1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
26 */
27
28 /* Bluetooth L2CAP sockets. */
29
30 #include <linux/module.h>
31 #include <linux/export.h>
32 #include <linux/filter.h>
33 #include <linux/sched/signal.h>
34
35 #include <net/bluetooth/bluetooth.h>
36 #include <net/bluetooth/hci_core.h>
37 #include <net/bluetooth/l2cap.h>
38
39 #include "smp.h"
40
41 static struct bt_sock_list l2cap_sk_list = {
42 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
43 };
44
45 static const struct proto_ops l2cap_sock_ops;
46 static void l2cap_sock_init(struct sock *sk, struct sock *parent);
47 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
48 int proto, gfp_t prio, int kern);
49 static void l2cap_sock_cleanup_listen(struct sock *parent);
50
l2cap_is_socket(struct socket * sock)51 bool l2cap_is_socket(struct socket *sock)
52 {
53 return sock && sock->ops == &l2cap_sock_ops;
54 }
55 EXPORT_SYMBOL(l2cap_is_socket);
56
l2cap_validate_bredr_psm(u16 psm)57 static int l2cap_validate_bredr_psm(u16 psm)
58 {
59 /* PSM must be odd and lsb of upper byte must be 0 */
60 if ((psm & 0x0101) != 0x0001)
61 return -EINVAL;
62
63 /* Restrict usage of well-known PSMs */
64 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
65 return -EACCES;
66
67 return 0;
68 }
69
l2cap_validate_le_psm(u16 psm)70 static int l2cap_validate_le_psm(u16 psm)
71 {
72 /* Valid LE_PSM ranges are defined only until 0x00ff */
73 if (psm > L2CAP_PSM_LE_DYN_END)
74 return -EINVAL;
75
76 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
77 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
78 return -EACCES;
79
80 return 0;
81 }
82
l2cap_sock_bind(struct socket * sock,struct sockaddr_unsized * addr,int alen)83 static int l2cap_sock_bind(struct socket *sock, struct sockaddr_unsized *addr, int alen)
84 {
85 struct sock *sk = sock->sk;
86 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
87 struct sockaddr_l2 la;
88 int len, err = 0;
89
90 BT_DBG("sk %p", sk);
91
92 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
93 addr->sa_family != AF_BLUETOOTH)
94 return -EINVAL;
95
96 memset(&la, 0, sizeof(la));
97 len = min_t(unsigned int, sizeof(la), alen);
98 memcpy(&la, addr, len);
99
100 if (la.l2_cid && la.l2_psm)
101 return -EINVAL;
102
103 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
104 return -EINVAL;
105
106 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
107 /* We only allow ATT user space socket */
108 if (la.l2_cid &&
109 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
110 return -EINVAL;
111 }
112
113 lock_sock(sk);
114
115 if (sk->sk_state != BT_OPEN) {
116 err = -EBADFD;
117 goto done;
118 }
119
120 if (la.l2_psm) {
121 __u16 psm = __le16_to_cpu(la.l2_psm);
122
123 if (la.l2_bdaddr_type == BDADDR_BREDR)
124 err = l2cap_validate_bredr_psm(psm);
125 else
126 err = l2cap_validate_le_psm(psm);
127
128 if (err)
129 goto done;
130 }
131
132 bacpy(&chan->src, &la.l2_bdaddr);
133 chan->src_type = la.l2_bdaddr_type;
134
135 if (la.l2_cid)
136 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
137 else
138 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
139
140 if (err < 0)
141 goto done;
142
143 switch (chan->chan_type) {
144 case L2CAP_CHAN_CONN_LESS:
145 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
146 chan->sec_level = BT_SECURITY_SDP;
147 break;
148 case L2CAP_CHAN_CONN_ORIENTED:
149 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
150 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
151 chan->sec_level = BT_SECURITY_SDP;
152 break;
153 case L2CAP_CHAN_RAW:
154 chan->sec_level = BT_SECURITY_SDP;
155 break;
156 case L2CAP_CHAN_FIXED:
157 /* Fixed channels default to the L2CAP core not holding a
158 * hci_conn reference for them. For fixed channels mapping to
159 * L2CAP sockets we do want to hold a reference so set the
160 * appropriate flag to request it.
161 */
162 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
163 break;
164 }
165
166 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
167 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
168 */
169 if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
170 chan->mode != L2CAP_MODE_EXT_FLOWCTL)
171 chan->mode = L2CAP_MODE_LE_FLOWCTL;
172
173 chan->state = BT_BOUND;
174 sk->sk_state = BT_BOUND;
175
176 done:
177 release_sock(sk);
178 return err;
179 }
180
l2cap_sock_connect(struct socket * sock,struct sockaddr_unsized * addr,int alen,int flags)181 static int l2cap_sock_connect(struct socket *sock, struct sockaddr_unsized *addr,
182 int alen, int flags)
183 {
184 struct sock *sk = sock->sk;
185 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
186 struct sockaddr_l2 la;
187 int len, err = 0;
188 bool zapped;
189
190 BT_DBG("sk %p", sk);
191
192 lock_sock(sk);
193 zapped = sock_flag(sk, SOCK_ZAPPED);
194 release_sock(sk);
195
196 if (zapped)
197 return -EINVAL;
198
199 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
200 addr->sa_family != AF_BLUETOOTH)
201 return -EINVAL;
202
203 memset(&la, 0, sizeof(la));
204 len = min_t(unsigned int, sizeof(la), alen);
205 memcpy(&la, addr, len);
206
207 if (la.l2_cid && la.l2_psm)
208 return -EINVAL;
209
210 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
211 return -EINVAL;
212
213 /* Check that the socket wasn't bound to something that
214 * conflicts with the address given to connect(). If chan->src
215 * is BDADDR_ANY it means bind() was never used, in which case
216 * chan->src_type and la.l2_bdaddr_type do not need to match.
217 */
218 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
219 bdaddr_type_is_le(la.l2_bdaddr_type)) {
220 /* Old user space versions will try to incorrectly bind
221 * the ATT socket using BDADDR_BREDR. We need to accept
222 * this and fix up the source address type only when
223 * both the source CID and destination CID indicate
224 * ATT. Anything else is an invalid combination.
225 */
226 if (chan->scid != L2CAP_CID_ATT ||
227 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
228 return -EINVAL;
229
230 /* We don't have the hdev available here to make a
231 * better decision on random vs public, but since all
232 * user space versions that exhibit this issue anyway do
233 * not support random local addresses assuming public
234 * here is good enough.
235 */
236 chan->src_type = BDADDR_LE_PUBLIC;
237 }
238
239 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
240 return -EINVAL;
241
242 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
243 /* We only allow ATT user space socket */
244 if (la.l2_cid &&
245 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
246 return -EINVAL;
247 }
248
249 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
250 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
251 */
252 if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
253 chan->mode != L2CAP_MODE_EXT_FLOWCTL)
254 chan->mode = L2CAP_MODE_LE_FLOWCTL;
255
256 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
257 &la.l2_bdaddr, la.l2_bdaddr_type,
258 READ_ONCE(sk->sk_sndtimeo));
259 if (err)
260 return err;
261
262 lock_sock(sk);
263
264 err = bt_sock_wait_state(sk, BT_CONNECTED,
265 sock_sndtimeo(sk, flags & O_NONBLOCK));
266
267 release_sock(sk);
268
269 return err;
270 }
271
l2cap_sock_listen(struct socket * sock,int backlog)272 static int l2cap_sock_listen(struct socket *sock, int backlog)
273 {
274 struct sock *sk = sock->sk;
275 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
276 int err = 0;
277
278 BT_DBG("sk %p backlog %d", sk, backlog);
279
280 lock_sock(sk);
281
282 if (sk->sk_state != BT_BOUND) {
283 err = -EBADFD;
284 goto done;
285 }
286
287 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
288 err = -EINVAL;
289 goto done;
290 }
291
292 switch (chan->mode) {
293 case L2CAP_MODE_BASIC:
294 case L2CAP_MODE_LE_FLOWCTL:
295 break;
296 case L2CAP_MODE_EXT_FLOWCTL:
297 if (!enable_ecred) {
298 err = -EOPNOTSUPP;
299 goto done;
300 }
301 break;
302 case L2CAP_MODE_ERTM:
303 case L2CAP_MODE_STREAMING:
304 if (!disable_ertm)
305 break;
306 fallthrough;
307 default:
308 err = -EOPNOTSUPP;
309 goto done;
310 }
311
312 sk->sk_max_ack_backlog = backlog;
313 sk->sk_ack_backlog = 0;
314
315 /* Listening channels need to use nested locking in order not to
316 * cause lockdep warnings when the created child channels end up
317 * being locked in the same thread as the parent channel.
318 */
319 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
320
321 chan->state = BT_LISTEN;
322 sk->sk_state = BT_LISTEN;
323
324 done:
325 release_sock(sk);
326 return err;
327 }
328
l2cap_sock_accept(struct socket * sock,struct socket * newsock,struct proto_accept_arg * arg)329 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
330 struct proto_accept_arg *arg)
331 {
332 DEFINE_WAIT_FUNC(wait, woken_wake_function);
333 struct sock *sk = sock->sk, *nsk;
334 long timeo;
335 int err = 0;
336
337 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
338
339 timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK);
340
341 BT_DBG("sk %p timeo %ld", sk, timeo);
342
343 /* Wait for an incoming connection. (wake-one). */
344 add_wait_queue_exclusive(sk_sleep(sk), &wait);
345 while (1) {
346 if (sk->sk_state != BT_LISTEN) {
347 err = -EBADFD;
348 break;
349 }
350
351 nsk = bt_accept_dequeue(sk, newsock);
352 if (nsk) {
353 /* Drop the bridging ref from bt_accept_dequeue();
354 * the grafted socket keeps nsk alive from here.
355 */
356 sock_put(nsk);
357 break;
358 }
359
360 if (!timeo) {
361 err = -EAGAIN;
362 break;
363 }
364
365 if (signal_pending(current)) {
366 err = sock_intr_errno(timeo);
367 break;
368 }
369
370 release_sock(sk);
371
372 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
373
374 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
375 }
376 remove_wait_queue(sk_sleep(sk), &wait);
377
378 if (err)
379 goto done;
380
381 newsock->state = SS_CONNECTED;
382
383 BT_DBG("new socket %p", nsk);
384
385 done:
386 release_sock(sk);
387 return err;
388 }
389
l2cap_sock_getname(struct socket * sock,struct sockaddr * addr,int peer)390 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
391 int peer)
392 {
393 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
394 struct sock *sk = sock->sk;
395 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
396
397 BT_DBG("sock %p, sk %p", sock, sk);
398
399 if (peer && sk->sk_state != BT_CONNECTED &&
400 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
401 sk->sk_state != BT_CONFIG)
402 return -ENOTCONN;
403
404 memset(la, 0, sizeof(struct sockaddr_l2));
405 addr->sa_family = AF_BLUETOOTH;
406
407 la->l2_psm = chan->psm;
408
409 if (peer) {
410 bacpy(&la->l2_bdaddr, &chan->dst);
411 la->l2_cid = cpu_to_le16(chan->dcid);
412 la->l2_bdaddr_type = chan->dst_type;
413 } else {
414 bacpy(&la->l2_bdaddr, &chan->src);
415 la->l2_cid = cpu_to_le16(chan->scid);
416 la->l2_bdaddr_type = chan->src_type;
417 }
418
419 return sizeof(struct sockaddr_l2);
420 }
421
l2cap_get_mode(struct l2cap_chan * chan)422 static int l2cap_get_mode(struct l2cap_chan *chan)
423 {
424 switch (chan->mode) {
425 case L2CAP_MODE_BASIC:
426 return BT_MODE_BASIC;
427 case L2CAP_MODE_ERTM:
428 return BT_MODE_ERTM;
429 case L2CAP_MODE_STREAMING:
430 return BT_MODE_STREAMING;
431 case L2CAP_MODE_LE_FLOWCTL:
432 return BT_MODE_LE_FLOWCTL;
433 case L2CAP_MODE_EXT_FLOWCTL:
434 return BT_MODE_EXT_FLOWCTL;
435 }
436
437 return -EINVAL;
438 }
439
l2cap_sock_getsockopt_old(struct socket * sock,int optname,char __user * optval,int __user * optlen)440 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
441 char __user *optval, int __user *optlen)
442 {
443 struct sock *sk = sock->sk;
444 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
445 struct l2cap_options opts;
446 struct l2cap_conninfo cinfo;
447 int err = 0;
448 size_t len;
449 u32 opt;
450
451 BT_DBG("sk %p", sk);
452
453 if (get_user(len, optlen))
454 return -EFAULT;
455
456 lock_sock(sk);
457
458 switch (optname) {
459 case L2CAP_OPTIONS:
460 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
461 * legacy ATT code depends on getsockopt for
462 * L2CAP_OPTIONS we need to let this pass.
463 */
464 if (bdaddr_type_is_le(chan->src_type) &&
465 chan->scid != L2CAP_CID_ATT) {
466 err = -EINVAL;
467 break;
468 }
469
470 /* Only BR/EDR modes are supported here */
471 switch (chan->mode) {
472 case L2CAP_MODE_BASIC:
473 case L2CAP_MODE_ERTM:
474 case L2CAP_MODE_STREAMING:
475 break;
476 default:
477 err = -EINVAL;
478 break;
479 }
480
481 if (err < 0)
482 break;
483
484 memset(&opts, 0, sizeof(opts));
485 opts.imtu = chan->imtu;
486 opts.omtu = chan->omtu;
487 opts.flush_to = chan->flush_to;
488 opts.mode = chan->mode;
489 opts.fcs = chan->fcs;
490 opts.max_tx = chan->max_tx;
491 opts.txwin_size = chan->tx_win;
492
493 BT_DBG("mode 0x%2.2x", chan->mode);
494
495 len = min(len, sizeof(opts));
496 if (copy_to_user(optval, (char *) &opts, len))
497 err = -EFAULT;
498
499 break;
500
501 case L2CAP_LM:
502 switch (chan->sec_level) {
503 case BT_SECURITY_LOW:
504 opt = L2CAP_LM_AUTH;
505 break;
506 case BT_SECURITY_MEDIUM:
507 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
508 break;
509 case BT_SECURITY_HIGH:
510 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
511 L2CAP_LM_SECURE;
512 break;
513 case BT_SECURITY_FIPS:
514 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
515 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
516 break;
517 default:
518 opt = 0;
519 break;
520 }
521
522 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
523 opt |= L2CAP_LM_MASTER;
524
525 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
526 opt |= L2CAP_LM_RELIABLE;
527
528 if (put_user(opt, (u32 __user *) optval))
529 err = -EFAULT;
530
531 break;
532
533 case L2CAP_CONNINFO:
534 if (sk->sk_state != BT_CONNECTED &&
535 !(sk->sk_state == BT_CONNECT2 &&
536 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
537 err = -ENOTCONN;
538 break;
539 }
540
541 memset(&cinfo, 0, sizeof(cinfo));
542 cinfo.hci_handle = chan->conn->hcon->handle;
543 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
544
545 len = min(len, sizeof(cinfo));
546 if (copy_to_user(optval, (char *) &cinfo, len))
547 err = -EFAULT;
548
549 break;
550
551 default:
552 err = -ENOPROTOOPT;
553 break;
554 }
555
556 release_sock(sk);
557 return err;
558 }
559
l2cap_sock_getsockopt(struct socket * sock,int level,int optname,char __user * optval,int __user * optlen)560 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
561 char __user *optval, int __user *optlen)
562 {
563 struct sock *sk = sock->sk;
564 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
565 struct bt_security sec;
566 struct bt_power pwr;
567 u32 phys;
568 int len, mode, err = 0;
569
570 BT_DBG("sk %p", sk);
571
572 if (level == SOL_L2CAP)
573 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
574
575 if (level != SOL_BLUETOOTH)
576 return -ENOPROTOOPT;
577
578 if (get_user(len, optlen))
579 return -EFAULT;
580
581 lock_sock(sk);
582
583 switch (optname) {
584 case BT_SECURITY:
585 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
586 chan->chan_type != L2CAP_CHAN_FIXED &&
587 chan->chan_type != L2CAP_CHAN_RAW) {
588 err = -EINVAL;
589 break;
590 }
591
592 memset(&sec, 0, sizeof(sec));
593 if (chan->conn) {
594 sec.level = chan->conn->hcon->sec_level;
595
596 if (sk->sk_state == BT_CONNECTED)
597 sec.key_size = chan->conn->hcon->enc_key_size;
598 } else {
599 sec.level = chan->sec_level;
600 }
601
602 len = min_t(unsigned int, len, sizeof(sec));
603 if (copy_to_user(optval, (char *) &sec, len))
604 err = -EFAULT;
605
606 break;
607
608 case BT_DEFER_SETUP:
609 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
610 err = -EINVAL;
611 break;
612 }
613
614 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
615 (u32 __user *) optval))
616 err = -EFAULT;
617
618 break;
619
620 case BT_FLUSHABLE:
621 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
622 (u32 __user *) optval))
623 err = -EFAULT;
624
625 break;
626
627 case BT_POWER:
628 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
629 && sk->sk_type != SOCK_RAW) {
630 err = -EINVAL;
631 break;
632 }
633
634 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
635
636 len = min_t(unsigned int, len, sizeof(pwr));
637 if (copy_to_user(optval, (char *) &pwr, len))
638 err = -EFAULT;
639
640 break;
641
642 case BT_CHANNEL_POLICY:
643 if (put_user(chan->chan_policy, (u32 __user *) optval))
644 err = -EFAULT;
645 break;
646
647 case BT_SNDMTU:
648 if (!bdaddr_type_is_le(chan->src_type)) {
649 err = -EINVAL;
650 break;
651 }
652
653 if (sk->sk_state != BT_CONNECTED) {
654 err = -ENOTCONN;
655 break;
656 }
657
658 if (put_user(chan->omtu, (u16 __user *) optval))
659 err = -EFAULT;
660 break;
661
662 case BT_RCVMTU:
663 if (!bdaddr_type_is_le(chan->src_type)) {
664 err = -EINVAL;
665 break;
666 }
667
668 if (put_user(chan->imtu, (u16 __user *) optval))
669 err = -EFAULT;
670 break;
671
672 case BT_PHY:
673 if (sk->sk_state != BT_CONNECTED) {
674 err = -ENOTCONN;
675 break;
676 }
677
678 phys = hci_conn_get_phy(chan->conn->hcon);
679
680 if (put_user(phys, (u32 __user *) optval))
681 err = -EFAULT;
682 break;
683
684 case BT_MODE:
685 if (!enable_ecred) {
686 err = -ENOPROTOOPT;
687 break;
688 }
689
690 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
691 err = -EINVAL;
692 break;
693 }
694
695 mode = l2cap_get_mode(chan);
696 if (mode < 0) {
697 err = mode;
698 break;
699 }
700
701 if (put_user(mode, (u8 __user *) optval))
702 err = -EFAULT;
703 break;
704
705 default:
706 err = -ENOPROTOOPT;
707 break;
708 }
709
710 release_sock(sk);
711 return err;
712 }
713
l2cap_valid_mtu(struct l2cap_chan * chan,u16 mtu)714 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
715 {
716 switch (chan->scid) {
717 case L2CAP_CID_ATT:
718 if (mtu && mtu < L2CAP_LE_MIN_MTU)
719 return false;
720 break;
721
722 default:
723 if (mtu && mtu < L2CAP_DEFAULT_MIN_MTU)
724 return false;
725 }
726
727 return true;
728 }
729
l2cap_sock_setsockopt_old(struct socket * sock,int optname,sockptr_t optval,unsigned int optlen)730 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
731 sockptr_t optval, unsigned int optlen)
732 {
733 struct sock *sk = sock->sk;
734 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
735 struct l2cap_options opts;
736 int err = 0;
737 u32 opt;
738
739 BT_DBG("sk %p", sk);
740
741 lock_sock(sk);
742
743 switch (optname) {
744 case L2CAP_OPTIONS:
745 if (bdaddr_type_is_le(chan->src_type)) {
746 err = -EINVAL;
747 break;
748 }
749
750 if (sk->sk_state == BT_CONNECTED) {
751 err = -EINVAL;
752 break;
753 }
754
755 opts.imtu = chan->imtu;
756 opts.omtu = chan->omtu;
757 opts.flush_to = chan->flush_to;
758 opts.mode = chan->mode;
759 opts.fcs = chan->fcs;
760 opts.max_tx = chan->max_tx;
761 opts.txwin_size = chan->tx_win;
762
763 err = copy_safe_from_sockptr(&opts, sizeof(opts), optval,
764 optlen);
765 if (err)
766 break;
767
768 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
769 err = -EINVAL;
770 break;
771 }
772
773 if (!l2cap_valid_mtu(chan, opts.imtu)) {
774 err = -EINVAL;
775 break;
776 }
777
778 /* Only BR/EDR modes are supported here */
779 switch (opts.mode) {
780 case L2CAP_MODE_BASIC:
781 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
782 break;
783 case L2CAP_MODE_ERTM:
784 case L2CAP_MODE_STREAMING:
785 if (!disable_ertm)
786 break;
787 fallthrough;
788 default:
789 err = -EINVAL;
790 break;
791 }
792
793 if (err < 0)
794 break;
795
796 chan->mode = opts.mode;
797
798 BT_DBG("mode 0x%2.2x", chan->mode);
799
800 chan->imtu = opts.imtu;
801 chan->omtu = opts.omtu;
802 chan->fcs = opts.fcs;
803 chan->max_tx = opts.max_tx;
804 chan->tx_win = opts.txwin_size;
805 chan->flush_to = opts.flush_to;
806 break;
807
808 case L2CAP_LM:
809 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
810 if (err)
811 break;
812
813 if (opt & L2CAP_LM_FIPS) {
814 err = -EINVAL;
815 break;
816 }
817
818 if (opt & L2CAP_LM_AUTH)
819 chan->sec_level = BT_SECURITY_LOW;
820 if (opt & L2CAP_LM_ENCRYPT)
821 chan->sec_level = BT_SECURITY_MEDIUM;
822 if (opt & L2CAP_LM_SECURE)
823 chan->sec_level = BT_SECURITY_HIGH;
824
825 if (opt & L2CAP_LM_MASTER)
826 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
827 else
828 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
829
830 if (opt & L2CAP_LM_RELIABLE)
831 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
832 else
833 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
834 break;
835
836 default:
837 err = -ENOPROTOOPT;
838 break;
839 }
840
841 release_sock(sk);
842 return err;
843 }
844
l2cap_set_mode(struct l2cap_chan * chan,u8 mode)845 static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode)
846 {
847 switch (mode) {
848 case BT_MODE_BASIC:
849 if (bdaddr_type_is_le(chan->src_type))
850 return -EINVAL;
851 mode = L2CAP_MODE_BASIC;
852 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
853 break;
854 case BT_MODE_ERTM:
855 if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
856 return -EINVAL;
857 mode = L2CAP_MODE_ERTM;
858 break;
859 case BT_MODE_STREAMING:
860 if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
861 return -EINVAL;
862 mode = L2CAP_MODE_STREAMING;
863 break;
864 case BT_MODE_LE_FLOWCTL:
865 if (!bdaddr_type_is_le(chan->src_type))
866 return -EINVAL;
867 mode = L2CAP_MODE_LE_FLOWCTL;
868 break;
869 case BT_MODE_EXT_FLOWCTL:
870 /* TODO: Add support for ECRED PDUs to BR/EDR */
871 if (!bdaddr_type_is_le(chan->src_type))
872 return -EINVAL;
873 mode = L2CAP_MODE_EXT_FLOWCTL;
874 break;
875 default:
876 return -EINVAL;
877 }
878
879 chan->mode = mode;
880
881 return 0;
882 }
883
l2cap_sock_setsockopt(struct socket * sock,int level,int optname,sockptr_t optval,unsigned int optlen)884 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
885 sockptr_t optval, unsigned int optlen)
886 {
887 struct sock *sk = sock->sk;
888 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
889 struct bt_security sec;
890 struct bt_power pwr;
891 struct l2cap_conn *conn;
892 int err = 0;
893 u32 opt, phys;
894 u16 mtu;
895 u8 mode;
896
897 BT_DBG("sk %p", sk);
898
899 if (level == SOL_L2CAP)
900 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
901
902 if (level != SOL_BLUETOOTH)
903 return -ENOPROTOOPT;
904
905 lock_sock(sk);
906
907 switch (optname) {
908 case BT_SECURITY:
909 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
910 chan->chan_type != L2CAP_CHAN_FIXED &&
911 chan->chan_type != L2CAP_CHAN_RAW) {
912 err = -EINVAL;
913 break;
914 }
915
916 sec.level = BT_SECURITY_LOW;
917
918 err = copy_safe_from_sockptr(&sec, sizeof(sec), optval, optlen);
919 if (err)
920 break;
921
922 if (sec.level < BT_SECURITY_LOW ||
923 sec.level > BT_SECURITY_FIPS) {
924 err = -EINVAL;
925 break;
926 }
927
928 chan->sec_level = sec.level;
929
930 if (!chan->conn)
931 break;
932
933 conn = chan->conn;
934
935 /* change security for LE channels */
936 if (chan->scid == L2CAP_CID_ATT) {
937 if (smp_conn_security(conn->hcon, sec.level)) {
938 err = -EINVAL;
939 break;
940 }
941
942 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
943 sk->sk_state = BT_CONFIG;
944 chan->state = BT_CONFIG;
945
946 /* or for ACL link */
947 } else if ((sk->sk_state == BT_CONNECT2 &&
948 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
949 sk->sk_state == BT_CONNECTED) {
950 if (!l2cap_chan_check_security(chan, true))
951 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
952 else
953 sk->sk_state_change(sk);
954 } else {
955 err = -EINVAL;
956 }
957 break;
958
959 case BT_DEFER_SETUP:
960 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
961 err = -EINVAL;
962 break;
963 }
964
965 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
966 if (err)
967 break;
968
969 if (opt) {
970 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
971 set_bit(FLAG_DEFER_SETUP, &chan->flags);
972 } else {
973 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
974 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
975 }
976 break;
977
978 case BT_FLUSHABLE:
979 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
980 if (err)
981 break;
982
983 if (opt > BT_FLUSHABLE_ON) {
984 err = -EINVAL;
985 break;
986 }
987
988 if (opt == BT_FLUSHABLE_OFF) {
989 conn = chan->conn;
990 /* proceed further only when we have l2cap_conn and
991 No Flush support in the LM */
992 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
993 err = -EINVAL;
994 break;
995 }
996 }
997
998 if (opt)
999 set_bit(FLAG_FLUSHABLE, &chan->flags);
1000 else
1001 clear_bit(FLAG_FLUSHABLE, &chan->flags);
1002 break;
1003
1004 case BT_POWER:
1005 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
1006 chan->chan_type != L2CAP_CHAN_RAW) {
1007 err = -EINVAL;
1008 break;
1009 }
1010
1011 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
1012
1013 err = copy_safe_from_sockptr(&pwr, sizeof(pwr), optval, optlen);
1014 if (err)
1015 break;
1016
1017 if (pwr.force_active)
1018 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1019 else
1020 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1021 break;
1022
1023 case BT_CHANNEL_POLICY:
1024 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
1025 if (err)
1026 break;
1027
1028 err = -EOPNOTSUPP;
1029 break;
1030
1031 case BT_SNDMTU:
1032 if (!bdaddr_type_is_le(chan->src_type)) {
1033 err = -EINVAL;
1034 break;
1035 }
1036
1037 /* Only allow setting output MTU when not connected */
1038 if (sk->sk_state == BT_CONNECTED) {
1039 err = -EISCONN;
1040 break;
1041 }
1042
1043 err = copy_safe_from_sockptr(&mtu, sizeof(mtu), optval, optlen);
1044 if (err)
1045 break;
1046
1047 chan->omtu = mtu;
1048 break;
1049
1050 case BT_RCVMTU:
1051 if (!bdaddr_type_is_le(chan->src_type)) {
1052 err = -EINVAL;
1053 break;
1054 }
1055
1056 if (chan->mode == L2CAP_MODE_LE_FLOWCTL &&
1057 sk->sk_state == BT_CONNECTED) {
1058 err = -EISCONN;
1059 break;
1060 }
1061
1062 err = copy_safe_from_sockptr(&mtu, sizeof(mtu), optval, optlen);
1063 if (err)
1064 break;
1065
1066 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
1067 sk->sk_state == BT_CONNECTED)
1068 err = l2cap_chan_reconfigure(chan, mtu);
1069 else
1070 chan->imtu = mtu;
1071
1072 break;
1073
1074 case BT_PHY:
1075 if (sk->sk_state != BT_CONNECTED) {
1076 err = -ENOTCONN;
1077 break;
1078 }
1079
1080 err = copy_safe_from_sockptr(&phys, sizeof(phys), optval,
1081 optlen);
1082 if (err)
1083 break;
1084
1085 if (!chan->conn)
1086 break;
1087
1088 conn = chan->conn;
1089 err = hci_conn_set_phy(conn->hcon, phys);
1090 break;
1091
1092 case BT_MODE:
1093 if (!enable_ecred) {
1094 err = -ENOPROTOOPT;
1095 break;
1096 }
1097
1098 BT_DBG("sk->sk_state %u", sk->sk_state);
1099
1100 if (sk->sk_state != BT_BOUND) {
1101 err = -EINVAL;
1102 break;
1103 }
1104
1105 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1106 err = -EINVAL;
1107 break;
1108 }
1109
1110 err = copy_safe_from_sockptr(&mode, sizeof(mode), optval,
1111 optlen);
1112 if (err)
1113 break;
1114
1115 BT_DBG("mode %u", mode);
1116
1117 err = l2cap_set_mode(chan, mode);
1118 if (err)
1119 break;
1120
1121 BT_DBG("mode 0x%2.2x", chan->mode);
1122
1123 break;
1124
1125 default:
1126 err = -ENOPROTOOPT;
1127 break;
1128 }
1129
1130 release_sock(sk);
1131 return err;
1132 }
1133
l2cap_sock_sendmsg(struct socket * sock,struct msghdr * msg,size_t len)1134 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1135 size_t len)
1136 {
1137 struct sock *sk = sock->sk;
1138 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1139 struct sockcm_cookie sockc;
1140 int err;
1141
1142 BT_DBG("sock %p, sk %p", sock, sk);
1143
1144 err = sock_error(sk);
1145 if (err)
1146 return err;
1147
1148 if (msg->msg_flags & MSG_OOB)
1149 return -EOPNOTSUPP;
1150
1151 if (sk->sk_state != BT_CONNECTED)
1152 return -ENOTCONN;
1153
1154 hci_sockcm_init(&sockc, sk);
1155
1156 if (msg->msg_controllen) {
1157 err = sock_cmsg_send(sk, msg, &sockc);
1158 if (err)
1159 return err;
1160 }
1161
1162 lock_sock(sk);
1163 err = bt_sock_wait_ready(sk, msg->msg_flags);
1164 release_sock(sk);
1165 if (err)
1166 return err;
1167
1168 l2cap_chan_lock(chan);
1169 err = l2cap_chan_send(chan, msg, len, &sockc);
1170 l2cap_chan_unlock(chan);
1171
1172 return err;
1173 }
1174
l2cap_publish_rx_avail(struct l2cap_chan * chan)1175 static void l2cap_publish_rx_avail(struct l2cap_chan *chan)
1176 {
1177 struct sock *sk = chan->data;
1178 ssize_t avail = sk->sk_rcvbuf - atomic_read(&sk->sk_rmem_alloc);
1179 int expected_skbs, skb_overhead;
1180
1181 if (avail <= 0) {
1182 l2cap_chan_rx_avail(chan, 0);
1183 return;
1184 }
1185
1186 if (!chan->mps) {
1187 l2cap_chan_rx_avail(chan, -1);
1188 return;
1189 }
1190
1191 /* Correct available memory by estimated sk_buff overhead.
1192 * This is significant due to small transfer sizes. However, accept
1193 * at least one full packet if receive space is non-zero.
1194 */
1195 expected_skbs = DIV_ROUND_UP(avail, chan->mps);
1196 skb_overhead = expected_skbs * sizeof(struct sk_buff);
1197 if (skb_overhead < avail)
1198 l2cap_chan_rx_avail(chan, avail - skb_overhead);
1199 else
1200 l2cap_chan_rx_avail(chan, -1);
1201 }
1202
l2cap_sock_recvmsg(struct socket * sock,struct msghdr * msg,size_t len,int flags)1203 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1204 size_t len, int flags)
1205 {
1206 struct sock *sk = sock->sk;
1207 struct l2cap_pinfo *pi = l2cap_pi(sk);
1208 int err;
1209
1210 if (unlikely(flags & MSG_ERRQUEUE))
1211 return sock_recv_errqueue(sk, msg, len, SOL_BLUETOOTH,
1212 BT_SCM_ERROR);
1213
1214 lock_sock(sk);
1215
1216 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
1217 &bt_sk(sk)->flags)) {
1218 if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
1219 sk->sk_state = BT_CONNECTED;
1220 pi->chan->state = BT_CONNECTED;
1221 __l2cap_ecred_conn_rsp_defer(pi->chan);
1222 } else if (bdaddr_type_is_le(pi->chan->src_type)) {
1223 sk->sk_state = BT_CONNECTED;
1224 pi->chan->state = BT_CONNECTED;
1225 __l2cap_le_connect_rsp_defer(pi->chan);
1226 } else {
1227 sk->sk_state = BT_CONFIG;
1228 pi->chan->state = BT_CONFIG;
1229 __l2cap_connect_rsp_defer(pi->chan);
1230 }
1231
1232 err = 0;
1233 goto done;
1234 }
1235
1236 release_sock(sk);
1237
1238 if (sock->type == SOCK_STREAM)
1239 err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1240 else
1241 err = bt_sock_recvmsg(sock, msg, len, flags);
1242
1243 if (pi->chan->mode != L2CAP_MODE_ERTM &&
1244 pi->chan->mode != L2CAP_MODE_LE_FLOWCTL &&
1245 pi->chan->mode != L2CAP_MODE_EXT_FLOWCTL)
1246 return err;
1247
1248 lock_sock(sk);
1249
1250 l2cap_publish_rx_avail(pi->chan);
1251
1252 /* Attempt to put pending rx data in the socket buffer */
1253 while (!list_empty(&pi->rx_busy)) {
1254 struct l2cap_rx_busy *rx_busy =
1255 list_first_entry(&pi->rx_busy,
1256 struct l2cap_rx_busy,
1257 list);
1258 if (__sock_queue_rcv_skb(sk, rx_busy->skb) < 0)
1259 goto done;
1260 list_del(&rx_busy->list);
1261 kfree(rx_busy);
1262 }
1263
1264 /* Restore data flow when half of the receive buffer is
1265 * available. This avoids resending large numbers of
1266 * frames.
1267 */
1268 if (test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state) &&
1269 atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1270 l2cap_chan_busy(pi->chan, 0);
1271
1272 done:
1273 release_sock(sk);
1274 return err;
1275 }
1276
1277 /* Kill socket (only if zapped and orphan)
1278 * Must be called on unlocked socket, with l2cap channel lock.
1279 */
l2cap_sock_kill(struct sock * sk)1280 static void l2cap_sock_kill(struct sock *sk)
1281 {
1282 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1283 return;
1284
1285 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1286
1287 /* Sock is dead, so set chan data to NULL, avoid other task use invalid
1288 * sock pointer.
1289 */
1290 l2cap_pi(sk)->chan->data = NULL;
1291 /* Kill poor orphan */
1292
1293 l2cap_chan_put(l2cap_pi(sk)->chan);
1294 sock_set_flag(sk, SOCK_DEAD);
1295 sock_put(sk);
1296 }
1297
__l2cap_wait_ack(struct sock * sk,struct l2cap_chan * chan)1298 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1299 {
1300 DECLARE_WAITQUEUE(wait, current);
1301 int err = 0;
1302 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1303 /* Timeout to prevent infinite loop */
1304 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1305
1306 add_wait_queue(sk_sleep(sk), &wait);
1307 set_current_state(TASK_INTERRUPTIBLE);
1308 do {
1309 BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1310 chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1311 jiffies_to_msecs(timeout - jiffies));
1312
1313 if (!timeo)
1314 timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1315
1316 if (signal_pending(current)) {
1317 err = sock_intr_errno(timeo);
1318 break;
1319 }
1320
1321 release_sock(sk);
1322 timeo = schedule_timeout(timeo);
1323 lock_sock(sk);
1324 set_current_state(TASK_INTERRUPTIBLE);
1325
1326 err = sock_error(sk);
1327 if (err)
1328 break;
1329
1330 if (time_after(jiffies, timeout)) {
1331 err = -ENOLINK;
1332 break;
1333 }
1334
1335 } while (chan->unacked_frames > 0 &&
1336 chan->state == BT_CONNECTED);
1337
1338 set_current_state(TASK_RUNNING);
1339 remove_wait_queue(sk_sleep(sk), &wait);
1340 return err;
1341 }
1342
l2cap_sock_shutdown(struct socket * sock,int how)1343 static int l2cap_sock_shutdown(struct socket *sock, int how)
1344 {
1345 struct sock *sk = sock->sk;
1346 struct l2cap_chan *chan;
1347 struct l2cap_conn *conn;
1348 int err = 0;
1349
1350 BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1351
1352 /* 'how' parameter is mapped to sk_shutdown as follows:
1353 * SHUT_RD (0) --> RCV_SHUTDOWN (1)
1354 * SHUT_WR (1) --> SEND_SHUTDOWN (2)
1355 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3)
1356 */
1357 how++;
1358
1359 if (!sk)
1360 return 0;
1361
1362 lock_sock(sk);
1363
1364 if ((sk->sk_shutdown & how) == how)
1365 goto shutdown_already;
1366
1367 BT_DBG("Handling sock shutdown");
1368
1369 /* prevent sk structure from being freed whilst unlocked */
1370 sock_hold(sk);
1371
1372 /* prevent chan structure from being freed whilst unlocked */
1373 chan = l2cap_chan_hold_unless_zero(l2cap_pi(sk)->chan);
1374 if (!chan)
1375 goto shutdown_already;
1376
1377 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1378
1379 if (chan->mode == L2CAP_MODE_ERTM &&
1380 chan->unacked_frames > 0 &&
1381 chan->state == BT_CONNECTED) {
1382 err = __l2cap_wait_ack(sk, chan);
1383
1384 /* After waiting for ACKs, check whether shutdown
1385 * has already been actioned to close the L2CAP
1386 * link such as by l2cap_disconnection_req().
1387 */
1388 if ((sk->sk_shutdown & how) == how)
1389 goto shutdown_matched;
1390 }
1391
1392 /* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN
1393 * is already set
1394 */
1395 if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) {
1396 sk->sk_shutdown |= RCV_SHUTDOWN;
1397 if ((sk->sk_shutdown & how) == how)
1398 goto shutdown_matched;
1399 }
1400
1401 sk->sk_shutdown |= SEND_SHUTDOWN;
1402 release_sock(sk);
1403
1404 l2cap_chan_lock(chan);
1405 /* prevent conn structure from being freed */
1406 conn = l2cap_conn_hold_unless_zero(chan->conn);
1407 l2cap_chan_unlock(chan);
1408
1409 if (conn)
1410 /* mutex lock must be taken before l2cap_chan_lock() */
1411 mutex_lock(&conn->lock);
1412
1413 l2cap_chan_lock(chan);
1414 l2cap_chan_close(chan, 0);
1415 l2cap_chan_unlock(chan);
1416
1417 if (conn) {
1418 mutex_unlock(&conn->lock);
1419 l2cap_conn_put(conn);
1420 }
1421
1422 lock_sock(sk);
1423
1424 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1425 !(current->flags & PF_EXITING))
1426 err = bt_sock_wait_state(sk, BT_CLOSED,
1427 sk->sk_lingertime);
1428
1429 shutdown_matched:
1430 l2cap_chan_put(chan);
1431 sock_put(sk);
1432
1433 shutdown_already:
1434 if (!err && sk->sk_err)
1435 err = -sk->sk_err;
1436
1437 release_sock(sk);
1438
1439 BT_DBG("Sock shutdown complete err: %d", err);
1440
1441 return err;
1442 }
1443
l2cap_sock_release(struct socket * sock)1444 static int l2cap_sock_release(struct socket *sock)
1445 {
1446 struct sock *sk = sock->sk;
1447 int err;
1448 struct l2cap_chan *chan;
1449
1450 BT_DBG("sock %p, sk %p", sock, sk);
1451
1452 if (!sk)
1453 return 0;
1454
1455 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
1456 l2cap_sock_cleanup_listen(sk);
1457 release_sock(sk);
1458
1459 bt_sock_unlink(&l2cap_sk_list, sk);
1460
1461 err = l2cap_sock_shutdown(sock, SHUT_RDWR);
1462 chan = l2cap_pi(sk)->chan;
1463
1464 l2cap_chan_hold(chan);
1465 l2cap_chan_lock(chan);
1466
1467 sock_orphan(sk);
1468 l2cap_sock_kill(sk);
1469
1470 l2cap_chan_unlock(chan);
1471 l2cap_chan_put(chan);
1472
1473 return err;
1474 }
1475
l2cap_sock_cleanup_listen(struct sock * parent)1476 static void l2cap_sock_cleanup_listen(struct sock *parent)
1477 {
1478 struct sock *sk;
1479
1480 BT_DBG("parent %p state %s", parent,
1481 state_to_string(parent->sk_state));
1482
1483 /* Close not yet accepted channels.
1484 *
1485 * bt_accept_dequeue() now returns sk with an extra reference held
1486 * (taken while sk was still locked) so a concurrent l2cap_conn_del()
1487 * -> l2cap_sock_kill() cannot free sk under us.
1488 *
1489 * cleanup_listen() runs under the parent sk lock, so unlike
1490 * l2cap_sock_shutdown() we must NOT take conn->lock here: that would
1491 * establish sk_lock -> conn->lock and invert the established
1492 * conn->lock -> chan->lock -> sk_lock order (lockdep deadlock).
1493 *
1494 * Instead, briefly take the child sk lock to fetch and pin its chan.
1495 * l2cap_conn_del() reaches the chan free only via
1496 * l2cap_chan_del() -> l2cap_sock_teardown_cb(), which itself takes
1497 * the child sk lock; holding it across l2cap_chan_hold_unless_zero()
1498 * therefore guarantees the chan cannot be freed while we read and
1499 * pin it (hold_unless_zero() additionally skips a chan already past
1500 * its last reference). We then drop the sk lock before taking
1501 * chan->lock, so sk and chan locks are never held together.
1502 */
1503 while ((sk = bt_accept_dequeue(parent, NULL))) {
1504 struct l2cap_chan *chan;
1505
1506 lock_sock_nested(sk, L2CAP_NESTING_NORMAL);
1507 chan = l2cap_chan_hold_unless_zero(l2cap_pi(sk)->chan);
1508 release_sock(sk);
1509 if (!chan) {
1510 /* l2cap_conn_del() already tearing this child down */
1511 sock_put(sk);
1512 continue;
1513 }
1514
1515 BT_DBG("child chan %p state %s", chan,
1516 state_to_string(chan->state));
1517
1518 l2cap_chan_lock(chan);
1519 __clear_chan_timer(chan);
1520 l2cap_chan_close(chan, ECONNRESET);
1521 /* l2cap_conn_del() may already have killed this socket
1522 * (it sets SOCK_DEAD); skip the duplicate to avoid a
1523 * double sock_put()/l2cap_chan_put().
1524 */
1525 if (!sock_flag(sk, SOCK_DEAD))
1526 l2cap_sock_kill(sk);
1527 l2cap_chan_unlock(chan);
1528
1529 l2cap_chan_put(chan);
1530 sock_put(sk);
1531 }
1532 }
1533
l2cap_sock_new_connection_cb(struct l2cap_chan * chan)1534 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1535 {
1536 struct sock *sk, *parent = chan->data;
1537
1538 if (!parent)
1539 return NULL;
1540
1541 lock_sock(parent);
1542
1543 /* Check for backlog size */
1544 if (sk_acceptq_is_full(parent)) {
1545 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1546 release_sock(parent);
1547 return NULL;
1548 }
1549
1550 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1551 GFP_ATOMIC, 0);
1552 if (!sk) {
1553 release_sock(parent);
1554 return NULL;
1555 }
1556
1557 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1558
1559 l2cap_sock_init(sk, parent);
1560
1561 bt_accept_enqueue(parent, sk, false);
1562
1563 release_sock(parent);
1564
1565 return l2cap_pi(sk)->chan;
1566 }
1567
l2cap_sock_recv_cb(struct l2cap_chan * chan,struct sk_buff * skb)1568 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1569 {
1570 struct sock *sk;
1571 struct l2cap_pinfo *pi;
1572 int err;
1573
1574 sk = chan->data;
1575 if (!sk)
1576 return -ENXIO;
1577
1578 pi = l2cap_pi(sk);
1579 lock_sock(sk);
1580 if (chan->mode == L2CAP_MODE_ERTM && !list_empty(&pi->rx_busy)) {
1581 err = -ENOMEM;
1582 goto done;
1583 }
1584
1585 if (chan->mode != L2CAP_MODE_ERTM &&
1586 chan->mode != L2CAP_MODE_STREAMING &&
1587 chan->mode != L2CAP_MODE_LE_FLOWCTL &&
1588 chan->mode != L2CAP_MODE_EXT_FLOWCTL) {
1589 /* Even if no filter is attached, we could potentially
1590 * get errors from security modules, etc.
1591 */
1592 err = sk_filter(sk, skb);
1593 if (err)
1594 goto done;
1595 }
1596
1597 err = __sock_queue_rcv_skb(sk, skb);
1598
1599 l2cap_publish_rx_avail(chan);
1600
1601 /* For ERTM and LE, handle a skb that doesn't fit into the recv
1602 * buffer. This is important to do because the data frames
1603 * have already been acked, so the skb cannot be discarded.
1604 *
1605 * Notify the l2cap core that the buffer is full, so the
1606 * LOCAL_BUSY state is entered and no more frames are
1607 * acked and reassembled until there is buffer space
1608 * available.
1609 */
1610 if (err < 0 &&
1611 (chan->mode == L2CAP_MODE_ERTM ||
1612 chan->mode == L2CAP_MODE_LE_FLOWCTL ||
1613 chan->mode == L2CAP_MODE_EXT_FLOWCTL)) {
1614 struct l2cap_rx_busy *rx_busy = kmalloc_obj(*rx_busy);
1615 if (!rx_busy) {
1616 err = -ENOMEM;
1617 goto done;
1618 }
1619 rx_busy->skb = skb;
1620 list_add_tail(&rx_busy->list, &pi->rx_busy);
1621 l2cap_chan_busy(chan, 1);
1622 err = 0;
1623 }
1624
1625 done:
1626 release_sock(sk);
1627
1628 return err;
1629 }
1630
l2cap_sock_close_cb(struct l2cap_chan * chan)1631 static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1632 {
1633 struct sock *sk = chan->data;
1634
1635 if (!sk)
1636 return;
1637
1638 l2cap_sock_kill(sk);
1639 }
1640
l2cap_sock_teardown_cb(struct l2cap_chan * chan,int err)1641 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1642 {
1643 struct sock *sk = chan->data;
1644 struct sock *parent;
1645
1646 if (!sk)
1647 return;
1648
1649 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1650
1651 /* This callback can be called both for server (BT_LISTEN)
1652 * sockets as well as "normal" ones. To avoid lockdep warnings
1653 * with child socket locking (through l2cap_sock_cleanup_listen)
1654 * we need separation into separate nesting levels. The simplest
1655 * way to accomplish this is to inherit the nesting level used
1656 * for the channel.
1657 */
1658 lock_sock_nested(sk, atomic_read(&chan->nesting));
1659
1660 parent = bt_sk(sk)->parent;
1661
1662 switch (chan->state) {
1663 case BT_OPEN:
1664 case BT_BOUND:
1665 case BT_CLOSED:
1666 break;
1667 case BT_LISTEN:
1668 l2cap_sock_cleanup_listen(sk);
1669 sk->sk_state = BT_CLOSED;
1670 chan->state = BT_CLOSED;
1671
1672 break;
1673 default:
1674 sk->sk_state = BT_CLOSED;
1675 chan->state = BT_CLOSED;
1676
1677 sk->sk_err = err;
1678
1679 if (parent) {
1680 bt_accept_unlink(sk);
1681 parent->sk_data_ready(parent);
1682 } else {
1683 sk->sk_state_change(sk);
1684 }
1685
1686 break;
1687 }
1688 release_sock(sk);
1689
1690 /* Only zap after cleanup to avoid use after free race */
1691 sock_set_flag(sk, SOCK_ZAPPED);
1692
1693 }
1694
l2cap_sock_state_change_cb(struct l2cap_chan * chan,int state,int err)1695 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1696 int err)
1697 {
1698 struct sock *sk = chan->data;
1699
1700 if (!sk)
1701 return;
1702
1703 sk->sk_state = state;
1704
1705 if (err)
1706 sk->sk_err = err;
1707 }
1708
l2cap_sock_alloc_skb_cb(struct l2cap_chan * chan,unsigned long hdr_len,unsigned long len,int nb)1709 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1710 unsigned long hdr_len,
1711 unsigned long len, int nb)
1712 {
1713 struct sock *sk = chan->data;
1714 struct sk_buff *skb;
1715 int err;
1716
1717 l2cap_chan_unlock(chan);
1718 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1719 l2cap_chan_lock(chan);
1720
1721 if (!skb)
1722 return ERR_PTR(err);
1723
1724 /* Channel lock is released before requesting new skb and then
1725 * reacquired thus we need to recheck channel state.
1726 */
1727 if (chan->state != BT_CONNECTED) {
1728 kfree_skb(skb);
1729 return ERR_PTR(-ENOTCONN);
1730 }
1731
1732 skb->priority = READ_ONCE(sk->sk_priority);
1733
1734 bt_cb(skb)->l2cap.chan = chan;
1735
1736 return skb;
1737 }
1738
l2cap_sock_ready_cb(struct l2cap_chan * chan)1739 static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1740 {
1741 struct sock *sk = chan->data;
1742 struct sock *parent;
1743
1744 if (!sk)
1745 return;
1746
1747 lock_sock(sk);
1748
1749 parent = bt_sk(sk)->parent;
1750
1751 BT_DBG("sk %p, parent %p", sk, parent);
1752
1753 sk->sk_state = BT_CONNECTED;
1754 sk->sk_state_change(sk);
1755
1756 if (parent)
1757 parent->sk_data_ready(parent);
1758
1759 release_sock(sk);
1760 }
1761
l2cap_sock_defer_cb(struct l2cap_chan * chan)1762 static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1763 {
1764 struct sock *parent, *sk = chan->data;
1765
1766 lock_sock(sk);
1767
1768 parent = bt_sk(sk)->parent;
1769 if (parent)
1770 parent->sk_data_ready(parent);
1771
1772 release_sock(sk);
1773 }
1774
l2cap_sock_resume_cb(struct l2cap_chan * chan)1775 static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1776 {
1777 struct sock *sk = chan->data;
1778
1779 if (!sk)
1780 return;
1781
1782 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1783 sk->sk_state = BT_CONNECTED;
1784 chan->state = BT_CONNECTED;
1785 }
1786
1787 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1788 sk->sk_state_change(sk);
1789 }
1790
l2cap_sock_set_shutdown_cb(struct l2cap_chan * chan)1791 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1792 {
1793 struct sock *sk = chan->data;
1794
1795 lock_sock(sk);
1796 sk->sk_shutdown = SHUTDOWN_MASK;
1797 release_sock(sk);
1798 }
1799
l2cap_sock_get_sndtimeo_cb(struct l2cap_chan * chan)1800 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1801 {
1802 struct sock *sk = chan->data;
1803
1804 if (!sk)
1805 return 0;
1806
1807 return READ_ONCE(sk->sk_sndtimeo);
1808 }
1809
l2cap_sock_get_peer_pid_cb(struct l2cap_chan * chan)1810 static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan)
1811 {
1812 struct sock *sk = chan->data;
1813
1814 return sk->sk_peer_pid;
1815 }
1816
l2cap_sock_suspend_cb(struct l2cap_chan * chan)1817 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1818 {
1819 struct sock *sk = chan->data;
1820
1821 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1822 sk->sk_state_change(sk);
1823 }
1824
l2cap_sock_filter(struct l2cap_chan * chan,struct sk_buff * skb)1825 static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
1826 {
1827 struct sock *sk = chan->data;
1828
1829 switch (chan->mode) {
1830 case L2CAP_MODE_ERTM:
1831 case L2CAP_MODE_STREAMING:
1832 return sk_filter(sk, skb);
1833 }
1834
1835 return 0;
1836 }
1837
1838 static const struct l2cap_ops l2cap_chan_ops = {
1839 .name = "L2CAP Socket Interface",
1840 .new_connection = l2cap_sock_new_connection_cb,
1841 .recv = l2cap_sock_recv_cb,
1842 .close = l2cap_sock_close_cb,
1843 .teardown = l2cap_sock_teardown_cb,
1844 .state_change = l2cap_sock_state_change_cb,
1845 .ready = l2cap_sock_ready_cb,
1846 .defer = l2cap_sock_defer_cb,
1847 .resume = l2cap_sock_resume_cb,
1848 .suspend = l2cap_sock_suspend_cb,
1849 .set_shutdown = l2cap_sock_set_shutdown_cb,
1850 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1851 .get_peer_pid = l2cap_sock_get_peer_pid_cb,
1852 .alloc_skb = l2cap_sock_alloc_skb_cb,
1853 .filter = l2cap_sock_filter,
1854 };
1855
l2cap_sock_destruct(struct sock * sk)1856 static void l2cap_sock_destruct(struct sock *sk)
1857 {
1858 struct l2cap_rx_busy *rx_busy, *next;
1859
1860 BT_DBG("sk %p", sk);
1861
1862 if (l2cap_pi(sk)->chan) {
1863 l2cap_pi(sk)->chan->data = NULL;
1864 l2cap_chan_put(l2cap_pi(sk)->chan);
1865 }
1866
1867 list_for_each_entry_safe(rx_busy, next, &l2cap_pi(sk)->rx_busy, list) {
1868 kfree_skb(rx_busy->skb);
1869 list_del(&rx_busy->list);
1870 kfree(rx_busy);
1871 }
1872
1873 skb_queue_purge(&sk->sk_receive_queue);
1874 skb_queue_purge(&sk->sk_write_queue);
1875 skb_queue_purge(&sk->sk_error_queue);
1876 }
1877
l2cap_skb_msg_name(struct sk_buff * skb,void * msg_name,int * msg_namelen)1878 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1879 int *msg_namelen)
1880 {
1881 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1882
1883 memset(la, 0, sizeof(struct sockaddr_l2));
1884 la->l2_family = AF_BLUETOOTH;
1885 la->l2_psm = bt_cb(skb)->l2cap.psm;
1886 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1887
1888 *msg_namelen = sizeof(struct sockaddr_l2);
1889 }
1890
l2cap_sock_init(struct sock * sk,struct sock * parent)1891 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1892 {
1893 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1894
1895 BT_DBG("sk %p", sk);
1896
1897 if (parent) {
1898 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1899
1900 sk->sk_type = parent->sk_type;
1901 bt_sk(sk)->flags = bt_sk(parent)->flags;
1902
1903 chan->chan_type = pchan->chan_type;
1904 chan->imtu = pchan->imtu;
1905 chan->omtu = pchan->omtu;
1906 chan->conf_state = pchan->conf_state;
1907 chan->mode = pchan->mode;
1908 chan->fcs = pchan->fcs;
1909 chan->max_tx = pchan->max_tx;
1910 chan->tx_win = pchan->tx_win;
1911 chan->tx_win_max = pchan->tx_win_max;
1912 chan->sec_level = pchan->sec_level;
1913 chan->flags = pchan->flags;
1914 chan->tx_credits = pchan->tx_credits;
1915 chan->rx_credits = pchan->rx_credits;
1916
1917 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1918 chan->scid = pchan->scid;
1919 chan->dcid = pchan->scid;
1920 }
1921
1922 security_sk_clone(parent, sk);
1923 } else {
1924 switch (sk->sk_type) {
1925 case SOCK_RAW:
1926 chan->chan_type = L2CAP_CHAN_RAW;
1927 break;
1928 case SOCK_DGRAM:
1929 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1930 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1931 break;
1932 case SOCK_SEQPACKET:
1933 case SOCK_STREAM:
1934 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1935 break;
1936 }
1937
1938 chan->imtu = L2CAP_DEFAULT_MTU;
1939 chan->omtu = 0;
1940 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1941 chan->mode = L2CAP_MODE_ERTM;
1942 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1943 } else {
1944 chan->mode = L2CAP_MODE_BASIC;
1945 }
1946
1947 l2cap_chan_set_defaults(chan);
1948 }
1949
1950 /* Default config options */
1951 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1952
1953 chan->data = sk;
1954 chan->ops = &l2cap_chan_ops;
1955
1956 l2cap_publish_rx_avail(chan);
1957 }
1958
1959 static struct proto l2cap_proto = {
1960 .name = "L2CAP",
1961 .owner = THIS_MODULE,
1962 .obj_size = sizeof(struct l2cap_pinfo)
1963 };
1964
l2cap_sock_alloc(struct net * net,struct socket * sock,int proto,gfp_t prio,int kern)1965 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1966 int proto, gfp_t prio, int kern)
1967 {
1968 struct sock *sk;
1969 struct l2cap_chan *chan;
1970
1971 sk = bt_sock_alloc(net, sock, &l2cap_proto, proto, prio, kern);
1972 if (!sk)
1973 return NULL;
1974
1975 sk->sk_destruct = l2cap_sock_destruct;
1976 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1977
1978 INIT_LIST_HEAD(&l2cap_pi(sk)->rx_busy);
1979
1980 chan = l2cap_chan_create();
1981 if (!chan) {
1982 sk_free(sk);
1983 if (sock)
1984 sock->sk = NULL;
1985 return NULL;
1986 }
1987
1988 l2cap_chan_hold(chan);
1989
1990 l2cap_pi(sk)->chan = chan;
1991
1992 return sk;
1993 }
1994
l2cap_sock_create(struct net * net,struct socket * sock,int protocol,int kern)1995 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1996 int kern)
1997 {
1998 struct sock *sk;
1999
2000 BT_DBG("sock %p", sock);
2001
2002 sock->state = SS_UNCONNECTED;
2003
2004 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
2005 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
2006 return -ESOCKTNOSUPPORT;
2007
2008 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
2009 return -EPERM;
2010
2011 sock->ops = &l2cap_sock_ops;
2012
2013 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
2014 if (!sk)
2015 return -ENOMEM;
2016
2017 l2cap_sock_init(sk, NULL);
2018 bt_sock_link(&l2cap_sk_list, sk);
2019 return 0;
2020 }
2021
2022 static const struct proto_ops l2cap_sock_ops = {
2023 .family = PF_BLUETOOTH,
2024 .owner = THIS_MODULE,
2025 .release = l2cap_sock_release,
2026 .bind = l2cap_sock_bind,
2027 .connect = l2cap_sock_connect,
2028 .listen = l2cap_sock_listen,
2029 .accept = l2cap_sock_accept,
2030 .getname = l2cap_sock_getname,
2031 .sendmsg = l2cap_sock_sendmsg,
2032 .recvmsg = l2cap_sock_recvmsg,
2033 .poll = bt_sock_poll,
2034 .ioctl = bt_sock_ioctl,
2035 .gettstamp = sock_gettstamp,
2036 .mmap = sock_no_mmap,
2037 .socketpair = sock_no_socketpair,
2038 .shutdown = l2cap_sock_shutdown,
2039 .setsockopt = l2cap_sock_setsockopt,
2040 .getsockopt = l2cap_sock_getsockopt
2041 };
2042
2043 static const struct net_proto_family l2cap_sock_family_ops = {
2044 .family = PF_BLUETOOTH,
2045 .owner = THIS_MODULE,
2046 .create = l2cap_sock_create,
2047 };
2048
l2cap_init_sockets(void)2049 int __init l2cap_init_sockets(void)
2050 {
2051 int err;
2052
2053 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
2054
2055 err = proto_register(&l2cap_proto, 0);
2056 if (err < 0)
2057 return err;
2058
2059 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
2060 if (err < 0) {
2061 BT_ERR("L2CAP socket registration failed");
2062 goto error;
2063 }
2064
2065 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
2066 NULL);
2067 if (err < 0) {
2068 BT_ERR("Failed to create L2CAP proc file");
2069 bt_sock_unregister(BTPROTO_L2CAP);
2070 goto error;
2071 }
2072
2073 BT_INFO("L2CAP socket layer initialized");
2074
2075 return 0;
2076
2077 error:
2078 proto_unregister(&l2cap_proto);
2079 return err;
2080 }
2081
l2cap_cleanup_sockets(void)2082 void l2cap_cleanup_sockets(void)
2083 {
2084 bt_procfs_cleanup(&init_net, "l2cap");
2085 bt_sock_unregister(BTPROTO_L2CAP);
2086 proto_unregister(&l2cap_proto);
2087 }
2088