Loading...
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
26*/
27
28/* Bluetooth L2CAP sockets. */
29
30#include <linux/module.h>
31#include <linux/export.h>
32
33#include <net/bluetooth/bluetooth.h>
34#include <net/bluetooth/hci_core.h>
35#include <net/bluetooth/l2cap.h>
36
37#include "smp.h"
38
39static struct bt_sock_list l2cap_sk_list = {
40 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
41};
42
43static const struct proto_ops l2cap_sock_ops;
44static void l2cap_sock_init(struct sock *sk, struct sock *parent);
45static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
46 int proto, gfp_t prio, int kern);
47
48bool l2cap_is_socket(struct socket *sock)
49{
50 return sock && sock->ops == &l2cap_sock_ops;
51}
52EXPORT_SYMBOL(l2cap_is_socket);
53
54static int l2cap_validate_bredr_psm(u16 psm)
55{
56 /* PSM must be odd and lsb of upper byte must be 0 */
57 if ((psm & 0x0101) != 0x0001)
58 return -EINVAL;
59
60 /* Restrict usage of well-known PSMs */
61 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
62 return -EACCES;
63
64 return 0;
65}
66
67static int l2cap_validate_le_psm(u16 psm)
68{
69 /* Valid LE_PSM ranges are defined only until 0x00ff */
70 if (psm > L2CAP_PSM_LE_DYN_END)
71 return -EINVAL;
72
73 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
74 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
75 return -EACCES;
76
77 return 0;
78}
79
80static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
81{
82 struct sock *sk = sock->sk;
83 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
84 struct sockaddr_l2 la;
85 int len, err = 0;
86
87 BT_DBG("sk %p", sk);
88
89 if (!addr || addr->sa_family != AF_BLUETOOTH)
90 return -EINVAL;
91
92 memset(&la, 0, sizeof(la));
93 len = min_t(unsigned int, sizeof(la), alen);
94 memcpy(&la, addr, len);
95
96 if (la.l2_cid && la.l2_psm)
97 return -EINVAL;
98
99 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
100 return -EINVAL;
101
102 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
103 /* We only allow ATT user space socket */
104 if (la.l2_cid &&
105 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
106 return -EINVAL;
107 }
108
109 lock_sock(sk);
110
111 if (sk->sk_state != BT_OPEN) {
112 err = -EBADFD;
113 goto done;
114 }
115
116 if (la.l2_psm) {
117 __u16 psm = __le16_to_cpu(la.l2_psm);
118
119 if (la.l2_bdaddr_type == BDADDR_BREDR)
120 err = l2cap_validate_bredr_psm(psm);
121 else
122 err = l2cap_validate_le_psm(psm);
123
124 if (err)
125 goto done;
126 }
127
128 bacpy(&chan->src, &la.l2_bdaddr);
129 chan->src_type = la.l2_bdaddr_type;
130
131 if (la.l2_cid)
132 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
133 else
134 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
135
136 if (err < 0)
137 goto done;
138
139 switch (chan->chan_type) {
140 case L2CAP_CHAN_CONN_LESS:
141 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
142 chan->sec_level = BT_SECURITY_SDP;
143 break;
144 case L2CAP_CHAN_CONN_ORIENTED:
145 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
146 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
147 chan->sec_level = BT_SECURITY_SDP;
148 break;
149 case L2CAP_CHAN_RAW:
150 chan->sec_level = BT_SECURITY_SDP;
151 break;
152 case L2CAP_CHAN_FIXED:
153 /* Fixed channels default to the L2CAP core not holding a
154 * hci_conn reference for them. For fixed channels mapping to
155 * L2CAP sockets we do want to hold a reference so set the
156 * appropriate flag to request it.
157 */
158 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
159 break;
160 }
161
162 if (chan->psm && bdaddr_type_is_le(chan->src_type))
163 chan->mode = L2CAP_MODE_LE_FLOWCTL;
164
165 chan->state = BT_BOUND;
166 sk->sk_state = BT_BOUND;
167
168done:
169 release_sock(sk);
170 return err;
171}
172
173static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
174 int alen, int flags)
175{
176 struct sock *sk = sock->sk;
177 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
178 struct sockaddr_l2 la;
179 int len, err = 0;
180
181 BT_DBG("sk %p", sk);
182
183 if (!addr || alen < sizeof(addr->sa_family) ||
184 addr->sa_family != AF_BLUETOOTH)
185 return -EINVAL;
186
187 memset(&la, 0, sizeof(la));
188 len = min_t(unsigned int, sizeof(la), alen);
189 memcpy(&la, addr, len);
190
191 if (la.l2_cid && la.l2_psm)
192 return -EINVAL;
193
194 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
195 return -EINVAL;
196
197 /* Check that the socket wasn't bound to something that
198 * conflicts with the address given to connect(). If chan->src
199 * is BDADDR_ANY it means bind() was never used, in which case
200 * chan->src_type and la.l2_bdaddr_type do not need to match.
201 */
202 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
203 bdaddr_type_is_le(la.l2_bdaddr_type)) {
204 /* Old user space versions will try to incorrectly bind
205 * the ATT socket using BDADDR_BREDR. We need to accept
206 * this and fix up the source address type only when
207 * both the source CID and destination CID indicate
208 * ATT. Anything else is an invalid combination.
209 */
210 if (chan->scid != L2CAP_CID_ATT ||
211 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
212 return -EINVAL;
213
214 /* We don't have the hdev available here to make a
215 * better decision on random vs public, but since all
216 * user space versions that exhibit this issue anyway do
217 * not support random local addresses assuming public
218 * here is good enough.
219 */
220 chan->src_type = BDADDR_LE_PUBLIC;
221 }
222
223 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
224 return -EINVAL;
225
226 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
227 /* We only allow ATT user space socket */
228 if (la.l2_cid &&
229 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
230 return -EINVAL;
231 }
232
233 if (chan->psm && bdaddr_type_is_le(chan->src_type))
234 chan->mode = L2CAP_MODE_LE_FLOWCTL;
235
236 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
237 &la.l2_bdaddr, la.l2_bdaddr_type);
238 if (err)
239 return err;
240
241 lock_sock(sk);
242
243 err = bt_sock_wait_state(sk, BT_CONNECTED,
244 sock_sndtimeo(sk, flags & O_NONBLOCK));
245
246 release_sock(sk);
247
248 return err;
249}
250
251static int l2cap_sock_listen(struct socket *sock, int backlog)
252{
253 struct sock *sk = sock->sk;
254 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
255 int err = 0;
256
257 BT_DBG("sk %p backlog %d", sk, backlog);
258
259 lock_sock(sk);
260
261 if (sk->sk_state != BT_BOUND) {
262 err = -EBADFD;
263 goto done;
264 }
265
266 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
267 err = -EINVAL;
268 goto done;
269 }
270
271 switch (chan->mode) {
272 case L2CAP_MODE_BASIC:
273 case L2CAP_MODE_LE_FLOWCTL:
274 break;
275 case L2CAP_MODE_ERTM:
276 case L2CAP_MODE_STREAMING:
277 if (!disable_ertm)
278 break;
279 /* fall through */
280 default:
281 err = -EOPNOTSUPP;
282 goto done;
283 }
284
285 sk->sk_max_ack_backlog = backlog;
286 sk->sk_ack_backlog = 0;
287
288 /* Listening channels need to use nested locking in order not to
289 * cause lockdep warnings when the created child channels end up
290 * being locked in the same thread as the parent channel.
291 */
292 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
293
294 chan->state = BT_LISTEN;
295 sk->sk_state = BT_LISTEN;
296
297done:
298 release_sock(sk);
299 return err;
300}
301
302static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
303 int flags)
304{
305 DEFINE_WAIT_FUNC(wait, woken_wake_function);
306 struct sock *sk = sock->sk, *nsk;
307 long timeo;
308 int err = 0;
309
310 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
311
312 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
313
314 BT_DBG("sk %p timeo %ld", sk, timeo);
315
316 /* Wait for an incoming connection. (wake-one). */
317 add_wait_queue_exclusive(sk_sleep(sk), &wait);
318 while (1) {
319 if (sk->sk_state != BT_LISTEN) {
320 err = -EBADFD;
321 break;
322 }
323
324 nsk = bt_accept_dequeue(sk, newsock);
325 if (nsk)
326 break;
327
328 if (!timeo) {
329 err = -EAGAIN;
330 break;
331 }
332
333 if (signal_pending(current)) {
334 err = sock_intr_errno(timeo);
335 break;
336 }
337
338 release_sock(sk);
339
340 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
341
342 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
343 }
344 remove_wait_queue(sk_sleep(sk), &wait);
345
346 if (err)
347 goto done;
348
349 newsock->state = SS_CONNECTED;
350
351 BT_DBG("new socket %p", nsk);
352
353done:
354 release_sock(sk);
355 return err;
356}
357
358static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
359 int *len, int peer)
360{
361 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
362 struct sock *sk = sock->sk;
363 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
364
365 BT_DBG("sock %p, sk %p", sock, sk);
366
367 if (peer && sk->sk_state != BT_CONNECTED &&
368 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
369 sk->sk_state != BT_CONFIG)
370 return -ENOTCONN;
371
372 memset(la, 0, sizeof(struct sockaddr_l2));
373 addr->sa_family = AF_BLUETOOTH;
374 *len = sizeof(struct sockaddr_l2);
375
376 la->l2_psm = chan->psm;
377
378 if (peer) {
379 bacpy(&la->l2_bdaddr, &chan->dst);
380 la->l2_cid = cpu_to_le16(chan->dcid);
381 la->l2_bdaddr_type = chan->dst_type;
382 } else {
383 bacpy(&la->l2_bdaddr, &chan->src);
384 la->l2_cid = cpu_to_le16(chan->scid);
385 la->l2_bdaddr_type = chan->src_type;
386 }
387
388 return 0;
389}
390
391static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
392 char __user *optval, int __user *optlen)
393{
394 struct sock *sk = sock->sk;
395 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
396 struct l2cap_options opts;
397 struct l2cap_conninfo cinfo;
398 int len, err = 0;
399 u32 opt;
400
401 BT_DBG("sk %p", sk);
402
403 if (get_user(len, optlen))
404 return -EFAULT;
405
406 lock_sock(sk);
407
408 switch (optname) {
409 case L2CAP_OPTIONS:
410 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
411 * legacy ATT code depends on getsockopt for
412 * L2CAP_OPTIONS we need to let this pass.
413 */
414 if (bdaddr_type_is_le(chan->src_type) &&
415 chan->scid != L2CAP_CID_ATT) {
416 err = -EINVAL;
417 break;
418 }
419
420 memset(&opts, 0, sizeof(opts));
421 opts.imtu = chan->imtu;
422 opts.omtu = chan->omtu;
423 opts.flush_to = chan->flush_to;
424 opts.mode = chan->mode;
425 opts.fcs = chan->fcs;
426 opts.max_tx = chan->max_tx;
427 opts.txwin_size = chan->tx_win;
428
429 len = min_t(unsigned int, len, sizeof(opts));
430 if (copy_to_user(optval, (char *) &opts, len))
431 err = -EFAULT;
432
433 break;
434
435 case L2CAP_LM:
436 switch (chan->sec_level) {
437 case BT_SECURITY_LOW:
438 opt = L2CAP_LM_AUTH;
439 break;
440 case BT_SECURITY_MEDIUM:
441 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
442 break;
443 case BT_SECURITY_HIGH:
444 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
445 L2CAP_LM_SECURE;
446 break;
447 case BT_SECURITY_FIPS:
448 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
449 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
450 break;
451 default:
452 opt = 0;
453 break;
454 }
455
456 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
457 opt |= L2CAP_LM_MASTER;
458
459 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
460 opt |= L2CAP_LM_RELIABLE;
461
462 if (put_user(opt, (u32 __user *) optval))
463 err = -EFAULT;
464
465 break;
466
467 case L2CAP_CONNINFO:
468 if (sk->sk_state != BT_CONNECTED &&
469 !(sk->sk_state == BT_CONNECT2 &&
470 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
471 err = -ENOTCONN;
472 break;
473 }
474
475 memset(&cinfo, 0, sizeof(cinfo));
476 cinfo.hci_handle = chan->conn->hcon->handle;
477 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
478
479 len = min_t(unsigned int, len, sizeof(cinfo));
480 if (copy_to_user(optval, (char *) &cinfo, len))
481 err = -EFAULT;
482
483 break;
484
485 default:
486 err = -ENOPROTOOPT;
487 break;
488 }
489
490 release_sock(sk);
491 return err;
492}
493
494static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
495 char __user *optval, int __user *optlen)
496{
497 struct sock *sk = sock->sk;
498 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
499 struct bt_security sec;
500 struct bt_power pwr;
501 int len, err = 0;
502
503 BT_DBG("sk %p", sk);
504
505 if (level == SOL_L2CAP)
506 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
507
508 if (level != SOL_BLUETOOTH)
509 return -ENOPROTOOPT;
510
511 if (get_user(len, optlen))
512 return -EFAULT;
513
514 lock_sock(sk);
515
516 switch (optname) {
517 case BT_SECURITY:
518 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
519 chan->chan_type != L2CAP_CHAN_FIXED &&
520 chan->chan_type != L2CAP_CHAN_RAW) {
521 err = -EINVAL;
522 break;
523 }
524
525 memset(&sec, 0, sizeof(sec));
526 if (chan->conn) {
527 sec.level = chan->conn->hcon->sec_level;
528
529 if (sk->sk_state == BT_CONNECTED)
530 sec.key_size = chan->conn->hcon->enc_key_size;
531 } else {
532 sec.level = chan->sec_level;
533 }
534
535 len = min_t(unsigned int, len, sizeof(sec));
536 if (copy_to_user(optval, (char *) &sec, len))
537 err = -EFAULT;
538
539 break;
540
541 case BT_DEFER_SETUP:
542 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
543 err = -EINVAL;
544 break;
545 }
546
547 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
548 (u32 __user *) optval))
549 err = -EFAULT;
550
551 break;
552
553 case BT_FLUSHABLE:
554 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
555 (u32 __user *) optval))
556 err = -EFAULT;
557
558 break;
559
560 case BT_POWER:
561 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
562 && sk->sk_type != SOCK_RAW) {
563 err = -EINVAL;
564 break;
565 }
566
567 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
568
569 len = min_t(unsigned int, len, sizeof(pwr));
570 if (copy_to_user(optval, (char *) &pwr, len))
571 err = -EFAULT;
572
573 break;
574
575 case BT_CHANNEL_POLICY:
576 if (put_user(chan->chan_policy, (u32 __user *) optval))
577 err = -EFAULT;
578 break;
579
580 case BT_SNDMTU:
581 if (!bdaddr_type_is_le(chan->src_type)) {
582 err = -EINVAL;
583 break;
584 }
585
586 if (sk->sk_state != BT_CONNECTED) {
587 err = -ENOTCONN;
588 break;
589 }
590
591 if (put_user(chan->omtu, (u16 __user *) optval))
592 err = -EFAULT;
593 break;
594
595 case BT_RCVMTU:
596 if (!bdaddr_type_is_le(chan->src_type)) {
597 err = -EINVAL;
598 break;
599 }
600
601 if (put_user(chan->imtu, (u16 __user *) optval))
602 err = -EFAULT;
603 break;
604
605 default:
606 err = -ENOPROTOOPT;
607 break;
608 }
609
610 release_sock(sk);
611 return err;
612}
613
614static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
615{
616 switch (chan->scid) {
617 case L2CAP_CID_ATT:
618 if (mtu < L2CAP_LE_MIN_MTU)
619 return false;
620 break;
621
622 default:
623 if (mtu < L2CAP_DEFAULT_MIN_MTU)
624 return false;
625 }
626
627 return true;
628}
629
630static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
631 char __user *optval, unsigned int optlen)
632{
633 struct sock *sk = sock->sk;
634 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
635 struct l2cap_options opts;
636 int len, err = 0;
637 u32 opt;
638
639 BT_DBG("sk %p", sk);
640
641 lock_sock(sk);
642
643 switch (optname) {
644 case L2CAP_OPTIONS:
645 if (bdaddr_type_is_le(chan->src_type)) {
646 err = -EINVAL;
647 break;
648 }
649
650 if (sk->sk_state == BT_CONNECTED) {
651 err = -EINVAL;
652 break;
653 }
654
655 opts.imtu = chan->imtu;
656 opts.omtu = chan->omtu;
657 opts.flush_to = chan->flush_to;
658 opts.mode = chan->mode;
659 opts.fcs = chan->fcs;
660 opts.max_tx = chan->max_tx;
661 opts.txwin_size = chan->tx_win;
662
663 len = min_t(unsigned int, sizeof(opts), optlen);
664 if (copy_from_user((char *) &opts, optval, len)) {
665 err = -EFAULT;
666 break;
667 }
668
669 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
670 err = -EINVAL;
671 break;
672 }
673
674 if (!l2cap_valid_mtu(chan, opts.imtu)) {
675 err = -EINVAL;
676 break;
677 }
678
679 chan->mode = opts.mode;
680 switch (chan->mode) {
681 case L2CAP_MODE_LE_FLOWCTL:
682 break;
683 case L2CAP_MODE_BASIC:
684 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
685 break;
686 case L2CAP_MODE_ERTM:
687 case L2CAP_MODE_STREAMING:
688 if (!disable_ertm)
689 break;
690 /* fall through */
691 default:
692 err = -EINVAL;
693 break;
694 }
695
696 chan->imtu = opts.imtu;
697 chan->omtu = opts.omtu;
698 chan->fcs = opts.fcs;
699 chan->max_tx = opts.max_tx;
700 chan->tx_win = opts.txwin_size;
701 chan->flush_to = opts.flush_to;
702 break;
703
704 case L2CAP_LM:
705 if (get_user(opt, (u32 __user *) optval)) {
706 err = -EFAULT;
707 break;
708 }
709
710 if (opt & L2CAP_LM_FIPS) {
711 err = -EINVAL;
712 break;
713 }
714
715 if (opt & L2CAP_LM_AUTH)
716 chan->sec_level = BT_SECURITY_LOW;
717 if (opt & L2CAP_LM_ENCRYPT)
718 chan->sec_level = BT_SECURITY_MEDIUM;
719 if (opt & L2CAP_LM_SECURE)
720 chan->sec_level = BT_SECURITY_HIGH;
721
722 if (opt & L2CAP_LM_MASTER)
723 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
724 else
725 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
726
727 if (opt & L2CAP_LM_RELIABLE)
728 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
729 else
730 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
731 break;
732
733 default:
734 err = -ENOPROTOOPT;
735 break;
736 }
737
738 release_sock(sk);
739 return err;
740}
741
742static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
743 char __user *optval, unsigned int optlen)
744{
745 struct sock *sk = sock->sk;
746 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
747 struct bt_security sec;
748 struct bt_power pwr;
749 struct l2cap_conn *conn;
750 int len, err = 0;
751 u32 opt;
752
753 BT_DBG("sk %p", sk);
754
755 if (level == SOL_L2CAP)
756 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
757
758 if (level != SOL_BLUETOOTH)
759 return -ENOPROTOOPT;
760
761 lock_sock(sk);
762
763 switch (optname) {
764 case BT_SECURITY:
765 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
766 chan->chan_type != L2CAP_CHAN_FIXED &&
767 chan->chan_type != L2CAP_CHAN_RAW) {
768 err = -EINVAL;
769 break;
770 }
771
772 sec.level = BT_SECURITY_LOW;
773
774 len = min_t(unsigned int, sizeof(sec), optlen);
775 if (copy_from_user((char *) &sec, optval, len)) {
776 err = -EFAULT;
777 break;
778 }
779
780 if (sec.level < BT_SECURITY_LOW ||
781 sec.level > BT_SECURITY_HIGH) {
782 err = -EINVAL;
783 break;
784 }
785
786 chan->sec_level = sec.level;
787
788 if (!chan->conn)
789 break;
790
791 conn = chan->conn;
792
793 /*change security for LE channels */
794 if (chan->scid == L2CAP_CID_ATT) {
795 if (smp_conn_security(conn->hcon, sec.level))
796 break;
797 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
798 sk->sk_state = BT_CONFIG;
799 chan->state = BT_CONFIG;
800
801 /* or for ACL link */
802 } else if ((sk->sk_state == BT_CONNECT2 &&
803 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
804 sk->sk_state == BT_CONNECTED) {
805 if (!l2cap_chan_check_security(chan, true))
806 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
807 else
808 sk->sk_state_change(sk);
809 } else {
810 err = -EINVAL;
811 }
812 break;
813
814 case BT_DEFER_SETUP:
815 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
816 err = -EINVAL;
817 break;
818 }
819
820 if (get_user(opt, (u32 __user *) optval)) {
821 err = -EFAULT;
822 break;
823 }
824
825 if (opt) {
826 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
827 set_bit(FLAG_DEFER_SETUP, &chan->flags);
828 } else {
829 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
830 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
831 }
832 break;
833
834 case BT_FLUSHABLE:
835 if (get_user(opt, (u32 __user *) optval)) {
836 err = -EFAULT;
837 break;
838 }
839
840 if (opt > BT_FLUSHABLE_ON) {
841 err = -EINVAL;
842 break;
843 }
844
845 if (opt == BT_FLUSHABLE_OFF) {
846 conn = chan->conn;
847 /* proceed further only when we have l2cap_conn and
848 No Flush support in the LM */
849 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
850 err = -EINVAL;
851 break;
852 }
853 }
854
855 if (opt)
856 set_bit(FLAG_FLUSHABLE, &chan->flags);
857 else
858 clear_bit(FLAG_FLUSHABLE, &chan->flags);
859 break;
860
861 case BT_POWER:
862 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
863 chan->chan_type != L2CAP_CHAN_RAW) {
864 err = -EINVAL;
865 break;
866 }
867
868 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
869
870 len = min_t(unsigned int, sizeof(pwr), optlen);
871 if (copy_from_user((char *) &pwr, optval, len)) {
872 err = -EFAULT;
873 break;
874 }
875
876 if (pwr.force_active)
877 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
878 else
879 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
880 break;
881
882 case BT_CHANNEL_POLICY:
883 if (get_user(opt, (u32 __user *) optval)) {
884 err = -EFAULT;
885 break;
886 }
887
888 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
889 err = -EINVAL;
890 break;
891 }
892
893 if (chan->mode != L2CAP_MODE_ERTM &&
894 chan->mode != L2CAP_MODE_STREAMING) {
895 err = -EOPNOTSUPP;
896 break;
897 }
898
899 chan->chan_policy = (u8) opt;
900
901 if (sk->sk_state == BT_CONNECTED &&
902 chan->move_role == L2CAP_MOVE_ROLE_NONE)
903 l2cap_move_start(chan);
904
905 break;
906
907 case BT_SNDMTU:
908 if (!bdaddr_type_is_le(chan->src_type)) {
909 err = -EINVAL;
910 break;
911 }
912
913 /* Setting is not supported as it's the remote side that
914 * decides this.
915 */
916 err = -EPERM;
917 break;
918
919 case BT_RCVMTU:
920 if (!bdaddr_type_is_le(chan->src_type)) {
921 err = -EINVAL;
922 break;
923 }
924
925 if (sk->sk_state == BT_CONNECTED) {
926 err = -EISCONN;
927 break;
928 }
929
930 if (get_user(opt, (u32 __user *) optval)) {
931 err = -EFAULT;
932 break;
933 }
934
935 chan->imtu = opt;
936 break;
937
938 default:
939 err = -ENOPROTOOPT;
940 break;
941 }
942
943 release_sock(sk);
944 return err;
945}
946
947static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
948 size_t len)
949{
950 struct sock *sk = sock->sk;
951 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
952 int err;
953
954 BT_DBG("sock %p, sk %p", sock, sk);
955
956 err = sock_error(sk);
957 if (err)
958 return err;
959
960 if (msg->msg_flags & MSG_OOB)
961 return -EOPNOTSUPP;
962
963 if (sk->sk_state != BT_CONNECTED)
964 return -ENOTCONN;
965
966 lock_sock(sk);
967 err = bt_sock_wait_ready(sk, msg->msg_flags);
968 release_sock(sk);
969 if (err)
970 return err;
971
972 l2cap_chan_lock(chan);
973 err = l2cap_chan_send(chan, msg, len);
974 l2cap_chan_unlock(chan);
975
976 return err;
977}
978
979static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
980 size_t len, int flags)
981{
982 struct sock *sk = sock->sk;
983 struct l2cap_pinfo *pi = l2cap_pi(sk);
984 int err;
985
986 lock_sock(sk);
987
988 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
989 &bt_sk(sk)->flags)) {
990 if (bdaddr_type_is_le(pi->chan->src_type)) {
991 sk->sk_state = BT_CONNECTED;
992 pi->chan->state = BT_CONNECTED;
993 __l2cap_le_connect_rsp_defer(pi->chan);
994 } else {
995 sk->sk_state = BT_CONFIG;
996 pi->chan->state = BT_CONFIG;
997 __l2cap_connect_rsp_defer(pi->chan);
998 }
999
1000 err = 0;
1001 goto done;
1002 }
1003
1004 release_sock(sk);
1005
1006 if (sock->type == SOCK_STREAM)
1007 err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1008 else
1009 err = bt_sock_recvmsg(sock, msg, len, flags);
1010
1011 if (pi->chan->mode != L2CAP_MODE_ERTM)
1012 return err;
1013
1014 /* Attempt to put pending rx data in the socket buffer */
1015
1016 lock_sock(sk);
1017
1018 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1019 goto done;
1020
1021 if (pi->rx_busy_skb) {
1022 if (!sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1023 pi->rx_busy_skb = NULL;
1024 else
1025 goto done;
1026 }
1027
1028 /* Restore data flow when half of the receive buffer is
1029 * available. This avoids resending large numbers of
1030 * frames.
1031 */
1032 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1033 l2cap_chan_busy(pi->chan, 0);
1034
1035done:
1036 release_sock(sk);
1037 return err;
1038}
1039
1040/* Kill socket (only if zapped and orphan)
1041 * Must be called on unlocked socket.
1042 */
1043static void l2cap_sock_kill(struct sock *sk)
1044{
1045 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1046 return;
1047
1048 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1049
1050 /* Kill poor orphan */
1051
1052 l2cap_chan_put(l2cap_pi(sk)->chan);
1053 sock_set_flag(sk, SOCK_DEAD);
1054 sock_put(sk);
1055}
1056
1057static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1058{
1059 DECLARE_WAITQUEUE(wait, current);
1060 int err = 0;
1061 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1062 /* Timeout to prevent infinite loop */
1063 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1064
1065 add_wait_queue(sk_sleep(sk), &wait);
1066 set_current_state(TASK_INTERRUPTIBLE);
1067 do {
1068 BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1069 chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1070 jiffies_to_msecs(timeout - jiffies));
1071
1072 if (!timeo)
1073 timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1074
1075 if (signal_pending(current)) {
1076 err = sock_intr_errno(timeo);
1077 break;
1078 }
1079
1080 release_sock(sk);
1081 timeo = schedule_timeout(timeo);
1082 lock_sock(sk);
1083 set_current_state(TASK_INTERRUPTIBLE);
1084
1085 err = sock_error(sk);
1086 if (err)
1087 break;
1088
1089 if (time_after(jiffies, timeout)) {
1090 err = -ENOLINK;
1091 break;
1092 }
1093
1094 } while (chan->unacked_frames > 0 &&
1095 chan->state == BT_CONNECTED);
1096
1097 set_current_state(TASK_RUNNING);
1098 remove_wait_queue(sk_sleep(sk), &wait);
1099 return err;
1100}
1101
1102static int l2cap_sock_shutdown(struct socket *sock, int how)
1103{
1104 struct sock *sk = sock->sk;
1105 struct l2cap_chan *chan;
1106 struct l2cap_conn *conn;
1107 int err = 0;
1108
1109 BT_DBG("sock %p, sk %p", sock, sk);
1110
1111 if (!sk)
1112 return 0;
1113
1114 lock_sock(sk);
1115
1116 if (sk->sk_shutdown)
1117 goto shutdown_already;
1118
1119 BT_DBG("Handling sock shutdown");
1120
1121 /* prevent sk structure from being freed whilst unlocked */
1122 sock_hold(sk);
1123
1124 chan = l2cap_pi(sk)->chan;
1125 /* prevent chan structure from being freed whilst unlocked */
1126 l2cap_chan_hold(chan);
1127
1128 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1129
1130 if (chan->mode == L2CAP_MODE_ERTM &&
1131 chan->unacked_frames > 0 &&
1132 chan->state == BT_CONNECTED) {
1133 err = __l2cap_wait_ack(sk, chan);
1134
1135 /* After waiting for ACKs, check whether shutdown
1136 * has already been actioned to close the L2CAP
1137 * link such as by l2cap_disconnection_req().
1138 */
1139 if (sk->sk_shutdown)
1140 goto has_shutdown;
1141 }
1142
1143 sk->sk_shutdown = SHUTDOWN_MASK;
1144 release_sock(sk);
1145
1146 l2cap_chan_lock(chan);
1147 conn = chan->conn;
1148 if (conn)
1149 /* prevent conn structure from being freed */
1150 l2cap_conn_get(conn);
1151 l2cap_chan_unlock(chan);
1152
1153 if (conn)
1154 /* mutex lock must be taken before l2cap_chan_lock() */
1155 mutex_lock(&conn->chan_lock);
1156
1157 l2cap_chan_lock(chan);
1158 l2cap_chan_close(chan, 0);
1159 l2cap_chan_unlock(chan);
1160
1161 if (conn) {
1162 mutex_unlock(&conn->chan_lock);
1163 l2cap_conn_put(conn);
1164 }
1165
1166 lock_sock(sk);
1167
1168 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1169 !(current->flags & PF_EXITING))
1170 err = bt_sock_wait_state(sk, BT_CLOSED,
1171 sk->sk_lingertime);
1172
1173has_shutdown:
1174 l2cap_chan_put(chan);
1175 sock_put(sk);
1176
1177shutdown_already:
1178 if (!err && sk->sk_err)
1179 err = -sk->sk_err;
1180
1181 release_sock(sk);
1182
1183 BT_DBG("Sock shutdown complete err: %d", err);
1184
1185 return err;
1186}
1187
1188static int l2cap_sock_release(struct socket *sock)
1189{
1190 struct sock *sk = sock->sk;
1191 int err;
1192
1193 BT_DBG("sock %p, sk %p", sock, sk);
1194
1195 if (!sk)
1196 return 0;
1197
1198 bt_sock_unlink(&l2cap_sk_list, sk);
1199
1200 err = l2cap_sock_shutdown(sock, 2);
1201
1202 sock_orphan(sk);
1203 l2cap_sock_kill(sk);
1204 return err;
1205}
1206
1207static void l2cap_sock_cleanup_listen(struct sock *parent)
1208{
1209 struct sock *sk;
1210
1211 BT_DBG("parent %p state %s", parent,
1212 state_to_string(parent->sk_state));
1213
1214 /* Close not yet accepted channels */
1215 while ((sk = bt_accept_dequeue(parent, NULL))) {
1216 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1217
1218 BT_DBG("child chan %p state %s", chan,
1219 state_to_string(chan->state));
1220
1221 l2cap_chan_lock(chan);
1222 __clear_chan_timer(chan);
1223 l2cap_chan_close(chan, ECONNRESET);
1224 l2cap_chan_unlock(chan);
1225
1226 l2cap_sock_kill(sk);
1227 }
1228}
1229
1230static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1231{
1232 struct sock *sk, *parent = chan->data;
1233
1234 lock_sock(parent);
1235
1236 /* Check for backlog size */
1237 if (sk_acceptq_is_full(parent)) {
1238 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1239 release_sock(parent);
1240 return NULL;
1241 }
1242
1243 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1244 GFP_ATOMIC, 0);
1245 if (!sk) {
1246 release_sock(parent);
1247 return NULL;
1248 }
1249
1250 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1251
1252 l2cap_sock_init(sk, parent);
1253
1254 bt_accept_enqueue(parent, sk);
1255
1256 release_sock(parent);
1257
1258 return l2cap_pi(sk)->chan;
1259}
1260
1261static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1262{
1263 struct sock *sk = chan->data;
1264 int err;
1265
1266 lock_sock(sk);
1267
1268 if (l2cap_pi(sk)->rx_busy_skb) {
1269 err = -ENOMEM;
1270 goto done;
1271 }
1272
1273 err = sock_queue_rcv_skb(sk, skb);
1274
1275 /* For ERTM, handle one skb that doesn't fit into the recv
1276 * buffer. This is important to do because the data frames
1277 * have already been acked, so the skb cannot be discarded.
1278 *
1279 * Notify the l2cap core that the buffer is full, so the
1280 * LOCAL_BUSY state is entered and no more frames are
1281 * acked and reassembled until there is buffer space
1282 * available.
1283 */
1284 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1285 l2cap_pi(sk)->rx_busy_skb = skb;
1286 l2cap_chan_busy(chan, 1);
1287 err = 0;
1288 }
1289
1290done:
1291 release_sock(sk);
1292
1293 return err;
1294}
1295
1296static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1297{
1298 struct sock *sk = chan->data;
1299
1300 l2cap_sock_kill(sk);
1301}
1302
1303static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1304{
1305 struct sock *sk = chan->data;
1306 struct sock *parent;
1307
1308 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1309
1310 /* This callback can be called both for server (BT_LISTEN)
1311 * sockets as well as "normal" ones. To avoid lockdep warnings
1312 * with child socket locking (through l2cap_sock_cleanup_listen)
1313 * we need separation into separate nesting levels. The simplest
1314 * way to accomplish this is to inherit the nesting level used
1315 * for the channel.
1316 */
1317 lock_sock_nested(sk, atomic_read(&chan->nesting));
1318
1319 parent = bt_sk(sk)->parent;
1320
1321 sock_set_flag(sk, SOCK_ZAPPED);
1322
1323 switch (chan->state) {
1324 case BT_OPEN:
1325 case BT_BOUND:
1326 case BT_CLOSED:
1327 break;
1328 case BT_LISTEN:
1329 l2cap_sock_cleanup_listen(sk);
1330 sk->sk_state = BT_CLOSED;
1331 chan->state = BT_CLOSED;
1332
1333 break;
1334 default:
1335 sk->sk_state = BT_CLOSED;
1336 chan->state = BT_CLOSED;
1337
1338 sk->sk_err = err;
1339
1340 if (parent) {
1341 bt_accept_unlink(sk);
1342 parent->sk_data_ready(parent);
1343 } else {
1344 sk->sk_state_change(sk);
1345 }
1346
1347 break;
1348 }
1349
1350 release_sock(sk);
1351}
1352
1353static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1354 int err)
1355{
1356 struct sock *sk = chan->data;
1357
1358 sk->sk_state = state;
1359
1360 if (err)
1361 sk->sk_err = err;
1362}
1363
1364static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1365 unsigned long hdr_len,
1366 unsigned long len, int nb)
1367{
1368 struct sock *sk = chan->data;
1369 struct sk_buff *skb;
1370 int err;
1371
1372 l2cap_chan_unlock(chan);
1373 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1374 l2cap_chan_lock(chan);
1375
1376 if (!skb)
1377 return ERR_PTR(err);
1378
1379 skb->priority = sk->sk_priority;
1380
1381 bt_cb(skb)->l2cap.chan = chan;
1382
1383 return skb;
1384}
1385
1386static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1387{
1388 struct sock *sk = chan->data;
1389 struct sock *parent;
1390
1391 lock_sock(sk);
1392
1393 parent = bt_sk(sk)->parent;
1394
1395 BT_DBG("sk %p, parent %p", sk, parent);
1396
1397 sk->sk_state = BT_CONNECTED;
1398 sk->sk_state_change(sk);
1399
1400 if (parent)
1401 parent->sk_data_ready(parent);
1402
1403 release_sock(sk);
1404}
1405
1406static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1407{
1408 struct sock *parent, *sk = chan->data;
1409
1410 lock_sock(sk);
1411
1412 parent = bt_sk(sk)->parent;
1413 if (parent)
1414 parent->sk_data_ready(parent);
1415
1416 release_sock(sk);
1417}
1418
1419static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1420{
1421 struct sock *sk = chan->data;
1422
1423 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1424 sk->sk_state = BT_CONNECTED;
1425 chan->state = BT_CONNECTED;
1426 }
1427
1428 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1429 sk->sk_state_change(sk);
1430}
1431
1432static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1433{
1434 struct sock *sk = chan->data;
1435
1436 lock_sock(sk);
1437 sk->sk_shutdown = SHUTDOWN_MASK;
1438 release_sock(sk);
1439}
1440
1441static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1442{
1443 struct sock *sk = chan->data;
1444
1445 return sk->sk_sndtimeo;
1446}
1447
1448static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1449{
1450 struct sock *sk = chan->data;
1451
1452 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1453 sk->sk_state_change(sk);
1454}
1455
1456static const struct l2cap_ops l2cap_chan_ops = {
1457 .name = "L2CAP Socket Interface",
1458 .new_connection = l2cap_sock_new_connection_cb,
1459 .recv = l2cap_sock_recv_cb,
1460 .close = l2cap_sock_close_cb,
1461 .teardown = l2cap_sock_teardown_cb,
1462 .state_change = l2cap_sock_state_change_cb,
1463 .ready = l2cap_sock_ready_cb,
1464 .defer = l2cap_sock_defer_cb,
1465 .resume = l2cap_sock_resume_cb,
1466 .suspend = l2cap_sock_suspend_cb,
1467 .set_shutdown = l2cap_sock_set_shutdown_cb,
1468 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1469 .alloc_skb = l2cap_sock_alloc_skb_cb,
1470};
1471
1472static void l2cap_sock_destruct(struct sock *sk)
1473{
1474 BT_DBG("sk %p", sk);
1475
1476 if (l2cap_pi(sk)->chan)
1477 l2cap_chan_put(l2cap_pi(sk)->chan);
1478
1479 if (l2cap_pi(sk)->rx_busy_skb) {
1480 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1481 l2cap_pi(sk)->rx_busy_skb = NULL;
1482 }
1483
1484 skb_queue_purge(&sk->sk_receive_queue);
1485 skb_queue_purge(&sk->sk_write_queue);
1486}
1487
1488static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1489 int *msg_namelen)
1490{
1491 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1492
1493 memset(la, 0, sizeof(struct sockaddr_l2));
1494 la->l2_family = AF_BLUETOOTH;
1495 la->l2_psm = bt_cb(skb)->l2cap.psm;
1496 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1497
1498 *msg_namelen = sizeof(struct sockaddr_l2);
1499}
1500
1501static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1502{
1503 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1504
1505 BT_DBG("sk %p", sk);
1506
1507 if (parent) {
1508 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1509
1510 sk->sk_type = parent->sk_type;
1511 bt_sk(sk)->flags = bt_sk(parent)->flags;
1512
1513 chan->chan_type = pchan->chan_type;
1514 chan->imtu = pchan->imtu;
1515 chan->omtu = pchan->omtu;
1516 chan->conf_state = pchan->conf_state;
1517 chan->mode = pchan->mode;
1518 chan->fcs = pchan->fcs;
1519 chan->max_tx = pchan->max_tx;
1520 chan->tx_win = pchan->tx_win;
1521 chan->tx_win_max = pchan->tx_win_max;
1522 chan->sec_level = pchan->sec_level;
1523 chan->flags = pchan->flags;
1524 chan->tx_credits = pchan->tx_credits;
1525 chan->rx_credits = pchan->rx_credits;
1526
1527 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1528 chan->scid = pchan->scid;
1529 chan->dcid = pchan->scid;
1530 }
1531
1532 security_sk_clone(parent, sk);
1533 } else {
1534 switch (sk->sk_type) {
1535 case SOCK_RAW:
1536 chan->chan_type = L2CAP_CHAN_RAW;
1537 break;
1538 case SOCK_DGRAM:
1539 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1540 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1541 break;
1542 case SOCK_SEQPACKET:
1543 case SOCK_STREAM:
1544 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1545 break;
1546 }
1547
1548 chan->imtu = L2CAP_DEFAULT_MTU;
1549 chan->omtu = 0;
1550 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1551 chan->mode = L2CAP_MODE_ERTM;
1552 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1553 } else {
1554 chan->mode = L2CAP_MODE_BASIC;
1555 }
1556
1557 l2cap_chan_set_defaults(chan);
1558 }
1559
1560 /* Default config options */
1561 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1562
1563 chan->data = sk;
1564 chan->ops = &l2cap_chan_ops;
1565}
1566
1567static struct proto l2cap_proto = {
1568 .name = "L2CAP",
1569 .owner = THIS_MODULE,
1570 .obj_size = sizeof(struct l2cap_pinfo)
1571};
1572
1573static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1574 int proto, gfp_t prio, int kern)
1575{
1576 struct sock *sk;
1577 struct l2cap_chan *chan;
1578
1579 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern);
1580 if (!sk)
1581 return NULL;
1582
1583 sock_init_data(sock, sk);
1584 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1585
1586 sk->sk_destruct = l2cap_sock_destruct;
1587 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1588
1589 sock_reset_flag(sk, SOCK_ZAPPED);
1590
1591 sk->sk_protocol = proto;
1592 sk->sk_state = BT_OPEN;
1593
1594 chan = l2cap_chan_create();
1595 if (!chan) {
1596 sk_free(sk);
1597 return NULL;
1598 }
1599
1600 l2cap_chan_hold(chan);
1601
1602 l2cap_pi(sk)->chan = chan;
1603
1604 return sk;
1605}
1606
1607static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1608 int kern)
1609{
1610 struct sock *sk;
1611
1612 BT_DBG("sock %p", sock);
1613
1614 sock->state = SS_UNCONNECTED;
1615
1616 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1617 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1618 return -ESOCKTNOSUPPORT;
1619
1620 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1621 return -EPERM;
1622
1623 sock->ops = &l2cap_sock_ops;
1624
1625 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1626 if (!sk)
1627 return -ENOMEM;
1628
1629 l2cap_sock_init(sk, NULL);
1630 bt_sock_link(&l2cap_sk_list, sk);
1631 return 0;
1632}
1633
1634static const struct proto_ops l2cap_sock_ops = {
1635 .family = PF_BLUETOOTH,
1636 .owner = THIS_MODULE,
1637 .release = l2cap_sock_release,
1638 .bind = l2cap_sock_bind,
1639 .connect = l2cap_sock_connect,
1640 .listen = l2cap_sock_listen,
1641 .accept = l2cap_sock_accept,
1642 .getname = l2cap_sock_getname,
1643 .sendmsg = l2cap_sock_sendmsg,
1644 .recvmsg = l2cap_sock_recvmsg,
1645 .poll = bt_sock_poll,
1646 .ioctl = bt_sock_ioctl,
1647 .mmap = sock_no_mmap,
1648 .socketpair = sock_no_socketpair,
1649 .shutdown = l2cap_sock_shutdown,
1650 .setsockopt = l2cap_sock_setsockopt,
1651 .getsockopt = l2cap_sock_getsockopt
1652};
1653
1654static const struct net_proto_family l2cap_sock_family_ops = {
1655 .family = PF_BLUETOOTH,
1656 .owner = THIS_MODULE,
1657 .create = l2cap_sock_create,
1658};
1659
1660int __init l2cap_init_sockets(void)
1661{
1662 int err;
1663
1664 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1665
1666 err = proto_register(&l2cap_proto, 0);
1667 if (err < 0)
1668 return err;
1669
1670 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1671 if (err < 0) {
1672 BT_ERR("L2CAP socket registration failed");
1673 goto error;
1674 }
1675
1676 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1677 NULL);
1678 if (err < 0) {
1679 BT_ERR("Failed to create L2CAP proc file");
1680 bt_sock_unregister(BTPROTO_L2CAP);
1681 goto error;
1682 }
1683
1684 BT_INFO("L2CAP socket layer initialized");
1685
1686 return 0;
1687
1688error:
1689 proto_unregister(&l2cap_proto);
1690 return err;
1691}
1692
1693void l2cap_cleanup_sockets(void)
1694{
1695 bt_procfs_cleanup(&init_net, "l2cap");
1696 bt_sock_unregister(BTPROTO_L2CAP);
1697 proto_unregister(&l2cap_proto);
1698}
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
26*/
27
28/* Bluetooth L2CAP sockets. */
29
30#include <linux/module.h>
31#include <linux/export.h>
32#include <linux/sched/signal.h>
33
34#include <net/bluetooth/bluetooth.h>
35#include <net/bluetooth/hci_core.h>
36#include <net/bluetooth/l2cap.h>
37
38#include "smp.h"
39
40static struct bt_sock_list l2cap_sk_list = {
41 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
42};
43
44static const struct proto_ops l2cap_sock_ops;
45static void l2cap_sock_init(struct sock *sk, struct sock *parent);
46static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
47 int proto, gfp_t prio, int kern);
48
49bool l2cap_is_socket(struct socket *sock)
50{
51 return sock && sock->ops == &l2cap_sock_ops;
52}
53EXPORT_SYMBOL(l2cap_is_socket);
54
55static int l2cap_validate_bredr_psm(u16 psm)
56{
57 /* PSM must be odd and lsb of upper byte must be 0 */
58 if ((psm & 0x0101) != 0x0001)
59 return -EINVAL;
60
61 /* Restrict usage of well-known PSMs */
62 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
63 return -EACCES;
64
65 return 0;
66}
67
68static int l2cap_validate_le_psm(u16 psm)
69{
70 /* Valid LE_PSM ranges are defined only until 0x00ff */
71 if (psm > L2CAP_PSM_LE_DYN_END)
72 return -EINVAL;
73
74 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
75 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
76 return -EACCES;
77
78 return 0;
79}
80
81static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
82{
83 struct sock *sk = sock->sk;
84 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
85 struct sockaddr_l2 la;
86 int len, err = 0;
87
88 BT_DBG("sk %p", sk);
89
90 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
91 addr->sa_family != AF_BLUETOOTH)
92 return -EINVAL;
93
94 memset(&la, 0, sizeof(la));
95 len = min_t(unsigned int, sizeof(la), alen);
96 memcpy(&la, addr, len);
97
98 if (la.l2_cid && la.l2_psm)
99 return -EINVAL;
100
101 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
102 return -EINVAL;
103
104 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
105 /* We only allow ATT user space socket */
106 if (la.l2_cid &&
107 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
108 return -EINVAL;
109 }
110
111 lock_sock(sk);
112
113 if (sk->sk_state != BT_OPEN) {
114 err = -EBADFD;
115 goto done;
116 }
117
118 if (la.l2_psm) {
119 __u16 psm = __le16_to_cpu(la.l2_psm);
120
121 if (la.l2_bdaddr_type == BDADDR_BREDR)
122 err = l2cap_validate_bredr_psm(psm);
123 else
124 err = l2cap_validate_le_psm(psm);
125
126 if (err)
127 goto done;
128 }
129
130 bacpy(&chan->src, &la.l2_bdaddr);
131 chan->src_type = la.l2_bdaddr_type;
132
133 if (la.l2_cid)
134 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
135 else
136 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
137
138 if (err < 0)
139 goto done;
140
141 switch (chan->chan_type) {
142 case L2CAP_CHAN_CONN_LESS:
143 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
144 chan->sec_level = BT_SECURITY_SDP;
145 break;
146 case L2CAP_CHAN_CONN_ORIENTED:
147 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
148 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
149 chan->sec_level = BT_SECURITY_SDP;
150 break;
151 case L2CAP_CHAN_RAW:
152 chan->sec_level = BT_SECURITY_SDP;
153 break;
154 case L2CAP_CHAN_FIXED:
155 /* Fixed channels default to the L2CAP core not holding a
156 * hci_conn reference for them. For fixed channels mapping to
157 * L2CAP sockets we do want to hold a reference so set the
158 * appropriate flag to request it.
159 */
160 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
161 break;
162 }
163
164 if (chan->psm && bdaddr_type_is_le(chan->src_type))
165 chan->mode = L2CAP_MODE_LE_FLOWCTL;
166
167 chan->state = BT_BOUND;
168 sk->sk_state = BT_BOUND;
169
170done:
171 release_sock(sk);
172 return err;
173}
174
175static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
176 int alen, int flags)
177{
178 struct sock *sk = sock->sk;
179 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
180 struct sockaddr_l2 la;
181 int len, err = 0;
182 bool zapped;
183
184 BT_DBG("sk %p", sk);
185
186 lock_sock(sk);
187 zapped = sock_flag(sk, SOCK_ZAPPED);
188 release_sock(sk);
189
190 if (zapped)
191 return -EINVAL;
192
193 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
194 addr->sa_family != AF_BLUETOOTH)
195 return -EINVAL;
196
197 memset(&la, 0, sizeof(la));
198 len = min_t(unsigned int, sizeof(la), alen);
199 memcpy(&la, addr, len);
200
201 if (la.l2_cid && la.l2_psm)
202 return -EINVAL;
203
204 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
205 return -EINVAL;
206
207 /* Check that the socket wasn't bound to something that
208 * conflicts with the address given to connect(). If chan->src
209 * is BDADDR_ANY it means bind() was never used, in which case
210 * chan->src_type and la.l2_bdaddr_type do not need to match.
211 */
212 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
213 bdaddr_type_is_le(la.l2_bdaddr_type)) {
214 /* Old user space versions will try to incorrectly bind
215 * the ATT socket using BDADDR_BREDR. We need to accept
216 * this and fix up the source address type only when
217 * both the source CID and destination CID indicate
218 * ATT. Anything else is an invalid combination.
219 */
220 if (chan->scid != L2CAP_CID_ATT ||
221 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
222 return -EINVAL;
223
224 /* We don't have the hdev available here to make a
225 * better decision on random vs public, but since all
226 * user space versions that exhibit this issue anyway do
227 * not support random local addresses assuming public
228 * here is good enough.
229 */
230 chan->src_type = BDADDR_LE_PUBLIC;
231 }
232
233 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
234 return -EINVAL;
235
236 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
237 /* We only allow ATT user space socket */
238 if (la.l2_cid &&
239 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
240 return -EINVAL;
241 }
242
243 if (chan->psm && bdaddr_type_is_le(chan->src_type) && !chan->mode)
244 chan->mode = L2CAP_MODE_LE_FLOWCTL;
245
246 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
247 &la.l2_bdaddr, la.l2_bdaddr_type);
248 if (err)
249 return err;
250
251 lock_sock(sk);
252
253 err = bt_sock_wait_state(sk, BT_CONNECTED,
254 sock_sndtimeo(sk, flags & O_NONBLOCK));
255
256 release_sock(sk);
257
258 return err;
259}
260
261static int l2cap_sock_listen(struct socket *sock, int backlog)
262{
263 struct sock *sk = sock->sk;
264 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
265 int err = 0;
266
267 BT_DBG("sk %p backlog %d", sk, backlog);
268
269 lock_sock(sk);
270
271 if (sk->sk_state != BT_BOUND) {
272 err = -EBADFD;
273 goto done;
274 }
275
276 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
277 err = -EINVAL;
278 goto done;
279 }
280
281 switch (chan->mode) {
282 case L2CAP_MODE_BASIC:
283 case L2CAP_MODE_LE_FLOWCTL:
284 break;
285 case L2CAP_MODE_EXT_FLOWCTL:
286 if (!enable_ecred) {
287 err = -EOPNOTSUPP;
288 goto done;
289 }
290 break;
291 case L2CAP_MODE_ERTM:
292 case L2CAP_MODE_STREAMING:
293 if (!disable_ertm)
294 break;
295 fallthrough;
296 default:
297 err = -EOPNOTSUPP;
298 goto done;
299 }
300
301 sk->sk_max_ack_backlog = backlog;
302 sk->sk_ack_backlog = 0;
303
304 /* Listening channels need to use nested locking in order not to
305 * cause lockdep warnings when the created child channels end up
306 * being locked in the same thread as the parent channel.
307 */
308 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
309
310 chan->state = BT_LISTEN;
311 sk->sk_state = BT_LISTEN;
312
313done:
314 release_sock(sk);
315 return err;
316}
317
318static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
319 int flags, bool kern)
320{
321 DEFINE_WAIT_FUNC(wait, woken_wake_function);
322 struct sock *sk = sock->sk, *nsk;
323 long timeo;
324 int err = 0;
325
326 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
327
328 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
329
330 BT_DBG("sk %p timeo %ld", sk, timeo);
331
332 /* Wait for an incoming connection. (wake-one). */
333 add_wait_queue_exclusive(sk_sleep(sk), &wait);
334 while (1) {
335 if (sk->sk_state != BT_LISTEN) {
336 err = -EBADFD;
337 break;
338 }
339
340 nsk = bt_accept_dequeue(sk, newsock);
341 if (nsk)
342 break;
343
344 if (!timeo) {
345 err = -EAGAIN;
346 break;
347 }
348
349 if (signal_pending(current)) {
350 err = sock_intr_errno(timeo);
351 break;
352 }
353
354 release_sock(sk);
355
356 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
357
358 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
359 }
360 remove_wait_queue(sk_sleep(sk), &wait);
361
362 if (err)
363 goto done;
364
365 newsock->state = SS_CONNECTED;
366
367 BT_DBG("new socket %p", nsk);
368
369done:
370 release_sock(sk);
371 return err;
372}
373
374static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
375 int peer)
376{
377 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
378 struct sock *sk = sock->sk;
379 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
380
381 BT_DBG("sock %p, sk %p", sock, sk);
382
383 if (peer && sk->sk_state != BT_CONNECTED &&
384 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
385 sk->sk_state != BT_CONFIG)
386 return -ENOTCONN;
387
388 memset(la, 0, sizeof(struct sockaddr_l2));
389 addr->sa_family = AF_BLUETOOTH;
390
391 la->l2_psm = chan->psm;
392
393 if (peer) {
394 bacpy(&la->l2_bdaddr, &chan->dst);
395 la->l2_cid = cpu_to_le16(chan->dcid);
396 la->l2_bdaddr_type = chan->dst_type;
397 } else {
398 bacpy(&la->l2_bdaddr, &chan->src);
399 la->l2_cid = cpu_to_le16(chan->scid);
400 la->l2_bdaddr_type = chan->src_type;
401 }
402
403 return sizeof(struct sockaddr_l2);
404}
405
406static int l2cap_get_mode(struct l2cap_chan *chan)
407{
408 switch (chan->mode) {
409 case L2CAP_MODE_BASIC:
410 return BT_MODE_BASIC;
411 case L2CAP_MODE_ERTM:
412 return BT_MODE_ERTM;
413 case L2CAP_MODE_STREAMING:
414 return BT_MODE_STREAMING;
415 case L2CAP_MODE_LE_FLOWCTL:
416 return BT_MODE_LE_FLOWCTL;
417 case L2CAP_MODE_EXT_FLOWCTL:
418 return BT_MODE_EXT_FLOWCTL;
419 }
420
421 return -EINVAL;
422}
423
424static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
425 char __user *optval, int __user *optlen)
426{
427 struct sock *sk = sock->sk;
428 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
429 struct l2cap_options opts;
430 struct l2cap_conninfo cinfo;
431 int len, err = 0;
432 u32 opt;
433
434 BT_DBG("sk %p", sk);
435
436 if (get_user(len, optlen))
437 return -EFAULT;
438
439 lock_sock(sk);
440
441 switch (optname) {
442 case L2CAP_OPTIONS:
443 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
444 * legacy ATT code depends on getsockopt for
445 * L2CAP_OPTIONS we need to let this pass.
446 */
447 if (bdaddr_type_is_le(chan->src_type) &&
448 chan->scid != L2CAP_CID_ATT) {
449 err = -EINVAL;
450 break;
451 }
452
453 /* Only BR/EDR modes are supported here */
454 switch (chan->mode) {
455 case L2CAP_MODE_BASIC:
456 case L2CAP_MODE_ERTM:
457 case L2CAP_MODE_STREAMING:
458 break;
459 default:
460 err = -EINVAL;
461 break;
462 }
463
464 if (err < 0)
465 break;
466
467 memset(&opts, 0, sizeof(opts));
468 opts.imtu = chan->imtu;
469 opts.omtu = chan->omtu;
470 opts.flush_to = chan->flush_to;
471 opts.mode = chan->mode;
472 opts.fcs = chan->fcs;
473 opts.max_tx = chan->max_tx;
474 opts.txwin_size = chan->tx_win;
475
476 BT_DBG("mode 0x%2.2x", chan->mode);
477
478 len = min_t(unsigned int, len, sizeof(opts));
479 if (copy_to_user(optval, (char *) &opts, len))
480 err = -EFAULT;
481
482 break;
483
484 case L2CAP_LM:
485 switch (chan->sec_level) {
486 case BT_SECURITY_LOW:
487 opt = L2CAP_LM_AUTH;
488 break;
489 case BT_SECURITY_MEDIUM:
490 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
491 break;
492 case BT_SECURITY_HIGH:
493 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
494 L2CAP_LM_SECURE;
495 break;
496 case BT_SECURITY_FIPS:
497 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
498 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
499 break;
500 default:
501 opt = 0;
502 break;
503 }
504
505 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
506 opt |= L2CAP_LM_MASTER;
507
508 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
509 opt |= L2CAP_LM_RELIABLE;
510
511 if (put_user(opt, (u32 __user *) optval))
512 err = -EFAULT;
513
514 break;
515
516 case L2CAP_CONNINFO:
517 if (sk->sk_state != BT_CONNECTED &&
518 !(sk->sk_state == BT_CONNECT2 &&
519 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
520 err = -ENOTCONN;
521 break;
522 }
523
524 memset(&cinfo, 0, sizeof(cinfo));
525 cinfo.hci_handle = chan->conn->hcon->handle;
526 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
527
528 len = min_t(unsigned int, len, sizeof(cinfo));
529 if (copy_to_user(optval, (char *) &cinfo, len))
530 err = -EFAULT;
531
532 break;
533
534 default:
535 err = -ENOPROTOOPT;
536 break;
537 }
538
539 release_sock(sk);
540 return err;
541}
542
543static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
544 char __user *optval, int __user *optlen)
545{
546 struct sock *sk = sock->sk;
547 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
548 struct bt_security sec;
549 struct bt_power pwr;
550 u32 phys;
551 int len, mode, err = 0;
552
553 BT_DBG("sk %p", sk);
554
555 if (level == SOL_L2CAP)
556 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
557
558 if (level != SOL_BLUETOOTH)
559 return -ENOPROTOOPT;
560
561 if (get_user(len, optlen))
562 return -EFAULT;
563
564 lock_sock(sk);
565
566 switch (optname) {
567 case BT_SECURITY:
568 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
569 chan->chan_type != L2CAP_CHAN_FIXED &&
570 chan->chan_type != L2CAP_CHAN_RAW) {
571 err = -EINVAL;
572 break;
573 }
574
575 memset(&sec, 0, sizeof(sec));
576 if (chan->conn) {
577 sec.level = chan->conn->hcon->sec_level;
578
579 if (sk->sk_state == BT_CONNECTED)
580 sec.key_size = chan->conn->hcon->enc_key_size;
581 } else {
582 sec.level = chan->sec_level;
583 }
584
585 len = min_t(unsigned int, len, sizeof(sec));
586 if (copy_to_user(optval, (char *) &sec, len))
587 err = -EFAULT;
588
589 break;
590
591 case BT_DEFER_SETUP:
592 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
593 err = -EINVAL;
594 break;
595 }
596
597 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
598 (u32 __user *) optval))
599 err = -EFAULT;
600
601 break;
602
603 case BT_FLUSHABLE:
604 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
605 (u32 __user *) optval))
606 err = -EFAULT;
607
608 break;
609
610 case BT_POWER:
611 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
612 && sk->sk_type != SOCK_RAW) {
613 err = -EINVAL;
614 break;
615 }
616
617 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
618
619 len = min_t(unsigned int, len, sizeof(pwr));
620 if (copy_to_user(optval, (char *) &pwr, len))
621 err = -EFAULT;
622
623 break;
624
625 case BT_CHANNEL_POLICY:
626 if (put_user(chan->chan_policy, (u32 __user *) optval))
627 err = -EFAULT;
628 break;
629
630 case BT_SNDMTU:
631 if (!bdaddr_type_is_le(chan->src_type)) {
632 err = -EINVAL;
633 break;
634 }
635
636 if (sk->sk_state != BT_CONNECTED) {
637 err = -ENOTCONN;
638 break;
639 }
640
641 if (put_user(chan->omtu, (u16 __user *) optval))
642 err = -EFAULT;
643 break;
644
645 case BT_RCVMTU:
646 if (!bdaddr_type_is_le(chan->src_type)) {
647 err = -EINVAL;
648 break;
649 }
650
651 if (put_user(chan->imtu, (u16 __user *) optval))
652 err = -EFAULT;
653 break;
654
655 case BT_PHY:
656 if (sk->sk_state != BT_CONNECTED) {
657 err = -ENOTCONN;
658 break;
659 }
660
661 phys = hci_conn_get_phy(chan->conn->hcon);
662
663 if (put_user(phys, (u32 __user *) optval))
664 err = -EFAULT;
665 break;
666
667 case BT_MODE:
668 if (!enable_ecred) {
669 err = -ENOPROTOOPT;
670 break;
671 }
672
673 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
674 err = -EINVAL;
675 break;
676 }
677
678 mode = l2cap_get_mode(chan);
679 if (mode < 0) {
680 err = mode;
681 break;
682 }
683
684 if (put_user(mode, (u8 __user *) optval))
685 err = -EFAULT;
686 break;
687
688 default:
689 err = -ENOPROTOOPT;
690 break;
691 }
692
693 release_sock(sk);
694 return err;
695}
696
697static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
698{
699 switch (chan->scid) {
700 case L2CAP_CID_ATT:
701 if (mtu < L2CAP_LE_MIN_MTU)
702 return false;
703 break;
704
705 default:
706 if (mtu < L2CAP_DEFAULT_MIN_MTU)
707 return false;
708 }
709
710 return true;
711}
712
713static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
714 sockptr_t optval, unsigned int optlen)
715{
716 struct sock *sk = sock->sk;
717 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
718 struct l2cap_options opts;
719 int len, err = 0;
720 u32 opt;
721
722 BT_DBG("sk %p", sk);
723
724 lock_sock(sk);
725
726 switch (optname) {
727 case L2CAP_OPTIONS:
728 if (bdaddr_type_is_le(chan->src_type)) {
729 err = -EINVAL;
730 break;
731 }
732
733 if (sk->sk_state == BT_CONNECTED) {
734 err = -EINVAL;
735 break;
736 }
737
738 opts.imtu = chan->imtu;
739 opts.omtu = chan->omtu;
740 opts.flush_to = chan->flush_to;
741 opts.mode = chan->mode;
742 opts.fcs = chan->fcs;
743 opts.max_tx = chan->max_tx;
744 opts.txwin_size = chan->tx_win;
745
746 len = min_t(unsigned int, sizeof(opts), optlen);
747 if (copy_from_sockptr(&opts, optval, len)) {
748 err = -EFAULT;
749 break;
750 }
751
752 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
753 err = -EINVAL;
754 break;
755 }
756
757 if (!l2cap_valid_mtu(chan, opts.imtu)) {
758 err = -EINVAL;
759 break;
760 }
761
762 /* Only BR/EDR modes are supported here */
763 switch (opts.mode) {
764 case L2CAP_MODE_BASIC:
765 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
766 break;
767 case L2CAP_MODE_ERTM:
768 case L2CAP_MODE_STREAMING:
769 if (!disable_ertm)
770 break;
771 fallthrough;
772 default:
773 err = -EINVAL;
774 break;
775 }
776
777 if (err < 0)
778 break;
779
780 chan->mode = opts.mode;
781
782 BT_DBG("mode 0x%2.2x", chan->mode);
783
784 chan->imtu = opts.imtu;
785 chan->omtu = opts.omtu;
786 chan->fcs = opts.fcs;
787 chan->max_tx = opts.max_tx;
788 chan->tx_win = opts.txwin_size;
789 chan->flush_to = opts.flush_to;
790 break;
791
792 case L2CAP_LM:
793 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
794 err = -EFAULT;
795 break;
796 }
797
798 if (opt & L2CAP_LM_FIPS) {
799 err = -EINVAL;
800 break;
801 }
802
803 if (opt & L2CAP_LM_AUTH)
804 chan->sec_level = BT_SECURITY_LOW;
805 if (opt & L2CAP_LM_ENCRYPT)
806 chan->sec_level = BT_SECURITY_MEDIUM;
807 if (opt & L2CAP_LM_SECURE)
808 chan->sec_level = BT_SECURITY_HIGH;
809
810 if (opt & L2CAP_LM_MASTER)
811 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
812 else
813 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
814
815 if (opt & L2CAP_LM_RELIABLE)
816 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
817 else
818 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
819 break;
820
821 default:
822 err = -ENOPROTOOPT;
823 break;
824 }
825
826 release_sock(sk);
827 return err;
828}
829
830static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode)
831{
832 switch (mode) {
833 case BT_MODE_BASIC:
834 if (bdaddr_type_is_le(chan->src_type))
835 return -EINVAL;
836 mode = L2CAP_MODE_BASIC;
837 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
838 break;
839 case BT_MODE_ERTM:
840 if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
841 return -EINVAL;
842 mode = L2CAP_MODE_ERTM;
843 break;
844 case BT_MODE_STREAMING:
845 if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
846 return -EINVAL;
847 mode = L2CAP_MODE_STREAMING;
848 break;
849 case BT_MODE_LE_FLOWCTL:
850 if (!bdaddr_type_is_le(chan->src_type))
851 return -EINVAL;
852 mode = L2CAP_MODE_LE_FLOWCTL;
853 break;
854 case BT_MODE_EXT_FLOWCTL:
855 /* TODO: Add support for ECRED PDUs to BR/EDR */
856 if (!bdaddr_type_is_le(chan->src_type))
857 return -EINVAL;
858 mode = L2CAP_MODE_EXT_FLOWCTL;
859 break;
860 default:
861 return -EINVAL;
862 }
863
864 chan->mode = mode;
865
866 return 0;
867}
868
869static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
870 sockptr_t optval, unsigned int optlen)
871{
872 struct sock *sk = sock->sk;
873 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
874 struct bt_security sec;
875 struct bt_power pwr;
876 struct l2cap_conn *conn;
877 int len, err = 0;
878 u32 opt;
879
880 BT_DBG("sk %p", sk);
881
882 if (level == SOL_L2CAP)
883 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
884
885 if (level != SOL_BLUETOOTH)
886 return -ENOPROTOOPT;
887
888 lock_sock(sk);
889
890 switch (optname) {
891 case BT_SECURITY:
892 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
893 chan->chan_type != L2CAP_CHAN_FIXED &&
894 chan->chan_type != L2CAP_CHAN_RAW) {
895 err = -EINVAL;
896 break;
897 }
898
899 sec.level = BT_SECURITY_LOW;
900
901 len = min_t(unsigned int, sizeof(sec), optlen);
902 if (copy_from_sockptr(&sec, optval, len)) {
903 err = -EFAULT;
904 break;
905 }
906
907 if (sec.level < BT_SECURITY_LOW ||
908 sec.level > BT_SECURITY_FIPS) {
909 err = -EINVAL;
910 break;
911 }
912
913 chan->sec_level = sec.level;
914
915 if (!chan->conn)
916 break;
917
918 conn = chan->conn;
919
920 /* change security for LE channels */
921 if (chan->scid == L2CAP_CID_ATT) {
922 if (smp_conn_security(conn->hcon, sec.level)) {
923 err = -EINVAL;
924 break;
925 }
926
927 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
928 sk->sk_state = BT_CONFIG;
929 chan->state = BT_CONFIG;
930
931 /* or for ACL link */
932 } else if ((sk->sk_state == BT_CONNECT2 &&
933 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
934 sk->sk_state == BT_CONNECTED) {
935 if (!l2cap_chan_check_security(chan, true))
936 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
937 else
938 sk->sk_state_change(sk);
939 } else {
940 err = -EINVAL;
941 }
942 break;
943
944 case BT_DEFER_SETUP:
945 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
946 err = -EINVAL;
947 break;
948 }
949
950 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
951 err = -EFAULT;
952 break;
953 }
954
955 if (opt) {
956 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
957 set_bit(FLAG_DEFER_SETUP, &chan->flags);
958 } else {
959 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
960 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
961 }
962 break;
963
964 case BT_FLUSHABLE:
965 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
966 err = -EFAULT;
967 break;
968 }
969
970 if (opt > BT_FLUSHABLE_ON) {
971 err = -EINVAL;
972 break;
973 }
974
975 if (opt == BT_FLUSHABLE_OFF) {
976 conn = chan->conn;
977 /* proceed further only when we have l2cap_conn and
978 No Flush support in the LM */
979 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
980 err = -EINVAL;
981 break;
982 }
983 }
984
985 if (opt)
986 set_bit(FLAG_FLUSHABLE, &chan->flags);
987 else
988 clear_bit(FLAG_FLUSHABLE, &chan->flags);
989 break;
990
991 case BT_POWER:
992 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
993 chan->chan_type != L2CAP_CHAN_RAW) {
994 err = -EINVAL;
995 break;
996 }
997
998 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
999
1000 len = min_t(unsigned int, sizeof(pwr), optlen);
1001 if (copy_from_sockptr(&pwr, optval, len)) {
1002 err = -EFAULT;
1003 break;
1004 }
1005
1006 if (pwr.force_active)
1007 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1008 else
1009 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1010 break;
1011
1012 case BT_CHANNEL_POLICY:
1013 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
1014 err = -EFAULT;
1015 break;
1016 }
1017
1018 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
1019 err = -EINVAL;
1020 break;
1021 }
1022
1023 if (chan->mode != L2CAP_MODE_ERTM &&
1024 chan->mode != L2CAP_MODE_STREAMING) {
1025 err = -EOPNOTSUPP;
1026 break;
1027 }
1028
1029 chan->chan_policy = (u8) opt;
1030
1031 if (sk->sk_state == BT_CONNECTED &&
1032 chan->move_role == L2CAP_MOVE_ROLE_NONE)
1033 l2cap_move_start(chan);
1034
1035 break;
1036
1037 case BT_SNDMTU:
1038 if (!bdaddr_type_is_le(chan->src_type)) {
1039 err = -EINVAL;
1040 break;
1041 }
1042
1043 /* Setting is not supported as it's the remote side that
1044 * decides this.
1045 */
1046 err = -EPERM;
1047 break;
1048
1049 case BT_RCVMTU:
1050 if (!bdaddr_type_is_le(chan->src_type)) {
1051 err = -EINVAL;
1052 break;
1053 }
1054
1055 if (chan->mode == L2CAP_MODE_LE_FLOWCTL &&
1056 sk->sk_state == BT_CONNECTED) {
1057 err = -EISCONN;
1058 break;
1059 }
1060
1061 if (copy_from_sockptr(&opt, optval, sizeof(u16))) {
1062 err = -EFAULT;
1063 break;
1064 }
1065
1066 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
1067 sk->sk_state == BT_CONNECTED)
1068 err = l2cap_chan_reconfigure(chan, opt);
1069 else
1070 chan->imtu = opt;
1071
1072 break;
1073
1074 case BT_MODE:
1075 if (!enable_ecred) {
1076 err = -ENOPROTOOPT;
1077 break;
1078 }
1079
1080 BT_DBG("sk->sk_state %u", sk->sk_state);
1081
1082 if (sk->sk_state != BT_BOUND) {
1083 err = -EINVAL;
1084 break;
1085 }
1086
1087 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1088 err = -EINVAL;
1089 break;
1090 }
1091
1092 if (copy_from_sockptr(&opt, optval, sizeof(u8))) {
1093 err = -EFAULT;
1094 break;
1095 }
1096
1097 BT_DBG("opt %u", opt);
1098
1099 err = l2cap_set_mode(chan, opt);
1100 if (err)
1101 break;
1102
1103 BT_DBG("mode 0x%2.2x", chan->mode);
1104
1105 break;
1106
1107 default:
1108 err = -ENOPROTOOPT;
1109 break;
1110 }
1111
1112 release_sock(sk);
1113 return err;
1114}
1115
1116static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1117 size_t len)
1118{
1119 struct sock *sk = sock->sk;
1120 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1121 int err;
1122
1123 BT_DBG("sock %p, sk %p", sock, sk);
1124
1125 err = sock_error(sk);
1126 if (err)
1127 return err;
1128
1129 if (msg->msg_flags & MSG_OOB)
1130 return -EOPNOTSUPP;
1131
1132 if (sk->sk_state != BT_CONNECTED)
1133 return -ENOTCONN;
1134
1135 lock_sock(sk);
1136 err = bt_sock_wait_ready(sk, msg->msg_flags);
1137 release_sock(sk);
1138 if (err)
1139 return err;
1140
1141 l2cap_chan_lock(chan);
1142 err = l2cap_chan_send(chan, msg, len);
1143 l2cap_chan_unlock(chan);
1144
1145 return err;
1146}
1147
1148static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1149 size_t len, int flags)
1150{
1151 struct sock *sk = sock->sk;
1152 struct l2cap_pinfo *pi = l2cap_pi(sk);
1153 int err;
1154
1155 lock_sock(sk);
1156
1157 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
1158 &bt_sk(sk)->flags)) {
1159 if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
1160 sk->sk_state = BT_CONNECTED;
1161 pi->chan->state = BT_CONNECTED;
1162 __l2cap_ecred_conn_rsp_defer(pi->chan);
1163 } else if (bdaddr_type_is_le(pi->chan->src_type)) {
1164 sk->sk_state = BT_CONNECTED;
1165 pi->chan->state = BT_CONNECTED;
1166 __l2cap_le_connect_rsp_defer(pi->chan);
1167 } else {
1168 sk->sk_state = BT_CONFIG;
1169 pi->chan->state = BT_CONFIG;
1170 __l2cap_connect_rsp_defer(pi->chan);
1171 }
1172
1173 err = 0;
1174 goto done;
1175 }
1176
1177 release_sock(sk);
1178
1179 if (sock->type == SOCK_STREAM)
1180 err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1181 else
1182 err = bt_sock_recvmsg(sock, msg, len, flags);
1183
1184 if (pi->chan->mode != L2CAP_MODE_ERTM)
1185 return err;
1186
1187 /* Attempt to put pending rx data in the socket buffer */
1188
1189 lock_sock(sk);
1190
1191 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1192 goto done;
1193
1194 if (pi->rx_busy_skb) {
1195 if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1196 pi->rx_busy_skb = NULL;
1197 else
1198 goto done;
1199 }
1200
1201 /* Restore data flow when half of the receive buffer is
1202 * available. This avoids resending large numbers of
1203 * frames.
1204 */
1205 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1206 l2cap_chan_busy(pi->chan, 0);
1207
1208done:
1209 release_sock(sk);
1210 return err;
1211}
1212
1213/* Kill socket (only if zapped and orphan)
1214 * Must be called on unlocked socket, with l2cap channel lock.
1215 */
1216static void l2cap_sock_kill(struct sock *sk)
1217{
1218 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1219 return;
1220
1221 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1222
1223 /* Kill poor orphan */
1224
1225 l2cap_chan_put(l2cap_pi(sk)->chan);
1226 sock_set_flag(sk, SOCK_DEAD);
1227 sock_put(sk);
1228}
1229
1230static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1231{
1232 DECLARE_WAITQUEUE(wait, current);
1233 int err = 0;
1234 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1235 /* Timeout to prevent infinite loop */
1236 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1237
1238 add_wait_queue(sk_sleep(sk), &wait);
1239 set_current_state(TASK_INTERRUPTIBLE);
1240 do {
1241 BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1242 chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1243 jiffies_to_msecs(timeout - jiffies));
1244
1245 if (!timeo)
1246 timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1247
1248 if (signal_pending(current)) {
1249 err = sock_intr_errno(timeo);
1250 break;
1251 }
1252
1253 release_sock(sk);
1254 timeo = schedule_timeout(timeo);
1255 lock_sock(sk);
1256 set_current_state(TASK_INTERRUPTIBLE);
1257
1258 err = sock_error(sk);
1259 if (err)
1260 break;
1261
1262 if (time_after(jiffies, timeout)) {
1263 err = -ENOLINK;
1264 break;
1265 }
1266
1267 } while (chan->unacked_frames > 0 &&
1268 chan->state == BT_CONNECTED);
1269
1270 set_current_state(TASK_RUNNING);
1271 remove_wait_queue(sk_sleep(sk), &wait);
1272 return err;
1273}
1274
1275static int l2cap_sock_shutdown(struct socket *sock, int how)
1276{
1277 struct sock *sk = sock->sk;
1278 struct l2cap_chan *chan;
1279 struct l2cap_conn *conn;
1280 int err = 0;
1281
1282 BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1283
1284 /* 'how' parameter is mapped to sk_shutdown as follows:
1285 * SHUT_RD (0) --> RCV_SHUTDOWN (1)
1286 * SHUT_WR (1) --> SEND_SHUTDOWN (2)
1287 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3)
1288 */
1289 how++;
1290
1291 if (!sk)
1292 return 0;
1293
1294 lock_sock(sk);
1295
1296 if ((sk->sk_shutdown & how) == how)
1297 goto shutdown_already;
1298
1299 BT_DBG("Handling sock shutdown");
1300
1301 /* prevent sk structure from being freed whilst unlocked */
1302 sock_hold(sk);
1303
1304 chan = l2cap_pi(sk)->chan;
1305 /* prevent chan structure from being freed whilst unlocked */
1306 l2cap_chan_hold(chan);
1307
1308 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1309
1310 if (chan->mode == L2CAP_MODE_ERTM &&
1311 chan->unacked_frames > 0 &&
1312 chan->state == BT_CONNECTED) {
1313 err = __l2cap_wait_ack(sk, chan);
1314
1315 /* After waiting for ACKs, check whether shutdown
1316 * has already been actioned to close the L2CAP
1317 * link such as by l2cap_disconnection_req().
1318 */
1319 if ((sk->sk_shutdown & how) == how)
1320 goto shutdown_matched;
1321 }
1322
1323 /* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN
1324 * is already set
1325 */
1326 if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) {
1327 sk->sk_shutdown |= RCV_SHUTDOWN;
1328 if ((sk->sk_shutdown & how) == how)
1329 goto shutdown_matched;
1330 }
1331
1332 sk->sk_shutdown |= SEND_SHUTDOWN;
1333 release_sock(sk);
1334
1335 l2cap_chan_lock(chan);
1336 conn = chan->conn;
1337 if (conn)
1338 /* prevent conn structure from being freed */
1339 l2cap_conn_get(conn);
1340 l2cap_chan_unlock(chan);
1341
1342 if (conn)
1343 /* mutex lock must be taken before l2cap_chan_lock() */
1344 mutex_lock(&conn->chan_lock);
1345
1346 l2cap_chan_lock(chan);
1347 l2cap_chan_close(chan, 0);
1348 l2cap_chan_unlock(chan);
1349
1350 if (conn) {
1351 mutex_unlock(&conn->chan_lock);
1352 l2cap_conn_put(conn);
1353 }
1354
1355 lock_sock(sk);
1356
1357 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1358 !(current->flags & PF_EXITING))
1359 err = bt_sock_wait_state(sk, BT_CLOSED,
1360 sk->sk_lingertime);
1361
1362shutdown_matched:
1363 l2cap_chan_put(chan);
1364 sock_put(sk);
1365
1366shutdown_already:
1367 if (!err && sk->sk_err)
1368 err = -sk->sk_err;
1369
1370 release_sock(sk);
1371
1372 BT_DBG("Sock shutdown complete err: %d", err);
1373
1374 return err;
1375}
1376
1377static int l2cap_sock_release(struct socket *sock)
1378{
1379 struct sock *sk = sock->sk;
1380 int err;
1381 struct l2cap_chan *chan;
1382
1383 BT_DBG("sock %p, sk %p", sock, sk);
1384
1385 if (!sk)
1386 return 0;
1387
1388 bt_sock_unlink(&l2cap_sk_list, sk);
1389
1390 err = l2cap_sock_shutdown(sock, SHUT_RDWR);
1391 chan = l2cap_pi(sk)->chan;
1392
1393 l2cap_chan_hold(chan);
1394 l2cap_chan_lock(chan);
1395
1396 sock_orphan(sk);
1397 l2cap_sock_kill(sk);
1398
1399 l2cap_chan_unlock(chan);
1400 l2cap_chan_put(chan);
1401
1402 return err;
1403}
1404
1405static void l2cap_sock_cleanup_listen(struct sock *parent)
1406{
1407 struct sock *sk;
1408
1409 BT_DBG("parent %p state %s", parent,
1410 state_to_string(parent->sk_state));
1411
1412 /* Close not yet accepted channels */
1413 while ((sk = bt_accept_dequeue(parent, NULL))) {
1414 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1415
1416 BT_DBG("child chan %p state %s", chan,
1417 state_to_string(chan->state));
1418
1419 l2cap_chan_hold(chan);
1420 l2cap_chan_lock(chan);
1421
1422 __clear_chan_timer(chan);
1423 l2cap_chan_close(chan, ECONNRESET);
1424 l2cap_sock_kill(sk);
1425
1426 l2cap_chan_unlock(chan);
1427 l2cap_chan_put(chan);
1428 }
1429}
1430
1431static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1432{
1433 struct sock *sk, *parent = chan->data;
1434
1435 lock_sock(parent);
1436
1437 /* Check for backlog size */
1438 if (sk_acceptq_is_full(parent)) {
1439 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1440 release_sock(parent);
1441 return NULL;
1442 }
1443
1444 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1445 GFP_ATOMIC, 0);
1446 if (!sk) {
1447 release_sock(parent);
1448 return NULL;
1449 }
1450
1451 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1452
1453 l2cap_sock_init(sk, parent);
1454
1455 bt_accept_enqueue(parent, sk, false);
1456
1457 release_sock(parent);
1458
1459 return l2cap_pi(sk)->chan;
1460}
1461
1462static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1463{
1464 struct sock *sk = chan->data;
1465 int err;
1466
1467 lock_sock(sk);
1468
1469 if (l2cap_pi(sk)->rx_busy_skb) {
1470 err = -ENOMEM;
1471 goto done;
1472 }
1473
1474 if (chan->mode != L2CAP_MODE_ERTM &&
1475 chan->mode != L2CAP_MODE_STREAMING) {
1476 /* Even if no filter is attached, we could potentially
1477 * get errors from security modules, etc.
1478 */
1479 err = sk_filter(sk, skb);
1480 if (err)
1481 goto done;
1482 }
1483
1484 err = __sock_queue_rcv_skb(sk, skb);
1485
1486 /* For ERTM, handle one skb that doesn't fit into the recv
1487 * buffer. This is important to do because the data frames
1488 * have already been acked, so the skb cannot be discarded.
1489 *
1490 * Notify the l2cap core that the buffer is full, so the
1491 * LOCAL_BUSY state is entered and no more frames are
1492 * acked and reassembled until there is buffer space
1493 * available.
1494 */
1495 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1496 l2cap_pi(sk)->rx_busy_skb = skb;
1497 l2cap_chan_busy(chan, 1);
1498 err = 0;
1499 }
1500
1501done:
1502 release_sock(sk);
1503
1504 return err;
1505}
1506
1507static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1508{
1509 struct sock *sk = chan->data;
1510
1511 l2cap_sock_kill(sk);
1512}
1513
1514static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1515{
1516 struct sock *sk = chan->data;
1517 struct sock *parent;
1518
1519 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1520
1521 /* This callback can be called both for server (BT_LISTEN)
1522 * sockets as well as "normal" ones. To avoid lockdep warnings
1523 * with child socket locking (through l2cap_sock_cleanup_listen)
1524 * we need separation into separate nesting levels. The simplest
1525 * way to accomplish this is to inherit the nesting level used
1526 * for the channel.
1527 */
1528 lock_sock_nested(sk, atomic_read(&chan->nesting));
1529
1530 parent = bt_sk(sk)->parent;
1531
1532 switch (chan->state) {
1533 case BT_OPEN:
1534 case BT_BOUND:
1535 case BT_CLOSED:
1536 break;
1537 case BT_LISTEN:
1538 l2cap_sock_cleanup_listen(sk);
1539 sk->sk_state = BT_CLOSED;
1540 chan->state = BT_CLOSED;
1541
1542 break;
1543 default:
1544 sk->sk_state = BT_CLOSED;
1545 chan->state = BT_CLOSED;
1546
1547 sk->sk_err = err;
1548
1549 if (parent) {
1550 bt_accept_unlink(sk);
1551 parent->sk_data_ready(parent);
1552 } else {
1553 sk->sk_state_change(sk);
1554 }
1555
1556 break;
1557 }
1558 release_sock(sk);
1559
1560 /* Only zap after cleanup to avoid use after free race */
1561 sock_set_flag(sk, SOCK_ZAPPED);
1562
1563}
1564
1565static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1566 int err)
1567{
1568 struct sock *sk = chan->data;
1569
1570 sk->sk_state = state;
1571
1572 if (err)
1573 sk->sk_err = err;
1574}
1575
1576static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1577 unsigned long hdr_len,
1578 unsigned long len, int nb)
1579{
1580 struct sock *sk = chan->data;
1581 struct sk_buff *skb;
1582 int err;
1583
1584 l2cap_chan_unlock(chan);
1585 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1586 l2cap_chan_lock(chan);
1587
1588 if (!skb)
1589 return ERR_PTR(err);
1590
1591 skb->priority = sk->sk_priority;
1592
1593 bt_cb(skb)->l2cap.chan = chan;
1594
1595 return skb;
1596}
1597
1598static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1599{
1600 struct sock *sk = chan->data;
1601 struct sock *parent;
1602
1603 lock_sock(sk);
1604
1605 parent = bt_sk(sk)->parent;
1606
1607 BT_DBG("sk %p, parent %p", sk, parent);
1608
1609 sk->sk_state = BT_CONNECTED;
1610 sk->sk_state_change(sk);
1611
1612 if (parent)
1613 parent->sk_data_ready(parent);
1614
1615 release_sock(sk);
1616}
1617
1618static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1619{
1620 struct sock *parent, *sk = chan->data;
1621
1622 lock_sock(sk);
1623
1624 parent = bt_sk(sk)->parent;
1625 if (parent)
1626 parent->sk_data_ready(parent);
1627
1628 release_sock(sk);
1629}
1630
1631static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1632{
1633 struct sock *sk = chan->data;
1634
1635 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1636 sk->sk_state = BT_CONNECTED;
1637 chan->state = BT_CONNECTED;
1638 }
1639
1640 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1641 sk->sk_state_change(sk);
1642}
1643
1644static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1645{
1646 struct sock *sk = chan->data;
1647
1648 lock_sock(sk);
1649 sk->sk_shutdown = SHUTDOWN_MASK;
1650 release_sock(sk);
1651}
1652
1653static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1654{
1655 struct sock *sk = chan->data;
1656
1657 return sk->sk_sndtimeo;
1658}
1659
1660static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan)
1661{
1662 struct sock *sk = chan->data;
1663
1664 return sk->sk_peer_pid;
1665}
1666
1667static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1668{
1669 struct sock *sk = chan->data;
1670
1671 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1672 sk->sk_state_change(sk);
1673}
1674
1675static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
1676{
1677 struct sock *sk = chan->data;
1678
1679 switch (chan->mode) {
1680 case L2CAP_MODE_ERTM:
1681 case L2CAP_MODE_STREAMING:
1682 return sk_filter(sk, skb);
1683 }
1684
1685 return 0;
1686}
1687
1688static const struct l2cap_ops l2cap_chan_ops = {
1689 .name = "L2CAP Socket Interface",
1690 .new_connection = l2cap_sock_new_connection_cb,
1691 .recv = l2cap_sock_recv_cb,
1692 .close = l2cap_sock_close_cb,
1693 .teardown = l2cap_sock_teardown_cb,
1694 .state_change = l2cap_sock_state_change_cb,
1695 .ready = l2cap_sock_ready_cb,
1696 .defer = l2cap_sock_defer_cb,
1697 .resume = l2cap_sock_resume_cb,
1698 .suspend = l2cap_sock_suspend_cb,
1699 .set_shutdown = l2cap_sock_set_shutdown_cb,
1700 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1701 .get_peer_pid = l2cap_sock_get_peer_pid_cb,
1702 .alloc_skb = l2cap_sock_alloc_skb_cb,
1703 .filter = l2cap_sock_filter,
1704};
1705
1706static void l2cap_sock_destruct(struct sock *sk)
1707{
1708 BT_DBG("sk %p", sk);
1709
1710 if (l2cap_pi(sk)->chan)
1711 l2cap_chan_put(l2cap_pi(sk)->chan);
1712
1713 if (l2cap_pi(sk)->rx_busy_skb) {
1714 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1715 l2cap_pi(sk)->rx_busy_skb = NULL;
1716 }
1717
1718 skb_queue_purge(&sk->sk_receive_queue);
1719 skb_queue_purge(&sk->sk_write_queue);
1720}
1721
1722static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1723 int *msg_namelen)
1724{
1725 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1726
1727 memset(la, 0, sizeof(struct sockaddr_l2));
1728 la->l2_family = AF_BLUETOOTH;
1729 la->l2_psm = bt_cb(skb)->l2cap.psm;
1730 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1731
1732 *msg_namelen = sizeof(struct sockaddr_l2);
1733}
1734
1735static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1736{
1737 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1738
1739 BT_DBG("sk %p", sk);
1740
1741 if (parent) {
1742 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1743
1744 sk->sk_type = parent->sk_type;
1745 bt_sk(sk)->flags = bt_sk(parent)->flags;
1746
1747 chan->chan_type = pchan->chan_type;
1748 chan->imtu = pchan->imtu;
1749 chan->omtu = pchan->omtu;
1750 chan->conf_state = pchan->conf_state;
1751 chan->mode = pchan->mode;
1752 chan->fcs = pchan->fcs;
1753 chan->max_tx = pchan->max_tx;
1754 chan->tx_win = pchan->tx_win;
1755 chan->tx_win_max = pchan->tx_win_max;
1756 chan->sec_level = pchan->sec_level;
1757 chan->flags = pchan->flags;
1758 chan->tx_credits = pchan->tx_credits;
1759 chan->rx_credits = pchan->rx_credits;
1760
1761 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1762 chan->scid = pchan->scid;
1763 chan->dcid = pchan->scid;
1764 }
1765
1766 security_sk_clone(parent, sk);
1767 } else {
1768 switch (sk->sk_type) {
1769 case SOCK_RAW:
1770 chan->chan_type = L2CAP_CHAN_RAW;
1771 break;
1772 case SOCK_DGRAM:
1773 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1774 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1775 break;
1776 case SOCK_SEQPACKET:
1777 case SOCK_STREAM:
1778 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1779 break;
1780 }
1781
1782 chan->imtu = L2CAP_DEFAULT_MTU;
1783 chan->omtu = 0;
1784 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1785 chan->mode = L2CAP_MODE_ERTM;
1786 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1787 } else {
1788 chan->mode = L2CAP_MODE_BASIC;
1789 }
1790
1791 l2cap_chan_set_defaults(chan);
1792 }
1793
1794 /* Default config options */
1795 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1796
1797 chan->data = sk;
1798 chan->ops = &l2cap_chan_ops;
1799}
1800
1801static struct proto l2cap_proto = {
1802 .name = "L2CAP",
1803 .owner = THIS_MODULE,
1804 .obj_size = sizeof(struct l2cap_pinfo)
1805};
1806
1807static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1808 int proto, gfp_t prio, int kern)
1809{
1810 struct sock *sk;
1811 struct l2cap_chan *chan;
1812
1813 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern);
1814 if (!sk)
1815 return NULL;
1816
1817 sock_init_data(sock, sk);
1818 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1819
1820 sk->sk_destruct = l2cap_sock_destruct;
1821 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1822
1823 sock_reset_flag(sk, SOCK_ZAPPED);
1824
1825 sk->sk_protocol = proto;
1826 sk->sk_state = BT_OPEN;
1827
1828 chan = l2cap_chan_create();
1829 if (!chan) {
1830 sk_free(sk);
1831 return NULL;
1832 }
1833
1834 l2cap_chan_hold(chan);
1835
1836 l2cap_pi(sk)->chan = chan;
1837
1838 return sk;
1839}
1840
1841static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1842 int kern)
1843{
1844 struct sock *sk;
1845
1846 BT_DBG("sock %p", sock);
1847
1848 sock->state = SS_UNCONNECTED;
1849
1850 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1851 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1852 return -ESOCKTNOSUPPORT;
1853
1854 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1855 return -EPERM;
1856
1857 sock->ops = &l2cap_sock_ops;
1858
1859 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1860 if (!sk)
1861 return -ENOMEM;
1862
1863 l2cap_sock_init(sk, NULL);
1864 bt_sock_link(&l2cap_sk_list, sk);
1865 return 0;
1866}
1867
1868static const struct proto_ops l2cap_sock_ops = {
1869 .family = PF_BLUETOOTH,
1870 .owner = THIS_MODULE,
1871 .release = l2cap_sock_release,
1872 .bind = l2cap_sock_bind,
1873 .connect = l2cap_sock_connect,
1874 .listen = l2cap_sock_listen,
1875 .accept = l2cap_sock_accept,
1876 .getname = l2cap_sock_getname,
1877 .sendmsg = l2cap_sock_sendmsg,
1878 .recvmsg = l2cap_sock_recvmsg,
1879 .poll = bt_sock_poll,
1880 .ioctl = bt_sock_ioctl,
1881 .gettstamp = sock_gettstamp,
1882 .mmap = sock_no_mmap,
1883 .socketpair = sock_no_socketpair,
1884 .shutdown = l2cap_sock_shutdown,
1885 .setsockopt = l2cap_sock_setsockopt,
1886 .getsockopt = l2cap_sock_getsockopt
1887};
1888
1889static const struct net_proto_family l2cap_sock_family_ops = {
1890 .family = PF_BLUETOOTH,
1891 .owner = THIS_MODULE,
1892 .create = l2cap_sock_create,
1893};
1894
1895int __init l2cap_init_sockets(void)
1896{
1897 int err;
1898
1899 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1900
1901 err = proto_register(&l2cap_proto, 0);
1902 if (err < 0)
1903 return err;
1904
1905 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1906 if (err < 0) {
1907 BT_ERR("L2CAP socket registration failed");
1908 goto error;
1909 }
1910
1911 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1912 NULL);
1913 if (err < 0) {
1914 BT_ERR("Failed to create L2CAP proc file");
1915 bt_sock_unregister(BTPROTO_L2CAP);
1916 goto error;
1917 }
1918
1919 BT_INFO("L2CAP socket layer initialized");
1920
1921 return 0;
1922
1923error:
1924 proto_unregister(&l2cap_proto);
1925 return err;
1926}
1927
1928void l2cap_cleanup_sockets(void)
1929{
1930 bt_procfs_cleanup(&init_net, "l2cap");
1931 bt_sock_unregister(BTPROTO_L2CAP);
1932 proto_unregister(&l2cap_proto);
1933}