1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org> 5 Copyright (C) 2010 Google Inc. 6 Copyright (C) 2011 ProFUSION Embedded Systems 7 8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 9 10 This program is free software; you can redistribute it and/or modify 11 it under the terms of the GNU General Public License version 2 as 12 published by the Free Software Foundation; 13 14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 22 23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 25 SOFTWARE IS DISCLAIMED. 26 */ 27 28 /* Bluetooth L2CAP sockets. */ 29 30 #include <linux/module.h> 31 #include <linux/export.h> 32 #include <linux/filter.h> 33 #include <linux/sched/signal.h> 34 35 #include <net/bluetooth/bluetooth.h> 36 #include <net/bluetooth/hci_core.h> 37 #include <net/bluetooth/l2cap.h> 38 39 #include "smp.h" 40 41 static struct bt_sock_list l2cap_sk_list = { 42 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock) 43 }; 44 45 static const struct proto_ops l2cap_sock_ops; 46 static void l2cap_sock_init(struct sock *sk, struct sock *parent); 47 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, 48 int proto, gfp_t prio, int kern); 49 static void l2cap_sock_cleanup_listen(struct sock *parent); 50 51 bool l2cap_is_socket(struct socket *sock) 52 { 53 return sock && sock->ops == &l2cap_sock_ops; 54 } 55 EXPORT_SYMBOL(l2cap_is_socket); 56 57 static int l2cap_validate_bredr_psm(u16 psm) 58 { 59 /* PSM must be odd and lsb of upper byte must be 0 */ 60 if ((psm & 0x0101) != 0x0001) 61 return -EINVAL; 62 63 /* Restrict usage of well-known PSMs */ 64 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE)) 65 return -EACCES; 66 67 return 0; 68 } 69 70 static int l2cap_validate_le_psm(u16 psm) 71 { 72 /* Valid LE_PSM ranges are defined only until 0x00ff */ 73 if (psm > L2CAP_PSM_LE_DYN_END) 74 return -EINVAL; 75 76 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */ 77 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE)) 78 return -EACCES; 79 80 return 0; 81 } 82 83 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) 84 { 85 struct sock *sk = sock->sk; 86 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 87 struct sockaddr_l2 la; 88 int len, err = 0; 89 90 BT_DBG("sk %p", sk); 91 92 if (!addr || alen < offsetofend(struct sockaddr, sa_family) || 93 addr->sa_family != AF_BLUETOOTH) 94 return -EINVAL; 95 96 memset(&la, 0, sizeof(la)); 97 len = min_t(unsigned int, sizeof(la), alen); 98 memcpy(&la, addr, len); 99 100 if (la.l2_cid && la.l2_psm) 101 return -EINVAL; 102 103 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) 104 return -EINVAL; 105 106 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 107 /* We only allow ATT user space socket */ 108 if (la.l2_cid && 109 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) 110 return -EINVAL; 111 } 112 113 lock_sock(sk); 114 115 if (sk->sk_state != BT_OPEN) { 116 err = -EBADFD; 117 goto done; 118 } 119 120 if (la.l2_psm) { 121 __u16 psm = __le16_to_cpu(la.l2_psm); 122 123 if (la.l2_bdaddr_type == BDADDR_BREDR) 124 err = l2cap_validate_bredr_psm(psm); 125 else 126 err = l2cap_validate_le_psm(psm); 127 128 if (err) 129 goto done; 130 } 131 132 bacpy(&chan->src, &la.l2_bdaddr); 133 chan->src_type = la.l2_bdaddr_type; 134 135 if (la.l2_cid) 136 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid)); 137 else 138 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm); 139 140 if (err < 0) 141 goto done; 142 143 switch (chan->chan_type) { 144 case L2CAP_CHAN_CONN_LESS: 145 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP) 146 chan->sec_level = BT_SECURITY_SDP; 147 break; 148 case L2CAP_CHAN_CONN_ORIENTED: 149 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP || 150 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM) 151 chan->sec_level = BT_SECURITY_SDP; 152 break; 153 case L2CAP_CHAN_RAW: 154 chan->sec_level = BT_SECURITY_SDP; 155 break; 156 case L2CAP_CHAN_FIXED: 157 /* Fixed channels default to the L2CAP core not holding a 158 * hci_conn reference for them. For fixed channels mapping to 159 * L2CAP sockets we do want to hold a reference so set the 160 * appropriate flag to request it. 161 */ 162 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags); 163 break; 164 } 165 166 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and 167 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set. 168 */ 169 if (chan->psm && bdaddr_type_is_le(chan->src_type) && 170 chan->mode != L2CAP_MODE_EXT_FLOWCTL) 171 chan->mode = L2CAP_MODE_LE_FLOWCTL; 172 173 chan->state = BT_BOUND; 174 sk->sk_state = BT_BOUND; 175 176 done: 177 release_sock(sk); 178 return err; 179 } 180 181 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, 182 int alen, int flags) 183 { 184 struct sock *sk = sock->sk; 185 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 186 struct sockaddr_l2 la; 187 int len, err = 0; 188 bool zapped; 189 190 BT_DBG("sk %p", sk); 191 192 lock_sock(sk); 193 zapped = sock_flag(sk, SOCK_ZAPPED); 194 release_sock(sk); 195 196 if (zapped) 197 return -EINVAL; 198 199 if (!addr || alen < offsetofend(struct sockaddr, sa_family) || 200 addr->sa_family != AF_BLUETOOTH) 201 return -EINVAL; 202 203 memset(&la, 0, sizeof(la)); 204 len = min_t(unsigned int, sizeof(la), alen); 205 memcpy(&la, addr, len); 206 207 if (la.l2_cid && la.l2_psm) 208 return -EINVAL; 209 210 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) 211 return -EINVAL; 212 213 /* Check that the socket wasn't bound to something that 214 * conflicts with the address given to connect(). If chan->src 215 * is BDADDR_ANY it means bind() was never used, in which case 216 * chan->src_type and la.l2_bdaddr_type do not need to match. 217 */ 218 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) && 219 bdaddr_type_is_le(la.l2_bdaddr_type)) { 220 /* Old user space versions will try to incorrectly bind 221 * the ATT socket using BDADDR_BREDR. We need to accept 222 * this and fix up the source address type only when 223 * both the source CID and destination CID indicate 224 * ATT. Anything else is an invalid combination. 225 */ 226 if (chan->scid != L2CAP_CID_ATT || 227 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) 228 return -EINVAL; 229 230 /* We don't have the hdev available here to make a 231 * better decision on random vs public, but since all 232 * user space versions that exhibit this issue anyway do 233 * not support random local addresses assuming public 234 * here is good enough. 235 */ 236 chan->src_type = BDADDR_LE_PUBLIC; 237 } 238 239 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR) 240 return -EINVAL; 241 242 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 243 /* We only allow ATT user space socket */ 244 if (la.l2_cid && 245 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) 246 return -EINVAL; 247 } 248 249 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and 250 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set. 251 */ 252 if (chan->psm && bdaddr_type_is_le(chan->src_type) && 253 chan->mode != L2CAP_MODE_EXT_FLOWCTL) 254 chan->mode = L2CAP_MODE_LE_FLOWCTL; 255 256 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid), 257 &la.l2_bdaddr, la.l2_bdaddr_type); 258 if (err) 259 return err; 260 261 lock_sock(sk); 262 263 err = bt_sock_wait_state(sk, BT_CONNECTED, 264 sock_sndtimeo(sk, flags & O_NONBLOCK)); 265 266 release_sock(sk); 267 268 return err; 269 } 270 271 static int l2cap_sock_listen(struct socket *sock, int backlog) 272 { 273 struct sock *sk = sock->sk; 274 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 275 int err = 0; 276 277 BT_DBG("sk %p backlog %d", sk, backlog); 278 279 lock_sock(sk); 280 281 if (sk->sk_state != BT_BOUND) { 282 err = -EBADFD; 283 goto done; 284 } 285 286 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) { 287 err = -EINVAL; 288 goto done; 289 } 290 291 switch (chan->mode) { 292 case L2CAP_MODE_BASIC: 293 case L2CAP_MODE_LE_FLOWCTL: 294 break; 295 case L2CAP_MODE_EXT_FLOWCTL: 296 if (!enable_ecred) { 297 err = -EOPNOTSUPP; 298 goto done; 299 } 300 break; 301 case L2CAP_MODE_ERTM: 302 case L2CAP_MODE_STREAMING: 303 if (!disable_ertm) 304 break; 305 fallthrough; 306 default: 307 err = -EOPNOTSUPP; 308 goto done; 309 } 310 311 sk->sk_max_ack_backlog = backlog; 312 sk->sk_ack_backlog = 0; 313 314 /* Listening channels need to use nested locking in order not to 315 * cause lockdep warnings when the created child channels end up 316 * being locked in the same thread as the parent channel. 317 */ 318 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT); 319 320 chan->state = BT_LISTEN; 321 sk->sk_state = BT_LISTEN; 322 323 done: 324 release_sock(sk); 325 return err; 326 } 327 328 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, 329 int flags, bool kern) 330 { 331 DEFINE_WAIT_FUNC(wait, woken_wake_function); 332 struct sock *sk = sock->sk, *nsk; 333 long timeo; 334 int err = 0; 335 336 lock_sock_nested(sk, L2CAP_NESTING_PARENT); 337 338 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK); 339 340 BT_DBG("sk %p timeo %ld", sk, timeo); 341 342 /* Wait for an incoming connection. (wake-one). */ 343 add_wait_queue_exclusive(sk_sleep(sk), &wait); 344 while (1) { 345 if (sk->sk_state != BT_LISTEN) { 346 err = -EBADFD; 347 break; 348 } 349 350 nsk = bt_accept_dequeue(sk, newsock); 351 if (nsk) 352 break; 353 354 if (!timeo) { 355 err = -EAGAIN; 356 break; 357 } 358 359 if (signal_pending(current)) { 360 err = sock_intr_errno(timeo); 361 break; 362 } 363 364 release_sock(sk); 365 366 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo); 367 368 lock_sock_nested(sk, L2CAP_NESTING_PARENT); 369 } 370 remove_wait_queue(sk_sleep(sk), &wait); 371 372 if (err) 373 goto done; 374 375 newsock->state = SS_CONNECTED; 376 377 BT_DBG("new socket %p", nsk); 378 379 done: 380 release_sock(sk); 381 return err; 382 } 383 384 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, 385 int peer) 386 { 387 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr; 388 struct sock *sk = sock->sk; 389 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 390 391 BT_DBG("sock %p, sk %p", sock, sk); 392 393 if (peer && sk->sk_state != BT_CONNECTED && 394 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 && 395 sk->sk_state != BT_CONFIG) 396 return -ENOTCONN; 397 398 memset(la, 0, sizeof(struct sockaddr_l2)); 399 addr->sa_family = AF_BLUETOOTH; 400 401 la->l2_psm = chan->psm; 402 403 if (peer) { 404 bacpy(&la->l2_bdaddr, &chan->dst); 405 la->l2_cid = cpu_to_le16(chan->dcid); 406 la->l2_bdaddr_type = chan->dst_type; 407 } else { 408 bacpy(&la->l2_bdaddr, &chan->src); 409 la->l2_cid = cpu_to_le16(chan->scid); 410 la->l2_bdaddr_type = chan->src_type; 411 } 412 413 return sizeof(struct sockaddr_l2); 414 } 415 416 static int l2cap_get_mode(struct l2cap_chan *chan) 417 { 418 switch (chan->mode) { 419 case L2CAP_MODE_BASIC: 420 return BT_MODE_BASIC; 421 case L2CAP_MODE_ERTM: 422 return BT_MODE_ERTM; 423 case L2CAP_MODE_STREAMING: 424 return BT_MODE_STREAMING; 425 case L2CAP_MODE_LE_FLOWCTL: 426 return BT_MODE_LE_FLOWCTL; 427 case L2CAP_MODE_EXT_FLOWCTL: 428 return BT_MODE_EXT_FLOWCTL; 429 } 430 431 return -EINVAL; 432 } 433 434 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, 435 char __user *optval, int __user *optlen) 436 { 437 struct sock *sk = sock->sk; 438 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 439 struct l2cap_options opts; 440 struct l2cap_conninfo cinfo; 441 int len, err = 0; 442 u32 opt; 443 444 BT_DBG("sk %p", sk); 445 446 if (get_user(len, optlen)) 447 return -EFAULT; 448 449 lock_sock(sk); 450 451 switch (optname) { 452 case L2CAP_OPTIONS: 453 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since 454 * legacy ATT code depends on getsockopt for 455 * L2CAP_OPTIONS we need to let this pass. 456 */ 457 if (bdaddr_type_is_le(chan->src_type) && 458 chan->scid != L2CAP_CID_ATT) { 459 err = -EINVAL; 460 break; 461 } 462 463 /* Only BR/EDR modes are supported here */ 464 switch (chan->mode) { 465 case L2CAP_MODE_BASIC: 466 case L2CAP_MODE_ERTM: 467 case L2CAP_MODE_STREAMING: 468 break; 469 default: 470 err = -EINVAL; 471 break; 472 } 473 474 if (err < 0) 475 break; 476 477 memset(&opts, 0, sizeof(opts)); 478 opts.imtu = chan->imtu; 479 opts.omtu = chan->omtu; 480 opts.flush_to = chan->flush_to; 481 opts.mode = chan->mode; 482 opts.fcs = chan->fcs; 483 opts.max_tx = chan->max_tx; 484 opts.txwin_size = chan->tx_win; 485 486 BT_DBG("mode 0x%2.2x", chan->mode); 487 488 len = min_t(unsigned int, len, sizeof(opts)); 489 if (copy_to_user(optval, (char *) &opts, len)) 490 err = -EFAULT; 491 492 break; 493 494 case L2CAP_LM: 495 switch (chan->sec_level) { 496 case BT_SECURITY_LOW: 497 opt = L2CAP_LM_AUTH; 498 break; 499 case BT_SECURITY_MEDIUM: 500 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT; 501 break; 502 case BT_SECURITY_HIGH: 503 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT | 504 L2CAP_LM_SECURE; 505 break; 506 case BT_SECURITY_FIPS: 507 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT | 508 L2CAP_LM_SECURE | L2CAP_LM_FIPS; 509 break; 510 default: 511 opt = 0; 512 break; 513 } 514 515 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags)) 516 opt |= L2CAP_LM_MASTER; 517 518 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags)) 519 opt |= L2CAP_LM_RELIABLE; 520 521 if (put_user(opt, (u32 __user *) optval)) 522 err = -EFAULT; 523 524 break; 525 526 case L2CAP_CONNINFO: 527 if (sk->sk_state != BT_CONNECTED && 528 !(sk->sk_state == BT_CONNECT2 && 529 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) { 530 err = -ENOTCONN; 531 break; 532 } 533 534 memset(&cinfo, 0, sizeof(cinfo)); 535 cinfo.hci_handle = chan->conn->hcon->handle; 536 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3); 537 538 len = min_t(unsigned int, len, sizeof(cinfo)); 539 if (copy_to_user(optval, (char *) &cinfo, len)) 540 err = -EFAULT; 541 542 break; 543 544 default: 545 err = -ENOPROTOOPT; 546 break; 547 } 548 549 release_sock(sk); 550 return err; 551 } 552 553 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, 554 char __user *optval, int __user *optlen) 555 { 556 struct sock *sk = sock->sk; 557 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 558 struct bt_security sec; 559 struct bt_power pwr; 560 u32 phys; 561 int len, mode, err = 0; 562 563 BT_DBG("sk %p", sk); 564 565 if (level == SOL_L2CAP) 566 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen); 567 568 if (level != SOL_BLUETOOTH) 569 return -ENOPROTOOPT; 570 571 if (get_user(len, optlen)) 572 return -EFAULT; 573 574 lock_sock(sk); 575 576 switch (optname) { 577 case BT_SECURITY: 578 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 579 chan->chan_type != L2CAP_CHAN_FIXED && 580 chan->chan_type != L2CAP_CHAN_RAW) { 581 err = -EINVAL; 582 break; 583 } 584 585 memset(&sec, 0, sizeof(sec)); 586 if (chan->conn) { 587 sec.level = chan->conn->hcon->sec_level; 588 589 if (sk->sk_state == BT_CONNECTED) 590 sec.key_size = chan->conn->hcon->enc_key_size; 591 } else { 592 sec.level = chan->sec_level; 593 } 594 595 len = min_t(unsigned int, len, sizeof(sec)); 596 if (copy_to_user(optval, (char *) &sec, len)) 597 err = -EFAULT; 598 599 break; 600 601 case BT_DEFER_SETUP: 602 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 603 err = -EINVAL; 604 break; 605 } 606 607 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags), 608 (u32 __user *) optval)) 609 err = -EFAULT; 610 611 break; 612 613 case BT_FLUSHABLE: 614 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags), 615 (u32 __user *) optval)) 616 err = -EFAULT; 617 618 break; 619 620 case BT_POWER: 621 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM 622 && sk->sk_type != SOCK_RAW) { 623 err = -EINVAL; 624 break; 625 } 626 627 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags); 628 629 len = min_t(unsigned int, len, sizeof(pwr)); 630 if (copy_to_user(optval, (char *) &pwr, len)) 631 err = -EFAULT; 632 633 break; 634 635 case BT_CHANNEL_POLICY: 636 if (put_user(chan->chan_policy, (u32 __user *) optval)) 637 err = -EFAULT; 638 break; 639 640 case BT_SNDMTU: 641 if (!bdaddr_type_is_le(chan->src_type)) { 642 err = -EINVAL; 643 break; 644 } 645 646 if (sk->sk_state != BT_CONNECTED) { 647 err = -ENOTCONN; 648 break; 649 } 650 651 if (put_user(chan->omtu, (u16 __user *) optval)) 652 err = -EFAULT; 653 break; 654 655 case BT_RCVMTU: 656 if (!bdaddr_type_is_le(chan->src_type)) { 657 err = -EINVAL; 658 break; 659 } 660 661 if (put_user(chan->imtu, (u16 __user *) optval)) 662 err = -EFAULT; 663 break; 664 665 case BT_PHY: 666 if (sk->sk_state != BT_CONNECTED) { 667 err = -ENOTCONN; 668 break; 669 } 670 671 phys = hci_conn_get_phy(chan->conn->hcon); 672 673 if (put_user(phys, (u32 __user *) optval)) 674 err = -EFAULT; 675 break; 676 677 case BT_MODE: 678 if (!enable_ecred) { 679 err = -ENOPROTOOPT; 680 break; 681 } 682 683 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 684 err = -EINVAL; 685 break; 686 } 687 688 mode = l2cap_get_mode(chan); 689 if (mode < 0) { 690 err = mode; 691 break; 692 } 693 694 if (put_user(mode, (u8 __user *) optval)) 695 err = -EFAULT; 696 break; 697 698 default: 699 err = -ENOPROTOOPT; 700 break; 701 } 702 703 release_sock(sk); 704 return err; 705 } 706 707 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu) 708 { 709 switch (chan->scid) { 710 case L2CAP_CID_ATT: 711 if (mtu < L2CAP_LE_MIN_MTU) 712 return false; 713 break; 714 715 default: 716 if (mtu < L2CAP_DEFAULT_MIN_MTU) 717 return false; 718 } 719 720 return true; 721 } 722 723 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, 724 sockptr_t optval, unsigned int optlen) 725 { 726 struct sock *sk = sock->sk; 727 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 728 struct l2cap_options opts; 729 int len, err = 0; 730 u32 opt; 731 732 BT_DBG("sk %p", sk); 733 734 lock_sock(sk); 735 736 switch (optname) { 737 case L2CAP_OPTIONS: 738 if (bdaddr_type_is_le(chan->src_type)) { 739 err = -EINVAL; 740 break; 741 } 742 743 if (sk->sk_state == BT_CONNECTED) { 744 err = -EINVAL; 745 break; 746 } 747 748 opts.imtu = chan->imtu; 749 opts.omtu = chan->omtu; 750 opts.flush_to = chan->flush_to; 751 opts.mode = chan->mode; 752 opts.fcs = chan->fcs; 753 opts.max_tx = chan->max_tx; 754 opts.txwin_size = chan->tx_win; 755 756 len = min_t(unsigned int, sizeof(opts), optlen); 757 if (copy_from_sockptr(&opts, optval, len)) { 758 err = -EFAULT; 759 break; 760 } 761 762 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) { 763 err = -EINVAL; 764 break; 765 } 766 767 if (!l2cap_valid_mtu(chan, opts.imtu)) { 768 err = -EINVAL; 769 break; 770 } 771 772 /* Only BR/EDR modes are supported here */ 773 switch (opts.mode) { 774 case L2CAP_MODE_BASIC: 775 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state); 776 break; 777 case L2CAP_MODE_ERTM: 778 case L2CAP_MODE_STREAMING: 779 if (!disable_ertm) 780 break; 781 fallthrough; 782 default: 783 err = -EINVAL; 784 break; 785 } 786 787 if (err < 0) 788 break; 789 790 chan->mode = opts.mode; 791 792 BT_DBG("mode 0x%2.2x", chan->mode); 793 794 chan->imtu = opts.imtu; 795 chan->omtu = opts.omtu; 796 chan->fcs = opts.fcs; 797 chan->max_tx = opts.max_tx; 798 chan->tx_win = opts.txwin_size; 799 chan->flush_to = opts.flush_to; 800 break; 801 802 case L2CAP_LM: 803 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 804 err = -EFAULT; 805 break; 806 } 807 808 if (opt & L2CAP_LM_FIPS) { 809 err = -EINVAL; 810 break; 811 } 812 813 if (opt & L2CAP_LM_AUTH) 814 chan->sec_level = BT_SECURITY_LOW; 815 if (opt & L2CAP_LM_ENCRYPT) 816 chan->sec_level = BT_SECURITY_MEDIUM; 817 if (opt & L2CAP_LM_SECURE) 818 chan->sec_level = BT_SECURITY_HIGH; 819 820 if (opt & L2CAP_LM_MASTER) 821 set_bit(FLAG_ROLE_SWITCH, &chan->flags); 822 else 823 clear_bit(FLAG_ROLE_SWITCH, &chan->flags); 824 825 if (opt & L2CAP_LM_RELIABLE) 826 set_bit(FLAG_FORCE_RELIABLE, &chan->flags); 827 else 828 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags); 829 break; 830 831 default: 832 err = -ENOPROTOOPT; 833 break; 834 } 835 836 release_sock(sk); 837 return err; 838 } 839 840 static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode) 841 { 842 switch (mode) { 843 case BT_MODE_BASIC: 844 if (bdaddr_type_is_le(chan->src_type)) 845 return -EINVAL; 846 mode = L2CAP_MODE_BASIC; 847 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state); 848 break; 849 case BT_MODE_ERTM: 850 if (!disable_ertm || bdaddr_type_is_le(chan->src_type)) 851 return -EINVAL; 852 mode = L2CAP_MODE_ERTM; 853 break; 854 case BT_MODE_STREAMING: 855 if (!disable_ertm || bdaddr_type_is_le(chan->src_type)) 856 return -EINVAL; 857 mode = L2CAP_MODE_STREAMING; 858 break; 859 case BT_MODE_LE_FLOWCTL: 860 if (!bdaddr_type_is_le(chan->src_type)) 861 return -EINVAL; 862 mode = L2CAP_MODE_LE_FLOWCTL; 863 break; 864 case BT_MODE_EXT_FLOWCTL: 865 /* TODO: Add support for ECRED PDUs to BR/EDR */ 866 if (!bdaddr_type_is_le(chan->src_type)) 867 return -EINVAL; 868 mode = L2CAP_MODE_EXT_FLOWCTL; 869 break; 870 default: 871 return -EINVAL; 872 } 873 874 chan->mode = mode; 875 876 return 0; 877 } 878 879 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, 880 sockptr_t optval, unsigned int optlen) 881 { 882 struct sock *sk = sock->sk; 883 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 884 struct bt_security sec; 885 struct bt_power pwr; 886 struct l2cap_conn *conn; 887 int len, err = 0; 888 u32 opt; 889 u16 mtu; 890 u8 mode; 891 892 BT_DBG("sk %p", sk); 893 894 if (level == SOL_L2CAP) 895 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen); 896 897 if (level != SOL_BLUETOOTH) 898 return -ENOPROTOOPT; 899 900 lock_sock(sk); 901 902 switch (optname) { 903 case BT_SECURITY: 904 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 905 chan->chan_type != L2CAP_CHAN_FIXED && 906 chan->chan_type != L2CAP_CHAN_RAW) { 907 err = -EINVAL; 908 break; 909 } 910 911 sec.level = BT_SECURITY_LOW; 912 913 len = min_t(unsigned int, sizeof(sec), optlen); 914 if (copy_from_sockptr(&sec, optval, len)) { 915 err = -EFAULT; 916 break; 917 } 918 919 if (sec.level < BT_SECURITY_LOW || 920 sec.level > BT_SECURITY_FIPS) { 921 err = -EINVAL; 922 break; 923 } 924 925 chan->sec_level = sec.level; 926 927 if (!chan->conn) 928 break; 929 930 conn = chan->conn; 931 932 /* change security for LE channels */ 933 if (chan->scid == L2CAP_CID_ATT) { 934 if (smp_conn_security(conn->hcon, sec.level)) { 935 err = -EINVAL; 936 break; 937 } 938 939 set_bit(FLAG_PENDING_SECURITY, &chan->flags); 940 sk->sk_state = BT_CONFIG; 941 chan->state = BT_CONFIG; 942 943 /* or for ACL link */ 944 } else if ((sk->sk_state == BT_CONNECT2 && 945 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) || 946 sk->sk_state == BT_CONNECTED) { 947 if (!l2cap_chan_check_security(chan, true)) 948 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 949 else 950 sk->sk_state_change(sk); 951 } else { 952 err = -EINVAL; 953 } 954 break; 955 956 case BT_DEFER_SETUP: 957 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 958 err = -EINVAL; 959 break; 960 } 961 962 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 963 err = -EFAULT; 964 break; 965 } 966 967 if (opt) { 968 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 969 set_bit(FLAG_DEFER_SETUP, &chan->flags); 970 } else { 971 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 972 clear_bit(FLAG_DEFER_SETUP, &chan->flags); 973 } 974 break; 975 976 case BT_FLUSHABLE: 977 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 978 err = -EFAULT; 979 break; 980 } 981 982 if (opt > BT_FLUSHABLE_ON) { 983 err = -EINVAL; 984 break; 985 } 986 987 if (opt == BT_FLUSHABLE_OFF) { 988 conn = chan->conn; 989 /* proceed further only when we have l2cap_conn and 990 No Flush support in the LM */ 991 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) { 992 err = -EINVAL; 993 break; 994 } 995 } 996 997 if (opt) 998 set_bit(FLAG_FLUSHABLE, &chan->flags); 999 else 1000 clear_bit(FLAG_FLUSHABLE, &chan->flags); 1001 break; 1002 1003 case BT_POWER: 1004 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 1005 chan->chan_type != L2CAP_CHAN_RAW) { 1006 err = -EINVAL; 1007 break; 1008 } 1009 1010 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON; 1011 1012 len = min_t(unsigned int, sizeof(pwr), optlen); 1013 if (copy_from_sockptr(&pwr, optval, len)) { 1014 err = -EFAULT; 1015 break; 1016 } 1017 1018 if (pwr.force_active) 1019 set_bit(FLAG_FORCE_ACTIVE, &chan->flags); 1020 else 1021 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags); 1022 break; 1023 1024 case BT_CHANNEL_POLICY: 1025 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 1026 err = -EFAULT; 1027 break; 1028 } 1029 1030 err = -EOPNOTSUPP; 1031 break; 1032 1033 case BT_SNDMTU: 1034 if (!bdaddr_type_is_le(chan->src_type)) { 1035 err = -EINVAL; 1036 break; 1037 } 1038 1039 /* Setting is not supported as it's the remote side that 1040 * decides this. 1041 */ 1042 err = -EPERM; 1043 break; 1044 1045 case BT_RCVMTU: 1046 if (!bdaddr_type_is_le(chan->src_type)) { 1047 err = -EINVAL; 1048 break; 1049 } 1050 1051 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && 1052 sk->sk_state == BT_CONNECTED) { 1053 err = -EISCONN; 1054 break; 1055 } 1056 1057 if (copy_from_sockptr(&mtu, optval, sizeof(u16))) { 1058 err = -EFAULT; 1059 break; 1060 } 1061 1062 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL && 1063 sk->sk_state == BT_CONNECTED) 1064 err = l2cap_chan_reconfigure(chan, mtu); 1065 else 1066 chan->imtu = mtu; 1067 1068 break; 1069 1070 case BT_MODE: 1071 if (!enable_ecred) { 1072 err = -ENOPROTOOPT; 1073 break; 1074 } 1075 1076 BT_DBG("sk->sk_state %u", sk->sk_state); 1077 1078 if (sk->sk_state != BT_BOUND) { 1079 err = -EINVAL; 1080 break; 1081 } 1082 1083 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 1084 err = -EINVAL; 1085 break; 1086 } 1087 1088 if (copy_from_sockptr(&mode, optval, sizeof(u8))) { 1089 err = -EFAULT; 1090 break; 1091 } 1092 1093 BT_DBG("mode %u", mode); 1094 1095 err = l2cap_set_mode(chan, mode); 1096 if (err) 1097 break; 1098 1099 BT_DBG("mode 0x%2.2x", chan->mode); 1100 1101 break; 1102 1103 default: 1104 err = -ENOPROTOOPT; 1105 break; 1106 } 1107 1108 release_sock(sk); 1109 return err; 1110 } 1111 1112 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg, 1113 size_t len) 1114 { 1115 struct sock *sk = sock->sk; 1116 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1117 int err; 1118 1119 BT_DBG("sock %p, sk %p", sock, sk); 1120 1121 err = sock_error(sk); 1122 if (err) 1123 return err; 1124 1125 if (msg->msg_flags & MSG_OOB) 1126 return -EOPNOTSUPP; 1127 1128 if (sk->sk_state != BT_CONNECTED) 1129 return -ENOTCONN; 1130 1131 lock_sock(sk); 1132 err = bt_sock_wait_ready(sk, msg->msg_flags); 1133 release_sock(sk); 1134 if (err) 1135 return err; 1136 1137 l2cap_chan_lock(chan); 1138 err = l2cap_chan_send(chan, msg, len); 1139 l2cap_chan_unlock(chan); 1140 1141 return err; 1142 } 1143 1144 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg, 1145 size_t len, int flags) 1146 { 1147 struct sock *sk = sock->sk; 1148 struct l2cap_pinfo *pi = l2cap_pi(sk); 1149 int err; 1150 1151 lock_sock(sk); 1152 1153 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP, 1154 &bt_sk(sk)->flags)) { 1155 if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) { 1156 sk->sk_state = BT_CONNECTED; 1157 pi->chan->state = BT_CONNECTED; 1158 __l2cap_ecred_conn_rsp_defer(pi->chan); 1159 } else if (bdaddr_type_is_le(pi->chan->src_type)) { 1160 sk->sk_state = BT_CONNECTED; 1161 pi->chan->state = BT_CONNECTED; 1162 __l2cap_le_connect_rsp_defer(pi->chan); 1163 } else { 1164 sk->sk_state = BT_CONFIG; 1165 pi->chan->state = BT_CONFIG; 1166 __l2cap_connect_rsp_defer(pi->chan); 1167 } 1168 1169 err = 0; 1170 goto done; 1171 } 1172 1173 release_sock(sk); 1174 1175 if (sock->type == SOCK_STREAM) 1176 err = bt_sock_stream_recvmsg(sock, msg, len, flags); 1177 else 1178 err = bt_sock_recvmsg(sock, msg, len, flags); 1179 1180 if (pi->chan->mode != L2CAP_MODE_ERTM) 1181 return err; 1182 1183 /* Attempt to put pending rx data in the socket buffer */ 1184 1185 lock_sock(sk); 1186 1187 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state)) 1188 goto done; 1189 1190 if (pi->rx_busy_skb) { 1191 if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb)) 1192 pi->rx_busy_skb = NULL; 1193 else 1194 goto done; 1195 } 1196 1197 /* Restore data flow when half of the receive buffer is 1198 * available. This avoids resending large numbers of 1199 * frames. 1200 */ 1201 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1) 1202 l2cap_chan_busy(pi->chan, 0); 1203 1204 done: 1205 release_sock(sk); 1206 return err; 1207 } 1208 1209 /* Kill socket (only if zapped and orphan) 1210 * Must be called on unlocked socket, with l2cap channel lock. 1211 */ 1212 static void l2cap_sock_kill(struct sock *sk) 1213 { 1214 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket) 1215 return; 1216 1217 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state)); 1218 1219 /* Kill poor orphan */ 1220 1221 l2cap_chan_put(l2cap_pi(sk)->chan); 1222 sock_set_flag(sk, SOCK_DEAD); 1223 sock_put(sk); 1224 } 1225 1226 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan) 1227 { 1228 DECLARE_WAITQUEUE(wait, current); 1229 int err = 0; 1230 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD; 1231 /* Timeout to prevent infinite loop */ 1232 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT; 1233 1234 add_wait_queue(sk_sleep(sk), &wait); 1235 set_current_state(TASK_INTERRUPTIBLE); 1236 do { 1237 BT_DBG("Waiting for %d ACKs, timeout %04d ms", 1238 chan->unacked_frames, time_after(jiffies, timeout) ? 0 : 1239 jiffies_to_msecs(timeout - jiffies)); 1240 1241 if (!timeo) 1242 timeo = L2CAP_WAIT_ACK_POLL_PERIOD; 1243 1244 if (signal_pending(current)) { 1245 err = sock_intr_errno(timeo); 1246 break; 1247 } 1248 1249 release_sock(sk); 1250 timeo = schedule_timeout(timeo); 1251 lock_sock(sk); 1252 set_current_state(TASK_INTERRUPTIBLE); 1253 1254 err = sock_error(sk); 1255 if (err) 1256 break; 1257 1258 if (time_after(jiffies, timeout)) { 1259 err = -ENOLINK; 1260 break; 1261 } 1262 1263 } while (chan->unacked_frames > 0 && 1264 chan->state == BT_CONNECTED); 1265 1266 set_current_state(TASK_RUNNING); 1267 remove_wait_queue(sk_sleep(sk), &wait); 1268 return err; 1269 } 1270 1271 static int l2cap_sock_shutdown(struct socket *sock, int how) 1272 { 1273 struct sock *sk = sock->sk; 1274 struct l2cap_chan *chan; 1275 struct l2cap_conn *conn; 1276 int err = 0; 1277 1278 BT_DBG("sock %p, sk %p, how %d", sock, sk, how); 1279 1280 /* 'how' parameter is mapped to sk_shutdown as follows: 1281 * SHUT_RD (0) --> RCV_SHUTDOWN (1) 1282 * SHUT_WR (1) --> SEND_SHUTDOWN (2) 1283 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3) 1284 */ 1285 how++; 1286 1287 if (!sk) 1288 return 0; 1289 1290 lock_sock(sk); 1291 1292 if ((sk->sk_shutdown & how) == how) 1293 goto shutdown_already; 1294 1295 BT_DBG("Handling sock shutdown"); 1296 1297 /* prevent sk structure from being freed whilst unlocked */ 1298 sock_hold(sk); 1299 1300 chan = l2cap_pi(sk)->chan; 1301 /* prevent chan structure from being freed whilst unlocked */ 1302 l2cap_chan_hold(chan); 1303 1304 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 1305 1306 if (chan->mode == L2CAP_MODE_ERTM && 1307 chan->unacked_frames > 0 && 1308 chan->state == BT_CONNECTED) { 1309 err = __l2cap_wait_ack(sk, chan); 1310 1311 /* After waiting for ACKs, check whether shutdown 1312 * has already been actioned to close the L2CAP 1313 * link such as by l2cap_disconnection_req(). 1314 */ 1315 if ((sk->sk_shutdown & how) == how) 1316 goto shutdown_matched; 1317 } 1318 1319 /* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN 1320 * is already set 1321 */ 1322 if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) { 1323 sk->sk_shutdown |= RCV_SHUTDOWN; 1324 if ((sk->sk_shutdown & how) == how) 1325 goto shutdown_matched; 1326 } 1327 1328 sk->sk_shutdown |= SEND_SHUTDOWN; 1329 release_sock(sk); 1330 1331 l2cap_chan_lock(chan); 1332 conn = chan->conn; 1333 if (conn) 1334 /* prevent conn structure from being freed */ 1335 l2cap_conn_get(conn); 1336 l2cap_chan_unlock(chan); 1337 1338 if (conn) 1339 /* mutex lock must be taken before l2cap_chan_lock() */ 1340 mutex_lock(&conn->chan_lock); 1341 1342 l2cap_chan_lock(chan); 1343 l2cap_chan_close(chan, 0); 1344 l2cap_chan_unlock(chan); 1345 1346 if (conn) { 1347 mutex_unlock(&conn->chan_lock); 1348 l2cap_conn_put(conn); 1349 } 1350 1351 lock_sock(sk); 1352 1353 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime && 1354 !(current->flags & PF_EXITING)) 1355 err = bt_sock_wait_state(sk, BT_CLOSED, 1356 sk->sk_lingertime); 1357 1358 shutdown_matched: 1359 l2cap_chan_put(chan); 1360 sock_put(sk); 1361 1362 shutdown_already: 1363 if (!err && sk->sk_err) 1364 err = -sk->sk_err; 1365 1366 release_sock(sk); 1367 1368 BT_DBG("Sock shutdown complete err: %d", err); 1369 1370 return err; 1371 } 1372 1373 static int l2cap_sock_release(struct socket *sock) 1374 { 1375 struct sock *sk = sock->sk; 1376 int err; 1377 struct l2cap_chan *chan; 1378 1379 BT_DBG("sock %p, sk %p", sock, sk); 1380 1381 if (!sk) 1382 return 0; 1383 1384 l2cap_sock_cleanup_listen(sk); 1385 bt_sock_unlink(&l2cap_sk_list, sk); 1386 1387 err = l2cap_sock_shutdown(sock, SHUT_RDWR); 1388 chan = l2cap_pi(sk)->chan; 1389 1390 l2cap_chan_hold(chan); 1391 l2cap_chan_lock(chan); 1392 1393 sock_orphan(sk); 1394 l2cap_sock_kill(sk); 1395 1396 l2cap_chan_unlock(chan); 1397 l2cap_chan_put(chan); 1398 1399 return err; 1400 } 1401 1402 static void l2cap_sock_cleanup_listen(struct sock *parent) 1403 { 1404 struct sock *sk; 1405 1406 BT_DBG("parent %p state %s", parent, 1407 state_to_string(parent->sk_state)); 1408 1409 /* Close not yet accepted channels */ 1410 while ((sk = bt_accept_dequeue(parent, NULL))) { 1411 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1412 1413 BT_DBG("child chan %p state %s", chan, 1414 state_to_string(chan->state)); 1415 1416 l2cap_chan_hold(chan); 1417 l2cap_chan_lock(chan); 1418 1419 __clear_chan_timer(chan); 1420 l2cap_chan_close(chan, ECONNRESET); 1421 l2cap_sock_kill(sk); 1422 1423 l2cap_chan_unlock(chan); 1424 l2cap_chan_put(chan); 1425 } 1426 } 1427 1428 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan) 1429 { 1430 struct sock *sk, *parent = chan->data; 1431 1432 lock_sock(parent); 1433 1434 /* Check for backlog size */ 1435 if (sk_acceptq_is_full(parent)) { 1436 BT_DBG("backlog full %d", parent->sk_ack_backlog); 1437 release_sock(parent); 1438 return NULL; 1439 } 1440 1441 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, 1442 GFP_ATOMIC, 0); 1443 if (!sk) { 1444 release_sock(parent); 1445 return NULL; 1446 } 1447 1448 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP); 1449 1450 l2cap_sock_init(sk, parent); 1451 1452 bt_accept_enqueue(parent, sk, false); 1453 1454 release_sock(parent); 1455 1456 return l2cap_pi(sk)->chan; 1457 } 1458 1459 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) 1460 { 1461 struct sock *sk = chan->data; 1462 int err; 1463 1464 lock_sock(sk); 1465 1466 if (l2cap_pi(sk)->rx_busy_skb) { 1467 err = -ENOMEM; 1468 goto done; 1469 } 1470 1471 if (chan->mode != L2CAP_MODE_ERTM && 1472 chan->mode != L2CAP_MODE_STREAMING) { 1473 /* Even if no filter is attached, we could potentially 1474 * get errors from security modules, etc. 1475 */ 1476 err = sk_filter(sk, skb); 1477 if (err) 1478 goto done; 1479 } 1480 1481 err = __sock_queue_rcv_skb(sk, skb); 1482 1483 /* For ERTM, handle one skb that doesn't fit into the recv 1484 * buffer. This is important to do because the data frames 1485 * have already been acked, so the skb cannot be discarded. 1486 * 1487 * Notify the l2cap core that the buffer is full, so the 1488 * LOCAL_BUSY state is entered and no more frames are 1489 * acked and reassembled until there is buffer space 1490 * available. 1491 */ 1492 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) { 1493 l2cap_pi(sk)->rx_busy_skb = skb; 1494 l2cap_chan_busy(chan, 1); 1495 err = 0; 1496 } 1497 1498 done: 1499 release_sock(sk); 1500 1501 return err; 1502 } 1503 1504 static void l2cap_sock_close_cb(struct l2cap_chan *chan) 1505 { 1506 struct sock *sk = chan->data; 1507 1508 if (!sk) 1509 return; 1510 1511 l2cap_sock_kill(sk); 1512 } 1513 1514 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err) 1515 { 1516 struct sock *sk = chan->data; 1517 struct sock *parent; 1518 1519 if (!sk) 1520 return; 1521 1522 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 1523 1524 /* This callback can be called both for server (BT_LISTEN) 1525 * sockets as well as "normal" ones. To avoid lockdep warnings 1526 * with child socket locking (through l2cap_sock_cleanup_listen) 1527 * we need separation into separate nesting levels. The simplest 1528 * way to accomplish this is to inherit the nesting level used 1529 * for the channel. 1530 */ 1531 lock_sock_nested(sk, atomic_read(&chan->nesting)); 1532 1533 parent = bt_sk(sk)->parent; 1534 1535 switch (chan->state) { 1536 case BT_OPEN: 1537 case BT_BOUND: 1538 case BT_CLOSED: 1539 break; 1540 case BT_LISTEN: 1541 l2cap_sock_cleanup_listen(sk); 1542 sk->sk_state = BT_CLOSED; 1543 chan->state = BT_CLOSED; 1544 1545 break; 1546 default: 1547 sk->sk_state = BT_CLOSED; 1548 chan->state = BT_CLOSED; 1549 1550 sk->sk_err = err; 1551 1552 if (parent) { 1553 bt_accept_unlink(sk); 1554 parent->sk_data_ready(parent); 1555 } else { 1556 sk->sk_state_change(sk); 1557 } 1558 1559 break; 1560 } 1561 release_sock(sk); 1562 1563 /* Only zap after cleanup to avoid use after free race */ 1564 sock_set_flag(sk, SOCK_ZAPPED); 1565 1566 } 1567 1568 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state, 1569 int err) 1570 { 1571 struct sock *sk = chan->data; 1572 1573 sk->sk_state = state; 1574 1575 if (err) 1576 sk->sk_err = err; 1577 } 1578 1579 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan, 1580 unsigned long hdr_len, 1581 unsigned long len, int nb) 1582 { 1583 struct sock *sk = chan->data; 1584 struct sk_buff *skb; 1585 int err; 1586 1587 l2cap_chan_unlock(chan); 1588 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err); 1589 l2cap_chan_lock(chan); 1590 1591 if (!skb) 1592 return ERR_PTR(err); 1593 1594 /* Channel lock is released before requesting new skb and then 1595 * reacquired thus we need to recheck channel state. 1596 */ 1597 if (chan->state != BT_CONNECTED) { 1598 kfree_skb(skb); 1599 return ERR_PTR(-ENOTCONN); 1600 } 1601 1602 skb->priority = sk->sk_priority; 1603 1604 bt_cb(skb)->l2cap.chan = chan; 1605 1606 return skb; 1607 } 1608 1609 static void l2cap_sock_ready_cb(struct l2cap_chan *chan) 1610 { 1611 struct sock *sk = chan->data; 1612 struct sock *parent; 1613 1614 lock_sock(sk); 1615 1616 parent = bt_sk(sk)->parent; 1617 1618 BT_DBG("sk %p, parent %p", sk, parent); 1619 1620 sk->sk_state = BT_CONNECTED; 1621 sk->sk_state_change(sk); 1622 1623 if (parent) 1624 parent->sk_data_ready(parent); 1625 1626 release_sock(sk); 1627 } 1628 1629 static void l2cap_sock_defer_cb(struct l2cap_chan *chan) 1630 { 1631 struct sock *parent, *sk = chan->data; 1632 1633 lock_sock(sk); 1634 1635 parent = bt_sk(sk)->parent; 1636 if (parent) 1637 parent->sk_data_ready(parent); 1638 1639 release_sock(sk); 1640 } 1641 1642 static void l2cap_sock_resume_cb(struct l2cap_chan *chan) 1643 { 1644 struct sock *sk = chan->data; 1645 1646 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) { 1647 sk->sk_state = BT_CONNECTED; 1648 chan->state = BT_CONNECTED; 1649 } 1650 1651 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 1652 sk->sk_state_change(sk); 1653 } 1654 1655 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan) 1656 { 1657 struct sock *sk = chan->data; 1658 1659 lock_sock(sk); 1660 sk->sk_shutdown = SHUTDOWN_MASK; 1661 release_sock(sk); 1662 } 1663 1664 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan) 1665 { 1666 struct sock *sk = chan->data; 1667 1668 return sk->sk_sndtimeo; 1669 } 1670 1671 static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan) 1672 { 1673 struct sock *sk = chan->data; 1674 1675 return sk->sk_peer_pid; 1676 } 1677 1678 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan) 1679 { 1680 struct sock *sk = chan->data; 1681 1682 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 1683 sk->sk_state_change(sk); 1684 } 1685 1686 static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb) 1687 { 1688 struct sock *sk = chan->data; 1689 1690 switch (chan->mode) { 1691 case L2CAP_MODE_ERTM: 1692 case L2CAP_MODE_STREAMING: 1693 return sk_filter(sk, skb); 1694 } 1695 1696 return 0; 1697 } 1698 1699 static const struct l2cap_ops l2cap_chan_ops = { 1700 .name = "L2CAP Socket Interface", 1701 .new_connection = l2cap_sock_new_connection_cb, 1702 .recv = l2cap_sock_recv_cb, 1703 .close = l2cap_sock_close_cb, 1704 .teardown = l2cap_sock_teardown_cb, 1705 .state_change = l2cap_sock_state_change_cb, 1706 .ready = l2cap_sock_ready_cb, 1707 .defer = l2cap_sock_defer_cb, 1708 .resume = l2cap_sock_resume_cb, 1709 .suspend = l2cap_sock_suspend_cb, 1710 .set_shutdown = l2cap_sock_set_shutdown_cb, 1711 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb, 1712 .get_peer_pid = l2cap_sock_get_peer_pid_cb, 1713 .alloc_skb = l2cap_sock_alloc_skb_cb, 1714 .filter = l2cap_sock_filter, 1715 }; 1716 1717 static void l2cap_sock_destruct(struct sock *sk) 1718 { 1719 BT_DBG("sk %p", sk); 1720 1721 if (l2cap_pi(sk)->chan) { 1722 l2cap_pi(sk)->chan->data = NULL; 1723 l2cap_chan_put(l2cap_pi(sk)->chan); 1724 } 1725 1726 if (l2cap_pi(sk)->rx_busy_skb) { 1727 kfree_skb(l2cap_pi(sk)->rx_busy_skb); 1728 l2cap_pi(sk)->rx_busy_skb = NULL; 1729 } 1730 1731 skb_queue_purge(&sk->sk_receive_queue); 1732 skb_queue_purge(&sk->sk_write_queue); 1733 } 1734 1735 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name, 1736 int *msg_namelen) 1737 { 1738 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name); 1739 1740 memset(la, 0, sizeof(struct sockaddr_l2)); 1741 la->l2_family = AF_BLUETOOTH; 1742 la->l2_psm = bt_cb(skb)->l2cap.psm; 1743 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr); 1744 1745 *msg_namelen = sizeof(struct sockaddr_l2); 1746 } 1747 1748 static void l2cap_sock_init(struct sock *sk, struct sock *parent) 1749 { 1750 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1751 1752 BT_DBG("sk %p", sk); 1753 1754 if (parent) { 1755 struct l2cap_chan *pchan = l2cap_pi(parent)->chan; 1756 1757 sk->sk_type = parent->sk_type; 1758 bt_sk(sk)->flags = bt_sk(parent)->flags; 1759 1760 chan->chan_type = pchan->chan_type; 1761 chan->imtu = pchan->imtu; 1762 chan->omtu = pchan->omtu; 1763 chan->conf_state = pchan->conf_state; 1764 chan->mode = pchan->mode; 1765 chan->fcs = pchan->fcs; 1766 chan->max_tx = pchan->max_tx; 1767 chan->tx_win = pchan->tx_win; 1768 chan->tx_win_max = pchan->tx_win_max; 1769 chan->sec_level = pchan->sec_level; 1770 chan->flags = pchan->flags; 1771 chan->tx_credits = pchan->tx_credits; 1772 chan->rx_credits = pchan->rx_credits; 1773 1774 if (chan->chan_type == L2CAP_CHAN_FIXED) { 1775 chan->scid = pchan->scid; 1776 chan->dcid = pchan->scid; 1777 } 1778 1779 security_sk_clone(parent, sk); 1780 } else { 1781 switch (sk->sk_type) { 1782 case SOCK_RAW: 1783 chan->chan_type = L2CAP_CHAN_RAW; 1784 break; 1785 case SOCK_DGRAM: 1786 chan->chan_type = L2CAP_CHAN_CONN_LESS; 1787 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name; 1788 break; 1789 case SOCK_SEQPACKET: 1790 case SOCK_STREAM: 1791 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED; 1792 break; 1793 } 1794 1795 chan->imtu = L2CAP_DEFAULT_MTU; 1796 chan->omtu = 0; 1797 if (!disable_ertm && sk->sk_type == SOCK_STREAM) { 1798 chan->mode = L2CAP_MODE_ERTM; 1799 set_bit(CONF_STATE2_DEVICE, &chan->conf_state); 1800 } else { 1801 chan->mode = L2CAP_MODE_BASIC; 1802 } 1803 1804 l2cap_chan_set_defaults(chan); 1805 } 1806 1807 /* Default config options */ 1808 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO; 1809 1810 chan->data = sk; 1811 chan->ops = &l2cap_chan_ops; 1812 } 1813 1814 static struct proto l2cap_proto = { 1815 .name = "L2CAP", 1816 .owner = THIS_MODULE, 1817 .obj_size = sizeof(struct l2cap_pinfo) 1818 }; 1819 1820 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, 1821 int proto, gfp_t prio, int kern) 1822 { 1823 struct sock *sk; 1824 struct l2cap_chan *chan; 1825 1826 sk = bt_sock_alloc(net, sock, &l2cap_proto, proto, prio, kern); 1827 if (!sk) 1828 return NULL; 1829 1830 sk->sk_destruct = l2cap_sock_destruct; 1831 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT; 1832 1833 chan = l2cap_chan_create(); 1834 if (!chan) { 1835 sk_free(sk); 1836 return NULL; 1837 } 1838 1839 l2cap_chan_hold(chan); 1840 1841 l2cap_pi(sk)->chan = chan; 1842 1843 return sk; 1844 } 1845 1846 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol, 1847 int kern) 1848 { 1849 struct sock *sk; 1850 1851 BT_DBG("sock %p", sock); 1852 1853 sock->state = SS_UNCONNECTED; 1854 1855 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM && 1856 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW) 1857 return -ESOCKTNOSUPPORT; 1858 1859 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW)) 1860 return -EPERM; 1861 1862 sock->ops = &l2cap_sock_ops; 1863 1864 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern); 1865 if (!sk) 1866 return -ENOMEM; 1867 1868 l2cap_sock_init(sk, NULL); 1869 bt_sock_link(&l2cap_sk_list, sk); 1870 return 0; 1871 } 1872 1873 static const struct proto_ops l2cap_sock_ops = { 1874 .family = PF_BLUETOOTH, 1875 .owner = THIS_MODULE, 1876 .release = l2cap_sock_release, 1877 .bind = l2cap_sock_bind, 1878 .connect = l2cap_sock_connect, 1879 .listen = l2cap_sock_listen, 1880 .accept = l2cap_sock_accept, 1881 .getname = l2cap_sock_getname, 1882 .sendmsg = l2cap_sock_sendmsg, 1883 .recvmsg = l2cap_sock_recvmsg, 1884 .poll = bt_sock_poll, 1885 .ioctl = bt_sock_ioctl, 1886 .gettstamp = sock_gettstamp, 1887 .mmap = sock_no_mmap, 1888 .socketpair = sock_no_socketpair, 1889 .shutdown = l2cap_sock_shutdown, 1890 .setsockopt = l2cap_sock_setsockopt, 1891 .getsockopt = l2cap_sock_getsockopt 1892 }; 1893 1894 static const struct net_proto_family l2cap_sock_family_ops = { 1895 .family = PF_BLUETOOTH, 1896 .owner = THIS_MODULE, 1897 .create = l2cap_sock_create, 1898 }; 1899 1900 int __init l2cap_init_sockets(void) 1901 { 1902 int err; 1903 1904 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr)); 1905 1906 err = proto_register(&l2cap_proto, 0); 1907 if (err < 0) 1908 return err; 1909 1910 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops); 1911 if (err < 0) { 1912 BT_ERR("L2CAP socket registration failed"); 1913 goto error; 1914 } 1915 1916 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list, 1917 NULL); 1918 if (err < 0) { 1919 BT_ERR("Failed to create L2CAP proc file"); 1920 bt_sock_unregister(BTPROTO_L2CAP); 1921 goto error; 1922 } 1923 1924 BT_INFO("L2CAP socket layer initialized"); 1925 1926 return 0; 1927 1928 error: 1929 proto_unregister(&l2cap_proto); 1930 return err; 1931 } 1932 1933 void l2cap_cleanup_sockets(void) 1934 { 1935 bt_procfs_cleanup(&init_net, "l2cap"); 1936 bt_sock_unregister(BTPROTO_L2CAP); 1937 proto_unregister(&l2cap_proto); 1938 } 1939