Loading...
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
26*/
27
28/* Bluetooth L2CAP sockets. */
29
30#include <linux/module.h>
31#include <linux/export.h>
32#include <linux/sched/signal.h>
33
34#include <net/bluetooth/bluetooth.h>
35#include <net/bluetooth/hci_core.h>
36#include <net/bluetooth/l2cap.h>
37
38#include "smp.h"
39
40static struct bt_sock_list l2cap_sk_list = {
41 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
42};
43
44static const struct proto_ops l2cap_sock_ops;
45static void l2cap_sock_init(struct sock *sk, struct sock *parent);
46static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
47 int proto, gfp_t prio, int kern);
48
49bool l2cap_is_socket(struct socket *sock)
50{
51 return sock && sock->ops == &l2cap_sock_ops;
52}
53EXPORT_SYMBOL(l2cap_is_socket);
54
55static int l2cap_validate_bredr_psm(u16 psm)
56{
57 /* PSM must be odd and lsb of upper byte must be 0 */
58 if ((psm & 0x0101) != 0x0001)
59 return -EINVAL;
60
61 /* Restrict usage of well-known PSMs */
62 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
63 return -EACCES;
64
65 return 0;
66}
67
68static int l2cap_validate_le_psm(u16 psm)
69{
70 /* Valid LE_PSM ranges are defined only until 0x00ff */
71 if (psm > L2CAP_PSM_LE_DYN_END)
72 return -EINVAL;
73
74 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
75 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
76 return -EACCES;
77
78 return 0;
79}
80
81static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
82{
83 struct sock *sk = sock->sk;
84 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
85 struct sockaddr_l2 la;
86 int len, err = 0;
87
88 BT_DBG("sk %p", sk);
89
90 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
91 addr->sa_family != AF_BLUETOOTH)
92 return -EINVAL;
93
94 memset(&la, 0, sizeof(la));
95 len = min_t(unsigned int, sizeof(la), alen);
96 memcpy(&la, addr, len);
97
98 if (la.l2_cid && la.l2_psm)
99 return -EINVAL;
100
101 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
102 return -EINVAL;
103
104 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
105 /* We only allow ATT user space socket */
106 if (la.l2_cid &&
107 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
108 return -EINVAL;
109 }
110
111 lock_sock(sk);
112
113 if (sk->sk_state != BT_OPEN) {
114 err = -EBADFD;
115 goto done;
116 }
117
118 if (la.l2_psm) {
119 __u16 psm = __le16_to_cpu(la.l2_psm);
120
121 if (la.l2_bdaddr_type == BDADDR_BREDR)
122 err = l2cap_validate_bredr_psm(psm);
123 else
124 err = l2cap_validate_le_psm(psm);
125
126 if (err)
127 goto done;
128 }
129
130 bacpy(&chan->src, &la.l2_bdaddr);
131 chan->src_type = la.l2_bdaddr_type;
132
133 if (la.l2_cid)
134 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
135 else
136 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
137
138 if (err < 0)
139 goto done;
140
141 switch (chan->chan_type) {
142 case L2CAP_CHAN_CONN_LESS:
143 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
144 chan->sec_level = BT_SECURITY_SDP;
145 break;
146 case L2CAP_CHAN_CONN_ORIENTED:
147 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
148 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
149 chan->sec_level = BT_SECURITY_SDP;
150 break;
151 case L2CAP_CHAN_RAW:
152 chan->sec_level = BT_SECURITY_SDP;
153 break;
154 case L2CAP_CHAN_FIXED:
155 /* Fixed channels default to the L2CAP core not holding a
156 * hci_conn reference for them. For fixed channels mapping to
157 * L2CAP sockets we do want to hold a reference so set the
158 * appropriate flag to request it.
159 */
160 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
161 break;
162 }
163
164 if (chan->psm && bdaddr_type_is_le(chan->src_type))
165 chan->mode = L2CAP_MODE_LE_FLOWCTL;
166
167 chan->state = BT_BOUND;
168 sk->sk_state = BT_BOUND;
169
170done:
171 release_sock(sk);
172 return err;
173}
174
175static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
176 int alen, int flags)
177{
178 struct sock *sk = sock->sk;
179 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
180 struct sockaddr_l2 la;
181 int len, err = 0;
182
183 BT_DBG("sk %p", sk);
184
185 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
186 addr->sa_family != AF_BLUETOOTH)
187 return -EINVAL;
188
189 memset(&la, 0, sizeof(la));
190 len = min_t(unsigned int, sizeof(la), alen);
191 memcpy(&la, addr, len);
192
193 if (la.l2_cid && la.l2_psm)
194 return -EINVAL;
195
196 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
197 return -EINVAL;
198
199 /* Check that the socket wasn't bound to something that
200 * conflicts with the address given to connect(). If chan->src
201 * is BDADDR_ANY it means bind() was never used, in which case
202 * chan->src_type and la.l2_bdaddr_type do not need to match.
203 */
204 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
205 bdaddr_type_is_le(la.l2_bdaddr_type)) {
206 /* Old user space versions will try to incorrectly bind
207 * the ATT socket using BDADDR_BREDR. We need to accept
208 * this and fix up the source address type only when
209 * both the source CID and destination CID indicate
210 * ATT. Anything else is an invalid combination.
211 */
212 if (chan->scid != L2CAP_CID_ATT ||
213 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
214 return -EINVAL;
215
216 /* We don't have the hdev available here to make a
217 * better decision on random vs public, but since all
218 * user space versions that exhibit this issue anyway do
219 * not support random local addresses assuming public
220 * here is good enough.
221 */
222 chan->src_type = BDADDR_LE_PUBLIC;
223 }
224
225 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
226 return -EINVAL;
227
228 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
229 /* We only allow ATT user space socket */
230 if (la.l2_cid &&
231 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
232 return -EINVAL;
233 }
234
235 if (chan->psm && bdaddr_type_is_le(chan->src_type))
236 chan->mode = L2CAP_MODE_LE_FLOWCTL;
237
238 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
239 &la.l2_bdaddr, la.l2_bdaddr_type);
240 if (err)
241 return err;
242
243 lock_sock(sk);
244
245 err = bt_sock_wait_state(sk, BT_CONNECTED,
246 sock_sndtimeo(sk, flags & O_NONBLOCK));
247
248 release_sock(sk);
249
250 return err;
251}
252
253static int l2cap_sock_listen(struct socket *sock, int backlog)
254{
255 struct sock *sk = sock->sk;
256 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
257 int err = 0;
258
259 BT_DBG("sk %p backlog %d", sk, backlog);
260
261 lock_sock(sk);
262
263 if (sk->sk_state != BT_BOUND) {
264 err = -EBADFD;
265 goto done;
266 }
267
268 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
269 err = -EINVAL;
270 goto done;
271 }
272
273 switch (chan->mode) {
274 case L2CAP_MODE_BASIC:
275 case L2CAP_MODE_LE_FLOWCTL:
276 break;
277 case L2CAP_MODE_ERTM:
278 case L2CAP_MODE_STREAMING:
279 if (!disable_ertm)
280 break;
281 /* fall through */
282 default:
283 err = -EOPNOTSUPP;
284 goto done;
285 }
286
287 sk->sk_max_ack_backlog = backlog;
288 sk->sk_ack_backlog = 0;
289
290 /* Listening channels need to use nested locking in order not to
291 * cause lockdep warnings when the created child channels end up
292 * being locked in the same thread as the parent channel.
293 */
294 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
295
296 chan->state = BT_LISTEN;
297 sk->sk_state = BT_LISTEN;
298
299done:
300 release_sock(sk);
301 return err;
302}
303
304static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
305 int flags, bool kern)
306{
307 DEFINE_WAIT_FUNC(wait, woken_wake_function);
308 struct sock *sk = sock->sk, *nsk;
309 long timeo;
310 int err = 0;
311
312 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
313
314 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
315
316 BT_DBG("sk %p timeo %ld", sk, timeo);
317
318 /* Wait for an incoming connection. (wake-one). */
319 add_wait_queue_exclusive(sk_sleep(sk), &wait);
320 while (1) {
321 if (sk->sk_state != BT_LISTEN) {
322 err = -EBADFD;
323 break;
324 }
325
326 nsk = bt_accept_dequeue(sk, newsock);
327 if (nsk)
328 break;
329
330 if (!timeo) {
331 err = -EAGAIN;
332 break;
333 }
334
335 if (signal_pending(current)) {
336 err = sock_intr_errno(timeo);
337 break;
338 }
339
340 release_sock(sk);
341
342 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
343
344 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
345 }
346 remove_wait_queue(sk_sleep(sk), &wait);
347
348 if (err)
349 goto done;
350
351 newsock->state = SS_CONNECTED;
352
353 BT_DBG("new socket %p", nsk);
354
355done:
356 release_sock(sk);
357 return err;
358}
359
360static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
361 int peer)
362{
363 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
364 struct sock *sk = sock->sk;
365 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
366
367 BT_DBG("sock %p, sk %p", sock, sk);
368
369 if (peer && sk->sk_state != BT_CONNECTED &&
370 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
371 sk->sk_state != BT_CONFIG)
372 return -ENOTCONN;
373
374 memset(la, 0, sizeof(struct sockaddr_l2));
375 addr->sa_family = AF_BLUETOOTH;
376
377 la->l2_psm = chan->psm;
378
379 if (peer) {
380 bacpy(&la->l2_bdaddr, &chan->dst);
381 la->l2_cid = cpu_to_le16(chan->dcid);
382 la->l2_bdaddr_type = chan->dst_type;
383 } else {
384 bacpy(&la->l2_bdaddr, &chan->src);
385 la->l2_cid = cpu_to_le16(chan->scid);
386 la->l2_bdaddr_type = chan->src_type;
387 }
388
389 return sizeof(struct sockaddr_l2);
390}
391
392static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
393 char __user *optval, int __user *optlen)
394{
395 struct sock *sk = sock->sk;
396 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
397 struct l2cap_options opts;
398 struct l2cap_conninfo cinfo;
399 int len, err = 0;
400 u32 opt;
401
402 BT_DBG("sk %p", sk);
403
404 if (get_user(len, optlen))
405 return -EFAULT;
406
407 lock_sock(sk);
408
409 switch (optname) {
410 case L2CAP_OPTIONS:
411 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
412 * legacy ATT code depends on getsockopt for
413 * L2CAP_OPTIONS we need to let this pass.
414 */
415 if (bdaddr_type_is_le(chan->src_type) &&
416 chan->scid != L2CAP_CID_ATT) {
417 err = -EINVAL;
418 break;
419 }
420
421 memset(&opts, 0, sizeof(opts));
422 opts.imtu = chan->imtu;
423 opts.omtu = chan->omtu;
424 opts.flush_to = chan->flush_to;
425 opts.mode = chan->mode;
426 opts.fcs = chan->fcs;
427 opts.max_tx = chan->max_tx;
428 opts.txwin_size = chan->tx_win;
429
430 len = min_t(unsigned int, len, sizeof(opts));
431 if (copy_to_user(optval, (char *) &opts, len))
432 err = -EFAULT;
433
434 break;
435
436 case L2CAP_LM:
437 switch (chan->sec_level) {
438 case BT_SECURITY_LOW:
439 opt = L2CAP_LM_AUTH;
440 break;
441 case BT_SECURITY_MEDIUM:
442 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
443 break;
444 case BT_SECURITY_HIGH:
445 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
446 L2CAP_LM_SECURE;
447 break;
448 case BT_SECURITY_FIPS:
449 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
450 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
451 break;
452 default:
453 opt = 0;
454 break;
455 }
456
457 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
458 opt |= L2CAP_LM_MASTER;
459
460 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
461 opt |= L2CAP_LM_RELIABLE;
462
463 if (put_user(opt, (u32 __user *) optval))
464 err = -EFAULT;
465
466 break;
467
468 case L2CAP_CONNINFO:
469 if (sk->sk_state != BT_CONNECTED &&
470 !(sk->sk_state == BT_CONNECT2 &&
471 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
472 err = -ENOTCONN;
473 break;
474 }
475
476 memset(&cinfo, 0, sizeof(cinfo));
477 cinfo.hci_handle = chan->conn->hcon->handle;
478 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
479
480 len = min_t(unsigned int, len, sizeof(cinfo));
481 if (copy_to_user(optval, (char *) &cinfo, len))
482 err = -EFAULT;
483
484 break;
485
486 default:
487 err = -ENOPROTOOPT;
488 break;
489 }
490
491 release_sock(sk);
492 return err;
493}
494
495static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
496 char __user *optval, int __user *optlen)
497{
498 struct sock *sk = sock->sk;
499 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
500 struct bt_security sec;
501 struct bt_power pwr;
502 int len, err = 0;
503
504 BT_DBG("sk %p", sk);
505
506 if (level == SOL_L2CAP)
507 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
508
509 if (level != SOL_BLUETOOTH)
510 return -ENOPROTOOPT;
511
512 if (get_user(len, optlen))
513 return -EFAULT;
514
515 lock_sock(sk);
516
517 switch (optname) {
518 case BT_SECURITY:
519 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
520 chan->chan_type != L2CAP_CHAN_FIXED &&
521 chan->chan_type != L2CAP_CHAN_RAW) {
522 err = -EINVAL;
523 break;
524 }
525
526 memset(&sec, 0, sizeof(sec));
527 if (chan->conn) {
528 sec.level = chan->conn->hcon->sec_level;
529
530 if (sk->sk_state == BT_CONNECTED)
531 sec.key_size = chan->conn->hcon->enc_key_size;
532 } else {
533 sec.level = chan->sec_level;
534 }
535
536 len = min_t(unsigned int, len, sizeof(sec));
537 if (copy_to_user(optval, (char *) &sec, len))
538 err = -EFAULT;
539
540 break;
541
542 case BT_DEFER_SETUP:
543 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
544 err = -EINVAL;
545 break;
546 }
547
548 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
549 (u32 __user *) optval))
550 err = -EFAULT;
551
552 break;
553
554 case BT_FLUSHABLE:
555 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
556 (u32 __user *) optval))
557 err = -EFAULT;
558
559 break;
560
561 case BT_POWER:
562 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
563 && sk->sk_type != SOCK_RAW) {
564 err = -EINVAL;
565 break;
566 }
567
568 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
569
570 len = min_t(unsigned int, len, sizeof(pwr));
571 if (copy_to_user(optval, (char *) &pwr, len))
572 err = -EFAULT;
573
574 break;
575
576 case BT_CHANNEL_POLICY:
577 if (put_user(chan->chan_policy, (u32 __user *) optval))
578 err = -EFAULT;
579 break;
580
581 case BT_SNDMTU:
582 if (!bdaddr_type_is_le(chan->src_type)) {
583 err = -EINVAL;
584 break;
585 }
586
587 if (sk->sk_state != BT_CONNECTED) {
588 err = -ENOTCONN;
589 break;
590 }
591
592 if (put_user(chan->omtu, (u16 __user *) optval))
593 err = -EFAULT;
594 break;
595
596 case BT_RCVMTU:
597 if (!bdaddr_type_is_le(chan->src_type)) {
598 err = -EINVAL;
599 break;
600 }
601
602 if (put_user(chan->imtu, (u16 __user *) optval))
603 err = -EFAULT;
604 break;
605
606 default:
607 err = -ENOPROTOOPT;
608 break;
609 }
610
611 release_sock(sk);
612 return err;
613}
614
615static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
616{
617 switch (chan->scid) {
618 case L2CAP_CID_ATT:
619 if (mtu < L2CAP_LE_MIN_MTU)
620 return false;
621 break;
622
623 default:
624 if (mtu < L2CAP_DEFAULT_MIN_MTU)
625 return false;
626 }
627
628 return true;
629}
630
631static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
632 char __user *optval, unsigned int optlen)
633{
634 struct sock *sk = sock->sk;
635 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
636 struct l2cap_options opts;
637 int len, err = 0;
638 u32 opt;
639
640 BT_DBG("sk %p", sk);
641
642 lock_sock(sk);
643
644 switch (optname) {
645 case L2CAP_OPTIONS:
646 if (bdaddr_type_is_le(chan->src_type)) {
647 err = -EINVAL;
648 break;
649 }
650
651 if (sk->sk_state == BT_CONNECTED) {
652 err = -EINVAL;
653 break;
654 }
655
656 opts.imtu = chan->imtu;
657 opts.omtu = chan->omtu;
658 opts.flush_to = chan->flush_to;
659 opts.mode = chan->mode;
660 opts.fcs = chan->fcs;
661 opts.max_tx = chan->max_tx;
662 opts.txwin_size = chan->tx_win;
663
664 len = min_t(unsigned int, sizeof(opts), optlen);
665 if (copy_from_user((char *) &opts, optval, len)) {
666 err = -EFAULT;
667 break;
668 }
669
670 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
671 err = -EINVAL;
672 break;
673 }
674
675 if (!l2cap_valid_mtu(chan, opts.imtu)) {
676 err = -EINVAL;
677 break;
678 }
679
680 chan->mode = opts.mode;
681 switch (chan->mode) {
682 case L2CAP_MODE_LE_FLOWCTL:
683 break;
684 case L2CAP_MODE_BASIC:
685 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
686 break;
687 case L2CAP_MODE_ERTM:
688 case L2CAP_MODE_STREAMING:
689 if (!disable_ertm)
690 break;
691 /* fall through */
692 default:
693 err = -EINVAL;
694 break;
695 }
696
697 chan->imtu = opts.imtu;
698 chan->omtu = opts.omtu;
699 chan->fcs = opts.fcs;
700 chan->max_tx = opts.max_tx;
701 chan->tx_win = opts.txwin_size;
702 chan->flush_to = opts.flush_to;
703 break;
704
705 case L2CAP_LM:
706 if (get_user(opt, (u32 __user *) optval)) {
707 err = -EFAULT;
708 break;
709 }
710
711 if (opt & L2CAP_LM_FIPS) {
712 err = -EINVAL;
713 break;
714 }
715
716 if (opt & L2CAP_LM_AUTH)
717 chan->sec_level = BT_SECURITY_LOW;
718 if (opt & L2CAP_LM_ENCRYPT)
719 chan->sec_level = BT_SECURITY_MEDIUM;
720 if (opt & L2CAP_LM_SECURE)
721 chan->sec_level = BT_SECURITY_HIGH;
722
723 if (opt & L2CAP_LM_MASTER)
724 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
725 else
726 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
727
728 if (opt & L2CAP_LM_RELIABLE)
729 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
730 else
731 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
732 break;
733
734 default:
735 err = -ENOPROTOOPT;
736 break;
737 }
738
739 release_sock(sk);
740 return err;
741}
742
743static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
744 char __user *optval, unsigned int optlen)
745{
746 struct sock *sk = sock->sk;
747 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
748 struct bt_security sec;
749 struct bt_power pwr;
750 struct l2cap_conn *conn;
751 int len, err = 0;
752 u32 opt;
753
754 BT_DBG("sk %p", sk);
755
756 if (level == SOL_L2CAP)
757 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
758
759 if (level != SOL_BLUETOOTH)
760 return -ENOPROTOOPT;
761
762 lock_sock(sk);
763
764 switch (optname) {
765 case BT_SECURITY:
766 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
767 chan->chan_type != L2CAP_CHAN_FIXED &&
768 chan->chan_type != L2CAP_CHAN_RAW) {
769 err = -EINVAL;
770 break;
771 }
772
773 sec.level = BT_SECURITY_LOW;
774
775 len = min_t(unsigned int, sizeof(sec), optlen);
776 if (copy_from_user((char *) &sec, optval, len)) {
777 err = -EFAULT;
778 break;
779 }
780
781 if (sec.level < BT_SECURITY_LOW ||
782 sec.level > BT_SECURITY_FIPS) {
783 err = -EINVAL;
784 break;
785 }
786
787 chan->sec_level = sec.level;
788
789 if (!chan->conn)
790 break;
791
792 conn = chan->conn;
793
794 /*change security for LE channels */
795 if (chan->scid == L2CAP_CID_ATT) {
796 if (smp_conn_security(conn->hcon, sec.level))
797 break;
798 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
799 sk->sk_state = BT_CONFIG;
800 chan->state = BT_CONFIG;
801
802 /* or for ACL link */
803 } else if ((sk->sk_state == BT_CONNECT2 &&
804 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
805 sk->sk_state == BT_CONNECTED) {
806 if (!l2cap_chan_check_security(chan, true))
807 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
808 else
809 sk->sk_state_change(sk);
810 } else {
811 err = -EINVAL;
812 }
813 break;
814
815 case BT_DEFER_SETUP:
816 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
817 err = -EINVAL;
818 break;
819 }
820
821 if (get_user(opt, (u32 __user *) optval)) {
822 err = -EFAULT;
823 break;
824 }
825
826 if (opt) {
827 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
828 set_bit(FLAG_DEFER_SETUP, &chan->flags);
829 } else {
830 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
831 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
832 }
833 break;
834
835 case BT_FLUSHABLE:
836 if (get_user(opt, (u32 __user *) optval)) {
837 err = -EFAULT;
838 break;
839 }
840
841 if (opt > BT_FLUSHABLE_ON) {
842 err = -EINVAL;
843 break;
844 }
845
846 if (opt == BT_FLUSHABLE_OFF) {
847 conn = chan->conn;
848 /* proceed further only when we have l2cap_conn and
849 No Flush support in the LM */
850 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
851 err = -EINVAL;
852 break;
853 }
854 }
855
856 if (opt)
857 set_bit(FLAG_FLUSHABLE, &chan->flags);
858 else
859 clear_bit(FLAG_FLUSHABLE, &chan->flags);
860 break;
861
862 case BT_POWER:
863 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
864 chan->chan_type != L2CAP_CHAN_RAW) {
865 err = -EINVAL;
866 break;
867 }
868
869 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
870
871 len = min_t(unsigned int, sizeof(pwr), optlen);
872 if (copy_from_user((char *) &pwr, optval, len)) {
873 err = -EFAULT;
874 break;
875 }
876
877 if (pwr.force_active)
878 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
879 else
880 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
881 break;
882
883 case BT_CHANNEL_POLICY:
884 if (get_user(opt, (u32 __user *) optval)) {
885 err = -EFAULT;
886 break;
887 }
888
889 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
890 err = -EINVAL;
891 break;
892 }
893
894 if (chan->mode != L2CAP_MODE_ERTM &&
895 chan->mode != L2CAP_MODE_STREAMING) {
896 err = -EOPNOTSUPP;
897 break;
898 }
899
900 chan->chan_policy = (u8) opt;
901
902 if (sk->sk_state == BT_CONNECTED &&
903 chan->move_role == L2CAP_MOVE_ROLE_NONE)
904 l2cap_move_start(chan);
905
906 break;
907
908 case BT_SNDMTU:
909 if (!bdaddr_type_is_le(chan->src_type)) {
910 err = -EINVAL;
911 break;
912 }
913
914 /* Setting is not supported as it's the remote side that
915 * decides this.
916 */
917 err = -EPERM;
918 break;
919
920 case BT_RCVMTU:
921 if (!bdaddr_type_is_le(chan->src_type)) {
922 err = -EINVAL;
923 break;
924 }
925
926 if (sk->sk_state == BT_CONNECTED) {
927 err = -EISCONN;
928 break;
929 }
930
931 if (get_user(opt, (u16 __user *) optval)) {
932 err = -EFAULT;
933 break;
934 }
935
936 chan->imtu = opt;
937 break;
938
939 default:
940 err = -ENOPROTOOPT;
941 break;
942 }
943
944 release_sock(sk);
945 return err;
946}
947
948static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
949 size_t len)
950{
951 struct sock *sk = sock->sk;
952 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
953 int err;
954
955 BT_DBG("sock %p, sk %p", sock, sk);
956
957 err = sock_error(sk);
958 if (err)
959 return err;
960
961 if (msg->msg_flags & MSG_OOB)
962 return -EOPNOTSUPP;
963
964 if (sk->sk_state != BT_CONNECTED)
965 return -ENOTCONN;
966
967 lock_sock(sk);
968 err = bt_sock_wait_ready(sk, msg->msg_flags);
969 release_sock(sk);
970 if (err)
971 return err;
972
973 l2cap_chan_lock(chan);
974 err = l2cap_chan_send(chan, msg, len);
975 l2cap_chan_unlock(chan);
976
977 return err;
978}
979
980static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
981 size_t len, int flags)
982{
983 struct sock *sk = sock->sk;
984 struct l2cap_pinfo *pi = l2cap_pi(sk);
985 int err;
986
987 lock_sock(sk);
988
989 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
990 &bt_sk(sk)->flags)) {
991 if (bdaddr_type_is_le(pi->chan->src_type)) {
992 sk->sk_state = BT_CONNECTED;
993 pi->chan->state = BT_CONNECTED;
994 __l2cap_le_connect_rsp_defer(pi->chan);
995 } else {
996 sk->sk_state = BT_CONFIG;
997 pi->chan->state = BT_CONFIG;
998 __l2cap_connect_rsp_defer(pi->chan);
999 }
1000
1001 err = 0;
1002 goto done;
1003 }
1004
1005 release_sock(sk);
1006
1007 if (sock->type == SOCK_STREAM)
1008 err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1009 else
1010 err = bt_sock_recvmsg(sock, msg, len, flags);
1011
1012 if (pi->chan->mode != L2CAP_MODE_ERTM)
1013 return err;
1014
1015 /* Attempt to put pending rx data in the socket buffer */
1016
1017 lock_sock(sk);
1018
1019 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1020 goto done;
1021
1022 if (pi->rx_busy_skb) {
1023 if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1024 pi->rx_busy_skb = NULL;
1025 else
1026 goto done;
1027 }
1028
1029 /* Restore data flow when half of the receive buffer is
1030 * available. This avoids resending large numbers of
1031 * frames.
1032 */
1033 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1034 l2cap_chan_busy(pi->chan, 0);
1035
1036done:
1037 release_sock(sk);
1038 return err;
1039}
1040
1041/* Kill socket (only if zapped and orphan)
1042 * Must be called on unlocked socket.
1043 */
1044static void l2cap_sock_kill(struct sock *sk)
1045{
1046 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1047 return;
1048
1049 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1050
1051 /* Kill poor orphan */
1052
1053 l2cap_chan_put(l2cap_pi(sk)->chan);
1054 sock_set_flag(sk, SOCK_DEAD);
1055 sock_put(sk);
1056}
1057
1058static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1059{
1060 DECLARE_WAITQUEUE(wait, current);
1061 int err = 0;
1062 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1063 /* Timeout to prevent infinite loop */
1064 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1065
1066 add_wait_queue(sk_sleep(sk), &wait);
1067 set_current_state(TASK_INTERRUPTIBLE);
1068 do {
1069 BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1070 chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1071 jiffies_to_msecs(timeout - jiffies));
1072
1073 if (!timeo)
1074 timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1075
1076 if (signal_pending(current)) {
1077 err = sock_intr_errno(timeo);
1078 break;
1079 }
1080
1081 release_sock(sk);
1082 timeo = schedule_timeout(timeo);
1083 lock_sock(sk);
1084 set_current_state(TASK_INTERRUPTIBLE);
1085
1086 err = sock_error(sk);
1087 if (err)
1088 break;
1089
1090 if (time_after(jiffies, timeout)) {
1091 err = -ENOLINK;
1092 break;
1093 }
1094
1095 } while (chan->unacked_frames > 0 &&
1096 chan->state == BT_CONNECTED);
1097
1098 set_current_state(TASK_RUNNING);
1099 remove_wait_queue(sk_sleep(sk), &wait);
1100 return err;
1101}
1102
1103static int l2cap_sock_shutdown(struct socket *sock, int how)
1104{
1105 struct sock *sk = sock->sk;
1106 struct l2cap_chan *chan;
1107 struct l2cap_conn *conn;
1108 int err = 0;
1109
1110 BT_DBG("sock %p, sk %p", sock, sk);
1111
1112 if (!sk)
1113 return 0;
1114
1115 lock_sock(sk);
1116
1117 if (sk->sk_shutdown)
1118 goto shutdown_already;
1119
1120 BT_DBG("Handling sock shutdown");
1121
1122 /* prevent sk structure from being freed whilst unlocked */
1123 sock_hold(sk);
1124
1125 chan = l2cap_pi(sk)->chan;
1126 /* prevent chan structure from being freed whilst unlocked */
1127 l2cap_chan_hold(chan);
1128
1129 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1130
1131 if (chan->mode == L2CAP_MODE_ERTM &&
1132 chan->unacked_frames > 0 &&
1133 chan->state == BT_CONNECTED) {
1134 err = __l2cap_wait_ack(sk, chan);
1135
1136 /* After waiting for ACKs, check whether shutdown
1137 * has already been actioned to close the L2CAP
1138 * link such as by l2cap_disconnection_req().
1139 */
1140 if (sk->sk_shutdown)
1141 goto has_shutdown;
1142 }
1143
1144 sk->sk_shutdown = SHUTDOWN_MASK;
1145 release_sock(sk);
1146
1147 l2cap_chan_lock(chan);
1148 conn = chan->conn;
1149 if (conn)
1150 /* prevent conn structure from being freed */
1151 l2cap_conn_get(conn);
1152 l2cap_chan_unlock(chan);
1153
1154 if (conn)
1155 /* mutex lock must be taken before l2cap_chan_lock() */
1156 mutex_lock(&conn->chan_lock);
1157
1158 l2cap_chan_lock(chan);
1159 l2cap_chan_close(chan, 0);
1160 l2cap_chan_unlock(chan);
1161
1162 if (conn) {
1163 mutex_unlock(&conn->chan_lock);
1164 l2cap_conn_put(conn);
1165 }
1166
1167 lock_sock(sk);
1168
1169 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1170 !(current->flags & PF_EXITING))
1171 err = bt_sock_wait_state(sk, BT_CLOSED,
1172 sk->sk_lingertime);
1173
1174has_shutdown:
1175 l2cap_chan_put(chan);
1176 sock_put(sk);
1177
1178shutdown_already:
1179 if (!err && sk->sk_err)
1180 err = -sk->sk_err;
1181
1182 release_sock(sk);
1183
1184 BT_DBG("Sock shutdown complete err: %d", err);
1185
1186 return err;
1187}
1188
1189static int l2cap_sock_release(struct socket *sock)
1190{
1191 struct sock *sk = sock->sk;
1192 int err;
1193
1194 BT_DBG("sock %p, sk %p", sock, sk);
1195
1196 if (!sk)
1197 return 0;
1198
1199 bt_sock_unlink(&l2cap_sk_list, sk);
1200
1201 err = l2cap_sock_shutdown(sock, 2);
1202
1203 sock_orphan(sk);
1204 l2cap_sock_kill(sk);
1205 return err;
1206}
1207
1208static void l2cap_sock_cleanup_listen(struct sock *parent)
1209{
1210 struct sock *sk;
1211
1212 BT_DBG("parent %p state %s", parent,
1213 state_to_string(parent->sk_state));
1214
1215 /* Close not yet accepted channels */
1216 while ((sk = bt_accept_dequeue(parent, NULL))) {
1217 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1218
1219 BT_DBG("child chan %p state %s", chan,
1220 state_to_string(chan->state));
1221
1222 l2cap_chan_lock(chan);
1223 __clear_chan_timer(chan);
1224 l2cap_chan_close(chan, ECONNRESET);
1225 l2cap_chan_unlock(chan);
1226
1227 l2cap_sock_kill(sk);
1228 }
1229}
1230
1231static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1232{
1233 struct sock *sk, *parent = chan->data;
1234
1235 lock_sock(parent);
1236
1237 /* Check for backlog size */
1238 if (sk_acceptq_is_full(parent)) {
1239 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1240 release_sock(parent);
1241 return NULL;
1242 }
1243
1244 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1245 GFP_ATOMIC, 0);
1246 if (!sk) {
1247 release_sock(parent);
1248 return NULL;
1249 }
1250
1251 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1252
1253 l2cap_sock_init(sk, parent);
1254
1255 bt_accept_enqueue(parent, sk);
1256
1257 release_sock(parent);
1258
1259 return l2cap_pi(sk)->chan;
1260}
1261
1262static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1263{
1264 struct sock *sk = chan->data;
1265 int err;
1266
1267 lock_sock(sk);
1268
1269 if (l2cap_pi(sk)->rx_busy_skb) {
1270 err = -ENOMEM;
1271 goto done;
1272 }
1273
1274 if (chan->mode != L2CAP_MODE_ERTM &&
1275 chan->mode != L2CAP_MODE_STREAMING) {
1276 /* Even if no filter is attached, we could potentially
1277 * get errors from security modules, etc.
1278 */
1279 err = sk_filter(sk, skb);
1280 if (err)
1281 goto done;
1282 }
1283
1284 err = __sock_queue_rcv_skb(sk, skb);
1285
1286 /* For ERTM, handle one skb that doesn't fit into the recv
1287 * buffer. This is important to do because the data frames
1288 * have already been acked, so the skb cannot be discarded.
1289 *
1290 * Notify the l2cap core that the buffer is full, so the
1291 * LOCAL_BUSY state is entered and no more frames are
1292 * acked and reassembled until there is buffer space
1293 * available.
1294 */
1295 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1296 l2cap_pi(sk)->rx_busy_skb = skb;
1297 l2cap_chan_busy(chan, 1);
1298 err = 0;
1299 }
1300
1301done:
1302 release_sock(sk);
1303
1304 return err;
1305}
1306
1307static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1308{
1309 struct sock *sk = chan->data;
1310
1311 l2cap_sock_kill(sk);
1312}
1313
1314static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1315{
1316 struct sock *sk = chan->data;
1317 struct sock *parent;
1318
1319 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1320
1321 /* This callback can be called both for server (BT_LISTEN)
1322 * sockets as well as "normal" ones. To avoid lockdep warnings
1323 * with child socket locking (through l2cap_sock_cleanup_listen)
1324 * we need separation into separate nesting levels. The simplest
1325 * way to accomplish this is to inherit the nesting level used
1326 * for the channel.
1327 */
1328 lock_sock_nested(sk, atomic_read(&chan->nesting));
1329
1330 parent = bt_sk(sk)->parent;
1331
1332 sock_set_flag(sk, SOCK_ZAPPED);
1333
1334 switch (chan->state) {
1335 case BT_OPEN:
1336 case BT_BOUND:
1337 case BT_CLOSED:
1338 break;
1339 case BT_LISTEN:
1340 l2cap_sock_cleanup_listen(sk);
1341 sk->sk_state = BT_CLOSED;
1342 chan->state = BT_CLOSED;
1343
1344 break;
1345 default:
1346 sk->sk_state = BT_CLOSED;
1347 chan->state = BT_CLOSED;
1348
1349 sk->sk_err = err;
1350
1351 if (parent) {
1352 bt_accept_unlink(sk);
1353 parent->sk_data_ready(parent);
1354 } else {
1355 sk->sk_state_change(sk);
1356 }
1357
1358 break;
1359 }
1360
1361 release_sock(sk);
1362}
1363
1364static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1365 int err)
1366{
1367 struct sock *sk = chan->data;
1368
1369 sk->sk_state = state;
1370
1371 if (err)
1372 sk->sk_err = err;
1373}
1374
1375static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1376 unsigned long hdr_len,
1377 unsigned long len, int nb)
1378{
1379 struct sock *sk = chan->data;
1380 struct sk_buff *skb;
1381 int err;
1382
1383 l2cap_chan_unlock(chan);
1384 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1385 l2cap_chan_lock(chan);
1386
1387 if (!skb)
1388 return ERR_PTR(err);
1389
1390 skb->priority = sk->sk_priority;
1391
1392 bt_cb(skb)->l2cap.chan = chan;
1393
1394 return skb;
1395}
1396
1397static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1398{
1399 struct sock *sk = chan->data;
1400 struct sock *parent;
1401
1402 lock_sock(sk);
1403
1404 parent = bt_sk(sk)->parent;
1405
1406 BT_DBG("sk %p, parent %p", sk, parent);
1407
1408 sk->sk_state = BT_CONNECTED;
1409 sk->sk_state_change(sk);
1410
1411 if (parent)
1412 parent->sk_data_ready(parent);
1413
1414 release_sock(sk);
1415}
1416
1417static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1418{
1419 struct sock *parent, *sk = chan->data;
1420
1421 lock_sock(sk);
1422
1423 parent = bt_sk(sk)->parent;
1424 if (parent)
1425 parent->sk_data_ready(parent);
1426
1427 release_sock(sk);
1428}
1429
1430static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1431{
1432 struct sock *sk = chan->data;
1433
1434 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1435 sk->sk_state = BT_CONNECTED;
1436 chan->state = BT_CONNECTED;
1437 }
1438
1439 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1440 sk->sk_state_change(sk);
1441}
1442
1443static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1444{
1445 struct sock *sk = chan->data;
1446
1447 lock_sock(sk);
1448 sk->sk_shutdown = SHUTDOWN_MASK;
1449 release_sock(sk);
1450}
1451
1452static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1453{
1454 struct sock *sk = chan->data;
1455
1456 return sk->sk_sndtimeo;
1457}
1458
1459static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1460{
1461 struct sock *sk = chan->data;
1462
1463 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1464 sk->sk_state_change(sk);
1465}
1466
1467static const struct l2cap_ops l2cap_chan_ops = {
1468 .name = "L2CAP Socket Interface",
1469 .new_connection = l2cap_sock_new_connection_cb,
1470 .recv = l2cap_sock_recv_cb,
1471 .close = l2cap_sock_close_cb,
1472 .teardown = l2cap_sock_teardown_cb,
1473 .state_change = l2cap_sock_state_change_cb,
1474 .ready = l2cap_sock_ready_cb,
1475 .defer = l2cap_sock_defer_cb,
1476 .resume = l2cap_sock_resume_cb,
1477 .suspend = l2cap_sock_suspend_cb,
1478 .set_shutdown = l2cap_sock_set_shutdown_cb,
1479 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1480 .alloc_skb = l2cap_sock_alloc_skb_cb,
1481};
1482
1483static void l2cap_sock_destruct(struct sock *sk)
1484{
1485 BT_DBG("sk %p", sk);
1486
1487 if (l2cap_pi(sk)->chan)
1488 l2cap_chan_put(l2cap_pi(sk)->chan);
1489
1490 if (l2cap_pi(sk)->rx_busy_skb) {
1491 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1492 l2cap_pi(sk)->rx_busy_skb = NULL;
1493 }
1494
1495 skb_queue_purge(&sk->sk_receive_queue);
1496 skb_queue_purge(&sk->sk_write_queue);
1497}
1498
1499static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1500 int *msg_namelen)
1501{
1502 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1503
1504 memset(la, 0, sizeof(struct sockaddr_l2));
1505 la->l2_family = AF_BLUETOOTH;
1506 la->l2_psm = bt_cb(skb)->l2cap.psm;
1507 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1508
1509 *msg_namelen = sizeof(struct sockaddr_l2);
1510}
1511
1512static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1513{
1514 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1515
1516 BT_DBG("sk %p", sk);
1517
1518 if (parent) {
1519 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1520
1521 sk->sk_type = parent->sk_type;
1522 bt_sk(sk)->flags = bt_sk(parent)->flags;
1523
1524 chan->chan_type = pchan->chan_type;
1525 chan->imtu = pchan->imtu;
1526 chan->omtu = pchan->omtu;
1527 chan->conf_state = pchan->conf_state;
1528 chan->mode = pchan->mode;
1529 chan->fcs = pchan->fcs;
1530 chan->max_tx = pchan->max_tx;
1531 chan->tx_win = pchan->tx_win;
1532 chan->tx_win_max = pchan->tx_win_max;
1533 chan->sec_level = pchan->sec_level;
1534 chan->flags = pchan->flags;
1535 chan->tx_credits = pchan->tx_credits;
1536 chan->rx_credits = pchan->rx_credits;
1537
1538 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1539 chan->scid = pchan->scid;
1540 chan->dcid = pchan->scid;
1541 }
1542
1543 security_sk_clone(parent, sk);
1544 } else {
1545 switch (sk->sk_type) {
1546 case SOCK_RAW:
1547 chan->chan_type = L2CAP_CHAN_RAW;
1548 break;
1549 case SOCK_DGRAM:
1550 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1551 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1552 break;
1553 case SOCK_SEQPACKET:
1554 case SOCK_STREAM:
1555 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1556 break;
1557 }
1558
1559 chan->imtu = L2CAP_DEFAULT_MTU;
1560 chan->omtu = 0;
1561 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1562 chan->mode = L2CAP_MODE_ERTM;
1563 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1564 } else {
1565 chan->mode = L2CAP_MODE_BASIC;
1566 }
1567
1568 l2cap_chan_set_defaults(chan);
1569 }
1570
1571 /* Default config options */
1572 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1573
1574 chan->data = sk;
1575 chan->ops = &l2cap_chan_ops;
1576}
1577
1578static struct proto l2cap_proto = {
1579 .name = "L2CAP",
1580 .owner = THIS_MODULE,
1581 .obj_size = sizeof(struct l2cap_pinfo)
1582};
1583
1584static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1585 int proto, gfp_t prio, int kern)
1586{
1587 struct sock *sk;
1588 struct l2cap_chan *chan;
1589
1590 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern);
1591 if (!sk)
1592 return NULL;
1593
1594 sock_init_data(sock, sk);
1595 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1596
1597 sk->sk_destruct = l2cap_sock_destruct;
1598 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1599
1600 sock_reset_flag(sk, SOCK_ZAPPED);
1601
1602 sk->sk_protocol = proto;
1603 sk->sk_state = BT_OPEN;
1604
1605 chan = l2cap_chan_create();
1606 if (!chan) {
1607 sk_free(sk);
1608 return NULL;
1609 }
1610
1611 l2cap_chan_hold(chan);
1612
1613 l2cap_pi(sk)->chan = chan;
1614
1615 return sk;
1616}
1617
1618static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1619 int kern)
1620{
1621 struct sock *sk;
1622
1623 BT_DBG("sock %p", sock);
1624
1625 sock->state = SS_UNCONNECTED;
1626
1627 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1628 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1629 return -ESOCKTNOSUPPORT;
1630
1631 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1632 return -EPERM;
1633
1634 sock->ops = &l2cap_sock_ops;
1635
1636 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1637 if (!sk)
1638 return -ENOMEM;
1639
1640 l2cap_sock_init(sk, NULL);
1641 bt_sock_link(&l2cap_sk_list, sk);
1642 return 0;
1643}
1644
1645static const struct proto_ops l2cap_sock_ops = {
1646 .family = PF_BLUETOOTH,
1647 .owner = THIS_MODULE,
1648 .release = l2cap_sock_release,
1649 .bind = l2cap_sock_bind,
1650 .connect = l2cap_sock_connect,
1651 .listen = l2cap_sock_listen,
1652 .accept = l2cap_sock_accept,
1653 .getname = l2cap_sock_getname,
1654 .sendmsg = l2cap_sock_sendmsg,
1655 .recvmsg = l2cap_sock_recvmsg,
1656 .poll = bt_sock_poll,
1657 .ioctl = bt_sock_ioctl,
1658 .mmap = sock_no_mmap,
1659 .socketpair = sock_no_socketpair,
1660 .shutdown = l2cap_sock_shutdown,
1661 .setsockopt = l2cap_sock_setsockopt,
1662 .getsockopt = l2cap_sock_getsockopt
1663};
1664
1665static const struct net_proto_family l2cap_sock_family_ops = {
1666 .family = PF_BLUETOOTH,
1667 .owner = THIS_MODULE,
1668 .create = l2cap_sock_create,
1669};
1670
1671int __init l2cap_init_sockets(void)
1672{
1673 int err;
1674
1675 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1676
1677 err = proto_register(&l2cap_proto, 0);
1678 if (err < 0)
1679 return err;
1680
1681 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1682 if (err < 0) {
1683 BT_ERR("L2CAP socket registration failed");
1684 goto error;
1685 }
1686
1687 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1688 NULL);
1689 if (err < 0) {
1690 BT_ERR("Failed to create L2CAP proc file");
1691 bt_sock_unregister(BTPROTO_L2CAP);
1692 goto error;
1693 }
1694
1695 BT_INFO("L2CAP socket layer initialized");
1696
1697 return 0;
1698
1699error:
1700 proto_unregister(&l2cap_proto);
1701 return err;
1702}
1703
1704void l2cap_cleanup_sockets(void)
1705{
1706 bt_procfs_cleanup(&init_net, "l2cap");
1707 bt_sock_unregister(BTPROTO_L2CAP);
1708 proto_unregister(&l2cap_proto);
1709}
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
26*/
27
28/* Bluetooth L2CAP sockets. */
29
30#include <linux/module.h>
31#include <linux/export.h>
32#include <linux/sched/signal.h>
33
34#include <net/bluetooth/bluetooth.h>
35#include <net/bluetooth/hci_core.h>
36#include <net/bluetooth/l2cap.h>
37
38#include "smp.h"
39
40static struct bt_sock_list l2cap_sk_list = {
41 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
42};
43
44static const struct proto_ops l2cap_sock_ops;
45static void l2cap_sock_init(struct sock *sk, struct sock *parent);
46static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
47 int proto, gfp_t prio, int kern);
48
49bool l2cap_is_socket(struct socket *sock)
50{
51 return sock && sock->ops == &l2cap_sock_ops;
52}
53EXPORT_SYMBOL(l2cap_is_socket);
54
55static int l2cap_validate_bredr_psm(u16 psm)
56{
57 /* PSM must be odd and lsb of upper byte must be 0 */
58 if ((psm & 0x0101) != 0x0001)
59 return -EINVAL;
60
61 /* Restrict usage of well-known PSMs */
62 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
63 return -EACCES;
64
65 return 0;
66}
67
68static int l2cap_validate_le_psm(u16 psm)
69{
70 /* Valid LE_PSM ranges are defined only until 0x00ff */
71 if (psm > L2CAP_PSM_LE_DYN_END)
72 return -EINVAL;
73
74 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
75 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
76 return -EACCES;
77
78 return 0;
79}
80
81static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
82{
83 struct sock *sk = sock->sk;
84 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
85 struct sockaddr_l2 la;
86 int len, err = 0;
87
88 BT_DBG("sk %p", sk);
89
90 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
91 addr->sa_family != AF_BLUETOOTH)
92 return -EINVAL;
93
94 memset(&la, 0, sizeof(la));
95 len = min_t(unsigned int, sizeof(la), alen);
96 memcpy(&la, addr, len);
97
98 if (la.l2_cid && la.l2_psm)
99 return -EINVAL;
100
101 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
102 return -EINVAL;
103
104 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
105 /* We only allow ATT user space socket */
106 if (la.l2_cid &&
107 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
108 return -EINVAL;
109 }
110
111 lock_sock(sk);
112
113 if (sk->sk_state != BT_OPEN) {
114 err = -EBADFD;
115 goto done;
116 }
117
118 if (la.l2_psm) {
119 __u16 psm = __le16_to_cpu(la.l2_psm);
120
121 if (la.l2_bdaddr_type == BDADDR_BREDR)
122 err = l2cap_validate_bredr_psm(psm);
123 else
124 err = l2cap_validate_le_psm(psm);
125
126 if (err)
127 goto done;
128 }
129
130 bacpy(&chan->src, &la.l2_bdaddr);
131 chan->src_type = la.l2_bdaddr_type;
132
133 if (la.l2_cid)
134 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
135 else
136 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
137
138 if (err < 0)
139 goto done;
140
141 switch (chan->chan_type) {
142 case L2CAP_CHAN_CONN_LESS:
143 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
144 chan->sec_level = BT_SECURITY_SDP;
145 break;
146 case L2CAP_CHAN_CONN_ORIENTED:
147 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
148 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
149 chan->sec_level = BT_SECURITY_SDP;
150 break;
151 case L2CAP_CHAN_RAW:
152 chan->sec_level = BT_SECURITY_SDP;
153 break;
154 case L2CAP_CHAN_FIXED:
155 /* Fixed channels default to the L2CAP core not holding a
156 * hci_conn reference for them. For fixed channels mapping to
157 * L2CAP sockets we do want to hold a reference so set the
158 * appropriate flag to request it.
159 */
160 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
161 break;
162 }
163
164 if (chan->psm && bdaddr_type_is_le(chan->src_type))
165 chan->mode = L2CAP_MODE_LE_FLOWCTL;
166
167 chan->state = BT_BOUND;
168 sk->sk_state = BT_BOUND;
169
170done:
171 release_sock(sk);
172 return err;
173}
174
175static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
176 int alen, int flags)
177{
178 struct sock *sk = sock->sk;
179 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
180 struct sockaddr_l2 la;
181 int len, err = 0;
182
183 BT_DBG("sk %p", sk);
184
185 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
186 addr->sa_family != AF_BLUETOOTH)
187 return -EINVAL;
188
189 memset(&la, 0, sizeof(la));
190 len = min_t(unsigned int, sizeof(la), alen);
191 memcpy(&la, addr, len);
192
193 if (la.l2_cid && la.l2_psm)
194 return -EINVAL;
195
196 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
197 return -EINVAL;
198
199 /* Check that the socket wasn't bound to something that
200 * conflicts with the address given to connect(). If chan->src
201 * is BDADDR_ANY it means bind() was never used, in which case
202 * chan->src_type and la.l2_bdaddr_type do not need to match.
203 */
204 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
205 bdaddr_type_is_le(la.l2_bdaddr_type)) {
206 /* Old user space versions will try to incorrectly bind
207 * the ATT socket using BDADDR_BREDR. We need to accept
208 * this and fix up the source address type only when
209 * both the source CID and destination CID indicate
210 * ATT. Anything else is an invalid combination.
211 */
212 if (chan->scid != L2CAP_CID_ATT ||
213 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
214 return -EINVAL;
215
216 /* We don't have the hdev available here to make a
217 * better decision on random vs public, but since all
218 * user space versions that exhibit this issue anyway do
219 * not support random local addresses assuming public
220 * here is good enough.
221 */
222 chan->src_type = BDADDR_LE_PUBLIC;
223 }
224
225 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
226 return -EINVAL;
227
228 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
229 /* We only allow ATT user space socket */
230 if (la.l2_cid &&
231 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
232 return -EINVAL;
233 }
234
235 if (chan->psm && bdaddr_type_is_le(chan->src_type) && !chan->mode)
236 chan->mode = L2CAP_MODE_LE_FLOWCTL;
237
238 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
239 &la.l2_bdaddr, la.l2_bdaddr_type);
240 if (err)
241 return err;
242
243 lock_sock(sk);
244
245 err = bt_sock_wait_state(sk, BT_CONNECTED,
246 sock_sndtimeo(sk, flags & O_NONBLOCK));
247
248 release_sock(sk);
249
250 return err;
251}
252
253static int l2cap_sock_listen(struct socket *sock, int backlog)
254{
255 struct sock *sk = sock->sk;
256 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
257 int err = 0;
258
259 BT_DBG("sk %p backlog %d", sk, backlog);
260
261 lock_sock(sk);
262
263 if (sk->sk_state != BT_BOUND) {
264 err = -EBADFD;
265 goto done;
266 }
267
268 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
269 err = -EINVAL;
270 goto done;
271 }
272
273 switch (chan->mode) {
274 case L2CAP_MODE_BASIC:
275 case L2CAP_MODE_LE_FLOWCTL:
276 break;
277 case L2CAP_MODE_EXT_FLOWCTL:
278 if (!enable_ecred) {
279 err = -EOPNOTSUPP;
280 goto done;
281 }
282 break;
283 case L2CAP_MODE_ERTM:
284 case L2CAP_MODE_STREAMING:
285 if (!disable_ertm)
286 break;
287 fallthrough;
288 default:
289 err = -EOPNOTSUPP;
290 goto done;
291 }
292
293 sk->sk_max_ack_backlog = backlog;
294 sk->sk_ack_backlog = 0;
295
296 /* Listening channels need to use nested locking in order not to
297 * cause lockdep warnings when the created child channels end up
298 * being locked in the same thread as the parent channel.
299 */
300 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
301
302 chan->state = BT_LISTEN;
303 sk->sk_state = BT_LISTEN;
304
305done:
306 release_sock(sk);
307 return err;
308}
309
310static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
311 int flags, bool kern)
312{
313 DEFINE_WAIT_FUNC(wait, woken_wake_function);
314 struct sock *sk = sock->sk, *nsk;
315 long timeo;
316 int err = 0;
317
318 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
319
320 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
321
322 BT_DBG("sk %p timeo %ld", sk, timeo);
323
324 /* Wait for an incoming connection. (wake-one). */
325 add_wait_queue_exclusive(sk_sleep(sk), &wait);
326 while (1) {
327 if (sk->sk_state != BT_LISTEN) {
328 err = -EBADFD;
329 break;
330 }
331
332 nsk = bt_accept_dequeue(sk, newsock);
333 if (nsk)
334 break;
335
336 if (!timeo) {
337 err = -EAGAIN;
338 break;
339 }
340
341 if (signal_pending(current)) {
342 err = sock_intr_errno(timeo);
343 break;
344 }
345
346 release_sock(sk);
347
348 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
349
350 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
351 }
352 remove_wait_queue(sk_sleep(sk), &wait);
353
354 if (err)
355 goto done;
356
357 newsock->state = SS_CONNECTED;
358
359 BT_DBG("new socket %p", nsk);
360
361done:
362 release_sock(sk);
363 return err;
364}
365
366static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
367 int peer)
368{
369 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
370 struct sock *sk = sock->sk;
371 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
372
373 BT_DBG("sock %p, sk %p", sock, sk);
374
375 if (peer && sk->sk_state != BT_CONNECTED &&
376 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
377 sk->sk_state != BT_CONFIG)
378 return -ENOTCONN;
379
380 memset(la, 0, sizeof(struct sockaddr_l2));
381 addr->sa_family = AF_BLUETOOTH;
382
383 la->l2_psm = chan->psm;
384
385 if (peer) {
386 bacpy(&la->l2_bdaddr, &chan->dst);
387 la->l2_cid = cpu_to_le16(chan->dcid);
388 la->l2_bdaddr_type = chan->dst_type;
389 } else {
390 bacpy(&la->l2_bdaddr, &chan->src);
391 la->l2_cid = cpu_to_le16(chan->scid);
392 la->l2_bdaddr_type = chan->src_type;
393 }
394
395 return sizeof(struct sockaddr_l2);
396}
397
398static int l2cap_get_mode(struct l2cap_chan *chan)
399{
400 switch (chan->mode) {
401 case L2CAP_MODE_BASIC:
402 return BT_MODE_BASIC;
403 case L2CAP_MODE_ERTM:
404 return BT_MODE_ERTM;
405 case L2CAP_MODE_STREAMING:
406 return BT_MODE_STREAMING;
407 case L2CAP_MODE_LE_FLOWCTL:
408 return BT_MODE_LE_FLOWCTL;
409 case L2CAP_MODE_EXT_FLOWCTL:
410 return BT_MODE_EXT_FLOWCTL;
411 }
412
413 return -EINVAL;
414}
415
416static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
417 char __user *optval, int __user *optlen)
418{
419 struct sock *sk = sock->sk;
420 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
421 struct l2cap_options opts;
422 struct l2cap_conninfo cinfo;
423 int len, err = 0;
424 u32 opt;
425
426 BT_DBG("sk %p", sk);
427
428 if (get_user(len, optlen))
429 return -EFAULT;
430
431 lock_sock(sk);
432
433 switch (optname) {
434 case L2CAP_OPTIONS:
435 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
436 * legacy ATT code depends on getsockopt for
437 * L2CAP_OPTIONS we need to let this pass.
438 */
439 if (bdaddr_type_is_le(chan->src_type) &&
440 chan->scid != L2CAP_CID_ATT) {
441 err = -EINVAL;
442 break;
443 }
444
445 /* Only BR/EDR modes are supported here */
446 switch (chan->mode) {
447 case L2CAP_MODE_BASIC:
448 case L2CAP_MODE_ERTM:
449 case L2CAP_MODE_STREAMING:
450 break;
451 default:
452 err = -EINVAL;
453 break;
454 }
455
456 if (err < 0)
457 break;
458
459 memset(&opts, 0, sizeof(opts));
460 opts.imtu = chan->imtu;
461 opts.omtu = chan->omtu;
462 opts.flush_to = chan->flush_to;
463 opts.mode = chan->mode;
464 opts.fcs = chan->fcs;
465 opts.max_tx = chan->max_tx;
466 opts.txwin_size = chan->tx_win;
467
468 BT_DBG("mode 0x%2.2x", chan->mode);
469
470 len = min_t(unsigned int, len, sizeof(opts));
471 if (copy_to_user(optval, (char *) &opts, len))
472 err = -EFAULT;
473
474 break;
475
476 case L2CAP_LM:
477 switch (chan->sec_level) {
478 case BT_SECURITY_LOW:
479 opt = L2CAP_LM_AUTH;
480 break;
481 case BT_SECURITY_MEDIUM:
482 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
483 break;
484 case BT_SECURITY_HIGH:
485 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
486 L2CAP_LM_SECURE;
487 break;
488 case BT_SECURITY_FIPS:
489 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
490 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
491 break;
492 default:
493 opt = 0;
494 break;
495 }
496
497 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
498 opt |= L2CAP_LM_MASTER;
499
500 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
501 opt |= L2CAP_LM_RELIABLE;
502
503 if (put_user(opt, (u32 __user *) optval))
504 err = -EFAULT;
505
506 break;
507
508 case L2CAP_CONNINFO:
509 if (sk->sk_state != BT_CONNECTED &&
510 !(sk->sk_state == BT_CONNECT2 &&
511 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
512 err = -ENOTCONN;
513 break;
514 }
515
516 memset(&cinfo, 0, sizeof(cinfo));
517 cinfo.hci_handle = chan->conn->hcon->handle;
518 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
519
520 len = min_t(unsigned int, len, sizeof(cinfo));
521 if (copy_to_user(optval, (char *) &cinfo, len))
522 err = -EFAULT;
523
524 break;
525
526 default:
527 err = -ENOPROTOOPT;
528 break;
529 }
530
531 release_sock(sk);
532 return err;
533}
534
535static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
536 char __user *optval, int __user *optlen)
537{
538 struct sock *sk = sock->sk;
539 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
540 struct bt_security sec;
541 struct bt_power pwr;
542 u32 phys;
543 int len, mode, err = 0;
544
545 BT_DBG("sk %p", sk);
546
547 if (level == SOL_L2CAP)
548 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
549
550 if (level != SOL_BLUETOOTH)
551 return -ENOPROTOOPT;
552
553 if (get_user(len, optlen))
554 return -EFAULT;
555
556 lock_sock(sk);
557
558 switch (optname) {
559 case BT_SECURITY:
560 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
561 chan->chan_type != L2CAP_CHAN_FIXED &&
562 chan->chan_type != L2CAP_CHAN_RAW) {
563 err = -EINVAL;
564 break;
565 }
566
567 memset(&sec, 0, sizeof(sec));
568 if (chan->conn) {
569 sec.level = chan->conn->hcon->sec_level;
570
571 if (sk->sk_state == BT_CONNECTED)
572 sec.key_size = chan->conn->hcon->enc_key_size;
573 } else {
574 sec.level = chan->sec_level;
575 }
576
577 len = min_t(unsigned int, len, sizeof(sec));
578 if (copy_to_user(optval, (char *) &sec, len))
579 err = -EFAULT;
580
581 break;
582
583 case BT_DEFER_SETUP:
584 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
585 err = -EINVAL;
586 break;
587 }
588
589 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
590 (u32 __user *) optval))
591 err = -EFAULT;
592
593 break;
594
595 case BT_FLUSHABLE:
596 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
597 (u32 __user *) optval))
598 err = -EFAULT;
599
600 break;
601
602 case BT_POWER:
603 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
604 && sk->sk_type != SOCK_RAW) {
605 err = -EINVAL;
606 break;
607 }
608
609 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
610
611 len = min_t(unsigned int, len, sizeof(pwr));
612 if (copy_to_user(optval, (char *) &pwr, len))
613 err = -EFAULT;
614
615 break;
616
617 case BT_CHANNEL_POLICY:
618 if (put_user(chan->chan_policy, (u32 __user *) optval))
619 err = -EFAULT;
620 break;
621
622 case BT_SNDMTU:
623 if (!bdaddr_type_is_le(chan->src_type)) {
624 err = -EINVAL;
625 break;
626 }
627
628 if (sk->sk_state != BT_CONNECTED) {
629 err = -ENOTCONN;
630 break;
631 }
632
633 if (put_user(chan->omtu, (u16 __user *) optval))
634 err = -EFAULT;
635 break;
636
637 case BT_RCVMTU:
638 if (!bdaddr_type_is_le(chan->src_type)) {
639 err = -EINVAL;
640 break;
641 }
642
643 if (put_user(chan->imtu, (u16 __user *) optval))
644 err = -EFAULT;
645 break;
646
647 case BT_PHY:
648 if (sk->sk_state != BT_CONNECTED) {
649 err = -ENOTCONN;
650 break;
651 }
652
653 phys = hci_conn_get_phy(chan->conn->hcon);
654
655 if (put_user(phys, (u32 __user *) optval))
656 err = -EFAULT;
657 break;
658
659 case BT_MODE:
660 if (!enable_ecred) {
661 err = -ENOPROTOOPT;
662 break;
663 }
664
665 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
666 err = -EINVAL;
667 break;
668 }
669
670 mode = l2cap_get_mode(chan);
671 if (mode < 0) {
672 err = mode;
673 break;
674 }
675
676 if (put_user(mode, (u8 __user *) optval))
677 err = -EFAULT;
678 break;
679
680 default:
681 err = -ENOPROTOOPT;
682 break;
683 }
684
685 release_sock(sk);
686 return err;
687}
688
689static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
690{
691 switch (chan->scid) {
692 case L2CAP_CID_ATT:
693 if (mtu < L2CAP_LE_MIN_MTU)
694 return false;
695 break;
696
697 default:
698 if (mtu < L2CAP_DEFAULT_MIN_MTU)
699 return false;
700 }
701
702 return true;
703}
704
705static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
706 sockptr_t optval, unsigned int optlen)
707{
708 struct sock *sk = sock->sk;
709 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
710 struct l2cap_options opts;
711 int len, err = 0;
712 u32 opt;
713
714 BT_DBG("sk %p", sk);
715
716 lock_sock(sk);
717
718 switch (optname) {
719 case L2CAP_OPTIONS:
720 if (bdaddr_type_is_le(chan->src_type)) {
721 err = -EINVAL;
722 break;
723 }
724
725 if (sk->sk_state == BT_CONNECTED) {
726 err = -EINVAL;
727 break;
728 }
729
730 opts.imtu = chan->imtu;
731 opts.omtu = chan->omtu;
732 opts.flush_to = chan->flush_to;
733 opts.mode = chan->mode;
734 opts.fcs = chan->fcs;
735 opts.max_tx = chan->max_tx;
736 opts.txwin_size = chan->tx_win;
737
738 len = min_t(unsigned int, sizeof(opts), optlen);
739 if (copy_from_sockptr(&opts, optval, len)) {
740 err = -EFAULT;
741 break;
742 }
743
744 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
745 err = -EINVAL;
746 break;
747 }
748
749 if (!l2cap_valid_mtu(chan, opts.imtu)) {
750 err = -EINVAL;
751 break;
752 }
753
754 /* Only BR/EDR modes are supported here */
755 switch (opts.mode) {
756 case L2CAP_MODE_BASIC:
757 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
758 break;
759 case L2CAP_MODE_ERTM:
760 case L2CAP_MODE_STREAMING:
761 if (!disable_ertm)
762 break;
763 fallthrough;
764 default:
765 err = -EINVAL;
766 break;
767 }
768
769 if (err < 0)
770 break;
771
772 chan->mode = opts.mode;
773
774 BT_DBG("mode 0x%2.2x", chan->mode);
775
776 chan->imtu = opts.imtu;
777 chan->omtu = opts.omtu;
778 chan->fcs = opts.fcs;
779 chan->max_tx = opts.max_tx;
780 chan->tx_win = opts.txwin_size;
781 chan->flush_to = opts.flush_to;
782 break;
783
784 case L2CAP_LM:
785 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
786 err = -EFAULT;
787 break;
788 }
789
790 if (opt & L2CAP_LM_FIPS) {
791 err = -EINVAL;
792 break;
793 }
794
795 if (opt & L2CAP_LM_AUTH)
796 chan->sec_level = BT_SECURITY_LOW;
797 if (opt & L2CAP_LM_ENCRYPT)
798 chan->sec_level = BT_SECURITY_MEDIUM;
799 if (opt & L2CAP_LM_SECURE)
800 chan->sec_level = BT_SECURITY_HIGH;
801
802 if (opt & L2CAP_LM_MASTER)
803 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
804 else
805 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
806
807 if (opt & L2CAP_LM_RELIABLE)
808 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
809 else
810 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
811 break;
812
813 default:
814 err = -ENOPROTOOPT;
815 break;
816 }
817
818 release_sock(sk);
819 return err;
820}
821
822static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode)
823{
824 switch (mode) {
825 case BT_MODE_BASIC:
826 if (bdaddr_type_is_le(chan->src_type))
827 return -EINVAL;
828 mode = L2CAP_MODE_BASIC;
829 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
830 break;
831 case BT_MODE_ERTM:
832 if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
833 return -EINVAL;
834 mode = L2CAP_MODE_ERTM;
835 break;
836 case BT_MODE_STREAMING:
837 if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
838 return -EINVAL;
839 mode = L2CAP_MODE_STREAMING;
840 break;
841 case BT_MODE_LE_FLOWCTL:
842 if (!bdaddr_type_is_le(chan->src_type))
843 return -EINVAL;
844 mode = L2CAP_MODE_LE_FLOWCTL;
845 break;
846 case BT_MODE_EXT_FLOWCTL:
847 /* TODO: Add support for ECRED PDUs to BR/EDR */
848 if (!bdaddr_type_is_le(chan->src_type))
849 return -EINVAL;
850 mode = L2CAP_MODE_EXT_FLOWCTL;
851 break;
852 default:
853 return -EINVAL;
854 }
855
856 chan->mode = mode;
857
858 return 0;
859}
860
861static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
862 sockptr_t optval, unsigned int optlen)
863{
864 struct sock *sk = sock->sk;
865 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
866 struct bt_security sec;
867 struct bt_power pwr;
868 struct l2cap_conn *conn;
869 int len, err = 0;
870 u32 opt;
871
872 BT_DBG("sk %p", sk);
873
874 if (level == SOL_L2CAP)
875 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
876
877 if (level != SOL_BLUETOOTH)
878 return -ENOPROTOOPT;
879
880 lock_sock(sk);
881
882 switch (optname) {
883 case BT_SECURITY:
884 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
885 chan->chan_type != L2CAP_CHAN_FIXED &&
886 chan->chan_type != L2CAP_CHAN_RAW) {
887 err = -EINVAL;
888 break;
889 }
890
891 sec.level = BT_SECURITY_LOW;
892
893 len = min_t(unsigned int, sizeof(sec), optlen);
894 if (copy_from_sockptr(&sec, optval, len)) {
895 err = -EFAULT;
896 break;
897 }
898
899 if (sec.level < BT_SECURITY_LOW ||
900 sec.level > BT_SECURITY_FIPS) {
901 err = -EINVAL;
902 break;
903 }
904
905 chan->sec_level = sec.level;
906
907 if (!chan->conn)
908 break;
909
910 conn = chan->conn;
911
912 /* change security for LE channels */
913 if (chan->scid == L2CAP_CID_ATT) {
914 if (smp_conn_security(conn->hcon, sec.level)) {
915 err = -EINVAL;
916 break;
917 }
918
919 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
920 sk->sk_state = BT_CONFIG;
921 chan->state = BT_CONFIG;
922
923 /* or for ACL link */
924 } else if ((sk->sk_state == BT_CONNECT2 &&
925 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
926 sk->sk_state == BT_CONNECTED) {
927 if (!l2cap_chan_check_security(chan, true))
928 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
929 else
930 sk->sk_state_change(sk);
931 } else {
932 err = -EINVAL;
933 }
934 break;
935
936 case BT_DEFER_SETUP:
937 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
938 err = -EINVAL;
939 break;
940 }
941
942 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
943 err = -EFAULT;
944 break;
945 }
946
947 if (opt) {
948 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
949 set_bit(FLAG_DEFER_SETUP, &chan->flags);
950 } else {
951 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
952 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
953 }
954 break;
955
956 case BT_FLUSHABLE:
957 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
958 err = -EFAULT;
959 break;
960 }
961
962 if (opt > BT_FLUSHABLE_ON) {
963 err = -EINVAL;
964 break;
965 }
966
967 if (opt == BT_FLUSHABLE_OFF) {
968 conn = chan->conn;
969 /* proceed further only when we have l2cap_conn and
970 No Flush support in the LM */
971 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
972 err = -EINVAL;
973 break;
974 }
975 }
976
977 if (opt)
978 set_bit(FLAG_FLUSHABLE, &chan->flags);
979 else
980 clear_bit(FLAG_FLUSHABLE, &chan->flags);
981 break;
982
983 case BT_POWER:
984 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
985 chan->chan_type != L2CAP_CHAN_RAW) {
986 err = -EINVAL;
987 break;
988 }
989
990 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
991
992 len = min_t(unsigned int, sizeof(pwr), optlen);
993 if (copy_from_sockptr(&pwr, optval, len)) {
994 err = -EFAULT;
995 break;
996 }
997
998 if (pwr.force_active)
999 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1000 else
1001 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1002 break;
1003
1004 case BT_CHANNEL_POLICY:
1005 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
1006 err = -EFAULT;
1007 break;
1008 }
1009
1010 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
1011 err = -EINVAL;
1012 break;
1013 }
1014
1015 if (chan->mode != L2CAP_MODE_ERTM &&
1016 chan->mode != L2CAP_MODE_STREAMING) {
1017 err = -EOPNOTSUPP;
1018 break;
1019 }
1020
1021 chan->chan_policy = (u8) opt;
1022
1023 if (sk->sk_state == BT_CONNECTED &&
1024 chan->move_role == L2CAP_MOVE_ROLE_NONE)
1025 l2cap_move_start(chan);
1026
1027 break;
1028
1029 case BT_SNDMTU:
1030 if (!bdaddr_type_is_le(chan->src_type)) {
1031 err = -EINVAL;
1032 break;
1033 }
1034
1035 /* Setting is not supported as it's the remote side that
1036 * decides this.
1037 */
1038 err = -EPERM;
1039 break;
1040
1041 case BT_RCVMTU:
1042 if (!bdaddr_type_is_le(chan->src_type)) {
1043 err = -EINVAL;
1044 break;
1045 }
1046
1047 if (chan->mode == L2CAP_MODE_LE_FLOWCTL &&
1048 sk->sk_state == BT_CONNECTED) {
1049 err = -EISCONN;
1050 break;
1051 }
1052
1053 if (copy_from_sockptr(&opt, optval, sizeof(u16))) {
1054 err = -EFAULT;
1055 break;
1056 }
1057
1058 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
1059 sk->sk_state == BT_CONNECTED)
1060 err = l2cap_chan_reconfigure(chan, opt);
1061 else
1062 chan->imtu = opt;
1063
1064 break;
1065
1066 case BT_MODE:
1067 if (!enable_ecred) {
1068 err = -ENOPROTOOPT;
1069 break;
1070 }
1071
1072 BT_DBG("sk->sk_state %u", sk->sk_state);
1073
1074 if (sk->sk_state != BT_BOUND) {
1075 err = -EINVAL;
1076 break;
1077 }
1078
1079 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1080 err = -EINVAL;
1081 break;
1082 }
1083
1084 if (copy_from_sockptr(&opt, optval, sizeof(u8))) {
1085 err = -EFAULT;
1086 break;
1087 }
1088
1089 BT_DBG("opt %u", opt);
1090
1091 err = l2cap_set_mode(chan, opt);
1092 if (err)
1093 break;
1094
1095 BT_DBG("mode 0x%2.2x", chan->mode);
1096
1097 break;
1098
1099 default:
1100 err = -ENOPROTOOPT;
1101 break;
1102 }
1103
1104 release_sock(sk);
1105 return err;
1106}
1107
1108static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1109 size_t len)
1110{
1111 struct sock *sk = sock->sk;
1112 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1113 int err;
1114
1115 BT_DBG("sock %p, sk %p", sock, sk);
1116
1117 err = sock_error(sk);
1118 if (err)
1119 return err;
1120
1121 if (msg->msg_flags & MSG_OOB)
1122 return -EOPNOTSUPP;
1123
1124 if (sk->sk_state != BT_CONNECTED)
1125 return -ENOTCONN;
1126
1127 lock_sock(sk);
1128 err = bt_sock_wait_ready(sk, msg->msg_flags);
1129 release_sock(sk);
1130 if (err)
1131 return err;
1132
1133 l2cap_chan_lock(chan);
1134 err = l2cap_chan_send(chan, msg, len);
1135 l2cap_chan_unlock(chan);
1136
1137 return err;
1138}
1139
1140static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1141 size_t len, int flags)
1142{
1143 struct sock *sk = sock->sk;
1144 struct l2cap_pinfo *pi = l2cap_pi(sk);
1145 int err;
1146
1147 lock_sock(sk);
1148
1149 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
1150 &bt_sk(sk)->flags)) {
1151 if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
1152 sk->sk_state = BT_CONNECTED;
1153 pi->chan->state = BT_CONNECTED;
1154 __l2cap_ecred_conn_rsp_defer(pi->chan);
1155 } else if (bdaddr_type_is_le(pi->chan->src_type)) {
1156 sk->sk_state = BT_CONNECTED;
1157 pi->chan->state = BT_CONNECTED;
1158 __l2cap_le_connect_rsp_defer(pi->chan);
1159 } else {
1160 sk->sk_state = BT_CONFIG;
1161 pi->chan->state = BT_CONFIG;
1162 __l2cap_connect_rsp_defer(pi->chan);
1163 }
1164
1165 err = 0;
1166 goto done;
1167 }
1168
1169 release_sock(sk);
1170
1171 if (sock->type == SOCK_STREAM)
1172 err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1173 else
1174 err = bt_sock_recvmsg(sock, msg, len, flags);
1175
1176 if (pi->chan->mode != L2CAP_MODE_ERTM)
1177 return err;
1178
1179 /* Attempt to put pending rx data in the socket buffer */
1180
1181 lock_sock(sk);
1182
1183 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1184 goto done;
1185
1186 if (pi->rx_busy_skb) {
1187 if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1188 pi->rx_busy_skb = NULL;
1189 else
1190 goto done;
1191 }
1192
1193 /* Restore data flow when half of the receive buffer is
1194 * available. This avoids resending large numbers of
1195 * frames.
1196 */
1197 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1198 l2cap_chan_busy(pi->chan, 0);
1199
1200done:
1201 release_sock(sk);
1202 return err;
1203}
1204
1205/* Kill socket (only if zapped and orphan)
1206 * Must be called on unlocked socket, with l2cap channel lock.
1207 */
1208static void l2cap_sock_kill(struct sock *sk)
1209{
1210 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1211 return;
1212
1213 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1214
1215 /* Kill poor orphan */
1216
1217 l2cap_chan_put(l2cap_pi(sk)->chan);
1218 sock_set_flag(sk, SOCK_DEAD);
1219 sock_put(sk);
1220}
1221
1222static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1223{
1224 DECLARE_WAITQUEUE(wait, current);
1225 int err = 0;
1226 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1227 /* Timeout to prevent infinite loop */
1228 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1229
1230 add_wait_queue(sk_sleep(sk), &wait);
1231 set_current_state(TASK_INTERRUPTIBLE);
1232 do {
1233 BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1234 chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1235 jiffies_to_msecs(timeout - jiffies));
1236
1237 if (!timeo)
1238 timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1239
1240 if (signal_pending(current)) {
1241 err = sock_intr_errno(timeo);
1242 break;
1243 }
1244
1245 release_sock(sk);
1246 timeo = schedule_timeout(timeo);
1247 lock_sock(sk);
1248 set_current_state(TASK_INTERRUPTIBLE);
1249
1250 err = sock_error(sk);
1251 if (err)
1252 break;
1253
1254 if (time_after(jiffies, timeout)) {
1255 err = -ENOLINK;
1256 break;
1257 }
1258
1259 } while (chan->unacked_frames > 0 &&
1260 chan->state == BT_CONNECTED);
1261
1262 set_current_state(TASK_RUNNING);
1263 remove_wait_queue(sk_sleep(sk), &wait);
1264 return err;
1265}
1266
1267static int l2cap_sock_shutdown(struct socket *sock, int how)
1268{
1269 struct sock *sk = sock->sk;
1270 struct l2cap_chan *chan;
1271 struct l2cap_conn *conn;
1272 int err = 0;
1273
1274 BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1275
1276 /* 'how' parameter is mapped to sk_shutdown as follows:
1277 * SHUT_RD (0) --> RCV_SHUTDOWN (1)
1278 * SHUT_WR (1) --> SEND_SHUTDOWN (2)
1279 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3)
1280 */
1281 how++;
1282
1283 if (!sk)
1284 return 0;
1285
1286 lock_sock(sk);
1287
1288 if ((sk->sk_shutdown & how) == how)
1289 goto shutdown_already;
1290
1291 BT_DBG("Handling sock shutdown");
1292
1293 /* prevent sk structure from being freed whilst unlocked */
1294 sock_hold(sk);
1295
1296 chan = l2cap_pi(sk)->chan;
1297 /* prevent chan structure from being freed whilst unlocked */
1298 l2cap_chan_hold(chan);
1299
1300 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1301
1302 if (chan->mode == L2CAP_MODE_ERTM &&
1303 chan->unacked_frames > 0 &&
1304 chan->state == BT_CONNECTED) {
1305 err = __l2cap_wait_ack(sk, chan);
1306
1307 /* After waiting for ACKs, check whether shutdown
1308 * has already been actioned to close the L2CAP
1309 * link such as by l2cap_disconnection_req().
1310 */
1311 if ((sk->sk_shutdown & how) == how)
1312 goto shutdown_matched;
1313 }
1314
1315 /* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN
1316 * is already set
1317 */
1318 if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) {
1319 sk->sk_shutdown |= RCV_SHUTDOWN;
1320 if ((sk->sk_shutdown & how) == how)
1321 goto shutdown_matched;
1322 }
1323
1324 sk->sk_shutdown |= SEND_SHUTDOWN;
1325 release_sock(sk);
1326
1327 l2cap_chan_lock(chan);
1328 conn = chan->conn;
1329 if (conn)
1330 /* prevent conn structure from being freed */
1331 l2cap_conn_get(conn);
1332 l2cap_chan_unlock(chan);
1333
1334 if (conn)
1335 /* mutex lock must be taken before l2cap_chan_lock() */
1336 mutex_lock(&conn->chan_lock);
1337
1338 l2cap_chan_lock(chan);
1339 l2cap_chan_close(chan, 0);
1340 l2cap_chan_unlock(chan);
1341
1342 if (conn) {
1343 mutex_unlock(&conn->chan_lock);
1344 l2cap_conn_put(conn);
1345 }
1346
1347 lock_sock(sk);
1348
1349 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1350 !(current->flags & PF_EXITING))
1351 err = bt_sock_wait_state(sk, BT_CLOSED,
1352 sk->sk_lingertime);
1353
1354shutdown_matched:
1355 l2cap_chan_put(chan);
1356 sock_put(sk);
1357
1358shutdown_already:
1359 if (!err && sk->sk_err)
1360 err = -sk->sk_err;
1361
1362 release_sock(sk);
1363
1364 BT_DBG("Sock shutdown complete err: %d", err);
1365
1366 return err;
1367}
1368
1369static int l2cap_sock_release(struct socket *sock)
1370{
1371 struct sock *sk = sock->sk;
1372 int err;
1373 struct l2cap_chan *chan;
1374
1375 BT_DBG("sock %p, sk %p", sock, sk);
1376
1377 if (!sk)
1378 return 0;
1379
1380 bt_sock_unlink(&l2cap_sk_list, sk);
1381
1382 err = l2cap_sock_shutdown(sock, SHUT_RDWR);
1383 chan = l2cap_pi(sk)->chan;
1384
1385 l2cap_chan_hold(chan);
1386 l2cap_chan_lock(chan);
1387
1388 sock_orphan(sk);
1389 l2cap_sock_kill(sk);
1390
1391 l2cap_chan_unlock(chan);
1392 l2cap_chan_put(chan);
1393
1394 return err;
1395}
1396
1397static void l2cap_sock_cleanup_listen(struct sock *parent)
1398{
1399 struct sock *sk;
1400
1401 BT_DBG("parent %p state %s", parent,
1402 state_to_string(parent->sk_state));
1403
1404 /* Close not yet accepted channels */
1405 while ((sk = bt_accept_dequeue(parent, NULL))) {
1406 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1407
1408 BT_DBG("child chan %p state %s", chan,
1409 state_to_string(chan->state));
1410
1411 l2cap_chan_hold(chan);
1412 l2cap_chan_lock(chan);
1413
1414 __clear_chan_timer(chan);
1415 l2cap_chan_close(chan, ECONNRESET);
1416 l2cap_sock_kill(sk);
1417
1418 l2cap_chan_unlock(chan);
1419 l2cap_chan_put(chan);
1420 }
1421}
1422
1423static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1424{
1425 struct sock *sk, *parent = chan->data;
1426
1427 lock_sock(parent);
1428
1429 /* Check for backlog size */
1430 if (sk_acceptq_is_full(parent)) {
1431 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1432 release_sock(parent);
1433 return NULL;
1434 }
1435
1436 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1437 GFP_ATOMIC, 0);
1438 if (!sk) {
1439 release_sock(parent);
1440 return NULL;
1441 }
1442
1443 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1444
1445 l2cap_sock_init(sk, parent);
1446
1447 bt_accept_enqueue(parent, sk, false);
1448
1449 release_sock(parent);
1450
1451 return l2cap_pi(sk)->chan;
1452}
1453
1454static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1455{
1456 struct sock *sk = chan->data;
1457 int err;
1458
1459 lock_sock(sk);
1460
1461 if (l2cap_pi(sk)->rx_busy_skb) {
1462 err = -ENOMEM;
1463 goto done;
1464 }
1465
1466 if (chan->mode != L2CAP_MODE_ERTM &&
1467 chan->mode != L2CAP_MODE_STREAMING) {
1468 /* Even if no filter is attached, we could potentially
1469 * get errors from security modules, etc.
1470 */
1471 err = sk_filter(sk, skb);
1472 if (err)
1473 goto done;
1474 }
1475
1476 err = __sock_queue_rcv_skb(sk, skb);
1477
1478 /* For ERTM, handle one skb that doesn't fit into the recv
1479 * buffer. This is important to do because the data frames
1480 * have already been acked, so the skb cannot be discarded.
1481 *
1482 * Notify the l2cap core that the buffer is full, so the
1483 * LOCAL_BUSY state is entered and no more frames are
1484 * acked and reassembled until there is buffer space
1485 * available.
1486 */
1487 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1488 l2cap_pi(sk)->rx_busy_skb = skb;
1489 l2cap_chan_busy(chan, 1);
1490 err = 0;
1491 }
1492
1493done:
1494 release_sock(sk);
1495
1496 return err;
1497}
1498
1499static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1500{
1501 struct sock *sk = chan->data;
1502
1503 l2cap_sock_kill(sk);
1504}
1505
1506static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1507{
1508 struct sock *sk = chan->data;
1509 struct sock *parent;
1510
1511 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1512
1513 /* This callback can be called both for server (BT_LISTEN)
1514 * sockets as well as "normal" ones. To avoid lockdep warnings
1515 * with child socket locking (through l2cap_sock_cleanup_listen)
1516 * we need separation into separate nesting levels. The simplest
1517 * way to accomplish this is to inherit the nesting level used
1518 * for the channel.
1519 */
1520 lock_sock_nested(sk, atomic_read(&chan->nesting));
1521
1522 parent = bt_sk(sk)->parent;
1523
1524 sock_set_flag(sk, SOCK_ZAPPED);
1525
1526 switch (chan->state) {
1527 case BT_OPEN:
1528 case BT_BOUND:
1529 case BT_CLOSED:
1530 break;
1531 case BT_LISTEN:
1532 l2cap_sock_cleanup_listen(sk);
1533 sk->sk_state = BT_CLOSED;
1534 chan->state = BT_CLOSED;
1535
1536 break;
1537 default:
1538 sk->sk_state = BT_CLOSED;
1539 chan->state = BT_CLOSED;
1540
1541 sk->sk_err = err;
1542
1543 if (parent) {
1544 bt_accept_unlink(sk);
1545 parent->sk_data_ready(parent);
1546 } else {
1547 sk->sk_state_change(sk);
1548 }
1549
1550 break;
1551 }
1552
1553 release_sock(sk);
1554}
1555
1556static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1557 int err)
1558{
1559 struct sock *sk = chan->data;
1560
1561 sk->sk_state = state;
1562
1563 if (err)
1564 sk->sk_err = err;
1565}
1566
1567static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1568 unsigned long hdr_len,
1569 unsigned long len, int nb)
1570{
1571 struct sock *sk = chan->data;
1572 struct sk_buff *skb;
1573 int err;
1574
1575 l2cap_chan_unlock(chan);
1576 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1577 l2cap_chan_lock(chan);
1578
1579 if (!skb)
1580 return ERR_PTR(err);
1581
1582 skb->priority = sk->sk_priority;
1583
1584 bt_cb(skb)->l2cap.chan = chan;
1585
1586 return skb;
1587}
1588
1589static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1590{
1591 struct sock *sk = chan->data;
1592 struct sock *parent;
1593
1594 lock_sock(sk);
1595
1596 parent = bt_sk(sk)->parent;
1597
1598 BT_DBG("sk %p, parent %p", sk, parent);
1599
1600 sk->sk_state = BT_CONNECTED;
1601 sk->sk_state_change(sk);
1602
1603 if (parent)
1604 parent->sk_data_ready(parent);
1605
1606 release_sock(sk);
1607}
1608
1609static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1610{
1611 struct sock *parent, *sk = chan->data;
1612
1613 lock_sock(sk);
1614
1615 parent = bt_sk(sk)->parent;
1616 if (parent)
1617 parent->sk_data_ready(parent);
1618
1619 release_sock(sk);
1620}
1621
1622static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1623{
1624 struct sock *sk = chan->data;
1625
1626 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1627 sk->sk_state = BT_CONNECTED;
1628 chan->state = BT_CONNECTED;
1629 }
1630
1631 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1632 sk->sk_state_change(sk);
1633}
1634
1635static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1636{
1637 struct sock *sk = chan->data;
1638
1639 lock_sock(sk);
1640 sk->sk_shutdown = SHUTDOWN_MASK;
1641 release_sock(sk);
1642}
1643
1644static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1645{
1646 struct sock *sk = chan->data;
1647
1648 return sk->sk_sndtimeo;
1649}
1650
1651static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan)
1652{
1653 struct sock *sk = chan->data;
1654
1655 return sk->sk_peer_pid;
1656}
1657
1658static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1659{
1660 struct sock *sk = chan->data;
1661
1662 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1663 sk->sk_state_change(sk);
1664}
1665
1666static const struct l2cap_ops l2cap_chan_ops = {
1667 .name = "L2CAP Socket Interface",
1668 .new_connection = l2cap_sock_new_connection_cb,
1669 .recv = l2cap_sock_recv_cb,
1670 .close = l2cap_sock_close_cb,
1671 .teardown = l2cap_sock_teardown_cb,
1672 .state_change = l2cap_sock_state_change_cb,
1673 .ready = l2cap_sock_ready_cb,
1674 .defer = l2cap_sock_defer_cb,
1675 .resume = l2cap_sock_resume_cb,
1676 .suspend = l2cap_sock_suspend_cb,
1677 .set_shutdown = l2cap_sock_set_shutdown_cb,
1678 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1679 .get_peer_pid = l2cap_sock_get_peer_pid_cb,
1680 .alloc_skb = l2cap_sock_alloc_skb_cb,
1681};
1682
1683static void l2cap_sock_destruct(struct sock *sk)
1684{
1685 BT_DBG("sk %p", sk);
1686
1687 if (l2cap_pi(sk)->chan)
1688 l2cap_chan_put(l2cap_pi(sk)->chan);
1689
1690 if (l2cap_pi(sk)->rx_busy_skb) {
1691 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1692 l2cap_pi(sk)->rx_busy_skb = NULL;
1693 }
1694
1695 skb_queue_purge(&sk->sk_receive_queue);
1696 skb_queue_purge(&sk->sk_write_queue);
1697}
1698
1699static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1700 int *msg_namelen)
1701{
1702 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1703
1704 memset(la, 0, sizeof(struct sockaddr_l2));
1705 la->l2_family = AF_BLUETOOTH;
1706 la->l2_psm = bt_cb(skb)->l2cap.psm;
1707 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1708
1709 *msg_namelen = sizeof(struct sockaddr_l2);
1710}
1711
1712static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1713{
1714 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1715
1716 BT_DBG("sk %p", sk);
1717
1718 if (parent) {
1719 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1720
1721 sk->sk_type = parent->sk_type;
1722 bt_sk(sk)->flags = bt_sk(parent)->flags;
1723
1724 chan->chan_type = pchan->chan_type;
1725 chan->imtu = pchan->imtu;
1726 chan->omtu = pchan->omtu;
1727 chan->conf_state = pchan->conf_state;
1728 chan->mode = pchan->mode;
1729 chan->fcs = pchan->fcs;
1730 chan->max_tx = pchan->max_tx;
1731 chan->tx_win = pchan->tx_win;
1732 chan->tx_win_max = pchan->tx_win_max;
1733 chan->sec_level = pchan->sec_level;
1734 chan->flags = pchan->flags;
1735 chan->tx_credits = pchan->tx_credits;
1736 chan->rx_credits = pchan->rx_credits;
1737
1738 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1739 chan->scid = pchan->scid;
1740 chan->dcid = pchan->scid;
1741 }
1742
1743 security_sk_clone(parent, sk);
1744 } else {
1745 switch (sk->sk_type) {
1746 case SOCK_RAW:
1747 chan->chan_type = L2CAP_CHAN_RAW;
1748 break;
1749 case SOCK_DGRAM:
1750 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1751 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1752 break;
1753 case SOCK_SEQPACKET:
1754 case SOCK_STREAM:
1755 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1756 break;
1757 }
1758
1759 chan->imtu = L2CAP_DEFAULT_MTU;
1760 chan->omtu = 0;
1761 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1762 chan->mode = L2CAP_MODE_ERTM;
1763 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1764 } else {
1765 chan->mode = L2CAP_MODE_BASIC;
1766 }
1767
1768 l2cap_chan_set_defaults(chan);
1769 }
1770
1771 /* Default config options */
1772 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1773
1774 chan->data = sk;
1775 chan->ops = &l2cap_chan_ops;
1776}
1777
1778static struct proto l2cap_proto = {
1779 .name = "L2CAP",
1780 .owner = THIS_MODULE,
1781 .obj_size = sizeof(struct l2cap_pinfo)
1782};
1783
1784static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1785 int proto, gfp_t prio, int kern)
1786{
1787 struct sock *sk;
1788 struct l2cap_chan *chan;
1789
1790 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern);
1791 if (!sk)
1792 return NULL;
1793
1794 sock_init_data(sock, sk);
1795 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1796
1797 sk->sk_destruct = l2cap_sock_destruct;
1798 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1799
1800 sock_reset_flag(sk, SOCK_ZAPPED);
1801
1802 sk->sk_protocol = proto;
1803 sk->sk_state = BT_OPEN;
1804
1805 chan = l2cap_chan_create();
1806 if (!chan) {
1807 sk_free(sk);
1808 return NULL;
1809 }
1810
1811 l2cap_chan_hold(chan);
1812
1813 l2cap_pi(sk)->chan = chan;
1814
1815 return sk;
1816}
1817
1818static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1819 int kern)
1820{
1821 struct sock *sk;
1822
1823 BT_DBG("sock %p", sock);
1824
1825 sock->state = SS_UNCONNECTED;
1826
1827 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1828 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1829 return -ESOCKTNOSUPPORT;
1830
1831 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1832 return -EPERM;
1833
1834 sock->ops = &l2cap_sock_ops;
1835
1836 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1837 if (!sk)
1838 return -ENOMEM;
1839
1840 l2cap_sock_init(sk, NULL);
1841 bt_sock_link(&l2cap_sk_list, sk);
1842 return 0;
1843}
1844
1845static const struct proto_ops l2cap_sock_ops = {
1846 .family = PF_BLUETOOTH,
1847 .owner = THIS_MODULE,
1848 .release = l2cap_sock_release,
1849 .bind = l2cap_sock_bind,
1850 .connect = l2cap_sock_connect,
1851 .listen = l2cap_sock_listen,
1852 .accept = l2cap_sock_accept,
1853 .getname = l2cap_sock_getname,
1854 .sendmsg = l2cap_sock_sendmsg,
1855 .recvmsg = l2cap_sock_recvmsg,
1856 .poll = bt_sock_poll,
1857 .ioctl = bt_sock_ioctl,
1858 .gettstamp = sock_gettstamp,
1859 .mmap = sock_no_mmap,
1860 .socketpair = sock_no_socketpair,
1861 .shutdown = l2cap_sock_shutdown,
1862 .setsockopt = l2cap_sock_setsockopt,
1863 .getsockopt = l2cap_sock_getsockopt
1864};
1865
1866static const struct net_proto_family l2cap_sock_family_ops = {
1867 .family = PF_BLUETOOTH,
1868 .owner = THIS_MODULE,
1869 .create = l2cap_sock_create,
1870};
1871
1872int __init l2cap_init_sockets(void)
1873{
1874 int err;
1875
1876 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1877
1878 err = proto_register(&l2cap_proto, 0);
1879 if (err < 0)
1880 return err;
1881
1882 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1883 if (err < 0) {
1884 BT_ERR("L2CAP socket registration failed");
1885 goto error;
1886 }
1887
1888 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1889 NULL);
1890 if (err < 0) {
1891 BT_ERR("Failed to create L2CAP proc file");
1892 bt_sock_unregister(BTPROTO_L2CAP);
1893 goto error;
1894 }
1895
1896 BT_INFO("L2CAP socket layer initialized");
1897
1898 return 0;
1899
1900error:
1901 proto_unregister(&l2cap_proto);
1902 return err;
1903}
1904
1905void l2cap_cleanup_sockets(void)
1906{
1907 bt_procfs_cleanup(&init_net, "l2cap");
1908 bt_sock_unregister(BTPROTO_L2CAP);
1909 proto_unregister(&l2cap_proto);
1910}