1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org> 5 Copyright (C) 2010 Google Inc. 6 Copyright (C) 2011 ProFUSION Embedded Systems 7 8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 9 10 This program is free software; you can redistribute it and/or modify 11 it under the terms of the GNU General Public License version 2 as 12 published by the Free Software Foundation; 13 14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 22 23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 25 SOFTWARE IS DISCLAIMED. 26 */ 27 28 /* Bluetooth L2CAP sockets. */ 29 30 #include <linux/export.h> 31 32 #include <net/bluetooth/bluetooth.h> 33 #include <net/bluetooth/hci_core.h> 34 #include <net/bluetooth/l2cap.h> 35 36 #include "smp.h" 37 38 static struct bt_sock_list l2cap_sk_list = { 39 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock) 40 }; 41 42 static const struct proto_ops l2cap_sock_ops; 43 static void l2cap_sock_init(struct sock *sk, struct sock *parent); 44 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, 45 int proto, gfp_t prio); 46 47 bool l2cap_is_socket(struct socket *sock) 48 { 49 return sock && sock->ops == &l2cap_sock_ops; 50 } 51 EXPORT_SYMBOL(l2cap_is_socket); 52 53 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) 54 { 55 struct sock *sk = sock->sk; 56 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 57 struct sockaddr_l2 la; 58 int len, err = 0; 59 60 BT_DBG("sk %p", sk); 61 62 if (!addr || addr->sa_family != AF_BLUETOOTH) 63 return -EINVAL; 64 65 memset(&la, 0, sizeof(la)); 66 len = min_t(unsigned int, sizeof(la), alen); 67 memcpy(&la, addr, len); 68 69 if (la.l2_cid && la.l2_psm) 70 return -EINVAL; 71 72 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) 73 return -EINVAL; 74 75 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 76 /* Connection oriented channels are not supported on LE */ 77 if (la.l2_psm) 78 return -EINVAL; 79 /* We only allow ATT user space socket */ 80 if (la.l2_cid != __constant_cpu_to_le16(L2CAP_CID_ATT)) 81 return -EINVAL; 82 } 83 84 lock_sock(sk); 85 86 if (sk->sk_state != BT_OPEN) { 87 err = -EBADFD; 88 goto done; 89 } 90 91 if (la.l2_psm) { 92 __u16 psm = __le16_to_cpu(la.l2_psm); 93 94 /* PSM must be odd and lsb of upper byte must be 0 */ 95 if ((psm & 0x0101) != 0x0001) { 96 err = -EINVAL; 97 goto done; 98 } 99 100 /* Restrict usage of well-known PSMs */ 101 if (psm < 0x1001 && !capable(CAP_NET_BIND_SERVICE)) { 102 err = -EACCES; 103 goto done; 104 } 105 } 106 107 if (la.l2_cid) 108 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid)); 109 else 110 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm); 111 112 if (err < 0) 113 goto done; 114 115 switch (chan->chan_type) { 116 case L2CAP_CHAN_CONN_LESS: 117 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP) 118 chan->sec_level = BT_SECURITY_SDP; 119 break; 120 case L2CAP_CHAN_CONN_ORIENTED: 121 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP || 122 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM) 123 chan->sec_level = BT_SECURITY_SDP; 124 break; 125 } 126 127 bacpy(&chan->src, &la.l2_bdaddr); 128 chan->src_type = la.l2_bdaddr_type; 129 130 chan->state = BT_BOUND; 131 sk->sk_state = BT_BOUND; 132 133 done: 134 release_sock(sk); 135 return err; 136 } 137 138 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, 139 int alen, int flags) 140 { 141 struct sock *sk = sock->sk; 142 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 143 struct sockaddr_l2 la; 144 int len, err = 0; 145 146 BT_DBG("sk %p", sk); 147 148 if (!addr || alen < sizeof(addr->sa_family) || 149 addr->sa_family != AF_BLUETOOTH) 150 return -EINVAL; 151 152 memset(&la, 0, sizeof(la)); 153 len = min_t(unsigned int, sizeof(la), alen); 154 memcpy(&la, addr, len); 155 156 if (la.l2_cid && la.l2_psm) 157 return -EINVAL; 158 159 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) 160 return -EINVAL; 161 162 /* Check that the socket wasn't bound to something that 163 * conflicts with the address given to connect(). If chan->src 164 * is BDADDR_ANY it means bind() was never used, in which case 165 * chan->src_type and la.l2_bdaddr_type do not need to match. 166 */ 167 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) && 168 bdaddr_type_is_le(la.l2_bdaddr_type)) { 169 /* Old user space versions will try to incorrectly bind 170 * the ATT socket using BDADDR_BREDR. We need to accept 171 * this and fix up the source address type only when 172 * both the source CID and destination CID indicate 173 * ATT. Anything else is an invalid combination. 174 */ 175 if (chan->scid != L2CAP_CID_ATT || 176 la.l2_cid != __constant_cpu_to_le16(L2CAP_CID_ATT)) 177 return -EINVAL; 178 179 /* We don't have the hdev available here to make a 180 * better decision on random vs public, but since all 181 * user space versions that exhibit this issue anyway do 182 * not support random local addresses assuming public 183 * here is good enough. 184 */ 185 chan->src_type = BDADDR_LE_PUBLIC; 186 } 187 188 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR) 189 return -EINVAL; 190 191 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 192 /* Connection oriented channels are not supported on LE */ 193 if (la.l2_psm) 194 return -EINVAL; 195 /* We only allow ATT user space socket */ 196 if (la.l2_cid != __constant_cpu_to_le16(L2CAP_CID_ATT)) 197 return -EINVAL; 198 } 199 200 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid), 201 &la.l2_bdaddr, la.l2_bdaddr_type); 202 if (err) 203 return err; 204 205 lock_sock(sk); 206 207 err = bt_sock_wait_state(sk, BT_CONNECTED, 208 sock_sndtimeo(sk, flags & O_NONBLOCK)); 209 210 release_sock(sk); 211 212 return err; 213 } 214 215 static int l2cap_sock_listen(struct socket *sock, int backlog) 216 { 217 struct sock *sk = sock->sk; 218 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 219 int err = 0; 220 221 BT_DBG("sk %p backlog %d", sk, backlog); 222 223 lock_sock(sk); 224 225 if (sk->sk_state != BT_BOUND) { 226 err = -EBADFD; 227 goto done; 228 } 229 230 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) { 231 err = -EINVAL; 232 goto done; 233 } 234 235 switch (chan->mode) { 236 case L2CAP_MODE_BASIC: 237 break; 238 case L2CAP_MODE_ERTM: 239 case L2CAP_MODE_STREAMING: 240 if (!disable_ertm) 241 break; 242 /* fall through */ 243 default: 244 err = -ENOTSUPP; 245 goto done; 246 } 247 248 sk->sk_max_ack_backlog = backlog; 249 sk->sk_ack_backlog = 0; 250 251 chan->state = BT_LISTEN; 252 sk->sk_state = BT_LISTEN; 253 254 done: 255 release_sock(sk); 256 return err; 257 } 258 259 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, 260 int flags) 261 { 262 DECLARE_WAITQUEUE(wait, current); 263 struct sock *sk = sock->sk, *nsk; 264 long timeo; 265 int err = 0; 266 267 lock_sock_nested(sk, SINGLE_DEPTH_NESTING); 268 269 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK); 270 271 BT_DBG("sk %p timeo %ld", sk, timeo); 272 273 /* Wait for an incoming connection. (wake-one). */ 274 add_wait_queue_exclusive(sk_sleep(sk), &wait); 275 while (1) { 276 set_current_state(TASK_INTERRUPTIBLE); 277 278 if (sk->sk_state != BT_LISTEN) { 279 err = -EBADFD; 280 break; 281 } 282 283 nsk = bt_accept_dequeue(sk, newsock); 284 if (nsk) 285 break; 286 287 if (!timeo) { 288 err = -EAGAIN; 289 break; 290 } 291 292 if (signal_pending(current)) { 293 err = sock_intr_errno(timeo); 294 break; 295 } 296 297 release_sock(sk); 298 timeo = schedule_timeout(timeo); 299 lock_sock_nested(sk, SINGLE_DEPTH_NESTING); 300 } 301 __set_current_state(TASK_RUNNING); 302 remove_wait_queue(sk_sleep(sk), &wait); 303 304 if (err) 305 goto done; 306 307 newsock->state = SS_CONNECTED; 308 309 BT_DBG("new socket %p", nsk); 310 311 done: 312 release_sock(sk); 313 return err; 314 } 315 316 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, 317 int *len, int peer) 318 { 319 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr; 320 struct sock *sk = sock->sk; 321 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 322 323 BT_DBG("sock %p, sk %p", sock, sk); 324 325 memset(la, 0, sizeof(struct sockaddr_l2)); 326 addr->sa_family = AF_BLUETOOTH; 327 *len = sizeof(struct sockaddr_l2); 328 329 if (peer) { 330 la->l2_psm = chan->psm; 331 bacpy(&la->l2_bdaddr, &chan->dst); 332 la->l2_cid = cpu_to_le16(chan->dcid); 333 la->l2_bdaddr_type = chan->dst_type; 334 } else { 335 la->l2_psm = chan->sport; 336 bacpy(&la->l2_bdaddr, &chan->src); 337 la->l2_cid = cpu_to_le16(chan->scid); 338 la->l2_bdaddr_type = chan->src_type; 339 } 340 341 return 0; 342 } 343 344 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, 345 char __user *optval, int __user *optlen) 346 { 347 struct sock *sk = sock->sk; 348 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 349 struct l2cap_options opts; 350 struct l2cap_conninfo cinfo; 351 int len, err = 0; 352 u32 opt; 353 354 BT_DBG("sk %p", sk); 355 356 if (get_user(len, optlen)) 357 return -EFAULT; 358 359 lock_sock(sk); 360 361 switch (optname) { 362 case L2CAP_OPTIONS: 363 memset(&opts, 0, sizeof(opts)); 364 opts.imtu = chan->imtu; 365 opts.omtu = chan->omtu; 366 opts.flush_to = chan->flush_to; 367 opts.mode = chan->mode; 368 opts.fcs = chan->fcs; 369 opts.max_tx = chan->max_tx; 370 opts.txwin_size = chan->tx_win; 371 372 len = min_t(unsigned int, len, sizeof(opts)); 373 if (copy_to_user(optval, (char *) &opts, len)) 374 err = -EFAULT; 375 376 break; 377 378 case L2CAP_LM: 379 switch (chan->sec_level) { 380 case BT_SECURITY_LOW: 381 opt = L2CAP_LM_AUTH; 382 break; 383 case BT_SECURITY_MEDIUM: 384 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT; 385 break; 386 case BT_SECURITY_HIGH: 387 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT | 388 L2CAP_LM_SECURE; 389 break; 390 default: 391 opt = 0; 392 break; 393 } 394 395 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags)) 396 opt |= L2CAP_LM_MASTER; 397 398 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags)) 399 opt |= L2CAP_LM_RELIABLE; 400 401 if (put_user(opt, (u32 __user *) optval)) 402 err = -EFAULT; 403 break; 404 405 case L2CAP_CONNINFO: 406 if (sk->sk_state != BT_CONNECTED && 407 !(sk->sk_state == BT_CONNECT2 && 408 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) { 409 err = -ENOTCONN; 410 break; 411 } 412 413 memset(&cinfo, 0, sizeof(cinfo)); 414 cinfo.hci_handle = chan->conn->hcon->handle; 415 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3); 416 417 len = min_t(unsigned int, len, sizeof(cinfo)); 418 if (copy_to_user(optval, (char *) &cinfo, len)) 419 err = -EFAULT; 420 421 break; 422 423 default: 424 err = -ENOPROTOOPT; 425 break; 426 } 427 428 release_sock(sk); 429 return err; 430 } 431 432 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, 433 char __user *optval, int __user *optlen) 434 { 435 struct sock *sk = sock->sk; 436 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 437 struct bt_security sec; 438 struct bt_power pwr; 439 int len, err = 0; 440 441 BT_DBG("sk %p", sk); 442 443 if (level == SOL_L2CAP) 444 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen); 445 446 if (level != SOL_BLUETOOTH) 447 return -ENOPROTOOPT; 448 449 if (get_user(len, optlen)) 450 return -EFAULT; 451 452 lock_sock(sk); 453 454 switch (optname) { 455 case BT_SECURITY: 456 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 457 chan->chan_type != L2CAP_CHAN_RAW) { 458 err = -EINVAL; 459 break; 460 } 461 462 memset(&sec, 0, sizeof(sec)); 463 if (chan->conn) { 464 sec.level = chan->conn->hcon->sec_level; 465 466 if (sk->sk_state == BT_CONNECTED) 467 sec.key_size = chan->conn->hcon->enc_key_size; 468 } else { 469 sec.level = chan->sec_level; 470 } 471 472 len = min_t(unsigned int, len, sizeof(sec)); 473 if (copy_to_user(optval, (char *) &sec, len)) 474 err = -EFAULT; 475 476 break; 477 478 case BT_DEFER_SETUP: 479 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 480 err = -EINVAL; 481 break; 482 } 483 484 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags), 485 (u32 __user *) optval)) 486 err = -EFAULT; 487 488 break; 489 490 case BT_FLUSHABLE: 491 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags), 492 (u32 __user *) optval)) 493 err = -EFAULT; 494 495 break; 496 497 case BT_POWER: 498 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM 499 && sk->sk_type != SOCK_RAW) { 500 err = -EINVAL; 501 break; 502 } 503 504 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags); 505 506 len = min_t(unsigned int, len, sizeof(pwr)); 507 if (copy_to_user(optval, (char *) &pwr, len)) 508 err = -EFAULT; 509 510 break; 511 512 case BT_CHANNEL_POLICY: 513 if (put_user(chan->chan_policy, (u32 __user *) optval)) 514 err = -EFAULT; 515 break; 516 517 default: 518 err = -ENOPROTOOPT; 519 break; 520 } 521 522 release_sock(sk); 523 return err; 524 } 525 526 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu) 527 { 528 switch (chan->scid) { 529 case L2CAP_CID_ATT: 530 if (mtu < L2CAP_LE_MIN_MTU) 531 return false; 532 break; 533 534 default: 535 if (mtu < L2CAP_DEFAULT_MIN_MTU) 536 return false; 537 } 538 539 return true; 540 } 541 542 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, 543 char __user *optval, unsigned int optlen) 544 { 545 struct sock *sk = sock->sk; 546 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 547 struct l2cap_options opts; 548 int len, err = 0; 549 u32 opt; 550 551 BT_DBG("sk %p", sk); 552 553 lock_sock(sk); 554 555 switch (optname) { 556 case L2CAP_OPTIONS: 557 if (sk->sk_state == BT_CONNECTED) { 558 err = -EINVAL; 559 break; 560 } 561 562 opts.imtu = chan->imtu; 563 opts.omtu = chan->omtu; 564 opts.flush_to = chan->flush_to; 565 opts.mode = chan->mode; 566 opts.fcs = chan->fcs; 567 opts.max_tx = chan->max_tx; 568 opts.txwin_size = chan->tx_win; 569 570 len = min_t(unsigned int, sizeof(opts), optlen); 571 if (copy_from_user((char *) &opts, optval, len)) { 572 err = -EFAULT; 573 break; 574 } 575 576 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) { 577 err = -EINVAL; 578 break; 579 } 580 581 if (!l2cap_valid_mtu(chan, opts.imtu)) { 582 err = -EINVAL; 583 break; 584 } 585 586 chan->mode = opts.mode; 587 switch (chan->mode) { 588 case L2CAP_MODE_BASIC: 589 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state); 590 break; 591 case L2CAP_MODE_ERTM: 592 case L2CAP_MODE_STREAMING: 593 if (!disable_ertm) 594 break; 595 /* fall through */ 596 default: 597 err = -EINVAL; 598 break; 599 } 600 601 chan->imtu = opts.imtu; 602 chan->omtu = opts.omtu; 603 chan->fcs = opts.fcs; 604 chan->max_tx = opts.max_tx; 605 chan->tx_win = opts.txwin_size; 606 chan->flush_to = opts.flush_to; 607 break; 608 609 case L2CAP_LM: 610 if (get_user(opt, (u32 __user *) optval)) { 611 err = -EFAULT; 612 break; 613 } 614 615 if (opt & L2CAP_LM_AUTH) 616 chan->sec_level = BT_SECURITY_LOW; 617 if (opt & L2CAP_LM_ENCRYPT) 618 chan->sec_level = BT_SECURITY_MEDIUM; 619 if (opt & L2CAP_LM_SECURE) 620 chan->sec_level = BT_SECURITY_HIGH; 621 622 if (opt & L2CAP_LM_MASTER) 623 set_bit(FLAG_ROLE_SWITCH, &chan->flags); 624 else 625 clear_bit(FLAG_ROLE_SWITCH, &chan->flags); 626 627 if (opt & L2CAP_LM_RELIABLE) 628 set_bit(FLAG_FORCE_RELIABLE, &chan->flags); 629 else 630 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags); 631 break; 632 633 default: 634 err = -ENOPROTOOPT; 635 break; 636 } 637 638 release_sock(sk); 639 return err; 640 } 641 642 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, 643 char __user *optval, unsigned int optlen) 644 { 645 struct sock *sk = sock->sk; 646 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 647 struct bt_security sec; 648 struct bt_power pwr; 649 struct l2cap_conn *conn; 650 int len, err = 0; 651 u32 opt; 652 653 BT_DBG("sk %p", sk); 654 655 if (level == SOL_L2CAP) 656 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen); 657 658 if (level != SOL_BLUETOOTH) 659 return -ENOPROTOOPT; 660 661 lock_sock(sk); 662 663 switch (optname) { 664 case BT_SECURITY: 665 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 666 chan->chan_type != L2CAP_CHAN_RAW) { 667 err = -EINVAL; 668 break; 669 } 670 671 sec.level = BT_SECURITY_LOW; 672 673 len = min_t(unsigned int, sizeof(sec), optlen); 674 if (copy_from_user((char *) &sec, optval, len)) { 675 err = -EFAULT; 676 break; 677 } 678 679 if (sec.level < BT_SECURITY_LOW || 680 sec.level > BT_SECURITY_HIGH) { 681 err = -EINVAL; 682 break; 683 } 684 685 chan->sec_level = sec.level; 686 687 if (!chan->conn) 688 break; 689 690 conn = chan->conn; 691 692 /*change security for LE channels */ 693 if (chan->scid == L2CAP_CID_ATT) { 694 if (!conn->hcon->out) { 695 err = -EINVAL; 696 break; 697 } 698 699 if (smp_conn_security(conn->hcon, sec.level)) 700 break; 701 sk->sk_state = BT_CONFIG; 702 chan->state = BT_CONFIG; 703 704 /* or for ACL link */ 705 } else if ((sk->sk_state == BT_CONNECT2 && 706 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) || 707 sk->sk_state == BT_CONNECTED) { 708 if (!l2cap_chan_check_security(chan)) 709 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 710 else 711 sk->sk_state_change(sk); 712 } else { 713 err = -EINVAL; 714 } 715 break; 716 717 case BT_DEFER_SETUP: 718 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 719 err = -EINVAL; 720 break; 721 } 722 723 if (get_user(opt, (u32 __user *) optval)) { 724 err = -EFAULT; 725 break; 726 } 727 728 if (opt) { 729 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 730 set_bit(FLAG_DEFER_SETUP, &chan->flags); 731 } else { 732 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 733 clear_bit(FLAG_DEFER_SETUP, &chan->flags); 734 } 735 break; 736 737 case BT_FLUSHABLE: 738 if (get_user(opt, (u32 __user *) optval)) { 739 err = -EFAULT; 740 break; 741 } 742 743 if (opt > BT_FLUSHABLE_ON) { 744 err = -EINVAL; 745 break; 746 } 747 748 if (opt == BT_FLUSHABLE_OFF) { 749 conn = chan->conn; 750 /* proceed further only when we have l2cap_conn and 751 No Flush support in the LM */ 752 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) { 753 err = -EINVAL; 754 break; 755 } 756 } 757 758 if (opt) 759 set_bit(FLAG_FLUSHABLE, &chan->flags); 760 else 761 clear_bit(FLAG_FLUSHABLE, &chan->flags); 762 break; 763 764 case BT_POWER: 765 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 766 chan->chan_type != L2CAP_CHAN_RAW) { 767 err = -EINVAL; 768 break; 769 } 770 771 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON; 772 773 len = min_t(unsigned int, sizeof(pwr), optlen); 774 if (copy_from_user((char *) &pwr, optval, len)) { 775 err = -EFAULT; 776 break; 777 } 778 779 if (pwr.force_active) 780 set_bit(FLAG_FORCE_ACTIVE, &chan->flags); 781 else 782 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags); 783 break; 784 785 case BT_CHANNEL_POLICY: 786 if (get_user(opt, (u32 __user *) optval)) { 787 err = -EFAULT; 788 break; 789 } 790 791 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) { 792 err = -EINVAL; 793 break; 794 } 795 796 if (chan->mode != L2CAP_MODE_ERTM && 797 chan->mode != L2CAP_MODE_STREAMING) { 798 err = -EOPNOTSUPP; 799 break; 800 } 801 802 chan->chan_policy = (u8) opt; 803 804 if (sk->sk_state == BT_CONNECTED && 805 chan->move_role == L2CAP_MOVE_ROLE_NONE) 806 l2cap_move_start(chan); 807 808 break; 809 810 default: 811 err = -ENOPROTOOPT; 812 break; 813 } 814 815 release_sock(sk); 816 return err; 817 } 818 819 static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, 820 struct msghdr *msg, size_t len) 821 { 822 struct sock *sk = sock->sk; 823 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 824 int err; 825 826 BT_DBG("sock %p, sk %p", sock, sk); 827 828 err = sock_error(sk); 829 if (err) 830 return err; 831 832 if (msg->msg_flags & MSG_OOB) 833 return -EOPNOTSUPP; 834 835 if (sk->sk_state != BT_CONNECTED) 836 return -ENOTCONN; 837 838 lock_sock(sk); 839 err = bt_sock_wait_ready(sk, msg->msg_flags); 840 release_sock(sk); 841 if (err) 842 return err; 843 844 l2cap_chan_lock(chan); 845 err = l2cap_chan_send(chan, msg, len, sk->sk_priority); 846 l2cap_chan_unlock(chan); 847 848 return err; 849 } 850 851 static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, 852 struct msghdr *msg, size_t len, int flags) 853 { 854 struct sock *sk = sock->sk; 855 struct l2cap_pinfo *pi = l2cap_pi(sk); 856 int err; 857 858 lock_sock(sk); 859 860 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP, 861 &bt_sk(sk)->flags)) { 862 sk->sk_state = BT_CONFIG; 863 pi->chan->state = BT_CONFIG; 864 865 __l2cap_connect_rsp_defer(pi->chan); 866 err = 0; 867 goto done; 868 } 869 870 release_sock(sk); 871 872 if (sock->type == SOCK_STREAM) 873 err = bt_sock_stream_recvmsg(iocb, sock, msg, len, flags); 874 else 875 err = bt_sock_recvmsg(iocb, sock, msg, len, flags); 876 877 if (pi->chan->mode != L2CAP_MODE_ERTM) 878 return err; 879 880 /* Attempt to put pending rx data in the socket buffer */ 881 882 lock_sock(sk); 883 884 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state)) 885 goto done; 886 887 if (pi->rx_busy_skb) { 888 if (!sock_queue_rcv_skb(sk, pi->rx_busy_skb)) 889 pi->rx_busy_skb = NULL; 890 else 891 goto done; 892 } 893 894 /* Restore data flow when half of the receive buffer is 895 * available. This avoids resending large numbers of 896 * frames. 897 */ 898 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1) 899 l2cap_chan_busy(pi->chan, 0); 900 901 done: 902 release_sock(sk); 903 return err; 904 } 905 906 /* Kill socket (only if zapped and orphan) 907 * Must be called on unlocked socket. 908 */ 909 static void l2cap_sock_kill(struct sock *sk) 910 { 911 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket) 912 return; 913 914 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state)); 915 916 /* Kill poor orphan */ 917 918 l2cap_chan_put(l2cap_pi(sk)->chan); 919 sock_set_flag(sk, SOCK_DEAD); 920 sock_put(sk); 921 } 922 923 static int __l2cap_wait_ack(struct sock *sk) 924 { 925 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 926 DECLARE_WAITQUEUE(wait, current); 927 int err = 0; 928 int timeo = HZ/5; 929 930 add_wait_queue(sk_sleep(sk), &wait); 931 set_current_state(TASK_INTERRUPTIBLE); 932 while (chan->unacked_frames > 0 && chan->conn) { 933 if (!timeo) 934 timeo = HZ/5; 935 936 if (signal_pending(current)) { 937 err = sock_intr_errno(timeo); 938 break; 939 } 940 941 release_sock(sk); 942 timeo = schedule_timeout(timeo); 943 lock_sock(sk); 944 set_current_state(TASK_INTERRUPTIBLE); 945 946 err = sock_error(sk); 947 if (err) 948 break; 949 } 950 set_current_state(TASK_RUNNING); 951 remove_wait_queue(sk_sleep(sk), &wait); 952 return err; 953 } 954 955 static int l2cap_sock_shutdown(struct socket *sock, int how) 956 { 957 struct sock *sk = sock->sk; 958 struct l2cap_chan *chan; 959 struct l2cap_conn *conn; 960 int err = 0; 961 962 BT_DBG("sock %p, sk %p", sock, sk); 963 964 if (!sk) 965 return 0; 966 967 chan = l2cap_pi(sk)->chan; 968 conn = chan->conn; 969 970 if (conn) 971 mutex_lock(&conn->chan_lock); 972 973 l2cap_chan_lock(chan); 974 lock_sock(sk); 975 976 if (!sk->sk_shutdown) { 977 if (chan->mode == L2CAP_MODE_ERTM) 978 err = __l2cap_wait_ack(sk); 979 980 sk->sk_shutdown = SHUTDOWN_MASK; 981 982 release_sock(sk); 983 l2cap_chan_close(chan, 0); 984 lock_sock(sk); 985 986 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime) 987 err = bt_sock_wait_state(sk, BT_CLOSED, 988 sk->sk_lingertime); 989 } 990 991 if (!err && sk->sk_err) 992 err = -sk->sk_err; 993 994 release_sock(sk); 995 l2cap_chan_unlock(chan); 996 997 if (conn) 998 mutex_unlock(&conn->chan_lock); 999 1000 return err; 1001 } 1002 1003 static int l2cap_sock_release(struct socket *sock) 1004 { 1005 struct sock *sk = sock->sk; 1006 int err; 1007 1008 BT_DBG("sock %p, sk %p", sock, sk); 1009 1010 if (!sk) 1011 return 0; 1012 1013 bt_sock_unlink(&l2cap_sk_list, sk); 1014 1015 err = l2cap_sock_shutdown(sock, 2); 1016 1017 sock_orphan(sk); 1018 l2cap_sock_kill(sk); 1019 return err; 1020 } 1021 1022 static void l2cap_sock_cleanup_listen(struct sock *parent) 1023 { 1024 struct sock *sk; 1025 1026 BT_DBG("parent %p", parent); 1027 1028 /* Close not yet accepted channels */ 1029 while ((sk = bt_accept_dequeue(parent, NULL))) { 1030 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1031 1032 l2cap_chan_lock(chan); 1033 __clear_chan_timer(chan); 1034 l2cap_chan_close(chan, ECONNRESET); 1035 l2cap_chan_unlock(chan); 1036 1037 l2cap_sock_kill(sk); 1038 } 1039 } 1040 1041 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan) 1042 { 1043 struct sock *sk, *parent = chan->data; 1044 1045 lock_sock(parent); 1046 1047 /* Check for backlog size */ 1048 if (sk_acceptq_is_full(parent)) { 1049 BT_DBG("backlog full %d", parent->sk_ack_backlog); 1050 return NULL; 1051 } 1052 1053 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, 1054 GFP_ATOMIC); 1055 if (!sk) 1056 return NULL; 1057 1058 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP); 1059 1060 l2cap_sock_init(sk, parent); 1061 1062 bt_accept_enqueue(parent, sk); 1063 1064 release_sock(parent); 1065 1066 return l2cap_pi(sk)->chan; 1067 } 1068 1069 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) 1070 { 1071 struct sock *sk = chan->data; 1072 int err; 1073 1074 lock_sock(sk); 1075 1076 if (l2cap_pi(sk)->rx_busy_skb) { 1077 err = -ENOMEM; 1078 goto done; 1079 } 1080 1081 err = sock_queue_rcv_skb(sk, skb); 1082 1083 /* For ERTM, handle one skb that doesn't fit into the recv 1084 * buffer. This is important to do because the data frames 1085 * have already been acked, so the skb cannot be discarded. 1086 * 1087 * Notify the l2cap core that the buffer is full, so the 1088 * LOCAL_BUSY state is entered and no more frames are 1089 * acked and reassembled until there is buffer space 1090 * available. 1091 */ 1092 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) { 1093 l2cap_pi(sk)->rx_busy_skb = skb; 1094 l2cap_chan_busy(chan, 1); 1095 err = 0; 1096 } 1097 1098 done: 1099 release_sock(sk); 1100 1101 return err; 1102 } 1103 1104 static void l2cap_sock_close_cb(struct l2cap_chan *chan) 1105 { 1106 struct sock *sk = chan->data; 1107 1108 l2cap_sock_kill(sk); 1109 } 1110 1111 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err) 1112 { 1113 struct sock *sk = chan->data; 1114 struct sock *parent; 1115 1116 lock_sock(sk); 1117 1118 parent = bt_sk(sk)->parent; 1119 1120 sock_set_flag(sk, SOCK_ZAPPED); 1121 1122 switch (chan->state) { 1123 case BT_OPEN: 1124 case BT_BOUND: 1125 case BT_CLOSED: 1126 break; 1127 case BT_LISTEN: 1128 l2cap_sock_cleanup_listen(sk); 1129 sk->sk_state = BT_CLOSED; 1130 chan->state = BT_CLOSED; 1131 1132 break; 1133 default: 1134 sk->sk_state = BT_CLOSED; 1135 chan->state = BT_CLOSED; 1136 1137 sk->sk_err = err; 1138 1139 if (parent) { 1140 bt_accept_unlink(sk); 1141 parent->sk_data_ready(parent, 0); 1142 } else { 1143 sk->sk_state_change(sk); 1144 } 1145 1146 break; 1147 } 1148 1149 release_sock(sk); 1150 } 1151 1152 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state, 1153 int err) 1154 { 1155 struct sock *sk = chan->data; 1156 1157 sk->sk_state = state; 1158 1159 if (err) 1160 sk->sk_err = err; 1161 } 1162 1163 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan, 1164 unsigned long len, int nb) 1165 { 1166 struct sock *sk = chan->data; 1167 struct sk_buff *skb; 1168 int err; 1169 1170 l2cap_chan_unlock(chan); 1171 skb = bt_skb_send_alloc(sk, len, nb, &err); 1172 l2cap_chan_lock(chan); 1173 1174 if (!skb) 1175 return ERR_PTR(err); 1176 1177 bt_cb(skb)->chan = chan; 1178 1179 return skb; 1180 } 1181 1182 static void l2cap_sock_ready_cb(struct l2cap_chan *chan) 1183 { 1184 struct sock *sk = chan->data; 1185 struct sock *parent; 1186 1187 lock_sock(sk); 1188 1189 parent = bt_sk(sk)->parent; 1190 1191 BT_DBG("sk %p, parent %p", sk, parent); 1192 1193 sk->sk_state = BT_CONNECTED; 1194 sk->sk_state_change(sk); 1195 1196 if (parent) 1197 parent->sk_data_ready(parent, 0); 1198 1199 release_sock(sk); 1200 } 1201 1202 static void l2cap_sock_defer_cb(struct l2cap_chan *chan) 1203 { 1204 struct sock *parent, *sk = chan->data; 1205 1206 lock_sock(sk); 1207 1208 parent = bt_sk(sk)->parent; 1209 if (parent) 1210 parent->sk_data_ready(parent, 0); 1211 1212 release_sock(sk); 1213 } 1214 1215 static void l2cap_sock_resume_cb(struct l2cap_chan *chan) 1216 { 1217 struct sock *sk = chan->data; 1218 1219 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 1220 sk->sk_state_change(sk); 1221 } 1222 1223 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan) 1224 { 1225 struct sock *sk = chan->data; 1226 1227 lock_sock(sk); 1228 sk->sk_shutdown = SHUTDOWN_MASK; 1229 release_sock(sk); 1230 } 1231 1232 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan) 1233 { 1234 struct sock *sk = chan->data; 1235 1236 return sk->sk_sndtimeo; 1237 } 1238 1239 static struct l2cap_ops l2cap_chan_ops = { 1240 .name = "L2CAP Socket Interface", 1241 .new_connection = l2cap_sock_new_connection_cb, 1242 .recv = l2cap_sock_recv_cb, 1243 .close = l2cap_sock_close_cb, 1244 .teardown = l2cap_sock_teardown_cb, 1245 .state_change = l2cap_sock_state_change_cb, 1246 .ready = l2cap_sock_ready_cb, 1247 .defer = l2cap_sock_defer_cb, 1248 .resume = l2cap_sock_resume_cb, 1249 .set_shutdown = l2cap_sock_set_shutdown_cb, 1250 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb, 1251 .alloc_skb = l2cap_sock_alloc_skb_cb, 1252 }; 1253 1254 static void l2cap_sock_destruct(struct sock *sk) 1255 { 1256 BT_DBG("sk %p", sk); 1257 1258 if (l2cap_pi(sk)->chan) 1259 l2cap_chan_put(l2cap_pi(sk)->chan); 1260 1261 if (l2cap_pi(sk)->rx_busy_skb) { 1262 kfree_skb(l2cap_pi(sk)->rx_busy_skb); 1263 l2cap_pi(sk)->rx_busy_skb = NULL; 1264 } 1265 1266 skb_queue_purge(&sk->sk_receive_queue); 1267 skb_queue_purge(&sk->sk_write_queue); 1268 } 1269 1270 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name, 1271 int *msg_namelen) 1272 { 1273 struct sockaddr_l2 *la = (struct sockaddr_l2 *) msg_name; 1274 1275 memset(la, 0, sizeof(struct sockaddr_l2)); 1276 la->l2_family = AF_BLUETOOTH; 1277 la->l2_psm = bt_cb(skb)->psm; 1278 bacpy(&la->l2_bdaddr, &bt_cb(skb)->bdaddr); 1279 1280 *msg_namelen = sizeof(struct sockaddr_l2); 1281 } 1282 1283 static void l2cap_sock_init(struct sock *sk, struct sock *parent) 1284 { 1285 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1286 1287 BT_DBG("sk %p", sk); 1288 1289 if (parent) { 1290 struct l2cap_chan *pchan = l2cap_pi(parent)->chan; 1291 1292 sk->sk_type = parent->sk_type; 1293 bt_sk(sk)->flags = bt_sk(parent)->flags; 1294 1295 chan->chan_type = pchan->chan_type; 1296 chan->imtu = pchan->imtu; 1297 chan->omtu = pchan->omtu; 1298 chan->conf_state = pchan->conf_state; 1299 chan->mode = pchan->mode; 1300 chan->fcs = pchan->fcs; 1301 chan->max_tx = pchan->max_tx; 1302 chan->tx_win = pchan->tx_win; 1303 chan->tx_win_max = pchan->tx_win_max; 1304 chan->sec_level = pchan->sec_level; 1305 chan->flags = pchan->flags; 1306 1307 security_sk_clone(parent, sk); 1308 } else { 1309 switch (sk->sk_type) { 1310 case SOCK_RAW: 1311 chan->chan_type = L2CAP_CHAN_RAW; 1312 break; 1313 case SOCK_DGRAM: 1314 chan->chan_type = L2CAP_CHAN_CONN_LESS; 1315 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name; 1316 break; 1317 case SOCK_SEQPACKET: 1318 case SOCK_STREAM: 1319 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED; 1320 break; 1321 } 1322 1323 chan->imtu = L2CAP_DEFAULT_MTU; 1324 chan->omtu = 0; 1325 if (!disable_ertm && sk->sk_type == SOCK_STREAM) { 1326 chan->mode = L2CAP_MODE_ERTM; 1327 set_bit(CONF_STATE2_DEVICE, &chan->conf_state); 1328 } else { 1329 chan->mode = L2CAP_MODE_BASIC; 1330 } 1331 1332 l2cap_chan_set_defaults(chan); 1333 } 1334 1335 /* Default config options */ 1336 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO; 1337 1338 chan->data = sk; 1339 chan->ops = &l2cap_chan_ops; 1340 } 1341 1342 static struct proto l2cap_proto = { 1343 .name = "L2CAP", 1344 .owner = THIS_MODULE, 1345 .obj_size = sizeof(struct l2cap_pinfo) 1346 }; 1347 1348 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, 1349 int proto, gfp_t prio) 1350 { 1351 struct sock *sk; 1352 struct l2cap_chan *chan; 1353 1354 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto); 1355 if (!sk) 1356 return NULL; 1357 1358 sock_init_data(sock, sk); 1359 INIT_LIST_HEAD(&bt_sk(sk)->accept_q); 1360 1361 sk->sk_destruct = l2cap_sock_destruct; 1362 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT; 1363 1364 sock_reset_flag(sk, SOCK_ZAPPED); 1365 1366 sk->sk_protocol = proto; 1367 sk->sk_state = BT_OPEN; 1368 1369 chan = l2cap_chan_create(); 1370 if (!chan) { 1371 sk_free(sk); 1372 return NULL; 1373 } 1374 1375 l2cap_chan_hold(chan); 1376 1377 l2cap_pi(sk)->chan = chan; 1378 1379 return sk; 1380 } 1381 1382 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol, 1383 int kern) 1384 { 1385 struct sock *sk; 1386 1387 BT_DBG("sock %p", sock); 1388 1389 sock->state = SS_UNCONNECTED; 1390 1391 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM && 1392 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW) 1393 return -ESOCKTNOSUPPORT; 1394 1395 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW)) 1396 return -EPERM; 1397 1398 sock->ops = &l2cap_sock_ops; 1399 1400 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC); 1401 if (!sk) 1402 return -ENOMEM; 1403 1404 l2cap_sock_init(sk, NULL); 1405 bt_sock_link(&l2cap_sk_list, sk); 1406 return 0; 1407 } 1408 1409 static const struct proto_ops l2cap_sock_ops = { 1410 .family = PF_BLUETOOTH, 1411 .owner = THIS_MODULE, 1412 .release = l2cap_sock_release, 1413 .bind = l2cap_sock_bind, 1414 .connect = l2cap_sock_connect, 1415 .listen = l2cap_sock_listen, 1416 .accept = l2cap_sock_accept, 1417 .getname = l2cap_sock_getname, 1418 .sendmsg = l2cap_sock_sendmsg, 1419 .recvmsg = l2cap_sock_recvmsg, 1420 .poll = bt_sock_poll, 1421 .ioctl = bt_sock_ioctl, 1422 .mmap = sock_no_mmap, 1423 .socketpair = sock_no_socketpair, 1424 .shutdown = l2cap_sock_shutdown, 1425 .setsockopt = l2cap_sock_setsockopt, 1426 .getsockopt = l2cap_sock_getsockopt 1427 }; 1428 1429 static const struct net_proto_family l2cap_sock_family_ops = { 1430 .family = PF_BLUETOOTH, 1431 .owner = THIS_MODULE, 1432 .create = l2cap_sock_create, 1433 }; 1434 1435 int __init l2cap_init_sockets(void) 1436 { 1437 int err; 1438 1439 err = proto_register(&l2cap_proto, 0); 1440 if (err < 0) 1441 return err; 1442 1443 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops); 1444 if (err < 0) { 1445 BT_ERR("L2CAP socket registration failed"); 1446 goto error; 1447 } 1448 1449 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list, 1450 NULL); 1451 if (err < 0) { 1452 BT_ERR("Failed to create L2CAP proc file"); 1453 bt_sock_unregister(BTPROTO_L2CAP); 1454 goto error; 1455 } 1456 1457 BT_INFO("L2CAP socket layer initialized"); 1458 1459 return 0; 1460 1461 error: 1462 proto_unregister(&l2cap_proto); 1463 return err; 1464 } 1465 1466 void l2cap_cleanup_sockets(void) 1467 { 1468 bt_procfs_cleanup(&init_net, "l2cap"); 1469 bt_sock_unregister(BTPROTO_L2CAP); 1470 proto_unregister(&l2cap_proto); 1471 } 1472