xref: /openbmc/linux/net/bluetooth/iso.c (revision 16f6ccde74a6f8538c62f127f17207c75f4dba7a)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * BlueZ - Bluetooth protocol stack for Linux
4  *
5  * Copyright (C) 2022 Intel Corporation
6  * Copyright 2023 NXP
7  */
8 
9 #include <linux/module.h>
10 #include <linux/debugfs.h>
11 #include <linux/seq_file.h>
12 #include <linux/sched/signal.h>
13 
14 #include <net/bluetooth/bluetooth.h>
15 #include <net/bluetooth/hci_core.h>
16 #include <net/bluetooth/iso.h>
17 
18 static const struct proto_ops iso_sock_ops;
19 
20 static struct bt_sock_list iso_sk_list = {
21 	.lock = __RW_LOCK_UNLOCKED(iso_sk_list.lock)
22 };
23 
24 /* ---- ISO connections ---- */
25 struct iso_conn {
26 	struct hci_conn	*hcon;
27 
28 	/* @lock: spinlock protecting changes to iso_conn fields */
29 	spinlock_t	lock;
30 	struct sock	*sk;
31 
32 	struct delayed_work	timeout_work;
33 
34 	struct sk_buff	*rx_skb;
35 	__u32		rx_len;
36 	__u16		tx_sn;
37 };
38 
39 #define iso_conn_lock(c)	spin_lock(&(c)->lock)
40 #define iso_conn_unlock(c)	spin_unlock(&(c)->lock)
41 
42 static void iso_sock_close(struct sock *sk);
43 static void iso_sock_kill(struct sock *sk);
44 
45 /* ----- ISO socket info ----- */
46 #define iso_pi(sk) ((struct iso_pinfo *)sk)
47 
48 #define EIR_SERVICE_DATA_LENGTH 4
49 #define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH)
50 
51 /* iso_pinfo flags values */
52 enum {
53 	BT_SK_BIG_SYNC,
54 	BT_SK_PA_SYNC,
55 	BT_SK_PA_SYNC_TERM,
56 };
57 
58 struct iso_pinfo {
59 	struct bt_sock		bt;
60 	bdaddr_t		src;
61 	__u8			src_type;
62 	bdaddr_t		dst;
63 	__u8			dst_type;
64 	__u8			bc_sid;
65 	__u8			bc_num_bis;
66 	__u8			bc_bis[ISO_MAX_NUM_BIS];
67 	__u16			sync_handle;
68 	unsigned long		flags;
69 	struct bt_iso_qos	qos;
70 	bool			qos_user_set;
71 	__u8			base_len;
72 	__u8			base[BASE_MAX_LENGTH];
73 	struct iso_conn		*conn;
74 };
75 
76 static struct bt_iso_qos default_qos;
77 
78 static bool check_ucast_qos(struct bt_iso_qos *qos);
79 static bool check_bcast_qos(struct bt_iso_qos *qos);
80 static bool iso_match_sid(struct sock *sk, void *data);
81 static bool iso_match_sync_handle(struct sock *sk, void *data);
82 static void iso_sock_disconn(struct sock *sk);
83 
84 typedef bool (*iso_sock_match_t)(struct sock *sk, void *data);
85 
86 static struct sock *iso_get_sock_listen(bdaddr_t *src, bdaddr_t *dst,
87 					iso_sock_match_t match, void *data);
88 
89 /* ---- ISO timers ---- */
90 #define ISO_CONN_TIMEOUT	(HZ * 40)
91 #define ISO_DISCONN_TIMEOUT	(HZ * 2)
92 
iso_sock_hold(struct iso_conn * conn)93 static struct sock *iso_sock_hold(struct iso_conn *conn)
94 {
95 	if (!conn || !bt_sock_linked(&iso_sk_list, conn->sk))
96 		return NULL;
97 
98 	sock_hold(conn->sk);
99 
100 	return conn->sk;
101 }
102 
iso_sock_timeout(struct work_struct * work)103 static void iso_sock_timeout(struct work_struct *work)
104 {
105 	struct iso_conn *conn = container_of(work, struct iso_conn,
106 					     timeout_work.work);
107 	struct sock *sk;
108 
109 	iso_conn_lock(conn);
110 	sk = iso_sock_hold(conn);
111 	iso_conn_unlock(conn);
112 
113 	if (!sk)
114 		return;
115 
116 	BT_DBG("sock %p state %d", sk, sk->sk_state);
117 
118 	lock_sock(sk);
119 	sk->sk_err = ETIMEDOUT;
120 	sk->sk_state_change(sk);
121 	release_sock(sk);
122 	sock_put(sk);
123 }
124 
iso_sock_set_timer(struct sock * sk,long timeout)125 static void iso_sock_set_timer(struct sock *sk, long timeout)
126 {
127 	if (!iso_pi(sk)->conn)
128 		return;
129 
130 	BT_DBG("sock %p state %d timeout %ld", sk, sk->sk_state, timeout);
131 	cancel_delayed_work(&iso_pi(sk)->conn->timeout_work);
132 	schedule_delayed_work(&iso_pi(sk)->conn->timeout_work, timeout);
133 }
134 
iso_sock_clear_timer(struct sock * sk)135 static void iso_sock_clear_timer(struct sock *sk)
136 {
137 	if (!iso_pi(sk)->conn)
138 		return;
139 
140 	BT_DBG("sock %p state %d", sk, sk->sk_state);
141 	cancel_delayed_work(&iso_pi(sk)->conn->timeout_work);
142 }
143 
144 /* ---- ISO connections ---- */
iso_conn_add(struct hci_conn * hcon)145 static struct iso_conn *iso_conn_add(struct hci_conn *hcon)
146 {
147 	struct iso_conn *conn = hcon->iso_data;
148 
149 	if (conn) {
150 		if (!conn->hcon)
151 			conn->hcon = hcon;
152 		return conn;
153 	}
154 
155 	conn = kzalloc(sizeof(*conn), GFP_KERNEL);
156 	if (!conn)
157 		return NULL;
158 
159 	spin_lock_init(&conn->lock);
160 	INIT_DELAYED_WORK(&conn->timeout_work, iso_sock_timeout);
161 
162 	hcon->iso_data = conn;
163 	conn->hcon = hcon;
164 	conn->tx_sn = 0;
165 
166 	BT_DBG("hcon %p conn %p", hcon, conn);
167 
168 	return conn;
169 }
170 
171 /* Delete channel. Must be called on the locked socket. */
iso_chan_del(struct sock * sk,int err)172 static void iso_chan_del(struct sock *sk, int err)
173 {
174 	struct iso_conn *conn;
175 	struct sock *parent;
176 
177 	conn = iso_pi(sk)->conn;
178 
179 	BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
180 
181 	if (conn) {
182 		iso_conn_lock(conn);
183 		conn->sk = NULL;
184 		iso_pi(sk)->conn = NULL;
185 		iso_conn_unlock(conn);
186 
187 		if (conn->hcon)
188 			hci_conn_drop(conn->hcon);
189 	}
190 
191 	sk->sk_state = BT_CLOSED;
192 	sk->sk_err   = err;
193 
194 	parent = bt_sk(sk)->parent;
195 	if (parent) {
196 		bt_accept_unlink(sk);
197 		parent->sk_data_ready(parent);
198 	} else {
199 		sk->sk_state_change(sk);
200 	}
201 
202 	sock_set_flag(sk, SOCK_ZAPPED);
203 }
204 
iso_match_conn_sync_handle(struct sock * sk,void * data)205 static bool iso_match_conn_sync_handle(struct sock *sk, void *data)
206 {
207 	struct hci_conn *hcon = data;
208 
209 	if (test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags))
210 		return false;
211 
212 	return hcon->sync_handle == iso_pi(sk)->sync_handle;
213 }
214 
iso_conn_del(struct hci_conn * hcon,int err)215 static void iso_conn_del(struct hci_conn *hcon, int err)
216 {
217 	struct iso_conn *conn = hcon->iso_data;
218 	struct sock *sk;
219 	struct sock *parent;
220 
221 	if (!conn)
222 		return;
223 
224 	BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
225 
226 	/* Kill socket */
227 	iso_conn_lock(conn);
228 	sk = iso_sock_hold(conn);
229 	iso_conn_unlock(conn);
230 
231 	if (sk) {
232 		lock_sock(sk);
233 
234 		/* While a PA sync hcon is in the process of closing,
235 		 * mark parent socket with a flag, so that any residual
236 		 * BIGInfo adv reports that arrive before PA sync is
237 		 * terminated are not processed anymore.
238 		 */
239 		if (test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) {
240 			parent = iso_get_sock_listen(&hcon->src,
241 						     &hcon->dst,
242 						     iso_match_conn_sync_handle,
243 						     hcon);
244 
245 			if (parent) {
246 				set_bit(BT_SK_PA_SYNC_TERM,
247 					&iso_pi(parent)->flags);
248 				sock_put(parent);
249 			}
250 		}
251 
252 		iso_sock_clear_timer(sk);
253 		iso_chan_del(sk, err);
254 		release_sock(sk);
255 		sock_put(sk);
256 	}
257 
258 	/* Ensure no more work items will run before freeing conn. */
259 	cancel_delayed_work_sync(&conn->timeout_work);
260 
261 	hcon->iso_data = NULL;
262 	kfree(conn);
263 }
264 
__iso_chan_add(struct iso_conn * conn,struct sock * sk,struct sock * parent)265 static int __iso_chan_add(struct iso_conn *conn, struct sock *sk,
266 			  struct sock *parent)
267 {
268 	BT_DBG("conn %p", conn);
269 
270 	if (iso_pi(sk)->conn == conn && conn->sk == sk)
271 		return 0;
272 
273 	if (conn->sk) {
274 		BT_ERR("conn->sk already set");
275 		return -EBUSY;
276 	}
277 
278 	iso_pi(sk)->conn = conn;
279 	conn->sk = sk;
280 
281 	if (parent)
282 		bt_accept_enqueue(parent, sk, true);
283 
284 	return 0;
285 }
286 
iso_chan_add(struct iso_conn * conn,struct sock * sk,struct sock * parent)287 static int iso_chan_add(struct iso_conn *conn, struct sock *sk,
288 			struct sock *parent)
289 {
290 	int err;
291 
292 	iso_conn_lock(conn);
293 	err = __iso_chan_add(conn, sk, parent);
294 	iso_conn_unlock(conn);
295 
296 	return err;
297 }
298 
le_addr_type(u8 bdaddr_type)299 static inline u8 le_addr_type(u8 bdaddr_type)
300 {
301 	if (bdaddr_type == BDADDR_LE_PUBLIC)
302 		return ADDR_LE_DEV_PUBLIC;
303 	else
304 		return ADDR_LE_DEV_RANDOM;
305 }
306 
iso_connect_bis(struct sock * sk)307 static int iso_connect_bis(struct sock *sk)
308 {
309 	struct iso_conn *conn;
310 	struct hci_conn *hcon;
311 	struct hci_dev  *hdev;
312 	int err;
313 
314 	BT_DBG("%pMR", &iso_pi(sk)->src);
315 
316 	hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
317 			     iso_pi(sk)->src_type);
318 	if (!hdev)
319 		return -EHOSTUNREACH;
320 
321 	hci_dev_lock(hdev);
322 
323 	if (!bis_capable(hdev)) {
324 		err = -EOPNOTSUPP;
325 		goto unlock;
326 	}
327 
328 	/* Fail if user set invalid QoS */
329 	if (iso_pi(sk)->qos_user_set && !check_bcast_qos(&iso_pi(sk)->qos)) {
330 		iso_pi(sk)->qos = default_qos;
331 		err = -EINVAL;
332 		goto unlock;
333 	}
334 
335 	/* Fail if out PHYs are marked as disabled */
336 	if (!iso_pi(sk)->qos.bcast.out.phy) {
337 		err = -EINVAL;
338 		goto unlock;
339 	}
340 
341 	/* Just bind if DEFER_SETUP has been set */
342 	if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
343 		hcon = hci_bind_bis(hdev, &iso_pi(sk)->dst,
344 				    &iso_pi(sk)->qos, iso_pi(sk)->base_len,
345 				    iso_pi(sk)->base);
346 		if (IS_ERR(hcon)) {
347 			err = PTR_ERR(hcon);
348 			goto unlock;
349 		}
350 	} else {
351 		hcon = hci_connect_bis(hdev, &iso_pi(sk)->dst,
352 				       le_addr_type(iso_pi(sk)->dst_type),
353 				       &iso_pi(sk)->qos, iso_pi(sk)->base_len,
354 				       iso_pi(sk)->base);
355 		if (IS_ERR(hcon)) {
356 			err = PTR_ERR(hcon);
357 			goto unlock;
358 		}
359 	}
360 
361 	conn = iso_conn_add(hcon);
362 	if (!conn) {
363 		hci_conn_drop(hcon);
364 		err = -ENOMEM;
365 		goto unlock;
366 	}
367 
368 	lock_sock(sk);
369 
370 	err = iso_chan_add(conn, sk, NULL);
371 	if (err) {
372 		release_sock(sk);
373 		goto unlock;
374 	}
375 
376 	/* Update source addr of the socket */
377 	bacpy(&iso_pi(sk)->src, &hcon->src);
378 
379 	if (hcon->state == BT_CONNECTED) {
380 		iso_sock_clear_timer(sk);
381 		sk->sk_state = BT_CONNECTED;
382 	} else if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
383 		iso_sock_clear_timer(sk);
384 		sk->sk_state = BT_CONNECT;
385 	} else {
386 		sk->sk_state = BT_CONNECT;
387 		iso_sock_set_timer(sk, sk->sk_sndtimeo);
388 	}
389 
390 	release_sock(sk);
391 
392 unlock:
393 	hci_dev_unlock(hdev);
394 	hci_dev_put(hdev);
395 	return err;
396 }
397 
iso_connect_cis(struct sock * sk)398 static int iso_connect_cis(struct sock *sk)
399 {
400 	struct iso_conn *conn;
401 	struct hci_conn *hcon;
402 	struct hci_dev  *hdev;
403 	int err;
404 
405 	BT_DBG("%pMR -> %pMR", &iso_pi(sk)->src, &iso_pi(sk)->dst);
406 
407 	hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
408 			     iso_pi(sk)->src_type);
409 	if (!hdev)
410 		return -EHOSTUNREACH;
411 
412 	hci_dev_lock(hdev);
413 
414 	if (!cis_central_capable(hdev)) {
415 		err = -EOPNOTSUPP;
416 		goto unlock;
417 	}
418 
419 	/* Fail if user set invalid QoS */
420 	if (iso_pi(sk)->qos_user_set && !check_ucast_qos(&iso_pi(sk)->qos)) {
421 		iso_pi(sk)->qos = default_qos;
422 		err = -EINVAL;
423 		goto unlock;
424 	}
425 
426 	/* Fail if either PHYs are marked as disabled */
427 	if (!iso_pi(sk)->qos.ucast.in.phy && !iso_pi(sk)->qos.ucast.out.phy) {
428 		err = -EINVAL;
429 		goto unlock;
430 	}
431 
432 	/* Just bind if DEFER_SETUP has been set */
433 	if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
434 		hcon = hci_bind_cis(hdev, &iso_pi(sk)->dst,
435 				    le_addr_type(iso_pi(sk)->dst_type),
436 				    &iso_pi(sk)->qos);
437 		if (IS_ERR(hcon)) {
438 			err = PTR_ERR(hcon);
439 			goto unlock;
440 		}
441 	} else {
442 		hcon = hci_connect_cis(hdev, &iso_pi(sk)->dst,
443 				       le_addr_type(iso_pi(sk)->dst_type),
444 				       &iso_pi(sk)->qos);
445 		if (IS_ERR(hcon)) {
446 			err = PTR_ERR(hcon);
447 			goto unlock;
448 		}
449 	}
450 
451 	conn = iso_conn_add(hcon);
452 	if (!conn) {
453 		hci_conn_drop(hcon);
454 		err = -ENOMEM;
455 		goto unlock;
456 	}
457 
458 	lock_sock(sk);
459 
460 	err = iso_chan_add(conn, sk, NULL);
461 	if (err) {
462 		release_sock(sk);
463 		goto unlock;
464 	}
465 
466 	/* Update source addr of the socket */
467 	bacpy(&iso_pi(sk)->src, &hcon->src);
468 
469 	if (hcon->state == BT_CONNECTED) {
470 		iso_sock_clear_timer(sk);
471 		sk->sk_state = BT_CONNECTED;
472 	} else if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
473 		iso_sock_clear_timer(sk);
474 		sk->sk_state = BT_CONNECT;
475 	} else {
476 		sk->sk_state = BT_CONNECT;
477 		iso_sock_set_timer(sk, sk->sk_sndtimeo);
478 	}
479 
480 	release_sock(sk);
481 
482 unlock:
483 	hci_dev_unlock(hdev);
484 	hci_dev_put(hdev);
485 	return err;
486 }
487 
iso_sock_get_qos(struct sock * sk)488 static struct bt_iso_qos *iso_sock_get_qos(struct sock *sk)
489 {
490 	if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONNECT2)
491 		return &iso_pi(sk)->conn->hcon->iso_qos;
492 
493 	return &iso_pi(sk)->qos;
494 }
495 
iso_send_frame(struct sock * sk,struct sk_buff * skb)496 static int iso_send_frame(struct sock *sk, struct sk_buff *skb)
497 {
498 	struct iso_conn *conn = iso_pi(sk)->conn;
499 	struct bt_iso_qos *qos = iso_sock_get_qos(sk);
500 	struct hci_iso_data_hdr *hdr;
501 	int len = 0;
502 
503 	BT_DBG("sk %p len %d", sk, skb->len);
504 
505 	if (skb->len > qos->ucast.out.sdu)
506 		return -EMSGSIZE;
507 
508 	len = skb->len;
509 
510 	/* Push ISO data header */
511 	hdr = skb_push(skb, HCI_ISO_DATA_HDR_SIZE);
512 	hdr->sn = cpu_to_le16(conn->tx_sn++);
513 	hdr->slen = cpu_to_le16(hci_iso_data_len_pack(len,
514 						      HCI_ISO_STATUS_VALID));
515 
516 	if (sk->sk_state == BT_CONNECTED)
517 		hci_send_iso(conn->hcon, skb);
518 	else
519 		len = -ENOTCONN;
520 
521 	return len;
522 }
523 
iso_recv_frame(struct iso_conn * conn,struct sk_buff * skb)524 static void iso_recv_frame(struct iso_conn *conn, struct sk_buff *skb)
525 {
526 	struct sock *sk;
527 
528 	iso_conn_lock(conn);
529 	sk = conn->sk;
530 	iso_conn_unlock(conn);
531 
532 	if (!sk)
533 		goto drop;
534 
535 	BT_DBG("sk %p len %d", sk, skb->len);
536 
537 	if (sk->sk_state != BT_CONNECTED)
538 		goto drop;
539 
540 	if (!sock_queue_rcv_skb(sk, skb))
541 		return;
542 
543 drop:
544 	kfree_skb(skb);
545 }
546 
547 /* -------- Socket interface ---------- */
__iso_get_sock_listen_by_addr(bdaddr_t * src,bdaddr_t * dst)548 static struct sock *__iso_get_sock_listen_by_addr(bdaddr_t *src, bdaddr_t *dst)
549 {
550 	struct sock *sk;
551 
552 	sk_for_each(sk, &iso_sk_list.head) {
553 		if (sk->sk_state != BT_LISTEN)
554 			continue;
555 
556 		if (bacmp(&iso_pi(sk)->dst, dst))
557 			continue;
558 
559 		if (!bacmp(&iso_pi(sk)->src, src))
560 			return sk;
561 	}
562 
563 	return NULL;
564 }
565 
__iso_get_sock_listen_by_sid(bdaddr_t * ba,bdaddr_t * bc,__u8 sid)566 static struct sock *__iso_get_sock_listen_by_sid(bdaddr_t *ba, bdaddr_t *bc,
567 						 __u8 sid)
568 {
569 	struct sock *sk;
570 
571 	sk_for_each(sk, &iso_sk_list.head) {
572 		if (sk->sk_state != BT_LISTEN)
573 			continue;
574 
575 		if (bacmp(&iso_pi(sk)->src, ba))
576 			continue;
577 
578 		if (bacmp(&iso_pi(sk)->dst, bc))
579 			continue;
580 
581 		if (iso_pi(sk)->bc_sid == sid)
582 			return sk;
583 	}
584 
585 	return NULL;
586 }
587 
588 /* Find socket listening:
589  * source bdaddr (Unicast)
590  * destination bdaddr (Broadcast only)
591  * match func - pass NULL to ignore
592  * match func data - pass -1 to ignore
593  * Returns closest match.
594  */
iso_get_sock_listen(bdaddr_t * src,bdaddr_t * dst,iso_sock_match_t match,void * data)595 static struct sock *iso_get_sock_listen(bdaddr_t *src, bdaddr_t *dst,
596 					iso_sock_match_t match, void *data)
597 {
598 	struct sock *sk = NULL, *sk1 = NULL;
599 
600 	read_lock(&iso_sk_list.lock);
601 
602 	sk_for_each(sk, &iso_sk_list.head) {
603 		if (sk->sk_state != BT_LISTEN)
604 			continue;
605 
606 		/* Match Broadcast destination */
607 		if (bacmp(dst, BDADDR_ANY) && bacmp(&iso_pi(sk)->dst, dst))
608 			continue;
609 
610 		/* Use Match function if provided */
611 		if (match && !match(sk, data))
612 			continue;
613 
614 		/* Exact match. */
615 		if (!bacmp(&iso_pi(sk)->src, src)) {
616 			sock_hold(sk);
617 			break;
618 		}
619 
620 		/* Closest match */
621 		if (!bacmp(&iso_pi(sk)->src, BDADDR_ANY)) {
622 			if (sk1)
623 				sock_put(sk1);
624 
625 			sk1 = sk;
626 			sock_hold(sk1);
627 		}
628 	}
629 
630 	if (sk && sk1)
631 		sock_put(sk1);
632 
633 	read_unlock(&iso_sk_list.lock);
634 
635 	return sk ? sk : sk1;
636 }
637 
iso_get_sock_big(struct sock * match_sk,bdaddr_t * src,bdaddr_t * dst,uint8_t big)638 static struct sock *iso_get_sock_big(struct sock *match_sk, bdaddr_t *src,
639 				     bdaddr_t *dst, uint8_t big)
640 {
641 	struct sock *sk = NULL;
642 
643 	read_lock(&iso_sk_list.lock);
644 
645 	sk_for_each(sk, &iso_sk_list.head) {
646 		if (match_sk == sk)
647 			continue;
648 
649 		/* Look for sockets that have already been
650 		 * connected to the BIG
651 		 */
652 		if (sk->sk_state != BT_CONNECTED &&
653 		    sk->sk_state != BT_CONNECT)
654 			continue;
655 
656 		/* Match Broadcast destination */
657 		if (bacmp(&iso_pi(sk)->dst, dst))
658 			continue;
659 
660 		/* Match BIG handle */
661 		if (iso_pi(sk)->qos.bcast.big != big)
662 			continue;
663 
664 		/* Match source address */
665 		if (bacmp(&iso_pi(sk)->src, src))
666 			continue;
667 
668 		sock_hold(sk);
669 		break;
670 	}
671 
672 	read_unlock(&iso_sk_list.lock);
673 
674 	return sk;
675 }
676 
iso_sock_destruct(struct sock * sk)677 static void iso_sock_destruct(struct sock *sk)
678 {
679 	BT_DBG("sk %p", sk);
680 
681 	skb_queue_purge(&sk->sk_receive_queue);
682 	skb_queue_purge(&sk->sk_write_queue);
683 }
684 
iso_sock_cleanup_listen(struct sock * parent)685 static void iso_sock_cleanup_listen(struct sock *parent)
686 {
687 	struct sock *sk;
688 
689 	BT_DBG("parent %p", parent);
690 
691 	/* Close not yet accepted channels */
692 	while ((sk = bt_accept_dequeue(parent, NULL))) {
693 		iso_sock_close(sk);
694 		iso_sock_kill(sk);
695 	}
696 
697 	/* If listening socket stands for a PA sync connection,
698 	 * properly disconnect the hcon and socket.
699 	 */
700 	if (iso_pi(parent)->conn && iso_pi(parent)->conn->hcon &&
701 	    test_bit(HCI_CONN_PA_SYNC, &iso_pi(parent)->conn->hcon->flags)) {
702 		iso_sock_disconn(parent);
703 		return;
704 	}
705 
706 	parent->sk_state  = BT_CLOSED;
707 	sock_set_flag(parent, SOCK_ZAPPED);
708 }
709 
710 /* Kill socket (only if zapped and orphan)
711  * Must be called on unlocked socket.
712  */
iso_sock_kill(struct sock * sk)713 static void iso_sock_kill(struct sock *sk)
714 {
715 	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket ||
716 	    sock_flag(sk, SOCK_DEAD))
717 		return;
718 
719 	BT_DBG("sk %p state %d", sk, sk->sk_state);
720 
721 	/* Kill poor orphan */
722 	bt_sock_unlink(&iso_sk_list, sk);
723 	sock_set_flag(sk, SOCK_DEAD);
724 	sock_put(sk);
725 }
726 
iso_sock_disconn(struct sock * sk)727 static void iso_sock_disconn(struct sock *sk)
728 {
729 	struct sock *bis_sk;
730 	struct hci_conn *hcon = iso_pi(sk)->conn->hcon;
731 
732 	if (test_bit(HCI_CONN_BIG_CREATED, &hcon->flags)) {
733 		bis_sk = iso_get_sock_big(sk, &iso_pi(sk)->src,
734 					  &iso_pi(sk)->dst,
735 					  iso_pi(sk)->qos.bcast.big);
736 
737 		/* If there are any other connected sockets for the
738 		 * same BIG, just delete the sk and leave the bis
739 		 * hcon active, in case later rebinding is needed.
740 		 */
741 		if (bis_sk) {
742 			hcon->state = BT_OPEN;
743 			iso_pi(sk)->conn->hcon = NULL;
744 			iso_sock_clear_timer(sk);
745 			iso_chan_del(sk, bt_to_errno(hcon->abort_reason));
746 			sock_put(bis_sk);
747 			return;
748 		}
749 	}
750 
751 	sk->sk_state = BT_DISCONN;
752 	iso_sock_set_timer(sk, ISO_DISCONN_TIMEOUT);
753 	iso_conn_lock(iso_pi(sk)->conn);
754 	hci_conn_drop(iso_pi(sk)->conn->hcon);
755 	iso_pi(sk)->conn->hcon = NULL;
756 	iso_conn_unlock(iso_pi(sk)->conn);
757 }
758 
__iso_sock_close(struct sock * sk)759 static void __iso_sock_close(struct sock *sk)
760 {
761 	BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
762 
763 	switch (sk->sk_state) {
764 	case BT_LISTEN:
765 		iso_sock_cleanup_listen(sk);
766 		break;
767 
768 	case BT_CONNECT:
769 	case BT_CONNECTED:
770 	case BT_CONFIG:
771 		if (iso_pi(sk)->conn->hcon)
772 			iso_sock_disconn(sk);
773 		else
774 			iso_chan_del(sk, ECONNRESET);
775 		break;
776 
777 	case BT_CONNECT2:
778 		if (iso_pi(sk)->conn->hcon &&
779 		    (test_bit(HCI_CONN_PA_SYNC, &iso_pi(sk)->conn->hcon->flags) ||
780 		    test_bit(HCI_CONN_PA_SYNC_FAILED, &iso_pi(sk)->conn->hcon->flags)))
781 			iso_sock_disconn(sk);
782 		else
783 			iso_chan_del(sk, ECONNRESET);
784 		break;
785 	case BT_DISCONN:
786 		iso_chan_del(sk, ECONNRESET);
787 		break;
788 
789 	default:
790 		sock_set_flag(sk, SOCK_ZAPPED);
791 		break;
792 	}
793 }
794 
795 /* Must be called on unlocked socket. */
iso_sock_close(struct sock * sk)796 static void iso_sock_close(struct sock *sk)
797 {
798 	iso_sock_clear_timer(sk);
799 	lock_sock(sk);
800 	__iso_sock_close(sk);
801 	release_sock(sk);
802 	iso_sock_kill(sk);
803 }
804 
iso_sock_init(struct sock * sk,struct sock * parent)805 static void iso_sock_init(struct sock *sk, struct sock *parent)
806 {
807 	BT_DBG("sk %p", sk);
808 
809 	if (parent) {
810 		sk->sk_type = parent->sk_type;
811 		bt_sk(sk)->flags = bt_sk(parent)->flags;
812 		security_sk_clone(parent, sk);
813 	}
814 }
815 
816 static struct proto iso_proto = {
817 	.name		= "ISO",
818 	.owner		= THIS_MODULE,
819 	.obj_size	= sizeof(struct iso_pinfo)
820 };
821 
822 #define DEFAULT_IO_QOS \
823 { \
824 	.interval	= 10000u, \
825 	.latency	= 10u, \
826 	.sdu		= 40u, \
827 	.phy		= BT_ISO_PHY_2M, \
828 	.rtn		= 2u, \
829 }
830 
831 static struct bt_iso_qos default_qos = {
832 	.bcast = {
833 		.big			= BT_ISO_QOS_BIG_UNSET,
834 		.bis			= BT_ISO_QOS_BIS_UNSET,
835 		.sync_factor		= 0x01,
836 		.packing		= 0x00,
837 		.framing		= 0x00,
838 		.in			= DEFAULT_IO_QOS,
839 		.out			= DEFAULT_IO_QOS,
840 		.encryption		= 0x00,
841 		.bcode			= {0x00},
842 		.options		= 0x00,
843 		.skip			= 0x0000,
844 		.sync_timeout		= BT_ISO_SYNC_TIMEOUT,
845 		.sync_cte_type		= 0x00,
846 		.mse			= 0x00,
847 		.timeout		= BT_ISO_SYNC_TIMEOUT,
848 	},
849 };
850 
iso_sock_alloc(struct net * net,struct socket * sock,int proto,gfp_t prio,int kern)851 static struct sock *iso_sock_alloc(struct net *net, struct socket *sock,
852 				   int proto, gfp_t prio, int kern)
853 {
854 	struct sock *sk;
855 
856 	sk = bt_sock_alloc(net, sock, &iso_proto, proto, prio, kern);
857 	if (!sk)
858 		return NULL;
859 
860 	sk->sk_destruct = iso_sock_destruct;
861 	sk->sk_sndtimeo = ISO_CONN_TIMEOUT;
862 
863 	/* Set address type as public as default src address is BDADDR_ANY */
864 	iso_pi(sk)->src_type = BDADDR_LE_PUBLIC;
865 
866 	iso_pi(sk)->qos = default_qos;
867 
868 	bt_sock_link(&iso_sk_list, sk);
869 	return sk;
870 }
871 
iso_sock_create(struct net * net,struct socket * sock,int protocol,int kern)872 static int iso_sock_create(struct net *net, struct socket *sock, int protocol,
873 			   int kern)
874 {
875 	struct sock *sk;
876 
877 	BT_DBG("sock %p", sock);
878 
879 	sock->state = SS_UNCONNECTED;
880 
881 	if (sock->type != SOCK_SEQPACKET)
882 		return -ESOCKTNOSUPPORT;
883 
884 	sock->ops = &iso_sock_ops;
885 
886 	sk = iso_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
887 	if (!sk)
888 		return -ENOMEM;
889 
890 	iso_sock_init(sk, NULL);
891 	return 0;
892 }
893 
iso_sock_bind_bc(struct socket * sock,struct sockaddr * addr,int addr_len)894 static int iso_sock_bind_bc(struct socket *sock, struct sockaddr *addr,
895 			    int addr_len)
896 {
897 	struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
898 	struct sock *sk = sock->sk;
899 	int i;
900 
901 	BT_DBG("sk %p bc_sid %u bc_num_bis %u", sk, sa->iso_bc->bc_sid,
902 	       sa->iso_bc->bc_num_bis);
903 
904 	if (addr_len > sizeof(*sa) + sizeof(*sa->iso_bc) ||
905 	    sa->iso_bc->bc_num_bis < 0x01 || sa->iso_bc->bc_num_bis > 0x1f)
906 		return -EINVAL;
907 
908 	bacpy(&iso_pi(sk)->dst, &sa->iso_bc->bc_bdaddr);
909 	iso_pi(sk)->dst_type = sa->iso_bc->bc_bdaddr_type;
910 	iso_pi(sk)->sync_handle = -1;
911 	iso_pi(sk)->bc_sid = sa->iso_bc->bc_sid;
912 	iso_pi(sk)->bc_num_bis = sa->iso_bc->bc_num_bis;
913 
914 	for (i = 0; i < iso_pi(sk)->bc_num_bis; i++) {
915 		if (sa->iso_bc->bc_bis[i] < 0x01 ||
916 		    sa->iso_bc->bc_bis[i] > 0x1f)
917 			return -EINVAL;
918 
919 		memcpy(iso_pi(sk)->bc_bis, sa->iso_bc->bc_bis,
920 		       iso_pi(sk)->bc_num_bis);
921 	}
922 
923 	return 0;
924 }
925 
iso_sock_bind(struct socket * sock,struct sockaddr * addr,int addr_len)926 static int iso_sock_bind(struct socket *sock, struct sockaddr *addr,
927 			 int addr_len)
928 {
929 	struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
930 	struct sock *sk = sock->sk;
931 	int err = 0;
932 
933 	BT_DBG("sk %p %pMR type %u", sk, &sa->iso_bdaddr, sa->iso_bdaddr_type);
934 
935 	if (!addr || addr_len < sizeof(struct sockaddr_iso) ||
936 	    addr->sa_family != AF_BLUETOOTH)
937 		return -EINVAL;
938 
939 	lock_sock(sk);
940 
941 	if (sk->sk_state != BT_OPEN) {
942 		err = -EBADFD;
943 		goto done;
944 	}
945 
946 	if (sk->sk_type != SOCK_SEQPACKET) {
947 		err = -EINVAL;
948 		goto done;
949 	}
950 
951 	/* Check if the address type is of LE type */
952 	if (!bdaddr_type_is_le(sa->iso_bdaddr_type)) {
953 		err = -EINVAL;
954 		goto done;
955 	}
956 
957 	bacpy(&iso_pi(sk)->src, &sa->iso_bdaddr);
958 	iso_pi(sk)->src_type = sa->iso_bdaddr_type;
959 
960 	/* Check for Broadcast address */
961 	if (addr_len > sizeof(*sa)) {
962 		err = iso_sock_bind_bc(sock, addr, addr_len);
963 		if (err)
964 			goto done;
965 	}
966 
967 	sk->sk_state = BT_BOUND;
968 
969 done:
970 	release_sock(sk);
971 	return err;
972 }
973 
iso_sock_connect(struct socket * sock,struct sockaddr * addr,int alen,int flags)974 static int iso_sock_connect(struct socket *sock, struct sockaddr *addr,
975 			    int alen, int flags)
976 {
977 	struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
978 	struct sock *sk = sock->sk;
979 	int err;
980 
981 	BT_DBG("sk %p", sk);
982 
983 	if (alen < sizeof(struct sockaddr_iso) ||
984 	    addr->sa_family != AF_BLUETOOTH)
985 		return -EINVAL;
986 
987 	if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND)
988 		return -EBADFD;
989 
990 	if (sk->sk_type != SOCK_SEQPACKET)
991 		return -EINVAL;
992 
993 	/* Check if the address type is of LE type */
994 	if (!bdaddr_type_is_le(sa->iso_bdaddr_type))
995 		return -EINVAL;
996 
997 	lock_sock(sk);
998 
999 	bacpy(&iso_pi(sk)->dst, &sa->iso_bdaddr);
1000 	iso_pi(sk)->dst_type = sa->iso_bdaddr_type;
1001 
1002 	release_sock(sk);
1003 
1004 	if (bacmp(&iso_pi(sk)->dst, BDADDR_ANY))
1005 		err = iso_connect_cis(sk);
1006 	else
1007 		err = iso_connect_bis(sk);
1008 
1009 	if (err)
1010 		return err;
1011 
1012 	lock_sock(sk);
1013 
1014 	if (!test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
1015 		err = bt_sock_wait_state(sk, BT_CONNECTED,
1016 					 sock_sndtimeo(sk, flags & O_NONBLOCK));
1017 	}
1018 
1019 	release_sock(sk);
1020 	return err;
1021 }
1022 
iso_listen_bis(struct sock * sk)1023 static int iso_listen_bis(struct sock *sk)
1024 {
1025 	struct hci_dev *hdev;
1026 	int err = 0;
1027 
1028 	BT_DBG("%pMR -> %pMR (SID 0x%2.2x)", &iso_pi(sk)->src,
1029 	       &iso_pi(sk)->dst, iso_pi(sk)->bc_sid);
1030 
1031 	write_lock(&iso_sk_list.lock);
1032 
1033 	if (__iso_get_sock_listen_by_sid(&iso_pi(sk)->src, &iso_pi(sk)->dst,
1034 					 iso_pi(sk)->bc_sid))
1035 		err = -EADDRINUSE;
1036 
1037 	write_unlock(&iso_sk_list.lock);
1038 
1039 	if (err)
1040 		return err;
1041 
1042 	hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
1043 			     iso_pi(sk)->src_type);
1044 	if (!hdev)
1045 		return -EHOSTUNREACH;
1046 
1047 	/* Fail if user set invalid QoS */
1048 	if (iso_pi(sk)->qos_user_set && !check_bcast_qos(&iso_pi(sk)->qos)) {
1049 		iso_pi(sk)->qos = default_qos;
1050 		return -EINVAL;
1051 	}
1052 
1053 	err = hci_pa_create_sync(hdev, &iso_pi(sk)->dst,
1054 				 le_addr_type(iso_pi(sk)->dst_type),
1055 				 iso_pi(sk)->bc_sid, &iso_pi(sk)->qos);
1056 
1057 	hci_dev_put(hdev);
1058 
1059 	return err;
1060 }
1061 
iso_listen_cis(struct sock * sk)1062 static int iso_listen_cis(struct sock *sk)
1063 {
1064 	int err = 0;
1065 
1066 	BT_DBG("%pMR", &iso_pi(sk)->src);
1067 
1068 	write_lock(&iso_sk_list.lock);
1069 
1070 	if (__iso_get_sock_listen_by_addr(&iso_pi(sk)->src, &iso_pi(sk)->dst))
1071 		err = -EADDRINUSE;
1072 
1073 	write_unlock(&iso_sk_list.lock);
1074 
1075 	return err;
1076 }
1077 
iso_sock_listen(struct socket * sock,int backlog)1078 static int iso_sock_listen(struct socket *sock, int backlog)
1079 {
1080 	struct sock *sk = sock->sk;
1081 	int err = 0;
1082 
1083 	BT_DBG("sk %p backlog %d", sk, backlog);
1084 
1085 	lock_sock(sk);
1086 
1087 	if (sk->sk_state != BT_BOUND) {
1088 		err = -EBADFD;
1089 		goto done;
1090 	}
1091 
1092 	if (sk->sk_type != SOCK_SEQPACKET) {
1093 		err = -EINVAL;
1094 		goto done;
1095 	}
1096 
1097 	if (!bacmp(&iso_pi(sk)->dst, BDADDR_ANY))
1098 		err = iso_listen_cis(sk);
1099 	else
1100 		err = iso_listen_bis(sk);
1101 
1102 	if (err)
1103 		goto done;
1104 
1105 	sk->sk_max_ack_backlog = backlog;
1106 	sk->sk_ack_backlog = 0;
1107 
1108 	sk->sk_state = BT_LISTEN;
1109 
1110 done:
1111 	release_sock(sk);
1112 	return err;
1113 }
1114 
iso_sock_accept(struct socket * sock,struct socket * newsock,int flags,bool kern)1115 static int iso_sock_accept(struct socket *sock, struct socket *newsock,
1116 			   int flags, bool kern)
1117 {
1118 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
1119 	struct sock *sk = sock->sk, *ch;
1120 	long timeo;
1121 	int err = 0;
1122 
1123 	/* Use explicit nested locking to avoid lockdep warnings generated
1124 	 * because the parent socket and the child socket are locked on the
1125 	 * same thread.
1126 	 */
1127 	lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1128 
1129 	timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1130 
1131 	BT_DBG("sk %p timeo %ld", sk, timeo);
1132 
1133 	/* Wait for an incoming connection. (wake-one). */
1134 	add_wait_queue_exclusive(sk_sleep(sk), &wait);
1135 	while (1) {
1136 		if (sk->sk_state != BT_LISTEN) {
1137 			err = -EBADFD;
1138 			break;
1139 		}
1140 
1141 		ch = bt_accept_dequeue(sk, newsock);
1142 		if (ch)
1143 			break;
1144 
1145 		if (!timeo) {
1146 			err = -EAGAIN;
1147 			break;
1148 		}
1149 
1150 		if (signal_pending(current)) {
1151 			err = sock_intr_errno(timeo);
1152 			break;
1153 		}
1154 
1155 		release_sock(sk);
1156 
1157 		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
1158 		lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1159 	}
1160 	remove_wait_queue(sk_sleep(sk), &wait);
1161 
1162 	if (err)
1163 		goto done;
1164 
1165 	newsock->state = SS_CONNECTED;
1166 
1167 	BT_DBG("new socket %p", ch);
1168 
1169 done:
1170 	release_sock(sk);
1171 	return err;
1172 }
1173 
iso_sock_getname(struct socket * sock,struct sockaddr * addr,int peer)1174 static int iso_sock_getname(struct socket *sock, struct sockaddr *addr,
1175 			    int peer)
1176 {
1177 	struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
1178 	struct sock *sk = sock->sk;
1179 
1180 	BT_DBG("sock %p, sk %p", sock, sk);
1181 
1182 	addr->sa_family = AF_BLUETOOTH;
1183 
1184 	if (peer) {
1185 		bacpy(&sa->iso_bdaddr, &iso_pi(sk)->dst);
1186 		sa->iso_bdaddr_type = iso_pi(sk)->dst_type;
1187 	} else {
1188 		bacpy(&sa->iso_bdaddr, &iso_pi(sk)->src);
1189 		sa->iso_bdaddr_type = iso_pi(sk)->src_type;
1190 	}
1191 
1192 	return sizeof(struct sockaddr_iso);
1193 }
1194 
iso_sock_sendmsg(struct socket * sock,struct msghdr * msg,size_t len)1195 static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1196 			    size_t len)
1197 {
1198 	struct sock *sk = sock->sk;
1199 	struct sk_buff *skb, **frag;
1200 	size_t mtu;
1201 	int err;
1202 
1203 	BT_DBG("sock %p, sk %p", sock, sk);
1204 
1205 	err = sock_error(sk);
1206 	if (err)
1207 		return err;
1208 
1209 	if (msg->msg_flags & MSG_OOB)
1210 		return -EOPNOTSUPP;
1211 
1212 	lock_sock(sk);
1213 
1214 	if (sk->sk_state != BT_CONNECTED) {
1215 		release_sock(sk);
1216 		return -ENOTCONN;
1217 	}
1218 
1219 	mtu = iso_pi(sk)->conn->hcon->mtu;
1220 
1221 	release_sock(sk);
1222 
1223 	skb = bt_skb_sendmsg(sk, msg, len, mtu, HCI_ISO_DATA_HDR_SIZE, 0);
1224 	if (IS_ERR(skb))
1225 		return PTR_ERR(skb);
1226 
1227 	len -= skb->len;
1228 
1229 	BT_DBG("skb %p len %d", sk, skb->len);
1230 
1231 	/* Continuation fragments */
1232 	frag = &skb_shinfo(skb)->frag_list;
1233 	while (len) {
1234 		struct sk_buff *tmp;
1235 
1236 		tmp = bt_skb_sendmsg(sk, msg, len, mtu, 0, 0);
1237 		if (IS_ERR(tmp)) {
1238 			kfree_skb(skb);
1239 			return PTR_ERR(tmp);
1240 		}
1241 
1242 		*frag = tmp;
1243 
1244 		len  -= tmp->len;
1245 
1246 		skb->len += tmp->len;
1247 		skb->data_len += tmp->len;
1248 
1249 		BT_DBG("frag %p len %d", *frag, tmp->len);
1250 
1251 		frag = &(*frag)->next;
1252 	}
1253 
1254 	lock_sock(sk);
1255 
1256 	if (sk->sk_state == BT_CONNECTED)
1257 		err = iso_send_frame(sk, skb);
1258 	else
1259 		err = -ENOTCONN;
1260 
1261 	release_sock(sk);
1262 
1263 	if (err < 0)
1264 		kfree_skb(skb);
1265 	return err;
1266 }
1267 
iso_conn_defer_accept(struct hci_conn * conn)1268 static void iso_conn_defer_accept(struct hci_conn *conn)
1269 {
1270 	struct hci_cp_le_accept_cis cp;
1271 	struct hci_dev *hdev = conn->hdev;
1272 
1273 	BT_DBG("conn %p", conn);
1274 
1275 	conn->state = BT_CONFIG;
1276 
1277 	cp.handle = cpu_to_le16(conn->handle);
1278 
1279 	hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
1280 }
1281 
iso_conn_big_sync(struct sock * sk)1282 static void iso_conn_big_sync(struct sock *sk)
1283 {
1284 	int err;
1285 	struct hci_dev *hdev;
1286 
1287 	hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
1288 			     iso_pi(sk)->src_type);
1289 
1290 	if (!hdev)
1291 		return;
1292 
1293 	if (!test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) {
1294 		err = hci_le_big_create_sync(hdev, iso_pi(sk)->conn->hcon,
1295 					     &iso_pi(sk)->qos,
1296 					     iso_pi(sk)->sync_handle,
1297 					     iso_pi(sk)->bc_num_bis,
1298 					     iso_pi(sk)->bc_bis);
1299 		if (err)
1300 			bt_dev_err(hdev, "hci_le_big_create_sync: %d",
1301 				   err);
1302 	}
1303 }
1304 
iso_sock_recvmsg(struct socket * sock,struct msghdr * msg,size_t len,int flags)1305 static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1306 			    size_t len, int flags)
1307 {
1308 	struct sock *sk = sock->sk;
1309 	struct iso_pinfo *pi = iso_pi(sk);
1310 
1311 	BT_DBG("sk %p", sk);
1312 
1313 	if (test_and_clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
1314 		lock_sock(sk);
1315 		switch (sk->sk_state) {
1316 		case BT_CONNECT2:
1317 			if (test_bit(BT_SK_PA_SYNC, &pi->flags)) {
1318 				iso_conn_big_sync(sk);
1319 				sk->sk_state = BT_LISTEN;
1320 			} else {
1321 				iso_conn_defer_accept(pi->conn->hcon);
1322 				sk->sk_state = BT_CONFIG;
1323 			}
1324 			release_sock(sk);
1325 			return 0;
1326 		case BT_CONNECT:
1327 			release_sock(sk);
1328 			return iso_connect_cis(sk);
1329 		default:
1330 			release_sock(sk);
1331 			break;
1332 		}
1333 	}
1334 
1335 	return bt_sock_recvmsg(sock, msg, len, flags);
1336 }
1337 
check_io_qos(struct bt_iso_io_qos * qos)1338 static bool check_io_qos(struct bt_iso_io_qos *qos)
1339 {
1340 	/* If no PHY is enable SDU must be 0 */
1341 	if (!qos->phy && qos->sdu)
1342 		return false;
1343 
1344 	if (qos->interval && (qos->interval < 0xff || qos->interval > 0xfffff))
1345 		return false;
1346 
1347 	if (qos->latency && (qos->latency < 0x05 || qos->latency > 0xfa0))
1348 		return false;
1349 
1350 	if (qos->phy > BT_ISO_PHY_ANY)
1351 		return false;
1352 
1353 	return true;
1354 }
1355 
check_ucast_qos(struct bt_iso_qos * qos)1356 static bool check_ucast_qos(struct bt_iso_qos *qos)
1357 {
1358 	if (qos->ucast.cig > 0xef && qos->ucast.cig != BT_ISO_QOS_CIG_UNSET)
1359 		return false;
1360 
1361 	if (qos->ucast.cis > 0xef && qos->ucast.cis != BT_ISO_QOS_CIS_UNSET)
1362 		return false;
1363 
1364 	if (qos->ucast.sca > 0x07)
1365 		return false;
1366 
1367 	if (qos->ucast.packing > 0x01)
1368 		return false;
1369 
1370 	if (qos->ucast.framing > 0x01)
1371 		return false;
1372 
1373 	if (!check_io_qos(&qos->ucast.in))
1374 		return false;
1375 
1376 	if (!check_io_qos(&qos->ucast.out))
1377 		return false;
1378 
1379 	return true;
1380 }
1381 
check_bcast_qos(struct bt_iso_qos * qos)1382 static bool check_bcast_qos(struct bt_iso_qos *qos)
1383 {
1384 	if (!qos->bcast.sync_factor)
1385 		qos->bcast.sync_factor = 0x01;
1386 
1387 	if (qos->bcast.packing > 0x01)
1388 		return false;
1389 
1390 	if (qos->bcast.framing > 0x01)
1391 		return false;
1392 
1393 	if (!check_io_qos(&qos->bcast.in))
1394 		return false;
1395 
1396 	if (!check_io_qos(&qos->bcast.out))
1397 		return false;
1398 
1399 	if (qos->bcast.encryption > 0x01)
1400 		return false;
1401 
1402 	if (qos->bcast.options > 0x07)
1403 		return false;
1404 
1405 	if (qos->bcast.skip > 0x01f3)
1406 		return false;
1407 
1408 	if (!qos->bcast.sync_timeout)
1409 		qos->bcast.sync_timeout = BT_ISO_SYNC_TIMEOUT;
1410 
1411 	if (qos->bcast.sync_timeout < 0x000a || qos->bcast.sync_timeout > 0x4000)
1412 		return false;
1413 
1414 	if (qos->bcast.sync_cte_type > 0x1f)
1415 		return false;
1416 
1417 	if (qos->bcast.mse > 0x1f)
1418 		return false;
1419 
1420 	if (!qos->bcast.timeout)
1421 		qos->bcast.sync_timeout = BT_ISO_SYNC_TIMEOUT;
1422 
1423 	if (qos->bcast.timeout < 0x000a || qos->bcast.timeout > 0x4000)
1424 		return false;
1425 
1426 	return true;
1427 }
1428 
iso_sock_setsockopt(struct socket * sock,int level,int optname,sockptr_t optval,unsigned int optlen)1429 static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
1430 			       sockptr_t optval, unsigned int optlen)
1431 {
1432 	struct sock *sk = sock->sk;
1433 	int err = 0;
1434 	struct bt_iso_qos qos = default_qos;
1435 	u32 opt;
1436 
1437 	BT_DBG("sk %p", sk);
1438 
1439 	lock_sock(sk);
1440 
1441 	switch (optname) {
1442 	case BT_DEFER_SETUP:
1443 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1444 			err = -EINVAL;
1445 			break;
1446 		}
1447 
1448 		err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
1449 		if (err)
1450 			break;
1451 
1452 		if (opt)
1453 			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
1454 		else
1455 			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
1456 		break;
1457 
1458 	case BT_PKT_STATUS:
1459 		err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
1460 		if (err)
1461 			break;
1462 
1463 		if (opt)
1464 			set_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags);
1465 		else
1466 			clear_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags);
1467 		break;
1468 
1469 	case BT_ISO_QOS:
1470 		if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND &&
1471 		    sk->sk_state != BT_CONNECT2) {
1472 			err = -EINVAL;
1473 			break;
1474 		}
1475 
1476 		err = bt_copy_from_sockptr(&qos, sizeof(qos), optval, optlen);
1477 		if (err)
1478 			break;
1479 
1480 		iso_pi(sk)->qos = qos;
1481 		iso_pi(sk)->qos_user_set = true;
1482 
1483 		break;
1484 
1485 	case BT_ISO_BASE:
1486 		if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND &&
1487 		    sk->sk_state != BT_CONNECT2) {
1488 			err = -EINVAL;
1489 			break;
1490 		}
1491 
1492 		if (optlen > sizeof(iso_pi(sk)->base)) {
1493 			err = -EINVAL;
1494 			break;
1495 		}
1496 
1497 		err = bt_copy_from_sockptr(iso_pi(sk)->base, optlen, optval,
1498 					   optlen);
1499 		if (err)
1500 			break;
1501 
1502 		iso_pi(sk)->base_len = optlen;
1503 
1504 		break;
1505 
1506 	default:
1507 		err = -ENOPROTOOPT;
1508 		break;
1509 	}
1510 
1511 	release_sock(sk);
1512 	return err;
1513 }
1514 
iso_sock_getsockopt(struct socket * sock,int level,int optname,char __user * optval,int __user * optlen)1515 static int iso_sock_getsockopt(struct socket *sock, int level, int optname,
1516 			       char __user *optval, int __user *optlen)
1517 {
1518 	struct sock *sk = sock->sk;
1519 	int len, err = 0;
1520 	struct bt_iso_qos *qos;
1521 	u8 base_len;
1522 	u8 *base;
1523 
1524 	BT_DBG("sk %p", sk);
1525 
1526 	if (get_user(len, optlen))
1527 		return -EFAULT;
1528 
1529 	lock_sock(sk);
1530 
1531 	switch (optname) {
1532 	case BT_DEFER_SETUP:
1533 		if (sk->sk_state == BT_CONNECTED) {
1534 			err = -EINVAL;
1535 			break;
1536 		}
1537 
1538 		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
1539 			     (u32 __user *)optval))
1540 			err = -EFAULT;
1541 
1542 		break;
1543 
1544 	case BT_PKT_STATUS:
1545 		if (put_user(test_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags),
1546 			     (int __user *)optval))
1547 			err = -EFAULT;
1548 		break;
1549 
1550 	case BT_ISO_QOS:
1551 		qos = iso_sock_get_qos(sk);
1552 
1553 		len = min_t(unsigned int, len, sizeof(*qos));
1554 		if (copy_to_user(optval, qos, len))
1555 			err = -EFAULT;
1556 
1557 		break;
1558 
1559 	case BT_ISO_BASE:
1560 		if (sk->sk_state == BT_CONNECTED &&
1561 		    !bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) {
1562 			base_len = iso_pi(sk)->conn->hcon->le_per_adv_data_len;
1563 			base = iso_pi(sk)->conn->hcon->le_per_adv_data;
1564 		} else {
1565 			base_len = iso_pi(sk)->base_len;
1566 			base = iso_pi(sk)->base;
1567 		}
1568 
1569 		len = min_t(unsigned int, len, base_len);
1570 		if (copy_to_user(optval, base, len))
1571 			err = -EFAULT;
1572 
1573 		break;
1574 
1575 	default:
1576 		err = -ENOPROTOOPT;
1577 		break;
1578 	}
1579 
1580 	release_sock(sk);
1581 	return err;
1582 }
1583 
iso_sock_shutdown(struct socket * sock,int how)1584 static int iso_sock_shutdown(struct socket *sock, int how)
1585 {
1586 	struct sock *sk = sock->sk;
1587 	int err = 0;
1588 
1589 	BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1590 
1591 	if (!sk)
1592 		return 0;
1593 
1594 	sock_hold(sk);
1595 	lock_sock(sk);
1596 
1597 	switch (how) {
1598 	case SHUT_RD:
1599 		if (sk->sk_shutdown & RCV_SHUTDOWN)
1600 			goto unlock;
1601 		sk->sk_shutdown |= RCV_SHUTDOWN;
1602 		break;
1603 	case SHUT_WR:
1604 		if (sk->sk_shutdown & SEND_SHUTDOWN)
1605 			goto unlock;
1606 		sk->sk_shutdown |= SEND_SHUTDOWN;
1607 		break;
1608 	case SHUT_RDWR:
1609 		if (sk->sk_shutdown & SHUTDOWN_MASK)
1610 			goto unlock;
1611 		sk->sk_shutdown |= SHUTDOWN_MASK;
1612 		break;
1613 	}
1614 
1615 	iso_sock_clear_timer(sk);
1616 	__iso_sock_close(sk);
1617 
1618 	if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1619 	    !(current->flags & PF_EXITING))
1620 		err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
1621 
1622 unlock:
1623 	release_sock(sk);
1624 	sock_put(sk);
1625 
1626 	return err;
1627 }
1628 
iso_sock_release(struct socket * sock)1629 static int iso_sock_release(struct socket *sock)
1630 {
1631 	struct sock *sk = sock->sk;
1632 	int err = 0;
1633 
1634 	BT_DBG("sock %p, sk %p", sock, sk);
1635 
1636 	if (!sk)
1637 		return 0;
1638 
1639 	iso_sock_close(sk);
1640 
1641 	if (sock_flag(sk, SOCK_LINGER) && READ_ONCE(sk->sk_lingertime) &&
1642 	    !(current->flags & PF_EXITING)) {
1643 		lock_sock(sk);
1644 		err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
1645 		release_sock(sk);
1646 	}
1647 
1648 	sock_orphan(sk);
1649 	iso_sock_kill(sk);
1650 	return err;
1651 }
1652 
iso_sock_ready(struct sock * sk)1653 static void iso_sock_ready(struct sock *sk)
1654 {
1655 	BT_DBG("sk %p", sk);
1656 
1657 	if (!sk)
1658 		return;
1659 
1660 	lock_sock(sk);
1661 	iso_sock_clear_timer(sk);
1662 	sk->sk_state = BT_CONNECTED;
1663 	sk->sk_state_change(sk);
1664 	release_sock(sk);
1665 }
1666 
1667 struct iso_list_data {
1668 	struct hci_conn *hcon;
1669 	int count;
1670 };
1671 
iso_match_big(struct sock * sk,void * data)1672 static bool iso_match_big(struct sock *sk, void *data)
1673 {
1674 	struct hci_evt_le_big_sync_estabilished *ev = data;
1675 
1676 	return ev->handle == iso_pi(sk)->qos.bcast.big;
1677 }
1678 
iso_match_pa_sync_flag(struct sock * sk,void * data)1679 static bool iso_match_pa_sync_flag(struct sock *sk, void *data)
1680 {
1681 	return test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags);
1682 }
1683 
iso_conn_ready(struct iso_conn * conn)1684 static void iso_conn_ready(struct iso_conn *conn)
1685 {
1686 	struct sock *parent = NULL;
1687 	struct sock *sk = conn->sk;
1688 	struct hci_ev_le_big_sync_estabilished *ev = NULL;
1689 	struct hci_ev_le_pa_sync_established *ev2 = NULL;
1690 	struct hci_evt_le_big_info_adv_report *ev3 = NULL;
1691 	struct hci_conn *hcon;
1692 
1693 	BT_DBG("conn %p", conn);
1694 
1695 	if (sk) {
1696 		iso_sock_ready(conn->sk);
1697 	} else {
1698 		hcon = conn->hcon;
1699 		if (!hcon)
1700 			return;
1701 
1702 		if (test_bit(HCI_CONN_BIG_SYNC, &hcon->flags) ||
1703 		    test_bit(HCI_CONN_BIG_SYNC_FAILED, &hcon->flags)) {
1704 			ev = hci_recv_event_data(hcon->hdev,
1705 						 HCI_EVT_LE_BIG_SYNC_ESTABILISHED);
1706 
1707 			/* Get reference to PA sync parent socket, if it exists */
1708 			parent = iso_get_sock_listen(&hcon->src,
1709 						     &hcon->dst,
1710 						     iso_match_pa_sync_flag, NULL);
1711 			if (!parent && ev)
1712 				parent = iso_get_sock_listen(&hcon->src,
1713 							     &hcon->dst,
1714 							     iso_match_big, ev);
1715 		} else if (test_bit(HCI_CONN_PA_SYNC_FAILED, &hcon->flags)) {
1716 			ev2 = hci_recv_event_data(hcon->hdev,
1717 						  HCI_EV_LE_PA_SYNC_ESTABLISHED);
1718 			if (ev2)
1719 				parent = iso_get_sock_listen(&hcon->src,
1720 							     &hcon->dst,
1721 							     iso_match_sid, ev2);
1722 		} else if (test_bit(HCI_CONN_PA_SYNC, &hcon->flags)) {
1723 			ev3 = hci_recv_event_data(hcon->hdev,
1724 						  HCI_EVT_LE_BIG_INFO_ADV_REPORT);
1725 			if (ev3)
1726 				parent = iso_get_sock_listen(&hcon->src,
1727 							     &hcon->dst,
1728 							     iso_match_sync_handle, ev3);
1729 		}
1730 
1731 		if (!parent)
1732 			parent = iso_get_sock_listen(&hcon->src,
1733 							BDADDR_ANY, NULL, NULL);
1734 
1735 		if (!parent)
1736 			return;
1737 
1738 		lock_sock(parent);
1739 
1740 		sk = iso_sock_alloc(sock_net(parent), NULL,
1741 				    BTPROTO_ISO, GFP_ATOMIC, 0);
1742 		if (!sk) {
1743 			release_sock(parent);
1744 			return;
1745 		}
1746 
1747 		iso_sock_init(sk, parent);
1748 
1749 		bacpy(&iso_pi(sk)->src, &hcon->src);
1750 
1751 		/* Convert from HCI to three-value type */
1752 		if (hcon->src_type == ADDR_LE_DEV_PUBLIC)
1753 			iso_pi(sk)->src_type = BDADDR_LE_PUBLIC;
1754 		else
1755 			iso_pi(sk)->src_type = BDADDR_LE_RANDOM;
1756 
1757 		/* If hcon has no destination address (BDADDR_ANY) it means it
1758 		 * was created by HCI_EV_LE_BIG_SYNC_ESTABILISHED or
1759 		 * HCI_EV_LE_PA_SYNC_ESTABLISHED so we need to initialize using
1760 		 * the parent socket destination address.
1761 		 */
1762 		if (!bacmp(&hcon->dst, BDADDR_ANY)) {
1763 			bacpy(&hcon->dst, &iso_pi(parent)->dst);
1764 			hcon->dst_type = iso_pi(parent)->dst_type;
1765 			hcon->sync_handle = iso_pi(parent)->sync_handle;
1766 		}
1767 
1768 		if (ev3) {
1769 			iso_pi(sk)->qos = iso_pi(parent)->qos;
1770 			iso_pi(sk)->qos.bcast.encryption = ev3->encryption;
1771 			hcon->iso_qos = iso_pi(sk)->qos;
1772 			iso_pi(sk)->bc_num_bis = iso_pi(parent)->bc_num_bis;
1773 			memcpy(iso_pi(sk)->bc_bis, iso_pi(parent)->bc_bis, ISO_MAX_NUM_BIS);
1774 			set_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags);
1775 		}
1776 
1777 		bacpy(&iso_pi(sk)->dst, &hcon->dst);
1778 		iso_pi(sk)->dst_type = hcon->dst_type;
1779 		iso_pi(sk)->sync_handle = iso_pi(parent)->sync_handle;
1780 		memcpy(iso_pi(sk)->base, iso_pi(parent)->base, iso_pi(parent)->base_len);
1781 		iso_pi(sk)->base_len = iso_pi(parent)->base_len;
1782 
1783 		hci_conn_hold(hcon);
1784 		iso_chan_add(conn, sk, parent);
1785 
1786 		if ((ev && ((struct hci_evt_le_big_sync_estabilished *)ev)->status) ||
1787 		    (ev2 && ev2->status)) {
1788 			/* Trigger error signal on child socket */
1789 			sk->sk_err = ECONNREFUSED;
1790 			sk->sk_error_report(sk);
1791 		}
1792 
1793 		if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
1794 			sk->sk_state = BT_CONNECT2;
1795 		else
1796 			sk->sk_state = BT_CONNECTED;
1797 
1798 		/* Wake up parent */
1799 		parent->sk_data_ready(parent);
1800 
1801 		release_sock(parent);
1802 		sock_put(parent);
1803 	}
1804 }
1805 
iso_match_sid(struct sock * sk,void * data)1806 static bool iso_match_sid(struct sock *sk, void *data)
1807 {
1808 	struct hci_ev_le_pa_sync_established *ev = data;
1809 
1810 	return ev->sid == iso_pi(sk)->bc_sid;
1811 }
1812 
iso_match_sync_handle(struct sock * sk,void * data)1813 static bool iso_match_sync_handle(struct sock *sk, void *data)
1814 {
1815 	struct hci_evt_le_big_info_adv_report *ev = data;
1816 
1817 	return le16_to_cpu(ev->sync_handle) == iso_pi(sk)->sync_handle;
1818 }
1819 
iso_match_sync_handle_pa_report(struct sock * sk,void * data)1820 static bool iso_match_sync_handle_pa_report(struct sock *sk, void *data)
1821 {
1822 	struct hci_ev_le_per_adv_report *ev = data;
1823 
1824 	return le16_to_cpu(ev->sync_handle) == iso_pi(sk)->sync_handle;
1825 }
1826 
1827 /* ----- ISO interface with lower layer (HCI) ----- */
1828 
iso_connect_ind(struct hci_dev * hdev,bdaddr_t * bdaddr,__u8 * flags)1829 int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
1830 {
1831 	struct hci_ev_le_pa_sync_established *ev1;
1832 	struct hci_evt_le_big_info_adv_report *ev2;
1833 	struct hci_ev_le_per_adv_report *ev3;
1834 	struct sock *sk;
1835 	int lm = 0;
1836 
1837 	bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
1838 
1839 	/* Broadcast receiver requires handling of some events before it can
1840 	 * proceed to establishing a BIG sync:
1841 	 *
1842 	 * 1. HCI_EV_LE_PA_SYNC_ESTABLISHED: The socket may specify a specific
1843 	 * SID to listen to and once sync is estabilished its handle needs to
1844 	 * be stored in iso_pi(sk)->sync_handle so it can be matched once
1845 	 * receiving the BIG Info.
1846 	 * 2. HCI_EVT_LE_BIG_INFO_ADV_REPORT: When connect_ind is triggered by a
1847 	 * a BIG Info it attempts to check if there any listening socket with
1848 	 * the same sync_handle and if it does then attempt to create a sync.
1849 	 * 3. HCI_EV_LE_PER_ADV_REPORT: When a PA report is received, it is stored
1850 	 * in iso_pi(sk)->base so it can be passed up to user, in the case of a
1851 	 * broadcast sink.
1852 	 */
1853 	ev1 = hci_recv_event_data(hdev, HCI_EV_LE_PA_SYNC_ESTABLISHED);
1854 	if (ev1) {
1855 		sk = iso_get_sock_listen(&hdev->bdaddr, bdaddr, iso_match_sid,
1856 					 ev1);
1857 		if (sk && !ev1->status)
1858 			iso_pi(sk)->sync_handle = le16_to_cpu(ev1->handle);
1859 
1860 		goto done;
1861 	}
1862 
1863 	ev2 = hci_recv_event_data(hdev, HCI_EVT_LE_BIG_INFO_ADV_REPORT);
1864 	if (ev2) {
1865 		/* Try to get PA sync listening socket, if it exists */
1866 		sk = iso_get_sock_listen(&hdev->bdaddr, bdaddr,
1867 						iso_match_pa_sync_flag, NULL);
1868 
1869 		if (!sk) {
1870 			sk = iso_get_sock_listen(&hdev->bdaddr, bdaddr,
1871 						 iso_match_sync_handle, ev2);
1872 
1873 			/* If PA Sync is in process of terminating,
1874 			 * do not handle any more BIGInfo adv reports.
1875 			 */
1876 
1877 			if (sk && test_bit(BT_SK_PA_SYNC_TERM,
1878 					   &iso_pi(sk)->flags))
1879 				return lm;
1880 		}
1881 
1882 		if (sk) {
1883 			int err;
1884 
1885 			if (ev2->num_bis < iso_pi(sk)->bc_num_bis)
1886 				iso_pi(sk)->bc_num_bis = ev2->num_bis;
1887 
1888 			if (!test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags) &&
1889 			    !test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) {
1890 				err = hci_le_big_create_sync(hdev, NULL,
1891 							     &iso_pi(sk)->qos,
1892 							     iso_pi(sk)->sync_handle,
1893 							     iso_pi(sk)->bc_num_bis,
1894 							     iso_pi(sk)->bc_bis);
1895 				if (err) {
1896 					bt_dev_err(hdev, "hci_le_big_create_sync: %d",
1897 						   err);
1898 					sock_put(sk);
1899 					sk = NULL;
1900 				}
1901 			}
1902 		}
1903 	}
1904 
1905 	ev3 = hci_recv_event_data(hdev, HCI_EV_LE_PER_ADV_REPORT);
1906 	if (ev3) {
1907 		sk = iso_get_sock_listen(&hdev->bdaddr, bdaddr,
1908 					 iso_match_sync_handle_pa_report, ev3);
1909 
1910 		if (sk) {
1911 			memcpy(iso_pi(sk)->base, ev3->data, ev3->length);
1912 			iso_pi(sk)->base_len = ev3->length;
1913 		}
1914 	} else {
1915 		sk = iso_get_sock_listen(&hdev->bdaddr, BDADDR_ANY, NULL, NULL);
1916 	}
1917 
1918 done:
1919 	if (!sk)
1920 		return lm;
1921 
1922 	lm |= HCI_LM_ACCEPT;
1923 
1924 	if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
1925 		*flags |= HCI_PROTO_DEFER;
1926 
1927 	sock_put(sk);
1928 
1929 	return lm;
1930 }
1931 
iso_connect_cfm(struct hci_conn * hcon,__u8 status)1932 static void iso_connect_cfm(struct hci_conn *hcon, __u8 status)
1933 {
1934 	if (hcon->type != ISO_LINK) {
1935 		if (hcon->type != LE_LINK)
1936 			return;
1937 
1938 		/* Check if LE link has failed */
1939 		if (status) {
1940 			struct hci_link *link, *t;
1941 
1942 			list_for_each_entry_safe(link, t, &hcon->link_list,
1943 						 list)
1944 				iso_conn_del(link->conn, bt_to_errno(status));
1945 
1946 			return;
1947 		}
1948 
1949 		/* Create CIS if pending */
1950 		hci_le_create_cis_pending(hcon->hdev);
1951 		return;
1952 	}
1953 
1954 	BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1955 
1956 	/* Similar to the success case, if HCI_CONN_BIG_SYNC_FAILED or
1957 	 * HCI_CONN_PA_SYNC_FAILED is set, queue the failed connection
1958 	 * into the accept queue of the listening socket and wake up
1959 	 * userspace, to inform the user about the event.
1960 	 */
1961 	if (!status || test_bit(HCI_CONN_BIG_SYNC_FAILED, &hcon->flags) ||
1962 	    test_bit(HCI_CONN_PA_SYNC_FAILED, &hcon->flags)) {
1963 		struct iso_conn *conn;
1964 
1965 		conn = iso_conn_add(hcon);
1966 		if (conn)
1967 			iso_conn_ready(conn);
1968 	} else {
1969 		iso_conn_del(hcon, bt_to_errno(status));
1970 	}
1971 }
1972 
iso_disconn_cfm(struct hci_conn * hcon,__u8 reason)1973 static void iso_disconn_cfm(struct hci_conn *hcon, __u8 reason)
1974 {
1975 	if (hcon->type != ISO_LINK)
1976 		return;
1977 
1978 	BT_DBG("hcon %p reason %d", hcon, reason);
1979 
1980 	iso_conn_del(hcon, bt_to_errno(reason));
1981 }
1982 
iso_recv(struct hci_conn * hcon,struct sk_buff * skb,u16 flags)1983 void iso_recv(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1984 {
1985 	struct iso_conn *conn = hcon->iso_data;
1986 	__u16 pb, ts, len;
1987 
1988 	if (!conn)
1989 		goto drop;
1990 
1991 	pb     = hci_iso_flags_pb(flags);
1992 	ts     = hci_iso_flags_ts(flags);
1993 
1994 	BT_DBG("conn %p len %d pb 0x%x ts 0x%x", conn, skb->len, pb, ts);
1995 
1996 	switch (pb) {
1997 	case ISO_START:
1998 	case ISO_SINGLE:
1999 		if (conn->rx_len) {
2000 			BT_ERR("Unexpected start frame (len %d)", skb->len);
2001 			kfree_skb(conn->rx_skb);
2002 			conn->rx_skb = NULL;
2003 			conn->rx_len = 0;
2004 		}
2005 
2006 		if (ts) {
2007 			struct hci_iso_ts_data_hdr *hdr;
2008 
2009 			/* TODO: add timestamp to the packet? */
2010 			hdr = skb_pull_data(skb, HCI_ISO_TS_DATA_HDR_SIZE);
2011 			if (!hdr) {
2012 				BT_ERR("Frame is too short (len %d)", skb->len);
2013 				goto drop;
2014 			}
2015 
2016 			len = __le16_to_cpu(hdr->slen);
2017 		} else {
2018 			struct hci_iso_data_hdr *hdr;
2019 
2020 			hdr = skb_pull_data(skb, HCI_ISO_DATA_HDR_SIZE);
2021 			if (!hdr) {
2022 				BT_ERR("Frame is too short (len %d)", skb->len);
2023 				goto drop;
2024 			}
2025 
2026 			len = __le16_to_cpu(hdr->slen);
2027 		}
2028 
2029 		flags  = hci_iso_data_flags(len);
2030 		len    = hci_iso_data_len(len);
2031 
2032 		BT_DBG("Start: total len %d, frag len %d flags 0x%4.4x", len,
2033 		       skb->len, flags);
2034 
2035 		if (len == skb->len) {
2036 			/* Complete frame received */
2037 			hci_skb_pkt_status(skb) = flags & 0x03;
2038 			iso_recv_frame(conn, skb);
2039 			return;
2040 		}
2041 
2042 		if (pb == ISO_SINGLE) {
2043 			BT_ERR("Frame malformed (len %d, expected len %d)",
2044 			       skb->len, len);
2045 			goto drop;
2046 		}
2047 
2048 		if (skb->len > len) {
2049 			BT_ERR("Frame is too long (len %d, expected len %d)",
2050 			       skb->len, len);
2051 			goto drop;
2052 		}
2053 
2054 		/* Allocate skb for the complete frame (with header) */
2055 		conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
2056 		if (!conn->rx_skb)
2057 			goto drop;
2058 
2059 		hci_skb_pkt_status(conn->rx_skb) = flags & 0x03;
2060 		skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2061 					  skb->len);
2062 		conn->rx_len = len - skb->len;
2063 		break;
2064 
2065 	case ISO_CONT:
2066 		BT_DBG("Cont: frag len %d (expecting %d)", skb->len,
2067 		       conn->rx_len);
2068 
2069 		if (!conn->rx_len) {
2070 			BT_ERR("Unexpected continuation frame (len %d)",
2071 			       skb->len);
2072 			goto drop;
2073 		}
2074 
2075 		if (skb->len > conn->rx_len) {
2076 			BT_ERR("Fragment is too long (len %d, expected %d)",
2077 			       skb->len, conn->rx_len);
2078 			kfree_skb(conn->rx_skb);
2079 			conn->rx_skb = NULL;
2080 			conn->rx_len = 0;
2081 			goto drop;
2082 		}
2083 
2084 		skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2085 					  skb->len);
2086 		conn->rx_len -= skb->len;
2087 		return;
2088 
2089 	case ISO_END:
2090 		skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2091 					  skb->len);
2092 		conn->rx_len -= skb->len;
2093 
2094 		if (!conn->rx_len) {
2095 			struct sk_buff *rx_skb = conn->rx_skb;
2096 
2097 			/* Complete frame received. iso_recv_frame
2098 			 * takes ownership of the skb so set the global
2099 			 * rx_skb pointer to NULL first.
2100 			 */
2101 			conn->rx_skb = NULL;
2102 			iso_recv_frame(conn, rx_skb);
2103 		}
2104 		break;
2105 	}
2106 
2107 drop:
2108 	kfree_skb(skb);
2109 }
2110 
2111 static struct hci_cb iso_cb = {
2112 	.name		= "ISO",
2113 	.connect_cfm	= iso_connect_cfm,
2114 	.disconn_cfm	= iso_disconn_cfm,
2115 };
2116 
iso_debugfs_show(struct seq_file * f,void * p)2117 static int iso_debugfs_show(struct seq_file *f, void *p)
2118 {
2119 	struct sock *sk;
2120 
2121 	read_lock(&iso_sk_list.lock);
2122 
2123 	sk_for_each(sk, &iso_sk_list.head) {
2124 		seq_printf(f, "%pMR %pMR %d\n", &iso_pi(sk)->src,
2125 			   &iso_pi(sk)->dst, sk->sk_state);
2126 	}
2127 
2128 	read_unlock(&iso_sk_list.lock);
2129 
2130 	return 0;
2131 }
2132 
2133 DEFINE_SHOW_ATTRIBUTE(iso_debugfs);
2134 
2135 static struct dentry *iso_debugfs;
2136 
2137 static const struct proto_ops iso_sock_ops = {
2138 	.family		= PF_BLUETOOTH,
2139 	.owner		= THIS_MODULE,
2140 	.release	= iso_sock_release,
2141 	.bind		= iso_sock_bind,
2142 	.connect	= iso_sock_connect,
2143 	.listen		= iso_sock_listen,
2144 	.accept		= iso_sock_accept,
2145 	.getname	= iso_sock_getname,
2146 	.sendmsg	= iso_sock_sendmsg,
2147 	.recvmsg	= iso_sock_recvmsg,
2148 	.poll		= bt_sock_poll,
2149 	.ioctl		= bt_sock_ioctl,
2150 	.mmap		= sock_no_mmap,
2151 	.socketpair	= sock_no_socketpair,
2152 	.shutdown	= iso_sock_shutdown,
2153 	.setsockopt	= iso_sock_setsockopt,
2154 	.getsockopt	= iso_sock_getsockopt
2155 };
2156 
2157 static const struct net_proto_family iso_sock_family_ops = {
2158 	.family	= PF_BLUETOOTH,
2159 	.owner	= THIS_MODULE,
2160 	.create	= iso_sock_create,
2161 };
2162 
2163 static bool iso_inited;
2164 
iso_enabled(void)2165 bool iso_enabled(void)
2166 {
2167 	return iso_inited;
2168 }
2169 
iso_init(void)2170 int iso_init(void)
2171 {
2172 	int err;
2173 
2174 	BUILD_BUG_ON(sizeof(struct sockaddr_iso) > sizeof(struct sockaddr));
2175 
2176 	if (iso_inited)
2177 		return -EALREADY;
2178 
2179 	err = proto_register(&iso_proto, 0);
2180 	if (err < 0)
2181 		return err;
2182 
2183 	err = bt_sock_register(BTPROTO_ISO, &iso_sock_family_ops);
2184 	if (err < 0) {
2185 		BT_ERR("ISO socket registration failed");
2186 		goto error;
2187 	}
2188 
2189 	err = bt_procfs_init(&init_net, "iso", &iso_sk_list, NULL);
2190 	if (err < 0) {
2191 		BT_ERR("Failed to create ISO proc file");
2192 		bt_sock_unregister(BTPROTO_ISO);
2193 		goto error;
2194 	}
2195 
2196 	BT_INFO("ISO socket layer initialized");
2197 
2198 	hci_register_cb(&iso_cb);
2199 
2200 	if (!IS_ERR_OR_NULL(bt_debugfs))
2201 		iso_debugfs = debugfs_create_file("iso", 0444, bt_debugfs,
2202 						  NULL, &iso_debugfs_fops);
2203 
2204 	iso_inited = true;
2205 
2206 	return 0;
2207 
2208 error:
2209 	proto_unregister(&iso_proto);
2210 	return err;
2211 }
2212 
iso_exit(void)2213 int iso_exit(void)
2214 {
2215 	if (!iso_inited)
2216 		return -EALREADY;
2217 
2218 	bt_procfs_cleanup(&init_net, "iso");
2219 
2220 	debugfs_remove(iso_debugfs);
2221 	iso_debugfs = NULL;
2222 
2223 	hci_unregister_cb(&iso_cb);
2224 
2225 	bt_sock_unregister(BTPROTO_ISO);
2226 
2227 	proto_unregister(&iso_proto);
2228 
2229 	iso_inited = false;
2230 
2231 	return 0;
2232 }
2233