Loading...
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
26*/
27
28/* Bluetooth L2CAP sockets. */
29
30#include <linux/module.h>
31#include <linux/export.h>
32
33#include <net/bluetooth/bluetooth.h>
34#include <net/bluetooth/hci_core.h>
35#include <net/bluetooth/l2cap.h>
36
37#include "smp.h"
38
39static struct bt_sock_list l2cap_sk_list = {
40 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
41};
42
43static const struct proto_ops l2cap_sock_ops;
44static void l2cap_sock_init(struct sock *sk, struct sock *parent);
45static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
46 int proto, gfp_t prio, int kern);
47
48bool l2cap_is_socket(struct socket *sock)
49{
50 return sock && sock->ops == &l2cap_sock_ops;
51}
52EXPORT_SYMBOL(l2cap_is_socket);
53
54static int l2cap_validate_bredr_psm(u16 psm)
55{
56 /* PSM must be odd and lsb of upper byte must be 0 */
57 if ((psm & 0x0101) != 0x0001)
58 return -EINVAL;
59
60 /* Restrict usage of well-known PSMs */
61 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
62 return -EACCES;
63
64 return 0;
65}
66
67static int l2cap_validate_le_psm(u16 psm)
68{
69 /* Valid LE_PSM ranges are defined only until 0x00ff */
70 if (psm > L2CAP_PSM_LE_DYN_END)
71 return -EINVAL;
72
73 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
74 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
75 return -EACCES;
76
77 return 0;
78}
79
80static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
81{
82 struct sock *sk = sock->sk;
83 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
84 struct sockaddr_l2 la;
85 int len, err = 0;
86
87 BT_DBG("sk %p", sk);
88
89 if (!addr || addr->sa_family != AF_BLUETOOTH)
90 return -EINVAL;
91
92 memset(&la, 0, sizeof(la));
93 len = min_t(unsigned int, sizeof(la), alen);
94 memcpy(&la, addr, len);
95
96 if (la.l2_cid && la.l2_psm)
97 return -EINVAL;
98
99 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
100 return -EINVAL;
101
102 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
103 /* We only allow ATT user space socket */
104 if (la.l2_cid &&
105 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
106 return -EINVAL;
107 }
108
109 lock_sock(sk);
110
111 if (sk->sk_state != BT_OPEN) {
112 err = -EBADFD;
113 goto done;
114 }
115
116 if (la.l2_psm) {
117 __u16 psm = __le16_to_cpu(la.l2_psm);
118
119 if (la.l2_bdaddr_type == BDADDR_BREDR)
120 err = l2cap_validate_bredr_psm(psm);
121 else
122 err = l2cap_validate_le_psm(psm);
123
124 if (err)
125 goto done;
126 }
127
128 bacpy(&chan->src, &la.l2_bdaddr);
129 chan->src_type = la.l2_bdaddr_type;
130
131 if (la.l2_cid)
132 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
133 else
134 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
135
136 if (err < 0)
137 goto done;
138
139 switch (chan->chan_type) {
140 case L2CAP_CHAN_CONN_LESS:
141 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
142 chan->sec_level = BT_SECURITY_SDP;
143 break;
144 case L2CAP_CHAN_CONN_ORIENTED:
145 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
146 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
147 chan->sec_level = BT_SECURITY_SDP;
148 break;
149 case L2CAP_CHAN_RAW:
150 chan->sec_level = BT_SECURITY_SDP;
151 break;
152 case L2CAP_CHAN_FIXED:
153 /* Fixed channels default to the L2CAP core not holding a
154 * hci_conn reference for them. For fixed channels mapping to
155 * L2CAP sockets we do want to hold a reference so set the
156 * appropriate flag to request it.
157 */
158 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
159 break;
160 }
161
162 if (chan->psm && bdaddr_type_is_le(chan->src_type))
163 chan->mode = L2CAP_MODE_LE_FLOWCTL;
164
165 chan->state = BT_BOUND;
166 sk->sk_state = BT_BOUND;
167
168done:
169 release_sock(sk);
170 return err;
171}
172
173static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
174 int alen, int flags)
175{
176 struct sock *sk = sock->sk;
177 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
178 struct sockaddr_l2 la;
179 int len, err = 0;
180
181 BT_DBG("sk %p", sk);
182
183 if (!addr || alen < sizeof(addr->sa_family) ||
184 addr->sa_family != AF_BLUETOOTH)
185 return -EINVAL;
186
187 memset(&la, 0, sizeof(la));
188 len = min_t(unsigned int, sizeof(la), alen);
189 memcpy(&la, addr, len);
190
191 if (la.l2_cid && la.l2_psm)
192 return -EINVAL;
193
194 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
195 return -EINVAL;
196
197 /* Check that the socket wasn't bound to something that
198 * conflicts with the address given to connect(). If chan->src
199 * is BDADDR_ANY it means bind() was never used, in which case
200 * chan->src_type and la.l2_bdaddr_type do not need to match.
201 */
202 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
203 bdaddr_type_is_le(la.l2_bdaddr_type)) {
204 /* Old user space versions will try to incorrectly bind
205 * the ATT socket using BDADDR_BREDR. We need to accept
206 * this and fix up the source address type only when
207 * both the source CID and destination CID indicate
208 * ATT. Anything else is an invalid combination.
209 */
210 if (chan->scid != L2CAP_CID_ATT ||
211 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
212 return -EINVAL;
213
214 /* We don't have the hdev available here to make a
215 * better decision on random vs public, but since all
216 * user space versions that exhibit this issue anyway do
217 * not support random local addresses assuming public
218 * here is good enough.
219 */
220 chan->src_type = BDADDR_LE_PUBLIC;
221 }
222
223 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
224 return -EINVAL;
225
226 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
227 /* We only allow ATT user space socket */
228 if (la.l2_cid &&
229 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
230 return -EINVAL;
231 }
232
233 if (chan->psm && bdaddr_type_is_le(chan->src_type))
234 chan->mode = L2CAP_MODE_LE_FLOWCTL;
235
236 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
237 &la.l2_bdaddr, la.l2_bdaddr_type);
238 if (err)
239 return err;
240
241 lock_sock(sk);
242
243 err = bt_sock_wait_state(sk, BT_CONNECTED,
244 sock_sndtimeo(sk, flags & O_NONBLOCK));
245
246 release_sock(sk);
247
248 return err;
249}
250
251static int l2cap_sock_listen(struct socket *sock, int backlog)
252{
253 struct sock *sk = sock->sk;
254 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
255 int err = 0;
256
257 BT_DBG("sk %p backlog %d", sk, backlog);
258
259 lock_sock(sk);
260
261 if (sk->sk_state != BT_BOUND) {
262 err = -EBADFD;
263 goto done;
264 }
265
266 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
267 err = -EINVAL;
268 goto done;
269 }
270
271 switch (chan->mode) {
272 case L2CAP_MODE_BASIC:
273 case L2CAP_MODE_LE_FLOWCTL:
274 break;
275 case L2CAP_MODE_ERTM:
276 case L2CAP_MODE_STREAMING:
277 if (!disable_ertm)
278 break;
279 /* fall through */
280 default:
281 err = -EOPNOTSUPP;
282 goto done;
283 }
284
285 sk->sk_max_ack_backlog = backlog;
286 sk->sk_ack_backlog = 0;
287
288 /* Listening channels need to use nested locking in order not to
289 * cause lockdep warnings when the created child channels end up
290 * being locked in the same thread as the parent channel.
291 */
292 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
293
294 chan->state = BT_LISTEN;
295 sk->sk_state = BT_LISTEN;
296
297done:
298 release_sock(sk);
299 return err;
300}
301
302static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
303 int flags)
304{
305 DEFINE_WAIT_FUNC(wait, woken_wake_function);
306 struct sock *sk = sock->sk, *nsk;
307 long timeo;
308 int err = 0;
309
310 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
311
312 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
313
314 BT_DBG("sk %p timeo %ld", sk, timeo);
315
316 /* Wait for an incoming connection. (wake-one). */
317 add_wait_queue_exclusive(sk_sleep(sk), &wait);
318 while (1) {
319 if (sk->sk_state != BT_LISTEN) {
320 err = -EBADFD;
321 break;
322 }
323
324 nsk = bt_accept_dequeue(sk, newsock);
325 if (nsk)
326 break;
327
328 if (!timeo) {
329 err = -EAGAIN;
330 break;
331 }
332
333 if (signal_pending(current)) {
334 err = sock_intr_errno(timeo);
335 break;
336 }
337
338 release_sock(sk);
339
340 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
341
342 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
343 }
344 remove_wait_queue(sk_sleep(sk), &wait);
345
346 if (err)
347 goto done;
348
349 newsock->state = SS_CONNECTED;
350
351 BT_DBG("new socket %p", nsk);
352
353done:
354 release_sock(sk);
355 return err;
356}
357
358static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
359 int *len, int peer)
360{
361 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
362 struct sock *sk = sock->sk;
363 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
364
365 BT_DBG("sock %p, sk %p", sock, sk);
366
367 if (peer && sk->sk_state != BT_CONNECTED &&
368 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
369 sk->sk_state != BT_CONFIG)
370 return -ENOTCONN;
371
372 memset(la, 0, sizeof(struct sockaddr_l2));
373 addr->sa_family = AF_BLUETOOTH;
374 *len = sizeof(struct sockaddr_l2);
375
376 la->l2_psm = chan->psm;
377
378 if (peer) {
379 bacpy(&la->l2_bdaddr, &chan->dst);
380 la->l2_cid = cpu_to_le16(chan->dcid);
381 la->l2_bdaddr_type = chan->dst_type;
382 } else {
383 bacpy(&la->l2_bdaddr, &chan->src);
384 la->l2_cid = cpu_to_le16(chan->scid);
385 la->l2_bdaddr_type = chan->src_type;
386 }
387
388 return 0;
389}
390
391static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
392 char __user *optval, int __user *optlen)
393{
394 struct sock *sk = sock->sk;
395 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
396 struct l2cap_options opts;
397 struct l2cap_conninfo cinfo;
398 int len, err = 0;
399 u32 opt;
400
401 BT_DBG("sk %p", sk);
402
403 if (get_user(len, optlen))
404 return -EFAULT;
405
406 lock_sock(sk);
407
408 switch (optname) {
409 case L2CAP_OPTIONS:
410 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
411 * legacy ATT code depends on getsockopt for
412 * L2CAP_OPTIONS we need to let this pass.
413 */
414 if (bdaddr_type_is_le(chan->src_type) &&
415 chan->scid != L2CAP_CID_ATT) {
416 err = -EINVAL;
417 break;
418 }
419
420 memset(&opts, 0, sizeof(opts));
421 opts.imtu = chan->imtu;
422 opts.omtu = chan->omtu;
423 opts.flush_to = chan->flush_to;
424 opts.mode = chan->mode;
425 opts.fcs = chan->fcs;
426 opts.max_tx = chan->max_tx;
427 opts.txwin_size = chan->tx_win;
428
429 len = min_t(unsigned int, len, sizeof(opts));
430 if (copy_to_user(optval, (char *) &opts, len))
431 err = -EFAULT;
432
433 break;
434
435 case L2CAP_LM:
436 switch (chan->sec_level) {
437 case BT_SECURITY_LOW:
438 opt = L2CAP_LM_AUTH;
439 break;
440 case BT_SECURITY_MEDIUM:
441 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
442 break;
443 case BT_SECURITY_HIGH:
444 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
445 L2CAP_LM_SECURE;
446 break;
447 case BT_SECURITY_FIPS:
448 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
449 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
450 break;
451 default:
452 opt = 0;
453 break;
454 }
455
456 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
457 opt |= L2CAP_LM_MASTER;
458
459 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
460 opt |= L2CAP_LM_RELIABLE;
461
462 if (put_user(opt, (u32 __user *) optval))
463 err = -EFAULT;
464
465 break;
466
467 case L2CAP_CONNINFO:
468 if (sk->sk_state != BT_CONNECTED &&
469 !(sk->sk_state == BT_CONNECT2 &&
470 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
471 err = -ENOTCONN;
472 break;
473 }
474
475 memset(&cinfo, 0, sizeof(cinfo));
476 cinfo.hci_handle = chan->conn->hcon->handle;
477 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
478
479 len = min_t(unsigned int, len, sizeof(cinfo));
480 if (copy_to_user(optval, (char *) &cinfo, len))
481 err = -EFAULT;
482
483 break;
484
485 default:
486 err = -ENOPROTOOPT;
487 break;
488 }
489
490 release_sock(sk);
491 return err;
492}
493
494static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
495 char __user *optval, int __user *optlen)
496{
497 struct sock *sk = sock->sk;
498 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
499 struct bt_security sec;
500 struct bt_power pwr;
501 int len, err = 0;
502
503 BT_DBG("sk %p", sk);
504
505 if (level == SOL_L2CAP)
506 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
507
508 if (level != SOL_BLUETOOTH)
509 return -ENOPROTOOPT;
510
511 if (get_user(len, optlen))
512 return -EFAULT;
513
514 lock_sock(sk);
515
516 switch (optname) {
517 case BT_SECURITY:
518 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
519 chan->chan_type != L2CAP_CHAN_FIXED &&
520 chan->chan_type != L2CAP_CHAN_RAW) {
521 err = -EINVAL;
522 break;
523 }
524
525 memset(&sec, 0, sizeof(sec));
526 if (chan->conn) {
527 sec.level = chan->conn->hcon->sec_level;
528
529 if (sk->sk_state == BT_CONNECTED)
530 sec.key_size = chan->conn->hcon->enc_key_size;
531 } else {
532 sec.level = chan->sec_level;
533 }
534
535 len = min_t(unsigned int, len, sizeof(sec));
536 if (copy_to_user(optval, (char *) &sec, len))
537 err = -EFAULT;
538
539 break;
540
541 case BT_DEFER_SETUP:
542 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
543 err = -EINVAL;
544 break;
545 }
546
547 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
548 (u32 __user *) optval))
549 err = -EFAULT;
550
551 break;
552
553 case BT_FLUSHABLE:
554 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
555 (u32 __user *) optval))
556 err = -EFAULT;
557
558 break;
559
560 case BT_POWER:
561 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
562 && sk->sk_type != SOCK_RAW) {
563 err = -EINVAL;
564 break;
565 }
566
567 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
568
569 len = min_t(unsigned int, len, sizeof(pwr));
570 if (copy_to_user(optval, (char *) &pwr, len))
571 err = -EFAULT;
572
573 break;
574
575 case BT_CHANNEL_POLICY:
576 if (put_user(chan->chan_policy, (u32 __user *) optval))
577 err = -EFAULT;
578 break;
579
580 case BT_SNDMTU:
581 if (!bdaddr_type_is_le(chan->src_type)) {
582 err = -EINVAL;
583 break;
584 }
585
586 if (sk->sk_state != BT_CONNECTED) {
587 err = -ENOTCONN;
588 break;
589 }
590
591 if (put_user(chan->omtu, (u16 __user *) optval))
592 err = -EFAULT;
593 break;
594
595 case BT_RCVMTU:
596 if (!bdaddr_type_is_le(chan->src_type)) {
597 err = -EINVAL;
598 break;
599 }
600
601 if (put_user(chan->imtu, (u16 __user *) optval))
602 err = -EFAULT;
603 break;
604
605 default:
606 err = -ENOPROTOOPT;
607 break;
608 }
609
610 release_sock(sk);
611 return err;
612}
613
614static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
615{
616 switch (chan->scid) {
617 case L2CAP_CID_ATT:
618 if (mtu < L2CAP_LE_MIN_MTU)
619 return false;
620 break;
621
622 default:
623 if (mtu < L2CAP_DEFAULT_MIN_MTU)
624 return false;
625 }
626
627 return true;
628}
629
630static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
631 char __user *optval, unsigned int optlen)
632{
633 struct sock *sk = sock->sk;
634 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
635 struct l2cap_options opts;
636 int len, err = 0;
637 u32 opt;
638
639 BT_DBG("sk %p", sk);
640
641 lock_sock(sk);
642
643 switch (optname) {
644 case L2CAP_OPTIONS:
645 if (bdaddr_type_is_le(chan->src_type)) {
646 err = -EINVAL;
647 break;
648 }
649
650 if (sk->sk_state == BT_CONNECTED) {
651 err = -EINVAL;
652 break;
653 }
654
655 opts.imtu = chan->imtu;
656 opts.omtu = chan->omtu;
657 opts.flush_to = chan->flush_to;
658 opts.mode = chan->mode;
659 opts.fcs = chan->fcs;
660 opts.max_tx = chan->max_tx;
661 opts.txwin_size = chan->tx_win;
662
663 len = min_t(unsigned int, sizeof(opts), optlen);
664 if (copy_from_user((char *) &opts, optval, len)) {
665 err = -EFAULT;
666 break;
667 }
668
669 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
670 err = -EINVAL;
671 break;
672 }
673
674 if (!l2cap_valid_mtu(chan, opts.imtu)) {
675 err = -EINVAL;
676 break;
677 }
678
679 chan->mode = opts.mode;
680 switch (chan->mode) {
681 case L2CAP_MODE_LE_FLOWCTL:
682 break;
683 case L2CAP_MODE_BASIC:
684 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
685 break;
686 case L2CAP_MODE_ERTM:
687 case L2CAP_MODE_STREAMING:
688 if (!disable_ertm)
689 break;
690 /* fall through */
691 default:
692 err = -EINVAL;
693 break;
694 }
695
696 chan->imtu = opts.imtu;
697 chan->omtu = opts.omtu;
698 chan->fcs = opts.fcs;
699 chan->max_tx = opts.max_tx;
700 chan->tx_win = opts.txwin_size;
701 chan->flush_to = opts.flush_to;
702 break;
703
704 case L2CAP_LM:
705 if (get_user(opt, (u32 __user *) optval)) {
706 err = -EFAULT;
707 break;
708 }
709
710 if (opt & L2CAP_LM_FIPS) {
711 err = -EINVAL;
712 break;
713 }
714
715 if (opt & L2CAP_LM_AUTH)
716 chan->sec_level = BT_SECURITY_LOW;
717 if (opt & L2CAP_LM_ENCRYPT)
718 chan->sec_level = BT_SECURITY_MEDIUM;
719 if (opt & L2CAP_LM_SECURE)
720 chan->sec_level = BT_SECURITY_HIGH;
721
722 if (opt & L2CAP_LM_MASTER)
723 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
724 else
725 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
726
727 if (opt & L2CAP_LM_RELIABLE)
728 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
729 else
730 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
731 break;
732
733 default:
734 err = -ENOPROTOOPT;
735 break;
736 }
737
738 release_sock(sk);
739 return err;
740}
741
742static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
743 char __user *optval, unsigned int optlen)
744{
745 struct sock *sk = sock->sk;
746 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
747 struct bt_security sec;
748 struct bt_power pwr;
749 struct l2cap_conn *conn;
750 int len, err = 0;
751 u32 opt;
752
753 BT_DBG("sk %p", sk);
754
755 if (level == SOL_L2CAP)
756 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
757
758 if (level != SOL_BLUETOOTH)
759 return -ENOPROTOOPT;
760
761 lock_sock(sk);
762
763 switch (optname) {
764 case BT_SECURITY:
765 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
766 chan->chan_type != L2CAP_CHAN_FIXED &&
767 chan->chan_type != L2CAP_CHAN_RAW) {
768 err = -EINVAL;
769 break;
770 }
771
772 sec.level = BT_SECURITY_LOW;
773
774 len = min_t(unsigned int, sizeof(sec), optlen);
775 if (copy_from_user((char *) &sec, optval, len)) {
776 err = -EFAULT;
777 break;
778 }
779
780 if (sec.level < BT_SECURITY_LOW ||
781 sec.level > BT_SECURITY_HIGH) {
782 err = -EINVAL;
783 break;
784 }
785
786 chan->sec_level = sec.level;
787
788 if (!chan->conn)
789 break;
790
791 conn = chan->conn;
792
793 /*change security for LE channels */
794 if (chan->scid == L2CAP_CID_ATT) {
795 if (smp_conn_security(conn->hcon, sec.level))
796 break;
797 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
798 sk->sk_state = BT_CONFIG;
799 chan->state = BT_CONFIG;
800
801 /* or for ACL link */
802 } else if ((sk->sk_state == BT_CONNECT2 &&
803 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
804 sk->sk_state == BT_CONNECTED) {
805 if (!l2cap_chan_check_security(chan, true))
806 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
807 else
808 sk->sk_state_change(sk);
809 } else {
810 err = -EINVAL;
811 }
812 break;
813
814 case BT_DEFER_SETUP:
815 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
816 err = -EINVAL;
817 break;
818 }
819
820 if (get_user(opt, (u32 __user *) optval)) {
821 err = -EFAULT;
822 break;
823 }
824
825 if (opt) {
826 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
827 set_bit(FLAG_DEFER_SETUP, &chan->flags);
828 } else {
829 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
830 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
831 }
832 break;
833
834 case BT_FLUSHABLE:
835 if (get_user(opt, (u32 __user *) optval)) {
836 err = -EFAULT;
837 break;
838 }
839
840 if (opt > BT_FLUSHABLE_ON) {
841 err = -EINVAL;
842 break;
843 }
844
845 if (opt == BT_FLUSHABLE_OFF) {
846 conn = chan->conn;
847 /* proceed further only when we have l2cap_conn and
848 No Flush support in the LM */
849 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
850 err = -EINVAL;
851 break;
852 }
853 }
854
855 if (opt)
856 set_bit(FLAG_FLUSHABLE, &chan->flags);
857 else
858 clear_bit(FLAG_FLUSHABLE, &chan->flags);
859 break;
860
861 case BT_POWER:
862 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
863 chan->chan_type != L2CAP_CHAN_RAW) {
864 err = -EINVAL;
865 break;
866 }
867
868 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
869
870 len = min_t(unsigned int, sizeof(pwr), optlen);
871 if (copy_from_user((char *) &pwr, optval, len)) {
872 err = -EFAULT;
873 break;
874 }
875
876 if (pwr.force_active)
877 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
878 else
879 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
880 break;
881
882 case BT_CHANNEL_POLICY:
883 if (get_user(opt, (u32 __user *) optval)) {
884 err = -EFAULT;
885 break;
886 }
887
888 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
889 err = -EINVAL;
890 break;
891 }
892
893 if (chan->mode != L2CAP_MODE_ERTM &&
894 chan->mode != L2CAP_MODE_STREAMING) {
895 err = -EOPNOTSUPP;
896 break;
897 }
898
899 chan->chan_policy = (u8) opt;
900
901 if (sk->sk_state == BT_CONNECTED &&
902 chan->move_role == L2CAP_MOVE_ROLE_NONE)
903 l2cap_move_start(chan);
904
905 break;
906
907 case BT_SNDMTU:
908 if (!bdaddr_type_is_le(chan->src_type)) {
909 err = -EINVAL;
910 break;
911 }
912
913 /* Setting is not supported as it's the remote side that
914 * decides this.
915 */
916 err = -EPERM;
917 break;
918
919 case BT_RCVMTU:
920 if (!bdaddr_type_is_le(chan->src_type)) {
921 err = -EINVAL;
922 break;
923 }
924
925 if (sk->sk_state == BT_CONNECTED) {
926 err = -EISCONN;
927 break;
928 }
929
930 if (get_user(opt, (u32 __user *) optval)) {
931 err = -EFAULT;
932 break;
933 }
934
935 chan->imtu = opt;
936 break;
937
938 default:
939 err = -ENOPROTOOPT;
940 break;
941 }
942
943 release_sock(sk);
944 return err;
945}
946
947static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
948 size_t len)
949{
950 struct sock *sk = sock->sk;
951 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
952 int err;
953
954 BT_DBG("sock %p, sk %p", sock, sk);
955
956 err = sock_error(sk);
957 if (err)
958 return err;
959
960 if (msg->msg_flags & MSG_OOB)
961 return -EOPNOTSUPP;
962
963 if (sk->sk_state != BT_CONNECTED)
964 return -ENOTCONN;
965
966 lock_sock(sk);
967 err = bt_sock_wait_ready(sk, msg->msg_flags);
968 release_sock(sk);
969 if (err)
970 return err;
971
972 l2cap_chan_lock(chan);
973 err = l2cap_chan_send(chan, msg, len);
974 l2cap_chan_unlock(chan);
975
976 return err;
977}
978
979static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
980 size_t len, int flags)
981{
982 struct sock *sk = sock->sk;
983 struct l2cap_pinfo *pi = l2cap_pi(sk);
984 int err;
985
986 lock_sock(sk);
987
988 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
989 &bt_sk(sk)->flags)) {
990 if (bdaddr_type_is_le(pi->chan->src_type)) {
991 sk->sk_state = BT_CONNECTED;
992 pi->chan->state = BT_CONNECTED;
993 __l2cap_le_connect_rsp_defer(pi->chan);
994 } else {
995 sk->sk_state = BT_CONFIG;
996 pi->chan->state = BT_CONFIG;
997 __l2cap_connect_rsp_defer(pi->chan);
998 }
999
1000 err = 0;
1001 goto done;
1002 }
1003
1004 release_sock(sk);
1005
1006 if (sock->type == SOCK_STREAM)
1007 err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1008 else
1009 err = bt_sock_recvmsg(sock, msg, len, flags);
1010
1011 if (pi->chan->mode != L2CAP_MODE_ERTM)
1012 return err;
1013
1014 /* Attempt to put pending rx data in the socket buffer */
1015
1016 lock_sock(sk);
1017
1018 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1019 goto done;
1020
1021 if (pi->rx_busy_skb) {
1022 if (!sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1023 pi->rx_busy_skb = NULL;
1024 else
1025 goto done;
1026 }
1027
1028 /* Restore data flow when half of the receive buffer is
1029 * available. This avoids resending large numbers of
1030 * frames.
1031 */
1032 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1033 l2cap_chan_busy(pi->chan, 0);
1034
1035done:
1036 release_sock(sk);
1037 return err;
1038}
1039
1040/* Kill socket (only if zapped and orphan)
1041 * Must be called on unlocked socket.
1042 */
1043static void l2cap_sock_kill(struct sock *sk)
1044{
1045 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1046 return;
1047
1048 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1049
1050 /* Kill poor orphan */
1051
1052 l2cap_chan_put(l2cap_pi(sk)->chan);
1053 sock_set_flag(sk, SOCK_DEAD);
1054 sock_put(sk);
1055}
1056
1057static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1058{
1059 DECLARE_WAITQUEUE(wait, current);
1060 int err = 0;
1061 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1062 /* Timeout to prevent infinite loop */
1063 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1064
1065 add_wait_queue(sk_sleep(sk), &wait);
1066 set_current_state(TASK_INTERRUPTIBLE);
1067 do {
1068 BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1069 chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1070 jiffies_to_msecs(timeout - jiffies));
1071
1072 if (!timeo)
1073 timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1074
1075 if (signal_pending(current)) {
1076 err = sock_intr_errno(timeo);
1077 break;
1078 }
1079
1080 release_sock(sk);
1081 timeo = schedule_timeout(timeo);
1082 lock_sock(sk);
1083 set_current_state(TASK_INTERRUPTIBLE);
1084
1085 err = sock_error(sk);
1086 if (err)
1087 break;
1088
1089 if (time_after(jiffies, timeout)) {
1090 err = -ENOLINK;
1091 break;
1092 }
1093
1094 } while (chan->unacked_frames > 0 &&
1095 chan->state == BT_CONNECTED);
1096
1097 set_current_state(TASK_RUNNING);
1098 remove_wait_queue(sk_sleep(sk), &wait);
1099 return err;
1100}
1101
1102static int l2cap_sock_shutdown(struct socket *sock, int how)
1103{
1104 struct sock *sk = sock->sk;
1105 struct l2cap_chan *chan;
1106 struct l2cap_conn *conn;
1107 int err = 0;
1108
1109 BT_DBG("sock %p, sk %p", sock, sk);
1110
1111 if (!sk)
1112 return 0;
1113
1114 lock_sock(sk);
1115
1116 if (sk->sk_shutdown)
1117 goto shutdown_already;
1118
1119 BT_DBG("Handling sock shutdown");
1120
1121 /* prevent sk structure from being freed whilst unlocked */
1122 sock_hold(sk);
1123
1124 chan = l2cap_pi(sk)->chan;
1125 /* prevent chan structure from being freed whilst unlocked */
1126 l2cap_chan_hold(chan);
1127
1128 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1129
1130 if (chan->mode == L2CAP_MODE_ERTM &&
1131 chan->unacked_frames > 0 &&
1132 chan->state == BT_CONNECTED) {
1133 err = __l2cap_wait_ack(sk, chan);
1134
1135 /* After waiting for ACKs, check whether shutdown
1136 * has already been actioned to close the L2CAP
1137 * link such as by l2cap_disconnection_req().
1138 */
1139 if (sk->sk_shutdown)
1140 goto has_shutdown;
1141 }
1142
1143 sk->sk_shutdown = SHUTDOWN_MASK;
1144 release_sock(sk);
1145
1146 l2cap_chan_lock(chan);
1147 conn = chan->conn;
1148 if (conn)
1149 /* prevent conn structure from being freed */
1150 l2cap_conn_get(conn);
1151 l2cap_chan_unlock(chan);
1152
1153 if (conn)
1154 /* mutex lock must be taken before l2cap_chan_lock() */
1155 mutex_lock(&conn->chan_lock);
1156
1157 l2cap_chan_lock(chan);
1158 l2cap_chan_close(chan, 0);
1159 l2cap_chan_unlock(chan);
1160
1161 if (conn) {
1162 mutex_unlock(&conn->chan_lock);
1163 l2cap_conn_put(conn);
1164 }
1165
1166 lock_sock(sk);
1167
1168 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1169 !(current->flags & PF_EXITING))
1170 err = bt_sock_wait_state(sk, BT_CLOSED,
1171 sk->sk_lingertime);
1172
1173has_shutdown:
1174 l2cap_chan_put(chan);
1175 sock_put(sk);
1176
1177shutdown_already:
1178 if (!err && sk->sk_err)
1179 err = -sk->sk_err;
1180
1181 release_sock(sk);
1182
1183 BT_DBG("Sock shutdown complete err: %d", err);
1184
1185 return err;
1186}
1187
1188static int l2cap_sock_release(struct socket *sock)
1189{
1190 struct sock *sk = sock->sk;
1191 int err;
1192
1193 BT_DBG("sock %p, sk %p", sock, sk);
1194
1195 if (!sk)
1196 return 0;
1197
1198 bt_sock_unlink(&l2cap_sk_list, sk);
1199
1200 err = l2cap_sock_shutdown(sock, 2);
1201
1202 sock_orphan(sk);
1203 l2cap_sock_kill(sk);
1204 return err;
1205}
1206
1207static void l2cap_sock_cleanup_listen(struct sock *parent)
1208{
1209 struct sock *sk;
1210
1211 BT_DBG("parent %p state %s", parent,
1212 state_to_string(parent->sk_state));
1213
1214 /* Close not yet accepted channels */
1215 while ((sk = bt_accept_dequeue(parent, NULL))) {
1216 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1217
1218 BT_DBG("child chan %p state %s", chan,
1219 state_to_string(chan->state));
1220
1221 l2cap_chan_lock(chan);
1222 __clear_chan_timer(chan);
1223 l2cap_chan_close(chan, ECONNRESET);
1224 l2cap_chan_unlock(chan);
1225
1226 l2cap_sock_kill(sk);
1227 }
1228}
1229
1230static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1231{
1232 struct sock *sk, *parent = chan->data;
1233
1234 lock_sock(parent);
1235
1236 /* Check for backlog size */
1237 if (sk_acceptq_is_full(parent)) {
1238 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1239 release_sock(parent);
1240 return NULL;
1241 }
1242
1243 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1244 GFP_ATOMIC, 0);
1245 if (!sk) {
1246 release_sock(parent);
1247 return NULL;
1248 }
1249
1250 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1251
1252 l2cap_sock_init(sk, parent);
1253
1254 bt_accept_enqueue(parent, sk);
1255
1256 release_sock(parent);
1257
1258 return l2cap_pi(sk)->chan;
1259}
1260
1261static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1262{
1263 struct sock *sk = chan->data;
1264 int err;
1265
1266 lock_sock(sk);
1267
1268 if (l2cap_pi(sk)->rx_busy_skb) {
1269 err = -ENOMEM;
1270 goto done;
1271 }
1272
1273 err = sock_queue_rcv_skb(sk, skb);
1274
1275 /* For ERTM, handle one skb that doesn't fit into the recv
1276 * buffer. This is important to do because the data frames
1277 * have already been acked, so the skb cannot be discarded.
1278 *
1279 * Notify the l2cap core that the buffer is full, so the
1280 * LOCAL_BUSY state is entered and no more frames are
1281 * acked and reassembled until there is buffer space
1282 * available.
1283 */
1284 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1285 l2cap_pi(sk)->rx_busy_skb = skb;
1286 l2cap_chan_busy(chan, 1);
1287 err = 0;
1288 }
1289
1290done:
1291 release_sock(sk);
1292
1293 return err;
1294}
1295
1296static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1297{
1298 struct sock *sk = chan->data;
1299
1300 l2cap_sock_kill(sk);
1301}
1302
1303static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1304{
1305 struct sock *sk = chan->data;
1306 struct sock *parent;
1307
1308 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1309
1310 /* This callback can be called both for server (BT_LISTEN)
1311 * sockets as well as "normal" ones. To avoid lockdep warnings
1312 * with child socket locking (through l2cap_sock_cleanup_listen)
1313 * we need separation into separate nesting levels. The simplest
1314 * way to accomplish this is to inherit the nesting level used
1315 * for the channel.
1316 */
1317 lock_sock_nested(sk, atomic_read(&chan->nesting));
1318
1319 parent = bt_sk(sk)->parent;
1320
1321 sock_set_flag(sk, SOCK_ZAPPED);
1322
1323 switch (chan->state) {
1324 case BT_OPEN:
1325 case BT_BOUND:
1326 case BT_CLOSED:
1327 break;
1328 case BT_LISTEN:
1329 l2cap_sock_cleanup_listen(sk);
1330 sk->sk_state = BT_CLOSED;
1331 chan->state = BT_CLOSED;
1332
1333 break;
1334 default:
1335 sk->sk_state = BT_CLOSED;
1336 chan->state = BT_CLOSED;
1337
1338 sk->sk_err = err;
1339
1340 if (parent) {
1341 bt_accept_unlink(sk);
1342 parent->sk_data_ready(parent);
1343 } else {
1344 sk->sk_state_change(sk);
1345 }
1346
1347 break;
1348 }
1349
1350 release_sock(sk);
1351}
1352
1353static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1354 int err)
1355{
1356 struct sock *sk = chan->data;
1357
1358 sk->sk_state = state;
1359
1360 if (err)
1361 sk->sk_err = err;
1362}
1363
1364static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1365 unsigned long hdr_len,
1366 unsigned long len, int nb)
1367{
1368 struct sock *sk = chan->data;
1369 struct sk_buff *skb;
1370 int err;
1371
1372 l2cap_chan_unlock(chan);
1373 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1374 l2cap_chan_lock(chan);
1375
1376 if (!skb)
1377 return ERR_PTR(err);
1378
1379 skb->priority = sk->sk_priority;
1380
1381 bt_cb(skb)->l2cap.chan = chan;
1382
1383 return skb;
1384}
1385
1386static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1387{
1388 struct sock *sk = chan->data;
1389 struct sock *parent;
1390
1391 lock_sock(sk);
1392
1393 parent = bt_sk(sk)->parent;
1394
1395 BT_DBG("sk %p, parent %p", sk, parent);
1396
1397 sk->sk_state = BT_CONNECTED;
1398 sk->sk_state_change(sk);
1399
1400 if (parent)
1401 parent->sk_data_ready(parent);
1402
1403 release_sock(sk);
1404}
1405
1406static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1407{
1408 struct sock *parent, *sk = chan->data;
1409
1410 lock_sock(sk);
1411
1412 parent = bt_sk(sk)->parent;
1413 if (parent)
1414 parent->sk_data_ready(parent);
1415
1416 release_sock(sk);
1417}
1418
1419static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1420{
1421 struct sock *sk = chan->data;
1422
1423 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1424 sk->sk_state = BT_CONNECTED;
1425 chan->state = BT_CONNECTED;
1426 }
1427
1428 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1429 sk->sk_state_change(sk);
1430}
1431
1432static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1433{
1434 struct sock *sk = chan->data;
1435
1436 lock_sock(sk);
1437 sk->sk_shutdown = SHUTDOWN_MASK;
1438 release_sock(sk);
1439}
1440
1441static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1442{
1443 struct sock *sk = chan->data;
1444
1445 return sk->sk_sndtimeo;
1446}
1447
1448static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1449{
1450 struct sock *sk = chan->data;
1451
1452 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1453 sk->sk_state_change(sk);
1454}
1455
1456static const struct l2cap_ops l2cap_chan_ops = {
1457 .name = "L2CAP Socket Interface",
1458 .new_connection = l2cap_sock_new_connection_cb,
1459 .recv = l2cap_sock_recv_cb,
1460 .close = l2cap_sock_close_cb,
1461 .teardown = l2cap_sock_teardown_cb,
1462 .state_change = l2cap_sock_state_change_cb,
1463 .ready = l2cap_sock_ready_cb,
1464 .defer = l2cap_sock_defer_cb,
1465 .resume = l2cap_sock_resume_cb,
1466 .suspend = l2cap_sock_suspend_cb,
1467 .set_shutdown = l2cap_sock_set_shutdown_cb,
1468 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1469 .alloc_skb = l2cap_sock_alloc_skb_cb,
1470};
1471
1472static void l2cap_sock_destruct(struct sock *sk)
1473{
1474 BT_DBG("sk %p", sk);
1475
1476 if (l2cap_pi(sk)->chan)
1477 l2cap_chan_put(l2cap_pi(sk)->chan);
1478
1479 if (l2cap_pi(sk)->rx_busy_skb) {
1480 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1481 l2cap_pi(sk)->rx_busy_skb = NULL;
1482 }
1483
1484 skb_queue_purge(&sk->sk_receive_queue);
1485 skb_queue_purge(&sk->sk_write_queue);
1486}
1487
1488static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1489 int *msg_namelen)
1490{
1491 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1492
1493 memset(la, 0, sizeof(struct sockaddr_l2));
1494 la->l2_family = AF_BLUETOOTH;
1495 la->l2_psm = bt_cb(skb)->l2cap.psm;
1496 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1497
1498 *msg_namelen = sizeof(struct sockaddr_l2);
1499}
1500
1501static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1502{
1503 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1504
1505 BT_DBG("sk %p", sk);
1506
1507 if (parent) {
1508 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1509
1510 sk->sk_type = parent->sk_type;
1511 bt_sk(sk)->flags = bt_sk(parent)->flags;
1512
1513 chan->chan_type = pchan->chan_type;
1514 chan->imtu = pchan->imtu;
1515 chan->omtu = pchan->omtu;
1516 chan->conf_state = pchan->conf_state;
1517 chan->mode = pchan->mode;
1518 chan->fcs = pchan->fcs;
1519 chan->max_tx = pchan->max_tx;
1520 chan->tx_win = pchan->tx_win;
1521 chan->tx_win_max = pchan->tx_win_max;
1522 chan->sec_level = pchan->sec_level;
1523 chan->flags = pchan->flags;
1524 chan->tx_credits = pchan->tx_credits;
1525 chan->rx_credits = pchan->rx_credits;
1526
1527 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1528 chan->scid = pchan->scid;
1529 chan->dcid = pchan->scid;
1530 }
1531
1532 security_sk_clone(parent, sk);
1533 } else {
1534 switch (sk->sk_type) {
1535 case SOCK_RAW:
1536 chan->chan_type = L2CAP_CHAN_RAW;
1537 break;
1538 case SOCK_DGRAM:
1539 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1540 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1541 break;
1542 case SOCK_SEQPACKET:
1543 case SOCK_STREAM:
1544 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1545 break;
1546 }
1547
1548 chan->imtu = L2CAP_DEFAULT_MTU;
1549 chan->omtu = 0;
1550 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1551 chan->mode = L2CAP_MODE_ERTM;
1552 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1553 } else {
1554 chan->mode = L2CAP_MODE_BASIC;
1555 }
1556
1557 l2cap_chan_set_defaults(chan);
1558 }
1559
1560 /* Default config options */
1561 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1562
1563 chan->data = sk;
1564 chan->ops = &l2cap_chan_ops;
1565}
1566
1567static struct proto l2cap_proto = {
1568 .name = "L2CAP",
1569 .owner = THIS_MODULE,
1570 .obj_size = sizeof(struct l2cap_pinfo)
1571};
1572
1573static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1574 int proto, gfp_t prio, int kern)
1575{
1576 struct sock *sk;
1577 struct l2cap_chan *chan;
1578
1579 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern);
1580 if (!sk)
1581 return NULL;
1582
1583 sock_init_data(sock, sk);
1584 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1585
1586 sk->sk_destruct = l2cap_sock_destruct;
1587 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1588
1589 sock_reset_flag(sk, SOCK_ZAPPED);
1590
1591 sk->sk_protocol = proto;
1592 sk->sk_state = BT_OPEN;
1593
1594 chan = l2cap_chan_create();
1595 if (!chan) {
1596 sk_free(sk);
1597 return NULL;
1598 }
1599
1600 l2cap_chan_hold(chan);
1601
1602 l2cap_pi(sk)->chan = chan;
1603
1604 return sk;
1605}
1606
1607static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1608 int kern)
1609{
1610 struct sock *sk;
1611
1612 BT_DBG("sock %p", sock);
1613
1614 sock->state = SS_UNCONNECTED;
1615
1616 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1617 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1618 return -ESOCKTNOSUPPORT;
1619
1620 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1621 return -EPERM;
1622
1623 sock->ops = &l2cap_sock_ops;
1624
1625 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1626 if (!sk)
1627 return -ENOMEM;
1628
1629 l2cap_sock_init(sk, NULL);
1630 bt_sock_link(&l2cap_sk_list, sk);
1631 return 0;
1632}
1633
1634static const struct proto_ops l2cap_sock_ops = {
1635 .family = PF_BLUETOOTH,
1636 .owner = THIS_MODULE,
1637 .release = l2cap_sock_release,
1638 .bind = l2cap_sock_bind,
1639 .connect = l2cap_sock_connect,
1640 .listen = l2cap_sock_listen,
1641 .accept = l2cap_sock_accept,
1642 .getname = l2cap_sock_getname,
1643 .sendmsg = l2cap_sock_sendmsg,
1644 .recvmsg = l2cap_sock_recvmsg,
1645 .poll = bt_sock_poll,
1646 .ioctl = bt_sock_ioctl,
1647 .mmap = sock_no_mmap,
1648 .socketpair = sock_no_socketpair,
1649 .shutdown = l2cap_sock_shutdown,
1650 .setsockopt = l2cap_sock_setsockopt,
1651 .getsockopt = l2cap_sock_getsockopt
1652};
1653
1654static const struct net_proto_family l2cap_sock_family_ops = {
1655 .family = PF_BLUETOOTH,
1656 .owner = THIS_MODULE,
1657 .create = l2cap_sock_create,
1658};
1659
1660int __init l2cap_init_sockets(void)
1661{
1662 int err;
1663
1664 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1665
1666 err = proto_register(&l2cap_proto, 0);
1667 if (err < 0)
1668 return err;
1669
1670 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1671 if (err < 0) {
1672 BT_ERR("L2CAP socket registration failed");
1673 goto error;
1674 }
1675
1676 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1677 NULL);
1678 if (err < 0) {
1679 BT_ERR("Failed to create L2CAP proc file");
1680 bt_sock_unregister(BTPROTO_L2CAP);
1681 goto error;
1682 }
1683
1684 BT_INFO("L2CAP socket layer initialized");
1685
1686 return 0;
1687
1688error:
1689 proto_unregister(&l2cap_proto);
1690 return err;
1691}
1692
1693void l2cap_cleanup_sockets(void)
1694{
1695 bt_procfs_cleanup(&init_net, "l2cap");
1696 bt_sock_unregister(BTPROTO_L2CAP);
1697 proto_unregister(&l2cap_proto);
1698}
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
26*/
27
28/* Bluetooth L2CAP sockets. */
29
30#include <linux/module.h>
31#include <linux/export.h>
32
33#include <net/bluetooth/bluetooth.h>
34#include <net/bluetooth/hci_core.h>
35#include <net/bluetooth/l2cap.h>
36
37#include "smp.h"
38
39static struct bt_sock_list l2cap_sk_list = {
40 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
41};
42
43static const struct proto_ops l2cap_sock_ops;
44static void l2cap_sock_init(struct sock *sk, struct sock *parent);
45static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
46 int proto, gfp_t prio);
47
48bool l2cap_is_socket(struct socket *sock)
49{
50 return sock && sock->ops == &l2cap_sock_ops;
51}
52EXPORT_SYMBOL(l2cap_is_socket);
53
54static int l2cap_validate_bredr_psm(u16 psm)
55{
56 /* PSM must be odd and lsb of upper byte must be 0 */
57 if ((psm & 0x0101) != 0x0001)
58 return -EINVAL;
59
60 /* Restrict usage of well-known PSMs */
61 if (psm < 0x1001 && !capable(CAP_NET_BIND_SERVICE))
62 return -EACCES;
63
64 return 0;
65}
66
67static int l2cap_validate_le_psm(u16 psm)
68{
69 /* Valid LE_PSM ranges are defined only until 0x00ff */
70 if (psm > 0x00ff)
71 return -EINVAL;
72
73 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
74 if (psm <= 0x007f && !capable(CAP_NET_BIND_SERVICE))
75 return -EACCES;
76
77 return 0;
78}
79
80static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
81{
82 struct sock *sk = sock->sk;
83 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
84 struct sockaddr_l2 la;
85 int len, err = 0;
86
87 BT_DBG("sk %p", sk);
88
89 if (!addr || addr->sa_family != AF_BLUETOOTH)
90 return -EINVAL;
91
92 memset(&la, 0, sizeof(la));
93 len = min_t(unsigned int, sizeof(la), alen);
94 memcpy(&la, addr, len);
95
96 if (la.l2_cid && la.l2_psm)
97 return -EINVAL;
98
99 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
100 return -EINVAL;
101
102 if (la.l2_cid) {
103 /* When the socket gets created it defaults to
104 * CHAN_CONN_ORIENTED, so we need to overwrite the
105 * default here.
106 */
107 chan->chan_type = L2CAP_CHAN_FIXED;
108 chan->omtu = L2CAP_DEFAULT_MTU;
109 }
110
111 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
112 /* We only allow ATT user space socket */
113 if (la.l2_cid &&
114 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
115 return -EINVAL;
116 }
117
118 lock_sock(sk);
119
120 if (sk->sk_state != BT_OPEN) {
121 err = -EBADFD;
122 goto done;
123 }
124
125 if (la.l2_psm) {
126 __u16 psm = __le16_to_cpu(la.l2_psm);
127
128 if (la.l2_bdaddr_type == BDADDR_BREDR)
129 err = l2cap_validate_bredr_psm(psm);
130 else
131 err = l2cap_validate_le_psm(psm);
132
133 if (err)
134 goto done;
135 }
136
137 if (la.l2_cid)
138 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
139 else
140 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
141
142 if (err < 0)
143 goto done;
144
145 switch (chan->chan_type) {
146 case L2CAP_CHAN_CONN_LESS:
147 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
148 chan->sec_level = BT_SECURITY_SDP;
149 break;
150 case L2CAP_CHAN_CONN_ORIENTED:
151 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
152 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
153 chan->sec_level = BT_SECURITY_SDP;
154 break;
155 case L2CAP_CHAN_RAW:
156 chan->sec_level = BT_SECURITY_SDP;
157 break;
158 }
159
160 bacpy(&chan->src, &la.l2_bdaddr);
161 chan->src_type = la.l2_bdaddr_type;
162
163 if (chan->psm && bdaddr_type_is_le(chan->src_type))
164 chan->mode = L2CAP_MODE_LE_FLOWCTL;
165
166 chan->state = BT_BOUND;
167 sk->sk_state = BT_BOUND;
168
169done:
170 release_sock(sk);
171 return err;
172}
173
174static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
175 int alen, int flags)
176{
177 struct sock *sk = sock->sk;
178 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
179 struct sockaddr_l2 la;
180 int len, err = 0;
181
182 BT_DBG("sk %p", sk);
183
184 if (!addr || alen < sizeof(addr->sa_family) ||
185 addr->sa_family != AF_BLUETOOTH)
186 return -EINVAL;
187
188 memset(&la, 0, sizeof(la));
189 len = min_t(unsigned int, sizeof(la), alen);
190 memcpy(&la, addr, len);
191
192 if (la.l2_cid && la.l2_psm)
193 return -EINVAL;
194
195 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
196 return -EINVAL;
197
198 /* Check that the socket wasn't bound to something that
199 * conflicts with the address given to connect(). If chan->src
200 * is BDADDR_ANY it means bind() was never used, in which case
201 * chan->src_type and la.l2_bdaddr_type do not need to match.
202 */
203 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
204 bdaddr_type_is_le(la.l2_bdaddr_type)) {
205 /* Old user space versions will try to incorrectly bind
206 * the ATT socket using BDADDR_BREDR. We need to accept
207 * this and fix up the source address type only when
208 * both the source CID and destination CID indicate
209 * ATT. Anything else is an invalid combination.
210 */
211 if (chan->scid != L2CAP_CID_ATT ||
212 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
213 return -EINVAL;
214
215 /* We don't have the hdev available here to make a
216 * better decision on random vs public, but since all
217 * user space versions that exhibit this issue anyway do
218 * not support random local addresses assuming public
219 * here is good enough.
220 */
221 chan->src_type = BDADDR_LE_PUBLIC;
222 }
223
224 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
225 return -EINVAL;
226
227 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
228 /* We only allow ATT user space socket */
229 if (la.l2_cid &&
230 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
231 return -EINVAL;
232 }
233
234 if (chan->psm && bdaddr_type_is_le(chan->src_type))
235 chan->mode = L2CAP_MODE_LE_FLOWCTL;
236
237 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
238 &la.l2_bdaddr, la.l2_bdaddr_type);
239 if (err)
240 return err;
241
242 lock_sock(sk);
243
244 err = bt_sock_wait_state(sk, BT_CONNECTED,
245 sock_sndtimeo(sk, flags & O_NONBLOCK));
246
247 release_sock(sk);
248
249 return err;
250}
251
252static int l2cap_sock_listen(struct socket *sock, int backlog)
253{
254 struct sock *sk = sock->sk;
255 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
256 int err = 0;
257
258 BT_DBG("sk %p backlog %d", sk, backlog);
259
260 lock_sock(sk);
261
262 if (sk->sk_state != BT_BOUND) {
263 err = -EBADFD;
264 goto done;
265 }
266
267 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
268 err = -EINVAL;
269 goto done;
270 }
271
272 switch (chan->mode) {
273 case L2CAP_MODE_BASIC:
274 case L2CAP_MODE_LE_FLOWCTL:
275 break;
276 case L2CAP_MODE_ERTM:
277 case L2CAP_MODE_STREAMING:
278 if (!disable_ertm)
279 break;
280 /* fall through */
281 default:
282 err = -ENOTSUPP;
283 goto done;
284 }
285
286 sk->sk_max_ack_backlog = backlog;
287 sk->sk_ack_backlog = 0;
288
289 chan->state = BT_LISTEN;
290 sk->sk_state = BT_LISTEN;
291
292done:
293 release_sock(sk);
294 return err;
295}
296
297static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
298 int flags)
299{
300 DECLARE_WAITQUEUE(wait, current);
301 struct sock *sk = sock->sk, *nsk;
302 long timeo;
303 int err = 0;
304
305 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
306
307 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
308
309 BT_DBG("sk %p timeo %ld", sk, timeo);
310
311 /* Wait for an incoming connection. (wake-one). */
312 add_wait_queue_exclusive(sk_sleep(sk), &wait);
313 while (1) {
314 set_current_state(TASK_INTERRUPTIBLE);
315
316 if (sk->sk_state != BT_LISTEN) {
317 err = -EBADFD;
318 break;
319 }
320
321 nsk = bt_accept_dequeue(sk, newsock);
322 if (nsk)
323 break;
324
325 if (!timeo) {
326 err = -EAGAIN;
327 break;
328 }
329
330 if (signal_pending(current)) {
331 err = sock_intr_errno(timeo);
332 break;
333 }
334
335 release_sock(sk);
336 timeo = schedule_timeout(timeo);
337 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
338 }
339 __set_current_state(TASK_RUNNING);
340 remove_wait_queue(sk_sleep(sk), &wait);
341
342 if (err)
343 goto done;
344
345 newsock->state = SS_CONNECTED;
346
347 BT_DBG("new socket %p", nsk);
348
349done:
350 release_sock(sk);
351 return err;
352}
353
354static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
355 int *len, int peer)
356{
357 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
358 struct sock *sk = sock->sk;
359 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
360
361 BT_DBG("sock %p, sk %p", sock, sk);
362
363 if (peer && sk->sk_state != BT_CONNECTED &&
364 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2)
365 return -ENOTCONN;
366
367 memset(la, 0, sizeof(struct sockaddr_l2));
368 addr->sa_family = AF_BLUETOOTH;
369 *len = sizeof(struct sockaddr_l2);
370
371 la->l2_psm = chan->psm;
372
373 if (peer) {
374 bacpy(&la->l2_bdaddr, &chan->dst);
375 la->l2_cid = cpu_to_le16(chan->dcid);
376 la->l2_bdaddr_type = chan->dst_type;
377 } else {
378 bacpy(&la->l2_bdaddr, &chan->src);
379 la->l2_cid = cpu_to_le16(chan->scid);
380 la->l2_bdaddr_type = chan->src_type;
381 }
382
383 return 0;
384}
385
386static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
387 char __user *optval, int __user *optlen)
388{
389 struct sock *sk = sock->sk;
390 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
391 struct l2cap_options opts;
392 struct l2cap_conninfo cinfo;
393 int len, err = 0;
394 u32 opt;
395
396 BT_DBG("sk %p", sk);
397
398 if (get_user(len, optlen))
399 return -EFAULT;
400
401 lock_sock(sk);
402
403 switch (optname) {
404 case L2CAP_OPTIONS:
405 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
406 * legacy ATT code depends on getsockopt for
407 * L2CAP_OPTIONS we need to let this pass.
408 */
409 if (bdaddr_type_is_le(chan->src_type) &&
410 chan->scid != L2CAP_CID_ATT) {
411 err = -EINVAL;
412 break;
413 }
414
415 memset(&opts, 0, sizeof(opts));
416 opts.imtu = chan->imtu;
417 opts.omtu = chan->omtu;
418 opts.flush_to = chan->flush_to;
419 opts.mode = chan->mode;
420 opts.fcs = chan->fcs;
421 opts.max_tx = chan->max_tx;
422 opts.txwin_size = chan->tx_win;
423
424 len = min_t(unsigned int, len, sizeof(opts));
425 if (copy_to_user(optval, (char *) &opts, len))
426 err = -EFAULT;
427
428 break;
429
430 case L2CAP_LM:
431 switch (chan->sec_level) {
432 case BT_SECURITY_LOW:
433 opt = L2CAP_LM_AUTH;
434 break;
435 case BT_SECURITY_MEDIUM:
436 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
437 break;
438 case BT_SECURITY_HIGH:
439 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
440 L2CAP_LM_SECURE;
441 break;
442 case BT_SECURITY_FIPS:
443 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
444 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
445 break;
446 default:
447 opt = 0;
448 break;
449 }
450
451 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
452 opt |= L2CAP_LM_MASTER;
453
454 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
455 opt |= L2CAP_LM_RELIABLE;
456
457 if (put_user(opt, (u32 __user *) optval))
458 err = -EFAULT;
459
460 break;
461
462 case L2CAP_CONNINFO:
463 if (sk->sk_state != BT_CONNECTED &&
464 !(sk->sk_state == BT_CONNECT2 &&
465 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
466 err = -ENOTCONN;
467 break;
468 }
469
470 memset(&cinfo, 0, sizeof(cinfo));
471 cinfo.hci_handle = chan->conn->hcon->handle;
472 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
473
474 len = min_t(unsigned int, len, sizeof(cinfo));
475 if (copy_to_user(optval, (char *) &cinfo, len))
476 err = -EFAULT;
477
478 break;
479
480 default:
481 err = -ENOPROTOOPT;
482 break;
483 }
484
485 release_sock(sk);
486 return err;
487}
488
489static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
490 char __user *optval, int __user *optlen)
491{
492 struct sock *sk = sock->sk;
493 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
494 struct bt_security sec;
495 struct bt_power pwr;
496 int len, err = 0;
497
498 BT_DBG("sk %p", sk);
499
500 if (level == SOL_L2CAP)
501 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
502
503 if (level != SOL_BLUETOOTH)
504 return -ENOPROTOOPT;
505
506 if (get_user(len, optlen))
507 return -EFAULT;
508
509 lock_sock(sk);
510
511 switch (optname) {
512 case BT_SECURITY:
513 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
514 chan->chan_type != L2CAP_CHAN_FIXED &&
515 chan->chan_type != L2CAP_CHAN_RAW) {
516 err = -EINVAL;
517 break;
518 }
519
520 memset(&sec, 0, sizeof(sec));
521 if (chan->conn) {
522 sec.level = chan->conn->hcon->sec_level;
523
524 if (sk->sk_state == BT_CONNECTED)
525 sec.key_size = chan->conn->hcon->enc_key_size;
526 } else {
527 sec.level = chan->sec_level;
528 }
529
530 len = min_t(unsigned int, len, sizeof(sec));
531 if (copy_to_user(optval, (char *) &sec, len))
532 err = -EFAULT;
533
534 break;
535
536 case BT_DEFER_SETUP:
537 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
538 err = -EINVAL;
539 break;
540 }
541
542 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
543 (u32 __user *) optval))
544 err = -EFAULT;
545
546 break;
547
548 case BT_FLUSHABLE:
549 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
550 (u32 __user *) optval))
551 err = -EFAULT;
552
553 break;
554
555 case BT_POWER:
556 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
557 && sk->sk_type != SOCK_RAW) {
558 err = -EINVAL;
559 break;
560 }
561
562 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
563
564 len = min_t(unsigned int, len, sizeof(pwr));
565 if (copy_to_user(optval, (char *) &pwr, len))
566 err = -EFAULT;
567
568 break;
569
570 case BT_CHANNEL_POLICY:
571 if (put_user(chan->chan_policy, (u32 __user *) optval))
572 err = -EFAULT;
573 break;
574
575 case BT_SNDMTU:
576 if (!bdaddr_type_is_le(chan->src_type)) {
577 err = -EINVAL;
578 break;
579 }
580
581 if (sk->sk_state != BT_CONNECTED) {
582 err = -ENOTCONN;
583 break;
584 }
585
586 if (put_user(chan->omtu, (u16 __user *) optval))
587 err = -EFAULT;
588 break;
589
590 case BT_RCVMTU:
591 if (!bdaddr_type_is_le(chan->src_type)) {
592 err = -EINVAL;
593 break;
594 }
595
596 if (put_user(chan->imtu, (u16 __user *) optval))
597 err = -EFAULT;
598 break;
599
600 default:
601 err = -ENOPROTOOPT;
602 break;
603 }
604
605 release_sock(sk);
606 return err;
607}
608
609static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
610{
611 switch (chan->scid) {
612 case L2CAP_CID_ATT:
613 if (mtu < L2CAP_LE_MIN_MTU)
614 return false;
615 break;
616
617 default:
618 if (mtu < L2CAP_DEFAULT_MIN_MTU)
619 return false;
620 }
621
622 return true;
623}
624
625static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
626 char __user *optval, unsigned int optlen)
627{
628 struct sock *sk = sock->sk;
629 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
630 struct l2cap_options opts;
631 int len, err = 0;
632 u32 opt;
633
634 BT_DBG("sk %p", sk);
635
636 lock_sock(sk);
637
638 switch (optname) {
639 case L2CAP_OPTIONS:
640 if (bdaddr_type_is_le(chan->src_type)) {
641 err = -EINVAL;
642 break;
643 }
644
645 if (sk->sk_state == BT_CONNECTED) {
646 err = -EINVAL;
647 break;
648 }
649
650 opts.imtu = chan->imtu;
651 opts.omtu = chan->omtu;
652 opts.flush_to = chan->flush_to;
653 opts.mode = chan->mode;
654 opts.fcs = chan->fcs;
655 opts.max_tx = chan->max_tx;
656 opts.txwin_size = chan->tx_win;
657
658 len = min_t(unsigned int, sizeof(opts), optlen);
659 if (copy_from_user((char *) &opts, optval, len)) {
660 err = -EFAULT;
661 break;
662 }
663
664 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
665 err = -EINVAL;
666 break;
667 }
668
669 if (!l2cap_valid_mtu(chan, opts.imtu)) {
670 err = -EINVAL;
671 break;
672 }
673
674 chan->mode = opts.mode;
675 switch (chan->mode) {
676 case L2CAP_MODE_LE_FLOWCTL:
677 break;
678 case L2CAP_MODE_BASIC:
679 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
680 break;
681 case L2CAP_MODE_ERTM:
682 case L2CAP_MODE_STREAMING:
683 if (!disable_ertm)
684 break;
685 /* fall through */
686 default:
687 err = -EINVAL;
688 break;
689 }
690
691 chan->imtu = opts.imtu;
692 chan->omtu = opts.omtu;
693 chan->fcs = opts.fcs;
694 chan->max_tx = opts.max_tx;
695 chan->tx_win = opts.txwin_size;
696 chan->flush_to = opts.flush_to;
697 break;
698
699 case L2CAP_LM:
700 if (get_user(opt, (u32 __user *) optval)) {
701 err = -EFAULT;
702 break;
703 }
704
705 if (opt & L2CAP_LM_FIPS) {
706 err = -EINVAL;
707 break;
708 }
709
710 if (opt & L2CAP_LM_AUTH)
711 chan->sec_level = BT_SECURITY_LOW;
712 if (opt & L2CAP_LM_ENCRYPT)
713 chan->sec_level = BT_SECURITY_MEDIUM;
714 if (opt & L2CAP_LM_SECURE)
715 chan->sec_level = BT_SECURITY_HIGH;
716
717 if (opt & L2CAP_LM_MASTER)
718 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
719 else
720 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
721
722 if (opt & L2CAP_LM_RELIABLE)
723 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
724 else
725 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
726 break;
727
728 default:
729 err = -ENOPROTOOPT;
730 break;
731 }
732
733 release_sock(sk);
734 return err;
735}
736
737static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
738 char __user *optval, unsigned int optlen)
739{
740 struct sock *sk = sock->sk;
741 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
742 struct bt_security sec;
743 struct bt_power pwr;
744 struct l2cap_conn *conn;
745 int len, err = 0;
746 u32 opt;
747
748 BT_DBG("sk %p", sk);
749
750 if (level == SOL_L2CAP)
751 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
752
753 if (level != SOL_BLUETOOTH)
754 return -ENOPROTOOPT;
755
756 lock_sock(sk);
757
758 switch (optname) {
759 case BT_SECURITY:
760 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
761 chan->chan_type != L2CAP_CHAN_FIXED &&
762 chan->chan_type != L2CAP_CHAN_RAW) {
763 err = -EINVAL;
764 break;
765 }
766
767 sec.level = BT_SECURITY_LOW;
768
769 len = min_t(unsigned int, sizeof(sec), optlen);
770 if (copy_from_user((char *) &sec, optval, len)) {
771 err = -EFAULT;
772 break;
773 }
774
775 if (sec.level < BT_SECURITY_LOW ||
776 sec.level > BT_SECURITY_HIGH) {
777 err = -EINVAL;
778 break;
779 }
780
781 chan->sec_level = sec.level;
782
783 if (!chan->conn)
784 break;
785
786 conn = chan->conn;
787
788 /*change security for LE channels */
789 if (chan->scid == L2CAP_CID_ATT) {
790 if (!conn->hcon->out) {
791 err = -EINVAL;
792 break;
793 }
794
795 if (smp_conn_security(conn->hcon, sec.level))
796 break;
797 sk->sk_state = BT_CONFIG;
798 chan->state = BT_CONFIG;
799
800 /* or for ACL link */
801 } else if ((sk->sk_state == BT_CONNECT2 &&
802 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
803 sk->sk_state == BT_CONNECTED) {
804 if (!l2cap_chan_check_security(chan))
805 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
806 else
807 sk->sk_state_change(sk);
808 } else {
809 err = -EINVAL;
810 }
811 break;
812
813 case BT_DEFER_SETUP:
814 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
815 err = -EINVAL;
816 break;
817 }
818
819 if (get_user(opt, (u32 __user *) optval)) {
820 err = -EFAULT;
821 break;
822 }
823
824 if (opt) {
825 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
826 set_bit(FLAG_DEFER_SETUP, &chan->flags);
827 } else {
828 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
829 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
830 }
831 break;
832
833 case BT_FLUSHABLE:
834 if (get_user(opt, (u32 __user *) optval)) {
835 err = -EFAULT;
836 break;
837 }
838
839 if (opt > BT_FLUSHABLE_ON) {
840 err = -EINVAL;
841 break;
842 }
843
844 if (opt == BT_FLUSHABLE_OFF) {
845 conn = chan->conn;
846 /* proceed further only when we have l2cap_conn and
847 No Flush support in the LM */
848 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
849 err = -EINVAL;
850 break;
851 }
852 }
853
854 if (opt)
855 set_bit(FLAG_FLUSHABLE, &chan->flags);
856 else
857 clear_bit(FLAG_FLUSHABLE, &chan->flags);
858 break;
859
860 case BT_POWER:
861 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
862 chan->chan_type != L2CAP_CHAN_RAW) {
863 err = -EINVAL;
864 break;
865 }
866
867 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
868
869 len = min_t(unsigned int, sizeof(pwr), optlen);
870 if (copy_from_user((char *) &pwr, optval, len)) {
871 err = -EFAULT;
872 break;
873 }
874
875 if (pwr.force_active)
876 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
877 else
878 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
879 break;
880
881 case BT_CHANNEL_POLICY:
882 if (get_user(opt, (u32 __user *) optval)) {
883 err = -EFAULT;
884 break;
885 }
886
887 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
888 err = -EINVAL;
889 break;
890 }
891
892 if (chan->mode != L2CAP_MODE_ERTM &&
893 chan->mode != L2CAP_MODE_STREAMING) {
894 err = -EOPNOTSUPP;
895 break;
896 }
897
898 chan->chan_policy = (u8) opt;
899
900 if (sk->sk_state == BT_CONNECTED &&
901 chan->move_role == L2CAP_MOVE_ROLE_NONE)
902 l2cap_move_start(chan);
903
904 break;
905
906 case BT_SNDMTU:
907 if (!bdaddr_type_is_le(chan->src_type)) {
908 err = -EINVAL;
909 break;
910 }
911
912 /* Setting is not supported as it's the remote side that
913 * decides this.
914 */
915 err = -EPERM;
916 break;
917
918 case BT_RCVMTU:
919 if (!bdaddr_type_is_le(chan->src_type)) {
920 err = -EINVAL;
921 break;
922 }
923
924 if (sk->sk_state == BT_CONNECTED) {
925 err = -EISCONN;
926 break;
927 }
928
929 if (get_user(opt, (u32 __user *) optval)) {
930 err = -EFAULT;
931 break;
932 }
933
934 chan->imtu = opt;
935 break;
936
937 default:
938 err = -ENOPROTOOPT;
939 break;
940 }
941
942 release_sock(sk);
943 return err;
944}
945
946static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
947 struct msghdr *msg, size_t len)
948{
949 struct sock *sk = sock->sk;
950 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
951 int err;
952
953 BT_DBG("sock %p, sk %p", sock, sk);
954
955 err = sock_error(sk);
956 if (err)
957 return err;
958
959 if (msg->msg_flags & MSG_OOB)
960 return -EOPNOTSUPP;
961
962 if (sk->sk_state != BT_CONNECTED)
963 return -ENOTCONN;
964
965 lock_sock(sk);
966 err = bt_sock_wait_ready(sk, msg->msg_flags);
967 release_sock(sk);
968 if (err)
969 return err;
970
971 l2cap_chan_lock(chan);
972 err = l2cap_chan_send(chan, msg, len, sk->sk_priority);
973 l2cap_chan_unlock(chan);
974
975 return err;
976}
977
978static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
979 struct msghdr *msg, size_t len, int flags)
980{
981 struct sock *sk = sock->sk;
982 struct l2cap_pinfo *pi = l2cap_pi(sk);
983 int err;
984
985 lock_sock(sk);
986
987 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
988 &bt_sk(sk)->flags)) {
989 if (bdaddr_type_is_le(pi->chan->src_type)) {
990 sk->sk_state = BT_CONNECTED;
991 pi->chan->state = BT_CONNECTED;
992 __l2cap_le_connect_rsp_defer(pi->chan);
993 } else {
994 sk->sk_state = BT_CONFIG;
995 pi->chan->state = BT_CONFIG;
996 __l2cap_connect_rsp_defer(pi->chan);
997 }
998
999 err = 0;
1000 goto done;
1001 }
1002
1003 release_sock(sk);
1004
1005 if (sock->type == SOCK_STREAM)
1006 err = bt_sock_stream_recvmsg(iocb, sock, msg, len, flags);
1007 else
1008 err = bt_sock_recvmsg(iocb, sock, msg, len, flags);
1009
1010 if (pi->chan->mode != L2CAP_MODE_ERTM)
1011 return err;
1012
1013 /* Attempt to put pending rx data in the socket buffer */
1014
1015 lock_sock(sk);
1016
1017 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1018 goto done;
1019
1020 if (pi->rx_busy_skb) {
1021 if (!sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1022 pi->rx_busy_skb = NULL;
1023 else
1024 goto done;
1025 }
1026
1027 /* Restore data flow when half of the receive buffer is
1028 * available. This avoids resending large numbers of
1029 * frames.
1030 */
1031 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1032 l2cap_chan_busy(pi->chan, 0);
1033
1034done:
1035 release_sock(sk);
1036 return err;
1037}
1038
1039/* Kill socket (only if zapped and orphan)
1040 * Must be called on unlocked socket.
1041 */
1042static void l2cap_sock_kill(struct sock *sk)
1043{
1044 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1045 return;
1046
1047 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1048
1049 /* Kill poor orphan */
1050
1051 l2cap_chan_put(l2cap_pi(sk)->chan);
1052 sock_set_flag(sk, SOCK_DEAD);
1053 sock_put(sk);
1054}
1055
1056static int __l2cap_wait_ack(struct sock *sk)
1057{
1058 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1059 DECLARE_WAITQUEUE(wait, current);
1060 int err = 0;
1061 int timeo = HZ/5;
1062
1063 add_wait_queue(sk_sleep(sk), &wait);
1064 set_current_state(TASK_INTERRUPTIBLE);
1065 while (chan->unacked_frames > 0 && chan->conn) {
1066 if (!timeo)
1067 timeo = HZ/5;
1068
1069 if (signal_pending(current)) {
1070 err = sock_intr_errno(timeo);
1071 break;
1072 }
1073
1074 release_sock(sk);
1075 timeo = schedule_timeout(timeo);
1076 lock_sock(sk);
1077 set_current_state(TASK_INTERRUPTIBLE);
1078
1079 err = sock_error(sk);
1080 if (err)
1081 break;
1082 }
1083 set_current_state(TASK_RUNNING);
1084 remove_wait_queue(sk_sleep(sk), &wait);
1085 return err;
1086}
1087
1088static int l2cap_sock_shutdown(struct socket *sock, int how)
1089{
1090 struct sock *sk = sock->sk;
1091 struct l2cap_chan *chan;
1092 struct l2cap_conn *conn;
1093 int err = 0;
1094
1095 BT_DBG("sock %p, sk %p", sock, sk);
1096
1097 if (!sk)
1098 return 0;
1099
1100 chan = l2cap_pi(sk)->chan;
1101 conn = chan->conn;
1102
1103 if (conn)
1104 mutex_lock(&conn->chan_lock);
1105
1106 l2cap_chan_lock(chan);
1107 lock_sock(sk);
1108
1109 if (!sk->sk_shutdown) {
1110 if (chan->mode == L2CAP_MODE_ERTM)
1111 err = __l2cap_wait_ack(sk);
1112
1113 sk->sk_shutdown = SHUTDOWN_MASK;
1114
1115 release_sock(sk);
1116 l2cap_chan_close(chan, 0);
1117 lock_sock(sk);
1118
1119 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
1120 err = bt_sock_wait_state(sk, BT_CLOSED,
1121 sk->sk_lingertime);
1122 }
1123
1124 if (!err && sk->sk_err)
1125 err = -sk->sk_err;
1126
1127 release_sock(sk);
1128 l2cap_chan_unlock(chan);
1129
1130 if (conn)
1131 mutex_unlock(&conn->chan_lock);
1132
1133 return err;
1134}
1135
1136static int l2cap_sock_release(struct socket *sock)
1137{
1138 struct sock *sk = sock->sk;
1139 int err;
1140
1141 BT_DBG("sock %p, sk %p", sock, sk);
1142
1143 if (!sk)
1144 return 0;
1145
1146 bt_sock_unlink(&l2cap_sk_list, sk);
1147
1148 err = l2cap_sock_shutdown(sock, 2);
1149
1150 sock_orphan(sk);
1151 l2cap_sock_kill(sk);
1152 return err;
1153}
1154
1155static void l2cap_sock_cleanup_listen(struct sock *parent)
1156{
1157 struct sock *sk;
1158
1159 BT_DBG("parent %p", parent);
1160
1161 /* Close not yet accepted channels */
1162 while ((sk = bt_accept_dequeue(parent, NULL))) {
1163 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1164
1165 l2cap_chan_lock(chan);
1166 __clear_chan_timer(chan);
1167 l2cap_chan_close(chan, ECONNRESET);
1168 l2cap_chan_unlock(chan);
1169
1170 l2cap_sock_kill(sk);
1171 }
1172}
1173
1174static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1175{
1176 struct sock *sk, *parent = chan->data;
1177
1178 lock_sock(parent);
1179
1180 /* Check for backlog size */
1181 if (sk_acceptq_is_full(parent)) {
1182 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1183 return NULL;
1184 }
1185
1186 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1187 GFP_ATOMIC);
1188 if (!sk)
1189 return NULL;
1190
1191 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1192
1193 l2cap_sock_init(sk, parent);
1194
1195 bt_accept_enqueue(parent, sk);
1196
1197 release_sock(parent);
1198
1199 return l2cap_pi(sk)->chan;
1200}
1201
1202static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1203{
1204 struct sock *sk = chan->data;
1205 int err;
1206
1207 lock_sock(sk);
1208
1209 if (l2cap_pi(sk)->rx_busy_skb) {
1210 err = -ENOMEM;
1211 goto done;
1212 }
1213
1214 err = sock_queue_rcv_skb(sk, skb);
1215
1216 /* For ERTM, handle one skb that doesn't fit into the recv
1217 * buffer. This is important to do because the data frames
1218 * have already been acked, so the skb cannot be discarded.
1219 *
1220 * Notify the l2cap core that the buffer is full, so the
1221 * LOCAL_BUSY state is entered and no more frames are
1222 * acked and reassembled until there is buffer space
1223 * available.
1224 */
1225 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1226 l2cap_pi(sk)->rx_busy_skb = skb;
1227 l2cap_chan_busy(chan, 1);
1228 err = 0;
1229 }
1230
1231done:
1232 release_sock(sk);
1233
1234 return err;
1235}
1236
1237static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1238{
1239 struct sock *sk = chan->data;
1240
1241 l2cap_sock_kill(sk);
1242}
1243
1244static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1245{
1246 struct sock *sk = chan->data;
1247 struct sock *parent;
1248
1249 lock_sock(sk);
1250
1251 parent = bt_sk(sk)->parent;
1252
1253 sock_set_flag(sk, SOCK_ZAPPED);
1254
1255 switch (chan->state) {
1256 case BT_OPEN:
1257 case BT_BOUND:
1258 case BT_CLOSED:
1259 break;
1260 case BT_LISTEN:
1261 l2cap_sock_cleanup_listen(sk);
1262 sk->sk_state = BT_CLOSED;
1263 chan->state = BT_CLOSED;
1264
1265 break;
1266 default:
1267 sk->sk_state = BT_CLOSED;
1268 chan->state = BT_CLOSED;
1269
1270 sk->sk_err = err;
1271
1272 if (parent) {
1273 bt_accept_unlink(sk);
1274 parent->sk_data_ready(parent);
1275 } else {
1276 sk->sk_state_change(sk);
1277 }
1278
1279 break;
1280 }
1281
1282 release_sock(sk);
1283}
1284
1285static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1286 int err)
1287{
1288 struct sock *sk = chan->data;
1289
1290 sk->sk_state = state;
1291
1292 if (err)
1293 sk->sk_err = err;
1294}
1295
1296static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1297 unsigned long len, int nb)
1298{
1299 struct sock *sk = chan->data;
1300 struct sk_buff *skb;
1301 int err;
1302
1303 l2cap_chan_unlock(chan);
1304 skb = bt_skb_send_alloc(sk, len, nb, &err);
1305 l2cap_chan_lock(chan);
1306
1307 if (!skb)
1308 return ERR_PTR(err);
1309
1310 bt_cb(skb)->chan = chan;
1311
1312 return skb;
1313}
1314
1315static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1316{
1317 struct sock *sk = chan->data;
1318 struct sock *parent;
1319
1320 lock_sock(sk);
1321
1322 parent = bt_sk(sk)->parent;
1323
1324 BT_DBG("sk %p, parent %p", sk, parent);
1325
1326 sk->sk_state = BT_CONNECTED;
1327 sk->sk_state_change(sk);
1328
1329 if (parent)
1330 parent->sk_data_ready(parent);
1331
1332 release_sock(sk);
1333}
1334
1335static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1336{
1337 struct sock *parent, *sk = chan->data;
1338
1339 lock_sock(sk);
1340
1341 parent = bt_sk(sk)->parent;
1342 if (parent)
1343 parent->sk_data_ready(parent);
1344
1345 release_sock(sk);
1346}
1347
1348static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1349{
1350 struct sock *sk = chan->data;
1351
1352 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1353 sk->sk_state_change(sk);
1354}
1355
1356static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1357{
1358 struct sock *sk = chan->data;
1359
1360 lock_sock(sk);
1361 sk->sk_shutdown = SHUTDOWN_MASK;
1362 release_sock(sk);
1363}
1364
1365static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1366{
1367 struct sock *sk = chan->data;
1368
1369 return sk->sk_sndtimeo;
1370}
1371
1372static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1373{
1374 struct sock *sk = chan->data;
1375
1376 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1377 sk->sk_state_change(sk);
1378}
1379
1380static struct l2cap_ops l2cap_chan_ops = {
1381 .name = "L2CAP Socket Interface",
1382 .new_connection = l2cap_sock_new_connection_cb,
1383 .recv = l2cap_sock_recv_cb,
1384 .close = l2cap_sock_close_cb,
1385 .teardown = l2cap_sock_teardown_cb,
1386 .state_change = l2cap_sock_state_change_cb,
1387 .ready = l2cap_sock_ready_cb,
1388 .defer = l2cap_sock_defer_cb,
1389 .resume = l2cap_sock_resume_cb,
1390 .suspend = l2cap_sock_suspend_cb,
1391 .set_shutdown = l2cap_sock_set_shutdown_cb,
1392 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1393 .alloc_skb = l2cap_sock_alloc_skb_cb,
1394};
1395
1396static void l2cap_sock_destruct(struct sock *sk)
1397{
1398 BT_DBG("sk %p", sk);
1399
1400 if (l2cap_pi(sk)->chan)
1401 l2cap_chan_put(l2cap_pi(sk)->chan);
1402
1403 if (l2cap_pi(sk)->rx_busy_skb) {
1404 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1405 l2cap_pi(sk)->rx_busy_skb = NULL;
1406 }
1407
1408 skb_queue_purge(&sk->sk_receive_queue);
1409 skb_queue_purge(&sk->sk_write_queue);
1410}
1411
1412static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1413 int *msg_namelen)
1414{
1415 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1416
1417 memset(la, 0, sizeof(struct sockaddr_l2));
1418 la->l2_family = AF_BLUETOOTH;
1419 la->l2_psm = bt_cb(skb)->psm;
1420 bacpy(&la->l2_bdaddr, &bt_cb(skb)->bdaddr);
1421
1422 *msg_namelen = sizeof(struct sockaddr_l2);
1423}
1424
1425static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1426{
1427 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1428
1429 BT_DBG("sk %p", sk);
1430
1431 if (parent) {
1432 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1433
1434 sk->sk_type = parent->sk_type;
1435 bt_sk(sk)->flags = bt_sk(parent)->flags;
1436
1437 chan->chan_type = pchan->chan_type;
1438 chan->imtu = pchan->imtu;
1439 chan->omtu = pchan->omtu;
1440 chan->conf_state = pchan->conf_state;
1441 chan->mode = pchan->mode;
1442 chan->fcs = pchan->fcs;
1443 chan->max_tx = pchan->max_tx;
1444 chan->tx_win = pchan->tx_win;
1445 chan->tx_win_max = pchan->tx_win_max;
1446 chan->sec_level = pchan->sec_level;
1447 chan->flags = pchan->flags;
1448 chan->tx_credits = pchan->tx_credits;
1449 chan->rx_credits = pchan->rx_credits;
1450
1451 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1452 chan->scid = pchan->scid;
1453 chan->dcid = pchan->scid;
1454 }
1455
1456 security_sk_clone(parent, sk);
1457 } else {
1458 switch (sk->sk_type) {
1459 case SOCK_RAW:
1460 chan->chan_type = L2CAP_CHAN_RAW;
1461 break;
1462 case SOCK_DGRAM:
1463 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1464 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1465 break;
1466 case SOCK_SEQPACKET:
1467 case SOCK_STREAM:
1468 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1469 break;
1470 }
1471
1472 chan->imtu = L2CAP_DEFAULT_MTU;
1473 chan->omtu = 0;
1474 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1475 chan->mode = L2CAP_MODE_ERTM;
1476 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1477 } else {
1478 chan->mode = L2CAP_MODE_BASIC;
1479 }
1480
1481 l2cap_chan_set_defaults(chan);
1482 }
1483
1484 /* Default config options */
1485 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1486
1487 chan->data = sk;
1488 chan->ops = &l2cap_chan_ops;
1489}
1490
1491static struct proto l2cap_proto = {
1492 .name = "L2CAP",
1493 .owner = THIS_MODULE,
1494 .obj_size = sizeof(struct l2cap_pinfo)
1495};
1496
1497static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1498 int proto, gfp_t prio)
1499{
1500 struct sock *sk;
1501 struct l2cap_chan *chan;
1502
1503 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1504 if (!sk)
1505 return NULL;
1506
1507 sock_init_data(sock, sk);
1508 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1509
1510 sk->sk_destruct = l2cap_sock_destruct;
1511 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1512
1513 sock_reset_flag(sk, SOCK_ZAPPED);
1514
1515 sk->sk_protocol = proto;
1516 sk->sk_state = BT_OPEN;
1517
1518 chan = l2cap_chan_create();
1519 if (!chan) {
1520 sk_free(sk);
1521 return NULL;
1522 }
1523
1524 l2cap_chan_hold(chan);
1525
1526 l2cap_pi(sk)->chan = chan;
1527
1528 return sk;
1529}
1530
1531static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1532 int kern)
1533{
1534 struct sock *sk;
1535
1536 BT_DBG("sock %p", sock);
1537
1538 sock->state = SS_UNCONNECTED;
1539
1540 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1541 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1542 return -ESOCKTNOSUPPORT;
1543
1544 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1545 return -EPERM;
1546
1547 sock->ops = &l2cap_sock_ops;
1548
1549 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
1550 if (!sk)
1551 return -ENOMEM;
1552
1553 l2cap_sock_init(sk, NULL);
1554 bt_sock_link(&l2cap_sk_list, sk);
1555 return 0;
1556}
1557
1558static const struct proto_ops l2cap_sock_ops = {
1559 .family = PF_BLUETOOTH,
1560 .owner = THIS_MODULE,
1561 .release = l2cap_sock_release,
1562 .bind = l2cap_sock_bind,
1563 .connect = l2cap_sock_connect,
1564 .listen = l2cap_sock_listen,
1565 .accept = l2cap_sock_accept,
1566 .getname = l2cap_sock_getname,
1567 .sendmsg = l2cap_sock_sendmsg,
1568 .recvmsg = l2cap_sock_recvmsg,
1569 .poll = bt_sock_poll,
1570 .ioctl = bt_sock_ioctl,
1571 .mmap = sock_no_mmap,
1572 .socketpair = sock_no_socketpair,
1573 .shutdown = l2cap_sock_shutdown,
1574 .setsockopt = l2cap_sock_setsockopt,
1575 .getsockopt = l2cap_sock_getsockopt
1576};
1577
1578static const struct net_proto_family l2cap_sock_family_ops = {
1579 .family = PF_BLUETOOTH,
1580 .owner = THIS_MODULE,
1581 .create = l2cap_sock_create,
1582};
1583
1584int __init l2cap_init_sockets(void)
1585{
1586 int err;
1587
1588 err = proto_register(&l2cap_proto, 0);
1589 if (err < 0)
1590 return err;
1591
1592 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1593 if (err < 0) {
1594 BT_ERR("L2CAP socket registration failed");
1595 goto error;
1596 }
1597
1598 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1599 NULL);
1600 if (err < 0) {
1601 BT_ERR("Failed to create L2CAP proc file");
1602 bt_sock_unregister(BTPROTO_L2CAP);
1603 goto error;
1604 }
1605
1606 BT_INFO("L2CAP socket layer initialized");
1607
1608 return 0;
1609
1610error:
1611 proto_unregister(&l2cap_proto);
1612 return err;
1613}
1614
1615void l2cap_cleanup_sockets(void)
1616{
1617 bt_procfs_cleanup(&init_net, "l2cap");
1618 bt_sock_unregister(BTPROTO_L2CAP);
1619 proto_unregister(&l2cap_proto);
1620}