l2cap_sock.c (42996B)
1/* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org> 5 Copyright (C) 2010 Google Inc. 6 Copyright (C) 2011 ProFUSION Embedded Systems 7 8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 9 10 This program is free software; you can redistribute it and/or modify 11 it under the terms of the GNU General Public License version 2 as 12 published by the Free Software Foundation; 13 14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 22 23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 25 SOFTWARE IS DISCLAIMED. 26*/ 27 28/* Bluetooth L2CAP sockets. */ 29 30#include <linux/module.h> 31#include <linux/export.h> 32#include <linux/filter.h> 33#include <linux/sched/signal.h> 34 35#include <net/bluetooth/bluetooth.h> 36#include <net/bluetooth/hci_core.h> 37#include <net/bluetooth/l2cap.h> 38 39#include "smp.h" 40 41static struct bt_sock_list l2cap_sk_list = { 42 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock) 43}; 44 45static const struct proto_ops l2cap_sock_ops; 46static void l2cap_sock_init(struct sock *sk, struct sock *parent); 47static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, 48 int proto, gfp_t prio, int kern); 49 50bool l2cap_is_socket(struct socket *sock) 51{ 52 return sock && sock->ops == &l2cap_sock_ops; 53} 54EXPORT_SYMBOL(l2cap_is_socket); 55 56static int l2cap_validate_bredr_psm(u16 psm) 57{ 58 /* PSM must be odd and lsb of upper byte must be 0 */ 59 if ((psm & 0x0101) != 0x0001) 60 return -EINVAL; 61 62 /* Restrict usage of well-known PSMs */ 63 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE)) 64 return -EACCES; 65 66 return 0; 67} 68 69static int l2cap_validate_le_psm(u16 psm) 70{ 71 /* Valid LE_PSM ranges are defined only until 0x00ff */ 72 if (psm > L2CAP_PSM_LE_DYN_END) 73 return -EINVAL; 74 75 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */ 76 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE)) 77 return -EACCES; 78 79 return 0; 80} 81 82static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) 83{ 84 struct sock *sk = sock->sk; 85 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 86 struct sockaddr_l2 la; 87 int len, err = 0; 88 89 BT_DBG("sk %p", sk); 90 91 if (!addr || alen < offsetofend(struct sockaddr, sa_family) || 92 addr->sa_family != AF_BLUETOOTH) 93 return -EINVAL; 94 95 memset(&la, 0, sizeof(la)); 96 len = min_t(unsigned int, sizeof(la), alen); 97 memcpy(&la, addr, len); 98 99 if (la.l2_cid && la.l2_psm) 100 return -EINVAL; 101 102 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) 103 return -EINVAL; 104 105 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 106 /* We only allow ATT user space socket */ 107 if (la.l2_cid && 108 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) 109 return -EINVAL; 110 } 111 112 lock_sock(sk); 113 114 if (sk->sk_state != BT_OPEN) { 115 err = -EBADFD; 116 goto done; 117 } 118 119 if (la.l2_psm) { 120 __u16 psm = __le16_to_cpu(la.l2_psm); 121 122 if (la.l2_bdaddr_type == BDADDR_BREDR) 123 err = l2cap_validate_bredr_psm(psm); 124 else 125 err = l2cap_validate_le_psm(psm); 126 127 if (err) 128 goto done; 129 } 130 131 bacpy(&chan->src, &la.l2_bdaddr); 132 chan->src_type = la.l2_bdaddr_type; 133 134 if (la.l2_cid) 135 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid)); 136 else 137 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm); 138 139 if (err < 0) 140 goto done; 141 142 switch (chan->chan_type) { 143 case L2CAP_CHAN_CONN_LESS: 144 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP) 145 chan->sec_level = BT_SECURITY_SDP; 146 break; 147 case L2CAP_CHAN_CONN_ORIENTED: 148 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP || 149 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM) 150 chan->sec_level = BT_SECURITY_SDP; 151 break; 152 case L2CAP_CHAN_RAW: 153 chan->sec_level = BT_SECURITY_SDP; 154 break; 155 case L2CAP_CHAN_FIXED: 156 /* Fixed channels default to the L2CAP core not holding a 157 * hci_conn reference for them. For fixed channels mapping to 158 * L2CAP sockets we do want to hold a reference so set the 159 * appropriate flag to request it. 160 */ 161 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags); 162 break; 163 } 164 165 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and 166 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set. 167 */ 168 if (chan->psm && bdaddr_type_is_le(chan->src_type) && 169 chan->mode != L2CAP_MODE_EXT_FLOWCTL) 170 chan->mode = L2CAP_MODE_LE_FLOWCTL; 171 172 chan->state = BT_BOUND; 173 sk->sk_state = BT_BOUND; 174 175done: 176 release_sock(sk); 177 return err; 178} 179 180static void l2cap_sock_init_pid(struct sock *sk) 181{ 182 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 183 184 /* Only L2CAP_MODE_EXT_FLOWCTL ever need to access the PID in order to 185 * group the channels being requested. 186 */ 187 if (chan->mode != L2CAP_MODE_EXT_FLOWCTL) 188 return; 189 190 spin_lock(&sk->sk_peer_lock); 191 sk->sk_peer_pid = get_pid(task_tgid(current)); 192 spin_unlock(&sk->sk_peer_lock); 193} 194 195static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, 196 int alen, int flags) 197{ 198 struct sock *sk = sock->sk; 199 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 200 struct sockaddr_l2 la; 201 int len, err = 0; 202 bool zapped; 203 204 BT_DBG("sk %p", sk); 205 206 lock_sock(sk); 207 zapped = sock_flag(sk, SOCK_ZAPPED); 208 release_sock(sk); 209 210 if (zapped) 211 return -EINVAL; 212 213 if (!addr || alen < offsetofend(struct sockaddr, sa_family) || 214 addr->sa_family != AF_BLUETOOTH) 215 return -EINVAL; 216 217 memset(&la, 0, sizeof(la)); 218 len = min_t(unsigned int, sizeof(la), alen); 219 memcpy(&la, addr, len); 220 221 if (la.l2_cid && la.l2_psm) 222 return -EINVAL; 223 224 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) 225 return -EINVAL; 226 227 /* Check that the socket wasn't bound to something that 228 * conflicts with the address given to connect(). If chan->src 229 * is BDADDR_ANY it means bind() was never used, in which case 230 * chan->src_type and la.l2_bdaddr_type do not need to match. 231 */ 232 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) && 233 bdaddr_type_is_le(la.l2_bdaddr_type)) { 234 /* Old user space versions will try to incorrectly bind 235 * the ATT socket using BDADDR_BREDR. We need to accept 236 * this and fix up the source address type only when 237 * both the source CID and destination CID indicate 238 * ATT. Anything else is an invalid combination. 239 */ 240 if (chan->scid != L2CAP_CID_ATT || 241 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) 242 return -EINVAL; 243 244 /* We don't have the hdev available here to make a 245 * better decision on random vs public, but since all 246 * user space versions that exhibit this issue anyway do 247 * not support random local addresses assuming public 248 * here is good enough. 249 */ 250 chan->src_type = BDADDR_LE_PUBLIC; 251 } 252 253 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR) 254 return -EINVAL; 255 256 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 257 /* We only allow ATT user space socket */ 258 if (la.l2_cid && 259 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) 260 return -EINVAL; 261 } 262 263 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and 264 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set. 265 */ 266 if (chan->psm && bdaddr_type_is_le(chan->src_type) && 267 chan->mode != L2CAP_MODE_EXT_FLOWCTL) 268 chan->mode = L2CAP_MODE_LE_FLOWCTL; 269 270 l2cap_sock_init_pid(sk); 271 272 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid), 273 &la.l2_bdaddr, la.l2_bdaddr_type); 274 if (err) 275 return err; 276 277 lock_sock(sk); 278 279 err = bt_sock_wait_state(sk, BT_CONNECTED, 280 sock_sndtimeo(sk, flags & O_NONBLOCK)); 281 282 release_sock(sk); 283 284 return err; 285} 286 287static int l2cap_sock_listen(struct socket *sock, int backlog) 288{ 289 struct sock *sk = sock->sk; 290 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 291 int err = 0; 292 293 BT_DBG("sk %p backlog %d", sk, backlog); 294 295 lock_sock(sk); 296 297 if (sk->sk_state != BT_BOUND) { 298 err = -EBADFD; 299 goto done; 300 } 301 302 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) { 303 err = -EINVAL; 304 goto done; 305 } 306 307 switch (chan->mode) { 308 case L2CAP_MODE_BASIC: 309 case L2CAP_MODE_LE_FLOWCTL: 310 break; 311 case L2CAP_MODE_EXT_FLOWCTL: 312 if (!enable_ecred) { 313 err = -EOPNOTSUPP; 314 goto done; 315 } 316 break; 317 case L2CAP_MODE_ERTM: 318 case L2CAP_MODE_STREAMING: 319 if (!disable_ertm) 320 break; 321 fallthrough; 322 default: 323 err = -EOPNOTSUPP; 324 goto done; 325 } 326 327 l2cap_sock_init_pid(sk); 328 329 sk->sk_max_ack_backlog = backlog; 330 sk->sk_ack_backlog = 0; 331 332 /* Listening channels need to use nested locking in order not to 333 * cause lockdep warnings when the created child channels end up 334 * being locked in the same thread as the parent channel. 335 */ 336 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT); 337 338 chan->state = BT_LISTEN; 339 sk->sk_state = BT_LISTEN; 340 341done: 342 release_sock(sk); 343 return err; 344} 345 346static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, 347 int flags, bool kern) 348{ 349 DEFINE_WAIT_FUNC(wait, woken_wake_function); 350 struct sock *sk = sock->sk, *nsk; 351 long timeo; 352 int err = 0; 353 354 lock_sock_nested(sk, L2CAP_NESTING_PARENT); 355 356 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK); 357 358 BT_DBG("sk %p timeo %ld", sk, timeo); 359 360 /* Wait for an incoming connection. (wake-one). */ 361 add_wait_queue_exclusive(sk_sleep(sk), &wait); 362 while (1) { 363 if (sk->sk_state != BT_LISTEN) { 364 err = -EBADFD; 365 break; 366 } 367 368 nsk = bt_accept_dequeue(sk, newsock); 369 if (nsk) 370 break; 371 372 if (!timeo) { 373 err = -EAGAIN; 374 break; 375 } 376 377 if (signal_pending(current)) { 378 err = sock_intr_errno(timeo); 379 break; 380 } 381 382 release_sock(sk); 383 384 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo); 385 386 lock_sock_nested(sk, L2CAP_NESTING_PARENT); 387 } 388 remove_wait_queue(sk_sleep(sk), &wait); 389 390 if (err) 391 goto done; 392 393 newsock->state = SS_CONNECTED; 394 395 BT_DBG("new socket %p", nsk); 396 397done: 398 release_sock(sk); 399 return err; 400} 401 402static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, 403 int peer) 404{ 405 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr; 406 struct sock *sk = sock->sk; 407 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 408 409 BT_DBG("sock %p, sk %p", sock, sk); 410 411 if (peer && sk->sk_state != BT_CONNECTED && 412 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 && 413 sk->sk_state != BT_CONFIG) 414 return -ENOTCONN; 415 416 memset(la, 0, sizeof(struct sockaddr_l2)); 417 addr->sa_family = AF_BLUETOOTH; 418 419 la->l2_psm = chan->psm; 420 421 if (peer) { 422 bacpy(&la->l2_bdaddr, &chan->dst); 423 la->l2_cid = cpu_to_le16(chan->dcid); 424 la->l2_bdaddr_type = chan->dst_type; 425 } else { 426 bacpy(&la->l2_bdaddr, &chan->src); 427 la->l2_cid = cpu_to_le16(chan->scid); 428 la->l2_bdaddr_type = chan->src_type; 429 } 430 431 return sizeof(struct sockaddr_l2); 432} 433 434static int l2cap_get_mode(struct l2cap_chan *chan) 435{ 436 switch (chan->mode) { 437 case L2CAP_MODE_BASIC: 438 return BT_MODE_BASIC; 439 case L2CAP_MODE_ERTM: 440 return BT_MODE_ERTM; 441 case L2CAP_MODE_STREAMING: 442 return BT_MODE_STREAMING; 443 case L2CAP_MODE_LE_FLOWCTL: 444 return BT_MODE_LE_FLOWCTL; 445 case L2CAP_MODE_EXT_FLOWCTL: 446 return BT_MODE_EXT_FLOWCTL; 447 } 448 449 return -EINVAL; 450} 451 452static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, 453 char __user *optval, int __user *optlen) 454{ 455 struct sock *sk = sock->sk; 456 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 457 struct l2cap_options opts; 458 struct l2cap_conninfo cinfo; 459 int len, err = 0; 460 u32 opt; 461 462 BT_DBG("sk %p", sk); 463 464 if (get_user(len, optlen)) 465 return -EFAULT; 466 467 lock_sock(sk); 468 469 switch (optname) { 470 case L2CAP_OPTIONS: 471 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since 472 * legacy ATT code depends on getsockopt for 473 * L2CAP_OPTIONS we need to let this pass. 474 */ 475 if (bdaddr_type_is_le(chan->src_type) && 476 chan->scid != L2CAP_CID_ATT) { 477 err = -EINVAL; 478 break; 479 } 480 481 /* Only BR/EDR modes are supported here */ 482 switch (chan->mode) { 483 case L2CAP_MODE_BASIC: 484 case L2CAP_MODE_ERTM: 485 case L2CAP_MODE_STREAMING: 486 break; 487 default: 488 err = -EINVAL; 489 break; 490 } 491 492 if (err < 0) 493 break; 494 495 memset(&opts, 0, sizeof(opts)); 496 opts.imtu = chan->imtu; 497 opts.omtu = chan->omtu; 498 opts.flush_to = chan->flush_to; 499 opts.mode = chan->mode; 500 opts.fcs = chan->fcs; 501 opts.max_tx = chan->max_tx; 502 opts.txwin_size = chan->tx_win; 503 504 BT_DBG("mode 0x%2.2x", chan->mode); 505 506 len = min_t(unsigned int, len, sizeof(opts)); 507 if (copy_to_user(optval, (char *) &opts, len)) 508 err = -EFAULT; 509 510 break; 511 512 case L2CAP_LM: 513 switch (chan->sec_level) { 514 case BT_SECURITY_LOW: 515 opt = L2CAP_LM_AUTH; 516 break; 517 case BT_SECURITY_MEDIUM: 518 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT; 519 break; 520 case BT_SECURITY_HIGH: 521 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT | 522 L2CAP_LM_SECURE; 523 break; 524 case BT_SECURITY_FIPS: 525 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT | 526 L2CAP_LM_SECURE | L2CAP_LM_FIPS; 527 break; 528 default: 529 opt = 0; 530 break; 531 } 532 533 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags)) 534 opt |= L2CAP_LM_MASTER; 535 536 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags)) 537 opt |= L2CAP_LM_RELIABLE; 538 539 if (put_user(opt, (u32 __user *) optval)) 540 err = -EFAULT; 541 542 break; 543 544 case L2CAP_CONNINFO: 545 if (sk->sk_state != BT_CONNECTED && 546 !(sk->sk_state == BT_CONNECT2 && 547 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) { 548 err = -ENOTCONN; 549 break; 550 } 551 552 memset(&cinfo, 0, sizeof(cinfo)); 553 cinfo.hci_handle = chan->conn->hcon->handle; 554 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3); 555 556 len = min_t(unsigned int, len, sizeof(cinfo)); 557 if (copy_to_user(optval, (char *) &cinfo, len)) 558 err = -EFAULT; 559 560 break; 561 562 default: 563 err = -ENOPROTOOPT; 564 break; 565 } 566 567 release_sock(sk); 568 return err; 569} 570 571static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, 572 char __user *optval, int __user *optlen) 573{ 574 struct sock *sk = sock->sk; 575 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 576 struct bt_security sec; 577 struct bt_power pwr; 578 u32 phys; 579 int len, mode, err = 0; 580 581 BT_DBG("sk %p", sk); 582 583 if (level == SOL_L2CAP) 584 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen); 585 586 if (level != SOL_BLUETOOTH) 587 return -ENOPROTOOPT; 588 589 if (get_user(len, optlen)) 590 return -EFAULT; 591 592 lock_sock(sk); 593 594 switch (optname) { 595 case BT_SECURITY: 596 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 597 chan->chan_type != L2CAP_CHAN_FIXED && 598 chan->chan_type != L2CAP_CHAN_RAW) { 599 err = -EINVAL; 600 break; 601 } 602 603 memset(&sec, 0, sizeof(sec)); 604 if (chan->conn) { 605 sec.level = chan->conn->hcon->sec_level; 606 607 if (sk->sk_state == BT_CONNECTED) 608 sec.key_size = chan->conn->hcon->enc_key_size; 609 } else { 610 sec.level = chan->sec_level; 611 } 612 613 len = min_t(unsigned int, len, sizeof(sec)); 614 if (copy_to_user(optval, (char *) &sec, len)) 615 err = -EFAULT; 616 617 break; 618 619 case BT_DEFER_SETUP: 620 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 621 err = -EINVAL; 622 break; 623 } 624 625 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags), 626 (u32 __user *) optval)) 627 err = -EFAULT; 628 629 break; 630 631 case BT_FLUSHABLE: 632 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags), 633 (u32 __user *) optval)) 634 err = -EFAULT; 635 636 break; 637 638 case BT_POWER: 639 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM 640 && sk->sk_type != SOCK_RAW) { 641 err = -EINVAL; 642 break; 643 } 644 645 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags); 646 647 len = min_t(unsigned int, len, sizeof(pwr)); 648 if (copy_to_user(optval, (char *) &pwr, len)) 649 err = -EFAULT; 650 651 break; 652 653 case BT_CHANNEL_POLICY: 654 if (put_user(chan->chan_policy, (u32 __user *) optval)) 655 err = -EFAULT; 656 break; 657 658 case BT_SNDMTU: 659 if (!bdaddr_type_is_le(chan->src_type)) { 660 err = -EINVAL; 661 break; 662 } 663 664 if (sk->sk_state != BT_CONNECTED) { 665 err = -ENOTCONN; 666 break; 667 } 668 669 if (put_user(chan->omtu, (u16 __user *) optval)) 670 err = -EFAULT; 671 break; 672 673 case BT_RCVMTU: 674 if (!bdaddr_type_is_le(chan->src_type)) { 675 err = -EINVAL; 676 break; 677 } 678 679 if (put_user(chan->imtu, (u16 __user *) optval)) 680 err = -EFAULT; 681 break; 682 683 case BT_PHY: 684 if (sk->sk_state != BT_CONNECTED) { 685 err = -ENOTCONN; 686 break; 687 } 688 689 phys = hci_conn_get_phy(chan->conn->hcon); 690 691 if (put_user(phys, (u32 __user *) optval)) 692 err = -EFAULT; 693 break; 694 695 case BT_MODE: 696 if (!enable_ecred) { 697 err = -ENOPROTOOPT; 698 break; 699 } 700 701 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 702 err = -EINVAL; 703 break; 704 } 705 706 mode = l2cap_get_mode(chan); 707 if (mode < 0) { 708 err = mode; 709 break; 710 } 711 712 if (put_user(mode, (u8 __user *) optval)) 713 err = -EFAULT; 714 break; 715 716 default: 717 err = -ENOPROTOOPT; 718 break; 719 } 720 721 release_sock(sk); 722 return err; 723} 724 725static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu) 726{ 727 switch (chan->scid) { 728 case L2CAP_CID_ATT: 729 if (mtu < L2CAP_LE_MIN_MTU) 730 return false; 731 break; 732 733 default: 734 if (mtu < L2CAP_DEFAULT_MIN_MTU) 735 return false; 736 } 737 738 return true; 739} 740 741static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, 742 sockptr_t optval, unsigned int optlen) 743{ 744 struct sock *sk = sock->sk; 745 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 746 struct l2cap_options opts; 747 int len, err = 0; 748 u32 opt; 749 750 BT_DBG("sk %p", sk); 751 752 lock_sock(sk); 753 754 switch (optname) { 755 case L2CAP_OPTIONS: 756 if (bdaddr_type_is_le(chan->src_type)) { 757 err = -EINVAL; 758 break; 759 } 760 761 if (sk->sk_state == BT_CONNECTED) { 762 err = -EINVAL; 763 break; 764 } 765 766 opts.imtu = chan->imtu; 767 opts.omtu = chan->omtu; 768 opts.flush_to = chan->flush_to; 769 opts.mode = chan->mode; 770 opts.fcs = chan->fcs; 771 opts.max_tx = chan->max_tx; 772 opts.txwin_size = chan->tx_win; 773 774 len = min_t(unsigned int, sizeof(opts), optlen); 775 if (copy_from_sockptr(&opts, optval, len)) { 776 err = -EFAULT; 777 break; 778 } 779 780 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) { 781 err = -EINVAL; 782 break; 783 } 784 785 if (!l2cap_valid_mtu(chan, opts.imtu)) { 786 err = -EINVAL; 787 break; 788 } 789 790 /* Only BR/EDR modes are supported here */ 791 switch (opts.mode) { 792 case L2CAP_MODE_BASIC: 793 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state); 794 break; 795 case L2CAP_MODE_ERTM: 796 case L2CAP_MODE_STREAMING: 797 if (!disable_ertm) 798 break; 799 fallthrough; 800 default: 801 err = -EINVAL; 802 break; 803 } 804 805 if (err < 0) 806 break; 807 808 chan->mode = opts.mode; 809 810 BT_DBG("mode 0x%2.2x", chan->mode); 811 812 chan->imtu = opts.imtu; 813 chan->omtu = opts.omtu; 814 chan->fcs = opts.fcs; 815 chan->max_tx = opts.max_tx; 816 chan->tx_win = opts.txwin_size; 817 chan->flush_to = opts.flush_to; 818 break; 819 820 case L2CAP_LM: 821 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 822 err = -EFAULT; 823 break; 824 } 825 826 if (opt & L2CAP_LM_FIPS) { 827 err = -EINVAL; 828 break; 829 } 830 831 if (opt & L2CAP_LM_AUTH) 832 chan->sec_level = BT_SECURITY_LOW; 833 if (opt & L2CAP_LM_ENCRYPT) 834 chan->sec_level = BT_SECURITY_MEDIUM; 835 if (opt & L2CAP_LM_SECURE) 836 chan->sec_level = BT_SECURITY_HIGH; 837 838 if (opt & L2CAP_LM_MASTER) 839 set_bit(FLAG_ROLE_SWITCH, &chan->flags); 840 else 841 clear_bit(FLAG_ROLE_SWITCH, &chan->flags); 842 843 if (opt & L2CAP_LM_RELIABLE) 844 set_bit(FLAG_FORCE_RELIABLE, &chan->flags); 845 else 846 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags); 847 break; 848 849 default: 850 err = -ENOPROTOOPT; 851 break; 852 } 853 854 release_sock(sk); 855 return err; 856} 857 858static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode) 859{ 860 switch (mode) { 861 case BT_MODE_BASIC: 862 if (bdaddr_type_is_le(chan->src_type)) 863 return -EINVAL; 864 mode = L2CAP_MODE_BASIC; 865 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state); 866 break; 867 case BT_MODE_ERTM: 868 if (!disable_ertm || bdaddr_type_is_le(chan->src_type)) 869 return -EINVAL; 870 mode = L2CAP_MODE_ERTM; 871 break; 872 case BT_MODE_STREAMING: 873 if (!disable_ertm || bdaddr_type_is_le(chan->src_type)) 874 return -EINVAL; 875 mode = L2CAP_MODE_STREAMING; 876 break; 877 case BT_MODE_LE_FLOWCTL: 878 if (!bdaddr_type_is_le(chan->src_type)) 879 return -EINVAL; 880 mode = L2CAP_MODE_LE_FLOWCTL; 881 break; 882 case BT_MODE_EXT_FLOWCTL: 883 /* TODO: Add support for ECRED PDUs to BR/EDR */ 884 if (!bdaddr_type_is_le(chan->src_type)) 885 return -EINVAL; 886 mode = L2CAP_MODE_EXT_FLOWCTL; 887 break; 888 default: 889 return -EINVAL; 890 } 891 892 chan->mode = mode; 893 894 return 0; 895} 896 897static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, 898 sockptr_t optval, unsigned int optlen) 899{ 900 struct sock *sk = sock->sk; 901 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 902 struct bt_security sec; 903 struct bt_power pwr; 904 struct l2cap_conn *conn; 905 int len, err = 0; 906 u32 opt; 907 u16 mtu; 908 u8 mode; 909 910 BT_DBG("sk %p", sk); 911 912 if (level == SOL_L2CAP) 913 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen); 914 915 if (level != SOL_BLUETOOTH) 916 return -ENOPROTOOPT; 917 918 lock_sock(sk); 919 920 switch (optname) { 921 case BT_SECURITY: 922 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 923 chan->chan_type != L2CAP_CHAN_FIXED && 924 chan->chan_type != L2CAP_CHAN_RAW) { 925 err = -EINVAL; 926 break; 927 } 928 929 sec.level = BT_SECURITY_LOW; 930 931 len = min_t(unsigned int, sizeof(sec), optlen); 932 if (copy_from_sockptr(&sec, optval, len)) { 933 err = -EFAULT; 934 break; 935 } 936 937 if (sec.level < BT_SECURITY_LOW || 938 sec.level > BT_SECURITY_FIPS) { 939 err = -EINVAL; 940 break; 941 } 942 943 chan->sec_level = sec.level; 944 945 if (!chan->conn) 946 break; 947 948 conn = chan->conn; 949 950 /* change security for LE channels */ 951 if (chan->scid == L2CAP_CID_ATT) { 952 if (smp_conn_security(conn->hcon, sec.level)) { 953 err = -EINVAL; 954 break; 955 } 956 957 set_bit(FLAG_PENDING_SECURITY, &chan->flags); 958 sk->sk_state = BT_CONFIG; 959 chan->state = BT_CONFIG; 960 961 /* or for ACL link */ 962 } else if ((sk->sk_state == BT_CONNECT2 && 963 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) || 964 sk->sk_state == BT_CONNECTED) { 965 if (!l2cap_chan_check_security(chan, true)) 966 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 967 else 968 sk->sk_state_change(sk); 969 } else { 970 err = -EINVAL; 971 } 972 break; 973 974 case BT_DEFER_SETUP: 975 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 976 err = -EINVAL; 977 break; 978 } 979 980 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 981 err = -EFAULT; 982 break; 983 } 984 985 if (opt) { 986 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 987 set_bit(FLAG_DEFER_SETUP, &chan->flags); 988 } else { 989 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 990 clear_bit(FLAG_DEFER_SETUP, &chan->flags); 991 } 992 break; 993 994 case BT_FLUSHABLE: 995 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 996 err = -EFAULT; 997 break; 998 } 999 1000 if (opt > BT_FLUSHABLE_ON) { 1001 err = -EINVAL; 1002 break; 1003 } 1004 1005 if (opt == BT_FLUSHABLE_OFF) { 1006 conn = chan->conn; 1007 /* proceed further only when we have l2cap_conn and 1008 No Flush support in the LM */ 1009 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) { 1010 err = -EINVAL; 1011 break; 1012 } 1013 } 1014 1015 if (opt) 1016 set_bit(FLAG_FLUSHABLE, &chan->flags); 1017 else 1018 clear_bit(FLAG_FLUSHABLE, &chan->flags); 1019 break; 1020 1021 case BT_POWER: 1022 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 1023 chan->chan_type != L2CAP_CHAN_RAW) { 1024 err = -EINVAL; 1025 break; 1026 } 1027 1028 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON; 1029 1030 len = min_t(unsigned int, sizeof(pwr), optlen); 1031 if (copy_from_sockptr(&pwr, optval, len)) { 1032 err = -EFAULT; 1033 break; 1034 } 1035 1036 if (pwr.force_active) 1037 set_bit(FLAG_FORCE_ACTIVE, &chan->flags); 1038 else 1039 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags); 1040 break; 1041 1042 case BT_CHANNEL_POLICY: 1043 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 1044 err = -EFAULT; 1045 break; 1046 } 1047 1048 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) { 1049 err = -EINVAL; 1050 break; 1051 } 1052 1053 if (chan->mode != L2CAP_MODE_ERTM && 1054 chan->mode != L2CAP_MODE_STREAMING) { 1055 err = -EOPNOTSUPP; 1056 break; 1057 } 1058 1059 chan->chan_policy = (u8) opt; 1060 1061 if (sk->sk_state == BT_CONNECTED && 1062 chan->move_role == L2CAP_MOVE_ROLE_NONE) 1063 l2cap_move_start(chan); 1064 1065 break; 1066 1067 case BT_SNDMTU: 1068 if (!bdaddr_type_is_le(chan->src_type)) { 1069 err = -EINVAL; 1070 break; 1071 } 1072 1073 /* Setting is not supported as it's the remote side that 1074 * decides this. 1075 */ 1076 err = -EPERM; 1077 break; 1078 1079 case BT_RCVMTU: 1080 if (!bdaddr_type_is_le(chan->src_type)) { 1081 err = -EINVAL; 1082 break; 1083 } 1084 1085 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && 1086 sk->sk_state == BT_CONNECTED) { 1087 err = -EISCONN; 1088 break; 1089 } 1090 1091 if (copy_from_sockptr(&mtu, optval, sizeof(u16))) { 1092 err = -EFAULT; 1093 break; 1094 } 1095 1096 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL && 1097 sk->sk_state == BT_CONNECTED) 1098 err = l2cap_chan_reconfigure(chan, mtu); 1099 else 1100 chan->imtu = mtu; 1101 1102 break; 1103 1104 case BT_MODE: 1105 if (!enable_ecred) { 1106 err = -ENOPROTOOPT; 1107 break; 1108 } 1109 1110 BT_DBG("sk->sk_state %u", sk->sk_state); 1111 1112 if (sk->sk_state != BT_BOUND) { 1113 err = -EINVAL; 1114 break; 1115 } 1116 1117 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 1118 err = -EINVAL; 1119 break; 1120 } 1121 1122 if (copy_from_sockptr(&mode, optval, sizeof(u8))) { 1123 err = -EFAULT; 1124 break; 1125 } 1126 1127 BT_DBG("mode %u", mode); 1128 1129 err = l2cap_set_mode(chan, mode); 1130 if (err) 1131 break; 1132 1133 BT_DBG("mode 0x%2.2x", chan->mode); 1134 1135 break; 1136 1137 default: 1138 err = -ENOPROTOOPT; 1139 break; 1140 } 1141 1142 release_sock(sk); 1143 return err; 1144} 1145 1146static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg, 1147 size_t len) 1148{ 1149 struct sock *sk = sock->sk; 1150 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1151 int err; 1152 1153 BT_DBG("sock %p, sk %p", sock, sk); 1154 1155 err = sock_error(sk); 1156 if (err) 1157 return err; 1158 1159 if (msg->msg_flags & MSG_OOB) 1160 return -EOPNOTSUPP; 1161 1162 if (sk->sk_state != BT_CONNECTED) 1163 return -ENOTCONN; 1164 1165 lock_sock(sk); 1166 err = bt_sock_wait_ready(sk, msg->msg_flags); 1167 release_sock(sk); 1168 if (err) 1169 return err; 1170 1171 l2cap_chan_lock(chan); 1172 err = l2cap_chan_send(chan, msg, len); 1173 l2cap_chan_unlock(chan); 1174 1175 return err; 1176} 1177 1178static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg, 1179 size_t len, int flags) 1180{ 1181 struct sock *sk = sock->sk; 1182 struct l2cap_pinfo *pi = l2cap_pi(sk); 1183 int err; 1184 1185 lock_sock(sk); 1186 1187 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP, 1188 &bt_sk(sk)->flags)) { 1189 if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) { 1190 sk->sk_state = BT_CONNECTED; 1191 pi->chan->state = BT_CONNECTED; 1192 __l2cap_ecred_conn_rsp_defer(pi->chan); 1193 } else if (bdaddr_type_is_le(pi->chan->src_type)) { 1194 sk->sk_state = BT_CONNECTED; 1195 pi->chan->state = BT_CONNECTED; 1196 __l2cap_le_connect_rsp_defer(pi->chan); 1197 } else { 1198 sk->sk_state = BT_CONFIG; 1199 pi->chan->state = BT_CONFIG; 1200 __l2cap_connect_rsp_defer(pi->chan); 1201 } 1202 1203 err = 0; 1204 goto done; 1205 } 1206 1207 release_sock(sk); 1208 1209 if (sock->type == SOCK_STREAM) 1210 err = bt_sock_stream_recvmsg(sock, msg, len, flags); 1211 else 1212 err = bt_sock_recvmsg(sock, msg, len, flags); 1213 1214 if (pi->chan->mode != L2CAP_MODE_ERTM) 1215 return err; 1216 1217 /* Attempt to put pending rx data in the socket buffer */ 1218 1219 lock_sock(sk); 1220 1221 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state)) 1222 goto done; 1223 1224 if (pi->rx_busy_skb) { 1225 if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb)) 1226 pi->rx_busy_skb = NULL; 1227 else 1228 goto done; 1229 } 1230 1231 /* Restore data flow when half of the receive buffer is 1232 * available. This avoids resending large numbers of 1233 * frames. 1234 */ 1235 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1) 1236 l2cap_chan_busy(pi->chan, 0); 1237 1238done: 1239 release_sock(sk); 1240 return err; 1241} 1242 1243/* Kill socket (only if zapped and orphan) 1244 * Must be called on unlocked socket, with l2cap channel lock. 1245 */ 1246static void l2cap_sock_kill(struct sock *sk) 1247{ 1248 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket) 1249 return; 1250 1251 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state)); 1252 1253 /* Kill poor orphan */ 1254 1255 l2cap_chan_put(l2cap_pi(sk)->chan); 1256 sock_set_flag(sk, SOCK_DEAD); 1257 sock_put(sk); 1258} 1259 1260static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan) 1261{ 1262 DECLARE_WAITQUEUE(wait, current); 1263 int err = 0; 1264 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD; 1265 /* Timeout to prevent infinite loop */ 1266 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT; 1267 1268 add_wait_queue(sk_sleep(sk), &wait); 1269 set_current_state(TASK_INTERRUPTIBLE); 1270 do { 1271 BT_DBG("Waiting for %d ACKs, timeout %04d ms", 1272 chan->unacked_frames, time_after(jiffies, timeout) ? 0 : 1273 jiffies_to_msecs(timeout - jiffies)); 1274 1275 if (!timeo) 1276 timeo = L2CAP_WAIT_ACK_POLL_PERIOD; 1277 1278 if (signal_pending(current)) { 1279 err = sock_intr_errno(timeo); 1280 break; 1281 } 1282 1283 release_sock(sk); 1284 timeo = schedule_timeout(timeo); 1285 lock_sock(sk); 1286 set_current_state(TASK_INTERRUPTIBLE); 1287 1288 err = sock_error(sk); 1289 if (err) 1290 break; 1291 1292 if (time_after(jiffies, timeout)) { 1293 err = -ENOLINK; 1294 break; 1295 } 1296 1297 } while (chan->unacked_frames > 0 && 1298 chan->state == BT_CONNECTED); 1299 1300 set_current_state(TASK_RUNNING); 1301 remove_wait_queue(sk_sleep(sk), &wait); 1302 return err; 1303} 1304 1305static int l2cap_sock_shutdown(struct socket *sock, int how) 1306{ 1307 struct sock *sk = sock->sk; 1308 struct l2cap_chan *chan; 1309 struct l2cap_conn *conn; 1310 int err = 0; 1311 1312 BT_DBG("sock %p, sk %p, how %d", sock, sk, how); 1313 1314 /* 'how' parameter is mapped to sk_shutdown as follows: 1315 * SHUT_RD (0) --> RCV_SHUTDOWN (1) 1316 * SHUT_WR (1) --> SEND_SHUTDOWN (2) 1317 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3) 1318 */ 1319 how++; 1320 1321 if (!sk) 1322 return 0; 1323 1324 lock_sock(sk); 1325 1326 if ((sk->sk_shutdown & how) == how) 1327 goto shutdown_already; 1328 1329 BT_DBG("Handling sock shutdown"); 1330 1331 /* prevent sk structure from being freed whilst unlocked */ 1332 sock_hold(sk); 1333 1334 chan = l2cap_pi(sk)->chan; 1335 /* prevent chan structure from being freed whilst unlocked */ 1336 l2cap_chan_hold(chan); 1337 1338 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 1339 1340 if (chan->mode == L2CAP_MODE_ERTM && 1341 chan->unacked_frames > 0 && 1342 chan->state == BT_CONNECTED) { 1343 err = __l2cap_wait_ack(sk, chan); 1344 1345 /* After waiting for ACKs, check whether shutdown 1346 * has already been actioned to close the L2CAP 1347 * link such as by l2cap_disconnection_req(). 1348 */ 1349 if ((sk->sk_shutdown & how) == how) 1350 goto shutdown_matched; 1351 } 1352 1353 /* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN 1354 * is already set 1355 */ 1356 if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) { 1357 sk->sk_shutdown |= RCV_SHUTDOWN; 1358 if ((sk->sk_shutdown & how) == how) 1359 goto shutdown_matched; 1360 } 1361 1362 sk->sk_shutdown |= SEND_SHUTDOWN; 1363 release_sock(sk); 1364 1365 l2cap_chan_lock(chan); 1366 conn = chan->conn; 1367 if (conn) 1368 /* prevent conn structure from being freed */ 1369 l2cap_conn_get(conn); 1370 l2cap_chan_unlock(chan); 1371 1372 if (conn) 1373 /* mutex lock must be taken before l2cap_chan_lock() */ 1374 mutex_lock(&conn->chan_lock); 1375 1376 l2cap_chan_lock(chan); 1377 l2cap_chan_close(chan, 0); 1378 l2cap_chan_unlock(chan); 1379 1380 if (conn) { 1381 mutex_unlock(&conn->chan_lock); 1382 l2cap_conn_put(conn); 1383 } 1384 1385 lock_sock(sk); 1386 1387 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime && 1388 !(current->flags & PF_EXITING)) 1389 err = bt_sock_wait_state(sk, BT_CLOSED, 1390 sk->sk_lingertime); 1391 1392shutdown_matched: 1393 l2cap_chan_put(chan); 1394 sock_put(sk); 1395 1396shutdown_already: 1397 if (!err && sk->sk_err) 1398 err = -sk->sk_err; 1399 1400 release_sock(sk); 1401 1402 BT_DBG("Sock shutdown complete err: %d", err); 1403 1404 return err; 1405} 1406 1407static int l2cap_sock_release(struct socket *sock) 1408{ 1409 struct sock *sk = sock->sk; 1410 int err; 1411 struct l2cap_chan *chan; 1412 1413 BT_DBG("sock %p, sk %p", sock, sk); 1414 1415 if (!sk) 1416 return 0; 1417 1418 bt_sock_unlink(&l2cap_sk_list, sk); 1419 1420 err = l2cap_sock_shutdown(sock, SHUT_RDWR); 1421 chan = l2cap_pi(sk)->chan; 1422 1423 l2cap_chan_hold(chan); 1424 l2cap_chan_lock(chan); 1425 1426 sock_orphan(sk); 1427 l2cap_sock_kill(sk); 1428 1429 l2cap_chan_unlock(chan); 1430 l2cap_chan_put(chan); 1431 1432 return err; 1433} 1434 1435static void l2cap_sock_cleanup_listen(struct sock *parent) 1436{ 1437 struct sock *sk; 1438 1439 BT_DBG("parent %p state %s", parent, 1440 state_to_string(parent->sk_state)); 1441 1442 /* Close not yet accepted channels */ 1443 while ((sk = bt_accept_dequeue(parent, NULL))) { 1444 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1445 1446 BT_DBG("child chan %p state %s", chan, 1447 state_to_string(chan->state)); 1448 1449 l2cap_chan_hold(chan); 1450 l2cap_chan_lock(chan); 1451 1452 __clear_chan_timer(chan); 1453 l2cap_chan_close(chan, ECONNRESET); 1454 l2cap_sock_kill(sk); 1455 1456 l2cap_chan_unlock(chan); 1457 l2cap_chan_put(chan); 1458 } 1459} 1460 1461static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan) 1462{ 1463 struct sock *sk, *parent = chan->data; 1464 1465 lock_sock(parent); 1466 1467 /* Check for backlog size */ 1468 if (sk_acceptq_is_full(parent)) { 1469 BT_DBG("backlog full %d", parent->sk_ack_backlog); 1470 release_sock(parent); 1471 return NULL; 1472 } 1473 1474 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, 1475 GFP_ATOMIC, 0); 1476 if (!sk) { 1477 release_sock(parent); 1478 return NULL; 1479 } 1480 1481 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP); 1482 1483 l2cap_sock_init(sk, parent); 1484 1485 bt_accept_enqueue(parent, sk, false); 1486 1487 release_sock(parent); 1488 1489 return l2cap_pi(sk)->chan; 1490} 1491 1492static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) 1493{ 1494 struct sock *sk = chan->data; 1495 int err; 1496 1497 lock_sock(sk); 1498 1499 if (l2cap_pi(sk)->rx_busy_skb) { 1500 err = -ENOMEM; 1501 goto done; 1502 } 1503 1504 if (chan->mode != L2CAP_MODE_ERTM && 1505 chan->mode != L2CAP_MODE_STREAMING) { 1506 /* Even if no filter is attached, we could potentially 1507 * get errors from security modules, etc. 1508 */ 1509 err = sk_filter(sk, skb); 1510 if (err) 1511 goto done; 1512 } 1513 1514 err = __sock_queue_rcv_skb(sk, skb); 1515 1516 /* For ERTM, handle one skb that doesn't fit into the recv 1517 * buffer. This is important to do because the data frames 1518 * have already been acked, so the skb cannot be discarded. 1519 * 1520 * Notify the l2cap core that the buffer is full, so the 1521 * LOCAL_BUSY state is entered and no more frames are 1522 * acked and reassembled until there is buffer space 1523 * available. 1524 */ 1525 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) { 1526 l2cap_pi(sk)->rx_busy_skb = skb; 1527 l2cap_chan_busy(chan, 1); 1528 err = 0; 1529 } 1530 1531done: 1532 release_sock(sk); 1533 1534 return err; 1535} 1536 1537static void l2cap_sock_close_cb(struct l2cap_chan *chan) 1538{ 1539 struct sock *sk = chan->data; 1540 1541 if (!sk) 1542 return; 1543 1544 l2cap_sock_kill(sk); 1545} 1546 1547static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err) 1548{ 1549 struct sock *sk = chan->data; 1550 struct sock *parent; 1551 1552 if (!sk) 1553 return; 1554 1555 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 1556 1557 /* This callback can be called both for server (BT_LISTEN) 1558 * sockets as well as "normal" ones. To avoid lockdep warnings 1559 * with child socket locking (through l2cap_sock_cleanup_listen) 1560 * we need separation into separate nesting levels. The simplest 1561 * way to accomplish this is to inherit the nesting level used 1562 * for the channel. 1563 */ 1564 lock_sock_nested(sk, atomic_read(&chan->nesting)); 1565 1566 parent = bt_sk(sk)->parent; 1567 1568 switch (chan->state) { 1569 case BT_OPEN: 1570 case BT_BOUND: 1571 case BT_CLOSED: 1572 break; 1573 case BT_LISTEN: 1574 l2cap_sock_cleanup_listen(sk); 1575 sk->sk_state = BT_CLOSED; 1576 chan->state = BT_CLOSED; 1577 1578 break; 1579 default: 1580 sk->sk_state = BT_CLOSED; 1581 chan->state = BT_CLOSED; 1582 1583 sk->sk_err = err; 1584 1585 if (parent) { 1586 bt_accept_unlink(sk); 1587 parent->sk_data_ready(parent); 1588 } else { 1589 sk->sk_state_change(sk); 1590 } 1591 1592 break; 1593 } 1594 release_sock(sk); 1595 1596 /* Only zap after cleanup to avoid use after free race */ 1597 sock_set_flag(sk, SOCK_ZAPPED); 1598 1599} 1600 1601static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state, 1602 int err) 1603{ 1604 struct sock *sk = chan->data; 1605 1606 sk->sk_state = state; 1607 1608 if (err) 1609 sk->sk_err = err; 1610} 1611 1612static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan, 1613 unsigned long hdr_len, 1614 unsigned long len, int nb) 1615{ 1616 struct sock *sk = chan->data; 1617 struct sk_buff *skb; 1618 int err; 1619 1620 l2cap_chan_unlock(chan); 1621 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err); 1622 l2cap_chan_lock(chan); 1623 1624 if (!skb) 1625 return ERR_PTR(err); 1626 1627 skb->priority = sk->sk_priority; 1628 1629 bt_cb(skb)->l2cap.chan = chan; 1630 1631 return skb; 1632} 1633 1634static void l2cap_sock_ready_cb(struct l2cap_chan *chan) 1635{ 1636 struct sock *sk = chan->data; 1637 struct sock *parent; 1638 1639 lock_sock(sk); 1640 1641 parent = bt_sk(sk)->parent; 1642 1643 BT_DBG("sk %p, parent %p", sk, parent); 1644 1645 sk->sk_state = BT_CONNECTED; 1646 sk->sk_state_change(sk); 1647 1648 if (parent) 1649 parent->sk_data_ready(parent); 1650 1651 release_sock(sk); 1652} 1653 1654static void l2cap_sock_defer_cb(struct l2cap_chan *chan) 1655{ 1656 struct sock *parent, *sk = chan->data; 1657 1658 lock_sock(sk); 1659 1660 parent = bt_sk(sk)->parent; 1661 if (parent) 1662 parent->sk_data_ready(parent); 1663 1664 release_sock(sk); 1665} 1666 1667static void l2cap_sock_resume_cb(struct l2cap_chan *chan) 1668{ 1669 struct sock *sk = chan->data; 1670 1671 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) { 1672 sk->sk_state = BT_CONNECTED; 1673 chan->state = BT_CONNECTED; 1674 } 1675 1676 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 1677 sk->sk_state_change(sk); 1678} 1679 1680static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan) 1681{ 1682 struct sock *sk = chan->data; 1683 1684 lock_sock(sk); 1685 sk->sk_shutdown = SHUTDOWN_MASK; 1686 release_sock(sk); 1687} 1688 1689static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan) 1690{ 1691 struct sock *sk = chan->data; 1692 1693 return sk->sk_sndtimeo; 1694} 1695 1696static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan) 1697{ 1698 struct sock *sk = chan->data; 1699 1700 return sk->sk_peer_pid; 1701} 1702 1703static void l2cap_sock_suspend_cb(struct l2cap_chan *chan) 1704{ 1705 struct sock *sk = chan->data; 1706 1707 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 1708 sk->sk_state_change(sk); 1709} 1710 1711static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb) 1712{ 1713 struct sock *sk = chan->data; 1714 1715 switch (chan->mode) { 1716 case L2CAP_MODE_ERTM: 1717 case L2CAP_MODE_STREAMING: 1718 return sk_filter(sk, skb); 1719 } 1720 1721 return 0; 1722} 1723 1724static const struct l2cap_ops l2cap_chan_ops = { 1725 .name = "L2CAP Socket Interface", 1726 .new_connection = l2cap_sock_new_connection_cb, 1727 .recv = l2cap_sock_recv_cb, 1728 .close = l2cap_sock_close_cb, 1729 .teardown = l2cap_sock_teardown_cb, 1730 .state_change = l2cap_sock_state_change_cb, 1731 .ready = l2cap_sock_ready_cb, 1732 .defer = l2cap_sock_defer_cb, 1733 .resume = l2cap_sock_resume_cb, 1734 .suspend = l2cap_sock_suspend_cb, 1735 .set_shutdown = l2cap_sock_set_shutdown_cb, 1736 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb, 1737 .get_peer_pid = l2cap_sock_get_peer_pid_cb, 1738 .alloc_skb = l2cap_sock_alloc_skb_cb, 1739 .filter = l2cap_sock_filter, 1740}; 1741 1742static void l2cap_sock_destruct(struct sock *sk) 1743{ 1744 BT_DBG("sk %p", sk); 1745 1746 if (l2cap_pi(sk)->chan) { 1747 l2cap_pi(sk)->chan->data = NULL; 1748 l2cap_chan_put(l2cap_pi(sk)->chan); 1749 } 1750 1751 if (l2cap_pi(sk)->rx_busy_skb) { 1752 kfree_skb(l2cap_pi(sk)->rx_busy_skb); 1753 l2cap_pi(sk)->rx_busy_skb = NULL; 1754 } 1755 1756 skb_queue_purge(&sk->sk_receive_queue); 1757 skb_queue_purge(&sk->sk_write_queue); 1758} 1759 1760static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name, 1761 int *msg_namelen) 1762{ 1763 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name); 1764 1765 memset(la, 0, sizeof(struct sockaddr_l2)); 1766 la->l2_family = AF_BLUETOOTH; 1767 la->l2_psm = bt_cb(skb)->l2cap.psm; 1768 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr); 1769 1770 *msg_namelen = sizeof(struct sockaddr_l2); 1771} 1772 1773static void l2cap_sock_init(struct sock *sk, struct sock *parent) 1774{ 1775 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1776 1777 BT_DBG("sk %p", sk); 1778 1779 if (parent) { 1780 struct l2cap_chan *pchan = l2cap_pi(parent)->chan; 1781 1782 sk->sk_type = parent->sk_type; 1783 bt_sk(sk)->flags = bt_sk(parent)->flags; 1784 1785 chan->chan_type = pchan->chan_type; 1786 chan->imtu = pchan->imtu; 1787 chan->omtu = pchan->omtu; 1788 chan->conf_state = pchan->conf_state; 1789 chan->mode = pchan->mode; 1790 chan->fcs = pchan->fcs; 1791 chan->max_tx = pchan->max_tx; 1792 chan->tx_win = pchan->tx_win; 1793 chan->tx_win_max = pchan->tx_win_max; 1794 chan->sec_level = pchan->sec_level; 1795 chan->flags = pchan->flags; 1796 chan->tx_credits = pchan->tx_credits; 1797 chan->rx_credits = pchan->rx_credits; 1798 1799 if (chan->chan_type == L2CAP_CHAN_FIXED) { 1800 chan->scid = pchan->scid; 1801 chan->dcid = pchan->scid; 1802 } 1803 1804 security_sk_clone(parent, sk); 1805 } else { 1806 switch (sk->sk_type) { 1807 case SOCK_RAW: 1808 chan->chan_type = L2CAP_CHAN_RAW; 1809 break; 1810 case SOCK_DGRAM: 1811 chan->chan_type = L2CAP_CHAN_CONN_LESS; 1812 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name; 1813 break; 1814 case SOCK_SEQPACKET: 1815 case SOCK_STREAM: 1816 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED; 1817 break; 1818 } 1819 1820 chan->imtu = L2CAP_DEFAULT_MTU; 1821 chan->omtu = 0; 1822 if (!disable_ertm && sk->sk_type == SOCK_STREAM) { 1823 chan->mode = L2CAP_MODE_ERTM; 1824 set_bit(CONF_STATE2_DEVICE, &chan->conf_state); 1825 } else { 1826 chan->mode = L2CAP_MODE_BASIC; 1827 } 1828 1829 l2cap_chan_set_defaults(chan); 1830 } 1831 1832 /* Default config options */ 1833 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO; 1834 1835 chan->data = sk; 1836 chan->ops = &l2cap_chan_ops; 1837} 1838 1839static struct proto l2cap_proto = { 1840 .name = "L2CAP", 1841 .owner = THIS_MODULE, 1842 .obj_size = sizeof(struct l2cap_pinfo) 1843}; 1844 1845static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, 1846 int proto, gfp_t prio, int kern) 1847{ 1848 struct sock *sk; 1849 struct l2cap_chan *chan; 1850 1851 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern); 1852 if (!sk) 1853 return NULL; 1854 1855 sock_init_data(sock, sk); 1856 INIT_LIST_HEAD(&bt_sk(sk)->accept_q); 1857 1858 sk->sk_destruct = l2cap_sock_destruct; 1859 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT; 1860 1861 sock_reset_flag(sk, SOCK_ZAPPED); 1862 1863 sk->sk_protocol = proto; 1864 sk->sk_state = BT_OPEN; 1865 1866 chan = l2cap_chan_create(); 1867 if (!chan) { 1868 sk_free(sk); 1869 return NULL; 1870 } 1871 1872 l2cap_chan_hold(chan); 1873 1874 l2cap_pi(sk)->chan = chan; 1875 1876 return sk; 1877} 1878 1879static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol, 1880 int kern) 1881{ 1882 struct sock *sk; 1883 1884 BT_DBG("sock %p", sock); 1885 1886 sock->state = SS_UNCONNECTED; 1887 1888 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM && 1889 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW) 1890 return -ESOCKTNOSUPPORT; 1891 1892 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW)) 1893 return -EPERM; 1894 1895 sock->ops = &l2cap_sock_ops; 1896 1897 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern); 1898 if (!sk) 1899 return -ENOMEM; 1900 1901 l2cap_sock_init(sk, NULL); 1902 bt_sock_link(&l2cap_sk_list, sk); 1903 return 0; 1904} 1905 1906static const struct proto_ops l2cap_sock_ops = { 1907 .family = PF_BLUETOOTH, 1908 .owner = THIS_MODULE, 1909 .release = l2cap_sock_release, 1910 .bind = l2cap_sock_bind, 1911 .connect = l2cap_sock_connect, 1912 .listen = l2cap_sock_listen, 1913 .accept = l2cap_sock_accept, 1914 .getname = l2cap_sock_getname, 1915 .sendmsg = l2cap_sock_sendmsg, 1916 .recvmsg = l2cap_sock_recvmsg, 1917 .poll = bt_sock_poll, 1918 .ioctl = bt_sock_ioctl, 1919 .gettstamp = sock_gettstamp, 1920 .mmap = sock_no_mmap, 1921 .socketpair = sock_no_socketpair, 1922 .shutdown = l2cap_sock_shutdown, 1923 .setsockopt = l2cap_sock_setsockopt, 1924 .getsockopt = l2cap_sock_getsockopt 1925}; 1926 1927static const struct net_proto_family l2cap_sock_family_ops = { 1928 .family = PF_BLUETOOTH, 1929 .owner = THIS_MODULE, 1930 .create = l2cap_sock_create, 1931}; 1932 1933int __init l2cap_init_sockets(void) 1934{ 1935 int err; 1936 1937 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr)); 1938 1939 err = proto_register(&l2cap_proto, 0); 1940 if (err < 0) 1941 return err; 1942 1943 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops); 1944 if (err < 0) { 1945 BT_ERR("L2CAP socket registration failed"); 1946 goto error; 1947 } 1948 1949 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list, 1950 NULL); 1951 if (err < 0) { 1952 BT_ERR("Failed to create L2CAP proc file"); 1953 bt_sock_unregister(BTPROTO_L2CAP); 1954 goto error; 1955 } 1956 1957 BT_INFO("L2CAP socket layer initialized"); 1958 1959 return 0; 1960 1961error: 1962 proto_unregister(&l2cap_proto); 1963 return err; 1964} 1965 1966void l2cap_cleanup_sockets(void) 1967{ 1968 bt_procfs_cleanup(&init_net, "l2cap"); 1969 bt_sock_unregister(BTPROTO_L2CAP); 1970 proto_unregister(&l2cap_proto); 1971}