1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org> 5 Copyright (C) 2010 Google Inc. 6 Copyright (C) 2011 ProFUSION Embedded Systems 7 8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 9 10 This program is free software; you can redistribute it and/or modify 11 it under the terms of the GNU General Public License version 2 as 12 published by the Free Software Foundation; 13 14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 22 23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 25 SOFTWARE IS DISCLAIMED. 26 */ 27 28 /* Bluetooth L2CAP sockets. */ 29 30 #include <linux/module.h> 31 #include <linux/export.h> 32 #include <linux/sched/signal.h> 33 34 #include <net/bluetooth/bluetooth.h> 35 #include <net/bluetooth/hci_core.h> 36 #include <net/bluetooth/l2cap.h> 37 38 #include "smp.h" 39 40 static struct bt_sock_list l2cap_sk_list = { 41 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock) 42 }; 43 44 static const struct proto_ops l2cap_sock_ops; 45 static void l2cap_sock_init(struct sock *sk, struct sock *parent); 46 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, 47 int proto, gfp_t prio, int kern); 48 49 bool l2cap_is_socket(struct socket *sock) 50 { 51 return sock && sock->ops == &l2cap_sock_ops; 52 } 53 EXPORT_SYMBOL(l2cap_is_socket); 54 55 static int l2cap_validate_bredr_psm(u16 psm) 56 { 57 /* PSM must be odd and lsb of upper byte must be 0 */ 58 if ((psm & 0x0101) != 0x0001) 59 return -EINVAL; 60 61 /* Restrict usage of well-known PSMs */ 62 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE)) 63 return -EACCES; 64 65 return 0; 66 } 67 68 static int l2cap_validate_le_psm(u16 psm) 69 { 70 /* Valid LE_PSM ranges are defined only until 0x00ff */ 71 if (psm > L2CAP_PSM_LE_DYN_END) 72 return -EINVAL; 73 74 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */ 75 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE)) 76 return -EACCES; 77 78 return 0; 79 } 80 81 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) 82 { 83 struct sock *sk = sock->sk; 84 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 85 struct sockaddr_l2 la; 86 int len, err = 0; 87 88 BT_DBG("sk %p", sk); 89 90 if (!addr || alen < offsetofend(struct sockaddr, sa_family) || 91 addr->sa_family != AF_BLUETOOTH) 92 return -EINVAL; 93 94 memset(&la, 0, sizeof(la)); 95 len = min_t(unsigned int, sizeof(la), alen); 96 memcpy(&la, addr, len); 97 98 if (la.l2_cid && la.l2_psm) 99 return -EINVAL; 100 101 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) 102 return -EINVAL; 103 104 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 105 /* We only allow ATT user space socket */ 106 if (la.l2_cid && 107 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) 108 return -EINVAL; 109 } 110 111 lock_sock(sk); 112 113 if (sk->sk_state != BT_OPEN) { 114 err = -EBADFD; 115 goto done; 116 } 117 118 if (la.l2_psm) { 119 __u16 psm = __le16_to_cpu(la.l2_psm); 120 121 if (la.l2_bdaddr_type == BDADDR_BREDR) 122 err = l2cap_validate_bredr_psm(psm); 123 else 124 err = l2cap_validate_le_psm(psm); 125 126 if (err) 127 goto done; 128 } 129 130 bacpy(&chan->src, &la.l2_bdaddr); 131 chan->src_type = la.l2_bdaddr_type; 132 133 if (la.l2_cid) 134 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid)); 135 else 136 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm); 137 138 if (err < 0) 139 goto done; 140 141 switch (chan->chan_type) { 142 case L2CAP_CHAN_CONN_LESS: 143 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP) 144 chan->sec_level = BT_SECURITY_SDP; 145 break; 146 case L2CAP_CHAN_CONN_ORIENTED: 147 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP || 148 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM) 149 chan->sec_level = BT_SECURITY_SDP; 150 break; 151 case L2CAP_CHAN_RAW: 152 chan->sec_level = BT_SECURITY_SDP; 153 break; 154 case L2CAP_CHAN_FIXED: 155 /* Fixed channels default to the L2CAP core not holding a 156 * hci_conn reference for them. For fixed channels mapping to 157 * L2CAP sockets we do want to hold a reference so set the 158 * appropriate flag to request it. 159 */ 160 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags); 161 break; 162 } 163 164 if (chan->psm && bdaddr_type_is_le(chan->src_type)) 165 chan->mode = L2CAP_MODE_LE_FLOWCTL; 166 167 chan->state = BT_BOUND; 168 sk->sk_state = BT_BOUND; 169 170 done: 171 release_sock(sk); 172 return err; 173 } 174 175 static void l2cap_sock_init_pid(struct sock *sk) 176 { 177 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 178 179 /* Only L2CAP_MODE_EXT_FLOWCTL ever need to access the PID in order to 180 * group the channels being requested. 181 */ 182 if (chan->mode != L2CAP_MODE_EXT_FLOWCTL) 183 return; 184 185 spin_lock(&sk->sk_peer_lock); 186 sk->sk_peer_pid = get_pid(task_tgid(current)); 187 spin_unlock(&sk->sk_peer_lock); 188 } 189 190 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, 191 int alen, int flags) 192 { 193 struct sock *sk = sock->sk; 194 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 195 struct sockaddr_l2 la; 196 int len, err = 0; 197 bool zapped; 198 199 BT_DBG("sk %p", sk); 200 201 lock_sock(sk); 202 zapped = sock_flag(sk, SOCK_ZAPPED); 203 release_sock(sk); 204 205 if (zapped) 206 return -EINVAL; 207 208 if (!addr || alen < offsetofend(struct sockaddr, sa_family) || 209 addr->sa_family != AF_BLUETOOTH) 210 return -EINVAL; 211 212 memset(&la, 0, sizeof(la)); 213 len = min_t(unsigned int, sizeof(la), alen); 214 memcpy(&la, addr, len); 215 216 if (la.l2_cid && la.l2_psm) 217 return -EINVAL; 218 219 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) 220 return -EINVAL; 221 222 /* Check that the socket wasn't bound to something that 223 * conflicts with the address given to connect(). If chan->src 224 * is BDADDR_ANY it means bind() was never used, in which case 225 * chan->src_type and la.l2_bdaddr_type do not need to match. 226 */ 227 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) && 228 bdaddr_type_is_le(la.l2_bdaddr_type)) { 229 /* Old user space versions will try to incorrectly bind 230 * the ATT socket using BDADDR_BREDR. We need to accept 231 * this and fix up the source address type only when 232 * both the source CID and destination CID indicate 233 * ATT. Anything else is an invalid combination. 234 */ 235 if (chan->scid != L2CAP_CID_ATT || 236 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) 237 return -EINVAL; 238 239 /* We don't have the hdev available here to make a 240 * better decision on random vs public, but since all 241 * user space versions that exhibit this issue anyway do 242 * not support random local addresses assuming public 243 * here is good enough. 244 */ 245 chan->src_type = BDADDR_LE_PUBLIC; 246 } 247 248 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR) 249 return -EINVAL; 250 251 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 252 /* We only allow ATT user space socket */ 253 if (la.l2_cid && 254 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) 255 return -EINVAL; 256 } 257 258 if (chan->psm && bdaddr_type_is_le(chan->src_type) && !chan->mode) 259 chan->mode = L2CAP_MODE_LE_FLOWCTL; 260 261 l2cap_sock_init_pid(sk); 262 263 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid), 264 &la.l2_bdaddr, la.l2_bdaddr_type); 265 if (err) 266 return err; 267 268 lock_sock(sk); 269 270 err = bt_sock_wait_state(sk, BT_CONNECTED, 271 sock_sndtimeo(sk, flags & O_NONBLOCK)); 272 273 release_sock(sk); 274 275 return err; 276 } 277 278 static int l2cap_sock_listen(struct socket *sock, int backlog) 279 { 280 struct sock *sk = sock->sk; 281 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 282 int err = 0; 283 284 BT_DBG("sk %p backlog %d", sk, backlog); 285 286 lock_sock(sk); 287 288 if (sk->sk_state != BT_BOUND) { 289 err = -EBADFD; 290 goto done; 291 } 292 293 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) { 294 err = -EINVAL; 295 goto done; 296 } 297 298 switch (chan->mode) { 299 case L2CAP_MODE_BASIC: 300 case L2CAP_MODE_LE_FLOWCTL: 301 break; 302 case L2CAP_MODE_EXT_FLOWCTL: 303 if (!enable_ecred) { 304 err = -EOPNOTSUPP; 305 goto done; 306 } 307 break; 308 case L2CAP_MODE_ERTM: 309 case L2CAP_MODE_STREAMING: 310 if (!disable_ertm) 311 break; 312 fallthrough; 313 default: 314 err = -EOPNOTSUPP; 315 goto done; 316 } 317 318 l2cap_sock_init_pid(sk); 319 320 sk->sk_max_ack_backlog = backlog; 321 sk->sk_ack_backlog = 0; 322 323 /* Listening channels need to use nested locking in order not to 324 * cause lockdep warnings when the created child channels end up 325 * being locked in the same thread as the parent channel. 326 */ 327 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT); 328 329 chan->state = BT_LISTEN; 330 sk->sk_state = BT_LISTEN; 331 332 done: 333 release_sock(sk); 334 return err; 335 } 336 337 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, 338 int flags, bool kern) 339 { 340 DEFINE_WAIT_FUNC(wait, woken_wake_function); 341 struct sock *sk = sock->sk, *nsk; 342 long timeo; 343 int err = 0; 344 345 lock_sock_nested(sk, L2CAP_NESTING_PARENT); 346 347 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK); 348 349 BT_DBG("sk %p timeo %ld", sk, timeo); 350 351 /* Wait for an incoming connection. (wake-one). */ 352 add_wait_queue_exclusive(sk_sleep(sk), &wait); 353 while (1) { 354 if (sk->sk_state != BT_LISTEN) { 355 err = -EBADFD; 356 break; 357 } 358 359 nsk = bt_accept_dequeue(sk, newsock); 360 if (nsk) 361 break; 362 363 if (!timeo) { 364 err = -EAGAIN; 365 break; 366 } 367 368 if (signal_pending(current)) { 369 err = sock_intr_errno(timeo); 370 break; 371 } 372 373 release_sock(sk); 374 375 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo); 376 377 lock_sock_nested(sk, L2CAP_NESTING_PARENT); 378 } 379 remove_wait_queue(sk_sleep(sk), &wait); 380 381 if (err) 382 goto done; 383 384 newsock->state = SS_CONNECTED; 385 386 BT_DBG("new socket %p", nsk); 387 388 done: 389 release_sock(sk); 390 return err; 391 } 392 393 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, 394 int peer) 395 { 396 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr; 397 struct sock *sk = sock->sk; 398 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 399 400 BT_DBG("sock %p, sk %p", sock, sk); 401 402 if (peer && sk->sk_state != BT_CONNECTED && 403 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 && 404 sk->sk_state != BT_CONFIG) 405 return -ENOTCONN; 406 407 memset(la, 0, sizeof(struct sockaddr_l2)); 408 addr->sa_family = AF_BLUETOOTH; 409 410 la->l2_psm = chan->psm; 411 412 if (peer) { 413 bacpy(&la->l2_bdaddr, &chan->dst); 414 la->l2_cid = cpu_to_le16(chan->dcid); 415 la->l2_bdaddr_type = chan->dst_type; 416 } else { 417 bacpy(&la->l2_bdaddr, &chan->src); 418 la->l2_cid = cpu_to_le16(chan->scid); 419 la->l2_bdaddr_type = chan->src_type; 420 } 421 422 return sizeof(struct sockaddr_l2); 423 } 424 425 static int l2cap_get_mode(struct l2cap_chan *chan) 426 { 427 switch (chan->mode) { 428 case L2CAP_MODE_BASIC: 429 return BT_MODE_BASIC; 430 case L2CAP_MODE_ERTM: 431 return BT_MODE_ERTM; 432 case L2CAP_MODE_STREAMING: 433 return BT_MODE_STREAMING; 434 case L2CAP_MODE_LE_FLOWCTL: 435 return BT_MODE_LE_FLOWCTL; 436 case L2CAP_MODE_EXT_FLOWCTL: 437 return BT_MODE_EXT_FLOWCTL; 438 } 439 440 return -EINVAL; 441 } 442 443 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, 444 char __user *optval, int __user *optlen) 445 { 446 struct sock *sk = sock->sk; 447 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 448 struct l2cap_options opts; 449 struct l2cap_conninfo cinfo; 450 int len, err = 0; 451 u32 opt; 452 453 BT_DBG("sk %p", sk); 454 455 if (get_user(len, optlen)) 456 return -EFAULT; 457 458 lock_sock(sk); 459 460 switch (optname) { 461 case L2CAP_OPTIONS: 462 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since 463 * legacy ATT code depends on getsockopt for 464 * L2CAP_OPTIONS we need to let this pass. 465 */ 466 if (bdaddr_type_is_le(chan->src_type) && 467 chan->scid != L2CAP_CID_ATT) { 468 err = -EINVAL; 469 break; 470 } 471 472 /* Only BR/EDR modes are supported here */ 473 switch (chan->mode) { 474 case L2CAP_MODE_BASIC: 475 case L2CAP_MODE_ERTM: 476 case L2CAP_MODE_STREAMING: 477 break; 478 default: 479 err = -EINVAL; 480 break; 481 } 482 483 if (err < 0) 484 break; 485 486 memset(&opts, 0, sizeof(opts)); 487 opts.imtu = chan->imtu; 488 opts.omtu = chan->omtu; 489 opts.flush_to = chan->flush_to; 490 opts.mode = chan->mode; 491 opts.fcs = chan->fcs; 492 opts.max_tx = chan->max_tx; 493 opts.txwin_size = chan->tx_win; 494 495 BT_DBG("mode 0x%2.2x", chan->mode); 496 497 len = min_t(unsigned int, len, sizeof(opts)); 498 if (copy_to_user(optval, (char *) &opts, len)) 499 err = -EFAULT; 500 501 break; 502 503 case L2CAP_LM: 504 switch (chan->sec_level) { 505 case BT_SECURITY_LOW: 506 opt = L2CAP_LM_AUTH; 507 break; 508 case BT_SECURITY_MEDIUM: 509 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT; 510 break; 511 case BT_SECURITY_HIGH: 512 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT | 513 L2CAP_LM_SECURE; 514 break; 515 case BT_SECURITY_FIPS: 516 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT | 517 L2CAP_LM_SECURE | L2CAP_LM_FIPS; 518 break; 519 default: 520 opt = 0; 521 break; 522 } 523 524 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags)) 525 opt |= L2CAP_LM_MASTER; 526 527 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags)) 528 opt |= L2CAP_LM_RELIABLE; 529 530 if (put_user(opt, (u32 __user *) optval)) 531 err = -EFAULT; 532 533 break; 534 535 case L2CAP_CONNINFO: 536 if (sk->sk_state != BT_CONNECTED && 537 !(sk->sk_state == BT_CONNECT2 && 538 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) { 539 err = -ENOTCONN; 540 break; 541 } 542 543 memset(&cinfo, 0, sizeof(cinfo)); 544 cinfo.hci_handle = chan->conn->hcon->handle; 545 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3); 546 547 len = min_t(unsigned int, len, sizeof(cinfo)); 548 if (copy_to_user(optval, (char *) &cinfo, len)) 549 err = -EFAULT; 550 551 break; 552 553 default: 554 err = -ENOPROTOOPT; 555 break; 556 } 557 558 release_sock(sk); 559 return err; 560 } 561 562 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, 563 char __user *optval, int __user *optlen) 564 { 565 struct sock *sk = sock->sk; 566 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 567 struct bt_security sec; 568 struct bt_power pwr; 569 u32 phys; 570 int len, mode, err = 0; 571 572 BT_DBG("sk %p", sk); 573 574 if (level == SOL_L2CAP) 575 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen); 576 577 if (level != SOL_BLUETOOTH) 578 return -ENOPROTOOPT; 579 580 if (get_user(len, optlen)) 581 return -EFAULT; 582 583 lock_sock(sk); 584 585 switch (optname) { 586 case BT_SECURITY: 587 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 588 chan->chan_type != L2CAP_CHAN_FIXED && 589 chan->chan_type != L2CAP_CHAN_RAW) { 590 err = -EINVAL; 591 break; 592 } 593 594 memset(&sec, 0, sizeof(sec)); 595 if (chan->conn) { 596 sec.level = chan->conn->hcon->sec_level; 597 598 if (sk->sk_state == BT_CONNECTED) 599 sec.key_size = chan->conn->hcon->enc_key_size; 600 } else { 601 sec.level = chan->sec_level; 602 } 603 604 len = min_t(unsigned int, len, sizeof(sec)); 605 if (copy_to_user(optval, (char *) &sec, len)) 606 err = -EFAULT; 607 608 break; 609 610 case BT_DEFER_SETUP: 611 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 612 err = -EINVAL; 613 break; 614 } 615 616 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags), 617 (u32 __user *) optval)) 618 err = -EFAULT; 619 620 break; 621 622 case BT_FLUSHABLE: 623 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags), 624 (u32 __user *) optval)) 625 err = -EFAULT; 626 627 break; 628 629 case BT_POWER: 630 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM 631 && sk->sk_type != SOCK_RAW) { 632 err = -EINVAL; 633 break; 634 } 635 636 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags); 637 638 len = min_t(unsigned int, len, sizeof(pwr)); 639 if (copy_to_user(optval, (char *) &pwr, len)) 640 err = -EFAULT; 641 642 break; 643 644 case BT_CHANNEL_POLICY: 645 if (put_user(chan->chan_policy, (u32 __user *) optval)) 646 err = -EFAULT; 647 break; 648 649 case BT_SNDMTU: 650 if (!bdaddr_type_is_le(chan->src_type)) { 651 err = -EINVAL; 652 break; 653 } 654 655 if (sk->sk_state != BT_CONNECTED) { 656 err = -ENOTCONN; 657 break; 658 } 659 660 if (put_user(chan->omtu, (u16 __user *) optval)) 661 err = -EFAULT; 662 break; 663 664 case BT_RCVMTU: 665 if (!bdaddr_type_is_le(chan->src_type)) { 666 err = -EINVAL; 667 break; 668 } 669 670 if (put_user(chan->imtu, (u16 __user *) optval)) 671 err = -EFAULT; 672 break; 673 674 case BT_PHY: 675 if (sk->sk_state != BT_CONNECTED) { 676 err = -ENOTCONN; 677 break; 678 } 679 680 phys = hci_conn_get_phy(chan->conn->hcon); 681 682 if (put_user(phys, (u32 __user *) optval)) 683 err = -EFAULT; 684 break; 685 686 case BT_MODE: 687 if (!enable_ecred) { 688 err = -ENOPROTOOPT; 689 break; 690 } 691 692 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 693 err = -EINVAL; 694 break; 695 } 696 697 mode = l2cap_get_mode(chan); 698 if (mode < 0) { 699 err = mode; 700 break; 701 } 702 703 if (put_user(mode, (u8 __user *) optval)) 704 err = -EFAULT; 705 break; 706 707 default: 708 err = -ENOPROTOOPT; 709 break; 710 } 711 712 release_sock(sk); 713 return err; 714 } 715 716 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu) 717 { 718 switch (chan->scid) { 719 case L2CAP_CID_ATT: 720 if (mtu < L2CAP_LE_MIN_MTU) 721 return false; 722 break; 723 724 default: 725 if (mtu < L2CAP_DEFAULT_MIN_MTU) 726 return false; 727 } 728 729 return true; 730 } 731 732 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, 733 sockptr_t optval, unsigned int optlen) 734 { 735 struct sock *sk = sock->sk; 736 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 737 struct l2cap_options opts; 738 int len, err = 0; 739 u32 opt; 740 741 BT_DBG("sk %p", sk); 742 743 lock_sock(sk); 744 745 switch (optname) { 746 case L2CAP_OPTIONS: 747 if (bdaddr_type_is_le(chan->src_type)) { 748 err = -EINVAL; 749 break; 750 } 751 752 if (sk->sk_state == BT_CONNECTED) { 753 err = -EINVAL; 754 break; 755 } 756 757 opts.imtu = chan->imtu; 758 opts.omtu = chan->omtu; 759 opts.flush_to = chan->flush_to; 760 opts.mode = chan->mode; 761 opts.fcs = chan->fcs; 762 opts.max_tx = chan->max_tx; 763 opts.txwin_size = chan->tx_win; 764 765 len = min_t(unsigned int, sizeof(opts), optlen); 766 if (copy_from_sockptr(&opts, optval, len)) { 767 err = -EFAULT; 768 break; 769 } 770 771 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) { 772 err = -EINVAL; 773 break; 774 } 775 776 if (!l2cap_valid_mtu(chan, opts.imtu)) { 777 err = -EINVAL; 778 break; 779 } 780 781 /* Only BR/EDR modes are supported here */ 782 switch (opts.mode) { 783 case L2CAP_MODE_BASIC: 784 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state); 785 break; 786 case L2CAP_MODE_ERTM: 787 case L2CAP_MODE_STREAMING: 788 if (!disable_ertm) 789 break; 790 fallthrough; 791 default: 792 err = -EINVAL; 793 break; 794 } 795 796 if (err < 0) 797 break; 798 799 chan->mode = opts.mode; 800 801 BT_DBG("mode 0x%2.2x", chan->mode); 802 803 chan->imtu = opts.imtu; 804 chan->omtu = opts.omtu; 805 chan->fcs = opts.fcs; 806 chan->max_tx = opts.max_tx; 807 chan->tx_win = opts.txwin_size; 808 chan->flush_to = opts.flush_to; 809 break; 810 811 case L2CAP_LM: 812 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 813 err = -EFAULT; 814 break; 815 } 816 817 if (opt & L2CAP_LM_FIPS) { 818 err = -EINVAL; 819 break; 820 } 821 822 if (opt & L2CAP_LM_AUTH) 823 chan->sec_level = BT_SECURITY_LOW; 824 if (opt & L2CAP_LM_ENCRYPT) 825 chan->sec_level = BT_SECURITY_MEDIUM; 826 if (opt & L2CAP_LM_SECURE) 827 chan->sec_level = BT_SECURITY_HIGH; 828 829 if (opt & L2CAP_LM_MASTER) 830 set_bit(FLAG_ROLE_SWITCH, &chan->flags); 831 else 832 clear_bit(FLAG_ROLE_SWITCH, &chan->flags); 833 834 if (opt & L2CAP_LM_RELIABLE) 835 set_bit(FLAG_FORCE_RELIABLE, &chan->flags); 836 else 837 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags); 838 break; 839 840 default: 841 err = -ENOPROTOOPT; 842 break; 843 } 844 845 release_sock(sk); 846 return err; 847 } 848 849 static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode) 850 { 851 switch (mode) { 852 case BT_MODE_BASIC: 853 if (bdaddr_type_is_le(chan->src_type)) 854 return -EINVAL; 855 mode = L2CAP_MODE_BASIC; 856 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state); 857 break; 858 case BT_MODE_ERTM: 859 if (!disable_ertm || bdaddr_type_is_le(chan->src_type)) 860 return -EINVAL; 861 mode = L2CAP_MODE_ERTM; 862 break; 863 case BT_MODE_STREAMING: 864 if (!disable_ertm || bdaddr_type_is_le(chan->src_type)) 865 return -EINVAL; 866 mode = L2CAP_MODE_STREAMING; 867 break; 868 case BT_MODE_LE_FLOWCTL: 869 if (!bdaddr_type_is_le(chan->src_type)) 870 return -EINVAL; 871 mode = L2CAP_MODE_LE_FLOWCTL; 872 break; 873 case BT_MODE_EXT_FLOWCTL: 874 /* TODO: Add support for ECRED PDUs to BR/EDR */ 875 if (!bdaddr_type_is_le(chan->src_type)) 876 return -EINVAL; 877 mode = L2CAP_MODE_EXT_FLOWCTL; 878 break; 879 default: 880 return -EINVAL; 881 } 882 883 chan->mode = mode; 884 885 return 0; 886 } 887 888 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, 889 sockptr_t optval, unsigned int optlen) 890 { 891 struct sock *sk = sock->sk; 892 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 893 struct bt_security sec; 894 struct bt_power pwr; 895 struct l2cap_conn *conn; 896 int len, err = 0; 897 u32 opt; 898 899 BT_DBG("sk %p", sk); 900 901 if (level == SOL_L2CAP) 902 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen); 903 904 if (level != SOL_BLUETOOTH) 905 return -ENOPROTOOPT; 906 907 lock_sock(sk); 908 909 switch (optname) { 910 case BT_SECURITY: 911 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 912 chan->chan_type != L2CAP_CHAN_FIXED && 913 chan->chan_type != L2CAP_CHAN_RAW) { 914 err = -EINVAL; 915 break; 916 } 917 918 sec.level = BT_SECURITY_LOW; 919 920 len = min_t(unsigned int, sizeof(sec), optlen); 921 if (copy_from_sockptr(&sec, optval, len)) { 922 err = -EFAULT; 923 break; 924 } 925 926 if (sec.level < BT_SECURITY_LOW || 927 sec.level > BT_SECURITY_FIPS) { 928 err = -EINVAL; 929 break; 930 } 931 932 chan->sec_level = sec.level; 933 934 if (!chan->conn) 935 break; 936 937 conn = chan->conn; 938 939 /* change security for LE channels */ 940 if (chan->scid == L2CAP_CID_ATT) { 941 if (smp_conn_security(conn->hcon, sec.level)) { 942 err = -EINVAL; 943 break; 944 } 945 946 set_bit(FLAG_PENDING_SECURITY, &chan->flags); 947 sk->sk_state = BT_CONFIG; 948 chan->state = BT_CONFIG; 949 950 /* or for ACL link */ 951 } else if ((sk->sk_state == BT_CONNECT2 && 952 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) || 953 sk->sk_state == BT_CONNECTED) { 954 if (!l2cap_chan_check_security(chan, true)) 955 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 956 else 957 sk->sk_state_change(sk); 958 } else { 959 err = -EINVAL; 960 } 961 break; 962 963 case BT_DEFER_SETUP: 964 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 965 err = -EINVAL; 966 break; 967 } 968 969 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 970 err = -EFAULT; 971 break; 972 } 973 974 if (opt) { 975 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 976 set_bit(FLAG_DEFER_SETUP, &chan->flags); 977 } else { 978 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 979 clear_bit(FLAG_DEFER_SETUP, &chan->flags); 980 } 981 break; 982 983 case BT_FLUSHABLE: 984 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 985 err = -EFAULT; 986 break; 987 } 988 989 if (opt > BT_FLUSHABLE_ON) { 990 err = -EINVAL; 991 break; 992 } 993 994 if (opt == BT_FLUSHABLE_OFF) { 995 conn = chan->conn; 996 /* proceed further only when we have l2cap_conn and 997 No Flush support in the LM */ 998 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) { 999 err = -EINVAL; 1000 break; 1001 } 1002 } 1003 1004 if (opt) 1005 set_bit(FLAG_FLUSHABLE, &chan->flags); 1006 else 1007 clear_bit(FLAG_FLUSHABLE, &chan->flags); 1008 break; 1009 1010 case BT_POWER: 1011 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 1012 chan->chan_type != L2CAP_CHAN_RAW) { 1013 err = -EINVAL; 1014 break; 1015 } 1016 1017 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON; 1018 1019 len = min_t(unsigned int, sizeof(pwr), optlen); 1020 if (copy_from_sockptr(&pwr, optval, len)) { 1021 err = -EFAULT; 1022 break; 1023 } 1024 1025 if (pwr.force_active) 1026 set_bit(FLAG_FORCE_ACTIVE, &chan->flags); 1027 else 1028 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags); 1029 break; 1030 1031 case BT_CHANNEL_POLICY: 1032 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 1033 err = -EFAULT; 1034 break; 1035 } 1036 1037 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) { 1038 err = -EINVAL; 1039 break; 1040 } 1041 1042 if (chan->mode != L2CAP_MODE_ERTM && 1043 chan->mode != L2CAP_MODE_STREAMING) { 1044 err = -EOPNOTSUPP; 1045 break; 1046 } 1047 1048 chan->chan_policy = (u8) opt; 1049 1050 if (sk->sk_state == BT_CONNECTED && 1051 chan->move_role == L2CAP_MOVE_ROLE_NONE) 1052 l2cap_move_start(chan); 1053 1054 break; 1055 1056 case BT_SNDMTU: 1057 if (!bdaddr_type_is_le(chan->src_type)) { 1058 err = -EINVAL; 1059 break; 1060 } 1061 1062 /* Setting is not supported as it's the remote side that 1063 * decides this. 1064 */ 1065 err = -EPERM; 1066 break; 1067 1068 case BT_RCVMTU: 1069 if (!bdaddr_type_is_le(chan->src_type)) { 1070 err = -EINVAL; 1071 break; 1072 } 1073 1074 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && 1075 sk->sk_state == BT_CONNECTED) { 1076 err = -EISCONN; 1077 break; 1078 } 1079 1080 if (copy_from_sockptr(&opt, optval, sizeof(u16))) { 1081 err = -EFAULT; 1082 break; 1083 } 1084 1085 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL && 1086 sk->sk_state == BT_CONNECTED) 1087 err = l2cap_chan_reconfigure(chan, opt); 1088 else 1089 chan->imtu = opt; 1090 1091 break; 1092 1093 case BT_MODE: 1094 if (!enable_ecred) { 1095 err = -ENOPROTOOPT; 1096 break; 1097 } 1098 1099 BT_DBG("sk->sk_state %u", sk->sk_state); 1100 1101 if (sk->sk_state != BT_BOUND) { 1102 err = -EINVAL; 1103 break; 1104 } 1105 1106 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 1107 err = -EINVAL; 1108 break; 1109 } 1110 1111 if (copy_from_sockptr(&opt, optval, sizeof(u8))) { 1112 err = -EFAULT; 1113 break; 1114 } 1115 1116 BT_DBG("opt %u", opt); 1117 1118 err = l2cap_set_mode(chan, opt); 1119 if (err) 1120 break; 1121 1122 BT_DBG("mode 0x%2.2x", chan->mode); 1123 1124 break; 1125 1126 default: 1127 err = -ENOPROTOOPT; 1128 break; 1129 } 1130 1131 release_sock(sk); 1132 return err; 1133 } 1134 1135 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg, 1136 size_t len) 1137 { 1138 struct sock *sk = sock->sk; 1139 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1140 int err; 1141 1142 BT_DBG("sock %p, sk %p", sock, sk); 1143 1144 err = sock_error(sk); 1145 if (err) 1146 return err; 1147 1148 if (msg->msg_flags & MSG_OOB) 1149 return -EOPNOTSUPP; 1150 1151 if (sk->sk_state != BT_CONNECTED) 1152 return -ENOTCONN; 1153 1154 lock_sock(sk); 1155 err = bt_sock_wait_ready(sk, msg->msg_flags); 1156 release_sock(sk); 1157 if (err) 1158 return err; 1159 1160 l2cap_chan_lock(chan); 1161 err = l2cap_chan_send(chan, msg, len); 1162 l2cap_chan_unlock(chan); 1163 1164 return err; 1165 } 1166 1167 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg, 1168 size_t len, int flags) 1169 { 1170 struct sock *sk = sock->sk; 1171 struct l2cap_pinfo *pi = l2cap_pi(sk); 1172 int err; 1173 1174 lock_sock(sk); 1175 1176 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP, 1177 &bt_sk(sk)->flags)) { 1178 if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) { 1179 sk->sk_state = BT_CONNECTED; 1180 pi->chan->state = BT_CONNECTED; 1181 __l2cap_ecred_conn_rsp_defer(pi->chan); 1182 } else if (bdaddr_type_is_le(pi->chan->src_type)) { 1183 sk->sk_state = BT_CONNECTED; 1184 pi->chan->state = BT_CONNECTED; 1185 __l2cap_le_connect_rsp_defer(pi->chan); 1186 } else { 1187 sk->sk_state = BT_CONFIG; 1188 pi->chan->state = BT_CONFIG; 1189 __l2cap_connect_rsp_defer(pi->chan); 1190 } 1191 1192 err = 0; 1193 goto done; 1194 } 1195 1196 release_sock(sk); 1197 1198 if (sock->type == SOCK_STREAM) 1199 err = bt_sock_stream_recvmsg(sock, msg, len, flags); 1200 else 1201 err = bt_sock_recvmsg(sock, msg, len, flags); 1202 1203 if (pi->chan->mode != L2CAP_MODE_ERTM) 1204 return err; 1205 1206 /* Attempt to put pending rx data in the socket buffer */ 1207 1208 lock_sock(sk); 1209 1210 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state)) 1211 goto done; 1212 1213 if (pi->rx_busy_skb) { 1214 if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb)) 1215 pi->rx_busy_skb = NULL; 1216 else 1217 goto done; 1218 } 1219 1220 /* Restore data flow when half of the receive buffer is 1221 * available. This avoids resending large numbers of 1222 * frames. 1223 */ 1224 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1) 1225 l2cap_chan_busy(pi->chan, 0); 1226 1227 done: 1228 release_sock(sk); 1229 return err; 1230 } 1231 1232 /* Kill socket (only if zapped and orphan) 1233 * Must be called on unlocked socket, with l2cap channel lock. 1234 */ 1235 static void l2cap_sock_kill(struct sock *sk) 1236 { 1237 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket) 1238 return; 1239 1240 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state)); 1241 1242 /* Kill poor orphan */ 1243 1244 l2cap_chan_put(l2cap_pi(sk)->chan); 1245 sock_set_flag(sk, SOCK_DEAD); 1246 sock_put(sk); 1247 } 1248 1249 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan) 1250 { 1251 DECLARE_WAITQUEUE(wait, current); 1252 int err = 0; 1253 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD; 1254 /* Timeout to prevent infinite loop */ 1255 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT; 1256 1257 add_wait_queue(sk_sleep(sk), &wait); 1258 set_current_state(TASK_INTERRUPTIBLE); 1259 do { 1260 BT_DBG("Waiting for %d ACKs, timeout %04d ms", 1261 chan->unacked_frames, time_after(jiffies, timeout) ? 0 : 1262 jiffies_to_msecs(timeout - jiffies)); 1263 1264 if (!timeo) 1265 timeo = L2CAP_WAIT_ACK_POLL_PERIOD; 1266 1267 if (signal_pending(current)) { 1268 err = sock_intr_errno(timeo); 1269 break; 1270 } 1271 1272 release_sock(sk); 1273 timeo = schedule_timeout(timeo); 1274 lock_sock(sk); 1275 set_current_state(TASK_INTERRUPTIBLE); 1276 1277 err = sock_error(sk); 1278 if (err) 1279 break; 1280 1281 if (time_after(jiffies, timeout)) { 1282 err = -ENOLINK; 1283 break; 1284 } 1285 1286 } while (chan->unacked_frames > 0 && 1287 chan->state == BT_CONNECTED); 1288 1289 set_current_state(TASK_RUNNING); 1290 remove_wait_queue(sk_sleep(sk), &wait); 1291 return err; 1292 } 1293 1294 static int l2cap_sock_shutdown(struct socket *sock, int how) 1295 { 1296 struct sock *sk = sock->sk; 1297 struct l2cap_chan *chan; 1298 struct l2cap_conn *conn; 1299 int err = 0; 1300 1301 BT_DBG("sock %p, sk %p, how %d", sock, sk, how); 1302 1303 /* 'how' parameter is mapped to sk_shutdown as follows: 1304 * SHUT_RD (0) --> RCV_SHUTDOWN (1) 1305 * SHUT_WR (1) --> SEND_SHUTDOWN (2) 1306 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3) 1307 */ 1308 how++; 1309 1310 if (!sk) 1311 return 0; 1312 1313 lock_sock(sk); 1314 1315 if ((sk->sk_shutdown & how) == how) 1316 goto shutdown_already; 1317 1318 BT_DBG("Handling sock shutdown"); 1319 1320 /* prevent sk structure from being freed whilst unlocked */ 1321 sock_hold(sk); 1322 1323 chan = l2cap_pi(sk)->chan; 1324 /* prevent chan structure from being freed whilst unlocked */ 1325 l2cap_chan_hold(chan); 1326 1327 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 1328 1329 if (chan->mode == L2CAP_MODE_ERTM && 1330 chan->unacked_frames > 0 && 1331 chan->state == BT_CONNECTED) { 1332 err = __l2cap_wait_ack(sk, chan); 1333 1334 /* After waiting for ACKs, check whether shutdown 1335 * has already been actioned to close the L2CAP 1336 * link such as by l2cap_disconnection_req(). 1337 */ 1338 if ((sk->sk_shutdown & how) == how) 1339 goto shutdown_matched; 1340 } 1341 1342 /* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN 1343 * is already set 1344 */ 1345 if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) { 1346 sk->sk_shutdown |= RCV_SHUTDOWN; 1347 if ((sk->sk_shutdown & how) == how) 1348 goto shutdown_matched; 1349 } 1350 1351 sk->sk_shutdown |= SEND_SHUTDOWN; 1352 release_sock(sk); 1353 1354 l2cap_chan_lock(chan); 1355 conn = chan->conn; 1356 if (conn) 1357 /* prevent conn structure from being freed */ 1358 l2cap_conn_get(conn); 1359 l2cap_chan_unlock(chan); 1360 1361 if (conn) 1362 /* mutex lock must be taken before l2cap_chan_lock() */ 1363 mutex_lock(&conn->chan_lock); 1364 1365 l2cap_chan_lock(chan); 1366 l2cap_chan_close(chan, 0); 1367 l2cap_chan_unlock(chan); 1368 1369 if (conn) { 1370 mutex_unlock(&conn->chan_lock); 1371 l2cap_conn_put(conn); 1372 } 1373 1374 lock_sock(sk); 1375 1376 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime && 1377 !(current->flags & PF_EXITING)) 1378 err = bt_sock_wait_state(sk, BT_CLOSED, 1379 sk->sk_lingertime); 1380 1381 shutdown_matched: 1382 l2cap_chan_put(chan); 1383 sock_put(sk); 1384 1385 shutdown_already: 1386 if (!err && sk->sk_err) 1387 err = -sk->sk_err; 1388 1389 release_sock(sk); 1390 1391 BT_DBG("Sock shutdown complete err: %d", err); 1392 1393 return err; 1394 } 1395 1396 static int l2cap_sock_release(struct socket *sock) 1397 { 1398 struct sock *sk = sock->sk; 1399 int err; 1400 struct l2cap_chan *chan; 1401 1402 BT_DBG("sock %p, sk %p", sock, sk); 1403 1404 if (!sk) 1405 return 0; 1406 1407 bt_sock_unlink(&l2cap_sk_list, sk); 1408 1409 err = l2cap_sock_shutdown(sock, SHUT_RDWR); 1410 chan = l2cap_pi(sk)->chan; 1411 1412 l2cap_chan_hold(chan); 1413 l2cap_chan_lock(chan); 1414 1415 sock_orphan(sk); 1416 l2cap_sock_kill(sk); 1417 1418 l2cap_chan_unlock(chan); 1419 l2cap_chan_put(chan); 1420 1421 return err; 1422 } 1423 1424 static void l2cap_sock_cleanup_listen(struct sock *parent) 1425 { 1426 struct sock *sk; 1427 1428 BT_DBG("parent %p state %s", parent, 1429 state_to_string(parent->sk_state)); 1430 1431 /* Close not yet accepted channels */ 1432 while ((sk = bt_accept_dequeue(parent, NULL))) { 1433 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1434 1435 BT_DBG("child chan %p state %s", chan, 1436 state_to_string(chan->state)); 1437 1438 l2cap_chan_hold(chan); 1439 l2cap_chan_lock(chan); 1440 1441 __clear_chan_timer(chan); 1442 l2cap_chan_close(chan, ECONNRESET); 1443 l2cap_sock_kill(sk); 1444 1445 l2cap_chan_unlock(chan); 1446 l2cap_chan_put(chan); 1447 } 1448 } 1449 1450 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan) 1451 { 1452 struct sock *sk, *parent = chan->data; 1453 1454 lock_sock(parent); 1455 1456 /* Check for backlog size */ 1457 if (sk_acceptq_is_full(parent)) { 1458 BT_DBG("backlog full %d", parent->sk_ack_backlog); 1459 release_sock(parent); 1460 return NULL; 1461 } 1462 1463 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, 1464 GFP_ATOMIC, 0); 1465 if (!sk) { 1466 release_sock(parent); 1467 return NULL; 1468 } 1469 1470 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP); 1471 1472 l2cap_sock_init(sk, parent); 1473 1474 bt_accept_enqueue(parent, sk, false); 1475 1476 release_sock(parent); 1477 1478 return l2cap_pi(sk)->chan; 1479 } 1480 1481 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) 1482 { 1483 struct sock *sk = chan->data; 1484 int err; 1485 1486 lock_sock(sk); 1487 1488 if (l2cap_pi(sk)->rx_busy_skb) { 1489 err = -ENOMEM; 1490 goto done; 1491 } 1492 1493 if (chan->mode != L2CAP_MODE_ERTM && 1494 chan->mode != L2CAP_MODE_STREAMING) { 1495 /* Even if no filter is attached, we could potentially 1496 * get errors from security modules, etc. 1497 */ 1498 err = sk_filter(sk, skb); 1499 if (err) 1500 goto done; 1501 } 1502 1503 err = __sock_queue_rcv_skb(sk, skb); 1504 1505 /* For ERTM, handle one skb that doesn't fit into the recv 1506 * buffer. This is important to do because the data frames 1507 * have already been acked, so the skb cannot be discarded. 1508 * 1509 * Notify the l2cap core that the buffer is full, so the 1510 * LOCAL_BUSY state is entered and no more frames are 1511 * acked and reassembled until there is buffer space 1512 * available. 1513 */ 1514 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) { 1515 l2cap_pi(sk)->rx_busy_skb = skb; 1516 l2cap_chan_busy(chan, 1); 1517 err = 0; 1518 } 1519 1520 done: 1521 release_sock(sk); 1522 1523 return err; 1524 } 1525 1526 static void l2cap_sock_close_cb(struct l2cap_chan *chan) 1527 { 1528 struct sock *sk = chan->data; 1529 1530 if (!sk) 1531 return; 1532 1533 l2cap_sock_kill(sk); 1534 } 1535 1536 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err) 1537 { 1538 struct sock *sk = chan->data; 1539 struct sock *parent; 1540 1541 if (!sk) 1542 return; 1543 1544 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 1545 1546 /* This callback can be called both for server (BT_LISTEN) 1547 * sockets as well as "normal" ones. To avoid lockdep warnings 1548 * with child socket locking (through l2cap_sock_cleanup_listen) 1549 * we need separation into separate nesting levels. The simplest 1550 * way to accomplish this is to inherit the nesting level used 1551 * for the channel. 1552 */ 1553 lock_sock_nested(sk, atomic_read(&chan->nesting)); 1554 1555 parent = bt_sk(sk)->parent; 1556 1557 switch (chan->state) { 1558 case BT_OPEN: 1559 case BT_BOUND: 1560 case BT_CLOSED: 1561 break; 1562 case BT_LISTEN: 1563 l2cap_sock_cleanup_listen(sk); 1564 sk->sk_state = BT_CLOSED; 1565 chan->state = BT_CLOSED; 1566 1567 break; 1568 default: 1569 sk->sk_state = BT_CLOSED; 1570 chan->state = BT_CLOSED; 1571 1572 sk->sk_err = err; 1573 1574 if (parent) { 1575 bt_accept_unlink(sk); 1576 parent->sk_data_ready(parent); 1577 } else { 1578 sk->sk_state_change(sk); 1579 } 1580 1581 break; 1582 } 1583 release_sock(sk); 1584 1585 /* Only zap after cleanup to avoid use after free race */ 1586 sock_set_flag(sk, SOCK_ZAPPED); 1587 1588 } 1589 1590 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state, 1591 int err) 1592 { 1593 struct sock *sk = chan->data; 1594 1595 sk->sk_state = state; 1596 1597 if (err) 1598 sk->sk_err = err; 1599 } 1600 1601 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan, 1602 unsigned long hdr_len, 1603 unsigned long len, int nb) 1604 { 1605 struct sock *sk = chan->data; 1606 struct sk_buff *skb; 1607 int err; 1608 1609 l2cap_chan_unlock(chan); 1610 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err); 1611 l2cap_chan_lock(chan); 1612 1613 if (!skb) 1614 return ERR_PTR(err); 1615 1616 skb->priority = sk->sk_priority; 1617 1618 bt_cb(skb)->l2cap.chan = chan; 1619 1620 return skb; 1621 } 1622 1623 static void l2cap_sock_ready_cb(struct l2cap_chan *chan) 1624 { 1625 struct sock *sk = chan->data; 1626 struct sock *parent; 1627 1628 lock_sock(sk); 1629 1630 parent = bt_sk(sk)->parent; 1631 1632 BT_DBG("sk %p, parent %p", sk, parent); 1633 1634 sk->sk_state = BT_CONNECTED; 1635 sk->sk_state_change(sk); 1636 1637 if (parent) 1638 parent->sk_data_ready(parent); 1639 1640 release_sock(sk); 1641 } 1642 1643 static void l2cap_sock_defer_cb(struct l2cap_chan *chan) 1644 { 1645 struct sock *parent, *sk = chan->data; 1646 1647 lock_sock(sk); 1648 1649 parent = bt_sk(sk)->parent; 1650 if (parent) 1651 parent->sk_data_ready(parent); 1652 1653 release_sock(sk); 1654 } 1655 1656 static void l2cap_sock_resume_cb(struct l2cap_chan *chan) 1657 { 1658 struct sock *sk = chan->data; 1659 1660 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) { 1661 sk->sk_state = BT_CONNECTED; 1662 chan->state = BT_CONNECTED; 1663 } 1664 1665 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 1666 sk->sk_state_change(sk); 1667 } 1668 1669 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan) 1670 { 1671 struct sock *sk = chan->data; 1672 1673 lock_sock(sk); 1674 sk->sk_shutdown = SHUTDOWN_MASK; 1675 release_sock(sk); 1676 } 1677 1678 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan) 1679 { 1680 struct sock *sk = chan->data; 1681 1682 return sk->sk_sndtimeo; 1683 } 1684 1685 static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan) 1686 { 1687 struct sock *sk = chan->data; 1688 1689 return sk->sk_peer_pid; 1690 } 1691 1692 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan) 1693 { 1694 struct sock *sk = chan->data; 1695 1696 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 1697 sk->sk_state_change(sk); 1698 } 1699 1700 static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb) 1701 { 1702 struct sock *sk = chan->data; 1703 1704 switch (chan->mode) { 1705 case L2CAP_MODE_ERTM: 1706 case L2CAP_MODE_STREAMING: 1707 return sk_filter(sk, skb); 1708 } 1709 1710 return 0; 1711 } 1712 1713 static const struct l2cap_ops l2cap_chan_ops = { 1714 .name = "L2CAP Socket Interface", 1715 .new_connection = l2cap_sock_new_connection_cb, 1716 .recv = l2cap_sock_recv_cb, 1717 .close = l2cap_sock_close_cb, 1718 .teardown = l2cap_sock_teardown_cb, 1719 .state_change = l2cap_sock_state_change_cb, 1720 .ready = l2cap_sock_ready_cb, 1721 .defer = l2cap_sock_defer_cb, 1722 .resume = l2cap_sock_resume_cb, 1723 .suspend = l2cap_sock_suspend_cb, 1724 .set_shutdown = l2cap_sock_set_shutdown_cb, 1725 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb, 1726 .get_peer_pid = l2cap_sock_get_peer_pid_cb, 1727 .alloc_skb = l2cap_sock_alloc_skb_cb, 1728 .filter = l2cap_sock_filter, 1729 }; 1730 1731 static void l2cap_sock_destruct(struct sock *sk) 1732 { 1733 BT_DBG("sk %p", sk); 1734 1735 if (l2cap_pi(sk)->chan) { 1736 l2cap_pi(sk)->chan->data = NULL; 1737 l2cap_chan_put(l2cap_pi(sk)->chan); 1738 } 1739 1740 if (l2cap_pi(sk)->rx_busy_skb) { 1741 kfree_skb(l2cap_pi(sk)->rx_busy_skb); 1742 l2cap_pi(sk)->rx_busy_skb = NULL; 1743 } 1744 1745 skb_queue_purge(&sk->sk_receive_queue); 1746 skb_queue_purge(&sk->sk_write_queue); 1747 } 1748 1749 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name, 1750 int *msg_namelen) 1751 { 1752 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name); 1753 1754 memset(la, 0, sizeof(struct sockaddr_l2)); 1755 la->l2_family = AF_BLUETOOTH; 1756 la->l2_psm = bt_cb(skb)->l2cap.psm; 1757 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr); 1758 1759 *msg_namelen = sizeof(struct sockaddr_l2); 1760 } 1761 1762 static void l2cap_sock_init(struct sock *sk, struct sock *parent) 1763 { 1764 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1765 1766 BT_DBG("sk %p", sk); 1767 1768 if (parent) { 1769 struct l2cap_chan *pchan = l2cap_pi(parent)->chan; 1770 1771 sk->sk_type = parent->sk_type; 1772 bt_sk(sk)->flags = bt_sk(parent)->flags; 1773 1774 chan->chan_type = pchan->chan_type; 1775 chan->imtu = pchan->imtu; 1776 chan->omtu = pchan->omtu; 1777 chan->conf_state = pchan->conf_state; 1778 chan->mode = pchan->mode; 1779 chan->fcs = pchan->fcs; 1780 chan->max_tx = pchan->max_tx; 1781 chan->tx_win = pchan->tx_win; 1782 chan->tx_win_max = pchan->tx_win_max; 1783 chan->sec_level = pchan->sec_level; 1784 chan->flags = pchan->flags; 1785 chan->tx_credits = pchan->tx_credits; 1786 chan->rx_credits = pchan->rx_credits; 1787 1788 if (chan->chan_type == L2CAP_CHAN_FIXED) { 1789 chan->scid = pchan->scid; 1790 chan->dcid = pchan->scid; 1791 } 1792 1793 security_sk_clone(parent, sk); 1794 } else { 1795 switch (sk->sk_type) { 1796 case SOCK_RAW: 1797 chan->chan_type = L2CAP_CHAN_RAW; 1798 break; 1799 case SOCK_DGRAM: 1800 chan->chan_type = L2CAP_CHAN_CONN_LESS; 1801 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name; 1802 break; 1803 case SOCK_SEQPACKET: 1804 case SOCK_STREAM: 1805 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED; 1806 break; 1807 } 1808 1809 chan->imtu = L2CAP_DEFAULT_MTU; 1810 chan->omtu = 0; 1811 if (!disable_ertm && sk->sk_type == SOCK_STREAM) { 1812 chan->mode = L2CAP_MODE_ERTM; 1813 set_bit(CONF_STATE2_DEVICE, &chan->conf_state); 1814 } else { 1815 chan->mode = L2CAP_MODE_BASIC; 1816 } 1817 1818 l2cap_chan_set_defaults(chan); 1819 } 1820 1821 /* Default config options */ 1822 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO; 1823 1824 chan->data = sk; 1825 chan->ops = &l2cap_chan_ops; 1826 } 1827 1828 static struct proto l2cap_proto = { 1829 .name = "L2CAP", 1830 .owner = THIS_MODULE, 1831 .obj_size = sizeof(struct l2cap_pinfo) 1832 }; 1833 1834 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, 1835 int proto, gfp_t prio, int kern) 1836 { 1837 struct sock *sk; 1838 struct l2cap_chan *chan; 1839 1840 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern); 1841 if (!sk) 1842 return NULL; 1843 1844 sock_init_data(sock, sk); 1845 INIT_LIST_HEAD(&bt_sk(sk)->accept_q); 1846 1847 sk->sk_destruct = l2cap_sock_destruct; 1848 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT; 1849 1850 sock_reset_flag(sk, SOCK_ZAPPED); 1851 1852 sk->sk_protocol = proto; 1853 sk->sk_state = BT_OPEN; 1854 1855 chan = l2cap_chan_create(); 1856 if (!chan) { 1857 sk_free(sk); 1858 return NULL; 1859 } 1860 1861 l2cap_chan_hold(chan); 1862 1863 l2cap_pi(sk)->chan = chan; 1864 1865 return sk; 1866 } 1867 1868 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol, 1869 int kern) 1870 { 1871 struct sock *sk; 1872 1873 BT_DBG("sock %p", sock); 1874 1875 sock->state = SS_UNCONNECTED; 1876 1877 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM && 1878 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW) 1879 return -ESOCKTNOSUPPORT; 1880 1881 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW)) 1882 return -EPERM; 1883 1884 sock->ops = &l2cap_sock_ops; 1885 1886 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern); 1887 if (!sk) 1888 return -ENOMEM; 1889 1890 l2cap_sock_init(sk, NULL); 1891 bt_sock_link(&l2cap_sk_list, sk); 1892 return 0; 1893 } 1894 1895 static const struct proto_ops l2cap_sock_ops = { 1896 .family = PF_BLUETOOTH, 1897 .owner = THIS_MODULE, 1898 .release = l2cap_sock_release, 1899 .bind = l2cap_sock_bind, 1900 .connect = l2cap_sock_connect, 1901 .listen = l2cap_sock_listen, 1902 .accept = l2cap_sock_accept, 1903 .getname = l2cap_sock_getname, 1904 .sendmsg = l2cap_sock_sendmsg, 1905 .recvmsg = l2cap_sock_recvmsg, 1906 .poll = bt_sock_poll, 1907 .ioctl = bt_sock_ioctl, 1908 .gettstamp = sock_gettstamp, 1909 .mmap = sock_no_mmap, 1910 .socketpair = sock_no_socketpair, 1911 .shutdown = l2cap_sock_shutdown, 1912 .setsockopt = l2cap_sock_setsockopt, 1913 .getsockopt = l2cap_sock_getsockopt 1914 }; 1915 1916 static const struct net_proto_family l2cap_sock_family_ops = { 1917 .family = PF_BLUETOOTH, 1918 .owner = THIS_MODULE, 1919 .create = l2cap_sock_create, 1920 }; 1921 1922 int __init l2cap_init_sockets(void) 1923 { 1924 int err; 1925 1926 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr)); 1927 1928 err = proto_register(&l2cap_proto, 0); 1929 if (err < 0) 1930 return err; 1931 1932 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops); 1933 if (err < 0) { 1934 BT_ERR("L2CAP socket registration failed"); 1935 goto error; 1936 } 1937 1938 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list, 1939 NULL); 1940 if (err < 0) { 1941 BT_ERR("Failed to create L2CAP proc file"); 1942 bt_sock_unregister(BTPROTO_L2CAP); 1943 goto error; 1944 } 1945 1946 BT_INFO("L2CAP socket layer initialized"); 1947 1948 return 0; 1949 1950 error: 1951 proto_unregister(&l2cap_proto); 1952 return err; 1953 } 1954 1955 void l2cap_cleanup_sockets(void) 1956 { 1957 bt_procfs_cleanup(&init_net, "l2cap"); 1958 bt_sock_unregister(BTPROTO_L2CAP); 1959 proto_unregister(&l2cap_proto); 1960 } 1961