net/bluetooth/iso.c

   1 // SPDX-License-Identifier: GPL-2.0
   2 /*
   3  * BlueZ - Bluetooth protocol stack for Linux
   4  *
   5  * Copyright (C) 2022 Intel Corporation
   6  * Copyright 2023 NXP
   7  */
   8
   9 #include <linux/module.h>
  10 #include <linux/debugfs.h>
  11 #include <linux/seq_file.h>
  12 #include <linux/sched/signal.h>
  13
  14 #include <net/bluetooth/bluetooth.h>
  15 #include <net/bluetooth/hci_core.h>
  16 #include <net/bluetooth/iso.h>
  17 #include "eir.h"
  18
  19 static const struct proto_ops iso_sock_ops;
  20
  21 static struct bt_sock_list iso_sk_list = {
  22         .lock = __RW_LOCK_UNLOCKED(iso_sk_list.lock)
  23 };
  24
  25 /* ---- ISO connections ---- */
  26 struct iso_conn {
  27         struct hci_conn *hcon;
  28
  29         /* @lock: spinlock protecting changes to iso_conn fields */
  30         spinlock_t      lock;
  31         struct sock     *sk;
  32
  33         struct delayed_work     timeout_work;
  34
  35         struct sk_buff  *rx_skb;
  36         __u32           rx_len;
  37         __u16           tx_sn;
  38 };
  39
  40 #define iso_conn_lock(c)        spin_lock(&(c)->lock)
  41 #define iso_conn_unlock(c)      spin_unlock(&(c)->lock)
  42
  43 static void iso_sock_close(struct sock *sk);
  44 static void iso_sock_kill(struct sock *sk);
  45
  46 /* ----- ISO socket info ----- */
  47 #define iso_pi(sk) ((struct iso_pinfo *)sk)
  48
  49 #define EIR_SERVICE_DATA_LENGTH 4
  50 #define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH)
  51 #define EIR_BAA_SERVICE_UUID    0x1851
  52
  53 /* iso_pinfo flags values */
  54 enum {
  55         BT_SK_BIG_SYNC,
  56         BT_SK_PA_SYNC,
  57         BT_SK_PA_SYNC_TERM,
  58 };
  59
  60 struct iso_pinfo {
  61         struct bt_sock          bt;
  62         bdaddr_t                src;
  63         __u8                    src_type;
  64         bdaddr_t                dst;
  65         __u8                    dst_type;
  66         __u8                    bc_sid;
  67         __u8                    bc_num_bis;
  68         __u8                    bc_bis[ISO_MAX_NUM_BIS];
  69         __u16                   sync_handle;
  70         unsigned long           flags;
  71         struct bt_iso_qos       qos;
  72         bool                    qos_user_set;
  73         __u8                    base_len;
  74         __u8                    base[BASE_MAX_LENGTH];
  75         struct iso_conn         *conn;
  76 };
  77
  78 static struct bt_iso_qos default_qos;
  79
  80 static bool check_ucast_qos(struct bt_iso_qos *qos);
  81 static bool check_bcast_qos(struct bt_iso_qos *qos);
  82 static bool iso_match_sid(struct sock *sk, void *data);
  83 static bool iso_match_sync_handle(struct sock *sk, void *data);
  84 static void iso_sock_disconn(struct sock *sk);
  85
  86 typedef bool (*iso_sock_match_t)(struct sock *sk, void *data);
  87
  88 static struct sock *iso_get_sock_listen(bdaddr_t *src, bdaddr_t *dst,
  89                                         iso_sock_match_t match, void *data);
  90
  91 /* ---- ISO timers ---- */
  92 #define ISO_CONN_TIMEOUT        (HZ * 40)
  93 #define ISO_DISCONN_TIMEOUT     (HZ * 2)
  94
  95 static void iso_sock_timeout(struct work_struct *work)
  96 {
  97         struct iso_conn *conn = container_of(work, struct iso_conn,
  98                                              timeout_work.work);
  99         struct sock *sk;
 100
 101         iso_conn_lock(conn);
 102         sk = conn->sk;
 103         if (sk)
 104                 sock_hold(sk);
 105         iso_conn_unlock(conn);
 106
 107         if (!sk)
 108                 return;
 109
 110         BT_DBG("sock %p state %d", sk, sk->sk_state);
 111
 112         lock_sock(sk);
 113         sk->sk_err = ETIMEDOUT;
 114         sk->sk_state_change(sk);
 115         release_sock(sk);
 116         sock_put(sk);
 117 }
 118
 119 static void iso_sock_set_timer(struct sock *sk, long timeout)
 120 {
 121         if (!iso_pi(sk)->conn)
 122                 return;
 123
 124         BT_DBG("sock %p state %d timeout %ld", sk, sk->sk_state, timeout);
 125         cancel_delayed_work(&iso_pi(sk)->conn->timeout_work);
 126         schedule_delayed_work(&iso_pi(sk)->conn->timeout_work, timeout);
 127 }
 128
 129 static void iso_sock_clear_timer(struct sock *sk)
 130 {
 131         if (!iso_pi(sk)->conn)
 132                 return;
 133
 134         BT_DBG("sock %p state %d", sk, sk->sk_state);
 135         cancel_delayed_work(&iso_pi(sk)->conn->timeout_work);
 136 }
 137
 138 /* ---- ISO connections ---- */
 139 static struct iso_conn *iso_conn_add(struct hci_conn *hcon)
 140 {
 141         struct iso_conn *conn = hcon->iso_data;
 142
 143         if (conn) {
 144                 if (!conn->hcon)
 145                         conn->hcon = hcon;
 146                 return conn;
 147         }
 148
 149         conn = kzalloc(sizeof(*conn), GFP_KERNEL);
 150         if (!conn)
 151                 return NULL;
 152
 153         spin_lock_init(&conn->lock);
 154         INIT_DELAYED_WORK(&conn->timeout_work, iso_sock_timeout);
 155
 156         hcon->iso_data = conn;
 157         conn->hcon = hcon;
 158         conn->tx_sn = 0;
 159
 160         BT_DBG("hcon %p conn %p", hcon, conn);
 161
 162         return conn;
 163 }
 164
 165 /* Delete channel. Must be called on the locked socket. */
 166 static void iso_chan_del(struct sock *sk, int err)
 167 {
 168         struct iso_conn *conn;
 169         struct sock *parent;
 170
 171         conn = iso_pi(sk)->conn;
 172
 173         BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
 174
 175         if (conn) {
 176                 iso_conn_lock(conn);
 177                 conn->sk = NULL;
 178                 iso_pi(sk)->conn = NULL;
 179                 iso_conn_unlock(conn);
 180
 181                 if (conn->hcon)
 182                         hci_conn_drop(conn->hcon);
 183         }
 184
 185         sk->sk_state = BT_CLOSED;
 186         sk->sk_err   = err;
 187
 188         parent = bt_sk(sk)->parent;
 189         if (parent) {
 190                 bt_accept_unlink(sk);
 191                 parent->sk_data_ready(parent);
 192         } else {
 193                 sk->sk_state_change(sk);
 194         }
 195
 196         sock_set_flag(sk, SOCK_ZAPPED);
 197 }
 198
 199 static bool iso_match_conn_sync_handle(struct sock *sk, void *data)
 200 {
 201         struct hci_conn *hcon = data;
 202
 203         if (test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags))
 204                 return false;
 205
 206         return hcon->sync_handle == iso_pi(sk)->sync_handle;
 207 }
 208
 209 static void iso_conn_del(struct hci_conn *hcon, int err)
 210 {
 211         struct iso_conn *conn = hcon->iso_data;
 212         struct sock *sk;
 213         struct sock *parent;
 214
 215         if (!conn)
 216                 return;
 217
 218         BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
 219
 220         /* Kill socket */
 221         iso_conn_lock(conn);
 222         sk = conn->sk;
 223         if (sk)
 224                 sock_hold(sk);
 225         iso_conn_unlock(conn);
 226
 227         if (sk) {
 228                 lock_sock(sk);
 229
 230                 /* While a PA sync hcon is in the process of closing,
 231                  * mark parent socket with a flag, so that any residual
 232                  * BIGInfo adv reports that arrive before PA sync is
 233                  * terminated are not processed anymore.
 234                  */
 235                 if (test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) {
 236                         parent = iso_get_sock_listen(&hcon->src,
 237                                                      &hcon->dst,
 238                                                      iso_match_conn_sync_handle,
 239                                                      hcon);
 240
 241                         if (parent) {
 242                                 set_bit(BT_SK_PA_SYNC_TERM,
 243                                         &iso_pi(parent)->flags);
 244                                 sock_put(parent);
 245                         }
 246                 }
 247
 248                 iso_sock_clear_timer(sk);
 249                 iso_chan_del(sk, err);
 250                 release_sock(sk);
 251                 sock_put(sk);
 252         }
 253
 254         /* Ensure no more work items will run before freeing conn. */
 255         cancel_delayed_work_sync(&conn->timeout_work);
 256
 257         hcon->iso_data = NULL;
 258         kfree(conn);
 259 }
 260
 261 static int __iso_chan_add(struct iso_conn *conn, struct sock *sk,
 262                           struct sock *parent)
 263 {
 264         BT_DBG("conn %p", conn);
 265
 266         if (iso_pi(sk)->conn == conn && conn->sk == sk)
 267                 return 0;
 268
 269         if (conn->sk) {
 270                 BT_ERR("conn->sk already set");
 271                 return -EBUSY;
 272         }
 273
 274         iso_pi(sk)->conn = conn;
 275         conn->sk = sk;
 276
 277         if (parent)
 278                 bt_accept_enqueue(parent, sk, true);
 279
 280         return 0;
 281 }
 282
 283 static int iso_chan_add(struct iso_conn *conn, struct sock *sk,
 284                         struct sock *parent)
 285 {
 286         int err;
 287
 288         iso_conn_lock(conn);
 289         err = __iso_chan_add(conn, sk, parent);
 290         iso_conn_unlock(conn);
 291
 292         return err;
 293 }
 294
 295 static inline u8 le_addr_type(u8 bdaddr_type)
 296 {
 297         if (bdaddr_type == BDADDR_LE_PUBLIC)
 298                 return ADDR_LE_DEV_PUBLIC;
 299         else
 300                 return ADDR_LE_DEV_RANDOM;
 301 }
 302
 303 static int iso_connect_bis(struct sock *sk)
 304 {
 305         struct iso_conn *conn;
 306         struct hci_conn *hcon;
 307         struct hci_dev  *hdev;
 308         int err;
 309
 310         BT_DBG("%pMR", &iso_pi(sk)->src);
 311
 312         hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
 313                              iso_pi(sk)->src_type);
 314         if (!hdev)
 315                 return -EHOSTUNREACH;
 316
 317         hci_dev_lock(hdev);
 318
 319         if (!bis_capable(hdev)) {
 320                 err = -EOPNOTSUPP;
 321                 goto unlock;
 322         }
 323
 324         /* Fail if user set invalid QoS */
 325         if (iso_pi(sk)->qos_user_set && !check_bcast_qos(&iso_pi(sk)->qos)) {
 326                 iso_pi(sk)->qos = default_qos;
 327                 err = -EINVAL;
 328                 goto unlock;
 329         }
 330
 331         /* Fail if out PHYs are marked as disabled */
 332         if (!iso_pi(sk)->qos.bcast.out.phy) {
 333                 err = -EINVAL;
 334                 goto unlock;
 335         }
 336
 337         /* Just bind if DEFER_SETUP has been set */
 338         if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
 339                 hcon = hci_bind_bis(hdev, &iso_pi(sk)->dst,
 340                                     &iso_pi(sk)->qos, iso_pi(sk)->base_len,
 341                                     iso_pi(sk)->base);
 342                 if (IS_ERR(hcon)) {
 343                         err = PTR_ERR(hcon);
 344                         goto unlock;
 345                 }
 346         } else {
 347                 hcon = hci_connect_bis(hdev, &iso_pi(sk)->dst,
 348                                        le_addr_type(iso_pi(sk)->dst_type),
 349                                        &iso_pi(sk)->qos, iso_pi(sk)->base_len,
 350                                        iso_pi(sk)->base);
 351                 if (IS_ERR(hcon)) {
 352                         err = PTR_ERR(hcon);
 353                         goto unlock;
 354                 }
 355         }
 356
 357         conn = iso_conn_add(hcon);
 358         if (!conn) {
 359                 hci_conn_drop(hcon);
 360                 err = -ENOMEM;
 361                 goto unlock;
 362         }
 363
 364         lock_sock(sk);
 365
 366         err = iso_chan_add(conn, sk, NULL);
 367         if (err) {
 368                 release_sock(sk);
 369                 goto unlock;
 370         }
 371
 372         /* Update source addr of the socket */
 373         bacpy(&iso_pi(sk)->src, &hcon->src);
 374
 375         if (hcon->state == BT_CONNECTED) {
 376                 iso_sock_clear_timer(sk);
 377                 sk->sk_state = BT_CONNECTED;
 378         } else if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
 379                 iso_sock_clear_timer(sk);
 380                 sk->sk_state = BT_CONNECT;
 381         } else {
 382                 sk->sk_state = BT_CONNECT;
 383                 iso_sock_set_timer(sk, sk->sk_sndtimeo);
 384         }
 385
 386         release_sock(sk);
 387
 388 unlock:
 389         hci_dev_unlock(hdev);
 390         hci_dev_put(hdev);
 391         return err;
 392 }
 393
 394 static int iso_connect_cis(struct sock *sk)
 395 {
 396         struct iso_conn *conn;
 397         struct hci_conn *hcon;
 398         struct hci_dev  *hdev;
 399         int err;
 400
 401         BT_DBG("%pMR -> %pMR", &iso_pi(sk)->src, &iso_pi(sk)->dst);
 402
 403         hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
 404                              iso_pi(sk)->src_type);
 405         if (!hdev)
 406                 return -EHOSTUNREACH;
 407
 408         hci_dev_lock(hdev);
 409
 410         if (!cis_central_capable(hdev)) {
 411                 err = -EOPNOTSUPP;
 412                 goto unlock;
 413         }
 414
 415         /* Fail if user set invalid QoS */
 416         if (iso_pi(sk)->qos_user_set && !check_ucast_qos(&iso_pi(sk)->qos)) {
 417                 iso_pi(sk)->qos = default_qos;
 418                 err = -EINVAL;
 419                 goto unlock;
 420         }
 421
 422         /* Fail if either PHYs are marked as disabled */
 423         if (!iso_pi(sk)->qos.ucast.in.phy && !iso_pi(sk)->qos.ucast.out.phy) {
 424                 err = -EINVAL;
 425                 goto unlock;
 426         }
 427
 428         /* Just bind if DEFER_SETUP has been set */
 429         if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
 430                 hcon = hci_bind_cis(hdev, &iso_pi(sk)->dst,
 431                                     le_addr_type(iso_pi(sk)->dst_type),
 432                                     &iso_pi(sk)->qos);
 433                 if (IS_ERR(hcon)) {
 434                         err = PTR_ERR(hcon);
 435                         goto unlock;
 436                 }
 437         } else {
 438                 hcon = hci_connect_cis(hdev, &iso_pi(sk)->dst,
 439                                        le_addr_type(iso_pi(sk)->dst_type),
 440                                        &iso_pi(sk)->qos);
 441                 if (IS_ERR(hcon)) {
 442                         err = PTR_ERR(hcon);
 443                         goto unlock;
 444                 }
 445         }
 446
 447         conn = iso_conn_add(hcon);
 448         if (!conn) {
 449                 hci_conn_drop(hcon);
 450                 err = -ENOMEM;
 451                 goto unlock;
 452         }
 453
 454         lock_sock(sk);
 455
 456         err = iso_chan_add(conn, sk, NULL);
 457         if (err) {
 458                 release_sock(sk);
 459                 goto unlock;
 460         }
 461
 462         /* Update source addr of the socket */
 463         bacpy(&iso_pi(sk)->src, &hcon->src);
 464
 465         if (hcon->state == BT_CONNECTED) {
 466                 iso_sock_clear_timer(sk);
 467                 sk->sk_state = BT_CONNECTED;
 468         } else if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
 469                 iso_sock_clear_timer(sk);
 470                 sk->sk_state = BT_CONNECT;
 471         } else {
 472                 sk->sk_state = BT_CONNECT;
 473                 iso_sock_set_timer(sk, sk->sk_sndtimeo);
 474         }
 475
 476         release_sock(sk);
 477
 478 unlock:
 479         hci_dev_unlock(hdev);
 480         hci_dev_put(hdev);
 481         return err;
 482 }
 483
 484 static struct bt_iso_qos *iso_sock_get_qos(struct sock *sk)
 485 {
 486         if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONNECT2)
 487                 return &iso_pi(sk)->conn->hcon->iso_qos;
 488
 489         return &iso_pi(sk)->qos;
 490 }
 491
 492 static int iso_send_frame(struct sock *sk, struct sk_buff *skb)
 493 {
 494         struct iso_conn *conn = iso_pi(sk)->conn;
 495         struct bt_iso_qos *qos = iso_sock_get_qos(sk);
 496         struct hci_iso_data_hdr *hdr;
 497         int len = 0;
 498
 499         BT_DBG("sk %p len %d", sk, skb->len);
 500
 501         if (skb->len > qos->ucast.out.sdu)
 502                 return -EMSGSIZE;
 503
 504         len = skb->len;
 505
 506         /* Push ISO data header */
 507         hdr = skb_push(skb, HCI_ISO_DATA_HDR_SIZE);
 508         hdr->sn = cpu_to_le16(conn->tx_sn++);
 509         hdr->slen = cpu_to_le16(hci_iso_data_len_pack(len,
 510                                                       HCI_ISO_STATUS_VALID));
 511
 512         if (sk->sk_state == BT_CONNECTED)
 513                 hci_send_iso(conn->hcon, skb);
 514         else
 515                 len = -ENOTCONN;
 516
 517         return len;
 518 }
 519
 520 static void iso_recv_frame(struct iso_conn *conn, struct sk_buff *skb)
 521 {
 522         struct sock *sk;
 523
 524         iso_conn_lock(conn);
 525         sk = conn->sk;
 526         iso_conn_unlock(conn);
 527
 528         if (!sk)
 529                 goto drop;
 530
 531         BT_DBG("sk %p len %d", sk, skb->len);
 532
 533         if (sk->sk_state != BT_CONNECTED)
 534                 goto drop;
 535
 536         if (!sock_queue_rcv_skb(sk, skb))
 537                 return;
 538
 539 drop:
 540         kfree_skb(skb);
 541 }
 542
 543 /* -------- Socket interface ---------- */
 544 static struct sock *__iso_get_sock_listen_by_addr(bdaddr_t *src, bdaddr_t *dst)
 545 {
 546         struct sock *sk;
 547
 548         sk_for_each(sk, &iso_sk_list.head) {
 549                 if (sk->sk_state != BT_LISTEN)
 550                         continue;
 551
 552                 if (bacmp(&iso_pi(sk)->dst, dst))
 553                         continue;
 554
 555                 if (!bacmp(&iso_pi(sk)->src, src))
 556                         return sk;
 557         }
 558
 559         return NULL;
 560 }
 561
 562 static struct sock *__iso_get_sock_listen_by_sid(bdaddr_t *ba, bdaddr_t *bc,
 563                                                  __u8 sid)
 564 {
 565         struct sock *sk;
 566
 567         sk_for_each(sk, &iso_sk_list.head) {
 568                 if (sk->sk_state != BT_LISTEN)
 569                         continue;
 570
 571                 if (bacmp(&iso_pi(sk)->src, ba))
 572                         continue;
 573
 574                 if (bacmp(&iso_pi(sk)->dst, bc))
 575                         continue;
 576
 577                 if (iso_pi(sk)->bc_sid == sid)
 578                         return sk;
 579         }
 580
 581         return NULL;
 582 }
 583
 584 /* Find socket listening:
 585  * source bdaddr (Unicast)
 586  * destination bdaddr (Broadcast only)
 587  * match func - pass NULL to ignore
 588  * match func data - pass -1 to ignore
 589  * Returns closest match.
 590  */
 591 static struct sock *iso_get_sock_listen(bdaddr_t *src, bdaddr_t *dst,
 592                                         iso_sock_match_t match, void *data)
 593 {
 594         struct sock *sk = NULL, *sk1 = NULL;
 595
 596         read_lock(&iso_sk_list.lock);
 597
 598         sk_for_each(sk, &iso_sk_list.head) {
 599                 if (sk->sk_state != BT_LISTEN)
 600                         continue;
 601
 602                 /* Match Broadcast destination */
 603                 if (bacmp(dst, BDADDR_ANY) && bacmp(&iso_pi(sk)->dst, dst))
 604                         continue;
 605
 606                 /* Use Match function if provided */
 607                 if (match && !match(sk, data))
 608                         continue;
 609
 610                 /* Exact match. */
 611                 if (!bacmp(&iso_pi(sk)->src, src)) {
 612                         sock_hold(sk);
 613                         break;
 614                 }
 615
 616                 /* Closest match */
 617                 if (!bacmp(&iso_pi(sk)->src, BDADDR_ANY)) {
 618                         if (sk1)
 619                                 sock_put(sk1);
 620
 621                         sk1 = sk;
 622                         sock_hold(sk1);
 623                 }
 624         }
 625
 626         if (sk && sk1)
 627                 sock_put(sk1);
 628
 629         read_unlock(&iso_sk_list.lock);
 630
 631         return sk ? sk : sk1;
 632 }
 633
 634 static struct sock *iso_get_sock_big(struct sock *match_sk, bdaddr_t *src,
 635                                      bdaddr_t *dst, uint8_t big)
 636 {
 637         struct sock *sk = NULL;
 638
 639         read_lock(&iso_sk_list.lock);
 640
 641         sk_for_each(sk, &iso_sk_list.head) {
 642                 if (match_sk == sk)
 643                         continue;
 644
 645                 /* Look for sockets that have already been
 646                  * connected to the BIG
 647                  */
 648                 if (sk->sk_state != BT_CONNECTED &&
 649                     sk->sk_state != BT_CONNECT)
 650                         continue;
 651
 652                 /* Match Broadcast destination */
 653                 if (bacmp(&iso_pi(sk)->dst, dst))
 654                         continue;
 655
 656                 /* Match BIG handle */
 657                 if (iso_pi(sk)->qos.bcast.big != big)
 658                         continue;
 659
 660                 /* Match source address */
 661                 if (bacmp(&iso_pi(sk)->src, src))
 662                         continue;
 663
 664                 sock_hold(sk);
 665                 break;
 666         }
 667
 668         read_unlock(&iso_sk_list.lock);
 669
 670         return sk;
 671 }
 672
 673 static void iso_sock_destruct(struct sock *sk)
 674 {
 675         BT_DBG("sk %p", sk);
 676
 677         skb_queue_purge(&sk->sk_receive_queue);
 678         skb_queue_purge(&sk->sk_write_queue);
 679 }
 680
 681 static void iso_sock_cleanup_listen(struct sock *parent)
 682 {
 683         struct sock *sk;
 684
 685         BT_DBG("parent %p", parent);
 686
 687         /* Close not yet accepted channels */
 688         while ((sk = bt_accept_dequeue(parent, NULL))) {
 689                 iso_sock_close(sk);
 690                 iso_sock_kill(sk);
 691         }
 692
 693         /* If listening socket stands for a PA sync connection,
 694          * properly disconnect the hcon and socket.
 695          */
 696         if (iso_pi(parent)->conn && iso_pi(parent)->conn->hcon &&
 697             test_bit(HCI_CONN_PA_SYNC, &iso_pi(parent)->conn->hcon->flags)) {
 698                 iso_sock_disconn(parent);
 699                 return;
 700         }
 701
 702         parent->sk_state  = BT_CLOSED;
 703         sock_set_flag(parent, SOCK_ZAPPED);
 704 }
 705
 706 /* Kill socket (only if zapped and orphan)
 707  * Must be called on unlocked socket.
 708  */
 709 static void iso_sock_kill(struct sock *sk)
 710 {
 711         if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket ||
 712             sock_flag(sk, SOCK_DEAD))
 713                 return;
 714
 715         BT_DBG("sk %p state %d", sk, sk->sk_state);
 716
 717         /* Kill poor orphan */
 718         bt_sock_unlink(&iso_sk_list, sk);
 719         sock_set_flag(sk, SOCK_DEAD);
 720         sock_put(sk);
 721 }
 722
 723 static void iso_sock_disconn(struct sock *sk)
 724 {
 725         struct sock *bis_sk;
 726         struct hci_conn *hcon = iso_pi(sk)->conn->hcon;
 727
 728         if (test_bit(HCI_CONN_BIG_CREATED, &hcon->flags)) {
 729                 bis_sk = iso_get_sock_big(sk, &iso_pi(sk)->src,
 730                                           &iso_pi(sk)->dst,
 731                                           iso_pi(sk)->qos.bcast.big);
 732
 733                 /* If there are any other connected sockets for the
 734                  * same BIG, just delete the sk and leave the bis
 735                  * hcon active, in case later rebinding is needed.
 736                  */
 737                 if (bis_sk) {
 738                         hcon->state = BT_OPEN;
 739                         iso_pi(sk)->conn->hcon = NULL;
 740                         iso_sock_clear_timer(sk);
 741                         iso_chan_del(sk, bt_to_errno(hcon->abort_reason));
 742                         sock_put(bis_sk);
 743                         return;
 744                 }
 745         }
 746
 747         sk->sk_state = BT_DISCONN;
 748         iso_sock_set_timer(sk, ISO_DISCONN_TIMEOUT);
 749         iso_conn_lock(iso_pi(sk)->conn);
 750         hci_conn_drop(iso_pi(sk)->conn->hcon);
 751         iso_pi(sk)->conn->hcon = NULL;
 752         iso_conn_unlock(iso_pi(sk)->conn);
 753 }
 754
 755 static void __iso_sock_close(struct sock *sk)
 756 {
 757         BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
 758
 759         switch (sk->sk_state) {
 760         case BT_LISTEN:
 761                 iso_sock_cleanup_listen(sk);
 762                 break;
 763
 764         case BT_CONNECT:
 765         case BT_CONNECTED:
 766         case BT_CONFIG:
 767                 if (iso_pi(sk)->conn->hcon)
 768                         iso_sock_disconn(sk);
 769                 else
 770                         iso_chan_del(sk, ECONNRESET);
 771                 break;
 772
 773         case BT_CONNECT2:
 774                 if (iso_pi(sk)->conn->hcon &&
 775                     (test_bit(HCI_CONN_PA_SYNC, &iso_pi(sk)->conn->hcon->flags) ||
 776                     test_bit(HCI_CONN_PA_SYNC_FAILED, &iso_pi(sk)->conn->hcon->flags)))
 777                         iso_sock_disconn(sk);
 778                 else
 779                         iso_chan_del(sk, ECONNRESET);
 780                 break;
 781         case BT_DISCONN:
 782                 iso_chan_del(sk, ECONNRESET);
 783                 break;
 784
 785         default:
 786                 sock_set_flag(sk, SOCK_ZAPPED);
 787                 break;
 788         }
 789 }
 790
 791 /* Must be called on unlocked socket. */
 792 static void iso_sock_close(struct sock *sk)
 793 {
 794         iso_sock_clear_timer(sk);
 795         lock_sock(sk);
 796         __iso_sock_close(sk);
 797         release_sock(sk);
 798         iso_sock_kill(sk);
 799 }
 800
 801 static void iso_sock_init(struct sock *sk, struct sock *parent)
 802 {
 803         BT_DBG("sk %p", sk);
 804
 805         if (parent) {
 806                 sk->sk_type = parent->sk_type;
 807                 bt_sk(sk)->flags = bt_sk(parent)->flags;
 808                 security_sk_clone(parent, sk);
 809         }
 810 }
 811
 812 static struct proto iso_proto = {
 813         .name           = "ISO",
 814         .owner          = THIS_MODULE,
 815         .obj_size       = sizeof(struct iso_pinfo)
 816 };
 817
 818 #define DEFAULT_IO_QOS \
 819 { \
 820         .interval       = 10000u, \
 821         .latency        = 10u, \
 822         .sdu            = 40u, \
 823         .phy            = BT_ISO_PHY_2M, \
 824         .rtn            = 2u, \
 825 }
 826
 827 static struct bt_iso_qos default_qos = {
 828         .bcast = {
 829                 .big                    = BT_ISO_QOS_BIG_UNSET,
 830                 .bis                    = BT_ISO_QOS_BIS_UNSET,
 831                 .sync_factor            = 0x01,
 832                 .packing                = 0x00,
 833                 .framing                = 0x00,
 834                 .in                     = DEFAULT_IO_QOS,
 835                 .out                    = DEFAULT_IO_QOS,
 836                 .encryption             = 0x00,
 837                 .bcode                  = {0x00},
 838                 .options                = 0x00,
 839                 .skip                   = 0x0000,
 840                 .sync_timeout           = BT_ISO_SYNC_TIMEOUT,
 841                 .sync_cte_type          = 0x00,
 842                 .mse                    = 0x00,
 843                 .timeout                = BT_ISO_SYNC_TIMEOUT,
 844         },
 845 };
 846
 847 static struct sock *iso_sock_alloc(struct net *net, struct socket *sock,
 848                                    int proto, gfp_t prio, int kern)
 849 {
 850         struct sock *sk;
 851
 852         sk = bt_sock_alloc(net, sock, &iso_proto, proto, prio, kern);
 853         if (!sk)
 854                 return NULL;
 855
 856         sk->sk_destruct = iso_sock_destruct;
 857         sk->sk_sndtimeo = ISO_CONN_TIMEOUT;
 858
 859         /* Set address type as public as default src address is BDADDR_ANY */
 860         iso_pi(sk)->src_type = BDADDR_LE_PUBLIC;
 861
 862         iso_pi(sk)->qos = default_qos;
 863
 864         bt_sock_link(&iso_sk_list, sk);
 865         return sk;
 866 }
 867
 868 static int iso_sock_create(struct net *net, struct socket *sock, int protocol,
 869                            int kern)
 870 {
 871         struct sock *sk;
 872
 873         BT_DBG("sock %p", sock);
 874
 875         sock->state = SS_UNCONNECTED;
 876
 877         if (sock->type != SOCK_SEQPACKET)
 878                 return -ESOCKTNOSUPPORT;
 879
 880         sock->ops = &iso_sock_ops;
 881
 882         sk = iso_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
 883         if (!sk)
 884                 return -ENOMEM;
 885
 886         iso_sock_init(sk, NULL);
 887         return 0;
 888 }
 889
 890 static int iso_sock_bind_bc(struct socket *sock, struct sockaddr *addr,
 891                             int addr_len)
 892 {
 893         struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
 894         struct sock *sk = sock->sk;
 895         int i;
 896
 897         BT_DBG("sk %p bc_sid %u bc_num_bis %u", sk, sa->iso_bc->bc_sid,
 898                sa->iso_bc->bc_num_bis);
 899
 900         if (addr_len != sizeof(*sa) + sizeof(*sa->iso_bc))
 901                 return -EINVAL;
 902
 903         bacpy(&iso_pi(sk)->dst, &sa->iso_bc->bc_bdaddr);
 904
 905         /* Check if the address type is of LE type */
 906         if (!bdaddr_type_is_le(sa->iso_bc->bc_bdaddr_type))
 907                 return -EINVAL;
 908
 909         iso_pi(sk)->dst_type = sa->iso_bc->bc_bdaddr_type;
 910         iso_pi(sk)->sync_handle = -1;
 911
 912         if (sa->iso_bc->bc_sid > 0x0f)
 913                 return -EINVAL;
 914
 915         iso_pi(sk)->bc_sid = sa->iso_bc->bc_sid;
 916
 917         if (sa->iso_bc->bc_num_bis > ISO_MAX_NUM_BIS)
 918                 return -EINVAL;
 919
 920         iso_pi(sk)->bc_num_bis = sa->iso_bc->bc_num_bis;
 921
 922         for (i = 0; i < iso_pi(sk)->bc_num_bis; i++)
 923                 if (sa->iso_bc->bc_bis[i] < 0x01 ||
 924                     sa->iso_bc->bc_bis[i] > 0x1f)
 925                         return -EINVAL;
 926
 927         memcpy(iso_pi(sk)->bc_bis, sa->iso_bc->bc_bis,
 928                iso_pi(sk)->bc_num_bis);
 929
 930         return 0;
 931 }
 932
 933 static int iso_sock_bind_pa_sk(struct sock *sk, struct sockaddr_iso *sa,
 934                                int addr_len)
 935 {
 936         int err = 0;
 937
 938         if (sk->sk_type != SOCK_SEQPACKET) {
 939                 err = -EINVAL;
 940                 goto done;
 941         }
 942
 943         if (addr_len != sizeof(*sa) + sizeof(*sa->iso_bc)) {
 944                 err = -EINVAL;
 945                 goto done;
 946         }
 947
 948         if (sa->iso_bc->bc_num_bis > ISO_MAX_NUM_BIS) {
 949                 err = -EINVAL;
 950                 goto done;
 951         }
 952
 953         iso_pi(sk)->bc_num_bis = sa->iso_bc->bc_num_bis;
 954
 955         for (int i = 0; i < iso_pi(sk)->bc_num_bis; i++)
 956                 if (sa->iso_bc->bc_bis[i] < 0x01 ||
 957                     sa->iso_bc->bc_bis[i] > 0x1f) {
 958                         err = -EINVAL;
 959                         goto done;
 960                 }
 961
 962         memcpy(iso_pi(sk)->bc_bis, sa->iso_bc->bc_bis,
 963                iso_pi(sk)->bc_num_bis);
 964
 965 done:
 966         return err;
 967 }
 968
 969 static int iso_sock_bind(struct socket *sock, struct sockaddr *addr,
 970                          int addr_len)
 971 {
 972         struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
 973         struct sock *sk = sock->sk;
 974         int err = 0;
 975
 976         BT_DBG("sk %p %pMR type %u", sk, &sa->iso_bdaddr, sa->iso_bdaddr_type);
 977
 978         if (!addr || addr_len < sizeof(struct sockaddr_iso) ||
 979             addr->sa_family != AF_BLUETOOTH)
 980                 return -EINVAL;
 981
 982         lock_sock(sk);
 983
 984         /* Allow the user to bind a PA sync socket to a number
 985          * of BISes to sync to.
 986          */
 987         if (sk->sk_state == BT_CONNECT2 &&
 988             test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) {
 989                 err = iso_sock_bind_pa_sk(sk, sa, addr_len);
 990                 goto done;
 991         }
 992
 993         if (sk->sk_state != BT_OPEN) {
 994                 err = -EBADFD;
 995                 goto done;
 996         }
 997
 998         if (sk->sk_type != SOCK_SEQPACKET) {
 999                 err = -EINVAL;
1000                 goto done;
1001         }
1002
1003         /* Check if the address type is of LE type */
1004         if (!bdaddr_type_is_le(sa->iso_bdaddr_type)) {
1005                 err = -EINVAL;
1006                 goto done;
1007         }
1008
1009         bacpy(&iso_pi(sk)->src, &sa->iso_bdaddr);
1010         iso_pi(sk)->src_type = sa->iso_bdaddr_type;
1011
1012         /* Check for Broadcast address */
1013         if (addr_len > sizeof(*sa)) {
1014                 err = iso_sock_bind_bc(sock, addr, addr_len);
1015                 if (err)
1016                         goto done;
1017         }
1018
1019         sk->sk_state = BT_BOUND;
1020
1021 done:
1022         release_sock(sk);
1023         return err;
1024 }
1025
1026 static int iso_sock_connect(struct socket *sock, struct sockaddr *addr,
1027                             int alen, int flags)
1028 {
1029         struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
1030         struct sock *sk = sock->sk;
1031         int err;
1032
1033         BT_DBG("sk %p", sk);
1034
1035         if (alen < sizeof(struct sockaddr_iso) ||
1036             addr->sa_family != AF_BLUETOOTH)
1037                 return -EINVAL;
1038
1039         if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND)
1040                 return -EBADFD;
1041
1042         if (sk->sk_type != SOCK_SEQPACKET)
1043                 return -EINVAL;
1044
1045         /* Check if the address type is of LE type */
1046         if (!bdaddr_type_is_le(sa->iso_bdaddr_type))
1047                 return -EINVAL;
1048
1049         lock_sock(sk);
1050
1051         bacpy(&iso_pi(sk)->dst, &sa->iso_bdaddr);
1052         iso_pi(sk)->dst_type = sa->iso_bdaddr_type;
1053
1054         release_sock(sk);
1055
1056         if (bacmp(&iso_pi(sk)->dst, BDADDR_ANY))
1057                 err = iso_connect_cis(sk);
1058         else
1059                 err = iso_connect_bis(sk);
1060
1061         if (err)
1062                 return err;
1063
1064         lock_sock(sk);
1065
1066         if (!test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
1067                 err = bt_sock_wait_state(sk, BT_CONNECTED,
1068                                          sock_sndtimeo(sk, flags & O_NONBLOCK));
1069         }
1070
1071         release_sock(sk);
1072         return err;
1073 }
1074
1075 static int iso_listen_bis(struct sock *sk)
1076 {
1077         struct hci_dev *hdev;
1078         int err = 0;
1079
1080         BT_DBG("%pMR -> %pMR (SID 0x%2.2x)", &iso_pi(sk)->src,
1081                &iso_pi(sk)->dst, iso_pi(sk)->bc_sid);
1082
1083         write_lock(&iso_sk_list.lock);
1084
1085         if (__iso_get_sock_listen_by_sid(&iso_pi(sk)->src, &iso_pi(sk)->dst,
1086                                          iso_pi(sk)->bc_sid))
1087                 err = -EADDRINUSE;
1088
1089         write_unlock(&iso_sk_list.lock);
1090
1091         if (err)
1092                 return err;
1093
1094         hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
1095                              iso_pi(sk)->src_type);
1096         if (!hdev)
1097                 return -EHOSTUNREACH;
1098
1099         /* Fail if user set invalid QoS */
1100         if (iso_pi(sk)->qos_user_set && !check_bcast_qos(&iso_pi(sk)->qos)) {
1101                 iso_pi(sk)->qos = default_qos;
1102                 return -EINVAL;
1103         }
1104
1105         err = hci_pa_create_sync(hdev, &iso_pi(sk)->dst,
1106                                  le_addr_type(iso_pi(sk)->dst_type),
1107                                  iso_pi(sk)->bc_sid, &iso_pi(sk)->qos);
1108
1109         hci_dev_put(hdev);
1110
1111         return err;
1112 }
1113
1114 static int iso_listen_cis(struct sock *sk)
1115 {
1116         int err = 0;
1117
1118         BT_DBG("%pMR", &iso_pi(sk)->src);
1119
1120         write_lock(&iso_sk_list.lock);
1121
1122         if (__iso_get_sock_listen_by_addr(&iso_pi(sk)->src, &iso_pi(sk)->dst))
1123                 err = -EADDRINUSE;
1124
1125         write_unlock(&iso_sk_list.lock);
1126
1127         return err;
1128 }
1129
1130 static int iso_sock_listen(struct socket *sock, int backlog)
1131 {
1132         struct sock *sk = sock->sk;
1133         int err = 0;
1134
1135         BT_DBG("sk %p backlog %d", sk, backlog);
1136
1137         lock_sock(sk);
1138
1139         if (sk->sk_state != BT_BOUND) {
1140                 err = -EBADFD;
1141                 goto done;
1142         }
1143
1144         if (sk->sk_type != SOCK_SEQPACKET) {
1145                 err = -EINVAL;
1146                 goto done;
1147         }
1148
1149         if (!bacmp(&iso_pi(sk)->dst, BDADDR_ANY))
1150                 err = iso_listen_cis(sk);
1151         else
1152                 err = iso_listen_bis(sk);
1153
1154         if (err)
1155                 goto done;
1156
1157         sk->sk_max_ack_backlog = backlog;
1158         sk->sk_ack_backlog = 0;
1159
1160         sk->sk_state = BT_LISTEN;
1161
1162 done:
1163         release_sock(sk);
1164         return err;
1165 }
1166
1167 static int iso_sock_accept(struct socket *sock, struct socket *newsock,
1168                            int flags, bool kern)
1169 {
1170         DEFINE_WAIT_FUNC(wait, woken_wake_function);
1171         struct sock *sk = sock->sk, *ch;
1172         long timeo;
1173         int err = 0;
1174
1175         lock_sock(sk);
1176
1177         timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1178
1179         BT_DBG("sk %p timeo %ld", sk, timeo);
1180
1181         /* Wait for an incoming connection. (wake-one). */
1182         add_wait_queue_exclusive(sk_sleep(sk), &wait);
1183         while (1) {
1184                 if (sk->sk_state != BT_LISTEN) {
1185                         err = -EBADFD;
1186                         break;
1187                 }
1188
1189                 ch = bt_accept_dequeue(sk, newsock);
1190                 if (ch)
1191                         break;
1192
1193                 if (!timeo) {
1194                         err = -EAGAIN;
1195                         break;
1196                 }
1197
1198                 if (signal_pending(current)) {
1199                         err = sock_intr_errno(timeo);
1200                         break;
1201                 }
1202
1203                 release_sock(sk);
1204
1205                 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
1206                 lock_sock(sk);
1207         }
1208         remove_wait_queue(sk_sleep(sk), &wait);
1209
1210         if (err)
1211                 goto done;
1212
1213         newsock->state = SS_CONNECTED;
1214
1215         BT_DBG("new socket %p", ch);
1216
1217 done:
1218         release_sock(sk);
1219         return err;
1220 }
1221
1222 static int iso_sock_getname(struct socket *sock, struct sockaddr *addr,
1223                             int peer)
1224 {
1225         struct sockaddr_iso *sa = (struct sockaddr_iso *)addr;
1226         struct sock *sk = sock->sk;
1227
1228         BT_DBG("sock %p, sk %p", sock, sk);
1229
1230         addr->sa_family = AF_BLUETOOTH;
1231
1232         if (peer) {
1233                 bacpy(&sa->iso_bdaddr, &iso_pi(sk)->dst);
1234                 sa->iso_bdaddr_type = iso_pi(sk)->dst_type;
1235         } else {
1236                 bacpy(&sa->iso_bdaddr, &iso_pi(sk)->src);
1237                 sa->iso_bdaddr_type = iso_pi(sk)->src_type;
1238         }
1239
1240         return sizeof(struct sockaddr_iso);
1241 }
1242
1243 static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1244                             size_t len)
1245 {
1246         struct sock *sk = sock->sk;
1247         struct sk_buff *skb, **frag;
1248         size_t mtu;
1249         int err;
1250
1251         BT_DBG("sock %p, sk %p", sock, sk);
1252
1253         err = sock_error(sk);
1254         if (err)
1255                 return err;
1256
1257         if (msg->msg_flags & MSG_OOB)
1258                 return -EOPNOTSUPP;
1259
1260         lock_sock(sk);
1261
1262         if (sk->sk_state != BT_CONNECTED) {
1263                 release_sock(sk);
1264                 return -ENOTCONN;
1265         }
1266
1267         mtu = iso_pi(sk)->conn->hcon->hdev->iso_mtu;
1268
1269         release_sock(sk);
1270
1271         skb = bt_skb_sendmsg(sk, msg, len, mtu, HCI_ISO_DATA_HDR_SIZE, 0);
1272         if (IS_ERR(skb))
1273                 return PTR_ERR(skb);
1274
1275         len -= skb->len;
1276
1277         BT_DBG("skb %p len %d", sk, skb->len);
1278
1279         /* Continuation fragments */
1280         frag = &skb_shinfo(skb)->frag_list;
1281         while (len) {
1282                 struct sk_buff *tmp;
1283
1284                 tmp = bt_skb_sendmsg(sk, msg, len, mtu, 0, 0);
1285                 if (IS_ERR(tmp)) {
1286                         kfree_skb(skb);
1287                         return PTR_ERR(tmp);
1288                 }
1289
1290                 *frag = tmp;
1291
1292                 len  -= tmp->len;
1293
1294                 skb->len += tmp->len;
1295                 skb->data_len += tmp->len;
1296
1297                 BT_DBG("frag %p len %d", *frag, tmp->len);
1298
1299                 frag = &(*frag)->next;
1300         }
1301
1302         lock_sock(sk);
1303
1304         if (sk->sk_state == BT_CONNECTED)
1305                 err = iso_send_frame(sk, skb);
1306         else
1307                 err = -ENOTCONN;
1308
1309         release_sock(sk);
1310
1311         if (err < 0)
1312                 kfree_skb(skb);
1313         return err;
1314 }
1315
1316 static void iso_conn_defer_accept(struct hci_conn *conn)
1317 {
1318         struct hci_cp_le_accept_cis cp;
1319         struct hci_dev *hdev = conn->hdev;
1320
1321         BT_DBG("conn %p", conn);
1322
1323         conn->state = BT_CONFIG;
1324
1325         cp.handle = cpu_to_le16(conn->handle);
1326
1327         hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
1328 }
1329
1330 static void iso_conn_big_sync(struct sock *sk)
1331 {
1332         int err;
1333         struct hci_dev *hdev;
1334
1335         hdev = hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src,
1336                              iso_pi(sk)->src_type);
1337
1338         if (!hdev)
1339                 return;
1340
1341         if (!test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) {
1342                 err = hci_le_big_create_sync(hdev, iso_pi(sk)->conn->hcon,
1343                                              &iso_pi(sk)->qos,
1344                                              iso_pi(sk)->sync_handle,
1345                                              iso_pi(sk)->bc_num_bis,
1346                                              iso_pi(sk)->bc_bis);
1347                 if (err)
1348                         bt_dev_err(hdev, "hci_le_big_create_sync: %d",
1349                                    err);
1350         }
1351 }
1352
1353 static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1354                             size_t len, int flags)
1355 {
1356         struct sock *sk = sock->sk;
1357         struct iso_pinfo *pi = iso_pi(sk);
1358
1359         BT_DBG("sk %p", sk);
1360
1361         if (test_and_clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
1362                 lock_sock(sk);
1363                 switch (sk->sk_state) {
1364                 case BT_CONNECT2:
1365                         if (pi->conn->hcon &&
1366                             test_bit(HCI_CONN_PA_SYNC, &pi->conn->hcon->flags)) {
1367                                 iso_conn_big_sync(sk);
1368                                 sk->sk_state = BT_LISTEN;
1369                         } else {
1370                                 iso_conn_defer_accept(pi->conn->hcon);
1371                                 sk->sk_state = BT_CONFIG;
1372                         }
1373                         release_sock(sk);
1374                         return 0;
1375                 case BT_CONNECT:
1376                         release_sock(sk);
1377                         return iso_connect_cis(sk);
1378                 default:
1379                         release_sock(sk);
1380                         break;
1381                 }
1382         }
1383
1384         return bt_sock_recvmsg(sock, msg, len, flags);
1385 }
1386
1387 static bool check_io_qos(struct bt_iso_io_qos *qos)
1388 {
1389         /* If no PHY is enable SDU must be 0 */
1390         if (!qos->phy && qos->sdu)
1391                 return false;
1392
1393         if (qos->interval && (qos->interval < 0xff || qos->interval > 0xfffff))
1394                 return false;
1395
1396         if (qos->latency && (qos->latency < 0x05 || qos->latency > 0xfa0))
1397                 return false;
1398
1399         if (qos->phy > BT_ISO_PHY_ANY)
1400                 return false;
1401
1402         return true;
1403 }
1404
1405 static bool check_ucast_qos(struct bt_iso_qos *qos)
1406 {
1407         if (qos->ucast.cig > 0xef && qos->ucast.cig != BT_ISO_QOS_CIG_UNSET)
1408                 return false;
1409
1410         if (qos->ucast.cis > 0xef && qos->ucast.cis != BT_ISO_QOS_CIS_UNSET)
1411                 return false;
1412
1413         if (qos->ucast.sca > 0x07)
1414                 return false;
1415
1416         if (qos->ucast.packing > 0x01)
1417                 return false;
1418
1419         if (qos->ucast.framing > 0x01)
1420                 return false;
1421
1422         if (!check_io_qos(&qos->ucast.in))
1423                 return false;
1424
1425         if (!check_io_qos(&qos->ucast.out))
1426                 return false;
1427
1428         return true;
1429 }
1430
1431 static bool check_bcast_qos(struct bt_iso_qos *qos)
1432 {
1433         if (!qos->bcast.sync_factor)
1434                 qos->bcast.sync_factor = 0x01;
1435
1436         if (qos->bcast.packing > 0x01)
1437                 return false;
1438
1439         if (qos->bcast.framing > 0x01)
1440                 return false;
1441
1442         if (!check_io_qos(&qos->bcast.in))
1443                 return false;
1444
1445         if (!check_io_qos(&qos->bcast.out))
1446                 return false;
1447
1448         if (qos->bcast.encryption > 0x01)
1449                 return false;
1450
1451         if (qos->bcast.options > 0x07)
1452                 return false;
1453
1454         if (qos->bcast.skip > 0x01f3)
1455                 return false;
1456
1457         if (!qos->bcast.sync_timeout)
1458                 qos->bcast.sync_timeout = BT_ISO_SYNC_TIMEOUT;
1459
1460         if (qos->bcast.sync_timeout < 0x000a || qos->bcast.sync_timeout > 0x4000)
1461                 return false;
1462
1463         if (qos->bcast.sync_cte_type > 0x1f)
1464                 return false;
1465
1466         if (qos->bcast.mse > 0x1f)
1467                 return false;
1468
1469         if (!qos->bcast.timeout)
1470                 qos->bcast.sync_timeout = BT_ISO_SYNC_TIMEOUT;
1471
1472         if (qos->bcast.timeout < 0x000a || qos->bcast.timeout > 0x4000)
1473                 return false;
1474
1475         return true;
1476 }
1477
1478 static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
1479                                sockptr_t optval, unsigned int optlen)
1480 {
1481         struct sock *sk = sock->sk;
1482         int err = 0;
1483         struct bt_iso_qos qos = default_qos;
1484         u32 opt;
1485
1486         BT_DBG("sk %p", sk);
1487
1488         lock_sock(sk);
1489
1490         switch (optname) {
1491         case BT_DEFER_SETUP:
1492                 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1493                         err = -EINVAL;
1494                         break;
1495                 }
1496
1497                 err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
1498                 if (err)
1499                         break;
1500
1501                 if (opt)
1502                         set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
1503                 else
1504                         clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
1505                 break;
1506
1507         case BT_PKT_STATUS:
1508                 err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
1509                 if (err)
1510                         break;
1511
1512                 if (opt)
1513                         set_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags);
1514                 else
1515                         clear_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags);
1516                 break;
1517
1518         case BT_ISO_QOS:
1519                 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND &&
1520                     sk->sk_state != BT_CONNECT2) {
1521                         err = -EINVAL;
1522                         break;
1523                 }
1524
1525                 err = bt_copy_from_sockptr(&qos, sizeof(qos), optval, optlen);
1526                 if (err)
1527                         break;
1528
1529                 iso_pi(sk)->qos = qos;
1530                 iso_pi(sk)->qos_user_set = true;
1531
1532                 break;
1533
1534         case BT_ISO_BASE:
1535                 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND &&
1536                     sk->sk_state != BT_CONNECT2) {
1537                         err = -EINVAL;
1538                         break;
1539                 }
1540
1541                 if (optlen > sizeof(iso_pi(sk)->base)) {
1542                         err = -EINVAL;
1543                         break;
1544                 }
1545
1546                 err = bt_copy_from_sockptr(iso_pi(sk)->base, optlen, optval,
1547                                            optlen);
1548                 if (err)
1549                         break;
1550
1551                 iso_pi(sk)->base_len = optlen;
1552
1553                 break;
1554
1555         default:
1556                 err = -ENOPROTOOPT;
1557                 break;
1558         }
1559
1560         release_sock(sk);
1561         return err;
1562 }
1563
1564 static int iso_sock_getsockopt(struct socket *sock, int level, int optname,
1565                                char __user *optval, int __user *optlen)
1566 {
1567         struct sock *sk = sock->sk;
1568         int len, err = 0;
1569         struct bt_iso_qos *qos;
1570         u8 base_len;
1571         u8 *base;
1572
1573         BT_DBG("sk %p", sk);
1574
1575         if (get_user(len, optlen))
1576                 return -EFAULT;
1577
1578         lock_sock(sk);
1579
1580         switch (optname) {
1581         case BT_DEFER_SETUP:
1582                 if (sk->sk_state == BT_CONNECTED) {
1583                         err = -EINVAL;
1584                         break;
1585                 }
1586
1587                 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
1588                              (u32 __user *)optval))
1589                         err = -EFAULT;
1590
1591                 break;
1592
1593         case BT_PKT_STATUS:
1594                 if (put_user(test_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags),
1595                              (int __user *)optval))
1596                         err = -EFAULT;
1597                 break;
1598
1599         case BT_ISO_QOS:
1600                 qos = iso_sock_get_qos(sk);
1601
1602                 len = min_t(unsigned int, len, sizeof(*qos));
1603                 if (copy_to_user(optval, qos, len))
1604                         err = -EFAULT;
1605
1606                 break;
1607
1608         case BT_ISO_BASE:
1609                 if (sk->sk_state == BT_CONNECTED &&
1610                     !bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) {
1611                         base_len = iso_pi(sk)->conn->hcon->le_per_adv_data_len;
1612                         base = iso_pi(sk)->conn->hcon->le_per_adv_data;
1613                 } else {
1614                         base_len = iso_pi(sk)->base_len;
1615                         base = iso_pi(sk)->base;
1616                 }
1617
1618                 len = min_t(unsigned int, len, base_len);
1619                 if (copy_to_user(optval, base, len))
1620                         err = -EFAULT;
1621                 if (put_user(len, optlen))
1622                         err = -EFAULT;
1623
1624                 break;
1625
1626         default:
1627                 err = -ENOPROTOOPT;
1628                 break;
1629         }
1630
1631         release_sock(sk);
1632         return err;
1633 }
1634
1635 static int iso_sock_shutdown(struct socket *sock, int how)
1636 {
1637         struct sock *sk = sock->sk;
1638         int err = 0;
1639
1640         BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1641
1642         if (!sk)
1643                 return 0;
1644
1645         sock_hold(sk);
1646         lock_sock(sk);
1647
1648         switch (how) {
1649         case SHUT_RD:
1650                 if (sk->sk_shutdown & RCV_SHUTDOWN)
1651                         goto unlock;
1652                 sk->sk_shutdown |= RCV_SHUTDOWN;
1653                 break;
1654         case SHUT_WR:
1655                 if (sk->sk_shutdown & SEND_SHUTDOWN)
1656                         goto unlock;
1657                 sk->sk_shutdown |= SEND_SHUTDOWN;
1658                 break;
1659         case SHUT_RDWR:
1660                 if (sk->sk_shutdown & SHUTDOWN_MASK)
1661                         goto unlock;
1662                 sk->sk_shutdown |= SHUTDOWN_MASK;
1663                 break;
1664         }
1665
1666         iso_sock_clear_timer(sk);
1667         __iso_sock_close(sk);
1668
1669         if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1670             !(current->flags & PF_EXITING))
1671                 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
1672
1673 unlock:
1674         release_sock(sk);
1675         sock_put(sk);
1676
1677         return err;
1678 }
1679
1680 static int iso_sock_release(struct socket *sock)
1681 {
1682         struct sock *sk = sock->sk;
1683         int err = 0;
1684
1685         BT_DBG("sock %p, sk %p", sock, sk);
1686
1687         if (!sk)
1688                 return 0;
1689
1690         iso_sock_close(sk);
1691
1692         if (sock_flag(sk, SOCK_LINGER) && READ_ONCE(sk->sk_lingertime) &&
1693             !(current->flags & PF_EXITING)) {
1694                 lock_sock(sk);
1695                 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
1696                 release_sock(sk);
1697         }
1698
1699         sock_orphan(sk);
1700         iso_sock_kill(sk);
1701         return err;
1702 }
1703
1704 static void iso_sock_ready(struct sock *sk)
1705 {
1706         BT_DBG("sk %p", sk);
1707
1708         if (!sk)
1709                 return;
1710
1711         lock_sock(sk);
1712         iso_sock_clear_timer(sk);
1713         sk->sk_state = BT_CONNECTED;
1714         sk->sk_state_change(sk);
1715         release_sock(sk);
1716 }
1717
1718 struct iso_list_data {
1719         struct hci_conn *hcon;
1720         int count;
1721 };
1722
1723 static bool iso_match_big(struct sock *sk, void *data)
1724 {
1725         struct hci_evt_le_big_sync_estabilished *ev = data;
1726
1727         return ev->handle == iso_pi(sk)->qos.bcast.big;
1728 }
1729
1730 static bool iso_match_pa_sync_flag(struct sock *sk, void *data)
1731 {
1732         return test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags);
1733 }
1734
1735 static void iso_conn_ready(struct iso_conn *conn)
1736 {
1737         struct sock *parent = NULL;
1738         struct sock *sk = conn->sk;
1739         struct hci_ev_le_big_sync_estabilished *ev = NULL;
1740         struct hci_ev_le_pa_sync_established *ev2 = NULL;
1741         struct hci_evt_le_big_info_adv_report *ev3 = NULL;
1742         struct hci_conn *hcon;
1743
1744         BT_DBG("conn %p", conn);
1745
1746         if (sk) {
1747                 iso_sock_ready(conn->sk);
1748         } else {
1749                 hcon = conn->hcon;
1750                 if (!hcon)
1751                         return;
1752
1753                 if (test_bit(HCI_CONN_BIG_SYNC, &hcon->flags) ||
1754                     test_bit(HCI_CONN_BIG_SYNC_FAILED, &hcon->flags)) {
1755                         ev = hci_recv_event_data(hcon->hdev,
1756                                                  HCI_EVT_LE_BIG_SYNC_ESTABILISHED);
1757
1758                         /* Get reference to PA sync parent socket, if it exists */
1759                         parent = iso_get_sock_listen(&hcon->src,
1760                                                      &hcon->dst,
1761                                                      iso_match_pa_sync_flag, NULL);
1762                         if (!parent && ev)
1763                                 parent = iso_get_sock_listen(&hcon->src,
1764                                                              &hcon->dst,
1765                                                              iso_match_big, ev);
1766                 } else if (test_bit(HCI_CONN_PA_SYNC_FAILED, &hcon->flags)) {
1767                         ev2 = hci_recv_event_data(hcon->hdev,
1768                                                   HCI_EV_LE_PA_SYNC_ESTABLISHED);
1769                         if (ev2)
1770                                 parent = iso_get_sock_listen(&hcon->src,
1771                                                              &hcon->dst,
1772                                                              iso_match_sid, ev2);
1773                 } else if (test_bit(HCI_CONN_PA_SYNC, &hcon->flags)) {
1774                         ev3 = hci_recv_event_data(hcon->hdev,
1775                                                   HCI_EVT_LE_BIG_INFO_ADV_REPORT);
1776                         if (ev3)
1777                                 parent = iso_get_sock_listen(&hcon->src,
1778                                                              &hcon->dst,
1779                                                              iso_match_sync_handle, ev3);
1780                 }
1781
1782                 if (!parent)
1783                         parent = iso_get_sock_listen(&hcon->src,
1784                                                         BDADDR_ANY, NULL, NULL);
1785
1786                 if (!parent)
1787                         return;
1788
1789                 lock_sock(parent);
1790
1791                 sk = iso_sock_alloc(sock_net(parent), NULL,
1792                                     BTPROTO_ISO, GFP_ATOMIC, 0);
1793                 if (!sk) {
1794                         release_sock(parent);
1795                         return;
1796                 }
1797
1798                 iso_sock_init(sk, parent);
1799
1800                 bacpy(&iso_pi(sk)->src, &hcon->src);
1801
1802                 /* Convert from HCI to three-value type */
1803                 if (hcon->src_type == ADDR_LE_DEV_PUBLIC)
1804                         iso_pi(sk)->src_type = BDADDR_LE_PUBLIC;
1805                 else
1806                         iso_pi(sk)->src_type = BDADDR_LE_RANDOM;
1807
1808                 /* If hcon has no destination address (BDADDR_ANY) it means it
1809                  * was created by HCI_EV_LE_BIG_SYNC_ESTABILISHED or
1810                  * HCI_EV_LE_PA_SYNC_ESTABLISHED so we need to initialize using
1811                  * the parent socket destination address.
1812                  */
1813                 if (!bacmp(&hcon->dst, BDADDR_ANY)) {
1814                         bacpy(&hcon->dst, &iso_pi(parent)->dst);
1815                         hcon->dst_type = iso_pi(parent)->dst_type;
1816                         hcon->sync_handle = iso_pi(parent)->sync_handle;
1817                 }
1818
1819                 if (ev3) {
1820                         iso_pi(sk)->qos = iso_pi(parent)->qos;
1821                         iso_pi(sk)->qos.bcast.encryption = ev3->encryption;
1822                         hcon->iso_qos = iso_pi(sk)->qos;
1823                         iso_pi(sk)->bc_num_bis = iso_pi(parent)->bc_num_bis;
1824                         memcpy(iso_pi(sk)->bc_bis, iso_pi(parent)->bc_bis, ISO_MAX_NUM_BIS);
1825                         set_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags);
1826                 }
1827
1828                 bacpy(&iso_pi(sk)->dst, &hcon->dst);
1829                 iso_pi(sk)->dst_type = hcon->dst_type;
1830                 iso_pi(sk)->sync_handle = iso_pi(parent)->sync_handle;
1831                 memcpy(iso_pi(sk)->base, iso_pi(parent)->base, iso_pi(parent)->base_len);
1832                 iso_pi(sk)->base_len = iso_pi(parent)->base_len;
1833
1834                 hci_conn_hold(hcon);
1835                 iso_chan_add(conn, sk, parent);
1836
1837                 if ((ev && ((struct hci_evt_le_big_sync_estabilished *)ev)->status) ||
1838                     (ev2 && ev2->status)) {
1839                         /* Trigger error signal on child socket */
1840                         sk->sk_err = ECONNREFUSED;
1841                         sk->sk_error_report(sk);
1842                 }
1843
1844                 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
1845                         sk->sk_state = BT_CONNECT2;
1846                 else
1847                         sk->sk_state = BT_CONNECTED;
1848
1849                 /* Wake up parent */
1850                 parent->sk_data_ready(parent);
1851
1852                 release_sock(parent);
1853                 sock_put(parent);
1854         }
1855 }
1856
1857 static bool iso_match_sid(struct sock *sk, void *data)
1858 {
1859         struct hci_ev_le_pa_sync_established *ev = data;
1860
1861         return ev->sid == iso_pi(sk)->bc_sid;
1862 }
1863
1864 static bool iso_match_sync_handle(struct sock *sk, void *data)
1865 {
1866         struct hci_evt_le_big_info_adv_report *ev = data;
1867
1868         return le16_to_cpu(ev->sync_handle) == iso_pi(sk)->sync_handle;
1869 }
1870
1871 static bool iso_match_sync_handle_pa_report(struct sock *sk, void *data)
1872 {
1873         struct hci_ev_le_per_adv_report *ev = data;
1874
1875         return le16_to_cpu(ev->sync_handle) == iso_pi(sk)->sync_handle;
1876 }
1877
1878 /* ----- ISO interface with lower layer (HCI) ----- */
1879
1880 int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
1881 {
1882         struct hci_ev_le_pa_sync_established *ev1;
1883         struct hci_evt_le_big_info_adv_report *ev2;
1884         struct hci_ev_le_per_adv_report *ev3;
1885         struct sock *sk;
1886         int lm = 0;
1887
1888         bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
1889
1890         /* Broadcast receiver requires handling of some events before it can
1891          * proceed to establishing a BIG sync:
1892          *
1893          * 1. HCI_EV_LE_PA_SYNC_ESTABLISHED: The socket may specify a specific
1894          * SID to listen to and once sync is estabilished its handle needs to
1895          * be stored in iso_pi(sk)->sync_handle so it can be matched once
1896          * receiving the BIG Info.
1897          * 2. HCI_EVT_LE_BIG_INFO_ADV_REPORT: When connect_ind is triggered by a
1898          * a BIG Info it attempts to check if there any listening socket with
1899          * the same sync_handle and if it does then attempt to create a sync.
1900          * 3. HCI_EV_LE_PER_ADV_REPORT: When a PA report is received, it is stored
1901          * in iso_pi(sk)->base so it can be passed up to user, in the case of a
1902          * broadcast sink.
1903          */
1904         ev1 = hci_recv_event_data(hdev, HCI_EV_LE_PA_SYNC_ESTABLISHED);
1905         if (ev1) {
1906                 sk = iso_get_sock_listen(&hdev->bdaddr, bdaddr, iso_match_sid,
1907                                          ev1);
1908                 if (sk && !ev1->status)
1909                         iso_pi(sk)->sync_handle = le16_to_cpu(ev1->handle);
1910
1911                 goto done;
1912         }
1913
1914         ev2 = hci_recv_event_data(hdev, HCI_EVT_LE_BIG_INFO_ADV_REPORT);
1915         if (ev2) {
1916                 /* Try to get PA sync listening socket, if it exists */
1917                 sk = iso_get_sock_listen(&hdev->bdaddr, bdaddr,
1918                                                 iso_match_pa_sync_flag, NULL);
1919
1920                 if (!sk) {
1921                         sk = iso_get_sock_listen(&hdev->bdaddr, bdaddr,
1922                                                  iso_match_sync_handle, ev2);
1923
1924                         /* If PA Sync is in process of terminating,
1925                          * do not handle any more BIGInfo adv reports.
1926                          */
1927
1928                         if (sk && test_bit(BT_SK_PA_SYNC_TERM,
1929                                            &iso_pi(sk)->flags))
1930                                 return lm;
1931                 }
1932
1933                 if (sk) {
1934                         int err;
1935
1936                         if (ev2->num_bis < iso_pi(sk)->bc_num_bis)
1937                                 iso_pi(sk)->bc_num_bis = ev2->num_bis;
1938
1939                         if (!test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags) &&
1940                             !test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) {
1941                                 err = hci_le_big_create_sync(hdev, NULL,
1942                                                              &iso_pi(sk)->qos,
1943                                                              iso_pi(sk)->sync_handle,
1944                                                              iso_pi(sk)->bc_num_bis,
1945                                                              iso_pi(sk)->bc_bis);
1946                                 if (err) {
1947                                         bt_dev_err(hdev, "hci_le_big_create_sync: %d",
1948                                                    err);
1949                                         sock_put(sk);
1950                                         sk = NULL;
1951                                 }
1952                         }
1953                 }
1954         }
1955
1956         ev3 = hci_recv_event_data(hdev, HCI_EV_LE_PER_ADV_REPORT);
1957         if (ev3) {
1958                 size_t base_len = ev3->length;
1959                 u8 *base;
1960
1961                 sk = iso_get_sock_listen(&hdev->bdaddr, bdaddr,
1962                                          iso_match_sync_handle_pa_report, ev3);
1963                 base = eir_get_service_data(ev3->data, ev3->length,
1964                                             EIR_BAA_SERVICE_UUID, &base_len);
1965                 if (base && sk && base_len <= sizeof(iso_pi(sk)->base)) {
1966                         memcpy(iso_pi(sk)->base, base, base_len);
1967                         iso_pi(sk)->base_len = base_len;
1968                 }
1969         } else {
1970                 sk = iso_get_sock_listen(&hdev->bdaddr, BDADDR_ANY, NULL, NULL);
1971         }
1972
1973 done:
1974         if (!sk)
1975                 return lm;
1976
1977         lm |= HCI_LM_ACCEPT;
1978
1979         if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
1980                 *flags |= HCI_PROTO_DEFER;
1981
1982         sock_put(sk);
1983
1984         return lm;
1985 }
1986
1987 static void iso_connect_cfm(struct hci_conn *hcon, __u8 status)
1988 {
1989         if (hcon->type != ISO_LINK) {
1990                 if (hcon->type != LE_LINK)
1991                         return;
1992
1993                 /* Check if LE link has failed */
1994                 if (status) {
1995                         struct hci_link *link, *t;
1996
1997                         list_for_each_entry_safe(link, t, &hcon->link_list,
1998                                                  list)
1999                                 iso_conn_del(link->conn, bt_to_errno(status));
2000
2001                         return;
2002                 }
2003
2004                 /* Create CIS if pending */
2005                 hci_le_create_cis_pending(hcon->hdev);
2006                 return;
2007         }
2008
2009         BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
2010
2011         /* Similar to the success case, if HCI_CONN_BIG_SYNC_FAILED or
2012          * HCI_CONN_PA_SYNC_FAILED is set, queue the failed connection
2013          * into the accept queue of the listening socket and wake up
2014          * userspace, to inform the user about the event.
2015          */
2016         if (!status || test_bit(HCI_CONN_BIG_SYNC_FAILED, &hcon->flags) ||
2017             test_bit(HCI_CONN_PA_SYNC_FAILED, &hcon->flags)) {
2018                 struct iso_conn *conn;
2019
2020                 conn = iso_conn_add(hcon);
2021                 if (conn)
2022                         iso_conn_ready(conn);
2023         } else {
2024                 iso_conn_del(hcon, bt_to_errno(status));
2025         }
2026 }
2027
2028 static void iso_disconn_cfm(struct hci_conn *hcon, __u8 reason)
2029 {
2030         if (hcon->type != ISO_LINK)
2031                 return;
2032
2033         BT_DBG("hcon %p reason %d", hcon, reason);
2034
2035         iso_conn_del(hcon, bt_to_errno(reason));
2036 }
2037
2038 void iso_recv(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
2039 {
2040         struct iso_conn *conn = hcon->iso_data;
2041         __u16 pb, ts, len;
2042
2043         if (!conn)
2044                 goto drop;
2045
2046         pb     = hci_iso_flags_pb(flags);
2047         ts     = hci_iso_flags_ts(flags);
2048
2049         BT_DBG("conn %p len %d pb 0x%x ts 0x%x", conn, skb->len, pb, ts);
2050
2051         switch (pb) {
2052         case ISO_START:
2053         case ISO_SINGLE:
2054                 if (conn->rx_len) {
2055                         BT_ERR("Unexpected start frame (len %d)", skb->len);
2056                         kfree_skb(conn->rx_skb);
2057                         conn->rx_skb = NULL;
2058                         conn->rx_len = 0;
2059                 }
2060
2061                 if (ts) {
2062                         struct hci_iso_ts_data_hdr *hdr;
2063
2064                         /* TODO: add timestamp to the packet? */
2065                         hdr = skb_pull_data(skb, HCI_ISO_TS_DATA_HDR_SIZE);
2066                         if (!hdr) {
2067                                 BT_ERR("Frame is too short (len %d)", skb->len);
2068                                 goto drop;
2069                         }
2070
2071                         len = __le16_to_cpu(hdr->slen);
2072                 } else {
2073                         struct hci_iso_data_hdr *hdr;
2074
2075                         hdr = skb_pull_data(skb, HCI_ISO_DATA_HDR_SIZE);
2076                         if (!hdr) {
2077                                 BT_ERR("Frame is too short (len %d)", skb->len);
2078                                 goto drop;
2079                         }
2080
2081                         len = __le16_to_cpu(hdr->slen);
2082                 }
2083
2084                 flags  = hci_iso_data_flags(len);
2085                 len    = hci_iso_data_len(len);
2086
2087                 BT_DBG("Start: total len %d, frag len %d flags 0x%4.4x", len,
2088                        skb->len, flags);
2089
2090                 if (len == skb->len) {
2091                         /* Complete frame received */
2092                         hci_skb_pkt_status(skb) = flags & 0x03;
2093                         iso_recv_frame(conn, skb);
2094                         return;
2095                 }
2096
2097                 if (pb == ISO_SINGLE) {
2098                         BT_ERR("Frame malformed (len %d, expected len %d)",
2099                                skb->len, len);
2100                         goto drop;
2101                 }
2102
2103                 if (skb->len > len) {
2104                         BT_ERR("Frame is too long (len %d, expected len %d)",
2105                                skb->len, len);
2106                         goto drop;
2107                 }
2108
2109                 /* Allocate skb for the complete frame (with header) */
2110                 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
2111                 if (!conn->rx_skb)
2112                         goto drop;
2113
2114                 hci_skb_pkt_status(conn->rx_skb) = flags & 0x03;
2115                 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2116                                           skb->len);
2117                 conn->rx_len = len - skb->len;
2118                 break;
2119
2120         case ISO_CONT:
2121                 BT_DBG("Cont: frag len %d (expecting %d)", skb->len,
2122                        conn->rx_len);
2123
2124                 if (!conn->rx_len) {
2125                         BT_ERR("Unexpected continuation frame (len %d)",
2126                                skb->len);
2127                         goto drop;
2128                 }
2129
2130                 if (skb->len > conn->rx_len) {
2131                         BT_ERR("Fragment is too long (len %d, expected %d)",
2132                                skb->len, conn->rx_len);
2133                         kfree_skb(conn->rx_skb);
2134                         conn->rx_skb = NULL;
2135                         conn->rx_len = 0;
2136                         goto drop;
2137                 }
2138
2139                 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2140                                           skb->len);
2141                 conn->rx_len -= skb->len;
2142                 return;
2143
2144         case ISO_END:
2145                 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2146                                           skb->len);
2147                 conn->rx_len -= skb->len;
2148
2149                 if (!conn->rx_len) {
2150                         struct sk_buff *rx_skb = conn->rx_skb;
2151
2152                         /* Complete frame received. iso_recv_frame
2153                          * takes ownership of the skb so set the global
2154                          * rx_skb pointer to NULL first.
2155                          */
2156                         conn->rx_skb = NULL;
2157                         iso_recv_frame(conn, rx_skb);
2158                 }
2159                 break;
2160         }
2161
2162 drop:
2163         kfree_skb(skb);
2164 }
2165
2166 static struct hci_cb iso_cb = {
2167         .name           = "ISO",
2168         .connect_cfm    = iso_connect_cfm,
2169         .disconn_cfm    = iso_disconn_cfm,
2170 };
2171
2172 static int iso_debugfs_show(struct seq_file *f, void *p)
2173 {
2174         struct sock *sk;
2175
2176         read_lock(&iso_sk_list.lock);
2177
2178         sk_for_each(sk, &iso_sk_list.head) {
2179                 seq_printf(f, "%pMR %pMR %d\n", &iso_pi(sk)->src,
2180                            &iso_pi(sk)->dst, sk->sk_state);
2181         }
2182
2183         read_unlock(&iso_sk_list.lock);
2184
2185         return 0;
2186 }
2187
2188 DEFINE_SHOW_ATTRIBUTE(iso_debugfs);
2189
2190 static struct dentry *iso_debugfs;
2191
2192 static const struct proto_ops iso_sock_ops = {
2193         .family         = PF_BLUETOOTH,
2194         .owner          = THIS_MODULE,
2195         .release        = iso_sock_release,
2196         .bind           = iso_sock_bind,
2197         .connect        = iso_sock_connect,
2198         .listen         = iso_sock_listen,
2199         .accept         = iso_sock_accept,
2200         .getname        = iso_sock_getname,
2201         .sendmsg        = iso_sock_sendmsg,
2202         .recvmsg        = iso_sock_recvmsg,
2203         .poll           = bt_sock_poll,
2204         .ioctl          = bt_sock_ioctl,
2205         .mmap           = sock_no_mmap,
2206         .socketpair     = sock_no_socketpair,
2207         .shutdown       = iso_sock_shutdown,
2208         .setsockopt     = iso_sock_setsockopt,
2209         .getsockopt     = iso_sock_getsockopt
2210 };
2211
2212 static const struct net_proto_family iso_sock_family_ops = {
2213         .family = PF_BLUETOOTH,
2214         .owner  = THIS_MODULE,
2215         .create = iso_sock_create,
2216 };
2217
2218 static bool iso_inited;
2219
2220 bool iso_enabled(void)
2221 {
2222         return iso_inited;
2223 }
2224
2225 int iso_init(void)
2226 {
2227         int err;
2228
2229         BUILD_BUG_ON(sizeof(struct sockaddr_iso) > sizeof(struct sockaddr));
2230
2231         if (iso_inited)
2232                 return -EALREADY;
2233
2234         err = proto_register(&iso_proto, 0);
2235         if (err < 0)
2236                 return err;
2237
2238         err = bt_sock_register(BTPROTO_ISO, &iso_sock_family_ops);
2239         if (err < 0) {
2240                 BT_ERR("ISO socket registration failed");
2241                 goto error;
2242         }
2243
2244         err = bt_procfs_init(&init_net, "iso", &iso_sk_list, NULL);
2245         if (err < 0) {
2246                 BT_ERR("Failed to create ISO proc file");
2247                 bt_sock_unregister(BTPROTO_ISO);
2248                 goto error;
2249         }
2250
2251         BT_INFO("ISO socket layer initialized");
2252
2253         hci_register_cb(&iso_cb);
2254
2255         if (IS_ERR_OR_NULL(bt_debugfs))
2256                 return 0;
2257
2258         if (!iso_debugfs) {
2259                 iso_debugfs = debugfs_create_file("iso", 0444, bt_debugfs,
2260                                                   NULL, &iso_debugfs_fops);
2261         }
2262
2263         iso_inited = true;
2264
2265         return 0;
2266
2267 error:
2268         proto_unregister(&iso_proto);
2269         return err;
2270 }
2271
2272 int iso_exit(void)
2273 {
2274         if (!iso_inited)
2275                 return -EALREADY;
2276
2277         bt_procfs_cleanup(&init_net, "iso");
2278
2279         debugfs_remove(iso_debugfs);
2280         iso_debugfs = NULL;
2281
2282         hci_unregister_cb(&iso_cb);
2283
2284         bt_sock_unregister(BTPROTO_ISO);
2285
2286         proto_unregister(&iso_proto);
2287
2288         iso_inited = false;
2289
2290         return 0;
2291 }