1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org> 5 Copyright (C) 2010 Google Inc. 6 Copyright (C) 2011 ProFUSION Embedded Systems 7 8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 9 10 This program is free software; you can redistribute it and/or modify 11 it under the terms of the GNU General Public License version 2 as 12 published by the Free Software Foundation; 13 14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 22 23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 25 SOFTWARE IS DISCLAIMED. 26 */ 27 28 /* Bluetooth L2CAP sockets. */ 29 30 #include <linux/module.h> 31 #include <linux/export.h> 32 #include <linux/filter.h> 33 #include <linux/sched/signal.h> 34 35 #include <net/bluetooth/bluetooth.h> 36 #include <net/bluetooth/hci_core.h> 37 #include <net/bluetooth/l2cap.h> 38 39 #include "smp.h" 40 41 static struct bt_sock_list l2cap_sk_list = { 42 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock) 43 }; 44 45 static const struct proto_ops l2cap_sock_ops; 46 static void l2cap_sock_init(struct sock *sk, struct sock *parent); 47 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, 48 int proto, gfp_t prio, int kern); 49 50 bool l2cap_is_socket(struct socket *sock) 51 { 52 return sock && sock->ops == &l2cap_sock_ops; 53 } 54 EXPORT_SYMBOL(l2cap_is_socket); 55 56 static int l2cap_validate_bredr_psm(u16 psm) 57 { 58 /* PSM must be odd and lsb of upper byte must be 0 */ 59 if ((psm & 0x0101) != 0x0001) 60 return -EINVAL; 61 62 /* Restrict usage of well-known PSMs */ 63 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE)) 64 return -EACCES; 65 66 return 0; 67 } 68 69 static int l2cap_validate_le_psm(u16 psm) 70 { 71 /* Valid LE_PSM ranges are defined only until 0x00ff */ 72 if (psm > L2CAP_PSM_LE_DYN_END) 73 return -EINVAL; 74 75 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */ 76 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE)) 77 return -EACCES; 78 79 return 0; 80 } 81 82 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) 83 { 84 struct sock *sk = sock->sk; 85 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 86 struct sockaddr_l2 la; 87 int len, err = 0; 88 89 BT_DBG("sk %p", sk); 90 91 if (!addr || alen < offsetofend(struct sockaddr, sa_family) || 92 addr->sa_family != AF_BLUETOOTH) 93 return -EINVAL; 94 95 memset(&la, 0, sizeof(la)); 96 len = min_t(unsigned int, sizeof(la), alen); 97 memcpy(&la, addr, len); 98 99 if (la.l2_cid && la.l2_psm) 100 return -EINVAL; 101 102 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) 103 return -EINVAL; 104 105 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 106 /* We only allow ATT user space socket */ 107 if (la.l2_cid && 108 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) 109 return -EINVAL; 110 } 111 112 lock_sock(sk); 113 114 if (sk->sk_state != BT_OPEN) { 115 err = -EBADFD; 116 goto done; 117 } 118 119 if (la.l2_psm) { 120 __u16 psm = __le16_to_cpu(la.l2_psm); 121 122 if (la.l2_bdaddr_type == BDADDR_BREDR) 123 err = l2cap_validate_bredr_psm(psm); 124 else 125 err = l2cap_validate_le_psm(psm); 126 127 if (err) 128 goto done; 129 } 130 131 bacpy(&chan->src, &la.l2_bdaddr); 132 chan->src_type = la.l2_bdaddr_type; 133 134 if (la.l2_cid) 135 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid)); 136 else 137 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm); 138 139 if (err < 0) 140 goto done; 141 142 switch (chan->chan_type) { 143 case L2CAP_CHAN_CONN_LESS: 144 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP) 145 chan->sec_level = BT_SECURITY_SDP; 146 break; 147 case L2CAP_CHAN_CONN_ORIENTED: 148 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP || 149 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM) 150 chan->sec_level = BT_SECURITY_SDP; 151 break; 152 case L2CAP_CHAN_RAW: 153 chan->sec_level = BT_SECURITY_SDP; 154 break; 155 case L2CAP_CHAN_FIXED: 156 /* Fixed channels default to the L2CAP core not holding a 157 * hci_conn reference for them. For fixed channels mapping to 158 * L2CAP sockets we do want to hold a reference so set the 159 * appropriate flag to request it. 160 */ 161 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags); 162 break; 163 } 164 165 if (chan->psm && bdaddr_type_is_le(chan->src_type)) 166 chan->mode = L2CAP_MODE_LE_FLOWCTL; 167 168 chan->state = BT_BOUND; 169 sk->sk_state = BT_BOUND; 170 171 done: 172 release_sock(sk); 173 return err; 174 } 175 176 static void l2cap_sock_init_pid(struct sock *sk) 177 { 178 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 179 180 /* Only L2CAP_MODE_EXT_FLOWCTL ever need to access the PID in order to 181 * group the channels being requested. 182 */ 183 if (chan->mode != L2CAP_MODE_EXT_FLOWCTL) 184 return; 185 186 spin_lock(&sk->sk_peer_lock); 187 sk->sk_peer_pid = get_pid(task_tgid(current)); 188 spin_unlock(&sk->sk_peer_lock); 189 } 190 191 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, 192 int alen, int flags) 193 { 194 struct sock *sk = sock->sk; 195 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 196 struct sockaddr_l2 la; 197 int len, err = 0; 198 bool zapped; 199 200 BT_DBG("sk %p", sk); 201 202 lock_sock(sk); 203 zapped = sock_flag(sk, SOCK_ZAPPED); 204 release_sock(sk); 205 206 if (zapped) 207 return -EINVAL; 208 209 if (!addr || alen < offsetofend(struct sockaddr, sa_family) || 210 addr->sa_family != AF_BLUETOOTH) 211 return -EINVAL; 212 213 memset(&la, 0, sizeof(la)); 214 len = min_t(unsigned int, sizeof(la), alen); 215 memcpy(&la, addr, len); 216 217 if (la.l2_cid && la.l2_psm) 218 return -EINVAL; 219 220 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) 221 return -EINVAL; 222 223 /* Check that the socket wasn't bound to something that 224 * conflicts with the address given to connect(). If chan->src 225 * is BDADDR_ANY it means bind() was never used, in which case 226 * chan->src_type and la.l2_bdaddr_type do not need to match. 227 */ 228 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) && 229 bdaddr_type_is_le(la.l2_bdaddr_type)) { 230 /* Old user space versions will try to incorrectly bind 231 * the ATT socket using BDADDR_BREDR. We need to accept 232 * this and fix up the source address type only when 233 * both the source CID and destination CID indicate 234 * ATT. Anything else is an invalid combination. 235 */ 236 if (chan->scid != L2CAP_CID_ATT || 237 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) 238 return -EINVAL; 239 240 /* We don't have the hdev available here to make a 241 * better decision on random vs public, but since all 242 * user space versions that exhibit this issue anyway do 243 * not support random local addresses assuming public 244 * here is good enough. 245 */ 246 chan->src_type = BDADDR_LE_PUBLIC; 247 } 248 249 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR) 250 return -EINVAL; 251 252 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 253 /* We only allow ATT user space socket */ 254 if (la.l2_cid && 255 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) 256 return -EINVAL; 257 } 258 259 if (chan->psm && bdaddr_type_is_le(chan->src_type) && !chan->mode) 260 chan->mode = L2CAP_MODE_LE_FLOWCTL; 261 262 l2cap_sock_init_pid(sk); 263 264 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid), 265 &la.l2_bdaddr, la.l2_bdaddr_type); 266 if (err) 267 return err; 268 269 lock_sock(sk); 270 271 err = bt_sock_wait_state(sk, BT_CONNECTED, 272 sock_sndtimeo(sk, flags & O_NONBLOCK)); 273 274 release_sock(sk); 275 276 return err; 277 } 278 279 static int l2cap_sock_listen(struct socket *sock, int backlog) 280 { 281 struct sock *sk = sock->sk; 282 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 283 int err = 0; 284 285 BT_DBG("sk %p backlog %d", sk, backlog); 286 287 lock_sock(sk); 288 289 if (sk->sk_state != BT_BOUND) { 290 err = -EBADFD; 291 goto done; 292 } 293 294 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) { 295 err = -EINVAL; 296 goto done; 297 } 298 299 switch (chan->mode) { 300 case L2CAP_MODE_BASIC: 301 case L2CAP_MODE_LE_FLOWCTL: 302 break; 303 case L2CAP_MODE_EXT_FLOWCTL: 304 if (!enable_ecred) { 305 err = -EOPNOTSUPP; 306 goto done; 307 } 308 break; 309 case L2CAP_MODE_ERTM: 310 case L2CAP_MODE_STREAMING: 311 if (!disable_ertm) 312 break; 313 fallthrough; 314 default: 315 err = -EOPNOTSUPP; 316 goto done; 317 } 318 319 l2cap_sock_init_pid(sk); 320 321 sk->sk_max_ack_backlog = backlog; 322 sk->sk_ack_backlog = 0; 323 324 /* Listening channels need to use nested locking in order not to 325 * cause lockdep warnings when the created child channels end up 326 * being locked in the same thread as the parent channel. 327 */ 328 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT); 329 330 chan->state = BT_LISTEN; 331 sk->sk_state = BT_LISTEN; 332 333 done: 334 release_sock(sk); 335 return err; 336 } 337 338 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, 339 int flags, bool kern) 340 { 341 DEFINE_WAIT_FUNC(wait, woken_wake_function); 342 struct sock *sk = sock->sk, *nsk; 343 long timeo; 344 int err = 0; 345 346 lock_sock_nested(sk, L2CAP_NESTING_PARENT); 347 348 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK); 349 350 BT_DBG("sk %p timeo %ld", sk, timeo); 351 352 /* Wait for an incoming connection. (wake-one). */ 353 add_wait_queue_exclusive(sk_sleep(sk), &wait); 354 while (1) { 355 if (sk->sk_state != BT_LISTEN) { 356 err = -EBADFD; 357 break; 358 } 359 360 nsk = bt_accept_dequeue(sk, newsock); 361 if (nsk) 362 break; 363 364 if (!timeo) { 365 err = -EAGAIN; 366 break; 367 } 368 369 if (signal_pending(current)) { 370 err = sock_intr_errno(timeo); 371 break; 372 } 373 374 release_sock(sk); 375 376 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo); 377 378 lock_sock_nested(sk, L2CAP_NESTING_PARENT); 379 } 380 remove_wait_queue(sk_sleep(sk), &wait); 381 382 if (err) 383 goto done; 384 385 newsock->state = SS_CONNECTED; 386 387 BT_DBG("new socket %p", nsk); 388 389 done: 390 release_sock(sk); 391 return err; 392 } 393 394 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, 395 int peer) 396 { 397 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr; 398 struct sock *sk = sock->sk; 399 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 400 401 BT_DBG("sock %p, sk %p", sock, sk); 402 403 if (peer && sk->sk_state != BT_CONNECTED && 404 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 && 405 sk->sk_state != BT_CONFIG) 406 return -ENOTCONN; 407 408 memset(la, 0, sizeof(struct sockaddr_l2)); 409 addr->sa_family = AF_BLUETOOTH; 410 411 la->l2_psm = chan->psm; 412 413 if (peer) { 414 bacpy(&la->l2_bdaddr, &chan->dst); 415 la->l2_cid = cpu_to_le16(chan->dcid); 416 la->l2_bdaddr_type = chan->dst_type; 417 } else { 418 bacpy(&la->l2_bdaddr, &chan->src); 419 la->l2_cid = cpu_to_le16(chan->scid); 420 la->l2_bdaddr_type = chan->src_type; 421 } 422 423 return sizeof(struct sockaddr_l2); 424 } 425 426 static int l2cap_get_mode(struct l2cap_chan *chan) 427 { 428 switch (chan->mode) { 429 case L2CAP_MODE_BASIC: 430 return BT_MODE_BASIC; 431 case L2CAP_MODE_ERTM: 432 return BT_MODE_ERTM; 433 case L2CAP_MODE_STREAMING: 434 return BT_MODE_STREAMING; 435 case L2CAP_MODE_LE_FLOWCTL: 436 return BT_MODE_LE_FLOWCTL; 437 case L2CAP_MODE_EXT_FLOWCTL: 438 return BT_MODE_EXT_FLOWCTL; 439 } 440 441 return -EINVAL; 442 } 443 444 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, 445 char __user *optval, int __user *optlen) 446 { 447 struct sock *sk = sock->sk; 448 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 449 struct l2cap_options opts; 450 struct l2cap_conninfo cinfo; 451 int len, err = 0; 452 u32 opt; 453 454 BT_DBG("sk %p", sk); 455 456 if (get_user(len, optlen)) 457 return -EFAULT; 458 459 lock_sock(sk); 460 461 switch (optname) { 462 case L2CAP_OPTIONS: 463 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since 464 * legacy ATT code depends on getsockopt for 465 * L2CAP_OPTIONS we need to let this pass. 466 */ 467 if (bdaddr_type_is_le(chan->src_type) && 468 chan->scid != L2CAP_CID_ATT) { 469 err = -EINVAL; 470 break; 471 } 472 473 /* Only BR/EDR modes are supported here */ 474 switch (chan->mode) { 475 case L2CAP_MODE_BASIC: 476 case L2CAP_MODE_ERTM: 477 case L2CAP_MODE_STREAMING: 478 break; 479 default: 480 err = -EINVAL; 481 break; 482 } 483 484 if (err < 0) 485 break; 486 487 memset(&opts, 0, sizeof(opts)); 488 opts.imtu = chan->imtu; 489 opts.omtu = chan->omtu; 490 opts.flush_to = chan->flush_to; 491 opts.mode = chan->mode; 492 opts.fcs = chan->fcs; 493 opts.max_tx = chan->max_tx; 494 opts.txwin_size = chan->tx_win; 495 496 BT_DBG("mode 0x%2.2x", chan->mode); 497 498 len = min_t(unsigned int, len, sizeof(opts)); 499 if (copy_to_user(optval, (char *) &opts, len)) 500 err = -EFAULT; 501 502 break; 503 504 case L2CAP_LM: 505 switch (chan->sec_level) { 506 case BT_SECURITY_LOW: 507 opt = L2CAP_LM_AUTH; 508 break; 509 case BT_SECURITY_MEDIUM: 510 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT; 511 break; 512 case BT_SECURITY_HIGH: 513 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT | 514 L2CAP_LM_SECURE; 515 break; 516 case BT_SECURITY_FIPS: 517 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT | 518 L2CAP_LM_SECURE | L2CAP_LM_FIPS; 519 break; 520 default: 521 opt = 0; 522 break; 523 } 524 525 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags)) 526 opt |= L2CAP_LM_MASTER; 527 528 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags)) 529 opt |= L2CAP_LM_RELIABLE; 530 531 if (put_user(opt, (u32 __user *) optval)) 532 err = -EFAULT; 533 534 break; 535 536 case L2CAP_CONNINFO: 537 if (sk->sk_state != BT_CONNECTED && 538 !(sk->sk_state == BT_CONNECT2 && 539 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) { 540 err = -ENOTCONN; 541 break; 542 } 543 544 memset(&cinfo, 0, sizeof(cinfo)); 545 cinfo.hci_handle = chan->conn->hcon->handle; 546 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3); 547 548 len = min_t(unsigned int, len, sizeof(cinfo)); 549 if (copy_to_user(optval, (char *) &cinfo, len)) 550 err = -EFAULT; 551 552 break; 553 554 default: 555 err = -ENOPROTOOPT; 556 break; 557 } 558 559 release_sock(sk); 560 return err; 561 } 562 563 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, 564 char __user *optval, int __user *optlen) 565 { 566 struct sock *sk = sock->sk; 567 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 568 struct bt_security sec; 569 struct bt_power pwr; 570 u32 phys; 571 int len, mode, err = 0; 572 573 BT_DBG("sk %p", sk); 574 575 if (level == SOL_L2CAP) 576 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen); 577 578 if (level != SOL_BLUETOOTH) 579 return -ENOPROTOOPT; 580 581 if (get_user(len, optlen)) 582 return -EFAULT; 583 584 lock_sock(sk); 585 586 switch (optname) { 587 case BT_SECURITY: 588 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 589 chan->chan_type != L2CAP_CHAN_FIXED && 590 chan->chan_type != L2CAP_CHAN_RAW) { 591 err = -EINVAL; 592 break; 593 } 594 595 memset(&sec, 0, sizeof(sec)); 596 if (chan->conn) { 597 sec.level = chan->conn->hcon->sec_level; 598 599 if (sk->sk_state == BT_CONNECTED) 600 sec.key_size = chan->conn->hcon->enc_key_size; 601 } else { 602 sec.level = chan->sec_level; 603 } 604 605 len = min_t(unsigned int, len, sizeof(sec)); 606 if (copy_to_user(optval, (char *) &sec, len)) 607 err = -EFAULT; 608 609 break; 610 611 case BT_DEFER_SETUP: 612 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 613 err = -EINVAL; 614 break; 615 } 616 617 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags), 618 (u32 __user *) optval)) 619 err = -EFAULT; 620 621 break; 622 623 case BT_FLUSHABLE: 624 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags), 625 (u32 __user *) optval)) 626 err = -EFAULT; 627 628 break; 629 630 case BT_POWER: 631 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM 632 && sk->sk_type != SOCK_RAW) { 633 err = -EINVAL; 634 break; 635 } 636 637 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags); 638 639 len = min_t(unsigned int, len, sizeof(pwr)); 640 if (copy_to_user(optval, (char *) &pwr, len)) 641 err = -EFAULT; 642 643 break; 644 645 case BT_CHANNEL_POLICY: 646 if (put_user(chan->chan_policy, (u32 __user *) optval)) 647 err = -EFAULT; 648 break; 649 650 case BT_SNDMTU: 651 if (!bdaddr_type_is_le(chan->src_type)) { 652 err = -EINVAL; 653 break; 654 } 655 656 if (sk->sk_state != BT_CONNECTED) { 657 err = -ENOTCONN; 658 break; 659 } 660 661 if (put_user(chan->omtu, (u16 __user *) optval)) 662 err = -EFAULT; 663 break; 664 665 case BT_RCVMTU: 666 if (!bdaddr_type_is_le(chan->src_type)) { 667 err = -EINVAL; 668 break; 669 } 670 671 if (put_user(chan->imtu, (u16 __user *) optval)) 672 err = -EFAULT; 673 break; 674 675 case BT_PHY: 676 if (sk->sk_state != BT_CONNECTED) { 677 err = -ENOTCONN; 678 break; 679 } 680 681 phys = hci_conn_get_phy(chan->conn->hcon); 682 683 if (put_user(phys, (u32 __user *) optval)) 684 err = -EFAULT; 685 break; 686 687 case BT_MODE: 688 if (!enable_ecred) { 689 err = -ENOPROTOOPT; 690 break; 691 } 692 693 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 694 err = -EINVAL; 695 break; 696 } 697 698 mode = l2cap_get_mode(chan); 699 if (mode < 0) { 700 err = mode; 701 break; 702 } 703 704 if (put_user(mode, (u8 __user *) optval)) 705 err = -EFAULT; 706 break; 707 708 default: 709 err = -ENOPROTOOPT; 710 break; 711 } 712 713 release_sock(sk); 714 return err; 715 } 716 717 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu) 718 { 719 switch (chan->scid) { 720 case L2CAP_CID_ATT: 721 if (mtu < L2CAP_LE_MIN_MTU) 722 return false; 723 break; 724 725 default: 726 if (mtu < L2CAP_DEFAULT_MIN_MTU) 727 return false; 728 } 729 730 return true; 731 } 732 733 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, 734 sockptr_t optval, unsigned int optlen) 735 { 736 struct sock *sk = sock->sk; 737 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 738 struct l2cap_options opts; 739 int len, err = 0; 740 u32 opt; 741 742 BT_DBG("sk %p", sk); 743 744 lock_sock(sk); 745 746 switch (optname) { 747 case L2CAP_OPTIONS: 748 if (bdaddr_type_is_le(chan->src_type)) { 749 err = -EINVAL; 750 break; 751 } 752 753 if (sk->sk_state == BT_CONNECTED) { 754 err = -EINVAL; 755 break; 756 } 757 758 opts.imtu = chan->imtu; 759 opts.omtu = chan->omtu; 760 opts.flush_to = chan->flush_to; 761 opts.mode = chan->mode; 762 opts.fcs = chan->fcs; 763 opts.max_tx = chan->max_tx; 764 opts.txwin_size = chan->tx_win; 765 766 len = min_t(unsigned int, sizeof(opts), optlen); 767 if (copy_from_sockptr(&opts, optval, len)) { 768 err = -EFAULT; 769 break; 770 } 771 772 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) { 773 err = -EINVAL; 774 break; 775 } 776 777 if (!l2cap_valid_mtu(chan, opts.imtu)) { 778 err = -EINVAL; 779 break; 780 } 781 782 /* Only BR/EDR modes are supported here */ 783 switch (opts.mode) { 784 case L2CAP_MODE_BASIC: 785 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state); 786 break; 787 case L2CAP_MODE_ERTM: 788 case L2CAP_MODE_STREAMING: 789 if (!disable_ertm) 790 break; 791 fallthrough; 792 default: 793 err = -EINVAL; 794 break; 795 } 796 797 if (err < 0) 798 break; 799 800 chan->mode = opts.mode; 801 802 BT_DBG("mode 0x%2.2x", chan->mode); 803 804 chan->imtu = opts.imtu; 805 chan->omtu = opts.omtu; 806 chan->fcs = opts.fcs; 807 chan->max_tx = opts.max_tx; 808 chan->tx_win = opts.txwin_size; 809 chan->flush_to = opts.flush_to; 810 break; 811 812 case L2CAP_LM: 813 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 814 err = -EFAULT; 815 break; 816 } 817 818 if (opt & L2CAP_LM_FIPS) { 819 err = -EINVAL; 820 break; 821 } 822 823 if (opt & L2CAP_LM_AUTH) 824 chan->sec_level = BT_SECURITY_LOW; 825 if (opt & L2CAP_LM_ENCRYPT) 826 chan->sec_level = BT_SECURITY_MEDIUM; 827 if (opt & L2CAP_LM_SECURE) 828 chan->sec_level = BT_SECURITY_HIGH; 829 830 if (opt & L2CAP_LM_MASTER) 831 set_bit(FLAG_ROLE_SWITCH, &chan->flags); 832 else 833 clear_bit(FLAG_ROLE_SWITCH, &chan->flags); 834 835 if (opt & L2CAP_LM_RELIABLE) 836 set_bit(FLAG_FORCE_RELIABLE, &chan->flags); 837 else 838 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags); 839 break; 840 841 default: 842 err = -ENOPROTOOPT; 843 break; 844 } 845 846 release_sock(sk); 847 return err; 848 } 849 850 static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode) 851 { 852 switch (mode) { 853 case BT_MODE_BASIC: 854 if (bdaddr_type_is_le(chan->src_type)) 855 return -EINVAL; 856 mode = L2CAP_MODE_BASIC; 857 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state); 858 break; 859 case BT_MODE_ERTM: 860 if (!disable_ertm || bdaddr_type_is_le(chan->src_type)) 861 return -EINVAL; 862 mode = L2CAP_MODE_ERTM; 863 break; 864 case BT_MODE_STREAMING: 865 if (!disable_ertm || bdaddr_type_is_le(chan->src_type)) 866 return -EINVAL; 867 mode = L2CAP_MODE_STREAMING; 868 break; 869 case BT_MODE_LE_FLOWCTL: 870 if (!bdaddr_type_is_le(chan->src_type)) 871 return -EINVAL; 872 mode = L2CAP_MODE_LE_FLOWCTL; 873 break; 874 case BT_MODE_EXT_FLOWCTL: 875 /* TODO: Add support for ECRED PDUs to BR/EDR */ 876 if (!bdaddr_type_is_le(chan->src_type)) 877 return -EINVAL; 878 mode = L2CAP_MODE_EXT_FLOWCTL; 879 break; 880 default: 881 return -EINVAL; 882 } 883 884 chan->mode = mode; 885 886 return 0; 887 } 888 889 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, 890 sockptr_t optval, unsigned int optlen) 891 { 892 struct sock *sk = sock->sk; 893 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 894 struct bt_security sec; 895 struct bt_power pwr; 896 struct l2cap_conn *conn; 897 int len, err = 0; 898 u32 opt; 899 900 BT_DBG("sk %p", sk); 901 902 if (level == SOL_L2CAP) 903 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen); 904 905 if (level != SOL_BLUETOOTH) 906 return -ENOPROTOOPT; 907 908 lock_sock(sk); 909 910 switch (optname) { 911 case BT_SECURITY: 912 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 913 chan->chan_type != L2CAP_CHAN_FIXED && 914 chan->chan_type != L2CAP_CHAN_RAW) { 915 err = -EINVAL; 916 break; 917 } 918 919 sec.level = BT_SECURITY_LOW; 920 921 len = min_t(unsigned int, sizeof(sec), optlen); 922 if (copy_from_sockptr(&sec, optval, len)) { 923 err = -EFAULT; 924 break; 925 } 926 927 if (sec.level < BT_SECURITY_LOW || 928 sec.level > BT_SECURITY_FIPS) { 929 err = -EINVAL; 930 break; 931 } 932 933 chan->sec_level = sec.level; 934 935 if (!chan->conn) 936 break; 937 938 conn = chan->conn; 939 940 /* change security for LE channels */ 941 if (chan->scid == L2CAP_CID_ATT) { 942 if (smp_conn_security(conn->hcon, sec.level)) { 943 err = -EINVAL; 944 break; 945 } 946 947 set_bit(FLAG_PENDING_SECURITY, &chan->flags); 948 sk->sk_state = BT_CONFIG; 949 chan->state = BT_CONFIG; 950 951 /* or for ACL link */ 952 } else if ((sk->sk_state == BT_CONNECT2 && 953 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) || 954 sk->sk_state == BT_CONNECTED) { 955 if (!l2cap_chan_check_security(chan, true)) 956 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 957 else 958 sk->sk_state_change(sk); 959 } else { 960 err = -EINVAL; 961 } 962 break; 963 964 case BT_DEFER_SETUP: 965 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 966 err = -EINVAL; 967 break; 968 } 969 970 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 971 err = -EFAULT; 972 break; 973 } 974 975 if (opt) { 976 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 977 set_bit(FLAG_DEFER_SETUP, &chan->flags); 978 } else { 979 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 980 clear_bit(FLAG_DEFER_SETUP, &chan->flags); 981 } 982 break; 983 984 case BT_FLUSHABLE: 985 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 986 err = -EFAULT; 987 break; 988 } 989 990 if (opt > BT_FLUSHABLE_ON) { 991 err = -EINVAL; 992 break; 993 } 994 995 if (opt == BT_FLUSHABLE_OFF) { 996 conn = chan->conn; 997 /* proceed further only when we have l2cap_conn and 998 No Flush support in the LM */ 999 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) { 1000 err = -EINVAL; 1001 break; 1002 } 1003 } 1004 1005 if (opt) 1006 set_bit(FLAG_FLUSHABLE, &chan->flags); 1007 else 1008 clear_bit(FLAG_FLUSHABLE, &chan->flags); 1009 break; 1010 1011 case BT_POWER: 1012 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 1013 chan->chan_type != L2CAP_CHAN_RAW) { 1014 err = -EINVAL; 1015 break; 1016 } 1017 1018 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON; 1019 1020 len = min_t(unsigned int, sizeof(pwr), optlen); 1021 if (copy_from_sockptr(&pwr, optval, len)) { 1022 err = -EFAULT; 1023 break; 1024 } 1025 1026 if (pwr.force_active) 1027 set_bit(FLAG_FORCE_ACTIVE, &chan->flags); 1028 else 1029 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags); 1030 break; 1031 1032 case BT_CHANNEL_POLICY: 1033 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 1034 err = -EFAULT; 1035 break; 1036 } 1037 1038 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) { 1039 err = -EINVAL; 1040 break; 1041 } 1042 1043 if (chan->mode != L2CAP_MODE_ERTM && 1044 chan->mode != L2CAP_MODE_STREAMING) { 1045 err = -EOPNOTSUPP; 1046 break; 1047 } 1048 1049 chan->chan_policy = (u8) opt; 1050 1051 if (sk->sk_state == BT_CONNECTED && 1052 chan->move_role == L2CAP_MOVE_ROLE_NONE) 1053 l2cap_move_start(chan); 1054 1055 break; 1056 1057 case BT_SNDMTU: 1058 if (!bdaddr_type_is_le(chan->src_type)) { 1059 err = -EINVAL; 1060 break; 1061 } 1062 1063 /* Setting is not supported as it's the remote side that 1064 * decides this. 1065 */ 1066 err = -EPERM; 1067 break; 1068 1069 case BT_RCVMTU: 1070 if (!bdaddr_type_is_le(chan->src_type)) { 1071 err = -EINVAL; 1072 break; 1073 } 1074 1075 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && 1076 sk->sk_state == BT_CONNECTED) { 1077 err = -EISCONN; 1078 break; 1079 } 1080 1081 if (copy_from_sockptr(&opt, optval, sizeof(u16))) { 1082 err = -EFAULT; 1083 break; 1084 } 1085 1086 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL && 1087 sk->sk_state == BT_CONNECTED) 1088 err = l2cap_chan_reconfigure(chan, opt); 1089 else 1090 chan->imtu = opt; 1091 1092 break; 1093 1094 case BT_MODE: 1095 if (!enable_ecred) { 1096 err = -ENOPROTOOPT; 1097 break; 1098 } 1099 1100 BT_DBG("sk->sk_state %u", sk->sk_state); 1101 1102 if (sk->sk_state != BT_BOUND) { 1103 err = -EINVAL; 1104 break; 1105 } 1106 1107 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 1108 err = -EINVAL; 1109 break; 1110 } 1111 1112 if (copy_from_sockptr(&opt, optval, sizeof(u8))) { 1113 err = -EFAULT; 1114 break; 1115 } 1116 1117 BT_DBG("opt %u", opt); 1118 1119 err = l2cap_set_mode(chan, opt); 1120 if (err) 1121 break; 1122 1123 BT_DBG("mode 0x%2.2x", chan->mode); 1124 1125 break; 1126 1127 default: 1128 err = -ENOPROTOOPT; 1129 break; 1130 } 1131 1132 release_sock(sk); 1133 return err; 1134 } 1135 1136 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg, 1137 size_t len) 1138 { 1139 struct sock *sk = sock->sk; 1140 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1141 int err; 1142 1143 BT_DBG("sock %p, sk %p", sock, sk); 1144 1145 err = sock_error(sk); 1146 if (err) 1147 return err; 1148 1149 if (msg->msg_flags & MSG_OOB) 1150 return -EOPNOTSUPP; 1151 1152 if (sk->sk_state != BT_CONNECTED) 1153 return -ENOTCONN; 1154 1155 lock_sock(sk); 1156 err = bt_sock_wait_ready(sk, msg->msg_flags); 1157 release_sock(sk); 1158 if (err) 1159 return err; 1160 1161 l2cap_chan_lock(chan); 1162 err = l2cap_chan_send(chan, msg, len); 1163 l2cap_chan_unlock(chan); 1164 1165 return err; 1166 } 1167 1168 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg, 1169 size_t len, int flags) 1170 { 1171 struct sock *sk = sock->sk; 1172 struct l2cap_pinfo *pi = l2cap_pi(sk); 1173 int err; 1174 1175 lock_sock(sk); 1176 1177 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP, 1178 &bt_sk(sk)->flags)) { 1179 if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) { 1180 sk->sk_state = BT_CONNECTED; 1181 pi->chan->state = BT_CONNECTED; 1182 __l2cap_ecred_conn_rsp_defer(pi->chan); 1183 } else if (bdaddr_type_is_le(pi->chan->src_type)) { 1184 sk->sk_state = BT_CONNECTED; 1185 pi->chan->state = BT_CONNECTED; 1186 __l2cap_le_connect_rsp_defer(pi->chan); 1187 } else { 1188 sk->sk_state = BT_CONFIG; 1189 pi->chan->state = BT_CONFIG; 1190 __l2cap_connect_rsp_defer(pi->chan); 1191 } 1192 1193 err = 0; 1194 goto done; 1195 } 1196 1197 release_sock(sk); 1198 1199 if (sock->type == SOCK_STREAM) 1200 err = bt_sock_stream_recvmsg(sock, msg, len, flags); 1201 else 1202 err = bt_sock_recvmsg(sock, msg, len, flags); 1203 1204 if (pi->chan->mode != L2CAP_MODE_ERTM) 1205 return err; 1206 1207 /* Attempt to put pending rx data in the socket buffer */ 1208 1209 lock_sock(sk); 1210 1211 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state)) 1212 goto done; 1213 1214 if (pi->rx_busy_skb) { 1215 if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb)) 1216 pi->rx_busy_skb = NULL; 1217 else 1218 goto done; 1219 } 1220 1221 /* Restore data flow when half of the receive buffer is 1222 * available. This avoids resending large numbers of 1223 * frames. 1224 */ 1225 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1) 1226 l2cap_chan_busy(pi->chan, 0); 1227 1228 done: 1229 release_sock(sk); 1230 return err; 1231 } 1232 1233 /* Kill socket (only if zapped and orphan) 1234 * Must be called on unlocked socket, with l2cap channel lock. 1235 */ 1236 static void l2cap_sock_kill(struct sock *sk) 1237 { 1238 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket) 1239 return; 1240 1241 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state)); 1242 1243 /* Kill poor orphan */ 1244 1245 l2cap_chan_put(l2cap_pi(sk)->chan); 1246 sock_set_flag(sk, SOCK_DEAD); 1247 sock_put(sk); 1248 } 1249 1250 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan) 1251 { 1252 DECLARE_WAITQUEUE(wait, current); 1253 int err = 0; 1254 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD; 1255 /* Timeout to prevent infinite loop */ 1256 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT; 1257 1258 add_wait_queue(sk_sleep(sk), &wait); 1259 set_current_state(TASK_INTERRUPTIBLE); 1260 do { 1261 BT_DBG("Waiting for %d ACKs, timeout %04d ms", 1262 chan->unacked_frames, time_after(jiffies, timeout) ? 0 : 1263 jiffies_to_msecs(timeout - jiffies)); 1264 1265 if (!timeo) 1266 timeo = L2CAP_WAIT_ACK_POLL_PERIOD; 1267 1268 if (signal_pending(current)) { 1269 err = sock_intr_errno(timeo); 1270 break; 1271 } 1272 1273 release_sock(sk); 1274 timeo = schedule_timeout(timeo); 1275 lock_sock(sk); 1276 set_current_state(TASK_INTERRUPTIBLE); 1277 1278 err = sock_error(sk); 1279 if (err) 1280 break; 1281 1282 if (time_after(jiffies, timeout)) { 1283 err = -ENOLINK; 1284 break; 1285 } 1286 1287 } while (chan->unacked_frames > 0 && 1288 chan->state == BT_CONNECTED); 1289 1290 set_current_state(TASK_RUNNING); 1291 remove_wait_queue(sk_sleep(sk), &wait); 1292 return err; 1293 } 1294 1295 static int l2cap_sock_shutdown(struct socket *sock, int how) 1296 { 1297 struct sock *sk = sock->sk; 1298 struct l2cap_chan *chan; 1299 struct l2cap_conn *conn; 1300 int err = 0; 1301 1302 BT_DBG("sock %p, sk %p, how %d", sock, sk, how); 1303 1304 /* 'how' parameter is mapped to sk_shutdown as follows: 1305 * SHUT_RD (0) --> RCV_SHUTDOWN (1) 1306 * SHUT_WR (1) --> SEND_SHUTDOWN (2) 1307 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3) 1308 */ 1309 how++; 1310 1311 if (!sk) 1312 return 0; 1313 1314 lock_sock(sk); 1315 1316 if ((sk->sk_shutdown & how) == how) 1317 goto shutdown_already; 1318 1319 BT_DBG("Handling sock shutdown"); 1320 1321 /* prevent sk structure from being freed whilst unlocked */ 1322 sock_hold(sk); 1323 1324 chan = l2cap_pi(sk)->chan; 1325 /* prevent chan structure from being freed whilst unlocked */ 1326 l2cap_chan_hold(chan); 1327 1328 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 1329 1330 if (chan->mode == L2CAP_MODE_ERTM && 1331 chan->unacked_frames > 0 && 1332 chan->state == BT_CONNECTED) { 1333 err = __l2cap_wait_ack(sk, chan); 1334 1335 /* After waiting for ACKs, check whether shutdown 1336 * has already been actioned to close the L2CAP 1337 * link such as by l2cap_disconnection_req(). 1338 */ 1339 if ((sk->sk_shutdown & how) == how) 1340 goto shutdown_matched; 1341 } 1342 1343 /* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN 1344 * is already set 1345 */ 1346 if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) { 1347 sk->sk_shutdown |= RCV_SHUTDOWN; 1348 if ((sk->sk_shutdown & how) == how) 1349 goto shutdown_matched; 1350 } 1351 1352 sk->sk_shutdown |= SEND_SHUTDOWN; 1353 release_sock(sk); 1354 1355 l2cap_chan_lock(chan); 1356 conn = chan->conn; 1357 if (conn) 1358 /* prevent conn structure from being freed */ 1359 l2cap_conn_get(conn); 1360 l2cap_chan_unlock(chan); 1361 1362 if (conn) 1363 /* mutex lock must be taken before l2cap_chan_lock() */ 1364 mutex_lock(&conn->chan_lock); 1365 1366 l2cap_chan_lock(chan); 1367 l2cap_chan_close(chan, 0); 1368 l2cap_chan_unlock(chan); 1369 1370 if (conn) { 1371 mutex_unlock(&conn->chan_lock); 1372 l2cap_conn_put(conn); 1373 } 1374 1375 lock_sock(sk); 1376 1377 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime && 1378 !(current->flags & PF_EXITING)) 1379 err = bt_sock_wait_state(sk, BT_CLOSED, 1380 sk->sk_lingertime); 1381 1382 shutdown_matched: 1383 l2cap_chan_put(chan); 1384 sock_put(sk); 1385 1386 shutdown_already: 1387 if (!err && sk->sk_err) 1388 err = -sk->sk_err; 1389 1390 release_sock(sk); 1391 1392 BT_DBG("Sock shutdown complete err: %d", err); 1393 1394 return err; 1395 } 1396 1397 static int l2cap_sock_release(struct socket *sock) 1398 { 1399 struct sock *sk = sock->sk; 1400 int err; 1401 struct l2cap_chan *chan; 1402 1403 BT_DBG("sock %p, sk %p", sock, sk); 1404 1405 if (!sk) 1406 return 0; 1407 1408 bt_sock_unlink(&l2cap_sk_list, sk); 1409 1410 err = l2cap_sock_shutdown(sock, SHUT_RDWR); 1411 chan = l2cap_pi(sk)->chan; 1412 1413 l2cap_chan_hold(chan); 1414 l2cap_chan_lock(chan); 1415 1416 sock_orphan(sk); 1417 l2cap_sock_kill(sk); 1418 1419 l2cap_chan_unlock(chan); 1420 l2cap_chan_put(chan); 1421 1422 return err; 1423 } 1424 1425 static void l2cap_sock_cleanup_listen(struct sock *parent) 1426 { 1427 struct sock *sk; 1428 1429 BT_DBG("parent %p state %s", parent, 1430 state_to_string(parent->sk_state)); 1431 1432 /* Close not yet accepted channels */ 1433 while ((sk = bt_accept_dequeue(parent, NULL))) { 1434 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1435 1436 BT_DBG("child chan %p state %s", chan, 1437 state_to_string(chan->state)); 1438 1439 l2cap_chan_hold(chan); 1440 l2cap_chan_lock(chan); 1441 1442 __clear_chan_timer(chan); 1443 l2cap_chan_close(chan, ECONNRESET); 1444 l2cap_sock_kill(sk); 1445 1446 l2cap_chan_unlock(chan); 1447 l2cap_chan_put(chan); 1448 } 1449 } 1450 1451 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan) 1452 { 1453 struct sock *sk, *parent = chan->data; 1454 1455 lock_sock(parent); 1456 1457 /* Check for backlog size */ 1458 if (sk_acceptq_is_full(parent)) { 1459 BT_DBG("backlog full %d", parent->sk_ack_backlog); 1460 release_sock(parent); 1461 return NULL; 1462 } 1463 1464 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, 1465 GFP_ATOMIC, 0); 1466 if (!sk) { 1467 release_sock(parent); 1468 return NULL; 1469 } 1470 1471 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP); 1472 1473 l2cap_sock_init(sk, parent); 1474 1475 bt_accept_enqueue(parent, sk, false); 1476 1477 release_sock(parent); 1478 1479 return l2cap_pi(sk)->chan; 1480 } 1481 1482 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) 1483 { 1484 struct sock *sk = chan->data; 1485 int err; 1486 1487 lock_sock(sk); 1488 1489 if (l2cap_pi(sk)->rx_busy_skb) { 1490 err = -ENOMEM; 1491 goto done; 1492 } 1493 1494 if (chan->mode != L2CAP_MODE_ERTM && 1495 chan->mode != L2CAP_MODE_STREAMING) { 1496 /* Even if no filter is attached, we could potentially 1497 * get errors from security modules, etc. 1498 */ 1499 err = sk_filter(sk, skb); 1500 if (err) 1501 goto done; 1502 } 1503 1504 err = __sock_queue_rcv_skb(sk, skb); 1505 1506 /* For ERTM, handle one skb that doesn't fit into the recv 1507 * buffer. This is important to do because the data frames 1508 * have already been acked, so the skb cannot be discarded. 1509 * 1510 * Notify the l2cap core that the buffer is full, so the 1511 * LOCAL_BUSY state is entered and no more frames are 1512 * acked and reassembled until there is buffer space 1513 * available. 1514 */ 1515 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) { 1516 l2cap_pi(sk)->rx_busy_skb = skb; 1517 l2cap_chan_busy(chan, 1); 1518 err = 0; 1519 } 1520 1521 done: 1522 release_sock(sk); 1523 1524 return err; 1525 } 1526 1527 static void l2cap_sock_close_cb(struct l2cap_chan *chan) 1528 { 1529 struct sock *sk = chan->data; 1530 1531 if (!sk) 1532 return; 1533 1534 l2cap_sock_kill(sk); 1535 } 1536 1537 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err) 1538 { 1539 struct sock *sk = chan->data; 1540 struct sock *parent; 1541 1542 if (!sk) 1543 return; 1544 1545 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 1546 1547 /* This callback can be called both for server (BT_LISTEN) 1548 * sockets as well as "normal" ones. To avoid lockdep warnings 1549 * with child socket locking (through l2cap_sock_cleanup_listen) 1550 * we need separation into separate nesting levels. The simplest 1551 * way to accomplish this is to inherit the nesting level used 1552 * for the channel. 1553 */ 1554 lock_sock_nested(sk, atomic_read(&chan->nesting)); 1555 1556 parent = bt_sk(sk)->parent; 1557 1558 switch (chan->state) { 1559 case BT_OPEN: 1560 case BT_BOUND: 1561 case BT_CLOSED: 1562 break; 1563 case BT_LISTEN: 1564 l2cap_sock_cleanup_listen(sk); 1565 sk->sk_state = BT_CLOSED; 1566 chan->state = BT_CLOSED; 1567 1568 break; 1569 default: 1570 sk->sk_state = BT_CLOSED; 1571 chan->state = BT_CLOSED; 1572 1573 sk->sk_err = err; 1574 1575 if (parent) { 1576 bt_accept_unlink(sk); 1577 parent->sk_data_ready(parent); 1578 } else { 1579 sk->sk_state_change(sk); 1580 } 1581 1582 break; 1583 } 1584 release_sock(sk); 1585 1586 /* Only zap after cleanup to avoid use after free race */ 1587 sock_set_flag(sk, SOCK_ZAPPED); 1588 1589 } 1590 1591 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state, 1592 int err) 1593 { 1594 struct sock *sk = chan->data; 1595 1596 sk->sk_state = state; 1597 1598 if (err) 1599 sk->sk_err = err; 1600 } 1601 1602 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan, 1603 unsigned long hdr_len, 1604 unsigned long len, int nb) 1605 { 1606 struct sock *sk = chan->data; 1607 struct sk_buff *skb; 1608 int err; 1609 1610 l2cap_chan_unlock(chan); 1611 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err); 1612 l2cap_chan_lock(chan); 1613 1614 if (!skb) 1615 return ERR_PTR(err); 1616 1617 skb->priority = sk->sk_priority; 1618 1619 bt_cb(skb)->l2cap.chan = chan; 1620 1621 return skb; 1622 } 1623 1624 static void l2cap_sock_ready_cb(struct l2cap_chan *chan) 1625 { 1626 struct sock *sk = chan->data; 1627 struct sock *parent; 1628 1629 lock_sock(sk); 1630 1631 parent = bt_sk(sk)->parent; 1632 1633 BT_DBG("sk %p, parent %p", sk, parent); 1634 1635 sk->sk_state = BT_CONNECTED; 1636 sk->sk_state_change(sk); 1637 1638 if (parent) 1639 parent->sk_data_ready(parent); 1640 1641 release_sock(sk); 1642 } 1643 1644 static void l2cap_sock_defer_cb(struct l2cap_chan *chan) 1645 { 1646 struct sock *parent, *sk = chan->data; 1647 1648 lock_sock(sk); 1649 1650 parent = bt_sk(sk)->parent; 1651 if (parent) 1652 parent->sk_data_ready(parent); 1653 1654 release_sock(sk); 1655 } 1656 1657 static void l2cap_sock_resume_cb(struct l2cap_chan *chan) 1658 { 1659 struct sock *sk = chan->data; 1660 1661 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) { 1662 sk->sk_state = BT_CONNECTED; 1663 chan->state = BT_CONNECTED; 1664 } 1665 1666 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 1667 sk->sk_state_change(sk); 1668 } 1669 1670 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan) 1671 { 1672 struct sock *sk = chan->data; 1673 1674 lock_sock(sk); 1675 sk->sk_shutdown = SHUTDOWN_MASK; 1676 release_sock(sk); 1677 } 1678 1679 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan) 1680 { 1681 struct sock *sk = chan->data; 1682 1683 return sk->sk_sndtimeo; 1684 } 1685 1686 static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan) 1687 { 1688 struct sock *sk = chan->data; 1689 1690 return sk->sk_peer_pid; 1691 } 1692 1693 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan) 1694 { 1695 struct sock *sk = chan->data; 1696 1697 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 1698 sk->sk_state_change(sk); 1699 } 1700 1701 static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb) 1702 { 1703 struct sock *sk = chan->data; 1704 1705 switch (chan->mode) { 1706 case L2CAP_MODE_ERTM: 1707 case L2CAP_MODE_STREAMING: 1708 return sk_filter(sk, skb); 1709 } 1710 1711 return 0; 1712 } 1713 1714 static const struct l2cap_ops l2cap_chan_ops = { 1715 .name = "L2CAP Socket Interface", 1716 .new_connection = l2cap_sock_new_connection_cb, 1717 .recv = l2cap_sock_recv_cb, 1718 .close = l2cap_sock_close_cb, 1719 .teardown = l2cap_sock_teardown_cb, 1720 .state_change = l2cap_sock_state_change_cb, 1721 .ready = l2cap_sock_ready_cb, 1722 .defer = l2cap_sock_defer_cb, 1723 .resume = l2cap_sock_resume_cb, 1724 .suspend = l2cap_sock_suspend_cb, 1725 .set_shutdown = l2cap_sock_set_shutdown_cb, 1726 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb, 1727 .get_peer_pid = l2cap_sock_get_peer_pid_cb, 1728 .alloc_skb = l2cap_sock_alloc_skb_cb, 1729 .filter = l2cap_sock_filter, 1730 }; 1731 1732 static void l2cap_sock_destruct(struct sock *sk) 1733 { 1734 BT_DBG("sk %p", sk); 1735 1736 if (l2cap_pi(sk)->chan) { 1737 l2cap_pi(sk)->chan->data = NULL; 1738 l2cap_chan_put(l2cap_pi(sk)->chan); 1739 } 1740 1741 if (l2cap_pi(sk)->rx_busy_skb) { 1742 kfree_skb(l2cap_pi(sk)->rx_busy_skb); 1743 l2cap_pi(sk)->rx_busy_skb = NULL; 1744 } 1745 1746 skb_queue_purge(&sk->sk_receive_queue); 1747 skb_queue_purge(&sk->sk_write_queue); 1748 } 1749 1750 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name, 1751 int *msg_namelen) 1752 { 1753 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name); 1754 1755 memset(la, 0, sizeof(struct sockaddr_l2)); 1756 la->l2_family = AF_BLUETOOTH; 1757 la->l2_psm = bt_cb(skb)->l2cap.psm; 1758 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr); 1759 1760 *msg_namelen = sizeof(struct sockaddr_l2); 1761 } 1762 1763 static void l2cap_sock_init(struct sock *sk, struct sock *parent) 1764 { 1765 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1766 1767 BT_DBG("sk %p", sk); 1768 1769 if (parent) { 1770 struct l2cap_chan *pchan = l2cap_pi(parent)->chan; 1771 1772 sk->sk_type = parent->sk_type; 1773 bt_sk(sk)->flags = bt_sk(parent)->flags; 1774 1775 chan->chan_type = pchan->chan_type; 1776 chan->imtu = pchan->imtu; 1777 chan->omtu = pchan->omtu; 1778 chan->conf_state = pchan->conf_state; 1779 chan->mode = pchan->mode; 1780 chan->fcs = pchan->fcs; 1781 chan->max_tx = pchan->max_tx; 1782 chan->tx_win = pchan->tx_win; 1783 chan->tx_win_max = pchan->tx_win_max; 1784 chan->sec_level = pchan->sec_level; 1785 chan->flags = pchan->flags; 1786 chan->tx_credits = pchan->tx_credits; 1787 chan->rx_credits = pchan->rx_credits; 1788 1789 if (chan->chan_type == L2CAP_CHAN_FIXED) { 1790 chan->scid = pchan->scid; 1791 chan->dcid = pchan->scid; 1792 } 1793 1794 security_sk_clone(parent, sk); 1795 } else { 1796 switch (sk->sk_type) { 1797 case SOCK_RAW: 1798 chan->chan_type = L2CAP_CHAN_RAW; 1799 break; 1800 case SOCK_DGRAM: 1801 chan->chan_type = L2CAP_CHAN_CONN_LESS; 1802 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name; 1803 break; 1804 case SOCK_SEQPACKET: 1805 case SOCK_STREAM: 1806 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED; 1807 break; 1808 } 1809 1810 chan->imtu = L2CAP_DEFAULT_MTU; 1811 chan->omtu = 0; 1812 if (!disable_ertm && sk->sk_type == SOCK_STREAM) { 1813 chan->mode = L2CAP_MODE_ERTM; 1814 set_bit(CONF_STATE2_DEVICE, &chan->conf_state); 1815 } else { 1816 chan->mode = L2CAP_MODE_BASIC; 1817 } 1818 1819 l2cap_chan_set_defaults(chan); 1820 } 1821 1822 /* Default config options */ 1823 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO; 1824 1825 chan->data = sk; 1826 chan->ops = &l2cap_chan_ops; 1827 } 1828 1829 static struct proto l2cap_proto = { 1830 .name = "L2CAP", 1831 .owner = THIS_MODULE, 1832 .obj_size = sizeof(struct l2cap_pinfo) 1833 }; 1834 1835 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, 1836 int proto, gfp_t prio, int kern) 1837 { 1838 struct sock *sk; 1839 struct l2cap_chan *chan; 1840 1841 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern); 1842 if (!sk) 1843 return NULL; 1844 1845 sock_init_data(sock, sk); 1846 INIT_LIST_HEAD(&bt_sk(sk)->accept_q); 1847 1848 sk->sk_destruct = l2cap_sock_destruct; 1849 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT; 1850 1851 sock_reset_flag(sk, SOCK_ZAPPED); 1852 1853 sk->sk_protocol = proto; 1854 sk->sk_state = BT_OPEN; 1855 1856 chan = l2cap_chan_create(); 1857 if (!chan) { 1858 sk_free(sk); 1859 return NULL; 1860 } 1861 1862 l2cap_chan_hold(chan); 1863 1864 l2cap_pi(sk)->chan = chan; 1865 1866 return sk; 1867 } 1868 1869 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol, 1870 int kern) 1871 { 1872 struct sock *sk; 1873 1874 BT_DBG("sock %p", sock); 1875 1876 sock->state = SS_UNCONNECTED; 1877 1878 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM && 1879 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW) 1880 return -ESOCKTNOSUPPORT; 1881 1882 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW)) 1883 return -EPERM; 1884 1885 sock->ops = &l2cap_sock_ops; 1886 1887 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern); 1888 if (!sk) 1889 return -ENOMEM; 1890 1891 l2cap_sock_init(sk, NULL); 1892 bt_sock_link(&l2cap_sk_list, sk); 1893 return 0; 1894 } 1895 1896 static const struct proto_ops l2cap_sock_ops = { 1897 .family = PF_BLUETOOTH, 1898 .owner = THIS_MODULE, 1899 .release = l2cap_sock_release, 1900 .bind = l2cap_sock_bind, 1901 .connect = l2cap_sock_connect, 1902 .listen = l2cap_sock_listen, 1903 .accept = l2cap_sock_accept, 1904 .getname = l2cap_sock_getname, 1905 .sendmsg = l2cap_sock_sendmsg, 1906 .recvmsg = l2cap_sock_recvmsg, 1907 .poll = bt_sock_poll, 1908 .ioctl = bt_sock_ioctl, 1909 .gettstamp = sock_gettstamp, 1910 .mmap = sock_no_mmap, 1911 .socketpair = sock_no_socketpair, 1912 .shutdown = l2cap_sock_shutdown, 1913 .setsockopt = l2cap_sock_setsockopt, 1914 .getsockopt = l2cap_sock_getsockopt 1915 }; 1916 1917 static const struct net_proto_family l2cap_sock_family_ops = { 1918 .family = PF_BLUETOOTH, 1919 .owner = THIS_MODULE, 1920 .create = l2cap_sock_create, 1921 }; 1922 1923 int __init l2cap_init_sockets(void) 1924 { 1925 int err; 1926 1927 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr)); 1928 1929 err = proto_register(&l2cap_proto, 0); 1930 if (err < 0) 1931 return err; 1932 1933 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops); 1934 if (err < 0) { 1935 BT_ERR("L2CAP socket registration failed"); 1936 goto error; 1937 } 1938 1939 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list, 1940 NULL); 1941 if (err < 0) { 1942 BT_ERR("Failed to create L2CAP proc file"); 1943 bt_sock_unregister(BTPROTO_L2CAP); 1944 goto error; 1945 } 1946 1947 BT_INFO("L2CAP socket layer initialized"); 1948 1949 return 0; 1950 1951 error: 1952 proto_unregister(&l2cap_proto); 1953 return err; 1954 } 1955 1956 void l2cap_cleanup_sockets(void) 1957 { 1958 bt_procfs_cleanup(&init_net, "l2cap"); 1959 bt_sock_unregister(BTPROTO_L2CAP); 1960 proto_unregister(&l2cap_proto); 1961 } 1962