net/bluetooth/iso.c at master

tjh.dev / kernel
fork
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork
kernel / net / bluetooth / iso.c
at master 2741 lines 60 kB view raw
wrap content
   1// SPDX-License-Identifier: GPL-2.0
   2/*
   3 * BlueZ - Bluetooth protocol stack for Linux
   4 *
   5 * Copyright (C) 2022 Intel Corporation
   6 * Copyright 2023-2024 NXP
   7 */
   8
   9#include <linux/module.h>
  10#include <linux/debugfs.h>
  11#include <linux/seq_file.h>
  12#include <linux/sched/signal.h>
  13
  14#include <net/bluetooth/bluetooth.h>
  15#include <net/bluetooth/hci_core.h>
  16#include <net/bluetooth/iso.h>
  17#include "eir.h"
  18
  19static const struct proto_ops iso_sock_ops;
  20
  21static struct bt_sock_list iso_sk_list = {
  22	.lock = __RW_LOCK_UNLOCKED(iso_sk_list.lock)
  23};
  24
  25/* ---- ISO connections ---- */
  26struct iso_conn {
  27	struct hci_conn	*hcon;
  28
  29	/* @lock: spinlock protecting changes to iso_conn fields */
  30	spinlock_t	lock;
  31	struct sock	*sk;
  32
  33	struct delayed_work	timeout_work;
  34
  35	struct sk_buff	*rx_skb;
  36	__u32		rx_len;
  37	__u16		tx_sn;
  38	struct kref	ref;
  39};
  40
  41#define iso_conn_lock(c)	spin_lock(&(c)->lock)
  42#define iso_conn_unlock(c)	spin_unlock(&(c)->lock)
  43
  44static void iso_sock_close(struct sock *sk);
  45static void iso_sock_kill(struct sock *sk);
  46
  47/* ----- ISO socket info ----- */
  48#define iso_pi(sk) ((struct iso_pinfo *)sk)
  49
  50#define EIR_SERVICE_DATA_LENGTH 4
  51#define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH)
  52#define EIR_BAA_SERVICE_UUID	0x1851
  53
  54/* iso_pinfo flags values */
  55enum {
  56	BT_SK_BIG_SYNC,
  57	BT_SK_PA_SYNC,
  58};
  59
  60struct iso_pinfo {
  61	struct bt_sock		bt;
  62	bdaddr_t		src;
  63	__u8			src_type;
  64	bdaddr_t		dst;
  65	__u8			dst_type;
  66	__u8			bc_sid;
  67	__u8			bc_num_bis;
  68	__u8			bc_bis[ISO_MAX_NUM_BIS];
  69	__u16			sync_handle;
  70	unsigned long		flags;
  71	struct bt_iso_qos	qos;
  72	bool			qos_user_set;
  73	__u8			base_len;
  74	__u8			base[BASE_MAX_LENGTH];
  75	struct iso_conn		*conn;
  76};
  77
  78static struct bt_iso_qos default_qos;
  79
  80static bool check_ucast_qos(struct bt_iso_qos *qos);
  81static bool check_bcast_qos(struct bt_iso_qos *qos);
  82static bool iso_match_sid(struct sock *sk, void *data);
  83static bool iso_match_sid_past(struct sock *sk, void *data);
  84static bool iso_match_sync_handle(struct sock *sk, void *data);
  85static bool iso_match_sync_handle_pa_report(struct sock *sk, void *data);
  86static void iso_sock_disconn(struct sock *sk);
  87
  88typedef bool (*iso_sock_match_t)(struct sock *sk, void *data);
  89
  90static struct sock *iso_get_sock(struct hci_dev *hdev, bdaddr_t *src,
  91				 bdaddr_t *dst, enum bt_sock_state state,
  92				 iso_sock_match_t match, void *data);
  93
  94/* ---- ISO timers ---- */
  95#define ISO_CONN_TIMEOUT	secs_to_jiffies(20)
  96#define ISO_DISCONN_TIMEOUT	secs_to_jiffies(2)
  97
  98static void iso_conn_free(struct kref *ref)
  99{
 100	struct iso_conn *conn = container_of(ref, struct iso_conn, ref);
 101
 102	BT_DBG("conn %p", conn);
 103
 104	if (conn->sk)
 105		iso_pi(conn->sk)->conn = NULL;
 106
 107	if (conn->hcon) {
 108		conn->hcon->iso_data = NULL;
 109		hci_conn_drop(conn->hcon);
 110	}
 111
 112	/* Ensure no more work items will run since hci_conn has been dropped */
 113	disable_delayed_work_sync(&conn->timeout_work);
 114
 115	kfree_skb(conn->rx_skb);
 116
 117	kfree(conn);
 118}
 119
 120static void iso_conn_put(struct iso_conn *conn)
 121{
 122	if (!conn)
 123		return;
 124
 125	BT_DBG("conn %p refcnt %d", conn, kref_read(&conn->ref));
 126
 127	kref_put(&conn->ref, iso_conn_free);
 128}
 129
 130static struct iso_conn *iso_conn_hold_unless_zero(struct iso_conn *conn)
 131{
 132	if (!conn)
 133		return NULL;
 134
 135	BT_DBG("conn %p refcnt %u", conn, kref_read(&conn->ref));
 136
 137	if (!kref_get_unless_zero(&conn->ref))
 138		return NULL;
 139
 140	return conn;
 141}
 142
 143static struct sock *iso_sock_hold(struct iso_conn *conn)
 144{
 145	if (!conn || !bt_sock_linked(&iso_sk_list, conn->sk))
 146		return NULL;
 147
 148	sock_hold(conn->sk);
 149
 150	return conn->sk;
 151}
 152
 153static void iso_sock_timeout(struct work_struct *work)
 154{
 155	struct iso_conn *conn = container_of(work, struct iso_conn,
 156					     timeout_work.work);
 157	struct sock *sk;
 158
 159	conn = iso_conn_hold_unless_zero(conn);
 160	if (!conn)
 161		return;
 162
 163	iso_conn_lock(conn);
 164	sk = iso_sock_hold(conn);
 165	iso_conn_unlock(conn);
 166	iso_conn_put(conn);
 167
 168	if (!sk)
 169		return;
 170
 171	BT_DBG("sock %p state %d", sk, sk->sk_state);
 172
 173	lock_sock(sk);
 174	sk->sk_err = ETIMEDOUT;
 175	sk->sk_state_change(sk);
 176	release_sock(sk);
 177	sock_put(sk);
 178}
 179
 180static void iso_sock_set_timer(struct sock *sk, long timeout)
 181{
 182	if (!iso_pi(sk)->conn)
 183		return;
 184
 185	BT_DBG("sock %p state %d timeout %ld", sk, sk->sk_state, timeout);
 186	cancel_delayed_work(&iso_pi(sk)->conn->timeout_work);
 187	schedule_delayed_work(&iso_pi(sk)->conn->timeout_work, timeout);
 188}
 189
 190static void iso_sock_clear_timer(struct sock *sk)
 191{
 192	if (!iso_pi(sk)->conn)
 193		return;
 194
 195	BT_DBG("sock %p state %d", sk, sk->sk_state);
 196	cancel_delayed_work(&iso_pi(sk)->conn->timeout_work);
 197}
 198
 199/* ---- ISO connections ---- */
 200static struct iso_conn *iso_conn_add(struct hci_conn *hcon)
 201{
 202	struct iso_conn *conn = hcon->iso_data;
 203
 204	conn = iso_conn_hold_unless_zero(conn);
 205	if (conn) {
 206		if (!conn->hcon) {
 207			iso_conn_lock(conn);
 208			conn->hcon = hcon;
 209			iso_conn_unlock(conn);
 210		}
 211		iso_conn_put(conn);
 212		return conn;
 213	}
 214
 215	conn = kzalloc_obj(*conn);
 216	if (!conn)
 217		return NULL;
 218
 219	kref_init(&conn->ref);
 220	spin_lock_init(&conn->lock);
 221	INIT_DELAYED_WORK(&conn->timeout_work, iso_sock_timeout);
 222
 223	hcon->iso_data = conn;
 224	conn->hcon = hcon;
 225	conn->tx_sn = 0;
 226
 227	BT_DBG("hcon %p conn %p", hcon, conn);
 228
 229	return conn;
 230}
 231
 232/* Delete channel. Must be called on the locked socket. */
 233static void iso_chan_del(struct sock *sk, int err)
 234{
 235	struct iso_conn *conn;
 236	struct sock *parent;
 237
 238	conn = iso_pi(sk)->conn;
 239	iso_pi(sk)->conn = NULL;
 240
 241	BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
 242
 243	if (conn) {
 244		iso_conn_lock(conn);
 245		conn->sk = NULL;
 246		iso_conn_unlock(conn);
 247		iso_conn_put(conn);
 248	}
 249
 250	sk->sk_state = BT_CLOSED;
 251	sk->sk_err   = err;
 252
 253	parent = bt_sk(sk)->parent;
 254	if (parent) {
 255		bt_accept_unlink(sk);
 256		parent->sk_data_ready(parent);
 257	} else {
 258		sk->sk_state_change(sk);
 259	}
 260
 261	sock_set_flag(sk, SOCK_ZAPPED);
 262}
 263
 264static void iso_conn_del(struct hci_conn *hcon, int err)
 265{
 266	struct iso_conn *conn = hcon->iso_data;
 267	struct sock *sk;
 268
 269	conn = iso_conn_hold_unless_zero(conn);
 270	if (!conn)
 271		return;
 272
 273	BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
 274
 275	/* Kill socket */
 276	iso_conn_lock(conn);
 277	sk = iso_sock_hold(conn);
 278	iso_conn_unlock(conn);
 279	iso_conn_put(conn);
 280
 281	if (!sk) {
 282		iso_conn_put(conn);
 283		return;
 284	}
 285
 286	lock_sock(sk);
 287	iso_sock_clear_timer(sk);
 288	iso_chan_del(sk, err);
 289	release_sock(sk);
 290	sock_put(sk);
 291}
 292
 293static int __iso_chan_add(struct iso_conn *conn, struct sock *sk,
 294			  struct sock *parent)
 295{
 296	BT_DBG("conn %p", conn);
 297
 298	if (iso_pi(sk)->conn == conn && conn->sk == sk)
 299		return 0;
 300
 301	if (conn->sk) {
 302		BT_ERR("conn->sk already set");
 303		return -EBUSY;
 304	}
 305
 306	iso_pi(sk)->conn = conn;
 307	conn->sk = sk;
 308
 309	if (parent)
 310		bt_accept_enqueue(parent, sk, true);
 311
 312	return 0;
 313}
 314
 315static int iso_chan_add(struct iso_conn *conn, struct sock *sk,
 316			struct sock *parent)
 317{
 318	int err;
 319
 320	iso_conn_lock(conn);
 321	err = __iso_chan_add(conn, sk, parent);
 322	iso_conn_unlock(conn);
 323
 324	return err;
 325}
 326
 327static inline u8 le_addr_type(u8 bdaddr_type)
 328{
 329	if (bdaddr_type == BDADDR_LE_PUBLIC)
 330		return ADDR_LE_DEV_PUBLIC;
 331	else
 332		return ADDR_LE_DEV_RANDOM;
 333}
 334
 335static int iso_connect_bis(struct sock *sk)
 336{
 337	struct iso_conn *conn;
 338	struct hci_conn *hcon;
 339	struct hci_dev  *hdev;
 340	int err;
 341
 342	BT_DBG("%pMR (SID 0x%2.2x)", &iso_pi(sk)->src, iso_pi(sk)->bc_sid);
 343
 344	hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
 345			     iso_pi(sk)->src_type);
 346	if (!hdev)
 347		return -EHOSTUNREACH;
 348
 349	hci_dev_lock(hdev);
 350	lock_sock(sk);
 351
 352	if (!bis_capable(hdev)) {
 353		err = -EOPNOTSUPP;
 354		goto unlock;
 355	}
 356
 357	/* Fail if user set invalid QoS */
 358	if (iso_pi(sk)->qos_user_set && !check_bcast_qos(&iso_pi(sk)->qos)) {
 359		iso_pi(sk)->qos = default_qos;
 360		err = -EINVAL;
 361		goto unlock;
 362	}
 363
 364	/* Fail if out PHYs are marked as disabled */
 365	if (!iso_pi(sk)->qos.bcast.out.phys) {
 366		err = -EINVAL;
 367		goto unlock;
 368	}
 369
 370	/* Just bind if DEFER_SETUP has been set */
 371	if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
 372		hcon = hci_bind_bis(hdev, &iso_pi(sk)->dst, iso_pi(sk)->bc_sid,
 373				    &iso_pi(sk)->qos, iso_pi(sk)->base_len,
 374				    iso_pi(sk)->base,
 375				    READ_ONCE(sk->sk_sndtimeo));
 376		if (IS_ERR(hcon)) {
 377			err = PTR_ERR(hcon);
 378			goto unlock;
 379		}
 380	} else {
 381		hcon = hci_connect_bis(hdev, &iso_pi(sk)->dst,
 382				       le_addr_type(iso_pi(sk)->dst_type),
 383				       iso_pi(sk)->bc_sid, &iso_pi(sk)->qos,
 384				       iso_pi(sk)->base_len, iso_pi(sk)->base,
 385				       READ_ONCE(sk->sk_sndtimeo));
 386		if (IS_ERR(hcon)) {
 387			err = PTR_ERR(hcon);
 388			goto unlock;
 389		}
 390
 391		/* Update SID if it was not set */
 392		if (iso_pi(sk)->bc_sid == HCI_SID_INVALID)
 393			iso_pi(sk)->bc_sid = hcon->sid;
 394	}
 395
 396	conn = iso_conn_add(hcon);
 397	if (!conn) {
 398		hci_conn_drop(hcon);
 399		err = -ENOMEM;
 400		goto unlock;
 401	}
 402
 403	err = iso_chan_add(conn, sk, NULL);
 404	if (err)
 405		goto unlock;
 406
 407	/* Update source addr of the socket */
 408	bacpy(&iso_pi(sk)->src, &hcon->src);
 409
 410	if (hcon->state == BT_CONNECTED) {
 411		iso_sock_clear_timer(sk);
 412		sk->sk_state = BT_CONNECTED;
 413	} else if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
 414		iso_sock_clear_timer(sk);
 415		sk->sk_state = BT_CONNECT;
 416	} else {
 417		sk->sk_state = BT_CONNECT;
 418		iso_sock_set_timer(sk, READ_ONCE(sk->sk_sndtimeo));
 419	}
 420
 421unlock:
 422	release_sock(sk);
 423	hci_dev_unlock(hdev);
 424	hci_dev_put(hdev);
 425	return err;
 426}
 427
 428static int iso_connect_cis(struct sock *sk)
 429{
 430	struct iso_conn *conn;
 431	struct hci_conn *hcon;
 432	struct hci_dev  *hdev;
 433	int err;
 434
 435	BT_DBG("%pMR -> %pMR", &iso_pi(sk)->src, &iso_pi(sk)->dst);
 436
 437	hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
 438			     iso_pi(sk)->src_type);
 439	if (!hdev)
 440		return -EHOSTUNREACH;
 441
 442	hci_dev_lock(hdev);
 443	lock_sock(sk);
 444
 445	if (!cis_central_capable(hdev)) {
 446		err = -EOPNOTSUPP;
 447		goto unlock;
 448	}
 449
 450	/* Fail if user set invalid QoS */
 451	if (iso_pi(sk)->qos_user_set && !check_ucast_qos(&iso_pi(sk)->qos)) {
 452		iso_pi(sk)->qos = default_qos;
 453		err = -EINVAL;
 454		goto unlock;
 455	}
 456
 457	/* Fail if either PHYs are marked as disabled */
 458	if (!iso_pi(sk)->qos.ucast.in.phys && !iso_pi(sk)->qos.ucast.out.phys) {
 459		err = -EINVAL;
 460		goto unlock;
 461	}
 462
 463	/* Check if there are available buffers for output/TX. */
 464	if (iso_pi(sk)->qos.ucast.out.sdu && !hci_iso_count(hdev) &&
 465	    (hdev->iso_pkts && !hdev->iso_cnt)) {
 466		err = -ENOBUFS;
 467		goto unlock;
 468	}
 469
 470	/* Just bind if DEFER_SETUP has been set */
 471	if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
 472		hcon = hci_bind_cis(hdev, &iso_pi(sk)->dst,
 473				    le_addr_type(iso_pi(sk)->dst_type),
 474				    &iso_pi(sk)->qos,
 475				    READ_ONCE(sk->sk_sndtimeo));
 476		if (IS_ERR(hcon)) {
 477			err = PTR_ERR(hcon);
 478			goto unlock;
 479		}
 480	} else {
 481		hcon = hci_connect_cis(hdev, &iso_pi(sk)->dst,
 482				       le_addr_type(iso_pi(sk)->dst_type),
 483				       &iso_pi(sk)->qos,
 484				       READ_ONCE(sk->sk_sndtimeo));
 485		if (IS_ERR(hcon)) {
 486			err = PTR_ERR(hcon);
 487			goto unlock;
 488		}
 489	}
 490
 491	conn = iso_conn_add(hcon);
 492	if (!conn) {
 493		hci_conn_drop(hcon);
 494		err = -ENOMEM;
 495		goto unlock;
 496	}
 497
 498	err = iso_chan_add(conn, sk, NULL);
 499	if (err)
 500		goto unlock;
 501
 502	/* Update source addr of the socket */
 503	bacpy(&iso_pi(sk)->src, &hcon->src);
 504
 505	if (hcon->state == BT_CONNECTED) {
 506		iso_sock_clear_timer(sk);
 507		sk->sk_state = BT_CONNECTED;
 508	} else if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
 509		iso_sock_clear_timer(sk);
 510		sk->sk_state = BT_CONNECT;
 511	} else {
 512		sk->sk_state = BT_CONNECT;
 513		iso_sock_set_timer(sk, READ_ONCE(sk->sk_sndtimeo));
 514	}
 515
 516unlock:
 517	release_sock(sk);
 518	hci_dev_unlock(hdev);
 519	hci_dev_put(hdev);
 520	return err;
 521}
 522
 523static struct bt_iso_qos *iso_sock_get_qos(struct sock *sk)
 524{
 525	if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONNECT2)
 526		return &iso_pi(sk)->conn->hcon->iso_qos;
 527
 528	return &iso_pi(sk)->qos;
 529}
 530
 531static int iso_send_frame(struct sock *sk, struct sk_buff *skb,
 532			  const struct sockcm_cookie *sockc)
 533{
 534	struct iso_conn *conn = iso_pi(sk)->conn;
 535	struct bt_iso_qos *qos = iso_sock_get_qos(sk);
 536	struct hci_iso_data_hdr *hdr;
 537	int len = 0;
 538
 539	BT_DBG("sk %p len %d", sk, skb->len);
 540
 541	if (skb->len > qos->ucast.out.sdu)
 542		return -EMSGSIZE;
 543
 544	len = skb->len;
 545
 546	/* Push ISO data header */
 547	hdr = skb_push(skb, HCI_ISO_DATA_HDR_SIZE);
 548	hdr->sn = cpu_to_le16(conn->tx_sn++);
 549	hdr->slen = cpu_to_le16(hci_iso_data_len_pack(len,
 550						      HCI_ISO_STATUS_VALID));
 551
 552	if (sk->sk_state == BT_CONNECTED) {
 553		hci_setup_tx_timestamp(skb, 1, sockc);
 554		hci_send_iso(conn->hcon, skb);
 555	} else {
 556		len = -ENOTCONN;
 557	}
 558
 559	return len;
 560}
 561
 562static void iso_recv_frame(struct iso_conn *conn, struct sk_buff *skb)
 563{
 564	struct sock *sk;
 565
 566	iso_conn_lock(conn);
 567	sk = conn->sk;
 568	iso_conn_unlock(conn);
 569
 570	if (!sk)
 571		goto drop;
 572
 573	BT_DBG("sk %p len %d", sk, skb->len);
 574
 575	if (sk->sk_state != BT_CONNECTED)
 576		goto drop;
 577
 578	if (!sock_queue_rcv_skb(sk, skb))
 579		return;
 580
 581drop:
 582	kfree_skb(skb);
 583}
 584
 585/* -------- Socket interface ---------- */
 586static struct sock *__iso_get_sock_listen_by_addr(bdaddr_t *src, bdaddr_t *dst)
 587{
 588	struct sock *sk;
 589
 590	sk_for_each(sk, &iso_sk_list.head) {
 591		if (sk->sk_state != BT_LISTEN)
 592			continue;
 593
 594		if (bacmp(&iso_pi(sk)->dst, dst))
 595			continue;
 596
 597		if (!bacmp(&iso_pi(sk)->src, src))
 598			return sk;
 599	}
 600
 601	return NULL;
 602}
 603
 604static struct sock *__iso_get_sock_listen_by_sid(bdaddr_t *ba, bdaddr_t *bc,
 605						 __u8 sid)
 606{
 607	struct sock *sk;
 608
 609	sk_for_each(sk, &iso_sk_list.head) {
 610		if (sk->sk_state != BT_LISTEN)
 611			continue;
 612
 613		if (bacmp(&iso_pi(sk)->src, ba))
 614			continue;
 615
 616		if (bacmp(&iso_pi(sk)->dst, bc))
 617			continue;
 618
 619		if (iso_pi(sk)->bc_sid == sid)
 620			return sk;
 621	}
 622
 623	return NULL;
 624}
 625
 626/* Find socket in given state:
 627 * source bdaddr (Unicast)
 628 * destination bdaddr (Broadcast only)
 629 * match func - pass NULL to ignore
 630 * match func data - pass -1 to ignore
 631 * Returns closest match.
 632 */
 633static struct sock *iso_get_sock(struct hci_dev *hdev, bdaddr_t *src,
 634				 bdaddr_t *dst, enum bt_sock_state state,
 635				 iso_sock_match_t match, void *data)
 636{
 637	struct sock *sk = NULL, *sk1 = NULL;
 638
 639	read_lock(&iso_sk_list.lock);
 640
 641	sk_for_each(sk, &iso_sk_list.head) {
 642		if (sk->sk_state != state)
 643			continue;
 644
 645		/* Match Broadcast destination */
 646		if (bacmp(dst, BDADDR_ANY) && bacmp(&iso_pi(sk)->dst, dst)) {
 647			struct smp_irk *irk1, *irk2;
 648
 649			/* Check if destination is an RPA that we can resolve */
 650			irk1 = hci_find_irk_by_rpa(hdev, dst);
 651			if (!irk1)
 652				continue;
 653
 654			/* Match with identity address */
 655			if (bacmp(&iso_pi(sk)->dst, &irk1->bdaddr)) {
 656				/* Check if socket destination address is also
 657				 * an RPA and if the IRK matches.
 658				 */
 659				irk2 = hci_find_irk_by_rpa(hdev,
 660							   &iso_pi(sk)->dst);
 661				if (!irk2 || irk1 != irk2)
 662					continue;
 663			}
 664		}
 665
 666		/* Use Match function if provided */
 667		if (match && !match(sk, data))
 668			continue;
 669
 670		/* Exact match. */
 671		if (!bacmp(&iso_pi(sk)->src, src)) {
 672			sock_hold(sk);
 673			break;
 674		}
 675
 676		/* Closest match */
 677		if (!bacmp(&iso_pi(sk)->src, BDADDR_ANY)) {
 678			if (sk1)
 679				sock_put(sk1);
 680
 681			sk1 = sk;
 682			sock_hold(sk1);
 683		}
 684	}
 685
 686	if (sk && sk1)
 687		sock_put(sk1);
 688
 689	read_unlock(&iso_sk_list.lock);
 690
 691	return sk ? sk : sk1;
 692}
 693
 694static struct sock *iso_get_sock_big(struct sock *match_sk, bdaddr_t *src,
 695				     bdaddr_t *dst, uint8_t big)
 696{
 697	struct sock *sk = NULL;
 698
 699	read_lock(&iso_sk_list.lock);
 700
 701	sk_for_each(sk, &iso_sk_list.head) {
 702		if (match_sk == sk)
 703			continue;
 704
 705		/* Look for sockets that have already been
 706		 * connected to the BIG
 707		 */
 708		if (sk->sk_state != BT_CONNECTED &&
 709		    sk->sk_state != BT_CONNECT)
 710			continue;
 711
 712		/* Match Broadcast destination */
 713		if (bacmp(&iso_pi(sk)->dst, dst))
 714			continue;
 715
 716		/* Match BIG handle */
 717		if (iso_pi(sk)->qos.bcast.big != big)
 718			continue;
 719
 720		/* Match source address */
 721		if (bacmp(&iso_pi(sk)->src, src))
 722			continue;
 723
 724		sock_hold(sk);
 725		break;
 726	}
 727
 728	read_unlock(&iso_sk_list.lock);
 729
 730	return sk;
 731}
 732
 733static void iso_sock_destruct(struct sock *sk)
 734{
 735	BT_DBG("sk %p", sk);
 736
 737	iso_conn_put(iso_pi(sk)->conn);
 738
 739	skb_queue_purge(&sk->sk_receive_queue);
 740	skb_queue_purge(&sk->sk_write_queue);
 741	skb_queue_purge(&sk->sk_error_queue);
 742}
 743
 744static void iso_sock_cleanup_listen(struct sock *parent)
 745{
 746	struct sock *sk;
 747
 748	BT_DBG("parent %p", parent);
 749
 750	/* Close not yet accepted channels */
 751	while ((sk = bt_accept_dequeue(parent, NULL))) {
 752		iso_sock_close(sk);
 753		iso_sock_kill(sk);
 754	}
 755
 756	/* If listening socket has a hcon, properly disconnect it */
 757	if (iso_pi(parent)->conn && iso_pi(parent)->conn->hcon) {
 758		iso_sock_disconn(parent);
 759		return;
 760	}
 761
 762	parent->sk_state  = BT_CLOSED;
 763	sock_set_flag(parent, SOCK_ZAPPED);
 764}
 765
 766/* Kill socket (only if zapped and orphan)
 767 * Must be called on unlocked socket.
 768 */
 769static void iso_sock_kill(struct sock *sk)
 770{
 771	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket ||
 772	    sock_flag(sk, SOCK_DEAD))
 773		return;
 774
 775	BT_DBG("sk %p state %d", sk, sk->sk_state);
 776
 777	/* Sock is dead, so set conn->sk to NULL to avoid possible UAF */
 778	if (iso_pi(sk)->conn) {
 779		iso_conn_lock(iso_pi(sk)->conn);
 780		iso_pi(sk)->conn->sk = NULL;
 781		iso_conn_unlock(iso_pi(sk)->conn);
 782	}
 783
 784	/* Kill poor orphan */
 785	bt_sock_unlink(&iso_sk_list, sk);
 786	sock_set_flag(sk, SOCK_DEAD);
 787	sock_put(sk);
 788}
 789
 790static void iso_sock_disconn(struct sock *sk)
 791{
 792	struct sock *bis_sk;
 793	struct hci_conn *hcon = iso_pi(sk)->conn->hcon;
 794
 795	if (test_bit(HCI_CONN_BIG_CREATED, &hcon->flags)) {
 796		bis_sk = iso_get_sock_big(sk, &iso_pi(sk)->src,
 797					  &iso_pi(sk)->dst,
 798					  iso_pi(sk)->qos.bcast.big);
 799
 800		/* If there are any other connected sockets for the
 801		 * same BIG, just delete the sk and leave the bis
 802		 * hcon active, in case later rebinding is needed.
 803		 */
 804		if (bis_sk) {
 805			hcon->state = BT_OPEN;
 806			hcon->iso_data = NULL;
 807			iso_pi(sk)->conn->hcon = NULL;
 808			iso_sock_clear_timer(sk);
 809			iso_chan_del(sk, bt_to_errno(hcon->abort_reason));
 810			sock_put(bis_sk);
 811			return;
 812		}
 813	}
 814
 815	sk->sk_state = BT_DISCONN;
 816	iso_conn_lock(iso_pi(sk)->conn);
 817	hci_conn_drop(iso_pi(sk)->conn->hcon);
 818	iso_pi(sk)->conn->hcon = NULL;
 819	iso_conn_unlock(iso_pi(sk)->conn);
 820}
 821
 822static void __iso_sock_close(struct sock *sk)
 823{
 824	BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
 825
 826	switch (sk->sk_state) {
 827	case BT_LISTEN:
 828		iso_sock_cleanup_listen(sk);
 829		break;
 830
 831	case BT_CONNECT:
 832	case BT_CONNECTED:
 833	case BT_CONFIG:
 834		if (iso_pi(sk)->conn->hcon)
 835			iso_sock_disconn(sk);
 836		else
 837			iso_chan_del(sk, ECONNRESET);
 838		break;
 839
 840	case BT_CONNECT2:
 841		if (iso_pi(sk)->conn->hcon &&
 842		    (test_bit(HCI_CONN_PA_SYNC, &iso_pi(sk)->conn->hcon->flags) ||
 843		    test_bit(HCI_CONN_PA_SYNC_FAILED, &iso_pi(sk)->conn->hcon->flags)))
 844			iso_sock_disconn(sk);
 845		else
 846			iso_chan_del(sk, ECONNRESET);
 847		break;
 848	case BT_DISCONN:
 849		iso_chan_del(sk, ECONNRESET);
 850		break;
 851
 852	default:
 853		sock_set_flag(sk, SOCK_ZAPPED);
 854		break;
 855	}
 856}
 857
 858/* Must be called on unlocked socket. */
 859static void iso_sock_close(struct sock *sk)
 860{
 861	iso_sock_clear_timer(sk);
 862	lock_sock(sk);
 863	__iso_sock_close(sk);
 864	release_sock(sk);
 865	iso_sock_kill(sk);
 866}
 867
 868static void iso_sock_init(struct sock *sk, struct sock *parent)
 869{
 870	BT_DBG("sk %p", sk);
 871
 872	if (parent) {
 873		sk->sk_type = parent->sk_type;
 874		bt_sk(sk)->flags = bt_sk(parent)->flags;
 875		security_sk_clone(parent, sk);
 876	}
 877}
 878
 879static struct proto iso_proto = {
 880	.name		= "ISO",
 881	.owner		= THIS_MODULE,
 882	.obj_size	= sizeof(struct iso_pinfo)
 883};
 884
 885#define DEFAULT_IO_QOS \
 886{ \
 887	.interval	= 10000u, \
 888	.latency	= 10u, \
 889	.sdu		= 40u, \
 890	.phys		= BT_ISO_PHY_2M, \
 891	.rtn		= 2u, \
 892}
 893
 894static struct bt_iso_qos default_qos = {
 895	.bcast = {
 896		.big			= BT_ISO_QOS_BIG_UNSET,
 897		.bis			= BT_ISO_QOS_BIS_UNSET,
 898		.sync_factor		= 0x01,
 899		.packing		= 0x00,
 900		.framing		= 0x00,
 901		.in			= DEFAULT_IO_QOS,
 902		.out			= DEFAULT_IO_QOS,
 903		.encryption		= 0x00,
 904		.bcode			= {0x00},
 905		.options		= 0x00,
 906		.skip			= 0x0000,
 907		.sync_timeout		= BT_ISO_SYNC_TIMEOUT,
 908		.sync_cte_type		= 0x00,
 909		.mse			= 0x00,
 910		.timeout		= BT_ISO_SYNC_TIMEOUT,
 911	},
 912};
 913
 914static struct sock *iso_sock_alloc(struct net *net, struct socket *sock,
 915				   int proto, gfp_t prio, int kern)
 916{
 917	struct sock *sk;
 918
 919	sk = bt_sock_alloc(net, sock, &iso_proto, proto, prio, kern);
 920	if (!sk)
 921		return NULL;
 922
 923	sk->sk_destruct = iso_sock_destruct;
 924	sk->sk_sndtimeo = ISO_CONN_TIMEOUT;
 925
 926	/* Set address type as public as default src address is BDADDR_ANY */
 927	iso_pi(sk)->src_type = BDADDR_LE_PUBLIC;
 928
 929	iso_pi(sk)->qos = default_qos;
 930	iso_pi(sk)->sync_handle = -1;
 931
 932	bt_sock_link(&iso_sk_list, sk);
 933	return sk;
 934}
 935
 936static int iso_sock_create(struct net *net, struct socket *sock, int protocol,
 937			   int kern)
 938{
 939	struct sock *sk;
 940
 941	BT_DBG("sock %p", sock);
 942
 943	sock->state = SS_UNCONNECTED;
 944
 945	if (sock->type != SOCK_SEQPACKET)
 946		return -ESOCKTNOSUPPORT;
 947
 948	sock->ops = &iso_sock_ops;
 949
 950	sk = iso_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
 951	if (!sk)
 952		return -ENOMEM;
 953
 954	iso_sock_init(sk, NULL);
 955	return 0;
 956}
 957
 958static int iso_sock_bind_bc(struct socket *sock, struct sockaddr_unsized *addr,
 959			    int addr_len)
 960{
 961	struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
 962	struct sock *sk = sock->sk;
 963	int i;
 964
 965	BT_DBG("sk %p bc_sid %u bc_num_bis %u", sk, sa->iso_bc->bc_sid,
 966	       sa->iso_bc->bc_num_bis);
 967
 968	if (addr_len != sizeof(*sa) + sizeof(*sa->iso_bc))
 969		return -EINVAL;
 970
 971	bacpy(&iso_pi(sk)->dst, &sa->iso_bc->bc_bdaddr);
 972
 973	/* Check if the address type is of LE type */
 974	if (!bdaddr_type_is_le(sa->iso_bc->bc_bdaddr_type))
 975		return -EINVAL;
 976
 977	iso_pi(sk)->dst_type = sa->iso_bc->bc_bdaddr_type;
 978
 979	if (sa->iso_bc->bc_sid > 0x0f && sa->iso_bc->bc_sid != HCI_SID_INVALID)
 980		return -EINVAL;
 981
 982	iso_pi(sk)->bc_sid = sa->iso_bc->bc_sid;
 983
 984	if (sa->iso_bc->bc_num_bis > ISO_MAX_NUM_BIS)
 985		return -EINVAL;
 986
 987	iso_pi(sk)->bc_num_bis = sa->iso_bc->bc_num_bis;
 988
 989	for (i = 0; i < iso_pi(sk)->bc_num_bis; i++)
 990		if (sa->iso_bc->bc_bis[i] < 0x01 ||
 991		    sa->iso_bc->bc_bis[i] > 0x1f)
 992			return -EINVAL;
 993
 994	memcpy(iso_pi(sk)->bc_bis, sa->iso_bc->bc_bis,
 995	       iso_pi(sk)->bc_num_bis);
 996
 997	return 0;
 998}
 999
1000/* Must be called on the locked socket. */
1001static int iso_sock_rebind_bis(struct sock *sk, struct sockaddr_iso *sa,
1002			       int addr_len)
1003{
1004	int err = 0;
1005
1006	if (!test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags))
1007		return -EBADFD;
1008
1009	if (sa->iso_bc->bc_num_bis > ISO_MAX_NUM_BIS) {
1010		err = -EINVAL;
1011		goto done;
1012	}
1013
1014	iso_pi(sk)->bc_num_bis = sa->iso_bc->bc_num_bis;
1015
1016	for (int i = 0; i < iso_pi(sk)->bc_num_bis; i++)
1017		if (sa->iso_bc->bc_bis[i] < 0x01 ||
1018		    sa->iso_bc->bc_bis[i] > 0x1f) {
1019			err = -EINVAL;
1020			goto done;
1021		}
1022
1023	memcpy(iso_pi(sk)->bc_bis, sa->iso_bc->bc_bis,
1024	       iso_pi(sk)->bc_num_bis);
1025
1026done:
1027	return err;
1028}
1029
1030static struct hci_dev *iso_conn_get_hdev(struct iso_conn *conn)
1031{
1032	struct hci_dev *hdev = NULL;
1033
1034	iso_conn_lock(conn);
1035	if (conn->hcon)
1036		hdev = hci_dev_hold(conn->hcon->hdev);
1037	iso_conn_unlock(conn);
1038
1039	return hdev;
1040}
1041
1042/* Must be called on the locked socket. */
1043static int iso_sock_rebind_bc(struct sock *sk, struct sockaddr_iso *sa,
1044			      int addr_len)
1045{
1046	struct hci_dev *hdev;
1047	struct hci_conn *bis;
1048	int err;
1049
1050	if (sk->sk_type != SOCK_SEQPACKET || !iso_pi(sk)->conn)
1051		return -EINVAL;
1052
1053	/* Check if it is really a Broadcast address being requested */
1054	if (addr_len != sizeof(*sa) + sizeof(*sa->iso_bc))
1055		return -EINVAL;
1056
1057	/* Check if the address hasn't changed then perhaps only the number of
1058	 * bis has changed.
1059	 */
1060	if (!bacmp(&iso_pi(sk)->dst, &sa->iso_bc->bc_bdaddr) ||
1061	    !bacmp(&sa->iso_bc->bc_bdaddr, BDADDR_ANY))
1062		return iso_sock_rebind_bis(sk, sa, addr_len);
1063
1064	/* Check if the address type is of LE type */
1065	if (!bdaddr_type_is_le(sa->iso_bc->bc_bdaddr_type))
1066		return -EINVAL;
1067
1068	hdev = iso_conn_get_hdev(iso_pi(sk)->conn);
1069	if (!hdev)
1070		return -EINVAL;
1071
1072	bis = iso_pi(sk)->conn->hcon;
1073
1074	/* Release the socket before lookups since that requires hci_dev_lock
1075	 * which shall not be acquired while holding sock_lock for proper
1076	 * ordering.
1077	 */
1078	release_sock(sk);
1079	hci_dev_lock(bis->hdev);
1080	lock_sock(sk);
1081
1082	if (!iso_pi(sk)->conn || iso_pi(sk)->conn->hcon != bis) {
1083		/* raced with iso_conn_del() or iso_disconn_sock() */
1084		err = -ENOTCONN;
1085		goto unlock;
1086	}
1087
1088	BT_DBG("sk %p %pMR type %u", sk, &sa->iso_bc->bc_bdaddr,
1089	       sa->iso_bc->bc_bdaddr_type);
1090
1091	err = hci_past_bis(bis, &sa->iso_bc->bc_bdaddr,
1092			   le_addr_type(sa->iso_bc->bc_bdaddr_type));
1093
1094unlock:
1095	hci_dev_unlock(hdev);
1096	hci_dev_put(hdev);
1097
1098	return err;
1099}
1100
1101static int iso_sock_bind(struct socket *sock, struct sockaddr_unsized *addr,
1102			 int addr_len)
1103{
1104	struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
1105	struct sock *sk = sock->sk;
1106	int err = 0;
1107
1108	BT_DBG("sk %p %pMR type %u", sk, &sa->iso_bdaddr, sa->iso_bdaddr_type);
1109
1110	if (!addr || addr_len < sizeof(struct sockaddr_iso) ||
1111	    addr->sa_family != AF_BLUETOOTH)
1112		return -EINVAL;
1113
1114	lock_sock(sk);
1115
1116	if ((sk->sk_state == BT_CONNECT2 || sk->sk_state == BT_CONNECTED) &&
1117	    addr_len > sizeof(*sa)) {
1118		/* Allow the user to rebind to a different address using
1119		 * PAST procedures.
1120		 */
1121		err = iso_sock_rebind_bc(sk, sa, addr_len);
1122		goto done;
1123	}
1124
1125	if (sk->sk_state != BT_OPEN) {
1126		err = -EBADFD;
1127		goto done;
1128	}
1129
1130	if (sk->sk_type != SOCK_SEQPACKET) {
1131		err = -EINVAL;
1132		goto done;
1133	}
1134
1135	/* Check if the address type is of LE type */
1136	if (!bdaddr_type_is_le(sa->iso_bdaddr_type)) {
1137		err = -EINVAL;
1138		goto done;
1139	}
1140
1141	bacpy(&iso_pi(sk)->src, &sa->iso_bdaddr);
1142	iso_pi(sk)->src_type = sa->iso_bdaddr_type;
1143
1144	/* Check for Broadcast address */
1145	if (addr_len > sizeof(*sa)) {
1146		err = iso_sock_bind_bc(sock, addr, addr_len);
1147		if (err)
1148			goto done;
1149	}
1150
1151	sk->sk_state = BT_BOUND;
1152
1153done:
1154	release_sock(sk);
1155	return err;
1156}
1157
1158static int iso_sock_connect(struct socket *sock, struct sockaddr_unsized *addr,
1159			    int alen, int flags)
1160{
1161	struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
1162	struct sock *sk = sock->sk;
1163	int err;
1164
1165	BT_DBG("sk %p", sk);
1166
1167	if (alen < sizeof(struct sockaddr_iso) ||
1168	    addr->sa_family != AF_BLUETOOTH)
1169		return -EINVAL;
1170
1171	if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND)
1172		return -EBADFD;
1173
1174	if (sk->sk_type != SOCK_SEQPACKET)
1175		return -EINVAL;
1176
1177	/* Check if the address type is of LE type */
1178	if (!bdaddr_type_is_le(sa->iso_bdaddr_type))
1179		return -EINVAL;
1180
1181	lock_sock(sk);
1182
1183	bacpy(&iso_pi(sk)->dst, &sa->iso_bdaddr);
1184	iso_pi(sk)->dst_type = sa->iso_bdaddr_type;
1185
1186	release_sock(sk);
1187
1188	if (bacmp(&sa->iso_bdaddr, BDADDR_ANY))
1189		err = iso_connect_cis(sk);
1190	else
1191		err = iso_connect_bis(sk);
1192
1193	if (err)
1194		return err;
1195
1196	lock_sock(sk);
1197
1198	if (!test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
1199		err = bt_sock_wait_state(sk, BT_CONNECTED,
1200					 sock_sndtimeo(sk, flags & O_NONBLOCK));
1201	}
1202
1203	release_sock(sk);
1204	return err;
1205}
1206
1207static int iso_listen_bis(struct sock *sk)
1208{
1209	struct hci_dev *hdev;
1210	int err = 0;
1211	struct iso_conn *conn;
1212	struct hci_conn *hcon;
1213
1214	BT_DBG("%pMR -> %pMR (SID 0x%2.2x)", &iso_pi(sk)->src,
1215	       &iso_pi(sk)->dst, iso_pi(sk)->bc_sid);
1216
1217	write_lock(&iso_sk_list.lock);
1218
1219	if (__iso_get_sock_listen_by_sid(&iso_pi(sk)->src, &iso_pi(sk)->dst,
1220					 iso_pi(sk)->bc_sid))
1221		err = -EADDRINUSE;
1222
1223	write_unlock(&iso_sk_list.lock);
1224
1225	if (err)
1226		return err;
1227
1228	hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
1229			     iso_pi(sk)->src_type);
1230	if (!hdev)
1231		return -EHOSTUNREACH;
1232
1233	hci_dev_lock(hdev);
1234	lock_sock(sk);
1235
1236	/* Fail if user set invalid QoS */
1237	if (iso_pi(sk)->qos_user_set && !check_bcast_qos(&iso_pi(sk)->qos)) {
1238		iso_pi(sk)->qos = default_qos;
1239		err = -EINVAL;
1240		goto unlock;
1241	}
1242
1243	hcon = hci_pa_create_sync(hdev, &iso_pi(sk)->dst,
1244				  le_addr_type(iso_pi(sk)->dst_type),
1245				  iso_pi(sk)->bc_sid, &iso_pi(sk)->qos);
1246	if (IS_ERR(hcon)) {
1247		err = PTR_ERR(hcon);
1248		goto unlock;
1249	}
1250
1251	conn = iso_conn_add(hcon);
1252	if (!conn) {
1253		hci_conn_drop(hcon);
1254		err = -ENOMEM;
1255		goto unlock;
1256	}
1257
1258	err = iso_chan_add(conn, sk, NULL);
1259	if (err) {
1260		hci_conn_drop(hcon);
1261		goto unlock;
1262	}
1263
1264unlock:
1265	release_sock(sk);
1266	hci_dev_unlock(hdev);
1267	hci_dev_put(hdev);
1268	return err;
1269}
1270
1271static int iso_listen_cis(struct sock *sk)
1272{
1273	int err = 0;
1274
1275	BT_DBG("%pMR", &iso_pi(sk)->src);
1276
1277	write_lock(&iso_sk_list.lock);
1278
1279	if (__iso_get_sock_listen_by_addr(&iso_pi(sk)->src, &iso_pi(sk)->dst))
1280		err = -EADDRINUSE;
1281
1282	write_unlock(&iso_sk_list.lock);
1283
1284	return err;
1285}
1286
1287static int iso_sock_listen(struct socket *sock, int backlog)
1288{
1289	struct sock *sk = sock->sk;
1290	int err = 0;
1291
1292	BT_DBG("sk %p backlog %d", sk, backlog);
1293
1294	sock_hold(sk);
1295	lock_sock(sk);
1296
1297	if (sk->sk_state != BT_BOUND) {
1298		err = -EBADFD;
1299		goto done;
1300	}
1301
1302	if (sk->sk_type != SOCK_SEQPACKET) {
1303		err = -EINVAL;
1304		goto done;
1305	}
1306
1307	if (!bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) {
1308		err = iso_listen_cis(sk);
1309	} else {
1310		/* Drop sock lock to avoid potential
1311		 * deadlock with the hdev lock.
1312		 */
1313		release_sock(sk);
1314		err = iso_listen_bis(sk);
1315		lock_sock(sk);
1316	}
1317
1318	if (err)
1319		goto done;
1320
1321	sk->sk_max_ack_backlog = backlog;
1322	sk->sk_ack_backlog = 0;
1323
1324	sk->sk_state = BT_LISTEN;
1325
1326done:
1327	release_sock(sk);
1328	sock_put(sk);
1329	return err;
1330}
1331
1332static int iso_sock_accept(struct socket *sock, struct socket *newsock,
1333			   struct proto_accept_arg *arg)
1334{
1335	DEFINE_WAIT_FUNC(wait, woken_wake_function);
1336	struct sock *sk = sock->sk, *ch;
1337	long timeo;
1338	int err = 0;
1339
1340	/* Use explicit nested locking to avoid lockdep warnings generated
1341	 * because the parent socket and the child socket are locked on the
1342	 * same thread.
1343	 */
1344	lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1345
1346	timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK);
1347
1348	BT_DBG("sk %p timeo %ld", sk, timeo);
1349
1350	/* Wait for an incoming connection. (wake-one). */
1351	add_wait_queue_exclusive(sk_sleep(sk), &wait);
1352	while (1) {
1353		if (sk->sk_state != BT_LISTEN) {
1354			err = -EBADFD;
1355			break;
1356		}
1357
1358		ch = bt_accept_dequeue(sk, newsock);
1359		if (ch)
1360			break;
1361
1362		if (!timeo) {
1363			err = -EAGAIN;
1364			break;
1365		}
1366
1367		if (signal_pending(current)) {
1368			err = sock_intr_errno(timeo);
1369			break;
1370		}
1371
1372		release_sock(sk);
1373
1374		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
1375		lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1376	}
1377	remove_wait_queue(sk_sleep(sk), &wait);
1378
1379	if (err)
1380		goto done;
1381
1382	newsock->state = SS_CONNECTED;
1383
1384	BT_DBG("new socket %p", ch);
1385
1386	/* A Broadcast Sink might require BIG sync to be terminated
1387	 * and re-established multiple times, while keeping the same
1388	 * PA sync handle active. To allow this, once all BIS
1389	 * connections have been accepted on a PA sync parent socket,
1390	 * "reset" socket state, to allow future BIG re-sync procedures.
1391	 */
1392	if (test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) {
1393		/* Iterate through the list of bound BIS indices
1394		 * and clear each BIS as they are accepted by the
1395		 * user space, one by one.
1396		 */
1397		for (int i = 0; i < iso_pi(sk)->bc_num_bis; i++) {
1398			if (iso_pi(sk)->bc_bis[i] > 0) {
1399				iso_pi(sk)->bc_bis[i] = 0;
1400				iso_pi(sk)->bc_num_bis--;
1401				break;
1402			}
1403		}
1404
1405		if (iso_pi(sk)->bc_num_bis == 0) {
1406			/* Once the last BIS was accepted, reset parent
1407			 * socket parameters to mark that the listening
1408			 * process for BIS connections has been completed:
1409			 *
1410			 * 1. Reset the DEFER setup flag on the parent sk.
1411			 * 2. Clear the flag marking that the BIG create
1412			 *    sync command is pending.
1413			 * 3. Transition socket state from BT_LISTEN to
1414			 *    BT_CONNECTED.
1415			 */
1416			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
1417			clear_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags);
1418			sk->sk_state = BT_CONNECTED;
1419		}
1420	}
1421
1422done:
1423	release_sock(sk);
1424	return err;
1425}
1426
1427static int iso_sock_getname(struct socket *sock, struct sockaddr *addr,
1428			    int peer)
1429{
1430	struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
1431	struct sock *sk = sock->sk;
1432	int len = sizeof(struct sockaddr_iso);
1433
1434	BT_DBG("sock %p, sk %p", sock, sk);
1435
1436	addr->sa_family = AF_BLUETOOTH;
1437
1438	if (peer) {
1439		struct hci_conn *hcon = iso_pi(sk)->conn ?
1440					iso_pi(sk)->conn->hcon : NULL;
1441
1442		bacpy(&sa->iso_bdaddr, &iso_pi(sk)->dst);
1443		sa->iso_bdaddr_type = iso_pi(sk)->dst_type;
1444
1445		if (hcon && (hcon->type == BIS_LINK || hcon->type == PA_LINK)) {
1446			sa->iso_bc->bc_sid = iso_pi(sk)->bc_sid;
1447			sa->iso_bc->bc_num_bis = iso_pi(sk)->bc_num_bis;
1448			memcpy(sa->iso_bc->bc_bis, iso_pi(sk)->bc_bis,
1449			       ISO_MAX_NUM_BIS);
1450			len += sizeof(struct sockaddr_iso_bc);
1451		}
1452	} else {
1453		bacpy(&sa->iso_bdaddr, &iso_pi(sk)->src);
1454		sa->iso_bdaddr_type = iso_pi(sk)->src_type;
1455	}
1456
1457	return len;
1458}
1459
1460static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1461			    size_t len)
1462{
1463	struct sock *sk = sock->sk;
1464	struct sk_buff *skb, **frag;
1465	struct sockcm_cookie sockc;
1466	size_t mtu;
1467	int err;
1468
1469	BT_DBG("sock %p, sk %p", sock, sk);
1470
1471	err = sock_error(sk);
1472	if (err)
1473		return err;
1474
1475	if (msg->msg_flags & MSG_OOB)
1476		return -EOPNOTSUPP;
1477
1478	hci_sockcm_init(&sockc, sk);
1479
1480	if (msg->msg_controllen) {
1481		err = sock_cmsg_send(sk, msg, &sockc);
1482		if (err)
1483			return err;
1484	}
1485
1486	lock_sock(sk);
1487
1488	if (sk->sk_state != BT_CONNECTED) {
1489		release_sock(sk);
1490		return -ENOTCONN;
1491	}
1492
1493	mtu = iso_pi(sk)->conn->hcon->mtu;
1494
1495	release_sock(sk);
1496
1497	skb = bt_skb_sendmsg(sk, msg, len, mtu, HCI_ISO_DATA_HDR_SIZE, 0);
1498	if (IS_ERR(skb))
1499		return PTR_ERR(skb);
1500
1501	len -= skb->len;
1502
1503	BT_DBG("skb %p len %d", sk, skb->len);
1504
1505	/* Continuation fragments */
1506	frag = &skb_shinfo(skb)->frag_list;
1507	while (len) {
1508		struct sk_buff *tmp;
1509
1510		tmp = bt_skb_sendmsg(sk, msg, len, mtu, 0, 0);
1511		if (IS_ERR(tmp)) {
1512			kfree_skb(skb);
1513			return PTR_ERR(tmp);
1514		}
1515
1516		*frag = tmp;
1517
1518		len  -= tmp->len;
1519
1520		skb->len += tmp->len;
1521		skb->data_len += tmp->len;
1522
1523		BT_DBG("frag %p len %d", *frag, tmp->len);
1524
1525		frag = &(*frag)->next;
1526	}
1527
1528	lock_sock(sk);
1529
1530	if (sk->sk_state == BT_CONNECTED)
1531		err = iso_send_frame(sk, skb, &sockc);
1532	else
1533		err = -ENOTCONN;
1534
1535	release_sock(sk);
1536
1537	if (err < 0)
1538		kfree_skb(skb);
1539	return err;
1540}
1541
1542static void iso_conn_defer_accept(struct hci_conn *conn)
1543{
1544	struct hci_cp_le_accept_cis cp;
1545	struct hci_dev *hdev = conn->hdev;
1546
1547	BT_DBG("conn %p", conn);
1548
1549	conn->state = BT_CONFIG;
1550
1551	cp.handle = cpu_to_le16(conn->handle);
1552
1553	hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
1554}
1555
1556static void iso_conn_big_sync(struct sock *sk)
1557{
1558	int err;
1559	struct hci_dev *hdev;
1560
1561	hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
1562			     iso_pi(sk)->src_type);
1563
1564	if (!hdev)
1565		return;
1566
1567	/* hci_le_big_create_sync requires hdev lock to be held, since
1568	 * it enqueues the HCI LE BIG Create Sync command via
1569	 * hci_cmd_sync_queue_once, which checks hdev flags that might
1570	 * change.
1571	 */
1572	hci_dev_lock(hdev);
1573	lock_sock(sk);
1574
1575	if (!test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) {
1576		err = hci_conn_big_create_sync(hdev, iso_pi(sk)->conn->hcon,
1577					       &iso_pi(sk)->qos,
1578					       iso_pi(sk)->sync_handle,
1579					       iso_pi(sk)->bc_num_bis,
1580					       iso_pi(sk)->bc_bis);
1581		if (err)
1582			bt_dev_err(hdev, "hci_big_create_sync: %d", err);
1583	}
1584
1585	release_sock(sk);
1586	hci_dev_unlock(hdev);
1587}
1588
1589static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1590			    size_t len, int flags)
1591{
1592	struct sock *sk = sock->sk;
1593	struct iso_pinfo *pi = iso_pi(sk);
1594	bool early_ret = false;
1595	int err = 0;
1596
1597	BT_DBG("sk %p", sk);
1598
1599	if (unlikely(flags & MSG_ERRQUEUE))
1600		return sock_recv_errqueue(sk, msg, len, SOL_BLUETOOTH,
1601					  BT_SCM_ERROR);
1602
1603	if (test_and_clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
1604		sock_hold(sk);
1605		lock_sock(sk);
1606
1607		switch (sk->sk_state) {
1608		case BT_CONNECT2:
1609			if (test_bit(BT_SK_PA_SYNC, &pi->flags)) {
1610				release_sock(sk);
1611				iso_conn_big_sync(sk);
1612				lock_sock(sk);
1613
1614				sk->sk_state = BT_LISTEN;
1615			} else {
1616				iso_conn_defer_accept(pi->conn->hcon);
1617				sk->sk_state = BT_CONFIG;
1618			}
1619
1620			early_ret = true;
1621			break;
1622		case BT_CONNECTED:
1623			if (test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) {
1624				release_sock(sk);
1625				iso_conn_big_sync(sk);
1626				lock_sock(sk);
1627
1628				sk->sk_state = BT_LISTEN;
1629				early_ret = true;
1630			}
1631
1632			break;
1633		case BT_CONNECT:
1634			release_sock(sk);
1635			err = iso_connect_cis(sk);
1636			lock_sock(sk);
1637
1638			early_ret = true;
1639			break;
1640		default:
1641			break;
1642		}
1643
1644		release_sock(sk);
1645		sock_put(sk);
1646
1647		if (early_ret)
1648			return err;
1649	}
1650
1651	return bt_sock_recvmsg(sock, msg, len, flags);
1652}
1653
1654static bool check_io_qos(struct bt_iso_io_qos *qos)
1655{
1656	/* If no PHY is enable SDU must be 0 */
1657	if (!qos->phys && qos->sdu)
1658		return false;
1659
1660	if (qos->interval && (qos->interval < 0xff || qos->interval > 0xfffff))
1661		return false;
1662
1663	if (qos->latency && (qos->latency < 0x05 || qos->latency > 0xfa0))
1664		return false;
1665
1666	if (qos->phys > BT_ISO_PHY_ANY)
1667		return false;
1668
1669	return true;
1670}
1671
1672static bool check_ucast_qos(struct bt_iso_qos *qos)
1673{
1674	if (qos->ucast.cig > 0xef && qos->ucast.cig != BT_ISO_QOS_CIG_UNSET)
1675		return false;
1676
1677	if (qos->ucast.cis > 0xef && qos->ucast.cis != BT_ISO_QOS_CIS_UNSET)
1678		return false;
1679
1680	if (qos->ucast.sca > 0x07)
1681		return false;
1682
1683	if (qos->ucast.packing > 0x01)
1684		return false;
1685
1686	if (qos->ucast.framing > 0x01)
1687		return false;
1688
1689	if (!check_io_qos(&qos->ucast.in))
1690		return false;
1691
1692	if (!check_io_qos(&qos->ucast.out))
1693		return false;
1694
1695	return true;
1696}
1697
1698static bool check_bcast_qos(struct bt_iso_qos *qos)
1699{
1700	if (!qos->bcast.sync_factor)
1701		qos->bcast.sync_factor = 0x01;
1702
1703	if (qos->bcast.packing > 0x01)
1704		return false;
1705
1706	if (qos->bcast.framing > 0x01)
1707		return false;
1708
1709	if (!check_io_qos(&qos->bcast.in))
1710		return false;
1711
1712	if (!check_io_qos(&qos->bcast.out))
1713		return false;
1714
1715	if (qos->bcast.encryption > 0x01)
1716		return false;
1717
1718	if (qos->bcast.options > 0x07)
1719		return false;
1720
1721	if (qos->bcast.skip > 0x01f3)
1722		return false;
1723
1724	if (!qos->bcast.sync_timeout)
1725		qos->bcast.sync_timeout = BT_ISO_SYNC_TIMEOUT;
1726
1727	if (qos->bcast.sync_timeout < 0x000a || qos->bcast.sync_timeout > 0x4000)
1728		return false;
1729
1730	if (qos->bcast.sync_cte_type > 0x1f)
1731		return false;
1732
1733	if (qos->bcast.mse > 0x1f)
1734		return false;
1735
1736	if (!qos->bcast.timeout)
1737		qos->bcast.sync_timeout = BT_ISO_SYNC_TIMEOUT;
1738
1739	if (qos->bcast.timeout < 0x000a || qos->bcast.timeout > 0x4000)
1740		return false;
1741
1742	return true;
1743}
1744
1745static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
1746			       sockptr_t optval, unsigned int optlen)
1747{
1748	struct sock *sk = sock->sk;
1749	int err = 0;
1750	struct bt_iso_qos qos = default_qos;
1751	u32 opt;
1752
1753	BT_DBG("sk %p", sk);
1754
1755	lock_sock(sk);
1756
1757	switch (optname) {
1758	case BT_DEFER_SETUP:
1759		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1760			err = -EINVAL;
1761			break;
1762		}
1763
1764		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
1765		if (err)
1766			break;
1767
1768		if (opt)
1769			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
1770		else
1771			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
1772		break;
1773
1774	case BT_PKT_STATUS:
1775		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
1776		if (err)
1777			break;
1778
1779		if (opt)
1780			set_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags);
1781		else
1782			clear_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags);
1783		break;
1784
1785	case BT_PKT_SEQNUM:
1786		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
1787		if (err)
1788			break;
1789
1790		if (opt)
1791			set_bit(BT_SK_PKT_SEQNUM, &bt_sk(sk)->flags);
1792		else
1793			clear_bit(BT_SK_PKT_SEQNUM, &bt_sk(sk)->flags);
1794		break;
1795
1796	case BT_ISO_QOS:
1797		if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND &&
1798		    sk->sk_state != BT_CONNECT2 &&
1799		    (!test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags) ||
1800		    sk->sk_state != BT_CONNECTED)) {
1801			err = -EINVAL;
1802			break;
1803		}
1804
1805		err = copy_safe_from_sockptr(&qos, sizeof(qos), optval, optlen);
1806		if (err)
1807			break;
1808
1809		iso_pi(sk)->qos = qos;
1810		iso_pi(sk)->qos_user_set = true;
1811
1812		break;
1813
1814	case BT_ISO_BASE:
1815		if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND &&
1816		    sk->sk_state != BT_CONNECT2) {
1817			err = -EINVAL;
1818			break;
1819		}
1820
1821		if (optlen > sizeof(iso_pi(sk)->base)) {
1822			err = -EINVAL;
1823			break;
1824		}
1825
1826		err = copy_safe_from_sockptr(iso_pi(sk)->base, optlen, optval,
1827					     optlen);
1828		if (err)
1829			break;
1830
1831		iso_pi(sk)->base_len = optlen;
1832
1833		break;
1834
1835	default:
1836		err = -ENOPROTOOPT;
1837		break;
1838	}
1839
1840	release_sock(sk);
1841	return err;
1842}
1843
1844static int iso_sock_getsockopt(struct socket *sock, int level, int optname,
1845			       char __user *optval, int __user *optlen)
1846{
1847	struct sock *sk = sock->sk;
1848	int len, err = 0;
1849	struct bt_iso_qos *qos;
1850	u8 base_len;
1851	u8 *base;
1852
1853	BT_DBG("sk %p", sk);
1854
1855	if (get_user(len, optlen))
1856		return -EFAULT;
1857
1858	lock_sock(sk);
1859
1860	switch (optname) {
1861	case BT_DEFER_SETUP:
1862		if (sk->sk_state == BT_CONNECTED) {
1863			err = -EINVAL;
1864			break;
1865		}
1866
1867		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
1868			     (u32 __user *)optval))
1869			err = -EFAULT;
1870
1871		break;
1872
1873	case BT_PKT_STATUS:
1874		if (put_user(test_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags),
1875			     (int __user *)optval))
1876			err = -EFAULT;
1877		break;
1878
1879	case BT_ISO_QOS:
1880		qos = iso_sock_get_qos(sk);
1881
1882		len = min_t(unsigned int, len, sizeof(*qos));
1883		if (copy_to_user(optval, qos, len))
1884			err = -EFAULT;
1885
1886		break;
1887
1888	case BT_ISO_BASE:
1889		if (sk->sk_state == BT_CONNECTED &&
1890		    !bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) {
1891			base_len = iso_pi(sk)->conn->hcon->le_per_adv_data_len;
1892			base = iso_pi(sk)->conn->hcon->le_per_adv_data;
1893		} else {
1894			base_len = iso_pi(sk)->base_len;
1895			base = iso_pi(sk)->base;
1896		}
1897
1898		len = min_t(unsigned int, len, base_len);
1899		if (copy_to_user(optval, base, len))
1900			err = -EFAULT;
1901		if (put_user(len, optlen))
1902			err = -EFAULT;
1903
1904		break;
1905
1906	default:
1907		err = -ENOPROTOOPT;
1908		break;
1909	}
1910
1911	release_sock(sk);
1912	return err;
1913}
1914
1915static int iso_sock_shutdown(struct socket *sock, int how)
1916{
1917	struct sock *sk = sock->sk;
1918	int err = 0;
1919
1920	BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1921
1922	if (!sk)
1923		return 0;
1924
1925	sock_hold(sk);
1926	lock_sock(sk);
1927
1928	switch (how) {
1929	case SHUT_RD:
1930		if (sk->sk_shutdown & RCV_SHUTDOWN)
1931			goto unlock;
1932		sk->sk_shutdown |= RCV_SHUTDOWN;
1933		break;
1934	case SHUT_WR:
1935		if (sk->sk_shutdown & SEND_SHUTDOWN)
1936			goto unlock;
1937		sk->sk_shutdown |= SEND_SHUTDOWN;
1938		break;
1939	case SHUT_RDWR:
1940		if (sk->sk_shutdown & SHUTDOWN_MASK)
1941			goto unlock;
1942		sk->sk_shutdown |= SHUTDOWN_MASK;
1943		break;
1944	}
1945
1946	iso_sock_clear_timer(sk);
1947	__iso_sock_close(sk);
1948
1949	if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1950	    !(current->flags & PF_EXITING))
1951		err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
1952
1953unlock:
1954	release_sock(sk);
1955	sock_put(sk);
1956
1957	return err;
1958}
1959
1960static int iso_sock_release(struct socket *sock)
1961{
1962	struct sock *sk = sock->sk;
1963	int err = 0;
1964
1965	BT_DBG("sock %p, sk %p", sock, sk);
1966
1967	if (!sk)
1968		return 0;
1969
1970	iso_sock_close(sk);
1971
1972	if (sock_flag(sk, SOCK_LINGER) && READ_ONCE(sk->sk_lingertime) &&
1973	    !(current->flags & PF_EXITING)) {
1974		lock_sock(sk);
1975		err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
1976		release_sock(sk);
1977	}
1978
1979	sock_orphan(sk);
1980	iso_sock_kill(sk);
1981	return err;
1982}
1983
1984static void iso_sock_ready(struct sock *sk)
1985{
1986	BT_DBG("sk %p", sk);
1987
1988	if (!sk)
1989		return;
1990
1991	lock_sock(sk);
1992	iso_sock_clear_timer(sk);
1993	sk->sk_state = BT_CONNECTED;
1994	sk->sk_state_change(sk);
1995	release_sock(sk);
1996}
1997
1998static bool iso_match_big(struct sock *sk, void *data)
1999{
2000	struct hci_evt_le_big_sync_established *ev = data;
2001
2002	return ev->handle == iso_pi(sk)->qos.bcast.big;
2003}
2004
2005static bool iso_match_big_hcon(struct sock *sk, void *data)
2006{
2007	struct hci_conn *hcon = data;
2008
2009	return hcon->iso_qos.bcast.big == iso_pi(sk)->qos.bcast.big;
2010}
2011
2012static bool iso_match_pa_sync_flag(struct sock *sk, void *data)
2013{
2014	return test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags);
2015}
2016
2017static bool iso_match_dst(struct sock *sk, void *data)
2018{
2019	return !bacmp(&iso_pi(sk)->dst, (bdaddr_t *)data);
2020}
2021
2022static void iso_conn_ready(struct iso_conn *conn)
2023{
2024	struct sock *parent = NULL;
2025	struct sock *sk = conn->sk;
2026	struct hci_ev_le_big_sync_established *ev = NULL;
2027	struct hci_ev_le_pa_sync_established *ev2 = NULL;
2028	struct hci_ev_le_per_adv_report *ev3 = NULL;
2029	struct hci_conn *hcon;
2030	struct hci_dev *hdev;
2031
2032	BT_DBG("conn %p", conn);
2033
2034	if (sk) {
2035		/* Attempt to update source address in case of BIS Sender if
2036		 * the advertisement is using a random address.
2037		 */
2038		if (conn->hcon->type == BIS_LINK &&
2039		    conn->hcon->role == HCI_ROLE_MASTER &&
2040		    !bacmp(&conn->hcon->dst, BDADDR_ANY)) {
2041			struct hci_conn *bis = conn->hcon;
2042			struct adv_info *adv;
2043
2044			adv = hci_find_adv_instance(bis->hdev,
2045						    bis->iso_qos.bcast.bis);
2046			if (adv && bacmp(&adv->random_addr, BDADDR_ANY)) {
2047				lock_sock(sk);
2048				iso_pi(sk)->src_type = BDADDR_LE_RANDOM;
2049				bacpy(&iso_pi(sk)->src, &adv->random_addr);
2050				release_sock(sk);
2051			}
2052		}
2053
2054		iso_sock_ready(conn->sk);
2055	} else {
2056		hcon = conn->hcon;
2057		if (!hcon)
2058			return;
2059
2060		hdev = hcon->hdev;
2061
2062		if (test_bit(HCI_CONN_BIG_SYNC, &hcon->flags)) {
2063			/* A BIS slave hcon is notified to the ISO layer
2064			 * after the Command Complete for the LE Setup
2065			 * ISO Data Path command is received. Get the
2066			 * parent socket that matches the hcon BIG handle.
2067			 */
2068			parent = iso_get_sock(hdev, &hcon->src, &hcon->dst,
2069					      BT_LISTEN, iso_match_big_hcon,
2070					      hcon);
2071		} else if (test_bit(HCI_CONN_BIG_SYNC_FAILED, &hcon->flags)) {
2072			ev = hci_recv_event_data(hcon->hdev,
2073						 HCI_EVT_LE_BIG_SYNC_ESTABLISHED);
2074
2075			/* Get reference to PA sync parent socket, if it exists */
2076			parent = iso_get_sock(hdev, &hcon->src, &hcon->dst,
2077					      BT_LISTEN,
2078					      iso_match_pa_sync_flag,
2079					      NULL);
2080			if (!parent && ev)
2081				parent = iso_get_sock(hdev, &hcon->src,
2082						      &hcon->dst,
2083						      BT_LISTEN,
2084						      iso_match_big, ev);
2085		} else if (test_bit(HCI_CONN_PA_SYNC_FAILED, &hcon->flags)) {
2086			ev2 = hci_recv_event_data(hcon->hdev,
2087						  HCI_EV_LE_PA_SYNC_ESTABLISHED);
2088			if (ev2)
2089				parent = iso_get_sock(hdev, &hcon->src,
2090						      &hcon->dst,
2091						      BT_LISTEN,
2092						      iso_match_sid, ev2);
2093		} else if (test_bit(HCI_CONN_PA_SYNC, &hcon->flags)) {
2094			ev3 = hci_recv_event_data(hcon->hdev,
2095						  HCI_EV_LE_PER_ADV_REPORT);
2096			if (ev3)
2097				parent = iso_get_sock(hdev, &hcon->src,
2098						      &hcon->dst,
2099						      BT_LISTEN,
2100						      iso_match_sync_handle_pa_report,
2101						      ev3);
2102		}
2103
2104		if (!parent)
2105			parent = iso_get_sock(hdev, &hcon->src, BDADDR_ANY,
2106					      BT_LISTEN, iso_match_dst, BDADDR_ANY);
2107
2108		if (!parent)
2109			return;
2110
2111		lock_sock(parent);
2112
2113		sk = iso_sock_alloc(sock_net(parent), NULL,
2114				    BTPROTO_ISO, GFP_ATOMIC, 0);
2115		if (!sk) {
2116			release_sock(parent);
2117			return;
2118		}
2119
2120		iso_sock_init(sk, parent);
2121
2122		bacpy(&iso_pi(sk)->src, &hcon->src);
2123
2124		/* Convert from HCI to three-value type */
2125		if (hcon->src_type == ADDR_LE_DEV_PUBLIC)
2126			iso_pi(sk)->src_type = BDADDR_LE_PUBLIC;
2127		else
2128			iso_pi(sk)->src_type = BDADDR_LE_RANDOM;
2129
2130		/* If hcon has no destination address (BDADDR_ANY) it means it
2131		 * was created by HCI_EV_LE_BIG_SYNC_ESTABILISHED or
2132		 * HCI_EV_LE_PA_SYNC_ESTABLISHED so we need to initialize using
2133		 * the parent socket destination address.
2134		 */
2135		if (!bacmp(&hcon->dst, BDADDR_ANY)) {
2136			bacpy(&hcon->dst, &iso_pi(parent)->dst);
2137			hcon->dst_type = le_addr_type(iso_pi(parent)->dst_type);
2138		}
2139
2140		if (test_bit(HCI_CONN_PA_SYNC, &hcon->flags)) {
2141			iso_pi(sk)->qos = iso_pi(parent)->qos;
2142			hcon->iso_qos = iso_pi(sk)->qos;
2143			iso_pi(sk)->bc_sid = iso_pi(parent)->bc_sid;
2144			iso_pi(sk)->bc_num_bis = iso_pi(parent)->bc_num_bis;
2145			memcpy(iso_pi(sk)->bc_bis, iso_pi(parent)->bc_bis,
2146			       ISO_MAX_NUM_BIS);
2147			set_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags);
2148		}
2149
2150		bacpy(&iso_pi(sk)->dst, &hcon->dst);
2151
2152		/* Convert from HCI to three-value type */
2153		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
2154			iso_pi(sk)->dst_type = BDADDR_LE_PUBLIC;
2155		else
2156			iso_pi(sk)->dst_type = BDADDR_LE_RANDOM;
2157
2158		iso_pi(sk)->sync_handle = iso_pi(parent)->sync_handle;
2159		memcpy(iso_pi(sk)->base, iso_pi(parent)->base, iso_pi(parent)->base_len);
2160		iso_pi(sk)->base_len = iso_pi(parent)->base_len;
2161
2162		hci_conn_hold(hcon);
2163		iso_chan_add(conn, sk, parent);
2164
2165		if ((ev && ((struct hci_evt_le_big_sync_established *)ev)->status) ||
2166		    (ev2 && ev2->status)) {
2167			/* Trigger error signal on child socket */
2168			sk->sk_err = ECONNREFUSED;
2169			sk->sk_error_report(sk);
2170		}
2171
2172		if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
2173			sk->sk_state = BT_CONNECT2;
2174		else
2175			sk->sk_state = BT_CONNECTED;
2176
2177		/* Wake up parent */
2178		parent->sk_data_ready(parent);
2179
2180		release_sock(parent);
2181		sock_put(parent);
2182	}
2183}
2184
2185static bool iso_match_sid(struct sock *sk, void *data)
2186{
2187	struct hci_ev_le_pa_sync_established *ev = data;
2188
2189	if (iso_pi(sk)->bc_sid == HCI_SID_INVALID)
2190		return true;
2191
2192	return ev->sid == iso_pi(sk)->bc_sid;
2193}
2194
2195static bool iso_match_sid_past(struct sock *sk, void *data)
2196{
2197	struct hci_ev_le_past_received *ev = data;
2198
2199	if (iso_pi(sk)->bc_sid == HCI_SID_INVALID)
2200		return true;
2201
2202	return ev->sid == iso_pi(sk)->bc_sid;
2203}
2204
2205static bool iso_match_sync_handle(struct sock *sk, void *data)
2206{
2207	struct hci_evt_le_big_info_adv_report *ev = data;
2208
2209	return le16_to_cpu(ev->sync_handle) == iso_pi(sk)->sync_handle;
2210}
2211
2212static bool iso_match_sync_handle_pa_report(struct sock *sk, void *data)
2213{
2214	struct hci_ev_le_per_adv_report *ev = data;
2215
2216	return le16_to_cpu(ev->sync_handle) == iso_pi(sk)->sync_handle;
2217}
2218
2219/* ----- ISO interface with lower layer (HCI) ----- */
2220
2221int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
2222{
2223	struct hci_ev_le_pa_sync_established *ev1;
2224	struct hci_ev_le_past_received *ev1a;
2225	struct hci_evt_le_big_info_adv_report *ev2;
2226	struct hci_ev_le_per_adv_report *ev3;
2227	struct sock *sk;
2228
2229	bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
2230
2231	/* Broadcast receiver requires handling of some events before it can
2232	 * proceed to establishing a BIG sync:
2233	 *
2234	 * 1. HCI_EV_LE_PA_SYNC_ESTABLISHED: The socket may specify a specific
2235	 * SID to listen to and once sync is established its handle needs to
2236	 * be stored in iso_pi(sk)->sync_handle so it can be matched once
2237	 * receiving the BIG Info.
2238	 * 1a. HCI_EV_LE_PAST_RECEIVED: alternative to 1.
2239	 * 2. HCI_EVT_LE_BIG_INFO_ADV_REPORT: When connect_ind is triggered by a
2240	 * a BIG Info it attempts to check if there any listening socket with
2241	 * the same sync_handle and if it does then attempt to create a sync.
2242	 * 3. HCI_EV_LE_PER_ADV_REPORT: When a PA report is received, it is stored
2243	 * in iso_pi(sk)->base so it can be passed up to user, in the case of a
2244	 * broadcast sink.
2245	 */
2246	ev1 = hci_recv_event_data(hdev, HCI_EV_LE_PA_SYNC_ESTABLISHED);
2247	if (ev1) {
2248		sk = iso_get_sock(hdev, &hdev->bdaddr, bdaddr, BT_LISTEN,
2249				  iso_match_sid, ev1);
2250		if (sk && !ev1->status) {
2251			lock_sock(sk);
2252			iso_pi(sk)->sync_handle = le16_to_cpu(ev1->handle);
2253			iso_pi(sk)->bc_sid = ev1->sid;
2254			release_sock(sk);
2255		}
2256
2257		goto done;
2258	}
2259
2260	ev1a = hci_recv_event_data(hdev, HCI_EV_LE_PAST_RECEIVED);
2261	if (ev1a) {
2262		sk = iso_get_sock(hdev, &hdev->bdaddr, bdaddr, BT_LISTEN,
2263				  iso_match_sid_past, ev1a);
2264		if (sk && !ev1a->status) {
2265			lock_sock(sk);
2266			iso_pi(sk)->sync_handle = le16_to_cpu(ev1a->sync_handle);
2267			iso_pi(sk)->bc_sid = ev1a->sid;
2268			release_sock(sk);
2269		}
2270
2271		goto done;
2272	}
2273
2274	ev2 = hci_recv_event_data(hdev, HCI_EVT_LE_BIG_INFO_ADV_REPORT);
2275	if (ev2) {
2276		/* Check if BIGInfo report has already been handled */
2277		sk = iso_get_sock(hdev, &hdev->bdaddr, bdaddr, BT_CONNECTED,
2278				  iso_match_sync_handle, ev2);
2279		if (sk) {
2280			sock_put(sk);
2281			sk = NULL;
2282			goto done;
2283		}
2284
2285		/* Try to get PA sync socket, if it exists */
2286		sk = iso_get_sock(hdev, &hdev->bdaddr, bdaddr, BT_CONNECT2,
2287				  iso_match_sync_handle, ev2);
2288		if (!sk)
2289			sk = iso_get_sock(hdev, &hdev->bdaddr, bdaddr,
2290					  BT_LISTEN,
2291					  iso_match_sync_handle,
2292					  ev2);
2293
2294		if (sk) {
2295			int err = 0;
2296			bool big_sync;
2297			struct hci_conn *hcon;
2298
2299			lock_sock(sk);
2300
2301			hcon = iso_pi(sk)->conn->hcon;
2302			iso_pi(sk)->qos.bcast.encryption = ev2->encryption;
2303
2304			if (ev2->num_bis < iso_pi(sk)->bc_num_bis)
2305				iso_pi(sk)->bc_num_bis = ev2->num_bis;
2306
2307			big_sync = !test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags) &&
2308				   !test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags);
2309
2310			if (big_sync)
2311				err = hci_conn_big_create_sync(hdev, hcon,
2312							       &iso_pi(sk)->qos,
2313							       iso_pi(sk)->sync_handle,
2314							       iso_pi(sk)->bc_num_bis,
2315							       iso_pi(sk)->bc_bis);
2316
2317			release_sock(sk);
2318
2319			if (big_sync && err) {
2320				bt_dev_err(hdev, "hci_le_big_create_sync: %d",
2321					   err);
2322				sock_put(sk);
2323				sk = NULL;
2324			}
2325		}
2326
2327		goto done;
2328	}
2329
2330	ev3 = hci_recv_event_data(hdev, HCI_EV_LE_PER_ADV_REPORT);
2331	if (ev3) {
2332		size_t base_len = 0;
2333		u8 *base;
2334		struct hci_conn *hcon;
2335
2336		sk = iso_get_sock(hdev, &hdev->bdaddr, bdaddr, BT_LISTEN,
2337				  iso_match_sync_handle_pa_report, ev3);
2338		if (!sk)
2339			goto done;
2340
2341		hcon = iso_pi(sk)->conn->hcon;
2342		if (!hcon)
2343			goto done;
2344
2345		if (ev3->data_status == LE_PA_DATA_TRUNCATED) {
2346			/* The controller was unable to retrieve PA data. */
2347			memset(hcon->le_per_adv_data, 0,
2348			       HCI_MAX_PER_AD_TOT_LEN);
2349			hcon->le_per_adv_data_len = 0;
2350			hcon->le_per_adv_data_offset = 0;
2351			goto done;
2352		}
2353
2354		if (hcon->le_per_adv_data_offset + ev3->length >
2355		    HCI_MAX_PER_AD_TOT_LEN)
2356			goto done;
2357
2358		memcpy(hcon->le_per_adv_data + hcon->le_per_adv_data_offset,
2359		       ev3->data, ev3->length);
2360		hcon->le_per_adv_data_offset += ev3->length;
2361
2362		if (ev3->data_status == LE_PA_DATA_COMPLETE) {
2363			/* All PA data has been received. */
2364			hcon->le_per_adv_data_len =
2365				hcon->le_per_adv_data_offset;
2366			hcon->le_per_adv_data_offset = 0;
2367
2368			/* Extract BASE */
2369			base = eir_get_service_data(hcon->le_per_adv_data,
2370						    hcon->le_per_adv_data_len,
2371						    EIR_BAA_SERVICE_UUID,
2372						    &base_len);
2373
2374			if (!base || base_len > BASE_MAX_LENGTH)
2375				goto done;
2376
2377			lock_sock(sk);
2378			memcpy(iso_pi(sk)->base, base, base_len);
2379			iso_pi(sk)->base_len = base_len;
2380			release_sock(sk);
2381		} else {
2382			/* This is a PA data fragment. Keep pa_data_len set to 0
2383			 * until all data has been reassembled.
2384			 */
2385			hcon->le_per_adv_data_len = 0;
2386		}
2387	} else {
2388		sk = iso_get_sock(hdev, &hdev->bdaddr, BDADDR_ANY,
2389				  BT_LISTEN, iso_match_dst, BDADDR_ANY);
2390	}
2391
2392done:
2393	if (!sk)
2394		return 0;
2395
2396	if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
2397		*flags |= HCI_PROTO_DEFER;
2398
2399	sock_put(sk);
2400
2401	return HCI_LM_ACCEPT;
2402}
2403
2404static void iso_connect_cfm(struct hci_conn *hcon, __u8 status)
2405{
2406	if (hcon->type != CIS_LINK && hcon->type != BIS_LINK &&
2407	    hcon->type != PA_LINK) {
2408		if (hcon->type != LE_LINK)
2409			return;
2410
2411		/* Check if LE link has failed */
2412		if (status) {
2413			struct hci_link *link, *t;
2414
2415			list_for_each_entry_safe(link, t, &hcon->link_list,
2416						 list)
2417				iso_conn_del(link->conn, bt_to_errno(status));
2418
2419			return;
2420		}
2421
2422		/* Create CIS if pending */
2423		hci_le_create_cis_pending(hcon->hdev);
2424		return;
2425	}
2426
2427	BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
2428
2429	/* Similar to the success case, if HCI_CONN_BIG_SYNC_FAILED or
2430	 * HCI_CONN_PA_SYNC_FAILED is set, queue the failed connection
2431	 * into the accept queue of the listening socket and wake up
2432	 * userspace, to inform the user about the event.
2433	 */
2434	if (!status || test_bit(HCI_CONN_BIG_SYNC_FAILED, &hcon->flags) ||
2435	    test_bit(HCI_CONN_PA_SYNC_FAILED, &hcon->flags)) {
2436		struct iso_conn *conn;
2437
2438		conn = iso_conn_add(hcon);
2439		if (conn)
2440			iso_conn_ready(conn);
2441	} else {
2442		iso_conn_del(hcon, bt_to_errno(status));
2443	}
2444}
2445
2446static void iso_disconn_cfm(struct hci_conn *hcon, __u8 reason)
2447{
2448	if (hcon->type != CIS_LINK && hcon->type !=  BIS_LINK &&
2449	    hcon->type != PA_LINK)
2450		return;
2451
2452	BT_DBG("hcon %p reason %d", hcon, reason);
2453
2454	iso_conn_del(hcon, bt_to_errno(reason));
2455}
2456
2457int iso_recv(struct hci_dev *hdev, u16 handle, struct sk_buff *skb, u16 flags)
2458{
2459	struct hci_conn *hcon;
2460	struct iso_conn *conn;
2461	struct skb_shared_hwtstamps *hwts;
2462	__u16 pb, ts, len, sn;
2463
2464	hci_dev_lock(hdev);
2465
2466	hcon = hci_conn_hash_lookup_handle(hdev, handle);
2467	if (!hcon) {
2468		hci_dev_unlock(hdev);
2469		kfree_skb(skb);
2470		return -ENOENT;
2471	}
2472
2473	conn = iso_conn_hold_unless_zero(hcon->iso_data);
2474	hcon = NULL;
2475
2476	hci_dev_unlock(hdev);
2477
2478	if (!conn) {
2479		kfree_skb(skb);
2480		return -EINVAL;
2481	}
2482
2483	pb     = hci_iso_flags_pb(flags);
2484	ts     = hci_iso_flags_ts(flags);
2485
2486	BT_DBG("conn %p len %d pb 0x%x ts 0x%x", conn, skb->len, pb, ts);
2487
2488	switch (pb) {
2489	case ISO_START:
2490	case ISO_SINGLE:
2491		if (conn->rx_len) {
2492			BT_ERR("Unexpected start frame (len %d)", skb->len);
2493			kfree_skb(conn->rx_skb);
2494			conn->rx_skb = NULL;
2495			conn->rx_len = 0;
2496		}
2497
2498		if (ts) {
2499			struct hci_iso_ts_data_hdr *hdr;
2500
2501			hdr = skb_pull_data(skb, HCI_ISO_TS_DATA_HDR_SIZE);
2502			if (!hdr) {
2503				BT_ERR("Frame is too short (len %d)", skb->len);
2504				goto drop;
2505			}
2506
2507			/*  Record the timestamp to skb */
2508			hwts = skb_hwtstamps(skb);
2509			hwts->hwtstamp = us_to_ktime(le32_to_cpu(hdr->ts));
2510
2511			sn = __le16_to_cpu(hdr->sn);
2512			len = __le16_to_cpu(hdr->slen);
2513		} else {
2514			struct hci_iso_data_hdr *hdr;
2515
2516			hdr = skb_pull_data(skb, HCI_ISO_DATA_HDR_SIZE);
2517			if (!hdr) {
2518				BT_ERR("Frame is too short (len %d)", skb->len);
2519				goto drop;
2520			}
2521
2522			sn = __le16_to_cpu(hdr->sn);
2523			len = __le16_to_cpu(hdr->slen);
2524		}
2525
2526		flags  = hci_iso_data_flags(len);
2527		len    = hci_iso_data_len(len);
2528
2529		BT_DBG("Start: total len %d, frag len %d flags 0x%4.4x sn %d",
2530		       len, skb->len, flags, sn);
2531
2532		if (len == skb->len) {
2533			/* Complete frame received */
2534			hci_skb_pkt_status(skb) = flags & 0x03;
2535			hci_skb_pkt_seqnum(skb) = sn;
2536			iso_recv_frame(conn, skb);
2537			goto done;
2538		}
2539
2540		if (pb == ISO_SINGLE) {
2541			BT_ERR("Frame malformed (len %d, expected len %d)",
2542			       skb->len, len);
2543			goto drop;
2544		}
2545
2546		if (skb->len > len) {
2547			BT_ERR("Frame is too long (len %d, expected len %d)",
2548			       skb->len, len);
2549			goto drop;
2550		}
2551
2552		/* Allocate skb for the complete frame (with header) */
2553		conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
2554		if (!conn->rx_skb)
2555			goto drop;
2556
2557		hci_skb_pkt_status(conn->rx_skb) = flags & 0x03;
2558		hci_skb_pkt_seqnum(conn->rx_skb) = sn;
2559		skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2560					  skb->len);
2561		conn->rx_len = len - skb->len;
2562
2563		/* Copy hw timestamp from skb to rx_skb if present */
2564		if (ts) {
2565			hwts = skb_hwtstamps(conn->rx_skb);
2566			hwts->hwtstamp = skb_hwtstamps(skb)->hwtstamp;
2567		}
2568
2569		break;
2570
2571	case ISO_CONT:
2572		BT_DBG("Cont: frag len %d (expecting %d)", skb->len,
2573		       conn->rx_len);
2574
2575		if (!conn->rx_len) {
2576			BT_ERR("Unexpected continuation frame (len %d)",
2577			       skb->len);
2578			goto drop;
2579		}
2580
2581		if (skb->len > conn->rx_len) {
2582			BT_ERR("Fragment is too long (len %d, expected %d)",
2583			       skb->len, conn->rx_len);
2584			kfree_skb(conn->rx_skb);
2585			conn->rx_skb = NULL;
2586			conn->rx_len = 0;
2587			goto drop;
2588		}
2589
2590		skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2591					  skb->len);
2592		conn->rx_len -= skb->len;
2593		break;
2594
2595	case ISO_END:
2596		skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2597					  skb->len);
2598		conn->rx_len -= skb->len;
2599
2600		if (!conn->rx_len) {
2601			struct sk_buff *rx_skb = conn->rx_skb;
2602
2603			/* Complete frame received. iso_recv_frame
2604			 * takes ownership of the skb so set the global
2605			 * rx_skb pointer to NULL first.
2606			 */
2607			conn->rx_skb = NULL;
2608			iso_recv_frame(conn, rx_skb);
2609		}
2610		break;
2611	}
2612
2613drop:
2614	kfree_skb(skb);
2615done:
2616	iso_conn_put(conn);
2617	return 0;
2618}
2619
2620static struct hci_cb iso_cb = {
2621	.name		= "ISO",
2622	.connect_cfm	= iso_connect_cfm,
2623	.disconn_cfm	= iso_disconn_cfm,
2624};
2625
2626static int iso_debugfs_show(struct seq_file *f, void *p)
2627{
2628	struct sock *sk;
2629
2630	read_lock(&iso_sk_list.lock);
2631
2632	sk_for_each(sk, &iso_sk_list.head) {
2633		seq_printf(f, "%pMR %pMR %d\n", &iso_pi(sk)->src,
2634			   &iso_pi(sk)->dst, sk->sk_state);
2635	}
2636
2637	read_unlock(&iso_sk_list.lock);
2638
2639	return 0;
2640}
2641
2642DEFINE_SHOW_ATTRIBUTE(iso_debugfs);
2643
2644static struct dentry *iso_debugfs;
2645
2646static const struct proto_ops iso_sock_ops = {
2647	.family		= PF_BLUETOOTH,
2648	.owner		= THIS_MODULE,
2649	.release	= iso_sock_release,
2650	.bind		= iso_sock_bind,
2651	.connect	= iso_sock_connect,
2652	.listen		= iso_sock_listen,
2653	.accept		= iso_sock_accept,
2654	.getname	= iso_sock_getname,
2655	.sendmsg	= iso_sock_sendmsg,
2656	.recvmsg	= iso_sock_recvmsg,
2657	.poll		= bt_sock_poll,
2658	.ioctl		= bt_sock_ioctl,
2659	.mmap		= sock_no_mmap,
2660	.socketpair	= sock_no_socketpair,
2661	.shutdown	= iso_sock_shutdown,
2662	.setsockopt	= iso_sock_setsockopt,
2663	.getsockopt	= iso_sock_getsockopt
2664};
2665
2666static const struct net_proto_family iso_sock_family_ops = {
2667	.family	= PF_BLUETOOTH,
2668	.owner	= THIS_MODULE,
2669	.create	= iso_sock_create,
2670};
2671
2672static bool inited;
2673
2674bool iso_inited(void)
2675{
2676	return inited;
2677}
2678
2679int iso_init(void)
2680{
2681	int err;
2682
2683	BUILD_BUG_ON(sizeof(struct sockaddr_iso) > sizeof(struct sockaddr));
2684
2685	if (inited)
2686		return -EALREADY;
2687
2688	err = proto_register(&iso_proto, 0);
2689	if (err < 0)
2690		return err;
2691
2692	err = bt_sock_register(BTPROTO_ISO, &iso_sock_family_ops);
2693	if (err < 0) {
2694		BT_ERR("ISO socket registration failed");
2695		goto error;
2696	}
2697
2698	err = bt_procfs_init(&init_net, "iso", &iso_sk_list, NULL);
2699	if (err < 0) {
2700		BT_ERR("Failed to create ISO proc file");
2701		bt_sock_unregister(BTPROTO_ISO);
2702		goto error;
2703	}
2704
2705	BT_INFO("ISO socket layer initialized");
2706
2707	hci_register_cb(&iso_cb);
2708
2709	if (!IS_ERR_OR_NULL(bt_debugfs))
2710		iso_debugfs = debugfs_create_file("iso", 0444, bt_debugfs,
2711						  NULL, &iso_debugfs_fops);
2712
2713	inited = true;
2714
2715	return 0;
2716
2717error:
2718	proto_unregister(&iso_proto);
2719	return err;
2720}
2721
2722int iso_exit(void)
2723{
2724	if (!inited)
2725		return -EALREADY;
2726
2727	bt_procfs_cleanup(&init_net, "iso");
2728
2729	debugfs_remove(iso_debugfs);
2730	iso_debugfs = NULL;
2731
2732	hci_unregister_cb(&iso_cb);
2733
2734	bt_sock_unregister(BTPROTO_ISO);
2735
2736	proto_unregister(&iso_proto);
2737
2738	inited = false;
2739
2740	return 0;
2741}
Configure Feed

Configure Feed
