1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 BlueZ - Bluetooth protocol stack for Linux 4 Copyright (C) 2000-2001 Qualcomm Incorporated 5 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org> 6 Copyright (C) 2010 Google Inc. 7 Copyright (C) 2011 ProFUSION Embedded Systems 8 9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 10 11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 22 SOFTWARE IS DISCLAIMED. 23 */ 24 25 /* Bluetooth L2CAP sockets. 
*/

#include <linux/module.h>
#include <linux/export.h>
#include <linux/filter.h>
#include <linux/sched/signal.h>
#include <linux/uio.h>

#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/l2cap.h>

#include "smp.h"

/* Registry of all L2CAP sockets, protected by its own rwlock. */
static struct bt_sock_list l2cap_sk_list = {
	.lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
};

static const struct proto_ops l2cap_sock_ops;
static void l2cap_sock_init(struct sock *sk, struct sock *parent);
static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
				     int proto, gfp_t prio, int kern);
static void l2cap_sock_cleanup_listen(struct sock *parent);

/* l2cap_is_socket - check whether a socket belongs to this family
 * @sock: socket to test, may be NULL
 *
 * Identifies an L2CAP socket by its ops vector rather than by anything
 * user space controls, so in-kernel users that are handed a socket can
 * verify its type before treating it as one. Returns false for NULL.
 */
bool l2cap_is_socket(struct socket *sock)
{
	return sock && sock->ops == &l2cap_sock_ops;
}
EXPORT_SYMBOL(l2cap_is_socket);

/* l2cap_validate_bredr_psm - validate a BR/EDR PSM requested by bind()
 * @psm: PSM in host byte order
 *
 * Returns 0 if usable, -EINVAL if malformed, -EACCES if the PSM lies
 * below the dynamic range and the caller lacks CAP_NET_BIND_SERVICE.
 */
static int l2cap_validate_bredr_psm(u16 psm)
{
	/* PSM must be odd and lsb of upper byte must be 0, i.e. bit 0 of
	 * the low byte set and bit 0 of the high byte clear.
	 */
	if ((psm & 0x0101) != 0x0001)
		return -EINVAL;

	/* Restrict usage of well-known PSMs: everything below the dynamic
	 * range needs the same capability as a privileged network port.
	 */
	if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
		return -EACCES;

	return 0;
}

/* l2cap_validate_le_psm - validate an LE PSM requested by bind()
 * @psm: LE_PSM in host byte order
 *
 * Same contract as l2cap_validate_bredr_psm(), using the LE ranges.
 */
static int l2cap_validate_le_psm(u16 psm)
{
	/* Valid LE_PSM ranges are defined only until 0x00ff */
	if (psm > L2CAP_PSM_LE_DYN_END)
		return -EINVAL;

	/* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
	if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
		return -EACCES;

	return 0;
}

/* l2cap_sock_bind - bind() handler for L2CAP sockets
 * @sock: the socket
 * @addr: address as handed over by the socket layer (it is read with a
 *        plain memcpy below, so it is expected to be kernel memory)
 * @alen: length user space passed for @addr
 *
 * A socket binds either a fixed CID or a PSM, never both. Address format
 * checks run before the socket lock is taken; the state check, PSM
 * privilege checks and every channel update happen under lock_sock().
 *
 * Returns 0 or a negative errno (-EINVAL, -EACCES, -EBADFD, or whatever
 * l2cap_add_scid()/l2cap_add_psm() report).
 */
static int l2cap_sock_bind(struct socket *sock, struct sockaddr_unsized *addr, int alen)
{
	struct sock *sk = sock->sk;
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
	struct sockaddr_l2 la;
	int len, err = 0;

	BT_DBG("sk %p", sk);

	/* sa_family must be readable and must be ours before any other
	 * field of the address is looked at.
	 */
	if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
	    addr->sa_family != AF_BLUETOOTH)
		return -EINVAL;

	/* Copy at most sizeof(la) bytes; whatever user space did not supply
	 * stays zero from the memset, so a short address reads as psm 0,
	 * cid 0, bdaddr_type 0 instead of stack garbage.
	 */
	memset(&la, 0, sizeof(la));
	len = min_t(unsigned int, sizeof(la), alen);
	memcpy(&la, addr,
len);

	/* Fixed CID and PSM are mutually exclusive. */
	if (la.l2_cid && la.l2_psm)
		return -EINVAL;

	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
		return -EINVAL;

	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
		/* We only allow ATT user space socket: on LE the only fixed
		 * CID a user may bind is the ATT channel.
		 */
		if (la.l2_cid &&
		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
			return -EINVAL;
	}

	lock_sock(sk);

	/* Only a socket still in BT_OPEN may be bound. */
	if (sk->sk_state != BT_OPEN) {
		err = -EBADFD;
		goto done;
	}

	if (la.l2_psm) {
		__u16 psm = __le16_to_cpu(la.l2_psm);

		/* Format and privilege rules differ per transport. */
		if (la.l2_bdaddr_type == BDADDR_BREDR)
			err = l2cap_validate_bredr_psm(psm);
		else
			err = l2cap_validate_le_psm(psm);

		if (err)
			goto done;
	}

	bacpy(&chan->src, &la.l2_bdaddr);
	chan->src_type = la.l2_bdaddr_type;

	/* Register with the core: a fixed CID (host order) or the PSM,
	 * which is passed on in wire (little-endian) order.
	 */
	if (la.l2_cid)
		err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
	else
		err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);

	if (err < 0)
		goto done;

	/* Pick the initial security level by channel type: the well-known
	 * discovery PSMs (3DSP, SDP, RFCOMM) and raw channels get
	 * BT_SECURITY_SDP, everything else keeps the socket's default.
	 */
	switch (chan->chan_type) {
	case L2CAP_CHAN_CONN_LESS:
		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
			chan->sec_level = BT_SECURITY_SDP;
		break;
	case L2CAP_CHAN_CONN_ORIENTED:
		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
		    __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
			chan->sec_level = BT_SECURITY_SDP;
		break;
	case L2CAP_CHAN_RAW:
		chan->sec_level = BT_SECURITY_SDP;
		break;
	case L2CAP_CHAN_FIXED:
		/* Fixed channels default to the L2CAP core not holding a
		 * hci_conn reference for them. For fixed channels mapping to
		 * L2CAP sockets we do want to hold a reference so set the
		 * appropriate flag to request it.
		 */
		set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
		break;
	}

	/* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
	 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
*/
	if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
	    chan->mode != L2CAP_MODE_EXT_FLOWCTL)
		chan->mode = L2CAP_MODE_LE_FLOWCTL;

	chan->state = BT_BOUND;
	sk->sk_state = BT_BOUND;

done:
	release_sock(sk);
	return err;
}

/* l2cap_sock_connect - connect() handler for L2CAP sockets
 * @sock: the socket
 * @addr: destination address as handed over by the socket layer
 * @alen: length user space passed for @addr
 * @flags: file flags; only O_NONBLOCK is looked at, for the wait timeout
 *
 * Validates the destination, reconciles it with whatever bind() recorded
 * as source, hands the connection request to the core and then waits
 * (bounded by the send timeout) for BT_CONNECTED.
 *
 * NOTE(review): apart from the SOCK_ZAPPED probe, the socket lock is not
 * held while chan->src, src_type, scid, psm and mode are read or written
 * below, whereas bind() touches the same fields under lock_sock().
 * Presumably the core or the socket layer rules out a racing bind() /
 * setsockopt() — confirm.
 *
 * Returns 0 or a negative errno.
 */
static int l2cap_sock_connect(struct socket *sock, struct sockaddr_unsized *addr,
			      int alen, int flags)
{
	struct sock *sk = sock->sk;
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
	struct sockaddr_l2 la;
	int len, err = 0;
	bool zapped;

	BT_DBG("sk %p", sk);

	/* A zapped socket has lost its channel; refuse before touching it. */
	lock_sock(sk);
	zapped = sock_flag(sk, SOCK_ZAPPED);
	release_sock(sk);

	if (zapped)
		return -EINVAL;

	if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
	    addr->sa_family != AF_BLUETOOTH)
		return -EINVAL;

	/* Same bounded copy as bind(): missing tail fields stay zero. */
	memset(&la, 0, sizeof(la));
	len = min_t(unsigned int, sizeof(la), alen);
	memcpy(&la, addr, len);

	/* Fixed CID and PSM are mutually exclusive. */
	if (la.l2_cid && la.l2_psm)
		return -EINVAL;

	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
		return -EINVAL;

	/* Check that the socket wasn't bound to something that
	 * conflicts with the address given to connect(). If chan->src
	 * is BDADDR_ANY it means bind() was never used, in which case
	 * chan->src_type and la.l2_bdaddr_type do not need to match.
	 */
	if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
	    bdaddr_type_is_le(la.l2_bdaddr_type)) {
		/* Old user space versions will try to incorrectly bind
		 * the ATT socket using BDADDR_BREDR. We need to accept
		 * this and fix up the source address type only when
		 * both the source CID and destination CID indicate
		 * ATT. Anything else is an invalid combination.
		 */
		if (chan->scid != L2CAP_CID_ATT ||
		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
			return -EINVAL;

		/* We don't have the hdev available here to make a
		 * better decision on random vs public, but since all
		 * user space versions that exhibit this issue anyway do
		 * not support random local addresses assuming public
		 * here is good enough.
		 */
		chan->src_type = BDADDR_LE_PUBLIC;
	}

	/* An LE-bound socket may not connect to a BR/EDR destination. */
	if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
		return -EINVAL;

	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
		/* We only allow ATT user space socket */
		if (la.l2_cid &&
		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
			return -EINVAL;
	}

	/* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
	 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
	 */
	if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
	    chan->mode != L2CAP_MODE_EXT_FLOWCTL)
		chan->mode = L2CAP_MODE_LE_FLOWCTL;

	/* PSM goes to the core in wire order, the CID in host order. */
	err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
				 &la.l2_bdaddr, la.l2_bdaddr_type,
				 READ_ONCE(sk->sk_sndtimeo));
	if (err)
		return err;

	lock_sock(sk);

	/* Non-blocking callers get the usual -EINPROGRESS style result
	 * from bt_sock_wait_state() via a zero timeout.
	 */
	err = bt_sock_wait_state(sk, BT_CONNECTED,
				 sock_sndtimeo(sk, flags & O_NONBLOCK));

	release_sock(sk);

	return err;
}

/* l2cap_sock_listen - listen() handler for L2CAP sockets
 * @sock: a bound socket
 * @backlog: maximum number of not yet accepted connections
 *
 * Only SOCK_SEQPACKET and SOCK_STREAM sockets may listen, and only in a
 * mode the core can serve: BASIC and LE CoC always, ECRED only while
 * enable_ecred is set, ERTM/streaming only unless disable_ertm is set.
 *
 * Returns 0, -EBADFD if not bound, -EINVAL for the wrong socket type, or
 * -EOPNOTSUPP for an unavailable mode.
 */
static int l2cap_sock_listen(struct socket *sock, int backlog)
{
	struct sock *sk = sock->sk;
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
	int err = 0;

	BT_DBG("sk %p backlog %d", sk, backlog);

	lock_sock(sk);

	if (sk->sk_state != BT_BOUND) {
		err = -EBADFD;
		goto done;
	}

	if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
		err = -EINVAL;
		goto done;
	}

	switch (chan->mode) {
	case L2CAP_MODE_BASIC:
	case L2CAP_MODE_LE_FLOWCTL:
		break;
	case L2CAP_MODE_EXT_FLOWCTL:
		if (!enable_ecred) {
			err = -EOPNOTSUPP;
			goto done;
		}
		break;
	case L2CAP_MODE_ERTM:
	case L2CAP_MODE_STREAMING:
		if (!disable_ertm)
			break;
		fallthrough;
	default:
		err = -EOPNOTSUPP;
		goto done;
	}

	sk->sk_max_ack_backlog = backlog;
	sk->sk_ack_backlog = 0;

	/* Listening channels need to use nested locking in order not to
	 * cause lockdep warnings when the created child channels end up
	 * being locked in the same thread as the parent channel.
	 */
	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);

	chan->state = BT_LISTEN;
	sk->sk_state = BT_LISTEN;

done:
	release_sock(sk);
	return err;
}

/* l2cap_sock_accept - accept() handler for L2CAP sockets
 * @sock: the listening socket
 * @newsock: socket to graft the accepted child onto
 * @arg: accept arguments; only O_NONBLOCK in arg->flags is used
 *
 * Sleeps (wake-one) on the listener's wait queue until a child can be
 * dequeued, the receive timeout expires (-EAGAIN), a signal arrives
 * (sock_intr_errno()) or the socket leaves BT_LISTEN (-EBADFD). The
 * parent lock is taken with the PARENT nesting class for lockdep.
 *
 * Returns 0 on success or a negative errno.
 */
static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
			     struct proto_accept_arg *arg)
{
	DEFINE_WAIT_FUNC(wait, woken_wake_function);
	struct sock *sk = sock->sk, *nsk;
	long timeo;
	int err = 0;

	lock_sock_nested(sk, L2CAP_NESTING_PARENT);

	timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK);

	BT_DBG("sk %p timeo %ld", sk, timeo);

	/* Wait for an incoming connection. (wake-one). */
	add_wait_queue_exclusive(sk_sleep(sk), &wait);
	while (1) {
		/* Re-checked every iteration: the listener may have been
		 * shut down while we slept without the lock.
		 */
		if (sk->sk_state != BT_LISTEN) {
			err = -EBADFD;
			break;
		}

		nsk = bt_accept_dequeue(sk, newsock);
		if (nsk) {
			/* Drop the bridging ref from bt_accept_dequeue();
			 * the grafted socket keeps nsk alive from here.
*/
			sock_put(nsk);
			break;
		}

		if (!timeo) {
			err = -EAGAIN;
			break;
		}

		if (signal_pending(current)) {
			err = sock_intr_errno(timeo);
			break;
		}

		/* Sleep without the parent lock so the core can enqueue. */
		release_sock(sk);

		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);

		lock_sock_nested(sk, L2CAP_NESTING_PARENT);
	}
	remove_wait_queue(sk_sleep(sk), &wait);

	if (err)
		goto done;

	newsock->state = SS_CONNECTED;

	BT_DBG("new socket %p", nsk);

done:
	release_sock(sk);
	return err;
}

/* l2cap_sock_getname - getsockname()/getpeername() handler
 * @sock: the socket
 * @addr: output buffer, at least sizeof(struct sockaddr_l2)
 * @peer: non-zero for the remote address, zero for the local one
 *
 * The local address can be read in any state; the peer address only
 * while connecting or connected (-ENOTCONN otherwise). The whole
 * structure is zeroed first so padding never carries kernel stack bytes
 * to user space. Returns the address length.
 */
static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
			      int peer)
{
	struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
	struct sock *sk = sock->sk;
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;

	BT_DBG("sock %p, sk %p", sock, sk);

	if (peer && sk->sk_state != BT_CONNECTED &&
	    sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
	    sk->sk_state != BT_CONFIG)
		return -ENOTCONN;

	memset(la, 0, sizeof(struct sockaddr_l2));
	addr->sa_family = AF_BLUETOOTH;

	/* chan->psm is already in wire order; the CIDs are converted. */
	la->l2_psm = chan->psm;

	if (peer) {
		bacpy(&la->l2_bdaddr, &chan->dst);
		la->l2_cid = cpu_to_le16(chan->dcid);
		la->l2_bdaddr_type = chan->dst_type;
	} else {
		bacpy(&la->l2_bdaddr, &chan->src);
		la->l2_cid = cpu_to_le16(chan->scid);
		la->l2_bdaddr_type = chan->src_type;
	}

	return sizeof(struct sockaddr_l2);
}

/* l2cap_get_mode - translate the channel mode into the BT_MODE_* value
 *
 * Returns the BT_MODE_* constant matching chan->mode, or -EINVAL for a
 * mode that has no user space representation.
 */
static int l2cap_get_mode(struct l2cap_chan *chan)
{
	switch (chan->mode) {
	case L2CAP_MODE_BASIC:
		return BT_MODE_BASIC;
	case L2CAP_MODE_ERTM:
		return BT_MODE_ERTM;
	case L2CAP_MODE_STREAMING:
		return BT_MODE_STREAMING;
	case L2CAP_MODE_LE_FLOWCTL:
		return BT_MODE_LE_FLOWCTL;
	case L2CAP_MODE_EXT_FLOWCTL:
		return BT_MODE_EXT_FLOWCTL;
	}

	return -EINVAL;
}

/* l2cap_sock_getsockopt_old - getsockopt() at level SOL_L2CAP
 * @sock: the socket
 * @optname: L2CAP_OPTIONS, L2CAP_LM or L2CAP_CONNINFO
 * @sopt: output descriptor (length in, data via iter_out)
 *
 * Legacy option interface. Each structure handed to user space is
 * zeroed before being filled so padding does not leak kernel memory,
 * and the copy is clamped to the smaller of the user length and the
 * structure size. Runs under lock_sock().
 *
 * Returns 0, -EINVAL, -ENOTCONN, -EFAULT or -ENOPROTOOPT.
 */
static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
				     sockopt_t *sopt)
{
	struct sock *sk = sock->sk;
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
	struct l2cap_options opts;
	struct l2cap_conninfo cinfo;
	int err = 0;
	size_t len;
	u32 opt;

	BT_DBG("sk %p", sk);

	len = sopt->optlen;

	lock_sock(sk);

	switch (optname) {
	case L2CAP_OPTIONS:
		/* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
		 * legacy ATT code depends on getsockopt for
		 * L2CAP_OPTIONS we need to let this pass.
		 */
		if (bdaddr_type_is_le(chan->src_type) &&
		    chan->scid != L2CAP_CID_ATT) {
			err = -EINVAL;
			break;
		}

		/* Only BR/EDR modes are supported here */
		switch (chan->mode) {
		case L2CAP_MODE_BASIC:
		case L2CAP_MODE_ERTM:
		case L2CAP_MODE_STREAMING:
			break;
		default:
			err = -EINVAL;
			break;
		}

		if (err < 0)
			break;

		/* Zero first: struct padding must not reach user space. */
		memset(&opts, 0, sizeof(opts));
		opts.imtu = chan->imtu;
		opts.omtu = chan->omtu;
		opts.flush_to = chan->flush_to;
		opts.mode = chan->mode;
		opts.fcs = chan->fcs;
		opts.max_tx = chan->max_tx;
		opts.txwin_size = chan->tx_win;

		BT_DBG("mode 0x%2.2x", chan->mode);

		len = min(len, sizeof(opts));
		if (copy_to_iter(&opts, len, &sopt->iter_out) != len)
			err = -EFAULT;

		break;

	case L2CAP_LM:
		/* Derived view: the current sec_level is rendered as the
		 * cumulative L2CAP_LM_* bit set it corresponds to.
		 */
		switch (chan->sec_level) {
		case BT_SECURITY_LOW:
			opt = L2CAP_LM_AUTH;
			break;
		case BT_SECURITY_MEDIUM:
			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
			break;
		case BT_SECURITY_HIGH:
			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
			      L2CAP_LM_SECURE;
			break;
		case BT_SECURITY_FIPS:
			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
			      L2CAP_LM_SECURE | L2CAP_LM_FIPS;
			break;
		default:
			opt = 0;
			break;
		}

		if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
			opt |= L2CAP_LM_MASTER;

		if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
			opt |= L2CAP_LM_RELIABLE;

		if (copy_to_iter(&opt, sizeof(opt), &sopt->iter_out) !=
		    sizeof(opt))
			err = -EFAULT;

		break;

	case L2CAP_CONNINFO:
		/* Needs a live hci_conn: connected, or an incoming
		 * connection parked in BT_CONNECT2 by BT_DEFER_SETUP.
		 */
		if (sk->sk_state != BT_CONNECTED &&
		    !(sk->sk_state == BT_CONNECT2 &&
		      test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
			err = -ENOTCONN;
			break;
		}

		memset(&cinfo, 0, sizeof(cinfo));
		cinfo.hci_handle = chan->conn->hcon->handle;
		memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);

		len = min(len, sizeof(cinfo));
		if (copy_to_iter(&cinfo, len, &sopt->iter_out) != len)
			err = -EFAULT;

		break;

	default:
		err = -ENOPROTOOPT;
		break;
	}

	release_sock(sk);
	return err;
}

/* l2cap_sock_getsockopt - getsockopt() handler
 * @sock: the socket
 * @level: SOL_L2CAP is routed to the legacy handler, SOL_BLUETOOTH is
 *         handled here, anything else is -ENOPROTOOPT
 * @optname: BT_* option
 * @sopt: output descriptor (length in, data via iter_out)
 *
 * Runs under lock_sock(). Fixed-size options are copied whole; the
 * structure-valued ones (BT_SECURITY, BT_POWER) are clamped to the user
 * supplied length. Returns 0 or a negative errno.
 */
static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
				 sockopt_t *sopt)
{
	struct sock *sk = sock->sk;
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
	struct bt_security sec;
	struct bt_power pwr;
	int len, mode, err = 0;
	u32 opt;
	u16 mtu;
	u8 mval;

	BT_DBG("sk %p", sk);

	if (level == SOL_L2CAP)
		return l2cap_sock_getsockopt_old(sock, optname, sopt);

	if (level != SOL_BLUETOOTH)
		return -ENOPROTOOPT;

	len = sopt->optlen;

	lock_sock(sk);

	switch (optname) {
	case BT_SECURITY:
		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
		    chan->chan_type != L2CAP_CHAN_FIXED &&
		    chan->chan_type != L2CAP_CHAN_RAW) {
			err = -EINVAL;
			break;
		}

		/* Report the link's actual level when a connection exists,
		 * the requested one otherwise; the key size is only known
		 * (and only reported) once connected.
		 */
		memset(&sec, 0, sizeof(sec));
		if (chan->conn) {
			sec.level = chan->conn->hcon->sec_level;

			if (sk->sk_state == BT_CONNECTED)
				sec.key_size = chan->conn->hcon->enc_key_size;
		} else {
			sec.level = chan->sec_level;
		}

		len = min_t(unsigned int, len, sizeof(sec));
		if (copy_to_iter(&sec, len, &sopt->iter_out) != len)
			err = -EFAULT;

		break;

	case BT_DEFER_SETUP:
		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
			err = -EINVAL;
			break;
		}

		opt = test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
		if (copy_to_iter(&opt,
sizeof(opt), &sopt->iter_out) !=
		    sizeof(opt))
			err = -EFAULT;

		break;

	case BT_FLUSHABLE:
		opt = test_bit(FLAG_FLUSHABLE, &chan->flags);
		if (copy_to_iter(&opt, sizeof(opt), &sopt->iter_out) !=
		    sizeof(opt))
			err = -EFAULT;

		break;

	case BT_POWER:
		if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
		    && sk->sk_type != SOCK_RAW) {
			err = -EINVAL;
			break;
		}

		/* NOTE(review): unlike the other structures returned here,
		 * pwr is not zeroed before the copy; this is only leak-free
		 * as long as struct bt_power has no bytes beyond
		 * force_active — confirm against the uapi header.
		 */
		pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);

		len = min_t(unsigned int, len, sizeof(pwr));
		if (copy_to_iter(&pwr, len, &sopt->iter_out) != len)
			err = -EFAULT;

		break;

	case BT_CHANNEL_POLICY:
		opt = chan->chan_policy;
		if (copy_to_iter(&opt, sizeof(opt), &sopt->iter_out) !=
		    sizeof(opt))
			err = -EFAULT;
		break;

	case BT_SNDMTU:
		/* LE only; the outgoing MTU is negotiated, so it is only
		 * meaningful once connected.
		 */
		if (!bdaddr_type_is_le(chan->src_type)) {
			err = -EINVAL;
			break;
		}

		if (sk->sk_state != BT_CONNECTED) {
			err = -ENOTCONN;
			break;
		}

		mtu = chan->omtu;
		if (copy_to_iter(&mtu, sizeof(mtu), &sopt->iter_out) !=
		    sizeof(mtu))
			err = -EFAULT;
		break;

	case BT_RCVMTU:
		/* LE only; the incoming MTU is local and readable any time. */
		if (!bdaddr_type_is_le(chan->src_type)) {
			err = -EINVAL;
			break;
		}

		mtu = chan->imtu;
		if (copy_to_iter(&mtu, sizeof(mtu), &sopt->iter_out) !=
		    sizeof(mtu))
			err = -EFAULT;
		break;

	case BT_PHY:
		if (sk->sk_state != BT_CONNECTED) {
			err = -ENOTCONN;
			break;
		}

		/* NOTE(review): chan->conn is dereferenced on the strength of
		 * BT_CONNECTED alone; the BT_PHY setsockopt path below
		 * additionally checks chan->conn for NULL — confirm the
		 * state implies a live conn here too.
		 */
		opt = hci_conn_get_phy(chan->conn->hcon);

		if (copy_to_iter(&opt, sizeof(opt), &sopt->iter_out) !=
		    sizeof(opt))
			err = -EFAULT;
		break;

	case BT_MODE:
		/* Option exists only when ECRED support is enabled. */
		if (!enable_ecred) {
			err = -ENOPROTOOPT;
			break;
		}

		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
			err = -EINVAL;
			break;
		}

		mode = l2cap_get_mode(chan);
		if (mode < 0) {
			err = mode;
			break;
		}

		/* User space sees a single byte, not the int. */
		mval = mode;
		if (copy_to_iter(&mval, sizeof(mval), &sopt->iter_out) !=
		    sizeof(mval))
			err = -EFAULT;
		break;

	default:
		err = -ENOPROTOOPT;
		break;
	}

	release_sock(sk);
	return err;
}

/* l2cap_valid_mtu - check a user requested receive MTU against the floor
 * @chan: channel the MTU is for (its scid selects the floor)
 * @mtu: requested MTU; 0 is accepted unconditionally
 *
 * ATT channels are held to L2CAP_LE_MIN_MTU, everything else to
 * L2CAP_DEFAULT_MIN_MTU. Returns true if acceptable.
 */
static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
{
	switch (chan->scid) {
	case L2CAP_CID_ATT:
		if (mtu && mtu < L2CAP_LE_MIN_MTU)
			return false;
		break;

	default:
		if (mtu && mtu < L2CAP_DEFAULT_MIN_MTU)
			return false;
	}

	return true;
}

/* l2cap_sock_setsockopt_old - setsockopt() at level SOL_L2CAP
 * @sock: the socket
 * @optname: L2CAP_OPTIONS or L2CAP_LM
 * @optval: user value
 * @optlen: length of the user value
 *
 * Legacy option interface, BR/EDR only for L2CAP_OPTIONS. Runs under
 * lock_sock(). Returns 0 or a negative errno.
 */
static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
				     sockptr_t optval, unsigned int optlen)
{
	struct sock *sk = sock->sk;
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
	struct l2cap_options opts;
	int err = 0;
	u32 opt;

	BT_DBG("sk %p", sk);

	lock_sock(sk);

	switch (optname) {
	case L2CAP_OPTIONS:
		if (bdaddr_type_is_le(chan->src_type)) {
			err = -EINVAL;
			break;
		}

		/* Parameters are frozen once the channel is up. */
		if (sk->sk_state == BT_CONNECTED) {
			err = -EINVAL;
			break;
		}

		/* Prefill with the current values, then overwrite from user
		 * space.
		 */
		opts.imtu = chan->imtu;
		opts.omtu = chan->omtu;
		opts.flush_to = chan->flush_to;
		opts.mode = chan->mode;
		opts.fcs = chan->fcs;
		opts.max_tx = chan->max_tx;
		opts.txwin_size = chan->tx_win;

		err = copy_safe_from_sockptr(&opts, sizeof(opts), optval,
					     optlen);
		if (err)
			break;

		/* Only txwin_size and imtu are range-checked here; omtu,
		 * flush_to, fcs and max_tx are taken as given — presumably
		 * clamped by the core during configuration, confirm.
		 */
		if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
			err = -EINVAL;
			break;
		}

		if (!l2cap_valid_mtu(chan, opts.imtu)) {
			err = -EINVAL;
			break;
		}

		/* Only BR/EDR modes are supported here */
		switch (opts.mode) {
		case L2CAP_MODE_BASIC:
			clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
			break;
		case L2CAP_MODE_ERTM:
		case L2CAP_MODE_STREAMING:
			if (!disable_ertm)
				break;
			fallthrough;
		default:
			err = -EINVAL;
			break;
		}

		if (err < 0)
			break;

		chan->mode = opts.mode;

		BT_DBG("mode 0x%2.2x", chan->mode);

		chan->imtu = opts.imtu;
		chan->omtu = opts.omtu;
		chan->fcs =
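opts.fcs;
		chan->max_tx = opts.max_tx;
		chan->tx_win = opts.txwin_size;
		chan->flush_to = opts.flush_to;
		break;

	case L2CAP_LM:
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
		if (err)
			break;

		/* FIPS cannot be requested through the legacy option. */
		if (opt & L2CAP_LM_FIPS) {
			err = -EINVAL;
			break;
		}

		/* Evaluated in ascending order so the strongest requested
		 * level wins. With none of the three bits set sec_level is
		 * left untouched: this option never lowers it.
		 */
		if (opt & L2CAP_LM_AUTH)
			chan->sec_level = BT_SECURITY_LOW;
		if (opt & L2CAP_LM_ENCRYPT)
			chan->sec_level = BT_SECURITY_MEDIUM;
		if (opt & L2CAP_LM_SECURE)
			chan->sec_level = BT_SECURITY_HIGH;

		if (opt & L2CAP_LM_MASTER)
			set_bit(FLAG_ROLE_SWITCH, &chan->flags);
		else
			clear_bit(FLAG_ROLE_SWITCH, &chan->flags);

		if (opt & L2CAP_LM_RELIABLE)
			set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
		else
			clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
		break;

	default:
		err = -ENOPROTOOPT;
		break;
	}

	release_sock(sk);
	return err;
}

/* l2cap_set_mode - apply a BT_MODE_* value requested via setsockopt()
 * @chan: channel to update
 * @mode: BT_MODE_* constant from user space
 *
 * Maps the user space constant onto L2CAP_MODE_* and rejects modes that
 * do not fit the transport the socket is bound to (BASIC, ERTM and
 * streaming are BR/EDR only; LE CoC and ECRED are LE only). ERTM and
 * streaming follow the same disable_ertm gate as the L2CAP_OPTIONS and
 * listen() paths in this file.
 *
 * Returns 0 or -EINVAL; chan->mode is only written on success.
 */
static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode)
{
	switch (mode) {
	case BT_MODE_BASIC:
		if (bdaddr_type_is_le(chan->src_type))
			return -EINVAL;
		mode = L2CAP_MODE_BASIC;
		clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
		break;
	case BT_MODE_ERTM:
		/* Available unless the disable_ertm module parameter is set,
		 * matching l2cap_sock_listen() and L2CAP_OPTIONS; the old
		 * "!disable_ertm" test had the sense inverted and made ERTM
		 * unreachable through BT_MODE in the default configuration.
		 */
		if (disable_ertm || bdaddr_type_is_le(chan->src_type))
			return -EINVAL;
		mode = L2CAP_MODE_ERTM;
		break;
	case BT_MODE_STREAMING:
		/* Same gate as ERTM, see above. */
		if (disable_ertm || bdaddr_type_is_le(chan->src_type))
			return -EINVAL;
		mode = L2CAP_MODE_STREAMING;
		break;
	case BT_MODE_LE_FLOWCTL:
		if (!bdaddr_type_is_le(chan->src_type))
			return -EINVAL;
		mode = L2CAP_MODE_LE_FLOWCTL;
		break;
	case BT_MODE_EXT_FLOWCTL:
		/* TODO: Add support for ECRED PDUs to BR/EDR */
		if (!bdaddr_type_is_le(chan->src_type))
			return -EINVAL;
		mode = L2CAP_MODE_EXT_FLOWCTL;
		break;
	default:
		return -EINVAL;
	}

	chan->mode = mode;

	return 0;
}

/* l2cap_sock_setsockopt - setsockopt() handler
 * @sock: the socket
 * @level: SOL_L2CAP is routed to the legacy handler, SOL_BLUETOOTH is
 *         handled here, anything else is -ENOPROTOOPT
 * @optname: BT_* option
 * @optval: user value
 * @optlen: length of the user value
 *
 * Every value is fetched with copy_safe_from_sockptr() into a
 * fixed-size kernel object before it is interpreted. Runs under
 * lock_sock(). Returns 0 or a negative errno.
 */
static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
				 sockptr_t optval, unsigned int optlen)
{
	struct sock *sk = sock->sk;
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
	struct bt_security sec;
	struct bt_power pwr;
	struct l2cap_conn *conn;
	int err = 0;
	u32 opt, phys;
	u16 mtu;
	u8 mode;

	BT_DBG("sk %p", sk);

	if (level == SOL_L2CAP)
		return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);

	if (level != SOL_BLUETOOTH)
		return -ENOPROTOOPT;

	lock_sock(sk);

	switch (optname) {
	case BT_SECURITY:
		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
		    chan->chan_type != L2CAP_CHAN_FIXED &&
		    chan->chan_type != L2CAP_CHAN_RAW) {
			err = -EINVAL;
			break;
		}

		sec.level = BT_SECURITY_LOW;

		err = copy_safe_from_sockptr(&sec, sizeof(sec), optval, optlen);
		if (err)
			break;

		/* Only the known levels, LOW..FIPS, are accepted. */
		if (sec.level < BT_SECURITY_LOW ||
		    sec.level > BT_SECURITY_FIPS) {
			err = -EINVAL;
			break;
		}

		/* NOTE(review): the new level is stored before we know
		 * whether the existing link can honour it; on the ATT path
		 * a failing smp_conn_security() returns -EINVAL but leaves
		 * the raised level on the channel — confirm this is intended.
		 */
		chan->sec_level = sec.level;

		/* Nothing to renegotiate without a connection. */
		if (!chan->conn)
			break;

		conn = chan->conn;

		/* change security for LE channels */
		if (chan->scid == L2CAP_CID_ATT) {
			if (smp_conn_security(conn->hcon, sec.level)) {
				err = -EINVAL;
				break;
			}

			/* Park the socket in BT_CONFIG until SMP reports. */
			set_bit(FLAG_PENDING_SECURITY, &chan->flags);
			sk->sk_state = BT_CONFIG;
			chan->state = BT_CONFIG;

			/* or for ACL link */
		} else if ((sk->sk_state == BT_CONNECT2 &&
			    test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
			   sk->sk_state == BT_CONNECTED) {
			/* Suspend the socket while the link is upgraded, or
			 * wake waiters if the link already qualifies.
			 */
			if (!l2cap_chan_check_security(chan, true))
				set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
			else
				sk->sk_state_change(sk);
		} else {
			err = -EINVAL;
		}
		break;

	case BT_DEFER_SETUP:
		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
			err = -EINVAL;
			break;
		}

		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
		if (err)
			break;

		/* Kept in sync on both the socket and the channel. */
		if (opt) {
			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
			set_bit(FLAG_DEFER_SETUP, &chan->flags);
		} else {
			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
			clear_bit(FLAG_DEFER_SETUP, &chan->flags);
		}
		break;

	case BT_FLUSHABLE:
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
		if (err)
			break;

		if (opt > BT_FLUSHABLE_ON) {
			err = -EINVAL;
			break;
		}

		if (opt == BT_FLUSHABLE_OFF) {
			conn = chan->conn;
			/* Turning flushing off needs a connection whose
			 * controller supports the No Flush feature.
			 */
			if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
				err = -EINVAL;
				break;
			}
		}

		if (opt)
			set_bit(FLAG_FLUSHABLE, &chan->flags);
		else
			clear_bit(FLAG_FLUSHABLE, &chan->flags);
		break;

	case BT_POWER:
		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
		    chan->chan_type != L2CAP_CHAN_RAW) {
			err = -EINVAL;
			break;
		}

		pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;

		err = copy_safe_from_sockptr(&pwr, sizeof(pwr), optval, optlen);
		if (err)
			break;

		if (pwr.force_active)
			set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
		else
			clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
		break;

	case BT_CHANNEL_POLICY:
		/* Validated for size, but setting a policy is not supported. */
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
		if (err)
			break;

		err = -EOPNOTSUPP;
		break;

	case BT_SNDMTU:
		if (!bdaddr_type_is_le(chan->src_type)) {
			err = -EINVAL;
			break;
		}

		/* Only allow setting output MTU when not connected */
		if (sk->sk_state == BT_CONNECTED) {
			err = -EISCONN;
			break;
		}

		err = copy_safe_from_sockptr(&mtu, sizeof(mtu), optval, optlen);
		if (err)
			break;

		/* NOTE(review): no minimum applied here, unlike the
		 * L2CAP_OPTIONS path which uses l2cap_valid_mtu() — confirm
		 * the core clamps omtu during connection setup.
		 */
		chan->omtu = mtu;
		break;

	case BT_RCVMTU:
		if (!bdaddr_type_is_le(chan->src_type)) {
			err = -EINVAL;
			break;
		}

		/* LE CoC cannot renegotiate; ECRED can (see below). */
		if (chan->mode == L2CAP_MODE_LE_FLOWCTL &&
		    sk->sk_state == BT_CONNECTED) {
			err = -EISCONN;
			break;
		}

		err = copy_safe_from_sockptr(&mtu, sizeof(mtu), optval, optlen);
		if (err)
			break;

		/* NOTE(review): as for BT_SNDMTU, no l2cap_valid_mtu() check
		 * is done on the requested receive MTU — confirm.
		 */
		if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
		    sk->sk_state == BT_CONNECTED)
			err = l2cap_chan_reconfigure(chan, mtu);
		else
			chan->imtu = mtu;

		break;

	case BT_PHY:
		if (sk->sk_state != BT_CONNECTED) {
			err = -ENOTCONN;
			break;
		}

		err = copy_safe_from_sockptr(&phys, sizeof(phys), optval,
					     optlen);
		if (err)
			break;

		/* Silently a no-op if the connection vanished meanwhile. */
		if (!chan->conn)
			break;

		conn = chan->conn;
		err = hci_conn_set_phy(conn->hcon, phys);
		break;

	case BT_MODE:
		if (!enable_ecred) {
			err = -ENOPROTOOPT;
			break;
		}

		BT_DBG("sk->sk_state %u", sk->sk_state);

		/* The mode is fixed between bind() and connect()/listen(). */
		if (sk->sk_state != BT_BOUND) {
			err = -EINVAL;
			break;
		}

		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
			err = -EINVAL;
			break;
		}

		err = copy_safe_from_sockptr(&mode, sizeof(mode), optval,
					     optlen);
		if (err)
			break;

		BT_DBG("mode %u", mode);

		err = l2cap_set_mode(chan, mode);
		if (err)
			break;

		BT_DBG("mode 0x%2.2x", chan->mode);

		break;

	default:
		err = -ENOPROTOOPT;
		break;
	}

	release_sock(sk);
	return err;
}

/* l2cap_sock_sendmsg - sendmsg() handler
 * @sock: the socket
 * @msg: message to send; MSG_OOB is rejected with -EOPNOTSUPP
 * @len: payload length
 *
 * Requires BT_CONNECTED and a socket without a pending error. Control
 * messages are parsed into @sockc before the data is handed to the core
 * under the channel lock (the socket lock is only held while waiting
 * for the socket to become ready).
 *
 * Returns the number of bytes sent or a negative errno.
 */
static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
			      size_t len)
{
	struct sock *sk = sock->sk;
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
	struct sockcm_cookie sockc;
	int err;

	BT_DBG("sock %p, sk %p", sock, sk);

	err = sock_error(sk);
	if (err)
		return err;

	if (msg->msg_flags & MSG_OOB)
		return -EOPNOTSUPP;

	if (sk->sk_state != BT_CONNECTED)
		return -ENOTCONN;

	hci_sockcm_init(&sockc, sk);

	if (msg->msg_controllen) {
		err = sock_cmsg_send(sk,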
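msg, &sockc);
		if (err)
			return err;
	}

	lock_sock(sk);
	err = bt_sock_wait_ready(sk, msg->msg_flags);
	release_sock(sk);
	if (err)
		return err;

	l2cap_chan_lock(chan);
	err = l2cap_chan_send(chan, msg, len, &sockc);
	l2cap_chan_unlock(chan);

	return err;
}

/* l2cap_publish_rx_avail - tell the core how much receive space is left
 * @chan: channel whose socket buffer is measured
 *
 * Reports to l2cap_chan_rx_avail(): 0 when the socket buffer is full,
 * -1 (meaning "at least one packet") when the MPS is unknown or the
 * estimated sk_buff overhead would eat the whole budget, otherwise the
 * free space minus that overhead.
 */
static void l2cap_publish_rx_avail(struct l2cap_chan *chan)
{
	struct sock *sk = chan->data;
	ssize_t avail = sk->sk_rcvbuf - atomic_read(&sk->sk_rmem_alloc);
	/* Kept in ssize_t: the product with sizeof(struct sk_buff) below
	 * is computed in size_t, and storing it in an int could truncate
	 * (even to a negative value) when sk_rcvbuf is large relative to
	 * mps, which would then advertise more space than exists.
	 */
	ssize_t expected_skbs, skb_overhead;

	if (avail <= 0) {
		l2cap_chan_rx_avail(chan, 0);
		return;
	}

	if (!chan->mps) {
		l2cap_chan_rx_avail(chan, -1);
		return;
	}

	/* Correct available memory by estimated sk_buff overhead.
	 * This is significant due to small transfer sizes. However, accept
	 * at least one full packet if receive space is non-zero.
	 */
	expected_skbs = DIV_ROUND_UP(avail, chan->mps);
	skb_overhead = expected_skbs * sizeof(struct sk_buff);
	if (skb_overhead < avail)
		l2cap_chan_rx_avail(chan, avail - skb_overhead);
	else
		l2cap_chan_rx_avail(chan, -1);
}

/* l2cap_sock_recvmsg - recvmsg() handler
 * @sock: the socket
 * @msg: destination message
 * @len: buffer length
 * @flags: MSG_* flags; MSG_ERRQUEUE is served from the error queue
 *
 * A first read on a deferred (BT_DEFER_SETUP) incoming connection does
 * not return data: it accepts the connection by sending the pending
 * connect response and returns 0. Otherwise data is read through the
 * generic bt_sock helpers and, for the flow-controlled modes, the freed
 * receive space is published back to the core and queued-while-busy
 * frames are moved into the socket buffer.
 *
 * Returns bytes read, 0, or a negative errno.
 */
static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
			      size_t len, int flags)
{
	struct sock *sk = sock->sk;
	struct l2cap_pinfo *pi = l2cap_pi(sk);
	int err;

	if (unlikely(flags & MSG_ERRQUEUE))
		return sock_recv_errqueue(sk, msg, len, SOL_BLUETOOTH,
					  BT_SCM_ERROR);

	lock_sock(sk);

	if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
						    &bt_sk(sk)->flags)) {
		/* ECRED and LE CoC go straight to BT_CONNECTED; classic
		 * L2CAP still has to run configuration, hence BT_CONFIG.
		 */
		if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
			sk->sk_state = BT_CONNECTED;
			pi->chan->state = BT_CONNECTED;
			__l2cap_ecred_conn_rsp_defer(pi->chan);
		} else if (bdaddr_type_is_le(pi->chan->src_type)) {
			sk->sk_state = BT_CONNECTED;
			pi->chan->state = BT_CONNECTED;
			__l2cap_le_connect_rsp_defer(pi->chan);
		} else {
			sk->sk_state = BT_CONFIG;
			pi->chan->state = BT_CONFIG;
			__l2cap_connect_rsp_defer(pi->chan);
		}

		err = 0;
		goto done;
	}

	release_sock(sk);

	if (sock->type == SOCK_STREAM)
		err = bt_sock_stream_recvmsg(sock, msg, len, flags);
	else
		err = bt_sock_recvmsg(sock, msg, len, flags);

	/* NOTE(review): chan->mode is read here without the socket lock;
	 * BT_MODE is only settable in BT_BOUND, so it is presumably stable
	 * once data flows — confirm.
	 */
	if (pi->chan->mode != L2CAP_MODE_ERTM &&
	    pi->chan->mode != L2CAP_MODE_LE_FLOWCTL &&
	    pi->chan->mode != L2CAP_MODE_EXT_FLOWCTL)
		return err;

	lock_sock(sk);

	l2cap_publish_rx_avail(pi->chan);

	/* Attempt to put pending rx data in the socket buffer; stop at the
	 * first frame that does not fit and retry on the next read.
	 */
	while (!list_empty(&pi->rx_busy)) {
		struct l2cap_rx_busy *rx_busy =
			list_first_entry(&pi->rx_busy,
					 struct l2cap_rx_busy,
					 list);
		if (__sock_queue_rcv_skb(sk, rx_busy->skb) < 0)
			goto done;
		list_del(&rx_busy->list);
		kfree(rx_busy);
	}

	/* Restore data flow when half of the receive buffer is
	 * available. This avoids resending large numbers of
	 * frames.
	 */
	if (test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state) &&
	    atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
		l2cap_chan_busy(pi->chan, 0);

done:
	release_sock(sk);
	return err;
}

/* Kill socket (only if zapped and orphan)
 * Must be called on unlocked socket, with l2cap channel lock.
 */
static void l2cap_sock_kill(struct sock *sk)
{
	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
		return;

	BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));

	/* Sock is dead, so set chan data to NULL, avoid other task use invalid
	 * sock pointer.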
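*/
	l2cap_pi(sk)->chan->data = NULL;
	/* Kill poor orphan: drop the socket's channel reference and the
	 * socket's own self-reference.
	 */

	l2cap_chan_put(l2cap_pi(sk)->chan);
	sock_set_flag(sk, SOCK_DEAD);
	sock_put(sk);
}

/* __l2cap_wait_ack - wait for outstanding ERTM frames to be acknowledged
 * @sk: locked socket; the lock is dropped while sleeping
 * @chan: its channel
 *
 * Polls every L2CAP_WAIT_ACK_POLL_PERIOD until unacked_frames reaches
 * zero or the channel leaves BT_CONNECTED, giving up after
 * L2CAP_WAIT_ACK_TIMEOUT so a peer that never acks cannot pin the
 * caller forever.
 *
 * Returns 0, a pending socket error, sock_intr_errno() on a signal, or
 * -ENOLINK on timeout.
 */
static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
{
	DECLARE_WAITQUEUE(wait, current);
	int err = 0;
	int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
	/* Timeout to prevent infinite loop */
	unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;

	add_wait_queue(sk_sleep(sk), &wait);
	set_current_state(TASK_INTERRUPTIBLE);
	do {
		BT_DBG("Waiting for %d ACKs, timeout %04d ms",
		       chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
		       jiffies_to_msecs(timeout - jiffies));

		/* schedule_timeout() returns 0 after a full sleep; re-arm. */
		if (!timeo)
			timeo = L2CAP_WAIT_ACK_POLL_PERIOD;

		if (signal_pending(current)) {
			err = sock_intr_errno(timeo);
			break;
		}

		release_sock(sk);
		timeo = schedule_timeout(timeo);
		lock_sock(sk);
		set_current_state(TASK_INTERRUPTIBLE);

		err = sock_error(sk);
		if (err)
			break;

		if (time_after(jiffies, timeout)) {
			err = -ENOLINK;
			break;
		}

	} while (chan->unacked_frames > 0 &&
		 chan->state == BT_CONNECTED);

	set_current_state(TASK_RUNNING);
	remove_wait_queue(sk_sleep(sk), &wait);
	return err;
}

/* l2cap_sock_shutdown - shutdown() handler
 * @sock: the socket
 * @how: SHUT_RD, SHUT_WR or SHUT_RDWR
 *
 * Marks the requested directions in sk_shutdown. Closing the send side
 * first drains unacknowledged ERTM frames, then closes the L2CAP channel
 * under conn->lock and chan lock (socket lock dropped, so both the
 * socket and the channel are pinned with references for the duration)
 * and finally honours SO_LINGER. Returns 0 or a negative errno; a
 * pending sk_err is reported if nothing else failed.
 */
static int l2cap_sock_shutdown(struct socket *sock, int how)
{
	struct sock *sk = sock->sk;
	struct l2cap_chan *chan;
	struct l2cap_conn *conn;
	int err = 0;

	BT_DBG("sock %p, sk %p, how %d", sock, sk, how);

	/* 'how' parameter is mapped to sk_shutdown as follows:
	 * SHUT_RD (0) --> RCV_SHUTDOWN (1)
	 * SHUT_WR (1) --> SEND_SHUTDOWN (2)
	 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3)
	 */
	how++;

	if (!sk)
		return 0;

	lock_sock(sk);

	if ((sk->sk_shutdown & how) == how)
		goto shutdown_already;

	BT_DBG("Handling sock shutdown");

	/* prevent chan structure from being freed whilst unlocked. Taken
	 * before the socket reference so that a channel already past its
	 * last reference can bail out to shutdown_already without leaving
	 * an unbalanced sock_hold() behind (shutdown_already does not
	 * sock_put(); only shutdown_matched does).
	 */
	chan = l2cap_chan_hold_unless_zero(l2cap_pi(sk)->chan);
	if (!chan)
		goto shutdown_already;

	/* prevent sk structure from being freed whilst unlocked */
	sock_hold(sk);

	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));

	if (chan->mode == L2CAP_MODE_ERTM &&
	    chan->unacked_frames > 0 &&
	    chan->state == BT_CONNECTED) {
		err = __l2cap_wait_ack(sk, chan);

		/* After waiting for ACKs, check whether shutdown
		 * has already been actioned to close the L2CAP
		 * link such as by l2cap_disconnection_req().
		 */
		if ((sk->sk_shutdown & how) == how)
			goto shutdown_matched;
	}

	/* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN
	 * is already set
	 */
	if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) {
		sk->sk_shutdown |= RCV_SHUTDOWN;
		if ((sk->sk_shutdown & how) == how)
			goto shutdown_matched;
	}

	sk->sk_shutdown |= SEND_SHUTDOWN;
	release_sock(sk);

	l2cap_chan_lock(chan);
	/* prevent conn structure from being freed */
	conn = l2cap_conn_hold_unless_zero(chan->conn);
	l2cap_chan_unlock(chan);

	if (conn)
		/* mutex lock must be taken before l2cap_chan_lock() */
		mutex_lock(&conn->lock);

	l2cap_chan_lock(chan);
	l2cap_chan_close(chan, 0);
	l2cap_chan_unlock(chan);

	if (conn) {
		mutex_unlock(&conn->lock);
		l2cap_conn_put(conn);
	}

	lock_sock(sk);

	/* SO_LINGER: wait for BT_CLOSED, except from an exiting task. */
	if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
	    !(current->flags & PF_EXITING))
		err = bt_sock_wait_state(sk, BT_CLOSED,
					 sk->sk_lingertime);

shutdown_matched:
	l2cap_chan_put(chan);
	sock_put(sk);

shutdown_already:
	if (!err && sk->sk_err)
		err = -sk->sk_err;

	release_sock(sk);

	BT_DBG("Sock shutdown complete err: %d", err);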
1450 1451 return err; 1452 } 1453 1454 static int l2cap_sock_release(struct socket *sock) 1455 { 1456 struct sock *sk = sock->sk; 1457 int err; 1458 struct l2cap_chan *chan; 1459 1460 BT_DBG("sock %p, sk %p", sock, sk); 1461 1462 if (!sk) 1463 return 0; 1464 1465 lock_sock_nested(sk, L2CAP_NESTING_PARENT); 1466 l2cap_sock_cleanup_listen(sk); 1467 release_sock(sk); 1468 1469 bt_sock_unlink(&l2cap_sk_list, sk); 1470 1471 err = l2cap_sock_shutdown(sock, SHUT_RDWR); 1472 chan = l2cap_pi(sk)->chan; 1473 1474 l2cap_chan_hold(chan); 1475 l2cap_chan_lock(chan); 1476 1477 sock_orphan(sk); 1478 l2cap_sock_kill(sk); 1479 1480 l2cap_chan_unlock(chan); 1481 l2cap_chan_put(chan); 1482 1483 return err; 1484 } 1485 1486 static void l2cap_sock_cleanup_listen(struct sock *parent) 1487 { 1488 struct sock *sk; 1489 1490 BT_DBG("parent %p state %s", parent, 1491 state_to_string(parent->sk_state)); 1492 1493 /* Close not yet accepted channels. 1494 * 1495 * bt_accept_dequeue() now returns sk with an extra reference held 1496 * (taken while sk was still locked) so a concurrent l2cap_conn_del() 1497 * -> l2cap_sock_kill() cannot free sk under us. 1498 * 1499 * cleanup_listen() runs under the parent sk lock, so unlike 1500 * l2cap_sock_shutdown() we must NOT take conn->lock here: that would 1501 * establish sk_lock -> conn->lock and invert the established 1502 * conn->lock -> chan->lock -> sk_lock order (lockdep deadlock). 1503 * 1504 * Instead, briefly take the child sk lock to fetch and pin its chan. 1505 * l2cap_conn_del() reaches the chan free only via 1506 * l2cap_chan_del() -> l2cap_sock_teardown_cb(), which itself takes 1507 * the child sk lock; holding it across l2cap_chan_hold_unless_zero() 1508 * therefore guarantees the chan cannot be freed while we read and 1509 * pin it (hold_unless_zero() additionally skips a chan already past 1510 * its last reference). We then drop the sk lock before taking 1511 * chan->lock, so sk and chan locks are never held together. 
1512 * 1513 * Since we cannot call l2cap_chan_close() without conn->lock, 1514 * schedule l2cap_chan_timeout to close the channel; it already 1515 * acquires conn->lock -> chan->lock in the correct order. 1516 */ 1517 while ((sk = bt_accept_dequeue(parent, NULL))) { 1518 struct l2cap_chan *chan; 1519 1520 lock_sock_nested(sk, L2CAP_NESTING_NORMAL); 1521 chan = l2cap_chan_hold_unless_zero(l2cap_pi(sk)->chan); 1522 release_sock(sk); 1523 if (!chan) { 1524 /* l2cap_conn_del() already tearing this child down */ 1525 sock_put(sk); 1526 continue; 1527 } 1528 1529 BT_DBG("child chan %p state %s", chan, 1530 state_to_string(chan->state)); 1531 1532 l2cap_chan_lock(chan); 1533 /* Since we cannot call l2cap_chan_close() without 1534 * conn->lock, schedule its timer to trigger the close 1535 * and cleanup of this channel. 1536 */ 1537 if (chan->conn) 1538 __set_chan_timer(chan, 0); 1539 l2cap_chan_unlock(chan); 1540 1541 l2cap_chan_put(chan); 1542 sock_put(sk); 1543 } 1544 } 1545 1546 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan) 1547 { 1548 struct sock *sk, *parent = chan->data; 1549 1550 if (!parent) 1551 return NULL; 1552 1553 lock_sock(parent); 1554 1555 /* Check for backlog size */ 1556 if (sk_acceptq_is_full(parent)) { 1557 BT_DBG("backlog full %d", parent->sk_ack_backlog); 1558 release_sock(parent); 1559 return NULL; 1560 } 1561 1562 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, 1563 GFP_ATOMIC, 0); 1564 if (!sk) { 1565 release_sock(parent); 1566 return NULL; 1567 } 1568 1569 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP); 1570 1571 l2cap_sock_init(sk, parent); 1572 1573 bt_accept_enqueue(parent, sk, false); 1574 1575 release_sock(parent); 1576 1577 return l2cap_pi(sk)->chan; 1578 } 1579 1580 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) 1581 { 1582 struct sock *sk; 1583 struct l2cap_pinfo *pi; 1584 int err; 1585 1586 sk = chan->data; 1587 if (!sk) 1588 return -ENXIO; 1589 1590 pi = 
l2cap_pi(sk); 1591 lock_sock(sk); 1592 if (chan->mode == L2CAP_MODE_ERTM && !list_empty(&pi->rx_busy)) { 1593 err = -ENOMEM; 1594 goto done; 1595 } 1596 1597 if (chan->mode != L2CAP_MODE_ERTM && 1598 chan->mode != L2CAP_MODE_STREAMING && 1599 chan->mode != L2CAP_MODE_LE_FLOWCTL && 1600 chan->mode != L2CAP_MODE_EXT_FLOWCTL) { 1601 /* Even if no filter is attached, we could potentially 1602 * get errors from security modules, etc. 1603 */ 1604 err = sk_filter(sk, skb); 1605 if (err) 1606 goto done; 1607 } 1608 1609 err = __sock_queue_rcv_skb(sk, skb); 1610 1611 l2cap_publish_rx_avail(chan); 1612 1613 /* For ERTM and LE, handle a skb that doesn't fit into the recv 1614 * buffer. This is important to do because the data frames 1615 * have already been acked, so the skb cannot be discarded. 1616 * 1617 * Notify the l2cap core that the buffer is full, so the 1618 * LOCAL_BUSY state is entered and no more frames are 1619 * acked and reassembled until there is buffer space 1620 * available. 1621 */ 1622 if (err < 0 && 1623 (chan->mode == L2CAP_MODE_ERTM || 1624 chan->mode == L2CAP_MODE_LE_FLOWCTL || 1625 chan->mode == L2CAP_MODE_EXT_FLOWCTL)) { 1626 struct l2cap_rx_busy *rx_busy = kmalloc_obj(*rx_busy); 1627 if (!rx_busy) { 1628 err = -ENOMEM; 1629 goto done; 1630 } 1631 rx_busy->skb = skb; 1632 list_add_tail(&rx_busy->list, &pi->rx_busy); 1633 l2cap_chan_busy(chan, 1); 1634 err = 0; 1635 } 1636 1637 done: 1638 release_sock(sk); 1639 1640 return err; 1641 } 1642 1643 static void l2cap_sock_close_cb(struct l2cap_chan *chan) 1644 { 1645 struct sock *sk = chan->data; 1646 1647 if (!sk) 1648 return; 1649 1650 l2cap_sock_kill(sk); 1651 } 1652 1653 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err) 1654 { 1655 struct sock *sk = chan->data; 1656 struct sock *parent; 1657 1658 if (!sk) 1659 return; 1660 1661 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 1662 1663 /* This callback can be called both for server (BT_LISTEN) 1664 * sockets as well 
as "normal" ones. To avoid lockdep warnings 1665 * with child socket locking (through l2cap_sock_cleanup_listen) 1666 * we need separation into separate nesting levels. The simplest 1667 * way to accomplish this is to inherit the nesting level used 1668 * for the channel. 1669 */ 1670 lock_sock_nested(sk, atomic_read(&chan->nesting)); 1671 1672 parent = bt_sk(sk)->parent; 1673 1674 switch (chan->state) { 1675 case BT_OPEN: 1676 case BT_BOUND: 1677 case BT_CLOSED: 1678 break; 1679 case BT_LISTEN: 1680 l2cap_sock_cleanup_listen(sk); 1681 sk->sk_state = BT_CLOSED; 1682 chan->state = BT_CLOSED; 1683 1684 break; 1685 default: 1686 sk->sk_state = BT_CLOSED; 1687 chan->state = BT_CLOSED; 1688 1689 sk->sk_err = err; 1690 1691 if (parent) { 1692 bt_accept_unlink(sk); 1693 parent->sk_data_ready(parent); 1694 } else { 1695 sk->sk_state_change(sk); 1696 } 1697 1698 break; 1699 } 1700 release_sock(sk); 1701 1702 /* Only zap after cleanup to avoid use after free race */ 1703 sock_set_flag(sk, SOCK_ZAPPED); 1704 1705 } 1706 1707 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state, 1708 int err) 1709 { 1710 struct sock *sk = chan->data; 1711 1712 if (!sk) 1713 return; 1714 1715 sk->sk_state = state; 1716 1717 if (err) 1718 sk->sk_err = err; 1719 } 1720 1721 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan, 1722 unsigned long hdr_len, 1723 unsigned long len, int nb) 1724 { 1725 struct sock *sk = chan->data; 1726 struct sk_buff *skb; 1727 int err; 1728 1729 l2cap_chan_unlock(chan); 1730 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err); 1731 l2cap_chan_lock(chan); 1732 1733 if (!skb) 1734 return ERR_PTR(err); 1735 1736 /* Channel lock is released before requesting new skb and then 1737 * reacquired thus we need to recheck channel state. 
1738 */ 1739 if (chan->state != BT_CONNECTED) { 1740 kfree_skb(skb); 1741 return ERR_PTR(-ENOTCONN); 1742 } 1743 1744 skb->priority = READ_ONCE(sk->sk_priority); 1745 1746 bt_cb(skb)->l2cap.chan = chan; 1747 1748 return skb; 1749 } 1750 1751 static void l2cap_sock_ready_cb(struct l2cap_chan *chan) 1752 { 1753 struct sock *sk = chan->data; 1754 struct sock *parent; 1755 1756 if (!sk) 1757 return; 1758 1759 lock_sock(sk); 1760 1761 parent = bt_sk(sk)->parent; 1762 1763 BT_DBG("sk %p, parent %p", sk, parent); 1764 1765 sk->sk_state = BT_CONNECTED; 1766 sk->sk_state_change(sk); 1767 1768 if (parent) 1769 parent->sk_data_ready(parent); 1770 1771 release_sock(sk); 1772 } 1773 1774 static void l2cap_sock_defer_cb(struct l2cap_chan *chan) 1775 { 1776 struct sock *parent, *sk = chan->data; 1777 1778 lock_sock(sk); 1779 1780 parent = bt_sk(sk)->parent; 1781 if (parent) 1782 parent->sk_data_ready(parent); 1783 1784 release_sock(sk); 1785 } 1786 1787 static void l2cap_sock_resume_cb(struct l2cap_chan *chan) 1788 { 1789 struct sock *sk = chan->data; 1790 1791 if (!sk) 1792 return; 1793 1794 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) { 1795 sk->sk_state = BT_CONNECTED; 1796 chan->state = BT_CONNECTED; 1797 } 1798 1799 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 1800 sk->sk_state_change(sk); 1801 } 1802 1803 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan) 1804 { 1805 struct sock *sk = chan->data; 1806 1807 lock_sock(sk); 1808 sk->sk_shutdown = SHUTDOWN_MASK; 1809 release_sock(sk); 1810 } 1811 1812 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan) 1813 { 1814 struct sock *sk = chan->data; 1815 1816 if (!sk) 1817 return 0; 1818 1819 return READ_ONCE(sk->sk_sndtimeo); 1820 } 1821 1822 static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan) 1823 { 1824 struct sock *sk = chan->data; 1825 1826 return sk->sk_peer_pid; 1827 } 1828 1829 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan) 1830 { 1831 struct sock *sk = 
chan->data; 1832 1833 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 1834 sk->sk_state_change(sk); 1835 } 1836 1837 static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb) 1838 { 1839 struct sock *sk = chan->data; 1840 1841 switch (chan->mode) { 1842 case L2CAP_MODE_ERTM: 1843 case L2CAP_MODE_STREAMING: 1844 return sk_filter(sk, skb); 1845 } 1846 1847 return 0; 1848 } 1849 1850 static const struct l2cap_ops l2cap_chan_ops = { 1851 .name = "L2CAP Socket Interface", 1852 .new_connection = l2cap_sock_new_connection_cb, 1853 .recv = l2cap_sock_recv_cb, 1854 .close = l2cap_sock_close_cb, 1855 .teardown = l2cap_sock_teardown_cb, 1856 .state_change = l2cap_sock_state_change_cb, 1857 .ready = l2cap_sock_ready_cb, 1858 .defer = l2cap_sock_defer_cb, 1859 .resume = l2cap_sock_resume_cb, 1860 .suspend = l2cap_sock_suspend_cb, 1861 .set_shutdown = l2cap_sock_set_shutdown_cb, 1862 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb, 1863 .get_peer_pid = l2cap_sock_get_peer_pid_cb, 1864 .alloc_skb = l2cap_sock_alloc_skb_cb, 1865 .filter = l2cap_sock_filter, 1866 }; 1867 1868 static void l2cap_sock_destruct(struct sock *sk) 1869 { 1870 struct l2cap_rx_busy *rx_busy, *next; 1871 1872 BT_DBG("sk %p", sk); 1873 1874 if (l2cap_pi(sk)->chan) { 1875 l2cap_pi(sk)->chan->data = NULL; 1876 l2cap_chan_put(l2cap_pi(sk)->chan); 1877 } 1878 1879 list_for_each_entry_safe(rx_busy, next, &l2cap_pi(sk)->rx_busy, list) { 1880 kfree_skb(rx_busy->skb); 1881 list_del(&rx_busy->list); 1882 kfree(rx_busy); 1883 } 1884 1885 skb_queue_purge(&sk->sk_receive_queue); 1886 skb_queue_purge(&sk->sk_write_queue); 1887 skb_queue_purge(&sk->sk_error_queue); 1888 } 1889 1890 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name, 1891 int *msg_namelen) 1892 { 1893 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name); 1894 1895 memset(la, 0, sizeof(struct sockaddr_l2)); 1896 la->l2_family = AF_BLUETOOTH; 1897 la->l2_psm = bt_cb(skb)->l2cap.psm; 1898 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr); 
1899 1900 *msg_namelen = sizeof(struct sockaddr_l2); 1901 } 1902 1903 static void l2cap_sock_init(struct sock *sk, struct sock *parent) 1904 { 1905 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1906 1907 BT_DBG("sk %p", sk); 1908 1909 if (parent) { 1910 struct l2cap_chan *pchan = l2cap_pi(parent)->chan; 1911 1912 sk->sk_type = parent->sk_type; 1913 bt_sk(sk)->flags = bt_sk(parent)->flags; 1914 1915 chan->chan_type = pchan->chan_type; 1916 chan->imtu = pchan->imtu; 1917 chan->omtu = pchan->omtu; 1918 chan->conf_state = pchan->conf_state; 1919 chan->mode = pchan->mode; 1920 chan->fcs = pchan->fcs; 1921 chan->max_tx = pchan->max_tx; 1922 chan->tx_win = pchan->tx_win; 1923 chan->tx_win_max = pchan->tx_win_max; 1924 chan->sec_level = pchan->sec_level; 1925 chan->flags = pchan->flags; 1926 chan->tx_credits = pchan->tx_credits; 1927 chan->rx_credits = pchan->rx_credits; 1928 1929 if (chan->chan_type == L2CAP_CHAN_FIXED) { 1930 chan->scid = pchan->scid; 1931 chan->dcid = pchan->scid; 1932 } 1933 1934 security_sk_clone(parent, sk); 1935 } else { 1936 switch (sk->sk_type) { 1937 case SOCK_RAW: 1938 chan->chan_type = L2CAP_CHAN_RAW; 1939 break; 1940 case SOCK_DGRAM: 1941 chan->chan_type = L2CAP_CHAN_CONN_LESS; 1942 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name; 1943 break; 1944 case SOCK_SEQPACKET: 1945 case SOCK_STREAM: 1946 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED; 1947 break; 1948 } 1949 1950 chan->imtu = L2CAP_DEFAULT_MTU; 1951 chan->omtu = 0; 1952 if (!disable_ertm && sk->sk_type == SOCK_STREAM) { 1953 chan->mode = L2CAP_MODE_ERTM; 1954 set_bit(CONF_STATE2_DEVICE, &chan->conf_state); 1955 } else { 1956 chan->mode = L2CAP_MODE_BASIC; 1957 } 1958 1959 l2cap_chan_set_defaults(chan); 1960 } 1961 1962 /* Default config options */ 1963 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO; 1964 1965 chan->data = sk; 1966 chan->ops = &l2cap_chan_ops; 1967 1968 l2cap_publish_rx_avail(chan); 1969 } 1970 1971 static struct proto l2cap_proto = { 1972 .name = "L2CAP", 1973 .owner = THIS_MODULE, 
1974 .obj_size = sizeof(struct l2cap_pinfo) 1975 }; 1976 1977 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, 1978 int proto, gfp_t prio, int kern) 1979 { 1980 struct sock *sk; 1981 struct l2cap_chan *chan; 1982 1983 sk = bt_sock_alloc(net, sock, &l2cap_proto, proto, prio, kern); 1984 if (!sk) 1985 return NULL; 1986 1987 sk->sk_destruct = l2cap_sock_destruct; 1988 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT; 1989 1990 INIT_LIST_HEAD(&l2cap_pi(sk)->rx_busy); 1991 1992 chan = l2cap_chan_create(); 1993 if (!chan) { 1994 sk_free(sk); 1995 if (sock) 1996 sock->sk = NULL; 1997 return NULL; 1998 } 1999 2000 l2cap_chan_hold(chan); 2001 2002 l2cap_pi(sk)->chan = chan; 2003 2004 return sk; 2005 } 2006 2007 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol, 2008 int kern) 2009 { 2010 struct sock *sk; 2011 2012 BT_DBG("sock %p", sock); 2013 2014 sock->state = SS_UNCONNECTED; 2015 2016 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM && 2017 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW) 2018 return -ESOCKTNOSUPPORT; 2019 2020 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW)) 2021 return -EPERM; 2022 2023 sock->ops = &l2cap_sock_ops; 2024 2025 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern); 2026 if (!sk) 2027 return -ENOMEM; 2028 2029 l2cap_sock_init(sk, NULL); 2030 bt_sock_link(&l2cap_sk_list, sk); 2031 return 0; 2032 } 2033 2034 static const struct proto_ops l2cap_sock_ops = { 2035 .family = PF_BLUETOOTH, 2036 .owner = THIS_MODULE, 2037 .release = l2cap_sock_release, 2038 .bind = l2cap_sock_bind, 2039 .connect = l2cap_sock_connect, 2040 .listen = l2cap_sock_listen, 2041 .accept = l2cap_sock_accept, 2042 .getname = l2cap_sock_getname, 2043 .sendmsg = l2cap_sock_sendmsg, 2044 .recvmsg = l2cap_sock_recvmsg, 2045 .poll = bt_sock_poll, 2046 .ioctl = bt_sock_ioctl, 2047 .gettstamp = sock_gettstamp, 2048 .mmap = sock_no_mmap, 2049 .socketpair = sock_no_socketpair, 2050 .shutdown = 
l2cap_sock_shutdown, 2051 .setsockopt = l2cap_sock_setsockopt, 2052 .getsockopt_iter = l2cap_sock_getsockopt 2053 }; 2054 2055 static const struct net_proto_family l2cap_sock_family_ops = { 2056 .family = PF_BLUETOOTH, 2057 .owner = THIS_MODULE, 2058 .create = l2cap_sock_create, 2059 }; 2060 2061 int __init l2cap_init_sockets(void) 2062 { 2063 int err; 2064 2065 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr)); 2066 2067 err = proto_register(&l2cap_proto, 0); 2068 if (err < 0) 2069 return err; 2070 2071 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops); 2072 if (err < 0) { 2073 BT_ERR("L2CAP socket registration failed"); 2074 goto error; 2075 } 2076 2077 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list, 2078 NULL); 2079 if (err < 0) { 2080 BT_ERR("Failed to create L2CAP proc file"); 2081 bt_sock_unregister(BTPROTO_L2CAP); 2082 goto error; 2083 } 2084 2085 BT_INFO("L2CAP socket layer initialized"); 2086 2087 return 0; 2088 2089 error: 2090 proto_unregister(&l2cap_proto); 2091 return err; 2092 } 2093 2094 void l2cap_cleanup_sockets(void) 2095 { 2096 bt_procfs_cleanup(&init_net, "l2cap"); 2097 bt_sock_unregister(BTPROTO_L2CAP); 2098 proto_unregister(&l2cap_proto); 2099 } 2100