1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
26 */
27
28 /* Bluetooth L2CAP sockets. */
29
30 #include <linux/module.h>
31 #include <linux/export.h>
32 #include <linux/sched/signal.h>
33
34 #include <net/bluetooth/bluetooth.h>
35 #include <net/bluetooth/hci_core.h>
36 #include <net/bluetooth/l2cap.h>
37
38 #include "smp.h"
39
40 static struct bt_sock_list l2cap_sk_list = {
41 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
42 };
43
44 static const struct proto_ops l2cap_sock_ops;
45 static void l2cap_sock_init(struct sock *sk, struct sock *parent);
46 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
47 int proto, gfp_t prio, int kern);
48 static void l2cap_sock_cleanup_listen(struct sock *parent);
49
l2cap_is_socket(struct socket * sock)50 bool l2cap_is_socket(struct socket *sock)
51 {
52 return sock && sock->ops == &l2cap_sock_ops;
53 }
54 EXPORT_SYMBOL(l2cap_is_socket);
55
l2cap_validate_bredr_psm(u16 psm)56 static int l2cap_validate_bredr_psm(u16 psm)
57 {
58 /* PSM must be odd and lsb of upper byte must be 0 */
59 if ((psm & 0x0101) != 0x0001)
60 return -EINVAL;
61
62 /* Restrict usage of well-known PSMs */
63 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
64 return -EACCES;
65
66 return 0;
67 }
68
l2cap_validate_le_psm(u16 psm)69 static int l2cap_validate_le_psm(u16 psm)
70 {
71 /* Valid LE_PSM ranges are defined only until 0x00ff */
72 if (psm > L2CAP_PSM_LE_DYN_END)
73 return -EINVAL;
74
75 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
76 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
77 return -EACCES;
78
79 return 0;
80 }
81
l2cap_sock_bind(struct socket * sock,struct sockaddr * addr,int alen)82 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
83 {
84 struct sock *sk = sock->sk;
85 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
86 struct sockaddr_l2 la;
87 int len, err = 0;
88
89 BT_DBG("sk %p", sk);
90
91 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
92 addr->sa_family != AF_BLUETOOTH)
93 return -EINVAL;
94
95 memset(&la, 0, sizeof(la));
96 len = min_t(unsigned int, sizeof(la), alen);
97 memcpy(&la, addr, len);
98
99 if (la.l2_cid && la.l2_psm)
100 return -EINVAL;
101
102 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
103 return -EINVAL;
104
105 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
106 /* We only allow ATT user space socket */
107 if (la.l2_cid &&
108 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
109 return -EINVAL;
110 }
111
112 lock_sock(sk);
113
114 if (sk->sk_state != BT_OPEN) {
115 err = -EBADFD;
116 goto done;
117 }
118
119 if (la.l2_psm) {
120 __u16 psm = __le16_to_cpu(la.l2_psm);
121
122 if (la.l2_bdaddr_type == BDADDR_BREDR)
123 err = l2cap_validate_bredr_psm(psm);
124 else
125 err = l2cap_validate_le_psm(psm);
126
127 if (err)
128 goto done;
129 }
130
131 bacpy(&chan->src, &la.l2_bdaddr);
132 chan->src_type = la.l2_bdaddr_type;
133
134 if (la.l2_cid)
135 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
136 else
137 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
138
139 if (err < 0)
140 goto done;
141
142 switch (chan->chan_type) {
143 case L2CAP_CHAN_CONN_LESS:
144 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
145 chan->sec_level = BT_SECURITY_SDP;
146 break;
147 case L2CAP_CHAN_CONN_ORIENTED:
148 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
149 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
150 chan->sec_level = BT_SECURITY_SDP;
151 break;
152 case L2CAP_CHAN_RAW:
153 chan->sec_level = BT_SECURITY_SDP;
154 break;
155 case L2CAP_CHAN_FIXED:
156 /* Fixed channels default to the L2CAP core not holding a
157 * hci_conn reference for them. For fixed channels mapping to
158 * L2CAP sockets we do want to hold a reference so set the
159 * appropriate flag to request it.
160 */
161 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
162 break;
163 }
164
165 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
166 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
167 */
168 if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
169 chan->mode != L2CAP_MODE_EXT_FLOWCTL)
170 chan->mode = L2CAP_MODE_LE_FLOWCTL;
171
172 chan->state = BT_BOUND;
173 sk->sk_state = BT_BOUND;
174
175 done:
176 release_sock(sk);
177 return err;
178 }
179
l2cap_sock_init_pid(struct sock * sk)180 static void l2cap_sock_init_pid(struct sock *sk)
181 {
182 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
183
184 /* Only L2CAP_MODE_EXT_FLOWCTL ever need to access the PID in order to
185 * group the channels being requested.
186 */
187 if (chan->mode != L2CAP_MODE_EXT_FLOWCTL)
188 return;
189
190 spin_lock(&sk->sk_peer_lock);
191 sk->sk_peer_pid = get_pid(task_tgid(current));
192 spin_unlock(&sk->sk_peer_lock);
193 }
194
l2cap_sock_connect(struct socket * sock,struct sockaddr * addr,int alen,int flags)195 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
196 int alen, int flags)
197 {
198 struct sock *sk = sock->sk;
199 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
200 struct sockaddr_l2 la;
201 int len, err = 0;
202 bool zapped;
203
204 BT_DBG("sk %p", sk);
205
206 lock_sock(sk);
207 zapped = sock_flag(sk, SOCK_ZAPPED);
208 release_sock(sk);
209
210 if (zapped)
211 return -EINVAL;
212
213 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
214 addr->sa_family != AF_BLUETOOTH)
215 return -EINVAL;
216
217 memset(&la, 0, sizeof(la));
218 len = min_t(unsigned int, sizeof(la), alen);
219 memcpy(&la, addr, len);
220
221 if (la.l2_cid && la.l2_psm)
222 return -EINVAL;
223
224 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
225 return -EINVAL;
226
227 /* Check that the socket wasn't bound to something that
228 * conflicts with the address given to connect(). If chan->src
229 * is BDADDR_ANY it means bind() was never used, in which case
230 * chan->src_type and la.l2_bdaddr_type do not need to match.
231 */
232 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
233 bdaddr_type_is_le(la.l2_bdaddr_type)) {
234 /* Old user space versions will try to incorrectly bind
235 * the ATT socket using BDADDR_BREDR. We need to accept
236 * this and fix up the source address type only when
237 * both the source CID and destination CID indicate
238 * ATT. Anything else is an invalid combination.
239 */
240 if (chan->scid != L2CAP_CID_ATT ||
241 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
242 return -EINVAL;
243
244 /* We don't have the hdev available here to make a
245 * better decision on random vs public, but since all
246 * user space versions that exhibit this issue anyway do
247 * not support random local addresses assuming public
248 * here is good enough.
249 */
250 chan->src_type = BDADDR_LE_PUBLIC;
251 }
252
253 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
254 return -EINVAL;
255
256 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
257 /* We only allow ATT user space socket */
258 if (la.l2_cid &&
259 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
260 return -EINVAL;
261 }
262
263 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
264 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
265 */
266 if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
267 chan->mode != L2CAP_MODE_EXT_FLOWCTL)
268 chan->mode = L2CAP_MODE_LE_FLOWCTL;
269
270 l2cap_sock_init_pid(sk);
271
272 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
273 &la.l2_bdaddr, la.l2_bdaddr_type);
274 if (err)
275 return err;
276
277 lock_sock(sk);
278
279 err = bt_sock_wait_state(sk, BT_CONNECTED,
280 sock_sndtimeo(sk, flags & O_NONBLOCK));
281
282 release_sock(sk);
283
284 return err;
285 }
286
l2cap_sock_listen(struct socket * sock,int backlog)287 static int l2cap_sock_listen(struct socket *sock, int backlog)
288 {
289 struct sock *sk = sock->sk;
290 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
291 int err = 0;
292
293 BT_DBG("sk %p backlog %d", sk, backlog);
294
295 lock_sock(sk);
296
297 if (sk->sk_state != BT_BOUND) {
298 err = -EBADFD;
299 goto done;
300 }
301
302 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
303 err = -EINVAL;
304 goto done;
305 }
306
307 switch (chan->mode) {
308 case L2CAP_MODE_BASIC:
309 case L2CAP_MODE_LE_FLOWCTL:
310 break;
311 case L2CAP_MODE_EXT_FLOWCTL:
312 if (!enable_ecred) {
313 err = -EOPNOTSUPP;
314 goto done;
315 }
316 break;
317 case L2CAP_MODE_ERTM:
318 case L2CAP_MODE_STREAMING:
319 if (!disable_ertm)
320 break;
321 fallthrough;
322 default:
323 err = -EOPNOTSUPP;
324 goto done;
325 }
326
327 l2cap_sock_init_pid(sk);
328
329 sk->sk_max_ack_backlog = backlog;
330 sk->sk_ack_backlog = 0;
331
332 /* Listening channels need to use nested locking in order not to
333 * cause lockdep warnings when the created child channels end up
334 * being locked in the same thread as the parent channel.
335 */
336 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
337
338 chan->state = BT_LISTEN;
339 sk->sk_state = BT_LISTEN;
340
341 done:
342 release_sock(sk);
343 return err;
344 }
345
l2cap_sock_accept(struct socket * sock,struct socket * newsock,int flags,bool kern)346 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
347 int flags, bool kern)
348 {
349 DEFINE_WAIT_FUNC(wait, woken_wake_function);
350 struct sock *sk = sock->sk, *nsk;
351 long timeo;
352 int err = 0;
353
354 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
355
356 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
357
358 BT_DBG("sk %p timeo %ld", sk, timeo);
359
360 /* Wait for an incoming connection. (wake-one). */
361 add_wait_queue_exclusive(sk_sleep(sk), &wait);
362 while (1) {
363 if (sk->sk_state != BT_LISTEN) {
364 err = -EBADFD;
365 break;
366 }
367
368 nsk = bt_accept_dequeue(sk, newsock);
369 if (nsk)
370 break;
371
372 if (!timeo) {
373 err = -EAGAIN;
374 break;
375 }
376
377 if (signal_pending(current)) {
378 err = sock_intr_errno(timeo);
379 break;
380 }
381
382 release_sock(sk);
383
384 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
385
386 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
387 }
388 remove_wait_queue(sk_sleep(sk), &wait);
389
390 if (err)
391 goto done;
392
393 newsock->state = SS_CONNECTED;
394
395 BT_DBG("new socket %p", nsk);
396
397 done:
398 release_sock(sk);
399 return err;
400 }
401
l2cap_sock_getname(struct socket * sock,struct sockaddr * addr,int peer)402 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
403 int peer)
404 {
405 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
406 struct sock *sk = sock->sk;
407 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
408
409 BT_DBG("sock %p, sk %p", sock, sk);
410
411 if (peer && sk->sk_state != BT_CONNECTED &&
412 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
413 sk->sk_state != BT_CONFIG)
414 return -ENOTCONN;
415
416 memset(la, 0, sizeof(struct sockaddr_l2));
417 addr->sa_family = AF_BLUETOOTH;
418
419 la->l2_psm = chan->psm;
420
421 if (peer) {
422 bacpy(&la->l2_bdaddr, &chan->dst);
423 la->l2_cid = cpu_to_le16(chan->dcid);
424 la->l2_bdaddr_type = chan->dst_type;
425 } else {
426 bacpy(&la->l2_bdaddr, &chan->src);
427 la->l2_cid = cpu_to_le16(chan->scid);
428 la->l2_bdaddr_type = chan->src_type;
429 }
430
431 return sizeof(struct sockaddr_l2);
432 }
433
l2cap_get_mode(struct l2cap_chan * chan)434 static int l2cap_get_mode(struct l2cap_chan *chan)
435 {
436 switch (chan->mode) {
437 case L2CAP_MODE_BASIC:
438 return BT_MODE_BASIC;
439 case L2CAP_MODE_ERTM:
440 return BT_MODE_ERTM;
441 case L2CAP_MODE_STREAMING:
442 return BT_MODE_STREAMING;
443 case L2CAP_MODE_LE_FLOWCTL:
444 return BT_MODE_LE_FLOWCTL;
445 case L2CAP_MODE_EXT_FLOWCTL:
446 return BT_MODE_EXT_FLOWCTL;
447 }
448
449 return -EINVAL;
450 }
451
l2cap_sock_getsockopt_old(struct socket * sock,int optname,char __user * optval,int __user * optlen)452 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
453 char __user *optval, int __user *optlen)
454 {
455 struct sock *sk = sock->sk;
456 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
457 struct l2cap_options opts;
458 struct l2cap_conninfo cinfo;
459 int len, err = 0;
460 u32 opt;
461
462 BT_DBG("sk %p", sk);
463
464 if (get_user(len, optlen))
465 return -EFAULT;
466
467 lock_sock(sk);
468
469 switch (optname) {
470 case L2CAP_OPTIONS:
471 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
472 * legacy ATT code depends on getsockopt for
473 * L2CAP_OPTIONS we need to let this pass.
474 */
475 if (bdaddr_type_is_le(chan->src_type) &&
476 chan->scid != L2CAP_CID_ATT) {
477 err = -EINVAL;
478 break;
479 }
480
481 /* Only BR/EDR modes are supported here */
482 switch (chan->mode) {
483 case L2CAP_MODE_BASIC:
484 case L2CAP_MODE_ERTM:
485 case L2CAP_MODE_STREAMING:
486 break;
487 default:
488 err = -EINVAL;
489 break;
490 }
491
492 if (err < 0)
493 break;
494
495 memset(&opts, 0, sizeof(opts));
496 opts.imtu = chan->imtu;
497 opts.omtu = chan->omtu;
498 opts.flush_to = chan->flush_to;
499 opts.mode = chan->mode;
500 opts.fcs = chan->fcs;
501 opts.max_tx = chan->max_tx;
502 opts.txwin_size = chan->tx_win;
503
504 BT_DBG("mode 0x%2.2x", chan->mode);
505
506 len = min_t(unsigned int, len, sizeof(opts));
507 if (copy_to_user(optval, (char *) &opts, len))
508 err = -EFAULT;
509
510 break;
511
512 case L2CAP_LM:
513 switch (chan->sec_level) {
514 case BT_SECURITY_LOW:
515 opt = L2CAP_LM_AUTH;
516 break;
517 case BT_SECURITY_MEDIUM:
518 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
519 break;
520 case BT_SECURITY_HIGH:
521 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
522 L2CAP_LM_SECURE;
523 break;
524 case BT_SECURITY_FIPS:
525 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
526 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
527 break;
528 default:
529 opt = 0;
530 break;
531 }
532
533 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
534 opt |= L2CAP_LM_MASTER;
535
536 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
537 opt |= L2CAP_LM_RELIABLE;
538
539 if (put_user(opt, (u32 __user *) optval))
540 err = -EFAULT;
541
542 break;
543
544 case L2CAP_CONNINFO:
545 if (sk->sk_state != BT_CONNECTED &&
546 !(sk->sk_state == BT_CONNECT2 &&
547 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
548 err = -ENOTCONN;
549 break;
550 }
551
552 memset(&cinfo, 0, sizeof(cinfo));
553 cinfo.hci_handle = chan->conn->hcon->handle;
554 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
555
556 len = min_t(unsigned int, len, sizeof(cinfo));
557 if (copy_to_user(optval, (char *) &cinfo, len))
558 err = -EFAULT;
559
560 break;
561
562 default:
563 err = -ENOPROTOOPT;
564 break;
565 }
566
567 release_sock(sk);
568 return err;
569 }
570
l2cap_sock_getsockopt(struct socket * sock,int level,int optname,char __user * optval,int __user * optlen)571 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
572 char __user *optval, int __user *optlen)
573 {
574 struct sock *sk = sock->sk;
575 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
576 struct bt_security sec;
577 struct bt_power pwr;
578 u32 phys;
579 int len, mode, err = 0;
580
581 BT_DBG("sk %p", sk);
582
583 if (level == SOL_L2CAP)
584 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
585
586 if (level != SOL_BLUETOOTH)
587 return -ENOPROTOOPT;
588
589 if (get_user(len, optlen))
590 return -EFAULT;
591
592 lock_sock(sk);
593
594 switch (optname) {
595 case BT_SECURITY:
596 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
597 chan->chan_type != L2CAP_CHAN_FIXED &&
598 chan->chan_type != L2CAP_CHAN_RAW) {
599 err = -EINVAL;
600 break;
601 }
602
603 memset(&sec, 0, sizeof(sec));
604 if (chan->conn) {
605 sec.level = chan->conn->hcon->sec_level;
606
607 if (sk->sk_state == BT_CONNECTED)
608 sec.key_size = chan->conn->hcon->enc_key_size;
609 } else {
610 sec.level = chan->sec_level;
611 }
612
613 len = min_t(unsigned int, len, sizeof(sec));
614 if (copy_to_user(optval, (char *) &sec, len))
615 err = -EFAULT;
616
617 break;
618
619 case BT_DEFER_SETUP:
620 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
621 err = -EINVAL;
622 break;
623 }
624
625 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
626 (u32 __user *) optval))
627 err = -EFAULT;
628
629 break;
630
631 case BT_FLUSHABLE:
632 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
633 (u32 __user *) optval))
634 err = -EFAULT;
635
636 break;
637
638 case BT_POWER:
639 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
640 && sk->sk_type != SOCK_RAW) {
641 err = -EINVAL;
642 break;
643 }
644
645 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
646
647 len = min_t(unsigned int, len, sizeof(pwr));
648 if (copy_to_user(optval, (char *) &pwr, len))
649 err = -EFAULT;
650
651 break;
652
653 case BT_CHANNEL_POLICY:
654 if (put_user(chan->chan_policy, (u32 __user *) optval))
655 err = -EFAULT;
656 break;
657
658 case BT_SNDMTU:
659 if (!bdaddr_type_is_le(chan->src_type)) {
660 err = -EINVAL;
661 break;
662 }
663
664 if (sk->sk_state != BT_CONNECTED) {
665 err = -ENOTCONN;
666 break;
667 }
668
669 if (put_user(chan->omtu, (u16 __user *) optval))
670 err = -EFAULT;
671 break;
672
673 case BT_RCVMTU:
674 if (!bdaddr_type_is_le(chan->src_type)) {
675 err = -EINVAL;
676 break;
677 }
678
679 if (put_user(chan->imtu, (u16 __user *) optval))
680 err = -EFAULT;
681 break;
682
683 case BT_PHY:
684 if (sk->sk_state != BT_CONNECTED) {
685 err = -ENOTCONN;
686 break;
687 }
688
689 phys = hci_conn_get_phy(chan->conn->hcon);
690
691 if (put_user(phys, (u32 __user *) optval))
692 err = -EFAULT;
693 break;
694
695 case BT_MODE:
696 if (!enable_ecred) {
697 err = -ENOPROTOOPT;
698 break;
699 }
700
701 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
702 err = -EINVAL;
703 break;
704 }
705
706 mode = l2cap_get_mode(chan);
707 if (mode < 0) {
708 err = mode;
709 break;
710 }
711
712 if (put_user(mode, (u8 __user *) optval))
713 err = -EFAULT;
714 break;
715
716 default:
717 err = -ENOPROTOOPT;
718 break;
719 }
720
721 release_sock(sk);
722 return err;
723 }
724
l2cap_valid_mtu(struct l2cap_chan * chan,u16 mtu)725 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
726 {
727 switch (chan->scid) {
728 case L2CAP_CID_ATT:
729 if (mtu < L2CAP_LE_MIN_MTU)
730 return false;
731 break;
732
733 default:
734 if (mtu < L2CAP_DEFAULT_MIN_MTU)
735 return false;
736 }
737
738 return true;
739 }
740
l2cap_sock_setsockopt_old(struct socket * sock,int optname,sockptr_t optval,unsigned int optlen)741 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
742 sockptr_t optval, unsigned int optlen)
743 {
744 struct sock *sk = sock->sk;
745 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
746 struct l2cap_options opts;
747 int err = 0;
748 u32 opt;
749
750 BT_DBG("sk %p", sk);
751
752 lock_sock(sk);
753
754 switch (optname) {
755 case L2CAP_OPTIONS:
756 if (bdaddr_type_is_le(chan->src_type)) {
757 err = -EINVAL;
758 break;
759 }
760
761 if (sk->sk_state == BT_CONNECTED) {
762 err = -EINVAL;
763 break;
764 }
765
766 opts.imtu = chan->imtu;
767 opts.omtu = chan->omtu;
768 opts.flush_to = chan->flush_to;
769 opts.mode = chan->mode;
770 opts.fcs = chan->fcs;
771 opts.max_tx = chan->max_tx;
772 opts.txwin_size = chan->tx_win;
773
774 err = bt_copy_from_sockptr(&opts, sizeof(opts), optval, optlen);
775 if (err)
776 break;
777
778 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
779 err = -EINVAL;
780 break;
781 }
782
783 if (!l2cap_valid_mtu(chan, opts.imtu)) {
784 err = -EINVAL;
785 break;
786 }
787
788 /* Only BR/EDR modes are supported here */
789 switch (opts.mode) {
790 case L2CAP_MODE_BASIC:
791 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
792 break;
793 case L2CAP_MODE_ERTM:
794 case L2CAP_MODE_STREAMING:
795 if (!disable_ertm)
796 break;
797 fallthrough;
798 default:
799 err = -EINVAL;
800 break;
801 }
802
803 if (err < 0)
804 break;
805
806 chan->mode = opts.mode;
807
808 BT_DBG("mode 0x%2.2x", chan->mode);
809
810 chan->imtu = opts.imtu;
811 chan->omtu = opts.omtu;
812 chan->fcs = opts.fcs;
813 chan->max_tx = opts.max_tx;
814 chan->tx_win = opts.txwin_size;
815 chan->flush_to = opts.flush_to;
816 break;
817
818 case L2CAP_LM:
819 err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
820 if (err)
821 break;
822
823 if (opt & L2CAP_LM_FIPS) {
824 err = -EINVAL;
825 break;
826 }
827
828 if (opt & L2CAP_LM_AUTH)
829 chan->sec_level = BT_SECURITY_LOW;
830 if (opt & L2CAP_LM_ENCRYPT)
831 chan->sec_level = BT_SECURITY_MEDIUM;
832 if (opt & L2CAP_LM_SECURE)
833 chan->sec_level = BT_SECURITY_HIGH;
834
835 if (opt & L2CAP_LM_MASTER)
836 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
837 else
838 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
839
840 if (opt & L2CAP_LM_RELIABLE)
841 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
842 else
843 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
844 break;
845
846 default:
847 err = -ENOPROTOOPT;
848 break;
849 }
850
851 release_sock(sk);
852 return err;
853 }
854
l2cap_set_mode(struct l2cap_chan * chan,u8 mode)855 static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode)
856 {
857 switch (mode) {
858 case BT_MODE_BASIC:
859 if (bdaddr_type_is_le(chan->src_type))
860 return -EINVAL;
861 mode = L2CAP_MODE_BASIC;
862 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
863 break;
864 case BT_MODE_ERTM:
865 if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
866 return -EINVAL;
867 mode = L2CAP_MODE_ERTM;
868 break;
869 case BT_MODE_STREAMING:
870 if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
871 return -EINVAL;
872 mode = L2CAP_MODE_STREAMING;
873 break;
874 case BT_MODE_LE_FLOWCTL:
875 if (!bdaddr_type_is_le(chan->src_type))
876 return -EINVAL;
877 mode = L2CAP_MODE_LE_FLOWCTL;
878 break;
879 case BT_MODE_EXT_FLOWCTL:
880 /* TODO: Add support for ECRED PDUs to BR/EDR */
881 if (!bdaddr_type_is_le(chan->src_type))
882 return -EINVAL;
883 mode = L2CAP_MODE_EXT_FLOWCTL;
884 break;
885 default:
886 return -EINVAL;
887 }
888
889 chan->mode = mode;
890
891 return 0;
892 }
893
l2cap_sock_setsockopt(struct socket * sock,int level,int optname,sockptr_t optval,unsigned int optlen)894 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
895 sockptr_t optval, unsigned int optlen)
896 {
897 struct sock *sk = sock->sk;
898 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
899 struct bt_security sec;
900 struct bt_power pwr;
901 struct l2cap_conn *conn;
902 int err = 0;
903 u32 opt;
904 u16 mtu;
905 u8 mode;
906
907 BT_DBG("sk %p", sk);
908
909 if (level == SOL_L2CAP)
910 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
911
912 if (level != SOL_BLUETOOTH)
913 return -ENOPROTOOPT;
914
915 lock_sock(sk);
916
917 switch (optname) {
918 case BT_SECURITY:
919 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
920 chan->chan_type != L2CAP_CHAN_FIXED &&
921 chan->chan_type != L2CAP_CHAN_RAW) {
922 err = -EINVAL;
923 break;
924 }
925
926 sec.level = BT_SECURITY_LOW;
927
928 err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen);
929 if (err)
930 break;
931
932 if (sec.level < BT_SECURITY_LOW ||
933 sec.level > BT_SECURITY_FIPS) {
934 err = -EINVAL;
935 break;
936 }
937
938 chan->sec_level = sec.level;
939
940 if (!chan->conn)
941 break;
942
943 conn = chan->conn;
944
945 /* change security for LE channels */
946 if (chan->scid == L2CAP_CID_ATT) {
947 if (smp_conn_security(conn->hcon, sec.level)) {
948 err = -EINVAL;
949 break;
950 }
951
952 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
953 sk->sk_state = BT_CONFIG;
954 chan->state = BT_CONFIG;
955
956 /* or for ACL link */
957 } else if ((sk->sk_state == BT_CONNECT2 &&
958 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
959 sk->sk_state == BT_CONNECTED) {
960 if (!l2cap_chan_check_security(chan, true))
961 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
962 else
963 sk->sk_state_change(sk);
964 } else {
965 err = -EINVAL;
966 }
967 break;
968
969 case BT_DEFER_SETUP:
970 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
971 err = -EINVAL;
972 break;
973 }
974
975 err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
976 if (err)
977 break;
978
979 if (opt) {
980 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
981 set_bit(FLAG_DEFER_SETUP, &chan->flags);
982 } else {
983 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
984 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
985 }
986 break;
987
988 case BT_FLUSHABLE:
989 err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
990 if (err)
991 break;
992
993 if (opt > BT_FLUSHABLE_ON) {
994 err = -EINVAL;
995 break;
996 }
997
998 if (opt == BT_FLUSHABLE_OFF) {
999 conn = chan->conn;
1000 /* proceed further only when we have l2cap_conn and
1001 No Flush support in the LM */
1002 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
1003 err = -EINVAL;
1004 break;
1005 }
1006 }
1007
1008 if (opt)
1009 set_bit(FLAG_FLUSHABLE, &chan->flags);
1010 else
1011 clear_bit(FLAG_FLUSHABLE, &chan->flags);
1012 break;
1013
1014 case BT_POWER:
1015 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
1016 chan->chan_type != L2CAP_CHAN_RAW) {
1017 err = -EINVAL;
1018 break;
1019 }
1020
1021 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
1022
1023 err = bt_copy_from_sockptr(&pwr, sizeof(pwr), optval, optlen);
1024 if (err)
1025 break;
1026
1027 if (pwr.force_active)
1028 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1029 else
1030 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1031 break;
1032
1033 case BT_CHANNEL_POLICY:
1034 err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
1035 if (err)
1036 break;
1037
1038 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
1039 err = -EINVAL;
1040 break;
1041 }
1042
1043 if (chan->mode != L2CAP_MODE_ERTM &&
1044 chan->mode != L2CAP_MODE_STREAMING) {
1045 err = -EOPNOTSUPP;
1046 break;
1047 }
1048
1049 chan->chan_policy = (u8) opt;
1050
1051 if (sk->sk_state == BT_CONNECTED &&
1052 chan->move_role == L2CAP_MOVE_ROLE_NONE)
1053 l2cap_move_start(chan);
1054
1055 break;
1056
1057 case BT_SNDMTU:
1058 if (!bdaddr_type_is_le(chan->src_type)) {
1059 err = -EINVAL;
1060 break;
1061 }
1062
1063 /* Setting is not supported as it's the remote side that
1064 * decides this.
1065 */
1066 err = -EPERM;
1067 break;
1068
1069 case BT_RCVMTU:
1070 if (!bdaddr_type_is_le(chan->src_type)) {
1071 err = -EINVAL;
1072 break;
1073 }
1074
1075 if (chan->mode == L2CAP_MODE_LE_FLOWCTL &&
1076 sk->sk_state == BT_CONNECTED) {
1077 err = -EISCONN;
1078 break;
1079 }
1080
1081 err = bt_copy_from_sockptr(&mtu, sizeof(mtu), optval, optlen);
1082 if (err)
1083 break;
1084
1085 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
1086 sk->sk_state == BT_CONNECTED)
1087 err = l2cap_chan_reconfigure(chan, mtu);
1088 else
1089 chan->imtu = mtu;
1090
1091 break;
1092
1093 case BT_MODE:
1094 if (!enable_ecred) {
1095 err = -ENOPROTOOPT;
1096 break;
1097 }
1098
1099 BT_DBG("sk->sk_state %u", sk->sk_state);
1100
1101 if (sk->sk_state != BT_BOUND) {
1102 err = -EINVAL;
1103 break;
1104 }
1105
1106 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1107 err = -EINVAL;
1108 break;
1109 }
1110
1111 err = bt_copy_from_sockptr(&mode, sizeof(mode), optval, optlen);
1112 if (err)
1113 break;
1114
1115 BT_DBG("mode %u", mode);
1116
1117 err = l2cap_set_mode(chan, mode);
1118 if (err)
1119 break;
1120
1121 BT_DBG("mode 0x%2.2x", chan->mode);
1122
1123 break;
1124
1125 default:
1126 err = -ENOPROTOOPT;
1127 break;
1128 }
1129
1130 release_sock(sk);
1131 return err;
1132 }
1133
l2cap_sock_sendmsg(struct socket * sock,struct msghdr * msg,size_t len)1134 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1135 size_t len)
1136 {
1137 struct sock *sk = sock->sk;
1138 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1139 int err;
1140
1141 BT_DBG("sock %p, sk %p", sock, sk);
1142
1143 err = sock_error(sk);
1144 if (err)
1145 return err;
1146
1147 if (msg->msg_flags & MSG_OOB)
1148 return -EOPNOTSUPP;
1149
1150 if (sk->sk_state != BT_CONNECTED)
1151 return -ENOTCONN;
1152
1153 lock_sock(sk);
1154 err = bt_sock_wait_ready(sk, msg->msg_flags);
1155 release_sock(sk);
1156 if (err)
1157 return err;
1158
1159 l2cap_chan_lock(chan);
1160 err = l2cap_chan_send(chan, msg, len);
1161 l2cap_chan_unlock(chan);
1162
1163 return err;
1164 }
1165
l2cap_sock_recvmsg(struct socket * sock,struct msghdr * msg,size_t len,int flags)1166 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1167 size_t len, int flags)
1168 {
1169 struct sock *sk = sock->sk;
1170 struct l2cap_pinfo *pi = l2cap_pi(sk);
1171 int err;
1172
1173 lock_sock(sk);
1174
1175 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
1176 &bt_sk(sk)->flags)) {
1177 if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
1178 sk->sk_state = BT_CONNECTED;
1179 pi->chan->state = BT_CONNECTED;
1180 __l2cap_ecred_conn_rsp_defer(pi->chan);
1181 } else if (bdaddr_type_is_le(pi->chan->src_type)) {
1182 sk->sk_state = BT_CONNECTED;
1183 pi->chan->state = BT_CONNECTED;
1184 __l2cap_le_connect_rsp_defer(pi->chan);
1185 } else {
1186 sk->sk_state = BT_CONFIG;
1187 pi->chan->state = BT_CONFIG;
1188 __l2cap_connect_rsp_defer(pi->chan);
1189 }
1190
1191 err = 0;
1192 goto done;
1193 }
1194
1195 release_sock(sk);
1196
1197 if (sock->type == SOCK_STREAM)
1198 err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1199 else
1200 err = bt_sock_recvmsg(sock, msg, len, flags);
1201
1202 if (pi->chan->mode != L2CAP_MODE_ERTM)
1203 return err;
1204
1205 /* Attempt to put pending rx data in the socket buffer */
1206
1207 lock_sock(sk);
1208
1209 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1210 goto done;
1211
1212 if (pi->rx_busy_skb) {
1213 if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1214 pi->rx_busy_skb = NULL;
1215 else
1216 goto done;
1217 }
1218
1219 /* Restore data flow when half of the receive buffer is
1220 * available. This avoids resending large numbers of
1221 * frames.
1222 */
1223 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1224 l2cap_chan_busy(pi->chan, 0);
1225
1226 done:
1227 release_sock(sk);
1228 return err;
1229 }
1230
1231 /* Kill socket (only if zapped and orphan)
1232 * Must be called on unlocked socket, with l2cap channel lock.
1233 */
l2cap_sock_kill(struct sock * sk)1234 static void l2cap_sock_kill(struct sock *sk)
1235 {
1236 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1237 return;
1238
1239 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1240
1241 /* Sock is dead, so set chan data to NULL, avoid other task use invalid
1242 * sock pointer.
1243 */
1244 l2cap_pi(sk)->chan->data = NULL;
1245 /* Kill poor orphan */
1246
1247 l2cap_chan_put(l2cap_pi(sk)->chan);
1248 sock_set_flag(sk, SOCK_DEAD);
1249 sock_put(sk);
1250 }
1251
__l2cap_wait_ack(struct sock * sk,struct l2cap_chan * chan)1252 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1253 {
1254 DECLARE_WAITQUEUE(wait, current);
1255 int err = 0;
1256 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1257 /* Timeout to prevent infinite loop */
1258 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1259
1260 add_wait_queue(sk_sleep(sk), &wait);
1261 set_current_state(TASK_INTERRUPTIBLE);
1262 do {
1263 BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1264 chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1265 jiffies_to_msecs(timeout - jiffies));
1266
1267 if (!timeo)
1268 timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1269
1270 if (signal_pending(current)) {
1271 err = sock_intr_errno(timeo);
1272 break;
1273 }
1274
1275 release_sock(sk);
1276 timeo = schedule_timeout(timeo);
1277 lock_sock(sk);
1278 set_current_state(TASK_INTERRUPTIBLE);
1279
1280 err = sock_error(sk);
1281 if (err)
1282 break;
1283
1284 if (time_after(jiffies, timeout)) {
1285 err = -ENOLINK;
1286 break;
1287 }
1288
1289 } while (chan->unacked_frames > 0 &&
1290 chan->state == BT_CONNECTED);
1291
1292 set_current_state(TASK_RUNNING);
1293 remove_wait_queue(sk_sleep(sk), &wait);
1294 return err;
1295 }
1296
l2cap_sock_shutdown(struct socket * sock,int how)1297 static int l2cap_sock_shutdown(struct socket *sock, int how)
1298 {
1299 struct sock *sk = sock->sk;
1300 struct l2cap_chan *chan;
1301 struct l2cap_conn *conn;
1302 int err = 0;
1303
1304 BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1305
1306 /* 'how' parameter is mapped to sk_shutdown as follows:
1307 * SHUT_RD (0) --> RCV_SHUTDOWN (1)
1308 * SHUT_WR (1) --> SEND_SHUTDOWN (2)
1309 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3)
1310 */
1311 how++;
1312
1313 if (!sk)
1314 return 0;
1315
1316 lock_sock(sk);
1317
1318 if ((sk->sk_shutdown & how) == how)
1319 goto shutdown_already;
1320
1321 BT_DBG("Handling sock shutdown");
1322
1323 /* prevent sk structure from being freed whilst unlocked */
1324 sock_hold(sk);
1325
1326 chan = l2cap_pi(sk)->chan;
1327 /* prevent chan structure from being freed whilst unlocked */
1328 l2cap_chan_hold(chan);
1329
1330 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1331
1332 if (chan->mode == L2CAP_MODE_ERTM &&
1333 chan->unacked_frames > 0 &&
1334 chan->state == BT_CONNECTED) {
1335 err = __l2cap_wait_ack(sk, chan);
1336
1337 /* After waiting for ACKs, check whether shutdown
1338 * has already been actioned to close the L2CAP
1339 * link such as by l2cap_disconnection_req().
1340 */
1341 if ((sk->sk_shutdown & how) == how)
1342 goto shutdown_matched;
1343 }
1344
1345 /* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN
1346 * is already set
1347 */
1348 if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) {
1349 sk->sk_shutdown |= RCV_SHUTDOWN;
1350 if ((sk->sk_shutdown & how) == how)
1351 goto shutdown_matched;
1352 }
1353
1354 sk->sk_shutdown |= SEND_SHUTDOWN;
1355 release_sock(sk);
1356
1357 l2cap_chan_lock(chan);
1358 conn = chan->conn;
1359 if (conn)
1360 /* prevent conn structure from being freed */
1361 l2cap_conn_get(conn);
1362 l2cap_chan_unlock(chan);
1363
1364 if (conn)
1365 /* mutex lock must be taken before l2cap_chan_lock() */
1366 mutex_lock(&conn->chan_lock);
1367
1368 l2cap_chan_lock(chan);
1369 l2cap_chan_close(chan, 0);
1370 l2cap_chan_unlock(chan);
1371
1372 if (conn) {
1373 mutex_unlock(&conn->chan_lock);
1374 l2cap_conn_put(conn);
1375 }
1376
1377 lock_sock(sk);
1378
1379 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1380 !(current->flags & PF_EXITING))
1381 err = bt_sock_wait_state(sk, BT_CLOSED,
1382 sk->sk_lingertime);
1383
1384 shutdown_matched:
1385 l2cap_chan_put(chan);
1386 sock_put(sk);
1387
1388 shutdown_already:
1389 if (!err && sk->sk_err)
1390 err = -sk->sk_err;
1391
1392 release_sock(sk);
1393
1394 BT_DBG("Sock shutdown complete err: %d", err);
1395
1396 return err;
1397 }
1398
l2cap_sock_release(struct socket * sock)1399 static int l2cap_sock_release(struct socket *sock)
1400 {
1401 struct sock *sk = sock->sk;
1402 int err;
1403 struct l2cap_chan *chan;
1404
1405 BT_DBG("sock %p, sk %p", sock, sk);
1406
1407 if (!sk)
1408 return 0;
1409
1410 l2cap_sock_cleanup_listen(sk);
1411 bt_sock_unlink(&l2cap_sk_list, sk);
1412
1413 err = l2cap_sock_shutdown(sock, SHUT_RDWR);
1414 chan = l2cap_pi(sk)->chan;
1415
1416 l2cap_chan_hold(chan);
1417 l2cap_chan_lock(chan);
1418
1419 sock_orphan(sk);
1420 l2cap_sock_kill(sk);
1421
1422 l2cap_chan_unlock(chan);
1423 l2cap_chan_put(chan);
1424
1425 return err;
1426 }
1427
l2cap_sock_cleanup_listen(struct sock * parent)1428 static void l2cap_sock_cleanup_listen(struct sock *parent)
1429 {
1430 struct sock *sk;
1431
1432 BT_DBG("parent %p state %s", parent,
1433 state_to_string(parent->sk_state));
1434
1435 /* Close not yet accepted channels */
1436 while ((sk = bt_accept_dequeue(parent, NULL))) {
1437 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1438
1439 BT_DBG("child chan %p state %s", chan,
1440 state_to_string(chan->state));
1441
1442 l2cap_chan_hold(chan);
1443 l2cap_chan_lock(chan);
1444
1445 __clear_chan_timer(chan);
1446 l2cap_chan_close(chan, ECONNRESET);
1447 l2cap_sock_kill(sk);
1448
1449 l2cap_chan_unlock(chan);
1450 l2cap_chan_put(chan);
1451 }
1452 }
1453
l2cap_sock_new_connection_cb(struct l2cap_chan * chan)1454 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1455 {
1456 struct sock *sk, *parent = chan->data;
1457
1458 lock_sock(parent);
1459
1460 /* Check for backlog size */
1461 if (sk_acceptq_is_full(parent)) {
1462 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1463 release_sock(parent);
1464 return NULL;
1465 }
1466
1467 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1468 GFP_ATOMIC, 0);
1469 if (!sk) {
1470 release_sock(parent);
1471 return NULL;
1472 }
1473
1474 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1475
1476 l2cap_sock_init(sk, parent);
1477
1478 bt_accept_enqueue(parent, sk, false);
1479
1480 release_sock(parent);
1481
1482 return l2cap_pi(sk)->chan;
1483 }
1484
l2cap_sock_recv_cb(struct l2cap_chan * chan,struct sk_buff * skb)1485 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1486 {
1487 struct sock *sk;
1488 int err;
1489
1490 /* To avoid race with sock_release, a chan lock needs to be added here
1491 * to synchronize the sock.
1492 */
1493 l2cap_chan_hold(chan);
1494 l2cap_chan_lock(chan);
1495 sk = chan->data;
1496
1497 if (!sk) {
1498 l2cap_chan_unlock(chan);
1499 l2cap_chan_put(chan);
1500 return -ENXIO;
1501 }
1502
1503 lock_sock(sk);
1504
1505 if (l2cap_pi(sk)->rx_busy_skb) {
1506 err = -ENOMEM;
1507 goto done;
1508 }
1509
1510 if (chan->mode != L2CAP_MODE_ERTM &&
1511 chan->mode != L2CAP_MODE_STREAMING) {
1512 /* Even if no filter is attached, we could potentially
1513 * get errors from security modules, etc.
1514 */
1515 err = sk_filter(sk, skb);
1516 if (err)
1517 goto done;
1518 }
1519
1520 err = __sock_queue_rcv_skb(sk, skb);
1521
1522 /* For ERTM, handle one skb that doesn't fit into the recv
1523 * buffer. This is important to do because the data frames
1524 * have already been acked, so the skb cannot be discarded.
1525 *
1526 * Notify the l2cap core that the buffer is full, so the
1527 * LOCAL_BUSY state is entered and no more frames are
1528 * acked and reassembled until there is buffer space
1529 * available.
1530 */
1531 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1532 l2cap_pi(sk)->rx_busy_skb = skb;
1533 l2cap_chan_busy(chan, 1);
1534 err = 0;
1535 }
1536
1537 done:
1538 release_sock(sk);
1539 l2cap_chan_unlock(chan);
1540 l2cap_chan_put(chan);
1541
1542 return err;
1543 }
1544
l2cap_sock_close_cb(struct l2cap_chan * chan)1545 static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1546 {
1547 struct sock *sk = chan->data;
1548
1549 if (!sk)
1550 return;
1551
1552 l2cap_sock_kill(sk);
1553 }
1554
l2cap_sock_teardown_cb(struct l2cap_chan * chan,int err)1555 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1556 {
1557 struct sock *sk = chan->data;
1558 struct sock *parent;
1559
1560 if (!sk)
1561 return;
1562
1563 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1564
1565 /* This callback can be called both for server (BT_LISTEN)
1566 * sockets as well as "normal" ones. To avoid lockdep warnings
1567 * with child socket locking (through l2cap_sock_cleanup_listen)
1568 * we need separation into separate nesting levels. The simplest
1569 * way to accomplish this is to inherit the nesting level used
1570 * for the channel.
1571 */
1572 lock_sock_nested(sk, atomic_read(&chan->nesting));
1573
1574 parent = bt_sk(sk)->parent;
1575
1576 switch (chan->state) {
1577 case BT_OPEN:
1578 case BT_BOUND:
1579 case BT_CLOSED:
1580 break;
1581 case BT_LISTEN:
1582 l2cap_sock_cleanup_listen(sk);
1583 sk->sk_state = BT_CLOSED;
1584 chan->state = BT_CLOSED;
1585
1586 break;
1587 default:
1588 sk->sk_state = BT_CLOSED;
1589 chan->state = BT_CLOSED;
1590
1591 sk->sk_err = err;
1592
1593 if (parent) {
1594 bt_accept_unlink(sk);
1595 parent->sk_data_ready(parent);
1596 } else {
1597 sk->sk_state_change(sk);
1598 }
1599
1600 break;
1601 }
1602 release_sock(sk);
1603
1604 /* Only zap after cleanup to avoid use after free race */
1605 sock_set_flag(sk, SOCK_ZAPPED);
1606
1607 }
1608
l2cap_sock_state_change_cb(struct l2cap_chan * chan,int state,int err)1609 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1610 int err)
1611 {
1612 struct sock *sk = chan->data;
1613
1614 sk->sk_state = state;
1615
1616 if (err)
1617 sk->sk_err = err;
1618 }
1619
l2cap_sock_alloc_skb_cb(struct l2cap_chan * chan,unsigned long hdr_len,unsigned long len,int nb)1620 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1621 unsigned long hdr_len,
1622 unsigned long len, int nb)
1623 {
1624 struct sock *sk = chan->data;
1625 struct sk_buff *skb;
1626 int err;
1627
1628 l2cap_chan_unlock(chan);
1629 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1630 l2cap_chan_lock(chan);
1631
1632 if (!skb)
1633 return ERR_PTR(err);
1634
1635 /* Channel lock is released before requesting new skb and then
1636 * reacquired thus we need to recheck channel state.
1637 */
1638 if (chan->state != BT_CONNECTED) {
1639 kfree_skb(skb);
1640 return ERR_PTR(-ENOTCONN);
1641 }
1642
1643 skb->priority = sk->sk_priority;
1644
1645 bt_cb(skb)->l2cap.chan = chan;
1646
1647 return skb;
1648 }
1649
l2cap_sock_ready_cb(struct l2cap_chan * chan)1650 static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1651 {
1652 struct sock *sk = chan->data;
1653 struct sock *parent;
1654
1655 lock_sock(sk);
1656
1657 parent = bt_sk(sk)->parent;
1658
1659 BT_DBG("sk %p, parent %p", sk, parent);
1660
1661 sk->sk_state = BT_CONNECTED;
1662 sk->sk_state_change(sk);
1663
1664 if (parent)
1665 parent->sk_data_ready(parent);
1666
1667 release_sock(sk);
1668 }
1669
l2cap_sock_defer_cb(struct l2cap_chan * chan)1670 static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1671 {
1672 struct sock *parent, *sk = chan->data;
1673
1674 lock_sock(sk);
1675
1676 parent = bt_sk(sk)->parent;
1677 if (parent)
1678 parent->sk_data_ready(parent);
1679
1680 release_sock(sk);
1681 }
1682
l2cap_sock_resume_cb(struct l2cap_chan * chan)1683 static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1684 {
1685 struct sock *sk = chan->data;
1686
1687 if (!sk)
1688 return;
1689
1690 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1691 sk->sk_state = BT_CONNECTED;
1692 chan->state = BT_CONNECTED;
1693 }
1694
1695 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1696 sk->sk_state_change(sk);
1697 }
1698
l2cap_sock_set_shutdown_cb(struct l2cap_chan * chan)1699 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1700 {
1701 struct sock *sk = chan->data;
1702
1703 lock_sock(sk);
1704 sk->sk_shutdown = SHUTDOWN_MASK;
1705 release_sock(sk);
1706 }
1707
l2cap_sock_get_sndtimeo_cb(struct l2cap_chan * chan)1708 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1709 {
1710 struct sock *sk = chan->data;
1711
1712 return sk->sk_sndtimeo;
1713 }
1714
l2cap_sock_get_peer_pid_cb(struct l2cap_chan * chan)1715 static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan)
1716 {
1717 struct sock *sk = chan->data;
1718
1719 return sk->sk_peer_pid;
1720 }
1721
l2cap_sock_suspend_cb(struct l2cap_chan * chan)1722 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1723 {
1724 struct sock *sk = chan->data;
1725
1726 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1727 sk->sk_state_change(sk);
1728 }
1729
l2cap_sock_filter(struct l2cap_chan * chan,struct sk_buff * skb)1730 static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
1731 {
1732 struct sock *sk = chan->data;
1733
1734 switch (chan->mode) {
1735 case L2CAP_MODE_ERTM:
1736 case L2CAP_MODE_STREAMING:
1737 return sk_filter(sk, skb);
1738 }
1739
1740 return 0;
1741 }
1742
1743 static const struct l2cap_ops l2cap_chan_ops = {
1744 .name = "L2CAP Socket Interface",
1745 .new_connection = l2cap_sock_new_connection_cb,
1746 .recv = l2cap_sock_recv_cb,
1747 .close = l2cap_sock_close_cb,
1748 .teardown = l2cap_sock_teardown_cb,
1749 .state_change = l2cap_sock_state_change_cb,
1750 .ready = l2cap_sock_ready_cb,
1751 .defer = l2cap_sock_defer_cb,
1752 .resume = l2cap_sock_resume_cb,
1753 .suspend = l2cap_sock_suspend_cb,
1754 .set_shutdown = l2cap_sock_set_shutdown_cb,
1755 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1756 .get_peer_pid = l2cap_sock_get_peer_pid_cb,
1757 .alloc_skb = l2cap_sock_alloc_skb_cb,
1758 .filter = l2cap_sock_filter,
1759 };
1760
l2cap_sock_destruct(struct sock * sk)1761 static void l2cap_sock_destruct(struct sock *sk)
1762 {
1763 BT_DBG("sk %p", sk);
1764
1765 if (l2cap_pi(sk)->chan) {
1766 l2cap_pi(sk)->chan->data = NULL;
1767 l2cap_chan_put(l2cap_pi(sk)->chan);
1768 }
1769
1770 if (l2cap_pi(sk)->rx_busy_skb) {
1771 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1772 l2cap_pi(sk)->rx_busy_skb = NULL;
1773 }
1774
1775 skb_queue_purge(&sk->sk_receive_queue);
1776 skb_queue_purge(&sk->sk_write_queue);
1777 }
1778
l2cap_skb_msg_name(struct sk_buff * skb,void * msg_name,int * msg_namelen)1779 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1780 int *msg_namelen)
1781 {
1782 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1783
1784 memset(la, 0, sizeof(struct sockaddr_l2));
1785 la->l2_family = AF_BLUETOOTH;
1786 la->l2_psm = bt_cb(skb)->l2cap.psm;
1787 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1788
1789 *msg_namelen = sizeof(struct sockaddr_l2);
1790 }
1791
l2cap_sock_init(struct sock * sk,struct sock * parent)1792 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1793 {
1794 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1795
1796 BT_DBG("sk %p", sk);
1797
1798 if (parent) {
1799 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1800
1801 sk->sk_type = parent->sk_type;
1802 bt_sk(sk)->flags = bt_sk(parent)->flags;
1803
1804 chan->chan_type = pchan->chan_type;
1805 chan->imtu = pchan->imtu;
1806 chan->omtu = pchan->omtu;
1807 chan->conf_state = pchan->conf_state;
1808 chan->mode = pchan->mode;
1809 chan->fcs = pchan->fcs;
1810 chan->max_tx = pchan->max_tx;
1811 chan->tx_win = pchan->tx_win;
1812 chan->tx_win_max = pchan->tx_win_max;
1813 chan->sec_level = pchan->sec_level;
1814 chan->flags = pchan->flags;
1815 chan->tx_credits = pchan->tx_credits;
1816 chan->rx_credits = pchan->rx_credits;
1817
1818 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1819 chan->scid = pchan->scid;
1820 chan->dcid = pchan->scid;
1821 }
1822
1823 security_sk_clone(parent, sk);
1824 } else {
1825 switch (sk->sk_type) {
1826 case SOCK_RAW:
1827 chan->chan_type = L2CAP_CHAN_RAW;
1828 break;
1829 case SOCK_DGRAM:
1830 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1831 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1832 break;
1833 case SOCK_SEQPACKET:
1834 case SOCK_STREAM:
1835 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1836 break;
1837 }
1838
1839 chan->imtu = L2CAP_DEFAULT_MTU;
1840 chan->omtu = 0;
1841 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1842 chan->mode = L2CAP_MODE_ERTM;
1843 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1844 } else {
1845 chan->mode = L2CAP_MODE_BASIC;
1846 }
1847
1848 l2cap_chan_set_defaults(chan);
1849 }
1850
1851 /* Default config options */
1852 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1853
1854 chan->data = sk;
1855 chan->ops = &l2cap_chan_ops;
1856 }
1857
1858 static struct proto l2cap_proto = {
1859 .name = "L2CAP",
1860 .owner = THIS_MODULE,
1861 .obj_size = sizeof(struct l2cap_pinfo)
1862 };
1863
l2cap_sock_alloc(struct net * net,struct socket * sock,int proto,gfp_t prio,int kern)1864 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1865 int proto, gfp_t prio, int kern)
1866 {
1867 struct sock *sk;
1868 struct l2cap_chan *chan;
1869
1870 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern);
1871 if (!sk)
1872 return NULL;
1873
1874 sock_init_data(sock, sk);
1875 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1876
1877 sk->sk_destruct = l2cap_sock_destruct;
1878 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1879
1880 sock_reset_flag(sk, SOCK_ZAPPED);
1881
1882 sk->sk_protocol = proto;
1883 sk->sk_state = BT_OPEN;
1884
1885 chan = l2cap_chan_create();
1886 if (!chan) {
1887 sk_free(sk);
1888 if (sock)
1889 sock->sk = NULL;
1890 return NULL;
1891 }
1892
1893 l2cap_chan_hold(chan);
1894
1895 l2cap_pi(sk)->chan = chan;
1896
1897 return sk;
1898 }
1899
l2cap_sock_create(struct net * net,struct socket * sock,int protocol,int kern)1900 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1901 int kern)
1902 {
1903 struct sock *sk;
1904
1905 BT_DBG("sock %p", sock);
1906
1907 sock->state = SS_UNCONNECTED;
1908
1909 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1910 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1911 return -ESOCKTNOSUPPORT;
1912
1913 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1914 return -EPERM;
1915
1916 sock->ops = &l2cap_sock_ops;
1917
1918 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1919 if (!sk)
1920 return -ENOMEM;
1921
1922 l2cap_sock_init(sk, NULL);
1923 bt_sock_link(&l2cap_sk_list, sk);
1924 return 0;
1925 }
1926
1927 static const struct proto_ops l2cap_sock_ops = {
1928 .family = PF_BLUETOOTH,
1929 .owner = THIS_MODULE,
1930 .release = l2cap_sock_release,
1931 .bind = l2cap_sock_bind,
1932 .connect = l2cap_sock_connect,
1933 .listen = l2cap_sock_listen,
1934 .accept = l2cap_sock_accept,
1935 .getname = l2cap_sock_getname,
1936 .sendmsg = l2cap_sock_sendmsg,
1937 .recvmsg = l2cap_sock_recvmsg,
1938 .poll = bt_sock_poll,
1939 .ioctl = bt_sock_ioctl,
1940 .gettstamp = sock_gettstamp,
1941 .mmap = sock_no_mmap,
1942 .socketpair = sock_no_socketpair,
1943 .shutdown = l2cap_sock_shutdown,
1944 .setsockopt = l2cap_sock_setsockopt,
1945 .getsockopt = l2cap_sock_getsockopt
1946 };
1947
1948 static const struct net_proto_family l2cap_sock_family_ops = {
1949 .family = PF_BLUETOOTH,
1950 .owner = THIS_MODULE,
1951 .create = l2cap_sock_create,
1952 };
1953
l2cap_init_sockets(void)1954 int __init l2cap_init_sockets(void)
1955 {
1956 int err;
1957
1958 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1959
1960 err = proto_register(&l2cap_proto, 0);
1961 if (err < 0)
1962 return err;
1963
1964 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1965 if (err < 0) {
1966 BT_ERR("L2CAP socket registration failed");
1967 goto error;
1968 }
1969
1970 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1971 NULL);
1972 if (err < 0) {
1973 BT_ERR("Failed to create L2CAP proc file");
1974 bt_sock_unregister(BTPROTO_L2CAP);
1975 goto error;
1976 }
1977
1978 BT_INFO("L2CAP socket layer initialized");
1979
1980 return 0;
1981
1982 error:
1983 proto_unregister(&l2cap_proto);
1984 return err;
1985 }
1986
l2cap_cleanup_sockets(void)1987 void l2cap_cleanup_sockets(void)
1988 {
1989 bt_procfs_cleanup(&init_net, "l2cap");
1990 bt_sock_unregister(BTPROTO_L2CAP);
1991 proto_unregister(&l2cap_proto);
1992 }
1993