Hi Pauli,
Hi,
ke, 2025-06-25 kello 16:42 +0800, Yang Li via B4 Relay kirjoitti:
From: Yang Li <yang.li@xxxxxxxxxxx>
When the BIS source stops, the controller sends an LE BIG Sync Lost
event (subevent 0x1E). Currently, this event is not handled, causing
the BIS stream to remain active in BlueZ and preventing recovery.
Signed-off-by: Yang Li <yang.li@xxxxxxxxxxx>
---
Changes in v2:
- Matching the BIG handle is required when looking up a BIG connection.
- Use ev->reason to determine the cause of disconnection.
- Call hci_conn_del after hci_disconnect_cfm to remove the connection entry
- Delete the big connection
- Link to v1: https://lore.kernel.org/r/20250624-handle_big_sync_lost_event-v1-1-c32ce37dd6a5@xxxxxxxxxxx
---
include/net/bluetooth/hci.h | 6 ++++++
net/bluetooth/hci_event.c | 31 +++++++++++++++++++++++++++++++
2 files changed, 37 insertions(+)
diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index 82cbd54443ac..48389a64accb 100644
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -2849,6 +2849,12 @@ struct hci_evt_le_big_sync_estabilished {
__le16 bis[];
} __packed;
+#define HCI_EVT_LE_BIG_SYNC_LOST 0x1e
+struct hci_evt_le_big_sync_lost {
+ __u8 handle;
+ __u8 reason;
+} __packed;
+
#define HCI_EVT_LE_BIG_INFO_ADV_REPORT 0x22
struct hci_evt_le_big_info_adv_report {
__le16 sync_handle;
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 66052d6aaa1d..d0b9c8dca891 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -7026,6 +7026,32 @@ static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
hci_dev_unlock(hdev);
}
+static void hci_le_big_sync_lost_evt(struct hci_dev *hdev, void *data,
+ struct sk_buff *skb)
+{
+ struct hci_evt_le_big_sync_lost *ev = data;
+ struct hci_conn *bis, *conn;
+
+ bt_dev_dbg(hdev, "big handle 0x%2.2x", ev->handle);
+
+ hci_dev_lock(hdev);
+
+ list_for_each_entry(bis, &hdev->conn_hash.list, list) {
This should check bis->type == BIS_LINK too.
Will do.
+ if (test_and_clear_bit(HCI_CONN_BIG_SYNC, &bis->flags) &&
+ (bis->iso_qos.bcast.big == ev->handle)) {
+ hci_disconn_cfm(bis, ev->reason);
+ hci_conn_del(bis);
+
+ /* Delete the big connection */
+ conn = hci_conn_hash_lookup_pa_sync_handle(hdev, bis->sync_handle);
+ if (conn)
+ hci_conn_del(conn);
Problems:
- use after free
- hci_conn_del() cannot be used inside list_for_each_entry()
of the connection list
- also list_for_each_entry_safe() allows deleting only the iteration
cursor, so some restructuring above is needed
Following your suggestion, I updated the hci_le_big_sync_lost_evt function.
+static void hci_le_big_sync_lost_evt(struct hci_dev *hdev, void *data,
+ struct sk_buff *skb)
+{
+ struct hci_evt_le_big_sync_lost *ev = data;
+ struct hci_conn *bis, *conn, *n;
+
+ bt_dev_dbg(hdev, "big handle 0x%2.2x", ev->handle);
+
+ hci_dev_lock(hdev);
+
+ /* Delete the pa sync connection */
+ bis = hci_conn_hash_lookup_pa_sync_big_handle(hdev, ev->handle);
+ if (bis) {
+ conn = hci_conn_hash_lookup_pa_sync_handle(hdev,
bis->sync_handle);
+ if (conn)
+ hci_conn_del(conn);
+ }
+
+ /* Delete each bis connection */
+ list_for_each_entry_safe(bis, n, &hdev->conn_hash.list, list) {
+ if (bis->type == BIS_LINK &&
+ bis->iso_qos.bcast.big == ev->handle &&
+ test_and_clear_bit(HCI_CONN_BIG_SYNC, &bis->flags)) {
+ hci_disconn_cfm(bis, ev->reason);
+ hci_conn_del(bis);
+ }
+ }
+
+ hci_dev_unlock(hdev);
+}
+ }
+ }
+
+ hci_dev_unlock(hdev);
+}
+
static void hci_le_big_info_adv_report_evt(struct hci_dev *hdev, void *data,
struct sk_buff *skb)
{
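Review bot: In the loop as posted in this hunk, `test_and_clear_bit(HCI_CONN_BIG_SYNC, &bis->flags)` is the left operand of `&&`, so it runs for every entry on `hdev->conn_hash.list` and clears the flag even when `bis->iso_qos.bcast.big` differs from `ev->handle`. A Sync Lost event for one BIG therefore strips the sync flag from connections that belong to other BIGs, and a later event for those BIGs would presumably skip them because the test then returns false. The handle comes from the controller, so do the side-effect-free comparison first: `if (bis->iso_qos.bcast.big == ev->handle && test_and_clear_bit(HCI_CONN_BIG_SYNC, &bis->flags)) {`. A short comment such as `/* match the BIG before test_and_clear_bit(): it modifies bis->flags */` would keep the order from being swapped back later.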
@@ -7149,6 +7175,11 @@ static const struct hci_le_ev {
hci_le_big_sync_established_evt,
sizeof(struct hci_evt_le_big_sync_estabilished),
HCI_MAX_EVENT_SIZE),
+ /* [0x1e = HCI_EVT_LE_BIG_SYNC_LOST] */
+ HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_LOST,
+ hci_le_big_sync_lost_evt,
+ sizeof(struct hci_evt_le_big_sync_lost),
+ HCI_MAX_EVENT_SIZE),
/* [0x22 = HCI_EVT_LE_BIG_INFO_ADV_REPORT] */
HCI_LE_EV_VL(HCI_EVT_LE_BIG_INFO_ADV_REPORT,
hci_le_big_info_adv_report_evt,
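Review bot: The new table entry registers this event through `HCI_LE_EV_VL` with `HCI_MAX_EVENT_SIZE` as the upper bound, although `struct hci_evt_le_big_sync_lost` has only the two fixed fields `handle` and `reason` and no variable-length tail. Declaring the exact size makes the table state what a well-formed packet looks like, so a controller packet with trailing bytes is not treated as the expected shape: `HCI_LE_EV(HCI_EVT_LE_BIG_SYNC_LOST, hci_le_big_sync_lost_evt, sizeof(struct hci_evt_le_big_sync_lost)),`. The event table starts and ends outside this hunk, so how the length bounds are enforced cannot be confirmed from here.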
---
base-commit: bd35cd12d915bc410c721ba28afcada16f0ebd16
change-id: 20250612-handle_big_sync_lost_event-4c7dc64390a2
Best regards,
--
Pauli Virtanen