• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4    Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5    Copyright (C) 2010 Google Inc.
6    Copyright (C) 2011 ProFUSION Embedded Systems
7 
8    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9 
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License version 2 as
12    published by the Free Software Foundation;
13 
14    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22 
23    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25    SOFTWARE IS DISCLAIMED.
26 */
27 
28 /* Bluetooth L2CAP sockets. */
29 
30 #include <linux/module.h>
31 #include <linux/export.h>
32 #include <linux/sched/signal.h>
33 
34 #include <net/bluetooth/bluetooth.h>
35 #include <net/bluetooth/hci_core.h>
36 #include <net/bluetooth/l2cap.h>
37 
38 #include "smp.h"
39 
40 static struct bt_sock_list l2cap_sk_list = {
41 	.lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
42 };
43 
44 static const struct proto_ops l2cap_sock_ops;
45 static void l2cap_sock_init(struct sock *sk, struct sock *parent);
46 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
47 				     int proto, gfp_t prio, int kern);
48 
l2cap_is_socket(struct socket * sock)49 bool l2cap_is_socket(struct socket *sock)
50 {
51 	return sock && sock->ops == &l2cap_sock_ops;
52 }
53 EXPORT_SYMBOL(l2cap_is_socket);
54 
l2cap_validate_bredr_psm(u16 psm)55 static int l2cap_validate_bredr_psm(u16 psm)
56 {
57 	/* PSM must be odd and lsb of upper byte must be 0 */
58 	if ((psm & 0x0101) != 0x0001)
59 		return -EINVAL;
60 
61 	/* Restrict usage of well-known PSMs */
62 	if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
63 		return -EACCES;
64 
65 	return 0;
66 }
67 
l2cap_validate_le_psm(u16 psm)68 static int l2cap_validate_le_psm(u16 psm)
69 {
70 	/* Valid LE_PSM ranges are defined only until 0x00ff */
71 	if (psm > L2CAP_PSM_LE_DYN_END)
72 		return -EINVAL;
73 
74 	/* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
75 	if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
76 		return -EACCES;
77 
78 	return 0;
79 }
80 
l2cap_sock_bind(struct socket * sock,struct sockaddr * addr,int alen)81 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
82 {
83 	struct sock *sk = sock->sk;
84 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
85 	struct sockaddr_l2 la;
86 	int len, err = 0;
87 
88 	BT_DBG("sk %p", sk);
89 
90 	if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
91 	    addr->sa_family != AF_BLUETOOTH)
92 		return -EINVAL;
93 
94 	memset(&la, 0, sizeof(la));
95 	len = min_t(unsigned int, sizeof(la), alen);
96 	memcpy(&la, addr, len);
97 
98 	if (la.l2_cid && la.l2_psm)
99 		return -EINVAL;
100 
101 	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
102 		return -EINVAL;
103 
104 	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
105 		/* We only allow ATT user space socket */
106 		if (la.l2_cid &&
107 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
108 			return -EINVAL;
109 	}
110 
111 	lock_sock(sk);
112 
113 	if (sk->sk_state != BT_OPEN) {
114 		err = -EBADFD;
115 		goto done;
116 	}
117 
118 	if (la.l2_psm) {
119 		__u16 psm = __le16_to_cpu(la.l2_psm);
120 
121 		if (la.l2_bdaddr_type == BDADDR_BREDR)
122 			err = l2cap_validate_bredr_psm(psm);
123 		else
124 			err = l2cap_validate_le_psm(psm);
125 
126 		if (err)
127 			goto done;
128 	}
129 
130 	bacpy(&chan->src, &la.l2_bdaddr);
131 	chan->src_type = la.l2_bdaddr_type;
132 
133 	if (la.l2_cid)
134 		err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
135 	else
136 		err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
137 
138 	if (err < 0)
139 		goto done;
140 
141 	switch (chan->chan_type) {
142 	case L2CAP_CHAN_CONN_LESS:
143 		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
144 			chan->sec_level = BT_SECURITY_SDP;
145 		break;
146 	case L2CAP_CHAN_CONN_ORIENTED:
147 		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
148 		    __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
149 			chan->sec_level = BT_SECURITY_SDP;
150 		break;
151 	case L2CAP_CHAN_RAW:
152 		chan->sec_level = BT_SECURITY_SDP;
153 		break;
154 	case L2CAP_CHAN_FIXED:
155 		/* Fixed channels default to the L2CAP core not holding a
156 		 * hci_conn reference for them. For fixed channels mapping to
157 		 * L2CAP sockets we do want to hold a reference so set the
158 		 * appropriate flag to request it.
159 		 */
160 		set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
161 		break;
162 	}
163 
164 	if (chan->psm && bdaddr_type_is_le(chan->src_type))
165 		chan->mode = L2CAP_MODE_LE_FLOWCTL;
166 
167 	chan->state = BT_BOUND;
168 	sk->sk_state = BT_BOUND;
169 
170 done:
171 	release_sock(sk);
172 	return err;
173 }
174 
l2cap_sock_connect(struct socket * sock,struct sockaddr * addr,int alen,int flags)175 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
176 			      int alen, int flags)
177 {
178 	struct sock *sk = sock->sk;
179 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
180 	struct sockaddr_l2 la;
181 	int len, err = 0;
182 
183 	BT_DBG("sk %p", sk);
184 
185 	if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
186 	    addr->sa_family != AF_BLUETOOTH)
187 		return -EINVAL;
188 
189 	memset(&la, 0, sizeof(la));
190 	len = min_t(unsigned int, sizeof(la), alen);
191 	memcpy(&la, addr, len);
192 
193 	if (la.l2_cid && la.l2_psm)
194 		return -EINVAL;
195 
196 	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
197 		return -EINVAL;
198 
199 	/* Check that the socket wasn't bound to something that
200 	 * conflicts with the address given to connect(). If chan->src
201 	 * is BDADDR_ANY it means bind() was never used, in which case
202 	 * chan->src_type and la.l2_bdaddr_type do not need to match.
203 	 */
204 	if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
205 	    bdaddr_type_is_le(la.l2_bdaddr_type)) {
206 		/* Old user space versions will try to incorrectly bind
207 		 * the ATT socket using BDADDR_BREDR. We need to accept
208 		 * this and fix up the source address type only when
209 		 * both the source CID and destination CID indicate
210 		 * ATT. Anything else is an invalid combination.
211 		 */
212 		if (chan->scid != L2CAP_CID_ATT ||
213 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
214 			return -EINVAL;
215 
216 		/* We don't have the hdev available here to make a
217 		 * better decision on random vs public, but since all
218 		 * user space versions that exhibit this issue anyway do
219 		 * not support random local addresses assuming public
220 		 * here is good enough.
221 		 */
222 		chan->src_type = BDADDR_LE_PUBLIC;
223 	}
224 
225 	if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
226 		return -EINVAL;
227 
228 	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
229 		/* We only allow ATT user space socket */
230 		if (la.l2_cid &&
231 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
232 			return -EINVAL;
233 	}
234 
235 	if (chan->psm && bdaddr_type_is_le(chan->src_type))
236 		chan->mode = L2CAP_MODE_LE_FLOWCTL;
237 
238 	err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
239 				 &la.l2_bdaddr, la.l2_bdaddr_type);
240 	if (err)
241 		return err;
242 
243 	lock_sock(sk);
244 
245 	err = bt_sock_wait_state(sk, BT_CONNECTED,
246 				 sock_sndtimeo(sk, flags & O_NONBLOCK));
247 
248 	release_sock(sk);
249 
250 	return err;
251 }
252 
l2cap_sock_listen(struct socket * sock,int backlog)253 static int l2cap_sock_listen(struct socket *sock, int backlog)
254 {
255 	struct sock *sk = sock->sk;
256 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
257 	int err = 0;
258 
259 	BT_DBG("sk %p backlog %d", sk, backlog);
260 
261 	lock_sock(sk);
262 
263 	if (sk->sk_state != BT_BOUND) {
264 		err = -EBADFD;
265 		goto done;
266 	}
267 
268 	if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
269 		err = -EINVAL;
270 		goto done;
271 	}
272 
273 	switch (chan->mode) {
274 	case L2CAP_MODE_BASIC:
275 	case L2CAP_MODE_LE_FLOWCTL:
276 		break;
277 	case L2CAP_MODE_ERTM:
278 	case L2CAP_MODE_STREAMING:
279 		if (!disable_ertm)
280 			break;
281 		/* fall through */
282 	default:
283 		err = -EOPNOTSUPP;
284 		goto done;
285 	}
286 
287 	sk->sk_max_ack_backlog = backlog;
288 	sk->sk_ack_backlog = 0;
289 
290 	/* Listening channels need to use nested locking in order not to
291 	 * cause lockdep warnings when the created child channels end up
292 	 * being locked in the same thread as the parent channel.
293 	 */
294 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
295 
296 	chan->state = BT_LISTEN;
297 	sk->sk_state = BT_LISTEN;
298 
299 done:
300 	release_sock(sk);
301 	return err;
302 }
303 
l2cap_sock_accept(struct socket * sock,struct socket * newsock,int flags,bool kern)304 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
305 			     int flags, bool kern)
306 {
307 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
308 	struct sock *sk = sock->sk, *nsk;
309 	long timeo;
310 	int err = 0;
311 
312 	lock_sock_nested(sk, L2CAP_NESTING_PARENT);
313 
314 	timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
315 
316 	BT_DBG("sk %p timeo %ld", sk, timeo);
317 
318 	/* Wait for an incoming connection. (wake-one). */
319 	add_wait_queue_exclusive(sk_sleep(sk), &wait);
320 	while (1) {
321 		if (sk->sk_state != BT_LISTEN) {
322 			err = -EBADFD;
323 			break;
324 		}
325 
326 		nsk = bt_accept_dequeue(sk, newsock);
327 		if (nsk)
328 			break;
329 
330 		if (!timeo) {
331 			err = -EAGAIN;
332 			break;
333 		}
334 
335 		if (signal_pending(current)) {
336 			err = sock_intr_errno(timeo);
337 			break;
338 		}
339 
340 		release_sock(sk);
341 
342 		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
343 
344 		lock_sock_nested(sk, L2CAP_NESTING_PARENT);
345 	}
346 	remove_wait_queue(sk_sleep(sk), &wait);
347 
348 	if (err)
349 		goto done;
350 
351 	newsock->state = SS_CONNECTED;
352 
353 	BT_DBG("new socket %p", nsk);
354 
355 done:
356 	release_sock(sk);
357 	return err;
358 }
359 
l2cap_sock_getname(struct socket * sock,struct sockaddr * addr,int peer)360 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
361 			      int peer)
362 {
363 	struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
364 	struct sock *sk = sock->sk;
365 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
366 
367 	BT_DBG("sock %p, sk %p", sock, sk);
368 
369 	if (peer && sk->sk_state != BT_CONNECTED &&
370 	    sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
371 	    sk->sk_state != BT_CONFIG)
372 		return -ENOTCONN;
373 
374 	memset(la, 0, sizeof(struct sockaddr_l2));
375 	addr->sa_family = AF_BLUETOOTH;
376 
377 	la->l2_psm = chan->psm;
378 
379 	if (peer) {
380 		bacpy(&la->l2_bdaddr, &chan->dst);
381 		la->l2_cid = cpu_to_le16(chan->dcid);
382 		la->l2_bdaddr_type = chan->dst_type;
383 	} else {
384 		bacpy(&la->l2_bdaddr, &chan->src);
385 		la->l2_cid = cpu_to_le16(chan->scid);
386 		la->l2_bdaddr_type = chan->src_type;
387 	}
388 
389 	return sizeof(struct sockaddr_l2);
390 }
391 
l2cap_sock_getsockopt_old(struct socket * sock,int optname,char __user * optval,int __user * optlen)392 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
393 				     char __user *optval, int __user *optlen)
394 {
395 	struct sock *sk = sock->sk;
396 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
397 	struct l2cap_options opts;
398 	struct l2cap_conninfo cinfo;
399 	int len, err = 0;
400 	u32 opt;
401 
402 	BT_DBG("sk %p", sk);
403 
404 	if (get_user(len, optlen))
405 		return -EFAULT;
406 
407 	lock_sock(sk);
408 
409 	switch (optname) {
410 	case L2CAP_OPTIONS:
411 		/* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
412 		 * legacy ATT code depends on getsockopt for
413 		 * L2CAP_OPTIONS we need to let this pass.
414 		 */
415 		if (bdaddr_type_is_le(chan->src_type) &&
416 		    chan->scid != L2CAP_CID_ATT) {
417 			err = -EINVAL;
418 			break;
419 		}
420 
421 		memset(&opts, 0, sizeof(opts));
422 		opts.imtu     = chan->imtu;
423 		opts.omtu     = chan->omtu;
424 		opts.flush_to = chan->flush_to;
425 		opts.mode     = chan->mode;
426 		opts.fcs      = chan->fcs;
427 		opts.max_tx   = chan->max_tx;
428 		opts.txwin_size = chan->tx_win;
429 
430 		len = min_t(unsigned int, len, sizeof(opts));
431 		if (copy_to_user(optval, (char *) &opts, len))
432 			err = -EFAULT;
433 
434 		break;
435 
436 	case L2CAP_LM:
437 		switch (chan->sec_level) {
438 		case BT_SECURITY_LOW:
439 			opt = L2CAP_LM_AUTH;
440 			break;
441 		case BT_SECURITY_MEDIUM:
442 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
443 			break;
444 		case BT_SECURITY_HIGH:
445 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
446 			      L2CAP_LM_SECURE;
447 			break;
448 		case BT_SECURITY_FIPS:
449 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
450 			      L2CAP_LM_SECURE | L2CAP_LM_FIPS;
451 			break;
452 		default:
453 			opt = 0;
454 			break;
455 		}
456 
457 		if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
458 			opt |= L2CAP_LM_MASTER;
459 
460 		if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
461 			opt |= L2CAP_LM_RELIABLE;
462 
463 		if (put_user(opt, (u32 __user *) optval))
464 			err = -EFAULT;
465 
466 		break;
467 
468 	case L2CAP_CONNINFO:
469 		if (sk->sk_state != BT_CONNECTED &&
470 		    !(sk->sk_state == BT_CONNECT2 &&
471 		      test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
472 			err = -ENOTCONN;
473 			break;
474 		}
475 
476 		memset(&cinfo, 0, sizeof(cinfo));
477 		cinfo.hci_handle = chan->conn->hcon->handle;
478 		memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
479 
480 		len = min_t(unsigned int, len, sizeof(cinfo));
481 		if (copy_to_user(optval, (char *) &cinfo, len))
482 			err = -EFAULT;
483 
484 		break;
485 
486 	default:
487 		err = -ENOPROTOOPT;
488 		break;
489 	}
490 
491 	release_sock(sk);
492 	return err;
493 }
494 
l2cap_sock_getsockopt(struct socket * sock,int level,int optname,char __user * optval,int __user * optlen)495 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
496 				 char __user *optval, int __user *optlen)
497 {
498 	struct sock *sk = sock->sk;
499 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
500 	struct bt_security sec;
501 	struct bt_power pwr;
502 	int len, err = 0;
503 
504 	BT_DBG("sk %p", sk);
505 
506 	if (level == SOL_L2CAP)
507 		return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
508 
509 	if (level != SOL_BLUETOOTH)
510 		return -ENOPROTOOPT;
511 
512 	if (get_user(len, optlen))
513 		return -EFAULT;
514 
515 	lock_sock(sk);
516 
517 	switch (optname) {
518 	case BT_SECURITY:
519 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
520 		    chan->chan_type != L2CAP_CHAN_FIXED &&
521 		    chan->chan_type != L2CAP_CHAN_RAW) {
522 			err = -EINVAL;
523 			break;
524 		}
525 
526 		memset(&sec, 0, sizeof(sec));
527 		if (chan->conn) {
528 			sec.level = chan->conn->hcon->sec_level;
529 
530 			if (sk->sk_state == BT_CONNECTED)
531 				sec.key_size = chan->conn->hcon->enc_key_size;
532 		} else {
533 			sec.level = chan->sec_level;
534 		}
535 
536 		len = min_t(unsigned int, len, sizeof(sec));
537 		if (copy_to_user(optval, (char *) &sec, len))
538 			err = -EFAULT;
539 
540 		break;
541 
542 	case BT_DEFER_SETUP:
543 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
544 			err = -EINVAL;
545 			break;
546 		}
547 
548 		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
549 			     (u32 __user *) optval))
550 			err = -EFAULT;
551 
552 		break;
553 
554 	case BT_FLUSHABLE:
555 		if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
556 			     (u32 __user *) optval))
557 			err = -EFAULT;
558 
559 		break;
560 
561 	case BT_POWER:
562 		if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
563 		    && sk->sk_type != SOCK_RAW) {
564 			err = -EINVAL;
565 			break;
566 		}
567 
568 		pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
569 
570 		len = min_t(unsigned int, len, sizeof(pwr));
571 		if (copy_to_user(optval, (char *) &pwr, len))
572 			err = -EFAULT;
573 
574 		break;
575 
576 	case BT_CHANNEL_POLICY:
577 		if (put_user(chan->chan_policy, (u32 __user *) optval))
578 			err = -EFAULT;
579 		break;
580 
581 	case BT_SNDMTU:
582 		if (!bdaddr_type_is_le(chan->src_type)) {
583 			err = -EINVAL;
584 			break;
585 		}
586 
587 		if (sk->sk_state != BT_CONNECTED) {
588 			err = -ENOTCONN;
589 			break;
590 		}
591 
592 		if (put_user(chan->omtu, (u16 __user *) optval))
593 			err = -EFAULT;
594 		break;
595 
596 	case BT_RCVMTU:
597 		if (!bdaddr_type_is_le(chan->src_type)) {
598 			err = -EINVAL;
599 			break;
600 		}
601 
602 		if (put_user(chan->imtu, (u16 __user *) optval))
603 			err = -EFAULT;
604 		break;
605 
606 	default:
607 		err = -ENOPROTOOPT;
608 		break;
609 	}
610 
611 	release_sock(sk);
612 	return err;
613 }
614 
l2cap_valid_mtu(struct l2cap_chan * chan,u16 mtu)615 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
616 {
617 	switch (chan->scid) {
618 	case L2CAP_CID_ATT:
619 		if (mtu < L2CAP_LE_MIN_MTU)
620 			return false;
621 		break;
622 
623 	default:
624 		if (mtu < L2CAP_DEFAULT_MIN_MTU)
625 			return false;
626 	}
627 
628 	return true;
629 }
630 
l2cap_sock_setsockopt_old(struct socket * sock,int optname,char __user * optval,unsigned int optlen)631 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
632 				     char __user *optval, unsigned int optlen)
633 {
634 	struct sock *sk = sock->sk;
635 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
636 	struct l2cap_options opts;
637 	int len, err = 0;
638 	u32 opt;
639 
640 	BT_DBG("sk %p", sk);
641 
642 	lock_sock(sk);
643 
644 	switch (optname) {
645 	case L2CAP_OPTIONS:
646 		if (bdaddr_type_is_le(chan->src_type)) {
647 			err = -EINVAL;
648 			break;
649 		}
650 
651 		if (sk->sk_state == BT_CONNECTED) {
652 			err = -EINVAL;
653 			break;
654 		}
655 
656 		opts.imtu     = chan->imtu;
657 		opts.omtu     = chan->omtu;
658 		opts.flush_to = chan->flush_to;
659 		opts.mode     = chan->mode;
660 		opts.fcs      = chan->fcs;
661 		opts.max_tx   = chan->max_tx;
662 		opts.txwin_size = chan->tx_win;
663 
664 		len = min_t(unsigned int, sizeof(opts), optlen);
665 		if (copy_from_user((char *) &opts, optval, len)) {
666 			err = -EFAULT;
667 			break;
668 		}
669 
670 		if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
671 			err = -EINVAL;
672 			break;
673 		}
674 
675 		if (!l2cap_valid_mtu(chan, opts.imtu)) {
676 			err = -EINVAL;
677 			break;
678 		}
679 
680 		chan->mode = opts.mode;
681 		switch (chan->mode) {
682 		case L2CAP_MODE_LE_FLOWCTL:
683 			break;
684 		case L2CAP_MODE_BASIC:
685 			clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
686 			break;
687 		case L2CAP_MODE_ERTM:
688 		case L2CAP_MODE_STREAMING:
689 			if (!disable_ertm)
690 				break;
691 			/* fall through */
692 		default:
693 			err = -EINVAL;
694 			break;
695 		}
696 
697 		chan->imtu = opts.imtu;
698 		chan->omtu = opts.omtu;
699 		chan->fcs  = opts.fcs;
700 		chan->max_tx = opts.max_tx;
701 		chan->tx_win = opts.txwin_size;
702 		chan->flush_to = opts.flush_to;
703 		break;
704 
705 	case L2CAP_LM:
706 		if (get_user(opt, (u32 __user *) optval)) {
707 			err = -EFAULT;
708 			break;
709 		}
710 
711 		if (opt & L2CAP_LM_FIPS) {
712 			err = -EINVAL;
713 			break;
714 		}
715 
716 		if (opt & L2CAP_LM_AUTH)
717 			chan->sec_level = BT_SECURITY_LOW;
718 		if (opt & L2CAP_LM_ENCRYPT)
719 			chan->sec_level = BT_SECURITY_MEDIUM;
720 		if (opt & L2CAP_LM_SECURE)
721 			chan->sec_level = BT_SECURITY_HIGH;
722 
723 		if (opt & L2CAP_LM_MASTER)
724 			set_bit(FLAG_ROLE_SWITCH, &chan->flags);
725 		else
726 			clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
727 
728 		if (opt & L2CAP_LM_RELIABLE)
729 			set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
730 		else
731 			clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
732 		break;
733 
734 	default:
735 		err = -ENOPROTOOPT;
736 		break;
737 	}
738 
739 	release_sock(sk);
740 	return err;
741 }
742 
l2cap_sock_setsockopt(struct socket * sock,int level,int optname,char __user * optval,unsigned int optlen)743 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
744 				 char __user *optval, unsigned int optlen)
745 {
746 	struct sock *sk = sock->sk;
747 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
748 	struct bt_security sec;
749 	struct bt_power pwr;
750 	struct l2cap_conn *conn;
751 	int len, err = 0;
752 	u32 opt;
753 
754 	BT_DBG("sk %p", sk);
755 
756 	if (level == SOL_L2CAP)
757 		return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
758 
759 	if (level != SOL_BLUETOOTH)
760 		return -ENOPROTOOPT;
761 
762 	lock_sock(sk);
763 
764 	switch (optname) {
765 	case BT_SECURITY:
766 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
767 		    chan->chan_type != L2CAP_CHAN_FIXED &&
768 		    chan->chan_type != L2CAP_CHAN_RAW) {
769 			err = -EINVAL;
770 			break;
771 		}
772 
773 		sec.level = BT_SECURITY_LOW;
774 
775 		len = min_t(unsigned int, sizeof(sec), optlen);
776 		if (copy_from_user((char *) &sec, optval, len)) {
777 			err = -EFAULT;
778 			break;
779 		}
780 
781 		if (sec.level < BT_SECURITY_LOW ||
782 		    sec.level > BT_SECURITY_FIPS) {
783 			err = -EINVAL;
784 			break;
785 		}
786 
787 		chan->sec_level = sec.level;
788 
789 		if (!chan->conn)
790 			break;
791 
792 		conn = chan->conn;
793 
794 		/* change security for LE channels */
795 		if (chan->scid == L2CAP_CID_ATT) {
796 			if (smp_conn_security(conn->hcon, sec.level)) {
797 				err = -EINVAL;
798 				break;
799 			}
800 
801 			set_bit(FLAG_PENDING_SECURITY, &chan->flags);
802 			sk->sk_state = BT_CONFIG;
803 			chan->state = BT_CONFIG;
804 
805 		/* or for ACL link */
806 		} else if ((sk->sk_state == BT_CONNECT2 &&
807 			    test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
808 			   sk->sk_state == BT_CONNECTED) {
809 			if (!l2cap_chan_check_security(chan, true))
810 				set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
811 			else
812 				sk->sk_state_change(sk);
813 		} else {
814 			err = -EINVAL;
815 		}
816 		break;
817 
818 	case BT_DEFER_SETUP:
819 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
820 			err = -EINVAL;
821 			break;
822 		}
823 
824 		if (get_user(opt, (u32 __user *) optval)) {
825 			err = -EFAULT;
826 			break;
827 		}
828 
829 		if (opt) {
830 			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
831 			set_bit(FLAG_DEFER_SETUP, &chan->flags);
832 		} else {
833 			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
834 			clear_bit(FLAG_DEFER_SETUP, &chan->flags);
835 		}
836 		break;
837 
838 	case BT_FLUSHABLE:
839 		if (get_user(opt, (u32 __user *) optval)) {
840 			err = -EFAULT;
841 			break;
842 		}
843 
844 		if (opt > BT_FLUSHABLE_ON) {
845 			err = -EINVAL;
846 			break;
847 		}
848 
849 		if (opt == BT_FLUSHABLE_OFF) {
850 			conn = chan->conn;
851 			/* proceed further only when we have l2cap_conn and
852 			   No Flush support in the LM */
853 			if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
854 				err = -EINVAL;
855 				break;
856 			}
857 		}
858 
859 		if (opt)
860 			set_bit(FLAG_FLUSHABLE, &chan->flags);
861 		else
862 			clear_bit(FLAG_FLUSHABLE, &chan->flags);
863 		break;
864 
865 	case BT_POWER:
866 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
867 		    chan->chan_type != L2CAP_CHAN_RAW) {
868 			err = -EINVAL;
869 			break;
870 		}
871 
872 		pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
873 
874 		len = min_t(unsigned int, sizeof(pwr), optlen);
875 		if (copy_from_user((char *) &pwr, optval, len)) {
876 			err = -EFAULT;
877 			break;
878 		}
879 
880 		if (pwr.force_active)
881 			set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
882 		else
883 			clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
884 		break;
885 
886 	case BT_CHANNEL_POLICY:
887 		if (get_user(opt, (u32 __user *) optval)) {
888 			err = -EFAULT;
889 			break;
890 		}
891 
892 		if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
893 			err = -EINVAL;
894 			break;
895 		}
896 
897 		if (chan->mode != L2CAP_MODE_ERTM &&
898 		    chan->mode != L2CAP_MODE_STREAMING) {
899 			err = -EOPNOTSUPP;
900 			break;
901 		}
902 
903 		chan->chan_policy = (u8) opt;
904 
905 		if (sk->sk_state == BT_CONNECTED &&
906 		    chan->move_role == L2CAP_MOVE_ROLE_NONE)
907 			l2cap_move_start(chan);
908 
909 		break;
910 
911 	case BT_SNDMTU:
912 		if (!bdaddr_type_is_le(chan->src_type)) {
913 			err = -EINVAL;
914 			break;
915 		}
916 
917 		/* Setting is not supported as it's the remote side that
918 		 * decides this.
919 		 */
920 		err = -EPERM;
921 		break;
922 
923 	case BT_RCVMTU:
924 		if (!bdaddr_type_is_le(chan->src_type)) {
925 			err = -EINVAL;
926 			break;
927 		}
928 
929 		if (sk->sk_state == BT_CONNECTED) {
930 			err = -EISCONN;
931 			break;
932 		}
933 
934 		if (get_user(opt, (u16 __user *) optval)) {
935 			err = -EFAULT;
936 			break;
937 		}
938 
939 		chan->imtu = opt;
940 		break;
941 
942 	default:
943 		err = -ENOPROTOOPT;
944 		break;
945 	}
946 
947 	release_sock(sk);
948 	return err;
949 }
950 
l2cap_sock_sendmsg(struct socket * sock,struct msghdr * msg,size_t len)951 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
952 			      size_t len)
953 {
954 	struct sock *sk = sock->sk;
955 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
956 	int err;
957 
958 	BT_DBG("sock %p, sk %p", sock, sk);
959 
960 	err = sock_error(sk);
961 	if (err)
962 		return err;
963 
964 	if (msg->msg_flags & MSG_OOB)
965 		return -EOPNOTSUPP;
966 
967 	if (sk->sk_state != BT_CONNECTED)
968 		return -ENOTCONN;
969 
970 	lock_sock(sk);
971 	err = bt_sock_wait_ready(sk, msg->msg_flags);
972 	release_sock(sk);
973 	if (err)
974 		return err;
975 
976 	l2cap_chan_lock(chan);
977 	err = l2cap_chan_send(chan, msg, len);
978 	l2cap_chan_unlock(chan);
979 
980 	return err;
981 }
982 
l2cap_sock_recvmsg(struct socket * sock,struct msghdr * msg,size_t len,int flags)983 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
984 			      size_t len, int flags)
985 {
986 	struct sock *sk = sock->sk;
987 	struct l2cap_pinfo *pi = l2cap_pi(sk);
988 	int err;
989 
990 	lock_sock(sk);
991 
992 	if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
993 						    &bt_sk(sk)->flags)) {
994 		if (bdaddr_type_is_le(pi->chan->src_type)) {
995 			sk->sk_state = BT_CONNECTED;
996 			pi->chan->state = BT_CONNECTED;
997 			__l2cap_le_connect_rsp_defer(pi->chan);
998 		} else {
999 			sk->sk_state = BT_CONFIG;
1000 			pi->chan->state = BT_CONFIG;
1001 			__l2cap_connect_rsp_defer(pi->chan);
1002 		}
1003 
1004 		err = 0;
1005 		goto done;
1006 	}
1007 
1008 	release_sock(sk);
1009 
1010 	if (sock->type == SOCK_STREAM)
1011 		err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1012 	else
1013 		err = bt_sock_recvmsg(sock, msg, len, flags);
1014 
1015 	if (pi->chan->mode != L2CAP_MODE_ERTM)
1016 		return err;
1017 
1018 	/* Attempt to put pending rx data in the socket buffer */
1019 
1020 	lock_sock(sk);
1021 
1022 	if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1023 		goto done;
1024 
1025 	if (pi->rx_busy_skb) {
1026 		if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1027 			pi->rx_busy_skb = NULL;
1028 		else
1029 			goto done;
1030 	}
1031 
1032 	/* Restore data flow when half of the receive buffer is
1033 	 * available.  This avoids resending large numbers of
1034 	 * frames.
1035 	 */
1036 	if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1037 		l2cap_chan_busy(pi->chan, 0);
1038 
1039 done:
1040 	release_sock(sk);
1041 	return err;
1042 }
1043 
1044 /* Kill socket (only if zapped and orphan)
1045  * Must be called on unlocked socket.
1046  */
l2cap_sock_kill(struct sock * sk)1047 static void l2cap_sock_kill(struct sock *sk)
1048 {
1049 	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1050 		return;
1051 
1052 	BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1053 
1054 	/* Kill poor orphan */
1055 
1056 	l2cap_chan_put(l2cap_pi(sk)->chan);
1057 	sock_set_flag(sk, SOCK_DEAD);
1058 	sock_put(sk);
1059 }
1060 
__l2cap_wait_ack(struct sock * sk,struct l2cap_chan * chan)1061 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1062 {
1063 	DECLARE_WAITQUEUE(wait, current);
1064 	int err = 0;
1065 	int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1066 	/* Timeout to prevent infinite loop */
1067 	unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1068 
1069 	add_wait_queue(sk_sleep(sk), &wait);
1070 	set_current_state(TASK_INTERRUPTIBLE);
1071 	do {
1072 		BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1073 		       chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1074 		       jiffies_to_msecs(timeout - jiffies));
1075 
1076 		if (!timeo)
1077 			timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1078 
1079 		if (signal_pending(current)) {
1080 			err = sock_intr_errno(timeo);
1081 			break;
1082 		}
1083 
1084 		release_sock(sk);
1085 		timeo = schedule_timeout(timeo);
1086 		lock_sock(sk);
1087 		set_current_state(TASK_INTERRUPTIBLE);
1088 
1089 		err = sock_error(sk);
1090 		if (err)
1091 			break;
1092 
1093 		if (time_after(jiffies, timeout)) {
1094 			err = -ENOLINK;
1095 			break;
1096 		}
1097 
1098 	} while (chan->unacked_frames > 0 &&
1099 		 chan->state == BT_CONNECTED);
1100 
1101 	set_current_state(TASK_RUNNING);
1102 	remove_wait_queue(sk_sleep(sk), &wait);
1103 	return err;
1104 }
1105 
l2cap_sock_shutdown(struct socket * sock,int how)1106 static int l2cap_sock_shutdown(struct socket *sock, int how)
1107 {
1108 	struct sock *sk = sock->sk;
1109 	struct l2cap_chan *chan;
1110 	struct l2cap_conn *conn;
1111 	int err = 0;
1112 
1113 	BT_DBG("sock %p, sk %p", sock, sk);
1114 
1115 	if (!sk)
1116 		return 0;
1117 
1118 	lock_sock(sk);
1119 
1120 	if (sk->sk_shutdown)
1121 		goto shutdown_already;
1122 
1123 	BT_DBG("Handling sock shutdown");
1124 
1125 	/* prevent sk structure from being freed whilst unlocked */
1126 	sock_hold(sk);
1127 
1128 	chan = l2cap_pi(sk)->chan;
1129 	/* prevent chan structure from being freed whilst unlocked */
1130 	l2cap_chan_hold(chan);
1131 
1132 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1133 
1134 	if (chan->mode == L2CAP_MODE_ERTM &&
1135 	    chan->unacked_frames > 0 &&
1136 	    chan->state == BT_CONNECTED) {
1137 		err = __l2cap_wait_ack(sk, chan);
1138 
1139 		/* After waiting for ACKs, check whether shutdown
1140 		 * has already been actioned to close the L2CAP
1141 		 * link such as by l2cap_disconnection_req().
1142 		 */
1143 		if (sk->sk_shutdown)
1144 			goto has_shutdown;
1145 	}
1146 
1147 	sk->sk_shutdown = SHUTDOWN_MASK;
1148 	release_sock(sk);
1149 
1150 	l2cap_chan_lock(chan);
1151 	conn = chan->conn;
1152 	if (conn)
1153 		/* prevent conn structure from being freed */
1154 		l2cap_conn_get(conn);
1155 	l2cap_chan_unlock(chan);
1156 
1157 	if (conn)
1158 		/* mutex lock must be taken before l2cap_chan_lock() */
1159 		mutex_lock(&conn->chan_lock);
1160 
1161 	l2cap_chan_lock(chan);
1162 	l2cap_chan_close(chan, 0);
1163 	l2cap_chan_unlock(chan);
1164 
1165 	if (conn) {
1166 		mutex_unlock(&conn->chan_lock);
1167 		l2cap_conn_put(conn);
1168 	}
1169 
1170 	lock_sock(sk);
1171 
1172 	if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1173 	    !(current->flags & PF_EXITING))
1174 		err = bt_sock_wait_state(sk, BT_CLOSED,
1175 					 sk->sk_lingertime);
1176 
1177 has_shutdown:
1178 	l2cap_chan_put(chan);
1179 	sock_put(sk);
1180 
1181 shutdown_already:
1182 	if (!err && sk->sk_err)
1183 		err = -sk->sk_err;
1184 
1185 	release_sock(sk);
1186 
1187 	BT_DBG("Sock shutdown complete err: %d", err);
1188 
1189 	return err;
1190 }
1191 
l2cap_sock_release(struct socket * sock)1192 static int l2cap_sock_release(struct socket *sock)
1193 {
1194 	struct sock *sk = sock->sk;
1195 	int err;
1196 
1197 	BT_DBG("sock %p, sk %p", sock, sk);
1198 
1199 	if (!sk)
1200 		return 0;
1201 
1202 	bt_sock_unlink(&l2cap_sk_list, sk);
1203 
1204 	err = l2cap_sock_shutdown(sock, 2);
1205 
1206 	sock_orphan(sk);
1207 	l2cap_sock_kill(sk);
1208 	return err;
1209 }
1210 
l2cap_sock_cleanup_listen(struct sock * parent)1211 static void l2cap_sock_cleanup_listen(struct sock *parent)
1212 {
1213 	struct sock *sk;
1214 
1215 	BT_DBG("parent %p state %s", parent,
1216 	       state_to_string(parent->sk_state));
1217 
1218 	/* Close not yet accepted channels */
1219 	while ((sk = bt_accept_dequeue(parent, NULL))) {
1220 		struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1221 
1222 		BT_DBG("child chan %p state %s", chan,
1223 		       state_to_string(chan->state));
1224 
1225 		l2cap_chan_lock(chan);
1226 		__clear_chan_timer(chan);
1227 		l2cap_chan_close(chan, ECONNRESET);
1228 		l2cap_chan_unlock(chan);
1229 
1230 		l2cap_sock_kill(sk);
1231 	}
1232 }
1233 
l2cap_sock_new_connection_cb(struct l2cap_chan * chan)1234 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1235 {
1236 	struct sock *sk, *parent = chan->data;
1237 
1238 	lock_sock(parent);
1239 
1240 	/* Check for backlog size */
1241 	if (sk_acceptq_is_full(parent)) {
1242 		BT_DBG("backlog full %d", parent->sk_ack_backlog);
1243 		release_sock(parent);
1244 		return NULL;
1245 	}
1246 
1247 	sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1248 			      GFP_ATOMIC, 0);
1249 	if (!sk) {
1250 		release_sock(parent);
1251 		return NULL;
1252         }
1253 
1254 	bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1255 
1256 	l2cap_sock_init(sk, parent);
1257 
1258 	bt_accept_enqueue(parent, sk, false);
1259 
1260 	release_sock(parent);
1261 
1262 	return l2cap_pi(sk)->chan;
1263 }
1264 
l2cap_sock_recv_cb(struct l2cap_chan * chan,struct sk_buff * skb)1265 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1266 {
1267 	struct sock *sk = chan->data;
1268 	int err;
1269 
1270 	lock_sock(sk);
1271 
1272 	if (l2cap_pi(sk)->rx_busy_skb) {
1273 		err = -ENOMEM;
1274 		goto done;
1275 	}
1276 
1277 	if (chan->mode != L2CAP_MODE_ERTM &&
1278 	    chan->mode != L2CAP_MODE_STREAMING) {
1279 		/* Even if no filter is attached, we could potentially
1280 		 * get errors from security modules, etc.
1281 		 */
1282 		err = sk_filter(sk, skb);
1283 		if (err)
1284 			goto done;
1285 	}
1286 
1287 	err = __sock_queue_rcv_skb(sk, skb);
1288 
1289 	/* For ERTM, handle one skb that doesn't fit into the recv
1290 	 * buffer.  This is important to do because the data frames
1291 	 * have already been acked, so the skb cannot be discarded.
1292 	 *
1293 	 * Notify the l2cap core that the buffer is full, so the
1294 	 * LOCAL_BUSY state is entered and no more frames are
1295 	 * acked and reassembled until there is buffer space
1296 	 * available.
1297 	 */
1298 	if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1299 		l2cap_pi(sk)->rx_busy_skb = skb;
1300 		l2cap_chan_busy(chan, 1);
1301 		err = 0;
1302 	}
1303 
1304 done:
1305 	release_sock(sk);
1306 
1307 	return err;
1308 }
1309 
l2cap_sock_close_cb(struct l2cap_chan * chan)1310 static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1311 {
1312 	struct sock *sk = chan->data;
1313 
1314 	l2cap_sock_kill(sk);
1315 }
1316 
l2cap_sock_teardown_cb(struct l2cap_chan * chan,int err)1317 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1318 {
1319 	struct sock *sk = chan->data;
1320 	struct sock *parent;
1321 
1322 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1323 
1324 	/* This callback can be called both for server (BT_LISTEN)
1325 	 * sockets as well as "normal" ones. To avoid lockdep warnings
1326 	 * with child socket locking (through l2cap_sock_cleanup_listen)
1327 	 * we need separation into separate nesting levels. The simplest
1328 	 * way to accomplish this is to inherit the nesting level used
1329 	 * for the channel.
1330 	 */
1331 	lock_sock_nested(sk, atomic_read(&chan->nesting));
1332 
1333 	parent = bt_sk(sk)->parent;
1334 
1335 	sock_set_flag(sk, SOCK_ZAPPED);
1336 
1337 	switch (chan->state) {
1338 	case BT_OPEN:
1339 	case BT_BOUND:
1340 	case BT_CLOSED:
1341 		break;
1342 	case BT_LISTEN:
1343 		l2cap_sock_cleanup_listen(sk);
1344 		sk->sk_state = BT_CLOSED;
1345 		chan->state = BT_CLOSED;
1346 
1347 		break;
1348 	default:
1349 		sk->sk_state = BT_CLOSED;
1350 		chan->state = BT_CLOSED;
1351 
1352 		sk->sk_err = err;
1353 
1354 		if (parent) {
1355 			bt_accept_unlink(sk);
1356 			parent->sk_data_ready(parent);
1357 		} else {
1358 			sk->sk_state_change(sk);
1359 		}
1360 
1361 		break;
1362 	}
1363 
1364 	release_sock(sk);
1365 }
1366 
l2cap_sock_state_change_cb(struct l2cap_chan * chan,int state,int err)1367 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1368 				       int err)
1369 {
1370 	struct sock *sk = chan->data;
1371 
1372 	sk->sk_state = state;
1373 
1374 	if (err)
1375 		sk->sk_err = err;
1376 }
1377 
l2cap_sock_alloc_skb_cb(struct l2cap_chan * chan,unsigned long hdr_len,unsigned long len,int nb)1378 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1379 					       unsigned long hdr_len,
1380 					       unsigned long len, int nb)
1381 {
1382 	struct sock *sk = chan->data;
1383 	struct sk_buff *skb;
1384 	int err;
1385 
1386 	l2cap_chan_unlock(chan);
1387 	skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1388 	l2cap_chan_lock(chan);
1389 
1390 	if (!skb)
1391 		return ERR_PTR(err);
1392 
1393 	skb->priority = sk->sk_priority;
1394 
1395 	bt_cb(skb)->l2cap.chan = chan;
1396 
1397 	return skb;
1398 }
1399 
l2cap_sock_ready_cb(struct l2cap_chan * chan)1400 static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1401 {
1402 	struct sock *sk = chan->data;
1403 	struct sock *parent;
1404 
1405 	lock_sock(sk);
1406 
1407 	parent = bt_sk(sk)->parent;
1408 
1409 	BT_DBG("sk %p, parent %p", sk, parent);
1410 
1411 	sk->sk_state = BT_CONNECTED;
1412 	sk->sk_state_change(sk);
1413 
1414 	if (parent)
1415 		parent->sk_data_ready(parent);
1416 
1417 	release_sock(sk);
1418 }
1419 
l2cap_sock_defer_cb(struct l2cap_chan * chan)1420 static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1421 {
1422 	struct sock *parent, *sk = chan->data;
1423 
1424 	lock_sock(sk);
1425 
1426 	parent = bt_sk(sk)->parent;
1427 	if (parent)
1428 		parent->sk_data_ready(parent);
1429 
1430 	release_sock(sk);
1431 }
1432 
l2cap_sock_resume_cb(struct l2cap_chan * chan)1433 static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1434 {
1435 	struct sock *sk = chan->data;
1436 
1437 	if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1438 		sk->sk_state = BT_CONNECTED;
1439 		chan->state = BT_CONNECTED;
1440 	}
1441 
1442 	clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1443 	sk->sk_state_change(sk);
1444 }
1445 
l2cap_sock_set_shutdown_cb(struct l2cap_chan * chan)1446 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1447 {
1448 	struct sock *sk = chan->data;
1449 
1450 	lock_sock(sk);
1451 	sk->sk_shutdown = SHUTDOWN_MASK;
1452 	release_sock(sk);
1453 }
1454 
l2cap_sock_get_sndtimeo_cb(struct l2cap_chan * chan)1455 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1456 {
1457 	struct sock *sk = chan->data;
1458 
1459 	return sk->sk_sndtimeo;
1460 }
1461 
l2cap_sock_suspend_cb(struct l2cap_chan * chan)1462 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1463 {
1464 	struct sock *sk = chan->data;
1465 
1466 	set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1467 	sk->sk_state_change(sk);
1468 }
1469 
1470 static const struct l2cap_ops l2cap_chan_ops = {
1471 	.name			= "L2CAP Socket Interface",
1472 	.new_connection		= l2cap_sock_new_connection_cb,
1473 	.recv			= l2cap_sock_recv_cb,
1474 	.close			= l2cap_sock_close_cb,
1475 	.teardown		= l2cap_sock_teardown_cb,
1476 	.state_change		= l2cap_sock_state_change_cb,
1477 	.ready			= l2cap_sock_ready_cb,
1478 	.defer			= l2cap_sock_defer_cb,
1479 	.resume			= l2cap_sock_resume_cb,
1480 	.suspend		= l2cap_sock_suspend_cb,
1481 	.set_shutdown		= l2cap_sock_set_shutdown_cb,
1482 	.get_sndtimeo		= l2cap_sock_get_sndtimeo_cb,
1483 	.alloc_skb		= l2cap_sock_alloc_skb_cb,
1484 };
1485 
l2cap_sock_destruct(struct sock * sk)1486 static void l2cap_sock_destruct(struct sock *sk)
1487 {
1488 	BT_DBG("sk %p", sk);
1489 
1490 	if (l2cap_pi(sk)->chan)
1491 		l2cap_chan_put(l2cap_pi(sk)->chan);
1492 
1493 	if (l2cap_pi(sk)->rx_busy_skb) {
1494 		kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1495 		l2cap_pi(sk)->rx_busy_skb = NULL;
1496 	}
1497 
1498 	skb_queue_purge(&sk->sk_receive_queue);
1499 	skb_queue_purge(&sk->sk_write_queue);
1500 }
1501 
l2cap_skb_msg_name(struct sk_buff * skb,void * msg_name,int * msg_namelen)1502 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1503 			       int *msg_namelen)
1504 {
1505 	DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1506 
1507 	memset(la, 0, sizeof(struct sockaddr_l2));
1508 	la->l2_family = AF_BLUETOOTH;
1509 	la->l2_psm = bt_cb(skb)->l2cap.psm;
1510 	bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1511 
1512 	*msg_namelen = sizeof(struct sockaddr_l2);
1513 }
1514 
l2cap_sock_init(struct sock * sk,struct sock * parent)1515 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1516 {
1517 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1518 
1519 	BT_DBG("sk %p", sk);
1520 
1521 	if (parent) {
1522 		struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1523 
1524 		sk->sk_type = parent->sk_type;
1525 		bt_sk(sk)->flags = bt_sk(parent)->flags;
1526 
1527 		chan->chan_type = pchan->chan_type;
1528 		chan->imtu = pchan->imtu;
1529 		chan->omtu = pchan->omtu;
1530 		chan->conf_state = pchan->conf_state;
1531 		chan->mode = pchan->mode;
1532 		chan->fcs  = pchan->fcs;
1533 		chan->max_tx = pchan->max_tx;
1534 		chan->tx_win = pchan->tx_win;
1535 		chan->tx_win_max = pchan->tx_win_max;
1536 		chan->sec_level = pchan->sec_level;
1537 		chan->flags = pchan->flags;
1538 		chan->tx_credits = pchan->tx_credits;
1539 		chan->rx_credits = pchan->rx_credits;
1540 
1541 		if (chan->chan_type == L2CAP_CHAN_FIXED) {
1542 			chan->scid = pchan->scid;
1543 			chan->dcid = pchan->scid;
1544 		}
1545 
1546 		security_sk_clone(parent, sk);
1547 	} else {
1548 		switch (sk->sk_type) {
1549 		case SOCK_RAW:
1550 			chan->chan_type = L2CAP_CHAN_RAW;
1551 			break;
1552 		case SOCK_DGRAM:
1553 			chan->chan_type = L2CAP_CHAN_CONN_LESS;
1554 			bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1555 			break;
1556 		case SOCK_SEQPACKET:
1557 		case SOCK_STREAM:
1558 			chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1559 			break;
1560 		}
1561 
1562 		chan->imtu = L2CAP_DEFAULT_MTU;
1563 		chan->omtu = 0;
1564 		if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1565 			chan->mode = L2CAP_MODE_ERTM;
1566 			set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1567 		} else {
1568 			chan->mode = L2CAP_MODE_BASIC;
1569 		}
1570 
1571 		l2cap_chan_set_defaults(chan);
1572 	}
1573 
1574 	/* Default config options */
1575 	chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1576 
1577 	chan->data = sk;
1578 	chan->ops = &l2cap_chan_ops;
1579 }
1580 
1581 static struct proto l2cap_proto = {
1582 	.name		= "L2CAP",
1583 	.owner		= THIS_MODULE,
1584 	.obj_size	= sizeof(struct l2cap_pinfo)
1585 };
1586 
l2cap_sock_alloc(struct net * net,struct socket * sock,int proto,gfp_t prio,int kern)1587 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1588 				     int proto, gfp_t prio, int kern)
1589 {
1590 	struct sock *sk;
1591 	struct l2cap_chan *chan;
1592 
1593 	sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern);
1594 	if (!sk)
1595 		return NULL;
1596 
1597 	sock_init_data(sock, sk);
1598 	INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1599 
1600 	sk->sk_destruct = l2cap_sock_destruct;
1601 	sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1602 
1603 	sock_reset_flag(sk, SOCK_ZAPPED);
1604 
1605 	sk->sk_protocol = proto;
1606 	sk->sk_state = BT_OPEN;
1607 
1608 	chan = l2cap_chan_create();
1609 	if (!chan) {
1610 		sk_free(sk);
1611 		return NULL;
1612 	}
1613 
1614 	l2cap_chan_hold(chan);
1615 
1616 	l2cap_pi(sk)->chan = chan;
1617 
1618 	return sk;
1619 }
1620 
l2cap_sock_create(struct net * net,struct socket * sock,int protocol,int kern)1621 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1622 			     int kern)
1623 {
1624 	struct sock *sk;
1625 
1626 	BT_DBG("sock %p", sock);
1627 
1628 	sock->state = SS_UNCONNECTED;
1629 
1630 	if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1631 	    sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1632 		return -ESOCKTNOSUPPORT;
1633 
1634 	if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1635 		return -EPERM;
1636 
1637 	sock->ops = &l2cap_sock_ops;
1638 
1639 	sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1640 	if (!sk)
1641 		return -ENOMEM;
1642 
1643 	l2cap_sock_init(sk, NULL);
1644 	bt_sock_link(&l2cap_sk_list, sk);
1645 	return 0;
1646 }
1647 
1648 static const struct proto_ops l2cap_sock_ops = {
1649 	.family		= PF_BLUETOOTH,
1650 	.owner		= THIS_MODULE,
1651 	.release	= l2cap_sock_release,
1652 	.bind		= l2cap_sock_bind,
1653 	.connect	= l2cap_sock_connect,
1654 	.listen		= l2cap_sock_listen,
1655 	.accept		= l2cap_sock_accept,
1656 	.getname	= l2cap_sock_getname,
1657 	.sendmsg	= l2cap_sock_sendmsg,
1658 	.recvmsg	= l2cap_sock_recvmsg,
1659 	.poll		= bt_sock_poll,
1660 	.ioctl		= bt_sock_ioctl,
1661 	.gettstamp	= sock_gettstamp,
1662 	.mmap		= sock_no_mmap,
1663 	.socketpair	= sock_no_socketpair,
1664 	.shutdown	= l2cap_sock_shutdown,
1665 	.setsockopt	= l2cap_sock_setsockopt,
1666 	.getsockopt	= l2cap_sock_getsockopt
1667 };
1668 
1669 static const struct net_proto_family l2cap_sock_family_ops = {
1670 	.family	= PF_BLUETOOTH,
1671 	.owner	= THIS_MODULE,
1672 	.create	= l2cap_sock_create,
1673 };
1674 
l2cap_init_sockets(void)1675 int __init l2cap_init_sockets(void)
1676 {
1677 	int err;
1678 
1679 	BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1680 
1681 	err = proto_register(&l2cap_proto, 0);
1682 	if (err < 0)
1683 		return err;
1684 
1685 	err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1686 	if (err < 0) {
1687 		BT_ERR("L2CAP socket registration failed");
1688 		goto error;
1689 	}
1690 
1691 	err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1692 			     NULL);
1693 	if (err < 0) {
1694 		BT_ERR("Failed to create L2CAP proc file");
1695 		bt_sock_unregister(BTPROTO_L2CAP);
1696 		goto error;
1697 	}
1698 
1699 	BT_INFO("L2CAP socket layer initialized");
1700 
1701 	return 0;
1702 
1703 error:
1704 	proto_unregister(&l2cap_proto);
1705 	return err;
1706 }
1707 
l2cap_cleanup_sockets(void)1708 void l2cap_cleanup_sockets(void)
1709 {
1710 	bt_procfs_cleanup(&init_net, "l2cap");
1711 	bt_sock_unregister(BTPROTO_L2CAP);
1712 	proto_unregister(&l2cap_proto);
1713 }
1714