1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * BlueZ - Bluetooth protocol stack for Linux 4 * 5 * Copyright (C) 2022 Intel Corporation 6 * Copyright 2023-2024 NXP 7 */ 8 9 #include <linux/module.h> 10 #include <linux/debugfs.h> 11 #include <linux/seq_file.h> 12 #include <linux/sched/signal.h> 13 14 #include <net/bluetooth/bluetooth.h> 15 #include <net/bluetooth/hci_core.h> 16 #include <net/bluetooth/iso.h> 17 #include "eir.h" 18 19 static const struct proto_ops iso_sock_ops; 20 21 static struct bt_sock_list iso_sk_list = { 22 .lock = __RW_LOCK_UNLOCKED(iso_sk_list.lock) 23 }; 24 25 /* ---- ISO connections ---- */ 26 struct iso_conn { 27 struct hci_conn *hcon; 28 29 /* @lock: spinlock protecting changes to iso_conn fields */ 30 spinlock_t lock; 31 struct sock *sk; 32 33 struct delayed_work timeout_work; 34 35 struct sk_buff *rx_skb; 36 __u32 rx_len; 37 __u16 tx_sn; 38 struct kref ref; 39 }; 40 41 #define iso_conn_lock(c) spin_lock(&(c)->lock) 42 #define iso_conn_unlock(c) spin_unlock(&(c)->lock) 43 44 static void iso_sock_close(struct sock *sk); 45 static void iso_sock_kill(struct sock *sk); 46 47 /* ----- ISO socket info ----- */ 48 #define iso_pi(sk) ((struct iso_pinfo *)sk) 49 50 #define EIR_SERVICE_DATA_LENGTH 4 51 #define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH) 52 #define EIR_BAA_SERVICE_UUID 0x1851 53 54 /* iso_pinfo flags values */ 55 enum { 56 BT_SK_BIG_SYNC, 57 BT_SK_PA_SYNC, 58 }; 59 60 struct iso_pinfo { 61 struct bt_sock bt; 62 bdaddr_t src; 63 __u8 src_type; 64 bdaddr_t dst; 65 __u8 dst_type; 66 __u8 bc_sid; 67 __u8 bc_num_bis; 68 __u8 bc_bis[ISO_MAX_NUM_BIS]; 69 __u16 sync_handle; 70 unsigned long flags; 71 struct bt_iso_qos qos; 72 bool qos_user_set; 73 __u8 base_len; 74 __u8 base[BASE_MAX_LENGTH]; 75 struct iso_conn *conn; 76 }; 77 78 static struct bt_iso_qos default_qos; 79 80 static bool check_ucast_qos(struct bt_iso_qos *qos); 81 static bool check_bcast_qos(struct bt_iso_qos *qos); 82 static bool iso_match_sid(struct sock *sk, void *data); 83 static bool iso_match_sync_handle(struct sock *sk, void *data); 84 static bool iso_match_sync_handle_pa_report(struct sock *sk, void *data); 85 static void iso_sock_disconn(struct sock *sk); 86 87 typedef bool (*iso_sock_match_t)(struct sock *sk, void *data); 88 89 static struct sock *iso_get_sock(bdaddr_t *src, bdaddr_t *dst, 90 enum bt_sock_state state, 91 iso_sock_match_t match, void *data); 92 93 /* ---- ISO timers ---- */ 94 #define ISO_CONN_TIMEOUT secs_to_jiffies(20) 95 #define ISO_DISCONN_TIMEOUT secs_to_jiffies(2) 96 97 static void iso_conn_free(struct kref *ref) 98 { 99 struct iso_conn *conn = container_of(ref, struct iso_conn, ref); 100 101 BT_DBG("conn %p", conn); 102 103 if (conn->sk) 104 iso_pi(conn->sk)->conn = NULL; 105 106 if (conn->hcon) { 107 conn->hcon->iso_data = NULL; 108 hci_conn_drop(conn->hcon); 109 } 110 111 /* Ensure no more work items will run since hci_conn has been dropped */ 112 disable_delayed_work_sync(&conn->timeout_work); 113 114 kfree_skb(conn->rx_skb); 115 116 kfree(conn); 117 } 118 119 static void iso_conn_put(struct iso_conn *conn) 120 { 121 if (!conn) 122 return; 123 124 BT_DBG("conn %p refcnt %d", conn, kref_read(&conn->ref)); 125 126 kref_put(&conn->ref, iso_conn_free); 127 } 128 129 static struct iso_conn *iso_conn_hold_unless_zero(struct iso_conn *conn) 130 { 131 if (!conn) 132 return NULL; 133 134 BT_DBG("conn %p refcnt %u", conn, kref_read(&conn->ref)); 135 136 if (!kref_get_unless_zero(&conn->ref)) 137 return NULL; 138 139 return conn; 140 } 141 142 static struct sock *iso_sock_hold(struct iso_conn *conn) 143 { 144 if (!conn || !bt_sock_linked(&iso_sk_list, conn->sk)) 145 return NULL; 146 147 sock_hold(conn->sk); 148 149 return conn->sk; 150 } 151 152 static void iso_sock_timeout(struct work_struct *work) 153 { 154 struct iso_conn *conn = container_of(work, struct iso_conn, 155 timeout_work.work); 156 struct sock *sk; 157 158 conn = iso_conn_hold_unless_zero(conn); 159 if (!conn) 160 return; 161 162 iso_conn_lock(conn); 163 sk = iso_sock_hold(conn); 164 iso_conn_unlock(conn); 165 iso_conn_put(conn); 166 167 if (!sk) 168 return; 169 170 BT_DBG("sock %p state %d", sk, sk->sk_state); 171 172 lock_sock(sk); 173 sk->sk_err = ETIMEDOUT; 174 sk->sk_state_change(sk); 175 release_sock(sk); 176 sock_put(sk); 177 } 178 179 static void iso_sock_set_timer(struct sock *sk, long timeout) 180 { 181 if (!iso_pi(sk)->conn) 182 return; 183 184 BT_DBG("sock %p state %d timeout %ld", sk, sk->sk_state, timeout); 185 cancel_delayed_work(&iso_pi(sk)->conn->timeout_work); 186 schedule_delayed_work(&iso_pi(sk)->conn->timeout_work, timeout); 187 } 188 189 static void iso_sock_clear_timer(struct sock *sk) 190 { 191 if (!iso_pi(sk)->conn) 192 return; 193 194 BT_DBG("sock %p state %d", sk, sk->sk_state); 195 cancel_delayed_work(&iso_pi(sk)->conn->timeout_work); 196 } 197 198 /* ---- ISO connections ---- */ 199 static struct iso_conn *iso_conn_add(struct hci_conn *hcon) 200 { 201 struct iso_conn *conn = hcon->iso_data; 202 203 conn = iso_conn_hold_unless_zero(conn); 204 if (conn) { 205 if (!conn->hcon) { 206 iso_conn_lock(conn); 207 conn->hcon = hcon; 208 iso_conn_unlock(conn); 209 } 210 iso_conn_put(conn); 211 return conn; 212 } 213 214 conn = kzalloc(sizeof(*conn), GFP_KERNEL); 215 if (!conn) 216 return NULL; 217 218 kref_init(&conn->ref); 219 spin_lock_init(&conn->lock); 220 INIT_DELAYED_WORK(&conn->timeout_work, iso_sock_timeout); 221 222 hcon->iso_data = conn; 223 conn->hcon = hcon; 224 conn->tx_sn = 0; 225 226 BT_DBG("hcon %p conn %p", hcon, conn); 227 228 return conn; 229 } 230 231 /* Delete channel. Must be called on the locked socket. */ 232 static void iso_chan_del(struct sock *sk, int err) 233 { 234 struct iso_conn *conn; 235 struct sock *parent; 236 237 conn = iso_pi(sk)->conn; 238 iso_pi(sk)->conn = NULL; 239 240 BT_DBG("sk %p, conn %p, err %d", sk, conn, err); 241 242 if (conn) { 243 iso_conn_lock(conn); 244 conn->sk = NULL; 245 iso_conn_unlock(conn); 246 iso_conn_put(conn); 247 } 248 249 sk->sk_state = BT_CLOSED; 250 sk->sk_err = err; 251 252 parent = bt_sk(sk)->parent; 253 if (parent) { 254 bt_accept_unlink(sk); 255 parent->sk_data_ready(parent); 256 } else { 257 sk->sk_state_change(sk); 258 } 259 260 sock_set_flag(sk, SOCK_ZAPPED); 261 } 262 263 static void iso_conn_del(struct hci_conn *hcon, int err) 264 { 265 struct iso_conn *conn = hcon->iso_data; 266 struct sock *sk; 267 268 conn = iso_conn_hold_unless_zero(conn); 269 if (!conn) 270 return; 271 272 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err); 273 274 /* Kill socket */ 275 iso_conn_lock(conn); 276 sk = iso_sock_hold(conn); 277 iso_conn_unlock(conn); 278 iso_conn_put(conn); 279 280 if (!sk) { 281 iso_conn_put(conn); 282 return; 283 } 284 285 lock_sock(sk); 286 iso_sock_clear_timer(sk); 287 iso_chan_del(sk, err); 288 release_sock(sk); 289 sock_put(sk); 290 } 291 292 static int __iso_chan_add(struct iso_conn *conn, struct sock *sk, 293 struct sock *parent) 294 { 295 BT_DBG("conn %p", conn); 296 297 if (iso_pi(sk)->conn == conn && conn->sk == sk) 298 return 0; 299 300 if (conn->sk) { 301 BT_ERR("conn->sk already set"); 302 return -EBUSY; 303 } 304 305 iso_pi(sk)->conn = conn; 306 conn->sk = sk; 307 308 if (parent) 309 bt_accept_enqueue(parent, sk, true); 310 311 return 0; 312 } 313 314 static int iso_chan_add(struct iso_conn *conn, struct sock *sk, 315 struct sock *parent) 316 { 317 int err; 318 319 iso_conn_lock(conn); 320 err = __iso_chan_add(conn, sk, parent); 321 iso_conn_unlock(conn); 322 323 return err; 324 } 325 326 static inline u8 le_addr_type(u8 bdaddr_type) 327 { 328 if (bdaddr_type == BDADDR_LE_PUBLIC) 329 return ADDR_LE_DEV_PUBLIC; 330 else 331 return ADDR_LE_DEV_RANDOM; 332 } 333 334 static int iso_connect_bis(struct sock *sk) 335 { 336 struct iso_conn *conn; 337 struct hci_conn *hcon; 338 struct hci_dev *hdev; 339 int err; 340 341 BT_DBG("%pMR (SID 0x%2.2x)", &iso_pi(sk)->src, iso_pi(sk)->bc_sid); 342 343 hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src, 344 iso_pi(sk)->src_type); 345 if (!hdev) 346 return -EHOSTUNREACH; 347 348 hci_dev_lock(hdev); 349 350 if (!bis_capable(hdev)) { 351 err = -EOPNOTSUPP; 352 goto unlock; 353 } 354 355 /* Fail if user set invalid QoS */ 356 if (iso_pi(sk)->qos_user_set && !check_bcast_qos(&iso_pi(sk)->qos)) { 357 iso_pi(sk)->qos = default_qos; 358 err = -EINVAL; 359 goto unlock; 360 } 361 362 /* Fail if out PHYs are marked as disabled */ 363 if (!iso_pi(sk)->qos.bcast.out.phy) { 364 err = -EINVAL; 365 goto unlock; 366 } 367 368 /* Just bind if DEFER_SETUP has been set */ 369 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 370 hcon = hci_bind_bis(hdev, &iso_pi(sk)->dst, iso_pi(sk)->bc_sid, 371 &iso_pi(sk)->qos, iso_pi(sk)->base_len, 372 iso_pi(sk)->base, 373 READ_ONCE(sk->sk_sndtimeo)); 374 if (IS_ERR(hcon)) { 375 err = PTR_ERR(hcon); 376 goto unlock; 377 } 378 } else { 379 hcon = hci_connect_bis(hdev, &iso_pi(sk)->dst, 380 le_addr_type(iso_pi(sk)->dst_type), 381 iso_pi(sk)->bc_sid, &iso_pi(sk)->qos, 382 iso_pi(sk)->base_len, iso_pi(sk)->base, 383 READ_ONCE(sk->sk_sndtimeo)); 384 if (IS_ERR(hcon)) { 385 err = PTR_ERR(hcon); 386 goto unlock; 387 } 388 389 /* Update SID if it was not set */ 390 if (iso_pi(sk)->bc_sid == HCI_SID_INVALID) 391 iso_pi(sk)->bc_sid = hcon->sid; 392 } 393 394 conn = iso_conn_add(hcon); 395 if (!conn) { 396 hci_conn_drop(hcon); 397 err = -ENOMEM; 398 goto unlock; 399 } 400 401 lock_sock(sk); 402 403 err = iso_chan_add(conn, sk, NULL); 404 if (err) { 405 release_sock(sk); 406 goto unlock; 407 } 408 409 /* Update source addr of the socket */ 410 bacpy(&iso_pi(sk)->src, &hcon->src); 411 412 if (hcon->state == BT_CONNECTED) { 413 iso_sock_clear_timer(sk); 414 sk->sk_state = BT_CONNECTED; 415 } else if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 416 iso_sock_clear_timer(sk); 417 sk->sk_state = BT_CONNECT; 418 } else { 419 sk->sk_state = BT_CONNECT; 420 iso_sock_set_timer(sk, READ_ONCE(sk->sk_sndtimeo)); 421 } 422 423 release_sock(sk); 424 425 unlock: 426 hci_dev_unlock(hdev); 427 hci_dev_put(hdev); 428 return err; 429 } 430 431 static int iso_connect_cis(struct sock *sk) 432 { 433 struct iso_conn *conn; 434 struct hci_conn *hcon; 435 struct hci_dev *hdev; 436 int err; 437 438 BT_DBG("%pMR -> %pMR", &iso_pi(sk)->src, &iso_pi(sk)->dst); 439 440 hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src, 441 iso_pi(sk)->src_type); 442 if (!hdev) 443 return -EHOSTUNREACH; 444 445 hci_dev_lock(hdev); 446 447 if (!cis_central_capable(hdev)) { 448 err = -EOPNOTSUPP; 449 goto unlock; 450 } 451 452 /* Fail if user set invalid QoS */ 453 if (iso_pi(sk)->qos_user_set && !check_ucast_qos(&iso_pi(sk)->qos)) { 454 iso_pi(sk)->qos = default_qos; 455 err = -EINVAL; 456 goto unlock; 457 } 458 459 /* Fail if either PHYs are marked as disabled */ 460 if (!iso_pi(sk)->qos.ucast.in.phy && !iso_pi(sk)->qos.ucast.out.phy) { 461 err = -EINVAL; 462 goto unlock; 463 } 464 465 /* Check if there are available buffers for output/TX. */ 466 if (iso_pi(sk)->qos.ucast.out.sdu && !hci_iso_count(hdev) && 467 (hdev->iso_pkts && !hdev->iso_cnt)) { 468 err = -ENOBUFS; 469 goto unlock; 470 } 471 472 /* Just bind if DEFER_SETUP has been set */ 473 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 474 hcon = hci_bind_cis(hdev, &iso_pi(sk)->dst, 475 le_addr_type(iso_pi(sk)->dst_type), 476 &iso_pi(sk)->qos, 477 READ_ONCE(sk->sk_sndtimeo)); 478 if (IS_ERR(hcon)) { 479 err = PTR_ERR(hcon); 480 goto unlock; 481 } 482 } else { 483 hcon = hci_connect_cis(hdev, &iso_pi(sk)->dst, 484 le_addr_type(iso_pi(sk)->dst_type), 485 &iso_pi(sk)->qos, 486 READ_ONCE(sk->sk_sndtimeo)); 487 if (IS_ERR(hcon)) { 488 err = PTR_ERR(hcon); 489 goto unlock; 490 } 491 } 492 493 conn = iso_conn_add(hcon); 494 if (!conn) { 495 hci_conn_drop(hcon); 496 err = -ENOMEM; 497 goto unlock; 498 } 499 500 lock_sock(sk); 501 502 err = iso_chan_add(conn, sk, NULL); 503 if (err) { 504 release_sock(sk); 505 goto unlock; 506 } 507 508 /* Update source addr of the socket */ 509 bacpy(&iso_pi(sk)->src, &hcon->src); 510 511 if (hcon->state == BT_CONNECTED) { 512 iso_sock_clear_timer(sk); 513 sk->sk_state = BT_CONNECTED; 514 } else if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 515 iso_sock_clear_timer(sk); 516 sk->sk_state = BT_CONNECT; 517 } else { 518 sk->sk_state = BT_CONNECT; 519 iso_sock_set_timer(sk, READ_ONCE(sk->sk_sndtimeo)); 520 } 521 522 release_sock(sk); 523 524 unlock: 525 hci_dev_unlock(hdev); 526 hci_dev_put(hdev); 527 return err; 528 } 529 530 static struct bt_iso_qos *iso_sock_get_qos(struct sock *sk) 531 { 532 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONNECT2) 533 return &iso_pi(sk)->conn->hcon->iso_qos; 534 535 return &iso_pi(sk)->qos; 536 } 537 538 static int iso_send_frame(struct sock *sk, struct sk_buff *skb, 539 const struct sockcm_cookie *sockc) 540 { 541 struct iso_conn *conn = iso_pi(sk)->conn; 542 struct bt_iso_qos *qos = iso_sock_get_qos(sk); 543 struct hci_iso_data_hdr *hdr; 544 int len = 0; 545 546 BT_DBG("sk %p len %d", sk, skb->len); 547 548 if (skb->len > qos->ucast.out.sdu) 549 return -EMSGSIZE; 550 551 len = skb->len; 552 553 /* Push ISO data header */ 554 hdr = skb_push(skb, HCI_ISO_DATA_HDR_SIZE); 555 hdr->sn = cpu_to_le16(conn->tx_sn++); 556 hdr->slen = cpu_to_le16(hci_iso_data_len_pack(len, 557 HCI_ISO_STATUS_VALID)); 558 559 if (sk->sk_state == BT_CONNECTED) { 560 hci_setup_tx_timestamp(skb, 1, sockc); 561 hci_send_iso(conn->hcon, skb); 562 } else { 563 len = -ENOTCONN; 564 } 565 566 return len; 567 } 568 569 static void iso_recv_frame(struct iso_conn *conn, struct sk_buff *skb) 570 { 571 struct sock *sk; 572 573 iso_conn_lock(conn); 574 sk = conn->sk; 575 iso_conn_unlock(conn); 576 577 if (!sk) 578 goto drop; 579 580 BT_DBG("sk %p len %d", sk, skb->len); 581 582 if (sk->sk_state != BT_CONNECTED) 583 goto drop; 584 585 if (!sock_queue_rcv_skb(sk, skb)) 586 return; 587 588 drop: 589 kfree_skb(skb); 590 } 591 592 /* -------- Socket interface ---------- */ 593 static struct sock *__iso_get_sock_listen_by_addr(bdaddr_t *src, bdaddr_t *dst) 594 { 595 struct sock *sk; 596 597 sk_for_each(sk, &iso_sk_list.head) { 598 if (sk->sk_state != BT_LISTEN) 599 continue; 600 601 if (bacmp(&iso_pi(sk)->dst, dst)) 602 continue; 603 604 if (!bacmp(&iso_pi(sk)->src, src)) 605 return sk; 606 } 607 608 return NULL; 609 } 610 611 static struct sock *__iso_get_sock_listen_by_sid(bdaddr_t *ba, bdaddr_t *bc, 612 __u8 sid) 613 { 614 struct sock *sk; 615 616 sk_for_each(sk, &iso_sk_list.head) { 617 if (sk->sk_state != BT_LISTEN) 618 continue; 619 620 if (bacmp(&iso_pi(sk)->src, ba)) 621 continue; 622 623 if (bacmp(&iso_pi(sk)->dst, bc)) 624 continue; 625 626 if (iso_pi(sk)->bc_sid == sid) 627 return sk; 628 } 629 630 return NULL; 631 } 632 633 /* Find socket in given state: 634 * source bdaddr (Unicast) 635 * destination bdaddr (Broadcast only) 636 * match func - pass NULL to ignore 637 * match func data - pass -1 to ignore 638 * Returns closest match. 639 */ 640 static struct sock *iso_get_sock(bdaddr_t *src, bdaddr_t *dst, 641 enum bt_sock_state state, 642 iso_sock_match_t match, void *data) 643 { 644 struct sock *sk = NULL, *sk1 = NULL; 645 646 read_lock(&iso_sk_list.lock); 647 648 sk_for_each(sk, &iso_sk_list.head) { 649 if (sk->sk_state != state) 650 continue; 651 652 /* Match Broadcast destination */ 653 if (bacmp(dst, BDADDR_ANY) && bacmp(&iso_pi(sk)->dst, dst)) 654 continue; 655 656 /* Use Match function if provided */ 657 if (match && !match(sk, data)) 658 continue; 659 660 /* Exact match. */ 661 if (!bacmp(&iso_pi(sk)->src, src)) { 662 sock_hold(sk); 663 break; 664 } 665 666 /* Closest match */ 667 if (!bacmp(&iso_pi(sk)->src, BDADDR_ANY)) { 668 if (sk1) 669 sock_put(sk1); 670 671 sk1 = sk; 672 sock_hold(sk1); 673 } 674 } 675 676 if (sk && sk1) 677 sock_put(sk1); 678 679 read_unlock(&iso_sk_list.lock); 680 681 return sk ? sk : sk1; 682 } 683 684 static struct sock *iso_get_sock_big(struct sock *match_sk, bdaddr_t *src, 685 bdaddr_t *dst, uint8_t big) 686 { 687 struct sock *sk = NULL; 688 689 read_lock(&iso_sk_list.lock); 690 691 sk_for_each(sk, &iso_sk_list.head) { 692 if (match_sk == sk) 693 continue; 694 695 /* Look for sockets that have already been 696 * connected to the BIG 697 */ 698 if (sk->sk_state != BT_CONNECTED && 699 sk->sk_state != BT_CONNECT) 700 continue; 701 702 /* Match Broadcast destination */ 703 if (bacmp(&iso_pi(sk)->dst, dst)) 704 continue; 705 706 /* Match BIG handle */ 707 if (iso_pi(sk)->qos.bcast.big != big) 708 continue; 709 710 /* Match source address */ 711 if (bacmp(&iso_pi(sk)->src, src)) 712 continue; 713 714 sock_hold(sk); 715 break; 716 } 717 718 read_unlock(&iso_sk_list.lock); 719 720 return sk; 721 } 722 723 static void iso_sock_destruct(struct sock *sk) 724 { 725 BT_DBG("sk %p", sk); 726 727 iso_conn_put(iso_pi(sk)->conn); 728 729 skb_queue_purge(&sk->sk_receive_queue); 730 skb_queue_purge(&sk->sk_write_queue); 731 } 732 733 static void iso_sock_cleanup_listen(struct sock *parent) 734 { 735 struct sock *sk; 736 737 BT_DBG("parent %p", parent); 738 739 /* Close not yet accepted channels */ 740 while ((sk = bt_accept_dequeue(parent, NULL))) { 741 iso_sock_close(sk); 742 iso_sock_kill(sk); 743 } 744 745 /* If listening socket has a hcon, properly disconnect it */ 746 if (iso_pi(parent)->conn && iso_pi(parent)->conn->hcon) { 747 iso_sock_disconn(parent); 748 return; 749 } 750 751 parent->sk_state = BT_CLOSED; 752 sock_set_flag(parent, SOCK_ZAPPED); 753 } 754 755 /* Kill socket (only if zapped and orphan) 756 * Must be called on unlocked socket. 757 */ 758 static void iso_sock_kill(struct sock *sk) 759 { 760 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket || 761 sock_flag(sk, SOCK_DEAD)) 762 return; 763 764 BT_DBG("sk %p state %d", sk, sk->sk_state); 765 766 /* Sock is dead, so set conn->sk to NULL to avoid possible UAF */ 767 if (iso_pi(sk)->conn) { 768 iso_conn_lock(iso_pi(sk)->conn); 769 iso_pi(sk)->conn->sk = NULL; 770 iso_conn_unlock(iso_pi(sk)->conn); 771 } 772 773 /* Kill poor orphan */ 774 bt_sock_unlink(&iso_sk_list, sk); 775 sock_set_flag(sk, SOCK_DEAD); 776 sock_put(sk); 777 } 778 779 static void iso_sock_disconn(struct sock *sk) 780 { 781 struct sock *bis_sk; 782 struct hci_conn *hcon = iso_pi(sk)->conn->hcon; 783 784 if (test_bit(HCI_CONN_BIG_CREATED, &hcon->flags)) { 785 bis_sk = iso_get_sock_big(sk, &iso_pi(sk)->src, 786 &iso_pi(sk)->dst, 787 iso_pi(sk)->qos.bcast.big); 788 789 /* If there are any other connected sockets for the 790 * same BIG, just delete the sk and leave the bis 791 * hcon active, in case later rebinding is needed. 792 */ 793 if (bis_sk) { 794 hcon->state = BT_OPEN; 795 hcon->iso_data = NULL; 796 iso_pi(sk)->conn->hcon = NULL; 797 iso_sock_clear_timer(sk); 798 iso_chan_del(sk, bt_to_errno(hcon->abort_reason)); 799 sock_put(bis_sk); 800 return; 801 } 802 } 803 804 sk->sk_state = BT_DISCONN; 805 iso_conn_lock(iso_pi(sk)->conn); 806 hci_conn_drop(iso_pi(sk)->conn->hcon); 807 iso_pi(sk)->conn->hcon = NULL; 808 iso_conn_unlock(iso_pi(sk)->conn); 809 } 810 811 static void __iso_sock_close(struct sock *sk) 812 { 813 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket); 814 815 switch (sk->sk_state) { 816 case BT_LISTEN: 817 iso_sock_cleanup_listen(sk); 818 break; 819 820 case BT_CONNECT: 821 case BT_CONNECTED: 822 case BT_CONFIG: 823 if (iso_pi(sk)->conn->hcon) 824 iso_sock_disconn(sk); 825 else 826 iso_chan_del(sk, ECONNRESET); 827 break; 828 829 case BT_CONNECT2: 830 if (iso_pi(sk)->conn->hcon && 831 (test_bit(HCI_CONN_PA_SYNC, &iso_pi(sk)->conn->hcon->flags) || 832 test_bit(HCI_CONN_PA_SYNC_FAILED, &iso_pi(sk)->conn->hcon->flags))) 833 iso_sock_disconn(sk); 834 else 835 iso_chan_del(sk, ECONNRESET); 836 break; 837 case BT_DISCONN: 838 iso_chan_del(sk, ECONNRESET); 839 break; 840 841 default: 842 sock_set_flag(sk, SOCK_ZAPPED); 843 break; 844 } 845 } 846 847 /* Must be called on unlocked socket. */ 848 static void iso_sock_close(struct sock *sk) 849 { 850 iso_sock_clear_timer(sk); 851 lock_sock(sk); 852 __iso_sock_close(sk); 853 release_sock(sk); 854 iso_sock_kill(sk); 855 } 856 857 static void iso_sock_init(struct sock *sk, struct sock *parent) 858 { 859 BT_DBG("sk %p", sk); 860 861 if (parent) { 862 sk->sk_type = parent->sk_type; 863 bt_sk(sk)->flags = bt_sk(parent)->flags; 864 security_sk_clone(parent, sk); 865 } 866 } 867 868 static struct proto iso_proto = { 869 .name = "ISO", 870 .owner = THIS_MODULE, 871 .obj_size = sizeof(struct iso_pinfo) 872 }; 873 874 #define DEFAULT_IO_QOS \ 875 { \ 876 .interval = 10000u, \ 877 .latency = 10u, \ 878 .sdu = 40u, \ 879 .phy = BT_ISO_PHY_2M, \ 880 .rtn = 2u, \ 881 } 882 883 static struct bt_iso_qos default_qos = { 884 .bcast = { 885 .big = BT_ISO_QOS_BIG_UNSET, 886 .bis = BT_ISO_QOS_BIS_UNSET, 887 .sync_factor = 0x01, 888 .packing = 0x00, 889 .framing = 0x00, 890 .in = DEFAULT_IO_QOS, 891 .out = DEFAULT_IO_QOS, 892 .encryption = 0x00, 893 .bcode = {0x00}, 894 .options = 0x00, 895 .skip = 0x0000, 896 .sync_timeout = BT_ISO_SYNC_TIMEOUT, 897 .sync_cte_type = 0x00, 898 .mse = 0x00, 899 .timeout = BT_ISO_SYNC_TIMEOUT, 900 }, 901 }; 902 903 static struct sock *iso_sock_alloc(struct net *net, struct socket *sock, 904 int proto, gfp_t prio, int kern) 905 { 906 struct sock *sk; 907 908 sk = bt_sock_alloc(net, sock, &iso_proto, proto, prio, kern); 909 if (!sk) 910 return NULL; 911 912 sk->sk_destruct = iso_sock_destruct; 913 sk->sk_sndtimeo = ISO_CONN_TIMEOUT; 914 915 /* Set address type as public as default src address is BDADDR_ANY */ 916 iso_pi(sk)->src_type = BDADDR_LE_PUBLIC; 917 918 iso_pi(sk)->qos = default_qos; 919 iso_pi(sk)->sync_handle = -1; 920 921 bt_sock_link(&iso_sk_list, sk); 922 return sk; 923 } 924 925 static int iso_sock_create(struct net *net, struct socket *sock, int protocol, 926 int kern) 927 { 928 struct sock *sk; 929 930 BT_DBG("sock %p", sock); 931 932 sock->state = SS_UNCONNECTED; 933 934 if (sock->type != SOCK_SEQPACKET) 935 return -ESOCKTNOSUPPORT; 936 937 sock->ops = &iso_sock_ops; 938 939 sk = iso_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern); 940 if (!sk) 941 return -ENOMEM; 942 943 iso_sock_init(sk, NULL); 944 return 0; 945 } 946 947 static int iso_sock_bind_bc(struct socket *sock, struct sockaddr *addr, 948 int addr_len) 949 { 950 struct sockaddr_iso *sa = (struct sockaddr_iso *)addr; 951 struct sock *sk = sock->sk; 952 int i; 953 954 BT_DBG("sk %p bc_sid %u bc_num_bis %u", sk, sa->iso_bc->bc_sid, 955 sa->iso_bc->bc_num_bis); 956 957 if (addr_len != sizeof(*sa) + sizeof(*sa->iso_bc)) 958 return -EINVAL; 959 960 bacpy(&iso_pi(sk)->dst, &sa->iso_bc->bc_bdaddr); 961 962 /* Check if the address type is of LE type */ 963 if (!bdaddr_type_is_le(sa->iso_bc->bc_bdaddr_type)) 964 return -EINVAL; 965 966 iso_pi(sk)->dst_type = sa->iso_bc->bc_bdaddr_type; 967 968 if (sa->iso_bc->bc_sid > 0x0f && sa->iso_bc->bc_sid != HCI_SID_INVALID) 969 return -EINVAL; 970 971 iso_pi(sk)->bc_sid = sa->iso_bc->bc_sid; 972 973 if (sa->iso_bc->bc_num_bis > ISO_MAX_NUM_BIS) 974 return -EINVAL; 975 976 iso_pi(sk)->bc_num_bis = sa->iso_bc->bc_num_bis; 977 978 for (i = 0; i < iso_pi(sk)->bc_num_bis; i++) 979 if (sa->iso_bc->bc_bis[i] < 0x01 || 980 sa->iso_bc->bc_bis[i] > 0x1f) 981 return -EINVAL; 982 983 memcpy(iso_pi(sk)->bc_bis, sa->iso_bc->bc_bis, 984 iso_pi(sk)->bc_num_bis); 985 986 return 0; 987 } 988 989 static int iso_sock_bind_pa_sk(struct sock *sk, struct sockaddr_iso *sa, 990 int addr_len) 991 { 992 int err = 0; 993 994 if (sk->sk_type != SOCK_SEQPACKET) { 995 err = -EINVAL; 996 goto done; 997 } 998 999 if (addr_len != sizeof(*sa) + sizeof(*sa->iso_bc)) { 1000 err = -EINVAL; 1001 goto done; 1002 } 1003 1004 if (sa->iso_bc->bc_num_bis > ISO_MAX_NUM_BIS) { 1005 err = -EINVAL; 1006 goto done; 1007 } 1008 1009 iso_pi(sk)->bc_num_bis = sa->iso_bc->bc_num_bis; 1010 1011 for (int i = 0; i < iso_pi(sk)->bc_num_bis; i++) 1012 if (sa->iso_bc->bc_bis[i] < 0x01 || 1013 sa->iso_bc->bc_bis[i] > 0x1f) { 1014 err = -EINVAL; 1015 goto done; 1016 } 1017 1018 memcpy(iso_pi(sk)->bc_bis, sa->iso_bc->bc_bis, 1019 iso_pi(sk)->bc_num_bis); 1020 1021 done: 1022 return err; 1023 } 1024 1025 static int iso_sock_bind(struct socket *sock, struct sockaddr *addr, 1026 int addr_len) 1027 { 1028 struct sockaddr_iso *sa = (struct sockaddr_iso *)addr; 1029 struct sock *sk = sock->sk; 1030 int err = 0; 1031 1032 BT_DBG("sk %p %pMR type %u", sk, &sa->iso_bdaddr, sa->iso_bdaddr_type); 1033 1034 if (!addr || addr_len < sizeof(struct sockaddr_iso) || 1035 addr->sa_family != AF_BLUETOOTH) 1036 return -EINVAL; 1037 1038 lock_sock(sk); 1039 1040 /* Allow the user to bind a PA sync socket to a number 1041 * of BISes to sync to. 1042 */ 1043 if ((sk->sk_state == BT_CONNECT2 || 1044 sk->sk_state == BT_CONNECTED) && 1045 test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) { 1046 err = iso_sock_bind_pa_sk(sk, sa, addr_len); 1047 goto done; 1048 } 1049 1050 if (sk->sk_state != BT_OPEN) { 1051 err = -EBADFD; 1052 goto done; 1053 } 1054 1055 if (sk->sk_type != SOCK_SEQPACKET) { 1056 err = -EINVAL; 1057 goto done; 1058 } 1059 1060 /* Check if the address type is of LE type */ 1061 if (!bdaddr_type_is_le(sa->iso_bdaddr_type)) { 1062 err = -EINVAL; 1063 goto done; 1064 } 1065 1066 bacpy(&iso_pi(sk)->src, &sa->iso_bdaddr); 1067 iso_pi(sk)->src_type = sa->iso_bdaddr_type; 1068 1069 /* Check for Broadcast address */ 1070 if (addr_len > sizeof(*sa)) { 1071 err = iso_sock_bind_bc(sock, addr, addr_len); 1072 if (err) 1073 goto done; 1074 } 1075 1076 sk->sk_state = BT_BOUND; 1077 1078 done: 1079 release_sock(sk); 1080 return err; 1081 } 1082 1083 static int iso_sock_connect(struct socket *sock, struct sockaddr *addr, 1084 int alen, int flags) 1085 { 1086 struct sockaddr_iso *sa = (struct sockaddr_iso *)addr; 1087 struct sock *sk = sock->sk; 1088 int err; 1089 1090 BT_DBG("sk %p", sk); 1091 1092 if (alen < sizeof(struct sockaddr_iso) || 1093 addr->sa_family != AF_BLUETOOTH) 1094 return -EINVAL; 1095 1096 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) 1097 return -EBADFD; 1098 1099 if (sk->sk_type != SOCK_SEQPACKET) 1100 return -EINVAL; 1101 1102 /* Check if the address type is of LE type */ 1103 if (!bdaddr_type_is_le(sa->iso_bdaddr_type)) 1104 return -EINVAL; 1105 1106 lock_sock(sk); 1107 1108 bacpy(&iso_pi(sk)->dst, &sa->iso_bdaddr); 1109 iso_pi(sk)->dst_type = sa->iso_bdaddr_type; 1110 1111 release_sock(sk); 1112 1113 if (bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) 1114 err = iso_connect_cis(sk); 1115 else 1116 err = iso_connect_bis(sk); 1117 1118 if (err) 1119 return err; 1120 1121 lock_sock(sk); 1122 1123 if (!test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 1124 err = bt_sock_wait_state(sk, BT_CONNECTED, 1125 sock_sndtimeo(sk, flags & O_NONBLOCK)); 1126 } 1127 1128 release_sock(sk); 1129 return err; 1130 } 1131 1132 static int iso_listen_bis(struct sock *sk) 1133 { 1134 struct hci_dev *hdev; 1135 int err = 0; 1136 struct iso_conn *conn; 1137 struct hci_conn *hcon; 1138 1139 BT_DBG("%pMR -> %pMR (SID 0x%2.2x)", &iso_pi(sk)->src, 1140 &iso_pi(sk)->dst, iso_pi(sk)->bc_sid); 1141 1142 write_lock(&iso_sk_list.lock); 1143 1144 if (__iso_get_sock_listen_by_sid(&iso_pi(sk)->src, &iso_pi(sk)->dst, 1145 iso_pi(sk)->bc_sid)) 1146 err = -EADDRINUSE; 1147 1148 write_unlock(&iso_sk_list.lock); 1149 1150 if (err) 1151 return err; 1152 1153 hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src, 1154 iso_pi(sk)->src_type); 1155 if (!hdev) 1156 return -EHOSTUNREACH; 1157 1158 hci_dev_lock(hdev); 1159 lock_sock(sk); 1160 1161 /* Fail if user set invalid QoS */ 1162 if (iso_pi(sk)->qos_user_set && !check_bcast_qos(&iso_pi(sk)->qos)) { 1163 iso_pi(sk)->qos = default_qos; 1164 err = -EINVAL; 1165 goto unlock; 1166 } 1167 1168 hcon = hci_pa_create_sync(hdev, &iso_pi(sk)->dst, 1169 le_addr_type(iso_pi(sk)->dst_type), 1170 iso_pi(sk)->bc_sid, &iso_pi(sk)->qos); 1171 if (IS_ERR(hcon)) { 1172 err = PTR_ERR(hcon); 1173 goto unlock; 1174 } 1175 1176 conn = iso_conn_add(hcon); 1177 if (!conn) { 1178 hci_conn_drop(hcon); 1179 err = -ENOMEM; 1180 goto unlock; 1181 } 1182 1183 err = iso_chan_add(conn, sk, NULL); 1184 if (err) { 1185 hci_conn_drop(hcon); 1186 goto unlock; 1187 } 1188 1189 unlock: 1190 release_sock(sk); 1191 hci_dev_unlock(hdev); 1192 hci_dev_put(hdev); 1193 return err; 1194 } 1195 1196 static int iso_listen_cis(struct sock *sk) 1197 { 1198 int err = 0; 1199 1200 BT_DBG("%pMR", &iso_pi(sk)->src); 1201 1202 write_lock(&iso_sk_list.lock); 1203 1204 if (__iso_get_sock_listen_by_addr(&iso_pi(sk)->src, &iso_pi(sk)->dst)) 1205 err = -EADDRINUSE; 1206 1207 write_unlock(&iso_sk_list.lock); 1208 1209 return err; 1210 } 1211 1212 static int iso_sock_listen(struct socket *sock, int backlog) 1213 { 1214 struct sock *sk = sock->sk; 1215 int err = 0; 1216 1217 BT_DBG("sk %p backlog %d", sk, backlog); 1218 1219 sock_hold(sk); 1220 lock_sock(sk); 1221 1222 if (sk->sk_state != BT_BOUND) { 1223 err = -EBADFD; 1224 goto done; 1225 } 1226 1227 if (sk->sk_type != SOCK_SEQPACKET) { 1228 err = -EINVAL; 1229 goto done; 1230 } 1231 1232 if (!bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) { 1233 err = iso_listen_cis(sk); 1234 } else { 1235 /* Drop sock lock to avoid potential 1236 * deadlock with the hdev lock. 1237 */ 1238 release_sock(sk); 1239 err = iso_listen_bis(sk); 1240 lock_sock(sk); 1241 } 1242 1243 if (err) 1244 goto done; 1245 1246 sk->sk_max_ack_backlog = backlog; 1247 sk->sk_ack_backlog = 0; 1248 1249 sk->sk_state = BT_LISTEN; 1250 1251 done: 1252 release_sock(sk); 1253 sock_put(sk); 1254 return err; 1255 } 1256 1257 static int iso_sock_accept(struct socket *sock, struct socket *newsock, 1258 struct proto_accept_arg *arg) 1259 { 1260 DEFINE_WAIT_FUNC(wait, woken_wake_function); 1261 struct sock *sk = sock->sk, *ch; 1262 long timeo; 1263 int err = 0; 1264 1265 /* Use explicit nested locking to avoid lockdep warnings generated 1266 * because the parent socket and the child socket are locked on the 1267 * same thread. 1268 */ 1269 lock_sock_nested(sk, SINGLE_DEPTH_NESTING); 1270 1271 timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK); 1272 1273 BT_DBG("sk %p timeo %ld", sk, timeo); 1274 1275 /* Wait for an incoming connection. (wake-one). */ 1276 add_wait_queue_exclusive(sk_sleep(sk), &wait); 1277 while (1) { 1278 if (sk->sk_state != BT_LISTEN) { 1279 err = -EBADFD; 1280 break; 1281 } 1282 1283 ch = bt_accept_dequeue(sk, newsock); 1284 if (ch) 1285 break; 1286 1287 if (!timeo) { 1288 err = -EAGAIN; 1289 break; 1290 } 1291 1292 if (signal_pending(current)) { 1293 err = sock_intr_errno(timeo); 1294 break; 1295 } 1296 1297 release_sock(sk); 1298 1299 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo); 1300 lock_sock_nested(sk, SINGLE_DEPTH_NESTING); 1301 } 1302 remove_wait_queue(sk_sleep(sk), &wait); 1303 1304 if (err) 1305 goto done; 1306 1307 newsock->state = SS_CONNECTED; 1308 1309 BT_DBG("new socket %p", ch); 1310 1311 /* A Broadcast Sink might require BIG sync to be terminated 1312 * and re-established multiple times, while keeping the same 1313 * PA sync handle active. To allow this, once all BIS 1314 * connections have been accepted on a PA sync parent socket, 1315 * "reset" socket state, to allow future BIG re-sync procedures. 1316 */ 1317 if (test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) { 1318 /* Iterate through the list of bound BIS indices 1319 * and clear each BIS as they are accepted by the 1320 * user space, one by one. 1321 */ 1322 for (int i = 0; i < iso_pi(sk)->bc_num_bis; i++) { 1323 if (iso_pi(sk)->bc_bis[i] > 0) { 1324 iso_pi(sk)->bc_bis[i] = 0; 1325 iso_pi(sk)->bc_num_bis--; 1326 break; 1327 } 1328 } 1329 1330 if (iso_pi(sk)->bc_num_bis == 0) { 1331 /* Once the last BIS was accepted, reset parent 1332 * socket parameters to mark that the listening 1333 * process for BIS connections has been completed: 1334 * 1335 * 1. Reset the DEFER setup flag on the parent sk. 1336 * 2. Clear the flag marking that the BIG create 1337 * sync command is pending. 1338 * 3. Transition socket state from BT_LISTEN to 1339 * BT_CONNECTED. 1340 */ 1341 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 1342 clear_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags); 1343 sk->sk_state = BT_CONNECTED; 1344 } 1345 } 1346 1347 done: 1348 release_sock(sk); 1349 return err; 1350 } 1351 1352 static int iso_sock_getname(struct socket *sock, struct sockaddr *addr, 1353 int peer) 1354 { 1355 struct sockaddr_iso *sa = (struct sockaddr_iso *)addr; 1356 struct sock *sk = sock->sk; 1357 int len = sizeof(struct sockaddr_iso); 1358 1359 BT_DBG("sock %p, sk %p", sock, sk); 1360 1361 addr->sa_family = AF_BLUETOOTH; 1362 1363 if (peer) { 1364 struct hci_conn *hcon = iso_pi(sk)->conn ? 1365 iso_pi(sk)->conn->hcon : NULL; 1366 1367 bacpy(&sa->iso_bdaddr, &iso_pi(sk)->dst); 1368 sa->iso_bdaddr_type = iso_pi(sk)->dst_type; 1369 1370 if (hcon && (hcon->type == BIS_LINK || hcon->type == PA_LINK)) { 1371 sa->iso_bc->bc_sid = iso_pi(sk)->bc_sid; 1372 sa->iso_bc->bc_num_bis = iso_pi(sk)->bc_num_bis; 1373 memcpy(sa->iso_bc->bc_bis, iso_pi(sk)->bc_bis, 1374 ISO_MAX_NUM_BIS); 1375 len += sizeof(struct sockaddr_iso_bc); 1376 } 1377 } else { 1378 bacpy(&sa->iso_bdaddr, &iso_pi(sk)->src); 1379 sa->iso_bdaddr_type = iso_pi(sk)->src_type; 1380 } 1381 1382 return len; 1383 } 1384 1385 static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg, 1386 size_t len) 1387 { 1388 struct sock *sk = sock->sk; 1389 struct sk_buff *skb, **frag; 1390 struct sockcm_cookie sockc; 1391 size_t mtu; 1392 int err; 1393 1394 BT_DBG("sock %p, sk %p", sock, sk); 1395 1396 err = sock_error(sk); 1397 if (err) 1398 return err; 1399 1400 if (msg->msg_flags & MSG_OOB) 1401 return -EOPNOTSUPP; 1402 1403 hci_sockcm_init(&sockc, sk); 1404 1405 if (msg->msg_controllen) { 1406 err = sock_cmsg_send(sk, msg, &sockc); 1407 if (err) 1408 return err; 1409 } 1410 1411 lock_sock(sk); 1412 1413 if (sk->sk_state != BT_CONNECTED) { 1414 release_sock(sk); 1415 return -ENOTCONN; 1416 } 1417 1418 mtu = iso_pi(sk)->conn->hcon->mtu; 1419 1420 release_sock(sk); 1421 1422 skb = bt_skb_sendmsg(sk, msg, len, mtu, HCI_ISO_DATA_HDR_SIZE, 0); 1423 if (IS_ERR(skb)) 1424 return PTR_ERR(skb); 1425 1426 len -= skb->len; 1427 1428 BT_DBG("skb %p len %d", sk, skb->len); 1429 1430 /* Continuation fragments */ 1431 frag = &skb_shinfo(skb)->frag_list; 1432 while (len) { 1433 struct sk_buff *tmp; 1434 1435 tmp = bt_skb_sendmsg(sk, msg, len, mtu, 0, 0); 1436 if (IS_ERR(tmp)) { 1437 kfree_skb(skb); 1438 return PTR_ERR(tmp); 1439 } 1440 1441 *frag = tmp; 1442 1443 len -= tmp->len; 1444 1445 skb->len += tmp->len; 1446 skb->data_len += tmp->len; 1447 1448 BT_DBG("frag %p len %d", *frag, tmp->len); 1449 1450 frag = &(*frag)->next; 1451 } 1452 1453 lock_sock(sk); 1454 1455 if (sk->sk_state == BT_CONNECTED) 1456 err = iso_send_frame(sk, skb, &sockc); 1457 else 1458 err = -ENOTCONN; 1459 1460 release_sock(sk); 1461 1462 if (err < 0) 1463 kfree_skb(skb); 1464 return err; 1465 } 1466 1467 static void iso_conn_defer_accept(struct hci_conn *conn) 1468 { 1469 struct hci_cp_le_accept_cis cp; 1470 struct hci_dev *hdev = conn->hdev; 1471 1472 BT_DBG("conn %p", conn); 1473 1474 conn->state = BT_CONFIG; 1475 1476 cp.handle = cpu_to_le16(conn->handle); 1477 1478 hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp); 1479 } 1480 1481 static void iso_conn_big_sync(struct sock *sk) 1482 { 1483 int err; 1484 struct hci_dev *hdev; 1485 1486 hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src, 1487 iso_pi(sk)->src_type); 1488 1489 if (!hdev) 1490 return; 1491 1492 /* hci_le_big_create_sync requires hdev lock to be held, since 1493 * it enqueues the HCI LE BIG Create Sync command via 1494 * hci_cmd_sync_queue_once, which checks hdev flags that might 1495 * change. 1496 */ 1497 hci_dev_lock(hdev); 1498 lock_sock(sk); 1499 1500 if (!test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) { 1501 err = hci_conn_big_create_sync(hdev, iso_pi(sk)->conn->hcon, 1502 &iso_pi(sk)->qos, 1503 iso_pi(sk)->sync_handle, 1504 iso_pi(sk)->bc_num_bis, 1505 iso_pi(sk)->bc_bis); 1506 if (err) 1507 bt_dev_err(hdev, "hci_big_create_sync: %d", err); 1508 } 1509 1510 release_sock(sk); 1511 hci_dev_unlock(hdev); 1512 } 1513 1514 static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg, 1515 size_t len, int flags) 1516 { 1517 struct sock *sk = sock->sk; 1518 struct iso_pinfo *pi = iso_pi(sk); 1519 bool early_ret = false; 1520 int err = 0; 1521 1522 BT_DBG("sk %p", sk); 1523 1524 if (unlikely(flags & MSG_ERRQUEUE)) 1525 return sock_recv_errqueue(sk, msg, len, SOL_BLUETOOTH, 1526 BT_SCM_ERROR); 1527 1528 if (test_and_clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 1529 sock_hold(sk); 1530 lock_sock(sk); 1531 1532 switch (sk->sk_state) { 1533 case BT_CONNECT2: 1534 if (test_bit(BT_SK_PA_SYNC, &pi->flags)) { 1535 release_sock(sk); 1536 iso_conn_big_sync(sk); 1537 lock_sock(sk); 1538 1539 sk->sk_state = BT_LISTEN; 1540 } else { 1541 iso_conn_defer_accept(pi->conn->hcon); 1542 sk->sk_state = BT_CONFIG; 1543 } 1544 1545 early_ret = true; 1546 break; 1547 case BT_CONNECTED: 1548 if (test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) { 1549 release_sock(sk); 1550 iso_conn_big_sync(sk); 1551 lock_sock(sk); 1552 1553 sk->sk_state = BT_LISTEN; 1554 early_ret = true; 1555 } 1556 1557 break; 1558 case BT_CONNECT: 1559 release_sock(sk); 1560 err = iso_connect_cis(sk); 1561 lock_sock(sk); 1562 1563 early_ret = true; 1564 break; 1565 default: 1566 break; 1567 } 1568 1569 release_sock(sk); 1570 sock_put(sk); 1571 1572 if (early_ret) 1573 return err; 1574 } 1575 1576 return bt_sock_recvmsg(sock, msg, len, flags); 1577 } 1578 1579 static bool check_io_qos(struct bt_iso_io_qos *qos) 1580 { 1581 /* If no PHY is enable SDU must be 0 */ 1582 if (!qos->phy && qos->sdu) 1583 return false; 1584 1585 if (qos->interval && (qos->interval < 0xff || qos->interval > 0xfffff)) 1586 return false; 1587 1588 if (qos->latency && (qos->latency < 0x05 || qos->latency > 0xfa0)) 1589 return false; 1590 1591 if (qos->phy > BT_ISO_PHY_ANY) 1592 return false; 1593 1594 return true; 1595 } 1596 1597 static bool check_ucast_qos(struct bt_iso_qos *qos) 1598 { 1599 if (qos->ucast.cig > 0xef && qos->ucast.cig != BT_ISO_QOS_CIG_UNSET) 1600 return false; 1601 1602 if (qos->ucast.cis > 0xef && qos->ucast.cis != BT_ISO_QOS_CIS_UNSET) 1603 return false; 1604 1605 if (qos->ucast.sca > 0x07) 1606 return false; 1607 1608 if (qos->ucast.packing > 0x01) 1609 return false; 1610 1611 if (qos->ucast.framing > 0x01) 1612 return false; 1613 1614 if (!check_io_qos(&qos->ucast.in)) 1615 return false; 1616 1617 if (!check_io_qos(&qos->ucast.out)) 1618 return false; 1619 1620 return true; 1621 } 1622 1623 static bool check_bcast_qos(struct bt_iso_qos *qos) 1624 { 1625 if (!qos->bcast.sync_factor) 1626 qos->bcast.sync_factor = 0x01; 1627 1628 if (qos->bcast.packing > 0x01) 1629 return false; 1630 1631 if (qos->bcast.framing > 0x01) 1632 return false; 1633 1634 if (!check_io_qos(&qos->bcast.in)) 1635 return false; 1636 1637 if (!check_io_qos(&qos->bcast.out)) 1638 return false; 1639 1640 if (qos->bcast.encryption > 0x01) 1641 return false; 1642 1643 if (qos->bcast.options > 0x07) 1644 return false; 1645 1646 if (qos->bcast.skip > 0x01f3) 1647 return false; 1648 1649 if (!qos->bcast.sync_timeout) 1650 qos->bcast.sync_timeout = BT_ISO_SYNC_TIMEOUT; 1651 1652 if (qos->bcast.sync_timeout < 0x000a || qos->bcast.sync_timeout > 0x4000) 1653 return false; 1654 1655 if (qos->bcast.sync_cte_type > 0x1f) 1656 return false; 1657 1658 if (qos->bcast.mse > 0x1f) 1659 return false; 1660 1661 if (!qos->bcast.timeout) 1662 qos->bcast.sync_timeout = BT_ISO_SYNC_TIMEOUT; 1663 1664 if (qos->bcast.timeout < 0x000a || qos->bcast.timeout > 0x4000) 1665 return false; 1666 1667 return true; 1668 } 1669 1670 static int iso_sock_setsockopt(struct socket *sock, int level, int optname, 1671 sockptr_t optval, unsigned int optlen) 1672 { 1673 struct sock *sk = sock->sk; 1674 int err = 0; 1675 struct bt_iso_qos qos = default_qos; 1676 u32 opt; 1677 1678 BT_DBG("sk %p", sk); 1679 1680 lock_sock(sk); 1681 1682 switch (optname) { 1683 case BT_DEFER_SETUP: 1684 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 1685 err = -EINVAL; 1686 break; 1687 } 1688 1689 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 1690 if (err) 1691 break; 1692 1693 if (opt) 1694 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 1695 else 1696 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 1697 break; 1698 1699 case BT_PKT_STATUS: 1700 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 1701 if (err) 1702 break; 1703 1704 if (opt) 1705 set_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags); 1706 else 1707 clear_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags); 1708 break; 1709 1710 case BT_PKT_SEQNUM: 1711 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 1712 if (err) 1713 break; 1714 1715 if (opt) 1716 set_bit(BT_SK_PKT_SEQNUM, &bt_sk(sk)->flags); 1717 else 1718 clear_bit(BT_SK_PKT_SEQNUM, &bt_sk(sk)->flags); 1719 break; 1720 1721 case BT_ISO_QOS: 1722 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND && 1723 sk->sk_state != BT_CONNECT2 && 1724 (!test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags) || 1725 sk->sk_state != BT_CONNECTED)) { 1726 err = -EINVAL; 1727 break; 1728 } 1729 1730 err = copy_safe_from_sockptr(&qos, sizeof(qos), optval, optlen); 1731 if (err) 1732 break; 1733 1734 iso_pi(sk)->qos = qos; 1735 iso_pi(sk)->qos_user_set = true; 1736 1737 break; 1738 1739 case BT_ISO_BASE: 1740 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND && 1741 sk->sk_state != BT_CONNECT2) { 1742 err = -EINVAL; 1743 break; 1744 } 1745 1746 if (optlen > sizeof(iso_pi(sk)->base)) { 1747 err = -EINVAL; 1748 break; 1749 } 1750 1751 err = copy_safe_from_sockptr(iso_pi(sk)->base, optlen, optval, 1752 optlen); 1753 if (err) 1754 break; 1755 1756 iso_pi(sk)->base_len = optlen; 1757 1758 break; 1759 1760 default: 1761 err = -ENOPROTOOPT; 1762 break; 1763 } 1764 1765 release_sock(sk); 1766 return err; 1767 } 1768 1769 static int iso_sock_getsockopt(struct socket *sock, int level, int optname, 1770 char __user *optval, int __user *optlen) 1771 { 1772 struct sock *sk = sock->sk; 1773 int len, err = 0; 1774 struct bt_iso_qos *qos; 1775 u8 base_len; 1776 u8 *base; 1777 1778 BT_DBG("sk %p", sk); 1779 1780 if (get_user(len, optlen)) 1781 return -EFAULT; 1782 1783 lock_sock(sk); 1784 1785 switch (optname) { 1786 case BT_DEFER_SETUP: 1787 if (sk->sk_state == BT_CONNECTED) { 1788 err = -EINVAL; 1789 break; 1790 } 1791 1792 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags), 1793 (u32 __user *)optval)) 1794 err = -EFAULT; 1795 1796 break; 1797 1798 case BT_PKT_STATUS: 1799 if (put_user(test_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags), 1800 (int __user *)optval)) 1801 err = -EFAULT; 1802 break; 1803 1804 case BT_ISO_QOS: 1805 qos = iso_sock_get_qos(sk); 1806 1807 len = min_t(unsigned int, len, sizeof(*qos)); 1808 if (copy_to_user(optval, qos, len)) 1809 err = -EFAULT; 1810 1811 break; 1812 1813 case BT_ISO_BASE: 1814 if (sk->sk_state == BT_CONNECTED && 1815 !bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) { 1816 base_len = iso_pi(sk)->conn->hcon->le_per_adv_data_len; 1817 base = iso_pi(sk)->conn->hcon->le_per_adv_data; 1818 } else { 1819 base_len = iso_pi(sk)->base_len; 1820 base = iso_pi(sk)->base; 1821 } 1822 1823 len = min_t(unsigned int, len, base_len); 1824 if (copy_to_user(optval, base, len)) 1825 err = -EFAULT; 1826 if (put_user(len, optlen)) 1827 err = -EFAULT; 1828 1829 break; 1830 1831 default: 1832 err = -ENOPROTOOPT; 1833 break; 1834 } 1835 1836 release_sock(sk); 1837 return err; 1838 } 1839 1840 static int iso_sock_shutdown(struct socket *sock, int how) 1841 { 1842 struct sock *sk = sock->sk; 1843 int err = 0; 1844 1845 BT_DBG("sock %p, sk %p, how %d", sock, sk, how); 1846 1847 if (!sk) 1848 return 0; 1849 1850 sock_hold(sk); 1851 lock_sock(sk); 1852 1853 switch (how) { 1854 case SHUT_RD: 1855 if (sk->sk_shutdown & RCV_SHUTDOWN) 1856 goto unlock; 1857 sk->sk_shutdown |= RCV_SHUTDOWN; 1858 break; 1859 case SHUT_WR: 1860 if (sk->sk_shutdown & SEND_SHUTDOWN) 1861 goto unlock; 1862 sk->sk_shutdown |= SEND_SHUTDOWN; 1863 break; 1864 case SHUT_RDWR: 1865 if (sk->sk_shutdown & SHUTDOWN_MASK) 1866 goto unlock; 1867 sk->sk_shutdown |= SHUTDOWN_MASK; 1868 break; 1869 } 1870 1871 iso_sock_clear_timer(sk); 1872 __iso_sock_close(sk); 1873 1874 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime && 1875 !(current->flags & PF_EXITING)) 1876 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime); 1877 1878 unlock: 1879 release_sock(sk); 1880 sock_put(sk); 1881 1882 return err; 1883 } 1884 1885 static int iso_sock_release(struct socket *sock) 1886 { 1887 struct sock *sk = sock->sk; 1888 int err = 0; 1889 1890 BT_DBG("sock %p, sk %p", sock, sk); 1891 1892 if (!sk) 1893 return 0; 1894 1895 iso_sock_close(sk); 1896 1897 if (sock_flag(sk, SOCK_LINGER) && READ_ONCE(sk->sk_lingertime) && 1898 !(current->flags & PF_EXITING)) { 1899 lock_sock(sk); 1900 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime); 1901 release_sock(sk); 1902 } 1903 1904 sock_orphan(sk); 1905 iso_sock_kill(sk); 1906 return err; 1907 } 1908 1909 static void iso_sock_ready(struct sock *sk) 1910 { 1911 BT_DBG("sk %p", sk); 1912 1913 if (!sk) 1914 return; 1915 1916 lock_sock(sk); 1917 iso_sock_clear_timer(sk); 1918 sk->sk_state = BT_CONNECTED; 1919 sk->sk_state_change(sk); 1920 release_sock(sk); 1921 } 1922 1923 static bool iso_match_big(struct sock *sk, void *data) 1924 { 1925 struct hci_evt_le_big_sync_established *ev = data; 1926 1927 return ev->handle == iso_pi(sk)->qos.bcast.big; 1928 } 1929 1930 static bool iso_match_big_hcon(struct sock *sk, void *data) 1931 { 1932 struct hci_conn *hcon = data; 1933 1934 return hcon->iso_qos.bcast.big == iso_pi(sk)->qos.bcast.big; 1935 } 1936 1937 static bool iso_match_pa_sync_flag(struct sock *sk, void *data) 1938 { 1939 return test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags); 1940 } 1941 1942 static void iso_conn_ready(struct iso_conn *conn) 1943 { 1944 struct sock *parent = NULL; 1945 struct sock *sk = conn->sk; 1946 struct hci_ev_le_big_sync_established *ev = NULL; 1947 struct hci_ev_le_pa_sync_established *ev2 = NULL; 1948 struct hci_ev_le_per_adv_report *ev3 = NULL; 1949 struct hci_conn *hcon; 1950 1951 BT_DBG("conn %p", conn); 1952 1953 if (sk) { 1954 iso_sock_ready(conn->sk); 1955 } else { 1956 hcon = conn->hcon; 1957 if (!hcon) 1958 return; 1959 1960 if (test_bit(HCI_CONN_BIG_SYNC, &hcon->flags)) { 1961 /* A BIS slave hcon is notified to the ISO layer 1962 * after the Command Complete for the LE Setup 1963 * ISO Data Path command is received. Get the 1964 * parent socket that matches the hcon BIG handle. 1965 */ 1966 parent = iso_get_sock(&hcon->src, &hcon->dst, 1967 BT_LISTEN, iso_match_big_hcon, 1968 hcon); 1969 } else if (test_bit(HCI_CONN_BIG_SYNC_FAILED, &hcon->flags)) { 1970 ev = hci_recv_event_data(hcon->hdev, 1971 HCI_EVT_LE_BIG_SYNC_ESTABLISHED); 1972 1973 /* Get reference to PA sync parent socket, if it exists */ 1974 parent = iso_get_sock(&hcon->src, &hcon->dst, 1975 BT_LISTEN, 1976 iso_match_pa_sync_flag, 1977 NULL); 1978 if (!parent && ev) 1979 parent = iso_get_sock(&hcon->src, 1980 &hcon->dst, 1981 BT_LISTEN, 1982 iso_match_big, ev); 1983 } else if (test_bit(HCI_CONN_PA_SYNC_FAILED, &hcon->flags)) { 1984 ev2 = hci_recv_event_data(hcon->hdev, 1985 HCI_EV_LE_PA_SYNC_ESTABLISHED); 1986 if (ev2) 1987 parent = iso_get_sock(&hcon->src, 1988 &hcon->dst, 1989 BT_LISTEN, 1990 iso_match_sid, ev2); 1991 } else if (test_bit(HCI_CONN_PA_SYNC, &hcon->flags)) { 1992 ev3 = hci_recv_event_data(hcon->hdev, 1993 HCI_EV_LE_PER_ADV_REPORT); 1994 if (ev3) 1995 parent = iso_get_sock(&hcon->src, 1996 &hcon->dst, 1997 BT_LISTEN, 1998 iso_match_sync_handle_pa_report, 1999 ev3); 2000 } 2001 2002 if (!parent) 2003 parent = iso_get_sock(&hcon->src, BDADDR_ANY, 2004 BT_LISTEN, NULL, NULL); 2005 2006 if (!parent) 2007 return; 2008 2009 lock_sock(parent); 2010 2011 sk = iso_sock_alloc(sock_net(parent), NULL, 2012 BTPROTO_ISO, GFP_ATOMIC, 0); 2013 if (!sk) { 2014 release_sock(parent); 2015 return; 2016 } 2017 2018 iso_sock_init(sk, parent); 2019 2020 bacpy(&iso_pi(sk)->src, &hcon->src); 2021 2022 /* Convert from HCI to three-value type */ 2023 if (hcon->src_type == ADDR_LE_DEV_PUBLIC) 2024 iso_pi(sk)->src_type = BDADDR_LE_PUBLIC; 2025 else 2026 iso_pi(sk)->src_type = BDADDR_LE_RANDOM; 2027 2028 /* If hcon has no destination address (BDADDR_ANY) it means it 2029 * was created by HCI_EV_LE_BIG_SYNC_ESTABILISHED or 2030 * HCI_EV_LE_PA_SYNC_ESTABLISHED so we need to initialize using 2031 * the parent socket destination address. 2032 */ 2033 if (!bacmp(&hcon->dst, BDADDR_ANY)) { 2034 bacpy(&hcon->dst, &iso_pi(parent)->dst); 2035 hcon->dst_type = iso_pi(parent)->dst_type; 2036 } 2037 2038 if (test_bit(HCI_CONN_PA_SYNC, &hcon->flags)) { 2039 iso_pi(sk)->qos = iso_pi(parent)->qos; 2040 hcon->iso_qos = iso_pi(sk)->qos; 2041 iso_pi(sk)->bc_sid = iso_pi(parent)->bc_sid; 2042 iso_pi(sk)->bc_num_bis = iso_pi(parent)->bc_num_bis; 2043 memcpy(iso_pi(sk)->bc_bis, iso_pi(parent)->bc_bis, 2044 ISO_MAX_NUM_BIS); 2045 set_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags); 2046 } 2047 2048 bacpy(&iso_pi(sk)->dst, &hcon->dst); 2049 iso_pi(sk)->dst_type = hcon->dst_type; 2050 iso_pi(sk)->sync_handle = iso_pi(parent)->sync_handle; 2051 memcpy(iso_pi(sk)->base, iso_pi(parent)->base, iso_pi(parent)->base_len); 2052 iso_pi(sk)->base_len = iso_pi(parent)->base_len; 2053 2054 hci_conn_hold(hcon); 2055 iso_chan_add(conn, sk, parent); 2056 2057 if ((ev && ((struct hci_evt_le_big_sync_established *)ev)->status) || 2058 (ev2 && ev2->status)) { 2059 /* Trigger error signal on child socket */ 2060 sk->sk_err = ECONNREFUSED; 2061 sk->sk_error_report(sk); 2062 } 2063 2064 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags)) 2065 sk->sk_state = BT_CONNECT2; 2066 else 2067 sk->sk_state = BT_CONNECTED; 2068 2069 /* Wake up parent */ 2070 parent->sk_data_ready(parent); 2071 2072 release_sock(parent); 2073 sock_put(parent); 2074 } 2075 } 2076 2077 static bool iso_match_sid(struct sock *sk, void *data) 2078 { 2079 struct hci_ev_le_pa_sync_established *ev = data; 2080 2081 if (iso_pi(sk)->bc_sid == HCI_SID_INVALID) 2082 return true; 2083 2084 return ev->sid == iso_pi(sk)->bc_sid; 2085 } 2086 2087 static bool iso_match_sync_handle(struct sock *sk, void *data) 2088 { 2089 struct hci_evt_le_big_info_adv_report *ev = data; 2090 2091 return le16_to_cpu(ev->sync_handle) == iso_pi(sk)->sync_handle; 2092 } 2093 2094 static bool iso_match_sync_handle_pa_report(struct sock *sk, void *data) 2095 { 2096 struct hci_ev_le_per_adv_report *ev = data; 2097 2098 return le16_to_cpu(ev->sync_handle) == iso_pi(sk)->sync_handle; 2099 } 2100 2101 /* ----- ISO interface with lower layer (HCI) ----- */ 2102 2103 int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags) 2104 { 2105 struct hci_ev_le_pa_sync_established *ev1; 2106 struct hci_evt_le_big_info_adv_report *ev2; 2107 struct hci_ev_le_per_adv_report *ev3; 2108 struct sock *sk; 2109 2110 bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr); 2111 2112 /* Broadcast receiver requires handling of some events before it can 2113 * proceed to establishing a BIG sync: 2114 * 2115 * 1. HCI_EV_LE_PA_SYNC_ESTABLISHED: The socket may specify a specific 2116 * SID to listen to and once sync is established its handle needs to 2117 * be stored in iso_pi(sk)->sync_handle so it can be matched once 2118 * receiving the BIG Info. 2119 * 2. HCI_EVT_LE_BIG_INFO_ADV_REPORT: When connect_ind is triggered by a 2120 * a BIG Info it attempts to check if there any listening socket with 2121 * the same sync_handle and if it does then attempt to create a sync. 2122 * 3. HCI_EV_LE_PER_ADV_REPORT: When a PA report is received, it is stored 2123 * in iso_pi(sk)->base so it can be passed up to user, in the case of a 2124 * broadcast sink. 2125 */ 2126 ev1 = hci_recv_event_data(hdev, HCI_EV_LE_PA_SYNC_ESTABLISHED); 2127 if (ev1) { 2128 sk = iso_get_sock(&hdev->bdaddr, bdaddr, BT_LISTEN, 2129 iso_match_sid, ev1); 2130 if (sk && !ev1->status) { 2131 iso_pi(sk)->sync_handle = le16_to_cpu(ev1->handle); 2132 iso_pi(sk)->bc_sid = ev1->sid; 2133 } 2134 2135 goto done; 2136 } 2137 2138 ev2 = hci_recv_event_data(hdev, HCI_EVT_LE_BIG_INFO_ADV_REPORT); 2139 if (ev2) { 2140 /* Check if BIGInfo report has already been handled */ 2141 sk = iso_get_sock(&hdev->bdaddr, bdaddr, BT_CONNECTED, 2142 iso_match_sync_handle, ev2); 2143 if (sk) { 2144 sock_put(sk); 2145 sk = NULL; 2146 goto done; 2147 } 2148 2149 /* Try to get PA sync socket, if it exists */ 2150 sk = iso_get_sock(&hdev->bdaddr, bdaddr, BT_CONNECT2, 2151 iso_match_sync_handle, ev2); 2152 if (!sk) 2153 sk = iso_get_sock(&hdev->bdaddr, bdaddr, 2154 BT_LISTEN, 2155 iso_match_sync_handle, 2156 ev2); 2157 2158 if (sk) { 2159 int err; 2160 struct hci_conn *hcon = iso_pi(sk)->conn->hcon; 2161 2162 iso_pi(sk)->qos.bcast.encryption = ev2->encryption; 2163 2164 if (ev2->num_bis < iso_pi(sk)->bc_num_bis) 2165 iso_pi(sk)->bc_num_bis = ev2->num_bis; 2166 2167 if (!test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags) && 2168 !test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) { 2169 err = hci_conn_big_create_sync(hdev, hcon, 2170 &iso_pi(sk)->qos, 2171 iso_pi(sk)->sync_handle, 2172 iso_pi(sk)->bc_num_bis, 2173 iso_pi(sk)->bc_bis); 2174 if (err) { 2175 bt_dev_err(hdev, "hci_le_big_create_sync: %d", 2176 err); 2177 sock_put(sk); 2178 sk = NULL; 2179 } 2180 } 2181 } 2182 2183 goto done; 2184 } 2185 2186 ev3 = hci_recv_event_data(hdev, HCI_EV_LE_PER_ADV_REPORT); 2187 if (ev3) { 2188 size_t base_len = 0; 2189 u8 *base; 2190 struct hci_conn *hcon; 2191 2192 sk = iso_get_sock(&hdev->bdaddr, bdaddr, BT_LISTEN, 2193 iso_match_sync_handle_pa_report, ev3); 2194 if (!sk) 2195 goto done; 2196 2197 hcon = iso_pi(sk)->conn->hcon; 2198 if (!hcon) 2199 goto done; 2200 2201 if (ev3->data_status == LE_PA_DATA_TRUNCATED) { 2202 /* The controller was unable to retrieve PA data. */ 2203 memset(hcon->le_per_adv_data, 0, 2204 HCI_MAX_PER_AD_TOT_LEN); 2205 hcon->le_per_adv_data_len = 0; 2206 hcon->le_per_adv_data_offset = 0; 2207 goto done; 2208 } 2209 2210 if (hcon->le_per_adv_data_offset + ev3->length > 2211 HCI_MAX_PER_AD_TOT_LEN) 2212 goto done; 2213 2214 memcpy(hcon->le_per_adv_data + hcon->le_per_adv_data_offset, 2215 ev3->data, ev3->length); 2216 hcon->le_per_adv_data_offset += ev3->length; 2217 2218 if (ev3->data_status == LE_PA_DATA_COMPLETE) { 2219 /* All PA data has been received. */ 2220 hcon->le_per_adv_data_len = 2221 hcon->le_per_adv_data_offset; 2222 hcon->le_per_adv_data_offset = 0; 2223 2224 /* Extract BASE */ 2225 base = eir_get_service_data(hcon->le_per_adv_data, 2226 hcon->le_per_adv_data_len, 2227 EIR_BAA_SERVICE_UUID, 2228 &base_len); 2229 2230 if (!base || base_len > BASE_MAX_LENGTH) 2231 goto done; 2232 2233 memcpy(iso_pi(sk)->base, base, base_len); 2234 iso_pi(sk)->base_len = base_len; 2235 } else { 2236 /* This is a PA data fragment. Keep pa_data_len set to 0 2237 * until all data has been reassembled. 2238 */ 2239 hcon->le_per_adv_data_len = 0; 2240 } 2241 } else { 2242 sk = iso_get_sock(&hdev->bdaddr, BDADDR_ANY, 2243 BT_LISTEN, NULL, NULL); 2244 } 2245 2246 done: 2247 if (!sk) 2248 return 0; 2249 2250 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) 2251 *flags |= HCI_PROTO_DEFER; 2252 2253 sock_put(sk); 2254 2255 return HCI_LM_ACCEPT; 2256 } 2257 2258 static void iso_connect_cfm(struct hci_conn *hcon, __u8 status) 2259 { 2260 if (hcon->type != CIS_LINK && hcon->type != BIS_LINK && 2261 hcon->type != PA_LINK) { 2262 if (hcon->type != LE_LINK) 2263 return; 2264 2265 /* Check if LE link has failed */ 2266 if (status) { 2267 struct hci_link *link, *t; 2268 2269 list_for_each_entry_safe(link, t, &hcon->link_list, 2270 list) 2271 iso_conn_del(link->conn, bt_to_errno(status)); 2272 2273 return; 2274 } 2275 2276 /* Create CIS if pending */ 2277 hci_le_create_cis_pending(hcon->hdev); 2278 return; 2279 } 2280 2281 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status); 2282 2283 /* Similar to the success case, if HCI_CONN_BIG_SYNC_FAILED or 2284 * HCI_CONN_PA_SYNC_FAILED is set, queue the failed connection 2285 * into the accept queue of the listening socket and wake up 2286 * userspace, to inform the user about the event. 2287 */ 2288 if (!status || test_bit(HCI_CONN_BIG_SYNC_FAILED, &hcon->flags) || 2289 test_bit(HCI_CONN_PA_SYNC_FAILED, &hcon->flags)) { 2290 struct iso_conn *conn; 2291 2292 conn = iso_conn_add(hcon); 2293 if (conn) 2294 iso_conn_ready(conn); 2295 } else { 2296 iso_conn_del(hcon, bt_to_errno(status)); 2297 } 2298 } 2299 2300 static void iso_disconn_cfm(struct hci_conn *hcon, __u8 reason) 2301 { 2302 if (hcon->type != CIS_LINK && hcon->type != BIS_LINK && 2303 hcon->type != PA_LINK) 2304 return; 2305 2306 BT_DBG("hcon %p reason %d", hcon, reason); 2307 2308 iso_conn_del(hcon, bt_to_errno(reason)); 2309 } 2310 2311 void iso_recv(struct hci_conn *hcon, struct sk_buff *skb, u16 flags) 2312 { 2313 struct iso_conn *conn = hcon->iso_data; 2314 struct skb_shared_hwtstamps *hwts; 2315 __u16 pb, ts, len, sn; 2316 2317 if (!conn) 2318 goto drop; 2319 2320 pb = hci_iso_flags_pb(flags); 2321 ts = hci_iso_flags_ts(flags); 2322 2323 BT_DBG("conn %p len %d pb 0x%x ts 0x%x", conn, skb->len, pb, ts); 2324 2325 switch (pb) { 2326 case ISO_START: 2327 case ISO_SINGLE: 2328 if (conn->rx_len) { 2329 BT_ERR("Unexpected start frame (len %d)", skb->len); 2330 kfree_skb(conn->rx_skb); 2331 conn->rx_skb = NULL; 2332 conn->rx_len = 0; 2333 } 2334 2335 if (ts) { 2336 struct hci_iso_ts_data_hdr *hdr; 2337 2338 hdr = skb_pull_data(skb, HCI_ISO_TS_DATA_HDR_SIZE); 2339 if (!hdr) { 2340 BT_ERR("Frame is too short (len %d)", skb->len); 2341 goto drop; 2342 } 2343 2344 /* Record the timestamp to skb */ 2345 hwts = skb_hwtstamps(skb); 2346 hwts->hwtstamp = us_to_ktime(le32_to_cpu(hdr->ts)); 2347 2348 sn = __le16_to_cpu(hdr->sn); 2349 len = __le16_to_cpu(hdr->slen); 2350 } else { 2351 struct hci_iso_data_hdr *hdr; 2352 2353 hdr = skb_pull_data(skb, HCI_ISO_DATA_HDR_SIZE); 2354 if (!hdr) { 2355 BT_ERR("Frame is too short (len %d)", skb->len); 2356 goto drop; 2357 } 2358 2359 sn = __le16_to_cpu(hdr->sn); 2360 len = __le16_to_cpu(hdr->slen); 2361 } 2362 2363 flags = hci_iso_data_flags(len); 2364 len = hci_iso_data_len(len); 2365 2366 BT_DBG("Start: total len %d, frag len %d flags 0x%4.4x sn %d", 2367 len, skb->len, flags, sn); 2368 2369 if (len == skb->len) { 2370 /* Complete frame received */ 2371 hci_skb_pkt_status(skb) = flags & 0x03; 2372 hci_skb_pkt_seqnum(skb) = sn; 2373 iso_recv_frame(conn, skb); 2374 return; 2375 } 2376 2377 if (pb == ISO_SINGLE) { 2378 BT_ERR("Frame malformed (len %d, expected len %d)", 2379 skb->len, len); 2380 goto drop; 2381 } 2382 2383 if (skb->len > len) { 2384 BT_ERR("Frame is too long (len %d, expected len %d)", 2385 skb->len, len); 2386 goto drop; 2387 } 2388 2389 /* Allocate skb for the complete frame (with header) */ 2390 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL); 2391 if (!conn->rx_skb) 2392 goto drop; 2393 2394 hci_skb_pkt_status(conn->rx_skb) = flags & 0x03; 2395 hci_skb_pkt_seqnum(conn->rx_skb) = sn; 2396 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len), 2397 skb->len); 2398 conn->rx_len = len - skb->len; 2399 2400 /* Copy hw timestamp from skb to rx_skb if present */ 2401 if (ts) { 2402 hwts = skb_hwtstamps(conn->rx_skb); 2403 hwts->hwtstamp = skb_hwtstamps(skb)->hwtstamp; 2404 } 2405 2406 break; 2407 2408 case ISO_CONT: 2409 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, 2410 conn->rx_len); 2411 2412 if (!conn->rx_len) { 2413 BT_ERR("Unexpected continuation frame (len %d)", 2414 skb->len); 2415 goto drop; 2416 } 2417 2418 if (skb->len > conn->rx_len) { 2419 BT_ERR("Fragment is too long (len %d, expected %d)", 2420 skb->len, conn->rx_len); 2421 kfree_skb(conn->rx_skb); 2422 conn->rx_skb = NULL; 2423 conn->rx_len = 0; 2424 goto drop; 2425 } 2426 2427 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len), 2428 skb->len); 2429 conn->rx_len -= skb->len; 2430 break; 2431 2432 case ISO_END: 2433 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len), 2434 skb->len); 2435 conn->rx_len -= skb->len; 2436 2437 if (!conn->rx_len) { 2438 struct sk_buff *rx_skb = conn->rx_skb; 2439 2440 /* Complete frame received. iso_recv_frame 2441 * takes ownership of the skb so set the global 2442 * rx_skb pointer to NULL first. 2443 */ 2444 conn->rx_skb = NULL; 2445 iso_recv_frame(conn, rx_skb); 2446 } 2447 break; 2448 } 2449 2450 drop: 2451 kfree_skb(skb); 2452 } 2453 2454 static struct hci_cb iso_cb = { 2455 .name = "ISO", 2456 .connect_cfm = iso_connect_cfm, 2457 .disconn_cfm = iso_disconn_cfm, 2458 }; 2459 2460 static int iso_debugfs_show(struct seq_file *f, void *p) 2461 { 2462 struct sock *sk; 2463 2464 read_lock(&iso_sk_list.lock); 2465 2466 sk_for_each(sk, &iso_sk_list.head) { 2467 seq_printf(f, "%pMR %pMR %d\n", &iso_pi(sk)->src, 2468 &iso_pi(sk)->dst, sk->sk_state); 2469 } 2470 2471 read_unlock(&iso_sk_list.lock); 2472 2473 return 0; 2474 } 2475 2476 DEFINE_SHOW_ATTRIBUTE(iso_debugfs); 2477 2478 static struct dentry *iso_debugfs; 2479 2480 static const struct proto_ops iso_sock_ops = { 2481 .family = PF_BLUETOOTH, 2482 .owner = THIS_MODULE, 2483 .release = iso_sock_release, 2484 .bind = iso_sock_bind, 2485 .connect = iso_sock_connect, 2486 .listen = iso_sock_listen, 2487 .accept = iso_sock_accept, 2488 .getname = iso_sock_getname, 2489 .sendmsg = iso_sock_sendmsg, 2490 .recvmsg = iso_sock_recvmsg, 2491 .poll = bt_sock_poll, 2492 .ioctl = bt_sock_ioctl, 2493 .mmap = sock_no_mmap, 2494 .socketpair = sock_no_socketpair, 2495 .shutdown = iso_sock_shutdown, 2496 .setsockopt = iso_sock_setsockopt, 2497 .getsockopt = iso_sock_getsockopt 2498 }; 2499 2500 static const struct net_proto_family iso_sock_family_ops = { 2501 .family = PF_BLUETOOTH, 2502 .owner = THIS_MODULE, 2503 .create = iso_sock_create, 2504 }; 2505 2506 static bool inited; 2507 2508 bool iso_inited(void) 2509 { 2510 return inited; 2511 } 2512 2513 int iso_init(void) 2514 { 2515 int err; 2516 2517 BUILD_BUG_ON(sizeof(struct sockaddr_iso) > sizeof(struct sockaddr)); 2518 2519 if (inited) 2520 return -EALREADY; 2521 2522 err = proto_register(&iso_proto, 0); 2523 if (err < 0) 2524 return err; 2525 2526 err = bt_sock_register(BTPROTO_ISO, &iso_sock_family_ops); 2527 if (err < 0) { 2528 BT_ERR("ISO socket registration failed"); 2529 goto error; 2530 } 2531 2532 err = bt_procfs_init(&init_net, "iso", &iso_sk_list, NULL); 2533 if (err < 0) { 2534 BT_ERR("Failed to create ISO proc file"); 2535 bt_sock_unregister(BTPROTO_ISO); 2536 goto error; 2537 } 2538 2539 BT_INFO("ISO socket layer initialized"); 2540 2541 hci_register_cb(&iso_cb); 2542 2543 if (!IS_ERR_OR_NULL(bt_debugfs)) 2544 iso_debugfs = debugfs_create_file("iso", 0444, bt_debugfs, 2545 NULL, &iso_debugfs_fops); 2546 2547 inited = true; 2548 2549 return 0; 2550 2551 error: 2552 proto_unregister(&iso_proto); 2553 return err; 2554 } 2555 2556 int iso_exit(void) 2557 { 2558 if (!inited) 2559 return -EALREADY; 2560 2561 bt_procfs_cleanup(&init_net, "iso"); 2562 2563 debugfs_remove(iso_debugfs); 2564 iso_debugfs = NULL; 2565 2566 hci_unregister_cb(&iso_cb); 2567 2568 bt_sock_unregister(BTPROTO_ISO); 2569 2570 proto_unregister(&iso_proto); 2571 2572 inited = false; 2573 2574 return 0; 2575 } 2576