1/* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org> 5 Copyright (C) 2010 Google Inc. 6 Copyright (C) 2011 ProFUSION Embedded Systems 7 8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 9 10 This program is free software; you can redistribute it and/or modify 11 it under the terms of the GNU General Public License version 2 as 12 published by the Free Software Foundation; 13 14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 22 23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 25 SOFTWARE IS DISCLAIMED. 26*/ 27 28/* Bluetooth L2CAP sockets. */ 29 30#include <linux/module.h> 31#include <linux/export.h> 32#include <linux/sched/signal.h> 33 34#include <net/bluetooth/bluetooth.h> 35#include <net/bluetooth/hci_core.h> 36#include <net/bluetooth/l2cap.h> 37 38#include "smp.h" 39 40static struct bt_sock_list l2cap_sk_list = {.lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)}; 41 42static const struct proto_ops l2cap_sock_ops; 43static void l2cap_sock_init(struct sock *sk, struct sock *parent); 44static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio, int kern); 45 46bool l2cap_is_socket(struct socket *sock) 47{ 48 return sock && sock->ops == &l2cap_sock_ops; 49} 50EXPORT_SYMBOL(l2cap_is_socket); 51 52static int l2cap_validate_bredr_psm(u16 psm) 53{ 54 /* PSM must be odd and lsb of upper byte must be 0 */ 55 if ((psm & 0x0101) != 0x0001) { 56 return -EINVAL; 57 } 58 59 /* Restrict usage of well-known PSMs */ 60 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE)) { 61 return -EACCES; 62 } 63 64 return 0; 65} 66 67static int l2cap_validate_le_psm(u16 psm) 68{ 69 /* Valid LE_PSM ranges are defined only until 0x00ff */ 70 if (psm > L2CAP_PSM_LE_DYN_END) { 71 return -EINVAL; 72 } 73 74 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */ 75 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE)) { 76 return -EACCES; 77 } 78 79 return 0; 80} 81 82static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) 83{ 84 struct sock *sk = sock->sk; 85 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 86 struct sockaddr_l2 la; 87 int len, err = 0; 88 89 BT_DBG("sk %p", sk); 90 91 if (!addr || alen < offsetofend(struct sockaddr, sa_family) || addr->sa_family != AF_BLUETOOTH) { 92 return -EINVAL; 93 } 94 95 memset(&la, 0, sizeof(la)); 96 len = min_t(unsigned int, sizeof(la), alen); 97 memcpy(&la, addr, len); 98 99 if (la.l2_cid && la.l2_psm) { 100 return -EINVAL; 101 } 102 103 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) { 104 return -EINVAL; 105 } 106 107 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 108 /* We only allow ATT user space socket */ 109 if (la.l2_cid && la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) { 110 return -EINVAL; 111 } 112 } 113 114 lock_sock(sk); 115 116 if (sk->sk_state != BT_OPEN) { 117 err = -EBADFD; 118 goto done; 119 } 120 121 if (la.l2_psm) { 122 __u16 psm = __le16_to_cpu(la.l2_psm); 123 124 if (la.l2_bdaddr_type == BDADDR_BREDR) { 125 err = l2cap_validate_bredr_psm(psm); 126 } else { 127 err = l2cap_validate_le_psm(psm); 128 } 129 130 if (err) { 131 goto done; 132 } 133 } 134 135 bacpy(&chan->src, &la.l2_bdaddr); 136 chan->src_type = la.l2_bdaddr_type; 137 138 if (la.l2_cid) { 139 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid)); 140 } else { 141 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm); 142 } 143 144 if (err < 0) { 145 goto done; 146 } 147 148 switch (chan->chan_type) { 149 case L2CAP_CHAN_CONN_LESS: 150 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP) { 151 chan->sec_level = BT_SECURITY_SDP; 152 } 153 break; 154 case L2CAP_CHAN_CONN_ORIENTED: 155 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP || __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM) { 156 chan->sec_level = BT_SECURITY_SDP; 157 } 158 break; 159 case L2CAP_CHAN_RAW: 160 chan->sec_level = BT_SECURITY_SDP; 161 break; 162 case L2CAP_CHAN_FIXED: 163 /* Fixed channels default to the L2CAP core not holding a 164 * hci_conn reference for them. For fixed channels mapping to 165 * L2CAP sockets we do want to hold a reference so set the 166 * appropriate flag to request it. 167 */ 168 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags); 169 break; 170 } 171 172 if (chan->psm && bdaddr_type_is_le(chan->src_type) && 173 chan->mode != L2CAP_MODE_EXT_FLOWCTL) { 174 chan->mode = L2CAP_MODE_LE_FLOWCTL; 175 } 176 177 chan->state = BT_BOUND; 178 sk->sk_state = BT_BOUND; 179 180done: 181 release_sock(sk); 182 return err; 183} 184 185static void l2cap_sock_init_pid(struct sock *sk) 186{ 187 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 188 if (chan->mode != L2CAP_MODE_EXT_FLOWCTL) 189 return; 190 spin_lock(&sk->sk_peer_lock); 191 sk->sk_peer_pid = get_pid(task_tgid(current)); 192 spin_unlock(&sk->sk_peer_lock); 193} 194 195static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags) 196{ 197 struct sock *sk = sock->sk; 198 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 199 struct sockaddr_l2 la; 200 int len, err = 0; 201 bool zapped; 202 203 BT_DBG("sk %p", sk); 204 205 lock_sock(sk); 206 zapped = sock_flag(sk, SOCK_ZAPPED); 207 release_sock(sk); 208 209 if (zapped) { 210 return -EINVAL; 211 } 212 213 if (!addr || alen < offsetofend(struct sockaddr, sa_family) || addr->sa_family != AF_BLUETOOTH) { 214 return -EINVAL; 215 } 216 217 memset(&la, 0, sizeof(la)); 218 len = min_t(unsigned int, sizeof(la), alen); 219 memcpy(&la, addr, len); 220 221 if (la.l2_cid && la.l2_psm) { 222 return -EINVAL; 223 } 224 225 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) { 226 return -EINVAL; 227 } 228 229 /* Check that the socket wasn't bound to something that 230 * conflicts with the address given to connect(). If chan->src 231 * is BDADDR_ANY it means bind() was never used, in which case 232 * chan->src_type and la.l2_bdaddr_type do not need to match. 233 */ 234 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) && bdaddr_type_is_le(la.l2_bdaddr_type)) { 235 /* Old user space versions will try to incorrectly bind 236 * the ATT socket using BDADDR_BREDR. We need to accept 237 * this and fix up the source address type only when 238 * both the source CID and destination CID indicate 239 * ATT. Anything else is an invalid combination. 240 */ 241 if (chan->scid != L2CAP_CID_ATT || la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) { 242 return -EINVAL; 243 } 244 245 /* We don't have the hdev available here to make a 246 * better decision on random vs public, but since all 247 * user space versions that exhibit this issue anyway do 248 * not support random local addresses assuming public 249 * here is good enough. 250 */ 251 chan->src_type = BDADDR_LE_PUBLIC; 252 } 253 254 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR) { 255 return -EINVAL; 256 } 257 258 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 259 /* We only allow ATT user space socket */ 260 if (la.l2_cid && la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) { 261 return -EINVAL; 262 } 263 } 264 265 if (chan->psm && bdaddr_type_is_le(chan->src_type) && 266 chan->mode != L2CAP_MODE_EXT_FLOWCTL) { 267 chan->mode = L2CAP_MODE_LE_FLOWCTL; 268 } 269 270 l2cap_sock_init_pid(sk); 271 272 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid), &la.l2_bdaddr, la.l2_bdaddr_type); 273 if (err) { 274 return err; 275 } 276 277 lock_sock(sk); 278 279 err = bt_sock_wait_state(sk, BT_CONNECTED, sock_sndtimeo(sk, flags & O_NONBLOCK)); 280 281 release_sock(sk); 282 283 return err; 284} 285 286static int l2cap_sock_listen(struct socket *sock, int backlog) 287{ 288 struct sock *sk = sock->sk; 289 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 290 int err = 0; 291 292 BT_DBG("sk %p backlog %d", sk, backlog); 293 294 lock_sock(sk); 295 296 if (sk->sk_state != BT_BOUND) { 297 err = -EBADFD; 298 goto done; 299 } 300 301 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) { 302 err = -EINVAL; 303 goto done; 304 } 305 306 switch (chan->mode) { 307 case L2CAP_MODE_BASIC: 308 case L2CAP_MODE_LE_FLOWCTL: 309 break; 310 case L2CAP_MODE_EXT_FLOWCTL: 311 if (!enable_ecred) { 312 err = -EOPNOTSUPP; 313 goto done; 314 } 315 break; 316 case L2CAP_MODE_ERTM: 317 case L2CAP_MODE_STREAMING: 318 if (!disable_ertm) { 319 break; 320 } 321 fallthrough; 322 default: 323 err = -EOPNOTSUPP; 324 goto done; 325 } 326 327 l2cap_sock_init_pid(sk); 328 sk->sk_max_ack_backlog = backlog; 329 sk->sk_ack_backlog = 0; 330 331 /* Listening channels need to use nested locking in order not to 332 * cause lockdep warnings when the created child channels end up 333 * being locked in the same thread as the parent channel. 334 */ 335 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT); 336 337 chan->state = BT_LISTEN; 338 sk->sk_state = BT_LISTEN; 339 340done: 341 release_sock(sk); 342 return err; 343} 344 345static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags, bool kern) 346{ 347 DEFINE_WAIT_FUNC(wait, woken_wake_function); 348 struct sock *sk = sock->sk, *nsk; 349 long timeo; 350 int err = 0; 351 352 lock_sock_nested(sk, L2CAP_NESTING_PARENT); 353 354 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK); 355 356 BT_DBG("sk %p timeo %ld", sk, timeo); 357 358 /* Wait for an incoming connection. (wake-one). */ 359 add_wait_queue_exclusive(sk_sleep(sk), &wait); 360 while (1) { 361 if (sk->sk_state != BT_LISTEN) { 362 err = -EBADFD; 363 break; 364 } 365 366 nsk = bt_accept_dequeue(sk, newsock); 367 if (nsk) { 368 break; 369 } 370 371 if (!timeo) { 372 err = -EAGAIN; 373 break; 374 } 375 376 if (signal_pending(current)) { 377 err = sock_intr_errno(timeo); 378 break; 379 } 380 381 release_sock(sk); 382 383 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo); 384 385 lock_sock_nested(sk, L2CAP_NESTING_PARENT); 386 } 387 remove_wait_queue(sk_sleep(sk), &wait); 388 389 if (err) { 390 goto done; 391 } 392 393 newsock->state = SS_CONNECTED; 394 395 BT_DBG("new socket %p", nsk); 396 397done: 398 release_sock(sk); 399 return err; 400} 401 402static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int peer) 403{ 404 struct sockaddr_l2 *la = (struct sockaddr_l2 *)addr; 405 struct sock *sk = sock->sk; 406 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 407 408 BT_DBG("sock %p, sk %p", sock, sk); 409 410 if (peer && sk->sk_state != BT_CONNECTED && sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 && 411 sk->sk_state != BT_CONFIG) { 412 return -ENOTCONN; 413 } 414 415 memset(la, 0, sizeof(struct sockaddr_l2)); 416 addr->sa_family = AF_BLUETOOTH; 417 418 la->l2_psm = chan->psm; 419 420 if (peer) { 421 bacpy(&la->l2_bdaddr, &chan->dst); 422 la->l2_cid = cpu_to_le16(chan->dcid); 423 la->l2_bdaddr_type = chan->dst_type; 424 } else { 425 bacpy(&la->l2_bdaddr, &chan->src); 426 la->l2_cid = cpu_to_le16(chan->scid); 427 la->l2_bdaddr_type = chan->src_type; 428 } 429 430 return sizeof(struct sockaddr_l2); 431} 432 433static int l2cap_get_mode(struct l2cap_chan *chan) 434{ 435 switch (chan->mode) { 436 case L2CAP_MODE_BASIC: 437 return BT_MODE_BASIC; 438 case L2CAP_MODE_ERTM: 439 return BT_MODE_ERTM; 440 case L2CAP_MODE_STREAMING: 441 return BT_MODE_STREAMING; 442 case L2CAP_MODE_LE_FLOWCTL: 443 return BT_MODE_LE_FLOWCTL; 444 case L2CAP_MODE_EXT_FLOWCTL: 445 return BT_MODE_EXT_FLOWCTL; 446 } 447 448 return -EINVAL; 449} 450 451static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen) 452{ 453 struct sock *sk = sock->sk; 454 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 455 struct l2cap_options opts; 456 struct l2cap_conninfo cinfo; 457 int len, err = 0; 458 u32 opt; 459 460 BT_DBG("sk %p", sk); 461 462 if (get_user(len, optlen)) { 463 return -EFAULT; 464 } 465 466 lock_sock(sk); 467 468 switch (optname) { 469 case L2CAP_OPTIONS: 470 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since 471 * legacy ATT code depends on getsockopt for 472 * L2CAP_OPTIONS we need to let this pass. 473 */ 474 if (bdaddr_type_is_le(chan->src_type) && chan->scid != L2CAP_CID_ATT) { 475 err = -EINVAL; 476 break; 477 } 478 479 /* Only BR/EDR modes are supported here */ 480 switch (chan->mode) { 481 case L2CAP_MODE_BASIC: 482 case L2CAP_MODE_ERTM: 483 case L2CAP_MODE_STREAMING: 484 break; 485 default: 486 err = -EINVAL; 487 break; 488 } 489 490 if (err < 0) { 491 break; 492 } 493 494 memset(&opts, 0, sizeof(opts)); 495 opts.imtu = chan->imtu; 496 opts.omtu = chan->omtu; 497 opts.flush_to = chan->flush_to; 498 opts.mode = chan->mode; 499 opts.fcs = chan->fcs; 500 opts.max_tx = chan->max_tx; 501 opts.txwin_size = chan->tx_win; 502 503 BT_DBG("mode 0x%2.2x", chan->mode); 504 505 len = min_t(unsigned int, len, sizeof(opts)); 506 if (copy_to_user(optval, (char *)&opts, len)) { 507 err = -EFAULT; 508 } 509 510 break; 511 512 case L2CAP_LM: 513 switch (chan->sec_level) { 514 case BT_SECURITY_LOW: 515 opt = L2CAP_LM_AUTH; 516 break; 517 case BT_SECURITY_MEDIUM: 518 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT; 519 break; 520 case BT_SECURITY_HIGH: 521 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT | L2CAP_LM_SECURE; 522 break; 523 case BT_SECURITY_FIPS: 524 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT | L2CAP_LM_SECURE | L2CAP_LM_FIPS; 525 break; 526 default: 527 opt = 0; 528 break; 529 } 530 531 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags)) { 532 opt |= L2CAP_LM_MASTER; 533 } 534 535 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags)) { 536 opt |= L2CAP_LM_RELIABLE; 537 } 538 539 if (put_user(opt, (u32 __user *)optval)) { 540 err = -EFAULT; 541 } 542 543 break; 544 545 case L2CAP_CONNINFO: 546 if (sk->sk_state != BT_CONNECTED && 547 !(sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) { 548 err = -ENOTCONN; 549 break; 550 } 551 552 memset(&cinfo, 0, sizeof(cinfo)); 553 cinfo.hci_handle = chan->conn->hcon->handle; 554 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3); 555 556 len = min_t(unsigned int, len, sizeof(cinfo)); 557 if (copy_to_user(optval, (char *)&cinfo, len)) { 558 err = -EFAULT; 559 } 560 561 break; 562 563 default: 564 err = -ENOPROTOOPT; 565 break; 566 } 567 568 release_sock(sk); 569 return err; 570} 571 572static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen) 573{ 574 struct sock *sk = sock->sk; 575 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 576 struct bt_security sec; 577 struct bt_power pwr; 578 u32 phys; 579 int len, mode, err = 0; 580 581 BT_DBG("sk %p", sk); 582 583 if (level == SOL_L2CAP) { 584 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen); 585 } 586 587 if (level != SOL_BLUETOOTH) { 588 return -ENOPROTOOPT; 589 } 590 591 if (get_user(len, optlen)) { 592 return -EFAULT; 593 } 594 595 lock_sock(sk); 596 597 switch (optname) { 598 case BT_SECURITY: 599 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && chan->chan_type != L2CAP_CHAN_FIXED && 600 chan->chan_type != L2CAP_CHAN_RAW) { 601 err = -EINVAL; 602 break; 603 } 604 605 memset(&sec, 0, sizeof(sec)); 606 if (chan->conn) { 607 sec.level = chan->conn->hcon->sec_level; 608 609 if (sk->sk_state == BT_CONNECTED) { 610 sec.key_size = chan->conn->hcon->enc_key_size; 611 } 612 } else { 613 sec.level = chan->sec_level; 614 } 615 616 len = min_t(unsigned int, len, sizeof(sec)); 617 if (copy_to_user(optval, (char *)&sec, len)) { 618 err = -EFAULT; 619 } 620 621 break; 622 623 case BT_DEFER_SETUP: 624 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 625 err = -EINVAL; 626 break; 627 } 628 629 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags), (u32 __user *)optval)) { 630 err = -EFAULT; 631 } 632 633 break; 634 635 case BT_FLUSHABLE: 636 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags), (u32 __user *)optval)) { 637 err = -EFAULT; 638 } 639 640 break; 641 642 case BT_POWER: 643 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM && sk->sk_type != SOCK_RAW) { 644 err = -EINVAL; 645 break; 646 } 647 648 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags); 649 650 len = min_t(unsigned int, len, sizeof(pwr)); 651 if (copy_to_user(optval, (char *)&pwr, len)) { 652 err = -EFAULT; 653 } 654 655 break; 656 657 case BT_CHANNEL_POLICY: 658 if (put_user(chan->chan_policy, (u32 __user *)optval)) { 659 err = -EFAULT; 660 } 661 break; 662 663 case BT_SNDMTU: 664 if (!bdaddr_type_is_le(chan->src_type)) { 665 err = -EINVAL; 666 break; 667 } 668 669 if (sk->sk_state != BT_CONNECTED) { 670 err = -ENOTCONN; 671 break; 672 } 673 674 if (put_user(chan->omtu, (u16 __user *)optval)) { 675 err = -EFAULT; 676 } 677 break; 678 679 case BT_RCVMTU: 680 if (!bdaddr_type_is_le(chan->src_type)) { 681 err = -EINVAL; 682 break; 683 } 684 685 if (put_user(chan->imtu, (u16 __user *)optval)) { 686 err = -EFAULT; 687 } 688 break; 689 690 case BT_PHY: 691 if (sk->sk_state != BT_CONNECTED) { 692 err = -ENOTCONN; 693 break; 694 } 695 696 phys = hci_conn_get_phy(chan->conn->hcon); 697 698 if (put_user(phys, (u32 __user *)optval)) { 699 err = -EFAULT; 700 } 701 break; 702 703 case BT_MODE: 704 if (!enable_ecred) { 705 err = -ENOPROTOOPT; 706 break; 707 } 708 709 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 710 err = -EINVAL; 711 break; 712 } 713 714 mode = l2cap_get_mode(chan); 715 if (mode < 0) { 716 err = mode; 717 break; 718 } 719 720 if (put_user(mode, (u8 __user *)optval)) { 721 err = -EFAULT; 722 } 723 break; 724 725 default: 726 err = -ENOPROTOOPT; 727 break; 728 } 729 730 release_sock(sk); 731 return err; 732} 733 734static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu) 735{ 736 switch (chan->scid) { 737 case L2CAP_CID_ATT: 738 if (mtu < L2CAP_LE_MIN_MTU) { 739 return false; 740 } 741 break; 742 743 default: 744 if (mtu < L2CAP_DEFAULT_MIN_MTU) { 745 return false; 746 } 747 } 748 749 return true; 750} 751 752static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, sockptr_t optval, unsigned int optlen) 753{ 754 struct sock *sk = sock->sk; 755 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 756 struct l2cap_options opts; 757 int len, err = 0; 758 u32 opt; 759 760 BT_DBG("sk %p", sk); 761 762 lock_sock(sk); 763 764 switch (optname) { 765 case L2CAP_OPTIONS: 766 if (bdaddr_type_is_le(chan->src_type)) { 767 err = -EINVAL; 768 break; 769 } 770 771 if (sk->sk_state == BT_CONNECTED) { 772 err = -EINVAL; 773 break; 774 } 775 776 opts.imtu = chan->imtu; 777 opts.omtu = chan->omtu; 778 opts.flush_to = chan->flush_to; 779 opts.mode = chan->mode; 780 opts.fcs = chan->fcs; 781 opts.max_tx = chan->max_tx; 782 opts.txwin_size = chan->tx_win; 783 784 len = min_t(unsigned int, sizeof(opts), optlen); 785 if (copy_from_sockptr(&opts, optval, len)) { 786 err = -EFAULT; 787 break; 788 } 789 790 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) { 791 err = -EINVAL; 792 break; 793 } 794 795 if (!l2cap_valid_mtu(chan, opts.imtu)) { 796 err = -EINVAL; 797 break; 798 } 799 800 /* Only BR/EDR modes are supported here */ 801 switch (opts.mode) { 802 case L2CAP_MODE_BASIC: 803 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state); 804 break; 805 case L2CAP_MODE_ERTM: 806 case L2CAP_MODE_STREAMING: 807 if (!disable_ertm) { 808 break; 809 } 810 fallthrough; 811 default: 812 err = -EINVAL; 813 break; 814 } 815 816 if (err < 0) { 817 break; 818 } 819 820 chan->mode = opts.mode; 821 822 BT_DBG("mode 0x%2.2x", chan->mode); 823 824 chan->imtu = opts.imtu; 825 chan->omtu = opts.omtu; 826 chan->fcs = opts.fcs; 827 chan->max_tx = opts.max_tx; 828 chan->tx_win = opts.txwin_size; 829 chan->flush_to = opts.flush_to; 830 break; 831 832 case L2CAP_LM: 833 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 834 err = -EFAULT; 835 break; 836 } 837 838 if (opt & L2CAP_LM_FIPS) { 839 err = -EINVAL; 840 break; 841 } 842 843 if (opt & L2CAP_LM_AUTH) { 844 chan->sec_level = BT_SECURITY_LOW; 845 } 846 if (opt & L2CAP_LM_ENCRYPT) { 847 chan->sec_level = BT_SECURITY_MEDIUM; 848 } 849 if (opt & L2CAP_LM_SECURE) { 850 chan->sec_level = BT_SECURITY_HIGH; 851 } 852 853 if (opt & L2CAP_LM_MASTER) { 854 set_bit(FLAG_ROLE_SWITCH, &chan->flags); 855 } else { 856 clear_bit(FLAG_ROLE_SWITCH, &chan->flags); 857 } 858 859 if (opt & L2CAP_LM_RELIABLE) { 860 set_bit(FLAG_FORCE_RELIABLE, &chan->flags); 861 } else { 862 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags); 863 } 864 break; 865 866 default: 867 err = -ENOPROTOOPT; 868 break; 869 } 870 871 release_sock(sk); 872 return err; 873} 874 875static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode) 876{ 877 switch (mode) { 878 case BT_MODE_BASIC: 879 if (bdaddr_type_is_le(chan->src_type)) { 880 return -EINVAL; 881 } 882 mode = L2CAP_MODE_BASIC; 883 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state); 884 break; 885 case BT_MODE_ERTM: 886 if (!disable_ertm || bdaddr_type_is_le(chan->src_type)) { 887 return -EINVAL; 888 } 889 mode = L2CAP_MODE_ERTM; 890 break; 891 case BT_MODE_STREAMING: 892 if (!disable_ertm || bdaddr_type_is_le(chan->src_type)) { 893 return -EINVAL; 894 } 895 mode = L2CAP_MODE_STREAMING; 896 break; 897 case BT_MODE_LE_FLOWCTL: 898 if (!bdaddr_type_is_le(chan->src_type)) { 899 return -EINVAL; 900 } 901 mode = L2CAP_MODE_LE_FLOWCTL; 902 break; 903 case BT_MODE_EXT_FLOWCTL: 904 /* Add support for ECRED PDUs to BR/EDR */ 905 if (!bdaddr_type_is_le(chan->src_type)) { 906 return -EINVAL; 907 } 908 mode = L2CAP_MODE_EXT_FLOWCTL; 909 break; 910 default: 911 return -EINVAL; 912 } 913 914 chan->mode = mode; 915 916 return 0; 917} 918 919static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, sockptr_t optval, unsigned int optlen) 920{ 921 struct sock *sk = sock->sk; 922 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 923 struct bt_security sec; 924 struct bt_power pwr; 925 struct l2cap_conn *conn; 926 int len, err = 0; 927 u32 opt; 928 u16 mtu; 929 u8 mode; 930 931 BT_DBG("sk %p", sk); 932 933 if (level == SOL_L2CAP) { 934 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen); 935 } 936 937 if (level != SOL_BLUETOOTH) { 938 return -ENOPROTOOPT; 939 } 940 941 lock_sock(sk); 942 943 switch (optname) { 944 case BT_SECURITY: 945 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && chan->chan_type != L2CAP_CHAN_FIXED && 946 chan->chan_type != L2CAP_CHAN_RAW) { 947 err = -EINVAL; 948 break; 949 } 950 951 sec.level = BT_SECURITY_LOW; 952 953 len = min_t(unsigned int, sizeof(sec), optlen); 954 if (copy_from_sockptr(&sec, optval, len)) { 955 err = -EFAULT; 956 break; 957 } 958 959 if (sec.level < BT_SECURITY_LOW || sec.level > BT_SECURITY_FIPS) { 960 err = -EINVAL; 961 break; 962 } 963 964 chan->sec_level = sec.level; 965 966 if (!chan->conn) { 967 break; 968 } 969 970 conn = chan->conn; 971 972 /* change security for LE channels */ 973 if (chan->scid == L2CAP_CID_ATT) { 974 if (smp_conn_security(conn->hcon, sec.level)) { 975 err = -EINVAL; 976 break; 977 } 978 979 set_bit(FLAG_PENDING_SECURITY, &chan->flags); 980 sk->sk_state = BT_CONFIG; 981 chan->state = BT_CONFIG; 982 983 /* or for ACL link */ 984 } else if ((sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) || 985 sk->sk_state == BT_CONNECTED) { 986 if (!l2cap_chan_check_security(chan, true)) { 987 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 988 } else { 989 sk->sk_state_change(sk); 990 } 991 } else { 992 err = -EINVAL; 993 } 994 break; 995 996 case BT_DEFER_SETUP: 997 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 998 err = -EINVAL; 999 break; 1000 } 1001 1002 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 1003 err = -EFAULT; 1004 break; 1005 } 1006 1007 if (opt) { 1008 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 1009 set_bit(FLAG_DEFER_SETUP, &chan->flags); 1010 } else { 1011 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 1012 clear_bit(FLAG_DEFER_SETUP, &chan->flags); 1013 } 1014 break; 1015 1016 case BT_FLUSHABLE: 1017 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 1018 err = -EFAULT; 1019 break; 1020 } 1021 1022 if (opt > BT_FLUSHABLE_ON) { 1023 err = -EINVAL; 1024 break; 1025 } 1026 1027 if (opt == BT_FLUSHABLE_OFF) { 1028 conn = chan->conn; 1029 /* proceed further only when we have l2cap_conn and 1030 No Flush support in the LM */ 1031 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) { 1032 err = -EINVAL; 1033 break; 1034 } 1035 } 1036 1037 if (opt) { 1038 set_bit(FLAG_FLUSHABLE, &chan->flags); 1039 } else { 1040 clear_bit(FLAG_FLUSHABLE, &chan->flags); 1041 } 1042 break; 1043 1044 case BT_POWER: 1045 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && chan->chan_type != L2CAP_CHAN_RAW) { 1046 err = -EINVAL; 1047 break; 1048 } 1049 1050 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON; 1051 1052 len = min_t(unsigned int, sizeof(pwr), optlen); 1053 if (copy_from_sockptr(&pwr, optval, len)) { 1054 err = -EFAULT; 1055 break; 1056 } 1057 1058 if (pwr.force_active) { 1059 set_bit(FLAG_FORCE_ACTIVE, &chan->flags); 1060 } else { 1061 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags); 1062 } 1063 break; 1064 1065 case BT_CHANNEL_POLICY: 1066 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 1067 err = -EFAULT; 1068 break; 1069 } 1070 1071 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) { 1072 err = -EINVAL; 1073 break; 1074 } 1075 1076 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING) { 1077 err = -EOPNOTSUPP; 1078 break; 1079 } 1080 1081 chan->chan_policy = (u8)opt; 1082 1083 if (sk->sk_state == BT_CONNECTED && chan->move_role == L2CAP_MOVE_ROLE_NONE) { 1084 l2cap_move_start(chan); 1085 } 1086 1087 break; 1088 1089 case BT_SNDMTU: 1090 if (!bdaddr_type_is_le(chan->src_type)) { 1091 err = -EINVAL; 1092 break; 1093 } 1094 1095 /* Setting is not supported as it's the remote side that 1096 * decides this. 1097 */ 1098 err = -EPERM; 1099 break; 1100 1101 case BT_RCVMTU: 1102 if (!bdaddr_type_is_le(chan->src_type)) { 1103 err = -EINVAL; 1104 break; 1105 } 1106 1107 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && sk->sk_state == BT_CONNECTED) { 1108 err = -EISCONN; 1109 break; 1110 } 1111 1112 if (copy_from_sockptr(&mtu, optval, sizeof(u16))) { 1113 err = -EFAULT; 1114 break; 1115 } 1116 1117 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL && sk->sk_state == BT_CONNECTED) { 1118 err = l2cap_chan_reconfigure(chan, mtu); 1119 } else { 1120 chan->imtu = mtu; 1121 } 1122 1123 break; 1124 1125 case BT_MODE: 1126 if (!enable_ecred) { 1127 err = -ENOPROTOOPT; 1128 break; 1129 } 1130 1131 BT_DBG("sk->sk_state %u", sk->sk_state); 1132 1133 if (sk->sk_state != BT_BOUND) { 1134 err = -EINVAL; 1135 break; 1136 } 1137 1138 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 1139 err = -EINVAL; 1140 break; 1141 } 1142 1143 if (copy_from_sockptr(&mode, optval, sizeof(u8))) { 1144 err = -EFAULT; 1145 break; 1146 } 1147 1148 BT_DBG("mode %u", mode); 1149 1150 err = l2cap_set_mode(chan, mode); 1151 if (err) { 1152 break; 1153 } 1154 1155 BT_DBG("mode 0x%2.2x", chan->mode); 1156 1157 break; 1158 1159 default: 1160 err = -ENOPROTOOPT; 1161 break; 1162 } 1163 1164 release_sock(sk); 1165 return err; 1166} 1167 1168static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) 1169{ 1170 struct sock *sk = sock->sk; 1171 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1172 int err; 1173 1174 BT_DBG("sock %p, sk %p", sock, sk); 1175 1176 err = sock_error(sk); 1177 if (err) { 1178 return err; 1179 } 1180 1181 if (msg->msg_flags & MSG_OOB) { 1182 return -EOPNOTSUPP; 1183 } 1184 1185 if (sk->sk_state != BT_CONNECTED) { 1186 return -ENOTCONN; 1187 } 1188 1189 lock_sock(sk); 1190 err = bt_sock_wait_ready(sk, msg->msg_flags); 1191 release_sock(sk); 1192 if (err) { 1193 return err; 1194 } 1195 1196 l2cap_chan_lock(chan); 1197 err = l2cap_chan_send(chan, msg, len); 1198 l2cap_chan_unlock(chan); 1199 1200 return err; 1201} 1202 1203static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, int flags) 1204{ 1205 struct sock *sk = sock->sk; 1206 struct l2cap_pinfo *pi = l2cap_pi(sk); 1207 int err; 1208 1209 lock_sock(sk); 1210 1211 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 1212 if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) { 1213 sk->sk_state = BT_CONNECTED; 1214 pi->chan->state = BT_CONNECTED; 1215 __l2cap_ecred_conn_rsp_defer(pi->chan); 1216 } else if (bdaddr_type_is_le(pi->chan->src_type)) { 1217 sk->sk_state = BT_CONNECTED; 1218 pi->chan->state = BT_CONNECTED; 1219 __l2cap_le_connect_rsp_defer(pi->chan); 1220 } else { 1221 sk->sk_state = BT_CONFIG; 1222 pi->chan->state = BT_CONFIG; 1223 __l2cap_connect_rsp_defer(pi->chan); 1224 } 1225 1226 err = 0; 1227 goto done; 1228 } 1229 1230 release_sock(sk); 1231 1232 if (sock->type == SOCK_STREAM) { 1233 err = bt_sock_stream_recvmsg(sock, msg, len, flags); 1234 } else { 1235 err = bt_sock_recvmsg(sock, msg, len, flags); 1236 } 1237 1238 if (pi->chan->mode != L2CAP_MODE_ERTM) { 1239 return err; 1240 } 1241 1242 /* Attempt to put pending rx data in the socket buffer */ 1243 1244 lock_sock(sk); 1245 1246 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state)) { 1247 goto done; 1248 } 1249 1250 if (pi->rx_busy_skb) { 1251 if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb)) { 1252 pi->rx_busy_skb = NULL; 1253 } else { 1254 goto done; 1255 } 1256 } 1257 1258 /* Restore data flow when half of the receive buffer is 1259 * available. This avoids resending large numbers of 1260 * frames. 1261 */ 1262 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1) { 1263 l2cap_chan_busy(pi->chan, 0); 1264 } 1265 1266done: 1267 release_sock(sk); 1268 return err; 1269} 1270 1271/* Kill socket (only if zapped and orphan) 1272 * Must be called on unlocked socket, with l2cap channel lock. 1273 */ 1274static void l2cap_sock_kill(struct sock *sk) 1275{ 1276 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket) { 1277 return; 1278 } 1279 1280 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state)); 1281 1282 /* Kill poor orphan */ 1283 1284 l2cap_chan_put(l2cap_pi(sk)->chan); 1285 sock_set_flag(sk, SOCK_DEAD); 1286 sock_put(sk); 1287} 1288 1289static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan) 1290{ 1291 DECLARE_WAITQUEUE(wait, current); 1292 int err = 0; 1293 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD; 1294 /* Timeout to prevent infinite loop */ 1295 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT; 1296 1297 add_wait_queue(sk_sleep(sk), &wait); 1298 set_current_state(TASK_INTERRUPTIBLE); 1299 do { 1300 BT_DBG("Waiting for %d ACKs, timeout %04d ms", chan->unacked_frames, 1301 time_after(jiffies, timeout) ? 0 : jiffies_to_msecs(timeout - jiffies)); 1302 1303 if (!timeo) { 1304 timeo = L2CAP_WAIT_ACK_POLL_PERIOD; 1305 } 1306 1307 if (signal_pending(current)) { 1308 err = sock_intr_errno(timeo); 1309 break; 1310 } 1311 1312 release_sock(sk); 1313 timeo = schedule_timeout(timeo); 1314 lock_sock(sk); 1315 set_current_state(TASK_INTERRUPTIBLE); 1316 1317 err = sock_error(sk); 1318 if (err) { 1319 break; 1320 } 1321 1322 if (time_after(jiffies, timeout)) { 1323 err = -ENOLINK; 1324 break; 1325 } 1326 } while (chan->unacked_frames > 0 && chan->state == BT_CONNECTED); 1327 1328 set_current_state(TASK_RUNNING); 1329 remove_wait_queue(sk_sleep(sk), &wait); 1330 return err; 1331} 1332 1333static int l2cap_sock_shutdown(struct socket *sock, int how) 1334{ 1335 struct sock *sk = sock->sk; 1336 struct l2cap_chan *chan; 1337 struct l2cap_conn *conn; 1338 int err = 0; 1339 1340 BT_DBG("sock %p, sk %p, how %d", sock, sk, how); 1341 1342 /* 'how' parameter is mapped to sk_shutdown as follows: 1343 * SHUT_RD (0) --> RCV_SHUTDOWN (1) 1344 * SHUT_WR (1) --> SEND_SHUTDOWN (2) 1345 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3) 1346 */ 1347 how++; 1348 1349 if (!sk) { 1350 return 0; 1351 } 1352 1353 lock_sock(sk); 1354 1355 if ((sk->sk_shutdown & how) == how) { 1356 goto shutdown_already; 1357 } 1358 1359 BT_DBG("Handling sock shutdown"); 1360 1361 /* prevent sk structure from being freed whilst unlocked */ 1362 sock_hold(sk); 1363 1364 chan = l2cap_pi(sk)->chan; 1365 /* prevent chan structure from being freed whilst unlocked */ 1366 l2cap_chan_hold(chan); 1367 1368 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 1369 1370 if (chan->mode == L2CAP_MODE_ERTM && chan->unacked_frames > 0 && chan->state == BT_CONNECTED) { 1371 err = __l2cap_wait_ack(sk, chan); 1372 1373 /* After waiting for ACKs, check whether shutdown 1374 * has already been actioned to close the L2CAP 1375 * link such as by l2cap_disconnection_req(). 1376 */ 1377 if ((sk->sk_shutdown & how) == how) { 1378 goto shutdown_matched; 1379 } 1380 } 1381 1382 /* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN 1383 * is already set 1384 */ 1385 if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) { 1386 sk->sk_shutdown |= RCV_SHUTDOWN; 1387 if ((sk->sk_shutdown & how) == how) { 1388 goto shutdown_matched; 1389 } 1390 } 1391 1392 sk->sk_shutdown |= SEND_SHUTDOWN; 1393 release_sock(sk); 1394 1395 l2cap_chan_lock(chan); 1396 conn = chan->conn; 1397 if (conn) { 1398 /* prevent conn structure from being freed */ 1399 l2cap_conn_get(conn); 1400 } 1401 l2cap_chan_unlock(chan); 1402 1403 if (conn) { 1404 /* mutex lock must be taken before l2cap_chan_lock() */ 1405 mutex_lock(&conn->chan_lock); 1406 } 1407 1408 l2cap_chan_lock(chan); 1409 l2cap_chan_close(chan, 0); 1410 l2cap_chan_unlock(chan); 1411 1412 if (conn) { 1413 mutex_unlock(&conn->chan_lock); 1414 l2cap_conn_put(conn); 1415 } 1416 1417 lock_sock(sk); 1418 1419 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime && !(current->flags & PF_EXITING)) { 1420 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime); 1421 } 1422 1423shutdown_matched: 1424 l2cap_chan_put(chan); 1425 sock_put(sk); 1426 1427shutdown_already: 1428 if (!err && sk->sk_err) { 1429 err = -sk->sk_err; 1430 } 1431 1432 release_sock(sk); 1433 1434 BT_DBG("Sock shutdown complete err: %d", err); 1435 1436 return err; 1437} 1438 1439static int l2cap_sock_release(struct socket *sock) 1440{ 1441 struct sock *sk = sock->sk; 1442 int err; 1443 struct l2cap_chan *chan; 1444 1445 BT_DBG("sock %p, sk %p", sock, sk); 1446 1447 if (!sk) { 1448 return 0; 1449 } 1450 1451 bt_sock_unlink(&l2cap_sk_list, sk); 1452 1453 err = l2cap_sock_shutdown(sock, SHUT_RDWR); 1454 chan = l2cap_pi(sk)->chan; 1455 1456 l2cap_chan_hold(chan); 1457 l2cap_chan_lock(chan); 1458 1459 sock_orphan(sk); 1460 l2cap_sock_kill(sk); 1461 1462 l2cap_chan_unlock(chan); 1463 l2cap_chan_put(chan); 1464 1465 return err; 1466} 1467 1468static void l2cap_sock_cleanup_listen(struct sock *parent) 1469{ 1470 struct sock *sk; 1471 1472 BT_DBG("parent %p state %s", parent, state_to_string(parent->sk_state)); 1473 1474 /* Close not yet accepted channels */ 1475 while ((sk = bt_accept_dequeue(parent, NULL))) { 1476 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1477 1478 BT_DBG("child chan %p state %s", chan, state_to_string(chan->state)); 1479 1480 l2cap_chan_hold(chan); 1481 l2cap_chan_lock(chan); 1482 1483 __clear_chan_timer(chan); 1484 l2cap_chan_close(chan, ECONNRESET); 1485 l2cap_sock_kill(sk); 1486 1487 l2cap_chan_unlock(chan); 1488 l2cap_chan_put(chan); 1489 } 1490} 1491 1492static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan) 1493{ 1494 struct sock *sk, *parent = chan->data; 1495 1496 lock_sock(parent); 1497 1498 /* Check for backlog size */ 1499 if (sk_acceptq_is_full(parent)) { 1500 BT_DBG("backlog full %d", parent->sk_ack_backlog); 1501 release_sock(parent); 1502 return NULL; 1503 } 1504 1505 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC, 0); 1506 if (!sk) { 1507 release_sock(parent); 1508 return NULL; 1509 } 1510 1511 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP); 1512 1513 l2cap_sock_init(sk, parent); 1514 1515 bt_accept_enqueue(parent, sk, false); 1516 1517 release_sock(parent); 1518 1519 return l2cap_pi(sk)->chan; 1520} 1521 1522static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) 1523{ 1524 struct sock *sk = chan->data; 1525 int err; 1526 1527 lock_sock(sk); 1528 1529 if (l2cap_pi(sk)->rx_busy_skb) { 1530 err = -ENOMEM; 1531 goto done; 1532 } 1533 1534 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING) { 1535 /* Even if no filter is attached, we could potentially 1536 * get errors from security modules, etc. 1537 */ 1538 err = sk_filter(sk, skb); 1539 if (err) { 1540 goto done; 1541 } 1542 } 1543 1544 err = __sock_queue_rcv_skb(sk, skb); 1545 /* For ERTM, handle one skb that doesn't fit into the recv 1546 * buffer. This is important to do because the data frames 1547 * have already been acked, so the skb cannot be discarded. 1548 * 1549 * Notify the l2cap core that the buffer is full, so the 1550 * LOCAL_BUSY state is entered and no more frames are 1551 * acked and reassembled until there is buffer space 1552 * available. 1553 */ 1554 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) { 1555 l2cap_pi(sk)->rx_busy_skb = skb; 1556 l2cap_chan_busy(chan, 1); 1557 err = 0; 1558 } 1559 1560done: 1561 release_sock(sk); 1562 1563 return err; 1564} 1565 1566static void l2cap_sock_close_cb(struct l2cap_chan *chan) 1567{ 1568 struct sock *sk = chan->data; 1569 1570 l2cap_sock_kill(sk); 1571} 1572 1573static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err) 1574{ 1575 struct sock *sk = chan->data; 1576 struct sock *parent; 1577 1578 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 1579 1580 /* This callback can be called both for server (BT_LISTEN) 1581 * sockets as well as "normal" ones. To avoid lockdep warnings 1582 * with child socket locking (through l2cap_sock_cleanup_listen) 1583 * we need separation into separate nesting levels. The simplest 1584 * way to accomplish this is to inherit the nesting level used 1585 * for the channel. 1586 */ 1587 lock_sock_nested(sk, atomic_read(&chan->nesting)); 1588 1589 parent = bt_sk(sk)->parent; 1590 1591 switch (chan->state) { 1592 case BT_OPEN: 1593 case BT_BOUND: 1594 case BT_CLOSED: 1595 break; 1596 case BT_LISTEN: 1597 l2cap_sock_cleanup_listen(sk); 1598 sk->sk_state = BT_CLOSED; 1599 chan->state = BT_CLOSED; 1600 1601 break; 1602 default: 1603 sk->sk_state = BT_CLOSED; 1604 chan->state = BT_CLOSED; 1605 1606 sk->sk_err = err; 1607 1608 if (parent) { 1609 bt_accept_unlink(sk); 1610 parent->sk_data_ready(parent); 1611 } else { 1612 sk->sk_state_change(sk); 1613 } 1614 1615 break; 1616 } 1617 release_sock(sk); 1618 1619 /* Only zap after cleanup to avoid use after free race */ 1620 sock_set_flag(sk, SOCK_ZAPPED); 1621} 1622 1623static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state, int err) 1624{ 1625 struct sock *sk = chan->data; 1626 1627 sk->sk_state = state; 1628 1629 if (err) { 1630 sk->sk_err = err; 1631 } 1632} 1633 1634static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan, unsigned long hdr_len, unsigned long len, 1635 int nb) 1636{ 1637 struct sock *sk = chan->data; 1638 struct sk_buff *skb; 1639 int err; 1640 1641 l2cap_chan_unlock(chan); 1642 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err); 1643 l2cap_chan_lock(chan); 1644 1645 if (!skb) { 1646 return ERR_PTR(err); 1647 } 1648 1649 skb->priority = sk->sk_priority; 1650 1651 bt_cb(skb)->l2cap.chan = chan; 1652 1653 return skb; 1654} 1655 1656static void l2cap_sock_ready_cb(struct l2cap_chan *chan) 1657{ 1658 struct sock *sk = chan->data; 1659 struct sock *parent; 1660 1661 lock_sock(sk); 1662 1663 parent = bt_sk(sk)->parent; 1664 1665 BT_DBG("sk %p, parent %p", sk, parent); 1666 1667 sk->sk_state = BT_CONNECTED; 1668 sk->sk_state_change(sk); 1669 1670 if (parent) { 1671 parent->sk_data_ready(parent); 1672 } 1673 1674 release_sock(sk); 1675} 1676 1677static void l2cap_sock_defer_cb(struct l2cap_chan *chan) 1678{ 1679 struct sock *parent, *sk = chan->data; 1680 1681 lock_sock(sk); 1682 1683 parent = bt_sk(sk)->parent; 1684 if (parent) { 1685 parent->sk_data_ready(parent); 1686 } 1687 1688 release_sock(sk); 1689} 1690 1691static void l2cap_sock_resume_cb(struct l2cap_chan *chan) 1692{ 1693 struct sock *sk = chan->data; 1694 1695 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) { 1696 sk->sk_state = BT_CONNECTED; 1697 chan->state = BT_CONNECTED; 1698 } 1699 1700 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 1701 sk->sk_state_change(sk); 1702} 1703 1704static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan) 1705{ 1706 struct sock *sk = chan->data; 1707 1708 lock_sock(sk); 1709 sk->sk_shutdown = SHUTDOWN_MASK; 1710 release_sock(sk); 1711} 1712 1713static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan) 1714{ 1715 struct sock *sk = chan->data; 1716 1717 return sk->sk_sndtimeo; 1718} 1719 1720static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan) 1721{ 1722 struct sock *sk = chan->data; 1723 1724 return sk->sk_peer_pid; 1725} 1726 1727static void l2cap_sock_suspend_cb(struct l2cap_chan *chan) 1728{ 1729 struct sock *sk = chan->data; 1730 1731 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 1732 sk->sk_state_change(sk); 1733} 1734 1735static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb) 1736{ 1737 struct sock *sk = chan->data; 1738 if ((chan->mode == L2CAP_MODE_ERTM) || (chan->mode == L2CAP_MODE_STREAMING)) { 1739 return sk_filter(sk, skb); 1740 } 1741 return 0; 1742} 1743 1744static const struct l2cap_ops l2cap_chan_ops = { 1745 .name = "L2CAP Socket Interface", 1746 .new_connection = l2cap_sock_new_connection_cb, 1747 .recv = l2cap_sock_recv_cb, 1748 .close = l2cap_sock_close_cb, 1749 .teardown = l2cap_sock_teardown_cb, 1750 .state_change = l2cap_sock_state_change_cb, 1751 .ready = l2cap_sock_ready_cb, 1752 .defer = l2cap_sock_defer_cb, 1753 .resume = l2cap_sock_resume_cb, 1754 .suspend = l2cap_sock_suspend_cb, 1755 .set_shutdown = l2cap_sock_set_shutdown_cb, 1756 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb, 1757 .get_peer_pid = l2cap_sock_get_peer_pid_cb, 1758 .alloc_skb = l2cap_sock_alloc_skb_cb, 1759 .filter = l2cap_sock_filter, 1760}; 1761 1762static void l2cap_sock_destruct(struct sock *sk) 1763{ 1764 BT_DBG("sk %p", sk); 1765 1766 if (l2cap_pi(sk)->chan) { 1767 l2cap_chan_put(l2cap_pi(sk)->chan); 1768 } 1769 1770 if (l2cap_pi(sk)->rx_busy_skb) { 1771 kfree_skb(l2cap_pi(sk)->rx_busy_skb); 1772 l2cap_pi(sk)->rx_busy_skb = NULL; 1773 } 1774 1775 skb_queue_purge(&sk->sk_receive_queue); 1776 skb_queue_purge(&sk->sk_write_queue); 1777} 1778 1779static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name, int *msg_namelen) 1780{ 1781 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name); 1782 1783 memset(la, 0, sizeof(struct sockaddr_l2)); 1784 la->l2_family = AF_BLUETOOTH; 1785 la->l2_psm = bt_cb(skb)->l2cap.psm; 1786 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr); 1787 1788 *msg_namelen = sizeof(struct sockaddr_l2); 1789} 1790 1791static void l2cap_sock_init(struct sock *sk, struct sock *parent) 1792{ 1793 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1794 1795 BT_DBG("sk %p", sk); 1796 1797 if (parent) { 1798 struct l2cap_chan *pchan = l2cap_pi(parent)->chan; 1799 1800 sk->sk_type = parent->sk_type; 1801 bt_sk(sk)->flags = bt_sk(parent)->flags; 1802 1803 chan->chan_type = pchan->chan_type; 1804 chan->imtu = pchan->imtu; 1805 chan->omtu = pchan->omtu; 1806 chan->conf_state = pchan->conf_state; 1807 chan->mode = pchan->mode; 1808 chan->fcs = pchan->fcs; 1809 chan->max_tx = pchan->max_tx; 1810 chan->tx_win = pchan->tx_win; 1811 chan->tx_win_max = pchan->tx_win_max; 1812 chan->sec_level = pchan->sec_level; 1813 chan->flags = pchan->flags; 1814 chan->tx_credits = pchan->tx_credits; 1815 chan->rx_credits = pchan->rx_credits; 1816 1817 if (chan->chan_type == L2CAP_CHAN_FIXED) { 1818 chan->scid = pchan->scid; 1819 chan->dcid = pchan->scid; 1820 } 1821 1822 security_sk_clone(parent, sk); 1823 } else { 1824 switch (sk->sk_type) { 1825 case SOCK_RAW: 1826 chan->chan_type = L2CAP_CHAN_RAW; 1827 break; 1828 case SOCK_DGRAM: 1829 chan->chan_type = L2CAP_CHAN_CONN_LESS; 1830 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name; 1831 break; 1832 case SOCK_SEQPACKET: 1833 case SOCK_STREAM: 1834 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED; 1835 break; 1836 } 1837 1838 chan->imtu = L2CAP_DEFAULT_MTU; 1839 chan->omtu = 0; 1840 if (!disable_ertm && sk->sk_type == SOCK_STREAM) { 1841 chan->mode = L2CAP_MODE_ERTM; 1842 set_bit(CONF_STATE2_DEVICE, &chan->conf_state); 1843 } else { 1844 chan->mode = L2CAP_MODE_BASIC; 1845 } 1846 1847 l2cap_chan_set_defaults(chan); 1848 } 1849 1850 /* Default config options */ 1851 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO; 1852 1853 chan->data = sk; 1854 chan->ops = &l2cap_chan_ops; 1855} 1856 1857static struct proto l2cap_proto = {.name = "L2CAP", .owner = THIS_MODULE, .obj_size = sizeof(struct l2cap_pinfo)}; 1858 1859static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio, int kern) 1860{ 1861 struct sock *sk; 1862 struct l2cap_chan *chan; 1863 1864 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern); 1865 if (!sk) { 1866 return NULL; 1867 } 1868 1869 sock_init_data(sock, sk); 1870 INIT_LIST_HEAD(&bt_sk(sk)->accept_q); 1871 1872 sk->sk_destruct = l2cap_sock_destruct; 1873 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT; 1874 1875 sock_reset_flag(sk, SOCK_ZAPPED); 1876 1877 sk->sk_protocol = proto; 1878 sk->sk_state = BT_OPEN; 1879 1880 chan = l2cap_chan_create(); 1881 if (!chan) { 1882 sk_free(sk); 1883 return NULL; 1884 } 1885 1886 l2cap_chan_hold(chan); 1887 1888 l2cap_pi(sk)->chan = chan; 1889 1890 return sk; 1891} 1892 1893static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol, int kern) 1894{ 1895 struct sock *sk; 1896 1897 BT_DBG("sock %p", sock); 1898 1899 sock->state = SS_UNCONNECTED; 1900 1901 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM && sock->type != SOCK_DGRAM && 1902 sock->type != SOCK_RAW) { 1903 return -ESOCKTNOSUPPORT; 1904 } 1905 1906 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW)) { 1907 return -EPERM; 1908 } 1909 1910 sock->ops = &l2cap_sock_ops; 1911 1912 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern); 1913 if (!sk) { 1914 return -ENOMEM; 1915 } 1916 1917 l2cap_sock_init(sk, NULL); 1918 bt_sock_link(&l2cap_sk_list, sk); 1919 return 0; 1920} 1921 1922static const struct proto_ops l2cap_sock_ops = {.family = PF_BLUETOOTH, 1923 .owner = THIS_MODULE, 1924 .release = l2cap_sock_release, 1925 .bind = l2cap_sock_bind, 1926 .connect = l2cap_sock_connect, 1927 .listen = l2cap_sock_listen, 1928 .accept = l2cap_sock_accept, 1929 .getname = l2cap_sock_getname, 1930 .sendmsg = l2cap_sock_sendmsg, 1931 .recvmsg = l2cap_sock_recvmsg, 1932 .poll = bt_sock_poll, 1933 .ioctl = bt_sock_ioctl, 1934 .gettstamp = sock_gettstamp, 1935 .mmap = sock_no_mmap, 1936 .socketpair = sock_no_socketpair, 1937 .shutdown = l2cap_sock_shutdown, 1938 .setsockopt = l2cap_sock_setsockopt, 1939 .getsockopt = l2cap_sock_getsockopt}; 1940 1941static const struct net_proto_family l2cap_sock_family_ops = { 1942 .family = PF_BLUETOOTH, 1943 .owner = THIS_MODULE, 1944 .create = l2cap_sock_create, 1945}; 1946 1947int __init l2cap_init_sockets(void) 1948{ 1949 int err; 1950 1951 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr)); 1952 1953 err = proto_register(&l2cap_proto, 0); 1954 if (err < 0) { 1955 return err; 1956 } 1957 1958 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops); 1959 if (err < 0) { 1960 BT_ERR("L2CAP socket registration failed"); 1961 goto error; 1962 } 1963 1964 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list, NULL); 1965 if (err < 0) { 1966 BT_ERR("Failed to create L2CAP proc file"); 1967 bt_sock_unregister(BTPROTO_L2CAP); 1968 goto error; 1969 } 1970 1971 BT_INFO("L2CAP socket layer initialized"); 1972 1973 return 0; 1974 1975error: 1976 proto_unregister(&l2cap_proto); 1977 return err; 1978} 1979 1980void l2cap_cleanup_sockets(void) 1981{ 1982 bt_procfs_cleanup(&init_net, "l2cap"); 1983 bt_sock_unregister(BTPROTO_L2CAP); 1984 proto_unregister(&l2cap_proto); 1985} 1986