1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
26 */
27
28 /* Bluetooth L2CAP sockets. */
29
30 #include <linux/module.h>
31 #include <linux/export.h>
32 #include <linux/sched/signal.h>
33
34 #include <net/bluetooth/bluetooth.h>
35 #include <net/bluetooth/hci_core.h>
36 #include <net/bluetooth/l2cap.h>
37
38 #include "smp.h"
39
40 static struct bt_sock_list l2cap_sk_list = {
41 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
42 };
43
44 static const struct proto_ops l2cap_sock_ops;
45 static void l2cap_sock_init(struct sock *sk, struct sock *parent);
46 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
47 int proto, gfp_t prio, int kern);
48
l2cap_is_socket(struct socket * sock)49 bool l2cap_is_socket(struct socket *sock)
50 {
51 return sock && sock->ops == &l2cap_sock_ops;
52 }
53 EXPORT_SYMBOL(l2cap_is_socket);
54
l2cap_validate_bredr_psm(u16 psm)55 static int l2cap_validate_bredr_psm(u16 psm)
56 {
57 /* PSM must be odd and lsb of upper byte must be 0 */
58 if ((psm & 0x0101) != 0x0001)
59 return -EINVAL;
60
61 /* Restrict usage of well-known PSMs */
62 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
63 return -EACCES;
64
65 return 0;
66 }
67
l2cap_validate_le_psm(u16 psm)68 static int l2cap_validate_le_psm(u16 psm)
69 {
70 /* Valid LE_PSM ranges are defined only until 0x00ff */
71 if (psm > L2CAP_PSM_LE_DYN_END)
72 return -EINVAL;
73
74 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
75 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
76 return -EACCES;
77
78 return 0;
79 }
80
l2cap_sock_bind(struct socket * sock,struct sockaddr * addr,int alen)81 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
82 {
83 struct sock *sk = sock->sk;
84 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
85 struct sockaddr_l2 la;
86 int len, err = 0;
87
88 BT_DBG("sk %p", sk);
89
90 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
91 addr->sa_family != AF_BLUETOOTH)
92 return -EINVAL;
93
94 memset(&la, 0, sizeof(la));
95 len = min_t(unsigned int, sizeof(la), alen);
96 memcpy(&la, addr, len);
97
98 if (la.l2_cid && la.l2_psm)
99 return -EINVAL;
100
101 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
102 return -EINVAL;
103
104 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
105 /* We only allow ATT user space socket */
106 if (la.l2_cid &&
107 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
108 return -EINVAL;
109 }
110
111 lock_sock(sk);
112
113 if (sk->sk_state != BT_OPEN) {
114 err = -EBADFD;
115 goto done;
116 }
117
118 if (la.l2_psm) {
119 __u16 psm = __le16_to_cpu(la.l2_psm);
120
121 if (la.l2_bdaddr_type == BDADDR_BREDR)
122 err = l2cap_validate_bredr_psm(psm);
123 else
124 err = l2cap_validate_le_psm(psm);
125
126 if (err)
127 goto done;
128 }
129
130 bacpy(&chan->src, &la.l2_bdaddr);
131 chan->src_type = la.l2_bdaddr_type;
132
133 if (la.l2_cid)
134 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
135 else
136 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
137
138 if (err < 0)
139 goto done;
140
141 switch (chan->chan_type) {
142 case L2CAP_CHAN_CONN_LESS:
143 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
144 chan->sec_level = BT_SECURITY_SDP;
145 break;
146 case L2CAP_CHAN_CONN_ORIENTED:
147 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
148 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
149 chan->sec_level = BT_SECURITY_SDP;
150 break;
151 case L2CAP_CHAN_RAW:
152 chan->sec_level = BT_SECURITY_SDP;
153 break;
154 case L2CAP_CHAN_FIXED:
155 /* Fixed channels default to the L2CAP core not holding a
156 * hci_conn reference for them. For fixed channels mapping to
157 * L2CAP sockets we do want to hold a reference so set the
158 * appropriate flag to request it.
159 */
160 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
161 break;
162 }
163
164 if (chan->psm && bdaddr_type_is_le(chan->src_type))
165 chan->mode = L2CAP_MODE_LE_FLOWCTL;
166
167 chan->state = BT_BOUND;
168 sk->sk_state = BT_BOUND;
169
170 done:
171 release_sock(sk);
172 return err;
173 }
174
l2cap_sock_connect(struct socket * sock,struct sockaddr * addr,int alen,int flags)175 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
176 int alen, int flags)
177 {
178 struct sock *sk = sock->sk;
179 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
180 struct sockaddr_l2 la;
181 int len, err = 0;
182
183 BT_DBG("sk %p", sk);
184
185 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
186 addr->sa_family != AF_BLUETOOTH)
187 return -EINVAL;
188
189 memset(&la, 0, sizeof(la));
190 len = min_t(unsigned int, sizeof(la), alen);
191 memcpy(&la, addr, len);
192
193 if (la.l2_cid && la.l2_psm)
194 return -EINVAL;
195
196 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
197 return -EINVAL;
198
199 /* Check that the socket wasn't bound to something that
200 * conflicts with the address given to connect(). If chan->src
201 * is BDADDR_ANY it means bind() was never used, in which case
202 * chan->src_type and la.l2_bdaddr_type do not need to match.
203 */
204 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
205 bdaddr_type_is_le(la.l2_bdaddr_type)) {
206 /* Old user space versions will try to incorrectly bind
207 * the ATT socket using BDADDR_BREDR. We need to accept
208 * this and fix up the source address type only when
209 * both the source CID and destination CID indicate
210 * ATT. Anything else is an invalid combination.
211 */
212 if (chan->scid != L2CAP_CID_ATT ||
213 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
214 return -EINVAL;
215
216 /* We don't have the hdev available here to make a
217 * better decision on random vs public, but since all
218 * user space versions that exhibit this issue anyway do
219 * not support random local addresses assuming public
220 * here is good enough.
221 */
222 chan->src_type = BDADDR_LE_PUBLIC;
223 }
224
225 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
226 return -EINVAL;
227
228 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
229 /* We only allow ATT user space socket */
230 if (la.l2_cid &&
231 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
232 return -EINVAL;
233 }
234
235 if (chan->psm && bdaddr_type_is_le(chan->src_type))
236 chan->mode = L2CAP_MODE_LE_FLOWCTL;
237
238 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
239 &la.l2_bdaddr, la.l2_bdaddr_type);
240 if (err)
241 return err;
242
243 lock_sock(sk);
244
245 err = bt_sock_wait_state(sk, BT_CONNECTED,
246 sock_sndtimeo(sk, flags & O_NONBLOCK));
247
248 release_sock(sk);
249
250 return err;
251 }
252
l2cap_sock_listen(struct socket * sock,int backlog)253 static int l2cap_sock_listen(struct socket *sock, int backlog)
254 {
255 struct sock *sk = sock->sk;
256 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
257 int err = 0;
258
259 BT_DBG("sk %p backlog %d", sk, backlog);
260
261 lock_sock(sk);
262
263 if (sk->sk_state != BT_BOUND) {
264 err = -EBADFD;
265 goto done;
266 }
267
268 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
269 err = -EINVAL;
270 goto done;
271 }
272
273 switch (chan->mode) {
274 case L2CAP_MODE_BASIC:
275 case L2CAP_MODE_LE_FLOWCTL:
276 break;
277 case L2CAP_MODE_ERTM:
278 case L2CAP_MODE_STREAMING:
279 if (!disable_ertm)
280 break;
281 /* fall through */
282 default:
283 err = -EOPNOTSUPP;
284 goto done;
285 }
286
287 sk->sk_max_ack_backlog = backlog;
288 sk->sk_ack_backlog = 0;
289
290 /* Listening channels need to use nested locking in order not to
291 * cause lockdep warnings when the created child channels end up
292 * being locked in the same thread as the parent channel.
293 */
294 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
295
296 chan->state = BT_LISTEN;
297 sk->sk_state = BT_LISTEN;
298
299 done:
300 release_sock(sk);
301 return err;
302 }
303
l2cap_sock_accept(struct socket * sock,struct socket * newsock,int flags,bool kern)304 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
305 int flags, bool kern)
306 {
307 DEFINE_WAIT_FUNC(wait, woken_wake_function);
308 struct sock *sk = sock->sk, *nsk;
309 long timeo;
310 int err = 0;
311
312 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
313
314 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
315
316 BT_DBG("sk %p timeo %ld", sk, timeo);
317
318 /* Wait for an incoming connection. (wake-one). */
319 add_wait_queue_exclusive(sk_sleep(sk), &wait);
320 while (1) {
321 if (sk->sk_state != BT_LISTEN) {
322 err = -EBADFD;
323 break;
324 }
325
326 nsk = bt_accept_dequeue(sk, newsock);
327 if (nsk)
328 break;
329
330 if (!timeo) {
331 err = -EAGAIN;
332 break;
333 }
334
335 if (signal_pending(current)) {
336 err = sock_intr_errno(timeo);
337 break;
338 }
339
340 release_sock(sk);
341
342 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
343
344 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
345 }
346 remove_wait_queue(sk_sleep(sk), &wait);
347
348 if (err)
349 goto done;
350
351 newsock->state = SS_CONNECTED;
352
353 BT_DBG("new socket %p", nsk);
354
355 done:
356 release_sock(sk);
357 return err;
358 }
359
l2cap_sock_getname(struct socket * sock,struct sockaddr * addr,int peer)360 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
361 int peer)
362 {
363 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
364 struct sock *sk = sock->sk;
365 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
366
367 BT_DBG("sock %p, sk %p", sock, sk);
368
369 if (peer && sk->sk_state != BT_CONNECTED &&
370 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
371 sk->sk_state != BT_CONFIG)
372 return -ENOTCONN;
373
374 memset(la, 0, sizeof(struct sockaddr_l2));
375 addr->sa_family = AF_BLUETOOTH;
376
377 la->l2_psm = chan->psm;
378
379 if (peer) {
380 bacpy(&la->l2_bdaddr, &chan->dst);
381 la->l2_cid = cpu_to_le16(chan->dcid);
382 la->l2_bdaddr_type = chan->dst_type;
383 } else {
384 bacpy(&la->l2_bdaddr, &chan->src);
385 la->l2_cid = cpu_to_le16(chan->scid);
386 la->l2_bdaddr_type = chan->src_type;
387 }
388
389 return sizeof(struct sockaddr_l2);
390 }
391
l2cap_sock_getsockopt_old(struct socket * sock,int optname,char __user * optval,int __user * optlen)392 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
393 char __user *optval, int __user *optlen)
394 {
395 struct sock *sk = sock->sk;
396 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
397 struct l2cap_options opts;
398 struct l2cap_conninfo cinfo;
399 int len, err = 0;
400 u32 opt;
401
402 BT_DBG("sk %p", sk);
403
404 if (get_user(len, optlen))
405 return -EFAULT;
406
407 lock_sock(sk);
408
409 switch (optname) {
410 case L2CAP_OPTIONS:
411 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
412 * legacy ATT code depends on getsockopt for
413 * L2CAP_OPTIONS we need to let this pass.
414 */
415 if (bdaddr_type_is_le(chan->src_type) &&
416 chan->scid != L2CAP_CID_ATT) {
417 err = -EINVAL;
418 break;
419 }
420
421 memset(&opts, 0, sizeof(opts));
422 opts.imtu = chan->imtu;
423 opts.omtu = chan->omtu;
424 opts.flush_to = chan->flush_to;
425 opts.mode = chan->mode;
426 opts.fcs = chan->fcs;
427 opts.max_tx = chan->max_tx;
428 opts.txwin_size = chan->tx_win;
429
430 len = min_t(unsigned int, len, sizeof(opts));
431 if (copy_to_user(optval, (char *) &opts, len))
432 err = -EFAULT;
433
434 break;
435
436 case L2CAP_LM:
437 switch (chan->sec_level) {
438 case BT_SECURITY_LOW:
439 opt = L2CAP_LM_AUTH;
440 break;
441 case BT_SECURITY_MEDIUM:
442 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
443 break;
444 case BT_SECURITY_HIGH:
445 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
446 L2CAP_LM_SECURE;
447 break;
448 case BT_SECURITY_FIPS:
449 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
450 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
451 break;
452 default:
453 opt = 0;
454 break;
455 }
456
457 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
458 opt |= L2CAP_LM_MASTER;
459
460 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
461 opt |= L2CAP_LM_RELIABLE;
462
463 if (put_user(opt, (u32 __user *) optval))
464 err = -EFAULT;
465
466 break;
467
468 case L2CAP_CONNINFO:
469 if (sk->sk_state != BT_CONNECTED &&
470 !(sk->sk_state == BT_CONNECT2 &&
471 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
472 err = -ENOTCONN;
473 break;
474 }
475
476 memset(&cinfo, 0, sizeof(cinfo));
477 cinfo.hci_handle = chan->conn->hcon->handle;
478 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
479
480 len = min_t(unsigned int, len, sizeof(cinfo));
481 if (copy_to_user(optval, (char *) &cinfo, len))
482 err = -EFAULT;
483
484 break;
485
486 default:
487 err = -ENOPROTOOPT;
488 break;
489 }
490
491 release_sock(sk);
492 return err;
493 }
494
l2cap_sock_getsockopt(struct socket * sock,int level,int optname,char __user * optval,int __user * optlen)495 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
496 char __user *optval, int __user *optlen)
497 {
498 struct sock *sk = sock->sk;
499 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
500 struct bt_security sec;
501 struct bt_power pwr;
502 int len, err = 0;
503
504 BT_DBG("sk %p", sk);
505
506 if (level == SOL_L2CAP)
507 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
508
509 if (level != SOL_BLUETOOTH)
510 return -ENOPROTOOPT;
511
512 if (get_user(len, optlen))
513 return -EFAULT;
514
515 lock_sock(sk);
516
517 switch (optname) {
518 case BT_SECURITY:
519 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
520 chan->chan_type != L2CAP_CHAN_FIXED &&
521 chan->chan_type != L2CAP_CHAN_RAW) {
522 err = -EINVAL;
523 break;
524 }
525
526 memset(&sec, 0, sizeof(sec));
527 if (chan->conn) {
528 sec.level = chan->conn->hcon->sec_level;
529
530 if (sk->sk_state == BT_CONNECTED)
531 sec.key_size = chan->conn->hcon->enc_key_size;
532 } else {
533 sec.level = chan->sec_level;
534 }
535
536 len = min_t(unsigned int, len, sizeof(sec));
537 if (copy_to_user(optval, (char *) &sec, len))
538 err = -EFAULT;
539
540 break;
541
542 case BT_DEFER_SETUP:
543 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
544 err = -EINVAL;
545 break;
546 }
547
548 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
549 (u32 __user *) optval))
550 err = -EFAULT;
551
552 break;
553
554 case BT_FLUSHABLE:
555 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
556 (u32 __user *) optval))
557 err = -EFAULT;
558
559 break;
560
561 case BT_POWER:
562 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
563 && sk->sk_type != SOCK_RAW) {
564 err = -EINVAL;
565 break;
566 }
567
568 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
569
570 len = min_t(unsigned int, len, sizeof(pwr));
571 if (copy_to_user(optval, (char *) &pwr, len))
572 err = -EFAULT;
573
574 break;
575
576 case BT_CHANNEL_POLICY:
577 if (put_user(chan->chan_policy, (u32 __user *) optval))
578 err = -EFAULT;
579 break;
580
581 case BT_SNDMTU:
582 if (!bdaddr_type_is_le(chan->src_type)) {
583 err = -EINVAL;
584 break;
585 }
586
587 if (sk->sk_state != BT_CONNECTED) {
588 err = -ENOTCONN;
589 break;
590 }
591
592 if (put_user(chan->omtu, (u16 __user *) optval))
593 err = -EFAULT;
594 break;
595
596 case BT_RCVMTU:
597 if (!bdaddr_type_is_le(chan->src_type)) {
598 err = -EINVAL;
599 break;
600 }
601
602 if (put_user(chan->imtu, (u16 __user *) optval))
603 err = -EFAULT;
604 break;
605
606 default:
607 err = -ENOPROTOOPT;
608 break;
609 }
610
611 release_sock(sk);
612 return err;
613 }
614
l2cap_valid_mtu(struct l2cap_chan * chan,u16 mtu)615 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
616 {
617 switch (chan->scid) {
618 case L2CAP_CID_ATT:
619 if (mtu < L2CAP_LE_MIN_MTU)
620 return false;
621 break;
622
623 default:
624 if (mtu < L2CAP_DEFAULT_MIN_MTU)
625 return false;
626 }
627
628 return true;
629 }
630
l2cap_sock_setsockopt_old(struct socket * sock,int optname,char __user * optval,unsigned int optlen)631 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
632 char __user *optval, unsigned int optlen)
633 {
634 struct sock *sk = sock->sk;
635 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
636 struct l2cap_options opts;
637 int len, err = 0;
638 u32 opt;
639
640 BT_DBG("sk %p", sk);
641
642 lock_sock(sk);
643
644 switch (optname) {
645 case L2CAP_OPTIONS:
646 if (bdaddr_type_is_le(chan->src_type)) {
647 err = -EINVAL;
648 break;
649 }
650
651 if (sk->sk_state == BT_CONNECTED) {
652 err = -EINVAL;
653 break;
654 }
655
656 opts.imtu = chan->imtu;
657 opts.omtu = chan->omtu;
658 opts.flush_to = chan->flush_to;
659 opts.mode = chan->mode;
660 opts.fcs = chan->fcs;
661 opts.max_tx = chan->max_tx;
662 opts.txwin_size = chan->tx_win;
663
664 len = min_t(unsigned int, sizeof(opts), optlen);
665 if (copy_from_user((char *) &opts, optval, len)) {
666 err = -EFAULT;
667 break;
668 }
669
670 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
671 err = -EINVAL;
672 break;
673 }
674
675 if (!l2cap_valid_mtu(chan, opts.imtu)) {
676 err = -EINVAL;
677 break;
678 }
679
680 chan->mode = opts.mode;
681 switch (chan->mode) {
682 case L2CAP_MODE_LE_FLOWCTL:
683 break;
684 case L2CAP_MODE_BASIC:
685 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
686 break;
687 case L2CAP_MODE_ERTM:
688 case L2CAP_MODE_STREAMING:
689 if (!disable_ertm)
690 break;
691 /* fall through */
692 default:
693 err = -EINVAL;
694 break;
695 }
696
697 chan->imtu = opts.imtu;
698 chan->omtu = opts.omtu;
699 chan->fcs = opts.fcs;
700 chan->max_tx = opts.max_tx;
701 chan->tx_win = opts.txwin_size;
702 chan->flush_to = opts.flush_to;
703 break;
704
705 case L2CAP_LM:
706 if (get_user(opt, (u32 __user *) optval)) {
707 err = -EFAULT;
708 break;
709 }
710
711 if (opt & L2CAP_LM_FIPS) {
712 err = -EINVAL;
713 break;
714 }
715
716 if (opt & L2CAP_LM_AUTH)
717 chan->sec_level = BT_SECURITY_LOW;
718 if (opt & L2CAP_LM_ENCRYPT)
719 chan->sec_level = BT_SECURITY_MEDIUM;
720 if (opt & L2CAP_LM_SECURE)
721 chan->sec_level = BT_SECURITY_HIGH;
722
723 if (opt & L2CAP_LM_MASTER)
724 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
725 else
726 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
727
728 if (opt & L2CAP_LM_RELIABLE)
729 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
730 else
731 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
732 break;
733
734 default:
735 err = -ENOPROTOOPT;
736 break;
737 }
738
739 release_sock(sk);
740 return err;
741 }
742
l2cap_sock_setsockopt(struct socket * sock,int level,int optname,char __user * optval,unsigned int optlen)743 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
744 char __user *optval, unsigned int optlen)
745 {
746 struct sock *sk = sock->sk;
747 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
748 struct bt_security sec;
749 struct bt_power pwr;
750 struct l2cap_conn *conn;
751 int len, err = 0;
752 u32 opt;
753
754 BT_DBG("sk %p", sk);
755
756 if (level == SOL_L2CAP)
757 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
758
759 if (level != SOL_BLUETOOTH)
760 return -ENOPROTOOPT;
761
762 lock_sock(sk);
763
764 switch (optname) {
765 case BT_SECURITY:
766 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
767 chan->chan_type != L2CAP_CHAN_FIXED &&
768 chan->chan_type != L2CAP_CHAN_RAW) {
769 err = -EINVAL;
770 break;
771 }
772
773 sec.level = BT_SECURITY_LOW;
774
775 len = min_t(unsigned int, sizeof(sec), optlen);
776 if (copy_from_user((char *) &sec, optval, len)) {
777 err = -EFAULT;
778 break;
779 }
780
781 if (sec.level < BT_SECURITY_LOW ||
782 sec.level > BT_SECURITY_FIPS) {
783 err = -EINVAL;
784 break;
785 }
786
787 chan->sec_level = sec.level;
788
789 if (!chan->conn)
790 break;
791
792 conn = chan->conn;
793
794 /*change security for LE channels */
795 if (chan->scid == L2CAP_CID_ATT) {
796 if (smp_conn_security(conn->hcon, sec.level))
797 break;
798 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
799 sk->sk_state = BT_CONFIG;
800 chan->state = BT_CONFIG;
801
802 /* or for ACL link */
803 } else if ((sk->sk_state == BT_CONNECT2 &&
804 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
805 sk->sk_state == BT_CONNECTED) {
806 if (!l2cap_chan_check_security(chan, true))
807 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
808 else
809 sk->sk_state_change(sk);
810 } else {
811 err = -EINVAL;
812 }
813 break;
814
815 case BT_DEFER_SETUP:
816 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
817 err = -EINVAL;
818 break;
819 }
820
821 if (get_user(opt, (u32 __user *) optval)) {
822 err = -EFAULT;
823 break;
824 }
825
826 if (opt) {
827 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
828 set_bit(FLAG_DEFER_SETUP, &chan->flags);
829 } else {
830 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
831 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
832 }
833 break;
834
835 case BT_FLUSHABLE:
836 if (get_user(opt, (u32 __user *) optval)) {
837 err = -EFAULT;
838 break;
839 }
840
841 if (opt > BT_FLUSHABLE_ON) {
842 err = -EINVAL;
843 break;
844 }
845
846 if (opt == BT_FLUSHABLE_OFF) {
847 conn = chan->conn;
848 /* proceed further only when we have l2cap_conn and
849 No Flush support in the LM */
850 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
851 err = -EINVAL;
852 break;
853 }
854 }
855
856 if (opt)
857 set_bit(FLAG_FLUSHABLE, &chan->flags);
858 else
859 clear_bit(FLAG_FLUSHABLE, &chan->flags);
860 break;
861
862 case BT_POWER:
863 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
864 chan->chan_type != L2CAP_CHAN_RAW) {
865 err = -EINVAL;
866 break;
867 }
868
869 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
870
871 len = min_t(unsigned int, sizeof(pwr), optlen);
872 if (copy_from_user((char *) &pwr, optval, len)) {
873 err = -EFAULT;
874 break;
875 }
876
877 if (pwr.force_active)
878 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
879 else
880 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
881 break;
882
883 case BT_CHANNEL_POLICY:
884 if (get_user(opt, (u32 __user *) optval)) {
885 err = -EFAULT;
886 break;
887 }
888
889 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
890 err = -EINVAL;
891 break;
892 }
893
894 if (chan->mode != L2CAP_MODE_ERTM &&
895 chan->mode != L2CAP_MODE_STREAMING) {
896 err = -EOPNOTSUPP;
897 break;
898 }
899
900 chan->chan_policy = (u8) opt;
901
902 if (sk->sk_state == BT_CONNECTED &&
903 chan->move_role == L2CAP_MOVE_ROLE_NONE)
904 l2cap_move_start(chan);
905
906 break;
907
908 case BT_SNDMTU:
909 if (!bdaddr_type_is_le(chan->src_type)) {
910 err = -EINVAL;
911 break;
912 }
913
914 /* Setting is not supported as it's the remote side that
915 * decides this.
916 */
917 err = -EPERM;
918 break;
919
920 case BT_RCVMTU:
921 if (!bdaddr_type_is_le(chan->src_type)) {
922 err = -EINVAL;
923 break;
924 }
925
926 if (sk->sk_state == BT_CONNECTED) {
927 err = -EISCONN;
928 break;
929 }
930
931 if (get_user(opt, (u16 __user *) optval)) {
932 err = -EFAULT;
933 break;
934 }
935
936 chan->imtu = opt;
937 break;
938
939 default:
940 err = -ENOPROTOOPT;
941 break;
942 }
943
944 release_sock(sk);
945 return err;
946 }
947
l2cap_sock_sendmsg(struct socket * sock,struct msghdr * msg,size_t len)948 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
949 size_t len)
950 {
951 struct sock *sk = sock->sk;
952 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
953 int err;
954
955 BT_DBG("sock %p, sk %p", sock, sk);
956
957 err = sock_error(sk);
958 if (err)
959 return err;
960
961 if (msg->msg_flags & MSG_OOB)
962 return -EOPNOTSUPP;
963
964 if (sk->sk_state != BT_CONNECTED)
965 return -ENOTCONN;
966
967 lock_sock(sk);
968 err = bt_sock_wait_ready(sk, msg->msg_flags);
969 release_sock(sk);
970 if (err)
971 return err;
972
973 l2cap_chan_lock(chan);
974 err = l2cap_chan_send(chan, msg, len);
975 l2cap_chan_unlock(chan);
976
977 return err;
978 }
979
l2cap_sock_recvmsg(struct socket * sock,struct msghdr * msg,size_t len,int flags)980 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
981 size_t len, int flags)
982 {
983 struct sock *sk = sock->sk;
984 struct l2cap_pinfo *pi = l2cap_pi(sk);
985 int err;
986
987 lock_sock(sk);
988
989 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
990 &bt_sk(sk)->flags)) {
991 if (bdaddr_type_is_le(pi->chan->src_type)) {
992 sk->sk_state = BT_CONNECTED;
993 pi->chan->state = BT_CONNECTED;
994 __l2cap_le_connect_rsp_defer(pi->chan);
995 } else {
996 sk->sk_state = BT_CONFIG;
997 pi->chan->state = BT_CONFIG;
998 __l2cap_connect_rsp_defer(pi->chan);
999 }
1000
1001 err = 0;
1002 goto done;
1003 }
1004
1005 release_sock(sk);
1006
1007 if (sock->type == SOCK_STREAM)
1008 err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1009 else
1010 err = bt_sock_recvmsg(sock, msg, len, flags);
1011
1012 if (pi->chan->mode != L2CAP_MODE_ERTM)
1013 return err;
1014
1015 /* Attempt to put pending rx data in the socket buffer */
1016
1017 lock_sock(sk);
1018
1019 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1020 goto done;
1021
1022 if (pi->rx_busy_skb) {
1023 if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1024 pi->rx_busy_skb = NULL;
1025 else
1026 goto done;
1027 }
1028
1029 /* Restore data flow when half of the receive buffer is
1030 * available. This avoids resending large numbers of
1031 * frames.
1032 */
1033 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1034 l2cap_chan_busy(pi->chan, 0);
1035
1036 done:
1037 release_sock(sk);
1038 return err;
1039 }
1040
1041 /* Kill socket (only if zapped and orphan)
1042 * Must be called on unlocked socket, with l2cap channel lock.
1043 */
l2cap_sock_kill(struct sock * sk)1044 static void l2cap_sock_kill(struct sock *sk)
1045 {
1046 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1047 return;
1048
1049 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1050
1051 /* Kill poor orphan */
1052
1053 l2cap_chan_put(l2cap_pi(sk)->chan);
1054 sock_set_flag(sk, SOCK_DEAD);
1055 sock_put(sk);
1056 }
1057
__l2cap_wait_ack(struct sock * sk,struct l2cap_chan * chan)1058 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1059 {
1060 DECLARE_WAITQUEUE(wait, current);
1061 int err = 0;
1062 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1063 /* Timeout to prevent infinite loop */
1064 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1065
1066 add_wait_queue(sk_sleep(sk), &wait);
1067 set_current_state(TASK_INTERRUPTIBLE);
1068 do {
1069 BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1070 chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1071 jiffies_to_msecs(timeout - jiffies));
1072
1073 if (!timeo)
1074 timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1075
1076 if (signal_pending(current)) {
1077 err = sock_intr_errno(timeo);
1078 break;
1079 }
1080
1081 release_sock(sk);
1082 timeo = schedule_timeout(timeo);
1083 lock_sock(sk);
1084 set_current_state(TASK_INTERRUPTIBLE);
1085
1086 err = sock_error(sk);
1087 if (err)
1088 break;
1089
1090 if (time_after(jiffies, timeout)) {
1091 err = -ENOLINK;
1092 break;
1093 }
1094
1095 } while (chan->unacked_frames > 0 &&
1096 chan->state == BT_CONNECTED);
1097
1098 set_current_state(TASK_RUNNING);
1099 remove_wait_queue(sk_sleep(sk), &wait);
1100 return err;
1101 }
1102
l2cap_sock_shutdown(struct socket * sock,int how)1103 static int l2cap_sock_shutdown(struct socket *sock, int how)
1104 {
1105 struct sock *sk = sock->sk;
1106 struct l2cap_chan *chan;
1107 struct l2cap_conn *conn;
1108 int err = 0;
1109
1110 BT_DBG("sock %p, sk %p", sock, sk);
1111
1112 if (!sk)
1113 return 0;
1114
1115 lock_sock(sk);
1116
1117 if (sk->sk_shutdown)
1118 goto shutdown_already;
1119
1120 BT_DBG("Handling sock shutdown");
1121
1122 /* prevent sk structure from being freed whilst unlocked */
1123 sock_hold(sk);
1124
1125 chan = l2cap_pi(sk)->chan;
1126 /* prevent chan structure from being freed whilst unlocked */
1127 l2cap_chan_hold(chan);
1128
1129 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1130
1131 if (chan->mode == L2CAP_MODE_ERTM &&
1132 chan->unacked_frames > 0 &&
1133 chan->state == BT_CONNECTED) {
1134 err = __l2cap_wait_ack(sk, chan);
1135
1136 /* After waiting for ACKs, check whether shutdown
1137 * has already been actioned to close the L2CAP
1138 * link such as by l2cap_disconnection_req().
1139 */
1140 if (sk->sk_shutdown)
1141 goto has_shutdown;
1142 }
1143
1144 sk->sk_shutdown = SHUTDOWN_MASK;
1145 release_sock(sk);
1146
1147 l2cap_chan_lock(chan);
1148 conn = chan->conn;
1149 if (conn)
1150 /* prevent conn structure from being freed */
1151 l2cap_conn_get(conn);
1152 l2cap_chan_unlock(chan);
1153
1154 if (conn)
1155 /* mutex lock must be taken before l2cap_chan_lock() */
1156 mutex_lock(&conn->chan_lock);
1157
1158 l2cap_chan_lock(chan);
1159 l2cap_chan_close(chan, 0);
1160 l2cap_chan_unlock(chan);
1161
1162 if (conn) {
1163 mutex_unlock(&conn->chan_lock);
1164 l2cap_conn_put(conn);
1165 }
1166
1167 lock_sock(sk);
1168
1169 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1170 !(current->flags & PF_EXITING))
1171 err = bt_sock_wait_state(sk, BT_CLOSED,
1172 sk->sk_lingertime);
1173
1174 has_shutdown:
1175 l2cap_chan_put(chan);
1176 sock_put(sk);
1177
1178 shutdown_already:
1179 if (!err && sk->sk_err)
1180 err = -sk->sk_err;
1181
1182 release_sock(sk);
1183
1184 BT_DBG("Sock shutdown complete err: %d", err);
1185
1186 return err;
1187 }
1188
l2cap_sock_release(struct socket * sock)1189 static int l2cap_sock_release(struct socket *sock)
1190 {
1191 struct sock *sk = sock->sk;
1192 int err;
1193 struct l2cap_chan *chan;
1194
1195 BT_DBG("sock %p, sk %p", sock, sk);
1196
1197 if (!sk)
1198 return 0;
1199
1200 bt_sock_unlink(&l2cap_sk_list, sk);
1201
1202 err = l2cap_sock_shutdown(sock, 2);
1203 chan = l2cap_pi(sk)->chan;
1204
1205 l2cap_chan_hold(chan);
1206 l2cap_chan_lock(chan);
1207
1208 sock_orphan(sk);
1209 l2cap_sock_kill(sk);
1210
1211 l2cap_chan_unlock(chan);
1212 l2cap_chan_put(chan);
1213
1214 return err;
1215 }
1216
l2cap_sock_cleanup_listen(struct sock * parent)1217 static void l2cap_sock_cleanup_listen(struct sock *parent)
1218 {
1219 struct sock *sk;
1220
1221 BT_DBG("parent %p state %s", parent,
1222 state_to_string(parent->sk_state));
1223
1224 /* Close not yet accepted channels */
1225 while ((sk = bt_accept_dequeue(parent, NULL))) {
1226 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1227
1228 BT_DBG("child chan %p state %s", chan,
1229 state_to_string(chan->state));
1230
1231 l2cap_chan_hold(chan);
1232 l2cap_chan_lock(chan);
1233
1234 __clear_chan_timer(chan);
1235 l2cap_chan_close(chan, ECONNRESET);
1236 l2cap_sock_kill(sk);
1237
1238 l2cap_chan_unlock(chan);
1239 l2cap_chan_put(chan);
1240 }
1241 }
1242
l2cap_sock_new_connection_cb(struct l2cap_chan * chan)1243 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1244 {
1245 struct sock *sk, *parent = chan->data;
1246
1247 lock_sock(parent);
1248
1249 /* Check for backlog size */
1250 if (sk_acceptq_is_full(parent)) {
1251 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1252 release_sock(parent);
1253 return NULL;
1254 }
1255
1256 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1257 GFP_ATOMIC, 0);
1258 if (!sk) {
1259 release_sock(parent);
1260 return NULL;
1261 }
1262
1263 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1264
1265 l2cap_sock_init(sk, parent);
1266
1267 bt_accept_enqueue(parent, sk, false);
1268
1269 release_sock(parent);
1270
1271 return l2cap_pi(sk)->chan;
1272 }
1273
l2cap_sock_recv_cb(struct l2cap_chan * chan,struct sk_buff * skb)1274 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1275 {
1276 struct sock *sk = chan->data;
1277 int err;
1278
1279 lock_sock(sk);
1280
1281 if (l2cap_pi(sk)->rx_busy_skb) {
1282 err = -ENOMEM;
1283 goto done;
1284 }
1285
1286 if (chan->mode != L2CAP_MODE_ERTM &&
1287 chan->mode != L2CAP_MODE_STREAMING) {
1288 /* Even if no filter is attached, we could potentially
1289 * get errors from security modules, etc.
1290 */
1291 err = sk_filter(sk, skb);
1292 if (err)
1293 goto done;
1294 }
1295
1296 err = __sock_queue_rcv_skb(sk, skb);
1297
1298 /* For ERTM, handle one skb that doesn't fit into the recv
1299 * buffer. This is important to do because the data frames
1300 * have already been acked, so the skb cannot be discarded.
1301 *
1302 * Notify the l2cap core that the buffer is full, so the
1303 * LOCAL_BUSY state is entered and no more frames are
1304 * acked and reassembled until there is buffer space
1305 * available.
1306 */
1307 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1308 l2cap_pi(sk)->rx_busy_skb = skb;
1309 l2cap_chan_busy(chan, 1);
1310 err = 0;
1311 }
1312
1313 done:
1314 release_sock(sk);
1315
1316 return err;
1317 }
1318
l2cap_sock_close_cb(struct l2cap_chan * chan)1319 static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1320 {
1321 struct sock *sk = chan->data;
1322
1323 if (!sk)
1324 return;
1325
1326 l2cap_sock_kill(sk);
1327 }
1328
l2cap_sock_teardown_cb(struct l2cap_chan * chan,int err)1329 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1330 {
1331 struct sock *sk = chan->data;
1332 struct sock *parent;
1333
1334 if (!sk)
1335 return;
1336
1337 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1338
1339 /* This callback can be called both for server (BT_LISTEN)
1340 * sockets as well as "normal" ones. To avoid lockdep warnings
1341 * with child socket locking (through l2cap_sock_cleanup_listen)
1342 * we need separation into separate nesting levels. The simplest
1343 * way to accomplish this is to inherit the nesting level used
1344 * for the channel.
1345 */
1346 lock_sock_nested(sk, atomic_read(&chan->nesting));
1347
1348 parent = bt_sk(sk)->parent;
1349
1350 switch (chan->state) {
1351 case BT_OPEN:
1352 case BT_BOUND:
1353 case BT_CLOSED:
1354 break;
1355 case BT_LISTEN:
1356 l2cap_sock_cleanup_listen(sk);
1357 sk->sk_state = BT_CLOSED;
1358 chan->state = BT_CLOSED;
1359
1360 break;
1361 default:
1362 sk->sk_state = BT_CLOSED;
1363 chan->state = BT_CLOSED;
1364
1365 sk->sk_err = err;
1366
1367 if (parent) {
1368 bt_accept_unlink(sk);
1369 parent->sk_data_ready(parent);
1370 } else {
1371 sk->sk_state_change(sk);
1372 }
1373
1374 break;
1375 }
1376 release_sock(sk);
1377
1378 /* Only zap after cleanup to avoid use after free race */
1379 sock_set_flag(sk, SOCK_ZAPPED);
1380
1381 }
1382
l2cap_sock_state_change_cb(struct l2cap_chan * chan,int state,int err)1383 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1384 int err)
1385 {
1386 struct sock *sk = chan->data;
1387
1388 sk->sk_state = state;
1389
1390 if (err)
1391 sk->sk_err = err;
1392 }
1393
l2cap_sock_alloc_skb_cb(struct l2cap_chan * chan,unsigned long hdr_len,unsigned long len,int nb)1394 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1395 unsigned long hdr_len,
1396 unsigned long len, int nb)
1397 {
1398 struct sock *sk = chan->data;
1399 struct sk_buff *skb;
1400 int err;
1401
1402 l2cap_chan_unlock(chan);
1403 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1404 l2cap_chan_lock(chan);
1405
1406 if (!skb)
1407 return ERR_PTR(err);
1408
1409 skb->priority = sk->sk_priority;
1410
1411 bt_cb(skb)->l2cap.chan = chan;
1412
1413 return skb;
1414 }
1415
l2cap_sock_ready_cb(struct l2cap_chan * chan)1416 static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1417 {
1418 struct sock *sk = chan->data;
1419 struct sock *parent;
1420
1421 lock_sock(sk);
1422
1423 parent = bt_sk(sk)->parent;
1424
1425 BT_DBG("sk %p, parent %p", sk, parent);
1426
1427 sk->sk_state = BT_CONNECTED;
1428 sk->sk_state_change(sk);
1429
1430 if (parent)
1431 parent->sk_data_ready(parent);
1432
1433 release_sock(sk);
1434 }
1435
l2cap_sock_defer_cb(struct l2cap_chan * chan)1436 static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1437 {
1438 struct sock *parent, *sk = chan->data;
1439
1440 lock_sock(sk);
1441
1442 parent = bt_sk(sk)->parent;
1443 if (parent)
1444 parent->sk_data_ready(parent);
1445
1446 release_sock(sk);
1447 }
1448
l2cap_sock_resume_cb(struct l2cap_chan * chan)1449 static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1450 {
1451 struct sock *sk = chan->data;
1452
1453 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1454 sk->sk_state = BT_CONNECTED;
1455 chan->state = BT_CONNECTED;
1456 }
1457
1458 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1459 sk->sk_state_change(sk);
1460 }
1461
l2cap_sock_set_shutdown_cb(struct l2cap_chan * chan)1462 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1463 {
1464 struct sock *sk = chan->data;
1465
1466 lock_sock(sk);
1467 sk->sk_shutdown = SHUTDOWN_MASK;
1468 release_sock(sk);
1469 }
1470
l2cap_sock_get_sndtimeo_cb(struct l2cap_chan * chan)1471 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1472 {
1473 struct sock *sk = chan->data;
1474
1475 return sk->sk_sndtimeo;
1476 }
1477
l2cap_sock_suspend_cb(struct l2cap_chan * chan)1478 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1479 {
1480 struct sock *sk = chan->data;
1481
1482 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1483 sk->sk_state_change(sk);
1484 }
1485
l2cap_sock_filter(struct l2cap_chan * chan,struct sk_buff * skb)1486 static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
1487 {
1488 struct sock *sk = chan->data;
1489
1490 switch (chan->mode) {
1491 case L2CAP_MODE_ERTM:
1492 case L2CAP_MODE_STREAMING:
1493 return sk_filter(sk, skb);
1494 }
1495
1496 return 0;
1497 }
1498
1499 static const struct l2cap_ops l2cap_chan_ops = {
1500 .name = "L2CAP Socket Interface",
1501 .new_connection = l2cap_sock_new_connection_cb,
1502 .recv = l2cap_sock_recv_cb,
1503 .close = l2cap_sock_close_cb,
1504 .teardown = l2cap_sock_teardown_cb,
1505 .state_change = l2cap_sock_state_change_cb,
1506 .ready = l2cap_sock_ready_cb,
1507 .defer = l2cap_sock_defer_cb,
1508 .resume = l2cap_sock_resume_cb,
1509 .suspend = l2cap_sock_suspend_cb,
1510 .set_shutdown = l2cap_sock_set_shutdown_cb,
1511 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1512 .alloc_skb = l2cap_sock_alloc_skb_cb,
1513 .filter = l2cap_sock_filter,
1514 };
1515
l2cap_sock_destruct(struct sock * sk)1516 static void l2cap_sock_destruct(struct sock *sk)
1517 {
1518 BT_DBG("sk %p", sk);
1519
1520 if (l2cap_pi(sk)->chan) {
1521 l2cap_pi(sk)->chan->data = NULL;
1522 l2cap_chan_put(l2cap_pi(sk)->chan);
1523 }
1524
1525 if (l2cap_pi(sk)->rx_busy_skb) {
1526 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1527 l2cap_pi(sk)->rx_busy_skb = NULL;
1528 }
1529
1530 skb_queue_purge(&sk->sk_receive_queue);
1531 skb_queue_purge(&sk->sk_write_queue);
1532 }
1533
l2cap_skb_msg_name(struct sk_buff * skb,void * msg_name,int * msg_namelen)1534 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1535 int *msg_namelen)
1536 {
1537 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1538
1539 memset(la, 0, sizeof(struct sockaddr_l2));
1540 la->l2_family = AF_BLUETOOTH;
1541 la->l2_psm = bt_cb(skb)->l2cap.psm;
1542 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1543
1544 *msg_namelen = sizeof(struct sockaddr_l2);
1545 }
1546
l2cap_sock_init(struct sock * sk,struct sock * parent)1547 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1548 {
1549 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1550
1551 BT_DBG("sk %p", sk);
1552
1553 if (parent) {
1554 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1555
1556 sk->sk_type = parent->sk_type;
1557 bt_sk(sk)->flags = bt_sk(parent)->flags;
1558
1559 chan->chan_type = pchan->chan_type;
1560 chan->imtu = pchan->imtu;
1561 chan->omtu = pchan->omtu;
1562 chan->conf_state = pchan->conf_state;
1563 chan->mode = pchan->mode;
1564 chan->fcs = pchan->fcs;
1565 chan->max_tx = pchan->max_tx;
1566 chan->tx_win = pchan->tx_win;
1567 chan->tx_win_max = pchan->tx_win_max;
1568 chan->sec_level = pchan->sec_level;
1569 chan->flags = pchan->flags;
1570 chan->tx_credits = pchan->tx_credits;
1571 chan->rx_credits = pchan->rx_credits;
1572
1573 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1574 chan->scid = pchan->scid;
1575 chan->dcid = pchan->scid;
1576 }
1577
1578 security_sk_clone(parent, sk);
1579 } else {
1580 switch (sk->sk_type) {
1581 case SOCK_RAW:
1582 chan->chan_type = L2CAP_CHAN_RAW;
1583 break;
1584 case SOCK_DGRAM:
1585 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1586 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1587 break;
1588 case SOCK_SEQPACKET:
1589 case SOCK_STREAM:
1590 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1591 break;
1592 }
1593
1594 chan->imtu = L2CAP_DEFAULT_MTU;
1595 chan->omtu = 0;
1596 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1597 chan->mode = L2CAP_MODE_ERTM;
1598 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1599 } else {
1600 chan->mode = L2CAP_MODE_BASIC;
1601 }
1602
1603 l2cap_chan_set_defaults(chan);
1604 }
1605
1606 /* Default config options */
1607 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1608
1609 chan->data = sk;
1610 chan->ops = &l2cap_chan_ops;
1611 }
1612
1613 static struct proto l2cap_proto = {
1614 .name = "L2CAP",
1615 .owner = THIS_MODULE,
1616 .obj_size = sizeof(struct l2cap_pinfo)
1617 };
1618
l2cap_sock_alloc(struct net * net,struct socket * sock,int proto,gfp_t prio,int kern)1619 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1620 int proto, gfp_t prio, int kern)
1621 {
1622 struct sock *sk;
1623 struct l2cap_chan *chan;
1624
1625 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern);
1626 if (!sk)
1627 return NULL;
1628
1629 sock_init_data(sock, sk);
1630 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1631
1632 sk->sk_destruct = l2cap_sock_destruct;
1633 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1634
1635 sock_reset_flag(sk, SOCK_ZAPPED);
1636
1637 sk->sk_protocol = proto;
1638 sk->sk_state = BT_OPEN;
1639
1640 chan = l2cap_chan_create();
1641 if (!chan) {
1642 sk_free(sk);
1643 return NULL;
1644 }
1645
1646 l2cap_chan_hold(chan);
1647
1648 l2cap_pi(sk)->chan = chan;
1649
1650 return sk;
1651 }
1652
l2cap_sock_create(struct net * net,struct socket * sock,int protocol,int kern)1653 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1654 int kern)
1655 {
1656 struct sock *sk;
1657
1658 BT_DBG("sock %p", sock);
1659
1660 sock->state = SS_UNCONNECTED;
1661
1662 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1663 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1664 return -ESOCKTNOSUPPORT;
1665
1666 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1667 return -EPERM;
1668
1669 sock->ops = &l2cap_sock_ops;
1670
1671 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1672 if (!sk)
1673 return -ENOMEM;
1674
1675 l2cap_sock_init(sk, NULL);
1676 bt_sock_link(&l2cap_sk_list, sk);
1677 return 0;
1678 }
1679
1680 static const struct proto_ops l2cap_sock_ops = {
1681 .family = PF_BLUETOOTH,
1682 .owner = THIS_MODULE,
1683 .release = l2cap_sock_release,
1684 .bind = l2cap_sock_bind,
1685 .connect = l2cap_sock_connect,
1686 .listen = l2cap_sock_listen,
1687 .accept = l2cap_sock_accept,
1688 .getname = l2cap_sock_getname,
1689 .sendmsg = l2cap_sock_sendmsg,
1690 .recvmsg = l2cap_sock_recvmsg,
1691 .poll = bt_sock_poll,
1692 .ioctl = bt_sock_ioctl,
1693 .mmap = sock_no_mmap,
1694 .socketpair = sock_no_socketpair,
1695 .shutdown = l2cap_sock_shutdown,
1696 .setsockopt = l2cap_sock_setsockopt,
1697 .getsockopt = l2cap_sock_getsockopt
1698 };
1699
1700 static const struct net_proto_family l2cap_sock_family_ops = {
1701 .family = PF_BLUETOOTH,
1702 .owner = THIS_MODULE,
1703 .create = l2cap_sock_create,
1704 };
1705
l2cap_init_sockets(void)1706 int __init l2cap_init_sockets(void)
1707 {
1708 int err;
1709
1710 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1711
1712 err = proto_register(&l2cap_proto, 0);
1713 if (err < 0)
1714 return err;
1715
1716 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1717 if (err < 0) {
1718 BT_ERR("L2CAP socket registration failed");
1719 goto error;
1720 }
1721
1722 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1723 NULL);
1724 if (err < 0) {
1725 BT_ERR("Failed to create L2CAP proc file");
1726 bt_sock_unregister(BTPROTO_L2CAP);
1727 goto error;
1728 }
1729
1730 BT_INFO("L2CAP socket layer initialized");
1731
1732 return 0;
1733
1734 error:
1735 proto_unregister(&l2cap_proto);
1736 return err;
1737 }
1738
l2cap_cleanup_sockets(void)1739 void l2cap_cleanup_sockets(void)
1740 {
1741 bt_procfs_cleanup(&init_net, "l2cap");
1742 bt_sock_unregister(BTPROTO_L2CAP);
1743 proto_unregister(&l2cap_proto);
1744 }
1745