Loading...
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
26*/
27
28/* Bluetooth L2CAP sockets. */
29
30#include <linux/module.h>
31#include <linux/export.h>
32#include <linux/filter.h>
33#include <linux/sched/signal.h>
34
35#include <net/bluetooth/bluetooth.h>
36#include <net/bluetooth/hci_core.h>
37#include <net/bluetooth/l2cap.h>
38
39#include "smp.h"
40
41static struct bt_sock_list l2cap_sk_list = {
42 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
43};
44
45static const struct proto_ops l2cap_sock_ops;
46static void l2cap_sock_init(struct sock *sk, struct sock *parent);
47static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
48 int proto, gfp_t prio, int kern);
49static void l2cap_sock_cleanup_listen(struct sock *parent);
50
51bool l2cap_is_socket(struct socket *sock)
52{
53 return sock && sock->ops == &l2cap_sock_ops;
54}
55EXPORT_SYMBOL(l2cap_is_socket);
56
57static int l2cap_validate_bredr_psm(u16 psm)
58{
59 /* PSM must be odd and lsb of upper byte must be 0 */
60 if ((psm & 0x0101) != 0x0001)
61 return -EINVAL;
62
63 /* Restrict usage of well-known PSMs */
64 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
65 return -EACCES;
66
67 return 0;
68}
69
70static int l2cap_validate_le_psm(u16 psm)
71{
72 /* Valid LE_PSM ranges are defined only until 0x00ff */
73 if (psm > L2CAP_PSM_LE_DYN_END)
74 return -EINVAL;
75
76 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
77 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
78 return -EACCES;
79
80 return 0;
81}
82
83static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
84{
85 struct sock *sk = sock->sk;
86 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
87 struct sockaddr_l2 la;
88 int len, err = 0;
89
90 BT_DBG("sk %p", sk);
91
92 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
93 addr->sa_family != AF_BLUETOOTH)
94 return -EINVAL;
95
96 memset(&la, 0, sizeof(la));
97 len = min_t(unsigned int, sizeof(la), alen);
98 memcpy(&la, addr, len);
99
100 if (la.l2_cid && la.l2_psm)
101 return -EINVAL;
102
103 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
104 return -EINVAL;
105
106 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
107 /* We only allow ATT user space socket */
108 if (la.l2_cid &&
109 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
110 return -EINVAL;
111 }
112
113 lock_sock(sk);
114
115 if (sk->sk_state != BT_OPEN) {
116 err = -EBADFD;
117 goto done;
118 }
119
120 if (la.l2_psm) {
121 __u16 psm = __le16_to_cpu(la.l2_psm);
122
123 if (la.l2_bdaddr_type == BDADDR_BREDR)
124 err = l2cap_validate_bredr_psm(psm);
125 else
126 err = l2cap_validate_le_psm(psm);
127
128 if (err)
129 goto done;
130 }
131
132 bacpy(&chan->src, &la.l2_bdaddr);
133 chan->src_type = la.l2_bdaddr_type;
134
135 if (la.l2_cid)
136 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
137 else
138 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
139
140 if (err < 0)
141 goto done;
142
143 switch (chan->chan_type) {
144 case L2CAP_CHAN_CONN_LESS:
145 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
146 chan->sec_level = BT_SECURITY_SDP;
147 break;
148 case L2CAP_CHAN_CONN_ORIENTED:
149 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
150 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
151 chan->sec_level = BT_SECURITY_SDP;
152 break;
153 case L2CAP_CHAN_RAW:
154 chan->sec_level = BT_SECURITY_SDP;
155 break;
156 case L2CAP_CHAN_FIXED:
157 /* Fixed channels default to the L2CAP core not holding a
158 * hci_conn reference for them. For fixed channels mapping to
159 * L2CAP sockets we do want to hold a reference so set the
160 * appropriate flag to request it.
161 */
162 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
163 break;
164 }
165
166 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
167 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
168 */
169 if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
170 chan->mode != L2CAP_MODE_EXT_FLOWCTL)
171 chan->mode = L2CAP_MODE_LE_FLOWCTL;
172
173 chan->state = BT_BOUND;
174 sk->sk_state = BT_BOUND;
175
176done:
177 release_sock(sk);
178 return err;
179}
180
181static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
182 int alen, int flags)
183{
184 struct sock *sk = sock->sk;
185 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
186 struct sockaddr_l2 la;
187 int len, err = 0;
188 bool zapped;
189
190 BT_DBG("sk %p", sk);
191
192 lock_sock(sk);
193 zapped = sock_flag(sk, SOCK_ZAPPED);
194 release_sock(sk);
195
196 if (zapped)
197 return -EINVAL;
198
199 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
200 addr->sa_family != AF_BLUETOOTH)
201 return -EINVAL;
202
203 memset(&la, 0, sizeof(la));
204 len = min_t(unsigned int, sizeof(la), alen);
205 memcpy(&la, addr, len);
206
207 if (la.l2_cid && la.l2_psm)
208 return -EINVAL;
209
210 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
211 return -EINVAL;
212
213 /* Check that the socket wasn't bound to something that
214 * conflicts with the address given to connect(). If chan->src
215 * is BDADDR_ANY it means bind() was never used, in which case
216 * chan->src_type and la.l2_bdaddr_type do not need to match.
217 */
218 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
219 bdaddr_type_is_le(la.l2_bdaddr_type)) {
220 /* Old user space versions will try to incorrectly bind
221 * the ATT socket using BDADDR_BREDR. We need to accept
222 * this and fix up the source address type only when
223 * both the source CID and destination CID indicate
224 * ATT. Anything else is an invalid combination.
225 */
226 if (chan->scid != L2CAP_CID_ATT ||
227 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
228 return -EINVAL;
229
230 /* We don't have the hdev available here to make a
231 * better decision on random vs public, but since all
232 * user space versions that exhibit this issue anyway do
233 * not support random local addresses assuming public
234 * here is good enough.
235 */
236 chan->src_type = BDADDR_LE_PUBLIC;
237 }
238
239 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
240 return -EINVAL;
241
242 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
243 /* We only allow ATT user space socket */
244 if (la.l2_cid &&
245 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
246 return -EINVAL;
247 }
248
249 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
250 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
251 */
252 if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
253 chan->mode != L2CAP_MODE_EXT_FLOWCTL)
254 chan->mode = L2CAP_MODE_LE_FLOWCTL;
255
256 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
257 &la.l2_bdaddr, la.l2_bdaddr_type,
258 sk->sk_sndtimeo);
259 if (err)
260 return err;
261
262 lock_sock(sk);
263
264 err = bt_sock_wait_state(sk, BT_CONNECTED,
265 sock_sndtimeo(sk, flags & O_NONBLOCK));
266
267 release_sock(sk);
268
269 return err;
270}
271
272static int l2cap_sock_listen(struct socket *sock, int backlog)
273{
274 struct sock *sk = sock->sk;
275 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
276 int err = 0;
277
278 BT_DBG("sk %p backlog %d", sk, backlog);
279
280 lock_sock(sk);
281
282 if (sk->sk_state != BT_BOUND) {
283 err = -EBADFD;
284 goto done;
285 }
286
287 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
288 err = -EINVAL;
289 goto done;
290 }
291
292 switch (chan->mode) {
293 case L2CAP_MODE_BASIC:
294 case L2CAP_MODE_LE_FLOWCTL:
295 break;
296 case L2CAP_MODE_EXT_FLOWCTL:
297 if (!enable_ecred) {
298 err = -EOPNOTSUPP;
299 goto done;
300 }
301 break;
302 case L2CAP_MODE_ERTM:
303 case L2CAP_MODE_STREAMING:
304 if (!disable_ertm)
305 break;
306 fallthrough;
307 default:
308 err = -EOPNOTSUPP;
309 goto done;
310 }
311
312 sk->sk_max_ack_backlog = backlog;
313 sk->sk_ack_backlog = 0;
314
315 /* Listening channels need to use nested locking in order not to
316 * cause lockdep warnings when the created child channels end up
317 * being locked in the same thread as the parent channel.
318 */
319 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
320
321 chan->state = BT_LISTEN;
322 sk->sk_state = BT_LISTEN;
323
324done:
325 release_sock(sk);
326 return err;
327}
328
329static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
330 struct proto_accept_arg *arg)
331{
332 DEFINE_WAIT_FUNC(wait, woken_wake_function);
333 struct sock *sk = sock->sk, *nsk;
334 long timeo;
335 int err = 0;
336
337 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
338
339 timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK);
340
341 BT_DBG("sk %p timeo %ld", sk, timeo);
342
343 /* Wait for an incoming connection. (wake-one). */
344 add_wait_queue_exclusive(sk_sleep(sk), &wait);
345 while (1) {
346 if (sk->sk_state != BT_LISTEN) {
347 err = -EBADFD;
348 break;
349 }
350
351 nsk = bt_accept_dequeue(sk, newsock);
352 if (nsk)
353 break;
354
355 if (!timeo) {
356 err = -EAGAIN;
357 break;
358 }
359
360 if (signal_pending(current)) {
361 err = sock_intr_errno(timeo);
362 break;
363 }
364
365 release_sock(sk);
366
367 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
368
369 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
370 }
371 remove_wait_queue(sk_sleep(sk), &wait);
372
373 if (err)
374 goto done;
375
376 newsock->state = SS_CONNECTED;
377
378 BT_DBG("new socket %p", nsk);
379
380done:
381 release_sock(sk);
382 return err;
383}
384
385static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
386 int peer)
387{
388 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
389 struct sock *sk = sock->sk;
390 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
391
392 BT_DBG("sock %p, sk %p", sock, sk);
393
394 if (peer && sk->sk_state != BT_CONNECTED &&
395 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
396 sk->sk_state != BT_CONFIG)
397 return -ENOTCONN;
398
399 memset(la, 0, sizeof(struct sockaddr_l2));
400 addr->sa_family = AF_BLUETOOTH;
401
402 la->l2_psm = chan->psm;
403
404 if (peer) {
405 bacpy(&la->l2_bdaddr, &chan->dst);
406 la->l2_cid = cpu_to_le16(chan->dcid);
407 la->l2_bdaddr_type = chan->dst_type;
408 } else {
409 bacpy(&la->l2_bdaddr, &chan->src);
410 la->l2_cid = cpu_to_le16(chan->scid);
411 la->l2_bdaddr_type = chan->src_type;
412 }
413
414 return sizeof(struct sockaddr_l2);
415}
416
417static int l2cap_get_mode(struct l2cap_chan *chan)
418{
419 switch (chan->mode) {
420 case L2CAP_MODE_BASIC:
421 return BT_MODE_BASIC;
422 case L2CAP_MODE_ERTM:
423 return BT_MODE_ERTM;
424 case L2CAP_MODE_STREAMING:
425 return BT_MODE_STREAMING;
426 case L2CAP_MODE_LE_FLOWCTL:
427 return BT_MODE_LE_FLOWCTL;
428 case L2CAP_MODE_EXT_FLOWCTL:
429 return BT_MODE_EXT_FLOWCTL;
430 }
431
432 return -EINVAL;
433}
434
435static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
436 char __user *optval, int __user *optlen)
437{
438 struct sock *sk = sock->sk;
439 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
440 struct l2cap_options opts;
441 struct l2cap_conninfo cinfo;
442 int err = 0;
443 size_t len;
444 u32 opt;
445
446 BT_DBG("sk %p", sk);
447
448 if (get_user(len, optlen))
449 return -EFAULT;
450
451 lock_sock(sk);
452
453 switch (optname) {
454 case L2CAP_OPTIONS:
455 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
456 * legacy ATT code depends on getsockopt for
457 * L2CAP_OPTIONS we need to let this pass.
458 */
459 if (bdaddr_type_is_le(chan->src_type) &&
460 chan->scid != L2CAP_CID_ATT) {
461 err = -EINVAL;
462 break;
463 }
464
465 /* Only BR/EDR modes are supported here */
466 switch (chan->mode) {
467 case L2CAP_MODE_BASIC:
468 case L2CAP_MODE_ERTM:
469 case L2CAP_MODE_STREAMING:
470 break;
471 default:
472 err = -EINVAL;
473 break;
474 }
475
476 if (err < 0)
477 break;
478
479 memset(&opts, 0, sizeof(opts));
480 opts.imtu = chan->imtu;
481 opts.omtu = chan->omtu;
482 opts.flush_to = chan->flush_to;
483 opts.mode = chan->mode;
484 opts.fcs = chan->fcs;
485 opts.max_tx = chan->max_tx;
486 opts.txwin_size = chan->tx_win;
487
488 BT_DBG("mode 0x%2.2x", chan->mode);
489
490 len = min(len, sizeof(opts));
491 if (copy_to_user(optval, (char *) &opts, len))
492 err = -EFAULT;
493
494 break;
495
496 case L2CAP_LM:
497 switch (chan->sec_level) {
498 case BT_SECURITY_LOW:
499 opt = L2CAP_LM_AUTH;
500 break;
501 case BT_SECURITY_MEDIUM:
502 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
503 break;
504 case BT_SECURITY_HIGH:
505 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
506 L2CAP_LM_SECURE;
507 break;
508 case BT_SECURITY_FIPS:
509 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
510 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
511 break;
512 default:
513 opt = 0;
514 break;
515 }
516
517 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
518 opt |= L2CAP_LM_MASTER;
519
520 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
521 opt |= L2CAP_LM_RELIABLE;
522
523 if (put_user(opt, (u32 __user *) optval))
524 err = -EFAULT;
525
526 break;
527
528 case L2CAP_CONNINFO:
529 if (sk->sk_state != BT_CONNECTED &&
530 !(sk->sk_state == BT_CONNECT2 &&
531 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
532 err = -ENOTCONN;
533 break;
534 }
535
536 memset(&cinfo, 0, sizeof(cinfo));
537 cinfo.hci_handle = chan->conn->hcon->handle;
538 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
539
540 len = min(len, sizeof(cinfo));
541 if (copy_to_user(optval, (char *) &cinfo, len))
542 err = -EFAULT;
543
544 break;
545
546 default:
547 err = -ENOPROTOOPT;
548 break;
549 }
550
551 release_sock(sk);
552 return err;
553}
554
555static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
556 char __user *optval, int __user *optlen)
557{
558 struct sock *sk = sock->sk;
559 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
560 struct bt_security sec;
561 struct bt_power pwr;
562 u32 phys;
563 int len, mode, err = 0;
564
565 BT_DBG("sk %p", sk);
566
567 if (level == SOL_L2CAP)
568 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
569
570 if (level != SOL_BLUETOOTH)
571 return -ENOPROTOOPT;
572
573 if (get_user(len, optlen))
574 return -EFAULT;
575
576 lock_sock(sk);
577
578 switch (optname) {
579 case BT_SECURITY:
580 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
581 chan->chan_type != L2CAP_CHAN_FIXED &&
582 chan->chan_type != L2CAP_CHAN_RAW) {
583 err = -EINVAL;
584 break;
585 }
586
587 memset(&sec, 0, sizeof(sec));
588 if (chan->conn) {
589 sec.level = chan->conn->hcon->sec_level;
590
591 if (sk->sk_state == BT_CONNECTED)
592 sec.key_size = chan->conn->hcon->enc_key_size;
593 } else {
594 sec.level = chan->sec_level;
595 }
596
597 len = min_t(unsigned int, len, sizeof(sec));
598 if (copy_to_user(optval, (char *) &sec, len))
599 err = -EFAULT;
600
601 break;
602
603 case BT_DEFER_SETUP:
604 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
605 err = -EINVAL;
606 break;
607 }
608
609 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
610 (u32 __user *) optval))
611 err = -EFAULT;
612
613 break;
614
615 case BT_FLUSHABLE:
616 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
617 (u32 __user *) optval))
618 err = -EFAULT;
619
620 break;
621
622 case BT_POWER:
623 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
624 && sk->sk_type != SOCK_RAW) {
625 err = -EINVAL;
626 break;
627 }
628
629 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
630
631 len = min_t(unsigned int, len, sizeof(pwr));
632 if (copy_to_user(optval, (char *) &pwr, len))
633 err = -EFAULT;
634
635 break;
636
637 case BT_CHANNEL_POLICY:
638 if (put_user(chan->chan_policy, (u32 __user *) optval))
639 err = -EFAULT;
640 break;
641
642 case BT_SNDMTU:
643 if (!bdaddr_type_is_le(chan->src_type)) {
644 err = -EINVAL;
645 break;
646 }
647
648 if (sk->sk_state != BT_CONNECTED) {
649 err = -ENOTCONN;
650 break;
651 }
652
653 if (put_user(chan->omtu, (u16 __user *) optval))
654 err = -EFAULT;
655 break;
656
657 case BT_RCVMTU:
658 if (!bdaddr_type_is_le(chan->src_type)) {
659 err = -EINVAL;
660 break;
661 }
662
663 if (put_user(chan->imtu, (u16 __user *) optval))
664 err = -EFAULT;
665 break;
666
667 case BT_PHY:
668 if (sk->sk_state != BT_CONNECTED) {
669 err = -ENOTCONN;
670 break;
671 }
672
673 phys = hci_conn_get_phy(chan->conn->hcon);
674
675 if (put_user(phys, (u32 __user *) optval))
676 err = -EFAULT;
677 break;
678
679 case BT_MODE:
680 if (!enable_ecred) {
681 err = -ENOPROTOOPT;
682 break;
683 }
684
685 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
686 err = -EINVAL;
687 break;
688 }
689
690 mode = l2cap_get_mode(chan);
691 if (mode < 0) {
692 err = mode;
693 break;
694 }
695
696 if (put_user(mode, (u8 __user *) optval))
697 err = -EFAULT;
698 break;
699
700 default:
701 err = -ENOPROTOOPT;
702 break;
703 }
704
705 release_sock(sk);
706 return err;
707}
708
709static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
710{
711 switch (chan->scid) {
712 case L2CAP_CID_ATT:
713 if (mtu && mtu < L2CAP_LE_MIN_MTU)
714 return false;
715 break;
716
717 default:
718 if (mtu && mtu < L2CAP_DEFAULT_MIN_MTU)
719 return false;
720 }
721
722 return true;
723}
724
725static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
726 sockptr_t optval, unsigned int optlen)
727{
728 struct sock *sk = sock->sk;
729 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
730 struct l2cap_options opts;
731 int err = 0;
732 u32 opt;
733
734 BT_DBG("sk %p", sk);
735
736 lock_sock(sk);
737
738 switch (optname) {
739 case L2CAP_OPTIONS:
740 if (bdaddr_type_is_le(chan->src_type)) {
741 err = -EINVAL;
742 break;
743 }
744
745 if (sk->sk_state == BT_CONNECTED) {
746 err = -EINVAL;
747 break;
748 }
749
750 opts.imtu = chan->imtu;
751 opts.omtu = chan->omtu;
752 opts.flush_to = chan->flush_to;
753 opts.mode = chan->mode;
754 opts.fcs = chan->fcs;
755 opts.max_tx = chan->max_tx;
756 opts.txwin_size = chan->tx_win;
757
758 err = copy_safe_from_sockptr(&opts, sizeof(opts), optval,
759 optlen);
760 if (err)
761 break;
762
763 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
764 err = -EINVAL;
765 break;
766 }
767
768 if (!l2cap_valid_mtu(chan, opts.imtu)) {
769 err = -EINVAL;
770 break;
771 }
772
773 /* Only BR/EDR modes are supported here */
774 switch (opts.mode) {
775 case L2CAP_MODE_BASIC:
776 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
777 break;
778 case L2CAP_MODE_ERTM:
779 case L2CAP_MODE_STREAMING:
780 if (!disable_ertm)
781 break;
782 fallthrough;
783 default:
784 err = -EINVAL;
785 break;
786 }
787
788 if (err < 0)
789 break;
790
791 chan->mode = opts.mode;
792
793 BT_DBG("mode 0x%2.2x", chan->mode);
794
795 chan->imtu = opts.imtu;
796 chan->omtu = opts.omtu;
797 chan->fcs = opts.fcs;
798 chan->max_tx = opts.max_tx;
799 chan->tx_win = opts.txwin_size;
800 chan->flush_to = opts.flush_to;
801 break;
802
803 case L2CAP_LM:
804 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
805 if (err)
806 break;
807
808 if (opt & L2CAP_LM_FIPS) {
809 err = -EINVAL;
810 break;
811 }
812
813 if (opt & L2CAP_LM_AUTH)
814 chan->sec_level = BT_SECURITY_LOW;
815 if (opt & L2CAP_LM_ENCRYPT)
816 chan->sec_level = BT_SECURITY_MEDIUM;
817 if (opt & L2CAP_LM_SECURE)
818 chan->sec_level = BT_SECURITY_HIGH;
819
820 if (opt & L2CAP_LM_MASTER)
821 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
822 else
823 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
824
825 if (opt & L2CAP_LM_RELIABLE)
826 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
827 else
828 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
829 break;
830
831 default:
832 err = -ENOPROTOOPT;
833 break;
834 }
835
836 release_sock(sk);
837 return err;
838}
839
840static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode)
841{
842 switch (mode) {
843 case BT_MODE_BASIC:
844 if (bdaddr_type_is_le(chan->src_type))
845 return -EINVAL;
846 mode = L2CAP_MODE_BASIC;
847 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
848 break;
849 case BT_MODE_ERTM:
850 if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
851 return -EINVAL;
852 mode = L2CAP_MODE_ERTM;
853 break;
854 case BT_MODE_STREAMING:
855 if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
856 return -EINVAL;
857 mode = L2CAP_MODE_STREAMING;
858 break;
859 case BT_MODE_LE_FLOWCTL:
860 if (!bdaddr_type_is_le(chan->src_type))
861 return -EINVAL;
862 mode = L2CAP_MODE_LE_FLOWCTL;
863 break;
864 case BT_MODE_EXT_FLOWCTL:
865 /* TODO: Add support for ECRED PDUs to BR/EDR */
866 if (!bdaddr_type_is_le(chan->src_type))
867 return -EINVAL;
868 mode = L2CAP_MODE_EXT_FLOWCTL;
869 break;
870 default:
871 return -EINVAL;
872 }
873
874 chan->mode = mode;
875
876 return 0;
877}
878
879static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
880 sockptr_t optval, unsigned int optlen)
881{
882 struct sock *sk = sock->sk;
883 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
884 struct bt_security sec;
885 struct bt_power pwr;
886 struct l2cap_conn *conn;
887 int err = 0;
888 u32 opt;
889 u16 mtu;
890 u8 mode;
891
892 BT_DBG("sk %p", sk);
893
894 if (level == SOL_L2CAP)
895 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
896
897 if (level != SOL_BLUETOOTH)
898 return -ENOPROTOOPT;
899
900 lock_sock(sk);
901
902 switch (optname) {
903 case BT_SECURITY:
904 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
905 chan->chan_type != L2CAP_CHAN_FIXED &&
906 chan->chan_type != L2CAP_CHAN_RAW) {
907 err = -EINVAL;
908 break;
909 }
910
911 sec.level = BT_SECURITY_LOW;
912
913 err = copy_safe_from_sockptr(&sec, sizeof(sec), optval, optlen);
914 if (err)
915 break;
916
917 if (sec.level < BT_SECURITY_LOW ||
918 sec.level > BT_SECURITY_FIPS) {
919 err = -EINVAL;
920 break;
921 }
922
923 chan->sec_level = sec.level;
924
925 if (!chan->conn)
926 break;
927
928 conn = chan->conn;
929
930 /* change security for LE channels */
931 if (chan->scid == L2CAP_CID_ATT) {
932 if (smp_conn_security(conn->hcon, sec.level)) {
933 err = -EINVAL;
934 break;
935 }
936
937 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
938 sk->sk_state = BT_CONFIG;
939 chan->state = BT_CONFIG;
940
941 /* or for ACL link */
942 } else if ((sk->sk_state == BT_CONNECT2 &&
943 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
944 sk->sk_state == BT_CONNECTED) {
945 if (!l2cap_chan_check_security(chan, true))
946 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
947 else
948 sk->sk_state_change(sk);
949 } else {
950 err = -EINVAL;
951 }
952 break;
953
954 case BT_DEFER_SETUP:
955 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
956 err = -EINVAL;
957 break;
958 }
959
960 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
961 if (err)
962 break;
963
964 if (opt) {
965 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
966 set_bit(FLAG_DEFER_SETUP, &chan->flags);
967 } else {
968 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
969 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
970 }
971 break;
972
973 case BT_FLUSHABLE:
974 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
975 if (err)
976 break;
977
978 if (opt > BT_FLUSHABLE_ON) {
979 err = -EINVAL;
980 break;
981 }
982
983 if (opt == BT_FLUSHABLE_OFF) {
984 conn = chan->conn;
985 /* proceed further only when we have l2cap_conn and
986 No Flush support in the LM */
987 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
988 err = -EINVAL;
989 break;
990 }
991 }
992
993 if (opt)
994 set_bit(FLAG_FLUSHABLE, &chan->flags);
995 else
996 clear_bit(FLAG_FLUSHABLE, &chan->flags);
997 break;
998
999 case BT_POWER:
1000 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
1001 chan->chan_type != L2CAP_CHAN_RAW) {
1002 err = -EINVAL;
1003 break;
1004 }
1005
1006 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
1007
1008 err = copy_safe_from_sockptr(&pwr, sizeof(pwr), optval, optlen);
1009 if (err)
1010 break;
1011
1012 if (pwr.force_active)
1013 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1014 else
1015 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1016 break;
1017
1018 case BT_CHANNEL_POLICY:
1019 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
1020 if (err)
1021 break;
1022
1023 err = -EOPNOTSUPP;
1024 break;
1025
1026 case BT_SNDMTU:
1027 if (!bdaddr_type_is_le(chan->src_type)) {
1028 err = -EINVAL;
1029 break;
1030 }
1031
1032 /* Setting is not supported as it's the remote side that
1033 * decides this.
1034 */
1035 err = -EPERM;
1036 break;
1037
1038 case BT_RCVMTU:
1039 if (!bdaddr_type_is_le(chan->src_type)) {
1040 err = -EINVAL;
1041 break;
1042 }
1043
1044 if (chan->mode == L2CAP_MODE_LE_FLOWCTL &&
1045 sk->sk_state == BT_CONNECTED) {
1046 err = -EISCONN;
1047 break;
1048 }
1049
1050 err = copy_safe_from_sockptr(&mtu, sizeof(mtu), optval, optlen);
1051 if (err)
1052 break;
1053
1054 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
1055 sk->sk_state == BT_CONNECTED)
1056 err = l2cap_chan_reconfigure(chan, mtu);
1057 else
1058 chan->imtu = mtu;
1059
1060 break;
1061
1062 case BT_MODE:
1063 if (!enable_ecred) {
1064 err = -ENOPROTOOPT;
1065 break;
1066 }
1067
1068 BT_DBG("sk->sk_state %u", sk->sk_state);
1069
1070 if (sk->sk_state != BT_BOUND) {
1071 err = -EINVAL;
1072 break;
1073 }
1074
1075 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1076 err = -EINVAL;
1077 break;
1078 }
1079
1080 err = copy_safe_from_sockptr(&mode, sizeof(mode), optval,
1081 optlen);
1082 if (err)
1083 break;
1084
1085 BT_DBG("mode %u", mode);
1086
1087 err = l2cap_set_mode(chan, mode);
1088 if (err)
1089 break;
1090
1091 BT_DBG("mode 0x%2.2x", chan->mode);
1092
1093 break;
1094
1095 default:
1096 err = -ENOPROTOOPT;
1097 break;
1098 }
1099
1100 release_sock(sk);
1101 return err;
1102}
1103
1104static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1105 size_t len)
1106{
1107 struct sock *sk = sock->sk;
1108 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1109 int err;
1110
1111 BT_DBG("sock %p, sk %p", sock, sk);
1112
1113 err = sock_error(sk);
1114 if (err)
1115 return err;
1116
1117 if (msg->msg_flags & MSG_OOB)
1118 return -EOPNOTSUPP;
1119
1120 if (sk->sk_state != BT_CONNECTED)
1121 return -ENOTCONN;
1122
1123 lock_sock(sk);
1124 err = bt_sock_wait_ready(sk, msg->msg_flags);
1125 release_sock(sk);
1126 if (err)
1127 return err;
1128
1129 l2cap_chan_lock(chan);
1130 err = l2cap_chan_send(chan, msg, len);
1131 l2cap_chan_unlock(chan);
1132
1133 return err;
1134}
1135
1136static void l2cap_publish_rx_avail(struct l2cap_chan *chan)
1137{
1138 struct sock *sk = chan->data;
1139 ssize_t avail = sk->sk_rcvbuf - atomic_read(&sk->sk_rmem_alloc);
1140 int expected_skbs, skb_overhead;
1141
1142 if (avail <= 0) {
1143 l2cap_chan_rx_avail(chan, 0);
1144 return;
1145 }
1146
1147 if (!chan->mps) {
1148 l2cap_chan_rx_avail(chan, -1);
1149 return;
1150 }
1151
1152 /* Correct available memory by estimated sk_buff overhead.
1153 * This is significant due to small transfer sizes. However, accept
1154 * at least one full packet if receive space is non-zero.
1155 */
1156 expected_skbs = DIV_ROUND_UP(avail, chan->mps);
1157 skb_overhead = expected_skbs * sizeof(struct sk_buff);
1158 if (skb_overhead < avail)
1159 l2cap_chan_rx_avail(chan, avail - skb_overhead);
1160 else
1161 l2cap_chan_rx_avail(chan, -1);
1162}
1163
1164static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1165 size_t len, int flags)
1166{
1167 struct sock *sk = sock->sk;
1168 struct l2cap_pinfo *pi = l2cap_pi(sk);
1169 int err;
1170
1171 lock_sock(sk);
1172
1173 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
1174 &bt_sk(sk)->flags)) {
1175 if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
1176 sk->sk_state = BT_CONNECTED;
1177 pi->chan->state = BT_CONNECTED;
1178 __l2cap_ecred_conn_rsp_defer(pi->chan);
1179 } else if (bdaddr_type_is_le(pi->chan->src_type)) {
1180 sk->sk_state = BT_CONNECTED;
1181 pi->chan->state = BT_CONNECTED;
1182 __l2cap_le_connect_rsp_defer(pi->chan);
1183 } else {
1184 sk->sk_state = BT_CONFIG;
1185 pi->chan->state = BT_CONFIG;
1186 __l2cap_connect_rsp_defer(pi->chan);
1187 }
1188
1189 err = 0;
1190 goto done;
1191 }
1192
1193 release_sock(sk);
1194
1195 if (sock->type == SOCK_STREAM)
1196 err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1197 else
1198 err = bt_sock_recvmsg(sock, msg, len, flags);
1199
1200 if (pi->chan->mode != L2CAP_MODE_ERTM &&
1201 pi->chan->mode != L2CAP_MODE_LE_FLOWCTL &&
1202 pi->chan->mode != L2CAP_MODE_EXT_FLOWCTL)
1203 return err;
1204
1205 lock_sock(sk);
1206
1207 l2cap_publish_rx_avail(pi->chan);
1208
1209 /* Attempt to put pending rx data in the socket buffer */
1210 while (!list_empty(&pi->rx_busy)) {
1211 struct l2cap_rx_busy *rx_busy =
1212 list_first_entry(&pi->rx_busy,
1213 struct l2cap_rx_busy,
1214 list);
1215 if (__sock_queue_rcv_skb(sk, rx_busy->skb) < 0)
1216 goto done;
1217 list_del(&rx_busy->list);
1218 kfree(rx_busy);
1219 }
1220
1221 /* Restore data flow when half of the receive buffer is
1222 * available. This avoids resending large numbers of
1223 * frames.
1224 */
1225 if (test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state) &&
1226 atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1227 l2cap_chan_busy(pi->chan, 0);
1228
1229done:
1230 release_sock(sk);
1231 return err;
1232}
1233
1234/* Kill socket (only if zapped and orphan)
1235 * Must be called on unlocked socket, with l2cap channel lock.
1236 */
1237static void l2cap_sock_kill(struct sock *sk)
1238{
1239 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1240 return;
1241
1242 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1243
1244 /* Sock is dead, so set chan data to NULL, avoid other task use invalid
1245 * sock pointer.
1246 */
1247 l2cap_pi(sk)->chan->data = NULL;
1248 /* Kill poor orphan */
1249
1250 l2cap_chan_put(l2cap_pi(sk)->chan);
1251 sock_set_flag(sk, SOCK_DEAD);
1252 sock_put(sk);
1253}
1254
1255static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1256{
1257 DECLARE_WAITQUEUE(wait, current);
1258 int err = 0;
1259 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1260 /* Timeout to prevent infinite loop */
1261 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1262
1263 add_wait_queue(sk_sleep(sk), &wait);
1264 set_current_state(TASK_INTERRUPTIBLE);
1265 do {
1266 BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1267 chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1268 jiffies_to_msecs(timeout - jiffies));
1269
1270 if (!timeo)
1271 timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1272
1273 if (signal_pending(current)) {
1274 err = sock_intr_errno(timeo);
1275 break;
1276 }
1277
1278 release_sock(sk);
1279 timeo = schedule_timeout(timeo);
1280 lock_sock(sk);
1281 set_current_state(TASK_INTERRUPTIBLE);
1282
1283 err = sock_error(sk);
1284 if (err)
1285 break;
1286
1287 if (time_after(jiffies, timeout)) {
1288 err = -ENOLINK;
1289 break;
1290 }
1291
1292 } while (chan->unacked_frames > 0 &&
1293 chan->state == BT_CONNECTED);
1294
1295 set_current_state(TASK_RUNNING);
1296 remove_wait_queue(sk_sleep(sk), &wait);
1297 return err;
1298}
1299
1300static int l2cap_sock_shutdown(struct socket *sock, int how)
1301{
1302 struct sock *sk = sock->sk;
1303 struct l2cap_chan *chan;
1304 struct l2cap_conn *conn;
1305 int err = 0;
1306
1307 BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1308
1309 /* 'how' parameter is mapped to sk_shutdown as follows:
1310 * SHUT_RD (0) --> RCV_SHUTDOWN (1)
1311 * SHUT_WR (1) --> SEND_SHUTDOWN (2)
1312 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3)
1313 */
1314 how++;
1315
1316 if (!sk)
1317 return 0;
1318
1319 lock_sock(sk);
1320
1321 if ((sk->sk_shutdown & how) == how)
1322 goto shutdown_already;
1323
1324 BT_DBG("Handling sock shutdown");
1325
1326 /* prevent sk structure from being freed whilst unlocked */
1327 sock_hold(sk);
1328
1329 chan = l2cap_pi(sk)->chan;
1330 /* prevent chan structure from being freed whilst unlocked */
1331 l2cap_chan_hold(chan);
1332
1333 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1334
1335 if (chan->mode == L2CAP_MODE_ERTM &&
1336 chan->unacked_frames > 0 &&
1337 chan->state == BT_CONNECTED) {
1338 err = __l2cap_wait_ack(sk, chan);
1339
1340 /* After waiting for ACKs, check whether shutdown
1341 * has already been actioned to close the L2CAP
1342 * link such as by l2cap_disconnection_req().
1343 */
1344 if ((sk->sk_shutdown & how) == how)
1345 goto shutdown_matched;
1346 }
1347
1348 /* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN
1349 * is already set
1350 */
1351 if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) {
1352 sk->sk_shutdown |= RCV_SHUTDOWN;
1353 if ((sk->sk_shutdown & how) == how)
1354 goto shutdown_matched;
1355 }
1356
1357 sk->sk_shutdown |= SEND_SHUTDOWN;
1358 release_sock(sk);
1359
1360 l2cap_chan_lock(chan);
1361 conn = chan->conn;
1362 if (conn)
1363 /* prevent conn structure from being freed */
1364 l2cap_conn_get(conn);
1365 l2cap_chan_unlock(chan);
1366
1367 if (conn)
1368 /* mutex lock must be taken before l2cap_chan_lock() */
1369 mutex_lock(&conn->chan_lock);
1370
1371 l2cap_chan_lock(chan);
1372 l2cap_chan_close(chan, 0);
1373 l2cap_chan_unlock(chan);
1374
1375 if (conn) {
1376 mutex_unlock(&conn->chan_lock);
1377 l2cap_conn_put(conn);
1378 }
1379
1380 lock_sock(sk);
1381
1382 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1383 !(current->flags & PF_EXITING))
1384 err = bt_sock_wait_state(sk, BT_CLOSED,
1385 sk->sk_lingertime);
1386
1387shutdown_matched:
1388 l2cap_chan_put(chan);
1389 sock_put(sk);
1390
1391shutdown_already:
1392 if (!err && sk->sk_err)
1393 err = -sk->sk_err;
1394
1395 release_sock(sk);
1396
1397 BT_DBG("Sock shutdown complete err: %d", err);
1398
1399 return err;
1400}
1401
1402static int l2cap_sock_release(struct socket *sock)
1403{
1404 struct sock *sk = sock->sk;
1405 int err;
1406 struct l2cap_chan *chan;
1407
1408 BT_DBG("sock %p, sk %p", sock, sk);
1409
1410 if (!sk)
1411 return 0;
1412
1413 l2cap_sock_cleanup_listen(sk);
1414 bt_sock_unlink(&l2cap_sk_list, sk);
1415
1416 err = l2cap_sock_shutdown(sock, SHUT_RDWR);
1417 chan = l2cap_pi(sk)->chan;
1418
1419 l2cap_chan_hold(chan);
1420 l2cap_chan_lock(chan);
1421
1422 sock_orphan(sk);
1423 l2cap_sock_kill(sk);
1424
1425 l2cap_chan_unlock(chan);
1426 l2cap_chan_put(chan);
1427
1428 return err;
1429}
1430
1431static void l2cap_sock_cleanup_listen(struct sock *parent)
1432{
1433 struct sock *sk;
1434
1435 BT_DBG("parent %p state %s", parent,
1436 state_to_string(parent->sk_state));
1437
1438 /* Close not yet accepted channels */
1439 while ((sk = bt_accept_dequeue(parent, NULL))) {
1440 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1441
1442 BT_DBG("child chan %p state %s", chan,
1443 state_to_string(chan->state));
1444
1445 l2cap_chan_hold(chan);
1446 l2cap_chan_lock(chan);
1447
1448 __clear_chan_timer(chan);
1449 l2cap_chan_close(chan, ECONNRESET);
1450 l2cap_sock_kill(sk);
1451
1452 l2cap_chan_unlock(chan);
1453 l2cap_chan_put(chan);
1454 }
1455}
1456
1457static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1458{
1459 struct sock *sk, *parent = chan->data;
1460
1461 lock_sock(parent);
1462
1463 /* Check for backlog size */
1464 if (sk_acceptq_is_full(parent)) {
1465 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1466 release_sock(parent);
1467 return NULL;
1468 }
1469
1470 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1471 GFP_ATOMIC, 0);
1472 if (!sk) {
1473 release_sock(parent);
1474 return NULL;
1475 }
1476
1477 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1478
1479 l2cap_sock_init(sk, parent);
1480
1481 bt_accept_enqueue(parent, sk, false);
1482
1483 release_sock(parent);
1484
1485 return l2cap_pi(sk)->chan;
1486}
1487
1488static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1489{
1490 struct sock *sk;
1491 struct l2cap_pinfo *pi;
1492 int err;
1493
1494 sk = chan->data;
1495 if (!sk)
1496 return -ENXIO;
1497
1498 pi = l2cap_pi(sk);
1499 lock_sock(sk);
1500 if (chan->mode == L2CAP_MODE_ERTM && !list_empty(&pi->rx_busy)) {
1501 err = -ENOMEM;
1502 goto done;
1503 }
1504
1505 if (chan->mode != L2CAP_MODE_ERTM &&
1506 chan->mode != L2CAP_MODE_STREAMING &&
1507 chan->mode != L2CAP_MODE_LE_FLOWCTL &&
1508 chan->mode != L2CAP_MODE_EXT_FLOWCTL) {
1509 /* Even if no filter is attached, we could potentially
1510 * get errors from security modules, etc.
1511 */
1512 err = sk_filter(sk, skb);
1513 if (err)
1514 goto done;
1515 }
1516
1517 err = __sock_queue_rcv_skb(sk, skb);
1518
1519 l2cap_publish_rx_avail(chan);
1520
1521 /* For ERTM and LE, handle a skb that doesn't fit into the recv
1522 * buffer. This is important to do because the data frames
1523 * have already been acked, so the skb cannot be discarded.
1524 *
1525 * Notify the l2cap core that the buffer is full, so the
1526 * LOCAL_BUSY state is entered and no more frames are
1527 * acked and reassembled until there is buffer space
1528 * available.
1529 */
1530 if (err < 0 &&
1531 (chan->mode == L2CAP_MODE_ERTM ||
1532 chan->mode == L2CAP_MODE_LE_FLOWCTL ||
1533 chan->mode == L2CAP_MODE_EXT_FLOWCTL)) {
1534 struct l2cap_rx_busy *rx_busy =
1535 kmalloc(sizeof(*rx_busy), GFP_KERNEL);
1536 if (!rx_busy) {
1537 err = -ENOMEM;
1538 goto done;
1539 }
1540 rx_busy->skb = skb;
1541 list_add_tail(&rx_busy->list, &pi->rx_busy);
1542 l2cap_chan_busy(chan, 1);
1543 err = 0;
1544 }
1545
1546done:
1547 release_sock(sk);
1548
1549 return err;
1550}
1551
1552static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1553{
1554 struct sock *sk = chan->data;
1555
1556 if (!sk)
1557 return;
1558
1559 l2cap_sock_kill(sk);
1560}
1561
1562static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1563{
1564 struct sock *sk = chan->data;
1565 struct sock *parent;
1566
1567 if (!sk)
1568 return;
1569
1570 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1571
1572 /* This callback can be called both for server (BT_LISTEN)
1573 * sockets as well as "normal" ones. To avoid lockdep warnings
1574 * with child socket locking (through l2cap_sock_cleanup_listen)
1575 * we need separation into separate nesting levels. The simplest
1576 * way to accomplish this is to inherit the nesting level used
1577 * for the channel.
1578 */
1579 lock_sock_nested(sk, atomic_read(&chan->nesting));
1580
1581 parent = bt_sk(sk)->parent;
1582
1583 switch (chan->state) {
1584 case BT_OPEN:
1585 case BT_BOUND:
1586 case BT_CLOSED:
1587 break;
1588 case BT_LISTEN:
1589 l2cap_sock_cleanup_listen(sk);
1590 sk->sk_state = BT_CLOSED;
1591 chan->state = BT_CLOSED;
1592
1593 break;
1594 default:
1595 sk->sk_state = BT_CLOSED;
1596 chan->state = BT_CLOSED;
1597
1598 sk->sk_err = err;
1599
1600 if (parent) {
1601 bt_accept_unlink(sk);
1602 parent->sk_data_ready(parent);
1603 } else {
1604 sk->sk_state_change(sk);
1605 }
1606
1607 break;
1608 }
1609 release_sock(sk);
1610
1611 /* Only zap after cleanup to avoid use after free race */
1612 sock_set_flag(sk, SOCK_ZAPPED);
1613
1614}
1615
1616static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1617 int err)
1618{
1619 struct sock *sk = chan->data;
1620
1621 sk->sk_state = state;
1622
1623 if (err)
1624 sk->sk_err = err;
1625}
1626
1627static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1628 unsigned long hdr_len,
1629 unsigned long len, int nb)
1630{
1631 struct sock *sk = chan->data;
1632 struct sk_buff *skb;
1633 int err;
1634
1635 l2cap_chan_unlock(chan);
1636 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1637 l2cap_chan_lock(chan);
1638
1639 if (!skb)
1640 return ERR_PTR(err);
1641
1642 /* Channel lock is released before requesting new skb and then
1643 * reacquired thus we need to recheck channel state.
1644 */
1645 if (chan->state != BT_CONNECTED) {
1646 kfree_skb(skb);
1647 return ERR_PTR(-ENOTCONN);
1648 }
1649
1650 skb->priority = READ_ONCE(sk->sk_priority);
1651
1652 bt_cb(skb)->l2cap.chan = chan;
1653
1654 return skb;
1655}
1656
1657static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1658{
1659 struct sock *sk = chan->data;
1660 struct sock *parent;
1661
1662 lock_sock(sk);
1663
1664 parent = bt_sk(sk)->parent;
1665
1666 BT_DBG("sk %p, parent %p", sk, parent);
1667
1668 sk->sk_state = BT_CONNECTED;
1669 sk->sk_state_change(sk);
1670
1671 if (parent)
1672 parent->sk_data_ready(parent);
1673
1674 release_sock(sk);
1675}
1676
1677static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1678{
1679 struct sock *parent, *sk = chan->data;
1680
1681 lock_sock(sk);
1682
1683 parent = bt_sk(sk)->parent;
1684 if (parent)
1685 parent->sk_data_ready(parent);
1686
1687 release_sock(sk);
1688}
1689
1690static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1691{
1692 struct sock *sk = chan->data;
1693
1694 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1695 sk->sk_state = BT_CONNECTED;
1696 chan->state = BT_CONNECTED;
1697 }
1698
1699 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1700 sk->sk_state_change(sk);
1701}
1702
1703static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1704{
1705 struct sock *sk = chan->data;
1706
1707 lock_sock(sk);
1708 sk->sk_shutdown = SHUTDOWN_MASK;
1709 release_sock(sk);
1710}
1711
1712static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1713{
1714 struct sock *sk = chan->data;
1715
1716 return sk->sk_sndtimeo;
1717}
1718
1719static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan)
1720{
1721 struct sock *sk = chan->data;
1722
1723 return sk->sk_peer_pid;
1724}
1725
1726static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1727{
1728 struct sock *sk = chan->data;
1729
1730 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1731 sk->sk_state_change(sk);
1732}
1733
1734static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
1735{
1736 struct sock *sk = chan->data;
1737
1738 switch (chan->mode) {
1739 case L2CAP_MODE_ERTM:
1740 case L2CAP_MODE_STREAMING:
1741 return sk_filter(sk, skb);
1742 }
1743
1744 return 0;
1745}
1746
1747static const struct l2cap_ops l2cap_chan_ops = {
1748 .name = "L2CAP Socket Interface",
1749 .new_connection = l2cap_sock_new_connection_cb,
1750 .recv = l2cap_sock_recv_cb,
1751 .close = l2cap_sock_close_cb,
1752 .teardown = l2cap_sock_teardown_cb,
1753 .state_change = l2cap_sock_state_change_cb,
1754 .ready = l2cap_sock_ready_cb,
1755 .defer = l2cap_sock_defer_cb,
1756 .resume = l2cap_sock_resume_cb,
1757 .suspend = l2cap_sock_suspend_cb,
1758 .set_shutdown = l2cap_sock_set_shutdown_cb,
1759 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1760 .get_peer_pid = l2cap_sock_get_peer_pid_cb,
1761 .alloc_skb = l2cap_sock_alloc_skb_cb,
1762 .filter = l2cap_sock_filter,
1763};
1764
1765static void l2cap_sock_destruct(struct sock *sk)
1766{
1767 struct l2cap_rx_busy *rx_busy, *next;
1768
1769 BT_DBG("sk %p", sk);
1770
1771 if (l2cap_pi(sk)->chan) {
1772 l2cap_pi(sk)->chan->data = NULL;
1773 l2cap_chan_put(l2cap_pi(sk)->chan);
1774 }
1775
1776 list_for_each_entry_safe(rx_busy, next, &l2cap_pi(sk)->rx_busy, list) {
1777 kfree_skb(rx_busy->skb);
1778 list_del(&rx_busy->list);
1779 kfree(rx_busy);
1780 }
1781
1782 skb_queue_purge(&sk->sk_receive_queue);
1783 skb_queue_purge(&sk->sk_write_queue);
1784}
1785
1786static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1787 int *msg_namelen)
1788{
1789 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1790
1791 memset(la, 0, sizeof(struct sockaddr_l2));
1792 la->l2_family = AF_BLUETOOTH;
1793 la->l2_psm = bt_cb(skb)->l2cap.psm;
1794 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1795
1796 *msg_namelen = sizeof(struct sockaddr_l2);
1797}
1798
1799static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1800{
1801 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1802
1803 BT_DBG("sk %p", sk);
1804
1805 if (parent) {
1806 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1807
1808 sk->sk_type = parent->sk_type;
1809 bt_sk(sk)->flags = bt_sk(parent)->flags;
1810
1811 chan->chan_type = pchan->chan_type;
1812 chan->imtu = pchan->imtu;
1813 chan->omtu = pchan->omtu;
1814 chan->conf_state = pchan->conf_state;
1815 chan->mode = pchan->mode;
1816 chan->fcs = pchan->fcs;
1817 chan->max_tx = pchan->max_tx;
1818 chan->tx_win = pchan->tx_win;
1819 chan->tx_win_max = pchan->tx_win_max;
1820 chan->sec_level = pchan->sec_level;
1821 chan->flags = pchan->flags;
1822 chan->tx_credits = pchan->tx_credits;
1823 chan->rx_credits = pchan->rx_credits;
1824
1825 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1826 chan->scid = pchan->scid;
1827 chan->dcid = pchan->scid;
1828 }
1829
1830 security_sk_clone(parent, sk);
1831 } else {
1832 switch (sk->sk_type) {
1833 case SOCK_RAW:
1834 chan->chan_type = L2CAP_CHAN_RAW;
1835 break;
1836 case SOCK_DGRAM:
1837 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1838 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1839 break;
1840 case SOCK_SEQPACKET:
1841 case SOCK_STREAM:
1842 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1843 break;
1844 }
1845
1846 chan->imtu = L2CAP_DEFAULT_MTU;
1847 chan->omtu = 0;
1848 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1849 chan->mode = L2CAP_MODE_ERTM;
1850 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1851 } else {
1852 chan->mode = L2CAP_MODE_BASIC;
1853 }
1854
1855 l2cap_chan_set_defaults(chan);
1856 }
1857
1858 /* Default config options */
1859 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1860
1861 chan->data = sk;
1862 chan->ops = &l2cap_chan_ops;
1863
1864 l2cap_publish_rx_avail(chan);
1865}
1866
1867static struct proto l2cap_proto = {
1868 .name = "L2CAP",
1869 .owner = THIS_MODULE,
1870 .obj_size = sizeof(struct l2cap_pinfo)
1871};
1872
1873static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1874 int proto, gfp_t prio, int kern)
1875{
1876 struct sock *sk;
1877 struct l2cap_chan *chan;
1878
1879 sk = bt_sock_alloc(net, sock, &l2cap_proto, proto, prio, kern);
1880 if (!sk)
1881 return NULL;
1882
1883 sk->sk_destruct = l2cap_sock_destruct;
1884 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1885
1886 INIT_LIST_HEAD(&l2cap_pi(sk)->rx_busy);
1887
1888 chan = l2cap_chan_create();
1889 if (!chan) {
1890 sk_free(sk);
1891 if (sock)
1892 sock->sk = NULL;
1893 return NULL;
1894 }
1895
1896 l2cap_chan_hold(chan);
1897
1898 l2cap_pi(sk)->chan = chan;
1899
1900 return sk;
1901}
1902
1903static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1904 int kern)
1905{
1906 struct sock *sk;
1907
1908 BT_DBG("sock %p", sock);
1909
1910 sock->state = SS_UNCONNECTED;
1911
1912 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1913 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1914 return -ESOCKTNOSUPPORT;
1915
1916 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1917 return -EPERM;
1918
1919 sock->ops = &l2cap_sock_ops;
1920
1921 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1922 if (!sk)
1923 return -ENOMEM;
1924
1925 l2cap_sock_init(sk, NULL);
1926 bt_sock_link(&l2cap_sk_list, sk);
1927 return 0;
1928}
1929
1930static const struct proto_ops l2cap_sock_ops = {
1931 .family = PF_BLUETOOTH,
1932 .owner = THIS_MODULE,
1933 .release = l2cap_sock_release,
1934 .bind = l2cap_sock_bind,
1935 .connect = l2cap_sock_connect,
1936 .listen = l2cap_sock_listen,
1937 .accept = l2cap_sock_accept,
1938 .getname = l2cap_sock_getname,
1939 .sendmsg = l2cap_sock_sendmsg,
1940 .recvmsg = l2cap_sock_recvmsg,
1941 .poll = bt_sock_poll,
1942 .ioctl = bt_sock_ioctl,
1943 .gettstamp = sock_gettstamp,
1944 .mmap = sock_no_mmap,
1945 .socketpair = sock_no_socketpair,
1946 .shutdown = l2cap_sock_shutdown,
1947 .setsockopt = l2cap_sock_setsockopt,
1948 .getsockopt = l2cap_sock_getsockopt
1949};
1950
1951static const struct net_proto_family l2cap_sock_family_ops = {
1952 .family = PF_BLUETOOTH,
1953 .owner = THIS_MODULE,
1954 .create = l2cap_sock_create,
1955};
1956
1957int __init l2cap_init_sockets(void)
1958{
1959 int err;
1960
1961 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1962
1963 err = proto_register(&l2cap_proto, 0);
1964 if (err < 0)
1965 return err;
1966
1967 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1968 if (err < 0) {
1969 BT_ERR("L2CAP socket registration failed");
1970 goto error;
1971 }
1972
1973 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1974 NULL);
1975 if (err < 0) {
1976 BT_ERR("Failed to create L2CAP proc file");
1977 bt_sock_unregister(BTPROTO_L2CAP);
1978 goto error;
1979 }
1980
1981 BT_INFO("L2CAP socket layer initialized");
1982
1983 return 0;
1984
1985error:
1986 proto_unregister(&l2cap_proto);
1987 return err;
1988}
1989
1990void l2cap_cleanup_sockets(void)
1991{
1992 bt_procfs_cleanup(&init_net, "l2cap");
1993 bt_sock_unregister(BTPROTO_L2CAP);
1994 proto_unregister(&l2cap_proto);
1995}
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
26*/
27
28/* Bluetooth L2CAP sockets. */
29
30#include <linux/module.h>
31#include <linux/export.h>
32#include <linux/sched/signal.h>
33
34#include <net/bluetooth/bluetooth.h>
35#include <net/bluetooth/hci_core.h>
36#include <net/bluetooth/l2cap.h>
37
38#include "smp.h"
39
40static struct bt_sock_list l2cap_sk_list = {
41 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
42};
43
44static const struct proto_ops l2cap_sock_ops;
45static void l2cap_sock_init(struct sock *sk, struct sock *parent);
46static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
47 int proto, gfp_t prio, int kern);
48
49bool l2cap_is_socket(struct socket *sock)
50{
51 return sock && sock->ops == &l2cap_sock_ops;
52}
53EXPORT_SYMBOL(l2cap_is_socket);
54
55static int l2cap_validate_bredr_psm(u16 psm)
56{
57 /* PSM must be odd and lsb of upper byte must be 0 */
58 if ((psm & 0x0101) != 0x0001)
59 return -EINVAL;
60
61 /* Restrict usage of well-known PSMs */
62 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
63 return -EACCES;
64
65 return 0;
66}
67
68static int l2cap_validate_le_psm(u16 psm)
69{
70 /* Valid LE_PSM ranges are defined only until 0x00ff */
71 if (psm > L2CAP_PSM_LE_DYN_END)
72 return -EINVAL;
73
74 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
75 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
76 return -EACCES;
77
78 return 0;
79}
80
81static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
82{
83 struct sock *sk = sock->sk;
84 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
85 struct sockaddr_l2 la;
86 int len, err = 0;
87
88 BT_DBG("sk %p", sk);
89
90 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
91 addr->sa_family != AF_BLUETOOTH)
92 return -EINVAL;
93
94 memset(&la, 0, sizeof(la));
95 len = min_t(unsigned int, sizeof(la), alen);
96 memcpy(&la, addr, len);
97
98 if (la.l2_cid && la.l2_psm)
99 return -EINVAL;
100
101 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
102 return -EINVAL;
103
104 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
105 /* We only allow ATT user space socket */
106 if (la.l2_cid &&
107 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
108 return -EINVAL;
109 }
110
111 lock_sock(sk);
112
113 if (sk->sk_state != BT_OPEN) {
114 err = -EBADFD;
115 goto done;
116 }
117
118 if (la.l2_psm) {
119 __u16 psm = __le16_to_cpu(la.l2_psm);
120
121 if (la.l2_bdaddr_type == BDADDR_BREDR)
122 err = l2cap_validate_bredr_psm(psm);
123 else
124 err = l2cap_validate_le_psm(psm);
125
126 if (err)
127 goto done;
128 }
129
130 bacpy(&chan->src, &la.l2_bdaddr);
131 chan->src_type = la.l2_bdaddr_type;
132
133 if (la.l2_cid)
134 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
135 else
136 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
137
138 if (err < 0)
139 goto done;
140
141 switch (chan->chan_type) {
142 case L2CAP_CHAN_CONN_LESS:
143 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
144 chan->sec_level = BT_SECURITY_SDP;
145 break;
146 case L2CAP_CHAN_CONN_ORIENTED:
147 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
148 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
149 chan->sec_level = BT_SECURITY_SDP;
150 break;
151 case L2CAP_CHAN_RAW:
152 chan->sec_level = BT_SECURITY_SDP;
153 break;
154 case L2CAP_CHAN_FIXED:
155 /* Fixed channels default to the L2CAP core not holding a
156 * hci_conn reference for them. For fixed channels mapping to
157 * L2CAP sockets we do want to hold a reference so set the
158 * appropriate flag to request it.
159 */
160 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
161 break;
162 }
163
164 if (chan->psm && bdaddr_type_is_le(chan->src_type))
165 chan->mode = L2CAP_MODE_LE_FLOWCTL;
166
167 chan->state = BT_BOUND;
168 sk->sk_state = BT_BOUND;
169
170done:
171 release_sock(sk);
172 return err;
173}
174
175static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
176 int alen, int flags)
177{
178 struct sock *sk = sock->sk;
179 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
180 struct sockaddr_l2 la;
181 int len, err = 0;
182
183 BT_DBG("sk %p", sk);
184
185 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
186 addr->sa_family != AF_BLUETOOTH)
187 return -EINVAL;
188
189 memset(&la, 0, sizeof(la));
190 len = min_t(unsigned int, sizeof(la), alen);
191 memcpy(&la, addr, len);
192
193 if (la.l2_cid && la.l2_psm)
194 return -EINVAL;
195
196 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
197 return -EINVAL;
198
199 /* Check that the socket wasn't bound to something that
200 * conflicts with the address given to connect(). If chan->src
201 * is BDADDR_ANY it means bind() was never used, in which case
202 * chan->src_type and la.l2_bdaddr_type do not need to match.
203 */
204 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
205 bdaddr_type_is_le(la.l2_bdaddr_type)) {
206 /* Old user space versions will try to incorrectly bind
207 * the ATT socket using BDADDR_BREDR. We need to accept
208 * this and fix up the source address type only when
209 * both the source CID and destination CID indicate
210 * ATT. Anything else is an invalid combination.
211 */
212 if (chan->scid != L2CAP_CID_ATT ||
213 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
214 return -EINVAL;
215
216 /* We don't have the hdev available here to make a
217 * better decision on random vs public, but since all
218 * user space versions that exhibit this issue anyway do
219 * not support random local addresses assuming public
220 * here is good enough.
221 */
222 chan->src_type = BDADDR_LE_PUBLIC;
223 }
224
225 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
226 return -EINVAL;
227
228 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
229 /* We only allow ATT user space socket */
230 if (la.l2_cid &&
231 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
232 return -EINVAL;
233 }
234
235 if (chan->psm && bdaddr_type_is_le(chan->src_type))
236 chan->mode = L2CAP_MODE_LE_FLOWCTL;
237
238 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
239 &la.l2_bdaddr, la.l2_bdaddr_type);
240 if (err)
241 return err;
242
243 lock_sock(sk);
244
245 err = bt_sock_wait_state(sk, BT_CONNECTED,
246 sock_sndtimeo(sk, flags & O_NONBLOCK));
247
248 release_sock(sk);
249
250 return err;
251}
252
253static int l2cap_sock_listen(struct socket *sock, int backlog)
254{
255 struct sock *sk = sock->sk;
256 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
257 int err = 0;
258
259 BT_DBG("sk %p backlog %d", sk, backlog);
260
261 lock_sock(sk);
262
263 if (sk->sk_state != BT_BOUND) {
264 err = -EBADFD;
265 goto done;
266 }
267
268 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
269 err = -EINVAL;
270 goto done;
271 }
272
273 switch (chan->mode) {
274 case L2CAP_MODE_BASIC:
275 case L2CAP_MODE_LE_FLOWCTL:
276 break;
277 case L2CAP_MODE_ERTM:
278 case L2CAP_MODE_STREAMING:
279 if (!disable_ertm)
280 break;
281 /* fall through */
282 default:
283 err = -EOPNOTSUPP;
284 goto done;
285 }
286
287 sk->sk_max_ack_backlog = backlog;
288 sk->sk_ack_backlog = 0;
289
290 /* Listening channels need to use nested locking in order not to
291 * cause lockdep warnings when the created child channels end up
292 * being locked in the same thread as the parent channel.
293 */
294 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
295
296 chan->state = BT_LISTEN;
297 sk->sk_state = BT_LISTEN;
298
299done:
300 release_sock(sk);
301 return err;
302}
303
304static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
305 int flags, bool kern)
306{
307 DEFINE_WAIT_FUNC(wait, woken_wake_function);
308 struct sock *sk = sock->sk, *nsk;
309 long timeo;
310 int err = 0;
311
312 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
313
314 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
315
316 BT_DBG("sk %p timeo %ld", sk, timeo);
317
318 /* Wait for an incoming connection. (wake-one). */
319 add_wait_queue_exclusive(sk_sleep(sk), &wait);
320 while (1) {
321 if (sk->sk_state != BT_LISTEN) {
322 err = -EBADFD;
323 break;
324 }
325
326 nsk = bt_accept_dequeue(sk, newsock);
327 if (nsk)
328 break;
329
330 if (!timeo) {
331 err = -EAGAIN;
332 break;
333 }
334
335 if (signal_pending(current)) {
336 err = sock_intr_errno(timeo);
337 break;
338 }
339
340 release_sock(sk);
341
342 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
343
344 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
345 }
346 remove_wait_queue(sk_sleep(sk), &wait);
347
348 if (err)
349 goto done;
350
351 newsock->state = SS_CONNECTED;
352
353 BT_DBG("new socket %p", nsk);
354
355done:
356 release_sock(sk);
357 return err;
358}
359
360static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
361 int peer)
362{
363 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
364 struct sock *sk = sock->sk;
365 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
366
367 BT_DBG("sock %p, sk %p", sock, sk);
368
369 if (peer && sk->sk_state != BT_CONNECTED &&
370 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
371 sk->sk_state != BT_CONFIG)
372 return -ENOTCONN;
373
374 memset(la, 0, sizeof(struct sockaddr_l2));
375 addr->sa_family = AF_BLUETOOTH;
376
377 la->l2_psm = chan->psm;
378
379 if (peer) {
380 bacpy(&la->l2_bdaddr, &chan->dst);
381 la->l2_cid = cpu_to_le16(chan->dcid);
382 la->l2_bdaddr_type = chan->dst_type;
383 } else {
384 bacpy(&la->l2_bdaddr, &chan->src);
385 la->l2_cid = cpu_to_le16(chan->scid);
386 la->l2_bdaddr_type = chan->src_type;
387 }
388
389 return sizeof(struct sockaddr_l2);
390}
391
392static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
393 char __user *optval, int __user *optlen)
394{
395 struct sock *sk = sock->sk;
396 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
397 struct l2cap_options opts;
398 struct l2cap_conninfo cinfo;
399 int len, err = 0;
400 u32 opt;
401
402 BT_DBG("sk %p", sk);
403
404 if (get_user(len, optlen))
405 return -EFAULT;
406
407 lock_sock(sk);
408
409 switch (optname) {
410 case L2CAP_OPTIONS:
411 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
412 * legacy ATT code depends on getsockopt for
413 * L2CAP_OPTIONS we need to let this pass.
414 */
415 if (bdaddr_type_is_le(chan->src_type) &&
416 chan->scid != L2CAP_CID_ATT) {
417 err = -EINVAL;
418 break;
419 }
420
421 memset(&opts, 0, sizeof(opts));
422 opts.imtu = chan->imtu;
423 opts.omtu = chan->omtu;
424 opts.flush_to = chan->flush_to;
425 opts.mode = chan->mode;
426 opts.fcs = chan->fcs;
427 opts.max_tx = chan->max_tx;
428 opts.txwin_size = chan->tx_win;
429
430 len = min_t(unsigned int, len, sizeof(opts));
431 if (copy_to_user(optval, (char *) &opts, len))
432 err = -EFAULT;
433
434 break;
435
436 case L2CAP_LM:
437 switch (chan->sec_level) {
438 case BT_SECURITY_LOW:
439 opt = L2CAP_LM_AUTH;
440 break;
441 case BT_SECURITY_MEDIUM:
442 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
443 break;
444 case BT_SECURITY_HIGH:
445 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
446 L2CAP_LM_SECURE;
447 break;
448 case BT_SECURITY_FIPS:
449 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
450 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
451 break;
452 default:
453 opt = 0;
454 break;
455 }
456
457 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
458 opt |= L2CAP_LM_MASTER;
459
460 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
461 opt |= L2CAP_LM_RELIABLE;
462
463 if (put_user(opt, (u32 __user *) optval))
464 err = -EFAULT;
465
466 break;
467
468 case L2CAP_CONNINFO:
469 if (sk->sk_state != BT_CONNECTED &&
470 !(sk->sk_state == BT_CONNECT2 &&
471 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
472 err = -ENOTCONN;
473 break;
474 }
475
476 memset(&cinfo, 0, sizeof(cinfo));
477 cinfo.hci_handle = chan->conn->hcon->handle;
478 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
479
480 len = min_t(unsigned int, len, sizeof(cinfo));
481 if (copy_to_user(optval, (char *) &cinfo, len))
482 err = -EFAULT;
483
484 break;
485
486 default:
487 err = -ENOPROTOOPT;
488 break;
489 }
490
491 release_sock(sk);
492 return err;
493}
494
495static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
496 char __user *optval, int __user *optlen)
497{
498 struct sock *sk = sock->sk;
499 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
500 struct bt_security sec;
501 struct bt_power pwr;
502 int len, err = 0;
503
504 BT_DBG("sk %p", sk);
505
506 if (level == SOL_L2CAP)
507 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
508
509 if (level != SOL_BLUETOOTH)
510 return -ENOPROTOOPT;
511
512 if (get_user(len, optlen))
513 return -EFAULT;
514
515 lock_sock(sk);
516
517 switch (optname) {
518 case BT_SECURITY:
519 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
520 chan->chan_type != L2CAP_CHAN_FIXED &&
521 chan->chan_type != L2CAP_CHAN_RAW) {
522 err = -EINVAL;
523 break;
524 }
525
526 memset(&sec, 0, sizeof(sec));
527 if (chan->conn) {
528 sec.level = chan->conn->hcon->sec_level;
529
530 if (sk->sk_state == BT_CONNECTED)
531 sec.key_size = chan->conn->hcon->enc_key_size;
532 } else {
533 sec.level = chan->sec_level;
534 }
535
536 len = min_t(unsigned int, len, sizeof(sec));
537 if (copy_to_user(optval, (char *) &sec, len))
538 err = -EFAULT;
539
540 break;
541
542 case BT_DEFER_SETUP:
543 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
544 err = -EINVAL;
545 break;
546 }
547
548 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
549 (u32 __user *) optval))
550 err = -EFAULT;
551
552 break;
553
554 case BT_FLUSHABLE:
555 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
556 (u32 __user *) optval))
557 err = -EFAULT;
558
559 break;
560
561 case BT_POWER:
562 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
563 && sk->sk_type != SOCK_RAW) {
564 err = -EINVAL;
565 break;
566 }
567
568 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
569
570 len = min_t(unsigned int, len, sizeof(pwr));
571 if (copy_to_user(optval, (char *) &pwr, len))
572 err = -EFAULT;
573
574 break;
575
576 case BT_CHANNEL_POLICY:
577 if (put_user(chan->chan_policy, (u32 __user *) optval))
578 err = -EFAULT;
579 break;
580
581 case BT_SNDMTU:
582 if (!bdaddr_type_is_le(chan->src_type)) {
583 err = -EINVAL;
584 break;
585 }
586
587 if (sk->sk_state != BT_CONNECTED) {
588 err = -ENOTCONN;
589 break;
590 }
591
592 if (put_user(chan->omtu, (u16 __user *) optval))
593 err = -EFAULT;
594 break;
595
596 case BT_RCVMTU:
597 if (!bdaddr_type_is_le(chan->src_type)) {
598 err = -EINVAL;
599 break;
600 }
601
602 if (put_user(chan->imtu, (u16 __user *) optval))
603 err = -EFAULT;
604 break;
605
606 default:
607 err = -ENOPROTOOPT;
608 break;
609 }
610
611 release_sock(sk);
612 return err;
613}
614
615static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
616{
617 switch (chan->scid) {
618 case L2CAP_CID_ATT:
619 if (mtu < L2CAP_LE_MIN_MTU)
620 return false;
621 break;
622
623 default:
624 if (mtu < L2CAP_DEFAULT_MIN_MTU)
625 return false;
626 }
627
628 return true;
629}
630
631static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
632 char __user *optval, unsigned int optlen)
633{
634 struct sock *sk = sock->sk;
635 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
636 struct l2cap_options opts;
637 int len, err = 0;
638 u32 opt;
639
640 BT_DBG("sk %p", sk);
641
642 lock_sock(sk);
643
644 switch (optname) {
645 case L2CAP_OPTIONS:
646 if (bdaddr_type_is_le(chan->src_type)) {
647 err = -EINVAL;
648 break;
649 }
650
651 if (sk->sk_state == BT_CONNECTED) {
652 err = -EINVAL;
653 break;
654 }
655
656 opts.imtu = chan->imtu;
657 opts.omtu = chan->omtu;
658 opts.flush_to = chan->flush_to;
659 opts.mode = chan->mode;
660 opts.fcs = chan->fcs;
661 opts.max_tx = chan->max_tx;
662 opts.txwin_size = chan->tx_win;
663
664 len = min_t(unsigned int, sizeof(opts), optlen);
665 if (copy_from_user((char *) &opts, optval, len)) {
666 err = -EFAULT;
667 break;
668 }
669
670 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
671 err = -EINVAL;
672 break;
673 }
674
675 if (!l2cap_valid_mtu(chan, opts.imtu)) {
676 err = -EINVAL;
677 break;
678 }
679
680 chan->mode = opts.mode;
681 switch (chan->mode) {
682 case L2CAP_MODE_LE_FLOWCTL:
683 break;
684 case L2CAP_MODE_BASIC:
685 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
686 break;
687 case L2CAP_MODE_ERTM:
688 case L2CAP_MODE_STREAMING:
689 if (!disable_ertm)
690 break;
691 /* fall through */
692 default:
693 err = -EINVAL;
694 break;
695 }
696
697 chan->imtu = opts.imtu;
698 chan->omtu = opts.omtu;
699 chan->fcs = opts.fcs;
700 chan->max_tx = opts.max_tx;
701 chan->tx_win = opts.txwin_size;
702 chan->flush_to = opts.flush_to;
703 break;
704
705 case L2CAP_LM:
706 if (get_user(opt, (u32 __user *) optval)) {
707 err = -EFAULT;
708 break;
709 }
710
711 if (opt & L2CAP_LM_FIPS) {
712 err = -EINVAL;
713 break;
714 }
715
716 if (opt & L2CAP_LM_AUTH)
717 chan->sec_level = BT_SECURITY_LOW;
718 if (opt & L2CAP_LM_ENCRYPT)
719 chan->sec_level = BT_SECURITY_MEDIUM;
720 if (opt & L2CAP_LM_SECURE)
721 chan->sec_level = BT_SECURITY_HIGH;
722
723 if (opt & L2CAP_LM_MASTER)
724 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
725 else
726 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
727
728 if (opt & L2CAP_LM_RELIABLE)
729 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
730 else
731 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
732 break;
733
734 default:
735 err = -ENOPROTOOPT;
736 break;
737 }
738
739 release_sock(sk);
740 return err;
741}
742
743static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
744 char __user *optval, unsigned int optlen)
745{
746 struct sock *sk = sock->sk;
747 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
748 struct bt_security sec;
749 struct bt_power pwr;
750 struct l2cap_conn *conn;
751 int len, err = 0;
752 u32 opt;
753
754 BT_DBG("sk %p", sk);
755
756 if (level == SOL_L2CAP)
757 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
758
759 if (level != SOL_BLUETOOTH)
760 return -ENOPROTOOPT;
761
762 lock_sock(sk);
763
764 switch (optname) {
765 case BT_SECURITY:
766 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
767 chan->chan_type != L2CAP_CHAN_FIXED &&
768 chan->chan_type != L2CAP_CHAN_RAW) {
769 err = -EINVAL;
770 break;
771 }
772
773 sec.level = BT_SECURITY_LOW;
774
775 len = min_t(unsigned int, sizeof(sec), optlen);
776 if (copy_from_user((char *) &sec, optval, len)) {
777 err = -EFAULT;
778 break;
779 }
780
781 if (sec.level < BT_SECURITY_LOW ||
782 sec.level > BT_SECURITY_FIPS) {
783 err = -EINVAL;
784 break;
785 }
786
787 chan->sec_level = sec.level;
788
789 if (!chan->conn)
790 break;
791
792 conn = chan->conn;
793
794 /*change security for LE channels */
795 if (chan->scid == L2CAP_CID_ATT) {
796 if (smp_conn_security(conn->hcon, sec.level))
797 break;
798 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
799 sk->sk_state = BT_CONFIG;
800 chan->state = BT_CONFIG;
801
802 /* or for ACL link */
803 } else if ((sk->sk_state == BT_CONNECT2 &&
804 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
805 sk->sk_state == BT_CONNECTED) {
806 if (!l2cap_chan_check_security(chan, true))
807 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
808 else
809 sk->sk_state_change(sk);
810 } else {
811 err = -EINVAL;
812 }
813 break;
814
815 case BT_DEFER_SETUP:
816 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
817 err = -EINVAL;
818 break;
819 }
820
821 if (get_user(opt, (u32 __user *) optval)) {
822 err = -EFAULT;
823 break;
824 }
825
826 if (opt) {
827 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
828 set_bit(FLAG_DEFER_SETUP, &chan->flags);
829 } else {
830 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
831 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
832 }
833 break;
834
835 case BT_FLUSHABLE:
836 if (get_user(opt, (u32 __user *) optval)) {
837 err = -EFAULT;
838 break;
839 }
840
841 if (opt > BT_FLUSHABLE_ON) {
842 err = -EINVAL;
843 break;
844 }
845
846 if (opt == BT_FLUSHABLE_OFF) {
847 conn = chan->conn;
848 /* proceed further only when we have l2cap_conn and
849 No Flush support in the LM */
850 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
851 err = -EINVAL;
852 break;
853 }
854 }
855
856 if (opt)
857 set_bit(FLAG_FLUSHABLE, &chan->flags);
858 else
859 clear_bit(FLAG_FLUSHABLE, &chan->flags);
860 break;
861
862 case BT_POWER:
863 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
864 chan->chan_type != L2CAP_CHAN_RAW) {
865 err = -EINVAL;
866 break;
867 }
868
869 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
870
871 len = min_t(unsigned int, sizeof(pwr), optlen);
872 if (copy_from_user((char *) &pwr, optval, len)) {
873 err = -EFAULT;
874 break;
875 }
876
877 if (pwr.force_active)
878 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
879 else
880 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
881 break;
882
883 case BT_CHANNEL_POLICY:
884 if (get_user(opt, (u32 __user *) optval)) {
885 err = -EFAULT;
886 break;
887 }
888
889 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
890 err = -EINVAL;
891 break;
892 }
893
894 if (chan->mode != L2CAP_MODE_ERTM &&
895 chan->mode != L2CAP_MODE_STREAMING) {
896 err = -EOPNOTSUPP;
897 break;
898 }
899
900 chan->chan_policy = (u8) opt;
901
902 if (sk->sk_state == BT_CONNECTED &&
903 chan->move_role == L2CAP_MOVE_ROLE_NONE)
904 l2cap_move_start(chan);
905
906 break;
907
908 case BT_SNDMTU:
909 if (!bdaddr_type_is_le(chan->src_type)) {
910 err = -EINVAL;
911 break;
912 }
913
914 /* Setting is not supported as it's the remote side that
915 * decides this.
916 */
917 err = -EPERM;
918 break;
919
920 case BT_RCVMTU:
921 if (!bdaddr_type_is_le(chan->src_type)) {
922 err = -EINVAL;
923 break;
924 }
925
926 if (sk->sk_state == BT_CONNECTED) {
927 err = -EISCONN;
928 break;
929 }
930
931 if (get_user(opt, (u16 __user *) optval)) {
932 err = -EFAULT;
933 break;
934 }
935
936 chan->imtu = opt;
937 break;
938
939 default:
940 err = -ENOPROTOOPT;
941 break;
942 }
943
944 release_sock(sk);
945 return err;
946}
947
948static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
949 size_t len)
950{
951 struct sock *sk = sock->sk;
952 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
953 int err;
954
955 BT_DBG("sock %p, sk %p", sock, sk);
956
957 err = sock_error(sk);
958 if (err)
959 return err;
960
961 if (msg->msg_flags & MSG_OOB)
962 return -EOPNOTSUPP;
963
964 if (sk->sk_state != BT_CONNECTED)
965 return -ENOTCONN;
966
967 lock_sock(sk);
968 err = bt_sock_wait_ready(sk, msg->msg_flags);
969 release_sock(sk);
970 if (err)
971 return err;
972
973 l2cap_chan_lock(chan);
974 err = l2cap_chan_send(chan, msg, len);
975 l2cap_chan_unlock(chan);
976
977 return err;
978}
979
980static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
981 size_t len, int flags)
982{
983 struct sock *sk = sock->sk;
984 struct l2cap_pinfo *pi = l2cap_pi(sk);
985 int err;
986
987 lock_sock(sk);
988
989 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
990 &bt_sk(sk)->flags)) {
991 if (bdaddr_type_is_le(pi->chan->src_type)) {
992 sk->sk_state = BT_CONNECTED;
993 pi->chan->state = BT_CONNECTED;
994 __l2cap_le_connect_rsp_defer(pi->chan);
995 } else {
996 sk->sk_state = BT_CONFIG;
997 pi->chan->state = BT_CONFIG;
998 __l2cap_connect_rsp_defer(pi->chan);
999 }
1000
1001 err = 0;
1002 goto done;
1003 }
1004
1005 release_sock(sk);
1006
1007 if (sock->type == SOCK_STREAM)
1008 err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1009 else
1010 err = bt_sock_recvmsg(sock, msg, len, flags);
1011
1012 if (pi->chan->mode != L2CAP_MODE_ERTM)
1013 return err;
1014
1015 /* Attempt to put pending rx data in the socket buffer */
1016
1017 lock_sock(sk);
1018
1019 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1020 goto done;
1021
1022 if (pi->rx_busy_skb) {
1023 if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1024 pi->rx_busy_skb = NULL;
1025 else
1026 goto done;
1027 }
1028
1029 /* Restore data flow when half of the receive buffer is
1030 * available. This avoids resending large numbers of
1031 * frames.
1032 */
1033 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1034 l2cap_chan_busy(pi->chan, 0);
1035
1036done:
1037 release_sock(sk);
1038 return err;
1039}
1040
1041/* Kill socket (only if zapped and orphan)
1042 * Must be called on unlocked socket.
1043 */
1044static void l2cap_sock_kill(struct sock *sk)
1045{
1046 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1047 return;
1048
1049 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1050
1051 /* Kill poor orphan */
1052
1053 l2cap_chan_put(l2cap_pi(sk)->chan);
1054 sock_set_flag(sk, SOCK_DEAD);
1055 sock_put(sk);
1056}
1057
1058static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1059{
1060 DECLARE_WAITQUEUE(wait, current);
1061 int err = 0;
1062 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1063 /* Timeout to prevent infinite loop */
1064 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1065
1066 add_wait_queue(sk_sleep(sk), &wait);
1067 set_current_state(TASK_INTERRUPTIBLE);
1068 do {
1069 BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1070 chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1071 jiffies_to_msecs(timeout - jiffies));
1072
1073 if (!timeo)
1074 timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1075
1076 if (signal_pending(current)) {
1077 err = sock_intr_errno(timeo);
1078 break;
1079 }
1080
1081 release_sock(sk);
1082 timeo = schedule_timeout(timeo);
1083 lock_sock(sk);
1084 set_current_state(TASK_INTERRUPTIBLE);
1085
1086 err = sock_error(sk);
1087 if (err)
1088 break;
1089
1090 if (time_after(jiffies, timeout)) {
1091 err = -ENOLINK;
1092 break;
1093 }
1094
1095 } while (chan->unacked_frames > 0 &&
1096 chan->state == BT_CONNECTED);
1097
1098 set_current_state(TASK_RUNNING);
1099 remove_wait_queue(sk_sleep(sk), &wait);
1100 return err;
1101}
1102
1103static int l2cap_sock_shutdown(struct socket *sock, int how)
1104{
1105 struct sock *sk = sock->sk;
1106 struct l2cap_chan *chan;
1107 struct l2cap_conn *conn;
1108 int err = 0;
1109
1110 BT_DBG("sock %p, sk %p", sock, sk);
1111
1112 if (!sk)
1113 return 0;
1114
1115 lock_sock(sk);
1116
1117 if (sk->sk_shutdown)
1118 goto shutdown_already;
1119
1120 BT_DBG("Handling sock shutdown");
1121
1122 /* prevent sk structure from being freed whilst unlocked */
1123 sock_hold(sk);
1124
1125 chan = l2cap_pi(sk)->chan;
1126 /* prevent chan structure from being freed whilst unlocked */
1127 l2cap_chan_hold(chan);
1128
1129 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1130
1131 if (chan->mode == L2CAP_MODE_ERTM &&
1132 chan->unacked_frames > 0 &&
1133 chan->state == BT_CONNECTED) {
1134 err = __l2cap_wait_ack(sk, chan);
1135
1136 /* After waiting for ACKs, check whether shutdown
1137 * has already been actioned to close the L2CAP
1138 * link such as by l2cap_disconnection_req().
1139 */
1140 if (sk->sk_shutdown)
1141 goto has_shutdown;
1142 }
1143
1144 sk->sk_shutdown = SHUTDOWN_MASK;
1145 release_sock(sk);
1146
1147 l2cap_chan_lock(chan);
1148 conn = chan->conn;
1149 if (conn)
1150 /* prevent conn structure from being freed */
1151 l2cap_conn_get(conn);
1152 l2cap_chan_unlock(chan);
1153
1154 if (conn)
1155 /* mutex lock must be taken before l2cap_chan_lock() */
1156 mutex_lock(&conn->chan_lock);
1157
1158 l2cap_chan_lock(chan);
1159 l2cap_chan_close(chan, 0);
1160 l2cap_chan_unlock(chan);
1161
1162 if (conn) {
1163 mutex_unlock(&conn->chan_lock);
1164 l2cap_conn_put(conn);
1165 }
1166
1167 lock_sock(sk);
1168
1169 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1170 !(current->flags & PF_EXITING))
1171 err = bt_sock_wait_state(sk, BT_CLOSED,
1172 sk->sk_lingertime);
1173
1174has_shutdown:
1175 l2cap_chan_put(chan);
1176 sock_put(sk);
1177
1178shutdown_already:
1179 if (!err && sk->sk_err)
1180 err = -sk->sk_err;
1181
1182 release_sock(sk);
1183
1184 BT_DBG("Sock shutdown complete err: %d", err);
1185
1186 return err;
1187}
1188
1189static int l2cap_sock_release(struct socket *sock)
1190{
1191 struct sock *sk = sock->sk;
1192 int err;
1193
1194 BT_DBG("sock %p, sk %p", sock, sk);
1195
1196 if (!sk)
1197 return 0;
1198
1199 bt_sock_unlink(&l2cap_sk_list, sk);
1200
1201 err = l2cap_sock_shutdown(sock, 2);
1202
1203 sock_orphan(sk);
1204 l2cap_sock_kill(sk);
1205 return err;
1206}
1207
1208static void l2cap_sock_cleanup_listen(struct sock *parent)
1209{
1210 struct sock *sk;
1211
1212 BT_DBG("parent %p state %s", parent,
1213 state_to_string(parent->sk_state));
1214
1215 /* Close not yet accepted channels */
1216 while ((sk = bt_accept_dequeue(parent, NULL))) {
1217 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1218
1219 BT_DBG("child chan %p state %s", chan,
1220 state_to_string(chan->state));
1221
1222 l2cap_chan_lock(chan);
1223 __clear_chan_timer(chan);
1224 l2cap_chan_close(chan, ECONNRESET);
1225 l2cap_chan_unlock(chan);
1226
1227 l2cap_sock_kill(sk);
1228 }
1229}
1230
1231static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1232{
1233 struct sock *sk, *parent = chan->data;
1234
1235 lock_sock(parent);
1236
1237 /* Check for backlog size */
1238 if (sk_acceptq_is_full(parent)) {
1239 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1240 release_sock(parent);
1241 return NULL;
1242 }
1243
1244 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1245 GFP_ATOMIC, 0);
1246 if (!sk) {
1247 release_sock(parent);
1248 return NULL;
1249 }
1250
1251 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1252
1253 l2cap_sock_init(sk, parent);
1254
1255 bt_accept_enqueue(parent, sk);
1256
1257 release_sock(parent);
1258
1259 return l2cap_pi(sk)->chan;
1260}
1261
1262static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1263{
1264 struct sock *sk = chan->data;
1265 int err;
1266
1267 lock_sock(sk);
1268
1269 if (l2cap_pi(sk)->rx_busy_skb) {
1270 err = -ENOMEM;
1271 goto done;
1272 }
1273
1274 if (chan->mode != L2CAP_MODE_ERTM &&
1275 chan->mode != L2CAP_MODE_STREAMING) {
1276 /* Even if no filter is attached, we could potentially
1277 * get errors from security modules, etc.
1278 */
1279 err = sk_filter(sk, skb);
1280 if (err)
1281 goto done;
1282 }
1283
1284 err = __sock_queue_rcv_skb(sk, skb);
1285
1286 /* For ERTM, handle one skb that doesn't fit into the recv
1287 * buffer. This is important to do because the data frames
1288 * have already been acked, so the skb cannot be discarded.
1289 *
1290 * Notify the l2cap core that the buffer is full, so the
1291 * LOCAL_BUSY state is entered and no more frames are
1292 * acked and reassembled until there is buffer space
1293 * available.
1294 */
1295 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1296 l2cap_pi(sk)->rx_busy_skb = skb;
1297 l2cap_chan_busy(chan, 1);
1298 err = 0;
1299 }
1300
1301done:
1302 release_sock(sk);
1303
1304 return err;
1305}
1306
1307static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1308{
1309 struct sock *sk = chan->data;
1310
1311 l2cap_sock_kill(sk);
1312}
1313
1314static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1315{
1316 struct sock *sk = chan->data;
1317 struct sock *parent;
1318
1319 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1320
1321 /* This callback can be called both for server (BT_LISTEN)
1322 * sockets as well as "normal" ones. To avoid lockdep warnings
1323 * with child socket locking (through l2cap_sock_cleanup_listen)
1324 * we need separation into separate nesting levels. The simplest
1325 * way to accomplish this is to inherit the nesting level used
1326 * for the channel.
1327 */
1328 lock_sock_nested(sk, atomic_read(&chan->nesting));
1329
1330 parent = bt_sk(sk)->parent;
1331
1332 sock_set_flag(sk, SOCK_ZAPPED);
1333
1334 switch (chan->state) {
1335 case BT_OPEN:
1336 case BT_BOUND:
1337 case BT_CLOSED:
1338 break;
1339 case BT_LISTEN:
1340 l2cap_sock_cleanup_listen(sk);
1341 sk->sk_state = BT_CLOSED;
1342 chan->state = BT_CLOSED;
1343
1344 break;
1345 default:
1346 sk->sk_state = BT_CLOSED;
1347 chan->state = BT_CLOSED;
1348
1349 sk->sk_err = err;
1350
1351 if (parent) {
1352 bt_accept_unlink(sk);
1353 parent->sk_data_ready(parent);
1354 } else {
1355 sk->sk_state_change(sk);
1356 }
1357
1358 break;
1359 }
1360
1361 release_sock(sk);
1362}
1363
1364static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1365 int err)
1366{
1367 struct sock *sk = chan->data;
1368
1369 sk->sk_state = state;
1370
1371 if (err)
1372 sk->sk_err = err;
1373}
1374
1375static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1376 unsigned long hdr_len,
1377 unsigned long len, int nb)
1378{
1379 struct sock *sk = chan->data;
1380 struct sk_buff *skb;
1381 int err;
1382
1383 l2cap_chan_unlock(chan);
1384 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1385 l2cap_chan_lock(chan);
1386
1387 if (!skb)
1388 return ERR_PTR(err);
1389
1390 skb->priority = sk->sk_priority;
1391
1392 bt_cb(skb)->l2cap.chan = chan;
1393
1394 return skb;
1395}
1396
1397static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1398{
1399 struct sock *sk = chan->data;
1400 struct sock *parent;
1401
1402 lock_sock(sk);
1403
1404 parent = bt_sk(sk)->parent;
1405
1406 BT_DBG("sk %p, parent %p", sk, parent);
1407
1408 sk->sk_state = BT_CONNECTED;
1409 sk->sk_state_change(sk);
1410
1411 if (parent)
1412 parent->sk_data_ready(parent);
1413
1414 release_sock(sk);
1415}
1416
1417static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1418{
1419 struct sock *parent, *sk = chan->data;
1420
1421 lock_sock(sk);
1422
1423 parent = bt_sk(sk)->parent;
1424 if (parent)
1425 parent->sk_data_ready(parent);
1426
1427 release_sock(sk);
1428}
1429
1430static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1431{
1432 struct sock *sk = chan->data;
1433
1434 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1435 sk->sk_state = BT_CONNECTED;
1436 chan->state = BT_CONNECTED;
1437 }
1438
1439 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1440 sk->sk_state_change(sk);
1441}
1442
1443static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1444{
1445 struct sock *sk = chan->data;
1446
1447 lock_sock(sk);
1448 sk->sk_shutdown = SHUTDOWN_MASK;
1449 release_sock(sk);
1450}
1451
1452static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1453{
1454 struct sock *sk = chan->data;
1455
1456 return sk->sk_sndtimeo;
1457}
1458
1459static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1460{
1461 struct sock *sk = chan->data;
1462
1463 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1464 sk->sk_state_change(sk);
1465}
1466
1467static const struct l2cap_ops l2cap_chan_ops = {
1468 .name = "L2CAP Socket Interface",
1469 .new_connection = l2cap_sock_new_connection_cb,
1470 .recv = l2cap_sock_recv_cb,
1471 .close = l2cap_sock_close_cb,
1472 .teardown = l2cap_sock_teardown_cb,
1473 .state_change = l2cap_sock_state_change_cb,
1474 .ready = l2cap_sock_ready_cb,
1475 .defer = l2cap_sock_defer_cb,
1476 .resume = l2cap_sock_resume_cb,
1477 .suspend = l2cap_sock_suspend_cb,
1478 .set_shutdown = l2cap_sock_set_shutdown_cb,
1479 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1480 .alloc_skb = l2cap_sock_alloc_skb_cb,
1481};
1482
1483static void l2cap_sock_destruct(struct sock *sk)
1484{
1485 BT_DBG("sk %p", sk);
1486
1487 if (l2cap_pi(sk)->chan)
1488 l2cap_chan_put(l2cap_pi(sk)->chan);
1489
1490 if (l2cap_pi(sk)->rx_busy_skb) {
1491 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1492 l2cap_pi(sk)->rx_busy_skb = NULL;
1493 }
1494
1495 skb_queue_purge(&sk->sk_receive_queue);
1496 skb_queue_purge(&sk->sk_write_queue);
1497}
1498
1499static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1500 int *msg_namelen)
1501{
1502 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1503
1504 memset(la, 0, sizeof(struct sockaddr_l2));
1505 la->l2_family = AF_BLUETOOTH;
1506 la->l2_psm = bt_cb(skb)->l2cap.psm;
1507 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1508
1509 *msg_namelen = sizeof(struct sockaddr_l2);
1510}
1511
1512static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1513{
1514 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1515
1516 BT_DBG("sk %p", sk);
1517
1518 if (parent) {
1519 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1520
1521 sk->sk_type = parent->sk_type;
1522 bt_sk(sk)->flags = bt_sk(parent)->flags;
1523
1524 chan->chan_type = pchan->chan_type;
1525 chan->imtu = pchan->imtu;
1526 chan->omtu = pchan->omtu;
1527 chan->conf_state = pchan->conf_state;
1528 chan->mode = pchan->mode;
1529 chan->fcs = pchan->fcs;
1530 chan->max_tx = pchan->max_tx;
1531 chan->tx_win = pchan->tx_win;
1532 chan->tx_win_max = pchan->tx_win_max;
1533 chan->sec_level = pchan->sec_level;
1534 chan->flags = pchan->flags;
1535 chan->tx_credits = pchan->tx_credits;
1536 chan->rx_credits = pchan->rx_credits;
1537
1538 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1539 chan->scid = pchan->scid;
1540 chan->dcid = pchan->scid;
1541 }
1542
1543 security_sk_clone(parent, sk);
1544 } else {
1545 switch (sk->sk_type) {
1546 case SOCK_RAW:
1547 chan->chan_type = L2CAP_CHAN_RAW;
1548 break;
1549 case SOCK_DGRAM:
1550 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1551 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1552 break;
1553 case SOCK_SEQPACKET:
1554 case SOCK_STREAM:
1555 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1556 break;
1557 }
1558
1559 chan->imtu = L2CAP_DEFAULT_MTU;
1560 chan->omtu = 0;
1561 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1562 chan->mode = L2CAP_MODE_ERTM;
1563 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1564 } else {
1565 chan->mode = L2CAP_MODE_BASIC;
1566 }
1567
1568 l2cap_chan_set_defaults(chan);
1569 }
1570
1571 /* Default config options */
1572 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1573
1574 chan->data = sk;
1575 chan->ops = &l2cap_chan_ops;
1576}
1577
1578static struct proto l2cap_proto = {
1579 .name = "L2CAP",
1580 .owner = THIS_MODULE,
1581 .obj_size = sizeof(struct l2cap_pinfo)
1582};
1583
1584static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1585 int proto, gfp_t prio, int kern)
1586{
1587 struct sock *sk;
1588 struct l2cap_chan *chan;
1589
1590 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern);
1591 if (!sk)
1592 return NULL;
1593
1594 sock_init_data(sock, sk);
1595 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1596
1597 sk->sk_destruct = l2cap_sock_destruct;
1598 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1599
1600 sock_reset_flag(sk, SOCK_ZAPPED);
1601
1602 sk->sk_protocol = proto;
1603 sk->sk_state = BT_OPEN;
1604
1605 chan = l2cap_chan_create();
1606 if (!chan) {
1607 sk_free(sk);
1608 return NULL;
1609 }
1610
1611 l2cap_chan_hold(chan);
1612
1613 l2cap_pi(sk)->chan = chan;
1614
1615 return sk;
1616}
1617
1618static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1619 int kern)
1620{
1621 struct sock *sk;
1622
1623 BT_DBG("sock %p", sock);
1624
1625 sock->state = SS_UNCONNECTED;
1626
1627 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1628 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1629 return -ESOCKTNOSUPPORT;
1630
1631 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1632 return -EPERM;
1633
1634 sock->ops = &l2cap_sock_ops;
1635
1636 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1637 if (!sk)
1638 return -ENOMEM;
1639
1640 l2cap_sock_init(sk, NULL);
1641 bt_sock_link(&l2cap_sk_list, sk);
1642 return 0;
1643}
1644
1645static const struct proto_ops l2cap_sock_ops = {
1646 .family = PF_BLUETOOTH,
1647 .owner = THIS_MODULE,
1648 .release = l2cap_sock_release,
1649 .bind = l2cap_sock_bind,
1650 .connect = l2cap_sock_connect,
1651 .listen = l2cap_sock_listen,
1652 .accept = l2cap_sock_accept,
1653 .getname = l2cap_sock_getname,
1654 .sendmsg = l2cap_sock_sendmsg,
1655 .recvmsg = l2cap_sock_recvmsg,
1656 .poll = bt_sock_poll,
1657 .ioctl = bt_sock_ioctl,
1658 .mmap = sock_no_mmap,
1659 .socketpair = sock_no_socketpair,
1660 .shutdown = l2cap_sock_shutdown,
1661 .setsockopt = l2cap_sock_setsockopt,
1662 .getsockopt = l2cap_sock_getsockopt
1663};
1664
1665static const struct net_proto_family l2cap_sock_family_ops = {
1666 .family = PF_BLUETOOTH,
1667 .owner = THIS_MODULE,
1668 .create = l2cap_sock_create,
1669};
1670
1671int __init l2cap_init_sockets(void)
1672{
1673 int err;
1674
1675 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1676
1677 err = proto_register(&l2cap_proto, 0);
1678 if (err < 0)
1679 return err;
1680
1681 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1682 if (err < 0) {
1683 BT_ERR("L2CAP socket registration failed");
1684 goto error;
1685 }
1686
1687 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1688 NULL);
1689 if (err < 0) {
1690 BT_ERR("Failed to create L2CAP proc file");
1691 bt_sock_unregister(BTPROTO_L2CAP);
1692 goto error;
1693 }
1694
1695 BT_INFO("L2CAP socket layer initialized");
1696
1697 return 0;
1698
1699error:
1700 proto_unregister(&l2cap_proto);
1701 return err;
1702}
1703
1704void l2cap_cleanup_sockets(void)
1705{
1706 bt_procfs_cleanup(&init_net, "l2cap");
1707 bt_sock_unregister(BTPROTO_L2CAP);
1708 proto_unregister(&l2cap_proto);
1709}