1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
26 */
27
28 /* Bluetooth L2CAP sockets. */
29
30 #include <linux/module.h>
31 #include <linux/export.h>
32 #include <linux/filter.h>
33 #include <linux/sched/signal.h>
34
35 #include <net/bluetooth/bluetooth.h>
36 #include <net/bluetooth/hci_core.h>
37 #include <net/bluetooth/l2cap.h>
38
39 #include "smp.h"
40
41 static struct bt_sock_list l2cap_sk_list = {
42 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
43 };
44
45 static const struct proto_ops l2cap_sock_ops;
46 static void l2cap_sock_init(struct sock *sk, struct sock *parent);
47 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
48 int proto, gfp_t prio, int kern);
49 static void l2cap_sock_cleanup_listen(struct sock *parent);
50
l2cap_is_socket(struct socket * sock)51 bool l2cap_is_socket(struct socket *sock)
52 {
53 return sock && sock->ops == &l2cap_sock_ops;
54 }
55 EXPORT_SYMBOL(l2cap_is_socket);
56
l2cap_validate_bredr_psm(u16 psm)57 static int l2cap_validate_bredr_psm(u16 psm)
58 {
59 /* PSM must be odd and lsb of upper byte must be 0 */
60 if ((psm & 0x0101) != 0x0001)
61 return -EINVAL;
62
63 /* Restrict usage of well-known PSMs */
64 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
65 return -EACCES;
66
67 return 0;
68 }
69
l2cap_validate_le_psm(u16 psm)70 static int l2cap_validate_le_psm(u16 psm)
71 {
72 /* Valid LE_PSM ranges are defined only until 0x00ff */
73 if (psm > L2CAP_PSM_LE_DYN_END)
74 return -EINVAL;
75
76 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
77 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
78 return -EACCES;
79
80 return 0;
81 }
82
l2cap_sock_bind(struct socket * sock,struct sockaddr_unsized * addr,int alen)83 static int l2cap_sock_bind(struct socket *sock, struct sockaddr_unsized *addr, int alen)
84 {
85 struct sock *sk = sock->sk;
86 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
87 struct sockaddr_l2 la;
88 int len, err = 0;
89
90 BT_DBG("sk %p", sk);
91
92 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
93 addr->sa_family != AF_BLUETOOTH)
94 return -EINVAL;
95
96 memset(&la, 0, sizeof(la));
97 len = min_t(unsigned int, sizeof(la), alen);
98 memcpy(&la, addr, len);
99
100 if (la.l2_cid && la.l2_psm)
101 return -EINVAL;
102
103 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
104 return -EINVAL;
105
106 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
107 /* We only allow ATT user space socket */
108 if (la.l2_cid &&
109 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
110 return -EINVAL;
111 }
112
113 lock_sock(sk);
114
115 if (sk->sk_state != BT_OPEN) {
116 err = -EBADFD;
117 goto done;
118 }
119
120 if (la.l2_psm) {
121 __u16 psm = __le16_to_cpu(la.l2_psm);
122
123 if (la.l2_bdaddr_type == BDADDR_BREDR)
124 err = l2cap_validate_bredr_psm(psm);
125 else
126 err = l2cap_validate_le_psm(psm);
127
128 if (err)
129 goto done;
130 }
131
132 bacpy(&chan->src, &la.l2_bdaddr);
133 chan->src_type = la.l2_bdaddr_type;
134
135 if (la.l2_cid)
136 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
137 else
138 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
139
140 if (err < 0)
141 goto done;
142
143 switch (chan->chan_type) {
144 case L2CAP_CHAN_CONN_LESS:
145 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
146 chan->sec_level = BT_SECURITY_SDP;
147 break;
148 case L2CAP_CHAN_CONN_ORIENTED:
149 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
150 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
151 chan->sec_level = BT_SECURITY_SDP;
152 break;
153 case L2CAP_CHAN_RAW:
154 chan->sec_level = BT_SECURITY_SDP;
155 break;
156 case L2CAP_CHAN_FIXED:
157 /* Fixed channels default to the L2CAP core not holding a
158 * hci_conn reference for them. For fixed channels mapping to
159 * L2CAP sockets we do want to hold a reference so set the
160 * appropriate flag to request it.
161 */
162 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
163 break;
164 }
165
166 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
167 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
168 */
169 if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
170 chan->mode != L2CAP_MODE_EXT_FLOWCTL)
171 chan->mode = L2CAP_MODE_LE_FLOWCTL;
172
173 chan->state = BT_BOUND;
174 sk->sk_state = BT_BOUND;
175
176 done:
177 release_sock(sk);
178 return err;
179 }
180
l2cap_sock_connect(struct socket * sock,struct sockaddr_unsized * addr,int alen,int flags)181 static int l2cap_sock_connect(struct socket *sock, struct sockaddr_unsized *addr,
182 int alen, int flags)
183 {
184 struct sock *sk = sock->sk;
185 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
186 struct sockaddr_l2 la;
187 int len, err = 0;
188 bool zapped;
189
190 BT_DBG("sk %p", sk);
191
192 lock_sock(sk);
193 zapped = sock_flag(sk, SOCK_ZAPPED);
194 release_sock(sk);
195
196 if (zapped)
197 return -EINVAL;
198
199 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
200 addr->sa_family != AF_BLUETOOTH)
201 return -EINVAL;
202
203 memset(&la, 0, sizeof(la));
204 len = min_t(unsigned int, sizeof(la), alen);
205 memcpy(&la, addr, len);
206
207 if (la.l2_cid && la.l2_psm)
208 return -EINVAL;
209
210 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
211 return -EINVAL;
212
213 /* Check that the socket wasn't bound to something that
214 * conflicts with the address given to connect(). If chan->src
215 * is BDADDR_ANY it means bind() was never used, in which case
216 * chan->src_type and la.l2_bdaddr_type do not need to match.
217 */
218 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
219 bdaddr_type_is_le(la.l2_bdaddr_type)) {
220 /* Old user space versions will try to incorrectly bind
221 * the ATT socket using BDADDR_BREDR. We need to accept
222 * this and fix up the source address type only when
223 * both the source CID and destination CID indicate
224 * ATT. Anything else is an invalid combination.
225 */
226 if (chan->scid != L2CAP_CID_ATT ||
227 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
228 return -EINVAL;
229
230 /* We don't have the hdev available here to make a
231 * better decision on random vs public, but since all
232 * user space versions that exhibit this issue anyway do
233 * not support random local addresses assuming public
234 * here is good enough.
235 */
236 chan->src_type = BDADDR_LE_PUBLIC;
237 }
238
239 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
240 return -EINVAL;
241
242 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
243 /* We only allow ATT user space socket */
244 if (la.l2_cid &&
245 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
246 return -EINVAL;
247 }
248
249 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
250 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
251 */
252 if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
253 chan->mode != L2CAP_MODE_EXT_FLOWCTL)
254 chan->mode = L2CAP_MODE_LE_FLOWCTL;
255
256 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
257 &la.l2_bdaddr, la.l2_bdaddr_type,
258 READ_ONCE(sk->sk_sndtimeo));
259 if (err)
260 return err;
261
262 lock_sock(sk);
263
264 err = bt_sock_wait_state(sk, BT_CONNECTED,
265 sock_sndtimeo(sk, flags & O_NONBLOCK));
266
267 release_sock(sk);
268
269 return err;
270 }
271
l2cap_sock_listen(struct socket * sock,int backlog)272 static int l2cap_sock_listen(struct socket *sock, int backlog)
273 {
274 struct sock *sk = sock->sk;
275 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
276 int err = 0;
277
278 BT_DBG("sk %p backlog %d", sk, backlog);
279
280 lock_sock(sk);
281
282 if (sk->sk_state != BT_BOUND) {
283 err = -EBADFD;
284 goto done;
285 }
286
287 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
288 err = -EINVAL;
289 goto done;
290 }
291
292 switch (chan->mode) {
293 case L2CAP_MODE_BASIC:
294 case L2CAP_MODE_LE_FLOWCTL:
295 break;
296 case L2CAP_MODE_EXT_FLOWCTL:
297 if (!enable_ecred) {
298 err = -EOPNOTSUPP;
299 goto done;
300 }
301 break;
302 case L2CAP_MODE_ERTM:
303 case L2CAP_MODE_STREAMING:
304 if (!disable_ertm)
305 break;
306 fallthrough;
307 default:
308 err = -EOPNOTSUPP;
309 goto done;
310 }
311
312 sk->sk_max_ack_backlog = backlog;
313 sk->sk_ack_backlog = 0;
314
315 /* Listening channels need to use nested locking in order not to
316 * cause lockdep warnings when the created child channels end up
317 * being locked in the same thread as the parent channel.
318 */
319 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
320
321 chan->state = BT_LISTEN;
322 sk->sk_state = BT_LISTEN;
323
324 done:
325 release_sock(sk);
326 return err;
327 }
328
l2cap_sock_accept(struct socket * sock,struct socket * newsock,struct proto_accept_arg * arg)329 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
330 struct proto_accept_arg *arg)
331 {
332 DEFINE_WAIT_FUNC(wait, woken_wake_function);
333 struct sock *sk = sock->sk, *nsk;
334 long timeo;
335 int err = 0;
336
337 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
338
339 timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK);
340
341 BT_DBG("sk %p timeo %ld", sk, timeo);
342
343 /* Wait for an incoming connection. (wake-one). */
344 add_wait_queue_exclusive(sk_sleep(sk), &wait);
345 while (1) {
346 if (sk->sk_state != BT_LISTEN) {
347 err = -EBADFD;
348 break;
349 }
350
351 nsk = bt_accept_dequeue(sk, newsock);
352 if (nsk)
353 break;
354
355 if (!timeo) {
356 err = -EAGAIN;
357 break;
358 }
359
360 if (signal_pending(current)) {
361 err = sock_intr_errno(timeo);
362 break;
363 }
364
365 release_sock(sk);
366
367 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
368
369 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
370 }
371 remove_wait_queue(sk_sleep(sk), &wait);
372
373 if (err)
374 goto done;
375
376 newsock->state = SS_CONNECTED;
377
378 BT_DBG("new socket %p", nsk);
379
380 done:
381 release_sock(sk);
382 return err;
383 }
384
l2cap_sock_getname(struct socket * sock,struct sockaddr * addr,int peer)385 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
386 int peer)
387 {
388 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
389 struct sock *sk = sock->sk;
390 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
391
392 BT_DBG("sock %p, sk %p", sock, sk);
393
394 if (peer && sk->sk_state != BT_CONNECTED &&
395 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
396 sk->sk_state != BT_CONFIG)
397 return -ENOTCONN;
398
399 memset(la, 0, sizeof(struct sockaddr_l2));
400 addr->sa_family = AF_BLUETOOTH;
401
402 la->l2_psm = chan->psm;
403
404 if (peer) {
405 bacpy(&la->l2_bdaddr, &chan->dst);
406 la->l2_cid = cpu_to_le16(chan->dcid);
407 la->l2_bdaddr_type = chan->dst_type;
408 } else {
409 bacpy(&la->l2_bdaddr, &chan->src);
410 la->l2_cid = cpu_to_le16(chan->scid);
411 la->l2_bdaddr_type = chan->src_type;
412 }
413
414 return sizeof(struct sockaddr_l2);
415 }
416
l2cap_get_mode(struct l2cap_chan * chan)417 static int l2cap_get_mode(struct l2cap_chan *chan)
418 {
419 switch (chan->mode) {
420 case L2CAP_MODE_BASIC:
421 return BT_MODE_BASIC;
422 case L2CAP_MODE_ERTM:
423 return BT_MODE_ERTM;
424 case L2CAP_MODE_STREAMING:
425 return BT_MODE_STREAMING;
426 case L2CAP_MODE_LE_FLOWCTL:
427 return BT_MODE_LE_FLOWCTL;
428 case L2CAP_MODE_EXT_FLOWCTL:
429 return BT_MODE_EXT_FLOWCTL;
430 }
431
432 return -EINVAL;
433 }
434
l2cap_sock_getsockopt_old(struct socket * sock,int optname,char __user * optval,int __user * optlen)435 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
436 char __user *optval, int __user *optlen)
437 {
438 struct sock *sk = sock->sk;
439 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
440 struct l2cap_options opts;
441 struct l2cap_conninfo cinfo;
442 int err = 0;
443 size_t len;
444 u32 opt;
445
446 BT_DBG("sk %p", sk);
447
448 if (get_user(len, optlen))
449 return -EFAULT;
450
451 lock_sock(sk);
452
453 switch (optname) {
454 case L2CAP_OPTIONS:
455 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
456 * legacy ATT code depends on getsockopt for
457 * L2CAP_OPTIONS we need to let this pass.
458 */
459 if (bdaddr_type_is_le(chan->src_type) &&
460 chan->scid != L2CAP_CID_ATT) {
461 err = -EINVAL;
462 break;
463 }
464
465 /* Only BR/EDR modes are supported here */
466 switch (chan->mode) {
467 case L2CAP_MODE_BASIC:
468 case L2CAP_MODE_ERTM:
469 case L2CAP_MODE_STREAMING:
470 break;
471 default:
472 err = -EINVAL;
473 break;
474 }
475
476 if (err < 0)
477 break;
478
479 memset(&opts, 0, sizeof(opts));
480 opts.imtu = chan->imtu;
481 opts.omtu = chan->omtu;
482 opts.flush_to = chan->flush_to;
483 opts.mode = chan->mode;
484 opts.fcs = chan->fcs;
485 opts.max_tx = chan->max_tx;
486 opts.txwin_size = chan->tx_win;
487
488 BT_DBG("mode 0x%2.2x", chan->mode);
489
490 len = min(len, sizeof(opts));
491 if (copy_to_user(optval, (char *) &opts, len))
492 err = -EFAULT;
493
494 break;
495
496 case L2CAP_LM:
497 switch (chan->sec_level) {
498 case BT_SECURITY_LOW:
499 opt = L2CAP_LM_AUTH;
500 break;
501 case BT_SECURITY_MEDIUM:
502 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
503 break;
504 case BT_SECURITY_HIGH:
505 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
506 L2CAP_LM_SECURE;
507 break;
508 case BT_SECURITY_FIPS:
509 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
510 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
511 break;
512 default:
513 opt = 0;
514 break;
515 }
516
517 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
518 opt |= L2CAP_LM_MASTER;
519
520 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
521 opt |= L2CAP_LM_RELIABLE;
522
523 if (put_user(opt, (u32 __user *) optval))
524 err = -EFAULT;
525
526 break;
527
528 case L2CAP_CONNINFO:
529 if (sk->sk_state != BT_CONNECTED &&
530 !(sk->sk_state == BT_CONNECT2 &&
531 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
532 err = -ENOTCONN;
533 break;
534 }
535
536 memset(&cinfo, 0, sizeof(cinfo));
537 cinfo.hci_handle = chan->conn->hcon->handle;
538 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
539
540 len = min(len, sizeof(cinfo));
541 if (copy_to_user(optval, (char *) &cinfo, len))
542 err = -EFAULT;
543
544 break;
545
546 default:
547 err = -ENOPROTOOPT;
548 break;
549 }
550
551 release_sock(sk);
552 return err;
553 }
554
l2cap_sock_getsockopt(struct socket * sock,int level,int optname,char __user * optval,int __user * optlen)555 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
556 char __user *optval, int __user *optlen)
557 {
558 struct sock *sk = sock->sk;
559 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
560 struct bt_security sec;
561 struct bt_power pwr;
562 u32 phys;
563 int len, mode, err = 0;
564
565 BT_DBG("sk %p", sk);
566
567 if (level == SOL_L2CAP)
568 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
569
570 if (level != SOL_BLUETOOTH)
571 return -ENOPROTOOPT;
572
573 if (get_user(len, optlen))
574 return -EFAULT;
575
576 lock_sock(sk);
577
578 switch (optname) {
579 case BT_SECURITY:
580 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
581 chan->chan_type != L2CAP_CHAN_FIXED &&
582 chan->chan_type != L2CAP_CHAN_RAW) {
583 err = -EINVAL;
584 break;
585 }
586
587 memset(&sec, 0, sizeof(sec));
588 if (chan->conn) {
589 sec.level = chan->conn->hcon->sec_level;
590
591 if (sk->sk_state == BT_CONNECTED)
592 sec.key_size = chan->conn->hcon->enc_key_size;
593 } else {
594 sec.level = chan->sec_level;
595 }
596
597 len = min_t(unsigned int, len, sizeof(sec));
598 if (copy_to_user(optval, (char *) &sec, len))
599 err = -EFAULT;
600
601 break;
602
603 case BT_DEFER_SETUP:
604 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
605 err = -EINVAL;
606 break;
607 }
608
609 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
610 (u32 __user *) optval))
611 err = -EFAULT;
612
613 break;
614
615 case BT_FLUSHABLE:
616 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
617 (u32 __user *) optval))
618 err = -EFAULT;
619
620 break;
621
622 case BT_POWER:
623 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
624 && sk->sk_type != SOCK_RAW) {
625 err = -EINVAL;
626 break;
627 }
628
629 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
630
631 len = min_t(unsigned int, len, sizeof(pwr));
632 if (copy_to_user(optval, (char *) &pwr, len))
633 err = -EFAULT;
634
635 break;
636
637 case BT_CHANNEL_POLICY:
638 if (put_user(chan->chan_policy, (u32 __user *) optval))
639 err = -EFAULT;
640 break;
641
642 case BT_SNDMTU:
643 if (!bdaddr_type_is_le(chan->src_type)) {
644 err = -EINVAL;
645 break;
646 }
647
648 if (sk->sk_state != BT_CONNECTED) {
649 err = -ENOTCONN;
650 break;
651 }
652
653 if (put_user(chan->omtu, (u16 __user *) optval))
654 err = -EFAULT;
655 break;
656
657 case BT_RCVMTU:
658 if (!bdaddr_type_is_le(chan->src_type)) {
659 err = -EINVAL;
660 break;
661 }
662
663 if (put_user(chan->imtu, (u16 __user *) optval))
664 err = -EFAULT;
665 break;
666
667 case BT_PHY:
668 if (sk->sk_state != BT_CONNECTED) {
669 err = -ENOTCONN;
670 break;
671 }
672
673 phys = hci_conn_get_phy(chan->conn->hcon);
674
675 if (put_user(phys, (u32 __user *) optval))
676 err = -EFAULT;
677 break;
678
679 case BT_MODE:
680 if (!enable_ecred) {
681 err = -ENOPROTOOPT;
682 break;
683 }
684
685 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
686 err = -EINVAL;
687 break;
688 }
689
690 mode = l2cap_get_mode(chan);
691 if (mode < 0) {
692 err = mode;
693 break;
694 }
695
696 if (put_user(mode, (u8 __user *) optval))
697 err = -EFAULT;
698 break;
699
700 default:
701 err = -ENOPROTOOPT;
702 break;
703 }
704
705 release_sock(sk);
706 return err;
707 }
708
l2cap_valid_mtu(struct l2cap_chan * chan,u16 mtu)709 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
710 {
711 switch (chan->scid) {
712 case L2CAP_CID_ATT:
713 if (mtu && mtu < L2CAP_LE_MIN_MTU)
714 return false;
715 break;
716
717 default:
718 if (mtu && mtu < L2CAP_DEFAULT_MIN_MTU)
719 return false;
720 }
721
722 return true;
723 }
724
l2cap_sock_setsockopt_old(struct socket * sock,int optname,sockptr_t optval,unsigned int optlen)725 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
726 sockptr_t optval, unsigned int optlen)
727 {
728 struct sock *sk = sock->sk;
729 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
730 struct l2cap_options opts;
731 int err = 0;
732 u32 opt;
733
734 BT_DBG("sk %p", sk);
735
736 lock_sock(sk);
737
738 switch (optname) {
739 case L2CAP_OPTIONS:
740 if (bdaddr_type_is_le(chan->src_type)) {
741 err = -EINVAL;
742 break;
743 }
744
745 if (sk->sk_state == BT_CONNECTED) {
746 err = -EINVAL;
747 break;
748 }
749
750 opts.imtu = chan->imtu;
751 opts.omtu = chan->omtu;
752 opts.flush_to = chan->flush_to;
753 opts.mode = chan->mode;
754 opts.fcs = chan->fcs;
755 opts.max_tx = chan->max_tx;
756 opts.txwin_size = chan->tx_win;
757
758 err = copy_safe_from_sockptr(&opts, sizeof(opts), optval,
759 optlen);
760 if (err)
761 break;
762
763 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
764 err = -EINVAL;
765 break;
766 }
767
768 if (!l2cap_valid_mtu(chan, opts.imtu)) {
769 err = -EINVAL;
770 break;
771 }
772
773 /* Only BR/EDR modes are supported here */
774 switch (opts.mode) {
775 case L2CAP_MODE_BASIC:
776 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
777 break;
778 case L2CAP_MODE_ERTM:
779 case L2CAP_MODE_STREAMING:
780 if (!disable_ertm)
781 break;
782 fallthrough;
783 default:
784 err = -EINVAL;
785 break;
786 }
787
788 if (err < 0)
789 break;
790
791 chan->mode = opts.mode;
792
793 BT_DBG("mode 0x%2.2x", chan->mode);
794
795 chan->imtu = opts.imtu;
796 chan->omtu = opts.omtu;
797 chan->fcs = opts.fcs;
798 chan->max_tx = opts.max_tx;
799 chan->tx_win = opts.txwin_size;
800 chan->flush_to = opts.flush_to;
801 break;
802
803 case L2CAP_LM:
804 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
805 if (err)
806 break;
807
808 if (opt & L2CAP_LM_FIPS) {
809 err = -EINVAL;
810 break;
811 }
812
813 if (opt & L2CAP_LM_AUTH)
814 chan->sec_level = BT_SECURITY_LOW;
815 if (opt & L2CAP_LM_ENCRYPT)
816 chan->sec_level = BT_SECURITY_MEDIUM;
817 if (opt & L2CAP_LM_SECURE)
818 chan->sec_level = BT_SECURITY_HIGH;
819
820 if (opt & L2CAP_LM_MASTER)
821 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
822 else
823 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
824
825 if (opt & L2CAP_LM_RELIABLE)
826 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
827 else
828 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
829 break;
830
831 default:
832 err = -ENOPROTOOPT;
833 break;
834 }
835
836 release_sock(sk);
837 return err;
838 }
839
l2cap_set_mode(struct l2cap_chan * chan,u8 mode)840 static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode)
841 {
842 switch (mode) {
843 case BT_MODE_BASIC:
844 if (bdaddr_type_is_le(chan->src_type))
845 return -EINVAL;
846 mode = L2CAP_MODE_BASIC;
847 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
848 break;
849 case BT_MODE_ERTM:
850 if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
851 return -EINVAL;
852 mode = L2CAP_MODE_ERTM;
853 break;
854 case BT_MODE_STREAMING:
855 if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
856 return -EINVAL;
857 mode = L2CAP_MODE_STREAMING;
858 break;
859 case BT_MODE_LE_FLOWCTL:
860 if (!bdaddr_type_is_le(chan->src_type))
861 return -EINVAL;
862 mode = L2CAP_MODE_LE_FLOWCTL;
863 break;
864 case BT_MODE_EXT_FLOWCTL:
865 /* TODO: Add support for ECRED PDUs to BR/EDR */
866 if (!bdaddr_type_is_le(chan->src_type))
867 return -EINVAL;
868 mode = L2CAP_MODE_EXT_FLOWCTL;
869 break;
870 default:
871 return -EINVAL;
872 }
873
874 chan->mode = mode;
875
876 return 0;
877 }
878
l2cap_sock_setsockopt(struct socket * sock,int level,int optname,sockptr_t optval,unsigned int optlen)879 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
880 sockptr_t optval, unsigned int optlen)
881 {
882 struct sock *sk = sock->sk;
883 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
884 struct bt_security sec;
885 struct bt_power pwr;
886 struct l2cap_conn *conn;
887 int err = 0;
888 u32 opt, phys;
889 u16 mtu;
890 u8 mode;
891
892 BT_DBG("sk %p", sk);
893
894 if (level == SOL_L2CAP)
895 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
896
897 if (level != SOL_BLUETOOTH)
898 return -ENOPROTOOPT;
899
900 lock_sock(sk);
901
902 switch (optname) {
903 case BT_SECURITY:
904 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
905 chan->chan_type != L2CAP_CHAN_FIXED &&
906 chan->chan_type != L2CAP_CHAN_RAW) {
907 err = -EINVAL;
908 break;
909 }
910
911 sec.level = BT_SECURITY_LOW;
912
913 err = copy_safe_from_sockptr(&sec, sizeof(sec), optval, optlen);
914 if (err)
915 break;
916
917 if (sec.level < BT_SECURITY_LOW ||
918 sec.level > BT_SECURITY_FIPS) {
919 err = -EINVAL;
920 break;
921 }
922
923 chan->sec_level = sec.level;
924
925 if (!chan->conn)
926 break;
927
928 conn = chan->conn;
929
930 /* change security for LE channels */
931 if (chan->scid == L2CAP_CID_ATT) {
932 if (smp_conn_security(conn->hcon, sec.level)) {
933 err = -EINVAL;
934 break;
935 }
936
937 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
938 sk->sk_state = BT_CONFIG;
939 chan->state = BT_CONFIG;
940
941 /* or for ACL link */
942 } else if ((sk->sk_state == BT_CONNECT2 &&
943 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
944 sk->sk_state == BT_CONNECTED) {
945 if (!l2cap_chan_check_security(chan, true))
946 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
947 else
948 sk->sk_state_change(sk);
949 } else {
950 err = -EINVAL;
951 }
952 break;
953
954 case BT_DEFER_SETUP:
955 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
956 err = -EINVAL;
957 break;
958 }
959
960 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
961 if (err)
962 break;
963
964 if (opt) {
965 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
966 set_bit(FLAG_DEFER_SETUP, &chan->flags);
967 } else {
968 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
969 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
970 }
971 break;
972
973 case BT_FLUSHABLE:
974 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
975 if (err)
976 break;
977
978 if (opt > BT_FLUSHABLE_ON) {
979 err = -EINVAL;
980 break;
981 }
982
983 if (opt == BT_FLUSHABLE_OFF) {
984 conn = chan->conn;
985 /* proceed further only when we have l2cap_conn and
986 No Flush support in the LM */
987 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
988 err = -EINVAL;
989 break;
990 }
991 }
992
993 if (opt)
994 set_bit(FLAG_FLUSHABLE, &chan->flags);
995 else
996 clear_bit(FLAG_FLUSHABLE, &chan->flags);
997 break;
998
999 case BT_POWER:
1000 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
1001 chan->chan_type != L2CAP_CHAN_RAW) {
1002 err = -EINVAL;
1003 break;
1004 }
1005
1006 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
1007
1008 err = copy_safe_from_sockptr(&pwr, sizeof(pwr), optval, optlen);
1009 if (err)
1010 break;
1011
1012 if (pwr.force_active)
1013 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1014 else
1015 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1016 break;
1017
1018 case BT_CHANNEL_POLICY:
1019 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
1020 if (err)
1021 break;
1022
1023 err = -EOPNOTSUPP;
1024 break;
1025
1026 case BT_SNDMTU:
1027 if (!bdaddr_type_is_le(chan->src_type)) {
1028 err = -EINVAL;
1029 break;
1030 }
1031
1032 /* Setting is not supported as it's the remote side that
1033 * decides this.
1034 */
1035 err = -EPERM;
1036 break;
1037
1038 case BT_RCVMTU:
1039 if (!bdaddr_type_is_le(chan->src_type)) {
1040 err = -EINVAL;
1041 break;
1042 }
1043
1044 if (chan->mode == L2CAP_MODE_LE_FLOWCTL &&
1045 sk->sk_state == BT_CONNECTED) {
1046 err = -EISCONN;
1047 break;
1048 }
1049
1050 err = copy_safe_from_sockptr(&mtu, sizeof(mtu), optval, optlen);
1051 if (err)
1052 break;
1053
1054 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
1055 sk->sk_state == BT_CONNECTED)
1056 err = l2cap_chan_reconfigure(chan, mtu);
1057 else
1058 chan->imtu = mtu;
1059
1060 break;
1061
1062 case BT_PHY:
1063 if (sk->sk_state != BT_CONNECTED) {
1064 err = -ENOTCONN;
1065 break;
1066 }
1067
1068 err = copy_safe_from_sockptr(&phys, sizeof(phys), optval,
1069 optlen);
1070 if (err)
1071 break;
1072
1073 if (!chan->conn)
1074 break;
1075
1076 conn = chan->conn;
1077 err = hci_conn_set_phy(conn->hcon, phys);
1078 break;
1079
1080 case BT_MODE:
1081 if (!enable_ecred) {
1082 err = -ENOPROTOOPT;
1083 break;
1084 }
1085
1086 BT_DBG("sk->sk_state %u", sk->sk_state);
1087
1088 if (sk->sk_state != BT_BOUND) {
1089 err = -EINVAL;
1090 break;
1091 }
1092
1093 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1094 err = -EINVAL;
1095 break;
1096 }
1097
1098 err = copy_safe_from_sockptr(&mode, sizeof(mode), optval,
1099 optlen);
1100 if (err)
1101 break;
1102
1103 BT_DBG("mode %u", mode);
1104
1105 err = l2cap_set_mode(chan, mode);
1106 if (err)
1107 break;
1108
1109 BT_DBG("mode 0x%2.2x", chan->mode);
1110
1111 break;
1112
1113 default:
1114 err = -ENOPROTOOPT;
1115 break;
1116 }
1117
1118 release_sock(sk);
1119 return err;
1120 }
1121
l2cap_sock_sendmsg(struct socket * sock,struct msghdr * msg,size_t len)1122 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1123 size_t len)
1124 {
1125 struct sock *sk = sock->sk;
1126 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1127 struct sockcm_cookie sockc;
1128 int err;
1129
1130 BT_DBG("sock %p, sk %p", sock, sk);
1131
1132 err = sock_error(sk);
1133 if (err)
1134 return err;
1135
1136 if (msg->msg_flags & MSG_OOB)
1137 return -EOPNOTSUPP;
1138
1139 if (sk->sk_state != BT_CONNECTED)
1140 return -ENOTCONN;
1141
1142 hci_sockcm_init(&sockc, sk);
1143
1144 if (msg->msg_controllen) {
1145 err = sock_cmsg_send(sk, msg, &sockc);
1146 if (err)
1147 return err;
1148 }
1149
1150 lock_sock(sk);
1151 err = bt_sock_wait_ready(sk, msg->msg_flags);
1152 release_sock(sk);
1153 if (err)
1154 return err;
1155
1156 l2cap_chan_lock(chan);
1157 err = l2cap_chan_send(chan, msg, len, &sockc);
1158 l2cap_chan_unlock(chan);
1159
1160 return err;
1161 }
1162
l2cap_publish_rx_avail(struct l2cap_chan * chan)1163 static void l2cap_publish_rx_avail(struct l2cap_chan *chan)
1164 {
1165 struct sock *sk = chan->data;
1166 ssize_t avail = sk->sk_rcvbuf - atomic_read(&sk->sk_rmem_alloc);
1167 int expected_skbs, skb_overhead;
1168
1169 if (avail <= 0) {
1170 l2cap_chan_rx_avail(chan, 0);
1171 return;
1172 }
1173
1174 if (!chan->mps) {
1175 l2cap_chan_rx_avail(chan, -1);
1176 return;
1177 }
1178
1179 /* Correct available memory by estimated sk_buff overhead.
1180 * This is significant due to small transfer sizes. However, accept
1181 * at least one full packet if receive space is non-zero.
1182 */
1183 expected_skbs = DIV_ROUND_UP(avail, chan->mps);
1184 skb_overhead = expected_skbs * sizeof(struct sk_buff);
1185 if (skb_overhead < avail)
1186 l2cap_chan_rx_avail(chan, avail - skb_overhead);
1187 else
1188 l2cap_chan_rx_avail(chan, -1);
1189 }
1190
l2cap_sock_recvmsg(struct socket * sock,struct msghdr * msg,size_t len,int flags)1191 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1192 size_t len, int flags)
1193 {
1194 struct sock *sk = sock->sk;
1195 struct l2cap_pinfo *pi = l2cap_pi(sk);
1196 int err;
1197
1198 if (unlikely(flags & MSG_ERRQUEUE))
1199 return sock_recv_errqueue(sk, msg, len, SOL_BLUETOOTH,
1200 BT_SCM_ERROR);
1201
1202 lock_sock(sk);
1203
1204 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
1205 &bt_sk(sk)->flags)) {
1206 if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
1207 sk->sk_state = BT_CONNECTED;
1208 pi->chan->state = BT_CONNECTED;
1209 __l2cap_ecred_conn_rsp_defer(pi->chan);
1210 } else if (bdaddr_type_is_le(pi->chan->src_type)) {
1211 sk->sk_state = BT_CONNECTED;
1212 pi->chan->state = BT_CONNECTED;
1213 __l2cap_le_connect_rsp_defer(pi->chan);
1214 } else {
1215 sk->sk_state = BT_CONFIG;
1216 pi->chan->state = BT_CONFIG;
1217 __l2cap_connect_rsp_defer(pi->chan);
1218 }
1219
1220 err = 0;
1221 goto done;
1222 }
1223
1224 release_sock(sk);
1225
1226 if (sock->type == SOCK_STREAM)
1227 err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1228 else
1229 err = bt_sock_recvmsg(sock, msg, len, flags);
1230
1231 if (pi->chan->mode != L2CAP_MODE_ERTM &&
1232 pi->chan->mode != L2CAP_MODE_LE_FLOWCTL &&
1233 pi->chan->mode != L2CAP_MODE_EXT_FLOWCTL)
1234 return err;
1235
1236 lock_sock(sk);
1237
1238 l2cap_publish_rx_avail(pi->chan);
1239
1240 /* Attempt to put pending rx data in the socket buffer */
1241 while (!list_empty(&pi->rx_busy)) {
1242 struct l2cap_rx_busy *rx_busy =
1243 list_first_entry(&pi->rx_busy,
1244 struct l2cap_rx_busy,
1245 list);
1246 if (__sock_queue_rcv_skb(sk, rx_busy->skb) < 0)
1247 goto done;
1248 list_del(&rx_busy->list);
1249 kfree(rx_busy);
1250 }
1251
1252 /* Restore data flow when half of the receive buffer is
1253 * available. This avoids resending large numbers of
1254 * frames.
1255 */
1256 if (test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state) &&
1257 atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1258 l2cap_chan_busy(pi->chan, 0);
1259
1260 done:
1261 release_sock(sk);
1262 return err;
1263 }
1264
1265 /* Kill socket (only if zapped and orphan)
1266 * Must be called on unlocked socket, with l2cap channel lock.
1267 */
l2cap_sock_kill(struct sock * sk)1268 static void l2cap_sock_kill(struct sock *sk)
1269 {
1270 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1271 return;
1272
1273 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1274
1275 /* Sock is dead, so set chan data to NULL, avoid other task use invalid
1276 * sock pointer.
1277 */
1278 l2cap_pi(sk)->chan->data = NULL;
1279 /* Kill poor orphan */
1280
1281 l2cap_chan_put(l2cap_pi(sk)->chan);
1282 sock_set_flag(sk, SOCK_DEAD);
1283 sock_put(sk);
1284 }
1285
__l2cap_wait_ack(struct sock * sk,struct l2cap_chan * chan)1286 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1287 {
1288 DECLARE_WAITQUEUE(wait, current);
1289 int err = 0;
1290 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1291 /* Timeout to prevent infinite loop */
1292 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1293
1294 add_wait_queue(sk_sleep(sk), &wait);
1295 set_current_state(TASK_INTERRUPTIBLE);
1296 do {
1297 BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1298 chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1299 jiffies_to_msecs(timeout - jiffies));
1300
1301 if (!timeo)
1302 timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1303
1304 if (signal_pending(current)) {
1305 err = sock_intr_errno(timeo);
1306 break;
1307 }
1308
1309 release_sock(sk);
1310 timeo = schedule_timeout(timeo);
1311 lock_sock(sk);
1312 set_current_state(TASK_INTERRUPTIBLE);
1313
1314 err = sock_error(sk);
1315 if (err)
1316 break;
1317
1318 if (time_after(jiffies, timeout)) {
1319 err = -ENOLINK;
1320 break;
1321 }
1322
1323 } while (chan->unacked_frames > 0 &&
1324 chan->state == BT_CONNECTED);
1325
1326 set_current_state(TASK_RUNNING);
1327 remove_wait_queue(sk_sleep(sk), &wait);
1328 return err;
1329 }
1330
l2cap_sock_shutdown(struct socket * sock,int how)1331 static int l2cap_sock_shutdown(struct socket *sock, int how)
1332 {
1333 struct sock *sk = sock->sk;
1334 struct l2cap_chan *chan;
1335 struct l2cap_conn *conn;
1336 int err = 0;
1337
1338 BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1339
1340 /* 'how' parameter is mapped to sk_shutdown as follows:
1341 * SHUT_RD (0) --> RCV_SHUTDOWN (1)
1342 * SHUT_WR (1) --> SEND_SHUTDOWN (2)
1343 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3)
1344 */
1345 how++;
1346
1347 if (!sk)
1348 return 0;
1349
1350 lock_sock(sk);
1351
1352 if ((sk->sk_shutdown & how) == how)
1353 goto shutdown_already;
1354
1355 BT_DBG("Handling sock shutdown");
1356
1357 /* prevent sk structure from being freed whilst unlocked */
1358 sock_hold(sk);
1359
1360 /* prevent chan structure from being freed whilst unlocked */
1361 chan = l2cap_chan_hold_unless_zero(l2cap_pi(sk)->chan);
1362 if (!chan)
1363 goto shutdown_already;
1364
1365 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1366
1367 if (chan->mode == L2CAP_MODE_ERTM &&
1368 chan->unacked_frames > 0 &&
1369 chan->state == BT_CONNECTED) {
1370 err = __l2cap_wait_ack(sk, chan);
1371
1372 /* After waiting for ACKs, check whether shutdown
1373 * has already been actioned to close the L2CAP
1374 * link such as by l2cap_disconnection_req().
1375 */
1376 if ((sk->sk_shutdown & how) == how)
1377 goto shutdown_matched;
1378 }
1379
1380 /* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN
1381 * is already set
1382 */
1383 if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) {
1384 sk->sk_shutdown |= RCV_SHUTDOWN;
1385 if ((sk->sk_shutdown & how) == how)
1386 goto shutdown_matched;
1387 }
1388
1389 sk->sk_shutdown |= SEND_SHUTDOWN;
1390 release_sock(sk);
1391
1392 l2cap_chan_lock(chan);
1393 /* prevent conn structure from being freed */
1394 conn = l2cap_conn_hold_unless_zero(chan->conn);
1395 l2cap_chan_unlock(chan);
1396
1397 if (conn)
1398 /* mutex lock must be taken before l2cap_chan_lock() */
1399 mutex_lock(&conn->lock);
1400
1401 l2cap_chan_lock(chan);
1402 l2cap_chan_close(chan, 0);
1403 l2cap_chan_unlock(chan);
1404
1405 if (conn) {
1406 mutex_unlock(&conn->lock);
1407 l2cap_conn_put(conn);
1408 }
1409
1410 lock_sock(sk);
1411
1412 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1413 !(current->flags & PF_EXITING))
1414 err = bt_sock_wait_state(sk, BT_CLOSED,
1415 sk->sk_lingertime);
1416
1417 shutdown_matched:
1418 l2cap_chan_put(chan);
1419 sock_put(sk);
1420
1421 shutdown_already:
1422 if (!err && sk->sk_err)
1423 err = -sk->sk_err;
1424
1425 release_sock(sk);
1426
1427 BT_DBG("Sock shutdown complete err: %d", err);
1428
1429 return err;
1430 }
1431
l2cap_sock_release(struct socket * sock)1432 static int l2cap_sock_release(struct socket *sock)
1433 {
1434 struct sock *sk = sock->sk;
1435 int err;
1436 struct l2cap_chan *chan;
1437
1438 BT_DBG("sock %p, sk %p", sock, sk);
1439
1440 if (!sk)
1441 return 0;
1442
1443 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
1444 l2cap_sock_cleanup_listen(sk);
1445 release_sock(sk);
1446
1447 bt_sock_unlink(&l2cap_sk_list, sk);
1448
1449 err = l2cap_sock_shutdown(sock, SHUT_RDWR);
1450 chan = l2cap_pi(sk)->chan;
1451
1452 l2cap_chan_hold(chan);
1453 l2cap_chan_lock(chan);
1454
1455 sock_orphan(sk);
1456 l2cap_sock_kill(sk);
1457
1458 l2cap_chan_unlock(chan);
1459 l2cap_chan_put(chan);
1460
1461 return err;
1462 }
1463
l2cap_sock_cleanup_listen(struct sock * parent)1464 static void l2cap_sock_cleanup_listen(struct sock *parent)
1465 {
1466 struct sock *sk;
1467
1468 BT_DBG("parent %p state %s", parent,
1469 state_to_string(parent->sk_state));
1470
1471 /* Close not yet accepted channels */
1472 while ((sk = bt_accept_dequeue(parent, NULL))) {
1473 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1474
1475 BT_DBG("child chan %p state %s", chan,
1476 state_to_string(chan->state));
1477
1478 l2cap_chan_hold(chan);
1479 l2cap_chan_lock(chan);
1480
1481 __clear_chan_timer(chan);
1482 l2cap_chan_close(chan, ECONNRESET);
1483 l2cap_sock_kill(sk);
1484
1485 l2cap_chan_unlock(chan);
1486 l2cap_chan_put(chan);
1487 }
1488 }
1489
l2cap_sock_new_connection_cb(struct l2cap_chan * chan)1490 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1491 {
1492 struct sock *sk, *parent = chan->data;
1493
1494 lock_sock(parent);
1495
1496 /* Check for backlog size */
1497 if (sk_acceptq_is_full(parent)) {
1498 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1499 release_sock(parent);
1500 return NULL;
1501 }
1502
1503 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1504 GFP_ATOMIC, 0);
1505 if (!sk) {
1506 release_sock(parent);
1507 return NULL;
1508 }
1509
1510 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1511
1512 l2cap_sock_init(sk, parent);
1513
1514 bt_accept_enqueue(parent, sk, false);
1515
1516 release_sock(parent);
1517
1518 return l2cap_pi(sk)->chan;
1519 }
1520
l2cap_sock_recv_cb(struct l2cap_chan * chan,struct sk_buff * skb)1521 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1522 {
1523 struct sock *sk;
1524 struct l2cap_pinfo *pi;
1525 int err;
1526
1527 sk = chan->data;
1528 if (!sk)
1529 return -ENXIO;
1530
1531 pi = l2cap_pi(sk);
1532 lock_sock(sk);
1533 if (chan->mode == L2CAP_MODE_ERTM && !list_empty(&pi->rx_busy)) {
1534 err = -ENOMEM;
1535 goto done;
1536 }
1537
1538 if (chan->mode != L2CAP_MODE_ERTM &&
1539 chan->mode != L2CAP_MODE_STREAMING &&
1540 chan->mode != L2CAP_MODE_LE_FLOWCTL &&
1541 chan->mode != L2CAP_MODE_EXT_FLOWCTL) {
1542 /* Even if no filter is attached, we could potentially
1543 * get errors from security modules, etc.
1544 */
1545 err = sk_filter(sk, skb);
1546 if (err)
1547 goto done;
1548 }
1549
1550 err = __sock_queue_rcv_skb(sk, skb);
1551
1552 l2cap_publish_rx_avail(chan);
1553
1554 /* For ERTM and LE, handle a skb that doesn't fit into the recv
1555 * buffer. This is important to do because the data frames
1556 * have already been acked, so the skb cannot be discarded.
1557 *
1558 * Notify the l2cap core that the buffer is full, so the
1559 * LOCAL_BUSY state is entered and no more frames are
1560 * acked and reassembled until there is buffer space
1561 * available.
1562 */
1563 if (err < 0 &&
1564 (chan->mode == L2CAP_MODE_ERTM ||
1565 chan->mode == L2CAP_MODE_LE_FLOWCTL ||
1566 chan->mode == L2CAP_MODE_EXT_FLOWCTL)) {
1567 struct l2cap_rx_busy *rx_busy = kmalloc_obj(*rx_busy);
1568 if (!rx_busy) {
1569 err = -ENOMEM;
1570 goto done;
1571 }
1572 rx_busy->skb = skb;
1573 list_add_tail(&rx_busy->list, &pi->rx_busy);
1574 l2cap_chan_busy(chan, 1);
1575 err = 0;
1576 }
1577
1578 done:
1579 release_sock(sk);
1580
1581 return err;
1582 }
1583
l2cap_sock_close_cb(struct l2cap_chan * chan)1584 static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1585 {
1586 struct sock *sk = chan->data;
1587
1588 if (!sk)
1589 return;
1590
1591 l2cap_sock_kill(sk);
1592 }
1593
l2cap_sock_teardown_cb(struct l2cap_chan * chan,int err)1594 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1595 {
1596 struct sock *sk = chan->data;
1597 struct sock *parent;
1598
1599 if (!sk)
1600 return;
1601
1602 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1603
1604 /* This callback can be called both for server (BT_LISTEN)
1605 * sockets as well as "normal" ones. To avoid lockdep warnings
1606 * with child socket locking (through l2cap_sock_cleanup_listen)
1607 * we need separation into separate nesting levels. The simplest
1608 * way to accomplish this is to inherit the nesting level used
1609 * for the channel.
1610 */
1611 lock_sock_nested(sk, atomic_read(&chan->nesting));
1612
1613 parent = bt_sk(sk)->parent;
1614
1615 switch (chan->state) {
1616 case BT_OPEN:
1617 case BT_BOUND:
1618 case BT_CLOSED:
1619 break;
1620 case BT_LISTEN:
1621 l2cap_sock_cleanup_listen(sk);
1622 sk->sk_state = BT_CLOSED;
1623 chan->state = BT_CLOSED;
1624
1625 break;
1626 default:
1627 sk->sk_state = BT_CLOSED;
1628 chan->state = BT_CLOSED;
1629
1630 sk->sk_err = err;
1631
1632 if (parent) {
1633 bt_accept_unlink(sk);
1634 parent->sk_data_ready(parent);
1635 } else {
1636 sk->sk_state_change(sk);
1637 }
1638
1639 break;
1640 }
1641 release_sock(sk);
1642
1643 /* Only zap after cleanup to avoid use after free race */
1644 sock_set_flag(sk, SOCK_ZAPPED);
1645
1646 }
1647
l2cap_sock_state_change_cb(struct l2cap_chan * chan,int state,int err)1648 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1649 int err)
1650 {
1651 struct sock *sk = chan->data;
1652
1653 sk->sk_state = state;
1654
1655 if (err)
1656 sk->sk_err = err;
1657 }
1658
l2cap_sock_alloc_skb_cb(struct l2cap_chan * chan,unsigned long hdr_len,unsigned long len,int nb)1659 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1660 unsigned long hdr_len,
1661 unsigned long len, int nb)
1662 {
1663 struct sock *sk = chan->data;
1664 struct sk_buff *skb;
1665 int err;
1666
1667 l2cap_chan_unlock(chan);
1668 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1669 l2cap_chan_lock(chan);
1670
1671 if (!skb)
1672 return ERR_PTR(err);
1673
1674 /* Channel lock is released before requesting new skb and then
1675 * reacquired thus we need to recheck channel state.
1676 */
1677 if (chan->state != BT_CONNECTED) {
1678 kfree_skb(skb);
1679 return ERR_PTR(-ENOTCONN);
1680 }
1681
1682 skb->priority = READ_ONCE(sk->sk_priority);
1683
1684 bt_cb(skb)->l2cap.chan = chan;
1685
1686 return skb;
1687 }
1688
l2cap_sock_ready_cb(struct l2cap_chan * chan)1689 static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1690 {
1691 struct sock *sk = chan->data;
1692 struct sock *parent;
1693
1694 lock_sock(sk);
1695
1696 parent = bt_sk(sk)->parent;
1697
1698 BT_DBG("sk %p, parent %p", sk, parent);
1699
1700 sk->sk_state = BT_CONNECTED;
1701 sk->sk_state_change(sk);
1702
1703 if (parent)
1704 parent->sk_data_ready(parent);
1705
1706 release_sock(sk);
1707 }
1708
l2cap_sock_defer_cb(struct l2cap_chan * chan)1709 static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1710 {
1711 struct sock *parent, *sk = chan->data;
1712
1713 lock_sock(sk);
1714
1715 parent = bt_sk(sk)->parent;
1716 if (parent)
1717 parent->sk_data_ready(parent);
1718
1719 release_sock(sk);
1720 }
1721
l2cap_sock_resume_cb(struct l2cap_chan * chan)1722 static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1723 {
1724 struct sock *sk = chan->data;
1725
1726 if (!sk)
1727 return;
1728
1729 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1730 sk->sk_state = BT_CONNECTED;
1731 chan->state = BT_CONNECTED;
1732 }
1733
1734 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1735 sk->sk_state_change(sk);
1736 }
1737
l2cap_sock_set_shutdown_cb(struct l2cap_chan * chan)1738 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1739 {
1740 struct sock *sk = chan->data;
1741
1742 lock_sock(sk);
1743 sk->sk_shutdown = SHUTDOWN_MASK;
1744 release_sock(sk);
1745 }
1746
l2cap_sock_get_sndtimeo_cb(struct l2cap_chan * chan)1747 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1748 {
1749 struct sock *sk = chan->data;
1750
1751 return READ_ONCE(sk->sk_sndtimeo);
1752 }
1753
l2cap_sock_get_peer_pid_cb(struct l2cap_chan * chan)1754 static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan)
1755 {
1756 struct sock *sk = chan->data;
1757
1758 return sk->sk_peer_pid;
1759 }
1760
l2cap_sock_suspend_cb(struct l2cap_chan * chan)1761 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1762 {
1763 struct sock *sk = chan->data;
1764
1765 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1766 sk->sk_state_change(sk);
1767 }
1768
l2cap_sock_filter(struct l2cap_chan * chan,struct sk_buff * skb)1769 static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
1770 {
1771 struct sock *sk = chan->data;
1772
1773 switch (chan->mode) {
1774 case L2CAP_MODE_ERTM:
1775 case L2CAP_MODE_STREAMING:
1776 return sk_filter(sk, skb);
1777 }
1778
1779 return 0;
1780 }
1781
1782 static const struct l2cap_ops l2cap_chan_ops = {
1783 .name = "L2CAP Socket Interface",
1784 .new_connection = l2cap_sock_new_connection_cb,
1785 .recv = l2cap_sock_recv_cb,
1786 .close = l2cap_sock_close_cb,
1787 .teardown = l2cap_sock_teardown_cb,
1788 .state_change = l2cap_sock_state_change_cb,
1789 .ready = l2cap_sock_ready_cb,
1790 .defer = l2cap_sock_defer_cb,
1791 .resume = l2cap_sock_resume_cb,
1792 .suspend = l2cap_sock_suspend_cb,
1793 .set_shutdown = l2cap_sock_set_shutdown_cb,
1794 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1795 .get_peer_pid = l2cap_sock_get_peer_pid_cb,
1796 .alloc_skb = l2cap_sock_alloc_skb_cb,
1797 .filter = l2cap_sock_filter,
1798 };
1799
l2cap_sock_destruct(struct sock * sk)1800 static void l2cap_sock_destruct(struct sock *sk)
1801 {
1802 struct l2cap_rx_busy *rx_busy, *next;
1803
1804 BT_DBG("sk %p", sk);
1805
1806 if (l2cap_pi(sk)->chan) {
1807 l2cap_pi(sk)->chan->data = NULL;
1808 l2cap_chan_put(l2cap_pi(sk)->chan);
1809 }
1810
1811 list_for_each_entry_safe(rx_busy, next, &l2cap_pi(sk)->rx_busy, list) {
1812 kfree_skb(rx_busy->skb);
1813 list_del(&rx_busy->list);
1814 kfree(rx_busy);
1815 }
1816
1817 skb_queue_purge(&sk->sk_receive_queue);
1818 skb_queue_purge(&sk->sk_write_queue);
1819 }
1820
l2cap_skb_msg_name(struct sk_buff * skb,void * msg_name,int * msg_namelen)1821 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1822 int *msg_namelen)
1823 {
1824 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1825
1826 memset(la, 0, sizeof(struct sockaddr_l2));
1827 la->l2_family = AF_BLUETOOTH;
1828 la->l2_psm = bt_cb(skb)->l2cap.psm;
1829 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1830
1831 *msg_namelen = sizeof(struct sockaddr_l2);
1832 }
1833
l2cap_sock_init(struct sock * sk,struct sock * parent)1834 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1835 {
1836 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1837
1838 BT_DBG("sk %p", sk);
1839
1840 if (parent) {
1841 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1842
1843 sk->sk_type = parent->sk_type;
1844 bt_sk(sk)->flags = bt_sk(parent)->flags;
1845
1846 chan->chan_type = pchan->chan_type;
1847 chan->imtu = pchan->imtu;
1848 chan->omtu = pchan->omtu;
1849 chan->conf_state = pchan->conf_state;
1850 chan->mode = pchan->mode;
1851 chan->fcs = pchan->fcs;
1852 chan->max_tx = pchan->max_tx;
1853 chan->tx_win = pchan->tx_win;
1854 chan->tx_win_max = pchan->tx_win_max;
1855 chan->sec_level = pchan->sec_level;
1856 chan->flags = pchan->flags;
1857 chan->tx_credits = pchan->tx_credits;
1858 chan->rx_credits = pchan->rx_credits;
1859
1860 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1861 chan->scid = pchan->scid;
1862 chan->dcid = pchan->scid;
1863 }
1864
1865 security_sk_clone(parent, sk);
1866 } else {
1867 switch (sk->sk_type) {
1868 case SOCK_RAW:
1869 chan->chan_type = L2CAP_CHAN_RAW;
1870 break;
1871 case SOCK_DGRAM:
1872 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1873 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1874 break;
1875 case SOCK_SEQPACKET:
1876 case SOCK_STREAM:
1877 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1878 break;
1879 }
1880
1881 chan->imtu = L2CAP_DEFAULT_MTU;
1882 chan->omtu = 0;
1883 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1884 chan->mode = L2CAP_MODE_ERTM;
1885 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1886 } else {
1887 chan->mode = L2CAP_MODE_BASIC;
1888 }
1889
1890 l2cap_chan_set_defaults(chan);
1891 }
1892
1893 /* Default config options */
1894 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1895
1896 chan->data = sk;
1897 chan->ops = &l2cap_chan_ops;
1898
1899 l2cap_publish_rx_avail(chan);
1900 }
1901
1902 static struct proto l2cap_proto = {
1903 .name = "L2CAP",
1904 .owner = THIS_MODULE,
1905 .obj_size = sizeof(struct l2cap_pinfo)
1906 };
1907
l2cap_sock_alloc(struct net * net,struct socket * sock,int proto,gfp_t prio,int kern)1908 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1909 int proto, gfp_t prio, int kern)
1910 {
1911 struct sock *sk;
1912 struct l2cap_chan *chan;
1913
1914 sk = bt_sock_alloc(net, sock, &l2cap_proto, proto, prio, kern);
1915 if (!sk)
1916 return NULL;
1917
1918 sk->sk_destruct = l2cap_sock_destruct;
1919 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1920
1921 INIT_LIST_HEAD(&l2cap_pi(sk)->rx_busy);
1922
1923 chan = l2cap_chan_create();
1924 if (!chan) {
1925 sk_free(sk);
1926 if (sock)
1927 sock->sk = NULL;
1928 return NULL;
1929 }
1930
1931 l2cap_chan_hold(chan);
1932
1933 l2cap_pi(sk)->chan = chan;
1934
1935 return sk;
1936 }
1937
l2cap_sock_create(struct net * net,struct socket * sock,int protocol,int kern)1938 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1939 int kern)
1940 {
1941 struct sock *sk;
1942
1943 BT_DBG("sock %p", sock);
1944
1945 sock->state = SS_UNCONNECTED;
1946
1947 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1948 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1949 return -ESOCKTNOSUPPORT;
1950
1951 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1952 return -EPERM;
1953
1954 sock->ops = &l2cap_sock_ops;
1955
1956 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1957 if (!sk)
1958 return -ENOMEM;
1959
1960 l2cap_sock_init(sk, NULL);
1961 bt_sock_link(&l2cap_sk_list, sk);
1962 return 0;
1963 }
1964
1965 static const struct proto_ops l2cap_sock_ops = {
1966 .family = PF_BLUETOOTH,
1967 .owner = THIS_MODULE,
1968 .release = l2cap_sock_release,
1969 .bind = l2cap_sock_bind,
1970 .connect = l2cap_sock_connect,
1971 .listen = l2cap_sock_listen,
1972 .accept = l2cap_sock_accept,
1973 .getname = l2cap_sock_getname,
1974 .sendmsg = l2cap_sock_sendmsg,
1975 .recvmsg = l2cap_sock_recvmsg,
1976 .poll = bt_sock_poll,
1977 .ioctl = bt_sock_ioctl,
1978 .gettstamp = sock_gettstamp,
1979 .mmap = sock_no_mmap,
1980 .socketpair = sock_no_socketpair,
1981 .shutdown = l2cap_sock_shutdown,
1982 .setsockopt = l2cap_sock_setsockopt,
1983 .getsockopt = l2cap_sock_getsockopt
1984 };
1985
1986 static const struct net_proto_family l2cap_sock_family_ops = {
1987 .family = PF_BLUETOOTH,
1988 .owner = THIS_MODULE,
1989 .create = l2cap_sock_create,
1990 };
1991
l2cap_init_sockets(void)1992 int __init l2cap_init_sockets(void)
1993 {
1994 int err;
1995
1996 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1997
1998 err = proto_register(&l2cap_proto, 0);
1999 if (err < 0)
2000 return err;
2001
2002 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
2003 if (err < 0) {
2004 BT_ERR("L2CAP socket registration failed");
2005 goto error;
2006 }
2007
2008 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
2009 NULL);
2010 if (err < 0) {
2011 BT_ERR("Failed to create L2CAP proc file");
2012 bt_sock_unregister(BTPROTO_L2CAP);
2013 goto error;
2014 }
2015
2016 BT_INFO("L2CAP socket layer initialized");
2017
2018 return 0;
2019
2020 error:
2021 proto_unregister(&l2cap_proto);
2022 return err;
2023 }
2024
l2cap_cleanup_sockets(void)2025 void l2cap_cleanup_sockets(void)
2026 {
2027 bt_procfs_cleanup(&init_net, "l2cap");
2028 bt_sock_unregister(BTPROTO_L2CAP);
2029 proto_unregister(&l2cap_proto);
2030 }
2031