Loading...
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
26*/
27
28/* Bluetooth L2CAP sockets. */
29
30#include <linux/module.h>
31#include <linux/export.h>
32#include <linux/filter.h>
33#include <linux/sched/signal.h>
34
35#include <net/bluetooth/bluetooth.h>
36#include <net/bluetooth/hci_core.h>
37#include <net/bluetooth/l2cap.h>
38
39#include "smp.h"
40
41static struct bt_sock_list l2cap_sk_list = {
42 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
43};
44
45static const struct proto_ops l2cap_sock_ops;
46static void l2cap_sock_init(struct sock *sk, struct sock *parent);
47static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
48 int proto, gfp_t prio, int kern);
49static void l2cap_sock_cleanup_listen(struct sock *parent);
50
51bool l2cap_is_socket(struct socket *sock)
52{
53 return sock && sock->ops == &l2cap_sock_ops;
54}
55EXPORT_SYMBOL(l2cap_is_socket);
56
57static int l2cap_validate_bredr_psm(u16 psm)
58{
59 /* PSM must be odd and lsb of upper byte must be 0 */
60 if ((psm & 0x0101) != 0x0001)
61 return -EINVAL;
62
63 /* Restrict usage of well-known PSMs */
64 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
65 return -EACCES;
66
67 return 0;
68}
69
70static int l2cap_validate_le_psm(u16 psm)
71{
72 /* Valid LE_PSM ranges are defined only until 0x00ff */
73 if (psm > L2CAP_PSM_LE_DYN_END)
74 return -EINVAL;
75
76 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
77 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
78 return -EACCES;
79
80 return 0;
81}
82
83static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
84{
85 struct sock *sk = sock->sk;
86 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
87 struct sockaddr_l2 la;
88 int len, err = 0;
89
90 BT_DBG("sk %p", sk);
91
92 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
93 addr->sa_family != AF_BLUETOOTH)
94 return -EINVAL;
95
96 memset(&la, 0, sizeof(la));
97 len = min_t(unsigned int, sizeof(la), alen);
98 memcpy(&la, addr, len);
99
100 if (la.l2_cid && la.l2_psm)
101 return -EINVAL;
102
103 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
104 return -EINVAL;
105
106 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
107 /* We only allow ATT user space socket */
108 if (la.l2_cid &&
109 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
110 return -EINVAL;
111 }
112
113 lock_sock(sk);
114
115 if (sk->sk_state != BT_OPEN) {
116 err = -EBADFD;
117 goto done;
118 }
119
120 if (la.l2_psm) {
121 __u16 psm = __le16_to_cpu(la.l2_psm);
122
123 if (la.l2_bdaddr_type == BDADDR_BREDR)
124 err = l2cap_validate_bredr_psm(psm);
125 else
126 err = l2cap_validate_le_psm(psm);
127
128 if (err)
129 goto done;
130 }
131
132 bacpy(&chan->src, &la.l2_bdaddr);
133 chan->src_type = la.l2_bdaddr_type;
134
135 if (la.l2_cid)
136 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
137 else
138 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
139
140 if (err < 0)
141 goto done;
142
143 switch (chan->chan_type) {
144 case L2CAP_CHAN_CONN_LESS:
145 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
146 chan->sec_level = BT_SECURITY_SDP;
147 break;
148 case L2CAP_CHAN_CONN_ORIENTED:
149 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
150 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
151 chan->sec_level = BT_SECURITY_SDP;
152 break;
153 case L2CAP_CHAN_RAW:
154 chan->sec_level = BT_SECURITY_SDP;
155 break;
156 case L2CAP_CHAN_FIXED:
157 /* Fixed channels default to the L2CAP core not holding a
158 * hci_conn reference for them. For fixed channels mapping to
159 * L2CAP sockets we do want to hold a reference so set the
160 * appropriate flag to request it.
161 */
162 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
163 break;
164 }
165
166 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
167 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
168 */
169 if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
170 chan->mode != L2CAP_MODE_EXT_FLOWCTL)
171 chan->mode = L2CAP_MODE_LE_FLOWCTL;
172
173 chan->state = BT_BOUND;
174 sk->sk_state = BT_BOUND;
175
176done:
177 release_sock(sk);
178 return err;
179}
180
181static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
182 int alen, int flags)
183{
184 struct sock *sk = sock->sk;
185 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
186 struct sockaddr_l2 la;
187 int len, err = 0;
188 bool zapped;
189
190 BT_DBG("sk %p", sk);
191
192 lock_sock(sk);
193 zapped = sock_flag(sk, SOCK_ZAPPED);
194 release_sock(sk);
195
196 if (zapped)
197 return -EINVAL;
198
199 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
200 addr->sa_family != AF_BLUETOOTH)
201 return -EINVAL;
202
203 memset(&la, 0, sizeof(la));
204 len = min_t(unsigned int, sizeof(la), alen);
205 memcpy(&la, addr, len);
206
207 if (la.l2_cid && la.l2_psm)
208 return -EINVAL;
209
210 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
211 return -EINVAL;
212
213 /* Check that the socket wasn't bound to something that
214 * conflicts with the address given to connect(). If chan->src
215 * is BDADDR_ANY it means bind() was never used, in which case
216 * chan->src_type and la.l2_bdaddr_type do not need to match.
217 */
218 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
219 bdaddr_type_is_le(la.l2_bdaddr_type)) {
220 /* Old user space versions will try to incorrectly bind
221 * the ATT socket using BDADDR_BREDR. We need to accept
222 * this and fix up the source address type only when
223 * both the source CID and destination CID indicate
224 * ATT. Anything else is an invalid combination.
225 */
226 if (chan->scid != L2CAP_CID_ATT ||
227 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
228 return -EINVAL;
229
230 /* We don't have the hdev available here to make a
231 * better decision on random vs public, but since all
232 * user space versions that exhibit this issue anyway do
233 * not support random local addresses assuming public
234 * here is good enough.
235 */
236 chan->src_type = BDADDR_LE_PUBLIC;
237 }
238
239 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
240 return -EINVAL;
241
242 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
243 /* We only allow ATT user space socket */
244 if (la.l2_cid &&
245 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
246 return -EINVAL;
247 }
248
249 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
250 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
251 */
252 if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
253 chan->mode != L2CAP_MODE_EXT_FLOWCTL)
254 chan->mode = L2CAP_MODE_LE_FLOWCTL;
255
256 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
257 &la.l2_bdaddr, la.l2_bdaddr_type);
258 if (err)
259 return err;
260
261 lock_sock(sk);
262
263 err = bt_sock_wait_state(sk, BT_CONNECTED,
264 sock_sndtimeo(sk, flags & O_NONBLOCK));
265
266 release_sock(sk);
267
268 return err;
269}
270
271static int l2cap_sock_listen(struct socket *sock, int backlog)
272{
273 struct sock *sk = sock->sk;
274 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
275 int err = 0;
276
277 BT_DBG("sk %p backlog %d", sk, backlog);
278
279 lock_sock(sk);
280
281 if (sk->sk_state != BT_BOUND) {
282 err = -EBADFD;
283 goto done;
284 }
285
286 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
287 err = -EINVAL;
288 goto done;
289 }
290
291 switch (chan->mode) {
292 case L2CAP_MODE_BASIC:
293 case L2CAP_MODE_LE_FLOWCTL:
294 break;
295 case L2CAP_MODE_EXT_FLOWCTL:
296 if (!enable_ecred) {
297 err = -EOPNOTSUPP;
298 goto done;
299 }
300 break;
301 case L2CAP_MODE_ERTM:
302 case L2CAP_MODE_STREAMING:
303 if (!disable_ertm)
304 break;
305 fallthrough;
306 default:
307 err = -EOPNOTSUPP;
308 goto done;
309 }
310
311 sk->sk_max_ack_backlog = backlog;
312 sk->sk_ack_backlog = 0;
313
314 /* Listening channels need to use nested locking in order not to
315 * cause lockdep warnings when the created child channels end up
316 * being locked in the same thread as the parent channel.
317 */
318 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
319
320 chan->state = BT_LISTEN;
321 sk->sk_state = BT_LISTEN;
322
323done:
324 release_sock(sk);
325 return err;
326}
327
328static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
329 int flags, bool kern)
330{
331 DEFINE_WAIT_FUNC(wait, woken_wake_function);
332 struct sock *sk = sock->sk, *nsk;
333 long timeo;
334 int err = 0;
335
336 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
337
338 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
339
340 BT_DBG("sk %p timeo %ld", sk, timeo);
341
342 /* Wait for an incoming connection. (wake-one). */
343 add_wait_queue_exclusive(sk_sleep(sk), &wait);
344 while (1) {
345 if (sk->sk_state != BT_LISTEN) {
346 err = -EBADFD;
347 break;
348 }
349
350 nsk = bt_accept_dequeue(sk, newsock);
351 if (nsk)
352 break;
353
354 if (!timeo) {
355 err = -EAGAIN;
356 break;
357 }
358
359 if (signal_pending(current)) {
360 err = sock_intr_errno(timeo);
361 break;
362 }
363
364 release_sock(sk);
365
366 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
367
368 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
369 }
370 remove_wait_queue(sk_sleep(sk), &wait);
371
372 if (err)
373 goto done;
374
375 newsock->state = SS_CONNECTED;
376
377 BT_DBG("new socket %p", nsk);
378
379done:
380 release_sock(sk);
381 return err;
382}
383
384static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
385 int peer)
386{
387 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
388 struct sock *sk = sock->sk;
389 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
390
391 BT_DBG("sock %p, sk %p", sock, sk);
392
393 if (peer && sk->sk_state != BT_CONNECTED &&
394 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
395 sk->sk_state != BT_CONFIG)
396 return -ENOTCONN;
397
398 memset(la, 0, sizeof(struct sockaddr_l2));
399 addr->sa_family = AF_BLUETOOTH;
400
401 la->l2_psm = chan->psm;
402
403 if (peer) {
404 bacpy(&la->l2_bdaddr, &chan->dst);
405 la->l2_cid = cpu_to_le16(chan->dcid);
406 la->l2_bdaddr_type = chan->dst_type;
407 } else {
408 bacpy(&la->l2_bdaddr, &chan->src);
409 la->l2_cid = cpu_to_le16(chan->scid);
410 la->l2_bdaddr_type = chan->src_type;
411 }
412
413 return sizeof(struct sockaddr_l2);
414}
415
416static int l2cap_get_mode(struct l2cap_chan *chan)
417{
418 switch (chan->mode) {
419 case L2CAP_MODE_BASIC:
420 return BT_MODE_BASIC;
421 case L2CAP_MODE_ERTM:
422 return BT_MODE_ERTM;
423 case L2CAP_MODE_STREAMING:
424 return BT_MODE_STREAMING;
425 case L2CAP_MODE_LE_FLOWCTL:
426 return BT_MODE_LE_FLOWCTL;
427 case L2CAP_MODE_EXT_FLOWCTL:
428 return BT_MODE_EXT_FLOWCTL;
429 }
430
431 return -EINVAL;
432}
433
434static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
435 char __user *optval, int __user *optlen)
436{
437 struct sock *sk = sock->sk;
438 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
439 struct l2cap_options opts;
440 struct l2cap_conninfo cinfo;
441 int len, err = 0;
442 u32 opt;
443
444 BT_DBG("sk %p", sk);
445
446 if (get_user(len, optlen))
447 return -EFAULT;
448
449 lock_sock(sk);
450
451 switch (optname) {
452 case L2CAP_OPTIONS:
453 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
454 * legacy ATT code depends on getsockopt for
455 * L2CAP_OPTIONS we need to let this pass.
456 */
457 if (bdaddr_type_is_le(chan->src_type) &&
458 chan->scid != L2CAP_CID_ATT) {
459 err = -EINVAL;
460 break;
461 }
462
463 /* Only BR/EDR modes are supported here */
464 switch (chan->mode) {
465 case L2CAP_MODE_BASIC:
466 case L2CAP_MODE_ERTM:
467 case L2CAP_MODE_STREAMING:
468 break;
469 default:
470 err = -EINVAL;
471 break;
472 }
473
474 if (err < 0)
475 break;
476
477 memset(&opts, 0, sizeof(opts));
478 opts.imtu = chan->imtu;
479 opts.omtu = chan->omtu;
480 opts.flush_to = chan->flush_to;
481 opts.mode = chan->mode;
482 opts.fcs = chan->fcs;
483 opts.max_tx = chan->max_tx;
484 opts.txwin_size = chan->tx_win;
485
486 BT_DBG("mode 0x%2.2x", chan->mode);
487
488 len = min_t(unsigned int, len, sizeof(opts));
489 if (copy_to_user(optval, (char *) &opts, len))
490 err = -EFAULT;
491
492 break;
493
494 case L2CAP_LM:
495 switch (chan->sec_level) {
496 case BT_SECURITY_LOW:
497 opt = L2CAP_LM_AUTH;
498 break;
499 case BT_SECURITY_MEDIUM:
500 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
501 break;
502 case BT_SECURITY_HIGH:
503 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
504 L2CAP_LM_SECURE;
505 break;
506 case BT_SECURITY_FIPS:
507 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
508 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
509 break;
510 default:
511 opt = 0;
512 break;
513 }
514
515 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
516 opt |= L2CAP_LM_MASTER;
517
518 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
519 opt |= L2CAP_LM_RELIABLE;
520
521 if (put_user(opt, (u32 __user *) optval))
522 err = -EFAULT;
523
524 break;
525
526 case L2CAP_CONNINFO:
527 if (sk->sk_state != BT_CONNECTED &&
528 !(sk->sk_state == BT_CONNECT2 &&
529 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
530 err = -ENOTCONN;
531 break;
532 }
533
534 memset(&cinfo, 0, sizeof(cinfo));
535 cinfo.hci_handle = chan->conn->hcon->handle;
536 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
537
538 len = min_t(unsigned int, len, sizeof(cinfo));
539 if (copy_to_user(optval, (char *) &cinfo, len))
540 err = -EFAULT;
541
542 break;
543
544 default:
545 err = -ENOPROTOOPT;
546 break;
547 }
548
549 release_sock(sk);
550 return err;
551}
552
553static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
554 char __user *optval, int __user *optlen)
555{
556 struct sock *sk = sock->sk;
557 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
558 struct bt_security sec;
559 struct bt_power pwr;
560 u32 phys;
561 int len, mode, err = 0;
562
563 BT_DBG("sk %p", sk);
564
565 if (level == SOL_L2CAP)
566 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
567
568 if (level != SOL_BLUETOOTH)
569 return -ENOPROTOOPT;
570
571 if (get_user(len, optlen))
572 return -EFAULT;
573
574 lock_sock(sk);
575
576 switch (optname) {
577 case BT_SECURITY:
578 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
579 chan->chan_type != L2CAP_CHAN_FIXED &&
580 chan->chan_type != L2CAP_CHAN_RAW) {
581 err = -EINVAL;
582 break;
583 }
584
585 memset(&sec, 0, sizeof(sec));
586 if (chan->conn) {
587 sec.level = chan->conn->hcon->sec_level;
588
589 if (sk->sk_state == BT_CONNECTED)
590 sec.key_size = chan->conn->hcon->enc_key_size;
591 } else {
592 sec.level = chan->sec_level;
593 }
594
595 len = min_t(unsigned int, len, sizeof(sec));
596 if (copy_to_user(optval, (char *) &sec, len))
597 err = -EFAULT;
598
599 break;
600
601 case BT_DEFER_SETUP:
602 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
603 err = -EINVAL;
604 break;
605 }
606
607 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
608 (u32 __user *) optval))
609 err = -EFAULT;
610
611 break;
612
613 case BT_FLUSHABLE:
614 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
615 (u32 __user *) optval))
616 err = -EFAULT;
617
618 break;
619
620 case BT_POWER:
621 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
622 && sk->sk_type != SOCK_RAW) {
623 err = -EINVAL;
624 break;
625 }
626
627 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
628
629 len = min_t(unsigned int, len, sizeof(pwr));
630 if (copy_to_user(optval, (char *) &pwr, len))
631 err = -EFAULT;
632
633 break;
634
635 case BT_CHANNEL_POLICY:
636 if (put_user(chan->chan_policy, (u32 __user *) optval))
637 err = -EFAULT;
638 break;
639
640 case BT_SNDMTU:
641 if (!bdaddr_type_is_le(chan->src_type)) {
642 err = -EINVAL;
643 break;
644 }
645
646 if (sk->sk_state != BT_CONNECTED) {
647 err = -ENOTCONN;
648 break;
649 }
650
651 if (put_user(chan->omtu, (u16 __user *) optval))
652 err = -EFAULT;
653 break;
654
655 case BT_RCVMTU:
656 if (!bdaddr_type_is_le(chan->src_type)) {
657 err = -EINVAL;
658 break;
659 }
660
661 if (put_user(chan->imtu, (u16 __user *) optval))
662 err = -EFAULT;
663 break;
664
665 case BT_PHY:
666 if (sk->sk_state != BT_CONNECTED) {
667 err = -ENOTCONN;
668 break;
669 }
670
671 phys = hci_conn_get_phy(chan->conn->hcon);
672
673 if (put_user(phys, (u32 __user *) optval))
674 err = -EFAULT;
675 break;
676
677 case BT_MODE:
678 if (!enable_ecred) {
679 err = -ENOPROTOOPT;
680 break;
681 }
682
683 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
684 err = -EINVAL;
685 break;
686 }
687
688 mode = l2cap_get_mode(chan);
689 if (mode < 0) {
690 err = mode;
691 break;
692 }
693
694 if (put_user(mode, (u8 __user *) optval))
695 err = -EFAULT;
696 break;
697
698 default:
699 err = -ENOPROTOOPT;
700 break;
701 }
702
703 release_sock(sk);
704 return err;
705}
706
707static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
708{
709 switch (chan->scid) {
710 case L2CAP_CID_ATT:
711 if (mtu < L2CAP_LE_MIN_MTU)
712 return false;
713 break;
714
715 default:
716 if (mtu < L2CAP_DEFAULT_MIN_MTU)
717 return false;
718 }
719
720 return true;
721}
722
723static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
724 sockptr_t optval, unsigned int optlen)
725{
726 struct sock *sk = sock->sk;
727 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
728 struct l2cap_options opts;
729 int len, err = 0;
730 u32 opt;
731
732 BT_DBG("sk %p", sk);
733
734 lock_sock(sk);
735
736 switch (optname) {
737 case L2CAP_OPTIONS:
738 if (bdaddr_type_is_le(chan->src_type)) {
739 err = -EINVAL;
740 break;
741 }
742
743 if (sk->sk_state == BT_CONNECTED) {
744 err = -EINVAL;
745 break;
746 }
747
748 opts.imtu = chan->imtu;
749 opts.omtu = chan->omtu;
750 opts.flush_to = chan->flush_to;
751 opts.mode = chan->mode;
752 opts.fcs = chan->fcs;
753 opts.max_tx = chan->max_tx;
754 opts.txwin_size = chan->tx_win;
755
756 len = min_t(unsigned int, sizeof(opts), optlen);
757 if (copy_from_sockptr(&opts, optval, len)) {
758 err = -EFAULT;
759 break;
760 }
761
762 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
763 err = -EINVAL;
764 break;
765 }
766
767 if (!l2cap_valid_mtu(chan, opts.imtu)) {
768 err = -EINVAL;
769 break;
770 }
771
772 /* Only BR/EDR modes are supported here */
773 switch (opts.mode) {
774 case L2CAP_MODE_BASIC:
775 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
776 break;
777 case L2CAP_MODE_ERTM:
778 case L2CAP_MODE_STREAMING:
779 if (!disable_ertm)
780 break;
781 fallthrough;
782 default:
783 err = -EINVAL;
784 break;
785 }
786
787 if (err < 0)
788 break;
789
790 chan->mode = opts.mode;
791
792 BT_DBG("mode 0x%2.2x", chan->mode);
793
794 chan->imtu = opts.imtu;
795 chan->omtu = opts.omtu;
796 chan->fcs = opts.fcs;
797 chan->max_tx = opts.max_tx;
798 chan->tx_win = opts.txwin_size;
799 chan->flush_to = opts.flush_to;
800 break;
801
802 case L2CAP_LM:
803 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
804 err = -EFAULT;
805 break;
806 }
807
808 if (opt & L2CAP_LM_FIPS) {
809 err = -EINVAL;
810 break;
811 }
812
813 if (opt & L2CAP_LM_AUTH)
814 chan->sec_level = BT_SECURITY_LOW;
815 if (opt & L2CAP_LM_ENCRYPT)
816 chan->sec_level = BT_SECURITY_MEDIUM;
817 if (opt & L2CAP_LM_SECURE)
818 chan->sec_level = BT_SECURITY_HIGH;
819
820 if (opt & L2CAP_LM_MASTER)
821 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
822 else
823 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
824
825 if (opt & L2CAP_LM_RELIABLE)
826 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
827 else
828 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
829 break;
830
831 default:
832 err = -ENOPROTOOPT;
833 break;
834 }
835
836 release_sock(sk);
837 return err;
838}
839
840static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode)
841{
842 switch (mode) {
843 case BT_MODE_BASIC:
844 if (bdaddr_type_is_le(chan->src_type))
845 return -EINVAL;
846 mode = L2CAP_MODE_BASIC;
847 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
848 break;
849 case BT_MODE_ERTM:
850 if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
851 return -EINVAL;
852 mode = L2CAP_MODE_ERTM;
853 break;
854 case BT_MODE_STREAMING:
855 if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
856 return -EINVAL;
857 mode = L2CAP_MODE_STREAMING;
858 break;
859 case BT_MODE_LE_FLOWCTL:
860 if (!bdaddr_type_is_le(chan->src_type))
861 return -EINVAL;
862 mode = L2CAP_MODE_LE_FLOWCTL;
863 break;
864 case BT_MODE_EXT_FLOWCTL:
865 /* TODO: Add support for ECRED PDUs to BR/EDR */
866 if (!bdaddr_type_is_le(chan->src_type))
867 return -EINVAL;
868 mode = L2CAP_MODE_EXT_FLOWCTL;
869 break;
870 default:
871 return -EINVAL;
872 }
873
874 chan->mode = mode;
875
876 return 0;
877}
878
879static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
880 sockptr_t optval, unsigned int optlen)
881{
882 struct sock *sk = sock->sk;
883 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
884 struct bt_security sec;
885 struct bt_power pwr;
886 struct l2cap_conn *conn;
887 int len, err = 0;
888 u32 opt;
889 u16 mtu;
890 u8 mode;
891
892 BT_DBG("sk %p", sk);
893
894 if (level == SOL_L2CAP)
895 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
896
897 if (level != SOL_BLUETOOTH)
898 return -ENOPROTOOPT;
899
900 lock_sock(sk);
901
902 switch (optname) {
903 case BT_SECURITY:
904 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
905 chan->chan_type != L2CAP_CHAN_FIXED &&
906 chan->chan_type != L2CAP_CHAN_RAW) {
907 err = -EINVAL;
908 break;
909 }
910
911 sec.level = BT_SECURITY_LOW;
912
913 len = min_t(unsigned int, sizeof(sec), optlen);
914 if (copy_from_sockptr(&sec, optval, len)) {
915 err = -EFAULT;
916 break;
917 }
918
919 if (sec.level < BT_SECURITY_LOW ||
920 sec.level > BT_SECURITY_FIPS) {
921 err = -EINVAL;
922 break;
923 }
924
925 chan->sec_level = sec.level;
926
927 if (!chan->conn)
928 break;
929
930 conn = chan->conn;
931
932 /* change security for LE channels */
933 if (chan->scid == L2CAP_CID_ATT) {
934 if (smp_conn_security(conn->hcon, sec.level)) {
935 err = -EINVAL;
936 break;
937 }
938
939 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
940 sk->sk_state = BT_CONFIG;
941 chan->state = BT_CONFIG;
942
943 /* or for ACL link */
944 } else if ((sk->sk_state == BT_CONNECT2 &&
945 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
946 sk->sk_state == BT_CONNECTED) {
947 if (!l2cap_chan_check_security(chan, true))
948 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
949 else
950 sk->sk_state_change(sk);
951 } else {
952 err = -EINVAL;
953 }
954 break;
955
956 case BT_DEFER_SETUP:
957 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
958 err = -EINVAL;
959 break;
960 }
961
962 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
963 err = -EFAULT;
964 break;
965 }
966
967 if (opt) {
968 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
969 set_bit(FLAG_DEFER_SETUP, &chan->flags);
970 } else {
971 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
972 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
973 }
974 break;
975
976 case BT_FLUSHABLE:
977 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
978 err = -EFAULT;
979 break;
980 }
981
982 if (opt > BT_FLUSHABLE_ON) {
983 err = -EINVAL;
984 break;
985 }
986
987 if (opt == BT_FLUSHABLE_OFF) {
988 conn = chan->conn;
989 /* proceed further only when we have l2cap_conn and
990 No Flush support in the LM */
991 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
992 err = -EINVAL;
993 break;
994 }
995 }
996
997 if (opt)
998 set_bit(FLAG_FLUSHABLE, &chan->flags);
999 else
1000 clear_bit(FLAG_FLUSHABLE, &chan->flags);
1001 break;
1002
1003 case BT_POWER:
1004 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
1005 chan->chan_type != L2CAP_CHAN_RAW) {
1006 err = -EINVAL;
1007 break;
1008 }
1009
1010 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
1011
1012 len = min_t(unsigned int, sizeof(pwr), optlen);
1013 if (copy_from_sockptr(&pwr, optval, len)) {
1014 err = -EFAULT;
1015 break;
1016 }
1017
1018 if (pwr.force_active)
1019 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1020 else
1021 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1022 break;
1023
1024 case BT_CHANNEL_POLICY:
1025 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
1026 err = -EFAULT;
1027 break;
1028 }
1029
1030 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
1031 err = -EINVAL;
1032 break;
1033 }
1034
1035 if (chan->mode != L2CAP_MODE_ERTM &&
1036 chan->mode != L2CAP_MODE_STREAMING) {
1037 err = -EOPNOTSUPP;
1038 break;
1039 }
1040
1041 chan->chan_policy = (u8) opt;
1042
1043 if (sk->sk_state == BT_CONNECTED &&
1044 chan->move_role == L2CAP_MOVE_ROLE_NONE)
1045 l2cap_move_start(chan);
1046
1047 break;
1048
1049 case BT_SNDMTU:
1050 if (!bdaddr_type_is_le(chan->src_type)) {
1051 err = -EINVAL;
1052 break;
1053 }
1054
1055 /* Setting is not supported as it's the remote side that
1056 * decides this.
1057 */
1058 err = -EPERM;
1059 break;
1060
1061 case BT_RCVMTU:
1062 if (!bdaddr_type_is_le(chan->src_type)) {
1063 err = -EINVAL;
1064 break;
1065 }
1066
1067 if (chan->mode == L2CAP_MODE_LE_FLOWCTL &&
1068 sk->sk_state == BT_CONNECTED) {
1069 err = -EISCONN;
1070 break;
1071 }
1072
1073 if (copy_from_sockptr(&mtu, optval, sizeof(u16))) {
1074 err = -EFAULT;
1075 break;
1076 }
1077
1078 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
1079 sk->sk_state == BT_CONNECTED)
1080 err = l2cap_chan_reconfigure(chan, mtu);
1081 else
1082 chan->imtu = mtu;
1083
1084 break;
1085
1086 case BT_MODE:
1087 if (!enable_ecred) {
1088 err = -ENOPROTOOPT;
1089 break;
1090 }
1091
1092 BT_DBG("sk->sk_state %u", sk->sk_state);
1093
1094 if (sk->sk_state != BT_BOUND) {
1095 err = -EINVAL;
1096 break;
1097 }
1098
1099 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1100 err = -EINVAL;
1101 break;
1102 }
1103
1104 if (copy_from_sockptr(&mode, optval, sizeof(u8))) {
1105 err = -EFAULT;
1106 break;
1107 }
1108
1109 BT_DBG("mode %u", mode);
1110
1111 err = l2cap_set_mode(chan, mode);
1112 if (err)
1113 break;
1114
1115 BT_DBG("mode 0x%2.2x", chan->mode);
1116
1117 break;
1118
1119 default:
1120 err = -ENOPROTOOPT;
1121 break;
1122 }
1123
1124 release_sock(sk);
1125 return err;
1126}
1127
1128static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1129 size_t len)
1130{
1131 struct sock *sk = sock->sk;
1132 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1133 int err;
1134
1135 BT_DBG("sock %p, sk %p", sock, sk);
1136
1137 err = sock_error(sk);
1138 if (err)
1139 return err;
1140
1141 if (msg->msg_flags & MSG_OOB)
1142 return -EOPNOTSUPP;
1143
1144 if (sk->sk_state != BT_CONNECTED)
1145 return -ENOTCONN;
1146
1147 lock_sock(sk);
1148 err = bt_sock_wait_ready(sk, msg->msg_flags);
1149 release_sock(sk);
1150 if (err)
1151 return err;
1152
1153 l2cap_chan_lock(chan);
1154 err = l2cap_chan_send(chan, msg, len);
1155 l2cap_chan_unlock(chan);
1156
1157 return err;
1158}
1159
1160static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1161 size_t len, int flags)
1162{
1163 struct sock *sk = sock->sk;
1164 struct l2cap_pinfo *pi = l2cap_pi(sk);
1165 int err;
1166
1167 lock_sock(sk);
1168
1169 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
1170 &bt_sk(sk)->flags)) {
1171 if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
1172 sk->sk_state = BT_CONNECTED;
1173 pi->chan->state = BT_CONNECTED;
1174 __l2cap_ecred_conn_rsp_defer(pi->chan);
1175 } else if (bdaddr_type_is_le(pi->chan->src_type)) {
1176 sk->sk_state = BT_CONNECTED;
1177 pi->chan->state = BT_CONNECTED;
1178 __l2cap_le_connect_rsp_defer(pi->chan);
1179 } else {
1180 sk->sk_state = BT_CONFIG;
1181 pi->chan->state = BT_CONFIG;
1182 __l2cap_connect_rsp_defer(pi->chan);
1183 }
1184
1185 err = 0;
1186 goto done;
1187 }
1188
1189 release_sock(sk);
1190
1191 if (sock->type == SOCK_STREAM)
1192 err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1193 else
1194 err = bt_sock_recvmsg(sock, msg, len, flags);
1195
1196 if (pi->chan->mode != L2CAP_MODE_ERTM)
1197 return err;
1198
1199 /* Attempt to put pending rx data in the socket buffer */
1200
1201 lock_sock(sk);
1202
1203 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1204 goto done;
1205
1206 if (pi->rx_busy_skb) {
1207 if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1208 pi->rx_busy_skb = NULL;
1209 else
1210 goto done;
1211 }
1212
1213 /* Restore data flow when half of the receive buffer is
1214 * available. This avoids resending large numbers of
1215 * frames.
1216 */
1217 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1218 l2cap_chan_busy(pi->chan, 0);
1219
1220done:
1221 release_sock(sk);
1222 return err;
1223}
1224
1225/* Kill socket (only if zapped and orphan)
1226 * Must be called on unlocked socket, with l2cap channel lock.
1227 */
1228static void l2cap_sock_kill(struct sock *sk)
1229{
1230 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1231 return;
1232
1233 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1234
1235 /* Kill poor orphan */
1236
1237 l2cap_chan_put(l2cap_pi(sk)->chan);
1238 sock_set_flag(sk, SOCK_DEAD);
1239 sock_put(sk);
1240}
1241
1242static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1243{
1244 DECLARE_WAITQUEUE(wait, current);
1245 int err = 0;
1246 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1247 /* Timeout to prevent infinite loop */
1248 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1249
1250 add_wait_queue(sk_sleep(sk), &wait);
1251 set_current_state(TASK_INTERRUPTIBLE);
1252 do {
1253 BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1254 chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1255 jiffies_to_msecs(timeout - jiffies));
1256
1257 if (!timeo)
1258 timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1259
1260 if (signal_pending(current)) {
1261 err = sock_intr_errno(timeo);
1262 break;
1263 }
1264
1265 release_sock(sk);
1266 timeo = schedule_timeout(timeo);
1267 lock_sock(sk);
1268 set_current_state(TASK_INTERRUPTIBLE);
1269
1270 err = sock_error(sk);
1271 if (err)
1272 break;
1273
1274 if (time_after(jiffies, timeout)) {
1275 err = -ENOLINK;
1276 break;
1277 }
1278
1279 } while (chan->unacked_frames > 0 &&
1280 chan->state == BT_CONNECTED);
1281
1282 set_current_state(TASK_RUNNING);
1283 remove_wait_queue(sk_sleep(sk), &wait);
1284 return err;
1285}
1286
1287static int l2cap_sock_shutdown(struct socket *sock, int how)
1288{
1289 struct sock *sk = sock->sk;
1290 struct l2cap_chan *chan;
1291 struct l2cap_conn *conn;
1292 int err = 0;
1293
1294 BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1295
1296 /* 'how' parameter is mapped to sk_shutdown as follows:
1297 * SHUT_RD (0) --> RCV_SHUTDOWN (1)
1298 * SHUT_WR (1) --> SEND_SHUTDOWN (2)
1299 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3)
1300 */
1301 how++;
1302
1303 if (!sk)
1304 return 0;
1305
1306 lock_sock(sk);
1307
1308 if ((sk->sk_shutdown & how) == how)
1309 goto shutdown_already;
1310
1311 BT_DBG("Handling sock shutdown");
1312
1313 /* prevent sk structure from being freed whilst unlocked */
1314 sock_hold(sk);
1315
1316 chan = l2cap_pi(sk)->chan;
1317 /* prevent chan structure from being freed whilst unlocked */
1318 l2cap_chan_hold(chan);
1319
1320 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1321
1322 if (chan->mode == L2CAP_MODE_ERTM &&
1323 chan->unacked_frames > 0 &&
1324 chan->state == BT_CONNECTED) {
1325 err = __l2cap_wait_ack(sk, chan);
1326
1327 /* After waiting for ACKs, check whether shutdown
1328 * has already been actioned to close the L2CAP
1329 * link such as by l2cap_disconnection_req().
1330 */
1331 if ((sk->sk_shutdown & how) == how)
1332 goto shutdown_matched;
1333 }
1334
1335 /* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN
1336 * is already set
1337 */
1338 if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) {
1339 sk->sk_shutdown |= RCV_SHUTDOWN;
1340 if ((sk->sk_shutdown & how) == how)
1341 goto shutdown_matched;
1342 }
1343
1344 sk->sk_shutdown |= SEND_SHUTDOWN;
1345 release_sock(sk);
1346
1347 l2cap_chan_lock(chan);
1348 conn = chan->conn;
1349 if (conn)
1350 /* prevent conn structure from being freed */
1351 l2cap_conn_get(conn);
1352 l2cap_chan_unlock(chan);
1353
1354 if (conn)
1355 /* mutex lock must be taken before l2cap_chan_lock() */
1356 mutex_lock(&conn->chan_lock);
1357
1358 l2cap_chan_lock(chan);
1359 l2cap_chan_close(chan, 0);
1360 l2cap_chan_unlock(chan);
1361
1362 if (conn) {
1363 mutex_unlock(&conn->chan_lock);
1364 l2cap_conn_put(conn);
1365 }
1366
1367 lock_sock(sk);
1368
1369 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1370 !(current->flags & PF_EXITING))
1371 err = bt_sock_wait_state(sk, BT_CLOSED,
1372 sk->sk_lingertime);
1373
1374shutdown_matched:
1375 l2cap_chan_put(chan);
1376 sock_put(sk);
1377
1378shutdown_already:
1379 if (!err && sk->sk_err)
1380 err = -sk->sk_err;
1381
1382 release_sock(sk);
1383
1384 BT_DBG("Sock shutdown complete err: %d", err);
1385
1386 return err;
1387}
1388
1389static int l2cap_sock_release(struct socket *sock)
1390{
1391 struct sock *sk = sock->sk;
1392 int err;
1393 struct l2cap_chan *chan;
1394
1395 BT_DBG("sock %p, sk %p", sock, sk);
1396
1397 if (!sk)
1398 return 0;
1399
1400 l2cap_sock_cleanup_listen(sk);
1401 bt_sock_unlink(&l2cap_sk_list, sk);
1402
1403 err = l2cap_sock_shutdown(sock, SHUT_RDWR);
1404 chan = l2cap_pi(sk)->chan;
1405
1406 l2cap_chan_hold(chan);
1407 l2cap_chan_lock(chan);
1408
1409 sock_orphan(sk);
1410 l2cap_sock_kill(sk);
1411
1412 l2cap_chan_unlock(chan);
1413 l2cap_chan_put(chan);
1414
1415 return err;
1416}
1417
1418static void l2cap_sock_cleanup_listen(struct sock *parent)
1419{
1420 struct sock *sk;
1421
1422 BT_DBG("parent %p state %s", parent,
1423 state_to_string(parent->sk_state));
1424
1425 /* Close not yet accepted channels */
1426 while ((sk = bt_accept_dequeue(parent, NULL))) {
1427 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1428
1429 BT_DBG("child chan %p state %s", chan,
1430 state_to_string(chan->state));
1431
1432 l2cap_chan_hold(chan);
1433 l2cap_chan_lock(chan);
1434
1435 __clear_chan_timer(chan);
1436 l2cap_chan_close(chan, ECONNRESET);
1437 l2cap_sock_kill(sk);
1438
1439 l2cap_chan_unlock(chan);
1440 l2cap_chan_put(chan);
1441 }
1442}
1443
1444static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1445{
1446 struct sock *sk, *parent = chan->data;
1447
1448 lock_sock(parent);
1449
1450 /* Check for backlog size */
1451 if (sk_acceptq_is_full(parent)) {
1452 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1453 release_sock(parent);
1454 return NULL;
1455 }
1456
1457 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1458 GFP_ATOMIC, 0);
1459 if (!sk) {
1460 release_sock(parent);
1461 return NULL;
1462 }
1463
1464 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1465
1466 l2cap_sock_init(sk, parent);
1467
1468 bt_accept_enqueue(parent, sk, false);
1469
1470 release_sock(parent);
1471
1472 return l2cap_pi(sk)->chan;
1473}
1474
1475static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1476{
1477 struct sock *sk = chan->data;
1478 int err;
1479
1480 lock_sock(sk);
1481
1482 if (l2cap_pi(sk)->rx_busy_skb) {
1483 err = -ENOMEM;
1484 goto done;
1485 }
1486
1487 if (chan->mode != L2CAP_MODE_ERTM &&
1488 chan->mode != L2CAP_MODE_STREAMING) {
1489 /* Even if no filter is attached, we could potentially
1490 * get errors from security modules, etc.
1491 */
1492 err = sk_filter(sk, skb);
1493 if (err)
1494 goto done;
1495 }
1496
1497 err = __sock_queue_rcv_skb(sk, skb);
1498
1499 /* For ERTM, handle one skb that doesn't fit into the recv
1500 * buffer. This is important to do because the data frames
1501 * have already been acked, so the skb cannot be discarded.
1502 *
1503 * Notify the l2cap core that the buffer is full, so the
1504 * LOCAL_BUSY state is entered and no more frames are
1505 * acked and reassembled until there is buffer space
1506 * available.
1507 */
1508 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1509 l2cap_pi(sk)->rx_busy_skb = skb;
1510 l2cap_chan_busy(chan, 1);
1511 err = 0;
1512 }
1513
1514done:
1515 release_sock(sk);
1516
1517 return err;
1518}
1519
1520static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1521{
1522 struct sock *sk = chan->data;
1523
1524 if (!sk)
1525 return;
1526
1527 l2cap_sock_kill(sk);
1528}
1529
1530static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1531{
1532 struct sock *sk = chan->data;
1533 struct sock *parent;
1534
1535 if (!sk)
1536 return;
1537
1538 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1539
1540 /* This callback can be called both for server (BT_LISTEN)
1541 * sockets as well as "normal" ones. To avoid lockdep warnings
1542 * with child socket locking (through l2cap_sock_cleanup_listen)
1543 * we need separation into separate nesting levels. The simplest
1544 * way to accomplish this is to inherit the nesting level used
1545 * for the channel.
1546 */
1547 lock_sock_nested(sk, atomic_read(&chan->nesting));
1548
1549 parent = bt_sk(sk)->parent;
1550
1551 switch (chan->state) {
1552 case BT_OPEN:
1553 case BT_BOUND:
1554 case BT_CLOSED:
1555 break;
1556 case BT_LISTEN:
1557 l2cap_sock_cleanup_listen(sk);
1558 sk->sk_state = BT_CLOSED;
1559 chan->state = BT_CLOSED;
1560
1561 break;
1562 default:
1563 sk->sk_state = BT_CLOSED;
1564 chan->state = BT_CLOSED;
1565
1566 sk->sk_err = err;
1567
1568 if (parent) {
1569 bt_accept_unlink(sk);
1570 parent->sk_data_ready(parent);
1571 } else {
1572 sk->sk_state_change(sk);
1573 }
1574
1575 break;
1576 }
1577 release_sock(sk);
1578
1579 /* Only zap after cleanup to avoid use after free race */
1580 sock_set_flag(sk, SOCK_ZAPPED);
1581
1582}
1583
1584static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1585 int err)
1586{
1587 struct sock *sk = chan->data;
1588
1589 sk->sk_state = state;
1590
1591 if (err)
1592 sk->sk_err = err;
1593}
1594
1595static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1596 unsigned long hdr_len,
1597 unsigned long len, int nb)
1598{
1599 struct sock *sk = chan->data;
1600 struct sk_buff *skb;
1601 int err;
1602
1603 l2cap_chan_unlock(chan);
1604 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1605 l2cap_chan_lock(chan);
1606
1607 if (!skb)
1608 return ERR_PTR(err);
1609
1610 /* Channel lock is released before requesting new skb and then
1611 * reacquired thus we need to recheck channel state.
1612 */
1613 if (chan->state != BT_CONNECTED) {
1614 kfree_skb(skb);
1615 return ERR_PTR(-ENOTCONN);
1616 }
1617
1618 skb->priority = READ_ONCE(sk->sk_priority);
1619
1620 bt_cb(skb)->l2cap.chan = chan;
1621
1622 return skb;
1623}
1624
1625static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1626{
1627 struct sock *sk = chan->data;
1628 struct sock *parent;
1629
1630 lock_sock(sk);
1631
1632 parent = bt_sk(sk)->parent;
1633
1634 BT_DBG("sk %p, parent %p", sk, parent);
1635
1636 sk->sk_state = BT_CONNECTED;
1637 sk->sk_state_change(sk);
1638
1639 if (parent)
1640 parent->sk_data_ready(parent);
1641
1642 release_sock(sk);
1643}
1644
1645static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1646{
1647 struct sock *parent, *sk = chan->data;
1648
1649 lock_sock(sk);
1650
1651 parent = bt_sk(sk)->parent;
1652 if (parent)
1653 parent->sk_data_ready(parent);
1654
1655 release_sock(sk);
1656}
1657
1658static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1659{
1660 struct sock *sk = chan->data;
1661
1662 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1663 sk->sk_state = BT_CONNECTED;
1664 chan->state = BT_CONNECTED;
1665 }
1666
1667 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1668 sk->sk_state_change(sk);
1669}
1670
1671static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1672{
1673 struct sock *sk = chan->data;
1674
1675 lock_sock(sk);
1676 sk->sk_shutdown = SHUTDOWN_MASK;
1677 release_sock(sk);
1678}
1679
1680static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1681{
1682 struct sock *sk = chan->data;
1683
1684 return sk->sk_sndtimeo;
1685}
1686
1687static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan)
1688{
1689 struct sock *sk = chan->data;
1690
1691 return sk->sk_peer_pid;
1692}
1693
1694static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1695{
1696 struct sock *sk = chan->data;
1697
1698 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1699 sk->sk_state_change(sk);
1700}
1701
1702static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
1703{
1704 struct sock *sk = chan->data;
1705
1706 switch (chan->mode) {
1707 case L2CAP_MODE_ERTM:
1708 case L2CAP_MODE_STREAMING:
1709 return sk_filter(sk, skb);
1710 }
1711
1712 return 0;
1713}
1714
1715static const struct l2cap_ops l2cap_chan_ops = {
1716 .name = "L2CAP Socket Interface",
1717 .new_connection = l2cap_sock_new_connection_cb,
1718 .recv = l2cap_sock_recv_cb,
1719 .close = l2cap_sock_close_cb,
1720 .teardown = l2cap_sock_teardown_cb,
1721 .state_change = l2cap_sock_state_change_cb,
1722 .ready = l2cap_sock_ready_cb,
1723 .defer = l2cap_sock_defer_cb,
1724 .resume = l2cap_sock_resume_cb,
1725 .suspend = l2cap_sock_suspend_cb,
1726 .set_shutdown = l2cap_sock_set_shutdown_cb,
1727 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1728 .get_peer_pid = l2cap_sock_get_peer_pid_cb,
1729 .alloc_skb = l2cap_sock_alloc_skb_cb,
1730 .filter = l2cap_sock_filter,
1731};
1732
1733static void l2cap_sock_destruct(struct sock *sk)
1734{
1735 BT_DBG("sk %p", sk);
1736
1737 if (l2cap_pi(sk)->chan) {
1738 l2cap_pi(sk)->chan->data = NULL;
1739 l2cap_chan_put(l2cap_pi(sk)->chan);
1740 }
1741
1742 if (l2cap_pi(sk)->rx_busy_skb) {
1743 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1744 l2cap_pi(sk)->rx_busy_skb = NULL;
1745 }
1746
1747 skb_queue_purge(&sk->sk_receive_queue);
1748 skb_queue_purge(&sk->sk_write_queue);
1749}
1750
1751static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1752 int *msg_namelen)
1753{
1754 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1755
1756 memset(la, 0, sizeof(struct sockaddr_l2));
1757 la->l2_family = AF_BLUETOOTH;
1758 la->l2_psm = bt_cb(skb)->l2cap.psm;
1759 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1760
1761 *msg_namelen = sizeof(struct sockaddr_l2);
1762}
1763
1764static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1765{
1766 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1767
1768 BT_DBG("sk %p", sk);
1769
1770 if (parent) {
1771 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1772
1773 sk->sk_type = parent->sk_type;
1774 bt_sk(sk)->flags = bt_sk(parent)->flags;
1775
1776 chan->chan_type = pchan->chan_type;
1777 chan->imtu = pchan->imtu;
1778 chan->omtu = pchan->omtu;
1779 chan->conf_state = pchan->conf_state;
1780 chan->mode = pchan->mode;
1781 chan->fcs = pchan->fcs;
1782 chan->max_tx = pchan->max_tx;
1783 chan->tx_win = pchan->tx_win;
1784 chan->tx_win_max = pchan->tx_win_max;
1785 chan->sec_level = pchan->sec_level;
1786 chan->flags = pchan->flags;
1787 chan->tx_credits = pchan->tx_credits;
1788 chan->rx_credits = pchan->rx_credits;
1789
1790 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1791 chan->scid = pchan->scid;
1792 chan->dcid = pchan->scid;
1793 }
1794
1795 security_sk_clone(parent, sk);
1796 } else {
1797 switch (sk->sk_type) {
1798 case SOCK_RAW:
1799 chan->chan_type = L2CAP_CHAN_RAW;
1800 break;
1801 case SOCK_DGRAM:
1802 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1803 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1804 break;
1805 case SOCK_SEQPACKET:
1806 case SOCK_STREAM:
1807 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1808 break;
1809 }
1810
1811 chan->imtu = L2CAP_DEFAULT_MTU;
1812 chan->omtu = 0;
1813 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1814 chan->mode = L2CAP_MODE_ERTM;
1815 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1816 } else {
1817 chan->mode = L2CAP_MODE_BASIC;
1818 }
1819
1820 l2cap_chan_set_defaults(chan);
1821 }
1822
1823 /* Default config options */
1824 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1825
1826 chan->data = sk;
1827 chan->ops = &l2cap_chan_ops;
1828}
1829
1830static struct proto l2cap_proto = {
1831 .name = "L2CAP",
1832 .owner = THIS_MODULE,
1833 .obj_size = sizeof(struct l2cap_pinfo)
1834};
1835
1836static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1837 int proto, gfp_t prio, int kern)
1838{
1839 struct sock *sk;
1840 struct l2cap_chan *chan;
1841
1842 sk = bt_sock_alloc(net, sock, &l2cap_proto, proto, prio, kern);
1843 if (!sk)
1844 return NULL;
1845
1846 sk->sk_destruct = l2cap_sock_destruct;
1847 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1848
1849 chan = l2cap_chan_create();
1850 if (!chan) {
1851 sk_free(sk);
1852 return NULL;
1853 }
1854
1855 l2cap_chan_hold(chan);
1856
1857 l2cap_pi(sk)->chan = chan;
1858
1859 return sk;
1860}
1861
1862static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1863 int kern)
1864{
1865 struct sock *sk;
1866
1867 BT_DBG("sock %p", sock);
1868
1869 sock->state = SS_UNCONNECTED;
1870
1871 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1872 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1873 return -ESOCKTNOSUPPORT;
1874
1875 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1876 return -EPERM;
1877
1878 sock->ops = &l2cap_sock_ops;
1879
1880 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1881 if (!sk)
1882 return -ENOMEM;
1883
1884 l2cap_sock_init(sk, NULL);
1885 bt_sock_link(&l2cap_sk_list, sk);
1886 return 0;
1887}
1888
1889static const struct proto_ops l2cap_sock_ops = {
1890 .family = PF_BLUETOOTH,
1891 .owner = THIS_MODULE,
1892 .release = l2cap_sock_release,
1893 .bind = l2cap_sock_bind,
1894 .connect = l2cap_sock_connect,
1895 .listen = l2cap_sock_listen,
1896 .accept = l2cap_sock_accept,
1897 .getname = l2cap_sock_getname,
1898 .sendmsg = l2cap_sock_sendmsg,
1899 .recvmsg = l2cap_sock_recvmsg,
1900 .poll = bt_sock_poll,
1901 .ioctl = bt_sock_ioctl,
1902 .gettstamp = sock_gettstamp,
1903 .mmap = sock_no_mmap,
1904 .socketpair = sock_no_socketpair,
1905 .shutdown = l2cap_sock_shutdown,
1906 .setsockopt = l2cap_sock_setsockopt,
1907 .getsockopt = l2cap_sock_getsockopt
1908};
1909
1910static const struct net_proto_family l2cap_sock_family_ops = {
1911 .family = PF_BLUETOOTH,
1912 .owner = THIS_MODULE,
1913 .create = l2cap_sock_create,
1914};
1915
1916int __init l2cap_init_sockets(void)
1917{
1918 int err;
1919
1920 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1921
1922 err = proto_register(&l2cap_proto, 0);
1923 if (err < 0)
1924 return err;
1925
1926 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1927 if (err < 0) {
1928 BT_ERR("L2CAP socket registration failed");
1929 goto error;
1930 }
1931
1932 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1933 NULL);
1934 if (err < 0) {
1935 BT_ERR("Failed to create L2CAP proc file");
1936 bt_sock_unregister(BTPROTO_L2CAP);
1937 goto error;
1938 }
1939
1940 BT_INFO("L2CAP socket layer initialized");
1941
1942 return 0;
1943
1944error:
1945 proto_unregister(&l2cap_proto);
1946 return err;
1947}
1948
1949void l2cap_cleanup_sockets(void)
1950{
1951 bt_procfs_cleanup(&init_net, "l2cap");
1952 bt_sock_unregister(BTPROTO_L2CAP);
1953 proto_unregister(&l2cap_proto);
1954}
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
26*/
27
28/* Bluetooth L2CAP sockets. */
29
30#include <linux/module.h>
31#include <linux/export.h>
32
33#include <net/bluetooth/bluetooth.h>
34#include <net/bluetooth/hci_core.h>
35#include <net/bluetooth/l2cap.h>
36
37#include "smp.h"
38
39static struct bt_sock_list l2cap_sk_list = {
40 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
41};
42
43static const struct proto_ops l2cap_sock_ops;
44static void l2cap_sock_init(struct sock *sk, struct sock *parent);
45static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
46 int proto, gfp_t prio);
47
48bool l2cap_is_socket(struct socket *sock)
49{
50 return sock && sock->ops == &l2cap_sock_ops;
51}
52EXPORT_SYMBOL(l2cap_is_socket);
53
54static int l2cap_validate_bredr_psm(u16 psm)
55{
56 /* PSM must be odd and lsb of upper byte must be 0 */
57 if ((psm & 0x0101) != 0x0001)
58 return -EINVAL;
59
60 /* Restrict usage of well-known PSMs */
61 if (psm < 0x1001 && !capable(CAP_NET_BIND_SERVICE))
62 return -EACCES;
63
64 return 0;
65}
66
67static int l2cap_validate_le_psm(u16 psm)
68{
69 /* Valid LE_PSM ranges are defined only until 0x00ff */
70 if (psm > 0x00ff)
71 return -EINVAL;
72
73 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
74 if (psm <= 0x007f && !capable(CAP_NET_BIND_SERVICE))
75 return -EACCES;
76
77 return 0;
78}
79
80static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
81{
82 struct sock *sk = sock->sk;
83 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
84 struct sockaddr_l2 la;
85 int len, err = 0;
86
87 BT_DBG("sk %p", sk);
88
89 if (!addr || addr->sa_family != AF_BLUETOOTH)
90 return -EINVAL;
91
92 memset(&la, 0, sizeof(la));
93 len = min_t(unsigned int, sizeof(la), alen);
94 memcpy(&la, addr, len);
95
96 if (la.l2_cid && la.l2_psm)
97 return -EINVAL;
98
99 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
100 return -EINVAL;
101
102 if (la.l2_cid) {
103 /* When the socket gets created it defaults to
104 * CHAN_CONN_ORIENTED, so we need to overwrite the
105 * default here.
106 */
107 chan->chan_type = L2CAP_CHAN_FIXED;
108 chan->omtu = L2CAP_DEFAULT_MTU;
109 }
110
111 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
112 /* We only allow ATT user space socket */
113 if (la.l2_cid &&
114 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
115 return -EINVAL;
116 }
117
118 lock_sock(sk);
119
120 if (sk->sk_state != BT_OPEN) {
121 err = -EBADFD;
122 goto done;
123 }
124
125 if (la.l2_psm) {
126 __u16 psm = __le16_to_cpu(la.l2_psm);
127
128 if (la.l2_bdaddr_type == BDADDR_BREDR)
129 err = l2cap_validate_bredr_psm(psm);
130 else
131 err = l2cap_validate_le_psm(psm);
132
133 if (err)
134 goto done;
135 }
136
137 if (la.l2_cid)
138 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
139 else
140 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
141
142 if (err < 0)
143 goto done;
144
145 switch (chan->chan_type) {
146 case L2CAP_CHAN_CONN_LESS:
147 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
148 chan->sec_level = BT_SECURITY_SDP;
149 break;
150 case L2CAP_CHAN_CONN_ORIENTED:
151 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
152 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
153 chan->sec_level = BT_SECURITY_SDP;
154 break;
155 case L2CAP_CHAN_RAW:
156 chan->sec_level = BT_SECURITY_SDP;
157 break;
158 }
159
160 bacpy(&chan->src, &la.l2_bdaddr);
161 chan->src_type = la.l2_bdaddr_type;
162
163 if (chan->psm && bdaddr_type_is_le(chan->src_type))
164 chan->mode = L2CAP_MODE_LE_FLOWCTL;
165
166 chan->state = BT_BOUND;
167 sk->sk_state = BT_BOUND;
168
169done:
170 release_sock(sk);
171 return err;
172}
173
174static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
175 int alen, int flags)
176{
177 struct sock *sk = sock->sk;
178 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
179 struct sockaddr_l2 la;
180 int len, err = 0;
181
182 BT_DBG("sk %p", sk);
183
184 if (!addr || alen < sizeof(addr->sa_family) ||
185 addr->sa_family != AF_BLUETOOTH)
186 return -EINVAL;
187
188 memset(&la, 0, sizeof(la));
189 len = min_t(unsigned int, sizeof(la), alen);
190 memcpy(&la, addr, len);
191
192 if (la.l2_cid && la.l2_psm)
193 return -EINVAL;
194
195 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
196 return -EINVAL;
197
198 /* Check that the socket wasn't bound to something that
199 * conflicts with the address given to connect(). If chan->src
200 * is BDADDR_ANY it means bind() was never used, in which case
201 * chan->src_type and la.l2_bdaddr_type do not need to match.
202 */
203 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
204 bdaddr_type_is_le(la.l2_bdaddr_type)) {
205 /* Old user space versions will try to incorrectly bind
206 * the ATT socket using BDADDR_BREDR. We need to accept
207 * this and fix up the source address type only when
208 * both the source CID and destination CID indicate
209 * ATT. Anything else is an invalid combination.
210 */
211 if (chan->scid != L2CAP_CID_ATT ||
212 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
213 return -EINVAL;
214
215 /* We don't have the hdev available here to make a
216 * better decision on random vs public, but since all
217 * user space versions that exhibit this issue anyway do
218 * not support random local addresses assuming public
219 * here is good enough.
220 */
221 chan->src_type = BDADDR_LE_PUBLIC;
222 }
223
224 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
225 return -EINVAL;
226
227 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
228 /* We only allow ATT user space socket */
229 if (la.l2_cid &&
230 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
231 return -EINVAL;
232 }
233
234 if (chan->psm && bdaddr_type_is_le(chan->src_type))
235 chan->mode = L2CAP_MODE_LE_FLOWCTL;
236
237 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
238 &la.l2_bdaddr, la.l2_bdaddr_type);
239 if (err)
240 return err;
241
242 lock_sock(sk);
243
244 err = bt_sock_wait_state(sk, BT_CONNECTED,
245 sock_sndtimeo(sk, flags & O_NONBLOCK));
246
247 release_sock(sk);
248
249 return err;
250}
251
252static int l2cap_sock_listen(struct socket *sock, int backlog)
253{
254 struct sock *sk = sock->sk;
255 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
256 int err = 0;
257
258 BT_DBG("sk %p backlog %d", sk, backlog);
259
260 lock_sock(sk);
261
262 if (sk->sk_state != BT_BOUND) {
263 err = -EBADFD;
264 goto done;
265 }
266
267 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
268 err = -EINVAL;
269 goto done;
270 }
271
272 switch (chan->mode) {
273 case L2CAP_MODE_BASIC:
274 case L2CAP_MODE_LE_FLOWCTL:
275 break;
276 case L2CAP_MODE_ERTM:
277 case L2CAP_MODE_STREAMING:
278 if (!disable_ertm)
279 break;
280 /* fall through */
281 default:
282 err = -ENOTSUPP;
283 goto done;
284 }
285
286 sk->sk_max_ack_backlog = backlog;
287 sk->sk_ack_backlog = 0;
288
289 chan->state = BT_LISTEN;
290 sk->sk_state = BT_LISTEN;
291
292done:
293 release_sock(sk);
294 return err;
295}
296
297static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
298 int flags)
299{
300 DECLARE_WAITQUEUE(wait, current);
301 struct sock *sk = sock->sk, *nsk;
302 long timeo;
303 int err = 0;
304
305 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
306
307 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
308
309 BT_DBG("sk %p timeo %ld", sk, timeo);
310
311 /* Wait for an incoming connection. (wake-one). */
312 add_wait_queue_exclusive(sk_sleep(sk), &wait);
313 while (1) {
314 set_current_state(TASK_INTERRUPTIBLE);
315
316 if (sk->sk_state != BT_LISTEN) {
317 err = -EBADFD;
318 break;
319 }
320
321 nsk = bt_accept_dequeue(sk, newsock);
322 if (nsk)
323 break;
324
325 if (!timeo) {
326 err = -EAGAIN;
327 break;
328 }
329
330 if (signal_pending(current)) {
331 err = sock_intr_errno(timeo);
332 break;
333 }
334
335 release_sock(sk);
336 timeo = schedule_timeout(timeo);
337 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
338 }
339 __set_current_state(TASK_RUNNING);
340 remove_wait_queue(sk_sleep(sk), &wait);
341
342 if (err)
343 goto done;
344
345 newsock->state = SS_CONNECTED;
346
347 BT_DBG("new socket %p", nsk);
348
349done:
350 release_sock(sk);
351 return err;
352}
353
354static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
355 int *len, int peer)
356{
357 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
358 struct sock *sk = sock->sk;
359 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
360
361 BT_DBG("sock %p, sk %p", sock, sk);
362
363 if (peer && sk->sk_state != BT_CONNECTED &&
364 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2)
365 return -ENOTCONN;
366
367 memset(la, 0, sizeof(struct sockaddr_l2));
368 addr->sa_family = AF_BLUETOOTH;
369 *len = sizeof(struct sockaddr_l2);
370
371 la->l2_psm = chan->psm;
372
373 if (peer) {
374 bacpy(&la->l2_bdaddr, &chan->dst);
375 la->l2_cid = cpu_to_le16(chan->dcid);
376 la->l2_bdaddr_type = chan->dst_type;
377 } else {
378 bacpy(&la->l2_bdaddr, &chan->src);
379 la->l2_cid = cpu_to_le16(chan->scid);
380 la->l2_bdaddr_type = chan->src_type;
381 }
382
383 return 0;
384}
385
386static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
387 char __user *optval, int __user *optlen)
388{
389 struct sock *sk = sock->sk;
390 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
391 struct l2cap_options opts;
392 struct l2cap_conninfo cinfo;
393 int len, err = 0;
394 u32 opt;
395
396 BT_DBG("sk %p", sk);
397
398 if (get_user(len, optlen))
399 return -EFAULT;
400
401 lock_sock(sk);
402
403 switch (optname) {
404 case L2CAP_OPTIONS:
405 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
406 * legacy ATT code depends on getsockopt for
407 * L2CAP_OPTIONS we need to let this pass.
408 */
409 if (bdaddr_type_is_le(chan->src_type) &&
410 chan->scid != L2CAP_CID_ATT) {
411 err = -EINVAL;
412 break;
413 }
414
415 memset(&opts, 0, sizeof(opts));
416 opts.imtu = chan->imtu;
417 opts.omtu = chan->omtu;
418 opts.flush_to = chan->flush_to;
419 opts.mode = chan->mode;
420 opts.fcs = chan->fcs;
421 opts.max_tx = chan->max_tx;
422 opts.txwin_size = chan->tx_win;
423
424 len = min_t(unsigned int, len, sizeof(opts));
425 if (copy_to_user(optval, (char *) &opts, len))
426 err = -EFAULT;
427
428 break;
429
430 case L2CAP_LM:
431 switch (chan->sec_level) {
432 case BT_SECURITY_LOW:
433 opt = L2CAP_LM_AUTH;
434 break;
435 case BT_SECURITY_MEDIUM:
436 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
437 break;
438 case BT_SECURITY_HIGH:
439 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
440 L2CAP_LM_SECURE;
441 break;
442 case BT_SECURITY_FIPS:
443 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
444 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
445 break;
446 default:
447 opt = 0;
448 break;
449 }
450
451 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
452 opt |= L2CAP_LM_MASTER;
453
454 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
455 opt |= L2CAP_LM_RELIABLE;
456
457 if (put_user(opt, (u32 __user *) optval))
458 err = -EFAULT;
459
460 break;
461
462 case L2CAP_CONNINFO:
463 if (sk->sk_state != BT_CONNECTED &&
464 !(sk->sk_state == BT_CONNECT2 &&
465 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
466 err = -ENOTCONN;
467 break;
468 }
469
470 memset(&cinfo, 0, sizeof(cinfo));
471 cinfo.hci_handle = chan->conn->hcon->handle;
472 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
473
474 len = min_t(unsigned int, len, sizeof(cinfo));
475 if (copy_to_user(optval, (char *) &cinfo, len))
476 err = -EFAULT;
477
478 break;
479
480 default:
481 err = -ENOPROTOOPT;
482 break;
483 }
484
485 release_sock(sk);
486 return err;
487}
488
489static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
490 char __user *optval, int __user *optlen)
491{
492 struct sock *sk = sock->sk;
493 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
494 struct bt_security sec;
495 struct bt_power pwr;
496 int len, err = 0;
497
498 BT_DBG("sk %p", sk);
499
500 if (level == SOL_L2CAP)
501 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
502
503 if (level != SOL_BLUETOOTH)
504 return -ENOPROTOOPT;
505
506 if (get_user(len, optlen))
507 return -EFAULT;
508
509 lock_sock(sk);
510
511 switch (optname) {
512 case BT_SECURITY:
513 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
514 chan->chan_type != L2CAP_CHAN_FIXED &&
515 chan->chan_type != L2CAP_CHAN_RAW) {
516 err = -EINVAL;
517 break;
518 }
519
520 memset(&sec, 0, sizeof(sec));
521 if (chan->conn) {
522 sec.level = chan->conn->hcon->sec_level;
523
524 if (sk->sk_state == BT_CONNECTED)
525 sec.key_size = chan->conn->hcon->enc_key_size;
526 } else {
527 sec.level = chan->sec_level;
528 }
529
530 len = min_t(unsigned int, len, sizeof(sec));
531 if (copy_to_user(optval, (char *) &sec, len))
532 err = -EFAULT;
533
534 break;
535
536 case BT_DEFER_SETUP:
537 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
538 err = -EINVAL;
539 break;
540 }
541
542 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
543 (u32 __user *) optval))
544 err = -EFAULT;
545
546 break;
547
548 case BT_FLUSHABLE:
549 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
550 (u32 __user *) optval))
551 err = -EFAULT;
552
553 break;
554
555 case BT_POWER:
556 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
557 && sk->sk_type != SOCK_RAW) {
558 err = -EINVAL;
559 break;
560 }
561
562 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
563
564 len = min_t(unsigned int, len, sizeof(pwr));
565 if (copy_to_user(optval, (char *) &pwr, len))
566 err = -EFAULT;
567
568 break;
569
570 case BT_CHANNEL_POLICY:
571 if (put_user(chan->chan_policy, (u32 __user *) optval))
572 err = -EFAULT;
573 break;
574
575 case BT_SNDMTU:
576 if (!bdaddr_type_is_le(chan->src_type)) {
577 err = -EINVAL;
578 break;
579 }
580
581 if (sk->sk_state != BT_CONNECTED) {
582 err = -ENOTCONN;
583 break;
584 }
585
586 if (put_user(chan->omtu, (u16 __user *) optval))
587 err = -EFAULT;
588 break;
589
590 case BT_RCVMTU:
591 if (!bdaddr_type_is_le(chan->src_type)) {
592 err = -EINVAL;
593 break;
594 }
595
596 if (put_user(chan->imtu, (u16 __user *) optval))
597 err = -EFAULT;
598 break;
599
600 default:
601 err = -ENOPROTOOPT;
602 break;
603 }
604
605 release_sock(sk);
606 return err;
607}
608
609static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
610{
611 switch (chan->scid) {
612 case L2CAP_CID_ATT:
613 if (mtu < L2CAP_LE_MIN_MTU)
614 return false;
615 break;
616
617 default:
618 if (mtu < L2CAP_DEFAULT_MIN_MTU)
619 return false;
620 }
621
622 return true;
623}
624
625static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
626 char __user *optval, unsigned int optlen)
627{
628 struct sock *sk = sock->sk;
629 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
630 struct l2cap_options opts;
631 int len, err = 0;
632 u32 opt;
633
634 BT_DBG("sk %p", sk);
635
636 lock_sock(sk);
637
638 switch (optname) {
639 case L2CAP_OPTIONS:
640 if (bdaddr_type_is_le(chan->src_type)) {
641 err = -EINVAL;
642 break;
643 }
644
645 if (sk->sk_state == BT_CONNECTED) {
646 err = -EINVAL;
647 break;
648 }
649
650 opts.imtu = chan->imtu;
651 opts.omtu = chan->omtu;
652 opts.flush_to = chan->flush_to;
653 opts.mode = chan->mode;
654 opts.fcs = chan->fcs;
655 opts.max_tx = chan->max_tx;
656 opts.txwin_size = chan->tx_win;
657
658 len = min_t(unsigned int, sizeof(opts), optlen);
659 if (copy_from_user((char *) &opts, optval, len)) {
660 err = -EFAULT;
661 break;
662 }
663
664 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
665 err = -EINVAL;
666 break;
667 }
668
669 if (!l2cap_valid_mtu(chan, opts.imtu)) {
670 err = -EINVAL;
671 break;
672 }
673
674 chan->mode = opts.mode;
675 switch (chan->mode) {
676 case L2CAP_MODE_LE_FLOWCTL:
677 break;
678 case L2CAP_MODE_BASIC:
679 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
680 break;
681 case L2CAP_MODE_ERTM:
682 case L2CAP_MODE_STREAMING:
683 if (!disable_ertm)
684 break;
685 /* fall through */
686 default:
687 err = -EINVAL;
688 break;
689 }
690
691 chan->imtu = opts.imtu;
692 chan->omtu = opts.omtu;
693 chan->fcs = opts.fcs;
694 chan->max_tx = opts.max_tx;
695 chan->tx_win = opts.txwin_size;
696 chan->flush_to = opts.flush_to;
697 break;
698
699 case L2CAP_LM:
700 if (get_user(opt, (u32 __user *) optval)) {
701 err = -EFAULT;
702 break;
703 }
704
705 if (opt & L2CAP_LM_FIPS) {
706 err = -EINVAL;
707 break;
708 }
709
710 if (opt & L2CAP_LM_AUTH)
711 chan->sec_level = BT_SECURITY_LOW;
712 if (opt & L2CAP_LM_ENCRYPT)
713 chan->sec_level = BT_SECURITY_MEDIUM;
714 if (opt & L2CAP_LM_SECURE)
715 chan->sec_level = BT_SECURITY_HIGH;
716
717 if (opt & L2CAP_LM_MASTER)
718 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
719 else
720 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
721
722 if (opt & L2CAP_LM_RELIABLE)
723 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
724 else
725 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
726 break;
727
728 default:
729 err = -ENOPROTOOPT;
730 break;
731 }
732
733 release_sock(sk);
734 return err;
735}
736
737static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
738 char __user *optval, unsigned int optlen)
739{
740 struct sock *sk = sock->sk;
741 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
742 struct bt_security sec;
743 struct bt_power pwr;
744 struct l2cap_conn *conn;
745 int len, err = 0;
746 u32 opt;
747
748 BT_DBG("sk %p", sk);
749
750 if (level == SOL_L2CAP)
751 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
752
753 if (level != SOL_BLUETOOTH)
754 return -ENOPROTOOPT;
755
756 lock_sock(sk);
757
758 switch (optname) {
759 case BT_SECURITY:
760 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
761 chan->chan_type != L2CAP_CHAN_FIXED &&
762 chan->chan_type != L2CAP_CHAN_RAW) {
763 err = -EINVAL;
764 break;
765 }
766
767 sec.level = BT_SECURITY_LOW;
768
769 len = min_t(unsigned int, sizeof(sec), optlen);
770 if (copy_from_user((char *) &sec, optval, len)) {
771 err = -EFAULT;
772 break;
773 }
774
775 if (sec.level < BT_SECURITY_LOW ||
776 sec.level > BT_SECURITY_HIGH) {
777 err = -EINVAL;
778 break;
779 }
780
781 chan->sec_level = sec.level;
782
783 if (!chan->conn)
784 break;
785
786 conn = chan->conn;
787
788 /*change security for LE channels */
789 if (chan->scid == L2CAP_CID_ATT) {
790 if (!conn->hcon->out) {
791 err = -EINVAL;
792 break;
793 }
794
795 if (smp_conn_security(conn->hcon, sec.level))
796 break;
797 sk->sk_state = BT_CONFIG;
798 chan->state = BT_CONFIG;
799
800 /* or for ACL link */
801 } else if ((sk->sk_state == BT_CONNECT2 &&
802 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
803 sk->sk_state == BT_CONNECTED) {
804 if (!l2cap_chan_check_security(chan))
805 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
806 else
807 sk->sk_state_change(sk);
808 } else {
809 err = -EINVAL;
810 }
811 break;
812
813 case BT_DEFER_SETUP:
814 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
815 err = -EINVAL;
816 break;
817 }
818
819 if (get_user(opt, (u32 __user *) optval)) {
820 err = -EFAULT;
821 break;
822 }
823
824 if (opt) {
825 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
826 set_bit(FLAG_DEFER_SETUP, &chan->flags);
827 } else {
828 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
829 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
830 }
831 break;
832
833 case BT_FLUSHABLE:
834 if (get_user(opt, (u32 __user *) optval)) {
835 err = -EFAULT;
836 break;
837 }
838
839 if (opt > BT_FLUSHABLE_ON) {
840 err = -EINVAL;
841 break;
842 }
843
844 if (opt == BT_FLUSHABLE_OFF) {
845 conn = chan->conn;
846 /* proceed further only when we have l2cap_conn and
847 No Flush support in the LM */
848 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
849 err = -EINVAL;
850 break;
851 }
852 }
853
854 if (opt)
855 set_bit(FLAG_FLUSHABLE, &chan->flags);
856 else
857 clear_bit(FLAG_FLUSHABLE, &chan->flags);
858 break;
859
860 case BT_POWER:
861 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
862 chan->chan_type != L2CAP_CHAN_RAW) {
863 err = -EINVAL;
864 break;
865 }
866
867 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
868
869 len = min_t(unsigned int, sizeof(pwr), optlen);
870 if (copy_from_user((char *) &pwr, optval, len)) {
871 err = -EFAULT;
872 break;
873 }
874
875 if (pwr.force_active)
876 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
877 else
878 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
879 break;
880
881 case BT_CHANNEL_POLICY:
882 if (get_user(opt, (u32 __user *) optval)) {
883 err = -EFAULT;
884 break;
885 }
886
887 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
888 err = -EINVAL;
889 break;
890 }
891
892 if (chan->mode != L2CAP_MODE_ERTM &&
893 chan->mode != L2CAP_MODE_STREAMING) {
894 err = -EOPNOTSUPP;
895 break;
896 }
897
898 chan->chan_policy = (u8) opt;
899
900 if (sk->sk_state == BT_CONNECTED &&
901 chan->move_role == L2CAP_MOVE_ROLE_NONE)
902 l2cap_move_start(chan);
903
904 break;
905
906 case BT_SNDMTU:
907 if (!bdaddr_type_is_le(chan->src_type)) {
908 err = -EINVAL;
909 break;
910 }
911
912 /* Setting is not supported as it's the remote side that
913 * decides this.
914 */
915 err = -EPERM;
916 break;
917
918 case BT_RCVMTU:
919 if (!bdaddr_type_is_le(chan->src_type)) {
920 err = -EINVAL;
921 break;
922 }
923
924 if (sk->sk_state == BT_CONNECTED) {
925 err = -EISCONN;
926 break;
927 }
928
929 if (get_user(opt, (u32 __user *) optval)) {
930 err = -EFAULT;
931 break;
932 }
933
934 chan->imtu = opt;
935 break;
936
937 default:
938 err = -ENOPROTOOPT;
939 break;
940 }
941
942 release_sock(sk);
943 return err;
944}
945
946static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
947 struct msghdr *msg, size_t len)
948{
949 struct sock *sk = sock->sk;
950 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
951 int err;
952
953 BT_DBG("sock %p, sk %p", sock, sk);
954
955 err = sock_error(sk);
956 if (err)
957 return err;
958
959 if (msg->msg_flags & MSG_OOB)
960 return -EOPNOTSUPP;
961
962 if (sk->sk_state != BT_CONNECTED)
963 return -ENOTCONN;
964
965 lock_sock(sk);
966 err = bt_sock_wait_ready(sk, msg->msg_flags);
967 release_sock(sk);
968 if (err)
969 return err;
970
971 l2cap_chan_lock(chan);
972 err = l2cap_chan_send(chan, msg, len, sk->sk_priority);
973 l2cap_chan_unlock(chan);
974
975 return err;
976}
977
978static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
979 struct msghdr *msg, size_t len, int flags)
980{
981 struct sock *sk = sock->sk;
982 struct l2cap_pinfo *pi = l2cap_pi(sk);
983 int err;
984
985 lock_sock(sk);
986
987 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
988 &bt_sk(sk)->flags)) {
989 if (bdaddr_type_is_le(pi->chan->src_type)) {
990 sk->sk_state = BT_CONNECTED;
991 pi->chan->state = BT_CONNECTED;
992 __l2cap_le_connect_rsp_defer(pi->chan);
993 } else {
994 sk->sk_state = BT_CONFIG;
995 pi->chan->state = BT_CONFIG;
996 __l2cap_connect_rsp_defer(pi->chan);
997 }
998
999 err = 0;
1000 goto done;
1001 }
1002
1003 release_sock(sk);
1004
1005 if (sock->type == SOCK_STREAM)
1006 err = bt_sock_stream_recvmsg(iocb, sock, msg, len, flags);
1007 else
1008 err = bt_sock_recvmsg(iocb, sock, msg, len, flags);
1009
1010 if (pi->chan->mode != L2CAP_MODE_ERTM)
1011 return err;
1012
1013 /* Attempt to put pending rx data in the socket buffer */
1014
1015 lock_sock(sk);
1016
1017 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1018 goto done;
1019
1020 if (pi->rx_busy_skb) {
1021 if (!sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1022 pi->rx_busy_skb = NULL;
1023 else
1024 goto done;
1025 }
1026
1027 /* Restore data flow when half of the receive buffer is
1028 * available. This avoids resending large numbers of
1029 * frames.
1030 */
1031 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1032 l2cap_chan_busy(pi->chan, 0);
1033
1034done:
1035 release_sock(sk);
1036 return err;
1037}
1038
1039/* Kill socket (only if zapped and orphan)
1040 * Must be called on unlocked socket.
1041 */
1042static void l2cap_sock_kill(struct sock *sk)
1043{
1044 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1045 return;
1046
1047 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1048
1049 /* Kill poor orphan */
1050
1051 l2cap_chan_put(l2cap_pi(sk)->chan);
1052 sock_set_flag(sk, SOCK_DEAD);
1053 sock_put(sk);
1054}
1055
1056static int __l2cap_wait_ack(struct sock *sk)
1057{
1058 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1059 DECLARE_WAITQUEUE(wait, current);
1060 int err = 0;
1061 int timeo = HZ/5;
1062
1063 add_wait_queue(sk_sleep(sk), &wait);
1064 set_current_state(TASK_INTERRUPTIBLE);
1065 while (chan->unacked_frames > 0 && chan->conn) {
1066 if (!timeo)
1067 timeo = HZ/5;
1068
1069 if (signal_pending(current)) {
1070 err = sock_intr_errno(timeo);
1071 break;
1072 }
1073
1074 release_sock(sk);
1075 timeo = schedule_timeout(timeo);
1076 lock_sock(sk);
1077 set_current_state(TASK_INTERRUPTIBLE);
1078
1079 err = sock_error(sk);
1080 if (err)
1081 break;
1082 }
1083 set_current_state(TASK_RUNNING);
1084 remove_wait_queue(sk_sleep(sk), &wait);
1085 return err;
1086}
1087
1088static int l2cap_sock_shutdown(struct socket *sock, int how)
1089{
1090 struct sock *sk = sock->sk;
1091 struct l2cap_chan *chan;
1092 struct l2cap_conn *conn;
1093 int err = 0;
1094
1095 BT_DBG("sock %p, sk %p", sock, sk);
1096
1097 if (!sk)
1098 return 0;
1099
1100 chan = l2cap_pi(sk)->chan;
1101 conn = chan->conn;
1102
1103 if (conn)
1104 mutex_lock(&conn->chan_lock);
1105
1106 l2cap_chan_lock(chan);
1107 lock_sock(sk);
1108
1109 if (!sk->sk_shutdown) {
1110 if (chan->mode == L2CAP_MODE_ERTM)
1111 err = __l2cap_wait_ack(sk);
1112
1113 sk->sk_shutdown = SHUTDOWN_MASK;
1114
1115 release_sock(sk);
1116 l2cap_chan_close(chan, 0);
1117 lock_sock(sk);
1118
1119 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
1120 err = bt_sock_wait_state(sk, BT_CLOSED,
1121 sk->sk_lingertime);
1122 }
1123
1124 if (!err && sk->sk_err)
1125 err = -sk->sk_err;
1126
1127 release_sock(sk);
1128 l2cap_chan_unlock(chan);
1129
1130 if (conn)
1131 mutex_unlock(&conn->chan_lock);
1132
1133 return err;
1134}
1135
1136static int l2cap_sock_release(struct socket *sock)
1137{
1138 struct sock *sk = sock->sk;
1139 int err;
1140
1141 BT_DBG("sock %p, sk %p", sock, sk);
1142
1143 if (!sk)
1144 return 0;
1145
1146 bt_sock_unlink(&l2cap_sk_list, sk);
1147
1148 err = l2cap_sock_shutdown(sock, 2);
1149
1150 sock_orphan(sk);
1151 l2cap_sock_kill(sk);
1152 return err;
1153}
1154
1155static void l2cap_sock_cleanup_listen(struct sock *parent)
1156{
1157 struct sock *sk;
1158
1159 BT_DBG("parent %p", parent);
1160
1161 /* Close not yet accepted channels */
1162 while ((sk = bt_accept_dequeue(parent, NULL))) {
1163 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1164
1165 l2cap_chan_lock(chan);
1166 __clear_chan_timer(chan);
1167 l2cap_chan_close(chan, ECONNRESET);
1168 l2cap_chan_unlock(chan);
1169
1170 l2cap_sock_kill(sk);
1171 }
1172}
1173
1174static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1175{
1176 struct sock *sk, *parent = chan->data;
1177
1178 lock_sock(parent);
1179
1180 /* Check for backlog size */
1181 if (sk_acceptq_is_full(parent)) {
1182 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1183 return NULL;
1184 }
1185
1186 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1187 GFP_ATOMIC);
1188 if (!sk)
1189 return NULL;
1190
1191 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1192
1193 l2cap_sock_init(sk, parent);
1194
1195 bt_accept_enqueue(parent, sk);
1196
1197 release_sock(parent);
1198
1199 return l2cap_pi(sk)->chan;
1200}
1201
1202static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1203{
1204 struct sock *sk = chan->data;
1205 int err;
1206
1207 lock_sock(sk);
1208
1209 if (l2cap_pi(sk)->rx_busy_skb) {
1210 err = -ENOMEM;
1211 goto done;
1212 }
1213
1214 err = sock_queue_rcv_skb(sk, skb);
1215
1216 /* For ERTM, handle one skb that doesn't fit into the recv
1217 * buffer. This is important to do because the data frames
1218 * have already been acked, so the skb cannot be discarded.
1219 *
1220 * Notify the l2cap core that the buffer is full, so the
1221 * LOCAL_BUSY state is entered and no more frames are
1222 * acked and reassembled until there is buffer space
1223 * available.
1224 */
1225 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1226 l2cap_pi(sk)->rx_busy_skb = skb;
1227 l2cap_chan_busy(chan, 1);
1228 err = 0;
1229 }
1230
1231done:
1232 release_sock(sk);
1233
1234 return err;
1235}
1236
1237static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1238{
1239 struct sock *sk = chan->data;
1240
1241 l2cap_sock_kill(sk);
1242}
1243
1244static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1245{
1246 struct sock *sk = chan->data;
1247 struct sock *parent;
1248
1249 lock_sock(sk);
1250
1251 parent = bt_sk(sk)->parent;
1252
1253 sock_set_flag(sk, SOCK_ZAPPED);
1254
1255 switch (chan->state) {
1256 case BT_OPEN:
1257 case BT_BOUND:
1258 case BT_CLOSED:
1259 break;
1260 case BT_LISTEN:
1261 l2cap_sock_cleanup_listen(sk);
1262 sk->sk_state = BT_CLOSED;
1263 chan->state = BT_CLOSED;
1264
1265 break;
1266 default:
1267 sk->sk_state = BT_CLOSED;
1268 chan->state = BT_CLOSED;
1269
1270 sk->sk_err = err;
1271
1272 if (parent) {
1273 bt_accept_unlink(sk);
1274 parent->sk_data_ready(parent);
1275 } else {
1276 sk->sk_state_change(sk);
1277 }
1278
1279 break;
1280 }
1281
1282 release_sock(sk);
1283}
1284
1285static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1286 int err)
1287{
1288 struct sock *sk = chan->data;
1289
1290 sk->sk_state = state;
1291
1292 if (err)
1293 sk->sk_err = err;
1294}
1295
1296static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1297 unsigned long len, int nb)
1298{
1299 struct sock *sk = chan->data;
1300 struct sk_buff *skb;
1301 int err;
1302
1303 l2cap_chan_unlock(chan);
1304 skb = bt_skb_send_alloc(sk, len, nb, &err);
1305 l2cap_chan_lock(chan);
1306
1307 if (!skb)
1308 return ERR_PTR(err);
1309
1310 bt_cb(skb)->chan = chan;
1311
1312 return skb;
1313}
1314
1315static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1316{
1317 struct sock *sk = chan->data;
1318 struct sock *parent;
1319
1320 lock_sock(sk);
1321
1322 parent = bt_sk(sk)->parent;
1323
1324 BT_DBG("sk %p, parent %p", sk, parent);
1325
1326 sk->sk_state = BT_CONNECTED;
1327 sk->sk_state_change(sk);
1328
1329 if (parent)
1330 parent->sk_data_ready(parent);
1331
1332 release_sock(sk);
1333}
1334
1335static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1336{
1337 struct sock *parent, *sk = chan->data;
1338
1339 lock_sock(sk);
1340
1341 parent = bt_sk(sk)->parent;
1342 if (parent)
1343 parent->sk_data_ready(parent);
1344
1345 release_sock(sk);
1346}
1347
1348static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1349{
1350 struct sock *sk = chan->data;
1351
1352 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1353 sk->sk_state_change(sk);
1354}
1355
1356static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1357{
1358 struct sock *sk = chan->data;
1359
1360 lock_sock(sk);
1361 sk->sk_shutdown = SHUTDOWN_MASK;
1362 release_sock(sk);
1363}
1364
1365static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1366{
1367 struct sock *sk = chan->data;
1368
1369 return sk->sk_sndtimeo;
1370}
1371
1372static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1373{
1374 struct sock *sk = chan->data;
1375
1376 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1377 sk->sk_state_change(sk);
1378}
1379
1380static struct l2cap_ops l2cap_chan_ops = {
1381 .name = "L2CAP Socket Interface",
1382 .new_connection = l2cap_sock_new_connection_cb,
1383 .recv = l2cap_sock_recv_cb,
1384 .close = l2cap_sock_close_cb,
1385 .teardown = l2cap_sock_teardown_cb,
1386 .state_change = l2cap_sock_state_change_cb,
1387 .ready = l2cap_sock_ready_cb,
1388 .defer = l2cap_sock_defer_cb,
1389 .resume = l2cap_sock_resume_cb,
1390 .suspend = l2cap_sock_suspend_cb,
1391 .set_shutdown = l2cap_sock_set_shutdown_cb,
1392 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1393 .alloc_skb = l2cap_sock_alloc_skb_cb,
1394};
1395
1396static void l2cap_sock_destruct(struct sock *sk)
1397{
1398 BT_DBG("sk %p", sk);
1399
1400 if (l2cap_pi(sk)->chan)
1401 l2cap_chan_put(l2cap_pi(sk)->chan);
1402
1403 if (l2cap_pi(sk)->rx_busy_skb) {
1404 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1405 l2cap_pi(sk)->rx_busy_skb = NULL;
1406 }
1407
1408 skb_queue_purge(&sk->sk_receive_queue);
1409 skb_queue_purge(&sk->sk_write_queue);
1410}
1411
1412static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1413 int *msg_namelen)
1414{
1415 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1416
1417 memset(la, 0, sizeof(struct sockaddr_l2));
1418 la->l2_family = AF_BLUETOOTH;
1419 la->l2_psm = bt_cb(skb)->psm;
1420 bacpy(&la->l2_bdaddr, &bt_cb(skb)->bdaddr);
1421
1422 *msg_namelen = sizeof(struct sockaddr_l2);
1423}
1424
1425static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1426{
1427 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1428
1429 BT_DBG("sk %p", sk);
1430
1431 if (parent) {
1432 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1433
1434 sk->sk_type = parent->sk_type;
1435 bt_sk(sk)->flags = bt_sk(parent)->flags;
1436
1437 chan->chan_type = pchan->chan_type;
1438 chan->imtu = pchan->imtu;
1439 chan->omtu = pchan->omtu;
1440 chan->conf_state = pchan->conf_state;
1441 chan->mode = pchan->mode;
1442 chan->fcs = pchan->fcs;
1443 chan->max_tx = pchan->max_tx;
1444 chan->tx_win = pchan->tx_win;
1445 chan->tx_win_max = pchan->tx_win_max;
1446 chan->sec_level = pchan->sec_level;
1447 chan->flags = pchan->flags;
1448 chan->tx_credits = pchan->tx_credits;
1449 chan->rx_credits = pchan->rx_credits;
1450
1451 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1452 chan->scid = pchan->scid;
1453 chan->dcid = pchan->scid;
1454 }
1455
1456 security_sk_clone(parent, sk);
1457 } else {
1458 switch (sk->sk_type) {
1459 case SOCK_RAW:
1460 chan->chan_type = L2CAP_CHAN_RAW;
1461 break;
1462 case SOCK_DGRAM:
1463 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1464 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1465 break;
1466 case SOCK_SEQPACKET:
1467 case SOCK_STREAM:
1468 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1469 break;
1470 }
1471
1472 chan->imtu = L2CAP_DEFAULT_MTU;
1473 chan->omtu = 0;
1474 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1475 chan->mode = L2CAP_MODE_ERTM;
1476 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1477 } else {
1478 chan->mode = L2CAP_MODE_BASIC;
1479 }
1480
1481 l2cap_chan_set_defaults(chan);
1482 }
1483
1484 /* Default config options */
1485 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1486
1487 chan->data = sk;
1488 chan->ops = &l2cap_chan_ops;
1489}
1490
1491static struct proto l2cap_proto = {
1492 .name = "L2CAP",
1493 .owner = THIS_MODULE,
1494 .obj_size = sizeof(struct l2cap_pinfo)
1495};
1496
1497static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1498 int proto, gfp_t prio)
1499{
1500 struct sock *sk;
1501 struct l2cap_chan *chan;
1502
1503 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1504 if (!sk)
1505 return NULL;
1506
1507 sock_init_data(sock, sk);
1508 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1509
1510 sk->sk_destruct = l2cap_sock_destruct;
1511 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1512
1513 sock_reset_flag(sk, SOCK_ZAPPED);
1514
1515 sk->sk_protocol = proto;
1516 sk->sk_state = BT_OPEN;
1517
1518 chan = l2cap_chan_create();
1519 if (!chan) {
1520 sk_free(sk);
1521 return NULL;
1522 }
1523
1524 l2cap_chan_hold(chan);
1525
1526 l2cap_pi(sk)->chan = chan;
1527
1528 return sk;
1529}
1530
1531static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1532 int kern)
1533{
1534 struct sock *sk;
1535
1536 BT_DBG("sock %p", sock);
1537
1538 sock->state = SS_UNCONNECTED;
1539
1540 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1541 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1542 return -ESOCKTNOSUPPORT;
1543
1544 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1545 return -EPERM;
1546
1547 sock->ops = &l2cap_sock_ops;
1548
1549 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
1550 if (!sk)
1551 return -ENOMEM;
1552
1553 l2cap_sock_init(sk, NULL);
1554 bt_sock_link(&l2cap_sk_list, sk);
1555 return 0;
1556}
1557
1558static const struct proto_ops l2cap_sock_ops = {
1559 .family = PF_BLUETOOTH,
1560 .owner = THIS_MODULE,
1561 .release = l2cap_sock_release,
1562 .bind = l2cap_sock_bind,
1563 .connect = l2cap_sock_connect,
1564 .listen = l2cap_sock_listen,
1565 .accept = l2cap_sock_accept,
1566 .getname = l2cap_sock_getname,
1567 .sendmsg = l2cap_sock_sendmsg,
1568 .recvmsg = l2cap_sock_recvmsg,
1569 .poll = bt_sock_poll,
1570 .ioctl = bt_sock_ioctl,
1571 .mmap = sock_no_mmap,
1572 .socketpair = sock_no_socketpair,
1573 .shutdown = l2cap_sock_shutdown,
1574 .setsockopt = l2cap_sock_setsockopt,
1575 .getsockopt = l2cap_sock_getsockopt
1576};
1577
1578static const struct net_proto_family l2cap_sock_family_ops = {
1579 .family = PF_BLUETOOTH,
1580 .owner = THIS_MODULE,
1581 .create = l2cap_sock_create,
1582};
1583
1584int __init l2cap_init_sockets(void)
1585{
1586 int err;
1587
1588 err = proto_register(&l2cap_proto, 0);
1589 if (err < 0)
1590 return err;
1591
1592 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1593 if (err < 0) {
1594 BT_ERR("L2CAP socket registration failed");
1595 goto error;
1596 }
1597
1598 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1599 NULL);
1600 if (err < 0) {
1601 BT_ERR("Failed to create L2CAP proc file");
1602 bt_sock_unregister(BTPROTO_L2CAP);
1603 goto error;
1604 }
1605
1606 BT_INFO("L2CAP socket layer initialized");
1607
1608 return 0;
1609
1610error:
1611 proto_unregister(&l2cap_proto);
1612 return err;
1613}
1614
1615void l2cap_cleanup_sockets(void)
1616{
1617 bt_procfs_cleanup(&init_net, "l2cap");
1618 bt_sock_unregister(BTPROTO_L2CAP);
1619 proto_unregister(&l2cap_proto);
1620}