1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
26 */
27
28 /* Bluetooth L2CAP sockets. */
29
30 #include <linux/module.h>
31 #include <linux/export.h>
32 #include <linux/sched/signal.h>
33
34 #include <net/bluetooth/bluetooth.h>
35 #include <net/bluetooth/hci_core.h>
36 #include <net/bluetooth/l2cap.h>
37
38 #include "smp.h"
39
40 static struct bt_sock_list l2cap_sk_list = {.lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)};
41
42 static const struct proto_ops l2cap_sock_ops;
43 static void l2cap_sock_init(struct sock *sk, struct sock *parent);
44 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio, int kern);
45
l2cap_is_socket(struct socket *sock)46 bool l2cap_is_socket(struct socket *sock)
47 {
48 return sock && sock->ops == &l2cap_sock_ops;
49 }
50 EXPORT_SYMBOL(l2cap_is_socket);
51
l2cap_validate_bredr_psm(u16 psm)52 static int l2cap_validate_bredr_psm(u16 psm)
53 {
54 /* PSM must be odd and lsb of upper byte must be 0 */
55 if ((psm & 0x0101) != 0x0001) {
56 return -EINVAL;
57 }
58
59 /* Restrict usage of well-known PSMs */
60 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE)) {
61 return -EACCES;
62 }
63
64 return 0;
65 }
66
l2cap_validate_le_psm(u16 psm)67 static int l2cap_validate_le_psm(u16 psm)
68 {
69 /* Valid LE_PSM ranges are defined only until 0x00ff */
70 if (psm > L2CAP_PSM_LE_DYN_END) {
71 return -EINVAL;
72 }
73
74 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
75 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE)) {
76 return -EACCES;
77 }
78
79 return 0;
80 }
81
l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)82 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
83 {
84 struct sock *sk = sock->sk;
85 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
86 struct sockaddr_l2 la;
87 int len, err = 0;
88
89 BT_DBG("sk %p", sk);
90
91 if (!addr || alen < offsetofend(struct sockaddr, sa_family) || addr->sa_family != AF_BLUETOOTH) {
92 return -EINVAL;
93 }
94
95 memset(&la, 0, sizeof(la));
96 len = min_t(unsigned int, sizeof(la), alen);
97 memcpy(&la, addr, len);
98
99 if (la.l2_cid && la.l2_psm) {
100 return -EINVAL;
101 }
102
103 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) {
104 return -EINVAL;
105 }
106
107 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
108 /* We only allow ATT user space socket */
109 if (la.l2_cid && la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) {
110 return -EINVAL;
111 }
112 }
113
114 lock_sock(sk);
115
116 if (sk->sk_state != BT_OPEN) {
117 err = -EBADFD;
118 goto done;
119 }
120
121 if (la.l2_psm) {
122 __u16 psm = __le16_to_cpu(la.l2_psm);
123
124 if (la.l2_bdaddr_type == BDADDR_BREDR) {
125 err = l2cap_validate_bredr_psm(psm);
126 } else {
127 err = l2cap_validate_le_psm(psm);
128 }
129
130 if (err) {
131 goto done;
132 }
133 }
134
135 bacpy(&chan->src, &la.l2_bdaddr);
136 chan->src_type = la.l2_bdaddr_type;
137
138 if (la.l2_cid) {
139 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
140 } else {
141 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
142 }
143
144 if (err < 0) {
145 goto done;
146 }
147
148 switch (chan->chan_type) {
149 case L2CAP_CHAN_CONN_LESS:
150 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP) {
151 chan->sec_level = BT_SECURITY_SDP;
152 }
153 break;
154 case L2CAP_CHAN_CONN_ORIENTED:
155 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP || __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM) {
156 chan->sec_level = BT_SECURITY_SDP;
157 }
158 break;
159 case L2CAP_CHAN_RAW:
160 chan->sec_level = BT_SECURITY_SDP;
161 break;
162 case L2CAP_CHAN_FIXED:
163 /* Fixed channels default to the L2CAP core not holding a
164 * hci_conn reference for them. For fixed channels mapping to
165 * L2CAP sockets we do want to hold a reference so set the
166 * appropriate flag to request it.
167 */
168 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
169 break;
170 }
171
172 if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
173 chan->mode != L2CAP_MODE_EXT_FLOWCTL) {
174 chan->mode = L2CAP_MODE_LE_FLOWCTL;
175 }
176
177 chan->state = BT_BOUND;
178 sk->sk_state = BT_BOUND;
179
180 done:
181 release_sock(sk);
182 return err;
183 }
184
l2cap_sock_init_pid(struct sock *sk)185 static void l2cap_sock_init_pid(struct sock *sk)
186 {
187 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
188 if (chan->mode != L2CAP_MODE_EXT_FLOWCTL)
189 return;
190 spin_lock(&sk->sk_peer_lock);
191 sk->sk_peer_pid = get_pid(task_tgid(current));
192 spin_unlock(&sk->sk_peer_lock);
193 }
194
l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)195 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
196 {
197 struct sock *sk = sock->sk;
198 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
199 struct sockaddr_l2 la;
200 int len, err = 0;
201 bool zapped;
202
203 BT_DBG("sk %p", sk);
204
205 lock_sock(sk);
206 zapped = sock_flag(sk, SOCK_ZAPPED);
207 release_sock(sk);
208
209 if (zapped) {
210 return -EINVAL;
211 }
212
213 if (!addr || alen < offsetofend(struct sockaddr, sa_family) || addr->sa_family != AF_BLUETOOTH) {
214 return -EINVAL;
215 }
216
217 memset(&la, 0, sizeof(la));
218 len = min_t(unsigned int, sizeof(la), alen);
219 memcpy(&la, addr, len);
220
221 if (la.l2_cid && la.l2_psm) {
222 return -EINVAL;
223 }
224
225 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) {
226 return -EINVAL;
227 }
228
229 /* Check that the socket wasn't bound to something that
230 * conflicts with the address given to connect(). If chan->src
231 * is BDADDR_ANY it means bind() was never used, in which case
232 * chan->src_type and la.l2_bdaddr_type do not need to match.
233 */
234 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) && bdaddr_type_is_le(la.l2_bdaddr_type)) {
235 /* Old user space versions will try to incorrectly bind
236 * the ATT socket using BDADDR_BREDR. We need to accept
237 * this and fix up the source address type only when
238 * both the source CID and destination CID indicate
239 * ATT. Anything else is an invalid combination.
240 */
241 if (chan->scid != L2CAP_CID_ATT || la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) {
242 return -EINVAL;
243 }
244
245 /* We don't have the hdev available here to make a
246 * better decision on random vs public, but since all
247 * user space versions that exhibit this issue anyway do
248 * not support random local addresses assuming public
249 * here is good enough.
250 */
251 chan->src_type = BDADDR_LE_PUBLIC;
252 }
253
254 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR) {
255 return -EINVAL;
256 }
257
258 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
259 /* We only allow ATT user space socket */
260 if (la.l2_cid && la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) {
261 return -EINVAL;
262 }
263 }
264
265 if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
266 chan->mode != L2CAP_MODE_EXT_FLOWCTL) {
267 chan->mode = L2CAP_MODE_LE_FLOWCTL;
268 }
269
270 l2cap_sock_init_pid(sk);
271
272 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid), &la.l2_bdaddr, la.l2_bdaddr_type);
273 if (err) {
274 return err;
275 }
276
277 lock_sock(sk);
278
279 err = bt_sock_wait_state(sk, BT_CONNECTED, sock_sndtimeo(sk, flags & O_NONBLOCK));
280
281 release_sock(sk);
282
283 return err;
284 }
285
l2cap_sock_listen(struct socket *sock, int backlog)286 static int l2cap_sock_listen(struct socket *sock, int backlog)
287 {
288 struct sock *sk = sock->sk;
289 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
290 int err = 0;
291
292 BT_DBG("sk %p backlog %d", sk, backlog);
293
294 lock_sock(sk);
295
296 if (sk->sk_state != BT_BOUND) {
297 err = -EBADFD;
298 goto done;
299 }
300
301 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
302 err = -EINVAL;
303 goto done;
304 }
305
306 switch (chan->mode) {
307 case L2CAP_MODE_BASIC:
308 case L2CAP_MODE_LE_FLOWCTL:
309 break;
310 case L2CAP_MODE_EXT_FLOWCTL:
311 if (!enable_ecred) {
312 err = -EOPNOTSUPP;
313 goto done;
314 }
315 break;
316 case L2CAP_MODE_ERTM:
317 case L2CAP_MODE_STREAMING:
318 if (!disable_ertm) {
319 break;
320 }
321 fallthrough;
322 default:
323 err = -EOPNOTSUPP;
324 goto done;
325 }
326
327 l2cap_sock_init_pid(sk);
328 sk->sk_max_ack_backlog = backlog;
329 sk->sk_ack_backlog = 0;
330
331 /* Listening channels need to use nested locking in order not to
332 * cause lockdep warnings when the created child channels end up
333 * being locked in the same thread as the parent channel.
334 */
335 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
336
337 chan->state = BT_LISTEN;
338 sk->sk_state = BT_LISTEN;
339
340 done:
341 release_sock(sk);
342 return err;
343 }
344
l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags, bool kern)345 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags, bool kern)
346 {
347 DEFINE_WAIT_FUNC(wait, woken_wake_function);
348 struct sock *sk = sock->sk, *nsk;
349 long timeo;
350 int err = 0;
351
352 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
353
354 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
355
356 BT_DBG("sk %p timeo %ld", sk, timeo);
357
358 /* Wait for an incoming connection. (wake-one). */
359 add_wait_queue_exclusive(sk_sleep(sk), &wait);
360 while (1) {
361 if (sk->sk_state != BT_LISTEN) {
362 err = -EBADFD;
363 break;
364 }
365
366 nsk = bt_accept_dequeue(sk, newsock);
367 if (nsk) {
368 break;
369 }
370
371 if (!timeo) {
372 err = -EAGAIN;
373 break;
374 }
375
376 if (signal_pending(current)) {
377 err = sock_intr_errno(timeo);
378 break;
379 }
380
381 release_sock(sk);
382
383 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
384
385 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
386 }
387 remove_wait_queue(sk_sleep(sk), &wait);
388
389 if (err) {
390 goto done;
391 }
392
393 newsock->state = SS_CONNECTED;
394
395 BT_DBG("new socket %p", nsk);
396
397 done:
398 release_sock(sk);
399 return err;
400 }
401
l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int peer)402 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int peer)
403 {
404 struct sockaddr_l2 *la = (struct sockaddr_l2 *)addr;
405 struct sock *sk = sock->sk;
406 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
407
408 BT_DBG("sock %p, sk %p", sock, sk);
409
410 if (peer && sk->sk_state != BT_CONNECTED && sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
411 sk->sk_state != BT_CONFIG) {
412 return -ENOTCONN;
413 }
414
415 memset(la, 0, sizeof(struct sockaddr_l2));
416 addr->sa_family = AF_BLUETOOTH;
417
418 la->l2_psm = chan->psm;
419
420 if (peer) {
421 bacpy(&la->l2_bdaddr, &chan->dst);
422 la->l2_cid = cpu_to_le16(chan->dcid);
423 la->l2_bdaddr_type = chan->dst_type;
424 } else {
425 bacpy(&la->l2_bdaddr, &chan->src);
426 la->l2_cid = cpu_to_le16(chan->scid);
427 la->l2_bdaddr_type = chan->src_type;
428 }
429
430 return sizeof(struct sockaddr_l2);
431 }
432
l2cap_get_mode(struct l2cap_chan *chan)433 static int l2cap_get_mode(struct l2cap_chan *chan)
434 {
435 switch (chan->mode) {
436 case L2CAP_MODE_BASIC:
437 return BT_MODE_BASIC;
438 case L2CAP_MODE_ERTM:
439 return BT_MODE_ERTM;
440 case L2CAP_MODE_STREAMING:
441 return BT_MODE_STREAMING;
442 case L2CAP_MODE_LE_FLOWCTL:
443 return BT_MODE_LE_FLOWCTL;
444 case L2CAP_MODE_EXT_FLOWCTL:
445 return BT_MODE_EXT_FLOWCTL;
446 }
447
448 return -EINVAL;
449 }
450
l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)451 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
452 {
453 struct sock *sk = sock->sk;
454 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
455 struct l2cap_options opts;
456 struct l2cap_conninfo cinfo;
457 int len, err = 0;
458 u32 opt;
459
460 BT_DBG("sk %p", sk);
461
462 if (get_user(len, optlen)) {
463 return -EFAULT;
464 }
465
466 lock_sock(sk);
467
468 switch (optname) {
469 case L2CAP_OPTIONS:
470 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
471 * legacy ATT code depends on getsockopt for
472 * L2CAP_OPTIONS we need to let this pass.
473 */
474 if (bdaddr_type_is_le(chan->src_type) && chan->scid != L2CAP_CID_ATT) {
475 err = -EINVAL;
476 break;
477 }
478
479 /* Only BR/EDR modes are supported here */
480 switch (chan->mode) {
481 case L2CAP_MODE_BASIC:
482 case L2CAP_MODE_ERTM:
483 case L2CAP_MODE_STREAMING:
484 break;
485 default:
486 err = -EINVAL;
487 break;
488 }
489
490 if (err < 0) {
491 break;
492 }
493
494 memset(&opts, 0, sizeof(opts));
495 opts.imtu = chan->imtu;
496 opts.omtu = chan->omtu;
497 opts.flush_to = chan->flush_to;
498 opts.mode = chan->mode;
499 opts.fcs = chan->fcs;
500 opts.max_tx = chan->max_tx;
501 opts.txwin_size = chan->tx_win;
502
503 BT_DBG("mode 0x%2.2x", chan->mode);
504
505 len = min_t(unsigned int, len, sizeof(opts));
506 if (copy_to_user(optval, (char *)&opts, len)) {
507 err = -EFAULT;
508 }
509
510 break;
511
512 case L2CAP_LM:
513 switch (chan->sec_level) {
514 case BT_SECURITY_LOW:
515 opt = L2CAP_LM_AUTH;
516 break;
517 case BT_SECURITY_MEDIUM:
518 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
519 break;
520 case BT_SECURITY_HIGH:
521 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT | L2CAP_LM_SECURE;
522 break;
523 case BT_SECURITY_FIPS:
524 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT | L2CAP_LM_SECURE | L2CAP_LM_FIPS;
525 break;
526 default:
527 opt = 0;
528 break;
529 }
530
531 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags)) {
532 opt |= L2CAP_LM_MASTER;
533 }
534
535 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags)) {
536 opt |= L2CAP_LM_RELIABLE;
537 }
538
539 if (put_user(opt, (u32 __user *)optval)) {
540 err = -EFAULT;
541 }
542
543 break;
544
545 case L2CAP_CONNINFO:
546 if (sk->sk_state != BT_CONNECTED &&
547 !(sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
548 err = -ENOTCONN;
549 break;
550 }
551
552 memset(&cinfo, 0, sizeof(cinfo));
553 cinfo.hci_handle = chan->conn->hcon->handle;
554 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
555
556 len = min_t(unsigned int, len, sizeof(cinfo));
557 if (copy_to_user(optval, (char *)&cinfo, len)) {
558 err = -EFAULT;
559 }
560
561 break;
562
563 default:
564 err = -ENOPROTOOPT;
565 break;
566 }
567
568 release_sock(sk);
569 return err;
570 }
571
l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)572 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
573 {
574 struct sock *sk = sock->sk;
575 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
576 struct bt_security sec;
577 struct bt_power pwr;
578 u32 phys;
579 int len, mode, err = 0;
580
581 BT_DBG("sk %p", sk);
582
583 if (level == SOL_L2CAP) {
584 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
585 }
586
587 if (level != SOL_BLUETOOTH) {
588 return -ENOPROTOOPT;
589 }
590
591 if (get_user(len, optlen)) {
592 return -EFAULT;
593 }
594
595 lock_sock(sk);
596
597 switch (optname) {
598 case BT_SECURITY:
599 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && chan->chan_type != L2CAP_CHAN_FIXED &&
600 chan->chan_type != L2CAP_CHAN_RAW) {
601 err = -EINVAL;
602 break;
603 }
604
605 memset(&sec, 0, sizeof(sec));
606 if (chan->conn) {
607 sec.level = chan->conn->hcon->sec_level;
608
609 if (sk->sk_state == BT_CONNECTED) {
610 sec.key_size = chan->conn->hcon->enc_key_size;
611 }
612 } else {
613 sec.level = chan->sec_level;
614 }
615
616 len = min_t(unsigned int, len, sizeof(sec));
617 if (copy_to_user(optval, (char *)&sec, len)) {
618 err = -EFAULT;
619 }
620
621 break;
622
623 case BT_DEFER_SETUP:
624 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
625 err = -EINVAL;
626 break;
627 }
628
629 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags), (u32 __user *)optval)) {
630 err = -EFAULT;
631 }
632
633 break;
634
635 case BT_FLUSHABLE:
636 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags), (u32 __user *)optval)) {
637 err = -EFAULT;
638 }
639
640 break;
641
642 case BT_POWER:
643 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM && sk->sk_type != SOCK_RAW) {
644 err = -EINVAL;
645 break;
646 }
647
648 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
649
650 len = min_t(unsigned int, len, sizeof(pwr));
651 if (copy_to_user(optval, (char *)&pwr, len)) {
652 err = -EFAULT;
653 }
654
655 break;
656
657 case BT_CHANNEL_POLICY:
658 if (put_user(chan->chan_policy, (u32 __user *)optval)) {
659 err = -EFAULT;
660 }
661 break;
662
663 case BT_SNDMTU:
664 if (!bdaddr_type_is_le(chan->src_type)) {
665 err = -EINVAL;
666 break;
667 }
668
669 if (sk->sk_state != BT_CONNECTED) {
670 err = -ENOTCONN;
671 break;
672 }
673
674 if (put_user(chan->omtu, (u16 __user *)optval)) {
675 err = -EFAULT;
676 }
677 break;
678
679 case BT_RCVMTU:
680 if (!bdaddr_type_is_le(chan->src_type)) {
681 err = -EINVAL;
682 break;
683 }
684
685 if (put_user(chan->imtu, (u16 __user *)optval)) {
686 err = -EFAULT;
687 }
688 break;
689
690 case BT_PHY:
691 if (sk->sk_state != BT_CONNECTED) {
692 err = -ENOTCONN;
693 break;
694 }
695
696 phys = hci_conn_get_phy(chan->conn->hcon);
697
698 if (put_user(phys, (u32 __user *)optval)) {
699 err = -EFAULT;
700 }
701 break;
702
703 case BT_MODE:
704 if (!enable_ecred) {
705 err = -ENOPROTOOPT;
706 break;
707 }
708
709 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
710 err = -EINVAL;
711 break;
712 }
713
714 mode = l2cap_get_mode(chan);
715 if (mode < 0) {
716 err = mode;
717 break;
718 }
719
720 if (put_user(mode, (u8 __user *)optval)) {
721 err = -EFAULT;
722 }
723 break;
724
725 default:
726 err = -ENOPROTOOPT;
727 break;
728 }
729
730 release_sock(sk);
731 return err;
732 }
733
l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)734 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
735 {
736 switch (chan->scid) {
737 case L2CAP_CID_ATT:
738 if (mtu < L2CAP_LE_MIN_MTU) {
739 return false;
740 }
741 break;
742
743 default:
744 if (mtu < L2CAP_DEFAULT_MIN_MTU) {
745 return false;
746 }
747 }
748
749 return true;
750 }
751
l2cap_sock_setsockopt_old(struct socket *sock, int optname, sockptr_t optval, unsigned int optlen)752 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, sockptr_t optval, unsigned int optlen)
753 {
754 struct sock *sk = sock->sk;
755 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
756 struct l2cap_options opts;
757 int len, err = 0;
758 u32 opt;
759
760 BT_DBG("sk %p", sk);
761
762 lock_sock(sk);
763
764 switch (optname) {
765 case L2CAP_OPTIONS:
766 if (bdaddr_type_is_le(chan->src_type)) {
767 err = -EINVAL;
768 break;
769 }
770
771 if (sk->sk_state == BT_CONNECTED) {
772 err = -EINVAL;
773 break;
774 }
775
776 opts.imtu = chan->imtu;
777 opts.omtu = chan->omtu;
778 opts.flush_to = chan->flush_to;
779 opts.mode = chan->mode;
780 opts.fcs = chan->fcs;
781 opts.max_tx = chan->max_tx;
782 opts.txwin_size = chan->tx_win;
783
784 len = min_t(unsigned int, sizeof(opts), optlen);
785 if (copy_from_sockptr(&opts, optval, len)) {
786 err = -EFAULT;
787 break;
788 }
789
790 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
791 err = -EINVAL;
792 break;
793 }
794
795 if (!l2cap_valid_mtu(chan, opts.imtu)) {
796 err = -EINVAL;
797 break;
798 }
799
800 /* Only BR/EDR modes are supported here */
801 switch (opts.mode) {
802 case L2CAP_MODE_BASIC:
803 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
804 break;
805 case L2CAP_MODE_ERTM:
806 case L2CAP_MODE_STREAMING:
807 if (!disable_ertm) {
808 break;
809 }
810 fallthrough;
811 default:
812 err = -EINVAL;
813 break;
814 }
815
816 if (err < 0) {
817 break;
818 }
819
820 chan->mode = opts.mode;
821
822 BT_DBG("mode 0x%2.2x", chan->mode);
823
824 chan->imtu = opts.imtu;
825 chan->omtu = opts.omtu;
826 chan->fcs = opts.fcs;
827 chan->max_tx = opts.max_tx;
828 chan->tx_win = opts.txwin_size;
829 chan->flush_to = opts.flush_to;
830 break;
831
832 case L2CAP_LM:
833 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
834 err = -EFAULT;
835 break;
836 }
837
838 if (opt & L2CAP_LM_FIPS) {
839 err = -EINVAL;
840 break;
841 }
842
843 if (opt & L2CAP_LM_AUTH) {
844 chan->sec_level = BT_SECURITY_LOW;
845 }
846 if (opt & L2CAP_LM_ENCRYPT) {
847 chan->sec_level = BT_SECURITY_MEDIUM;
848 }
849 if (opt & L2CAP_LM_SECURE) {
850 chan->sec_level = BT_SECURITY_HIGH;
851 }
852
853 if (opt & L2CAP_LM_MASTER) {
854 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
855 } else {
856 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
857 }
858
859 if (opt & L2CAP_LM_RELIABLE) {
860 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
861 } else {
862 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
863 }
864 break;
865
866 default:
867 err = -ENOPROTOOPT;
868 break;
869 }
870
871 release_sock(sk);
872 return err;
873 }
874
l2cap_set_mode(struct l2cap_chan *chan, u8 mode)875 static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode)
876 {
877 switch (mode) {
878 case BT_MODE_BASIC:
879 if (bdaddr_type_is_le(chan->src_type)) {
880 return -EINVAL;
881 }
882 mode = L2CAP_MODE_BASIC;
883 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
884 break;
885 case BT_MODE_ERTM:
886 if (!disable_ertm || bdaddr_type_is_le(chan->src_type)) {
887 return -EINVAL;
888 }
889 mode = L2CAP_MODE_ERTM;
890 break;
891 case BT_MODE_STREAMING:
892 if (!disable_ertm || bdaddr_type_is_le(chan->src_type)) {
893 return -EINVAL;
894 }
895 mode = L2CAP_MODE_STREAMING;
896 break;
897 case BT_MODE_LE_FLOWCTL:
898 if (!bdaddr_type_is_le(chan->src_type)) {
899 return -EINVAL;
900 }
901 mode = L2CAP_MODE_LE_FLOWCTL;
902 break;
903 case BT_MODE_EXT_FLOWCTL:
904 /* Add support for ECRED PDUs to BR/EDR */
905 if (!bdaddr_type_is_le(chan->src_type)) {
906 return -EINVAL;
907 }
908 mode = L2CAP_MODE_EXT_FLOWCTL;
909 break;
910 default:
911 return -EINVAL;
912 }
913
914 chan->mode = mode;
915
916 return 0;
917 }
918
l2cap_sock_setsockopt(struct socket *sock, int level, int optname, sockptr_t optval, unsigned int optlen)919 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, sockptr_t optval, unsigned int optlen)
920 {
921 struct sock *sk = sock->sk;
922 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
923 struct bt_security sec;
924 struct bt_power pwr;
925 struct l2cap_conn *conn;
926 int len, err = 0;
927 u32 opt;
928 u16 mtu;
929 u8 mode;
930
931 BT_DBG("sk %p", sk);
932
933 if (level == SOL_L2CAP) {
934 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
935 }
936
937 if (level != SOL_BLUETOOTH) {
938 return -ENOPROTOOPT;
939 }
940
941 lock_sock(sk);
942
943 switch (optname) {
944 case BT_SECURITY:
945 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && chan->chan_type != L2CAP_CHAN_FIXED &&
946 chan->chan_type != L2CAP_CHAN_RAW) {
947 err = -EINVAL;
948 break;
949 }
950
951 sec.level = BT_SECURITY_LOW;
952
953 len = min_t(unsigned int, sizeof(sec), optlen);
954 if (copy_from_sockptr(&sec, optval, len)) {
955 err = -EFAULT;
956 break;
957 }
958
959 if (sec.level < BT_SECURITY_LOW || sec.level > BT_SECURITY_FIPS) {
960 err = -EINVAL;
961 break;
962 }
963
964 chan->sec_level = sec.level;
965
966 if (!chan->conn) {
967 break;
968 }
969
970 conn = chan->conn;
971
972 /* change security for LE channels */
973 if (chan->scid == L2CAP_CID_ATT) {
974 if (smp_conn_security(conn->hcon, sec.level)) {
975 err = -EINVAL;
976 break;
977 }
978
979 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
980 sk->sk_state = BT_CONFIG;
981 chan->state = BT_CONFIG;
982
983 /* or for ACL link */
984 } else if ((sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
985 sk->sk_state == BT_CONNECTED) {
986 if (!l2cap_chan_check_security(chan, true)) {
987 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
988 } else {
989 sk->sk_state_change(sk);
990 }
991 } else {
992 err = -EINVAL;
993 }
994 break;
995
996 case BT_DEFER_SETUP:
997 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
998 err = -EINVAL;
999 break;
1000 }
1001
1002 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
1003 err = -EFAULT;
1004 break;
1005 }
1006
1007 if (opt) {
1008 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
1009 set_bit(FLAG_DEFER_SETUP, &chan->flags);
1010 } else {
1011 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
1012 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
1013 }
1014 break;
1015
1016 case BT_FLUSHABLE:
1017 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
1018 err = -EFAULT;
1019 break;
1020 }
1021
1022 if (opt > BT_FLUSHABLE_ON) {
1023 err = -EINVAL;
1024 break;
1025 }
1026
1027 if (opt == BT_FLUSHABLE_OFF) {
1028 conn = chan->conn;
1029 /* proceed further only when we have l2cap_conn and
1030 No Flush support in the LM */
1031 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
1032 err = -EINVAL;
1033 break;
1034 }
1035 }
1036
1037 if (opt) {
1038 set_bit(FLAG_FLUSHABLE, &chan->flags);
1039 } else {
1040 clear_bit(FLAG_FLUSHABLE, &chan->flags);
1041 }
1042 break;
1043
1044 case BT_POWER:
1045 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && chan->chan_type != L2CAP_CHAN_RAW) {
1046 err = -EINVAL;
1047 break;
1048 }
1049
1050 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
1051
1052 len = min_t(unsigned int, sizeof(pwr), optlen);
1053 if (copy_from_sockptr(&pwr, optval, len)) {
1054 err = -EFAULT;
1055 break;
1056 }
1057
1058 if (pwr.force_active) {
1059 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1060 } else {
1061 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1062 }
1063 break;
1064
1065 case BT_CHANNEL_POLICY:
1066 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
1067 err = -EFAULT;
1068 break;
1069 }
1070
1071 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
1072 err = -EINVAL;
1073 break;
1074 }
1075
1076 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING) {
1077 err = -EOPNOTSUPP;
1078 break;
1079 }
1080
1081 chan->chan_policy = (u8)opt;
1082
1083 if (sk->sk_state == BT_CONNECTED && chan->move_role == L2CAP_MOVE_ROLE_NONE) {
1084 l2cap_move_start(chan);
1085 }
1086
1087 break;
1088
1089 case BT_SNDMTU:
1090 if (!bdaddr_type_is_le(chan->src_type)) {
1091 err = -EINVAL;
1092 break;
1093 }
1094
1095 /* Setting is not supported as it's the remote side that
1096 * decides this.
1097 */
1098 err = -EPERM;
1099 break;
1100
1101 case BT_RCVMTU:
1102 if (!bdaddr_type_is_le(chan->src_type)) {
1103 err = -EINVAL;
1104 break;
1105 }
1106
1107 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && sk->sk_state == BT_CONNECTED) {
1108 err = -EISCONN;
1109 break;
1110 }
1111
1112 if (copy_from_sockptr(&mtu, optval, sizeof(u16))) {
1113 err = -EFAULT;
1114 break;
1115 }
1116
1117 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL && sk->sk_state == BT_CONNECTED) {
1118 err = l2cap_chan_reconfigure(chan, mtu);
1119 } else {
1120 chan->imtu = mtu;
1121 }
1122
1123 break;
1124
1125 case BT_MODE:
1126 if (!enable_ecred) {
1127 err = -ENOPROTOOPT;
1128 break;
1129 }
1130
1131 BT_DBG("sk->sk_state %u", sk->sk_state);
1132
1133 if (sk->sk_state != BT_BOUND) {
1134 err = -EINVAL;
1135 break;
1136 }
1137
1138 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1139 err = -EINVAL;
1140 break;
1141 }
1142
1143 if (copy_from_sockptr(&mode, optval, sizeof(u8))) {
1144 err = -EFAULT;
1145 break;
1146 }
1147
1148 BT_DBG("mode %u", mode);
1149
1150 err = l2cap_set_mode(chan, mode);
1151 if (err) {
1152 break;
1153 }
1154
1155 BT_DBG("mode 0x%2.2x", chan->mode);
1156
1157 break;
1158
1159 default:
1160 err = -ENOPROTOOPT;
1161 break;
1162 }
1163
1164 release_sock(sk);
1165 return err;
1166 }
1167
l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)1168 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
1169 {
1170 struct sock *sk = sock->sk;
1171 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1172 int err;
1173
1174 BT_DBG("sock %p, sk %p", sock, sk);
1175
1176 err = sock_error(sk);
1177 if (err) {
1178 return err;
1179 }
1180
1181 if (msg->msg_flags & MSG_OOB) {
1182 return -EOPNOTSUPP;
1183 }
1184
1185 if (sk->sk_state != BT_CONNECTED) {
1186 return -ENOTCONN;
1187 }
1188
1189 lock_sock(sk);
1190 err = bt_sock_wait_ready(sk, msg->msg_flags);
1191 release_sock(sk);
1192 if (err) {
1193 return err;
1194 }
1195
1196 l2cap_chan_lock(chan);
1197 err = l2cap_chan_send(chan, msg, len);
1198 l2cap_chan_unlock(chan);
1199
1200 return err;
1201 }
1202
l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, int flags)1203 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, int flags)
1204 {
1205 struct sock *sk = sock->sk;
1206 struct l2cap_pinfo *pi = l2cap_pi(sk);
1207 int err;
1208
1209 lock_sock(sk);
1210
1211 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
1212 if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
1213 sk->sk_state = BT_CONNECTED;
1214 pi->chan->state = BT_CONNECTED;
1215 __l2cap_ecred_conn_rsp_defer(pi->chan);
1216 } else if (bdaddr_type_is_le(pi->chan->src_type)) {
1217 sk->sk_state = BT_CONNECTED;
1218 pi->chan->state = BT_CONNECTED;
1219 __l2cap_le_connect_rsp_defer(pi->chan);
1220 } else {
1221 sk->sk_state = BT_CONFIG;
1222 pi->chan->state = BT_CONFIG;
1223 __l2cap_connect_rsp_defer(pi->chan);
1224 }
1225
1226 err = 0;
1227 goto done;
1228 }
1229
1230 release_sock(sk);
1231
1232 if (sock->type == SOCK_STREAM) {
1233 err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1234 } else {
1235 err = bt_sock_recvmsg(sock, msg, len, flags);
1236 }
1237
1238 if (pi->chan->mode != L2CAP_MODE_ERTM) {
1239 return err;
1240 }
1241
1242 /* Attempt to put pending rx data in the socket buffer */
1243
1244 lock_sock(sk);
1245
1246 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state)) {
1247 goto done;
1248 }
1249
1250 if (pi->rx_busy_skb) {
1251 if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb)) {
1252 pi->rx_busy_skb = NULL;
1253 } else {
1254 goto done;
1255 }
1256 }
1257
1258 /* Restore data flow when half of the receive buffer is
1259 * available. This avoids resending large numbers of
1260 * frames.
1261 */
1262 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1) {
1263 l2cap_chan_busy(pi->chan, 0);
1264 }
1265
1266 done:
1267 release_sock(sk);
1268 return err;
1269 }
1270
1271 /* Kill socket (only if zapped and orphan)
1272 * Must be called on unlocked socket, with l2cap channel lock.
1273 */
l2cap_sock_kill(struct sock *sk)1274 static void l2cap_sock_kill(struct sock *sk)
1275 {
1276 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket) {
1277 return;
1278 }
1279
1280 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1281
1282 /* Kill poor orphan */
1283
1284 l2cap_chan_put(l2cap_pi(sk)->chan);
1285 sock_set_flag(sk, SOCK_DEAD);
1286 sock_put(sk);
1287 }
1288
__l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)1289 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1290 {
1291 DECLARE_WAITQUEUE(wait, current);
1292 int err = 0;
1293 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1294 /* Timeout to prevent infinite loop */
1295 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1296
1297 add_wait_queue(sk_sleep(sk), &wait);
1298 set_current_state(TASK_INTERRUPTIBLE);
1299 do {
1300 BT_DBG("Waiting for %d ACKs, timeout %04d ms", chan->unacked_frames,
1301 time_after(jiffies, timeout) ? 0 : jiffies_to_msecs(timeout - jiffies));
1302
1303 if (!timeo) {
1304 timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1305 }
1306
1307 if (signal_pending(current)) {
1308 err = sock_intr_errno(timeo);
1309 break;
1310 }
1311
1312 release_sock(sk);
1313 timeo = schedule_timeout(timeo);
1314 lock_sock(sk);
1315 set_current_state(TASK_INTERRUPTIBLE);
1316
1317 err = sock_error(sk);
1318 if (err) {
1319 break;
1320 }
1321
1322 if (time_after(jiffies, timeout)) {
1323 err = -ENOLINK;
1324 break;
1325 }
1326 } while (chan->unacked_frames > 0 && chan->state == BT_CONNECTED);
1327
1328 set_current_state(TASK_RUNNING);
1329 remove_wait_queue(sk_sleep(sk), &wait);
1330 return err;
1331 }
1332
l2cap_sock_shutdown(struct socket *sock, int how)1333 static int l2cap_sock_shutdown(struct socket *sock, int how)
1334 {
1335 struct sock *sk = sock->sk;
1336 struct l2cap_chan *chan;
1337 struct l2cap_conn *conn;
1338 int err = 0;
1339
1340 BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1341
1342 /* 'how' parameter is mapped to sk_shutdown as follows:
1343 * SHUT_RD (0) --> RCV_SHUTDOWN (1)
1344 * SHUT_WR (1) --> SEND_SHUTDOWN (2)
1345 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3)
1346 */
1347 how++;
1348
1349 if (!sk) {
1350 return 0;
1351 }
1352
1353 lock_sock(sk);
1354
1355 if ((sk->sk_shutdown & how) == how) {
1356 goto shutdown_already;
1357 }
1358
1359 BT_DBG("Handling sock shutdown");
1360
1361 /* prevent sk structure from being freed whilst unlocked */
1362 sock_hold(sk);
1363
1364 chan = l2cap_pi(sk)->chan;
1365 /* prevent chan structure from being freed whilst unlocked */
1366 l2cap_chan_hold(chan);
1367
1368 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1369
1370 if (chan->mode == L2CAP_MODE_ERTM && chan->unacked_frames > 0 && chan->state == BT_CONNECTED) {
1371 err = __l2cap_wait_ack(sk, chan);
1372
1373 /* After waiting for ACKs, check whether shutdown
1374 * has already been actioned to close the L2CAP
1375 * link such as by l2cap_disconnection_req().
1376 */
1377 if ((sk->sk_shutdown & how) == how) {
1378 goto shutdown_matched;
1379 }
1380 }
1381
1382 /* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN
1383 * is already set
1384 */
1385 if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) {
1386 sk->sk_shutdown |= RCV_SHUTDOWN;
1387 if ((sk->sk_shutdown & how) == how) {
1388 goto shutdown_matched;
1389 }
1390 }
1391
1392 sk->sk_shutdown |= SEND_SHUTDOWN;
1393 release_sock(sk);
1394
1395 l2cap_chan_lock(chan);
1396 conn = chan->conn;
1397 if (conn) {
1398 /* prevent conn structure from being freed */
1399 l2cap_conn_get(conn);
1400 }
1401 l2cap_chan_unlock(chan);
1402
1403 if (conn) {
1404 /* mutex lock must be taken before l2cap_chan_lock() */
1405 mutex_lock(&conn->chan_lock);
1406 }
1407
1408 l2cap_chan_lock(chan);
1409 l2cap_chan_close(chan, 0);
1410 l2cap_chan_unlock(chan);
1411
1412 if (conn) {
1413 mutex_unlock(&conn->chan_lock);
1414 l2cap_conn_put(conn);
1415 }
1416
1417 lock_sock(sk);
1418
1419 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime && !(current->flags & PF_EXITING)) {
1420 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
1421 }
1422
1423 shutdown_matched:
1424 l2cap_chan_put(chan);
1425 sock_put(sk);
1426
1427 shutdown_already:
1428 if (!err && sk->sk_err) {
1429 err = -sk->sk_err;
1430 }
1431
1432 release_sock(sk);
1433
1434 BT_DBG("Sock shutdown complete err: %d", err);
1435
1436 return err;
1437 }
1438
l2cap_sock_release(struct socket *sock)1439 static int l2cap_sock_release(struct socket *sock)
1440 {
1441 struct sock *sk = sock->sk;
1442 int err;
1443 struct l2cap_chan *chan;
1444
1445 BT_DBG("sock %p, sk %p", sock, sk);
1446
1447 if (!sk) {
1448 return 0;
1449 }
1450
1451 bt_sock_unlink(&l2cap_sk_list, sk);
1452
1453 err = l2cap_sock_shutdown(sock, SHUT_RDWR);
1454 chan = l2cap_pi(sk)->chan;
1455
1456 l2cap_chan_hold(chan);
1457 l2cap_chan_lock(chan);
1458
1459 sock_orphan(sk);
1460 l2cap_sock_kill(sk);
1461
1462 l2cap_chan_unlock(chan);
1463 l2cap_chan_put(chan);
1464
1465 return err;
1466 }
1467
l2cap_sock_cleanup_listen(struct sock *parent)1468 static void l2cap_sock_cleanup_listen(struct sock *parent)
1469 {
1470 struct sock *sk;
1471
1472 BT_DBG("parent %p state %s", parent, state_to_string(parent->sk_state));
1473
1474 /* Close not yet accepted channels */
1475 while ((sk = bt_accept_dequeue(parent, NULL))) {
1476 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1477
1478 BT_DBG("child chan %p state %s", chan, state_to_string(chan->state));
1479
1480 l2cap_chan_hold(chan);
1481 l2cap_chan_lock(chan);
1482
1483 __clear_chan_timer(chan);
1484 l2cap_chan_close(chan, ECONNRESET);
1485 l2cap_sock_kill(sk);
1486
1487 l2cap_chan_unlock(chan);
1488 l2cap_chan_put(chan);
1489 }
1490 }
1491
l2cap_sock_new_connection_cb(struct l2cap_chan *chan)1492 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1493 {
1494 struct sock *sk, *parent = chan->data;
1495
1496 lock_sock(parent);
1497
1498 /* Check for backlog size */
1499 if (sk_acceptq_is_full(parent)) {
1500 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1501 release_sock(parent);
1502 return NULL;
1503 }
1504
1505 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC, 0);
1506 if (!sk) {
1507 release_sock(parent);
1508 return NULL;
1509 }
1510
1511 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1512
1513 l2cap_sock_init(sk, parent);
1514
1515 bt_accept_enqueue(parent, sk, false);
1516
1517 release_sock(parent);
1518
1519 return l2cap_pi(sk)->chan;
1520 }
1521
l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)1522 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1523 {
1524 struct sock *sk = chan->data;
1525 int err;
1526
1527 lock_sock(sk);
1528
1529 if (l2cap_pi(sk)->rx_busy_skb) {
1530 err = -ENOMEM;
1531 goto done;
1532 }
1533
1534 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING) {
1535 /* Even if no filter is attached, we could potentially
1536 * get errors from security modules, etc.
1537 */
1538 err = sk_filter(sk, skb);
1539 if (err) {
1540 goto done;
1541 }
1542 }
1543
1544 err = __sock_queue_rcv_skb(sk, skb);
1545 /* For ERTM, handle one skb that doesn't fit into the recv
1546 * buffer. This is important to do because the data frames
1547 * have already been acked, so the skb cannot be discarded.
1548 *
1549 * Notify the l2cap core that the buffer is full, so the
1550 * LOCAL_BUSY state is entered and no more frames are
1551 * acked and reassembled until there is buffer space
1552 * available.
1553 */
1554 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1555 l2cap_pi(sk)->rx_busy_skb = skb;
1556 l2cap_chan_busy(chan, 1);
1557 err = 0;
1558 }
1559
1560 done:
1561 release_sock(sk);
1562
1563 return err;
1564 }
1565
l2cap_sock_close_cb(struct l2cap_chan *chan)1566 static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1567 {
1568 struct sock *sk = chan->data;
1569
1570 l2cap_sock_kill(sk);
1571 }
1572
l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)1573 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1574 {
1575 struct sock *sk = chan->data;
1576 struct sock *parent;
1577
1578 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1579
1580 /* This callback can be called both for server (BT_LISTEN)
1581 * sockets as well as "normal" ones. To avoid lockdep warnings
1582 * with child socket locking (through l2cap_sock_cleanup_listen)
1583 * we need separation into separate nesting levels. The simplest
1584 * way to accomplish this is to inherit the nesting level used
1585 * for the channel.
1586 */
1587 lock_sock_nested(sk, atomic_read(&chan->nesting));
1588
1589 parent = bt_sk(sk)->parent;
1590
1591 switch (chan->state) {
1592 case BT_OPEN:
1593 case BT_BOUND:
1594 case BT_CLOSED:
1595 break;
1596 case BT_LISTEN:
1597 l2cap_sock_cleanup_listen(sk);
1598 sk->sk_state = BT_CLOSED;
1599 chan->state = BT_CLOSED;
1600
1601 break;
1602 default:
1603 sk->sk_state = BT_CLOSED;
1604 chan->state = BT_CLOSED;
1605
1606 sk->sk_err = err;
1607
1608 if (parent) {
1609 bt_accept_unlink(sk);
1610 parent->sk_data_ready(parent);
1611 } else {
1612 sk->sk_state_change(sk);
1613 }
1614
1615 break;
1616 }
1617 release_sock(sk);
1618
1619 /* Only zap after cleanup to avoid use after free race */
1620 sock_set_flag(sk, SOCK_ZAPPED);
1621 }
1622
l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state, int err)1623 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state, int err)
1624 {
1625 struct sock *sk = chan->data;
1626
1627 sk->sk_state = state;
1628
1629 if (err) {
1630 sk->sk_err = err;
1631 }
1632 }
1633
l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan, unsigned long hdr_len, unsigned long len, int nb)1634 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan, unsigned long hdr_len, unsigned long len,
1635 int nb)
1636 {
1637 struct sock *sk = chan->data;
1638 struct sk_buff *skb;
1639 int err;
1640
1641 l2cap_chan_unlock(chan);
1642 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1643 l2cap_chan_lock(chan);
1644
1645 if (!skb) {
1646 return ERR_PTR(err);
1647 }
1648
1649 skb->priority = sk->sk_priority;
1650
1651 bt_cb(skb)->l2cap.chan = chan;
1652
1653 return skb;
1654 }
1655
l2cap_sock_ready_cb(struct l2cap_chan *chan)1656 static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1657 {
1658 struct sock *sk = chan->data;
1659 struct sock *parent;
1660
1661 lock_sock(sk);
1662
1663 parent = bt_sk(sk)->parent;
1664
1665 BT_DBG("sk %p, parent %p", sk, parent);
1666
1667 sk->sk_state = BT_CONNECTED;
1668 sk->sk_state_change(sk);
1669
1670 if (parent) {
1671 parent->sk_data_ready(parent);
1672 }
1673
1674 release_sock(sk);
1675 }
1676
l2cap_sock_defer_cb(struct l2cap_chan *chan)1677 static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1678 {
1679 struct sock *parent, *sk = chan->data;
1680
1681 lock_sock(sk);
1682
1683 parent = bt_sk(sk)->parent;
1684 if (parent) {
1685 parent->sk_data_ready(parent);
1686 }
1687
1688 release_sock(sk);
1689 }
1690
l2cap_sock_resume_cb(struct l2cap_chan *chan)1691 static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1692 {
1693 struct sock *sk = chan->data;
1694
1695 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1696 sk->sk_state = BT_CONNECTED;
1697 chan->state = BT_CONNECTED;
1698 }
1699
1700 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1701 sk->sk_state_change(sk);
1702 }
1703
l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)1704 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1705 {
1706 struct sock *sk = chan->data;
1707
1708 lock_sock(sk);
1709 sk->sk_shutdown = SHUTDOWN_MASK;
1710 release_sock(sk);
1711 }
1712
l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)1713 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1714 {
1715 struct sock *sk = chan->data;
1716
1717 return sk->sk_sndtimeo;
1718 }
1719
l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan)1720 static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan)
1721 {
1722 struct sock *sk = chan->data;
1723
1724 return sk->sk_peer_pid;
1725 }
1726
l2cap_sock_suspend_cb(struct l2cap_chan *chan)1727 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1728 {
1729 struct sock *sk = chan->data;
1730
1731 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1732 sk->sk_state_change(sk);
1733 }
1734
l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)1735 static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
1736 {
1737 struct sock *sk = chan->data;
1738 if ((chan->mode == L2CAP_MODE_ERTM) || (chan->mode == L2CAP_MODE_STREAMING)) {
1739 return sk_filter(sk, skb);
1740 }
1741 return 0;
1742 }
1743
1744 static const struct l2cap_ops l2cap_chan_ops = {
1745 .name = "L2CAP Socket Interface",
1746 .new_connection = l2cap_sock_new_connection_cb,
1747 .recv = l2cap_sock_recv_cb,
1748 .close = l2cap_sock_close_cb,
1749 .teardown = l2cap_sock_teardown_cb,
1750 .state_change = l2cap_sock_state_change_cb,
1751 .ready = l2cap_sock_ready_cb,
1752 .defer = l2cap_sock_defer_cb,
1753 .resume = l2cap_sock_resume_cb,
1754 .suspend = l2cap_sock_suspend_cb,
1755 .set_shutdown = l2cap_sock_set_shutdown_cb,
1756 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1757 .get_peer_pid = l2cap_sock_get_peer_pid_cb,
1758 .alloc_skb = l2cap_sock_alloc_skb_cb,
1759 .filter = l2cap_sock_filter,
1760 };
1761
l2cap_sock_destruct(struct sock *sk)1762 static void l2cap_sock_destruct(struct sock *sk)
1763 {
1764 BT_DBG("sk %p", sk);
1765
1766 if (l2cap_pi(sk)->chan) {
1767 l2cap_chan_put(l2cap_pi(sk)->chan);
1768 }
1769
1770 if (l2cap_pi(sk)->rx_busy_skb) {
1771 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1772 l2cap_pi(sk)->rx_busy_skb = NULL;
1773 }
1774
1775 skb_queue_purge(&sk->sk_receive_queue);
1776 skb_queue_purge(&sk->sk_write_queue);
1777 }
1778
l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name, int *msg_namelen)1779 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name, int *msg_namelen)
1780 {
1781 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1782
1783 memset(la, 0, sizeof(struct sockaddr_l2));
1784 la->l2_family = AF_BLUETOOTH;
1785 la->l2_psm = bt_cb(skb)->l2cap.psm;
1786 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1787
1788 *msg_namelen = sizeof(struct sockaddr_l2);
1789 }
1790
l2cap_sock_init(struct sock *sk, struct sock *parent)1791 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1792 {
1793 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1794
1795 BT_DBG("sk %p", sk);
1796
1797 if (parent) {
1798 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1799
1800 sk->sk_type = parent->sk_type;
1801 bt_sk(sk)->flags = bt_sk(parent)->flags;
1802
1803 chan->chan_type = pchan->chan_type;
1804 chan->imtu = pchan->imtu;
1805 chan->omtu = pchan->omtu;
1806 chan->conf_state = pchan->conf_state;
1807 chan->mode = pchan->mode;
1808 chan->fcs = pchan->fcs;
1809 chan->max_tx = pchan->max_tx;
1810 chan->tx_win = pchan->tx_win;
1811 chan->tx_win_max = pchan->tx_win_max;
1812 chan->sec_level = pchan->sec_level;
1813 chan->flags = pchan->flags;
1814 chan->tx_credits = pchan->tx_credits;
1815 chan->rx_credits = pchan->rx_credits;
1816
1817 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1818 chan->scid = pchan->scid;
1819 chan->dcid = pchan->scid;
1820 }
1821
1822 security_sk_clone(parent, sk);
1823 } else {
1824 switch (sk->sk_type) {
1825 case SOCK_RAW:
1826 chan->chan_type = L2CAP_CHAN_RAW;
1827 break;
1828 case SOCK_DGRAM:
1829 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1830 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1831 break;
1832 case SOCK_SEQPACKET:
1833 case SOCK_STREAM:
1834 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1835 break;
1836 }
1837
1838 chan->imtu = L2CAP_DEFAULT_MTU;
1839 chan->omtu = 0;
1840 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1841 chan->mode = L2CAP_MODE_ERTM;
1842 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1843 } else {
1844 chan->mode = L2CAP_MODE_BASIC;
1845 }
1846
1847 l2cap_chan_set_defaults(chan);
1848 }
1849
1850 /* Default config options */
1851 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1852
1853 chan->data = sk;
1854 chan->ops = &l2cap_chan_ops;
1855 }
1856
1857 static struct proto l2cap_proto = {.name = "L2CAP", .owner = THIS_MODULE, .obj_size = sizeof(struct l2cap_pinfo)};
1858
l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio, int kern)1859 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio, int kern)
1860 {
1861 struct sock *sk;
1862 struct l2cap_chan *chan;
1863
1864 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern);
1865 if (!sk) {
1866 return NULL;
1867 }
1868
1869 sock_init_data(sock, sk);
1870 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1871
1872 sk->sk_destruct = l2cap_sock_destruct;
1873 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1874
1875 sock_reset_flag(sk, SOCK_ZAPPED);
1876
1877 sk->sk_protocol = proto;
1878 sk->sk_state = BT_OPEN;
1879
1880 chan = l2cap_chan_create();
1881 if (!chan) {
1882 sk_free(sk);
1883 return NULL;
1884 }
1885
1886 l2cap_chan_hold(chan);
1887
1888 l2cap_pi(sk)->chan = chan;
1889
1890 return sk;
1891 }
1892
l2cap_sock_create(struct net *net, struct socket *sock, int protocol, int kern)1893 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol, int kern)
1894 {
1895 struct sock *sk;
1896
1897 BT_DBG("sock %p", sock);
1898
1899 sock->state = SS_UNCONNECTED;
1900
1901 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM && sock->type != SOCK_DGRAM &&
1902 sock->type != SOCK_RAW) {
1903 return -ESOCKTNOSUPPORT;
1904 }
1905
1906 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW)) {
1907 return -EPERM;
1908 }
1909
1910 sock->ops = &l2cap_sock_ops;
1911
1912 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1913 if (!sk) {
1914 return -ENOMEM;
1915 }
1916
1917 l2cap_sock_init(sk, NULL);
1918 bt_sock_link(&l2cap_sk_list, sk);
1919 return 0;
1920 }
1921
1922 static const struct proto_ops l2cap_sock_ops = {.family = PF_BLUETOOTH,
1923 .owner = THIS_MODULE,
1924 .release = l2cap_sock_release,
1925 .bind = l2cap_sock_bind,
1926 .connect = l2cap_sock_connect,
1927 .listen = l2cap_sock_listen,
1928 .accept = l2cap_sock_accept,
1929 .getname = l2cap_sock_getname,
1930 .sendmsg = l2cap_sock_sendmsg,
1931 .recvmsg = l2cap_sock_recvmsg,
1932 .poll = bt_sock_poll,
1933 .ioctl = bt_sock_ioctl,
1934 .gettstamp = sock_gettstamp,
1935 .mmap = sock_no_mmap,
1936 .socketpair = sock_no_socketpair,
1937 .shutdown = l2cap_sock_shutdown,
1938 .setsockopt = l2cap_sock_setsockopt,
1939 .getsockopt = l2cap_sock_getsockopt};
1940
1941 static const struct net_proto_family l2cap_sock_family_ops = {
1942 .family = PF_BLUETOOTH,
1943 .owner = THIS_MODULE,
1944 .create = l2cap_sock_create,
1945 };
1946
l2cap_init_sockets(void)1947 int __init l2cap_init_sockets(void)
1948 {
1949 int err;
1950
1951 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1952
1953 err = proto_register(&l2cap_proto, 0);
1954 if (err < 0) {
1955 return err;
1956 }
1957
1958 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1959 if (err < 0) {
1960 BT_ERR("L2CAP socket registration failed");
1961 goto error;
1962 }
1963
1964 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list, NULL);
1965 if (err < 0) {
1966 BT_ERR("Failed to create L2CAP proc file");
1967 bt_sock_unregister(BTPROTO_L2CAP);
1968 goto error;
1969 }
1970
1971 BT_INFO("L2CAP socket layer initialized");
1972
1973 return 0;
1974
1975 error:
1976 proto_unregister(&l2cap_proto);
1977 return err;
1978 }
1979
l2cap_cleanup_sockets(void)1980 void l2cap_cleanup_sockets(void)
1981 {
1982 bt_procfs_cleanup(&init_net, "l2cap");
1983 bt_sock_unregister(BTPROTO_L2CAP);
1984 proto_unregister(&l2cap_proto);
1985 }
1986