock->state = SS_UNCONNECTED;
933
934 if (sock->type != SOCK_SEQPACKET)
935 return -ESOCKTNOSUPPORT;
936
937 sock->ops = &iso_sock_ops;
938
939 sk = iso_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
940 if (!sk)
941 return -ENOMEM;
942
943 iso_sock_init(sk, NULL);
944 return 0;
945 }
946
iso_sock_bind_bc(struct socket * sock,struct sockaddr * addr,int addr_len)947 static int iso_sock_bind_bc(struct socket *sock, struct sockaddr *addr,
948 int addr_len)
949 {
950 struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
951 struct sock *sk = sock->sk;
952 int i;
953
954 BT_DBG("sk %p bc_sid %u bc_num_bis %u", sk, sa->iso_bc->bc_sid,
955 sa->iso_bc->bc_num_bis);
956
957 if (addr_len != sizeof(*sa) + sizeof(*sa->iso_bc))
958 return -EINVAL;
959
960 bacpy(&iso_pi(sk)->dst, &sa->iso_bc->bc_bdaddr);
961
962 /* Check if the address type is of LE type */
963 if (!bdaddr_type_is_le(sa->iso_bc->bc_bdaddr_type))
964 return -EINVAL;
965
966 iso_pi(sk)->dst_type = sa->iso_bc->bc_bdaddr_type;
967
968 if (sa->iso_bc->bc_sid > 0x0f && sa->iso_bc->bc_sid != HCI_SID_INVALID)
969 return -EINVAL;
970
971 iso_pi(sk)->bc_sid = sa->iso_bc->bc_sid;
972
973 if (sa->iso_bc->bc_num_bis > ISO_MAX_NUM_BIS)
974 return -EINVAL;
975
976 iso_pi(sk)->bc_num_bis = sa->iso_bc->bc_num_bis;
977
978 for (i = 0; i < iso_pi(sk)->bc_num_bis; i++)
979 if (sa->iso_bc->bc_bis[i] < 0x01 ||
980 sa->iso_bc->bc_bis[i] > 0x1f)
981 return -EINVAL;
982
983 memcpy(iso_pi(sk)->bc_bis, sa->iso_bc->bc_bis,
984 iso_pi(sk)->bc_num_bis);
985
986 return 0;
987 }
988
iso_sock_bind_pa_sk(struct sock * sk,struct sockaddr_iso * sa,int addr_len)989 static int iso_sock_bind_pa_sk(struct sock *sk, struct sockaddr_iso *sa,
990 int addr_len)
991 {
992 int err = 0;
993
994 if (sk->sk_type != SOCK_SEQPACKET) {
995 err = -EINVAL;
996 goto done;
997 }
998
999 if (addr_len != sizeof(*sa) + sizeof(*sa->iso_bc)) {
1000 err = -EINVAL;
1001 goto done;
1002 }
1003
1004 if (sa->iso_bc->bc_num_bis > ISO_MAX_NUM_BIS) {
1005 err = -EINVAL;
1006 goto done;
1007 }
1008
1009 iso_pi(sk)->bc_num_bis = sa->iso_bc->bc_num_bis;
1010
1011 for (int i = 0; i < iso_pi(sk)->bc_num_bis; i++)
1012 if (sa->iso_bc->bc_bis[i] < 0x01 ||
1013 sa->iso_bc->bc_bis[i] > 0x1f) {
1014 err = -EINVAL;
1015 goto done;
1016 }
1017
1018 memcpy(iso_pi(sk)->bc_bis, sa->iso_bc->bc_bis,
1019 iso_pi(sk)->bc_num_bis);
1020
1021 done:
1022 return err;
1023 }
1024
iso_sock_bind(struct socket * sock,struct sockaddr * addr,int addr_len)1025 static int iso_sock_bind(struct socket *sock, struct sockaddr *addr,
1026 int addr_len)
1027 {
1028 struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
1029 struct sock *sk = sock->sk;
1030 int err = 0;
1031
1032 BT_DBG("sk %p %pMR type %u", sk, &sa->iso_bdaddr, sa->iso_bdaddr_type);
1033
1034 if (!addr || addr_len < sizeof(struct sockaddr_iso) ||
1035 addr->sa_family != AF_BLUETOOTH)
1036 return -EINVAL;
1037
1038 lock_sock(sk);
1039
1040 /* Allow the user to bind a PA sync socket to a number
1041 * of BISes to sync to.
1042 */
1043 if ((sk->sk_state == BT_CONNECT2 ||
1044 sk->sk_state == BT_CONNECTED) &&
1045 test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) {
1046 err = iso_sock_bind_pa_sk(sk, sa, addr_len);
1047 goto done;
1048 }
1049
1050 if (sk->sk_state != BT_OPEN) {
1051 err = -EBADFD;
1052 goto done;
1053 }
1054
1055 if (sk->sk_type != SOCK_SEQPACKET) {
1056 err = -EINVAL;
1057 goto done;
1058 }
1059
1060 /* Check if the address type is of LE type */
1061 if (!bdaddr_type_is_le(sa->iso_bdaddr_type)) {
1062 err = -EINVAL;
1063 goto done;
1064 }
1065
1066 bacpy(&iso_pi(sk)->src, &sa->iso_bdaddr);
1067 iso_pi(sk)->src_type = sa->iso_bdaddr_type;
1068
1069 /* Check for Broadcast address */
1070 if (addr_len > sizeof(*sa)) {
1071 err = iso_sock_bind_bc(sock, addr, addr_len);
1072 if (err)
1073 goto done;
1074 }
1075
1076 sk->sk_state = BT_BOUND;
1077
1078 done:
1079 release_sock(sk);
1080 return err;
1081 }
1082
iso_sock_connect(struct socket * sock,struct sockaddr * addr,int alen,int flags)1083 static int iso_sock_connect(struct socket *sock, struct sockaddr *addr,
1084 int alen, int flags)
1085 {
1086 struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
1087 struct sock *sk = sock->sk;
1088 int err;
1089
1090 BT_DBG("sk %p", sk);
1091
1092 if (alen < sizeof(struct sockaddr_iso) ||
1093 addr->sa_family != AF_BLUETOOTH)
1094 return -EINVAL;
1095
1096 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND)
1097 return -EBADFD;
1098
1099 if (sk->sk_type != SOCK_SEQPACKET)
1100 return -EINVAL;
1101
1102 /* Check if the address type is of LE type */
1103 if (!bdaddr_type_is_le(sa->iso_bdaddr_type))
1104 return -EINVAL;
1105
1106 lock_sock(sk);
1107
1108 bacpy(&iso_pi(sk)->dst, &sa->iso_bdaddr);
1109 iso_pi(sk)->dst_type = sa->iso_bdaddr_type;
1110
1111 release_sock(sk);
1112
1113 if (bacmp(&iso_pi(sk)->dst, BDADDR_ANY))
1114 err = iso_connect_cis(sk);
1115 else
1116 err = iso_connect_bis(sk);
1117
1118 if (err)
1119 return err;
1120
1121 lock_sock(sk);
1122
1123 if (!test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
1124 err = bt_sock_wait_state(sk, BT_CONNECTED,
1125 sock_sndtimeo(sk, flags & O_NONBLOCK));
1126 }
1127
1128 release_sock(sk);
1129 return err;
1130 }
1131
iso_listen_bis(struct sock * sk)1132 static int iso_listen_bis(struct sock *sk)
1133 {
1134 struct hci_dev *hdev;
1135 int err = 0;
1136 struct iso_conn *conn;
1137 struct hci_conn *hcon;
1138
1139 BT_DBG("%pMR -> %pMR (SID 0x%2.2x)", &iso_pi(sk)->src,
1140 &iso_pi(sk)->dst, iso_pi(sk)->bc_sid);
1141
1142 write_lock(&iso_sk_list.lock);
1143
1144 if (__iso_get_sock_listen_by_sid(&iso_pi(sk)->src, &iso_pi(sk)->dst,
1145 iso_pi(sk)->bc_sid))
1146 err = -EADDRINUSE;
1147
1148 write_unlock(&iso_sk_list.lock);
1149
1150 if (err)
1151 return err;
1152
1153 hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
1154 iso_pi(sk)->src_type);
1155 if (!hdev)
1156 return -EHOSTUNREACH;
1157
1158 hci_dev_lock(hdev);
1159 lock_sock(sk);
1160
1161 /* Fail if user set invalid QoS */
1162 if (iso_pi(sk)->qos_user_set && !check_bcast_qos(&iso_pi(sk)->qos)) {
1163 iso_pi(sk)->qos = default_qos;
1164 err = -EINVAL;
1165 goto unlock;
1166 }
1167
1168 hcon = hci_pa_create_sync(hdev, &iso_pi(sk)->dst,
1169 le_addr_type(iso_pi(sk)->dst_type),
1170 iso_pi(sk)->bc_sid, &iso_pi(sk)->qos);
1171 if (IS_ERR(hcon)) {
1172 err = PTR_ERR(hcon);
1173 goto unlock;
1174 }
1175
1176 conn = iso_conn_add(hcon);
1177 if (!conn) {
1178 hci_conn_drop(hcon);
1179 err = -ENOMEM;
1180 goto unlock;
1181 }
1182
1183 err = iso_chan_add(conn, sk, NULL);
1184 if (err) {
1185 hci_conn_drop(hcon);
1186 goto unlock;
1187 }
1188
1189 unlock:
1190 release_sock(sk);
1191 hci_dev_unlock(hdev);
1192 hci_dev_put(hdev);
1193 return err;
1194 }
1195
iso_listen_cis(struct sock * sk)1196 static int iso_listen_cis(struct sock *sk)
1197 {
1198 int err = 0;
1199
1200 BT_DBG("%pMR", &iso_pi(sk)->src);
1201
1202 write_lock(&iso_sk_list.lock);
1203
1204 if (__iso_get_sock_listen_by_addr(&iso_pi(sk)->src, &iso_pi(sk)->dst))
1205 err = -EADDRINUSE;
1206
1207 write_unlock(&iso_sk_list.lock);
1208
1209 return err;
1210 }
1211
iso_sock_listen(struct socket * sock,int backlog)1212 static int iso_sock_listen(struct socket *sock, int backlog)
1213 {
1214 struct sock *sk = sock->sk;
1215 int err = 0;
1216
1217 BT_DBG("sk %p backlog %d", sk, backlog);
1218
1219 sock_hold(sk);
1220 lock_sock(sk);
1221
1222 if (sk->sk_state != BT_BOUND) {
1223 err = -EBADFD;
1224 goto done;
1225 }
1226
1227 if (sk->sk_type != SOCK_SEQPACKET) {
1228 err = -EINVAL;
1229 goto done;
1230 }
1231
1232 if (!bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) {
1233 err = iso_listen_cis(sk);
1234 } else {
1235 /* Drop sock lock to avoid potential
1236 * deadlock with the hdev lock.
1237 */
1238 release_sock(sk);
1239 err = iso_listen_bis(sk);
1240 lock_sock(sk);
1241 }
1242
1243 if (err)
1244 goto done;
1245
1246 sk->sk_max_ack_backlog = backlog;
1247 sk->sk_ack_backlog = 0;
1248
1249 sk->sk_state = BT_LISTEN;
1250
1251 done:
1252 release_sock(sk);
1253 sock_put(sk);
1254 return err;
1255 }
1256
iso_sock_accept(struct socket * sock,struct socket * newsock,struct proto_accept_arg * arg)1257 static int iso_sock_accept(struct socket *sock, struct socket *newsock,
1258 struct proto_accept_arg *arg)
1259 {
1260 DEFINE_WAIT_FUNC(wait, woken_wake_function);
1261 struct sock *sk = sock->sk, *ch;
1262 long timeo;
1263 int err = 0;
1264
1265 /* Use explicit nested locking to avoid lockdep warnings generated
1266 * because the parent socket and the child socket are locked on the
1267 * same thread.
1268 */
1269 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1270
1271 timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK);
1272
1273 BT_DBG("sk %p timeo %ld", sk, timeo);
1274
1275 /* Wait for an incoming connection. (wake-one). */
1276 add_wait_queue_exclusive(sk_sleep(sk), &wait);
1277 while (1) {
1278 if (sk->sk_state != BT_LISTEN) {
1279 err = -EBADFD;
1280 break;
1281 }
1282
1283 ch = bt_accept_dequeue(sk, newsock);
1284 if (ch)
1285 break;
1286
1287 if (!timeo) {
1288 err = -EAGAIN;
1289 break;
1290 }
1291
1292 if (signal_pending(current)) {
1293 err = sock_intr_errno(timeo);
1294 break;
1295 }
1296
1297 release_sock(sk);
1298
1299 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
1300 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1301 }
1302 remove_wait_queue(sk_sleep(sk), &wait);
1303
1304 if (err)
1305 goto done;
1306
1307 newsock->state = SS_CONNECTED;
1308
1309 BT_DBG("new socket %p", ch);
1310
1311 /* A Broadcast Sink might require BIG sync to be terminated
1312 * and re-established multiple times, while keeping the same
1313 * PA sync handle active. To allow this, once all BIS
1314 * connections have been accepted on a PA sync parent socket,
1315 * "reset" socket state, to allow future BIG re-sync procedures.
1316 */
1317 if (test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) {
1318 /* Iterate through the list of bound BIS indices
1319 * and clear each BIS as they are accepted by the
1320 * user space, one by one.
1321 */
1322 for (int i = 0; i < iso_pi(sk)->bc_num_bis; i++) {
1323 if (iso_pi(sk)->bc_bis[i] > 0) {
1324 iso_pi(sk)->bc_bis[i] = 0;
1325 iso_pi(sk)->bc_num_bis--;
1326 break;
1327 }
1328 }
1329
1330 if (iso_pi(sk)->bc_num_bis == 0) {
1331 /* Once the last BIS was accepted, reset parent
1332 * socket parameters to mark that the listening
1333 * process for BIS connections has been completed:
1334 *
1335 * 1. Reset the DEFER setup flag on the parent sk.
1336 * 2. Clear the flag marking that the BIG create
1337 * sync command is pending.
1338 * 3. Transition socket state from BT_LISTEN to
1339 * BT_CONNECTED.
1340 */
1341 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
1342 clear_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags);
1343 sk->sk_state = BT_CONNECTED;
1344 }
1345 }
1346
1347 done:
1348 release_sock(sk);
1349 return err;
1350 }
1351
iso_sock_getname(struct socket * sock,struct sockaddr * addr,int peer)1352 static int iso_sock_getname(struct socket *sock, struct sockaddr *addr,
1353 int peer)
1354 {
1355 struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
1356 struct sock *sk = sock->sk;
1357 int len = sizeof(struct sockaddr_iso);
1358
1359 BT_DBG("sock %p, sk %p", sock, sk);
1360
1361 addr->sa_family = AF_BLUETOOTH;
1362
1363 if (peer) {
1364 struct hci_conn *hcon = iso_pi(sk)->conn ?
1365 iso_pi(sk)->conn->hcon : NULL;
1366
1367 bacpy(&sa->iso_bdaddr, &iso_pi(sk)->dst);
1368 sa->iso_bdaddr_type = iso_pi(sk)->dst_type;
1369
1370 if (hcon && (hcon->type == BIS_LINK || hcon->type == PA_LINK)) {
1371 sa->iso_bc->bc_sid = iso_pi(sk)->bc_sid;
1372 sa->iso_bc->bc_num_bis = iso_pi(sk)->bc_num_bis;
1373 memcpy(sa->iso_bc->bc_bis, iso_pi(sk)->bc_bis,
1374 ISO_MAX_NUM_BIS);
1375 len += sizeof(struct sockaddr_iso_bc);
1376 }
1377 } else {
1378 bacpy(&sa->iso_bdaddr, &iso_pi(sk)->src);
1379 sa->iso_bdaddr_type = iso_pi(sk)->src_type;
1380 }
1381
1382 return len;
1383 }
1384
iso_sock_sendmsg(struct socket * sock,struct msghdr * msg,size_t len)1385 static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1386 size_t len)
1387 {
1388 struct sock *sk = sock->sk;
1389 struct sk_buff *skb, **frag;
1390 struct sockcm_cookie sockc;
1391 size_t mtu;
1392 int err;
1393
1394 BT_DBG("sock %p, sk %p", sock, sk);
1395
1396 err = sock_error(sk);
1397 if (err)
1398 return err;
1399
1400 if (msg->msg_flags & MSG_OOB)
1401 return -EOPNOTSUPP;
1402
1403 hci_sockcm_init(&sockc, sk);
1404
1405 if (msg->msg_controllen) {
1406 err = sock_cmsg_send(sk, msg, &sockc);
1407 if (err)
1408 return err;
1409 }
1410
1411 lock_sock(sk);
1412
1413 if (sk->sk_state != BT_CONNECTED) {
1414 release_sock(sk);
1415 return -ENOTCONN;
1416 }
1417
1418 mtu = iso_pi(sk)->conn->hcon->mtu;
1419
1420 release_sock(sk);
1421
1422 skb = bt_skb_sendmsg(sk, msg, len, mtu, HCI_ISO_DATA_HDR_SIZE, 0);
1423 if (IS_ERR(skb))
1424 return PTR_ERR(skb);
1425
1426 len -= skb->len;
1427
1428 BT_DBG("skb %p len %d", sk, skb->len);
1429
1430 /* Continuation fragments */
1431 frag = &skb_shinfo(skb)->frag_list;
1432 while (len) {
1433 struct sk_buff *tmp;
1434
1435 tmp = bt_skb_sendmsg(sk, msg, len, mtu, 0, 0);
1436 if (IS_ERR(tmp)) {
1437 kfree_skb(skb);
1438 return PTR_ERR(tmp);
1439 }
1440
1441 *frag = tmp;
1442
1443 len -= tmp->len;
1444
1445 skb->len += tmp->len;
1446 skb->data_len += tmp->len;
1447
1448 BT_DBG("frag %p len %d", *frag, tmp->len);
1449
1450 frag = &(*frag)->next;
1451 }
1452
1453 lock_sock(sk);
1454
1455 if (sk->sk_state == BT_CONNECTED)
1456 err = iso_send_frame(sk, skb, &sockc);
1457 else
1458 err = -ENOTCONN;
1459
1460 release_sock(sk);
1461
1462 if (err < 0)
1463 kfree_skb(skb);
1464 return err;
1465 }
1466
iso_conn_defer_accept(struct hci_conn * conn)1467 static void iso_conn_defer_accept(struct hci_conn *conn)
1468 {
1469 struct hci_cp_le_accept_cis cp;
1470 struct hci_dev *hdev = conn->hdev;
1471
1472 BT_DBG("conn %p", conn);
1473
1474 conn->state = BT_CONFIG;
1475
1476 cp.handle = cpu_to_le16(conn->handle);
1477
1478 hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
1479 }
1480
iso_conn_big_sync(struct sock * sk)1481 static void iso_conn_big_sync(struct sock *sk)
1482 {
1483 int err;
1484 struct hci_dev *hdev;
1485
1486 hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
1487 iso_pi(sk)->src_type);
1488
1489 if (!hdev)
1490 return;
1491
1492 /* hci_le_big_create_sync requires hdev lock to be held, since
1493 * it enqueues the HCI LE BIG Create Sync command via
1494 * hci_cmd_sync_queue_once, which checks hdev flags that might
1495 * change.
1496 */
1497 hci_dev_lock(hdev);
1498 lock_sock(sk);
1499
1500 if (!test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) {
1501 err = hci_conn_big_create_sync(hdev, iso_pi(sk)->conn->hcon,
1502 &iso_pi(sk)->qos,
1503 iso_pi(sk)->sync_handle,
1504 iso_pi(sk)->bc_num_bis,
1505 iso_pi(sk)->bc_bis);
1506 if (err)
1507 bt_dev_err(hdev, "hci_big_create_sync: %d", err);
1508 }
1509
1510 release_sock(sk);
1511 hci_dev_unlock(hdev);
1512 }
1513
iso_sock_recvmsg(struct socket * sock,struct msghdr * msg,size_t len,int flags)1514 static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1515 size_t len, int flags)
1516 {
1517 struct sock *sk = sock->sk;
1518 struct iso_pinfo *pi = iso_pi(sk);
1519 bool early_ret = false;
1520 int err = 0;
1521
1522 BT_DBG("sk %p", sk);
1523
1524 if (unlikely(flags & MSG_ERRQUEUE))
1525 return sock_recv_errqueue(sk, msg, len, SOL_BLUETOOTH,
1526 BT_SCM_ERROR);
1527
1528 if (test_and_clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
1529 sock_hold(sk);
1530 lock_sock(sk);
1531
1532 switch (sk->sk_state) {
1533 case BT_CONNECT2:
1534 if (test_bit(BT_SK_PA_SYNC, &pi->flags)) {
1535 release_sock(sk);
1536 iso_conn_big_sync(sk);
1537 lock_sock(sk);
1538
1539 sk->sk_state = BT_LISTEN;
1540 } else {
1541 iso_conn_defer_accept(pi->conn->hcon);
1542 sk->sk_state = BT_CONFIG;
1543 }
1544
1545 early_ret = true;
1546 break;
1547 case BT_CONNECTED:
1548 if (test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) {
1549 release_sock(sk);
1550 iso_conn_big_sync(sk);
1551 lock_sock(sk);
1552
1553 sk->sk_state = BT_LISTEN;
1554 early_ret = true;
1555 }
1556
1557 break;
1558 case BT_CONNECT:
1559 release_sock(sk);
1560 err = iso_connect_cis(sk);
1561 lock_sock(sk);
1562
1563 early_ret = true;
1564 break;
1565 default:
1566 break;
1567 }
1568
1569 release_sock(sk);
1570 sock_put(sk);
1571
1572 if (early_ret)
1573 return err;
1574 }
1575
1576 return bt_sock_recvmsg(sock, msg, len, flags);
1577 }
1578
check_io_qos(struct bt_iso_io_qos * qos)1579 static bool check_io_qos(struct bt_iso_io_qos *qos)
1580 {
1581 /* If no PHY is enable SDU must be 0 */
1582 if (!qos->phy && qos->sdu)
1583 return false;
1584
1585 if (qos->interval && (qos->interval < 0xff || qos->interval > 0xfffff))
1586 return false;
1587
1588 if (qos->latency && (qos->latency < 0x05 || qos->latency > 0xfa0))
1589 return false;
1590
1591 if (qos->phy > BT_ISO_PHY_ANY)
1592 return false;
1593
1594 return true;
1595 }
1596
check_ucast_qos(struct bt_iso_qos * qos)1597 static bool check_ucast_qos(struct bt_iso_qos *qos)
1598 {
1599 if (qos->ucast.cig > 0xef && qos->ucast.cig != BT_ISO_QOS_CIG_UNSET)
1600 return false;
1601
1602 if (qos->ucast.cis > 0xef && qos->ucast.cis != BT_ISO_QOS_CIS_UNSET)
1603 return false;
1604
1605 if (qos->ucast.sca > 0x07)
1606 return false;
1607
1608 if (qos->ucast.packing > 0x01)
1609 return false;
1610
1611 if (qos->ucast.framing > 0x01)
1612 return false;
1613
1614 if (!check_io_qos(&qos->ucast.in))
1615 return false;
1616
1617 if (!check_io_qos(&qos->ucast.out))
1618 return false;
1619
1620 return true;
1621 }
1622
check_bcast_qos(struct bt_iso_qos * qos)1623 static bool check_bcast_qos(struct bt_iso_qos *qos)
1624 {
1625 if (!qos->bcast.sync_factor)
1626 qos->bcast.sync_factor = 0x01;
1627
1628 if (qos->bcast.packing > 0x01)
1629 return false;
1630
1631 if (qos->bcast.framing > 0x01)
1632 return false;
1633
1634 if (!check_io_qos(&qos->bcast.in))
1635 return false;
1636
1637 if (!check_io_qos(&qos->bcast.out))
1638 return false;
1639
1640 if (qos->bcast.encryption > 0x01)
1641 return false;
1642
1643 if (qos->bcast.options > 0x07)
1644 return false;
1645
1646 if (qos->bcast.skip > 0x01f3)
1647 return false;
1648
1649 if (!qos->bcast.sync_timeout)
1650 qos->bcast.sync_timeout = BT_ISO_SYNC_TIMEOUT;
1651
1652 if (qos->bcast.sync_timeout < 0x000a || qos->bcast.sync_timeout > 0x4000)
1653 return false;
1654
1655 if (qos->bcast.sync_cte_type > 0x1f)
1656 return false;
1657
1658 if (qos->bcast.mse > 0x1f)
1659 return false;
1660
1661 if (!qos->bcast.timeout)
1662 qos->bcast.sync_timeout = BT_ISO_SYNC_TIMEOUT;
1663
1664 if (qos->bcast.timeout < 0x000a || qos->bcast.timeout > 0x4000)
1665 return false;
1666
1667 return true;
1668 }
1669
iso_sock_setsockopt(struct socket * sock,int level,int optname,sockptr_t optval,unsigned int optlen)1670 static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
1671 sockptr_t optval, unsigned int optlen)
1672 {
1673 struct sock *sk = sock->sk;
1674 int err = 0;
1675 struct bt_iso_qos qos = default_qos;
1676 u32 opt;
1677
1678 BT_DBG("sk %p", sk);
1679
1680 lock_sock(sk);
1681
1682 switch (optname) {
1683 case BT_DEFER_SETUP:
1684 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1685 err = -EINVAL;
1686 break;
1687 }
1688
1689 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
1690 if (err)
1691 break;
1692
1693 if (opt)
1694 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
1695 else
1696 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
1697 break;
1698
1699 case BT_PKT_STATUS:
1700 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
1701 if (err)
1702 break;
1703
1704 if (opt)
1705 set_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags);
1706 else
1707 clear_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags);
1708 break;
1709
1710 case BT_PKT_SEQNUM:
1711 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
1712 if (err)
1713 break;
1714
1715 if (opt)
1716 set_bit(BT_SK_PKT_SEQNUM, &bt_sk(sk)->flags);
1717 else
1718 clear_bit(BT_SK_PKT_SEQNUM, &bt_sk(sk)->flags);
1719 break;
1720
1721 case BT_ISO_QOS:
1722 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND &&
1723 sk->sk_state != BT_CONNECT2 &&
1724 (!test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags) ||
1725 sk->sk_state != BT_CONNECTED)) {
1726 err = -EINVAL;
1727 break;
1728 }
1729
1730 err = copy_safe_from_sockptr(&qos, sizeof(qos), optval, optlen);
1731 if (err)
1732 break;
1733
1734 iso_pi(sk)->qos = qos;
1735 iso_pi(sk)->qos_user_set = true;
1736
1737 break;
1738
1739 case BT_ISO_BASE:
1740 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND &&
1741 sk->sk_state != BT_CONNECT2) {
1742 err = -EINVAL;
1743 break;
1744 }
1745
1746 if (optlen > sizeof(iso_pi(sk)->base)) {
1747 err = -EINVAL;
1748 break;
1749 }
1750
1751 err = copy_safe_from_sockptr(iso_pi(sk)->base, optlen, optval,
1752 optlen);
1753 if (err)
1754 break;
1755
1756 iso_pi(sk)->base_len = optlen;
1757
1758 break;
1759
1760 default:
1761 err = -ENOPROTOOPT;
1762 break;
1763 }
1764
1765 release_sock(sk);
1766 return err;
1767 }
1768
iso_sock_getsockopt(struct socket * sock,int level,int optname,char __user * optval,int __user * optlen)1769 static int iso_sock_getsockopt(struct socket *sock, int level, int optname,
1770 char __user *optval, int __user *optlen)
1771 {
1772 struct sock *sk = sock->sk;
1773 int len, err = 0;
1774 struct bt_iso_qos *qos;
1775 u8 base_len;
1776 u8 *base;
1777
1778 BT_DBG("sk %p", sk);
1779
1780 if (get_user(len, optlen))
1781 return -EFAULT;
1782
1783 lock_sock(sk);
1784
1785 switch (optname) {
1786 case BT_DEFER_SETUP:
1787 if (sk->sk_state == BT_CONNECTED) {
1788 err = -EINVAL;
1789 break;
1790 }
1791
1792 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
1793 (u32 __user *)optval))
1794 err = -EFAULT;
1795
1796 break;
1797
1798 case BT_PKT_STATUS:
1799 if (put_user(test_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags),
1800 (int __user *)optval))
1801 err = -EFAULT;
1802 break;
1803
1804 case BT_ISO_QOS:
1805 qos = iso_sock_get_qos(sk);
1806
1807 len = min_t(unsigned int, len, sizeof(*qos));
1808 if (copy_to_user(optval, qos, len))
1809 err = -EFAULT;
1810
1811 break;
1812
1813 case BT_ISO_BASE:
1814 if (sk->sk_state == BT_CONNECTED &&
1815 !bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) {
1816 base_len = iso_pi(sk)->conn->hcon->le_per_adv_data_len;
1817 base = iso_pi(sk)->conn->hcon->le_per_adv_data;
1818 } else {
1819 base_len = iso_pi(sk)->base_len;
1820 base = iso_pi(sk)->base;
1821 }
1822
1823 len = min_t(unsigned int, len, base_len);
1824 if (copy_to_user(optval, base, len))
1825 err = -EFAULT;
1826 if (put_user(len, optlen))
1827 err = -EFAULT;
1828
1829 break;
1830
1831 default:
1832 err = -ENOPROTOOPT;
1833 break;
1834 }
1835
1836 release_sock(sk);
1837 return err;
1838 }
1839
iso_sock_shutdown(struct socket * sock,int how)1840 static int iso_sock_shutdown(struct socket *sock, int how)
1841 {
1842 struct sock *sk = sock->sk;
1843 int err = 0;
1844
1845 BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1846
1847 if (!sk)
1848 return 0;
1849
1850 sock_hold(sk);
1851 lock_sock(sk);
1852
1853 switch (how) {
1854 case SHUT_RD:
1855 if (sk->sk_shutdown & RCV_SHUTDOWN)
1856 goto unlock;
1857 sk->sk_shutdown |= RCV_SHUTDOWN;
1858 break;
1859 case SHUT_WR:
1860 if (sk->sk_shutdown & SEND_SHUTDOWN)
1861 goto unlock;
1862 sk->sk_shutdown |= SEND_SHUTDOWN;
1863 break;
1864 case SHUT_RDWR:
1865 if (sk->sk_shutdown & SHUTDOWN_MASK)
1866 goto unlock;
1867 sk->sk_shutdown |= SHUTDOWN_MASK;
1868 break;
1869 }
1870
1871 iso_sock_clear_timer(sk);
1872 __iso_sock_close(sk);
1873
1874 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1875 !(current->flags & PF_EXITING))
1876 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
1877
1878 unlock:
1879 release_sock(sk);
1880 sock_put(sk);
1881
1882 return err;
1883 }
1884
iso_sock_release(struct socket * sock)1885 static int iso_sock_release(struct socket *sock)
1886 {
1887 struct sock *sk = sock->sk;
1888 int err = 0;
1889
1890 BT_DBG("sock %p, sk %p", sock, sk);
1891
1892 if (!sk)
1893 return 0;
1894
1895 iso_sock_close(sk);
1896
1897 if (sock_flag(sk, SOCK_LINGER) && READ_ONCE(sk->sk_lingertime) &&
1898 !(current->flags & PF_EXITING)) {
1899 lock_sock(sk);
1900 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
1901 release_sock(sk);
1902 }
1903
1904 sock_orphan(sk);
1905 iso_sock_kill(sk);
1906 return err;
1907 }
1908
iso_sock_ready(struct sock * sk)1909 static void iso_sock_ready(struct sock *sk)
1910 {
1911 BT_DBG("sk %p", sk);
1912
1913 if (!sk)
1914 return;
1915
1916 lock_sock(sk);
1917 iso_sock_clear_timer(sk);
1918 sk->sk_state = BT_CONNECTED;
1919 sk->sk_state_change(sk);
1920 release_sock(sk);
1921 }
1922
iso_match_big(struct sock * sk,void * data)1923 static bool iso_match_big(struct sock *sk, void *data)
1924 {
1925 struct hci_evt_le_big_sync_established *ev = data;
1926
1927 return ev->handle == iso_pi(sk)->qos.bcast.big;
1928 }
1929
iso_match_big_hcon(struct sock * sk,void * data)1930 static bool iso_match_big_hcon(struct sock *sk, void *data)
1931 {
1932 struct hci_conn *hcon = data;
1933
1934 return hcon->iso_qos.bcast.big == iso_pi(sk)->qos.bcast.big;
1935 }
1936
iso_match_pa_sync_flag(struct sock * sk,void * data)1937 static bool iso_match_pa_sync_flag(struct sock *sk, void *data)
1938 {
1939 return test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags);
1940 }
1941
iso_conn_ready(struct iso_conn * conn)1942 static void iso_conn_ready(struct iso_conn *conn)
1943 {
1944 struct sock *parent = NULL;
1945 struct sock *sk = conn->sk;
1946 struct hci_ev_le_big_sync_established *ev = NULL;
1947 struct hci_ev_le_pa_sync_established *ev2 = NULL;
1948 struct hci_ev_le_per_adv_report *ev3 = NULL;
1949 struct hci_conn *hcon;
1950
1951 BT_DBG("conn %p", conn);
1952
1953 if (sk) {
1954 iso_sock_ready(conn->sk);
1955 } else {
1956 hcon = conn->hcon;
1957 if (!hcon)
1958 return;
1959
1960 if (test_bit(HCI_CONN_BIG_SYNC, &hcon->flags)) {
1961 /* A BIS slave hcon is notified to the ISO layer
1962 * after the Command Complete for the LE Setup
1963 * ISO Data Path command is received. Get the
1964 * parent socket that matches the hcon BIG handle.
1965 */
1966 parent = iso_get_sock(&hcon->src, &hcon->dst,
1967 BT_LISTEN, iso_match_big_hcon,
1968 hcon);
1969 } else if (test_bit(HCI_CONN_BIG_SYNC_FAILED, &hcon->flags)) {
1970 ev = hci_recv_event_data(hcon->hdev,
1971 HCI_EVT_LE_BIG_SYNC_ESTABLISHED);
1972
1973 /* Get reference to PA sync parent socket, if it exists */
1974 parent = iso_get_sock(&hcon->src, &hcon->dst,
1975 BT_LISTEN,
1976 iso_match_pa_sync_flag,
1977 NULL);
1978 if (!parent && ev)
1979 parent = iso_get_sock(&hcon->src,
1980 &hcon->dst,
1981 BT_LISTEN,
1982 iso_match_big, ev);
1983 } else if (test_bit(HCI_CONN_PA_SYNC_FAILED, &hcon->flags)) {
1984 ev2 = hci_recv_event_data(hcon->hdev,
1985 HCI_EV_LE_PA_SYNC_ESTABLISHED);
1986 if (ev2)
1987 parent = iso_get_sock(&hcon->src,
1988 &hcon->dst,
1989 BT_LISTEN,
1990 iso_match_sid, ev2);
1991 } else if (test_bit(HCI_CONN_PA_SYNC, &hcon->flags)) {
1992 ev3 = hci_recv_event_data(hcon->hdev,
1993 HCI_EV_LE_PER_ADV_REPORT);
1994 if (ev3)
1995 parent = iso_get_sock(&hcon->src,
1996 &hcon->dst,
1997 BT_LISTEN,
1998 iso_match_sync_handle_pa_report,
1999 ev3);
2000 }
2001
2002 if (!parent)
2003 parent = iso_get_sock(&hcon->src, BDADDR_ANY,
2004 BT_LISTEN, NULL, NULL);
2005
2006 if (!parent)
2007 return;
2008
2009 lock_sock(parent);
2010
2011 sk = iso_sock_alloc(sock_net(parent), NULL,
2012 BTPROTO_ISO, GFP_ATOMIC, 0);
2013 if (!sk) {
2014 release_sock(parent);
2015 return;
2016 }
2017
2018 iso_sock_init(sk, parent);
2019
2020 bacpy(&iso_pi(sk)->src, &hcon->src);
2021
2022 /* Convert from HCI to three-value type */
2023 if (hcon->src_type == ADDR_LE_DEV_PUBLIC)
2024 iso_pi(sk)->src_type = BDADDR_LE_PUBLIC;
2025 else
2026 iso_pi(sk)->src_type = BDADDR_LE_RANDOM;
2027
2028 /* If hcon has no destination address (BDADDR_ANY) it means it
2029 * was created by HCI_EV_LE_BIG_SYNC_ESTABILISHED or
2030 * HCI_EV_LE_PA_SYNC_ESTABLISHED so we need to initialize using
2031 * the parent socket destination address.
2032 */
2033 if (!bacmp(&hcon->dst, BDADDR_ANY)) {
2034 bacpy(&hcon->dst, &iso_pi(parent)->dst);
2035 hcon->dst_type = le_addr_type(iso_pi(parent)->dst_type);
2036 }
2037
2038 if (test_bit(HCI_CONN_PA_SYNC, &hcon->flags)) {
2039 iso_pi(sk)->qos = iso_pi(parent)->qos;
2040 hcon->iso_qos = iso_pi(sk)->qos;
2041 iso_pi(sk)->bc_sid = iso_pi(parent)->bc_sid;
2042 iso_pi(sk)->bc_num_bis = iso_pi(parent)->bc_num_bis;
2043 memcpy(iso_pi(sk)->bc_bis, iso_pi(parent)->bc_bis,
2044 ISO_MAX_NUM_BIS);
2045 set_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags);
2046 }
2047
2048 bacpy(&iso_pi(sk)->dst, &hcon->dst);
2049
2050 /* Convert from HCI to three-value type */
2051 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
2052 iso_pi(sk)->dst_type = BDADDR_LE_PUBLIC;
2053 else
2054 iso_pi(sk)->dst_type = BDADDR_LE_RANDOM;
2055
2056 iso_pi(sk)->sync_handle = iso_pi(parent)->sync_handle;
2057 memcpy(iso_pi(sk)->base, iso_pi(parent)->base, iso_pi(parent)->base_len);
2058 iso_pi(sk)->base_len = iso_pi(parent)->base_len;
2059
2060 hci_conn_hold(hcon);
2061 iso_chan_add(conn, sk, parent);
2062
2063 if ((ev && ((struct hci_evt_le_big_sync_established *)ev)->status) ||
2064 (ev2 && ev2->status)) {
2065 /* Trigger error signal on child socket */
2066 sk->sk_err = ECONNREFUSED;
2067 sk->sk_error_report(sk);
2068 }
2069
2070 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
2071 sk->sk_state = BT_CONNECT2;
2072 else
2073 sk->sk_state = BT_CONNECTED;
2074
2075 /* Wake up parent */
2076 parent->sk_data_ready(parent);
2077
2078 release_sock(parent);
2079 sock_put(parent);
2080 }
2081 }
2082
iso_match_sid(struct sock * sk,void * data)2083 static bool iso_match_sid(struct sock *sk, void *data)
2084 {
2085 struct hci_ev_le_pa_sync_established *ev = data;
2086
2087 if (iso_pi(sk)->bc_sid == HCI_SID_INVALID)
2088 return true;
2089
2090 return ev->sid == iso_pi(sk)->bc_sid;
2091 }
2092
iso_match_sync_handle(struct sock * sk,void * data)2093 static bool iso_match_sync_handle(struct sock *sk, void *data)
2094 {
2095 struct hci_evt_le_big_info_adv_report *ev = data;
2096
2097 return le16_to_cpu(ev->sync_handle) == iso_pi(sk)->sync_handle;
2098 }
2099
iso_match_sync_handle_pa_report(struct sock * sk,void * data)2100 static bool iso_match_sync_handle_pa_report(struct sock *sk, void *data)
2101 {
2102 struct hci_ev_le_per_adv_report *ev = data;
2103
2104 return le16_to_cpu(ev->sync_handle) == iso_pi(sk)->sync_handle;
2105 }
2106
2107 /* ----- ISO interface with lower layer (HCI) ----- */
2108
iso_connect_ind(struct hci_dev * hdev,bdaddr_t * bdaddr,__u8 * flags)2109 int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
2110 {
2111 struct hci_ev_le_pa_sync_established *ev1;
2112 struct hci_evt_le_big_info_adv_report *ev2;
2113 struct hci_ev_le_per_adv_report *ev3;
2114 struct sock *sk;
2115
2116 bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
2117
2118 /* Broadcast receiver requires handling of some events before it can
2119 * proceed to establishing a BIG sync:
2120 *
2121 * 1. HCI_EV_LE_PA_SYNC_ESTABLISHED: The socket may specify a specific
2122 * SID to listen to and once sync is established its handle needs to
2123 * be stored in iso_pi(sk)->sync_handle so it can be matched once
2124 * receiving the BIG Info.
2125 * 2. HCI_EVT_LE_BIG_INFO_ADV_REPORT: When connect_ind is triggered by a
2126 * a BIG Info it attempts to check if there any listening socket with
2127 * the same sync_handle and if it does then attempt to create a sync.
2128 * 3. HCI_EV_LE_PER_ADV_REPORT: When a PA report is received, it is stored
2129 * in iso_pi(sk)->base so it can be passed up to user, in the case of a
2130 * broadcast sink.
2131 */
2132 ev1 = hci_recv_event_data(hdev, HCI_EV_LE_PA_SYNC_ESTABLISHED);
2133 if (ev1) {
2134 sk = iso_get_sock(&hdev->bdaddr, bdaddr, BT_LISTEN,
2135 iso_match_sid, ev1);
2136 if (sk && !ev1->status) {
2137 iso_pi(sk)->sync_handle = le16_to_cpu(ev1->handle);
2138 iso_pi(sk)->bc_sid = ev1->sid;
2139 }
2140
2141 goto done;
2142 }
2143
2144 ev2 = hci_recv_event_data(hdev, HCI_EVT_LE_BIG_INFO_ADV_REPORT);
2145 if (ev2) {
2146 /* Check if BIGInfo report has already been handled */
2147 sk = iso_get_sock(&hdev->bdaddr, bdaddr, BT_CONNECTED,
2148 iso_match_sync_handle, ev2);
2149 if (sk) {
2150 sock_put(sk);
2151 sk = NULL;
2152 goto done;
2153 }
2154
2155 /* Try to get PA sync socket, if it exists */
2156 sk = iso_get_sock(&hdev->bdaddr, bdaddr, BT_CONNECT2,
2157 iso_match_sync_handle, ev2);
2158 if (!sk)
2159 sk = iso_get_sock(&hdev->bdaddr, bdaddr,
2160 BT_LISTEN,
2161 iso_match_sync_handle,
2162 ev2);
2163
2164 if (sk) {
2165 int err;
2166 struct hci_conn *hcon = iso_pi(sk)->conn->hcon;
2167
2168 iso_pi(sk)->qos.bcast.encryption = ev2->encryption;
2169
2170 if (ev2->num_bis < iso_pi(sk)->bc_num_bis)
2171 iso_pi(sk)->bc_num_bis = ev2->num_bis;
2172
2173 if (!test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags) &&
2174 !test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) {
2175 err = hci_conn_big_create_sync(hdev, hcon,
2176 &iso_pi(sk)->qos,
2177 iso_pi(sk)->sync_handle,
2178 iso_pi(sk)->bc_num_bis,
2179 iso_pi(sk)->bc_bis);
2180 if (err) {
2181 bt_dev_err(hdev, "hci_le_big_create_sync: %d",
2182 err);
2183 sock_put(sk);
2184 sk = NULL;
2185 }
2186 }
2187 }
2188
2189 goto done;
2190 }
2191
2192 ev3 = hci_recv_event_data(hdev, HCI_EV_LE_PER_ADV_REPORT);
2193 if (ev3) {
2194 size_t base_len = 0;
2195 u8 *base;
2196 struct hci_conn *hcon;
2197
2198 sk = iso_get_sock(&hdev->bdaddr, bdaddr, BT_LISTEN,
2199 iso_match_sync_handle_pa_report, ev3);
2200 if (!sk)
2201 goto done;
2202
2203 hcon = iso_pi(sk)->conn->hcon;
2204 if (!hcon)
2205 goto done;
2206
2207 if (ev3->data_status == LE_PA_DATA_TRUNCATED) {
2208 /* The controller was unable to retrieve PA data. */
2209 memset(hcon->le_per_adv_data, 0,
2210 HCI_MAX_PER_AD_TOT_LEN);
2211 hcon->le_per_adv_data_len = 0;
2212 hcon->le_per_adv_data_offset = 0;
2213 goto done;
2214 }
2215
2216 if (hcon->le_per_adv_data_offset + ev3->length >
2217 HCI_MAX_PER_AD_TOT_LEN)
2218 goto done;
2219
2220 memcpy(hcon->le_per_adv_data + hcon->le_per_adv_data_offset,
2221 ev3->data, ev3->length);
2222 hcon->le_per_adv_data_offset += ev3->length;
2223
2224 if (ev3->data_status == LE_PA_DATA_COMPLETE) {
2225 /* All PA data has been received. */
2226 hcon->le_per_adv_data_len =
2227 hcon->le_per_adv_data_offset;
2228 hcon->le_per_adv_data_offset = 0;
2229
2230 /* Extract BASE */
2231 base = eir_get_service_data(hcon->le_per_adv_data,
2232 hcon->le_per_adv_data_len,
2233 EIR_BAA_SERVICE_UUID,
2234 &base_len);
2235
2236 if (!base || base_len > BASE_MAX_LENGTH)
2237 goto done;
2238
2239 memcpy(iso_pi(sk)->base, base, base_len);
2240 iso_pi(sk)->base_len = base_len;
2241 } else {
2242 /* This is a PA data fragment. Keep pa_data_len set to 0
2243 * until all data has been reassembled.
2244 */
2245 hcon->le_per_adv_data_len = 0;
2246 }
2247 } else {
2248 sk = iso_get_sock(&hdev->bdaddr, BDADDR_ANY,
2249 BT_LISTEN, NULL, NULL);
2250 }
2251
2252 done:
2253 if (!sk)
2254 return 0;
2255
2256 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
2257 *flags |= HCI_PROTO_DEFER;
2258
2259 sock_put(sk);
2260
2261 return HCI_LM_ACCEPT;
2262 }
2263
iso_connect_cfm(struct hci_conn * hcon,__u8 status)2264 static void iso_connect_cfm(struct hci_conn *hcon, __u8 status)
2265 {
2266 if (hcon->type != CIS_LINK && hcon->type != BIS_LINK &&
2267 hcon->type != PA_LINK) {
2268 if (hcon->type != LE_LINK)
2269 return;
2270
2271 /* Check if LE link has failed */
2272 if (status) {
2273 struct hci_link *link, *t;
2274
2275 list_for_each_entry_safe(link, t, &hcon->link_list,
2276 list)
2277 iso_conn_del(link->conn, bt_to_errno(status));
2278
2279 return;
2280 }
2281
2282 /* Create CIS if pending */
2283 hci_le_create_cis_pending(hcon->hdev);
2284 return;
2285 }
2286
2287 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
2288
2289 /* Similar to the success case, if HCI_CONN_BIG_SYNC_FAILED or
2290 * HCI_CONN_PA_SYNC_FAILED is set, queue the failed connection
2291 * into the accept queue of the listening socket and wake up
2292 * userspace, to inform the user about the event.
2293 */
2294 if (!status || test_bit(HCI_CONN_BIG_SYNC_FAILED, &hcon->flags) ||
2295 test_bit(HCI_CONN_PA_SYNC_FAILED, &hcon->flags)) {
2296 struct iso_conn *conn;
2297
2298 conn = iso_conn_add(hcon);
2299 if (conn)
2300 iso_conn_ready(conn);
2301 } else {
2302 iso_conn_del(hcon, bt_to_errno(status));
2303 }
2304 }
2305
iso_disconn_cfm(struct hci_conn * hcon,__u8 reason)2306 static void iso_disconn_cfm(struct hci_conn *hcon, __u8 reason)
2307 {
2308 if (hcon->type != CIS_LINK && hcon->type != BIS_LINK &&
2309 hcon->type != PA_LINK)
2310 return;
2311
2312 BT_DBG("hcon %p reason %d", hcon, reason);
2313
2314 iso_conn_del(hcon, bt_to_errno(reason));
2315 }
2316
iso_recv(struct hci_conn * hcon,struct sk_buff * skb,u16 flags)2317 void iso_recv(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
2318 {
2319 struct iso_conn *conn = hcon->iso_data;
2320 struct skb_shared_hwtstamps *hwts;
2321 __u16 pb, ts, len, sn;
2322
2323 if (!conn)
2324 goto drop;
2325
2326 pb = hci_iso_flags_pb(flags);
2327 ts = hci_iso_flags_ts(flags);
2328
2329 BT_DBG("conn %p len %d pb 0x%x ts 0x%x", conn, skb->len, pb, ts);
2330
2331 switch (pb) {
2332 case ISO_START:
2333 case ISO_SINGLE:
2334 if (conn->rx_len) {
2335 BT_ERR("Unexpected start frame (len %d)", skb->len);
2336 kfree_skb(conn->rx_skb);
2337 conn->rx_skb = NULL;
2338 conn->rx_len = 0;
2339 }
2340
2341 if (ts) {
2342 struct hci_iso_ts_data_hdr *hdr;
2343
2344 hdr = skb_pull_data(skb, HCI_ISO_TS_DATA_HDR_SIZE);
2345 if (!hdr) {
2346 BT_ERR("Frame is too short (len %d)", skb->len);
2347 goto drop;
2348 }
2349
2350 /* Record the timestamp to skb */
2351 hwts = skb_hwtstamps(skb);
2352 hwts->hwtstamp = us_to_ktime(le32_to_cpu(hdr->ts));
2353
2354 sn = __le16_to_cpu(hdr->sn);
2355 len = __le16_to_cpu(hdr->slen);
2356 } else {
2357 struct hci_iso_data_hdr *hdr;
2358
2359 hdr = skb_pull_data(skb, HCI_ISO_DATA_HDR_SIZE);
2360 if (!hdr) {
2361 BT_ERR("Frame is too short (len %d)", skb->len);
2362 goto drop;
2363 }
2364
2365 sn = __le16_to_cpu(hdr->sn);
2366 len = __le16_to_cpu(hdr->slen);
2367 }
2368
2369 flags = hci_iso_data_flags(len);
2370 len = hci_iso_data_len(len);
2371
2372 BT_DBG("Start: total len %d, frag len %d flags 0x%4.4x sn %d",
2373 len, skb->len, flags, sn);
2374
2375 if (len == skb->len) {
2376 /* Complete frame received */
2377 hci_skb_pkt_status(skb) = flags & 0x03;
2378 hci_skb_pkt_seqnum(skb) = sn;
2379 iso_recv_frame(conn, skb);
2380 return;
2381 }
2382
2383 if (pb == ISO_SINGLE) {
2384 BT_ERR("Frame malformed (len %d, expected len %d)",
2385 skb->len, len);
2386 goto drop;
2387 }
2388
2389 if (skb->len > len) {
2390 BT_ERR("Frame is too long (len %d, expected len %d)",
2391 skb->len, len);
2392 goto drop;
2393 }
2394
2395 /* Allocate skb for the complete frame (with header) */
2396 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
2397 if (!conn->rx_skb)
2398 goto drop;
2399
2400 hci_skb_pkt_status(conn->rx_skb) = flags & 0x03;
2401 hci_skb_pkt_seqnum(conn->rx_skb) = sn;
2402 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2403 skb->len);
2404 conn->rx_len = len - skb->len;
2405
2406 /* Copy hw timestamp from skb to rx_skb if present */
2407 if (ts) {
2408 hwts = skb_hwtstamps(conn->rx_skb);
2409 hwts->hwtstamp = skb_hwtstamps(skb)->hwtstamp;
2410 }
2411
2412 break;
2413
2414 case ISO_CONT:
2415 BT_DBG("Cont: frag len %d (expecting %d)", skb->len,
2416 conn->rx_len);
2417
2418 if (!conn->rx_len) {
2419 BT_ERR("Unexpected continuation frame (len %d)",
2420 skb->len);
2421 goto drop;
2422 }
2423
2424 if (skb->len > conn->rx_len) {
2425 BT_ERR("Fragment is too long (len %d, expected %d)",
2426 skb->len, conn->rx_len);
2427 kfree_skb(conn->rx_skb);
2428 conn->rx_skb = NULL;
2429 conn->rx_len = 0;
2430 goto drop;
2431 }
2432
2433 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2434 skb->len);
2435 conn->rx_len -= skb->len;
2436 break;
2437
2438 case ISO_END:
2439 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2440 skb->len);
2441 conn->rx_len -= skb->len;
2442
2443 if (!conn->rx_len) {
2444 struct sk_buff *rx_skb = conn->rx_skb;
2445
2446 /* Complete frame received. iso_recv_frame
2447 * takes ownership of the skb so set the global
2448 * rx_skb pointer to NULL first.
2449 */
2450 conn->rx_skb = NULL;
2451 iso_recv_frame(conn, rx_skb);
2452 }
2453 break;
2454 }
2455
2456 drop:
2457 kfree_skb(skb);
2458 }
2459
2460 static struct hci_cb iso_cb = {
2461 .name = "ISO",
2462 .connect_cfm = iso_connect_cfm,
2463 .disconn_cfm = iso_disconn_cfm,
2464 };
2465
iso_debugfs_show(struct seq_file * f,void * p)2466 static int iso_debugfs_show(struct seq_file *f, void *p)
2467 {
2468 struct sock *sk;
2469
2470 read_lock(&iso_sk_list.lock);
2471
2472 sk_for_each(sk, &iso_sk_list.head) {
2473 seq_printf(f, "%pMR %pMR %d\n", &iso_pi(sk)->src,
2474 &iso_pi(sk)->dst, sk->sk_state);
2475 }
2476
2477 read_unlock(&iso_sk_list.lock);
2478
2479 return 0;
2480 }
2481
2482 DEFINE_SHOW_ATTRIBUTE(iso_debugfs);
2483
2484 static struct dentry *iso_debugfs;
2485
2486 static const struct proto_ops iso_sock_ops = {
2487 .family = PF_BLUETOOTH,
2488 .owner = THIS_MODULE,
2489 .release = iso_sock_release,
2490 .bind = iso_sock_bind,
2491 .connect = iso_sock_connect,
2492 .listen = iso_sock_listen,
2493 .accept = iso_sock_accept,
2494 .getname = iso_sock_getname,
2495 .sendmsg = iso_sock_sendmsg,
2496 .recvmsg = iso_sock_recvmsg,
2497 .poll = bt_sock_poll,
2498 .ioctl = bt_sock_ioctl,
2499 .mmap = sock_no_mmap,
2500 .socketpair = sock_no_socketpair,
2501 .shutdown = iso_sock_shutdown,
2502 .setsockopt = iso_sock_setsockopt,
2503 .getsockopt = iso_sock_getsockopt
2504 };
2505
2506 static const struct net_proto_family iso_sock_family_ops = {
2507 .family = PF_BLUETOOTH,
2508 .owner = THIS_MODULE,
2509 .create = iso_sock_create,
2510 };
2511
2512 static bool inited;
2513
iso_inited(void)2514 bool iso_inited(void)
2515 {
2516 return inited;
2517 }
2518
iso_init(void)2519 int iso_init(void)
2520 {
2521 int err;
2522
2523 BUILD_BUG_ON(sizeof(struct sockaddr_iso) > sizeof(struct sockaddr));
2524
2525 if (inited)
2526 return -EALREADY;
2527
2528 err = proto_register(&iso_proto, 0);
2529 if (err < 0)
2530 return err;
2531
2532 err = bt_sock_register(BTPROTO_ISO, &iso_sock_family_ops);
2533 if (err < 0) {
2534 BT_ERR("ISO socket registration failed");
2535 goto error;
2536 }
2537
2538 err = bt_procfs_init(&init_net, "iso", &iso_sk_list, NULL);
2539 if (err < 0) {
2540 BT_ERR("Failed to create ISO proc file");
2541 bt_sock_unregister(BTPROTO_ISO);
2542 goto error;
2543 }
2544
2545 BT_INFO("ISO socket layer initialized");
2546
2547 hci_register_cb(&iso_cb);
2548
2549 if (!IS_ERR_OR_NULL(bt_debugfs))
2550 iso_debugfs = debugfs_create_file("iso", 0444, bt_debugfs,
2551 NULL, &iso_debugfs_fops);
2552
2553 inited = true;
2554
2555 return 0;
2556
2557 error:
2558 proto_unregister(&iso_proto);
2559 return err;
2560 }
2561
iso_exit(void)2562 int iso_exit(void)
2563 {
2564 if (!inited)
2565 return -EALREADY;
2566
2567 bt_procfs_cleanup(&init_net, "iso");
2568
2569 debugfs_remove(iso_debugfs);
2570 iso_debugfs = NULL;
2571
2572 hci_unregister_cb(&iso_cb);
2573
2574 bt_sock_unregister(BTPROTO_ISO);
2575
2576 proto_unregister(&iso_proto);
2577
2578 inited = false;
2579
2580 return 0;
2581 }
2582