CoCalc -- iso.c

GitHub Repository: torvalds/linux
Path: blob/master/net/bluetooth/iso.c
²⁶²⁷⁸ views
1
// SPDX-License-Identifier: GPL-2.0
2
/*
3
 * BlueZ - Bluetooth protocol stack for Linux
4
 *
5
 * Copyright (C) 2022 Intel Corporation
6
 * Copyright 2023-2024 NXP
7
 */
8

9
#include <linux/module.h>
10
#include <linux/debugfs.h>
11
#include <linux/seq_file.h>
12
#include <linux/sched/signal.h>
13

14
#include <net/bluetooth/bluetooth.h>
15
#include <net/bluetooth/hci_core.h>
16
#include <net/bluetooth/iso.h>
17
#include "eir.h"
18

19
static const struct proto_ops iso_sock_ops;
20

21
static struct bt_sock_list iso_sk_list = {
22
	.lock = __RW_LOCK_UNLOCKED(iso_sk_list.lock)
23
};
24

25
/* ---- ISO connections ---- */
26
struct iso_conn {
27
	struct hci_conn	*hcon;
28

29
	/* @lock: spinlock protecting changes to iso_conn fields */
30
	spinlock_t	lock;
31
	struct sock	*sk;
32

33
	struct delayed_work	timeout_work;
34

35
	struct sk_buff	*rx_skb;
36
	__u32		rx_len;
37
	__u16		tx_sn;
38
	struct kref	ref;
39
};
40

41
#define iso_conn_lock(c)	spin_lock(&(c)->lock)
42
#define iso_conn_unlock(c)	spin_unlock(&(c)->lock)
43

44
static void iso_sock_close(struct sock *sk);
45
static void iso_sock_kill(struct sock *sk);
46

47
/* ----- ISO socket info ----- */
48
#define iso_pi(sk) ((struct iso_pinfo *)sk)
49

50
#define EIR_SERVICE_DATA_LENGTH 4
51
#define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH)
52
#define EIR_BAA_SERVICE_UUID	0x1851
53

54
/* iso_pinfo flags values */
55
enum {
56
	BT_SK_BIG_SYNC,
57
	BT_SK_PA_SYNC,
58
};
59

60
struct iso_pinfo {
61
	struct bt_sock		bt;
62
	bdaddr_t		src;
63
	__u8			src_type;
64
	bdaddr_t		dst;
65
	__u8			dst_type;
66
	__u8			bc_sid;
67
	__u8			bc_num_bis;
68
	__u8			bc_bis[ISO_MAX_NUM_BIS];
69
	__u16			sync_handle;
70
	unsigned long		flags;
71
	struct bt_iso_qos	qos;
72
	bool			qos_user_set;
73
	__u8			base_len;
74
	__u8			base[BASE_MAX_LENGTH];
75
	struct iso_conn		*conn;
76
};
77

78
static struct bt_iso_qos default_qos;
79

80
static bool check_ucast_qos(struct bt_iso_qos *qos);
81
static bool check_bcast_qos(struct bt_iso_qos *qos);
82
static bool iso_match_sid(struct sock *sk, void *data);
83
static bool iso_match_sync_handle(struct sock *sk, void *data);
84
static bool iso_match_sync_handle_pa_report(struct sock *sk, void *data);
85
static void iso_sock_disconn(struct sock *sk);
86

87
typedef bool (*iso_sock_match_t)(struct sock *sk, void *data);
88

89
static struct sock *iso_get_sock(bdaddr_t *src, bdaddr_t *dst,
90
				 enum bt_sock_state state,
91
				 iso_sock_match_t match, void *data);
92

93
/* ---- ISO timers ---- */
94
#define ISO_CONN_TIMEOUT	(HZ * 40)
95
#define ISO_DISCONN_TIMEOUT	(HZ * 2)
96

97
static void iso_conn_free(struct kref *ref)
98
{
99
	struct iso_conn *conn = container_of(ref, struct iso_conn, ref);
100

101
	BT_DBG("conn %p", conn);
102

103
	if (conn->sk)
104
		iso_pi(conn->sk)->conn = NULL;
105

106
	if (conn->hcon) {
107
		conn->hcon->iso_data = NULL;
108
		hci_conn_drop(conn->hcon);
109
	}
110

111
	/* Ensure no more work items will run since hci_conn has been dropped */
112
	disable_delayed_work_sync(&conn->timeout_work);
113

114
	kfree(conn);
115
}
116

117
static void iso_conn_put(struct iso_conn *conn)
118
{
119
	if (!conn)
120
		return;
121

122
	BT_DBG("conn %p refcnt %d", conn, kref_read(&conn->ref));
123

124
	kref_put(&conn->ref, iso_conn_free);
125
}
126

127
static struct iso_conn *iso_conn_hold_unless_zero(struct iso_conn *conn)
128
{
129
	if (!conn)
130
		return NULL;
131

132
	BT_DBG("conn %p refcnt %u", conn, kref_read(&conn->ref));
133

134
	if (!kref_get_unless_zero(&conn->ref))
135
		return NULL;
136

137
	return conn;
138
}
139

140
static struct sock *iso_sock_hold(struct iso_conn *conn)
141
{
142
	if (!conn || !bt_sock_linked(&iso_sk_list, conn->sk))
143
		return NULL;
144

145
	sock_hold(conn->sk);
146

147
	return conn->sk;
148
}
149

150
static void iso_sock_timeout(struct work_struct *work)
151
{
152
	struct iso_conn *conn = container_of(work, struct iso_conn,
153
					     timeout_work.work);
154
	struct sock *sk;
155

156
	conn = iso_conn_hold_unless_zero(conn);
157
	if (!conn)
158
		return;
159

160
	iso_conn_lock(conn);
161
	sk = iso_sock_hold(conn);
162
	iso_conn_unlock(conn);
163
	iso_conn_put(conn);
164

165
	if (!sk)
166
		return;
167

168
	BT_DBG("sock %p state %d", sk, sk->sk_state);
169

170
	lock_sock(sk);
171
	sk->sk_err = ETIMEDOUT;
172
	sk->sk_state_change(sk);
173
	release_sock(sk);
174
	sock_put(sk);
175
}
176

177
static void iso_sock_set_timer(struct sock *sk, long timeout)
178
{
179
	if (!iso_pi(sk)->conn)
180
		return;
181

182
	BT_DBG("sock %p state %d timeout %ld", sk, sk->sk_state, timeout);
183
	cancel_delayed_work(&iso_pi(sk)->conn->timeout_work);
184
	schedule_delayed_work(&iso_pi(sk)->conn->timeout_work, timeout);
185
}
186

187
static void iso_sock_clear_timer(struct sock *sk)
188
{
189
	if (!iso_pi(sk)->conn)
190
		return;
191

192
	BT_DBG("sock %p state %d", sk, sk->sk_state);
193
	cancel_delayed_work(&iso_pi(sk)->conn->timeout_work);
194
}
195

196
/* ---- ISO connections ---- */
197
static struct iso_conn *iso_conn_add(struct hci_conn *hcon)
198
{
199
	struct iso_conn *conn = hcon->iso_data;
200

201
	conn = iso_conn_hold_unless_zero(conn);
202
	if (conn) {
203
		if (!conn->hcon) {
204
			iso_conn_lock(conn);
205
			conn->hcon = hcon;
206
			iso_conn_unlock(conn);
207
		}
208
		iso_conn_put(conn);
209
		return conn;
210
	}
211

212
	conn = kzalloc(sizeof(*conn), GFP_KERNEL);
213
	if (!conn)
214
		return NULL;
215

216
	kref_init(&conn->ref);
217
	spin_lock_init(&conn->lock);
218
	INIT_DELAYED_WORK(&conn->timeout_work, iso_sock_timeout);
219

220
	hcon->iso_data = conn;
221
	conn->hcon = hcon;
222
	conn->tx_sn = 0;
223

224
	BT_DBG("hcon %p conn %p", hcon, conn);
225

226
	return conn;
227
}
228

229
/* Delete channel. Must be called on the locked socket. */
230
static void iso_chan_del(struct sock *sk, int err)
231
{
232
	struct iso_conn *conn;
233
	struct sock *parent;
234

235
	conn = iso_pi(sk)->conn;
236
	iso_pi(sk)->conn = NULL;
237

238
	BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
239

240
	if (conn) {
241
		iso_conn_lock(conn);
242
		conn->sk = NULL;
243
		iso_conn_unlock(conn);
244
		iso_conn_put(conn);
245
	}
246

247
	sk->sk_state = BT_CLOSED;
248
	sk->sk_err   = err;
249

250
	parent = bt_sk(sk)->parent;
251
	if (parent) {
252
		bt_accept_unlink(sk);
253
		parent->sk_data_ready(parent);
254
	} else {
255
		sk->sk_state_change(sk);
256
	}
257

258
	sock_set_flag(sk, SOCK_ZAPPED);
259
}
260

261
static void iso_conn_del(struct hci_conn *hcon, int err)
262
{
263
	struct iso_conn *conn = hcon->iso_data;
264
	struct sock *sk;
265

266
	conn = iso_conn_hold_unless_zero(conn);
267
	if (!conn)
268
		return;
269

270
	BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
271

272
	/* Kill socket */
273
	iso_conn_lock(conn);
274
	sk = iso_sock_hold(conn);
275
	iso_conn_unlock(conn);
276
	iso_conn_put(conn);
277

278
	if (!sk) {
279
		iso_conn_put(conn);
280
		return;
281
	}
282

283
	lock_sock(sk);
284
	iso_sock_clear_timer(sk);
285
	iso_chan_del(sk, err);
286
	release_sock(sk);
287
	sock_put(sk);
288
}
289

290
static int __iso_chan_add(struct iso_conn *conn, struct sock *sk,
291
			  struct sock *parent)
292
{
293
	BT_DBG("conn %p", conn);
294

295
	if (iso_pi(sk)->conn == conn && conn->sk == sk)
296
		return 0;
297

298
	if (conn->sk) {
299
		BT_ERR("conn->sk already set");
300
		return -EBUSY;
301
	}
302

303
	iso_pi(sk)->conn = conn;
304
	conn->sk = sk;
305

306
	if (parent)
307
		bt_accept_enqueue(parent, sk, true);
308

309
	return 0;
310
}
311

312
static int iso_chan_add(struct iso_conn *conn, struct sock *sk,
313
			struct sock *parent)
314
{
315
	int err;
316

317
	iso_conn_lock(conn);
318
	err = __iso_chan_add(conn, sk, parent);
319
	iso_conn_unlock(conn);
320

321
	return err;
322
}
323

324
static inline u8 le_addr_type(u8 bdaddr_type)
325
{
326
	if (bdaddr_type == BDADDR_LE_PUBLIC)
327
		return ADDR_LE_DEV_PUBLIC;
328
	else
329
		return ADDR_LE_DEV_RANDOM;
330
}
331

332
static int iso_connect_bis(struct sock *sk)
333
{
334
	struct iso_conn *conn;
335
	struct hci_conn *hcon;
336
	struct hci_dev  *hdev;
337
	int err;
338

339
	BT_DBG("%pMR (SID 0x%2.2x)", &iso_pi(sk)->src, iso_pi(sk)->bc_sid);
340

341
	hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
342
			     iso_pi(sk)->src_type);
343
	if (!hdev)
344
		return -EHOSTUNREACH;
345

346
	hci_dev_lock(hdev);
347

348
	if (!bis_capable(hdev)) {
349
		err = -EOPNOTSUPP;
350
		goto unlock;
351
	}
352

353
	/* Fail if user set invalid QoS */
354
	if (iso_pi(sk)->qos_user_set && !check_bcast_qos(&iso_pi(sk)->qos)) {
355
		iso_pi(sk)->qos = default_qos;
356
		err = -EINVAL;
357
		goto unlock;
358
	}
359

360
	/* Fail if out PHYs are marked as disabled */
361
	if (!iso_pi(sk)->qos.bcast.out.phy) {
362
		err = -EINVAL;
363
		goto unlock;
364
	}
365

366
	/* Just bind if DEFER_SETUP has been set */
367
	if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
368
		hcon = hci_bind_bis(hdev, &iso_pi(sk)->dst, iso_pi(sk)->bc_sid,
369
				    &iso_pi(sk)->qos, iso_pi(sk)->base_len,
370
				    iso_pi(sk)->base);
371
		if (IS_ERR(hcon)) {
372
			err = PTR_ERR(hcon);
373
			goto unlock;
374
		}
375
	} else {
376
		hcon = hci_connect_bis(hdev, &iso_pi(sk)->dst,
377
				       le_addr_type(iso_pi(sk)->dst_type),
378
				       iso_pi(sk)->bc_sid, &iso_pi(sk)->qos,
379
				       iso_pi(sk)->base_len, iso_pi(sk)->base);
380
		if (IS_ERR(hcon)) {
381
			err = PTR_ERR(hcon);
382
			goto unlock;
383
		}
384

385
		/* Update SID if it was not set */
386
		if (iso_pi(sk)->bc_sid == HCI_SID_INVALID)
387
			iso_pi(sk)->bc_sid = hcon->sid;
388
	}
389

390
	conn = iso_conn_add(hcon);
391
	if (!conn) {
392
		hci_conn_drop(hcon);
393
		err = -ENOMEM;
394
		goto unlock;
395
	}
396

397
	lock_sock(sk);
398

399
	err = iso_chan_add(conn, sk, NULL);
400
	if (err) {
401
		release_sock(sk);
402
		goto unlock;
403
	}
404

405
	/* Update source addr of the socket */
406
	bacpy(&iso_pi(sk)->src, &hcon->src);
407

408
	if (hcon->state == BT_CONNECTED) {
409
		iso_sock_clear_timer(sk);
410
		sk->sk_state = BT_CONNECTED;
411
	} else if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
412
		iso_sock_clear_timer(sk);
413
		sk->sk_state = BT_CONNECT;
414
	} else {
415
		sk->sk_state = BT_CONNECT;
416
		iso_sock_set_timer(sk, READ_ONCE(sk->sk_sndtimeo));
417
	}
418

419
	release_sock(sk);
420

421
unlock:
422
	hci_dev_unlock(hdev);
423
	hci_dev_put(hdev);
424
	return err;
425
}
426

427
static int iso_connect_cis(struct sock *sk)
428
{
429
	struct iso_conn *conn;
430
	struct hci_conn *hcon;
431
	struct hci_dev  *hdev;
432
	int err;
433

434
	BT_DBG("%pMR -> %pMR", &iso_pi(sk)->src, &iso_pi(sk)->dst);
435

436
	hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
437
			     iso_pi(sk)->src_type);
438
	if (!hdev)
439
		return -EHOSTUNREACH;
440

441
	hci_dev_lock(hdev);
442

443
	if (!cis_central_capable(hdev)) {
444
		err = -EOPNOTSUPP;
445
		goto unlock;
446
	}
447

448
	/* Fail if user set invalid QoS */
449
	if (iso_pi(sk)->qos_user_set && !check_ucast_qos(&iso_pi(sk)->qos)) {
450
		iso_pi(sk)->qos = default_qos;
451
		err = -EINVAL;
452
		goto unlock;
453
	}
454

455
	/* Fail if either PHYs are marked as disabled */
456
	if (!iso_pi(sk)->qos.ucast.in.phy && !iso_pi(sk)->qos.ucast.out.phy) {
457
		err = -EINVAL;
458
		goto unlock;
459
	}
460

461
	/* Just bind if DEFER_SETUP has been set */
462
	if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
463
		hcon = hci_bind_cis(hdev, &iso_pi(sk)->dst,
464
				    le_addr_type(iso_pi(sk)->dst_type),
465
				    &iso_pi(sk)->qos);
466
		if (IS_ERR(hcon)) {
467
			err = PTR_ERR(hcon);
468
			goto unlock;
469
		}
470
	} else {
471
		hcon = hci_connect_cis(hdev, &iso_pi(sk)->dst,
472
				       le_addr_type(iso_pi(sk)->dst_type),
473
				       &iso_pi(sk)->qos);
474
		if (IS_ERR(hcon)) {
475
			err = PTR_ERR(hcon);
476
			goto unlock;
477
		}
478
	}
479

480
	conn = iso_conn_add(hcon);
481
	if (!conn) {
482
		hci_conn_drop(hcon);
483
		err = -ENOMEM;
484
		goto unlock;
485
	}
486

487
	lock_sock(sk);
488

489
	err = iso_chan_add(conn, sk, NULL);
490
	if (err) {
491
		release_sock(sk);
492
		goto unlock;
493
	}
494

495
	/* Update source addr of the socket */
496
	bacpy(&iso_pi(sk)->src, &hcon->src);
497

498
	if (hcon->state == BT_CONNECTED) {
499
		iso_sock_clear_timer(sk);
500
		sk->sk_state = BT_CONNECTED;
501
	} else if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
502
		iso_sock_clear_timer(sk);
503
		sk->sk_state = BT_CONNECT;
504
	} else {
505
		sk->sk_state = BT_CONNECT;
506
		iso_sock_set_timer(sk, READ_ONCE(sk->sk_sndtimeo));
507
	}
508

509
	release_sock(sk);
510

511
unlock:
512
	hci_dev_unlock(hdev);
513
	hci_dev_put(hdev);
514
	return err;
515
}
516

517
static struct bt_iso_qos *iso_sock_get_qos(struct sock *sk)
518
{
519
	if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONNECT2)
520
		return &iso_pi(sk)->conn->hcon->iso_qos;
521

522
	return &iso_pi(sk)->qos;
523
}
524

525
static int iso_send_frame(struct sock *sk, struct sk_buff *skb,
526
			  const struct sockcm_cookie *sockc)
527
{
528
	struct iso_conn *conn = iso_pi(sk)->conn;
529
	struct bt_iso_qos *qos = iso_sock_get_qos(sk);
530
	struct hci_iso_data_hdr *hdr;
531
	int len = 0;
532

533
	BT_DBG("sk %p len %d", sk, skb->len);
534

535
	if (skb->len > qos->ucast.out.sdu)
536
		return -EMSGSIZE;
537

538
	len = skb->len;
539

540
	/* Push ISO data header */
541
	hdr = skb_push(skb, HCI_ISO_DATA_HDR_SIZE);
542
	hdr->sn = cpu_to_le16(conn->tx_sn++);
543
	hdr->slen = cpu_to_le16(hci_iso_data_len_pack(len,
544
						      HCI_ISO_STATUS_VALID));
545

546
	if (sk->sk_state == BT_CONNECTED) {
547
		hci_setup_tx_timestamp(skb, 1, sockc);
548
		hci_send_iso(conn->hcon, skb);
549
	} else {
550
		len = -ENOTCONN;
551
	}
552

553
	return len;
554
}
555

556
static void iso_recv_frame(struct iso_conn *conn, struct sk_buff *skb)
557
{
558
	struct sock *sk;
559

560
	iso_conn_lock(conn);
561
	sk = conn->sk;
562
	iso_conn_unlock(conn);
563

564
	if (!sk)
565
		goto drop;
566

567
	BT_DBG("sk %p len %d", sk, skb->len);
568

569
	if (sk->sk_state != BT_CONNECTED)
570
		goto drop;
571

572
	if (!sock_queue_rcv_skb(sk, skb))
573
		return;
574

575
drop:
576
	kfree_skb(skb);
577
}
578

579
/* -------- Socket interface ---------- */
580
static struct sock *__iso_get_sock_listen_by_addr(bdaddr_t *src, bdaddr_t *dst)
581
{
582
	struct sock *sk;
583

584
	sk_for_each(sk, &iso_sk_list.head) {
585
		if (sk->sk_state != BT_LISTEN)
586
			continue;
587

588
		if (bacmp(&iso_pi(sk)->dst, dst))
589
			continue;
590

591
		if (!bacmp(&iso_pi(sk)->src, src))
592
			return sk;
593
	}
594

595
	return NULL;
596
}
597

598
static struct sock *__iso_get_sock_listen_by_sid(bdaddr_t *ba, bdaddr_t *bc,
599
						 __u8 sid)
600
{
601
	struct sock *sk;
602

603
	sk_for_each(sk, &iso_sk_list.head) {
604
		if (sk->sk_state != BT_LISTEN)
605
			continue;
606

607
		if (bacmp(&iso_pi(sk)->src, ba))
608
			continue;
609

610
		if (bacmp(&iso_pi(sk)->dst, bc))
611
			continue;
612

613
		if (iso_pi(sk)->bc_sid == sid)
614
			return sk;
615
	}
616

617
	return NULL;
618
}
619

620
/* Find socket in given state:
621
 * source bdaddr (Unicast)
622
 * destination bdaddr (Broadcast only)
623
 * match func - pass NULL to ignore
624
 * match func data - pass -1 to ignore
625
 * Returns closest match.
626
 */
627
static struct sock *iso_get_sock(bdaddr_t *src, bdaddr_t *dst,
628
				 enum bt_sock_state state,
629
				 iso_sock_match_t match, void *data)
630
{
631
	struct sock *sk = NULL, *sk1 = NULL;
632

633
	read_lock(&iso_sk_list.lock);
634

635
	sk_for_each(sk, &iso_sk_list.head) {
636
		if (sk->sk_state != state)
637
			continue;
638

639
		/* Match Broadcast destination */
640
		if (bacmp(dst, BDADDR_ANY) && bacmp(&iso_pi(sk)->dst, dst))
641
			continue;
642

643
		/* Use Match function if provided */
644
		if (match && !match(sk, data))
645
			continue;
646

647
		/* Exact match. */
648
		if (!bacmp(&iso_pi(sk)->src, src)) {
649
			sock_hold(sk);
650
			break;
651
		}
652

653
		/* Closest match */
654
		if (!bacmp(&iso_pi(sk)->src, BDADDR_ANY)) {
655
			if (sk1)
656
				sock_put(sk1);
657

658
			sk1 = sk;
659
			sock_hold(sk1);
660
		}
661
	}
662

663
	if (sk && sk1)
664
		sock_put(sk1);
665

666
	read_unlock(&iso_sk_list.lock);
667

668
	return sk ? sk : sk1;
669
}
670

671
static struct sock *iso_get_sock_big(struct sock *match_sk, bdaddr_t *src,
672
				     bdaddr_t *dst, uint8_t big)
673
{
674
	struct sock *sk = NULL;
675

676
	read_lock(&iso_sk_list.lock);
677

678
	sk_for_each(sk, &iso_sk_list.head) {
679
		if (match_sk == sk)
680
			continue;
681

682
		/* Look for sockets that have already been
683
		 * connected to the BIG
684
		 */
685
		if (sk->sk_state != BT_CONNECTED &&
686
		    sk->sk_state != BT_CONNECT)
687
			continue;
688

689
		/* Match Broadcast destination */
690
		if (bacmp(&iso_pi(sk)->dst, dst))
691
			continue;
692

693
		/* Match BIG handle */
694
		if (iso_pi(sk)->qos.bcast.big != big)
695
			continue;
696

697
		/* Match source address */
698
		if (bacmp(&iso_pi(sk)->src, src))
699
			continue;
700

701
		sock_hold(sk);
702
		break;
703
	}
704

705
	read_unlock(&iso_sk_list.lock);
706

707
	return sk;
708
}
709

710
static void iso_sock_destruct(struct sock *sk)
711
{
712
	BT_DBG("sk %p", sk);
713

714
	iso_conn_put(iso_pi(sk)->conn);
715

716
	skb_queue_purge(&sk->sk_receive_queue);
717
	skb_queue_purge(&sk->sk_write_queue);
718
}
719

720
static void iso_sock_cleanup_listen(struct sock *parent)
721
{
722
	struct sock *sk;
723

724
	BT_DBG("parent %p", parent);
725

726
	/* Close not yet accepted channels */
727
	while ((sk = bt_accept_dequeue(parent, NULL))) {
728
		iso_sock_close(sk);
729
		iso_sock_kill(sk);
730
	}
731

732
	/* If listening socket has a hcon, properly disconnect it */
733
	if (iso_pi(parent)->conn && iso_pi(parent)->conn->hcon) {
734
		iso_sock_disconn(parent);
735
		return;
736
	}
737

738
	parent->sk_state  = BT_CLOSED;
739
	sock_set_flag(parent, SOCK_ZAPPED);
740
}
741

742
/* Kill socket (only if zapped and orphan)
743
 * Must be called on unlocked socket.
744
 */
745
static void iso_sock_kill(struct sock *sk)
746
{
747
	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket ||
748
	    sock_flag(sk, SOCK_DEAD))
749
		return;
750

751
	BT_DBG("sk %p state %d", sk, sk->sk_state);
752

753
	/* Kill poor orphan */
754
	bt_sock_unlink(&iso_sk_list, sk);
755
	sock_set_flag(sk, SOCK_DEAD);
756
	sock_put(sk);
757
}
758

759
static void iso_sock_disconn(struct sock *sk)
760
{
761
	struct sock *bis_sk;
762
	struct hci_conn *hcon = iso_pi(sk)->conn->hcon;
763

764
	if (test_bit(HCI_CONN_BIG_CREATED, &hcon->flags)) {
765
		bis_sk = iso_get_sock_big(sk, &iso_pi(sk)->src,
766
					  &iso_pi(sk)->dst,
767
					  iso_pi(sk)->qos.bcast.big);
768

769
		/* If there are any other connected sockets for the
770
		 * same BIG, just delete the sk and leave the bis
771
		 * hcon active, in case later rebinding is needed.
772
		 */
773
		if (bis_sk) {
774
			hcon->state = BT_OPEN;
775
			hcon->iso_data = NULL;
776
			iso_pi(sk)->conn->hcon = NULL;
777
			iso_sock_clear_timer(sk);
778
			iso_chan_del(sk, bt_to_errno(hcon->abort_reason));
779
			sock_put(bis_sk);
780
			return;
781
		}
782
	}
783

784
	sk->sk_state = BT_DISCONN;
785
	iso_conn_lock(iso_pi(sk)->conn);
786
	hci_conn_drop(iso_pi(sk)->conn->hcon);
787
	iso_pi(sk)->conn->hcon = NULL;
788
	iso_conn_unlock(iso_pi(sk)->conn);
789
}
790

791
static void __iso_sock_close(struct sock *sk)
792
{
793
	BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
794

795
	switch (sk->sk_state) {
796
	case BT_LISTEN:
797
		iso_sock_cleanup_listen(sk);
798
		break;
799

800
	case BT_CONNECT:
801
	case BT_CONNECTED:
802
	case BT_CONFIG:
803
		if (iso_pi(sk)->conn->hcon)
804
			iso_sock_disconn(sk);
805
		else
806
			iso_chan_del(sk, ECONNRESET);
807
		break;
808

809
	case BT_CONNECT2:
810
		if (iso_pi(sk)->conn->hcon &&
811
		    (test_bit(HCI_CONN_PA_SYNC, &iso_pi(sk)->conn->hcon->flags) ||
812
		    test_bit(HCI_CONN_PA_SYNC_FAILED, &iso_pi(sk)->conn->hcon->flags)))
813
			iso_sock_disconn(sk);
814
		else
815
			iso_chan_del(sk, ECONNRESET);
816
		break;
817
	case BT_DISCONN:
818
		iso_chan_del(sk, ECONNRESET);
819
		break;
820

821
	default:
822
		sock_set_flag(sk, SOCK_ZAPPED);
823
		break;
824
	}
825
}
826

827
/* Must be called on unlocked socket. */
828
static void iso_sock_close(struct sock *sk)
829
{
830
	iso_sock_clear_timer(sk);
831
	lock_sock(sk);
832
	__iso_sock_close(sk);
833
	release_sock(sk);
834
	iso_sock_kill(sk);
835
}
836

837
static void iso_sock_init(struct sock *sk, struct sock *parent)
838
{
839
	BT_DBG("sk %p", sk);
840

841
	if (parent) {
842
		sk->sk_type = parent->sk_type;
843
		bt_sk(sk)->flags = bt_sk(parent)->flags;
844
		security_sk_clone(parent, sk);
845
	}
846
}
847

848
static struct proto iso_proto = {
849
	.name		= "ISO",
850
	.owner		= THIS_MODULE,
851
	.obj_size	= sizeof(struct iso_pinfo)
852
};
853

854
#define DEFAULT_IO_QOS \
855
{ \
856
	.interval	= 10000u, \
857
	.latency	= 10u, \
858
	.sdu		= 40u, \
859
	.phy		= BT_ISO_PHY_2M, \
860
	.rtn		= 2u, \
861
}
862

863
static struct bt_iso_qos default_qos = {
864
	.bcast = {
865
		.big			= BT_ISO_QOS_BIG_UNSET,
866
		.bis			= BT_ISO_QOS_BIS_UNSET,
867
		.sync_factor		= 0x01,
868
		.packing		= 0x00,
869
		.framing		= 0x00,
870
		.in			= DEFAULT_IO_QOS,
871
		.out			= DEFAULT_IO_QOS,
872
		.encryption		= 0x00,
873
		.bcode			= {0x00},
874
		.options		= 0x00,
875
		.skip			= 0x0000,
876
		.sync_timeout		= BT_ISO_SYNC_TIMEOUT,
877
		.sync_cte_type		= 0x00,
878
		.mse			= 0x00,
879
		.timeout		= BT_ISO_SYNC_TIMEOUT,
880
	},
881
};
882

883
static struct sock *iso_sock_alloc(struct net *net, struct socket *sock,
884
				   int proto, gfp_t prio, int kern)
885
{
886
	struct sock *sk;
887

888
	sk = bt_sock_alloc(net, sock, &iso_proto, proto, prio, kern);
889
	if (!sk)
890
		return NULL;
891

892
	sk->sk_destruct = iso_sock_destruct;
893
	sk->sk_sndtimeo = ISO_CONN_TIMEOUT;
894

895
	/* Set address type as public as default src address is BDADDR_ANY */
896
	iso_pi(sk)->src_type = BDADDR_LE_PUBLIC;
897

898
	iso_pi(sk)->qos = default_qos;
899
	iso_pi(sk)->sync_handle = -1;
900

901
	bt_sock_link(&iso_sk_list, sk);
902
	return sk;
903
}
904

905
static int iso_sock_create(struct net *net, struct socket *sock, int protocol,
906
			   int kern)
907
{
908
	struct sock *sk;
909

910
	BT_DBG("sock %p", sock);
911

912
	sock->state = SS_UNCONNECTED;
913

914
	if (sock->type != SOCK_SEQPACKET)
915
		return -ESOCKTNOSUPPORT;
916

917
	sock->ops = &iso_sock_ops;
918

919
	sk = iso_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
920
	if (!sk)
921
		return -ENOMEM;
922

923
	iso_sock_init(sk, NULL);
924
	return 0;
925
}
926

927
static int iso_sock_bind_bc(struct socket *sock, struct sockaddr *addr,
928
			    int addr_len)
929
{
930
	struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
931
	struct sock *sk = sock->sk;
932
	int i;
933

934
	BT_DBG("sk %p bc_sid %u bc_num_bis %u", sk, sa->iso_bc->bc_sid,
935
	       sa->iso_bc->bc_num_bis);
936

937
	if (addr_len != sizeof(*sa) + sizeof(*sa->iso_bc))
938
		return -EINVAL;
939

940
	bacpy(&iso_pi(sk)->dst, &sa->iso_bc->bc_bdaddr);
941

942
	/* Check if the address type is of LE type */
943
	if (!bdaddr_type_is_le(sa->iso_bc->bc_bdaddr_type))
944
		return -EINVAL;
945

946
	iso_pi(sk)->dst_type = sa->iso_bc->bc_bdaddr_type;
947

948
	if (sa->iso_bc->bc_sid > 0x0f && sa->iso_bc->bc_sid != HCI_SID_INVALID)
949
		return -EINVAL;
950

951
	iso_pi(sk)->bc_sid = sa->iso_bc->bc_sid;
952

953
	if (sa->iso_bc->bc_num_bis > ISO_MAX_NUM_BIS)
954
		return -EINVAL;
955

956
	iso_pi(sk)->bc_num_bis = sa->iso_bc->bc_num_bis;
957

958
	for (i = 0; i < iso_pi(sk)->bc_num_bis; i++)
959
		if (sa->iso_bc->bc_bis[i] < 0x01 ||
960
		    sa->iso_bc->bc_bis[i] > 0x1f)
961
			return -EINVAL;
962

963
	memcpy(iso_pi(sk)->bc_bis, sa->iso_bc->bc_bis,
964
	       iso_pi(sk)->bc_num_bis);
965

966
	return 0;
967
}
968

969
static int iso_sock_bind_pa_sk(struct sock *sk, struct sockaddr_iso *sa,
970
			       int addr_len)
971
{
972
	int err = 0;
973

974
	if (sk->sk_type != SOCK_SEQPACKET) {
975
		err = -EINVAL;
976
		goto done;
977
	}
978

979
	if (addr_len != sizeof(*sa) + sizeof(*sa->iso_bc)) {
980
		err = -EINVAL;
981
		goto done;
982
	}
983

984
	if (sa->iso_bc->bc_num_bis > ISO_MAX_NUM_BIS) {
985
		err = -EINVAL;
986
		goto done;
987
	}
988

989
	iso_pi(sk)->bc_num_bis = sa->iso_bc->bc_num_bis;
990

991
	for (int i = 0; i < iso_pi(sk)->bc_num_bis; i++)
992
		if (sa->iso_bc->bc_bis[i] < 0x01 ||
993
		    sa->iso_bc->bc_bis[i] > 0x1f) {
994
			err = -EINVAL;
995
			goto done;
996
		}
997

998
	memcpy(iso_pi(sk)->bc_bis, sa->iso_bc->bc_bis,
999
	       iso_pi(sk)->bc_num_bis);
1000

1001
done:
1002
	return err;
1003
}
1004

1005
static int iso_sock_bind(struct socket *sock, struct sockaddr *addr,
1006
			 int addr_len)
1007
{
1008
	struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
1009
	struct sock *sk = sock->sk;
1010
	int err = 0;
1011

1012
	BT_DBG("sk %p %pMR type %u", sk, &sa->iso_bdaddr, sa->iso_bdaddr_type);
1013

1014
	if (!addr || addr_len < sizeof(struct sockaddr_iso) ||
1015
	    addr->sa_family != AF_BLUETOOTH)
1016
		return -EINVAL;
1017

1018
	lock_sock(sk);
1019

1020
	/* Allow the user to bind a PA sync socket to a number
1021
	 * of BISes to sync to.
1022
	 */
1023
	if ((sk->sk_state == BT_CONNECT2 ||
1024
	     sk->sk_state == BT_CONNECTED) &&
1025
	    test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) {
1026
		err = iso_sock_bind_pa_sk(sk, sa, addr_len);
1027
		goto done;
1028
	}
1029

1030
	if (sk->sk_state != BT_OPEN) {
1031
		err = -EBADFD;
1032
		goto done;
1033
	}
1034

1035
	if (sk->sk_type != SOCK_SEQPACKET) {
1036
		err = -EINVAL;
1037
		goto done;
1038
	}
1039

1040
	/* Check if the address type is of LE type */
1041
	if (!bdaddr_type_is_le(sa->iso_bdaddr_type)) {
1042
		err = -EINVAL;
1043
		goto done;
1044
	}
1045

1046
	bacpy(&iso_pi(sk)->src, &sa->iso_bdaddr);
1047
	iso_pi(sk)->src_type = sa->iso_bdaddr_type;
1048

1049
	/* Check for Broadcast address */
1050
	if (addr_len > sizeof(*sa)) {
1051
		err = iso_sock_bind_bc(sock, addr, addr_len);
1052
		if (err)
1053
			goto done;
1054
	}
1055

1056
	sk->sk_state = BT_BOUND;
1057

1058
done:
1059
	release_sock(sk);
1060
	return err;
1061
}
1062

1063
static int iso_sock_connect(struct socket *sock, struct sockaddr *addr,
1064
			    int alen, int flags)
1065
{
1066
	struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
1067
	struct sock *sk = sock->sk;
1068
	int err;
1069

1070
	BT_DBG("sk %p", sk);
1071

1072
	if (alen < sizeof(struct sockaddr_iso) ||
1073
	    addr->sa_family != AF_BLUETOOTH)
1074
		return -EINVAL;
1075

1076
	if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND)
1077
		return -EBADFD;
1078

1079
	if (sk->sk_type != SOCK_SEQPACKET)
1080
		return -EINVAL;
1081

1082
	/* Check if the address type is of LE type */
1083
	if (!bdaddr_type_is_le(sa->iso_bdaddr_type))
1084
		return -EINVAL;
1085

1086
	lock_sock(sk);
1087

1088
	bacpy(&iso_pi(sk)->dst, &sa->iso_bdaddr);
1089
	iso_pi(sk)->dst_type = sa->iso_bdaddr_type;
1090

1091
	release_sock(sk);
1092

1093
	if (bacmp(&iso_pi(sk)->dst, BDADDR_ANY))
1094
		err = iso_connect_cis(sk);
1095
	else
1096
		err = iso_connect_bis(sk);
1097

1098
	if (err)
1099
		return err;
1100

1101
	lock_sock(sk);
1102

1103
	if (!test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
1104
		err = bt_sock_wait_state(sk, BT_CONNECTED,
1105
					 sock_sndtimeo(sk, flags & O_NONBLOCK));
1106
	}
1107

1108
	release_sock(sk);
1109
	return err;
1110
}
1111

1112
static int iso_listen_bis(struct sock *sk)
1113
{
1114
	struct hci_dev *hdev;
1115
	int err = 0;
1116
	struct iso_conn *conn;
1117
	struct hci_conn *hcon;
1118

1119
	BT_DBG("%pMR -> %pMR (SID 0x%2.2x)", &iso_pi(sk)->src,
1120
	       &iso_pi(sk)->dst, iso_pi(sk)->bc_sid);
1121

1122
	write_lock(&iso_sk_list.lock);
1123

1124
	if (__iso_get_sock_listen_by_sid(&iso_pi(sk)->src, &iso_pi(sk)->dst,
1125
					 iso_pi(sk)->bc_sid))
1126
		err = -EADDRINUSE;
1127

1128
	write_unlock(&iso_sk_list.lock);
1129

1130
	if (err)
1131
		return err;
1132

1133
	hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
1134
			     iso_pi(sk)->src_type);
1135
	if (!hdev)
1136
		return -EHOSTUNREACH;
1137

1138
	hci_dev_lock(hdev);
1139
	lock_sock(sk);
1140

1141
	/* Fail if user set invalid QoS */
1142
	if (iso_pi(sk)->qos_user_set && !check_bcast_qos(&iso_pi(sk)->qos)) {
1143
		iso_pi(sk)->qos = default_qos;
1144
		err = -EINVAL;
1145
		goto unlock;
1146
	}
1147

1148
	hcon = hci_pa_create_sync(hdev, &iso_pi(sk)->dst,
1149
				  le_addr_type(iso_pi(sk)->dst_type),
1150
				  iso_pi(sk)->bc_sid, &iso_pi(sk)->qos);
1151
	if (IS_ERR(hcon)) {
1152
		err = PTR_ERR(hcon);
1153
		goto unlock;
1154
	}
1155

1156
	conn = iso_conn_add(hcon);
1157
	if (!conn) {
1158
		hci_conn_drop(hcon);
1159
		err = -ENOMEM;
1160
		goto unlock;
1161
	}
1162

1163
	err = iso_chan_add(conn, sk, NULL);
1164
	if (err) {
1165
		hci_conn_drop(hcon);
1166
		goto unlock;
1167
	}
1168

1169
unlock:
1170
	release_sock(sk);
1171
	hci_dev_unlock(hdev);
1172
	hci_dev_put(hdev);
1173
	return err;
1174
}
1175

1176
static int iso_listen_cis(struct sock *sk)
1177
{
1178
	int err = 0;
1179

1180
	BT_DBG("%pMR", &iso_pi(sk)->src);
1181

1182
	write_lock(&iso_sk_list.lock);
1183

1184
	if (__iso_get_sock_listen_by_addr(&iso_pi(sk)->src, &iso_pi(sk)->dst))
1185
		err = -EADDRINUSE;
1186

1187
	write_unlock(&iso_sk_list.lock);
1188

1189
	return err;
1190
}
1191

1192
static int iso_sock_listen(struct socket *sock, int backlog)
1193
{
1194
	struct sock *sk = sock->sk;
1195
	int err = 0;
1196

1197
	BT_DBG("sk %p backlog %d", sk, backlog);
1198

1199
	sock_hold(sk);
1200
	lock_sock(sk);
1201

1202
	if (sk->sk_state != BT_BOUND) {
1203
		err = -EBADFD;
1204
		goto done;
1205
	}
1206

1207
	if (sk->sk_type != SOCK_SEQPACKET) {
1208
		err = -EINVAL;
1209
		goto done;
1210
	}
1211

1212
	if (!bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) {
1213
		err = iso_listen_cis(sk);
1214
	} else {
1215
		/* Drop sock lock to avoid potential
1216
		 * deadlock with the hdev lock.
1217
		 */
1218
		release_sock(sk);
1219
		err = iso_listen_bis(sk);
1220
		lock_sock(sk);
1221
	}
1222

1223
	if (err)
1224
		goto done;
1225

1226
	sk->sk_max_ack_backlog = backlog;
1227
	sk->sk_ack_backlog = 0;
1228

1229
	sk->sk_state = BT_LISTEN;
1230

1231
done:
1232
	release_sock(sk);
1233
	sock_put(sk);
1234
	return err;
1235
}
1236

1237
static int iso_sock_accept(struct socket *sock, struct socket *newsock,
1238
			   struct proto_accept_arg *arg)
1239
{
1240
	DEFINE_WAIT_FUNC(wait, woken_wake_function);
1241
	struct sock *sk = sock->sk, *ch;
1242
	long timeo;
1243
	int err = 0;
1244

1245
	/* Use explicit nested locking to avoid lockdep warnings generated
1246
	 * because the parent socket and the child socket are locked on the
1247
	 * same thread.
1248
	 */
1249
	lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1250

1251
	timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK);
1252

1253
	BT_DBG("sk %p timeo %ld", sk, timeo);
1254

1255
	/* Wait for an incoming connection. (wake-one). */
1256
	add_wait_queue_exclusive(sk_sleep(sk), &wait);
1257
	while (1) {
1258
		if (sk->sk_state != BT_LISTEN) {
1259
			err = -EBADFD;
1260
			break;
1261
		}
1262

1263
		ch = bt_accept_dequeue(sk, newsock);
1264
		if (ch)
1265
			break;
1266

1267
		if (!timeo) {
1268
			err = -EAGAIN;
1269
			break;
1270
		}
1271

1272
		if (signal_pending(current)) {
1273
			err = sock_intr_errno(timeo);
1274
			break;
1275
		}
1276

1277
		release_sock(sk);
1278

1279
		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
1280
		lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1281
	}
1282
	remove_wait_queue(sk_sleep(sk), &wait);
1283

1284
	if (err)
1285
		goto done;
1286

1287
	newsock->state = SS_CONNECTED;
1288

1289
	BT_DBG("new socket %p", ch);
1290

1291
	/* A Broadcast Sink might require BIG sync to be terminated
1292
	 * and re-established multiple times, while keeping the same
1293
	 * PA sync handle active. To allow this, once all BIS
1294
	 * connections have been accepted on a PA sync parent socket,
1295
	 * "reset" socket state, to allow future BIG re-sync procedures.
1296
	 */
1297
	if (test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) {
1298
		/* Iterate through the list of bound BIS indices
1299
		 * and clear each BIS as they are accepted by the
1300
		 * user space, one by one.
1301
		 */
1302
		for (int i = 0; i < iso_pi(sk)->bc_num_bis; i++) {
1303
			if (iso_pi(sk)->bc_bis[i] > 0) {
1304
				iso_pi(sk)->bc_bis[i] = 0;
1305
				iso_pi(sk)->bc_num_bis--;
1306
				break;
1307
			}
1308
		}
1309

1310
		if (iso_pi(sk)->bc_num_bis == 0) {
1311
			/* Once the last BIS was accepted, reset parent
1312
			 * socket parameters to mark that the listening
1313
			 * process for BIS connections has been completed:
1314
			 *
1315
			 * 1. Reset the DEFER setup flag on the parent sk.
1316
			 * 2. Clear the flag marking that the BIG create
1317
			 *    sync command is pending.
1318
			 * 3. Transition socket state from BT_LISTEN to
1319
			 *    BT_CONNECTED.
1320
			 */
1321
			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
1322
			clear_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags);
1323
			sk->sk_state = BT_CONNECTED;
1324
		}
1325
	}
1326

1327
done:
1328
	release_sock(sk);
1329
	return err;
1330
}
1331

1332
static int iso_sock_getname(struct socket *sock, struct sockaddr *addr,
1333
			    int peer)
1334
{
1335
	struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
1336
	struct sock *sk = sock->sk;
1337
	int len = sizeof(struct sockaddr_iso);
1338

1339
	BT_DBG("sock %p, sk %p", sock, sk);
1340

1341
	addr->sa_family = AF_BLUETOOTH;
1342

1343
	if (peer) {
1344
		struct hci_conn *hcon = iso_pi(sk)->conn ?
1345
					iso_pi(sk)->conn->hcon : NULL;
1346

1347
		bacpy(&sa->iso_bdaddr, &iso_pi(sk)->dst);
1348
		sa->iso_bdaddr_type = iso_pi(sk)->dst_type;
1349

1350
		if (hcon && (hcon->type == BIS_LINK || hcon->type == PA_LINK)) {
1351
			sa->iso_bc->bc_sid = iso_pi(sk)->bc_sid;
1352
			sa->iso_bc->bc_num_bis = iso_pi(sk)->bc_num_bis;
1353
			memcpy(sa->iso_bc->bc_bis, iso_pi(sk)->bc_bis,
1354
			       ISO_MAX_NUM_BIS);
1355
			len += sizeof(struct sockaddr_iso_bc);
1356
		}
1357
	} else {
1358
		bacpy(&sa->iso_bdaddr, &iso_pi(sk)->src);
1359
		sa->iso_bdaddr_type = iso_pi(sk)->src_type;
1360
	}
1361

1362
	return len;
1363
}
1364

1365
static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1366
			    size_t len)
1367
{
1368
	struct sock *sk = sock->sk;
1369
	struct sk_buff *skb, **frag;
1370
	struct sockcm_cookie sockc;
1371
	size_t mtu;
1372
	int err;
1373

1374
	BT_DBG("sock %p, sk %p", sock, sk);
1375

1376
	err = sock_error(sk);
1377
	if (err)
1378
		return err;
1379

1380
	if (msg->msg_flags & MSG_OOB)
1381
		return -EOPNOTSUPP;
1382

1383
	hci_sockcm_init(&sockc, sk);
1384

1385
	if (msg->msg_controllen) {
1386
		err = sock_cmsg_send(sk, msg, &sockc);
1387
		if (err)
1388
			return err;
1389
	}
1390

1391
	lock_sock(sk);
1392

1393
	if (sk->sk_state != BT_CONNECTED) {
1394
		release_sock(sk);
1395
		return -ENOTCONN;
1396
	}
1397

1398
	mtu = iso_pi(sk)->conn->hcon->mtu;
1399

1400
	release_sock(sk);
1401

1402
	skb = bt_skb_sendmsg(sk, msg, len, mtu, HCI_ISO_DATA_HDR_SIZE, 0);
1403
	if (IS_ERR(skb))
1404
		return PTR_ERR(skb);
1405

1406
	len -= skb->len;
1407

1408
	BT_DBG("skb %p len %d", sk, skb->len);
1409

1410
	/* Continuation fragments */
1411
	frag = &skb_shinfo(skb)->frag_list;
1412
	while (len) {
1413
		struct sk_buff *tmp;
1414

1415
		tmp = bt_skb_sendmsg(sk, msg, len, mtu, 0, 0);
1416
		if (IS_ERR(tmp)) {
1417
			kfree_skb(skb);
1418
			return PTR_ERR(tmp);
1419
		}
1420

1421
		*frag = tmp;
1422

1423
		len  -= tmp->len;
1424

1425
		skb->len += tmp->len;
1426
		skb->data_len += tmp->len;
1427

1428
		BT_DBG("frag %p len %d", *frag, tmp->len);
1429

1430
		frag = &(*frag)->next;
1431
	}
1432

1433
	lock_sock(sk);
1434

1435
	if (sk->sk_state == BT_CONNECTED)
1436
		err = iso_send_frame(sk, skb, &sockc);
1437
	else
1438
		err = -ENOTCONN;
1439

1440
	release_sock(sk);
1441

1442
	if (err < 0)
1443
		kfree_skb(skb);
1444
	return err;
1445
}
1446

1447
static void iso_conn_defer_accept(struct hci_conn *conn)
1448
{
1449
	struct hci_cp_le_accept_cis cp;
1450
	struct hci_dev *hdev = conn->hdev;
1451

1452
	BT_DBG("conn %p", conn);
1453

1454
	conn->state = BT_CONFIG;
1455

1456
	cp.handle = cpu_to_le16(conn->handle);
1457

1458
	hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
1459
}
1460

1461
static void iso_conn_big_sync(struct sock *sk)
1462
{
1463
	int err;
1464
	struct hci_dev *hdev;
1465

1466
	hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
1467
			     iso_pi(sk)->src_type);
1468

1469
	if (!hdev)
1470
		return;
1471

1472
	/* hci_le_big_create_sync requires hdev lock to be held, since
1473
	 * it enqueues the HCI LE BIG Create Sync command via
1474
	 * hci_cmd_sync_queue_once, which checks hdev flags that might
1475
	 * change.
1476
	 */
1477
	hci_dev_lock(hdev);
1478
	lock_sock(sk);
1479

1480
	if (!test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) {
1481
		err = hci_conn_big_create_sync(hdev, iso_pi(sk)->conn->hcon,
1482
					       &iso_pi(sk)->qos,
1483
					       iso_pi(sk)->sync_handle,
1484
					       iso_pi(sk)->bc_num_bis,
1485
					       iso_pi(sk)->bc_bis);
1486
		if (err)
1487
			bt_dev_err(hdev, "hci_big_create_sync: %d", err);
1488
	}
1489

1490
	release_sock(sk);
1491
	hci_dev_unlock(hdev);
1492
}
1493

1494
static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1495
			    size_t len, int flags)
1496
{
1497
	struct sock *sk = sock->sk;
1498
	struct iso_pinfo *pi = iso_pi(sk);
1499
	bool early_ret = false;
1500
	int err = 0;
1501

1502
	BT_DBG("sk %p", sk);
1503

1504
	if (unlikely(flags & MSG_ERRQUEUE))
1505
		return sock_recv_errqueue(sk, msg, len, SOL_BLUETOOTH,
1506
					  BT_SCM_ERROR);
1507

1508
	if (test_and_clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
1509
		sock_hold(sk);
1510
		lock_sock(sk);
1511

1512
		switch (sk->sk_state) {
1513
		case BT_CONNECT2:
1514
			if (test_bit(BT_SK_PA_SYNC, &pi->flags)) {
1515
				release_sock(sk);
1516
				iso_conn_big_sync(sk);
1517
				lock_sock(sk);
1518

1519
				sk->sk_state = BT_LISTEN;
1520
			} else {
1521
				iso_conn_defer_accept(pi->conn->hcon);
1522
				sk->sk_state = BT_CONFIG;
1523
			}
1524

1525
			early_ret = true;
1526
			break;
1527
		case BT_CONNECTED:
1528
			if (test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) {
1529
				release_sock(sk);
1530
				iso_conn_big_sync(sk);
1531
				lock_sock(sk);
1532

1533
				sk->sk_state = BT_LISTEN;
1534
				early_ret = true;
1535
			}
1536

1537
			break;
1538
		case BT_CONNECT:
1539
			release_sock(sk);
1540
			err = iso_connect_cis(sk);
1541
			lock_sock(sk);
1542

1543
			early_ret = true;
1544
			break;
1545
		default:
1546
			break;
1547
		}
1548

1549
		release_sock(sk);
1550
		sock_put(sk);
1551

1552
		if (early_ret)
1553
			return err;
1554
	}
1555

1556
	return bt_sock_recvmsg(sock, msg, len, flags);
1557
}
1558

1559
static bool check_io_qos(struct bt_iso_io_qos *qos)
1560
{
1561
	/* If no PHY is enable SDU must be 0 */
1562
	if (!qos->phy && qos->sdu)
1563
		return false;
1564

1565
	if (qos->interval && (qos->interval < 0xff || qos->interval > 0xfffff))
1566
		return false;
1567

1568
	if (qos->latency && (qos->latency < 0x05 || qos->latency > 0xfa0))
1569
		return false;
1570

1571
	if (qos->phy > BT_ISO_PHY_ANY)
1572
		return false;
1573

1574
	return true;
1575
}
1576

1577
static bool check_ucast_qos(struct bt_iso_qos *qos)
1578
{
1579
	if (qos->ucast.cig > 0xef && qos->ucast.cig != BT_ISO_QOS_CIG_UNSET)
1580
		return false;
1581

1582
	if (qos->ucast.cis > 0xef && qos->ucast.cis != BT_ISO_QOS_CIS_UNSET)
1583
		return false;
1584

1585
	if (qos->ucast.sca > 0x07)
1586
		return false;
1587

1588
	if (qos->ucast.packing > 0x01)
1589
		return false;
1590

1591
	if (qos->ucast.framing > 0x01)
1592
		return false;
1593

1594
	if (!check_io_qos(&qos->ucast.in))
1595
		return false;
1596

1597
	if (!check_io_qos(&qos->ucast.out))
1598
		return false;
1599

1600
	return true;
1601
}
1602

1603
static bool check_bcast_qos(struct bt_iso_qos *qos)
1604
{
1605
	if (!qos->bcast.sync_factor)
1606
		qos->bcast.sync_factor = 0x01;
1607

1608
	if (qos->bcast.packing > 0x01)
1609
		return false;
1610

1611
	if (qos->bcast.framing > 0x01)
1612
		return false;
1613

1614
	if (!check_io_qos(&qos->bcast.in))
1615
		return false;
1616

1617
	if (!check_io_qos(&qos->bcast.out))
1618
		return false;
1619

1620
	if (qos->bcast.encryption > 0x01)
1621
		return false;
1622

1623
	if (qos->bcast.options > 0x07)
1624
		return false;
1625

1626
	if (qos->bcast.skip > 0x01f3)
1627
		return false;
1628

1629
	if (!qos->bcast.sync_timeout)
1630
		qos->bcast.sync_timeout = BT_ISO_SYNC_TIMEOUT;
1631

1632
	if (qos->bcast.sync_timeout < 0x000a || qos->bcast.sync_timeout > 0x4000)
1633
		return false;
1634

1635
	if (qos->bcast.sync_cte_type > 0x1f)
1636
		return false;
1637

1638
	if (qos->bcast.mse > 0x1f)
1639
		return false;
1640

1641
	if (!qos->bcast.timeout)
1642
		qos->bcast.sync_timeout = BT_ISO_SYNC_TIMEOUT;
1643

1644
	if (qos->bcast.timeout < 0x000a || qos->bcast.timeout > 0x4000)
1645
		return false;
1646

1647
	return true;
1648
}
1649

1650
static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
1651
			       sockptr_t optval, unsigned int optlen)
1652
{
1653
	struct sock *sk = sock->sk;
1654
	int err = 0;
1655
	struct bt_iso_qos qos = default_qos;
1656
	u32 opt;
1657

1658
	BT_DBG("sk %p", sk);
1659

1660
	lock_sock(sk);
1661

1662
	switch (optname) {
1663
	case BT_DEFER_SETUP:
1664
		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1665
			err = -EINVAL;
1666
			break;
1667
		}
1668

1669
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
1670
		if (err)
1671
			break;
1672

1673
		if (opt)
1674
			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
1675
		else
1676
			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
1677
		break;
1678

1679
	case BT_PKT_STATUS:
1680
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
1681
		if (err)
1682
			break;
1683

1684
		if (opt)
1685
			set_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags);
1686
		else
1687
			clear_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags);
1688
		break;
1689

1690
	case BT_PKT_SEQNUM:
1691
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
1692
		if (err)
1693
			break;
1694

1695
		if (opt)
1696
			set_bit(BT_SK_PKT_SEQNUM, &bt_sk(sk)->flags);
1697
		else
1698
			clear_bit(BT_SK_PKT_SEQNUM, &bt_sk(sk)->flags);
1699
		break;
1700

1701
	case BT_ISO_QOS:
1702
		if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND &&
1703
		    sk->sk_state != BT_CONNECT2 &&
1704
		    (!test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags) ||
1705
		    sk->sk_state != BT_CONNECTED)) {
1706
			err = -EINVAL;
1707
			break;
1708
		}
1709

1710
		err = copy_safe_from_sockptr(&qos, sizeof(qos), optval, optlen);
1711
		if (err)
1712
			break;
1713

1714
		iso_pi(sk)->qos = qos;
1715
		iso_pi(sk)->qos_user_set = true;
1716

1717
		break;
1718

1719
	case BT_ISO_BASE:
1720
		if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND &&
1721
		    sk->sk_state != BT_CONNECT2) {
1722
			err = -EINVAL;
1723
			break;
1724
		}
1725

1726
		if (optlen > sizeof(iso_pi(sk)->base)) {
1727
			err = -EINVAL;
1728
			break;
1729
		}
1730

1731
		err = copy_safe_from_sockptr(iso_pi(sk)->base, optlen, optval,
1732
					     optlen);
1733
		if (err)
1734
			break;
1735

1736
		iso_pi(sk)->base_len = optlen;
1737

1738
		break;
1739

1740
	default:
1741
		err = -ENOPROTOOPT;
1742
		break;
1743
	}
1744

1745
	release_sock(sk);
1746
	return err;
1747
}
1748

1749
static int iso_sock_getsockopt(struct socket *sock, int level, int optname,
1750
			       char __user *optval, int __user *optlen)
1751
{
1752
	struct sock *sk = sock->sk;
1753
	int len, err = 0;
1754
	struct bt_iso_qos *qos;
1755
	u8 base_len;
1756
	u8 *base;
1757

1758
	BT_DBG("sk %p", sk);
1759

1760
	if (get_user(len, optlen))
1761
		return -EFAULT;
1762

1763
	lock_sock(sk);
1764

1765
	switch (optname) {
1766
	case BT_DEFER_SETUP:
1767
		if (sk->sk_state == BT_CONNECTED) {
1768
			err = -EINVAL;
1769
			break;
1770
		}
1771

1772
		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
1773
			     (u32 __user *)optval))
1774
			err = -EFAULT;
1775

1776
		break;
1777

1778
	case BT_PKT_STATUS:
1779
		if (put_user(test_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags),
1780
			     (int __user *)optval))
1781
			err = -EFAULT;
1782
		break;
1783

1784
	case BT_ISO_QOS:
1785
		qos = iso_sock_get_qos(sk);
1786

1787
		len = min_t(unsigned int, len, sizeof(*qos));
1788
		if (copy_to_user(optval, qos, len))
1789
			err = -EFAULT;
1790

1791
		break;
1792

1793
	case BT_ISO_BASE:
1794
		if (sk->sk_state == BT_CONNECTED &&
1795
		    !bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) {
1796
			base_len = iso_pi(sk)->conn->hcon->le_per_adv_data_len;
1797
			base = iso_pi(sk)->conn->hcon->le_per_adv_data;
1798
		} else {
1799
			base_len = iso_pi(sk)->base_len;
1800
			base = iso_pi(sk)->base;
1801
		}
1802

1803
		len = min_t(unsigned int, len, base_len);
1804
		if (copy_to_user(optval, base, len))
1805
			err = -EFAULT;
1806
		if (put_user(len, optlen))
1807
			err = -EFAULT;
1808

1809
		break;
1810

1811
	default:
1812
		err = -ENOPROTOOPT;
1813
		break;
1814
	}
1815

1816
	release_sock(sk);
1817
	return err;
1818
}
1819

1820
static int iso_sock_shutdown(struct socket *sock, int how)
1821
{
1822
	struct sock *sk = sock->sk;
1823
	int err = 0;
1824

1825
	BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1826

1827
	if (!sk)
1828
		return 0;
1829

1830
	sock_hold(sk);
1831
	lock_sock(sk);
1832

1833
	switch (how) {
1834
	case SHUT_RD:
1835
		if (sk->sk_shutdown & RCV_SHUTDOWN)
1836
			goto unlock;
1837
		sk->sk_shutdown |= RCV_SHUTDOWN;
1838
		break;
1839
	case SHUT_WR:
1840
		if (sk->sk_shutdown & SEND_SHUTDOWN)
1841
			goto unlock;
1842
		sk->sk_shutdown |= SEND_SHUTDOWN;
1843
		break;
1844
	case SHUT_RDWR:
1845
		if (sk->sk_shutdown & SHUTDOWN_MASK)
1846
			goto unlock;
1847
		sk->sk_shutdown |= SHUTDOWN_MASK;
1848
		break;
1849
	}
1850

1851
	iso_sock_clear_timer(sk);
1852
	__iso_sock_close(sk);
1853

1854
	if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1855
	    !(current->flags & PF_EXITING))
1856
		err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
1857

1858
unlock:
1859
	release_sock(sk);
1860
	sock_put(sk);
1861

1862
	return err;
1863
}
1864

1865
static int iso_sock_release(struct socket *sock)
1866
{
1867
	struct sock *sk = sock->sk;
1868
	int err = 0;
1869

1870
	BT_DBG("sock %p, sk %p", sock, sk);
1871

1872
	if (!sk)
1873
		return 0;
1874

1875
	iso_sock_close(sk);
1876

1877
	if (sock_flag(sk, SOCK_LINGER) && READ_ONCE(sk->sk_lingertime) &&
1878
	    !(current->flags & PF_EXITING)) {
1879
		lock_sock(sk);
1880
		err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
1881
		release_sock(sk);
1882
	}
1883

1884
	sock_orphan(sk);
1885
	iso_sock_kill(sk);
1886
	return err;
1887
}
1888

1889
static void iso_sock_ready(struct sock *sk)
1890
{
1891
	BT_DBG("sk %p", sk);
1892

1893
	if (!sk)
1894
		return;
1895

1896
	lock_sock(sk);
1897
	iso_sock_clear_timer(sk);
1898
	sk->sk_state = BT_CONNECTED;
1899
	sk->sk_state_change(sk);
1900
	release_sock(sk);
1901
}
1902

1903
static bool iso_match_big(struct sock *sk, void *data)
1904
{
1905
	struct hci_evt_le_big_sync_established *ev = data;
1906

1907
	return ev->handle == iso_pi(sk)->qos.bcast.big;
1908
}
1909

1910
static bool iso_match_big_hcon(struct sock *sk, void *data)
1911
{
1912
	struct hci_conn *hcon = data;
1913

1914
	return hcon->iso_qos.bcast.big == iso_pi(sk)->qos.bcast.big;
1915
}
1916

1917
static bool iso_match_pa_sync_flag(struct sock *sk, void *data)
1918
{
1919
	return test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags);
1920
}
1921

1922
static void iso_conn_ready(struct iso_conn *conn)
1923
{
1924
	struct sock *parent = NULL;
1925
	struct sock *sk = conn->sk;
1926
	struct hci_ev_le_big_sync_established *ev = NULL;
1927
	struct hci_ev_le_pa_sync_established *ev2 = NULL;
1928
	struct hci_ev_le_per_adv_report *ev3 = NULL;
1929
	struct hci_conn *hcon;
1930

1931
	BT_DBG("conn %p", conn);
1932

1933
	if (sk) {
1934
		iso_sock_ready(conn->sk);
1935
	} else {
1936
		hcon = conn->hcon;
1937
		if (!hcon)
1938
			return;
1939

1940
		if (test_bit(HCI_CONN_BIG_SYNC, &hcon->flags)) {
1941
			/* A BIS slave hcon is notified to the ISO layer
1942
			 * after the Command Complete for the LE Setup
1943
			 * ISO Data Path command is received. Get the
1944
			 * parent socket that matches the hcon BIG handle.
1945
			 */
1946
			parent = iso_get_sock(&hcon->src, &hcon->dst,
1947
					      BT_LISTEN, iso_match_big_hcon,
1948
					      hcon);
1949
		} else if (test_bit(HCI_CONN_BIG_SYNC_FAILED, &hcon->flags)) {
1950
			ev = hci_recv_event_data(hcon->hdev,
1951
						 HCI_EVT_LE_BIG_SYNC_ESTABLISHED);
1952

1953
			/* Get reference to PA sync parent socket, if it exists */
1954
			parent = iso_get_sock(&hcon->src, &hcon->dst,
1955
					      BT_LISTEN,
1956
					      iso_match_pa_sync_flag,
1957
					      NULL);
1958
			if (!parent && ev)
1959
				parent = iso_get_sock(&hcon->src,
1960
						      &hcon->dst,
1961
						      BT_LISTEN,
1962
						      iso_match_big, ev);
1963
		} else if (test_bit(HCI_CONN_PA_SYNC_FAILED, &hcon->flags)) {
1964
			ev2 = hci_recv_event_data(hcon->hdev,
1965
						  HCI_EV_LE_PA_SYNC_ESTABLISHED);
1966
			if (ev2)
1967
				parent = iso_get_sock(&hcon->src,
1968
						      &hcon->dst,
1969
						      BT_LISTEN,
1970
						      iso_match_sid, ev2);
1971
		} else if (test_bit(HCI_CONN_PA_SYNC, &hcon->flags)) {
1972
			ev3 = hci_recv_event_data(hcon->hdev,
1973
						  HCI_EV_LE_PER_ADV_REPORT);
1974
			if (ev3)
1975
				parent = iso_get_sock(&hcon->src,
1976
						      &hcon->dst,
1977
						      BT_LISTEN,
1978
						      iso_match_sync_handle_pa_report,
1979
						      ev3);
1980
		}
1981

1982
		if (!parent)
1983
			parent = iso_get_sock(&hcon->src, BDADDR_ANY,
1984
					      BT_LISTEN, NULL, NULL);
1985

1986
		if (!parent)
1987
			return;
1988

1989
		lock_sock(parent);
1990

1991
		sk = iso_sock_alloc(sock_net(parent), NULL,
1992
				    BTPROTO_ISO, GFP_ATOMIC, 0);
1993
		if (!sk) {
1994
			release_sock(parent);
1995
			return;
1996
		}
1997

1998
		iso_sock_init(sk, parent);
1999

2000
		bacpy(&iso_pi(sk)->src, &hcon->src);
2001

2002
		/* Convert from HCI to three-value type */
2003
		if (hcon->src_type == ADDR_LE_DEV_PUBLIC)
2004
			iso_pi(sk)->src_type = BDADDR_LE_PUBLIC;
2005
		else
2006
			iso_pi(sk)->src_type = BDADDR_LE_RANDOM;
2007

2008
		/* If hcon has no destination address (BDADDR_ANY) it means it
2009
		 * was created by HCI_EV_LE_BIG_SYNC_ESTABILISHED or
2010
		 * HCI_EV_LE_PA_SYNC_ESTABLISHED so we need to initialize using
2011
		 * the parent socket destination address.
2012
		 */
2013
		if (!bacmp(&hcon->dst, BDADDR_ANY)) {
2014
			bacpy(&hcon->dst, &iso_pi(parent)->dst);
2015
			hcon->dst_type = iso_pi(parent)->dst_type;
2016
		}
2017

2018
		if (test_bit(HCI_CONN_PA_SYNC, &hcon->flags)) {
2019
			iso_pi(sk)->qos = iso_pi(parent)->qos;
2020
			hcon->iso_qos = iso_pi(sk)->qos;
2021
			iso_pi(sk)->bc_sid = iso_pi(parent)->bc_sid;
2022
			iso_pi(sk)->bc_num_bis = iso_pi(parent)->bc_num_bis;
2023
			memcpy(iso_pi(sk)->bc_bis, iso_pi(parent)->bc_bis,
2024
			       ISO_MAX_NUM_BIS);
2025
			set_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags);
2026
		}
2027

2028
		bacpy(&iso_pi(sk)->dst, &hcon->dst);
2029
		iso_pi(sk)->dst_type = hcon->dst_type;
2030
		iso_pi(sk)->sync_handle = iso_pi(parent)->sync_handle;
2031
		memcpy(iso_pi(sk)->base, iso_pi(parent)->base, iso_pi(parent)->base_len);
2032
		iso_pi(sk)->base_len = iso_pi(parent)->base_len;
2033

2034
		hci_conn_hold(hcon);
2035
		iso_chan_add(conn, sk, parent);
2036

2037
		if ((ev && ((struct hci_evt_le_big_sync_established *)ev)->status) ||
2038
		    (ev2 && ev2->status)) {
2039
			/* Trigger error signal on child socket */
2040
			sk->sk_err = ECONNREFUSED;
2041
			sk->sk_error_report(sk);
2042
		}
2043

2044
		if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
2045
			sk->sk_state = BT_CONNECT2;
2046
		else
2047
			sk->sk_state = BT_CONNECTED;
2048

2049
		/* Wake up parent */
2050
		parent->sk_data_ready(parent);
2051

2052
		release_sock(parent);
2053
		sock_put(parent);
2054
	}
2055
}
2056

2057
static bool iso_match_sid(struct sock *sk, void *data)
2058
{
2059
	struct hci_ev_le_pa_sync_established *ev = data;
2060

2061
	if (iso_pi(sk)->bc_sid == HCI_SID_INVALID)
2062
		return true;
2063

2064
	return ev->sid == iso_pi(sk)->bc_sid;
2065
}
2066

2067
static bool iso_match_sync_handle(struct sock *sk, void *data)
2068
{
2069
	struct hci_evt_le_big_info_adv_report *ev = data;
2070

2071
	return le16_to_cpu(ev->sync_handle) == iso_pi(sk)->sync_handle;
2072
}
2073

2074
static bool iso_match_sync_handle_pa_report(struct sock *sk, void *data)
2075
{
2076
	struct hci_ev_le_per_adv_report *ev = data;
2077

2078
	return le16_to_cpu(ev->sync_handle) == iso_pi(sk)->sync_handle;
2079
}
2080

2081
/* ----- ISO interface with lower layer (HCI) ----- */
2082

2083
int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
2084
{
2085
	struct hci_ev_le_pa_sync_established *ev1;
2086
	struct hci_evt_le_big_info_adv_report *ev2;
2087
	struct hci_ev_le_per_adv_report *ev3;
2088
	struct sock *sk;
2089

2090
	bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
2091

2092
	/* Broadcast receiver requires handling of some events before it can
2093
	 * proceed to establishing a BIG sync:
2094
	 *
2095
	 * 1. HCI_EV_LE_PA_SYNC_ESTABLISHED: The socket may specify a specific
2096
	 * SID to listen to and once sync is established its handle needs to
2097
	 * be stored in iso_pi(sk)->sync_handle so it can be matched once
2098
	 * receiving the BIG Info.
2099
	 * 2. HCI_EVT_LE_BIG_INFO_ADV_REPORT: When connect_ind is triggered by a
2100
	 * a BIG Info it attempts to check if there any listening socket with
2101
	 * the same sync_handle and if it does then attempt to create a sync.
2102
	 * 3. HCI_EV_LE_PER_ADV_REPORT: When a PA report is received, it is stored
2103
	 * in iso_pi(sk)->base so it can be passed up to user, in the case of a
2104
	 * broadcast sink.
2105
	 */
2106
	ev1 = hci_recv_event_data(hdev, HCI_EV_LE_PA_SYNC_ESTABLISHED);
2107
	if (ev1) {
2108
		sk = iso_get_sock(&hdev->bdaddr, bdaddr, BT_LISTEN,
2109
				  iso_match_sid, ev1);
2110
		if (sk && !ev1->status) {
2111
			iso_pi(sk)->sync_handle = le16_to_cpu(ev1->handle);
2112
			iso_pi(sk)->bc_sid = ev1->sid;
2113
		}
2114

2115
		goto done;
2116
	}
2117

2118
	ev2 = hci_recv_event_data(hdev, HCI_EVT_LE_BIG_INFO_ADV_REPORT);
2119
	if (ev2) {
2120
		/* Check if BIGInfo report has already been handled */
2121
		sk = iso_get_sock(&hdev->bdaddr, bdaddr, BT_CONNECTED,
2122
				  iso_match_sync_handle, ev2);
2123
		if (sk) {
2124
			sock_put(sk);
2125
			sk = NULL;
2126
			goto done;
2127
		}
2128

2129
		/* Try to get PA sync socket, if it exists */
2130
		sk = iso_get_sock(&hdev->bdaddr, bdaddr, BT_CONNECT2,
2131
				  iso_match_sync_handle, ev2);
2132
		if (!sk)
2133
			sk = iso_get_sock(&hdev->bdaddr, bdaddr,
2134
					  BT_LISTEN,
2135
					  iso_match_sync_handle,
2136
					  ev2);
2137

2138
		if (sk) {
2139
			int err;
2140
			struct hci_conn	*hcon = iso_pi(sk)->conn->hcon;
2141

2142
			iso_pi(sk)->qos.bcast.encryption = ev2->encryption;
2143

2144
			if (ev2->num_bis < iso_pi(sk)->bc_num_bis)
2145
				iso_pi(sk)->bc_num_bis = ev2->num_bis;
2146

2147
			if (!test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags) &&
2148
			    !test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) {
2149
				err = hci_conn_big_create_sync(hdev, hcon,
2150
							       &iso_pi(sk)->qos,
2151
							       iso_pi(sk)->sync_handle,
2152
							       iso_pi(sk)->bc_num_bis,
2153
							       iso_pi(sk)->bc_bis);
2154
				if (err) {
2155
					bt_dev_err(hdev, "hci_le_big_create_sync: %d",
2156
						   err);
2157
					sock_put(sk);
2158
					sk = NULL;
2159
				}
2160
			}
2161
		}
2162

2163
		goto done;
2164
	}
2165

2166
	ev3 = hci_recv_event_data(hdev, HCI_EV_LE_PER_ADV_REPORT);
2167
	if (ev3) {
2168
		size_t base_len = 0;
2169
		u8 *base;
2170
		struct hci_conn *hcon;
2171

2172
		sk = iso_get_sock(&hdev->bdaddr, bdaddr, BT_LISTEN,
2173
				  iso_match_sync_handle_pa_report, ev3);
2174
		if (!sk)
2175
			goto done;
2176

2177
		hcon = iso_pi(sk)->conn->hcon;
2178
		if (!hcon)
2179
			goto done;
2180

2181
		if (ev3->data_status == LE_PA_DATA_TRUNCATED) {
2182
			/* The controller was unable to retrieve PA data. */
2183
			memset(hcon->le_per_adv_data, 0,
2184
			       HCI_MAX_PER_AD_TOT_LEN);
2185
			hcon->le_per_adv_data_len = 0;
2186
			hcon->le_per_adv_data_offset = 0;
2187
			goto done;
2188
		}
2189

2190
		if (hcon->le_per_adv_data_offset + ev3->length >
2191
		    HCI_MAX_PER_AD_TOT_LEN)
2192
			goto done;
2193

2194
		memcpy(hcon->le_per_adv_data + hcon->le_per_adv_data_offset,
2195
		       ev3->data, ev3->length);
2196
		hcon->le_per_adv_data_offset += ev3->length;
2197

2198
		if (ev3->data_status == LE_PA_DATA_COMPLETE) {
2199
			/* All PA data has been received. */
2200
			hcon->le_per_adv_data_len =
2201
				hcon->le_per_adv_data_offset;
2202
			hcon->le_per_adv_data_offset = 0;
2203

2204
			/* Extract BASE */
2205
			base = eir_get_service_data(hcon->le_per_adv_data,
2206
						    hcon->le_per_adv_data_len,
2207
						    EIR_BAA_SERVICE_UUID,
2208
						    &base_len);
2209

2210
			if (!base || base_len > BASE_MAX_LENGTH)
2211
				goto done;
2212

2213
			memcpy(iso_pi(sk)->base, base, base_len);
2214
			iso_pi(sk)->base_len = base_len;
2215
		} else {
2216
			/* This is a PA data fragment. Keep pa_data_len set to 0
2217
			 * until all data has been reassembled.
2218
			 */
2219
			hcon->le_per_adv_data_len = 0;
2220
		}
2221
	} else {
2222
		sk = iso_get_sock(&hdev->bdaddr, BDADDR_ANY,
2223
				  BT_LISTEN, NULL, NULL);
2224
	}
2225

2226
done:
2227
	if (!sk)
2228
		return 0;
2229

2230
	if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
2231
		*flags |= HCI_PROTO_DEFER;
2232

2233
	sock_put(sk);
2234

2235
	return HCI_LM_ACCEPT;
2236
}
2237

2238
static void iso_connect_cfm(struct hci_conn *hcon, __u8 status)
2239
{
2240
	if (hcon->type != CIS_LINK && hcon->type != BIS_LINK &&
2241
	    hcon->type != PA_LINK) {
2242
		if (hcon->type != LE_LINK)
2243
			return;
2244

2245
		/* Check if LE link has failed */
2246
		if (status) {
2247
			struct hci_link *link, *t;
2248

2249
			list_for_each_entry_safe(link, t, &hcon->link_list,
2250
						 list)
2251
				iso_conn_del(link->conn, bt_to_errno(status));
2252

2253
			return;
2254
		}
2255

2256
		/* Create CIS if pending */
2257
		hci_le_create_cis_pending(hcon->hdev);
2258
		return;
2259
	}
2260

2261
	BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
2262

2263
	/* Similar to the success case, if HCI_CONN_BIG_SYNC_FAILED or
2264
	 * HCI_CONN_PA_SYNC_FAILED is set, queue the failed connection
2265
	 * into the accept queue of the listening socket and wake up
2266
	 * userspace, to inform the user about the event.
2267
	 */
2268
	if (!status || test_bit(HCI_CONN_BIG_SYNC_FAILED, &hcon->flags) ||
2269
	    test_bit(HCI_CONN_PA_SYNC_FAILED, &hcon->flags)) {
2270
		struct iso_conn *conn;
2271

2272
		conn = iso_conn_add(hcon);
2273
		if (conn)
2274
			iso_conn_ready(conn);
2275
	} else {
2276
		iso_conn_del(hcon, bt_to_errno(status));
2277
	}
2278
}
2279

2280
static void iso_disconn_cfm(struct hci_conn *hcon, __u8 reason)
2281
{
2282
	if (hcon->type != CIS_LINK && hcon->type !=  BIS_LINK &&
2283
	    hcon->type != PA_LINK)
2284
		return;
2285

2286
	BT_DBG("hcon %p reason %d", hcon, reason);
2287

2288
	iso_conn_del(hcon, bt_to_errno(reason));
2289
}
2290

2291
void iso_recv(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
2292
{
2293
	struct iso_conn *conn = hcon->iso_data;
2294
	struct skb_shared_hwtstamps *hwts;
2295
	__u16 pb, ts, len, sn;
2296

2297
	if (!conn)
2298
		goto drop;
2299

2300
	pb     = hci_iso_flags_pb(flags);
2301
	ts     = hci_iso_flags_ts(flags);
2302

2303
	BT_DBG("conn %p len %d pb 0x%x ts 0x%x", conn, skb->len, pb, ts);
2304

2305
	switch (pb) {
2306
	case ISO_START:
2307
	case ISO_SINGLE:
2308
		if (conn->rx_len) {
2309
			BT_ERR("Unexpected start frame (len %d)", skb->len);
2310
			kfree_skb(conn->rx_skb);
2311
			conn->rx_skb = NULL;
2312
			conn->rx_len = 0;
2313
		}
2314

2315
		if (ts) {
2316
			struct hci_iso_ts_data_hdr *hdr;
2317

2318
			hdr = skb_pull_data(skb, HCI_ISO_TS_DATA_HDR_SIZE);
2319
			if (!hdr) {
2320
				BT_ERR("Frame is too short (len %d)", skb->len);
2321
				goto drop;
2322
			}
2323

2324
			/*  Record the timestamp to skb */
2325
			hwts = skb_hwtstamps(skb);
2326
			hwts->hwtstamp = us_to_ktime(le32_to_cpu(hdr->ts));
2327

2328
			sn = __le16_to_cpu(hdr->sn);
2329
			len = __le16_to_cpu(hdr->slen);
2330
		} else {
2331
			struct hci_iso_data_hdr *hdr;
2332

2333
			hdr = skb_pull_data(skb, HCI_ISO_DATA_HDR_SIZE);
2334
			if (!hdr) {
2335
				BT_ERR("Frame is too short (len %d)", skb->len);
2336
				goto drop;
2337
			}
2338

2339
			sn = __le16_to_cpu(hdr->sn);
2340
			len = __le16_to_cpu(hdr->slen);
2341
		}
2342

2343
		flags  = hci_iso_data_flags(len);
2344
		len    = hci_iso_data_len(len);
2345

2346
		BT_DBG("Start: total len %d, frag len %d flags 0x%4.4x sn %d",
2347
		       len, skb->len, flags, sn);
2348

2349
		if (len == skb->len) {
2350
			/* Complete frame received */
2351
			hci_skb_pkt_status(skb) = flags & 0x03;
2352
			hci_skb_pkt_seqnum(skb) = sn;
2353
			iso_recv_frame(conn, skb);
2354
			return;
2355
		}
2356

2357
		if (pb == ISO_SINGLE) {
2358
			BT_ERR("Frame malformed (len %d, expected len %d)",
2359
			       skb->len, len);
2360
			goto drop;
2361
		}
2362

2363
		if (skb->len > len) {
2364
			BT_ERR("Frame is too long (len %d, expected len %d)",
2365
			       skb->len, len);
2366
			goto drop;
2367
		}
2368

2369
		/* Allocate skb for the complete frame (with header) */
2370
		conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
2371
		if (!conn->rx_skb)
2372
			goto drop;
2373

2374
		hci_skb_pkt_status(conn->rx_skb) = flags & 0x03;
2375
		hci_skb_pkt_seqnum(conn->rx_skb) = sn;
2376
		skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2377
					  skb->len);
2378
		conn->rx_len = len - skb->len;
2379

2380
		/* Copy hw timestamp from skb to rx_skb if present */
2381
		if (ts) {
2382
			hwts = skb_hwtstamps(conn->rx_skb);
2383
			hwts->hwtstamp = skb_hwtstamps(skb)->hwtstamp;
2384
		}
2385

2386
		break;
2387

2388
	case ISO_CONT:
2389
		BT_DBG("Cont: frag len %d (expecting %d)", skb->len,
2390
		       conn->rx_len);
2391

2392
		if (!conn->rx_len) {
2393
			BT_ERR("Unexpected continuation frame (len %d)",
2394
			       skb->len);
2395
			goto drop;
2396
		}
2397

2398
		if (skb->len > conn->rx_len) {
2399
			BT_ERR("Fragment is too long (len %d, expected %d)",
2400
			       skb->len, conn->rx_len);
2401
			kfree_skb(conn->rx_skb);
2402
			conn->rx_skb = NULL;
2403
			conn->rx_len = 0;
2404
			goto drop;
2405
		}
2406

2407
		skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2408
					  skb->len);
2409
		conn->rx_len -= skb->len;
2410
		return;
2411

2412
	case ISO_END:
2413
		skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2414
					  skb->len);
2415
		conn->rx_len -= skb->len;
2416

2417
		if (!conn->rx_len) {
2418
			struct sk_buff *rx_skb = conn->rx_skb;
2419

2420
			/* Complete frame received. iso_recv_frame
2421
			 * takes ownership of the skb so set the global
2422
			 * rx_skb pointer to NULL first.
2423
			 */
2424
			conn->rx_skb = NULL;
2425
			iso_recv_frame(conn, rx_skb);
2426
		}
2427
		break;
2428
	}
2429

2430
drop:
2431
	kfree_skb(skb);
2432
}
2433

2434
static struct hci_cb iso_cb = {
2435
	.name		= "ISO",
2436
	.connect_cfm	= iso_connect_cfm,
2437
	.disconn_cfm	= iso_disconn_cfm,
2438
};
2439

2440
static int iso_debugfs_show(struct seq_file *f, void *p)
2441
{
2442
	struct sock *sk;
2443

2444
	read_lock(&iso_sk_list.lock);
2445

2446
	sk_for_each(sk, &iso_sk_list.head) {
2447
		seq_printf(f, "%pMR %pMR %d\n", &iso_pi(sk)->src,
2448
			   &iso_pi(sk)->dst, sk->sk_state);
2449
	}
2450

2451
	read_unlock(&iso_sk_list.lock);
2452

2453
	return 0;
2454
}
2455

2456
DEFINE_SHOW_ATTRIBUTE(iso_debugfs);
2457

2458
static struct dentry *iso_debugfs;
2459

2460
static const struct proto_ops iso_sock_ops = {
2461
	.family		= PF_BLUETOOTH,
2462
	.owner		= THIS_MODULE,
2463
	.release	= iso_sock_release,
2464
	.bind		= iso_sock_bind,
2465
	.connect	= iso_sock_connect,
2466
	.listen		= iso_sock_listen,
2467
	.accept		= iso_sock_accept,
2468
	.getname	= iso_sock_getname,
2469
	.sendmsg	= iso_sock_sendmsg,
2470
	.recvmsg	= iso_sock_recvmsg,
2471
	.poll		= bt_sock_poll,
2472
	.ioctl		= bt_sock_ioctl,
2473
	.mmap		= sock_no_mmap,
2474
	.socketpair	= sock_no_socketpair,
2475
	.shutdown	= iso_sock_shutdown,
2476
	.setsockopt	= iso_sock_setsockopt,
2477
	.getsockopt	= iso_sock_getsockopt
2478
};
2479

2480
static const struct net_proto_family iso_sock_family_ops = {
2481
	.family	= PF_BLUETOOTH,
2482
	.owner	= THIS_MODULE,
2483
	.create	= iso_sock_create,
2484
};
2485

2486
static bool inited;
2487

2488
bool iso_inited(void)
2489
{
2490
	return inited;
2491
}
2492

2493
int iso_init(void)
2494
{
2495
	int err;
2496

2497
	BUILD_BUG_ON(sizeof(struct sockaddr_iso) > sizeof(struct sockaddr));
2498

2499
	if (inited)
2500
		return -EALREADY;
2501

2502
	err = proto_register(&iso_proto, 0);
2503
	if (err < 0)
2504
		return err;
2505

2506
	err = bt_sock_register(BTPROTO_ISO, &iso_sock_family_ops);
2507
	if (err < 0) {
2508
		BT_ERR("ISO socket registration failed");
2509
		goto error;
2510
	}
2511

2512
	err = bt_procfs_init(&init_net, "iso", &iso_sk_list, NULL);
2513
	if (err < 0) {
2514
		BT_ERR("Failed to create ISO proc file");
2515
		bt_sock_unregister(BTPROTO_ISO);
2516
		goto error;
2517
	}
2518

2519
	BT_INFO("ISO socket layer initialized");
2520

2521
	hci_register_cb(&iso_cb);
2522

2523
	if (!IS_ERR_OR_NULL(bt_debugfs))
2524
		iso_debugfs = debugfs_create_file("iso", 0444, bt_debugfs,
2525
						  NULL, &iso_debugfs_fops);
2526

2527
	inited = true;
2528

2529
	return 0;
2530

2531
error:
2532
	proto_unregister(&iso_proto);
2533
	return err;
2534
}
2535

2536
int iso_exit(void)
2537
{
2538
	if (!inited)
2539
		return -EALREADY;
2540

2541
	bt_procfs_cleanup(&init_net, "iso");
2542

2543
	debugfs_remove(iso_debugfs);
2544
	iso_debugfs = NULL;
2545

2546
	hci_unregister_cb(&iso_cb);
2547

2548
	bt_sock_unregister(BTPROTO_ISO);
2549

2550
	proto_unregister(&iso_proto);
2551

2552
	inited = false;
2553

2554
	return 0;
2555
}
2556

2557
Product

Resources

Company
