1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * BlueZ - Bluetooth protocol stack for Linux 4 * 5 * Copyright (C) 2022 Intel Corporation 6 * Copyright 2023-2024 NXP 7 */ 8 9 #include <linux/module.h> 10 #include <linux/debugfs.h> 11 #include <linux/seq_file.h> 12 #include <linux/sched/signal.h> 13 14 #include <net/bluetooth/bluetooth.h> 15 #include <net/bluetooth/hci_core.h> 16 #include <net/bluetooth/iso.h> 17 #include "eir.h" 18 19 static const struct proto_ops iso_sock_ops; 20 21 static struct bt_sock_list iso_sk_list = { 22 .lock = __RW_LOCK_UNLOCKED(iso_sk_list.lock) 23 }; 24 25 /* ---- ISO connections ---- */ 26 struct iso_conn { 27 struct hci_conn *hcon; 28 29 /* @lock: spinlock protecting changes to iso_conn fields */ 30 spinlock_t lock; 31 struct sock *sk; 32 33 struct delayed_work timeout_work; 34 35 struct sk_buff *rx_skb; 36 __u32 rx_len; 37 __u16 tx_sn; 38 struct kref ref; 39 }; 40 41 #define iso_conn_lock(c) spin_lock(&(c)->lock) 42 #define iso_conn_unlock(c) spin_unlock(&(c)->lock) 43 44 static void iso_sock_close(struct sock *sk); 45 static void iso_sock_kill(struct sock *sk); 46 47 /* ----- ISO socket info ----- */ 48 #define iso_pi(sk) ((struct iso_pinfo *)sk) 49 50 #define EIR_SERVICE_DATA_LENGTH 4 51 #define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH) 52 #define EIR_BAA_SERVICE_UUID 0x1851 53 54 /* iso_pinfo flags values */ 55 enum { 56 BT_SK_BIG_SYNC, 57 BT_SK_PA_SYNC, 58 }; 59 60 struct iso_pinfo { 61 struct bt_sock bt; 62 bdaddr_t src; 63 __u8 src_type; 64 bdaddr_t dst; 65 __u8 dst_type; 66 __u8 bc_sid; 67 __u8 bc_num_bis; 68 __u8 bc_bis[ISO_MAX_NUM_BIS]; 69 __u16 sync_handle; 70 unsigned long flags; 71 struct bt_iso_qos qos; 72 bool qos_user_set; 73 __u8 base_len; 74 __u8 base[BASE_MAX_LENGTH]; 75 struct iso_conn *conn; 76 }; 77 78 static struct bt_iso_qos default_qos; 79 80 static bool check_ucast_qos(struct bt_iso_qos *qos); 81 static bool check_bcast_qos(struct bt_iso_qos *qos); 82 static bool iso_match_sid(struct sock 
*sk, void *data); 83 static bool iso_match_sid_past(struct sock *sk, void *data); 84 static bool iso_match_sync_handle(struct sock *sk, void *data); 85 static bool iso_match_sync_handle_pa_report(struct sock *sk, void *data); 86 static void iso_sock_disconn(struct sock *sk); 87 88 typedef bool (*iso_sock_match_t)(struct sock *sk, void *data); 89 90 static struct sock *iso_get_sock(struct hci_dev *hdev, bdaddr_t *src, 91 bdaddr_t *dst, enum bt_sock_state state, 92 iso_sock_match_t match, void *data); 93 94 /* ---- ISO timers ---- */ 95 #define ISO_CONN_TIMEOUT secs_to_jiffies(20) 96 #define ISO_DISCONN_TIMEOUT secs_to_jiffies(2) 97 98 static void iso_conn_free(struct kref *ref) 99 { 100 struct iso_conn *conn = container_of(ref, struct iso_conn, ref); 101 102 BT_DBG("conn %p", conn); 103 104 if (conn->sk) 105 iso_pi(conn->sk)->conn = NULL; 106 107 if (conn->hcon) { 108 conn->hcon->iso_data = NULL; 109 hci_conn_drop(conn->hcon); 110 } 111 112 /* Ensure no more work items will run since hci_conn has been dropped */ 113 disable_delayed_work_sync(&conn->timeout_work); 114 115 kfree_skb(conn->rx_skb); 116 117 kfree(conn); 118 } 119 120 static void iso_conn_put(struct iso_conn *conn) 121 { 122 if (!conn) 123 return; 124 125 BT_DBG("conn %p refcnt %d", conn, kref_read(&conn->ref)); 126 127 kref_put(&conn->ref, iso_conn_free); 128 } 129 130 static struct iso_conn *iso_conn_hold_unless_zero(struct iso_conn *conn) 131 { 132 if (!conn) 133 return NULL; 134 135 BT_DBG("conn %p refcnt %u", conn, kref_read(&conn->ref)); 136 137 if (!kref_get_unless_zero(&conn->ref)) 138 return NULL; 139 140 return conn; 141 } 142 143 static struct sock *iso_sock_hold(struct iso_conn *conn) 144 { 145 if (!conn || !bt_sock_linked(&iso_sk_list, conn->sk)) 146 return NULL; 147 148 sock_hold(conn->sk); 149 150 return conn->sk; 151 } 152 153 static void iso_sock_timeout(struct work_struct *work) 154 { 155 struct iso_conn *conn = container_of(work, struct iso_conn, 156 timeout_work.work); 157 struct sock 
*sk; 158 159 conn = iso_conn_hold_unless_zero(conn); 160 if (!conn) 161 return; 162 163 iso_conn_lock(conn); 164 sk = iso_sock_hold(conn); 165 iso_conn_unlock(conn); 166 iso_conn_put(conn); 167 168 if (!sk) 169 return; 170 171 BT_DBG("sock %p state %d", sk, sk->sk_state); 172 173 lock_sock(sk); 174 sk->sk_err = ETIMEDOUT; 175 sk->sk_state_change(sk); 176 release_sock(sk); 177 sock_put(sk); 178 } 179 180 static void iso_sock_set_timer(struct sock *sk, long timeout) 181 { 182 if (!iso_pi(sk)->conn) 183 return; 184 185 BT_DBG("sock %p state %d timeout %ld", sk, sk->sk_state, timeout); 186 cancel_delayed_work(&iso_pi(sk)->conn->timeout_work); 187 schedule_delayed_work(&iso_pi(sk)->conn->timeout_work, timeout); 188 } 189 190 static void iso_sock_clear_timer(struct sock *sk) 191 { 192 if (!iso_pi(sk)->conn) 193 return; 194 195 BT_DBG("sock %p state %d", sk, sk->sk_state); 196 cancel_delayed_work(&iso_pi(sk)->conn->timeout_work); 197 } 198 199 /* ---- ISO connections ---- */ 200 static struct iso_conn *iso_conn_add(struct hci_conn *hcon) 201 { 202 struct iso_conn *conn = hcon->iso_data; 203 204 conn = iso_conn_hold_unless_zero(conn); 205 if (conn) { 206 if (!conn->hcon) { 207 iso_conn_lock(conn); 208 conn->hcon = hcon; 209 iso_conn_unlock(conn); 210 } 211 iso_conn_put(conn); 212 return conn; 213 } 214 215 conn = kzalloc_obj(*conn); 216 if (!conn) 217 return NULL; 218 219 kref_init(&conn->ref); 220 spin_lock_init(&conn->lock); 221 INIT_DELAYED_WORK(&conn->timeout_work, iso_sock_timeout); 222 223 hcon->iso_data = conn; 224 conn->hcon = hcon; 225 conn->tx_sn = 0; 226 227 BT_DBG("hcon %p conn %p", hcon, conn); 228 229 return conn; 230 } 231 232 /* Delete channel. Must be called on the locked socket. 
*/
static void iso_chan_del(struct sock *sk, int err)
{
	struct iso_conn *conn;
	struct sock *parent;

	/* Detach the socket from its conn first ... */
	conn = iso_pi(sk)->conn;
	iso_pi(sk)->conn = NULL;

	BT_DBG("sk %p, conn %p, err %d", sk, conn, err);

	/* ... then the conn from the socket.  conn->sk is cleared under the
	 * conn lock so that iso_sock_hold() callers stop seeing this socket,
	 * and only then is the socket's reference on the conn dropped.
	 */
	if (conn) {
		iso_conn_lock(conn);
		conn->sk = NULL;
		iso_conn_unlock(conn);
		iso_conn_put(conn);
	}

	sk->sk_state = BT_CLOSED;
	sk->sk_err = err;

	/* A not-yet-accepted child leaves its parent's accept queue and the
	 * parent is woken; a standalone socket is woken itself.
	 */
	parent = bt_sk(sk)->parent;
	if (parent) {
		bt_accept_unlink(sk);
		parent->sk_data_ready(parent);
	} else {
		sk->sk_state_change(sk);
	}

	sock_set_flag(sk, SOCK_ZAPPED);
}

/* Tear down the socket attached to @hcon's iso_conn, if any, reporting
 * @err to it.  Takes the socket lock itself, so the caller must not hold it.
 */
static void iso_conn_del(struct hci_conn *hcon, int err)
{
	struct iso_conn *conn = hcon->iso_data;
	struct sock *sk;

	/* Bail out if the conn is already on its way to iso_conn_free() */
	conn = iso_conn_hold_unless_zero(conn);
	if (!conn)
		return;

	BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);

	/* Kill socket */
	iso_conn_lock(conn);
	sk = iso_sock_hold(conn);
	iso_conn_unlock(conn);
	iso_conn_put(conn);

	if (!sk) {
		/* The temporary reference was dropped above; this second put
		 * is deliberate and releases the conn itself when no socket
		 * is left to do so, letting iso_conn_free() clear
		 * hcon->iso_data.  NOTE(review): inferred from the put
		 * pairing with iso_chan_del(); confirm against the reference
		 * ownership rules.
		 */
		iso_conn_put(conn);
		return;
	}

	lock_sock(sk);
	iso_sock_clear_timer(sk);
	iso_chan_del(sk, err);
	release_sock(sk);
	sock_put(sk);
}

/* Attach @sk to @conn.  Must be called with the conn lock held (see
 * iso_chan_add()).  Returns 0 if the pair is already attached or was
 * attached now, -EBUSY if @conn already belongs to a different socket.
 */
static int __iso_chan_add(struct iso_conn *conn, struct sock *sk,
			  struct sock *parent)
{
	BT_DBG("conn %p", conn);

	/* Already attached to each other: nothing to do */
	if (iso_pi(sk)->conn == conn && conn->sk == sk)
		return 0;

	/* A conn carries at most one socket */
	if (conn->sk) {
		BT_ERR("conn->sk already set");
		return -EBUSY;
	}

	iso_pi(sk)->conn = conn;
	conn->sk = sk;

	/* Children of a listening socket are queued on it for accept() */
	if (parent)
		bt_accept_enqueue(parent, sk, true);

	return 0;
}

/* Locked wrapper around __iso_chan_add(); see there for the return values */
static int iso_chan_add(struct iso_conn *conn, struct sock *sk,
			struct sock *parent)
{
	int err;

	iso_conn_lock(conn);
	err = __iso_chan_add(conn, sk, parent);
	iso_conn_unlock(conn);

	return err;
}

/* Map a socket-level LE address type to the HCI LE address type */
static inline u8 le_addr_type(u8 bdaddr_type)
{
	if (bdaddr_type == BDADDR_LE_PUBLIC)
		return
ADDR_LE_DEV_PUBLIC; 331 else 332 return ADDR_LE_DEV_RANDOM; 333 } 334 335 static int iso_connect_bis(struct sock *sk) 336 { 337 struct iso_conn *conn; 338 struct hci_conn *hcon; 339 struct hci_dev *hdev; 340 bdaddr_t src, dst; 341 u8 src_type, bc_sid; 342 int err; 343 344 lock_sock(sk); 345 bacpy(&src, &iso_pi(sk)->src); 346 bacpy(&dst, &iso_pi(sk)->dst); 347 src_type = iso_pi(sk)->src_type; 348 bc_sid = iso_pi(sk)->bc_sid; 349 release_sock(sk); 350 351 BT_DBG("%pMR (SID 0x%2.2x)", &src, bc_sid); 352 353 hdev = hci_get_route(&dst, &src, src_type); 354 if (!hdev) 355 return -EHOSTUNREACH; 356 357 hci_dev_lock(hdev); 358 lock_sock(sk); 359 360 if (!bis_capable(hdev)) { 361 err = -EOPNOTSUPP; 362 goto unlock; 363 } 364 365 /* Fail if user set invalid QoS */ 366 if (iso_pi(sk)->qos_user_set && !check_bcast_qos(&iso_pi(sk)->qos)) { 367 iso_pi(sk)->qos = default_qos; 368 err = -EINVAL; 369 goto unlock; 370 } 371 372 /* Fail if out PHYs are marked as disabled */ 373 if (!iso_pi(sk)->qos.bcast.out.phys) { 374 err = -EINVAL; 375 goto unlock; 376 } 377 378 /* Just bind if DEFER_SETUP has been set */ 379 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 380 hcon = hci_bind_bis(hdev, &iso_pi(sk)->dst, iso_pi(sk)->bc_sid, 381 &iso_pi(sk)->qos, iso_pi(sk)->base_len, 382 iso_pi(sk)->base, 383 READ_ONCE(sk->sk_sndtimeo)); 384 if (IS_ERR(hcon)) { 385 err = PTR_ERR(hcon); 386 goto unlock; 387 } 388 } else { 389 hcon = hci_connect_bis(hdev, &iso_pi(sk)->dst, 390 le_addr_type(iso_pi(sk)->dst_type), 391 iso_pi(sk)->bc_sid, &iso_pi(sk)->qos, 392 iso_pi(sk)->base_len, iso_pi(sk)->base, 393 READ_ONCE(sk->sk_sndtimeo)); 394 if (IS_ERR(hcon)) { 395 err = PTR_ERR(hcon); 396 goto unlock; 397 } 398 399 /* Update SID if it was not set */ 400 if (iso_pi(sk)->bc_sid == HCI_SID_INVALID) 401 iso_pi(sk)->bc_sid = hcon->sid; 402 } 403 404 conn = iso_conn_add(hcon); 405 if (!conn) { 406 hci_conn_drop(hcon); 407 err = -ENOMEM; 408 goto unlock; 409 } 410 411 err = iso_chan_add(conn, sk, NULL); 412 
if (err) 413 goto unlock; 414 415 /* Update source addr of the socket */ 416 bacpy(&iso_pi(sk)->src, &hcon->src); 417 418 if (hcon->state == BT_CONNECTED) { 419 iso_sock_clear_timer(sk); 420 sk->sk_state = BT_CONNECTED; 421 } else if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 422 iso_sock_clear_timer(sk); 423 sk->sk_state = BT_CONNECT; 424 } else { 425 sk->sk_state = BT_CONNECT; 426 iso_sock_set_timer(sk, READ_ONCE(sk->sk_sndtimeo)); 427 } 428 429 unlock: 430 release_sock(sk); 431 hci_dev_unlock(hdev); 432 hci_dev_put(hdev); 433 return err; 434 } 435 436 static int iso_connect_cis(struct sock *sk) 437 { 438 struct iso_conn *conn; 439 struct hci_conn *hcon; 440 struct hci_dev *hdev; 441 bdaddr_t src, dst; 442 u8 src_type; 443 int err; 444 445 lock_sock(sk); 446 bacpy(&src, &iso_pi(sk)->src); 447 bacpy(&dst, &iso_pi(sk)->dst); 448 src_type = iso_pi(sk)->src_type; 449 release_sock(sk); 450 451 BT_DBG("%pMR -> %pMR", &src, &dst); 452 453 hdev = hci_get_route(&dst, &src, src_type); 454 if (!hdev) 455 return -EHOSTUNREACH; 456 457 hci_dev_lock(hdev); 458 lock_sock(sk); 459 460 if (!cis_central_capable(hdev)) { 461 err = -EOPNOTSUPP; 462 goto unlock; 463 } 464 465 /* Fail if user set invalid QoS */ 466 if (iso_pi(sk)->qos_user_set && !check_ucast_qos(&iso_pi(sk)->qos)) { 467 iso_pi(sk)->qos = default_qos; 468 err = -EINVAL; 469 goto unlock; 470 } 471 472 /* Fail if either PHYs are marked as disabled */ 473 if (!iso_pi(sk)->qos.ucast.in.phys && !iso_pi(sk)->qos.ucast.out.phys) { 474 err = -EINVAL; 475 goto unlock; 476 } 477 478 /* Check if there are available buffers for output/TX. 
*/ 479 if (iso_pi(sk)->qos.ucast.out.sdu && !hci_iso_count(hdev) && 480 (hdev->iso_pkts && !hdev->iso_cnt)) { 481 err = -ENOBUFS; 482 goto unlock; 483 } 484 485 /* Just bind if DEFER_SETUP has been set */ 486 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 487 hcon = hci_bind_cis(hdev, &iso_pi(sk)->dst, 488 le_addr_type(iso_pi(sk)->dst_type), 489 &iso_pi(sk)->qos, 490 READ_ONCE(sk->sk_sndtimeo)); 491 if (IS_ERR(hcon)) { 492 err = PTR_ERR(hcon); 493 goto unlock; 494 } 495 } else { 496 hcon = hci_connect_cis(hdev, &iso_pi(sk)->dst, 497 le_addr_type(iso_pi(sk)->dst_type), 498 &iso_pi(sk)->qos, 499 READ_ONCE(sk->sk_sndtimeo)); 500 if (IS_ERR(hcon)) { 501 err = PTR_ERR(hcon); 502 goto unlock; 503 } 504 } 505 506 conn = iso_conn_add(hcon); 507 if (!conn) { 508 hci_conn_drop(hcon); 509 err = -ENOMEM; 510 goto unlock; 511 } 512 513 err = iso_chan_add(conn, sk, NULL); 514 if (err) 515 goto unlock; 516 517 /* Update source addr of the socket */ 518 bacpy(&iso_pi(sk)->src, &hcon->src); 519 520 if (hcon->state == BT_CONNECTED) { 521 iso_sock_clear_timer(sk); 522 sk->sk_state = BT_CONNECTED; 523 } else if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 524 iso_sock_clear_timer(sk); 525 sk->sk_state = BT_CONNECT; 526 } else { 527 sk->sk_state = BT_CONNECT; 528 iso_sock_set_timer(sk, READ_ONCE(sk->sk_sndtimeo)); 529 } 530 531 unlock: 532 release_sock(sk); 533 hci_dev_unlock(hdev); 534 hci_dev_put(hdev); 535 return err; 536 } 537 538 static struct bt_iso_qos *iso_sock_get_qos(struct sock *sk) 539 { 540 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONNECT2) 541 return &iso_pi(sk)->conn->hcon->iso_qos; 542 543 return &iso_pi(sk)->qos; 544 } 545 546 static int iso_send_frame(struct sock *sk, struct sk_buff *skb, 547 const struct sockcm_cookie *sockc) 548 { 549 struct iso_conn *conn = iso_pi(sk)->conn; 550 struct bt_iso_qos *qos = iso_sock_get_qos(sk); 551 struct hci_iso_data_hdr *hdr; 552 int len = 0; 553 554 BT_DBG("sk %p len %d", sk, skb->len); 555 556 if 
(skb->len > qos->ucast.out.sdu) 557 return -EMSGSIZE; 558 559 len = skb->len; 560 561 /* Push ISO data header */ 562 hdr = skb_push(skb, HCI_ISO_DATA_HDR_SIZE); 563 hdr->sn = cpu_to_le16(conn->tx_sn++); 564 hdr->slen = cpu_to_le16(hci_iso_data_len_pack(len, 565 HCI_ISO_STATUS_VALID)); 566 567 if (sk->sk_state == BT_CONNECTED) { 568 hci_setup_tx_timestamp(skb, 1, sockc); 569 hci_send_iso(conn->hcon, skb); 570 } else { 571 len = -ENOTCONN; 572 } 573 574 return len; 575 } 576 577 static void iso_recv_frame(struct iso_conn *conn, struct sk_buff *skb) 578 { 579 struct sock *sk; 580 581 iso_conn_lock(conn); 582 sk = iso_sock_hold(conn); 583 iso_conn_unlock(conn); 584 585 if (!sk) 586 goto drop; 587 588 BT_DBG("sk %p len %d", sk, skb->len); 589 590 if (sk->sk_state != BT_CONNECTED) 591 goto drop_put; 592 593 if (!sock_queue_rcv_skb(sk, skb)) { 594 sock_put(sk); 595 return; 596 } 597 598 drop_put: 599 sock_put(sk); 600 drop: 601 kfree_skb(skb); 602 } 603 604 /* -------- Socket interface ---------- */ 605 static struct sock *__iso_get_sock_listen_by_addr(bdaddr_t *src, bdaddr_t *dst) 606 { 607 struct sock *sk; 608 609 sk_for_each(sk, &iso_sk_list.head) { 610 if (sk->sk_state != BT_LISTEN) 611 continue; 612 613 if (bacmp(&iso_pi(sk)->dst, dst)) 614 continue; 615 616 if (!bacmp(&iso_pi(sk)->src, src)) 617 return sk; 618 } 619 620 return NULL; 621 } 622 623 static struct sock *__iso_get_sock_listen_by_sid(bdaddr_t *ba, bdaddr_t *bc, 624 __u8 sid) 625 { 626 struct sock *sk; 627 628 sk_for_each(sk, &iso_sk_list.head) { 629 if (sk->sk_state != BT_LISTEN) 630 continue; 631 632 if (bacmp(&iso_pi(sk)->src, ba)) 633 continue; 634 635 if (bacmp(&iso_pi(sk)->dst, bc)) 636 continue; 637 638 if (iso_pi(sk)->bc_sid == sid) 639 return sk; 640 } 641 642 return NULL; 643 } 644 645 /* Find socket in given state: 646 * source bdaddr (Unicast) 647 * destination bdaddr (Broadcast only) 648 * match func - pass NULL to ignore 649 * match func data - pass -1 to ignore 650 * Returns closest match. 
651 */ 652 static struct sock *iso_get_sock(struct hci_dev *hdev, bdaddr_t *src, 653 bdaddr_t *dst, enum bt_sock_state state, 654 iso_sock_match_t match, void *data) 655 { 656 struct sock *sk = NULL, *sk1 = NULL; 657 658 read_lock(&iso_sk_list.lock); 659 660 sk_for_each(sk, &iso_sk_list.head) { 661 if (sk->sk_state != state) 662 continue; 663 664 /* Match Broadcast destination */ 665 if (bacmp(dst, BDADDR_ANY) && bacmp(&iso_pi(sk)->dst, dst)) { 666 struct smp_irk *irk1, *irk2; 667 668 /* Check if destination is an RPA that we can resolve */ 669 irk1 = hci_find_irk_by_rpa(hdev, dst); 670 if (!irk1) 671 continue; 672 673 /* Match with identity address */ 674 if (bacmp(&iso_pi(sk)->dst, &irk1->bdaddr)) { 675 /* Check if socket destination address is also 676 * an RPA and if the IRK matches. 677 */ 678 irk2 = hci_find_irk_by_rpa(hdev, 679 &iso_pi(sk)->dst); 680 if (!irk2 || irk1 != irk2) 681 continue; 682 } 683 } 684 685 /* Use Match function if provided */ 686 if (match && !match(sk, data)) 687 continue; 688 689 /* Exact match. */ 690 if (!bacmp(&iso_pi(sk)->src, src)) { 691 sock_hold(sk); 692 break; 693 } 694 695 /* Closest match */ 696 if (!bacmp(&iso_pi(sk)->src, BDADDR_ANY)) { 697 if (sk1) 698 sock_put(sk1); 699 700 sk1 = sk; 701 sock_hold(sk1); 702 } 703 } 704 705 if (sk && sk1) 706 sock_put(sk1); 707 708 read_unlock(&iso_sk_list.lock); 709 710 return sk ? 
sk : sk1; 711 } 712 713 static struct sock *iso_get_sock_big(struct sock *match_sk, bdaddr_t *src, 714 bdaddr_t *dst, uint8_t big) 715 { 716 struct sock *sk = NULL; 717 718 read_lock(&iso_sk_list.lock); 719 720 sk_for_each(sk, &iso_sk_list.head) { 721 if (match_sk == sk) 722 continue; 723 724 /* Look for sockets that have already been 725 * connected to the BIG 726 */ 727 if (sk->sk_state != BT_CONNECTED && 728 sk->sk_state != BT_CONNECT) 729 continue; 730 731 /* Match Broadcast destination */ 732 if (bacmp(&iso_pi(sk)->dst, dst)) 733 continue; 734 735 /* Match BIG handle */ 736 if (iso_pi(sk)->qos.bcast.big != big) 737 continue; 738 739 /* Match source address */ 740 if (bacmp(&iso_pi(sk)->src, src)) 741 continue; 742 743 sock_hold(sk); 744 break; 745 } 746 747 read_unlock(&iso_sk_list.lock); 748 749 return sk; 750 } 751 752 static void iso_sock_destruct(struct sock *sk) 753 { 754 BT_DBG("sk %p", sk); 755 756 iso_conn_put(iso_pi(sk)->conn); 757 758 skb_queue_purge(&sk->sk_receive_queue); 759 skb_queue_purge(&sk->sk_write_queue); 760 skb_queue_purge(&sk->sk_error_queue); 761 } 762 763 static void iso_sock_cleanup_listen(struct sock *parent) 764 { 765 struct sock *sk; 766 767 BT_DBG("parent %p", parent); 768 769 /* Close not yet accepted channels */ 770 while ((sk = bt_accept_dequeue(parent, NULL))) { 771 iso_sock_close(sk); 772 iso_sock_kill(sk); 773 /* Drop the reference handed back by bt_accept_dequeue(). */ 774 sock_put(sk); 775 } 776 777 /* If listening socket has a hcon, properly disconnect it */ 778 if (iso_pi(parent)->conn && iso_pi(parent)->conn->hcon) { 779 iso_sock_disconn(parent); 780 return; 781 } 782 783 parent->sk_state = BT_CLOSED; 784 sock_set_flag(parent, SOCK_ZAPPED); 785 } 786 787 /* Kill socket (only if zapped and orphan) 788 * Must be called on unlocked socket. 
789 */ 790 static void iso_sock_kill(struct sock *sk) 791 { 792 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket || 793 sock_flag(sk, SOCK_DEAD)) 794 return; 795 796 BT_DBG("sk %p state %d", sk, sk->sk_state); 797 798 /* Sock is dead, so set conn->sk to NULL to avoid possible UAF */ 799 if (iso_pi(sk)->conn) { 800 iso_conn_lock(iso_pi(sk)->conn); 801 iso_pi(sk)->conn->sk = NULL; 802 iso_conn_unlock(iso_pi(sk)->conn); 803 } 804 805 /* Kill poor orphan */ 806 bt_sock_unlink(&iso_sk_list, sk); 807 sock_set_flag(sk, SOCK_DEAD); 808 sock_put(sk); 809 } 810 811 static void iso_sock_disconn(struct sock *sk) 812 { 813 struct sock *bis_sk; 814 struct hci_conn *hcon = iso_pi(sk)->conn->hcon; 815 816 if (test_bit(HCI_CONN_BIG_CREATED, &hcon->flags)) { 817 bis_sk = iso_get_sock_big(sk, &iso_pi(sk)->src, 818 &iso_pi(sk)->dst, 819 iso_pi(sk)->qos.bcast.big); 820 821 /* If there are any other connected sockets for the 822 * same BIG, just delete the sk and leave the bis 823 * hcon active, in case later rebinding is needed. 
824 */ 825 if (bis_sk) { 826 hcon->state = BT_OPEN; 827 hcon->iso_data = NULL; 828 iso_pi(sk)->conn->hcon = NULL; 829 iso_sock_clear_timer(sk); 830 iso_chan_del(sk, bt_to_errno(hcon->abort_reason)); 831 sock_put(bis_sk); 832 return; 833 } 834 } 835 836 sk->sk_state = BT_DISCONN; 837 iso_conn_lock(iso_pi(sk)->conn); 838 hci_conn_drop(iso_pi(sk)->conn->hcon); 839 iso_pi(sk)->conn->hcon = NULL; 840 iso_conn_unlock(iso_pi(sk)->conn); 841 } 842 843 static void __iso_sock_close(struct sock *sk) 844 { 845 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket); 846 847 switch (sk->sk_state) { 848 case BT_LISTEN: 849 iso_sock_cleanup_listen(sk); 850 break; 851 852 case BT_CONNECT: 853 case BT_CONNECTED: 854 case BT_CONFIG: 855 if (iso_pi(sk)->conn->hcon) 856 iso_sock_disconn(sk); 857 else 858 iso_chan_del(sk, ECONNRESET); 859 break; 860 861 case BT_CONNECT2: 862 if (iso_pi(sk)->conn->hcon && 863 (test_bit(HCI_CONN_PA_SYNC, &iso_pi(sk)->conn->hcon->flags) || 864 test_bit(HCI_CONN_PA_SYNC_FAILED, &iso_pi(sk)->conn->hcon->flags))) 865 iso_sock_disconn(sk); 866 else 867 iso_chan_del(sk, ECONNRESET); 868 break; 869 case BT_DISCONN: 870 iso_chan_del(sk, ECONNRESET); 871 break; 872 873 default: 874 sock_set_flag(sk, SOCK_ZAPPED); 875 break; 876 } 877 } 878 879 /* Must be called on unlocked socket. 
*/ 880 static void iso_sock_close(struct sock *sk) 881 { 882 lock_sock(sk); 883 iso_sock_clear_timer(sk); 884 __iso_sock_close(sk); 885 release_sock(sk); 886 iso_sock_kill(sk); 887 } 888 889 static void iso_sock_init(struct sock *sk, struct sock *parent) 890 { 891 BT_DBG("sk %p", sk); 892 893 if (parent) { 894 sk->sk_type = parent->sk_type; 895 bt_sk(sk)->flags = bt_sk(parent)->flags; 896 security_sk_clone(parent, sk); 897 } 898 } 899 900 static struct proto iso_proto = { 901 .name = "ISO", 902 .owner = THIS_MODULE, 903 .obj_size = sizeof(struct iso_pinfo) 904 }; 905 906 #define DEFAULT_IO_QOS \ 907 { \ 908 .interval = 10000u, \ 909 .latency = 10u, \ 910 .sdu = 40u, \ 911 .phys = BT_ISO_PHY_2M, \ 912 .rtn = 2u, \ 913 } 914 915 static struct bt_iso_qos default_qos = { 916 .bcast = { 917 .big = BT_ISO_QOS_BIG_UNSET, 918 .bis = BT_ISO_QOS_BIS_UNSET, 919 .sync_factor = 0x01, 920 .packing = 0x00, 921 .framing = 0x00, 922 .in = DEFAULT_IO_QOS, 923 .out = DEFAULT_IO_QOS, 924 .encryption = 0x00, 925 .bcode = {0x00}, 926 .options = 0x00, 927 .skip = 0x0000, 928 .sync_timeout = BT_ISO_SYNC_TIMEOUT, 929 .sync_cte_type = 0x00, 930 .mse = 0x00, 931 .timeout = BT_ISO_SYNC_TIMEOUT, 932 }, 933 }; 934 935 static struct sock *iso_sock_alloc(struct net *net, struct socket *sock, 936 int proto, gfp_t prio, int kern) 937 { 938 struct sock *sk; 939 940 sk = bt_sock_alloc(net, sock, &iso_proto, proto, prio, kern); 941 if (!sk) 942 return NULL; 943 944 sk->sk_destruct = iso_sock_destruct; 945 sk->sk_sndtimeo = ISO_CONN_TIMEOUT; 946 947 /* Set address type as public as default src address is BDADDR_ANY */ 948 iso_pi(sk)->src_type = BDADDR_LE_PUBLIC; 949 950 iso_pi(sk)->qos = default_qos; 951 iso_pi(sk)->sync_handle = -1; 952 953 bt_sock_link(&iso_sk_list, sk); 954 return sk; 955 } 956 957 static int iso_sock_create(struct net *net, struct socket *sock, int protocol, 958 int kern) 959 { 960 struct sock *sk; 961 962 BT_DBG("sock %p", sock); 963 964 sock->state = SS_UNCONNECTED; 965 966 if 
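(sock->type != SOCK_SEQPACKET)
		return -ESOCKTNOSUPPORT;

	sock->ops = &iso_sock_ops;

	sk = iso_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
	if (!sk)
		return -ENOMEM;

	iso_sock_init(sk, NULL);
	return 0;
}

/* Parse and validate the broadcast (BIS) part of a sockaddr_iso that
 * follows the base address, then commit it to the socket.
 *
 * @sock:     socket being bound; sk is taken from it
 * @addr:     address as passed to bind(); the caller has already checked
 *            the family and that at least sizeof(*sa) bytes are present
 * @addr_len: length of @addr in bytes
 *
 * Every user supplied field is validated before any socket state is
 * written, so a rejected bind leaves the iso_pinfo exactly as it was
 * (no half-updated dst/bc_sid/bc_num_bis).  Returns 0 or -EINVAL.
 */
static int iso_sock_bind_bc(struct socket *sock, struct sockaddr_unsized *addr,
			    int addr_len)
{
	struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
	struct sock *sk = sock->sk;
	int i;

	/* Nothing in sa->iso_bc may be read, not even for debugging, until
	 * the length proves the trailing broadcast struct is really there.
	 */
	if (addr_len != sizeof(*sa) + sizeof(*sa->iso_bc))
		return -EINVAL;

	BT_DBG("sk %p bc_sid %u bc_num_bis %u", sk, sa->iso_bc->bc_sid,
	       sa->iso_bc->bc_num_bis);

	/* Check if the address type is of LE type */
	if (!bdaddr_type_is_le(sa->iso_bc->bc_bdaddr_type))
		return -EINVAL;

	/* SID is at most 0x0f; HCI_SID_INVALID means "not set yet" and is
	 * filled in from the hcon by iso_connect_bis().
	 */
	if (sa->iso_bc->bc_sid > 0x0f && sa->iso_bc->bc_sid != HCI_SID_INVALID)
		return -EINVAL;

	/* bc_num_bis bounds the memcpy into bc_bis[ISO_MAX_NUM_BIS] below */
	if (sa->iso_bc->bc_num_bis > ISO_MAX_NUM_BIS)
		return -EINVAL;

	/* BIS indices are 1-based and at most 0x1f */
	for (i = 0; i < sa->iso_bc->bc_num_bis; i++)
		if (sa->iso_bc->bc_bis[i] < 0x01 ||
		    sa->iso_bc->bc_bis[i] > 0x1f)
			return -EINVAL;

	/* All checks passed: commit to the socket in one go */
	bacpy(&iso_pi(sk)->dst, &sa->iso_bc->bc_bdaddr);
	iso_pi(sk)->dst_type = sa->iso_bc->bc_bdaddr_type;
	iso_pi(sk)->bc_sid = sa->iso_bc->bc_sid;
	iso_pi(sk)->bc_num_bis = sa->iso_bc->bc_num_bis;
	memcpy(iso_pi(sk)->bc_bis, sa->iso_bc->bc_bis,
	       iso_pi(sk)->bc_num_bis);

	return 0;
}

/* Must be called on the locked socket.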
*/ 1022 static int iso_sock_rebind_bis(struct sock *sk, struct sockaddr_iso *sa, 1023 int addr_len) 1024 { 1025 int err = 0; 1026 1027 if (!test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) 1028 return -EBADFD; 1029 1030 if (sa->iso_bc->bc_num_bis > ISO_MAX_NUM_BIS) { 1031 err = -EINVAL; 1032 goto done; 1033 } 1034 1035 iso_pi(sk)->bc_num_bis = sa->iso_bc->bc_num_bis; 1036 1037 for (int i = 0; i < iso_pi(sk)->bc_num_bis; i++) 1038 if (sa->iso_bc->bc_bis[i] < 0x01 || 1039 sa->iso_bc->bc_bis[i] > 0x1f) { 1040 err = -EINVAL; 1041 goto done; 1042 } 1043 1044 memcpy(iso_pi(sk)->bc_bis, sa->iso_bc->bc_bis, 1045 iso_pi(sk)->bc_num_bis); 1046 1047 done: 1048 return err; 1049 } 1050 1051 static struct hci_dev *iso_conn_get_hdev(struct iso_conn *conn) 1052 { 1053 struct hci_dev *hdev = NULL; 1054 1055 iso_conn_lock(conn); 1056 if (conn->hcon) 1057 hdev = hci_dev_hold(conn->hcon->hdev); 1058 iso_conn_unlock(conn); 1059 1060 return hdev; 1061 } 1062 1063 /* Must be called on the locked socket. */ 1064 static int iso_sock_rebind_bc(struct sock *sk, struct sockaddr_iso *sa, 1065 int addr_len) 1066 { 1067 struct hci_dev *hdev; 1068 struct hci_conn *bis; 1069 int err; 1070 1071 if (sk->sk_type != SOCK_SEQPACKET || !iso_pi(sk)->conn) 1072 return -EINVAL; 1073 1074 /* Check if it is really a Broadcast address being requested */ 1075 if (addr_len != sizeof(*sa) + sizeof(*sa->iso_bc)) 1076 return -EINVAL; 1077 1078 /* Check if the address hasn't changed then perhaps only the number of 1079 * bis has changed. 
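*/
	if (!bacmp(&iso_pi(sk)->dst, &sa->iso_bc->bc_bdaddr) ||
	    !bacmp(&sa->iso_bc->bc_bdaddr, BDADDR_ANY))
		return iso_sock_rebind_bis(sk, sa, addr_len);

	/* Check if the address type is of LE type */
	if (!bdaddr_type_is_le(sa->iso_bc->bc_bdaddr_type))
		return -EINVAL;

	hdev = iso_conn_get_hdev(iso_pi(sk)->conn);
	if (!hdev)
		return -EINVAL;

	/* Read without the conn lock; iso_conn_get_hdev() just saw hcon
	 * non-NULL and the socket lock held here is what appears to keep
	 * conn->hcon stable (iso_sock_disconn() runs under it) -- confirm.
	 */
	bis = iso_pi(sk)->conn->hcon;

	/* Release the socket before lookups since that requires hci_dev_lock
	 * which shall not be acquired while holding sock_lock for proper
	 * ordering.
	 */
	release_sock(sk);
	hci_dev_lock(hdev);
	lock_sock(sk);

	/* Anything may have happened while the socket lock was dropped, so
	 * re-validate that we still talk about the same connection.
	 */
	if (!iso_pi(sk)->conn || iso_pi(sk)->conn->hcon != bis) {
		/* raced with iso_conn_del() or iso_sock_disconn() */
		err = -ENOTCONN;
		goto unlock;
	}

	BT_DBG("sk %p %pMR type %u", sk, &sa->iso_bc->bc_bdaddr,
	       sa->iso_bc->bc_bdaddr_type);

	err = hci_past_bis(bis, &sa->iso_bc->bc_bdaddr,
			   le_addr_type(sa->iso_bc->bc_bdaddr_type));

unlock:
	hci_dev_unlock(hdev);
	hci_dev_put(hdev);

	return err;
}

/* bind(2) handler.
 *
 * @addr is either a plain sockaddr_iso (source address only) or a
 * sockaddr_iso followed by the broadcast part, which is handed to
 * iso_sock_bind_bc().  On a socket that is already BT_CONNECT2 or
 * BT_CONNECTED a broadcast bind is treated as a request to re-sync to a
 * different source via iso_sock_rebind_bc().
 *
 * Returns 0 on success or a negative errno.
 */
static int iso_sock_bind(struct socket *sock, struct sockaddr_unsized *addr,
			 int addr_len)
{
	struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
	struct sock *sk = sock->sk;
	int err = 0;

	/* Validate before touching *addr: the NULL and length checks come
	 * before any field is read, including for debugging.  A negative
	 * addr_len is rejected explicitly so the signed/unsigned comparison
	 * against sizeof() cannot let it through.
	 */
	if (!addr || addr_len < 0 || addr_len < sizeof(struct sockaddr_iso) ||
	    addr->sa_family != AF_BLUETOOTH)
		return -EINVAL;

	BT_DBG("sk %p %pMR type %u", sk, &sa->iso_bdaddr, sa->iso_bdaddr_type);

	lock_sock(sk);

	if ((sk->sk_state == BT_CONNECT2 || sk->sk_state == BT_CONNECTED) &&
	    addr_len > sizeof(*sa)) {
		/* Allow the user to rebind to a different address using
		 * PAST procedures.
		 */
		err = iso_sock_rebind_bc(sk, sa, addr_len);
		goto done;
	}

	if (sk->sk_state != BT_OPEN) {
		err = -EBADFD;
		goto done;
	}

	if (sk->sk_type != SOCK_SEQPACKET) {
		err = -EINVAL;
		goto done;
	}

	/* Check if the address type is of LE type */
	if (!bdaddr_type_is_le(sa->iso_bdaddr_type)) {
		err = -EINVAL;
		goto done;
	}

	/* Parse the broadcast part before committing the source address so
	 * that a rejected broadcast address leaves the socket untouched.
	 */
	if (addr_len > sizeof(*sa)) {
		err = iso_sock_bind_bc(sock, addr, addr_len);
		if (err)
			goto done;
	}

	bacpy(&iso_pi(sk)->src, &sa->iso_bdaddr);
	iso_pi(sk)->src_type = sa->iso_bdaddr_type;

	sk->sk_state = BT_BOUND;

done:
	release_sock(sk);
	return err;
}

/* connect(2) handler.
 *
 * A destination of BDADDR_ANY starts a broadcast (BIS) connection,
 * anything else a unicast (CIS) one.  Unless BT_SK_DEFER_SETUP is set the
 * call blocks, up to the send timeout, until the socket is BT_CONNECTED.
 * Returns 0 on success or a negative errno.
 */
static int iso_sock_connect(struct socket *sock, struct sockaddr_unsized *addr,
			    int alen, int flags)
{
	struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
	struct sock *sk = sock->sk;
	int err;

	BT_DBG("sk %p", sk);

	/* Same guard shape as iso_sock_bind(): nothing in *addr is read
	 * before the pointer and the length have been checked.
	 */
	if (!addr || alen < 0 || alen < sizeof(struct sockaddr_iso) ||
	    addr->sa_family != AF_BLUETOOTH)
		return -EINVAL;

	/* State and type are read without the socket lock here, as in the
	 * original code; the lock is only taken to update the address.
	 */
	if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND)
		return -EBADFD;

	if (sk->sk_type != SOCK_SEQPACKET)
		return -EINVAL;

	/* Check if the address type is of LE type */
	if (!bdaddr_type_is_le(sa->iso_bdaddr_type))
		return -EINVAL;

	lock_sock(sk);

	bacpy(&iso_pi(sk)->dst, &sa->iso_bdaddr);
	iso_pi(sk)->dst_type = sa->iso_bdaddr_type;

	release_sock(sk);

	/* The connect helpers take the socket lock themselves */
	if (bacmp(&sa->iso_bdaddr, BDADDR_ANY))
		err = iso_connect_cis(sk);
	else
		err = iso_connect_bis(sk);

	if (err)
		return err;

	lock_sock(sk);

	if (!test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
		err = bt_sock_wait_state(sk, BT_CONNECTED,
					 sock_sndtimeo(sk, flags & O_NONBLOCK));
	}

	release_sock(sk);
	return err;
}

static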
int iso_listen_bis(struct sock *sk) 1229 { 1230 struct iso_conn *conn; 1231 struct hci_conn *hcon; 1232 struct hci_dev *hdev; 1233 bdaddr_t src, dst; 1234 u8 src_type, bc_sid; 1235 int err = 0; 1236 1237 lock_sock(sk); 1238 bacpy(&src, &iso_pi(sk)->src); 1239 bacpy(&dst, &iso_pi(sk)->dst); 1240 src_type = iso_pi(sk)->src_type; 1241 bc_sid = iso_pi(sk)->bc_sid; 1242 release_sock(sk); 1243 1244 BT_DBG("%pMR -> %pMR (SID 0x%2.2x)", &src, &dst, bc_sid); 1245 1246 write_lock(&iso_sk_list.lock); 1247 1248 if (__iso_get_sock_listen_by_sid(&src, &dst, bc_sid)) 1249 err = -EADDRINUSE; 1250 1251 write_unlock(&iso_sk_list.lock); 1252 1253 if (err) 1254 return err; 1255 1256 hdev = hci_get_route(&dst, &src, src_type); 1257 if (!hdev) 1258 return -EHOSTUNREACH; 1259 1260 hci_dev_lock(hdev); 1261 lock_sock(sk); 1262 1263 /* Fail if user set invalid QoS */ 1264 if (iso_pi(sk)->qos_user_set && !check_bcast_qos(&iso_pi(sk)->qos)) { 1265 iso_pi(sk)->qos = default_qos; 1266 err = -EINVAL; 1267 goto unlock; 1268 } 1269 1270 hcon = hci_pa_create_sync(hdev, &iso_pi(sk)->dst, 1271 le_addr_type(iso_pi(sk)->dst_type), 1272 iso_pi(sk)->bc_sid, &iso_pi(sk)->qos); 1273 if (IS_ERR(hcon)) { 1274 err = PTR_ERR(hcon); 1275 goto unlock; 1276 } 1277 1278 conn = iso_conn_add(hcon); 1279 if (!conn) { 1280 hci_conn_drop(hcon); 1281 err = -ENOMEM; 1282 goto unlock; 1283 } 1284 1285 err = iso_chan_add(conn, sk, NULL); 1286 if (err) { 1287 hci_conn_drop(hcon); 1288 goto unlock; 1289 } 1290 1291 unlock: 1292 release_sock(sk); 1293 hci_dev_unlock(hdev); 1294 hci_dev_put(hdev); 1295 return err; 1296 } 1297 1298 static int iso_listen_cis(struct sock *sk) 1299 { 1300 int err = 0; 1301 1302 BT_DBG("%pMR", &iso_pi(sk)->src); 1303 1304 write_lock(&iso_sk_list.lock); 1305 1306 if (__iso_get_sock_listen_by_addr(&iso_pi(sk)->src, &iso_pi(sk)->dst)) 1307 err = -EADDRINUSE; 1308 1309 write_unlock(&iso_sk_list.lock); 1310 1311 return err; 1312 } 1313 1314 static int iso_sock_listen(struct socket *sock, int backlog) 
1315 { 1316 struct sock *sk = sock->sk; 1317 int err = 0; 1318 1319 BT_DBG("sk %p backlog %d", sk, backlog); 1320 1321 sock_hold(sk); 1322 lock_sock(sk); 1323 1324 if (sk->sk_state != BT_BOUND) { 1325 err = -EBADFD; 1326 goto done; 1327 } 1328 1329 if (sk->sk_type != SOCK_SEQPACKET) { 1330 err = -EINVAL; 1331 goto done; 1332 } 1333 1334 if (!bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) { 1335 err = iso_listen_cis(sk); 1336 } else { 1337 /* Drop sock lock to avoid potential 1338 * deadlock with the hdev lock. 1339 */ 1340 release_sock(sk); 1341 err = iso_listen_bis(sk); 1342 lock_sock(sk); 1343 } 1344 1345 if (err) 1346 goto done; 1347 1348 sk->sk_max_ack_backlog = backlog; 1349 sk->sk_ack_backlog = 0; 1350 1351 sk->sk_state = BT_LISTEN; 1352 1353 done: 1354 release_sock(sk); 1355 sock_put(sk); 1356 return err; 1357 } 1358 1359 static int iso_sock_accept(struct socket *sock, struct socket *newsock, 1360 struct proto_accept_arg *arg) 1361 { 1362 DEFINE_WAIT_FUNC(wait, woken_wake_function); 1363 struct sock *sk = sock->sk, *ch; 1364 long timeo; 1365 int err = 0; 1366 1367 /* Use explicit nested locking to avoid lockdep warnings generated 1368 * because the parent socket and the child socket are locked on the 1369 * same thread. 1370 */ 1371 lock_sock_nested(sk, SINGLE_DEPTH_NESTING); 1372 1373 timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK); 1374 1375 BT_DBG("sk %p timeo %ld", sk, timeo); 1376 1377 /* Wait for an incoming connection. (wake-one). */ 1378 add_wait_queue_exclusive(sk_sleep(sk), &wait); 1379 while (1) { 1380 if (sk->sk_state != BT_LISTEN) { 1381 err = -EBADFD; 1382 break; 1383 } 1384 1385 ch = bt_accept_dequeue(sk, newsock); 1386 if (ch) { 1387 /* Drop the bridging ref from bt_accept_dequeue(); 1388 * the grafted socket keeps ch alive from here. 
1389 */ 1390 sock_put(ch); 1391 break; 1392 } 1393 1394 if (!timeo) { 1395 err = -EAGAIN; 1396 break; 1397 } 1398 1399 if (signal_pending(current)) { 1400 err = sock_intr_errno(timeo); 1401 break; 1402 } 1403 1404 release_sock(sk); 1405 1406 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo); 1407 lock_sock_nested(sk, SINGLE_DEPTH_NESTING); 1408 } 1409 remove_wait_queue(sk_sleep(sk), &wait); 1410 1411 if (err) 1412 goto done; 1413 1414 newsock->state = SS_CONNECTED; 1415 1416 BT_DBG("new socket %p", ch); 1417 1418 /* A Broadcast Sink might require BIG sync to be terminated 1419 * and re-established multiple times, while keeping the same 1420 * PA sync handle active. To allow this, once all BIS 1421 * connections have been accepted on a PA sync parent socket, 1422 * "reset" socket state, to allow future BIG re-sync procedures. 1423 */ 1424 if (test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) { 1425 /* Iterate through the list of bound BIS indices 1426 * and clear each BIS as they are accepted by the 1427 * user space, one by one. 1428 */ 1429 for (int i = 0; i < iso_pi(sk)->bc_num_bis; i++) { 1430 if (iso_pi(sk)->bc_bis[i] > 0) { 1431 iso_pi(sk)->bc_bis[i] = 0; 1432 iso_pi(sk)->bc_num_bis--; 1433 break; 1434 } 1435 } 1436 1437 if (iso_pi(sk)->bc_num_bis == 0) { 1438 /* Once the last BIS was accepted, reset parent 1439 * socket parameters to mark that the listening 1440 * process for BIS connections has been completed: 1441 * 1442 * 1. Reset the DEFER setup flag on the parent sk. 1443 * 2. Clear the flag marking that the BIG create 1444 * sync command is pending. 1445 * 3. Transition socket state from BT_LISTEN to 1446 * BT_CONNECTED. 
*/
			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
			clear_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags);
			sk->sk_state = BT_CONNECTED;
		}
	}

done:
	release_sock(sk);
	return err;
}

/* iso_sock_getname - report the local or remote address of an ISO socket
 * @sock: socket being queried
 * @addr: caller-supplied buffer (sock_getname() passes a sockaddr_storage)
 * @peer: non-zero for the remote address, zero for the local one
 *
 * For the peer of a broadcast link (BIS_LINK/PA_LINK hcon) the
 * sockaddr_iso_bc trailer (SID, number of BIS, BIS list) is appended after
 * the fixed sockaddr_iso and the returned length grows by its size.
 *
 * Returns the number of bytes written to @addr.
 *
 * NOTE(review): conn and conn->hcon are read here without lock_sock(), and
 * iso_pi(sk)->conn is read twice in the ternary below. Other code in this
 * file (iso_sock_rebind_bc()) documents that conn can be cleared by
 * iso_conn_del() concurrently; confirm whether a single snapshot under
 * lock_sock() is needed. The trailer is assumed to fit in the caller's
 * buffer - TODO confirm sizeof(sockaddr_iso) + sizeof(sockaddr_iso_bc)
 * against sockaddr_storage.
 */
static int iso_sock_getname(struct socket *sock, struct sockaddr *addr,
			    int peer)
{
	struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
	struct sock *sk = sock->sk;
	int len = sizeof(struct sockaddr_iso);

	BT_DBG("sock %p, sk %p", sock, sk);

	addr->sa_family = AF_BLUETOOTH;

	if (peer) {
		struct hci_conn *hcon = iso_pi(sk)->conn ?
					iso_pi(sk)->conn->hcon : NULL;

		bacpy(&sa->iso_bdaddr, &iso_pi(sk)->dst);
		sa->iso_bdaddr_type = iso_pi(sk)->dst_type;

		/* Broadcast peers get the bc trailer; the whole bc_bis[]
		 * array is copied regardless of bc_num_bis.
		 */
		if (hcon && (hcon->type == BIS_LINK || hcon->type == PA_LINK)) {
			sa->iso_bc->bc_sid = iso_pi(sk)->bc_sid;
			sa->iso_bc->bc_num_bis = iso_pi(sk)->bc_num_bis;
			memcpy(sa->iso_bc->bc_bis, iso_pi(sk)->bc_bis,
			       ISO_MAX_NUM_BIS);
			len += sizeof(struct sockaddr_iso_bc);
		}
	} else {
		bacpy(&sa->iso_bdaddr, &iso_pi(sk)->src);
		sa->iso_bdaddr_type = iso_pi(sk)->src_type;
	}

	return len;
}

/* iso_sock_sendmsg - queue one SDU from user space on a connected ISO socket
 * @sock: socket to send on
 * @msg: user message; MSG_OOB is rejected, control messages are parsed
 *       into @sockc via sock_cmsg_send()
 * @len: total SDU length requested by the user
 *
 * The SDU is built as a head skb (with HCI_ISO_DATA_HDR_SIZE headroom) plus
 * a chain of continuation skbs on frag_list, each bounded to the link mtu
 * by bt_skb_sendmsg(), which is also what copies the untrusted user data.
 * The socket lock is dropped while the chain is built, so the connection
 * state is checked twice: once to read the mtu and again before handing
 * the frame to iso_send_frame().
 *
 * Returns 0 on success or a negative errno; on any failure the whole skb
 * chain is freed here (the pending socket error, -EOPNOTSUPP, -ENOTCONN,
 * or whatever bt_skb_sendmsg()/iso_send_frame() returned).
 *
 * NOTE(review): reading conn->hcon->mtu assumes conn is non-NULL whenever
 * sk_state == BT_CONNECTED - confirm against iso_conn_del().
 */
static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg,
			    size_t len)
{
	struct sock *sk = sock->sk;
	struct sk_buff *skb, **frag;
	struct sockcm_cookie sockc;
	size_t mtu;
	int err;

	BT_DBG("sock %p, sk %p", sock, sk);

	err = sock_error(sk);
	if (err)
		return err;

	if (msg->msg_flags & MSG_OOB)
		return -EOPNOTSUPP;

	hci_sockcm_init(&sockc, sk);

	if (msg->msg_controllen) {
		err = sock_cmsg_send(sk, msg, &sockc);
		if (err)
			return err;
	}

	lock_sock(sk);

	if (sk->sk_state != BT_CONNECTED) {
		release_sock(sk);
		return -ENOTCONN;
	}

	/* Snapshot the mtu under the lock; the chain below is built unlocked. */
	mtu = iso_pi(sk)->conn->hcon->mtu;

	release_sock(sk);

	skb = bt_skb_sendmsg(sk, msg, len, mtu, HCI_ISO_DATA_HDR_SIZE, 0);
	if (IS_ERR(skb))
		return PTR_ERR(skb);

	len -= skb->len;

	/* NOTE(review): the "%p" argument here is sk, not skb (cosmetic). */
	BT_DBG("skb %p len %d", sk, skb->len);

	/* Continuation fragments */
	frag = &skb_shinfo(skb)->frag_list;
	while (len) {
		struct sk_buff *tmp;

		tmp = bt_skb_sendmsg(sk, msg, len, mtu, 0, 0);
		if (IS_ERR(tmp)) {
			/* Frees the head and every fragment already chained. */
			kfree_skb(skb);
			return PTR_ERR(tmp);
		}

		*frag = tmp;

		len -= tmp->len;

		/* Account the fragment in the head so skb->len is the SDU size. */
		skb->len += tmp->len;
		skb->data_len += tmp->len;

		BT_DBG("frag %p len %d", *frag, tmp->len);

		frag = &(*frag)->next;
	}

	lock_sock(sk);

	/* The socket may have been disconnected while the lock was dropped. */
	if (sk->sk_state == BT_CONNECTED)
		err = iso_send_frame(sk, skb, &sockc);
	else
		err = -ENOTCONN;

	release_sock(sk);

	if (err < 0)
		kfree_skb(skb);
	return err;
}

/* iso_conn_defer_accept - accept a deferred incoming CIS
 * @conn: the CIS hci_conn whose request was held back by BT_DEFER_SETUP
 *
 * Moves the hcon to BT_CONFIG and issues HCI LE Accept CIS Request for its
 * handle. The result of hci_send_cmd() is not checked here; completion is
 * reported through the usual connect_cfm path.
 */
static void iso_conn_defer_accept(struct hci_conn *conn)
{
	struct hci_cp_le_accept_cis cp;
	struct hci_dev *hdev = conn->hdev;

	BT_DBG("conn %p", conn);

	conn->state = BT_CONFIG;

	cp.handle = cpu_to_le16(conn->handle);

	hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
}

/* iso_conn_big_sync - request BIG sync for a PA-synced broadcast sink socket
 * @sk: socket that already holds a PA sync (sync_handle, bc_bis, qos set)
 *
 * Copies the addresses out under lock_sock(), then takes hci_dev_lock()
 * before re-locking the socket (same lock order as the rest of this file).
 * BT_SK_BIG_SYNC is set with test_and_set_bit() so the command is issued at
 * most once per socket.
 *
 * NOTE(review): a failure from hci_conn_big_create_sync() is only logged
 * and BT_SK_BIG_SYNC stays set, so a later call on the same socket will not
 * retry - confirm that is intended. conn is also assumed non-NULL here.
 */
static void iso_conn_big_sync(struct sock *sk)
{
	int err;
	struct hci_dev *hdev;
	bdaddr_t src, dst;
	u8 src_type;

	lock_sock(sk);
	bacpy(&src, &iso_pi(sk)->src);
	bacpy(&dst, &iso_pi(sk)->dst);
	src_type = iso_pi(sk)->src_type;
	release_sock(sk);

	/* hci_get_route() returns a held hdev; released via hci_dev_put(). */
	hdev = hci_get_route(&dst, &src, src_type);

	if (!hdev)
		return;

	/* hci_le_big_create_sync requires hdev lock to be held, since
	 * it enqueues the HCI LE BIG Create Sync command via
	 * hci_cmd_sync_queue_once, which checks hdev flags that might
	 * change.
	 */
	hci_dev_lock(hdev);
	lock_sock(sk);

	if (!test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) {
		err = hci_conn_big_create_sync(hdev, iso_pi(sk)->conn->hcon,
					       &iso_pi(sk)->qos,
					       iso_pi(sk)->sync_handle,
					       iso_pi(sk)->bc_num_bis,
					       iso_pi(sk)->bc_bis);
		if (err)
			bt_dev_err(hdev, "hci_big_create_sync: %d", err);
	}

	release_sock(sk);
	hci_dev_unlock(hdev);
	hci_dev_put(hdev);
}

/* iso_sock_recvmsg - receive an SDU, or complete a deferred setup
 * @sock: socket to read from
 * @msg: destination message
 * @len: buffer length
 * @flags: MSG_* flags; MSG_ERRQUEUE is routed to sock_recv_errqueue()
 *
 * The first recvmsg() on a socket with BT_DEFER_SETUP set consumes the
 * flag (test_and_clear_bit) and, depending on the state, performs the
 * deferred action instead of reading data:
 *   BT_CONNECT2  - PA-sync parent: start BIG sync and go back to BT_LISTEN;
 *                  otherwise accept the pending CIS and move to BT_CONFIG.
 *   BT_CONNECTED - PA-sync parent only: re-run BIG sync, back to BT_LISTEN.
 *   BT_CONNECT   - issue the deferred outgoing CIS connect.
 * In those cases the call returns early with the connect error (or 0)
 * and no data is copied; any other state falls through to a normal read.
 *
 * Returns bytes received or a negative errno.
 *
 * NOTE(review): pi->conn is dereferenced in the BT_CONNECT2 branch without
 * a NULL check; this relies on conn being set before a child socket reaches
 * BT_CONNECT2 (see iso_conn_ready()) and not cleared underneath - confirm.
 */
static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg,
			    size_t len, int flags)
{
	struct sock *sk = sock->sk;
	struct iso_pinfo *pi = iso_pi(sk);
	bool early_ret = false;
	int err = 0;

	BT_DBG("sk %p", sk);

	if (unlikely(flags & MSG_ERRQUEUE))
		return sock_recv_errqueue(sk, msg, len, SOL_BLUETOOTH,
					  BT_SCM_ERROR);

	if (test_and_clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
		/* Hold sk: the lock is dropped around the HCI calls below. */
		sock_hold(sk);
		lock_sock(sk);

		switch (sk->sk_state) {
		case BT_CONNECT2:
			if (test_bit(BT_SK_PA_SYNC, &pi->flags)) {
				release_sock(sk);
				iso_conn_big_sync(sk);
				lock_sock(sk);

				sk->sk_state = BT_LISTEN;
			} else {
				iso_conn_defer_accept(pi->conn->hcon);
				sk->sk_state = BT_CONFIG;
			}

			early_ret = true;
			break;
		case BT_CONNECTED:
			if (test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) {
				release_sock(sk);
				iso_conn_big_sync(sk);
				lock_sock(sk);

				sk->sk_state = BT_LISTEN;
				early_ret = true;
			}

			break;
		case BT_CONNECT:
			release_sock(sk);
			err = iso_connect_cis(sk);
			lock_sock(sk);

			early_ret = true;
			break;
		default:
			break;
		}

		release_sock(sk);
		sock_put(sk);

		if (early_ret)
			return err;
	}

	return bt_sock_recvmsg(sock, msg, len, flags);
}

/* check_io_qos - validate one direction of a user-supplied ISO QoS
 * @qos: the in/out io_qos to validate
 *
 * Returns true if the values are within the ranges this layer accepts.
 */
static bool check_io_qos(struct bt_iso_io_qos *qos)
{
	/* If no PHY is enabled, the SDU size must be 0 */
	if
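(!qos->phys && qos->sdu)
		return false;

	/* Zero means "unset" for interval and latency; only non-zero values
	 * are range-checked.
	 */
	if (qos->interval && (qos->interval < 0xff || qos->interval > 0xfffff))
		return false;

	if (qos->latency && (qos->latency < 0x05 || qos->latency > 0xfa0))
		return false;

	if (qos->phys > BT_ISO_PHY_ANY)
		return false;

	return true;
}

/* check_ucast_qos - validate a user-supplied unicast (CIS) QoS
 * @qos: QoS as stored by the BT_ISO_QOS setsockopt
 *
 * Returns true if every field is within the range accepted here. CIG/CIS
 * identifiers may be <= 0xef or the *_UNSET sentinel. This is the only
 * validation the socket layer applies to the user-controlled QoS (the
 * setsockopt handler stores it unchecked), so anything not listed here is
 * passed down to the HCI layer as supplied.
 */
static bool check_ucast_qos(struct bt_iso_qos *qos)
{
	if (qos->ucast.cig > 0xef && qos->ucast.cig != BT_ISO_QOS_CIG_UNSET)
		return false;

	if (qos->ucast.cis > 0xef && qos->ucast.cis != BT_ISO_QOS_CIS_UNSET)
		return false;

	if (qos->ucast.sca > 0x07)
		return false;

	if (qos->ucast.packing > 0x01)
		return false;

	if (qos->ucast.framing > 0x01)
		return false;

	if (!check_io_qos(&qos->ucast.in))
		return false;

	if (!check_io_qos(&qos->ucast.out))
		return false;

	return true;
}

/* check_bcast_qos - validate and normalize a broadcast (BIG/BIS) QoS
 * @qos: QoS as stored by the BT_ISO_QOS setsockopt; modified in place
 *
 * Unlike check_ucast_qos() this also fills in defaults: a zero sync_factor
 * becomes 1 and a zero sync_timeout or timeout becomes BT_ISO_SYNC_TIMEOUT.
 * It therefore has to run on the copy that will actually be used
 * (iso_listen_bis() runs it on iso_pi(sk)->qos when qos_user_set).
 *
 * Returns false if any field is outside the range accepted here.
 *
 * NOTE(review): big/bis handles are not range-checked here, whereas
 * check_ucast_qos() does check cig/cis - presumably the HCI layer validates
 * them; confirm.
 */
static bool check_bcast_qos(struct bt_iso_qos *qos)
{
	if (!qos->bcast.sync_factor)
		qos->bcast.sync_factor = 0x01;

	if (qos->bcast.packing > 0x01)
		return false;

	if (qos->bcast.framing > 0x01)
		return false;

	if (!check_io_qos(&qos->bcast.in))
		return false;

	if (!check_io_qos(&qos->bcast.out))
		return false;

	if (qos->bcast.encryption > 0x01)
		return false;

	if (qos->bcast.options > 0x07)
		return false;

	if (qos->bcast.skip > 0x01f3)
		return false;

	if (!qos->bcast.sync_timeout)
		qos->bcast.sync_timeout = BT_ISO_SYNC_TIMEOUT;

	if (qos->bcast.sync_timeout < 0x000a || qos->bcast.sync_timeout > 0x4000)
		return false;

	if (qos->bcast.sync_cte_type > 0x1f)
		return false;

	if (qos->bcast.mse > 0x1f)
		return false;

	/* A zero BIG sync timeout gets the same default as sync_timeout above.
	 * This used to assign sync_timeout by mistake, which left timeout at 0
	 * so the range check below always rejected an unset value.
	 */
	if (!qos->bcast.timeout)
		qos->bcast.timeout = BT_ISO_SYNC_TIMEOUT;

	if (qos->bcast.timeout < 0x000a || qos->bcast.timeout > 0x4000)
		return false;

	return true;
}

/* iso_sock_setsockopt - SOL_BLUETOOTH options for ISO sockets
 * @sock: socket being configured
 * @level: ignored; only SOL_BLUETOOTH options are dispatched here
 * @optname: BT_DEFER_SETUP, BT_PKT_STATUS, BT_PKT_SEQNUM, BT_ISO_QOS or
 *           BT_ISO_BASE
 * @optval: user pointer to the option value
 * @optlen: length supplied by the user
 *
 * All copies from user space go through copy_safe_from_sockptr() with the
 * destination size as the bound. Validation of BT_ISO_QOS is deferred: the
 * value is stored as-is and qos_user_set is raised, and check_ucast_qos()
 * / check_bcast_qos() run later on connect/listen. BT_ISO_BASE is bounded
 * to sizeof(base) but its content is not inspected here.
 *
 * Returns 0, -EINVAL for a wrong state or oversized BASE, -ENOPROTOOPT for
 * an unknown option, or the copy error.
 */
static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
			       sockptr_t optval, unsigned int optlen)
{
	struct sock *sk = sock->sk;
	int err = 0;
	struct bt_iso_qos qos = default_qos;
	u32 opt;

	BT_DBG("sk %p", sk);

	lock_sock(sk);

	switch (optname) {
	case BT_DEFER_SETUP:
		/* Only meaningful before a connection exists. */
		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
			err = -EINVAL;
			break;
		}

		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
		if (err)
			break;

		if (opt)
			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
		else
			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
		break;

	case BT_PKT_STATUS:
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
		if (err)
			break;

		if (opt)
			set_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags);
		else
			clear_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags);
		break;

	case BT_PKT_SEQNUM:
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
		if (err)
			break;

		if (opt)
			set_bit(BT_SK_PKT_SEQNUM, &bt_sk(sk)->flags);
		else
			clear_bit(BT_SK_PKT_SEQNUM, &bt_sk(sk)->flags);
		break;

	case BT_ISO_QOS:
		/* Allowed while unconnected, while a deferred accept is
		 * pending, or on a connected PA-sync parent (which re-syncs).
		 */
		if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND &&
		    sk->sk_state != BT_CONNECT2 &&
		    (!test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags) ||
		    sk->sk_state != BT_CONNECTED)) {
			err = -EINVAL;
			break;
		}

		err = copy_safe_from_sockptr(&qos, sizeof(qos), optval, optlen);
		if (err)
			break;

		/* Stored unvalidated; checked by check_*_qos() on connect/listen. */
		iso_pi(sk)->qos = qos;
		iso_pi(sk)->qos_user_set = true;

		break;

	case BT_ISO_BASE:
		if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND &&
		    sk->sk_state != BT_CONNECT2) {
			err = -EINVAL;
			break;
		}

		/* Bounds the copy into the fixed-size base[] buffer. */
		if (optlen > sizeof(iso_pi(sk)->base)) {
			err = -EINVAL;
			break;
		}

		err = copy_safe_from_sockptr(iso_pi(sk)->base, optlen, optval,
					     optlen);
		if (err)
			break;

		iso_pi(sk)->base_len = optlen;

		break;

	default:
		err = -ENOPROTOOPT;
		break;
	}

	release_sock(sk);
	return err;
}

/* iso_sock_getsockopt - SOL_BLUETOOTH option readback for ISO sockets
 * @sock: socket being queried
 * @level: ignored
 * @optname: BT_DEFER_SETUP, BT_PKT_STATUS, BT_ISO_QOS or BT_ISO_BASE
 * @optval: user buffer
 * @optlen: user length, in and (for BT_ISO_BASE only) out
 *
 * The user length is clamped with min_t(unsigned int, ...) before
 * copy_to_user(), so a negative value is treated as "large" and clamped to
 * the object size; the kernel-side copy is always bounded by the object.
 *
 * NOTE(review): BT_ISO_QOS does not write the copied length back to
 * @optlen while BT_ISO_BASE does, and BT_PKT_SEQNUM can be set but not read
 * back - both look like inconsistencies rather than intent; confirm before
 * changing, since user space may depend on the current behaviour.
 *
 * Returns 0, -EFAULT on a failed user copy, -EINVAL for BT_DEFER_SETUP on a
 * connected socket, or -ENOPROTOOPT.
 */
static int iso_sock_getsockopt(struct socket *sock, int level, int optname,
			       char __user *optval, int __user *optlen)
{
	struct sock *sk = sock->sk;
	int len, err = 0;
	struct bt_iso_qos *qos;
	u8 base_len;
	u8 *base;

	BT_DBG("sk %p", sk);

	if (get_user(len, optlen))
		return -EFAULT;

	lock_sock(sk);

	switch (optname) {
	case BT_DEFER_SETUP:
		if (sk->sk_state == BT_CONNECTED) {
			err = -EINVAL;
			break;
		}

		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
			     (u32 __user *)optval))
			err = -EFAULT;

		break;

	case BT_PKT_STATUS:
		if (put_user(test_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags),
			     (int __user *)optval))
			err = -EFAULT;
		break;

	case BT_ISO_QOS:
		qos = iso_sock_get_qos(sk);

		len = min_t(unsigned int, len, sizeof(*qos));
		if (copy_to_user(optval, qos, len))
			err = -EFAULT;

		break;

	case BT_ISO_BASE:
		/* A connected broadcaster reports the BASE the controller is
		 * actually advertising; everything else reports the locally
		 * configured/received copy. conn is assumed non-NULL while
		 * BT_CONNECTED - TODO confirm against iso_conn_del().
		 */
		if (sk->sk_state == BT_CONNECTED &&
		    !bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) {
			base_len = iso_pi(sk)->conn->hcon->le_per_adv_data_len;
			base = iso_pi(sk)->conn->hcon->le_per_adv_data;
		} else {
			base_len = iso_pi(sk)->base_len;
			base = iso_pi(sk)->base;
		}

		len = min_t(unsigned int, len, base_len);
		if (copy_to_user(optval, base, len))
			err = -EFAULT;
		if (put_user(len, optlen))
			err = -EFAULT;

		break;

	default:
		err = -ENOPROTOOPT;
		break;
	}

	release_sock(sk);
	return err;
}

static int iso_sock_shutdown(struct socket *sock, int how)
{
	struct sock *sk = sock->sk;
	int err =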
0; 1959 1960 BT_DBG("sock %p, sk %p, how %d", sock, sk, how); 1961 1962 if (!sk) 1963 return 0; 1964 1965 sock_hold(sk); 1966 lock_sock(sk); 1967 1968 switch (how) { 1969 case SHUT_RD: 1970 if (sk->sk_shutdown & RCV_SHUTDOWN) 1971 goto unlock; 1972 sk->sk_shutdown |= RCV_SHUTDOWN; 1973 break; 1974 case SHUT_WR: 1975 if (sk->sk_shutdown & SEND_SHUTDOWN) 1976 goto unlock; 1977 sk->sk_shutdown |= SEND_SHUTDOWN; 1978 break; 1979 case SHUT_RDWR: 1980 if (sk->sk_shutdown & SHUTDOWN_MASK) 1981 goto unlock; 1982 sk->sk_shutdown |= SHUTDOWN_MASK; 1983 break; 1984 } 1985 1986 iso_sock_clear_timer(sk); 1987 __iso_sock_close(sk); 1988 1989 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime && 1990 !(current->flags & PF_EXITING)) 1991 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime); 1992 1993 unlock: 1994 release_sock(sk); 1995 sock_put(sk); 1996 1997 return err; 1998 } 1999 2000 static int iso_sock_release(struct socket *sock) 2001 { 2002 struct sock *sk = sock->sk; 2003 int err = 0; 2004 2005 BT_DBG("sock %p, sk %p", sock, sk); 2006 2007 if (!sk) 2008 return 0; 2009 2010 iso_sock_close(sk); 2011 2012 if (sock_flag(sk, SOCK_LINGER) && READ_ONCE(sk->sk_lingertime) && 2013 !(current->flags & PF_EXITING)) { 2014 lock_sock(sk); 2015 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime); 2016 release_sock(sk); 2017 } 2018 2019 sock_orphan(sk); 2020 iso_sock_kill(sk); 2021 return err; 2022 } 2023 2024 static void iso_sock_ready(struct sock *sk) 2025 { 2026 BT_DBG("sk %p", sk); 2027 2028 if (!sk) 2029 return; 2030 2031 lock_sock(sk); 2032 iso_sock_clear_timer(sk); 2033 sk->sk_state = BT_CONNECTED; 2034 sk->sk_state_change(sk); 2035 release_sock(sk); 2036 } 2037 2038 static bool iso_match_big(struct sock *sk, void *data) 2039 { 2040 struct hci_evt_le_big_sync_established *ev = data; 2041 2042 return ev->handle == iso_pi(sk)->qos.bcast.big; 2043 } 2044 2045 static bool iso_match_big_hcon(struct sock *sk, void *data) 2046 { 2047 struct hci_conn *hcon = data; 2048 2049 
return hcon->iso_qos.bcast.big == iso_pi(sk)->qos.bcast.big; 2050 } 2051 2052 static bool iso_match_pa_sync_flag(struct sock *sk, void *data) 2053 { 2054 return test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags); 2055 } 2056 2057 static bool iso_match_dst(struct sock *sk, void *data) 2058 { 2059 return !bacmp(&iso_pi(sk)->dst, (bdaddr_t *)data); 2060 } 2061 2062 static void iso_conn_ready(struct iso_conn *conn) 2063 { 2064 struct sock *parent = NULL; 2065 struct sock *sk = conn->sk; 2066 struct hci_ev_le_big_sync_established *ev = NULL; 2067 struct hci_ev_le_pa_sync_established *ev2 = NULL; 2068 struct hci_ev_le_per_adv_report *ev3 = NULL; 2069 struct hci_conn *hcon; 2070 struct hci_dev *hdev; 2071 2072 BT_DBG("conn %p", conn); 2073 2074 if (sk) { 2075 /* Attempt to update source address in case of BIS Sender if 2076 * the advertisement is using a random address. 2077 */ 2078 if (conn->hcon->type == BIS_LINK && 2079 conn->hcon->role == HCI_ROLE_MASTER && 2080 !bacmp(&conn->hcon->dst, BDADDR_ANY)) { 2081 struct hci_conn *bis = conn->hcon; 2082 struct adv_info *adv; 2083 2084 adv = hci_find_adv_instance(bis->hdev, 2085 bis->iso_qos.bcast.bis); 2086 if (adv && bacmp(&adv->random_addr, BDADDR_ANY)) { 2087 lock_sock(sk); 2088 iso_pi(sk)->src_type = BDADDR_LE_RANDOM; 2089 bacpy(&iso_pi(sk)->src, &adv->random_addr); 2090 release_sock(sk); 2091 } 2092 } 2093 2094 iso_sock_ready(conn->sk); 2095 } else { 2096 hcon = conn->hcon; 2097 if (!hcon) 2098 return; 2099 2100 hdev = hcon->hdev; 2101 2102 if (test_bit(HCI_CONN_BIG_SYNC, &hcon->flags)) { 2103 /* A BIS slave hcon is notified to the ISO layer 2104 * after the Command Complete for the LE Setup 2105 * ISO Data Path command is received. Get the 2106 * parent socket that matches the hcon BIG handle. 
2107 */ 2108 parent = iso_get_sock(hdev, &hcon->src, &hcon->dst, 2109 BT_LISTEN, iso_match_big_hcon, 2110 hcon); 2111 } else if (test_bit(HCI_CONN_BIG_SYNC_FAILED, &hcon->flags)) { 2112 ev = hci_recv_event_data(hcon->hdev, 2113 HCI_EVT_LE_BIG_SYNC_ESTABLISHED); 2114 2115 /* Get reference to PA sync parent socket, if it exists */ 2116 parent = iso_get_sock(hdev, &hcon->src, &hcon->dst, 2117 BT_LISTEN, 2118 iso_match_pa_sync_flag, 2119 NULL); 2120 if (!parent && ev) 2121 parent = iso_get_sock(hdev, &hcon->src, 2122 &hcon->dst, 2123 BT_LISTEN, 2124 iso_match_big, ev); 2125 } else if (test_bit(HCI_CONN_PA_SYNC_FAILED, &hcon->flags)) { 2126 ev2 = hci_recv_event_data(hcon->hdev, 2127 HCI_EV_LE_PA_SYNC_ESTABLISHED); 2128 if (ev2) 2129 parent = iso_get_sock(hdev, &hcon->src, 2130 &hcon->dst, 2131 BT_LISTEN, 2132 iso_match_sid, ev2); 2133 } else if (test_bit(HCI_CONN_PA_SYNC, &hcon->flags)) { 2134 ev3 = hci_recv_event_data(hcon->hdev, 2135 HCI_EV_LE_PER_ADV_REPORT); 2136 if (ev3) 2137 parent = iso_get_sock(hdev, &hcon->src, 2138 &hcon->dst, 2139 BT_LISTEN, 2140 iso_match_sync_handle_pa_report, 2141 ev3); 2142 } 2143 2144 if (!parent) 2145 parent = iso_get_sock(hdev, &hcon->src, BDADDR_ANY, 2146 BT_LISTEN, iso_match_dst, BDADDR_ANY); 2147 2148 if (!parent) 2149 return; 2150 2151 lock_sock(parent); 2152 2153 sk = iso_sock_alloc(sock_net(parent), NULL, 2154 BTPROTO_ISO, GFP_ATOMIC, 0); 2155 if (!sk) { 2156 release_sock(parent); 2157 return; 2158 } 2159 2160 iso_sock_init(sk, parent); 2161 2162 bacpy(&iso_pi(sk)->src, &hcon->src); 2163 2164 /* Convert from HCI to three-value type */ 2165 if (hcon->src_type == ADDR_LE_DEV_PUBLIC) 2166 iso_pi(sk)->src_type = BDADDR_LE_PUBLIC; 2167 else 2168 iso_pi(sk)->src_type = BDADDR_LE_RANDOM; 2169 2170 /* If hcon has no destination address (BDADDR_ANY) it means it 2171 * was created by HCI_EV_LE_BIG_SYNC_ESTABILISHED or 2172 * HCI_EV_LE_PA_SYNC_ESTABLISHED so we need to initialize using 2173 * the parent socket destination address. 
2174 */ 2175 if (!bacmp(&hcon->dst, BDADDR_ANY)) { 2176 bacpy(&hcon->dst, &iso_pi(parent)->dst); 2177 hcon->dst_type = le_addr_type(iso_pi(parent)->dst_type); 2178 } 2179 2180 if (test_bit(HCI_CONN_PA_SYNC, &hcon->flags)) { 2181 iso_pi(sk)->qos = iso_pi(parent)->qos; 2182 hcon->iso_qos = iso_pi(sk)->qos; 2183 iso_pi(sk)->bc_sid = iso_pi(parent)->bc_sid; 2184 iso_pi(sk)->bc_num_bis = iso_pi(parent)->bc_num_bis; 2185 memcpy(iso_pi(sk)->bc_bis, iso_pi(parent)->bc_bis, 2186 ISO_MAX_NUM_BIS); 2187 set_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags); 2188 } 2189 2190 bacpy(&iso_pi(sk)->dst, &hcon->dst); 2191 2192 /* Convert from HCI to three-value type */ 2193 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC) 2194 iso_pi(sk)->dst_type = BDADDR_LE_PUBLIC; 2195 else 2196 iso_pi(sk)->dst_type = BDADDR_LE_RANDOM; 2197 2198 iso_pi(sk)->sync_handle = iso_pi(parent)->sync_handle; 2199 memcpy(iso_pi(sk)->base, iso_pi(parent)->base, iso_pi(parent)->base_len); 2200 iso_pi(sk)->base_len = iso_pi(parent)->base_len; 2201 2202 hci_conn_hold(hcon); 2203 iso_chan_add(conn, sk, parent); 2204 2205 if ((ev && ((struct hci_evt_le_big_sync_established *)ev)->status) || 2206 (ev2 && ev2->status)) { 2207 /* Trigger error signal on child socket */ 2208 sk->sk_err = ECONNREFUSED; 2209 sk->sk_error_report(sk); 2210 } 2211 2212 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags)) 2213 sk->sk_state = BT_CONNECT2; 2214 else 2215 sk->sk_state = BT_CONNECTED; 2216 2217 /* Wake up parent */ 2218 parent->sk_data_ready(parent); 2219 2220 release_sock(parent); 2221 sock_put(parent); 2222 } 2223 } 2224 2225 static bool iso_match_sid(struct sock *sk, void *data) 2226 { 2227 struct hci_ev_le_pa_sync_established *ev = data; 2228 2229 if (iso_pi(sk)->bc_sid == HCI_SID_INVALID) 2230 return true; 2231 2232 return ev->sid == iso_pi(sk)->bc_sid; 2233 } 2234 2235 static bool iso_match_sid_past(struct sock *sk, void *data) 2236 { 2237 struct hci_ev_le_past_received *ev = data; 2238 2239 if (iso_pi(sk)->bc_sid == HCI_SID_INVALID) 
return true;

	return ev->sid == iso_pi(sk)->bc_sid;
}

/* iso_match_sync_handle - match a listening socket to a BIG Info report */
static bool iso_match_sync_handle(struct sock *sk, void *data)
{
	struct hci_evt_le_big_info_adv_report *ev = data;

	return le16_to_cpu(ev->sync_handle) == iso_pi(sk)->sync_handle;
}

/* iso_match_sync_handle_pa_report - match a socket to a PA report */
static bool iso_match_sync_handle_pa_report(struct sock *sk, void *data)
{
	struct hci_ev_le_per_adv_report *ev = data;

	return le16_to_cpu(ev->sync_handle) == iso_pi(sk)->sync_handle;
}

/* ----- ISO interface with lower layer (HCI) ----- */

/* iso_connect_ind - tell HCI whether an incoming ISO link has a listener
 * @hdev: controller that delivered the event
 * @bdaddr: remote address the event refers to
 * @flags: output; HCI_PROTO_DEFER is set when the matched socket has
 *         BT_DEFER_SETUP
 *
 * Called from the HCI event path; the event being processed is recovered
 * with hci_recv_event_data() and dispatched on its type (see the comment
 * in the body). Event payloads come from the controller and are treated as
 * untrusted: the PA-report branch bounds every write into the fixed-size
 * hcon->le_per_adv_data and iso_pi(sk)->base buffers, and the BIG Info
 * branch clamps bc_num_bis to what the BIG advertises.
 *
 * iso_get_sock() returns a held reference; every path ends in sock_put()
 * at @done, or drops the reference explicitly before clearing @sk.
 *
 * Returns HCI_LM_ACCEPT if a listening socket was found (even when the
 * event itself carries a failure status, which is then surfaced on the
 * child socket by iso_conn_ready()), 0 otherwise. A failed BIG Create Sync
 * request is reported as 0 as well.
 *
 * NOTE(review): iso_pi(sk)->conn is dereferenced without a NULL check in
 * the BIG Info and PA report branches (only conn->hcon is checked in the
 * latter). A listening broadcast socket gets its conn in iso_listen_bis(),
 * but confirm it cannot be cleared concurrently by iso_conn_del().
 */
int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
{
	struct hci_ev_le_pa_sync_established *ev1;
	struct hci_ev_le_past_received *ev1a;
	struct hci_evt_le_big_info_adv_report *ev2;
	struct hci_ev_le_per_adv_report *ev3;
	struct sock *sk;

	bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);

	/* Broadcast receiver requires handling of some events before it can
	 * proceed to establishing a BIG sync:
	 *
	 * 1. HCI_EV_LE_PA_SYNC_ESTABLISHED: The socket may specify a specific
	 * SID to listen to and once sync is established its handle needs to
	 * be stored in iso_pi(sk)->sync_handle so it can be matched once
	 * receiving the BIG Info.
	 * 1a. HCI_EV_LE_PAST_RECEIVED: alternative to 1.
	 * 2. HCI_EVT_LE_BIG_INFO_ADV_REPORT: When connect_ind is triggered by
	 * a BIG Info it attempts to check if there is any listening socket
	 * with the same sync_handle and if so attempts to create a sync.
	 * 3. HCI_EV_LE_PER_ADV_REPORT: When a PA report is received, it is
	 * stored in iso_pi(sk)->base so it can be passed up to user, in the
	 * case of a broadcast sink.
	 */
	ev1 = hci_recv_event_data(hdev, HCI_EV_LE_PA_SYNC_ESTABLISHED);
	if (ev1) {
		sk = iso_get_sock(hdev, &hdev->bdaddr, bdaddr, BT_LISTEN,
				  iso_match_sid, ev1);
		/* Only a successful sync records the handle/SID; a failed one
		 * is still accepted so the failure reaches user space.
		 */
		if (sk && !ev1->status) {
			lock_sock(sk);
			iso_pi(sk)->sync_handle = le16_to_cpu(ev1->handle);
			iso_pi(sk)->bc_sid = ev1->sid;
			release_sock(sk);
		}

		goto done;
	}

	ev1a = hci_recv_event_data(hdev, HCI_EV_LE_PAST_RECEIVED);
	if (ev1a) {
		sk = iso_get_sock(hdev, &hdev->bdaddr, bdaddr, BT_LISTEN,
				  iso_match_sid_past, ev1a);
		if (sk && !ev1a->status) {
			lock_sock(sk);
			iso_pi(sk)->sync_handle = le16_to_cpu(ev1a->sync_handle);
			iso_pi(sk)->bc_sid = ev1a->sid;
			release_sock(sk);
		}

		goto done;
	}

	ev2 = hci_recv_event_data(hdev, HCI_EVT_LE_BIG_INFO_ADV_REPORT);
	if (ev2) {
		/* Check if BIGInfo report has already been handled */
		sk = iso_get_sock(hdev, &hdev->bdaddr, bdaddr, BT_CONNECTED,
				  iso_match_sync_handle, ev2);
		if (sk) {
			sock_put(sk);
			sk = NULL;
			goto done;
		}

		/* Try to get PA sync socket, if it exists */
		sk = iso_get_sock(hdev, &hdev->bdaddr, bdaddr, BT_CONNECT2,
				  iso_match_sync_handle, ev2);
		if (!sk)
			sk = iso_get_sock(hdev, &hdev->bdaddr, bdaddr,
					  BT_LISTEN,
					  iso_match_sync_handle,
					  ev2);

		if (sk) {
			int err = 0;
			bool big_sync;
			struct hci_conn *hcon;

			lock_sock(sk);

			hcon = iso_pi(sk)->conn->hcon;
			iso_pi(sk)->qos.bcast.encryption = ev2->encryption;

			/* Never request more BIS than the BIG advertises. */
			if (ev2->num_bis < iso_pi(sk)->bc_num_bis)
				iso_pi(sk)->bc_num_bis = ev2->num_bis;

			/* With BT_DEFER_SETUP the sync is started later from
			 * recvmsg(); BT_SK_BIG_SYNC guards against issuing it
			 * twice.
			 */
			big_sync = !test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags) &&
				   !test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags);

			if (big_sync)
				err = hci_conn_big_create_sync(hdev, hcon,
							       &iso_pi(sk)->qos,
							       iso_pi(sk)->sync_handle,
							       iso_pi(sk)->bc_num_bis,
							       iso_pi(sk)->bc_bis);

			release_sock(sk);

			if (big_sync && err) {
				bt_dev_err(hdev, "hci_le_big_create_sync: %d",
					   err);
				sock_put(sk);
				sk = NULL;
			}
		}

		goto done;
	}

	ev3 = hci_recv_event_data(hdev, HCI_EV_LE_PER_ADV_REPORT);
	if (ev3) {
		size_t base_len = 0;
		u8 *base;
		struct hci_conn *hcon;

		sk = iso_get_sock(hdev, &hdev->bdaddr, bdaddr, BT_LISTEN,
				  iso_match_sync_handle_pa_report, ev3);
		if (!sk)
			goto done;

		hcon = iso_pi(sk)->conn->hcon;
		if (!hcon)
			goto done;

		/* Reassembly state lives on the hcon and is updated without
		 * lock_sock(); presumably serialized by the caller's
		 * hci_dev_lock - confirm.
		 */
		if (ev3->data_status == LE_PA_DATA_TRUNCATED) {
			/* The controller was unable to retrieve PA data. */
			memset(hcon->le_per_adv_data, 0,
			       HCI_MAX_PER_AD_TOT_LEN);
			hcon->le_per_adv_data_len = 0;
			hcon->le_per_adv_data_offset = 0;
			goto done;
		}

		/* Bounds the append into the fixed-size le_per_adv_data
		 * buffer; an oversized fragment is ignored.
		 *
		 * NOTE(review): unlike the TRUNCATED branch this keeps the
		 * partial reassembly, so a later COMPLETE fragment would be
		 * published on top of the stale prefix - consider resetting
		 * offset/len here as well.
		 */
		if (hcon->le_per_adv_data_offset + ev3->length >
		    HCI_MAX_PER_AD_TOT_LEN)
			goto done;

		memcpy(hcon->le_per_adv_data + hcon->le_per_adv_data_offset,
		       ev3->data, ev3->length);
		hcon->le_per_adv_data_offset += ev3->length;

		if (ev3->data_status == LE_PA_DATA_COMPLETE) {
			/* All PA data has been received. */
			hcon->le_per_adv_data_len =
				hcon->le_per_adv_data_offset;
			hcon->le_per_adv_data_offset = 0;

			/* Extract BASE */
			base = eir_get_service_data(hcon->le_per_adv_data,
						    hcon->le_per_adv_data_len,
						    EIR_BAA_SERVICE_UUID,
						    &base_len);

			/* Bounds the copy into iso_pi(sk)->base; the
			 * assignment to the narrower base_len field relies
			 * on BASE_MAX_LENGTH fitting in it.
			 */
			if (!base || base_len > BASE_MAX_LENGTH)
				goto done;

			lock_sock(sk);
			memcpy(iso_pi(sk)->base, base, base_len);
			iso_pi(sk)->base_len = base_len;
			release_sock(sk);
		} else {
			/* This is a PA data fragment. Keep pa_data_len set to 0
			 * until all data has been reassembled.
			 */
			hcon->le_per_adv_data_len = 0;
		}
	} else {
		/* Any other trigger: accept if some socket listens on any
		 * destination.
		 */
		sk = iso_get_sock(hdev, &hdev->bdaddr, BDADDR_ANY,
				  BT_LISTEN, iso_match_dst, BDADDR_ANY);
	}

done:
	if (!sk)
		return 0;

	if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
		*flags |= HCI_PROTO_DEFER;

	sock_put(sk);

	return HCI_LM_ACCEPT;
}

static void iso_connect_cfm(struct hci_conn *hcon, __u8 status)
{
	if (hcon->type != CIS_LINK && hcon->type != BIS_LINK &&
	    hcon->type != PA_LINK) {
		if (hcon->type != LE_LINK)
			return;

		/* Check if LE link has failed */
		if (status) {
			struct hci_link *link, *t;

			list_for_each_entry_safe(link, t, &hcon->link_list,
						 list)
				iso_conn_del(link->conn, bt_to_errno(status));

			return;
		}

		/* Create CIS if pending */
		hci_le_create_cis_pending(hcon->hdev);
		return;
	}

	BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);

	/* Similar to the success case, if HCI_CONN_BIG_SYNC_FAILED or
	 * HCI_CONN_PA_SYNC_FAILED is set, queue the failed connection
	 * into the accept queue of the listening socket and wake up
	 * userspace, to inform the user about the event.
2473 */ 2474 if (!status || test_bit(HCI_CONN_BIG_SYNC_FAILED, &hcon->flags) || 2475 test_bit(HCI_CONN_PA_SYNC_FAILED, &hcon->flags)) { 2476 struct iso_conn *conn; 2477 2478 conn = iso_conn_add(hcon); 2479 if (conn) 2480 iso_conn_ready(conn); 2481 } else { 2482 iso_conn_del(hcon, bt_to_errno(status)); 2483 } 2484 } 2485 2486 static void iso_disconn_cfm(struct hci_conn *hcon, __u8 reason) 2487 { 2488 if (hcon->type != CIS_LINK && hcon->type != BIS_LINK && 2489 hcon->type != PA_LINK) 2490 return; 2491 2492 BT_DBG("hcon %p reason %d", hcon, reason); 2493 2494 iso_conn_del(hcon, bt_to_errno(reason)); 2495 } 2496 2497 int iso_recv(struct hci_dev *hdev, u16 handle, struct sk_buff *skb, u16 flags) 2498 { 2499 struct hci_conn *hcon; 2500 struct iso_conn *conn; 2501 struct skb_shared_hwtstamps *hwts; 2502 __u16 pb, ts, len, sn; 2503 2504 hci_dev_lock(hdev); 2505 2506 hcon = hci_conn_hash_lookup_handle(hdev, handle); 2507 if (!hcon) { 2508 hci_dev_unlock(hdev); 2509 kfree_skb(skb); 2510 return -ENOENT; 2511 } 2512 2513 conn = iso_conn_hold_unless_zero(hcon->iso_data); 2514 hcon = NULL; 2515 2516 hci_dev_unlock(hdev); 2517 2518 if (!conn) { 2519 kfree_skb(skb); 2520 return -EINVAL; 2521 } 2522 2523 pb = hci_iso_flags_pb(flags); 2524 ts = hci_iso_flags_ts(flags); 2525 2526 BT_DBG("conn %p len %d pb 0x%x ts 0x%x", conn, skb->len, pb, ts); 2527 2528 switch (pb) { 2529 case ISO_START: 2530 case ISO_SINGLE: 2531 if (conn->rx_len) { 2532 BT_ERR("Unexpected start frame (len %d)", skb->len); 2533 kfree_skb(conn->rx_skb); 2534 conn->rx_skb = NULL; 2535 conn->rx_len = 0; 2536 } 2537 2538 if (ts) { 2539 struct hci_iso_ts_data_hdr *hdr; 2540 2541 hdr = skb_pull_data(skb, HCI_ISO_TS_DATA_HDR_SIZE); 2542 if (!hdr) { 2543 BT_ERR("Frame is too short (len %d)", skb->len); 2544 goto drop; 2545 } 2546 2547 /* Record the timestamp to skb */ 2548 hwts = skb_hwtstamps(skb); 2549 hwts->hwtstamp = us_to_ktime(le32_to_cpu(hdr->ts)); 2550 2551 sn = __le16_to_cpu(hdr->sn); 2552 len = 
__le16_to_cpu(hdr->slen); 2553 } else { 2554 struct hci_iso_data_hdr *hdr; 2555 2556 hdr = skb_pull_data(skb, HCI_ISO_DATA_HDR_SIZE); 2557 if (!hdr) { 2558 BT_ERR("Frame is too short (len %d)", skb->len); 2559 goto drop; 2560 } 2561 2562 sn = __le16_to_cpu(hdr->sn); 2563 len = __le16_to_cpu(hdr->slen); 2564 } 2565 2566 flags = hci_iso_data_flags(len); 2567 len = hci_iso_data_len(len); 2568 2569 BT_DBG("Start: total len %d, frag len %d flags 0x%4.4x sn %d", 2570 len, skb->len, flags, sn); 2571 2572 if (len == skb->len) { 2573 /* Complete frame received */ 2574 hci_skb_pkt_status(skb) = flags & 0x03; 2575 hci_skb_pkt_seqnum(skb) = sn; 2576 iso_recv_frame(conn, skb); 2577 goto done; 2578 } 2579 2580 if (pb == ISO_SINGLE) { 2581 BT_ERR("Frame malformed (len %d, expected len %d)", 2582 skb->len, len); 2583 goto drop; 2584 } 2585 2586 if (skb->len > len) { 2587 BT_ERR("Frame is too long (len %d, expected len %d)", 2588 skb->len, len); 2589 goto drop; 2590 } 2591 2592 /* Allocate skb for the complete frame (with header) */ 2593 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL); 2594 if (!conn->rx_skb) 2595 goto drop; 2596 2597 hci_skb_pkt_status(conn->rx_skb) = flags & 0x03; 2598 hci_skb_pkt_seqnum(conn->rx_skb) = sn; 2599 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len), 2600 skb->len); 2601 conn->rx_len = len - skb->len; 2602 2603 /* Copy hw timestamp from skb to rx_skb if present */ 2604 if (ts) { 2605 hwts = skb_hwtstamps(conn->rx_skb); 2606 hwts->hwtstamp = skb_hwtstamps(skb)->hwtstamp; 2607 } 2608 2609 break; 2610 2611 case ISO_CONT: 2612 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, 2613 conn->rx_len); 2614 2615 if (!conn->rx_len) { 2616 BT_ERR("Unexpected continuation frame (len %d)", 2617 skb->len); 2618 goto drop; 2619 } 2620 2621 if (skb->len > conn->rx_len) { 2622 BT_ERR("Fragment is too long (len %d, expected %d)", 2623 skb->len, conn->rx_len); 2624 kfree_skb(conn->rx_skb); 2625 conn->rx_skb = NULL; 2626 conn->rx_len = 0; 2627 goto drop; 2628 
} 2629 2630 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len), 2631 skb->len); 2632 conn->rx_len -= skb->len; 2633 break; 2634 2635 case ISO_END: 2636 if (!conn->rx_len) { 2637 BT_ERR("Unexpected end frame (len %d)", skb->len); 2638 goto drop; 2639 } 2640 2641 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len), 2642 skb->len); 2643 conn->rx_len -= skb->len; 2644 2645 if (!conn->rx_len) { 2646 struct sk_buff *rx_skb = conn->rx_skb; 2647 2648 /* Complete frame received. iso_recv_frame 2649 * takes ownership of the skb so set the global 2650 * rx_skb pointer to NULL first. 2651 */ 2652 conn->rx_skb = NULL; 2653 iso_recv_frame(conn, rx_skb); 2654 } 2655 break; 2656 } 2657 2658 drop: 2659 kfree_skb(skb); 2660 done: 2661 iso_conn_put(conn); 2662 return 0; 2663 } 2664 2665 static struct hci_cb iso_cb = { 2666 .name = "ISO", 2667 .connect_cfm = iso_connect_cfm, 2668 .disconn_cfm = iso_disconn_cfm, 2669 }; 2670 2671 static int iso_debugfs_show(struct seq_file *f, void *p) 2672 { 2673 struct sock *sk; 2674 2675 read_lock(&iso_sk_list.lock); 2676 2677 sk_for_each(sk, &iso_sk_list.head) { 2678 seq_printf(f, "%pMR %pMR %d\n", &iso_pi(sk)->src, 2679 &iso_pi(sk)->dst, sk->sk_state); 2680 } 2681 2682 read_unlock(&iso_sk_list.lock); 2683 2684 return 0; 2685 } 2686 2687 DEFINE_SHOW_ATTRIBUTE(iso_debugfs); 2688 2689 static struct dentry *iso_debugfs; 2690 2691 static const struct proto_ops iso_sock_ops = { 2692 .family = PF_BLUETOOTH, 2693 .owner = THIS_MODULE, 2694 .release = iso_sock_release, 2695 .bind = iso_sock_bind, 2696 .connect = iso_sock_connect, 2697 .listen = iso_sock_listen, 2698 .accept = iso_sock_accept, 2699 .getname = iso_sock_getname, 2700 .sendmsg = iso_sock_sendmsg, 2701 .recvmsg = iso_sock_recvmsg, 2702 .poll = bt_sock_poll, 2703 .ioctl = bt_sock_ioctl, 2704 .mmap = sock_no_mmap, 2705 .socketpair = sock_no_socketpair, 2706 .shutdown = iso_sock_shutdown, 2707 .setsockopt = iso_sock_setsockopt, 2708 .getsockopt = iso_sock_getsockopt 2709 }; 
/* Family hook through which the Bluetooth core creates ISO sockets. */
static const struct net_proto_family iso_sock_family_ops = {
	.family	= PF_BLUETOOTH,
	.owner	= THIS_MODULE,
	.create	= iso_sock_create,
};

/* Set by iso_init(), cleared by iso_exit(); guards against double init. */
static bool inited;

/* Reports whether the ISO socket layer is currently initialized. */
bool iso_inited(void)
{
	return inited;
}

/* Registers the ISO protocol, socket family, proc file, HCI callbacks and
 * debugfs entry, in that order.
 *
 * Returns 0 on success, -EALREADY if already initialized, or the negative
 * error from proto_register()/bt_sock_register()/bt_procfs_init(), in which
 * case everything registered before the failing step is unregistered again.
 */
int iso_init(void)
{
	int err;

	BUILD_BUG_ON(sizeof(struct sockaddr_iso) > sizeof(struct sockaddr));

	if (inited)
		return -EALREADY;

	err = proto_register(&iso_proto, 0);
	if (err < 0)
		return err;

	err = bt_sock_register(BTPROTO_ISO, &iso_sock_family_ops);
	if (err < 0) {
		BT_ERR("ISO socket registration failed");
		goto unregister_proto;
	}

	err = bt_procfs_init(&init_net, "iso", &iso_sk_list, NULL);
	if (err < 0) {
		BT_ERR("Failed to create ISO proc file");
		goto unregister_sock;
	}

	BT_INFO("ISO socket layer initialized");

	hci_register_cb(&iso_cb);

	/* The debugfs file is optional: skipped when the Bluetooth root
	 * directory was not created.
	 */
	if (!IS_ERR_OR_NULL(bt_debugfs))
		iso_debugfs = debugfs_create_file("iso", 0444, bt_debugfs,
						  NULL, &iso_debugfs_fops);

	inited = true;

	return 0;

unregister_sock:
	bt_sock_unregister(BTPROTO_ISO);
unregister_proto:
	proto_unregister(&iso_proto);
	return err;
}

/* Tears down everything iso_init() set up, in reverse order.
 *
 * Returns 0, or -EALREADY if the layer is not initialized.
 */
int iso_exit(void)
{
	if (!inited)
		return -EALREADY;

	bt_procfs_cleanup(&init_net, "iso");

	debugfs_remove(iso_debugfs);
	iso_debugfs = NULL;

	hci_unregister_cb(&iso_cb);

	bt_sock_unregister(BTPROTO_ISO);

	proto_unregister(&iso_proto);

	inited = false;

	return 0;
}