1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
26 */
27
28 /* Bluetooth L2CAP sockets. */
29
30 #include <linux/module.h>
31 #include <linux/export.h>
32 #include <linux/filter.h>
33 #include <linux/sched/signal.h>
34
35 #include <net/bluetooth/bluetooth.h>
36 #include <net/bluetooth/hci_core.h>
37 #include <net/bluetooth/l2cap.h>
38
39 #include "smp.h"
40
41 static struct bt_sock_list l2cap_sk_list = {
42 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
43 };
44
45 static const struct proto_ops l2cap_sock_ops;
46 static void l2cap_sock_init(struct sock *sk, struct sock *parent);
47 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
48 int proto, gfp_t prio, int kern);
49 static void l2cap_sock_cleanup_listen(struct sock *parent);
50
l2cap_is_socket(struct socket * sock)51 bool l2cap_is_socket(struct socket *sock)
52 {
53 return sock && sock->ops == &l2cap_sock_ops;
54 }
55 EXPORT_SYMBOL(l2cap_is_socket);
56
l2cap_validate_bredr_psm(u16 psm)57 static int l2cap_validate_bredr_psm(u16 psm)
58 {
59 /* PSM must be odd and lsb of upper byte must be 0 */
60 if ((psm & 0x0101) != 0x0001)
61 return -EINVAL;
62
63 /* Restrict usage of well-known PSMs */
64 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
65 return -EACCES;
66
67 return 0;
68 }
69
l2cap_validate_le_psm(u16 psm)70 static int l2cap_validate_le_psm(u16 psm)
71 {
72 /* Valid LE_PSM ranges are defined only until 0x00ff */
73 if (psm > L2CAP_PSM_LE_DYN_END)
74 return -EINVAL;
75
76 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
77 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
78 return -EACCES;
79
80 return 0;
81 }
82
l2cap_sock_bind(struct socket * sock,struct sockaddr * addr,int alen)83 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
84 {
85 struct sock *sk = sock->sk;
86 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
87 struct sockaddr_l2 la;
88 int len, err = 0;
89
90 BT_DBG("sk %p", sk);
91
92 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
93 addr->sa_family != AF_BLUETOOTH)
94 return -EINVAL;
95
96 memset(&la, 0, sizeof(la));
97 len = min_t(unsigned int, sizeof(la), alen);
98 memcpy(&la, addr, len);
99
100 if (la.l2_cid && la.l2_psm)
101 return -EINVAL;
102
103 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
104 return -EINVAL;
105
106 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
107 /* We only allow ATT user space socket */
108 if (la.l2_cid &&
109 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
110 return -EINVAL;
111 }
112
113 lock_sock(sk);
114
115 if (sk->sk_state != BT_OPEN) {
116 err = -EBADFD;
117 goto done;
118 }
119
120 if (la.l2_psm) {
121 __u16 psm = __le16_to_cpu(la.l2_psm);
122
123 if (la.l2_bdaddr_type == BDADDR_BREDR)
124 err = l2cap_validate_bredr_psm(psm);
125 else
126 err = l2cap_validate_le_psm(psm);
127
128 if (err)
129 goto done;
130 }
131
132 bacpy(&chan->src, &la.l2_bdaddr);
133 chan->src_type = la.l2_bdaddr_type;
134
135 if (la.l2_cid)
136 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
137 else
138 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
139
140 if (err < 0)
141 goto done;
142
143 switch (chan->chan_type) {
144 case L2CAP_CHAN_CONN_LESS:
145 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
146 chan->sec_level = BT_SECURITY_SDP;
147 break;
148 case L2CAP_CHAN_CONN_ORIENTED:
149 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
150 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
151 chan->sec_level = BT_SECURITY_SDP;
152 break;
153 case L2CAP_CHAN_RAW:
154 chan->sec_level = BT_SECURITY_SDP;
155 break;
156 case L2CAP_CHAN_FIXED:
157 /* Fixed channels default to the L2CAP core not holding a
158 * hci_conn reference for them. For fixed channels mapping to
159 * L2CAP sockets we do want to hold a reference so set the
160 * appropriate flag to request it.
161 */
162 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
163 break;
164 }
165
166 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
167 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
168 */
169 if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
170 chan->mode != L2CAP_MODE_EXT_FLOWCTL)
171 chan->mode = L2CAP_MODE_LE_FLOWCTL;
172
173 chan->state = BT_BOUND;
174 sk->sk_state = BT_BOUND;
175
176 done:
177 release_sock(sk);
178 return err;
179 }
180
l2cap_sock_connect(struct socket * sock,struct sockaddr * addr,int alen,int flags)181 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
182 int alen, int flags)
183 {
184 struct sock *sk = sock->sk;
185 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
186 struct sockaddr_l2 la;
187 int len, err = 0;
188 bool zapped;
189
190 BT_DBG("sk %p", sk);
191
192 lock_sock(sk);
193 zapped = sock_flag(sk, SOCK_ZAPPED);
194 release_sock(sk);
195
196 if (zapped)
197 return -EINVAL;
198
199 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
200 addr->sa_family != AF_BLUETOOTH)
201 return -EINVAL;
202
203 memset(&la, 0, sizeof(la));
204 len = min_t(unsigned int, sizeof(la), alen);
205 memcpy(&la, addr, len);
206
207 if (la.l2_cid && la.l2_psm)
208 return -EINVAL;
209
210 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
211 return -EINVAL;
212
213 /* Check that the socket wasn't bound to something that
214 * conflicts with the address given to connect(). If chan->src
215 * is BDADDR_ANY it means bind() was never used, in which case
216 * chan->src_type and la.l2_bdaddr_type do not need to match.
217 */
218 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
219 bdaddr_type_is_le(la.l2_bdaddr_type)) {
220 /* Old user space versions will try to incorrectly bind
221 * the ATT socket using BDADDR_BREDR. We need to accept
222 * this and fix up the source address type only when
223 * both the source CID and destination CID indicate
224 * ATT. Anything else is an invalid combination.
225 */
226 if (chan->scid != L2CAP_CID_ATT ||
227 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
228 return -EINVAL;
229
230 /* We don't have the hdev available here to make a
231 * better decision on random vs public, but since all
232 * user space versions that exhibit this issue anyway do
233 * not support random local addresses assuming public
234 * here is good enough.
235 */
236 chan->src_type = BDADDR_LE_PUBLIC;
237 }
238
239 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
240 return -EINVAL;
241
242 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
243 /* We only allow ATT user space socket */
244 if (la.l2_cid &&
245 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
246 return -EINVAL;
247 }
248
249 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
250 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
251 */
252 if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
253 chan->mode != L2CAP_MODE_EXT_FLOWCTL)
254 chan->mode = L2CAP_MODE_LE_FLOWCTL;
255
256 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
257 &la.l2_bdaddr, la.l2_bdaddr_type);
258 if (err)
259 return err;
260
261 lock_sock(sk);
262
263 err = bt_sock_wait_state(sk, BT_CONNECTED,
264 sock_sndtimeo(sk, flags & O_NONBLOCK));
265
266 release_sock(sk);
267
268 return err;
269 }
270
l2cap_sock_listen(struct socket * sock,int backlog)271 static int l2cap_sock_listen(struct socket *sock, int backlog)
272 {
273 struct sock *sk = sock->sk;
274 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
275 int err = 0;
276
277 BT_DBG("sk %p backlog %d", sk, backlog);
278
279 lock_sock(sk);
280
281 if (sk->sk_state != BT_BOUND) {
282 err = -EBADFD;
283 goto done;
284 }
285
286 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
287 err = -EINVAL;
288 goto done;
289 }
290
291 switch (chan->mode) {
292 case L2CAP_MODE_BASIC:
293 case L2CAP_MODE_LE_FLOWCTL:
294 break;
295 case L2CAP_MODE_EXT_FLOWCTL:
296 if (!enable_ecred) {
297 err = -EOPNOTSUPP;
298 goto done;
299 }
300 break;
301 case L2CAP_MODE_ERTM:
302 case L2CAP_MODE_STREAMING:
303 if (!disable_ertm)
304 break;
305 fallthrough;
306 default:
307 err = -EOPNOTSUPP;
308 goto done;
309 }
310
311 sk->sk_max_ack_backlog = backlog;
312 sk->sk_ack_backlog = 0;
313
314 /* Listening channels need to use nested locking in order not to
315 * cause lockdep warnings when the created child channels end up
316 * being locked in the same thread as the parent channel.
317 */
318 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
319
320 chan->state = BT_LISTEN;
321 sk->sk_state = BT_LISTEN;
322
323 done:
324 release_sock(sk);
325 return err;
326 }
327
l2cap_sock_accept(struct socket * sock,struct socket * newsock,int flags,bool kern)328 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
329 int flags, bool kern)
330 {
331 DEFINE_WAIT_FUNC(wait, woken_wake_function);
332 struct sock *sk = sock->sk, *nsk;
333 long timeo;
334 int err = 0;
335
336 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
337
338 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
339
340 BT_DBG("sk %p timeo %ld", sk, timeo);
341
342 /* Wait for an incoming connection. (wake-one). */
343 add_wait_queue_exclusive(sk_sleep(sk), &wait);
344 while (1) {
345 if (sk->sk_state != BT_LISTEN) {
346 err = -EBADFD;
347 break;
348 }
349
350 nsk = bt_accept_dequeue(sk, newsock);
351 if (nsk)
352 break;
353
354 if (!timeo) {
355 err = -EAGAIN;
356 break;
357 }
358
359 if (signal_pending(current)) {
360 err = sock_intr_errno(timeo);
361 break;
362 }
363
364 release_sock(sk);
365
366 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
367
368 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
369 }
370 remove_wait_queue(sk_sleep(sk), &wait);
371
372 if (err)
373 goto done;
374
375 newsock->state = SS_CONNECTED;
376
377 BT_DBG("new socket %p", nsk);
378
379 done:
380 release_sock(sk);
381 return err;
382 }
383
l2cap_sock_getname(struct socket * sock,struct sockaddr * addr,int peer)384 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
385 int peer)
386 {
387 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
388 struct sock *sk = sock->sk;
389 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
390
391 BT_DBG("sock %p, sk %p", sock, sk);
392
393 if (peer && sk->sk_state != BT_CONNECTED &&
394 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
395 sk->sk_state != BT_CONFIG)
396 return -ENOTCONN;
397
398 memset(la, 0, sizeof(struct sockaddr_l2));
399 addr->sa_family = AF_BLUETOOTH;
400
401 la->l2_psm = chan->psm;
402
403 if (peer) {
404 bacpy(&la->l2_bdaddr, &chan->dst);
405 la->l2_cid = cpu_to_le16(chan->dcid);
406 la->l2_bdaddr_type = chan->dst_type;
407 } else {
408 bacpy(&la->l2_bdaddr, &chan->src);
409 la->l2_cid = cpu_to_le16(chan->scid);
410 la->l2_bdaddr_type = chan->src_type;
411 }
412
413 return sizeof(struct sockaddr_l2);
414 }
415
l2cap_get_mode(struct l2cap_chan * chan)416 static int l2cap_get_mode(struct l2cap_chan *chan)
417 {
418 switch (chan->mode) {
419 case L2CAP_MODE_BASIC:
420 return BT_MODE_BASIC;
421 case L2CAP_MODE_ERTM:
422 return BT_MODE_ERTM;
423 case L2CAP_MODE_STREAMING:
424 return BT_MODE_STREAMING;
425 case L2CAP_MODE_LE_FLOWCTL:
426 return BT_MODE_LE_FLOWCTL;
427 case L2CAP_MODE_EXT_FLOWCTL:
428 return BT_MODE_EXT_FLOWCTL;
429 }
430
431 return -EINVAL;
432 }
433
l2cap_sock_getsockopt_old(struct socket * sock,int optname,char __user * optval,int __user * optlen)434 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
435 char __user *optval, int __user *optlen)
436 {
437 struct sock *sk = sock->sk;
438 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
439 struct l2cap_options opts;
440 struct l2cap_conninfo cinfo;
441 int err = 0;
442 size_t len;
443 u32 opt;
444
445 BT_DBG("sk %p", sk);
446
447 if (get_user(len, optlen))
448 return -EFAULT;
449
450 lock_sock(sk);
451
452 switch (optname) {
453 case L2CAP_OPTIONS:
454 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
455 * legacy ATT code depends on getsockopt for
456 * L2CAP_OPTIONS we need to let this pass.
457 */
458 if (bdaddr_type_is_le(chan->src_type) &&
459 chan->scid != L2CAP_CID_ATT) {
460 err = -EINVAL;
461 break;
462 }
463
464 /* Only BR/EDR modes are supported here */
465 switch (chan->mode) {
466 case L2CAP_MODE_BASIC:
467 case L2CAP_MODE_ERTM:
468 case L2CAP_MODE_STREAMING:
469 break;
470 default:
471 err = -EINVAL;
472 break;
473 }
474
475 if (err < 0)
476 break;
477
478 memset(&opts, 0, sizeof(opts));
479 opts.imtu = chan->imtu;
480 opts.omtu = chan->omtu;
481 opts.flush_to = chan->flush_to;
482 opts.mode = chan->mode;
483 opts.fcs = chan->fcs;
484 opts.max_tx = chan->max_tx;
485 opts.txwin_size = chan->tx_win;
486
487 BT_DBG("mode 0x%2.2x", chan->mode);
488
489 len = min(len, sizeof(opts));
490 if (copy_to_user(optval, (char *) &opts, len))
491 err = -EFAULT;
492
493 break;
494
495 case L2CAP_LM:
496 switch (chan->sec_level) {
497 case BT_SECURITY_LOW:
498 opt = L2CAP_LM_AUTH;
499 break;
500 case BT_SECURITY_MEDIUM:
501 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
502 break;
503 case BT_SECURITY_HIGH:
504 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
505 L2CAP_LM_SECURE;
506 break;
507 case BT_SECURITY_FIPS:
508 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
509 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
510 break;
511 default:
512 opt = 0;
513 break;
514 }
515
516 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
517 opt |= L2CAP_LM_MASTER;
518
519 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
520 opt |= L2CAP_LM_RELIABLE;
521
522 if (put_user(opt, (u32 __user *) optval))
523 err = -EFAULT;
524
525 break;
526
527 case L2CAP_CONNINFO:
528 if (sk->sk_state != BT_CONNECTED &&
529 !(sk->sk_state == BT_CONNECT2 &&
530 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
531 err = -ENOTCONN;
532 break;
533 }
534
535 memset(&cinfo, 0, sizeof(cinfo));
536 cinfo.hci_handle = chan->conn->hcon->handle;
537 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
538
539 len = min(len, sizeof(cinfo));
540 if (copy_to_user(optval, (char *) &cinfo, len))
541 err = -EFAULT;
542
543 break;
544
545 default:
546 err = -ENOPROTOOPT;
547 break;
548 }
549
550 release_sock(sk);
551 return err;
552 }
553
l2cap_sock_getsockopt(struct socket * sock,int level,int optname,char __user * optval,int __user * optlen)554 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
555 char __user *optval, int __user *optlen)
556 {
557 struct sock *sk = sock->sk;
558 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
559 struct bt_security sec;
560 struct bt_power pwr;
561 u32 phys;
562 int len, mode, err = 0;
563
564 BT_DBG("sk %p", sk);
565
566 if (level == SOL_L2CAP)
567 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
568
569 if (level != SOL_BLUETOOTH)
570 return -ENOPROTOOPT;
571
572 if (get_user(len, optlen))
573 return -EFAULT;
574
575 lock_sock(sk);
576
577 switch (optname) {
578 case BT_SECURITY:
579 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
580 chan->chan_type != L2CAP_CHAN_FIXED &&
581 chan->chan_type != L2CAP_CHAN_RAW) {
582 err = -EINVAL;
583 break;
584 }
585
586 memset(&sec, 0, sizeof(sec));
587 if (chan->conn) {
588 sec.level = chan->conn->hcon->sec_level;
589
590 if (sk->sk_state == BT_CONNECTED)
591 sec.key_size = chan->conn->hcon->enc_key_size;
592 } else {
593 sec.level = chan->sec_level;
594 }
595
596 len = min_t(unsigned int, len, sizeof(sec));
597 if (copy_to_user(optval, (char *) &sec, len))
598 err = -EFAULT;
599
600 break;
601
602 case BT_DEFER_SETUP:
603 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
604 err = -EINVAL;
605 break;
606 }
607
608 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
609 (u32 __user *) optval))
610 err = -EFAULT;
611
612 break;
613
614 case BT_FLUSHABLE:
615 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
616 (u32 __user *) optval))
617 err = -EFAULT;
618
619 break;
620
621 case BT_POWER:
622 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
623 && sk->sk_type != SOCK_RAW) {
624 err = -EINVAL;
625 break;
626 }
627
628 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
629
630 len = min_t(unsigned int, len, sizeof(pwr));
631 if (copy_to_user(optval, (char *) &pwr, len))
632 err = -EFAULT;
633
634 break;
635
636 case BT_CHANNEL_POLICY:
637 if (put_user(chan->chan_policy, (u32 __user *) optval))
638 err = -EFAULT;
639 break;
640
641 case BT_SNDMTU:
642 if (!bdaddr_type_is_le(chan->src_type)) {
643 err = -EINVAL;
644 break;
645 }
646
647 if (sk->sk_state != BT_CONNECTED) {
648 err = -ENOTCONN;
649 break;
650 }
651
652 if (put_user(chan->omtu, (u16 __user *) optval))
653 err = -EFAULT;
654 break;
655
656 case BT_RCVMTU:
657 if (!bdaddr_type_is_le(chan->src_type)) {
658 err = -EINVAL;
659 break;
660 }
661
662 if (put_user(chan->imtu, (u16 __user *) optval))
663 err = -EFAULT;
664 break;
665
666 case BT_PHY:
667 if (sk->sk_state != BT_CONNECTED) {
668 err = -ENOTCONN;
669 break;
670 }
671
672 phys = hci_conn_get_phy(chan->conn->hcon);
673
674 if (put_user(phys, (u32 __user *) optval))
675 err = -EFAULT;
676 break;
677
678 case BT_MODE:
679 if (!enable_ecred) {
680 err = -ENOPROTOOPT;
681 break;
682 }
683
684 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
685 err = -EINVAL;
686 break;
687 }
688
689 mode = l2cap_get_mode(chan);
690 if (mode < 0) {
691 err = mode;
692 break;
693 }
694
695 if (put_user(mode, (u8 __user *) optval))
696 err = -EFAULT;
697 break;
698
699 default:
700 err = -ENOPROTOOPT;
701 break;
702 }
703
704 release_sock(sk);
705 return err;
706 }
707
l2cap_valid_mtu(struct l2cap_chan * chan,u16 mtu)708 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
709 {
710 switch (chan->scid) {
711 case L2CAP_CID_ATT:
712 if (mtu && mtu < L2CAP_LE_MIN_MTU)
713 return false;
714 break;
715
716 default:
717 if (mtu && mtu < L2CAP_DEFAULT_MIN_MTU)
718 return false;
719 }
720
721 return true;
722 }
723
l2cap_sock_setsockopt_old(struct socket * sock,int optname,sockptr_t optval,unsigned int optlen)724 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
725 sockptr_t optval, unsigned int optlen)
726 {
727 struct sock *sk = sock->sk;
728 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
729 struct l2cap_options opts;
730 int err = 0;
731 u32 opt;
732
733 BT_DBG("sk %p", sk);
734
735 lock_sock(sk);
736
737 switch (optname) {
738 case L2CAP_OPTIONS:
739 if (bdaddr_type_is_le(chan->src_type)) {
740 err = -EINVAL;
741 break;
742 }
743
744 if (sk->sk_state == BT_CONNECTED) {
745 err = -EINVAL;
746 break;
747 }
748
749 opts.imtu = chan->imtu;
750 opts.omtu = chan->omtu;
751 opts.flush_to = chan->flush_to;
752 opts.mode = chan->mode;
753 opts.fcs = chan->fcs;
754 opts.max_tx = chan->max_tx;
755 opts.txwin_size = chan->tx_win;
756
757 err = bt_copy_from_sockptr(&opts, sizeof(opts), optval, optlen);
758 if (err)
759 break;
760
761 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
762 err = -EINVAL;
763 break;
764 }
765
766 if (!l2cap_valid_mtu(chan, opts.imtu)) {
767 err = -EINVAL;
768 break;
769 }
770
771 /* Only BR/EDR modes are supported here */
772 switch (opts.mode) {
773 case L2CAP_MODE_BASIC:
774 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
775 break;
776 case L2CAP_MODE_ERTM:
777 case L2CAP_MODE_STREAMING:
778 if (!disable_ertm)
779 break;
780 fallthrough;
781 default:
782 err = -EINVAL;
783 break;
784 }
785
786 if (err < 0)
787 break;
788
789 chan->mode = opts.mode;
790
791 BT_DBG("mode 0x%2.2x", chan->mode);
792
793 chan->imtu = opts.imtu;
794 chan->omtu = opts.omtu;
795 chan->fcs = opts.fcs;
796 chan->max_tx = opts.max_tx;
797 chan->tx_win = opts.txwin_size;
798 chan->flush_to = opts.flush_to;
799 break;
800
801 case L2CAP_LM:
802 err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
803 if (err)
804 break;
805
806 if (opt & L2CAP_LM_FIPS) {
807 err = -EINVAL;
808 break;
809 }
810
811 if (opt & L2CAP_LM_AUTH)
812 chan->sec_level = BT_SECURITY_LOW;
813 if (opt & L2CAP_LM_ENCRYPT)
814 chan->sec_level = BT_SECURITY_MEDIUM;
815 if (opt & L2CAP_LM_SECURE)
816 chan->sec_level = BT_SECURITY_HIGH;
817
818 if (opt & L2CAP_LM_MASTER)
819 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
820 else
821 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
822
823 if (opt & L2CAP_LM_RELIABLE)
824 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
825 else
826 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
827 break;
828
829 default:
830 err = -ENOPROTOOPT;
831 break;
832 }
833
834 release_sock(sk);
835 return err;
836 }
837
l2cap_set_mode(struct l2cap_chan * chan,u8 mode)838 static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode)
839 {
840 switch (mode) {
841 case BT_MODE_BASIC:
842 if (bdaddr_type_is_le(chan->src_type))
843 return -EINVAL;
844 mode = L2CAP_MODE_BASIC;
845 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
846 break;
847 case BT_MODE_ERTM:
848 if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
849 return -EINVAL;
850 mode = L2CAP_MODE_ERTM;
851 break;
852 case BT_MODE_STREAMING:
853 if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
854 return -EINVAL;
855 mode = L2CAP_MODE_STREAMING;
856 break;
857 case BT_MODE_LE_FLOWCTL:
858 if (!bdaddr_type_is_le(chan->src_type))
859 return -EINVAL;
860 mode = L2CAP_MODE_LE_FLOWCTL;
861 break;
862 case BT_MODE_EXT_FLOWCTL:
863 /* TODO: Add support for ECRED PDUs to BR/EDR */
864 if (!bdaddr_type_is_le(chan->src_type))
865 return -EINVAL;
866 mode = L2CAP_MODE_EXT_FLOWCTL;
867 break;
868 default:
869 return -EINVAL;
870 }
871
872 chan->mode = mode;
873
874 return 0;
875 }
876
l2cap_sock_setsockopt(struct socket * sock,int level,int optname,sockptr_t optval,unsigned int optlen)877 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
878 sockptr_t optval, unsigned int optlen)
879 {
880 struct sock *sk = sock->sk;
881 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
882 struct bt_security sec;
883 struct bt_power pwr;
884 struct l2cap_conn *conn;
885 int err = 0;
886 u32 opt;
887 u16 mtu;
888 u8 mode;
889
890 BT_DBG("sk %p", sk);
891
892 if (level == SOL_L2CAP)
893 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
894
895 if (level != SOL_BLUETOOTH)
896 return -ENOPROTOOPT;
897
898 lock_sock(sk);
899
900 switch (optname) {
901 case BT_SECURITY:
902 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
903 chan->chan_type != L2CAP_CHAN_FIXED &&
904 chan->chan_type != L2CAP_CHAN_RAW) {
905 err = -EINVAL;
906 break;
907 }
908
909 sec.level = BT_SECURITY_LOW;
910
911 err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen);
912 if (err)
913 break;
914
915 if (sec.level < BT_SECURITY_LOW ||
916 sec.level > BT_SECURITY_FIPS) {
917 err = -EINVAL;
918 break;
919 }
920
921 chan->sec_level = sec.level;
922
923 if (!chan->conn)
924 break;
925
926 conn = chan->conn;
927
928 /* change security for LE channels */
929 if (chan->scid == L2CAP_CID_ATT) {
930 if (smp_conn_security(conn->hcon, sec.level)) {
931 err = -EINVAL;
932 break;
933 }
934
935 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
936 sk->sk_state = BT_CONFIG;
937 chan->state = BT_CONFIG;
938
939 /* or for ACL link */
940 } else if ((sk->sk_state == BT_CONNECT2 &&
941 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
942 sk->sk_state == BT_CONNECTED) {
943 if (!l2cap_chan_check_security(chan, true))
944 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
945 else
946 sk->sk_state_change(sk);
947 } else {
948 err = -EINVAL;
949 }
950 break;
951
952 case BT_DEFER_SETUP:
953 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
954 err = -EINVAL;
955 break;
956 }
957
958 err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
959 if (err)
960 break;
961
962 if (opt) {
963 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
964 set_bit(FLAG_DEFER_SETUP, &chan->flags);
965 } else {
966 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
967 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
968 }
969 break;
970
971 case BT_FLUSHABLE:
972 err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
973 if (err)
974 break;
975
976 if (opt > BT_FLUSHABLE_ON) {
977 err = -EINVAL;
978 break;
979 }
980
981 if (opt == BT_FLUSHABLE_OFF) {
982 conn = chan->conn;
983 /* proceed further only when we have l2cap_conn and
984 No Flush support in the LM */
985 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
986 err = -EINVAL;
987 break;
988 }
989 }
990
991 if (opt)
992 set_bit(FLAG_FLUSHABLE, &chan->flags);
993 else
994 clear_bit(FLAG_FLUSHABLE, &chan->flags);
995 break;
996
997 case BT_POWER:
998 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
999 chan->chan_type != L2CAP_CHAN_RAW) {
1000 err = -EINVAL;
1001 break;
1002 }
1003
1004 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
1005
1006 err = bt_copy_from_sockptr(&pwr, sizeof(pwr), optval, optlen);
1007 if (err)
1008 break;
1009
1010 if (pwr.force_active)
1011 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1012 else
1013 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1014 break;
1015
1016 case BT_CHANNEL_POLICY:
1017 err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
1018 if (err)
1019 break;
1020
1021 err = -EOPNOTSUPP;
1022 break;
1023
1024 case BT_SNDMTU:
1025 if (!bdaddr_type_is_le(chan->src_type)) {
1026 err = -EINVAL;
1027 break;
1028 }
1029
1030 /* Setting is not supported as it's the remote side that
1031 * decides this.
1032 */
1033 err = -EPERM;
1034 break;
1035
1036 case BT_RCVMTU:
1037 if (!bdaddr_type_is_le(chan->src_type)) {
1038 err = -EINVAL;
1039 break;
1040 }
1041
1042 if (chan->mode == L2CAP_MODE_LE_FLOWCTL &&
1043 sk->sk_state == BT_CONNECTED) {
1044 err = -EISCONN;
1045 break;
1046 }
1047
1048 err = bt_copy_from_sockptr(&mtu, sizeof(mtu), optval, optlen);
1049 if (err)
1050 break;
1051
1052 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
1053 sk->sk_state == BT_CONNECTED)
1054 err = l2cap_chan_reconfigure(chan, mtu);
1055 else
1056 chan->imtu = mtu;
1057
1058 break;
1059
1060 case BT_MODE:
1061 if (!enable_ecred) {
1062 err = -ENOPROTOOPT;
1063 break;
1064 }
1065
1066 BT_DBG("sk->sk_state %u", sk->sk_state);
1067
1068 if (sk->sk_state != BT_BOUND) {
1069 err = -EINVAL;
1070 break;
1071 }
1072
1073 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1074 err = -EINVAL;
1075 break;
1076 }
1077
1078 err = bt_copy_from_sockptr(&mode, sizeof(mode), optval, optlen);
1079 if (err)
1080 break;
1081
1082 BT_DBG("mode %u", mode);
1083
1084 err = l2cap_set_mode(chan, mode);
1085 if (err)
1086 break;
1087
1088 BT_DBG("mode 0x%2.2x", chan->mode);
1089
1090 break;
1091
1092 default:
1093 err = -ENOPROTOOPT;
1094 break;
1095 }
1096
1097 release_sock(sk);
1098 return err;
1099 }
1100
l2cap_sock_sendmsg(struct socket * sock,struct msghdr * msg,size_t len)1101 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1102 size_t len)
1103 {
1104 struct sock *sk = sock->sk;
1105 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1106 int err;
1107
1108 BT_DBG("sock %p, sk %p", sock, sk);
1109
1110 err = sock_error(sk);
1111 if (err)
1112 return err;
1113
1114 if (msg->msg_flags & MSG_OOB)
1115 return -EOPNOTSUPP;
1116
1117 if (sk->sk_state != BT_CONNECTED)
1118 return -ENOTCONN;
1119
1120 lock_sock(sk);
1121 err = bt_sock_wait_ready(sk, msg->msg_flags);
1122 release_sock(sk);
1123 if (err)
1124 return err;
1125
1126 l2cap_chan_lock(chan);
1127 err = l2cap_chan_send(chan, msg, len);
1128 l2cap_chan_unlock(chan);
1129
1130 return err;
1131 }
1132
l2cap_publish_rx_avail(struct l2cap_chan * chan)1133 static void l2cap_publish_rx_avail(struct l2cap_chan *chan)
1134 {
1135 struct sock *sk = chan->data;
1136 ssize_t avail = sk->sk_rcvbuf - atomic_read(&sk->sk_rmem_alloc);
1137 int expected_skbs, skb_overhead;
1138
1139 if (avail <= 0) {
1140 l2cap_chan_rx_avail(chan, 0);
1141 return;
1142 }
1143
1144 if (!chan->mps) {
1145 l2cap_chan_rx_avail(chan, -1);
1146 return;
1147 }
1148
1149 /* Correct available memory by estimated sk_buff overhead.
1150 * This is significant due to small transfer sizes. However, accept
1151 * at least one full packet if receive space is non-zero.
1152 */
1153 expected_skbs = DIV_ROUND_UP(avail, chan->mps);
1154 skb_overhead = expected_skbs * sizeof(struct sk_buff);
1155 if (skb_overhead < avail)
1156 l2cap_chan_rx_avail(chan, avail - skb_overhead);
1157 else
1158 l2cap_chan_rx_avail(chan, -1);
1159 }
1160
l2cap_sock_recvmsg(struct socket * sock,struct msghdr * msg,size_t len,int flags)1161 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1162 size_t len, int flags)
1163 {
1164 struct sock *sk = sock->sk;
1165 struct l2cap_pinfo *pi = l2cap_pi(sk);
1166 int err;
1167
1168 lock_sock(sk);
1169
1170 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
1171 &bt_sk(sk)->flags)) {
1172 if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
1173 sk->sk_state = BT_CONNECTED;
1174 pi->chan->state = BT_CONNECTED;
1175 __l2cap_ecred_conn_rsp_defer(pi->chan);
1176 } else if (bdaddr_type_is_le(pi->chan->src_type)) {
1177 sk->sk_state = BT_CONNECTED;
1178 pi->chan->state = BT_CONNECTED;
1179 __l2cap_le_connect_rsp_defer(pi->chan);
1180 } else {
1181 sk->sk_state = BT_CONFIG;
1182 pi->chan->state = BT_CONFIG;
1183 __l2cap_connect_rsp_defer(pi->chan);
1184 }
1185
1186 err = 0;
1187 goto done;
1188 }
1189
1190 release_sock(sk);
1191
1192 if (sock->type == SOCK_STREAM)
1193 err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1194 else
1195 err = bt_sock_recvmsg(sock, msg, len, flags);
1196
1197 if (pi->chan->mode != L2CAP_MODE_ERTM &&
1198 pi->chan->mode != L2CAP_MODE_LE_FLOWCTL &&
1199 pi->chan->mode != L2CAP_MODE_EXT_FLOWCTL)
1200 return err;
1201
1202 lock_sock(sk);
1203
1204 l2cap_publish_rx_avail(pi->chan);
1205
1206 /* Attempt to put pending rx data in the socket buffer */
1207 while (!list_empty(&pi->rx_busy)) {
1208 struct l2cap_rx_busy *rx_busy =
1209 list_first_entry(&pi->rx_busy,
1210 struct l2cap_rx_busy,
1211 list);
1212 if (__sock_queue_rcv_skb(sk, rx_busy->skb) < 0)
1213 goto done;
1214 list_del(&rx_busy->list);
1215 kfree(rx_busy);
1216 }
1217
1218 /* Restore data flow when half of the receive buffer is
1219 * available. This avoids resending large numbers of
1220 * frames.
1221 */
1222 if (test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state) &&
1223 atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1224 l2cap_chan_busy(pi->chan, 0);
1225
1226 done:
1227 release_sock(sk);
1228 return err;
1229 }
1230
1231 /* Kill socket (only if zapped and orphan)
1232 * Must be called on unlocked socket, with l2cap channel lock.
1233 */
l2cap_sock_kill(struct sock * sk)1234 static void l2cap_sock_kill(struct sock *sk)
1235 {
1236 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1237 return;
1238
1239 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1240
1241 /* Sock is dead, so set chan data to NULL, avoid other task use invalid
1242 * sock pointer.
1243 */
1244 l2cap_pi(sk)->chan->data = NULL;
1245 /* Kill poor orphan */
1246
1247 l2cap_chan_put(l2cap_pi(sk)->chan);
1248 sock_set_flag(sk, SOCK_DEAD);
1249 sock_put(sk);
1250 }
1251
__l2cap_wait_ack(struct sock * sk,struct l2cap_chan * chan)1252 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1253 {
1254 DECLARE_WAITQUEUE(wait, current);
1255 int err = 0;
1256 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1257 /* Timeout to prevent infinite loop */
1258 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1259
1260 add_wait_queue(sk_sleep(sk), &wait);
1261 set_current_state(TASK_INTERRUPTIBLE);
1262 do {
1263 BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1264 chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1265 jiffies_to_msecs(timeout - jiffies));
1266
1267 if (!timeo)
1268 timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1269
1270 if (signal_pending(current)) {
1271 err = sock_intr_errno(timeo);
1272 break;
1273 }
1274
1275 release_sock(sk);
1276 timeo = schedule_timeout(timeo);
1277 lock_sock(sk);
1278 set_current_state(TASK_INTERRUPTIBLE);
1279
1280 err = sock_error(sk);
1281 if (err)
1282 break;
1283
1284 if (time_after(jiffies, timeout)) {
1285 err = -ENOLINK;
1286 break;
1287 }
1288
1289 } while (chan->unacked_frames > 0 &&
1290 chan->state == BT_CONNECTED);
1291
1292 set_current_state(TASK_RUNNING);
1293 remove_wait_queue(sk_sleep(sk), &wait);
1294 return err;
1295 }
1296
l2cap_sock_shutdown(struct socket * sock,int how)1297 static int l2cap_sock_shutdown(struct socket *sock, int how)
1298 {
1299 struct sock *sk = sock->sk;
1300 struct l2cap_chan *chan;
1301 struct l2cap_conn *conn;
1302 int err = 0;
1303
1304 BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1305
1306 /* 'how' parameter is mapped to sk_shutdown as follows:
1307 * SHUT_RD (0) --> RCV_SHUTDOWN (1)
1308 * SHUT_WR (1) --> SEND_SHUTDOWN (2)
1309 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3)
1310 */
1311 how++;
1312
1313 if (!sk)
1314 return 0;
1315
1316 lock_sock(sk);
1317
1318 if ((sk->sk_shutdown & how) == how)
1319 goto shutdown_already;
1320
1321 BT_DBG("Handling sock shutdown");
1322
1323 /* prevent sk structure from being freed whilst unlocked */
1324 sock_hold(sk);
1325
1326 /* prevent chan structure from being freed whilst unlocked */
1327 chan = l2cap_chan_hold_unless_zero(l2cap_pi(sk)->chan);
1328 if (!chan)
1329 goto shutdown_already;
1330
1331 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1332
1333 if (chan->mode == L2CAP_MODE_ERTM &&
1334 chan->unacked_frames > 0 &&
1335 chan->state == BT_CONNECTED) {
1336 err = __l2cap_wait_ack(sk, chan);
1337
1338 /* After waiting for ACKs, check whether shutdown
1339 * has already been actioned to close the L2CAP
1340 * link such as by l2cap_disconnection_req().
1341 */
1342 if ((sk->sk_shutdown & how) == how)
1343 goto shutdown_matched;
1344 }
1345
1346 /* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN
1347 * is already set
1348 */
1349 if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) {
1350 sk->sk_shutdown |= RCV_SHUTDOWN;
1351 if ((sk->sk_shutdown & how) == how)
1352 goto shutdown_matched;
1353 }
1354
1355 sk->sk_shutdown |= SEND_SHUTDOWN;
1356 release_sock(sk);
1357
1358 l2cap_chan_lock(chan);
1359 /* prevent conn structure from being freed */
1360 conn = l2cap_conn_hold_unless_zero(chan->conn);
1361 l2cap_chan_unlock(chan);
1362
1363 if (conn)
1364 /* mutex lock must be taken before l2cap_chan_lock() */
1365 mutex_lock(&conn->lock);
1366
1367 l2cap_chan_lock(chan);
1368 l2cap_chan_close(chan, 0);
1369 l2cap_chan_unlock(chan);
1370
1371 if (conn) {
1372 mutex_unlock(&conn->lock);
1373 l2cap_conn_put(conn);
1374 }
1375
1376 lock_sock(sk);
1377
1378 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1379 !(current->flags & PF_EXITING))
1380 err = bt_sock_wait_state(sk, BT_CLOSED,
1381 sk->sk_lingertime);
1382
1383 shutdown_matched:
1384 l2cap_chan_put(chan);
1385 sock_put(sk);
1386
1387 shutdown_already:
1388 if (!err && sk->sk_err)
1389 err = -sk->sk_err;
1390
1391 release_sock(sk);
1392
1393 BT_DBG("Sock shutdown complete err: %d", err);
1394
1395 return err;
1396 }
1397
l2cap_sock_release(struct socket * sock)1398 static int l2cap_sock_release(struct socket *sock)
1399 {
1400 struct sock *sk = sock->sk;
1401 int err;
1402 struct l2cap_chan *chan;
1403
1404 BT_DBG("sock %p, sk %p", sock, sk);
1405
1406 if (!sk)
1407 return 0;
1408
1409 l2cap_sock_cleanup_listen(sk);
1410 bt_sock_unlink(&l2cap_sk_list, sk);
1411
1412 err = l2cap_sock_shutdown(sock, SHUT_RDWR);
1413 chan = l2cap_pi(sk)->chan;
1414
1415 l2cap_chan_hold(chan);
1416 l2cap_chan_lock(chan);
1417
1418 sock_orphan(sk);
1419 l2cap_sock_kill(sk);
1420
1421 l2cap_chan_unlock(chan);
1422 l2cap_chan_put(chan);
1423
1424 return err;
1425 }
1426
l2cap_sock_cleanup_listen(struct sock * parent)1427 static void l2cap_sock_cleanup_listen(struct sock *parent)
1428 {
1429 struct sock *sk;
1430
1431 BT_DBG("parent %p state %s", parent,
1432 state_to_string(parent->sk_state));
1433
1434 /* Close not yet accepted channels */
1435 while ((sk = bt_accept_dequeue(parent, NULL))) {
1436 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1437
1438 BT_DBG("child chan %p state %s", chan,
1439 state_to_string(chan->state));
1440
1441 l2cap_chan_hold(chan);
1442 l2cap_chan_lock(chan);
1443
1444 __clear_chan_timer(chan);
1445 l2cap_chan_close(chan, ECONNRESET);
1446 l2cap_sock_kill(sk);
1447
1448 l2cap_chan_unlock(chan);
1449 l2cap_chan_put(chan);
1450 }
1451 }
1452
l2cap_sock_new_connection_cb(struct l2cap_chan * chan)1453 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1454 {
1455 struct sock *sk, *parent = chan->data;
1456
1457 lock_sock(parent);
1458
1459 /* Check for backlog size */
1460 if (sk_acceptq_is_full(parent)) {
1461 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1462 release_sock(parent);
1463 return NULL;
1464 }
1465
1466 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1467 GFP_ATOMIC, 0);
1468 if (!sk) {
1469 release_sock(parent);
1470 return NULL;
1471 }
1472
1473 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1474
1475 l2cap_sock_init(sk, parent);
1476
1477 bt_accept_enqueue(parent, sk, false);
1478
1479 release_sock(parent);
1480
1481 return l2cap_pi(sk)->chan;
1482 }
1483
l2cap_sock_recv_cb(struct l2cap_chan * chan,struct sk_buff * skb)1484 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1485 {
1486 struct sock *sk;
1487 struct l2cap_pinfo *pi;
1488 int err;
1489
1490 sk = chan->data;
1491 if (!sk)
1492 return -ENXIO;
1493
1494 pi = l2cap_pi(sk);
1495 lock_sock(sk);
1496 if (chan->mode == L2CAP_MODE_ERTM && !list_empty(&pi->rx_busy)) {
1497 err = -ENOMEM;
1498 goto done;
1499 }
1500
1501 if (chan->mode != L2CAP_MODE_ERTM &&
1502 chan->mode != L2CAP_MODE_STREAMING &&
1503 chan->mode != L2CAP_MODE_LE_FLOWCTL &&
1504 chan->mode != L2CAP_MODE_EXT_FLOWCTL) {
1505 /* Even if no filter is attached, we could potentially
1506 * get errors from security modules, etc.
1507 */
1508 err = sk_filter(sk, skb);
1509 if (err)
1510 goto done;
1511 }
1512
1513 err = __sock_queue_rcv_skb(sk, skb);
1514
1515 l2cap_publish_rx_avail(chan);
1516
1517 /* For ERTM and LE, handle a skb that doesn't fit into the recv
1518 * buffer. This is important to do because the data frames
1519 * have already been acked, so the skb cannot be discarded.
1520 *
1521 * Notify the l2cap core that the buffer is full, so the
1522 * LOCAL_BUSY state is entered and no more frames are
1523 * acked and reassembled until there is buffer space
1524 * available.
1525 */
1526 if (err < 0 &&
1527 (chan->mode == L2CAP_MODE_ERTM ||
1528 chan->mode == L2CAP_MODE_LE_FLOWCTL ||
1529 chan->mode == L2CAP_MODE_EXT_FLOWCTL)) {
1530 struct l2cap_rx_busy *rx_busy =
1531 kmalloc(sizeof(*rx_busy), GFP_KERNEL);
1532 if (!rx_busy) {
1533 err = -ENOMEM;
1534 goto done;
1535 }
1536 rx_busy->skb = skb;
1537 list_add_tail(&rx_busy->list, &pi->rx_busy);
1538 l2cap_chan_busy(chan, 1);
1539 err = 0;
1540 }
1541
1542 done:
1543 release_sock(sk);
1544
1545 return err;
1546 }
1547
l2cap_sock_close_cb(struct l2cap_chan * chan)1548 static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1549 {
1550 struct sock *sk = chan->data;
1551
1552 if (!sk)
1553 return;
1554
1555 l2cap_sock_kill(sk);
1556 }
1557
l2cap_sock_teardown_cb(struct l2cap_chan * chan,int err)1558 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1559 {
1560 struct sock *sk = chan->data;
1561 struct sock *parent;
1562
1563 if (!sk)
1564 return;
1565
1566 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1567
1568 /* This callback can be called both for server (BT_LISTEN)
1569 * sockets as well as "normal" ones. To avoid lockdep warnings
1570 * with child socket locking (through l2cap_sock_cleanup_listen)
1571 * we need separation into separate nesting levels. The simplest
1572 * way to accomplish this is to inherit the nesting level used
1573 * for the channel.
1574 */
1575 lock_sock_nested(sk, atomic_read(&chan->nesting));
1576
1577 parent = bt_sk(sk)->parent;
1578
1579 switch (chan->state) {
1580 case BT_OPEN:
1581 case BT_BOUND:
1582 case BT_CLOSED:
1583 break;
1584 case BT_LISTEN:
1585 l2cap_sock_cleanup_listen(sk);
1586 sk->sk_state = BT_CLOSED;
1587 chan->state = BT_CLOSED;
1588
1589 break;
1590 default:
1591 sk->sk_state = BT_CLOSED;
1592 chan->state = BT_CLOSED;
1593
1594 sk->sk_err = err;
1595
1596 if (parent) {
1597 bt_accept_unlink(sk);
1598 parent->sk_data_ready(parent);
1599 } else {
1600 sk->sk_state_change(sk);
1601 }
1602
1603 break;
1604 }
1605 release_sock(sk);
1606
1607 /* Only zap after cleanup to avoid use after free race */
1608 sock_set_flag(sk, SOCK_ZAPPED);
1609
1610 }
1611
l2cap_sock_state_change_cb(struct l2cap_chan * chan,int state,int err)1612 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1613 int err)
1614 {
1615 struct sock *sk = chan->data;
1616
1617 sk->sk_state = state;
1618
1619 if (err)
1620 sk->sk_err = err;
1621 }
1622
l2cap_sock_alloc_skb_cb(struct l2cap_chan * chan,unsigned long hdr_len,unsigned long len,int nb)1623 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1624 unsigned long hdr_len,
1625 unsigned long len, int nb)
1626 {
1627 struct sock *sk = chan->data;
1628 struct sk_buff *skb;
1629 int err;
1630
1631 l2cap_chan_unlock(chan);
1632 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1633 l2cap_chan_lock(chan);
1634
1635 if (!skb)
1636 return ERR_PTR(err);
1637
1638 /* Channel lock is released before requesting new skb and then
1639 * reacquired thus we need to recheck channel state.
1640 */
1641 if (chan->state != BT_CONNECTED) {
1642 kfree_skb(skb);
1643 return ERR_PTR(-ENOTCONN);
1644 }
1645
1646 skb->priority = sk->sk_priority;
1647
1648 bt_cb(skb)->l2cap.chan = chan;
1649
1650 return skb;
1651 }
1652
l2cap_sock_ready_cb(struct l2cap_chan * chan)1653 static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1654 {
1655 struct sock *sk = chan->data;
1656 struct sock *parent;
1657
1658 lock_sock(sk);
1659
1660 parent = bt_sk(sk)->parent;
1661
1662 BT_DBG("sk %p, parent %p", sk, parent);
1663
1664 sk->sk_state = BT_CONNECTED;
1665 sk->sk_state_change(sk);
1666
1667 if (parent)
1668 parent->sk_data_ready(parent);
1669
1670 release_sock(sk);
1671 }
1672
l2cap_sock_defer_cb(struct l2cap_chan * chan)1673 static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1674 {
1675 struct sock *parent, *sk = chan->data;
1676
1677 lock_sock(sk);
1678
1679 parent = bt_sk(sk)->parent;
1680 if (parent)
1681 parent->sk_data_ready(parent);
1682
1683 release_sock(sk);
1684 }
1685
l2cap_sock_resume_cb(struct l2cap_chan * chan)1686 static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1687 {
1688 struct sock *sk = chan->data;
1689
1690 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1691 sk->sk_state = BT_CONNECTED;
1692 chan->state = BT_CONNECTED;
1693 }
1694
1695 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1696 sk->sk_state_change(sk);
1697 }
1698
l2cap_sock_set_shutdown_cb(struct l2cap_chan * chan)1699 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1700 {
1701 struct sock *sk = chan->data;
1702
1703 lock_sock(sk);
1704 sk->sk_shutdown = SHUTDOWN_MASK;
1705 release_sock(sk);
1706 }
1707
l2cap_sock_get_sndtimeo_cb(struct l2cap_chan * chan)1708 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1709 {
1710 struct sock *sk = chan->data;
1711
1712 return sk->sk_sndtimeo;
1713 }
1714
l2cap_sock_get_peer_pid_cb(struct l2cap_chan * chan)1715 static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan)
1716 {
1717 struct sock *sk = chan->data;
1718
1719 return sk->sk_peer_pid;
1720 }
1721
l2cap_sock_suspend_cb(struct l2cap_chan * chan)1722 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1723 {
1724 struct sock *sk = chan->data;
1725
1726 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1727 sk->sk_state_change(sk);
1728 }
1729
l2cap_sock_filter(struct l2cap_chan * chan,struct sk_buff * skb)1730 static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
1731 {
1732 struct sock *sk = chan->data;
1733
1734 switch (chan->mode) {
1735 case L2CAP_MODE_ERTM:
1736 case L2CAP_MODE_STREAMING:
1737 return sk_filter(sk, skb);
1738 }
1739
1740 return 0;
1741 }
1742
1743 static const struct l2cap_ops l2cap_chan_ops = {
1744 .name = "L2CAP Socket Interface",
1745 .new_connection = l2cap_sock_new_connection_cb,
1746 .recv = l2cap_sock_recv_cb,
1747 .close = l2cap_sock_close_cb,
1748 .teardown = l2cap_sock_teardown_cb,
1749 .state_change = l2cap_sock_state_change_cb,
1750 .ready = l2cap_sock_ready_cb,
1751 .defer = l2cap_sock_defer_cb,
1752 .resume = l2cap_sock_resume_cb,
1753 .suspend = l2cap_sock_suspend_cb,
1754 .set_shutdown = l2cap_sock_set_shutdown_cb,
1755 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1756 .get_peer_pid = l2cap_sock_get_peer_pid_cb,
1757 .alloc_skb = l2cap_sock_alloc_skb_cb,
1758 .filter = l2cap_sock_filter,
1759 };
1760
l2cap_sock_destruct(struct sock * sk)1761 static void l2cap_sock_destruct(struct sock *sk)
1762 {
1763 struct l2cap_rx_busy *rx_busy, *next;
1764
1765 BT_DBG("sk %p", sk);
1766
1767 if (l2cap_pi(sk)->chan) {
1768 l2cap_pi(sk)->chan->data = NULL;
1769 l2cap_chan_put(l2cap_pi(sk)->chan);
1770 }
1771
1772 list_for_each_entry_safe(rx_busy, next, &l2cap_pi(sk)->rx_busy, list) {
1773 kfree_skb(rx_busy->skb);
1774 list_del(&rx_busy->list);
1775 kfree(rx_busy);
1776 }
1777
1778 skb_queue_purge(&sk->sk_receive_queue);
1779 skb_queue_purge(&sk->sk_write_queue);
1780 }
1781
l2cap_skb_msg_name(struct sk_buff * skb,void * msg_name,int * msg_namelen)1782 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1783 int *msg_namelen)
1784 {
1785 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1786
1787 memset(la, 0, sizeof(struct sockaddr_l2));
1788 la->l2_family = AF_BLUETOOTH;
1789 la->l2_psm = bt_cb(skb)->l2cap.psm;
1790 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1791
1792 *msg_namelen = sizeof(struct sockaddr_l2);
1793 }
1794
l2cap_sock_init(struct sock * sk,struct sock * parent)1795 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1796 {
1797 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1798
1799 BT_DBG("sk %p", sk);
1800
1801 if (parent) {
1802 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1803
1804 sk->sk_type = parent->sk_type;
1805 bt_sk(sk)->flags = bt_sk(parent)->flags;
1806
1807 chan->chan_type = pchan->chan_type;
1808 chan->imtu = pchan->imtu;
1809 chan->omtu = pchan->omtu;
1810 chan->conf_state = pchan->conf_state;
1811 chan->mode = pchan->mode;
1812 chan->fcs = pchan->fcs;
1813 chan->max_tx = pchan->max_tx;
1814 chan->tx_win = pchan->tx_win;
1815 chan->tx_win_max = pchan->tx_win_max;
1816 chan->sec_level = pchan->sec_level;
1817 chan->flags = pchan->flags;
1818 chan->tx_credits = pchan->tx_credits;
1819 chan->rx_credits = pchan->rx_credits;
1820
1821 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1822 chan->scid = pchan->scid;
1823 chan->dcid = pchan->scid;
1824 }
1825
1826 security_sk_clone(parent, sk);
1827 } else {
1828 switch (sk->sk_type) {
1829 case SOCK_RAW:
1830 chan->chan_type = L2CAP_CHAN_RAW;
1831 break;
1832 case SOCK_DGRAM:
1833 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1834 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1835 break;
1836 case SOCK_SEQPACKET:
1837 case SOCK_STREAM:
1838 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1839 break;
1840 }
1841
1842 chan->imtu = L2CAP_DEFAULT_MTU;
1843 chan->omtu = 0;
1844 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1845 chan->mode = L2CAP_MODE_ERTM;
1846 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1847 } else {
1848 chan->mode = L2CAP_MODE_BASIC;
1849 }
1850
1851 l2cap_chan_set_defaults(chan);
1852 }
1853
1854 /* Default config options */
1855 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1856
1857 chan->data = sk;
1858 chan->ops = &l2cap_chan_ops;
1859
1860 l2cap_publish_rx_avail(chan);
1861 }
1862
1863 static struct proto l2cap_proto = {
1864 .name = "L2CAP",
1865 .owner = THIS_MODULE,
1866 .obj_size = sizeof(struct l2cap_pinfo)
1867 };
1868
l2cap_sock_alloc(struct net * net,struct socket * sock,int proto,gfp_t prio,int kern)1869 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1870 int proto, gfp_t prio, int kern)
1871 {
1872 struct sock *sk;
1873 struct l2cap_chan *chan;
1874
1875 sk = bt_sock_alloc(net, sock, &l2cap_proto, proto, prio, kern);
1876 if (!sk)
1877 return NULL;
1878
1879 sk->sk_destruct = l2cap_sock_destruct;
1880 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1881
1882 INIT_LIST_HEAD(&l2cap_pi(sk)->rx_busy);
1883
1884 chan = l2cap_chan_create();
1885 if (!chan) {
1886 sk_free(sk);
1887 if (sock)
1888 sock->sk = NULL;
1889 return NULL;
1890 }
1891
1892 l2cap_chan_hold(chan);
1893
1894 l2cap_pi(sk)->chan = chan;
1895
1896 return sk;
1897 }
1898
l2cap_sock_create(struct net * net,struct socket * sock,int protocol,int kern)1899 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1900 int kern)
1901 {
1902 struct sock *sk;
1903
1904 BT_DBG("sock %p", sock);
1905
1906 sock->state = SS_UNCONNECTED;
1907
1908 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1909 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1910 return -ESOCKTNOSUPPORT;
1911
1912 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1913 return -EPERM;
1914
1915 sock->ops = &l2cap_sock_ops;
1916
1917 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1918 if (!sk)
1919 return -ENOMEM;
1920
1921 l2cap_sock_init(sk, NULL);
1922 bt_sock_link(&l2cap_sk_list, sk);
1923 return 0;
1924 }
1925
1926 static const struct proto_ops l2cap_sock_ops = {
1927 .family = PF_BLUETOOTH,
1928 .owner = THIS_MODULE,
1929 .release = l2cap_sock_release,
1930 .bind = l2cap_sock_bind,
1931 .connect = l2cap_sock_connect,
1932 .listen = l2cap_sock_listen,
1933 .accept = l2cap_sock_accept,
1934 .getname = l2cap_sock_getname,
1935 .sendmsg = l2cap_sock_sendmsg,
1936 .recvmsg = l2cap_sock_recvmsg,
1937 .poll = bt_sock_poll,
1938 .ioctl = bt_sock_ioctl,
1939 .gettstamp = sock_gettstamp,
1940 .mmap = sock_no_mmap,
1941 .socketpair = sock_no_socketpair,
1942 .shutdown = l2cap_sock_shutdown,
1943 .setsockopt = l2cap_sock_setsockopt,
1944 .getsockopt = l2cap_sock_getsockopt
1945 };
1946
1947 static const struct net_proto_family l2cap_sock_family_ops = {
1948 .family = PF_BLUETOOTH,
1949 .owner = THIS_MODULE,
1950 .create = l2cap_sock_create,
1951 };
1952
l2cap_init_sockets(void)1953 int __init l2cap_init_sockets(void)
1954 {
1955 int err;
1956
1957 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1958
1959 err = proto_register(&l2cap_proto, 0);
1960 if (err < 0)
1961 return err;
1962
1963 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1964 if (err < 0) {
1965 BT_ERR("L2CAP socket registration failed");
1966 goto error;
1967 }
1968
1969 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1970 NULL);
1971 if (err < 0) {
1972 BT_ERR("Failed to create L2CAP proc file");
1973 bt_sock_unregister(BTPROTO_L2CAP);
1974 goto error;
1975 }
1976
1977 BT_INFO("L2CAP socket layer initialized");
1978
1979 return 0;
1980
1981 error:
1982 proto_unregister(&l2cap_proto);
1983 return err;
1984 }
1985
l2cap_cleanup_sockets(void)1986 void l2cap_cleanup_sockets(void)
1987 {
1988 bt_procfs_cleanup(&init_net, "l2cap");
1989 bt_sock_unregister(BTPROTO_L2CAP);
1990 proto_unregister(&l2cap_proto);
1991 }
1992