1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org> 5 Copyright (C) 2010 Google Inc. 6 Copyright (C) 2011 ProFUSION Embedded Systems 7 8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 9 10 This program is free software; you can redistribute it and/or modify 11 it under the terms of the GNU General Public License version 2 as 12 published by the Free Software Foundation; 13 14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 22 23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 25 SOFTWARE IS DISCLAIMED. 26 */ 27 28 /* Bluetooth L2CAP sockets. */ 29 30 #include <linux/module.h> 31 #include <linux/export.h> 32 #include <linux/filter.h> 33 #include <linux/sched/signal.h> 34 35 #include <net/bluetooth/bluetooth.h> 36 #include <net/bluetooth/hci_core.h> 37 #include <net/bluetooth/l2cap.h> 38 39 #include "smp.h" 40 41 static struct bt_sock_list l2cap_sk_list = { 42 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock) 43 }; 44 45 static const struct proto_ops l2cap_sock_ops; 46 static void l2cap_sock_init(struct sock *sk, struct sock *parent); 47 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, 48 int proto, gfp_t prio, int kern); 49 static void l2cap_sock_cleanup_listen(struct sock *parent); 50 51 bool l2cap_is_socket(struct socket *sock) 52 { 53 return sock && sock->ops == &l2cap_sock_ops; 54 } 55 EXPORT_SYMBOL(l2cap_is_socket); 56 57 static int l2cap_validate_bredr_psm(u16 psm) 58 { 59 /* PSM must be odd and lsb of upper byte must be 0 */ 60 if ((psm & 0x0101) != 0x0001) 61 return -EINVAL; 62 63 /* Restrict usage of well-known PSMs */ 64 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE)) 65 return -EACCES; 66 67 return 0; 68 } 69 70 static int l2cap_validate_le_psm(u16 psm) 71 { 72 /* Valid LE_PSM ranges are defined only until 0x00ff */ 73 if (psm > L2CAP_PSM_LE_DYN_END) 74 return -EINVAL; 75 76 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */ 77 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE)) 78 return -EACCES; 79 80 return 0; 81 } 82 83 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) 84 { 85 struct sock *sk = sock->sk; 86 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 87 struct sockaddr_l2 la; 88 int len, err = 0; 89 90 BT_DBG("sk %p", sk); 91 92 if (!addr || alen < offsetofend(struct sockaddr, sa_family) || 93 addr->sa_family != AF_BLUETOOTH) 94 return -EINVAL; 95 96 memset(&la, 0, sizeof(la)); 97 len = min_t(unsigned int, sizeof(la), alen); 98 memcpy(&la, addr, len); 99 100 if (la.l2_cid && la.l2_psm) 101 return -EINVAL; 102 103 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) 104 return -EINVAL; 105 106 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 107 /* We only allow ATT user space socket */ 108 if (la.l2_cid && 109 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) 110 return -EINVAL; 111 } 112 113 lock_sock(sk); 114 115 if (sk->sk_state != BT_OPEN) { 116 err = -EBADFD; 117 goto done; 118 } 119 120 if (la.l2_psm) { 121 __u16 psm = __le16_to_cpu(la.l2_psm); 122 123 if (la.l2_bdaddr_type == BDADDR_BREDR) 124 err = l2cap_validate_bredr_psm(psm); 125 else 126 err = l2cap_validate_le_psm(psm); 127 128 if (err) 129 goto done; 130 } 131 132 bacpy(&chan->src, &la.l2_bdaddr); 133 chan->src_type = la.l2_bdaddr_type; 134 135 if (la.l2_cid) 136 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid)); 137 else 138 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm); 139 140 if (err < 0) 141 goto done; 142 143 switch (chan->chan_type) { 144 case L2CAP_CHAN_CONN_LESS: 145 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP) 146 chan->sec_level = BT_SECURITY_SDP; 147 break; 148 case L2CAP_CHAN_CONN_ORIENTED: 149 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP || 150 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM) 151 chan->sec_level = BT_SECURITY_SDP; 152 break; 153 case L2CAP_CHAN_RAW: 154 chan->sec_level = BT_SECURITY_SDP; 155 break; 156 case L2CAP_CHAN_FIXED: 157 /* Fixed channels default to the L2CAP core not holding a 158 * hci_conn reference for them. For fixed channels mapping to 159 * L2CAP sockets we do want to hold a reference so set the 160 * appropriate flag to request it. 161 */ 162 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags); 163 break; 164 } 165 166 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and 167 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set. 168 */ 169 if (chan->psm && bdaddr_type_is_le(chan->src_type) && 170 chan->mode != L2CAP_MODE_EXT_FLOWCTL) 171 chan->mode = L2CAP_MODE_LE_FLOWCTL; 172 173 chan->state = BT_BOUND; 174 sk->sk_state = BT_BOUND; 175 176 done: 177 release_sock(sk); 178 return err; 179 } 180 181 static void l2cap_sock_init_pid(struct sock *sk) 182 { 183 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 184 185 /* Only L2CAP_MODE_EXT_FLOWCTL ever need to access the PID in order to 186 * group the channels being requested. 187 */ 188 if (chan->mode != L2CAP_MODE_EXT_FLOWCTL) 189 return; 190 191 spin_lock(&sk->sk_peer_lock); 192 sk->sk_peer_pid = get_pid(task_tgid(current)); 193 spin_unlock(&sk->sk_peer_lock); 194 } 195 196 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, 197 int alen, int flags) 198 { 199 struct sock *sk = sock->sk; 200 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 201 struct sockaddr_l2 la; 202 int len, err = 0; 203 bool zapped; 204 205 BT_DBG("sk %p", sk); 206 207 lock_sock(sk); 208 zapped = sock_flag(sk, SOCK_ZAPPED); 209 release_sock(sk); 210 211 if (zapped) 212 return -EINVAL; 213 214 if (!addr || alen < offsetofend(struct sockaddr, sa_family) || 215 addr->sa_family != AF_BLUETOOTH) 216 return -EINVAL; 217 218 memset(&la, 0, sizeof(la)); 219 len = min_t(unsigned int, sizeof(la), alen); 220 memcpy(&la, addr, len); 221 222 if (la.l2_cid && la.l2_psm) 223 return -EINVAL; 224 225 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) 226 return -EINVAL; 227 228 /* Check that the socket wasn't bound to something that 229 * conflicts with the address given to connect(). If chan->src 230 * is BDADDR_ANY it means bind() was never used, in which case 231 * chan->src_type and la.l2_bdaddr_type do not need to match. 232 */ 233 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) && 234 bdaddr_type_is_le(la.l2_bdaddr_type)) { 235 /* Old user space versions will try to incorrectly bind 236 * the ATT socket using BDADDR_BREDR. We need to accept 237 * this and fix up the source address type only when 238 * both the source CID and destination CID indicate 239 * ATT. Anything else is an invalid combination. 240 */ 241 if (chan->scid != L2CAP_CID_ATT || 242 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) 243 return -EINVAL; 244 245 /* We don't have the hdev available here to make a 246 * better decision on random vs public, but since all 247 * user space versions that exhibit this issue anyway do 248 * not support random local addresses assuming public 249 * here is good enough. 250 */ 251 chan->src_type = BDADDR_LE_PUBLIC; 252 } 253 254 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR) 255 return -EINVAL; 256 257 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 258 /* We only allow ATT user space socket */ 259 if (la.l2_cid && 260 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) 261 return -EINVAL; 262 } 263 264 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and 265 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set. 266 */ 267 if (chan->psm && bdaddr_type_is_le(chan->src_type) && 268 chan->mode != L2CAP_MODE_EXT_FLOWCTL) 269 chan->mode = L2CAP_MODE_LE_FLOWCTL; 270 271 l2cap_sock_init_pid(sk); 272 273 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid), 274 &la.l2_bdaddr, la.l2_bdaddr_type); 275 if (err) 276 return err; 277 278 lock_sock(sk); 279 280 err = bt_sock_wait_state(sk, BT_CONNECTED, 281 sock_sndtimeo(sk, flags & O_NONBLOCK)); 282 283 release_sock(sk); 284 285 return err; 286 } 287 288 static int l2cap_sock_listen(struct socket *sock, int backlog) 289 { 290 struct sock *sk = sock->sk; 291 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 292 int err = 0; 293 294 BT_DBG("sk %p backlog %d", sk, backlog); 295 296 lock_sock(sk); 297 298 if (sk->sk_state != BT_BOUND) { 299 err = -EBADFD; 300 goto done; 301 } 302 303 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) { 304 err = -EINVAL; 305 goto done; 306 } 307 308 switch (chan->mode) { 309 case L2CAP_MODE_BASIC: 310 case L2CAP_MODE_LE_FLOWCTL: 311 break; 312 case L2CAP_MODE_EXT_FLOWCTL: 313 if (!enable_ecred) { 314 err = -EOPNOTSUPP; 315 goto done; 316 } 317 break; 318 case L2CAP_MODE_ERTM: 319 case L2CAP_MODE_STREAMING: 320 if (!disable_ertm) 321 break; 322 fallthrough; 323 default: 324 err = -EOPNOTSUPP; 325 goto done; 326 } 327 328 l2cap_sock_init_pid(sk); 329 330 sk->sk_max_ack_backlog = backlog; 331 sk->sk_ack_backlog = 0; 332 333 /* Listening channels need to use nested locking in order not to 334 * cause lockdep warnings when the created child channels end up 335 * being locked in the same thread as the parent channel. 336 */ 337 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT); 338 339 chan->state = BT_LISTEN; 340 sk->sk_state = BT_LISTEN; 341 342 done: 343 release_sock(sk); 344 return err; 345 } 346 347 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, 348 int flags, bool kern) 349 { 350 DEFINE_WAIT_FUNC(wait, woken_wake_function); 351 struct sock *sk = sock->sk, *nsk; 352 long timeo; 353 int err = 0; 354 355 lock_sock_nested(sk, L2CAP_NESTING_PARENT); 356 357 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK); 358 359 BT_DBG("sk %p timeo %ld", sk, timeo); 360 361 /* Wait for an incoming connection. (wake-one). */ 362 add_wait_queue_exclusive(sk_sleep(sk), &wait); 363 while (1) { 364 if (sk->sk_state != BT_LISTEN) { 365 err = -EBADFD; 366 break; 367 } 368 369 nsk = bt_accept_dequeue(sk, newsock); 370 if (nsk) 371 break; 372 373 if (!timeo) { 374 err = -EAGAIN; 375 break; 376 } 377 378 if (signal_pending(current)) { 379 err = sock_intr_errno(timeo); 380 break; 381 } 382 383 release_sock(sk); 384 385 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo); 386 387 lock_sock_nested(sk, L2CAP_NESTING_PARENT); 388 } 389 remove_wait_queue(sk_sleep(sk), &wait); 390 391 if (err) 392 goto done; 393 394 newsock->state = SS_CONNECTED; 395 396 BT_DBG("new socket %p", nsk); 397 398 done: 399 release_sock(sk); 400 return err; 401 } 402 403 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, 404 int peer) 405 { 406 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr; 407 struct sock *sk = sock->sk; 408 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 409 410 BT_DBG("sock %p, sk %p", sock, sk); 411 412 if (peer && sk->sk_state != BT_CONNECTED && 413 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 && 414 sk->sk_state != BT_CONFIG) 415 return -ENOTCONN; 416 417 memset(la, 0, sizeof(struct sockaddr_l2)); 418 addr->sa_family = AF_BLUETOOTH; 419 420 la->l2_psm = chan->psm; 421 422 if (peer) { 423 bacpy(&la->l2_bdaddr, &chan->dst); 424 la->l2_cid = cpu_to_le16(chan->dcid); 425 la->l2_bdaddr_type = chan->dst_type; 426 } else { 427 bacpy(&la->l2_bdaddr, &chan->src); 428 la->l2_cid = cpu_to_le16(chan->scid); 429 la->l2_bdaddr_type = chan->src_type; 430 } 431 432 return sizeof(struct sockaddr_l2); 433 } 434 435 static int l2cap_get_mode(struct l2cap_chan *chan) 436 { 437 switch (chan->mode) { 438 case L2CAP_MODE_BASIC: 439 return BT_MODE_BASIC; 440 case L2CAP_MODE_ERTM: 441 return BT_MODE_ERTM; 442 case L2CAP_MODE_STREAMING: 443 return BT_MODE_STREAMING; 444 case L2CAP_MODE_LE_FLOWCTL: 445 return BT_MODE_LE_FLOWCTL; 446 case L2CAP_MODE_EXT_FLOWCTL: 447 return BT_MODE_EXT_FLOWCTL; 448 } 449 450 return -EINVAL; 451 } 452 453 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, 454 char __user *optval, int __user *optlen) 455 { 456 struct sock *sk = sock->sk; 457 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 458 struct l2cap_options opts; 459 struct l2cap_conninfo cinfo; 460 int len, err = 0; 461 u32 opt; 462 463 BT_DBG("sk %p", sk); 464 465 if (get_user(len, optlen)) 466 return -EFAULT; 467 468 lock_sock(sk); 469 470 switch (optname) { 471 case L2CAP_OPTIONS: 472 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since 473 * legacy ATT code depends on getsockopt for 474 * L2CAP_OPTIONS we need to let this pass. 475 */ 476 if (bdaddr_type_is_le(chan->src_type) && 477 chan->scid != L2CAP_CID_ATT) { 478 err = -EINVAL; 479 break; 480 } 481 482 /* Only BR/EDR modes are supported here */ 483 switch (chan->mode) { 484 case L2CAP_MODE_BASIC: 485 case L2CAP_MODE_ERTM: 486 case L2CAP_MODE_STREAMING: 487 break; 488 default: 489 err = -EINVAL; 490 break; 491 } 492 493 if (err < 0) 494 break; 495 496 memset(&opts, 0, sizeof(opts)); 497 opts.imtu = chan->imtu; 498 opts.omtu = chan->omtu; 499 opts.flush_to = chan->flush_to; 500 opts.mode = chan->mode; 501 opts.fcs = chan->fcs; 502 opts.max_tx = chan->max_tx; 503 opts.txwin_size = chan->tx_win; 504 505 BT_DBG("mode 0x%2.2x", chan->mode); 506 507 len = min_t(unsigned int, len, sizeof(opts)); 508 if (copy_to_user(optval, (char *) &opts, len)) 509 err = -EFAULT; 510 511 break; 512 513 case L2CAP_LM: 514 switch (chan->sec_level) { 515 case BT_SECURITY_LOW: 516 opt = L2CAP_LM_AUTH; 517 break; 518 case BT_SECURITY_MEDIUM: 519 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT; 520 break; 521 case BT_SECURITY_HIGH: 522 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT | 523 L2CAP_LM_SECURE; 524 break; 525 case BT_SECURITY_FIPS: 526 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT | 527 L2CAP_LM_SECURE | L2CAP_LM_FIPS; 528 break; 529 default: 530 opt = 0; 531 break; 532 } 533 534 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags)) 535 opt |= L2CAP_LM_MASTER; 536 537 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags)) 538 opt |= L2CAP_LM_RELIABLE; 539 540 if (put_user(opt, (u32 __user *) optval)) 541 err = -EFAULT; 542 543 break; 544 545 case L2CAP_CONNINFO: 546 if (sk->sk_state != BT_CONNECTED && 547 !(sk->sk_state == BT_CONNECT2 && 548 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) { 549 err = -ENOTCONN; 550 break; 551 } 552 553 memset(&cinfo, 0, sizeof(cinfo)); 554 cinfo.hci_handle = chan->conn->hcon->handle; 555 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3); 556 557 len = min_t(unsigned int, len, sizeof(cinfo)); 558 if (copy_to_user(optval, (char *) &cinfo, len)) 559 err = -EFAULT; 560 561 break; 562 563 default: 564 err = -ENOPROTOOPT; 565 break; 566 } 567 568 release_sock(sk); 569 return err; 570 } 571 572 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, 573 char __user *optval, int __user *optlen) 574 { 575 struct sock *sk = sock->sk; 576 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 577 struct bt_security sec; 578 struct bt_power pwr; 579 u32 phys; 580 int len, mode, err = 0; 581 582 BT_DBG("sk %p", sk); 583 584 if (level == SOL_L2CAP) 585 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen); 586 587 if (level != SOL_BLUETOOTH) 588 return -ENOPROTOOPT; 589 590 if (get_user(len, optlen)) 591 return -EFAULT; 592 593 lock_sock(sk); 594 595 switch (optname) { 596 case BT_SECURITY: 597 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 598 chan->chan_type != L2CAP_CHAN_FIXED && 599 chan->chan_type != L2CAP_CHAN_RAW) { 600 err = -EINVAL; 601 break; 602 } 603 604 memset(&sec, 0, sizeof(sec)); 605 if (chan->conn) { 606 sec.level = chan->conn->hcon->sec_level; 607 608 if (sk->sk_state == BT_CONNECTED) 609 sec.key_size = chan->conn->hcon->enc_key_size; 610 } else { 611 sec.level = chan->sec_level; 612 } 613 614 len = min_t(unsigned int, len, sizeof(sec)); 615 if (copy_to_user(optval, (char *) &sec, len)) 616 err = -EFAULT; 617 618 break; 619 620 case BT_DEFER_SETUP: 621 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 622 err = -EINVAL; 623 break; 624 } 625 626 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags), 627 (u32 __user *) optval)) 628 err = -EFAULT; 629 630 break; 631 632 case BT_FLUSHABLE: 633 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags), 634 (u32 __user *) optval)) 635 err = -EFAULT; 636 637 break; 638 639 case BT_POWER: 640 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM 641 && sk->sk_type != SOCK_RAW) { 642 err = -EINVAL; 643 break; 644 } 645 646 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags); 647 648 len = min_t(unsigned int, len, sizeof(pwr)); 649 if (copy_to_user(optval, (char *) &pwr, len)) 650 err = -EFAULT; 651 652 break; 653 654 case BT_CHANNEL_POLICY: 655 if (put_user(chan->chan_policy, (u32 __user *) optval)) 656 err = -EFAULT; 657 break; 658 659 case BT_SNDMTU: 660 if (!bdaddr_type_is_le(chan->src_type)) { 661 err = -EINVAL; 662 break; 663 } 664 665 if (sk->sk_state != BT_CONNECTED) { 666 err = -ENOTCONN; 667 break; 668 } 669 670 if (put_user(chan->omtu, (u16 __user *) optval)) 671 err = -EFAULT; 672 break; 673 674 case BT_RCVMTU: 675 if (!bdaddr_type_is_le(chan->src_type)) { 676 err = -EINVAL; 677 break; 678 } 679 680 if (put_user(chan->imtu, (u16 __user *) optval)) 681 err = -EFAULT; 682 break; 683 684 case BT_PHY: 685 if (sk->sk_state != BT_CONNECTED) { 686 err = -ENOTCONN; 687 break; 688 } 689 690 phys = hci_conn_get_phy(chan->conn->hcon); 691 692 if (put_user(phys, (u32 __user *) optval)) 693 err = -EFAULT; 694 break; 695 696 case BT_MODE: 697 if (!enable_ecred) { 698 err = -ENOPROTOOPT; 699 break; 700 } 701 702 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 703 err = -EINVAL; 704 break; 705 } 706 707 mode = l2cap_get_mode(chan); 708 if (mode < 0) { 709 err = mode; 710 break; 711 } 712 713 if (put_user(mode, (u8 __user *) optval)) 714 err = -EFAULT; 715 break; 716 717 default: 718 err = -ENOPROTOOPT; 719 break; 720 } 721 722 release_sock(sk); 723 return err; 724 } 725 726 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu) 727 { 728 switch (chan->scid) { 729 case L2CAP_CID_ATT: 730 if (mtu < L2CAP_LE_MIN_MTU) 731 return false; 732 break; 733 734 default: 735 if (mtu < L2CAP_DEFAULT_MIN_MTU) 736 return false; 737 } 738 739 return true; 740 } 741 742 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, 743 sockptr_t optval, unsigned int optlen) 744 { 745 struct sock *sk = sock->sk; 746 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 747 struct l2cap_options opts; 748 int len, err = 0; 749 u32 opt; 750 751 BT_DBG("sk %p", sk); 752 753 lock_sock(sk); 754 755 switch (optname) { 756 case L2CAP_OPTIONS: 757 if (bdaddr_type_is_le(chan->src_type)) { 758 err = -EINVAL; 759 break; 760 } 761 762 if (sk->sk_state == BT_CONNECTED) { 763 err = -EINVAL; 764 break; 765 } 766 767 opts.imtu = chan->imtu; 768 opts.omtu = chan->omtu; 769 opts.flush_to = chan->flush_to; 770 opts.mode = chan->mode; 771 opts.fcs = chan->fcs; 772 opts.max_tx = chan->max_tx; 773 opts.txwin_size = chan->tx_win; 774 775 len = min_t(unsigned int, sizeof(opts), optlen); 776 if (copy_from_sockptr(&opts, optval, len)) { 777 err = -EFAULT; 778 break; 779 } 780 781 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) { 782 err = -EINVAL; 783 break; 784 } 785 786 if (!l2cap_valid_mtu(chan, opts.imtu)) { 787 err = -EINVAL; 788 break; 789 } 790 791 /* Only BR/EDR modes are supported here */ 792 switch (opts.mode) { 793 case L2CAP_MODE_BASIC: 794 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state); 795 break; 796 case L2CAP_MODE_ERTM: 797 case L2CAP_MODE_STREAMING: 798 if (!disable_ertm) 799 break; 800 fallthrough; 801 default: 802 err = -EINVAL; 803 break; 804 } 805 806 if (err < 0) 807 break; 808 809 chan->mode = opts.mode; 810 811 BT_DBG("mode 0x%2.2x", chan->mode); 812 813 chan->imtu = opts.imtu; 814 chan->omtu = opts.omtu; 815 chan->fcs = opts.fcs; 816 chan->max_tx = opts.max_tx; 817 chan->tx_win = opts.txwin_size; 818 chan->flush_to = opts.flush_to; 819 break; 820 821 case L2CAP_LM: 822 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 823 err = -EFAULT; 824 break; 825 } 826 827 if (opt & L2CAP_LM_FIPS) { 828 err = -EINVAL; 829 break; 830 } 831 832 if (opt & L2CAP_LM_AUTH) 833 chan->sec_level = BT_SECURITY_LOW; 834 if (opt & L2CAP_LM_ENCRYPT) 835 chan->sec_level = BT_SECURITY_MEDIUM; 836 if (opt & L2CAP_LM_SECURE) 837 chan->sec_level = BT_SECURITY_HIGH; 838 839 if (opt & L2CAP_LM_MASTER) 840 set_bit(FLAG_ROLE_SWITCH, &chan->flags); 841 else 842 clear_bit(FLAG_ROLE_SWITCH, &chan->flags); 843 844 if (opt & L2CAP_LM_RELIABLE) 845 set_bit(FLAG_FORCE_RELIABLE, &chan->flags); 846 else 847 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags); 848 break; 849 850 default: 851 err = -ENOPROTOOPT; 852 break; 853 } 854 855 release_sock(sk); 856 return err; 857 } 858 859 static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode) 860 { 861 switch (mode) { 862 case BT_MODE_BASIC: 863 if (bdaddr_type_is_le(chan->src_type)) 864 return -EINVAL; 865 mode = L2CAP_MODE_BASIC; 866 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state); 867 break; 868 case BT_MODE_ERTM: 869 if (!disable_ertm || bdaddr_type_is_le(chan->src_type)) 870 return -EINVAL; 871 mode = L2CAP_MODE_ERTM; 872 break; 873 case BT_MODE_STREAMING: 874 if (!disable_ertm || bdaddr_type_is_le(chan->src_type)) 875 return -EINVAL; 876 mode = L2CAP_MODE_STREAMING; 877 break; 878 case BT_MODE_LE_FLOWCTL: 879 if (!bdaddr_type_is_le(chan->src_type)) 880 return -EINVAL; 881 mode = L2CAP_MODE_LE_FLOWCTL; 882 break; 883 case BT_MODE_EXT_FLOWCTL: 884 /* TODO: Add support for ECRED PDUs to BR/EDR */ 885 if (!bdaddr_type_is_le(chan->src_type)) 886 return -EINVAL; 887 mode = L2CAP_MODE_EXT_FLOWCTL; 888 break; 889 default: 890 return -EINVAL; 891 } 892 893 chan->mode = mode; 894 895 return 0; 896 } 897 898 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, 899 sockptr_t optval, unsigned int optlen) 900 { 901 struct sock *sk = sock->sk; 902 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 903 struct bt_security sec; 904 struct bt_power pwr; 905 struct l2cap_conn *conn; 906 int len, err = 0; 907 u32 opt; 908 u16 mtu; 909 u8 mode; 910 911 BT_DBG("sk %p", sk); 912 913 if (level == SOL_L2CAP) 914 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen); 915 916 if (level != SOL_BLUETOOTH) 917 return -ENOPROTOOPT; 918 919 lock_sock(sk); 920 921 switch (optname) { 922 case BT_SECURITY: 923 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 924 chan->chan_type != L2CAP_CHAN_FIXED && 925 chan->chan_type != L2CAP_CHAN_RAW) { 926 err = -EINVAL; 927 break; 928 } 929 930 sec.level = BT_SECURITY_LOW; 931 932 len = min_t(unsigned int, sizeof(sec), optlen); 933 if (copy_from_sockptr(&sec, optval, len)) { 934 err = -EFAULT; 935 break; 936 } 937 938 if (sec.level < BT_SECURITY_LOW || 939 sec.level > BT_SECURITY_FIPS) { 940 err = -EINVAL; 941 break; 942 } 943 944 chan->sec_level = sec.level; 945 946 if (!chan->conn) 947 break; 948 949 conn = chan->conn; 950 951 /* change security for LE channels */ 952 if (chan->scid == L2CAP_CID_ATT) { 953 if (smp_conn_security(conn->hcon, sec.level)) { 954 err = -EINVAL; 955 break; 956 } 957 958 set_bit(FLAG_PENDING_SECURITY, &chan->flags); 959 sk->sk_state = BT_CONFIG; 960 chan->state = BT_CONFIG; 961 962 /* or for ACL link */ 963 } else if ((sk->sk_state == BT_CONNECT2 && 964 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) || 965 sk->sk_state == BT_CONNECTED) { 966 if (!l2cap_chan_check_security(chan, true)) 967 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 968 else 969 sk->sk_state_change(sk); 970 } else { 971 err = -EINVAL; 972 } 973 break; 974 975 case BT_DEFER_SETUP: 976 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 977 err = -EINVAL; 978 break; 979 } 980 981 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 982 err = -EFAULT; 983 break; 984 } 985 986 if (opt) { 987 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 988 set_bit(FLAG_DEFER_SETUP, &chan->flags); 989 } else { 990 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 991 clear_bit(FLAG_DEFER_SETUP, &chan->flags); 992 } 993 break; 994 995 case BT_FLUSHABLE: 996 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 997 err = -EFAULT; 998 break; 999 } 1000 1001 if (opt > BT_FLUSHABLE_ON) { 1002 err = -EINVAL; 1003 break; 1004 } 1005 1006 if (opt == BT_FLUSHABLE_OFF) { 1007 conn = chan->conn; 1008 /* proceed further only when we have l2cap_conn and 1009 No Flush support in the LM */ 1010 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) { 1011 err = -EINVAL; 1012 break; 1013 } 1014 } 1015 1016 if (opt) 1017 set_bit(FLAG_FLUSHABLE, &chan->flags); 1018 else 1019 clear_bit(FLAG_FLUSHABLE, &chan->flags); 1020 break; 1021 1022 case BT_POWER: 1023 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 1024 chan->chan_type != L2CAP_CHAN_RAW) { 1025 err = -EINVAL; 1026 break; 1027 } 1028 1029 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON; 1030 1031 len = min_t(unsigned int, sizeof(pwr), optlen); 1032 if (copy_from_sockptr(&pwr, optval, len)) { 1033 err = -EFAULT; 1034 break; 1035 } 1036 1037 if (pwr.force_active) 1038 set_bit(FLAG_FORCE_ACTIVE, &chan->flags); 1039 else 1040 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags); 1041 break; 1042 1043 case BT_CHANNEL_POLICY: 1044 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 1045 err = -EFAULT; 1046 break; 1047 } 1048 1049 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) { 1050 err = -EINVAL; 1051 break; 1052 } 1053 1054 if (chan->mode != L2CAP_MODE_ERTM && 1055 chan->mode != L2CAP_MODE_STREAMING) { 1056 err = -EOPNOTSUPP; 1057 break; 1058 } 1059 1060 chan->chan_policy = (u8) opt; 1061 1062 if (sk->sk_state == BT_CONNECTED && 1063 chan->move_role == L2CAP_MOVE_ROLE_NONE) 1064 l2cap_move_start(chan); 1065 1066 break; 1067 1068 case BT_SNDMTU: 1069 if (!bdaddr_type_is_le(chan->src_type)) { 1070 err = -EINVAL; 1071 break; 1072 } 1073 1074 /* Setting is not supported as it's the remote side that 1075 * decides this. 1076 */ 1077 err = -EPERM; 1078 break; 1079 1080 case BT_RCVMTU: 1081 if (!bdaddr_type_is_le(chan->src_type)) { 1082 err = -EINVAL; 1083 break; 1084 } 1085 1086 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && 1087 sk->sk_state == BT_CONNECTED) { 1088 err = -EISCONN; 1089 break; 1090 } 1091 1092 if (copy_from_sockptr(&mtu, optval, sizeof(u16))) { 1093 err = -EFAULT; 1094 break; 1095 } 1096 1097 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL && 1098 sk->sk_state == BT_CONNECTED) 1099 err = l2cap_chan_reconfigure(chan, mtu); 1100 else 1101 chan->imtu = mtu; 1102 1103 break; 1104 1105 case BT_MODE: 1106 if (!enable_ecred) { 1107 err = -ENOPROTOOPT; 1108 break; 1109 } 1110 1111 BT_DBG("sk->sk_state %u", sk->sk_state); 1112 1113 if (sk->sk_state != BT_BOUND) { 1114 err = -EINVAL; 1115 break; 1116 } 1117 1118 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 1119 err = -EINVAL; 1120 break; 1121 } 1122 1123 if (copy_from_sockptr(&mode, optval, sizeof(u8))) { 1124 err = -EFAULT; 1125 break; 1126 } 1127 1128 BT_DBG("mode %u", mode); 1129 1130 err = l2cap_set_mode(chan, mode); 1131 if (err) 1132 break; 1133 1134 BT_DBG("mode 0x%2.2x", chan->mode); 1135 1136 break; 1137 1138 default: 1139 err = -ENOPROTOOPT; 1140 break; 1141 } 1142 1143 release_sock(sk); 1144 return err; 1145 } 1146 1147 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg, 1148 size_t len) 1149 { 1150 struct sock *sk = sock->sk; 1151 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1152 int err; 1153 1154 BT_DBG("sock %p, sk %p", sock, sk); 1155 1156 err = sock_error(sk); 1157 if (err) 1158 return err; 1159 1160 if (msg->msg_flags & MSG_OOB) 1161 return -EOPNOTSUPP; 1162 1163 if (sk->sk_state != BT_CONNECTED) 1164 return -ENOTCONN; 1165 1166 lock_sock(sk); 1167 err = bt_sock_wait_ready(sk, msg->msg_flags); 1168 release_sock(sk); 1169 if (err) 1170 return err; 1171 1172 l2cap_chan_lock(chan); 1173 err = l2cap_chan_send(chan, msg, len); 1174 l2cap_chan_unlock(chan); 1175 1176 return err; 1177 } 1178 1179 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg, 1180 size_t len, int flags) 1181 { 1182 struct sock *sk = sock->sk; 1183 struct l2cap_pinfo *pi = l2cap_pi(sk); 1184 int err; 1185 1186 lock_sock(sk); 1187 1188 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP, 1189 &bt_sk(sk)->flags)) { 1190 if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) { 1191 sk->sk_state = BT_CONNECTED; 1192 pi->chan->state = BT_CONNECTED; 1193 __l2cap_ecred_conn_rsp_defer(pi->chan); 1194 } else if (bdaddr_type_is_le(pi->chan->src_type)) { 1195 sk->sk_state = BT_CONNECTED; 1196 pi->chan->state = BT_CONNECTED; 1197 __l2cap_le_connect_rsp_defer(pi->chan); 1198 } else { 1199 sk->sk_state = BT_CONFIG; 1200 pi->chan->state = BT_CONFIG; 1201 __l2cap_connect_rsp_defer(pi->chan); 1202 } 1203 1204 err = 0; 1205 goto done; 1206 } 1207 1208 release_sock(sk); 1209 1210 if (sock->type == SOCK_STREAM) 1211 err = bt_sock_stream_recvmsg(sock, msg, len, flags); 1212 else 1213 err = bt_sock_recvmsg(sock, msg, len, flags); 1214 1215 if (pi->chan->mode != L2CAP_MODE_ERTM) 1216 return err; 1217 1218 /* Attempt to put pending rx data in the socket buffer */ 1219 1220 lock_sock(sk); 1221 1222 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state)) 1223 goto done; 1224 1225 if (pi->rx_busy_skb) { 1226 if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb)) 1227 pi->rx_busy_skb = NULL; 1228 else 1229 goto done; 1230 } 1231 1232 /* Restore data flow when half of the receive buffer is 1233 * available. This avoids resending large numbers of 1234 * frames. 1235 */ 1236 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1) 1237 l2cap_chan_busy(pi->chan, 0); 1238 1239 done: 1240 release_sock(sk); 1241 return err; 1242 } 1243 1244 /* Kill socket (only if zapped and orphan) 1245 * Must be called on unlocked socket, with l2cap channel lock. 1246 */ 1247 static void l2cap_sock_kill(struct sock *sk) 1248 { 1249 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket) 1250 return; 1251 1252 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state)); 1253 1254 /* Kill poor orphan */ 1255 1256 l2cap_chan_put(l2cap_pi(sk)->chan); 1257 sock_set_flag(sk, SOCK_DEAD); 1258 sock_put(sk); 1259 } 1260 1261 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan) 1262 { 1263 DECLARE_WAITQUEUE(wait, current); 1264 int err = 0; 1265 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD; 1266 /* Timeout to prevent infinite loop */ 1267 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT; 1268 1269 add_wait_queue(sk_sleep(sk), &wait); 1270 set_current_state(TASK_INTERRUPTIBLE); 1271 do { 1272 BT_DBG("Waiting for %d ACKs, timeout %04d ms", 1273 chan->unacked_frames, time_after(jiffies, timeout) ? 0 : 1274 jiffies_to_msecs(timeout - jiffies)); 1275 1276 if (!timeo) 1277 timeo = L2CAP_WAIT_ACK_POLL_PERIOD; 1278 1279 if (signal_pending(current)) { 1280 err = sock_intr_errno(timeo); 1281 break; 1282 } 1283 1284 release_sock(sk); 1285 timeo = schedule_timeout(timeo); 1286 lock_sock(sk); 1287 set_current_state(TASK_INTERRUPTIBLE); 1288 1289 err = sock_error(sk); 1290 if (err) 1291 break; 1292 1293 if (time_after(jiffies, timeout)) { 1294 err = -ENOLINK; 1295 break; 1296 } 1297 1298 } while (chan->unacked_frames > 0 && 1299 chan->state == BT_CONNECTED); 1300 1301 set_current_state(TASK_RUNNING); 1302 remove_wait_queue(sk_sleep(sk), &wait); 1303 return err; 1304 } 1305 1306 static int l2cap_sock_shutdown(struct socket *sock, int how) 1307 { 1308 struct sock *sk = sock->sk; 1309 struct l2cap_chan *chan; 1310 struct l2cap_conn *conn; 1311 int err = 0; 1312 1313 BT_DBG("sock %p, sk %p, how %d", sock, sk, how); 1314 1315 /* 'how' parameter is mapped to sk_shutdown as follows: 1316 * SHUT_RD (0) --> RCV_SHUTDOWN (1) 1317 * SHUT_WR (1) --> SEND_SHUTDOWN (2) 1318 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3) 1319 */ 1320 how++; 1321 1322 if (!sk) 1323 return 0; 1324 1325 lock_sock(sk); 1326 1327 if ((sk->sk_shutdown & how) == how) 1328 goto shutdown_already; 1329 1330 BT_DBG("Handling sock shutdown"); 1331 1332 /* prevent sk structure from being freed whilst unlocked */ 1333 sock_hold(sk); 1334 1335 chan = l2cap_pi(sk)->chan; 1336 /* prevent chan structure from being freed whilst unlocked */ 1337 l2cap_chan_hold(chan); 1338 1339 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 1340 1341 if (chan->mode == L2CAP_MODE_ERTM && 1342 chan->unacked_frames > 0 && 1343 chan->state == BT_CONNECTED) { 1344 err = __l2cap_wait_ack(sk, chan); 1345 1346 /* After waiting for ACKs, check whether shutdown 1347 * has already been actioned to close the L2CAP 1348 * link such as by l2cap_disconnection_req(). 1349 */ 1350 if ((sk->sk_shutdown & how) == how) 1351 goto shutdown_matched; 1352 } 1353 1354 /* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN 1355 * is already set 1356 */ 1357 if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) { 1358 sk->sk_shutdown |= RCV_SHUTDOWN; 1359 if ((sk->sk_shutdown & how) == how) 1360 goto shutdown_matched; 1361 } 1362 1363 sk->sk_shutdown |= SEND_SHUTDOWN; 1364 release_sock(sk); 1365 1366 l2cap_chan_lock(chan); 1367 conn = chan->conn; 1368 if (conn) 1369 /* prevent conn structure from being freed */ 1370 l2cap_conn_get(conn); 1371 l2cap_chan_unlock(chan); 1372 1373 if (conn) 1374 /* mutex lock must be taken before l2cap_chan_lock() */ 1375 mutex_lock(&conn->chan_lock); 1376 1377 l2cap_chan_lock(chan); 1378 l2cap_chan_close(chan, 0); 1379 l2cap_chan_unlock(chan); 1380 1381 if (conn) { 1382 mutex_unlock(&conn->chan_lock); 1383 l2cap_conn_put(conn); 1384 } 1385 1386 lock_sock(sk); 1387 1388 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime && 1389 !(current->flags & PF_EXITING)) 1390 err = bt_sock_wait_state(sk, BT_CLOSED, 1391 sk->sk_lingertime); 1392 1393 shutdown_matched: 1394 l2cap_chan_put(chan); 1395 sock_put(sk); 1396 1397 shutdown_already: 1398 if (!err && sk->sk_err) 1399 err = -sk->sk_err; 1400 1401 release_sock(sk); 1402 1403 BT_DBG("Sock shutdown complete err: %d", err); 1404 1405 return err; 1406 } 1407 1408 static int l2cap_sock_release(struct socket *sock) 1409 { 1410 struct sock *sk = sock->sk; 1411 int err; 1412 struct l2cap_chan *chan; 1413 1414 BT_DBG("sock %p, sk %p", sock, sk); 1415 1416 if (!sk) 1417 return 0; 1418 1419 l2cap_sock_cleanup_listen(sk); 1420 bt_sock_unlink(&l2cap_sk_list, sk); 1421 1422 err = l2cap_sock_shutdown(sock, SHUT_RDWR); 1423 chan = l2cap_pi(sk)->chan; 1424 1425 l2cap_chan_hold(chan); 1426 l2cap_chan_lock(chan); 1427 1428 sock_orphan(sk); 1429 l2cap_sock_kill(sk); 1430 1431 l2cap_chan_unlock(chan); 1432 l2cap_chan_put(chan); 1433 1434 return err; 1435 } 1436 1437 static void l2cap_sock_cleanup_listen(struct sock *parent) 1438 { 1439 struct sock *sk; 1440 1441 BT_DBG("parent %p state %s", parent, 1442 state_to_string(parent->sk_state)); 1443 1444 /* Close not yet accepted channels */ 1445 while ((sk = bt_accept_dequeue(parent, NULL))) { 1446 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1447 1448 BT_DBG("child chan %p state %s", chan, 1449 state_to_string(chan->state)); 1450 1451 l2cap_chan_hold(chan); 1452 l2cap_chan_lock(chan); 1453 1454 __clear_chan_timer(chan); 1455 l2cap_chan_close(chan, ECONNRESET); 1456 l2cap_sock_kill(sk); 1457 1458 l2cap_chan_unlock(chan); 1459 l2cap_chan_put(chan); 1460 } 1461 } 1462 1463 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan) 1464 { 1465 struct sock *sk, *parent = chan->data; 1466 1467 lock_sock(parent); 1468 1469 /* Check for backlog size */ 1470 if (sk_acceptq_is_full(parent)) { 1471 BT_DBG("backlog full %d", parent->sk_ack_backlog); 1472 release_sock(parent); 1473 return NULL; 1474 } 1475 1476 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, 1477 GFP_ATOMIC, 0); 1478 if (!sk) { 1479 release_sock(parent); 1480 return NULL; 1481 } 1482 1483 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP); 1484 1485 l2cap_sock_init(sk, parent); 1486 1487 bt_accept_enqueue(parent, sk, false); 1488 1489 release_sock(parent); 1490 1491 return l2cap_pi(sk)->chan; 1492 } 1493 1494 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) 1495 { 1496 struct sock *sk = chan->data; 1497 int err; 1498 1499 lock_sock(sk); 1500 1501 if (l2cap_pi(sk)->rx_busy_skb) { 1502 err = -ENOMEM; 1503 goto done; 1504 } 1505 1506 if (chan->mode != L2CAP_MODE_ERTM && 1507 chan->mode != L2CAP_MODE_STREAMING) { 1508 /* Even if no filter is attached, we could potentially 1509 * get errors from security modules, etc. 1510 */ 1511 err = sk_filter(sk, skb); 1512 if (err) 1513 goto done; 1514 } 1515 1516 err = __sock_queue_rcv_skb(sk, skb); 1517 1518 /* For ERTM, handle one skb that doesn't fit into the recv 1519 * buffer. This is important to do because the data frames 1520 * have already been acked, so the skb cannot be discarded. 1521 * 1522 * Notify the l2cap core that the buffer is full, so the 1523 * LOCAL_BUSY state is entered and no more frames are 1524 * acked and reassembled until there is buffer space 1525 * available. 1526 */ 1527 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) { 1528 l2cap_pi(sk)->rx_busy_skb = skb; 1529 l2cap_chan_busy(chan, 1); 1530 err = 0; 1531 } 1532 1533 done: 1534 release_sock(sk); 1535 1536 return err; 1537 } 1538 1539 static void l2cap_sock_close_cb(struct l2cap_chan *chan) 1540 { 1541 struct sock *sk = chan->data; 1542 1543 if (!sk) 1544 return; 1545 1546 l2cap_sock_kill(sk); 1547 } 1548 1549 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err) 1550 { 1551 struct sock *sk = chan->data; 1552 struct sock *parent; 1553 1554 if (!sk) 1555 return; 1556 1557 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 1558 1559 /* This callback can be called both for server (BT_LISTEN) 1560 * sockets as well as "normal" ones. To avoid lockdep warnings 1561 * with child socket locking (through l2cap_sock_cleanup_listen) 1562 * we need separation into separate nesting levels. The simplest 1563 * way to accomplish this is to inherit the nesting level used 1564 * for the channel. 1565 */ 1566 lock_sock_nested(sk, atomic_read(&chan->nesting)); 1567 1568 parent = bt_sk(sk)->parent; 1569 1570 switch (chan->state) { 1571 case BT_OPEN: 1572 case BT_BOUND: 1573 case BT_CLOSED: 1574 break; 1575 case BT_LISTEN: 1576 l2cap_sock_cleanup_listen(sk); 1577 sk->sk_state = BT_CLOSED; 1578 chan->state = BT_CLOSED; 1579 1580 break; 1581 default: 1582 sk->sk_state = BT_CLOSED; 1583 chan->state = BT_CLOSED; 1584 1585 sk->sk_err = err; 1586 1587 if (parent) { 1588 bt_accept_unlink(sk); 1589 parent->sk_data_ready(parent); 1590 } else { 1591 sk->sk_state_change(sk); 1592 } 1593 1594 break; 1595 } 1596 release_sock(sk); 1597 1598 /* Only zap after cleanup to avoid use after free race */ 1599 sock_set_flag(sk, SOCK_ZAPPED); 1600 1601 } 1602 1603 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state, 1604 int err) 1605 { 1606 struct sock *sk = chan->data; 1607 1608 sk->sk_state = state; 1609 1610 if (err) 1611 sk->sk_err = err; 1612 } 1613 1614 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan, 1615 unsigned long hdr_len, 1616 unsigned long len, int nb) 1617 { 1618 struct sock *sk = chan->data; 1619 struct sk_buff *skb; 1620 int err; 1621 1622 l2cap_chan_unlock(chan); 1623 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err); 1624 l2cap_chan_lock(chan); 1625 1626 if (!skb) 1627 return ERR_PTR(err); 1628 1629 /* Channel lock is released before requesting new skb and then 1630 * reacquired thus we need to recheck channel state. 1631 */ 1632 if (chan->state != BT_CONNECTED) { 1633 kfree_skb(skb); 1634 return ERR_PTR(-ENOTCONN); 1635 } 1636 1637 skb->priority = sk->sk_priority; 1638 1639 bt_cb(skb)->l2cap.chan = chan; 1640 1641 return skb; 1642 } 1643 1644 static void l2cap_sock_ready_cb(struct l2cap_chan *chan) 1645 { 1646 struct sock *sk = chan->data; 1647 struct sock *parent; 1648 1649 lock_sock(sk); 1650 1651 parent = bt_sk(sk)->parent; 1652 1653 BT_DBG("sk %p, parent %p", sk, parent); 1654 1655 sk->sk_state = BT_CONNECTED; 1656 sk->sk_state_change(sk); 1657 1658 if (parent) 1659 parent->sk_data_ready(parent); 1660 1661 release_sock(sk); 1662 } 1663 1664 static void l2cap_sock_defer_cb(struct l2cap_chan *chan) 1665 { 1666 struct sock *parent, *sk = chan->data; 1667 1668 lock_sock(sk); 1669 1670 parent = bt_sk(sk)->parent; 1671 if (parent) 1672 parent->sk_data_ready(parent); 1673 1674 release_sock(sk); 1675 } 1676 1677 static void l2cap_sock_resume_cb(struct l2cap_chan *chan) 1678 { 1679 struct sock *sk = chan->data; 1680 1681 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) { 1682 sk->sk_state = BT_CONNECTED; 1683 chan->state = BT_CONNECTED; 1684 } 1685 1686 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 1687 sk->sk_state_change(sk); 1688 } 1689 1690 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan) 1691 { 1692 struct sock *sk = chan->data; 1693 1694 lock_sock(sk); 1695 sk->sk_shutdown = SHUTDOWN_MASK; 1696 release_sock(sk); 1697 } 1698 1699 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan) 1700 { 1701 struct sock *sk = chan->data; 1702 1703 return sk->sk_sndtimeo; 1704 } 1705 1706 static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan) 1707 { 1708 struct sock *sk = chan->data; 1709 1710 return sk->sk_peer_pid; 1711 } 1712 1713 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan) 1714 { 1715 struct sock *sk = chan->data; 1716 1717 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 1718 sk->sk_state_change(sk); 1719 } 1720 1721 static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb) 1722 { 1723 struct sock *sk = chan->data; 1724 1725 switch (chan->mode) { 1726 case L2CAP_MODE_ERTM: 1727 case L2CAP_MODE_STREAMING: 1728 return sk_filter(sk, skb); 1729 } 1730 1731 return 0; 1732 } 1733 1734 static const struct l2cap_ops l2cap_chan_ops = { 1735 .name = "L2CAP Socket Interface", 1736 .new_connection = l2cap_sock_new_connection_cb, 1737 .recv = l2cap_sock_recv_cb, 1738 .close = l2cap_sock_close_cb, 1739 .teardown = l2cap_sock_teardown_cb, 1740 .state_change = l2cap_sock_state_change_cb, 1741 .ready = l2cap_sock_ready_cb, 1742 .defer = l2cap_sock_defer_cb, 1743 .resume = l2cap_sock_resume_cb, 1744 .suspend = l2cap_sock_suspend_cb, 1745 .set_shutdown = l2cap_sock_set_shutdown_cb, 1746 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb, 1747 .get_peer_pid = l2cap_sock_get_peer_pid_cb, 1748 .alloc_skb = l2cap_sock_alloc_skb_cb, 1749 .filter = l2cap_sock_filter, 1750 }; 1751 1752 static void l2cap_sock_destruct(struct sock *sk) 1753 { 1754 BT_DBG("sk %p", sk); 1755 1756 if (l2cap_pi(sk)->chan) { 1757 l2cap_pi(sk)->chan->data = NULL; 1758 l2cap_chan_put(l2cap_pi(sk)->chan); 1759 } 1760 1761 if (l2cap_pi(sk)->rx_busy_skb) { 1762 kfree_skb(l2cap_pi(sk)->rx_busy_skb); 1763 l2cap_pi(sk)->rx_busy_skb = NULL; 1764 } 1765 1766 skb_queue_purge(&sk->sk_receive_queue); 1767 skb_queue_purge(&sk->sk_write_queue); 1768 } 1769 1770 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name, 1771 int *msg_namelen) 1772 { 1773 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name); 1774 1775 memset(la, 0, sizeof(struct sockaddr_l2)); 1776 la->l2_family = AF_BLUETOOTH; 1777 la->l2_psm = bt_cb(skb)->l2cap.psm; 1778 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr); 1779 1780 *msg_namelen = sizeof(struct sockaddr_l2); 1781 } 1782 1783 static void l2cap_sock_init(struct sock *sk, struct sock *parent) 1784 { 1785 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1786 1787 BT_DBG("sk %p", sk); 1788 1789 if (parent) { 1790 struct l2cap_chan *pchan = l2cap_pi(parent)->chan; 1791 1792 sk->sk_type = parent->sk_type; 1793 bt_sk(sk)->flags = bt_sk(parent)->flags; 1794 1795 chan->chan_type = pchan->chan_type; 1796 chan->imtu = pchan->imtu; 1797 chan->omtu = pchan->omtu; 1798 chan->conf_state = pchan->conf_state; 1799 chan->mode = pchan->mode; 1800 chan->fcs = pchan->fcs; 1801 chan->max_tx = pchan->max_tx; 1802 chan->tx_win = pchan->tx_win; 1803 chan->tx_win_max = pchan->tx_win_max; 1804 chan->sec_level = pchan->sec_level; 1805 chan->flags = pchan->flags; 1806 chan->tx_credits = pchan->tx_credits; 1807 chan->rx_credits = pchan->rx_credits; 1808 1809 if (chan->chan_type == L2CAP_CHAN_FIXED) { 1810 chan->scid = pchan->scid; 1811 chan->dcid = pchan->scid; 1812 } 1813 1814 security_sk_clone(parent, sk); 1815 } else { 1816 switch (sk->sk_type) { 1817 case SOCK_RAW: 1818 chan->chan_type = L2CAP_CHAN_RAW; 1819 break; 1820 case SOCK_DGRAM: 1821 chan->chan_type = L2CAP_CHAN_CONN_LESS; 1822 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name; 1823 break; 1824 case SOCK_SEQPACKET: 1825 case SOCK_STREAM: 1826 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED; 1827 break; 1828 } 1829 1830 chan->imtu = L2CAP_DEFAULT_MTU; 1831 chan->omtu = 0; 1832 if (!disable_ertm && sk->sk_type == SOCK_STREAM) { 1833 chan->mode = L2CAP_MODE_ERTM; 1834 set_bit(CONF_STATE2_DEVICE, &chan->conf_state); 1835 } else { 1836 chan->mode = L2CAP_MODE_BASIC; 1837 } 1838 1839 l2cap_chan_set_defaults(chan); 1840 } 1841 1842 /* Default config options */ 1843 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO; 1844 1845 chan->data = sk; 1846 chan->ops = &l2cap_chan_ops; 1847 } 1848 1849 static struct proto l2cap_proto = { 1850 .name = "L2CAP", 1851 .owner = THIS_MODULE, 1852 .obj_size = sizeof(struct l2cap_pinfo) 1853 }; 1854 1855 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, 1856 int proto, gfp_t prio, int kern) 1857 { 1858 struct sock *sk; 1859 struct l2cap_chan *chan; 1860 1861 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern); 1862 if (!sk) 1863 return NULL; 1864 1865 sock_init_data(sock, sk); 1866 INIT_LIST_HEAD(&bt_sk(sk)->accept_q); 1867 1868 sk->sk_destruct = l2cap_sock_destruct; 1869 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT; 1870 1871 sock_reset_flag(sk, SOCK_ZAPPED); 1872 1873 sk->sk_protocol = proto; 1874 sk->sk_state = BT_OPEN; 1875 1876 chan = l2cap_chan_create(); 1877 if (!chan) { 1878 sk_free(sk); 1879 return NULL; 1880 } 1881 1882 l2cap_chan_hold(chan); 1883 1884 l2cap_pi(sk)->chan = chan; 1885 1886 return sk; 1887 } 1888 1889 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol, 1890 int kern) 1891 { 1892 struct sock *sk; 1893 1894 BT_DBG("sock %p", sock); 1895 1896 sock->state = SS_UNCONNECTED; 1897 1898 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM && 1899 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW) 1900 return -ESOCKTNOSUPPORT; 1901 1902 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW)) 1903 return -EPERM; 1904 1905 sock->ops = &l2cap_sock_ops; 1906 1907 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern); 1908 if (!sk) 1909 return -ENOMEM; 1910 1911 l2cap_sock_init(sk, NULL); 1912 bt_sock_link(&l2cap_sk_list, sk); 1913 return 0; 1914 } 1915 1916 static const struct proto_ops l2cap_sock_ops = { 1917 .family = PF_BLUETOOTH, 1918 .owner = THIS_MODULE, 1919 .release = l2cap_sock_release, 1920 .bind = l2cap_sock_bind, 1921 .connect = l2cap_sock_connect, 1922 .listen = l2cap_sock_listen, 1923 .accept = l2cap_sock_accept, 1924 .getname = l2cap_sock_getname, 1925 .sendmsg = l2cap_sock_sendmsg, 1926 .recvmsg = l2cap_sock_recvmsg, 1927 .poll = bt_sock_poll, 1928 .ioctl = bt_sock_ioctl, 1929 .gettstamp = sock_gettstamp, 1930 .mmap = sock_no_mmap, 1931 .socketpair = sock_no_socketpair, 1932 .shutdown = l2cap_sock_shutdown, 1933 .setsockopt = l2cap_sock_setsockopt, 1934 .getsockopt = l2cap_sock_getsockopt 1935 }; 1936 1937 static const struct net_proto_family l2cap_sock_family_ops = { 1938 .family = PF_BLUETOOTH, 1939 .owner = THIS_MODULE, 1940 .create = l2cap_sock_create, 1941 }; 1942 1943 int __init l2cap_init_sockets(void) 1944 { 1945 int err; 1946 1947 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr)); 1948 1949 err = proto_register(&l2cap_proto, 0); 1950 if (err < 0) 1951 return err; 1952 1953 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops); 1954 if (err < 0) { 1955 BT_ERR("L2CAP socket registration failed"); 1956 goto error; 1957 } 1958 1959 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list, 1960 NULL); 1961 if (err < 0) { 1962 BT_ERR("Failed to create L2CAP proc file"); 1963 bt_sock_unregister(BTPROTO_L2CAP); 1964 goto error; 1965 } 1966 1967 BT_INFO("L2CAP socket layer initialized"); 1968 1969 return 0; 1970 1971 error: 1972 proto_unregister(&l2cap_proto); 1973 return err; 1974 } 1975 1976 void l2cap_cleanup_sockets(void) 1977 { 1978 bt_procfs_cleanup(&init_net, "l2cap"); 1979 bt_sock_unregister(BTPROTO_L2CAP); 1980 proto_unregister(&l2cap_proto); 1981 } 1982