1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org> 5 Copyright (C) 2010 Google Inc. 6 Copyright (C) 2011 ProFUSION Embedded Systems 7 8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 9 10 This program is free software; you can redistribute it and/or modify 11 it under the terms of the GNU General Public License version 2 as 12 published by the Free Software Foundation; 13 14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 22 23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 25 SOFTWARE IS DISCLAIMED. 26 */ 27 28 /* Bluetooth L2CAP sockets. */ 29 30 #include <linux/module.h> 31 #include <linux/export.h> 32 #include <linux/filter.h> 33 #include <linux/sched/signal.h> 34 35 #include <net/bluetooth/bluetooth.h> 36 #include <net/bluetooth/hci_core.h> 37 #include <net/bluetooth/l2cap.h> 38 39 #include "smp.h" 40 41 static struct bt_sock_list l2cap_sk_list = { 42 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock) 43 }; 44 45 static const struct proto_ops l2cap_sock_ops; 46 static void l2cap_sock_init(struct sock *sk, struct sock *parent); 47 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, 48 int proto, gfp_t prio, int kern); 49 static void l2cap_sock_cleanup_listen(struct sock *parent); 50 51 bool l2cap_is_socket(struct socket *sock) 52 { 53 return sock && sock->ops == &l2cap_sock_ops; 54 } 55 EXPORT_SYMBOL(l2cap_is_socket); 56 57 static int l2cap_validate_bredr_psm(u16 psm) 58 { 59 /* PSM must be odd and lsb of upper byte must be 0 */ 60 if ((psm & 0x0101) != 0x0001) 61 return -EINVAL; 62 63 /* Restrict usage of well-known PSMs */ 64 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE)) 65 return -EACCES; 66 67 return 0; 68 } 69 70 static int l2cap_validate_le_psm(u16 psm) 71 { 72 /* Valid LE_PSM ranges are defined only until 0x00ff */ 73 if (psm > L2CAP_PSM_LE_DYN_END) 74 return -EINVAL; 75 76 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */ 77 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE)) 78 return -EACCES; 79 80 return 0; 81 } 82 83 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) 84 { 85 struct sock *sk = sock->sk; 86 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 87 struct sockaddr_l2 la; 88 int len, err = 0; 89 90 BT_DBG("sk %p", sk); 91 92 if (!addr || alen < offsetofend(struct sockaddr, sa_family) || 93 addr->sa_family != AF_BLUETOOTH) 94 return -EINVAL; 95 96 memset(&la, 0, sizeof(la)); 97 len = min_t(unsigned int, sizeof(la), alen); 98 memcpy(&la, addr, len); 99 100 if (la.l2_cid && la.l2_psm) 101 return -EINVAL; 102 103 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) 104 return -EINVAL; 105 106 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 107 /* We only allow ATT user space socket */ 108 if (la.l2_cid && 109 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) 110 return -EINVAL; 111 } 112 113 lock_sock(sk); 114 115 if (sk->sk_state != BT_OPEN) { 116 err = -EBADFD; 117 goto done; 118 } 119 120 if (la.l2_psm) { 121 __u16 psm = __le16_to_cpu(la.l2_psm); 122 123 if (la.l2_bdaddr_type == BDADDR_BREDR) 124 err = l2cap_validate_bredr_psm(psm); 125 else 126 err = l2cap_validate_le_psm(psm); 127 128 if (err) 129 goto done; 130 } 131 132 bacpy(&chan->src, &la.l2_bdaddr); 133 chan->src_type = la.l2_bdaddr_type; 134 135 if (la.l2_cid) 136 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid)); 137 else 138 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm); 139 140 if (err < 0) 141 goto done; 142 143 switch (chan->chan_type) { 144 case L2CAP_CHAN_CONN_LESS: 145 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP) 146 chan->sec_level = BT_SECURITY_SDP; 147 break; 148 case L2CAP_CHAN_CONN_ORIENTED: 149 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP || 150 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM) 151 chan->sec_level = BT_SECURITY_SDP; 152 break; 153 case L2CAP_CHAN_RAW: 154 chan->sec_level = BT_SECURITY_SDP; 155 break; 156 case L2CAP_CHAN_FIXED: 157 /* Fixed channels default to the L2CAP core not holding a 158 * hci_conn reference for them. For fixed channels mapping to 159 * L2CAP sockets we do want to hold a reference so set the 160 * appropriate flag to request it. 161 */ 162 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags); 163 break; 164 } 165 166 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and 167 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set. 168 */ 169 if (chan->psm && bdaddr_type_is_le(chan->src_type) && 170 chan->mode != L2CAP_MODE_EXT_FLOWCTL) 171 chan->mode = L2CAP_MODE_LE_FLOWCTL; 172 173 chan->state = BT_BOUND; 174 sk->sk_state = BT_BOUND; 175 176 done: 177 release_sock(sk); 178 return err; 179 } 180 181 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, 182 int alen, int flags) 183 { 184 struct sock *sk = sock->sk; 185 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 186 struct sockaddr_l2 la; 187 int len, err = 0; 188 bool zapped; 189 190 BT_DBG("sk %p", sk); 191 192 lock_sock(sk); 193 zapped = sock_flag(sk, SOCK_ZAPPED); 194 release_sock(sk); 195 196 if (zapped) 197 return -EINVAL; 198 199 if (!addr || alen < offsetofend(struct sockaddr, sa_family) || 200 addr->sa_family != AF_BLUETOOTH) 201 return -EINVAL; 202 203 memset(&la, 0, sizeof(la)); 204 len = min_t(unsigned int, sizeof(la), alen); 205 memcpy(&la, addr, len); 206 207 if (la.l2_cid && la.l2_psm) 208 return -EINVAL; 209 210 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) 211 return -EINVAL; 212 213 /* Check that the socket wasn't bound to something that 214 * conflicts with the address given to connect(). If chan->src 215 * is BDADDR_ANY it means bind() was never used, in which case 216 * chan->src_type and la.l2_bdaddr_type do not need to match. 217 */ 218 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) && 219 bdaddr_type_is_le(la.l2_bdaddr_type)) { 220 /* Old user space versions will try to incorrectly bind 221 * the ATT socket using BDADDR_BREDR. We need to accept 222 * this and fix up the source address type only when 223 * both the source CID and destination CID indicate 224 * ATT. Anything else is an invalid combination. 225 */ 226 if (chan->scid != L2CAP_CID_ATT || 227 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) 228 return -EINVAL; 229 230 /* We don't have the hdev available here to make a 231 * better decision on random vs public, but since all 232 * user space versions that exhibit this issue anyway do 233 * not support random local addresses assuming public 234 * here is good enough. 235 */ 236 chan->src_type = BDADDR_LE_PUBLIC; 237 } 238 239 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR) 240 return -EINVAL; 241 242 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 243 /* We only allow ATT user space socket */ 244 if (la.l2_cid && 245 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) 246 return -EINVAL; 247 } 248 249 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and 250 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set. 251 */ 252 if (chan->psm && bdaddr_type_is_le(chan->src_type) && 253 chan->mode != L2CAP_MODE_EXT_FLOWCTL) 254 chan->mode = L2CAP_MODE_LE_FLOWCTL; 255 256 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid), 257 &la.l2_bdaddr, la.l2_bdaddr_type, 258 sk->sk_sndtimeo); 259 if (err) 260 return err; 261 262 lock_sock(sk); 263 264 err = bt_sock_wait_state(sk, BT_CONNECTED, 265 sock_sndtimeo(sk, flags & O_NONBLOCK)); 266 267 release_sock(sk); 268 269 return err; 270 } 271 272 static int l2cap_sock_listen(struct socket *sock, int backlog) 273 { 274 struct sock *sk = sock->sk; 275 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 276 int err = 0; 277 278 BT_DBG("sk %p backlog %d", sk, backlog); 279 280 lock_sock(sk); 281 282 if (sk->sk_state != BT_BOUND) { 283 err = -EBADFD; 284 goto done; 285 } 286 287 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) { 288 err = -EINVAL; 289 goto done; 290 } 291 292 switch (chan->mode) { 293 case L2CAP_MODE_BASIC: 294 case L2CAP_MODE_LE_FLOWCTL: 295 break; 296 case L2CAP_MODE_EXT_FLOWCTL: 297 if (!enable_ecred) { 298 err = -EOPNOTSUPP; 299 goto done; 300 } 301 break; 302 case L2CAP_MODE_ERTM: 303 case L2CAP_MODE_STREAMING: 304 if (!disable_ertm) 305 break; 306 fallthrough; 307 default: 308 err = -EOPNOTSUPP; 309 goto done; 310 } 311 312 sk->sk_max_ack_backlog = backlog; 313 sk->sk_ack_backlog = 0; 314 315 /* Listening channels need to use nested locking in order not to 316 * cause lockdep warnings when the created child channels end up 317 * being locked in the same thread as the parent channel. 318 */ 319 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT); 320 321 chan->state = BT_LISTEN; 322 sk->sk_state = BT_LISTEN; 323 324 done: 325 release_sock(sk); 326 return err; 327 } 328 329 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, 330 int flags, bool kern) 331 { 332 DEFINE_WAIT_FUNC(wait, woken_wake_function); 333 struct sock *sk = sock->sk, *nsk; 334 long timeo; 335 int err = 0; 336 337 lock_sock_nested(sk, L2CAP_NESTING_PARENT); 338 339 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK); 340 341 BT_DBG("sk %p timeo %ld", sk, timeo); 342 343 /* Wait for an incoming connection. (wake-one). */ 344 add_wait_queue_exclusive(sk_sleep(sk), &wait); 345 while (1) { 346 if (sk->sk_state != BT_LISTEN) { 347 err = -EBADFD; 348 break; 349 } 350 351 nsk = bt_accept_dequeue(sk, newsock); 352 if (nsk) 353 break; 354 355 if (!timeo) { 356 err = -EAGAIN; 357 break; 358 } 359 360 if (signal_pending(current)) { 361 err = sock_intr_errno(timeo); 362 break; 363 } 364 365 release_sock(sk); 366 367 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo); 368 369 lock_sock_nested(sk, L2CAP_NESTING_PARENT); 370 } 371 remove_wait_queue(sk_sleep(sk), &wait); 372 373 if (err) 374 goto done; 375 376 newsock->state = SS_CONNECTED; 377 378 BT_DBG("new socket %p", nsk); 379 380 done: 381 release_sock(sk); 382 return err; 383 } 384 385 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, 386 int peer) 387 { 388 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr; 389 struct sock *sk = sock->sk; 390 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 391 392 BT_DBG("sock %p, sk %p", sock, sk); 393 394 if (peer && sk->sk_state != BT_CONNECTED && 395 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 && 396 sk->sk_state != BT_CONFIG) 397 return -ENOTCONN; 398 399 memset(la, 0, sizeof(struct sockaddr_l2)); 400 addr->sa_family = AF_BLUETOOTH; 401 402 la->l2_psm = chan->psm; 403 404 if (peer) { 405 bacpy(&la->l2_bdaddr, &chan->dst); 406 la->l2_cid = cpu_to_le16(chan->dcid); 407 la->l2_bdaddr_type = chan->dst_type; 408 } else { 409 bacpy(&la->l2_bdaddr, &chan->src); 410 la->l2_cid = cpu_to_le16(chan->scid); 411 la->l2_bdaddr_type = chan->src_type; 412 } 413 414 return sizeof(struct sockaddr_l2); 415 } 416 417 static int l2cap_get_mode(struct l2cap_chan *chan) 418 { 419 switch (chan->mode) { 420 case L2CAP_MODE_BASIC: 421 return BT_MODE_BASIC; 422 case L2CAP_MODE_ERTM: 423 return BT_MODE_ERTM; 424 case L2CAP_MODE_STREAMING: 425 return BT_MODE_STREAMING; 426 case L2CAP_MODE_LE_FLOWCTL: 427 return BT_MODE_LE_FLOWCTL; 428 case L2CAP_MODE_EXT_FLOWCTL: 429 return BT_MODE_EXT_FLOWCTL; 430 } 431 432 return -EINVAL; 433 } 434 435 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, 436 char __user *optval, int __user *optlen) 437 { 438 struct sock *sk = sock->sk; 439 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 440 struct l2cap_options opts; 441 struct l2cap_conninfo cinfo; 442 int err = 0; 443 size_t len; 444 u32 opt; 445 446 BT_DBG("sk %p", sk); 447 448 if (get_user(len, optlen)) 449 return -EFAULT; 450 451 lock_sock(sk); 452 453 switch (optname) { 454 case L2CAP_OPTIONS: 455 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since 456 * legacy ATT code depends on getsockopt for 457 * L2CAP_OPTIONS we need to let this pass. 458 */ 459 if (bdaddr_type_is_le(chan->src_type) && 460 chan->scid != L2CAP_CID_ATT) { 461 err = -EINVAL; 462 break; 463 } 464 465 /* Only BR/EDR modes are supported here */ 466 switch (chan->mode) { 467 case L2CAP_MODE_BASIC: 468 case L2CAP_MODE_ERTM: 469 case L2CAP_MODE_STREAMING: 470 break; 471 default: 472 err = -EINVAL; 473 break; 474 } 475 476 if (err < 0) 477 break; 478 479 memset(&opts, 0, sizeof(opts)); 480 opts.imtu = chan->imtu; 481 opts.omtu = chan->omtu; 482 opts.flush_to = chan->flush_to; 483 opts.mode = chan->mode; 484 opts.fcs = chan->fcs; 485 opts.max_tx = chan->max_tx; 486 opts.txwin_size = chan->tx_win; 487 488 BT_DBG("mode 0x%2.2x", chan->mode); 489 490 len = min(len, sizeof(opts)); 491 if (copy_to_user(optval, (char *) &opts, len)) 492 err = -EFAULT; 493 494 break; 495 496 case L2CAP_LM: 497 switch (chan->sec_level) { 498 case BT_SECURITY_LOW: 499 opt = L2CAP_LM_AUTH; 500 break; 501 case BT_SECURITY_MEDIUM: 502 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT; 503 break; 504 case BT_SECURITY_HIGH: 505 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT | 506 L2CAP_LM_SECURE; 507 break; 508 case BT_SECURITY_FIPS: 509 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT | 510 L2CAP_LM_SECURE | L2CAP_LM_FIPS; 511 break; 512 default: 513 opt = 0; 514 break; 515 } 516 517 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags)) 518 opt |= L2CAP_LM_MASTER; 519 520 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags)) 521 opt |= L2CAP_LM_RELIABLE; 522 523 if (put_user(opt, (u32 __user *) optval)) 524 err = -EFAULT; 525 526 break; 527 528 case L2CAP_CONNINFO: 529 if (sk->sk_state != BT_CONNECTED && 530 !(sk->sk_state == BT_CONNECT2 && 531 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) { 532 err = -ENOTCONN; 533 break; 534 } 535 536 memset(&cinfo, 0, sizeof(cinfo)); 537 cinfo.hci_handle = chan->conn->hcon->handle; 538 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3); 539 540 len = min(len, sizeof(cinfo)); 541 if (copy_to_user(optval, (char *) &cinfo, len)) 542 err = -EFAULT; 543 544 break; 545 546 default: 547 err = -ENOPROTOOPT; 548 break; 549 } 550 551 release_sock(sk); 552 return err; 553 } 554 555 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, 556 char __user *optval, int __user *optlen) 557 { 558 struct sock *sk = sock->sk; 559 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 560 struct bt_security sec; 561 struct bt_power pwr; 562 u32 phys; 563 int len, mode, err = 0; 564 565 BT_DBG("sk %p", sk); 566 567 if (level == SOL_L2CAP) 568 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen); 569 570 if (level != SOL_BLUETOOTH) 571 return -ENOPROTOOPT; 572 573 if (get_user(len, optlen)) 574 return -EFAULT; 575 576 lock_sock(sk); 577 578 switch (optname) { 579 case BT_SECURITY: 580 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 581 chan->chan_type != L2CAP_CHAN_FIXED && 582 chan->chan_type != L2CAP_CHAN_RAW) { 583 err = -EINVAL; 584 break; 585 } 586 587 memset(&sec, 0, sizeof(sec)); 588 if (chan->conn) { 589 sec.level = chan->conn->hcon->sec_level; 590 591 if (sk->sk_state == BT_CONNECTED) 592 sec.key_size = chan->conn->hcon->enc_key_size; 593 } else { 594 sec.level = chan->sec_level; 595 } 596 597 len = min_t(unsigned int, len, sizeof(sec)); 598 if (copy_to_user(optval, (char *) &sec, len)) 599 err = -EFAULT; 600 601 break; 602 603 case BT_DEFER_SETUP: 604 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 605 err = -EINVAL; 606 break; 607 } 608 609 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags), 610 (u32 __user *) optval)) 611 err = -EFAULT; 612 613 break; 614 615 case BT_FLUSHABLE: 616 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags), 617 (u32 __user *) optval)) 618 err = -EFAULT; 619 620 break; 621 622 case BT_POWER: 623 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM 624 && sk->sk_type != SOCK_RAW) { 625 err = -EINVAL; 626 break; 627 } 628 629 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags); 630 631 len = min_t(unsigned int, len, sizeof(pwr)); 632 if (copy_to_user(optval, (char *) &pwr, len)) 633 err = -EFAULT; 634 635 break; 636 637 case BT_CHANNEL_POLICY: 638 if (put_user(chan->chan_policy, (u32 __user *) optval)) 639 err = -EFAULT; 640 break; 641 642 case BT_SNDMTU: 643 if (!bdaddr_type_is_le(chan->src_type)) { 644 err = -EINVAL; 645 break; 646 } 647 648 if (sk->sk_state != BT_CONNECTED) { 649 err = -ENOTCONN; 650 break; 651 } 652 653 if (put_user(chan->omtu, (u16 __user *) optval)) 654 err = -EFAULT; 655 break; 656 657 case BT_RCVMTU: 658 if (!bdaddr_type_is_le(chan->src_type)) { 659 err = -EINVAL; 660 break; 661 } 662 663 if (put_user(chan->imtu, (u16 __user *) optval)) 664 err = -EFAULT; 665 break; 666 667 case BT_PHY: 668 if (sk->sk_state != BT_CONNECTED) { 669 err = -ENOTCONN; 670 break; 671 } 672 673 phys = hci_conn_get_phy(chan->conn->hcon); 674 675 if (put_user(phys, (u32 __user *) optval)) 676 err = -EFAULT; 677 break; 678 679 case BT_MODE: 680 if (!enable_ecred) { 681 err = -ENOPROTOOPT; 682 break; 683 } 684 685 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 686 err = -EINVAL; 687 break; 688 } 689 690 mode = l2cap_get_mode(chan); 691 if (mode < 0) { 692 err = mode; 693 break; 694 } 695 696 if (put_user(mode, (u8 __user *) optval)) 697 err = -EFAULT; 698 break; 699 700 default: 701 err = -ENOPROTOOPT; 702 break; 703 } 704 705 release_sock(sk); 706 return err; 707 } 708 709 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu) 710 { 711 switch (chan->scid) { 712 case L2CAP_CID_ATT: 713 if (mtu < L2CAP_LE_MIN_MTU) 714 return false; 715 break; 716 717 default: 718 if (mtu < L2CAP_DEFAULT_MIN_MTU) 719 return false; 720 } 721 722 return true; 723 } 724 725 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, 726 sockptr_t optval, unsigned int optlen) 727 { 728 struct sock *sk = sock->sk; 729 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 730 struct l2cap_options opts; 731 int err = 0; 732 u32 opt; 733 734 BT_DBG("sk %p", sk); 735 736 lock_sock(sk); 737 738 switch (optname) { 739 case L2CAP_OPTIONS: 740 if (bdaddr_type_is_le(chan->src_type)) { 741 err = -EINVAL; 742 break; 743 } 744 745 if (sk->sk_state == BT_CONNECTED) { 746 err = -EINVAL; 747 break; 748 } 749 750 opts.imtu = chan->imtu; 751 opts.omtu = chan->omtu; 752 opts.flush_to = chan->flush_to; 753 opts.mode = chan->mode; 754 opts.fcs = chan->fcs; 755 opts.max_tx = chan->max_tx; 756 opts.txwin_size = chan->tx_win; 757 758 err = bt_copy_from_sockptr(&opts, sizeof(opts), optval, optlen); 759 if (err) 760 break; 761 762 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) { 763 err = -EINVAL; 764 break; 765 } 766 767 if (!l2cap_valid_mtu(chan, opts.imtu)) { 768 err = -EINVAL; 769 break; 770 } 771 772 /* Only BR/EDR modes are supported here */ 773 switch (opts.mode) { 774 case L2CAP_MODE_BASIC: 775 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state); 776 break; 777 case L2CAP_MODE_ERTM: 778 case L2CAP_MODE_STREAMING: 779 if (!disable_ertm) 780 break; 781 fallthrough; 782 default: 783 err = -EINVAL; 784 break; 785 } 786 787 if (err < 0) 788 break; 789 790 chan->mode = opts.mode; 791 792 BT_DBG("mode 0x%2.2x", chan->mode); 793 794 chan->imtu = opts.imtu; 795 chan->omtu = opts.omtu; 796 chan->fcs = opts.fcs; 797 chan->max_tx = opts.max_tx; 798 chan->tx_win = opts.txwin_size; 799 chan->flush_to = opts.flush_to; 800 break; 801 802 case L2CAP_LM: 803 err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); 804 if (err) 805 break; 806 807 if (opt & L2CAP_LM_FIPS) { 808 err = -EINVAL; 809 break; 810 } 811 812 if (opt & L2CAP_LM_AUTH) 813 chan->sec_level = BT_SECURITY_LOW; 814 if (opt & L2CAP_LM_ENCRYPT) 815 chan->sec_level = BT_SECURITY_MEDIUM; 816 if (opt & L2CAP_LM_SECURE) 817 chan->sec_level = BT_SECURITY_HIGH; 818 819 if (opt & L2CAP_LM_MASTER) 820 set_bit(FLAG_ROLE_SWITCH, &chan->flags); 821 else 822 clear_bit(FLAG_ROLE_SWITCH, &chan->flags); 823 824 if (opt & L2CAP_LM_RELIABLE) 825 set_bit(FLAG_FORCE_RELIABLE, &chan->flags); 826 else 827 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags); 828 break; 829 830 default: 831 err = -ENOPROTOOPT; 832 break; 833 } 834 835 release_sock(sk); 836 return err; 837 } 838 839 static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode) 840 { 841 switch (mode) { 842 case BT_MODE_BASIC: 843 if (bdaddr_type_is_le(chan->src_type)) 844 return -EINVAL; 845 mode = L2CAP_MODE_BASIC; 846 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state); 847 break; 848 case BT_MODE_ERTM: 849 if (!disable_ertm || bdaddr_type_is_le(chan->src_type)) 850 return -EINVAL; 851 mode = L2CAP_MODE_ERTM; 852 break; 853 case BT_MODE_STREAMING: 854 if (!disable_ertm || bdaddr_type_is_le(chan->src_type)) 855 return -EINVAL; 856 mode = L2CAP_MODE_STREAMING; 857 break; 858 case BT_MODE_LE_FLOWCTL: 859 if (!bdaddr_type_is_le(chan->src_type)) 860 return -EINVAL; 861 mode = L2CAP_MODE_LE_FLOWCTL; 862 break; 863 case BT_MODE_EXT_FLOWCTL: 864 /* TODO: Add support for ECRED PDUs to BR/EDR */ 865 if (!bdaddr_type_is_le(chan->src_type)) 866 return -EINVAL; 867 mode = L2CAP_MODE_EXT_FLOWCTL; 868 break; 869 default: 870 return -EINVAL; 871 } 872 873 chan->mode = mode; 874 875 return 0; 876 } 877 878 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, 879 sockptr_t optval, unsigned int optlen) 880 { 881 struct sock *sk = sock->sk; 882 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 883 struct bt_security sec; 884 struct bt_power pwr; 885 struct l2cap_conn *conn; 886 int err = 0; 887 u32 opt; 888 u16 mtu; 889 u8 mode; 890 891 BT_DBG("sk %p", sk); 892 893 if (level == SOL_L2CAP) 894 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen); 895 896 if (level != SOL_BLUETOOTH) 897 return -ENOPROTOOPT; 898 899 lock_sock(sk); 900 901 switch (optname) { 902 case BT_SECURITY: 903 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 904 chan->chan_type != L2CAP_CHAN_FIXED && 905 chan->chan_type != L2CAP_CHAN_RAW) { 906 err = -EINVAL; 907 break; 908 } 909 910 sec.level = BT_SECURITY_LOW; 911 912 err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen); 913 if (err) 914 break; 915 916 if (sec.level < BT_SECURITY_LOW || 917 sec.level > BT_SECURITY_FIPS) { 918 err = -EINVAL; 919 break; 920 } 921 922 chan->sec_level = sec.level; 923 924 if (!chan->conn) 925 break; 926 927 conn = chan->conn; 928 929 /* change security for LE channels */ 930 if (chan->scid == L2CAP_CID_ATT) { 931 if (smp_conn_security(conn->hcon, sec.level)) { 932 err = -EINVAL; 933 break; 934 } 935 936 set_bit(FLAG_PENDING_SECURITY, &chan->flags); 937 sk->sk_state = BT_CONFIG; 938 chan->state = BT_CONFIG; 939 940 /* or for ACL link */ 941 } else if ((sk->sk_state == BT_CONNECT2 && 942 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) || 943 sk->sk_state == BT_CONNECTED) { 944 if (!l2cap_chan_check_security(chan, true)) 945 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 946 else 947 sk->sk_state_change(sk); 948 } else { 949 err = -EINVAL; 950 } 951 break; 952 953 case BT_DEFER_SETUP: 954 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 955 err = -EINVAL; 956 break; 957 } 958 959 err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); 960 if (err) 961 break; 962 963 if (opt) { 964 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 965 set_bit(FLAG_DEFER_SETUP, &chan->flags); 966 } else { 967 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 968 clear_bit(FLAG_DEFER_SETUP, &chan->flags); 969 } 970 break; 971 972 case BT_FLUSHABLE: 973 err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); 974 if (err) 975 break; 976 977 if (opt > BT_FLUSHABLE_ON) { 978 err = -EINVAL; 979 break; 980 } 981 982 if (opt == BT_FLUSHABLE_OFF) { 983 conn = chan->conn; 984 /* proceed further only when we have l2cap_conn and 985 No Flush support in the LM */ 986 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) { 987 err = -EINVAL; 988 break; 989 } 990 } 991 992 if (opt) 993 set_bit(FLAG_FLUSHABLE, &chan->flags); 994 else 995 clear_bit(FLAG_FLUSHABLE, &chan->flags); 996 break; 997 998 case BT_POWER: 999 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 1000 chan->chan_type != L2CAP_CHAN_RAW) { 1001 err = -EINVAL; 1002 break; 1003 } 1004 1005 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON; 1006 1007 err = bt_copy_from_sockptr(&pwr, sizeof(pwr), optval, optlen); 1008 if (err) 1009 break; 1010 1011 if (pwr.force_active) 1012 set_bit(FLAG_FORCE_ACTIVE, &chan->flags); 1013 else 1014 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags); 1015 break; 1016 1017 case BT_CHANNEL_POLICY: 1018 err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); 1019 if (err) 1020 break; 1021 1022 err = -EOPNOTSUPP; 1023 break; 1024 1025 case BT_SNDMTU: 1026 if (!bdaddr_type_is_le(chan->src_type)) { 1027 err = -EINVAL; 1028 break; 1029 } 1030 1031 /* Setting is not supported as it's the remote side that 1032 * decides this. 1033 */ 1034 err = -EPERM; 1035 break; 1036 1037 case BT_RCVMTU: 1038 if (!bdaddr_type_is_le(chan->src_type)) { 1039 err = -EINVAL; 1040 break; 1041 } 1042 1043 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && 1044 sk->sk_state == BT_CONNECTED) { 1045 err = -EISCONN; 1046 break; 1047 } 1048 1049 err = bt_copy_from_sockptr(&mtu, sizeof(mtu), optval, optlen); 1050 if (err) 1051 break; 1052 1053 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL && 1054 sk->sk_state == BT_CONNECTED) 1055 err = l2cap_chan_reconfigure(chan, mtu); 1056 else 1057 chan->imtu = mtu; 1058 1059 break; 1060 1061 case BT_MODE: 1062 if (!enable_ecred) { 1063 err = -ENOPROTOOPT; 1064 break; 1065 } 1066 1067 BT_DBG("sk->sk_state %u", sk->sk_state); 1068 1069 if (sk->sk_state != BT_BOUND) { 1070 err = -EINVAL; 1071 break; 1072 } 1073 1074 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 1075 err = -EINVAL; 1076 break; 1077 } 1078 1079 err = bt_copy_from_sockptr(&mode, sizeof(mode), optval, optlen); 1080 if (err) 1081 break; 1082 1083 BT_DBG("mode %u", mode); 1084 1085 err = l2cap_set_mode(chan, mode); 1086 if (err) 1087 break; 1088 1089 BT_DBG("mode 0x%2.2x", chan->mode); 1090 1091 break; 1092 1093 default: 1094 err = -ENOPROTOOPT; 1095 break; 1096 } 1097 1098 release_sock(sk); 1099 return err; 1100 } 1101 1102 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg, 1103 size_t len) 1104 { 1105 struct sock *sk = sock->sk; 1106 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1107 int err; 1108 1109 BT_DBG("sock %p, sk %p", sock, sk); 1110 1111 err = sock_error(sk); 1112 if (err) 1113 return err; 1114 1115 if (msg->msg_flags & MSG_OOB) 1116 return -EOPNOTSUPP; 1117 1118 if (sk->sk_state != BT_CONNECTED) 1119 return -ENOTCONN; 1120 1121 lock_sock(sk); 1122 err = bt_sock_wait_ready(sk, msg->msg_flags); 1123 release_sock(sk); 1124 if (err) 1125 return err; 1126 1127 l2cap_chan_lock(chan); 1128 err = l2cap_chan_send(chan, msg, len); 1129 l2cap_chan_unlock(chan); 1130 1131 return err; 1132 } 1133 1134 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg, 1135 size_t len, int flags) 1136 { 1137 struct sock *sk = sock->sk; 1138 struct l2cap_pinfo *pi = l2cap_pi(sk); 1139 int err; 1140 1141 lock_sock(sk); 1142 1143 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP, 1144 &bt_sk(sk)->flags)) { 1145 if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) { 1146 sk->sk_state = BT_CONNECTED; 1147 pi->chan->state = BT_CONNECTED; 1148 __l2cap_ecred_conn_rsp_defer(pi->chan); 1149 } else if (bdaddr_type_is_le(pi->chan->src_type)) { 1150 sk->sk_state = BT_CONNECTED; 1151 pi->chan->state = BT_CONNECTED; 1152 __l2cap_le_connect_rsp_defer(pi->chan); 1153 } else { 1154 sk->sk_state = BT_CONFIG; 1155 pi->chan->state = BT_CONFIG; 1156 __l2cap_connect_rsp_defer(pi->chan); 1157 } 1158 1159 err = 0; 1160 goto done; 1161 } 1162 1163 release_sock(sk); 1164 1165 if (sock->type == SOCK_STREAM) 1166 err = bt_sock_stream_recvmsg(sock, msg, len, flags); 1167 else 1168 err = bt_sock_recvmsg(sock, msg, len, flags); 1169 1170 if (pi->chan->mode != L2CAP_MODE_ERTM) 1171 return err; 1172 1173 /* Attempt to put pending rx data in the socket buffer */ 1174 1175 lock_sock(sk); 1176 1177 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state)) 1178 goto done; 1179 1180 if (pi->rx_busy_skb) { 1181 if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb)) 1182 pi->rx_busy_skb = NULL; 1183 else 1184 goto done; 1185 } 1186 1187 /* Restore data flow when half of the receive buffer is 1188 * available. This avoids resending large numbers of 1189 * frames. 1190 */ 1191 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1) 1192 l2cap_chan_busy(pi->chan, 0); 1193 1194 done: 1195 release_sock(sk); 1196 return err; 1197 } 1198 1199 /* Kill socket (only if zapped and orphan) 1200 * Must be called on unlocked socket, with l2cap channel lock. 1201 */ 1202 static void l2cap_sock_kill(struct sock *sk) 1203 { 1204 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket) 1205 return; 1206 1207 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state)); 1208 1209 /* Kill poor orphan */ 1210 1211 l2cap_chan_put(l2cap_pi(sk)->chan); 1212 sock_set_flag(sk, SOCK_DEAD); 1213 sock_put(sk); 1214 } 1215 1216 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan) 1217 { 1218 DECLARE_WAITQUEUE(wait, current); 1219 int err = 0; 1220 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD; 1221 /* Timeout to prevent infinite loop */ 1222 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT; 1223 1224 add_wait_queue(sk_sleep(sk), &wait); 1225 set_current_state(TASK_INTERRUPTIBLE); 1226 do { 1227 BT_DBG("Waiting for %d ACKs, timeout %04d ms", 1228 chan->unacked_frames, time_after(jiffies, timeout) ? 0 : 1229 jiffies_to_msecs(timeout - jiffies)); 1230 1231 if (!timeo) 1232 timeo = L2CAP_WAIT_ACK_POLL_PERIOD; 1233 1234 if (signal_pending(current)) { 1235 err = sock_intr_errno(timeo); 1236 break; 1237 } 1238 1239 release_sock(sk); 1240 timeo = schedule_timeout(timeo); 1241 lock_sock(sk); 1242 set_current_state(TASK_INTERRUPTIBLE); 1243 1244 err = sock_error(sk); 1245 if (err) 1246 break; 1247 1248 if (time_after(jiffies, timeout)) { 1249 err = -ENOLINK; 1250 break; 1251 } 1252 1253 } while (chan->unacked_frames > 0 && 1254 chan->state == BT_CONNECTED); 1255 1256 set_current_state(TASK_RUNNING); 1257 remove_wait_queue(sk_sleep(sk), &wait); 1258 return err; 1259 } 1260 1261 static int l2cap_sock_shutdown(struct socket *sock, int how) 1262 { 1263 struct sock *sk = sock->sk; 1264 struct l2cap_chan *chan; 1265 struct l2cap_conn *conn; 1266 int err = 0; 1267 1268 BT_DBG("sock %p, sk %p, how %d", sock, sk, how); 1269 1270 /* 'how' parameter is mapped to sk_shutdown as follows: 1271 * SHUT_RD (0) --> RCV_SHUTDOWN (1) 1272 * SHUT_WR (1) --> SEND_SHUTDOWN (2) 1273 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3) 1274 */ 1275 how++; 1276 1277 if (!sk) 1278 return 0; 1279 1280 lock_sock(sk); 1281 1282 if ((sk->sk_shutdown & how) == how) 1283 goto shutdown_already; 1284 1285 BT_DBG("Handling sock shutdown"); 1286 1287 /* prevent sk structure from being freed whilst unlocked */ 1288 sock_hold(sk); 1289 1290 chan = l2cap_pi(sk)->chan; 1291 /* prevent chan structure from being freed whilst unlocked */ 1292 l2cap_chan_hold(chan); 1293 1294 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 1295 1296 if (chan->mode == L2CAP_MODE_ERTM && 1297 chan->unacked_frames > 0 && 1298 chan->state == BT_CONNECTED) { 1299 err = __l2cap_wait_ack(sk, chan); 1300 1301 /* After waiting for ACKs, check whether shutdown 1302 * has already been actioned to close the L2CAP 1303 * link such as by l2cap_disconnection_req(). 1304 */ 1305 if ((sk->sk_shutdown & how) == how) 1306 goto shutdown_matched; 1307 } 1308 1309 /* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN 1310 * is already set 1311 */ 1312 if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) { 1313 sk->sk_shutdown |= RCV_SHUTDOWN; 1314 if ((sk->sk_shutdown & how) == how) 1315 goto shutdown_matched; 1316 } 1317 1318 sk->sk_shutdown |= SEND_SHUTDOWN; 1319 release_sock(sk); 1320 1321 l2cap_chan_lock(chan); 1322 conn = chan->conn; 1323 if (conn) 1324 /* prevent conn structure from being freed */ 1325 l2cap_conn_get(conn); 1326 l2cap_chan_unlock(chan); 1327 1328 if (conn) 1329 /* mutex lock must be taken before l2cap_chan_lock() */ 1330 mutex_lock(&conn->chan_lock); 1331 1332 l2cap_chan_lock(chan); 1333 l2cap_chan_close(chan, 0); 1334 l2cap_chan_unlock(chan); 1335 1336 if (conn) { 1337 mutex_unlock(&conn->chan_lock); 1338 l2cap_conn_put(conn); 1339 } 1340 1341 lock_sock(sk); 1342 1343 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime && 1344 !(current->flags & PF_EXITING)) 1345 err = bt_sock_wait_state(sk, BT_CLOSED, 1346 sk->sk_lingertime); 1347 1348 shutdown_matched: 1349 l2cap_chan_put(chan); 1350 sock_put(sk); 1351 1352 shutdown_already: 1353 if (!err && sk->sk_err) 1354 err = -sk->sk_err; 1355 1356 release_sock(sk); 1357 1358 BT_DBG("Sock shutdown complete err: %d", err); 1359 1360 return err; 1361 } 1362 1363 static int l2cap_sock_release(struct socket *sock) 1364 { 1365 struct sock *sk = sock->sk; 1366 int err; 1367 struct l2cap_chan *chan; 1368 1369 BT_DBG("sock %p, sk %p", sock, sk); 1370 1371 if (!sk) 1372 return 0; 1373 1374 l2cap_sock_cleanup_listen(sk); 1375 bt_sock_unlink(&l2cap_sk_list, sk); 1376 1377 err = l2cap_sock_shutdown(sock, SHUT_RDWR); 1378 chan = l2cap_pi(sk)->chan; 1379 1380 l2cap_chan_hold(chan); 1381 l2cap_chan_lock(chan); 1382 1383 sock_orphan(sk); 1384 l2cap_sock_kill(sk); 1385 1386 l2cap_chan_unlock(chan); 1387 l2cap_chan_put(chan); 1388 1389 return err; 1390 } 1391 1392 static void l2cap_sock_cleanup_listen(struct sock *parent) 1393 { 1394 struct sock *sk; 1395 1396 BT_DBG("parent %p state %s", parent, 1397 state_to_string(parent->sk_state)); 1398 1399 /* Close not yet accepted channels */ 1400 while ((sk = bt_accept_dequeue(parent, NULL))) { 1401 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1402 1403 BT_DBG("child chan %p state %s", chan, 1404 state_to_string(chan->state)); 1405 1406 l2cap_chan_hold(chan); 1407 l2cap_chan_lock(chan); 1408 1409 __clear_chan_timer(chan); 1410 l2cap_chan_close(chan, ECONNRESET); 1411 l2cap_sock_kill(sk); 1412 1413 l2cap_chan_unlock(chan); 1414 l2cap_chan_put(chan); 1415 } 1416 } 1417 1418 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan) 1419 { 1420 struct sock *sk, *parent = chan->data; 1421 1422 lock_sock(parent); 1423 1424 /* Check for backlog size */ 1425 if (sk_acceptq_is_full(parent)) { 1426 BT_DBG("backlog full %d", parent->sk_ack_backlog); 1427 release_sock(parent); 1428 return NULL; 1429 } 1430 1431 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, 1432 GFP_ATOMIC, 0); 1433 if (!sk) { 1434 release_sock(parent); 1435 return NULL; 1436 } 1437 1438 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP); 1439 1440 l2cap_sock_init(sk, parent); 1441 1442 bt_accept_enqueue(parent, sk, false); 1443 1444 release_sock(parent); 1445 1446 return l2cap_pi(sk)->chan; 1447 } 1448 1449 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) 1450 { 1451 struct sock *sk = chan->data; 1452 int err; 1453 1454 lock_sock(sk); 1455 1456 if (l2cap_pi(sk)->rx_busy_skb) { 1457 err = -ENOMEM; 1458 goto done; 1459 } 1460 1461 if (chan->mode != L2CAP_MODE_ERTM && 1462 chan->mode != L2CAP_MODE_STREAMING) { 1463 /* Even if no filter is attached, we could potentially 1464 * get errors from security modules, etc. 1465 */ 1466 err = sk_filter(sk, skb); 1467 if (err) 1468 goto done; 1469 } 1470 1471 err = __sock_queue_rcv_skb(sk, skb); 1472 1473 /* For ERTM, handle one skb that doesn't fit into the recv 1474 * buffer. This is important to do because the data frames 1475 * have already been acked, so the skb cannot be discarded. 1476 * 1477 * Notify the l2cap core that the buffer is full, so the 1478 * LOCAL_BUSY state is entered and no more frames are 1479 * acked and reassembled until there is buffer space 1480 * available. 1481 */ 1482 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) { 1483 l2cap_pi(sk)->rx_busy_skb = skb; 1484 l2cap_chan_busy(chan, 1); 1485 err = 0; 1486 } 1487 1488 done: 1489 release_sock(sk); 1490 1491 return err; 1492 } 1493 1494 static void l2cap_sock_close_cb(struct l2cap_chan *chan) 1495 { 1496 struct sock *sk = chan->data; 1497 1498 if (!sk) 1499 return; 1500 1501 l2cap_sock_kill(sk); 1502 } 1503 1504 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err) 1505 { 1506 struct sock *sk = chan->data; 1507 struct sock *parent; 1508 1509 if (!sk) 1510 return; 1511 1512 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 1513 1514 /* This callback can be called both for server (BT_LISTEN) 1515 * sockets as well as "normal" ones. To avoid lockdep warnings 1516 * with child socket locking (through l2cap_sock_cleanup_listen) 1517 * we need separation into separate nesting levels. The simplest 1518 * way to accomplish this is to inherit the nesting level used 1519 * for the channel. 1520 */ 1521 lock_sock_nested(sk, atomic_read(&chan->nesting)); 1522 1523 parent = bt_sk(sk)->parent; 1524 1525 switch (chan->state) { 1526 case BT_OPEN: 1527 case BT_BOUND: 1528 case BT_CLOSED: 1529 break; 1530 case BT_LISTEN: 1531 l2cap_sock_cleanup_listen(sk); 1532 sk->sk_state = BT_CLOSED; 1533 chan->state = BT_CLOSED; 1534 1535 break; 1536 default: 1537 sk->sk_state = BT_CLOSED; 1538 chan->state = BT_CLOSED; 1539 1540 sk->sk_err = err; 1541 1542 if (parent) { 1543 bt_accept_unlink(sk); 1544 parent->sk_data_ready(parent); 1545 } else { 1546 sk->sk_state_change(sk); 1547 } 1548 1549 break; 1550 } 1551 release_sock(sk); 1552 1553 /* Only zap after cleanup to avoid use after free race */ 1554 sock_set_flag(sk, SOCK_ZAPPED); 1555 1556 } 1557 1558 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state, 1559 int err) 1560 { 1561 struct sock *sk = chan->data; 1562 1563 sk->sk_state = state; 1564 1565 if (err) 1566 sk->sk_err = err; 1567 } 1568 1569 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan, 1570 unsigned long hdr_len, 1571 unsigned long len, int nb) 1572 { 1573 struct sock *sk = chan->data; 1574 struct sk_buff *skb; 1575 int err; 1576 1577 l2cap_chan_unlock(chan); 1578 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err); 1579 l2cap_chan_lock(chan); 1580 1581 if (!skb) 1582 return ERR_PTR(err); 1583 1584 /* Channel lock is released before requesting new skb and then 1585 * reacquired thus we need to recheck channel state. 1586 */ 1587 if (chan->state != BT_CONNECTED) { 1588 kfree_skb(skb); 1589 return ERR_PTR(-ENOTCONN); 1590 } 1591 1592 skb->priority = READ_ONCE(sk->sk_priority); 1593 1594 bt_cb(skb)->l2cap.chan = chan; 1595 1596 return skb; 1597 } 1598 1599 static void l2cap_sock_ready_cb(struct l2cap_chan *chan) 1600 { 1601 struct sock *sk = chan->data; 1602 struct sock *parent; 1603 1604 lock_sock(sk); 1605 1606 parent = bt_sk(sk)->parent; 1607 1608 BT_DBG("sk %p, parent %p", sk, parent); 1609 1610 sk->sk_state = BT_CONNECTED; 1611 sk->sk_state_change(sk); 1612 1613 if (parent) 1614 parent->sk_data_ready(parent); 1615 1616 release_sock(sk); 1617 } 1618 1619 static void l2cap_sock_defer_cb(struct l2cap_chan *chan) 1620 { 1621 struct sock *parent, *sk = chan->data; 1622 1623 lock_sock(sk); 1624 1625 parent = bt_sk(sk)->parent; 1626 if (parent) 1627 parent->sk_data_ready(parent); 1628 1629 release_sock(sk); 1630 } 1631 1632 static void l2cap_sock_resume_cb(struct l2cap_chan *chan) 1633 { 1634 struct sock *sk = chan->data; 1635 1636 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) { 1637 sk->sk_state = BT_CONNECTED; 1638 chan->state = BT_CONNECTED; 1639 } 1640 1641 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 1642 sk->sk_state_change(sk); 1643 } 1644 1645 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan) 1646 { 1647 struct sock *sk = chan->data; 1648 1649 lock_sock(sk); 1650 sk->sk_shutdown = SHUTDOWN_MASK; 1651 release_sock(sk); 1652 } 1653 1654 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan) 1655 { 1656 struct sock *sk = chan->data; 1657 1658 return sk->sk_sndtimeo; 1659 } 1660 1661 static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan) 1662 { 1663 struct sock *sk = chan->data; 1664 1665 return sk->sk_peer_pid; 1666 } 1667 1668 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan) 1669 { 1670 struct sock *sk = chan->data; 1671 1672 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 1673 sk->sk_state_change(sk); 1674 } 1675 1676 static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb) 1677 { 1678 struct sock *sk = chan->data; 1679 1680 switch (chan->mode) { 1681 case L2CAP_MODE_ERTM: 1682 case L2CAP_MODE_STREAMING: 1683 return sk_filter(sk, skb); 1684 } 1685 1686 return 0; 1687 } 1688 1689 static const struct l2cap_ops l2cap_chan_ops = { 1690 .name = "L2CAP Socket Interface", 1691 .new_connection = l2cap_sock_new_connection_cb, 1692 .recv = l2cap_sock_recv_cb, 1693 .close = l2cap_sock_close_cb, 1694 .teardown = l2cap_sock_teardown_cb, 1695 .state_change = l2cap_sock_state_change_cb, 1696 .ready = l2cap_sock_ready_cb, 1697 .defer = l2cap_sock_defer_cb, 1698 .resume = l2cap_sock_resume_cb, 1699 .suspend = l2cap_sock_suspend_cb, 1700 .set_shutdown = l2cap_sock_set_shutdown_cb, 1701 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb, 1702 .get_peer_pid = l2cap_sock_get_peer_pid_cb, 1703 .alloc_skb = l2cap_sock_alloc_skb_cb, 1704 .filter = l2cap_sock_filter, 1705 }; 1706 1707 static void l2cap_sock_destruct(struct sock *sk) 1708 { 1709 BT_DBG("sk %p", sk); 1710 1711 if (l2cap_pi(sk)->chan) { 1712 l2cap_pi(sk)->chan->data = NULL; 1713 l2cap_chan_put(l2cap_pi(sk)->chan); 1714 } 1715 1716 if (l2cap_pi(sk)->rx_busy_skb) { 1717 kfree_skb(l2cap_pi(sk)->rx_busy_skb); 1718 l2cap_pi(sk)->rx_busy_skb = NULL; 1719 } 1720 1721 skb_queue_purge(&sk->sk_receive_queue); 1722 skb_queue_purge(&sk->sk_write_queue); 1723 } 1724 1725 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name, 1726 int *msg_namelen) 1727 { 1728 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name); 1729 1730 memset(la, 0, sizeof(struct sockaddr_l2)); 1731 la->l2_family = AF_BLUETOOTH; 1732 la->l2_psm = bt_cb(skb)->l2cap.psm; 1733 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr); 1734 1735 *msg_namelen = sizeof(struct sockaddr_l2); 1736 } 1737 1738 static void l2cap_sock_init(struct sock *sk, struct sock *parent) 1739 { 1740 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1741 1742 BT_DBG("sk %p", sk); 1743 1744 if (parent) { 1745 struct l2cap_chan *pchan = l2cap_pi(parent)->chan; 1746 1747 sk->sk_type = parent->sk_type; 1748 bt_sk(sk)->flags = bt_sk(parent)->flags; 1749 1750 chan->chan_type = pchan->chan_type; 1751 chan->imtu = pchan->imtu; 1752 chan->omtu = pchan->omtu; 1753 chan->conf_state = pchan->conf_state; 1754 chan->mode = pchan->mode; 1755 chan->fcs = pchan->fcs; 1756 chan->max_tx = pchan->max_tx; 1757 chan->tx_win = pchan->tx_win; 1758 chan->tx_win_max = pchan->tx_win_max; 1759 chan->sec_level = pchan->sec_level; 1760 chan->flags = pchan->flags; 1761 chan->tx_credits = pchan->tx_credits; 1762 chan->rx_credits = pchan->rx_credits; 1763 1764 if (chan->chan_type == L2CAP_CHAN_FIXED) { 1765 chan->scid = pchan->scid; 1766 chan->dcid = pchan->scid; 1767 } 1768 1769 security_sk_clone(parent, sk); 1770 } else { 1771 switch (sk->sk_type) { 1772 case SOCK_RAW: 1773 chan->chan_type = L2CAP_CHAN_RAW; 1774 break; 1775 case SOCK_DGRAM: 1776 chan->chan_type = L2CAP_CHAN_CONN_LESS; 1777 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name; 1778 break; 1779 case SOCK_SEQPACKET: 1780 case SOCK_STREAM: 1781 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED; 1782 break; 1783 } 1784 1785 chan->imtu = L2CAP_DEFAULT_MTU; 1786 chan->omtu = 0; 1787 if (!disable_ertm && sk->sk_type == SOCK_STREAM) { 1788 chan->mode = L2CAP_MODE_ERTM; 1789 set_bit(CONF_STATE2_DEVICE, &chan->conf_state); 1790 } else { 1791 chan->mode = L2CAP_MODE_BASIC; 1792 } 1793 1794 l2cap_chan_set_defaults(chan); 1795 } 1796 1797 /* Default config options */ 1798 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO; 1799 1800 chan->data = sk; 1801 chan->ops = &l2cap_chan_ops; 1802 } 1803 1804 static struct proto l2cap_proto = { 1805 .name = "L2CAP", 1806 .owner = THIS_MODULE, 1807 .obj_size = sizeof(struct l2cap_pinfo) 1808 }; 1809 1810 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, 1811 int proto, gfp_t prio, int kern) 1812 { 1813 struct sock *sk; 1814 struct l2cap_chan *chan; 1815 1816 sk = bt_sock_alloc(net, sock, &l2cap_proto, proto, prio, kern); 1817 if (!sk) 1818 return NULL; 1819 1820 sk->sk_destruct = l2cap_sock_destruct; 1821 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT; 1822 1823 chan = l2cap_chan_create(); 1824 if (!chan) { 1825 sk_free(sk); 1826 return NULL; 1827 } 1828 1829 l2cap_chan_hold(chan); 1830 1831 l2cap_pi(sk)->chan = chan; 1832 1833 return sk; 1834 } 1835 1836 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol, 1837 int kern) 1838 { 1839 struct sock *sk; 1840 1841 BT_DBG("sock %p", sock); 1842 1843 sock->state = SS_UNCONNECTED; 1844 1845 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM && 1846 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW) 1847 return -ESOCKTNOSUPPORT; 1848 1849 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW)) 1850 return -EPERM; 1851 1852 sock->ops = &l2cap_sock_ops; 1853 1854 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern); 1855 if (!sk) 1856 return -ENOMEM; 1857 1858 l2cap_sock_init(sk, NULL); 1859 bt_sock_link(&l2cap_sk_list, sk); 1860 return 0; 1861 } 1862 1863 static const struct proto_ops l2cap_sock_ops = { 1864 .family = PF_BLUETOOTH, 1865 .owner = THIS_MODULE, 1866 .release = l2cap_sock_release, 1867 .bind = l2cap_sock_bind, 1868 .connect = l2cap_sock_connect, 1869 .listen = l2cap_sock_listen, 1870 .accept = l2cap_sock_accept, 1871 .getname = l2cap_sock_getname, 1872 .sendmsg = l2cap_sock_sendmsg, 1873 .recvmsg = l2cap_sock_recvmsg, 1874 .poll = bt_sock_poll, 1875 .ioctl = bt_sock_ioctl, 1876 .gettstamp = sock_gettstamp, 1877 .mmap = sock_no_mmap, 1878 .socketpair = sock_no_socketpair, 1879 .shutdown = l2cap_sock_shutdown, 1880 .setsockopt = l2cap_sock_setsockopt, 1881 .getsockopt = l2cap_sock_getsockopt 1882 }; 1883 1884 static const struct net_proto_family l2cap_sock_family_ops = { 1885 .family = PF_BLUETOOTH, 1886 .owner = THIS_MODULE, 1887 .create = l2cap_sock_create, 1888 }; 1889 1890 int __init l2cap_init_sockets(void) 1891 { 1892 int err; 1893 1894 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr)); 1895 1896 err = proto_register(&l2cap_proto, 0); 1897 if (err < 0) 1898 return err; 1899 1900 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops); 1901 if (err < 0) { 1902 BT_ERR("L2CAP socket registration failed"); 1903 goto error; 1904 } 1905 1906 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list, 1907 NULL); 1908 if (err < 0) { 1909 BT_ERR("Failed to create L2CAP proc file"); 1910 bt_sock_unregister(BTPROTO_L2CAP); 1911 goto error; 1912 } 1913 1914 BT_INFO("L2CAP socket layer initialized"); 1915 1916 return 0; 1917 1918 error: 1919 proto_unregister(&l2cap_proto); 1920 return err; 1921 } 1922 1923 void l2cap_cleanup_sockets(void) 1924 { 1925 bt_procfs_cleanup(&init_net, "l2cap"); 1926 bt_sock_unregister(BTPROTO_L2CAP); 1927 proto_unregister(&l2cap_proto); 1928 } 1929