1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
26 */
27
28 /* Bluetooth L2CAP sockets. */
29
30 #include <linux/module.h>
31 #include <linux/export.h>
32 #include <linux/sched/signal.h>
33
34 #include <net/bluetooth/bluetooth.h>
35 #include <net/bluetooth/hci_core.h>
36 #include <net/bluetooth/l2cap.h>
37
38 #include "smp.h"
39
40 static struct bt_sock_list l2cap_sk_list = {
41 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
42 };
43
44 static const struct proto_ops l2cap_sock_ops;
45 static void l2cap_sock_init(struct sock *sk, struct sock *parent);
46 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
47 int proto, gfp_t prio, int kern);
48
l2cap_is_socket(struct socket * sock)49 bool l2cap_is_socket(struct socket *sock)
50 {
51 return sock && sock->ops == &l2cap_sock_ops;
52 }
53 EXPORT_SYMBOL(l2cap_is_socket);
54
l2cap_validate_bredr_psm(u16 psm)55 static int l2cap_validate_bredr_psm(u16 psm)
56 {
57 /* PSM must be odd and lsb of upper byte must be 0 */
58 if ((psm & 0x0101) != 0x0001)
59 return -EINVAL;
60
61 /* Restrict usage of well-known PSMs */
62 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
63 return -EACCES;
64
65 return 0;
66 }
67
l2cap_validate_le_psm(u16 psm)68 static int l2cap_validate_le_psm(u16 psm)
69 {
70 /* Valid LE_PSM ranges are defined only until 0x00ff */
71 if (psm > L2CAP_PSM_LE_DYN_END)
72 return -EINVAL;
73
74 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
75 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
76 return -EACCES;
77
78 return 0;
79 }
80
l2cap_sock_bind(struct socket * sock,struct sockaddr * addr,int alen)81 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
82 {
83 struct sock *sk = sock->sk;
84 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
85 struct sockaddr_l2 la;
86 int len, err = 0;
87
88 BT_DBG("sk %p", sk);
89
90 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
91 addr->sa_family != AF_BLUETOOTH)
92 return -EINVAL;
93
94 memset(&la, 0, sizeof(la));
95 len = min_t(unsigned int, sizeof(la), alen);
96 memcpy(&la, addr, len);
97
98 if (la.l2_cid && la.l2_psm)
99 return -EINVAL;
100
101 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
102 return -EINVAL;
103
104 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
105 /* We only allow ATT user space socket */
106 if (la.l2_cid &&
107 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
108 return -EINVAL;
109 }
110
111 lock_sock(sk);
112
113 if (sk->sk_state != BT_OPEN) {
114 err = -EBADFD;
115 goto done;
116 }
117
118 if (la.l2_psm) {
119 __u16 psm = __le16_to_cpu(la.l2_psm);
120
121 if (la.l2_bdaddr_type == BDADDR_BREDR)
122 err = l2cap_validate_bredr_psm(psm);
123 else
124 err = l2cap_validate_le_psm(psm);
125
126 if (err)
127 goto done;
128 }
129
130 bacpy(&chan->src, &la.l2_bdaddr);
131 chan->src_type = la.l2_bdaddr_type;
132
133 if (la.l2_cid)
134 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
135 else
136 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
137
138 if (err < 0)
139 goto done;
140
141 switch (chan->chan_type) {
142 case L2CAP_CHAN_CONN_LESS:
143 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
144 chan->sec_level = BT_SECURITY_SDP;
145 break;
146 case L2CAP_CHAN_CONN_ORIENTED:
147 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
148 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
149 chan->sec_level = BT_SECURITY_SDP;
150 break;
151 case L2CAP_CHAN_RAW:
152 chan->sec_level = BT_SECURITY_SDP;
153 break;
154 case L2CAP_CHAN_FIXED:
155 /* Fixed channels default to the L2CAP core not holding a
156 * hci_conn reference for them. For fixed channels mapping to
157 * L2CAP sockets we do want to hold a reference so set the
158 * appropriate flag to request it.
159 */
160 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
161 break;
162 }
163
164 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
165 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
166 */
167 if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
168 chan->mode != L2CAP_MODE_EXT_FLOWCTL)
169 chan->mode = L2CAP_MODE_LE_FLOWCTL;
170
171 chan->state = BT_BOUND;
172 sk->sk_state = BT_BOUND;
173
174 done:
175 release_sock(sk);
176 return err;
177 }
178
l2cap_sock_init_pid(struct sock * sk)179 static void l2cap_sock_init_pid(struct sock *sk)
180 {
181 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
182
183 /* Only L2CAP_MODE_EXT_FLOWCTL ever need to access the PID in order to
184 * group the channels being requested.
185 */
186 if (chan->mode != L2CAP_MODE_EXT_FLOWCTL)
187 return;
188
189 spin_lock(&sk->sk_peer_lock);
190 sk->sk_peer_pid = get_pid(task_tgid(current));
191 spin_unlock(&sk->sk_peer_lock);
192 }
193
l2cap_sock_connect(struct socket * sock,struct sockaddr * addr,int alen,int flags)194 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
195 int alen, int flags)
196 {
197 struct sock *sk = sock->sk;
198 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
199 struct sockaddr_l2 la;
200 int len, err = 0;
201 bool zapped;
202
203 BT_DBG("sk %p", sk);
204
205 lock_sock(sk);
206 zapped = sock_flag(sk, SOCK_ZAPPED);
207 release_sock(sk);
208
209 if (zapped)
210 return -EINVAL;
211
212 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
213 addr->sa_family != AF_BLUETOOTH)
214 return -EINVAL;
215
216 memset(&la, 0, sizeof(la));
217 len = min_t(unsigned int, sizeof(la), alen);
218 memcpy(&la, addr, len);
219
220 if (la.l2_cid && la.l2_psm)
221 return -EINVAL;
222
223 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
224 return -EINVAL;
225
226 /* Check that the socket wasn't bound to something that
227 * conflicts with the address given to connect(). If chan->src
228 * is BDADDR_ANY it means bind() was never used, in which case
229 * chan->src_type and la.l2_bdaddr_type do not need to match.
230 */
231 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
232 bdaddr_type_is_le(la.l2_bdaddr_type)) {
233 /* Old user space versions will try to incorrectly bind
234 * the ATT socket using BDADDR_BREDR. We need to accept
235 * this and fix up the source address type only when
236 * both the source CID and destination CID indicate
237 * ATT. Anything else is an invalid combination.
238 */
239 if (chan->scid != L2CAP_CID_ATT ||
240 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
241 return -EINVAL;
242
243 /* We don't have the hdev available here to make a
244 * better decision on random vs public, but since all
245 * user space versions that exhibit this issue anyway do
246 * not support random local addresses assuming public
247 * here is good enough.
248 */
249 chan->src_type = BDADDR_LE_PUBLIC;
250 }
251
252 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
253 return -EINVAL;
254
255 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
256 /* We only allow ATT user space socket */
257 if (la.l2_cid &&
258 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
259 return -EINVAL;
260 }
261
262 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
263 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
264 */
265 if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
266 chan->mode != L2CAP_MODE_EXT_FLOWCTL)
267 chan->mode = L2CAP_MODE_LE_FLOWCTL;
268
269 l2cap_sock_init_pid(sk);
270
271 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
272 &la.l2_bdaddr, la.l2_bdaddr_type);
273 if (err)
274 return err;
275
276 lock_sock(sk);
277
278 err = bt_sock_wait_state(sk, BT_CONNECTED,
279 sock_sndtimeo(sk, flags & O_NONBLOCK));
280
281 release_sock(sk);
282
283 return err;
284 }
285
l2cap_sock_listen(struct socket * sock,int backlog)286 static int l2cap_sock_listen(struct socket *sock, int backlog)
287 {
288 struct sock *sk = sock->sk;
289 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
290 int err = 0;
291
292 BT_DBG("sk %p backlog %d", sk, backlog);
293
294 lock_sock(sk);
295
296 if (sk->sk_state != BT_BOUND) {
297 err = -EBADFD;
298 goto done;
299 }
300
301 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
302 err = -EINVAL;
303 goto done;
304 }
305
306 switch (chan->mode) {
307 case L2CAP_MODE_BASIC:
308 case L2CAP_MODE_LE_FLOWCTL:
309 break;
310 case L2CAP_MODE_EXT_FLOWCTL:
311 if (!enable_ecred) {
312 err = -EOPNOTSUPP;
313 goto done;
314 }
315 break;
316 case L2CAP_MODE_ERTM:
317 case L2CAP_MODE_STREAMING:
318 if (!disable_ertm)
319 break;
320 fallthrough;
321 default:
322 err = -EOPNOTSUPP;
323 goto done;
324 }
325
326 l2cap_sock_init_pid(sk);
327
328 sk->sk_max_ack_backlog = backlog;
329 sk->sk_ack_backlog = 0;
330
331 /* Listening channels need to use nested locking in order not to
332 * cause lockdep warnings when the created child channels end up
333 * being locked in the same thread as the parent channel.
334 */
335 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
336
337 chan->state = BT_LISTEN;
338 sk->sk_state = BT_LISTEN;
339
340 done:
341 release_sock(sk);
342 return err;
343 }
344
l2cap_sock_accept(struct socket * sock,struct socket * newsock,int flags,bool kern)345 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
346 int flags, bool kern)
347 {
348 DEFINE_WAIT_FUNC(wait, woken_wake_function);
349 struct sock *sk = sock->sk, *nsk;
350 long timeo;
351 int err = 0;
352
353 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
354
355 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
356
357 BT_DBG("sk %p timeo %ld", sk, timeo);
358
359 /* Wait for an incoming connection. (wake-one). */
360 add_wait_queue_exclusive(sk_sleep(sk), &wait);
361 while (1) {
362 if (sk->sk_state != BT_LISTEN) {
363 err = -EBADFD;
364 break;
365 }
366
367 nsk = bt_accept_dequeue(sk, newsock);
368 if (nsk)
369 break;
370
371 if (!timeo) {
372 err = -EAGAIN;
373 break;
374 }
375
376 if (signal_pending(current)) {
377 err = sock_intr_errno(timeo);
378 break;
379 }
380
381 release_sock(sk);
382
383 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
384
385 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
386 }
387 remove_wait_queue(sk_sleep(sk), &wait);
388
389 if (err)
390 goto done;
391
392 newsock->state = SS_CONNECTED;
393
394 BT_DBG("new socket %p", nsk);
395
396 done:
397 release_sock(sk);
398 return err;
399 }
400
l2cap_sock_getname(struct socket * sock,struct sockaddr * addr,int peer)401 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
402 int peer)
403 {
404 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
405 struct sock *sk = sock->sk;
406 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
407
408 BT_DBG("sock %p, sk %p", sock, sk);
409
410 if (peer && sk->sk_state != BT_CONNECTED &&
411 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
412 sk->sk_state != BT_CONFIG)
413 return -ENOTCONN;
414
415 memset(la, 0, sizeof(struct sockaddr_l2));
416 addr->sa_family = AF_BLUETOOTH;
417
418 la->l2_psm = chan->psm;
419
420 if (peer) {
421 bacpy(&la->l2_bdaddr, &chan->dst);
422 la->l2_cid = cpu_to_le16(chan->dcid);
423 la->l2_bdaddr_type = chan->dst_type;
424 } else {
425 bacpy(&la->l2_bdaddr, &chan->src);
426 la->l2_cid = cpu_to_le16(chan->scid);
427 la->l2_bdaddr_type = chan->src_type;
428 }
429
430 return sizeof(struct sockaddr_l2);
431 }
432
l2cap_get_mode(struct l2cap_chan * chan)433 static int l2cap_get_mode(struct l2cap_chan *chan)
434 {
435 switch (chan->mode) {
436 case L2CAP_MODE_BASIC:
437 return BT_MODE_BASIC;
438 case L2CAP_MODE_ERTM:
439 return BT_MODE_ERTM;
440 case L2CAP_MODE_STREAMING:
441 return BT_MODE_STREAMING;
442 case L2CAP_MODE_LE_FLOWCTL:
443 return BT_MODE_LE_FLOWCTL;
444 case L2CAP_MODE_EXT_FLOWCTL:
445 return BT_MODE_EXT_FLOWCTL;
446 }
447
448 return -EINVAL;
449 }
450
l2cap_sock_getsockopt_old(struct socket * sock,int optname,char __user * optval,int __user * optlen)451 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
452 char __user *optval, int __user *optlen)
453 {
454 struct sock *sk = sock->sk;
455 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
456 struct l2cap_options opts;
457 struct l2cap_conninfo cinfo;
458 int len, err = 0;
459 u32 opt;
460
461 BT_DBG("sk %p", sk);
462
463 if (get_user(len, optlen))
464 return -EFAULT;
465
466 lock_sock(sk);
467
468 switch (optname) {
469 case L2CAP_OPTIONS:
470 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
471 * legacy ATT code depends on getsockopt for
472 * L2CAP_OPTIONS we need to let this pass.
473 */
474 if (bdaddr_type_is_le(chan->src_type) &&
475 chan->scid != L2CAP_CID_ATT) {
476 err = -EINVAL;
477 break;
478 }
479
480 /* Only BR/EDR modes are supported here */
481 switch (chan->mode) {
482 case L2CAP_MODE_BASIC:
483 case L2CAP_MODE_ERTM:
484 case L2CAP_MODE_STREAMING:
485 break;
486 default:
487 err = -EINVAL;
488 break;
489 }
490
491 if (err < 0)
492 break;
493
494 memset(&opts, 0, sizeof(opts));
495 opts.imtu = chan->imtu;
496 opts.omtu = chan->omtu;
497 opts.flush_to = chan->flush_to;
498 opts.mode = chan->mode;
499 opts.fcs = chan->fcs;
500 opts.max_tx = chan->max_tx;
501 opts.txwin_size = chan->tx_win;
502
503 BT_DBG("mode 0x%2.2x", chan->mode);
504
505 len = min_t(unsigned int, len, sizeof(opts));
506 if (copy_to_user(optval, (char *) &opts, len))
507 err = -EFAULT;
508
509 break;
510
511 case L2CAP_LM:
512 switch (chan->sec_level) {
513 case BT_SECURITY_LOW:
514 opt = L2CAP_LM_AUTH;
515 break;
516 case BT_SECURITY_MEDIUM:
517 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
518 break;
519 case BT_SECURITY_HIGH:
520 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
521 L2CAP_LM_SECURE;
522 break;
523 case BT_SECURITY_FIPS:
524 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
525 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
526 break;
527 default:
528 opt = 0;
529 break;
530 }
531
532 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
533 opt |= L2CAP_LM_MASTER;
534
535 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
536 opt |= L2CAP_LM_RELIABLE;
537
538 if (put_user(opt, (u32 __user *) optval))
539 err = -EFAULT;
540
541 break;
542
543 case L2CAP_CONNINFO:
544 if (sk->sk_state != BT_CONNECTED &&
545 !(sk->sk_state == BT_CONNECT2 &&
546 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
547 err = -ENOTCONN;
548 break;
549 }
550
551 memset(&cinfo, 0, sizeof(cinfo));
552 cinfo.hci_handle = chan->conn->hcon->handle;
553 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
554
555 len = min_t(unsigned int, len, sizeof(cinfo));
556 if (copy_to_user(optval, (char *) &cinfo, len))
557 err = -EFAULT;
558
559 break;
560
561 default:
562 err = -ENOPROTOOPT;
563 break;
564 }
565
566 release_sock(sk);
567 return err;
568 }
569
l2cap_sock_getsockopt(struct socket * sock,int level,int optname,char __user * optval,int __user * optlen)570 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
571 char __user *optval, int __user *optlen)
572 {
573 struct sock *sk = sock->sk;
574 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
575 struct bt_security sec;
576 struct bt_power pwr;
577 u32 phys;
578 int len, mode, err = 0;
579
580 BT_DBG("sk %p", sk);
581
582 if (level == SOL_L2CAP)
583 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
584
585 if (level != SOL_BLUETOOTH)
586 return -ENOPROTOOPT;
587
588 if (get_user(len, optlen))
589 return -EFAULT;
590
591 lock_sock(sk);
592
593 switch (optname) {
594 case BT_SECURITY:
595 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
596 chan->chan_type != L2CAP_CHAN_FIXED &&
597 chan->chan_type != L2CAP_CHAN_RAW) {
598 err = -EINVAL;
599 break;
600 }
601
602 memset(&sec, 0, sizeof(sec));
603 if (chan->conn) {
604 sec.level = chan->conn->hcon->sec_level;
605
606 if (sk->sk_state == BT_CONNECTED)
607 sec.key_size = chan->conn->hcon->enc_key_size;
608 } else {
609 sec.level = chan->sec_level;
610 }
611
612 len = min_t(unsigned int, len, sizeof(sec));
613 if (copy_to_user(optval, (char *) &sec, len))
614 err = -EFAULT;
615
616 break;
617
618 case BT_DEFER_SETUP:
619 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
620 err = -EINVAL;
621 break;
622 }
623
624 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
625 (u32 __user *) optval))
626 err = -EFAULT;
627
628 break;
629
630 case BT_FLUSHABLE:
631 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
632 (u32 __user *) optval))
633 err = -EFAULT;
634
635 break;
636
637 case BT_POWER:
638 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
639 && sk->sk_type != SOCK_RAW) {
640 err = -EINVAL;
641 break;
642 }
643
644 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
645
646 len = min_t(unsigned int, len, sizeof(pwr));
647 if (copy_to_user(optval, (char *) &pwr, len))
648 err = -EFAULT;
649
650 break;
651
652 case BT_CHANNEL_POLICY:
653 if (put_user(chan->chan_policy, (u32 __user *) optval))
654 err = -EFAULT;
655 break;
656
657 case BT_SNDMTU:
658 if (!bdaddr_type_is_le(chan->src_type)) {
659 err = -EINVAL;
660 break;
661 }
662
663 if (sk->sk_state != BT_CONNECTED) {
664 err = -ENOTCONN;
665 break;
666 }
667
668 if (put_user(chan->omtu, (u16 __user *) optval))
669 err = -EFAULT;
670 break;
671
672 case BT_RCVMTU:
673 if (!bdaddr_type_is_le(chan->src_type)) {
674 err = -EINVAL;
675 break;
676 }
677
678 if (put_user(chan->imtu, (u16 __user *) optval))
679 err = -EFAULT;
680 break;
681
682 case BT_PHY:
683 if (sk->sk_state != BT_CONNECTED) {
684 err = -ENOTCONN;
685 break;
686 }
687
688 phys = hci_conn_get_phy(chan->conn->hcon);
689
690 if (put_user(phys, (u32 __user *) optval))
691 err = -EFAULT;
692 break;
693
694 case BT_MODE:
695 if (!enable_ecred) {
696 err = -ENOPROTOOPT;
697 break;
698 }
699
700 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
701 err = -EINVAL;
702 break;
703 }
704
705 mode = l2cap_get_mode(chan);
706 if (mode < 0) {
707 err = mode;
708 break;
709 }
710
711 if (put_user(mode, (u8 __user *) optval))
712 err = -EFAULT;
713 break;
714
715 default:
716 err = -ENOPROTOOPT;
717 break;
718 }
719
720 release_sock(sk);
721 return err;
722 }
723
l2cap_valid_mtu(struct l2cap_chan * chan,u16 mtu)724 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
725 {
726 switch (chan->scid) {
727 case L2CAP_CID_ATT:
728 if (mtu < L2CAP_LE_MIN_MTU)
729 return false;
730 break;
731
732 default:
733 if (mtu < L2CAP_DEFAULT_MIN_MTU)
734 return false;
735 }
736
737 return true;
738 }
739
l2cap_sock_setsockopt_old(struct socket * sock,int optname,sockptr_t optval,unsigned int optlen)740 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
741 sockptr_t optval, unsigned int optlen)
742 {
743 struct sock *sk = sock->sk;
744 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
745 struct l2cap_options opts;
746 int len, err = 0;
747 u32 opt;
748
749 BT_DBG("sk %p", sk);
750
751 lock_sock(sk);
752
753 switch (optname) {
754 case L2CAP_OPTIONS:
755 if (bdaddr_type_is_le(chan->src_type)) {
756 err = -EINVAL;
757 break;
758 }
759
760 if (sk->sk_state == BT_CONNECTED) {
761 err = -EINVAL;
762 break;
763 }
764
765 opts.imtu = chan->imtu;
766 opts.omtu = chan->omtu;
767 opts.flush_to = chan->flush_to;
768 opts.mode = chan->mode;
769 opts.fcs = chan->fcs;
770 opts.max_tx = chan->max_tx;
771 opts.txwin_size = chan->tx_win;
772
773 len = min_t(unsigned int, sizeof(opts), optlen);
774 if (copy_from_sockptr(&opts, optval, len)) {
775 err = -EFAULT;
776 break;
777 }
778
779 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
780 err = -EINVAL;
781 break;
782 }
783
784 if (!l2cap_valid_mtu(chan, opts.imtu)) {
785 err = -EINVAL;
786 break;
787 }
788
789 /* Only BR/EDR modes are supported here */
790 switch (opts.mode) {
791 case L2CAP_MODE_BASIC:
792 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
793 break;
794 case L2CAP_MODE_ERTM:
795 case L2CAP_MODE_STREAMING:
796 if (!disable_ertm)
797 break;
798 fallthrough;
799 default:
800 err = -EINVAL;
801 break;
802 }
803
804 if (err < 0)
805 break;
806
807 chan->mode = opts.mode;
808
809 BT_DBG("mode 0x%2.2x", chan->mode);
810
811 chan->imtu = opts.imtu;
812 chan->omtu = opts.omtu;
813 chan->fcs = opts.fcs;
814 chan->max_tx = opts.max_tx;
815 chan->tx_win = opts.txwin_size;
816 chan->flush_to = opts.flush_to;
817 break;
818
819 case L2CAP_LM:
820 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
821 err = -EFAULT;
822 break;
823 }
824
825 if (opt & L2CAP_LM_FIPS) {
826 err = -EINVAL;
827 break;
828 }
829
830 if (opt & L2CAP_LM_AUTH)
831 chan->sec_level = BT_SECURITY_LOW;
832 if (opt & L2CAP_LM_ENCRYPT)
833 chan->sec_level = BT_SECURITY_MEDIUM;
834 if (opt & L2CAP_LM_SECURE)
835 chan->sec_level = BT_SECURITY_HIGH;
836
837 if (opt & L2CAP_LM_MASTER)
838 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
839 else
840 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
841
842 if (opt & L2CAP_LM_RELIABLE)
843 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
844 else
845 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
846 break;
847
848 default:
849 err = -ENOPROTOOPT;
850 break;
851 }
852
853 release_sock(sk);
854 return err;
855 }
856
l2cap_set_mode(struct l2cap_chan * chan,u8 mode)857 static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode)
858 {
859 switch (mode) {
860 case BT_MODE_BASIC:
861 if (bdaddr_type_is_le(chan->src_type))
862 return -EINVAL;
863 mode = L2CAP_MODE_BASIC;
864 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
865 break;
866 case BT_MODE_ERTM:
867 if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
868 return -EINVAL;
869 mode = L2CAP_MODE_ERTM;
870 break;
871 case BT_MODE_STREAMING:
872 if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
873 return -EINVAL;
874 mode = L2CAP_MODE_STREAMING;
875 break;
876 case BT_MODE_LE_FLOWCTL:
877 if (!bdaddr_type_is_le(chan->src_type))
878 return -EINVAL;
879 mode = L2CAP_MODE_LE_FLOWCTL;
880 break;
881 case BT_MODE_EXT_FLOWCTL:
882 /* TODO: Add support for ECRED PDUs to BR/EDR */
883 if (!bdaddr_type_is_le(chan->src_type))
884 return -EINVAL;
885 mode = L2CAP_MODE_EXT_FLOWCTL;
886 break;
887 default:
888 return -EINVAL;
889 }
890
891 chan->mode = mode;
892
893 return 0;
894 }
895
l2cap_sock_setsockopt(struct socket * sock,int level,int optname,sockptr_t optval,unsigned int optlen)896 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
897 sockptr_t optval, unsigned int optlen)
898 {
899 struct sock *sk = sock->sk;
900 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
901 struct bt_security sec;
902 struct bt_power pwr;
903 struct l2cap_conn *conn;
904 int len, err = 0;
905 u32 opt;
906 u16 mtu;
907 u8 mode;
908
909 BT_DBG("sk %p", sk);
910
911 if (level == SOL_L2CAP)
912 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
913
914 if (level != SOL_BLUETOOTH)
915 return -ENOPROTOOPT;
916
917 lock_sock(sk);
918
919 switch (optname) {
920 case BT_SECURITY:
921 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
922 chan->chan_type != L2CAP_CHAN_FIXED &&
923 chan->chan_type != L2CAP_CHAN_RAW) {
924 err = -EINVAL;
925 break;
926 }
927
928 sec.level = BT_SECURITY_LOW;
929
930 len = min_t(unsigned int, sizeof(sec), optlen);
931 if (copy_from_sockptr(&sec, optval, len)) {
932 err = -EFAULT;
933 break;
934 }
935
936 if (sec.level < BT_SECURITY_LOW ||
937 sec.level > BT_SECURITY_FIPS) {
938 err = -EINVAL;
939 break;
940 }
941
942 chan->sec_level = sec.level;
943
944 if (!chan->conn)
945 break;
946
947 conn = chan->conn;
948
949 /* change security for LE channels */
950 if (chan->scid == L2CAP_CID_ATT) {
951 if (smp_conn_security(conn->hcon, sec.level)) {
952 err = -EINVAL;
953 break;
954 }
955
956 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
957 sk->sk_state = BT_CONFIG;
958 chan->state = BT_CONFIG;
959
960 /* or for ACL link */
961 } else if ((sk->sk_state == BT_CONNECT2 &&
962 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
963 sk->sk_state == BT_CONNECTED) {
964 if (!l2cap_chan_check_security(chan, true))
965 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
966 else
967 sk->sk_state_change(sk);
968 } else {
969 err = -EINVAL;
970 }
971 break;
972
973 case BT_DEFER_SETUP:
974 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
975 err = -EINVAL;
976 break;
977 }
978
979 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
980 err = -EFAULT;
981 break;
982 }
983
984 if (opt) {
985 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
986 set_bit(FLAG_DEFER_SETUP, &chan->flags);
987 } else {
988 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
989 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
990 }
991 break;
992
993 case BT_FLUSHABLE:
994 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
995 err = -EFAULT;
996 break;
997 }
998
999 if (opt > BT_FLUSHABLE_ON) {
1000 err = -EINVAL;
1001 break;
1002 }
1003
1004 if (opt == BT_FLUSHABLE_OFF) {
1005 conn = chan->conn;
1006 /* proceed further only when we have l2cap_conn and
1007 No Flush support in the LM */
1008 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
1009 err = -EINVAL;
1010 break;
1011 }
1012 }
1013
1014 if (opt)
1015 set_bit(FLAG_FLUSHABLE, &chan->flags);
1016 else
1017 clear_bit(FLAG_FLUSHABLE, &chan->flags);
1018 break;
1019
1020 case BT_POWER:
1021 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
1022 chan->chan_type != L2CAP_CHAN_RAW) {
1023 err = -EINVAL;
1024 break;
1025 }
1026
1027 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
1028
1029 len = min_t(unsigned int, sizeof(pwr), optlen);
1030 if (copy_from_sockptr(&pwr, optval, len)) {
1031 err = -EFAULT;
1032 break;
1033 }
1034
1035 if (pwr.force_active)
1036 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1037 else
1038 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1039 break;
1040
1041 case BT_CHANNEL_POLICY:
1042 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
1043 err = -EFAULT;
1044 break;
1045 }
1046
1047 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
1048 err = -EINVAL;
1049 break;
1050 }
1051
1052 if (chan->mode != L2CAP_MODE_ERTM &&
1053 chan->mode != L2CAP_MODE_STREAMING) {
1054 err = -EOPNOTSUPP;
1055 break;
1056 }
1057
1058 chan->chan_policy = (u8) opt;
1059
1060 if (sk->sk_state == BT_CONNECTED &&
1061 chan->move_role == L2CAP_MOVE_ROLE_NONE)
1062 l2cap_move_start(chan);
1063
1064 break;
1065
1066 case BT_SNDMTU:
1067 if (!bdaddr_type_is_le(chan->src_type)) {
1068 err = -EINVAL;
1069 break;
1070 }
1071
1072 /* Setting is not supported as it's the remote side that
1073 * decides this.
1074 */
1075 err = -EPERM;
1076 break;
1077
1078 case BT_RCVMTU:
1079 if (!bdaddr_type_is_le(chan->src_type)) {
1080 err = -EINVAL;
1081 break;
1082 }
1083
1084 if (chan->mode == L2CAP_MODE_LE_FLOWCTL &&
1085 sk->sk_state == BT_CONNECTED) {
1086 err = -EISCONN;
1087 break;
1088 }
1089
1090 if (copy_from_sockptr(&mtu, optval, sizeof(u16))) {
1091 err = -EFAULT;
1092 break;
1093 }
1094
1095 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
1096 sk->sk_state == BT_CONNECTED)
1097 err = l2cap_chan_reconfigure(chan, mtu);
1098 else
1099 chan->imtu = mtu;
1100
1101 break;
1102
1103 case BT_MODE:
1104 if (!enable_ecred) {
1105 err = -ENOPROTOOPT;
1106 break;
1107 }
1108
1109 BT_DBG("sk->sk_state %u", sk->sk_state);
1110
1111 if (sk->sk_state != BT_BOUND) {
1112 err = -EINVAL;
1113 break;
1114 }
1115
1116 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1117 err = -EINVAL;
1118 break;
1119 }
1120
1121 if (copy_from_sockptr(&mode, optval, sizeof(u8))) {
1122 err = -EFAULT;
1123 break;
1124 }
1125
1126 BT_DBG("mode %u", mode);
1127
1128 err = l2cap_set_mode(chan, mode);
1129 if (err)
1130 break;
1131
1132 BT_DBG("mode 0x%2.2x", chan->mode);
1133
1134 break;
1135
1136 default:
1137 err = -ENOPROTOOPT;
1138 break;
1139 }
1140
1141 release_sock(sk);
1142 return err;
1143 }
1144
l2cap_sock_sendmsg(struct socket * sock,struct msghdr * msg,size_t len)1145 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1146 size_t len)
1147 {
1148 struct sock *sk = sock->sk;
1149 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1150 int err;
1151
1152 BT_DBG("sock %p, sk %p", sock, sk);
1153
1154 err = sock_error(sk);
1155 if (err)
1156 return err;
1157
1158 if (msg->msg_flags & MSG_OOB)
1159 return -EOPNOTSUPP;
1160
1161 if (sk->sk_state != BT_CONNECTED)
1162 return -ENOTCONN;
1163
1164 lock_sock(sk);
1165 err = bt_sock_wait_ready(sk, msg->msg_flags);
1166 release_sock(sk);
1167 if (err)
1168 return err;
1169
1170 l2cap_chan_lock(chan);
1171 err = l2cap_chan_send(chan, msg, len);
1172 l2cap_chan_unlock(chan);
1173
1174 return err;
1175 }
1176
l2cap_sock_recvmsg(struct socket * sock,struct msghdr * msg,size_t len,int flags)1177 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1178 size_t len, int flags)
1179 {
1180 struct sock *sk = sock->sk;
1181 struct l2cap_pinfo *pi = l2cap_pi(sk);
1182 int err;
1183
1184 lock_sock(sk);
1185
1186 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
1187 &bt_sk(sk)->flags)) {
1188 if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
1189 sk->sk_state = BT_CONNECTED;
1190 pi->chan->state = BT_CONNECTED;
1191 __l2cap_ecred_conn_rsp_defer(pi->chan);
1192 } else if (bdaddr_type_is_le(pi->chan->src_type)) {
1193 sk->sk_state = BT_CONNECTED;
1194 pi->chan->state = BT_CONNECTED;
1195 __l2cap_le_connect_rsp_defer(pi->chan);
1196 } else {
1197 sk->sk_state = BT_CONFIG;
1198 pi->chan->state = BT_CONFIG;
1199 __l2cap_connect_rsp_defer(pi->chan);
1200 }
1201
1202 err = 0;
1203 goto done;
1204 }
1205
1206 release_sock(sk);
1207
1208 if (sock->type == SOCK_STREAM)
1209 err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1210 else
1211 err = bt_sock_recvmsg(sock, msg, len, flags);
1212
1213 if (pi->chan->mode != L2CAP_MODE_ERTM)
1214 return err;
1215
1216 /* Attempt to put pending rx data in the socket buffer */
1217
1218 lock_sock(sk);
1219
1220 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1221 goto done;
1222
1223 if (pi->rx_busy_skb) {
1224 if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1225 pi->rx_busy_skb = NULL;
1226 else
1227 goto done;
1228 }
1229
1230 /* Restore data flow when half of the receive buffer is
1231 * available. This avoids resending large numbers of
1232 * frames.
1233 */
1234 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1235 l2cap_chan_busy(pi->chan, 0);
1236
1237 done:
1238 release_sock(sk);
1239 return err;
1240 }
1241
1242 /* Kill socket (only if zapped and orphan)
1243 * Must be called on unlocked socket, with l2cap channel lock.
1244 */
l2cap_sock_kill(struct sock * sk)1245 static void l2cap_sock_kill(struct sock *sk)
1246 {
1247 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1248 return;
1249
1250 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1251
1252 /* Kill poor orphan */
1253
1254 l2cap_chan_put(l2cap_pi(sk)->chan);
1255 sock_set_flag(sk, SOCK_DEAD);
1256 sock_put(sk);
1257 }
1258
__l2cap_wait_ack(struct sock * sk,struct l2cap_chan * chan)1259 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1260 {
1261 DECLARE_WAITQUEUE(wait, current);
1262 int err = 0;
1263 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1264 /* Timeout to prevent infinite loop */
1265 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1266
1267 add_wait_queue(sk_sleep(sk), &wait);
1268 set_current_state(TASK_INTERRUPTIBLE);
1269 do {
1270 BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1271 chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1272 jiffies_to_msecs(timeout - jiffies));
1273
1274 if (!timeo)
1275 timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1276
1277 if (signal_pending(current)) {
1278 err = sock_intr_errno(timeo);
1279 break;
1280 }
1281
1282 release_sock(sk);
1283 timeo = schedule_timeout(timeo);
1284 lock_sock(sk);
1285 set_current_state(TASK_INTERRUPTIBLE);
1286
1287 err = sock_error(sk);
1288 if (err)
1289 break;
1290
1291 if (time_after(jiffies, timeout)) {
1292 err = -ENOLINK;
1293 break;
1294 }
1295
1296 } while (chan->unacked_frames > 0 &&
1297 chan->state == BT_CONNECTED);
1298
1299 set_current_state(TASK_RUNNING);
1300 remove_wait_queue(sk_sleep(sk), &wait);
1301 return err;
1302 }
1303
l2cap_sock_shutdown(struct socket * sock,int how)1304 static int l2cap_sock_shutdown(struct socket *sock, int how)
1305 {
1306 struct sock *sk = sock->sk;
1307 struct l2cap_chan *chan;
1308 struct l2cap_conn *conn;
1309 int err = 0;
1310
1311 BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1312
1313 /* 'how' parameter is mapped to sk_shutdown as follows:
1314 * SHUT_RD (0) --> RCV_SHUTDOWN (1)
1315 * SHUT_WR (1) --> SEND_SHUTDOWN (2)
1316 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3)
1317 */
1318 how++;
1319
1320 if (!sk)
1321 return 0;
1322
1323 lock_sock(sk);
1324
1325 if ((sk->sk_shutdown & how) == how)
1326 goto shutdown_already;
1327
1328 BT_DBG("Handling sock shutdown");
1329
1330 /* prevent sk structure from being freed whilst unlocked */
1331 sock_hold(sk);
1332
1333 chan = l2cap_pi(sk)->chan;
1334 /* prevent chan structure from being freed whilst unlocked */
1335 l2cap_chan_hold(chan);
1336
1337 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1338
1339 if (chan->mode == L2CAP_MODE_ERTM &&
1340 chan->unacked_frames > 0 &&
1341 chan->state == BT_CONNECTED) {
1342 err = __l2cap_wait_ack(sk, chan);
1343
1344 /* After waiting for ACKs, check whether shutdown
1345 * has already been actioned to close the L2CAP
1346 * link such as by l2cap_disconnection_req().
1347 */
1348 if ((sk->sk_shutdown & how) == how)
1349 goto shutdown_matched;
1350 }
1351
1352 /* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN
1353 * is already set
1354 */
1355 if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) {
1356 sk->sk_shutdown |= RCV_SHUTDOWN;
1357 if ((sk->sk_shutdown & how) == how)
1358 goto shutdown_matched;
1359 }
1360
1361 sk->sk_shutdown |= SEND_SHUTDOWN;
1362 release_sock(sk);
1363
1364 l2cap_chan_lock(chan);
1365 conn = chan->conn;
1366 if (conn)
1367 /* prevent conn structure from being freed */
1368 l2cap_conn_get(conn);
1369 l2cap_chan_unlock(chan);
1370
1371 if (conn)
1372 /* mutex lock must be taken before l2cap_chan_lock() */
1373 mutex_lock(&conn->chan_lock);
1374
1375 l2cap_chan_lock(chan);
1376 l2cap_chan_close(chan, 0);
1377 l2cap_chan_unlock(chan);
1378
1379 if (conn) {
1380 mutex_unlock(&conn->chan_lock);
1381 l2cap_conn_put(conn);
1382 }
1383
1384 lock_sock(sk);
1385
1386 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1387 !(current->flags & PF_EXITING))
1388 err = bt_sock_wait_state(sk, BT_CLOSED,
1389 sk->sk_lingertime);
1390
1391 shutdown_matched:
1392 l2cap_chan_put(chan);
1393 sock_put(sk);
1394
1395 shutdown_already:
1396 if (!err && sk->sk_err)
1397 err = -sk->sk_err;
1398
1399 release_sock(sk);
1400
1401 BT_DBG("Sock shutdown complete err: %d", err);
1402
1403 return err;
1404 }
1405
l2cap_sock_release(struct socket * sock)1406 static int l2cap_sock_release(struct socket *sock)
1407 {
1408 struct sock *sk = sock->sk;
1409 int err;
1410 struct l2cap_chan *chan;
1411
1412 BT_DBG("sock %p, sk %p", sock, sk);
1413
1414 if (!sk)
1415 return 0;
1416
1417 bt_sock_unlink(&l2cap_sk_list, sk);
1418
1419 err = l2cap_sock_shutdown(sock, SHUT_RDWR);
1420 chan = l2cap_pi(sk)->chan;
1421
1422 l2cap_chan_hold(chan);
1423 l2cap_chan_lock(chan);
1424
1425 sock_orphan(sk);
1426 l2cap_sock_kill(sk);
1427
1428 l2cap_chan_unlock(chan);
1429 l2cap_chan_put(chan);
1430
1431 return err;
1432 }
1433
l2cap_sock_cleanup_listen(struct sock * parent)1434 static void l2cap_sock_cleanup_listen(struct sock *parent)
1435 {
1436 struct sock *sk;
1437
1438 BT_DBG("parent %p state %s", parent,
1439 state_to_string(parent->sk_state));
1440
1441 /* Close not yet accepted channels */
1442 while ((sk = bt_accept_dequeue(parent, NULL))) {
1443 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1444
1445 BT_DBG("child chan %p state %s", chan,
1446 state_to_string(chan->state));
1447
1448 l2cap_chan_hold(chan);
1449 l2cap_chan_lock(chan);
1450
1451 __clear_chan_timer(chan);
1452 l2cap_chan_close(chan, ECONNRESET);
1453 l2cap_sock_kill(sk);
1454
1455 l2cap_chan_unlock(chan);
1456 l2cap_chan_put(chan);
1457 }
1458 }
1459
l2cap_sock_new_connection_cb(struct l2cap_chan * chan)1460 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1461 {
1462 struct sock *sk, *parent = chan->data;
1463
1464 lock_sock(parent);
1465
1466 /* Check for backlog size */
1467 if (sk_acceptq_is_full(parent)) {
1468 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1469 release_sock(parent);
1470 return NULL;
1471 }
1472
1473 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1474 GFP_ATOMIC, 0);
1475 if (!sk) {
1476 release_sock(parent);
1477 return NULL;
1478 }
1479
1480 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1481
1482 l2cap_sock_init(sk, parent);
1483
1484 bt_accept_enqueue(parent, sk, false);
1485
1486 release_sock(parent);
1487
1488 return l2cap_pi(sk)->chan;
1489 }
1490
l2cap_sock_recv_cb(struct l2cap_chan * chan,struct sk_buff * skb)1491 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1492 {
1493 struct sock *sk = chan->data;
1494 int err;
1495
1496 lock_sock(sk);
1497
1498 if (l2cap_pi(sk)->rx_busy_skb) {
1499 err = -ENOMEM;
1500 goto done;
1501 }
1502
1503 if (chan->mode != L2CAP_MODE_ERTM &&
1504 chan->mode != L2CAP_MODE_STREAMING) {
1505 /* Even if no filter is attached, we could potentially
1506 * get errors from security modules, etc.
1507 */
1508 err = sk_filter(sk, skb);
1509 if (err)
1510 goto done;
1511 }
1512
1513 err = __sock_queue_rcv_skb(sk, skb);
1514
1515 /* For ERTM, handle one skb that doesn't fit into the recv
1516 * buffer. This is important to do because the data frames
1517 * have already been acked, so the skb cannot be discarded.
1518 *
1519 * Notify the l2cap core that the buffer is full, so the
1520 * LOCAL_BUSY state is entered and no more frames are
1521 * acked and reassembled until there is buffer space
1522 * available.
1523 */
1524 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1525 l2cap_pi(sk)->rx_busy_skb = skb;
1526 l2cap_chan_busy(chan, 1);
1527 err = 0;
1528 }
1529
1530 done:
1531 release_sock(sk);
1532
1533 return err;
1534 }
1535
l2cap_sock_close_cb(struct l2cap_chan * chan)1536 static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1537 {
1538 struct sock *sk = chan->data;
1539
1540 if (!sk)
1541 return;
1542
1543 l2cap_sock_kill(sk);
1544 }
1545
l2cap_sock_teardown_cb(struct l2cap_chan * chan,int err)1546 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1547 {
1548 struct sock *sk = chan->data;
1549 struct sock *parent;
1550
1551 if (!sk)
1552 return;
1553
1554 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1555
1556 /* This callback can be called both for server (BT_LISTEN)
1557 * sockets as well as "normal" ones. To avoid lockdep warnings
1558 * with child socket locking (through l2cap_sock_cleanup_listen)
1559 * we need separation into separate nesting levels. The simplest
1560 * way to accomplish this is to inherit the nesting level used
1561 * for the channel.
1562 */
1563 lock_sock_nested(sk, atomic_read(&chan->nesting));
1564
1565 parent = bt_sk(sk)->parent;
1566
1567 switch (chan->state) {
1568 case BT_OPEN:
1569 case BT_BOUND:
1570 case BT_CLOSED:
1571 break;
1572 case BT_LISTEN:
1573 l2cap_sock_cleanup_listen(sk);
1574 sk->sk_state = BT_CLOSED;
1575 chan->state = BT_CLOSED;
1576
1577 break;
1578 default:
1579 sk->sk_state = BT_CLOSED;
1580 chan->state = BT_CLOSED;
1581
1582 sk->sk_err = err;
1583
1584 if (parent) {
1585 bt_accept_unlink(sk);
1586 parent->sk_data_ready(parent);
1587 } else {
1588 sk->sk_state_change(sk);
1589 }
1590
1591 break;
1592 }
1593 release_sock(sk);
1594
1595 /* Only zap after cleanup to avoid use after free race */
1596 sock_set_flag(sk, SOCK_ZAPPED);
1597
1598 }
1599
l2cap_sock_state_change_cb(struct l2cap_chan * chan,int state,int err)1600 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1601 int err)
1602 {
1603 struct sock *sk = chan->data;
1604
1605 sk->sk_state = state;
1606
1607 if (err)
1608 sk->sk_err = err;
1609 }
1610
l2cap_sock_alloc_skb_cb(struct l2cap_chan * chan,unsigned long hdr_len,unsigned long len,int nb)1611 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1612 unsigned long hdr_len,
1613 unsigned long len, int nb)
1614 {
1615 struct sock *sk = chan->data;
1616 struct sk_buff *skb;
1617 int err;
1618
1619 l2cap_chan_unlock(chan);
1620 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1621 l2cap_chan_lock(chan);
1622
1623 if (!skb)
1624 return ERR_PTR(err);
1625
1626 skb->priority = sk->sk_priority;
1627
1628 bt_cb(skb)->l2cap.chan = chan;
1629
1630 return skb;
1631 }
1632
l2cap_sock_ready_cb(struct l2cap_chan * chan)1633 static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1634 {
1635 struct sock *sk = chan->data;
1636 struct sock *parent;
1637
1638 lock_sock(sk);
1639
1640 parent = bt_sk(sk)->parent;
1641
1642 BT_DBG("sk %p, parent %p", sk, parent);
1643
1644 sk->sk_state = BT_CONNECTED;
1645 sk->sk_state_change(sk);
1646
1647 if (parent)
1648 parent->sk_data_ready(parent);
1649
1650 release_sock(sk);
1651 }
1652
l2cap_sock_defer_cb(struct l2cap_chan * chan)1653 static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1654 {
1655 struct sock *parent, *sk = chan->data;
1656
1657 lock_sock(sk);
1658
1659 parent = bt_sk(sk)->parent;
1660 if (parent)
1661 parent->sk_data_ready(parent);
1662
1663 release_sock(sk);
1664 }
1665
l2cap_sock_resume_cb(struct l2cap_chan * chan)1666 static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1667 {
1668 struct sock *sk = chan->data;
1669
1670 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1671 sk->sk_state = BT_CONNECTED;
1672 chan->state = BT_CONNECTED;
1673 }
1674
1675 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1676 sk->sk_state_change(sk);
1677 }
1678
l2cap_sock_set_shutdown_cb(struct l2cap_chan * chan)1679 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1680 {
1681 struct sock *sk = chan->data;
1682
1683 lock_sock(sk);
1684 sk->sk_shutdown = SHUTDOWN_MASK;
1685 release_sock(sk);
1686 }
1687
l2cap_sock_get_sndtimeo_cb(struct l2cap_chan * chan)1688 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1689 {
1690 struct sock *sk = chan->data;
1691
1692 return sk->sk_sndtimeo;
1693 }
1694
l2cap_sock_get_peer_pid_cb(struct l2cap_chan * chan)1695 static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan)
1696 {
1697 struct sock *sk = chan->data;
1698
1699 return sk->sk_peer_pid;
1700 }
1701
l2cap_sock_suspend_cb(struct l2cap_chan * chan)1702 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1703 {
1704 struct sock *sk = chan->data;
1705
1706 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1707 sk->sk_state_change(sk);
1708 }
1709
l2cap_sock_filter(struct l2cap_chan * chan,struct sk_buff * skb)1710 static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
1711 {
1712 struct sock *sk = chan->data;
1713
1714 switch (chan->mode) {
1715 case L2CAP_MODE_ERTM:
1716 case L2CAP_MODE_STREAMING:
1717 return sk_filter(sk, skb);
1718 }
1719
1720 return 0;
1721 }
1722
1723 static const struct l2cap_ops l2cap_chan_ops = {
1724 .name = "L2CAP Socket Interface",
1725 .new_connection = l2cap_sock_new_connection_cb,
1726 .recv = l2cap_sock_recv_cb,
1727 .close = l2cap_sock_close_cb,
1728 .teardown = l2cap_sock_teardown_cb,
1729 .state_change = l2cap_sock_state_change_cb,
1730 .ready = l2cap_sock_ready_cb,
1731 .defer = l2cap_sock_defer_cb,
1732 .resume = l2cap_sock_resume_cb,
1733 .suspend = l2cap_sock_suspend_cb,
1734 .set_shutdown = l2cap_sock_set_shutdown_cb,
1735 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1736 .get_peer_pid = l2cap_sock_get_peer_pid_cb,
1737 .alloc_skb = l2cap_sock_alloc_skb_cb,
1738 .filter = l2cap_sock_filter,
1739 };
1740
l2cap_sock_destruct(struct sock * sk)1741 static void l2cap_sock_destruct(struct sock *sk)
1742 {
1743 BT_DBG("sk %p", sk);
1744
1745 if (l2cap_pi(sk)->chan) {
1746 l2cap_pi(sk)->chan->data = NULL;
1747 l2cap_chan_put(l2cap_pi(sk)->chan);
1748 }
1749
1750 if (l2cap_pi(sk)->rx_busy_skb) {
1751 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1752 l2cap_pi(sk)->rx_busy_skb = NULL;
1753 }
1754
1755 skb_queue_purge(&sk->sk_receive_queue);
1756 skb_queue_purge(&sk->sk_write_queue);
1757 }
1758
l2cap_skb_msg_name(struct sk_buff * skb,void * msg_name,int * msg_namelen)1759 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1760 int *msg_namelen)
1761 {
1762 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1763
1764 memset(la, 0, sizeof(struct sockaddr_l2));
1765 la->l2_family = AF_BLUETOOTH;
1766 la->l2_psm = bt_cb(skb)->l2cap.psm;
1767 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1768
1769 *msg_namelen = sizeof(struct sockaddr_l2);
1770 }
1771
l2cap_sock_init(struct sock * sk,struct sock * parent)1772 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1773 {
1774 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1775
1776 BT_DBG("sk %p", sk);
1777
1778 if (parent) {
1779 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1780
1781 sk->sk_type = parent->sk_type;
1782 bt_sk(sk)->flags = bt_sk(parent)->flags;
1783
1784 chan->chan_type = pchan->chan_type;
1785 chan->imtu = pchan->imtu;
1786 chan->omtu = pchan->omtu;
1787 chan->conf_state = pchan->conf_state;
1788 chan->mode = pchan->mode;
1789 chan->fcs = pchan->fcs;
1790 chan->max_tx = pchan->max_tx;
1791 chan->tx_win = pchan->tx_win;
1792 chan->tx_win_max = pchan->tx_win_max;
1793 chan->sec_level = pchan->sec_level;
1794 chan->flags = pchan->flags;
1795 chan->tx_credits = pchan->tx_credits;
1796 chan->rx_credits = pchan->rx_credits;
1797
1798 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1799 chan->scid = pchan->scid;
1800 chan->dcid = pchan->scid;
1801 }
1802
1803 security_sk_clone(parent, sk);
1804 } else {
1805 switch (sk->sk_type) {
1806 case SOCK_RAW:
1807 chan->chan_type = L2CAP_CHAN_RAW;
1808 break;
1809 case SOCK_DGRAM:
1810 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1811 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1812 break;
1813 case SOCK_SEQPACKET:
1814 case SOCK_STREAM:
1815 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1816 break;
1817 }
1818
1819 chan->imtu = L2CAP_DEFAULT_MTU;
1820 chan->omtu = 0;
1821 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1822 chan->mode = L2CAP_MODE_ERTM;
1823 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1824 } else {
1825 chan->mode = L2CAP_MODE_BASIC;
1826 }
1827
1828 l2cap_chan_set_defaults(chan);
1829 }
1830
1831 /* Default config options */
1832 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1833
1834 chan->data = sk;
1835 chan->ops = &l2cap_chan_ops;
1836 }
1837
1838 static struct proto l2cap_proto = {
1839 .name = "L2CAP",
1840 .owner = THIS_MODULE,
1841 .obj_size = sizeof(struct l2cap_pinfo)
1842 };
1843
l2cap_sock_alloc(struct net * net,struct socket * sock,int proto,gfp_t prio,int kern)1844 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1845 int proto, gfp_t prio, int kern)
1846 {
1847 struct sock *sk;
1848 struct l2cap_chan *chan;
1849
1850 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern);
1851 if (!sk)
1852 return NULL;
1853
1854 sock_init_data(sock, sk);
1855 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1856
1857 sk->sk_destruct = l2cap_sock_destruct;
1858 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1859
1860 sock_reset_flag(sk, SOCK_ZAPPED);
1861
1862 sk->sk_protocol = proto;
1863 sk->sk_state = BT_OPEN;
1864
1865 chan = l2cap_chan_create();
1866 if (!chan) {
1867 sk_free(sk);
1868 return NULL;
1869 }
1870
1871 l2cap_chan_hold(chan);
1872
1873 l2cap_pi(sk)->chan = chan;
1874
1875 return sk;
1876 }
1877
l2cap_sock_create(struct net * net,struct socket * sock,int protocol,int kern)1878 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1879 int kern)
1880 {
1881 struct sock *sk;
1882
1883 BT_DBG("sock %p", sock);
1884
1885 sock->state = SS_UNCONNECTED;
1886
1887 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1888 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1889 return -ESOCKTNOSUPPORT;
1890
1891 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1892 return -EPERM;
1893
1894 sock->ops = &l2cap_sock_ops;
1895
1896 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1897 if (!sk)
1898 return -ENOMEM;
1899
1900 l2cap_sock_init(sk, NULL);
1901 bt_sock_link(&l2cap_sk_list, sk);
1902 return 0;
1903 }
1904
1905 static const struct proto_ops l2cap_sock_ops = {
1906 .family = PF_BLUETOOTH,
1907 .owner = THIS_MODULE,
1908 .release = l2cap_sock_release,
1909 .bind = l2cap_sock_bind,
1910 .connect = l2cap_sock_connect,
1911 .listen = l2cap_sock_listen,
1912 .accept = l2cap_sock_accept,
1913 .getname = l2cap_sock_getname,
1914 .sendmsg = l2cap_sock_sendmsg,
1915 .recvmsg = l2cap_sock_recvmsg,
1916 .poll = bt_sock_poll,
1917 .ioctl = bt_sock_ioctl,
1918 .gettstamp = sock_gettstamp,
1919 .mmap = sock_no_mmap,
1920 .socketpair = sock_no_socketpair,
1921 .shutdown = l2cap_sock_shutdown,
1922 .setsockopt = l2cap_sock_setsockopt,
1923 .getsockopt = l2cap_sock_getsockopt
1924 };
1925
1926 static const struct net_proto_family l2cap_sock_family_ops = {
1927 .family = PF_BLUETOOTH,
1928 .owner = THIS_MODULE,
1929 .create = l2cap_sock_create,
1930 };
1931
l2cap_init_sockets(void)1932 int __init l2cap_init_sockets(void)
1933 {
1934 int err;
1935
1936 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1937
1938 err = proto_register(&l2cap_proto, 0);
1939 if (err < 0)
1940 return err;
1941
1942 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1943 if (err < 0) {
1944 BT_ERR("L2CAP socket registration failed");
1945 goto error;
1946 }
1947
1948 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1949 NULL);
1950 if (err < 0) {
1951 BT_ERR("Failed to create L2CAP proc file");
1952 bt_sock_unregister(BTPROTO_L2CAP);
1953 goto error;
1954 }
1955
1956 BT_INFO("L2CAP socket layer initialized");
1957
1958 return 0;
1959
1960 error:
1961 proto_unregister(&l2cap_proto);
1962 return err;
1963 }
1964
l2cap_cleanup_sockets(void)1965 void l2cap_cleanup_sockets(void)
1966 {
1967 bt_procfs_cleanup(&init_net, "l2cap");
1968 bt_sock_unregister(BTPROTO_L2CAP);
1969 proto_unregister(&l2cap_proto);
1970 }
1971