1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
26 */
27
28 /* Bluetooth L2CAP sockets. */
29
30 #include <linux/module.h>
31 #include <linux/export.h>
32 #include <linux/filter.h>
33 #include <linux/sched/signal.h>
34
35 #include <net/bluetooth/bluetooth.h>
36 #include <net/bluetooth/hci_core.h>
37 #include <net/bluetooth/l2cap.h>
38
39 #include "smp.h"
40
41 static struct bt_sock_list l2cap_sk_list = {
42 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
43 };
44
45 static const struct proto_ops l2cap_sock_ops;
46 static void l2cap_sock_init(struct sock *sk, struct sock *parent);
47 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
48 int proto, gfp_t prio, int kern);
49 static void l2cap_sock_cleanup_listen(struct sock *parent);
50
51 bool l2cap_is_socket(struct socket *sock)
52 {
53 return sock && sock->ops == &l2cap_sock_ops;
54 }
55 EXPORT_SYMBOL(l2cap_is_socket);
56
57 static int l2cap_validate_bredr_psm(u16 psm)
58 {
59 /* PSM must be odd and lsb of upper byte must be 0 */
60 if ((psm & 0x0101) != 0x0001)
61 return -EINVAL;
62
63 /* Restrict usage of well-known PSMs */
64 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
65 return -EACCES;
66
67 return 0;
68 }
69
70 static int l2cap_validate_le_psm(u16 psm)
71 {
72 /* Valid LE_PSM ranges are defined only until 0x00ff */
73 if (psm > L2CAP_PSM_LE_DYN_END)
74 return -EINVAL;
75
76 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
77 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
78 return -EACCES;
79
80 return 0;
81 }
82
83 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
84 {
85 struct sock *sk = sock->sk;
86 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
87 struct sockaddr_l2 la;
88 int len, err = 0;
89
90 BT_DBG("sk %p", sk);
91
92 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
93 addr->sa_family != AF_BLUETOOTH)
94 return -EINVAL;
95
96 memset(&la, 0, sizeof(la));
97 len = min_t(unsigned int, sizeof(la), alen);
98 memcpy(&la, addr, len);
99
100 if (la.l2_cid && la.l2_psm)
101 return -EINVAL;
102
103 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
104 return -EINVAL;
105
106 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
107 /* We only allow ATT user space socket */
108 if (la.l2_cid &&
109 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
110 return -EINVAL;
111 }
112
113 lock_sock(sk);
114
115 if (sk->sk_state != BT_OPEN) {
116 err = -EBADFD;
117 goto done;
118 }
119
120 if (la.l2_psm) {
121 __u16 psm = __le16_to_cpu(la.l2_psm);
122
123 if (la.l2_bdaddr_type == BDADDR_BREDR)
124 err = l2cap_validate_bredr_psm(psm);
125 else
126 err = l2cap_validate_le_psm(psm);
127
128 if (err)
129 goto done;
130 }
131
132 bacpy(&chan->src, &la.l2_bdaddr);
133 chan->src_type = la.l2_bdaddr_type;
134
135 if (la.l2_cid)
136 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
137 else
138 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
139
140 if (err < 0)
141 goto done;
142
143 switch (chan->chan_type) {
144 case L2CAP_CHAN_CONN_LESS:
145 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
146 chan->sec_level = BT_SECURITY_SDP;
147 break;
148 case L2CAP_CHAN_CONN_ORIENTED:
149 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
150 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
151 chan->sec_level = BT_SECURITY_SDP;
152 break;
153 case L2CAP_CHAN_RAW:
154 chan->sec_level = BT_SECURITY_SDP;
155 break;
156 case L2CAP_CHAN_FIXED:
157 /* Fixed channels default to the L2CAP core not holding a
158 * hci_conn reference for them. For fixed channels mapping to
159 * L2CAP sockets we do want to hold a reference so set the
160 * appropriate flag to request it.
161 */
162 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
163 break;
164 }
165
166 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
167 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
168 */
169 if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
170 chan->mode != L2CAP_MODE_EXT_FLOWCTL)
171 chan->mode = L2CAP_MODE_LE_FLOWCTL;
172
173 chan->state = BT_BOUND;
174 sk->sk_state = BT_BOUND;
175
176 done:
177 release_sock(sk);
178 return err;
179 }
180
181 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
182 int alen, int flags)
183 {
184 struct sock *sk = sock->sk;
185 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
186 struct sockaddr_l2 la;
187 int len, err = 0;
188 bool zapped;
189
190 BT_DBG("sk %p", sk);
191
192 lock_sock(sk);
193 zapped = sock_flag(sk, SOCK_ZAPPED);
194 release_sock(sk);
195
196 if (zapped)
197 return -EINVAL;
198
199 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
200 addr->sa_family != AF_BLUETOOTH)
201 return -EINVAL;
202
203 memset(&la, 0, sizeof(la));
204 len = min_t(unsigned int, sizeof(la), alen);
205 memcpy(&la, addr, len);
206
207 if (la.l2_cid && la.l2_psm)
208 return -EINVAL;
209
210 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
211 return -EINVAL;
212
213 /* Check that the socket wasn't bound to something that
214 * conflicts with the address given to connect(). If chan->src
215 * is BDADDR_ANY it means bind() was never used, in which case
216 * chan->src_type and la.l2_bdaddr_type do not need to match.
217 */
218 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
219 bdaddr_type_is_le(la.l2_bdaddr_type)) {
220 /* Old user space versions will try to incorrectly bind
221 * the ATT socket using BDADDR_BREDR. We need to accept
222 * this and fix up the source address type only when
223 * both the source CID and destination CID indicate
224 * ATT. Anything else is an invalid combination.
225 */
226 if (chan->scid != L2CAP_CID_ATT ||
227 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
228 return -EINVAL;
229
230 /* We don't have the hdev available here to make a
231 * better decision on random vs public, but since all
232 * user space versions that exhibit this issue anyway do
233 * not support random local addresses assuming public
234 * here is good enough.
235 */
236 chan->src_type = BDADDR_LE_PUBLIC;
237 }
238
239 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
240 return -EINVAL;
241
242 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
243 /* We only allow ATT user space socket */
244 if (la.l2_cid &&
245 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
246 return -EINVAL;
247 }
248
249 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
250 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
251 */
252 if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
253 chan->mode != L2CAP_MODE_EXT_FLOWCTL)
254 chan->mode = L2CAP_MODE_LE_FLOWCTL;
255
256 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
257 &la.l2_bdaddr, la.l2_bdaddr_type,
258 sk->sk_sndtimeo);
259 if (err)
260 return err;
261
262 lock_sock(sk);
263
264 err = bt_sock_wait_state(sk, BT_CONNECTED,
265 sock_sndtimeo(sk, flags & O_NONBLOCK));
266
267 release_sock(sk);
268
269 return err;
270 }
271
272 static int l2cap_sock_listen(struct socket *sock, int backlog)
273 {
274 struct sock *sk = sock->sk;
275 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
276 int err = 0;
277
278 BT_DBG("sk %p backlog %d", sk, backlog);
279
280 lock_sock(sk);
281
282 if (sk->sk_state != BT_BOUND) {
283 err = -EBADFD;
284 goto done;
285 }
286
287 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
288 err = -EINVAL;
289 goto done;
290 }
291
292 switch (chan->mode) {
293 case L2CAP_MODE_BASIC:
294 case L2CAP_MODE_LE_FLOWCTL:
295 break;
296 case L2CAP_MODE_EXT_FLOWCTL:
297 if (!enable_ecred) {
298 err = -EOPNOTSUPP;
299 goto done;
300 }
301 break;
302 case L2CAP_MODE_ERTM:
303 case L2CAP_MODE_STREAMING:
304 if (!disable_ertm)
305 break;
306 fallthrough;
307 default:
308 err = -EOPNOTSUPP;
309 goto done;
310 }
311
312 sk->sk_max_ack_backlog = backlog;
313 sk->sk_ack_backlog = 0;
314
315 /* Listening channels need to use nested locking in order not to
316 * cause lockdep warnings when the created child channels end up
317 * being locked in the same thread as the parent channel.
318 */
319 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
320
321 chan->state = BT_LISTEN;
322 sk->sk_state = BT_LISTEN;
323
324 done:
325 release_sock(sk);
326 return err;
327 }
328
329 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
330 struct proto_accept_arg *arg)
331 {
332 DEFINE_WAIT_FUNC(wait, woken_wake_function);
333 struct sock *sk = sock->sk, *nsk;
334 long timeo;
335 int err = 0;
336
337 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
338
339 timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK);
340
341 BT_DBG("sk %p timeo %ld", sk, timeo);
342
343 /* Wait for an incoming connection. (wake-one). */
344 add_wait_queue_exclusive(sk_sleep(sk), &wait);
345 while (1) {
346 if (sk->sk_state != BT_LISTEN) {
347 err = -EBADFD;
348 break;
349 }
350
351 nsk = bt_accept_dequeue(sk, newsock);
352 if (nsk)
353 break;
354
355 if (!timeo) {
356 err = -EAGAIN;
357 break;
358 }
359
360 if (signal_pending(current)) {
361 err = sock_intr_errno(timeo);
362 break;
363 }
364
365 release_sock(sk);
366
367 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
368
369 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
370 }
371 remove_wait_queue(sk_sleep(sk), &wait);
372
373 if (err)
374 goto done;
375
376 newsock->state = SS_CONNECTED;
377
378 BT_DBG("new socket %p", nsk);
379
380 done:
381 release_sock(sk);
382 return err;
383 }
384
385 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
386 int peer)
387 {
388 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
389 struct sock *sk = sock->sk;
390 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
391
392 BT_DBG("sock %p, sk %p", sock, sk);
393
394 if (peer && sk->sk_state != BT_CONNECTED &&
395 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
396 sk->sk_state != BT_CONFIG)
397 return -ENOTCONN;
398
399 memset(la, 0, sizeof(struct sockaddr_l2));
400 addr->sa_family = AF_BLUETOOTH;
401
402 la->l2_psm = chan->psm;
403
404 if (peer) {
405 bacpy(&la->l2_bdaddr, &chan->dst);
406 la->l2_cid = cpu_to_le16(chan->dcid);
407 la->l2_bdaddr_type = chan->dst_type;
408 } else {
409 bacpy(&la->l2_bdaddr, &chan->src);
410 la->l2_cid = cpu_to_le16(chan->scid);
411 la->l2_bdaddr_type = chan->src_type;
412 }
413
414 return sizeof(struct sockaddr_l2);
415 }
416
417 static int l2cap_get_mode(struct l2cap_chan *chan)
418 {
419 switch (chan->mode) {
420 case L2CAP_MODE_BASIC:
421 return BT_MODE_BASIC;
422 case L2CAP_MODE_ERTM:
423 return BT_MODE_ERTM;
424 case L2CAP_MODE_STREAMING:
425 return BT_MODE_STREAMING;
426 case L2CAP_MODE_LE_FLOWCTL:
427 return BT_MODE_LE_FLOWCTL;
428 case L2CAP_MODE_EXT_FLOWCTL:
429 return BT_MODE_EXT_FLOWCTL;
430 }
431
432 return -EINVAL;
433 }
434
435 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
436 char __user *optval, int __user *optlen)
437 {
438 struct sock *sk = sock->sk;
439 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
440 struct l2cap_options opts;
441 struct l2cap_conninfo cinfo;
442 int err = 0;
443 size_t len;
444 u32 opt;
445
446 BT_DBG("sk %p", sk);
447
448 if (get_user(len, optlen))
449 return -EFAULT;
450
451 lock_sock(sk);
452
453 switch (optname) {
454 case L2CAP_OPTIONS:
455 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
456 * legacy ATT code depends on getsockopt for
457 * L2CAP_OPTIONS we need to let this pass.
458 */
459 if (bdaddr_type_is_le(chan->src_type) &&
460 chan->scid != L2CAP_CID_ATT) {
461 err = -EINVAL;
462 break;
463 }
464
465 /* Only BR/EDR modes are supported here */
466 switch (chan->mode) {
467 case L2CAP_MODE_BASIC:
468 case L2CAP_MODE_ERTM:
469 case L2CAP_MODE_STREAMING:
470 break;
471 default:
472 err = -EINVAL;
473 break;
474 }
475
476 if (err < 0)
477 break;
478
479 memset(&opts, 0, sizeof(opts));
480 opts.imtu = chan->imtu;
481 opts.omtu = chan->omtu;
482 opts.flush_to = chan->flush_to;
483 opts.mode = chan->mode;
484 opts.fcs = chan->fcs;
485 opts.max_tx = chan->max_tx;
486 opts.txwin_size = chan->tx_win;
487
488 BT_DBG("mode 0x%2.2x", chan->mode);
489
490 len = min(len, sizeof(opts));
491 if (copy_to_user(optval, (char *) &opts, len))
492 err = -EFAULT;
493
494 break;
495
496 case L2CAP_LM:
497 switch (chan->sec_level) {
498 case BT_SECURITY_LOW:
499 opt = L2CAP_LM_AUTH;
500 break;
501 case BT_SECURITY_MEDIUM:
502 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
503 break;
504 case BT_SECURITY_HIGH:
505 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
506 L2CAP_LM_SECURE;
507 break;
508 case BT_SECURITY_FIPS:
509 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
510 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
511 break;
512 default:
513 opt = 0;
514 break;
515 }
516
517 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
518 opt |= L2CAP_LM_MASTER;
519
520 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
521 opt |= L2CAP_LM_RELIABLE;
522
523 if (put_user(opt, (u32 __user *) optval))
524 err = -EFAULT;
525
526 break;
527
528 case L2CAP_CONNINFO:
529 if (sk->sk_state != BT_CONNECTED &&
530 !(sk->sk_state == BT_CONNECT2 &&
531 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
532 err = -ENOTCONN;
533 break;
534 }
535
536 memset(&cinfo, 0, sizeof(cinfo));
537 cinfo.hci_handle = chan->conn->hcon->handle;
538 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
539
540 len = min(len, sizeof(cinfo));
541 if (copy_to_user(optval, (char *) &cinfo, len))
542 err = -EFAULT;
543
544 break;
545
546 default:
547 err = -ENOPROTOOPT;
548 break;
549 }
550
551 release_sock(sk);
552 return err;
553 }
554
555 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
556 char __user *optval, int __user *optlen)
557 {
558 struct sock *sk = sock->sk;
559 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
560 struct bt_security sec;
561 struct bt_power pwr;
562 u32 phys;
563 int len, mode, err = 0;
564
565 BT_DBG("sk %p", sk);
566
567 if (level == SOL_L2CAP)
568 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
569
570 if (level != SOL_BLUETOOTH)
571 return -ENOPROTOOPT;
572
573 if (get_user(len, optlen))
574 return -EFAULT;
575
576 lock_sock(sk);
577
578 switch (optname) {
579 case BT_SECURITY:
580 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
581 chan->chan_type != L2CAP_CHAN_FIXED &&
582 chan->chan_type != L2CAP_CHAN_RAW) {
583 err = -EINVAL;
584 break;
585 }
586
587 memset(&sec, 0, sizeof(sec));
588 if (chan->conn) {
589 sec.level = chan->conn->hcon->sec_level;
590
591 if (sk->sk_state == BT_CONNECTED)
592 sec.key_size = chan->conn->hcon->enc_key_size;
593 } else {
594 sec.level = chan->sec_level;
595 }
596
597 len = min_t(unsigned int, len, sizeof(sec));
598 if (copy_to_user(optval, (char *) &sec, len))
599 err = -EFAULT;
600
601 break;
602
603 case BT_DEFER_SETUP:
604 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
605 err = -EINVAL;
606 break;
607 }
608
609 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
610 (u32 __user *) optval))
611 err = -EFAULT;
612
613 break;
614
615 case BT_FLUSHABLE:
616 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
617 (u32 __user *) optval))
618 err = -EFAULT;
619
620 break;
621
622 case BT_POWER:
623 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
624 && sk->sk_type != SOCK_RAW) {
625 err = -EINVAL;
626 break;
627 }
628
629 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
630
631 len = min_t(unsigned int, len, sizeof(pwr));
632 if (copy_to_user(optval, (char *) &pwr, len))
633 err = -EFAULT;
634
635 break;
636
637 case BT_CHANNEL_POLICY:
638 if (put_user(chan->chan_policy, (u32 __user *) optval))
639 err = -EFAULT;
640 break;
641
642 case BT_SNDMTU:
643 if (!bdaddr_type_is_le(chan->src_type)) {
644 err = -EINVAL;
645 break;
646 }
647
648 if (sk->sk_state != BT_CONNECTED) {
649 err = -ENOTCONN;
650 break;
651 }
652
653 if (put_user(chan->omtu, (u16 __user *) optval))
654 err = -EFAULT;
655 break;
656
657 case BT_RCVMTU:
658 if (!bdaddr_type_is_le(chan->src_type)) {
659 err = -EINVAL;
660 break;
661 }
662
663 if (put_user(chan->imtu, (u16 __user *) optval))
664 err = -EFAULT;
665 break;
666
667 case BT_PHY:
668 if (sk->sk_state != BT_CONNECTED) {
669 err = -ENOTCONN;
670 break;
671 }
672
673 phys = hci_conn_get_phy(chan->conn->hcon);
674
675 if (put_user(phys, (u32 __user *) optval))
676 err = -EFAULT;
677 break;
678
679 case BT_MODE:
680 if (!enable_ecred) {
681 err = -ENOPROTOOPT;
682 break;
683 }
684
685 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
686 err = -EINVAL;
687 break;
688 }
689
690 mode = l2cap_get_mode(chan);
691 if (mode < 0) {
692 err = mode;
693 break;
694 }
695
696 if (put_user(mode, (u8 __user *) optval))
697 err = -EFAULT;
698 break;
699
700 default:
701 err = -ENOPROTOOPT;
702 break;
703 }
704
705 release_sock(sk);
706 return err;
707 }
708
709 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
710 {
711 switch (chan->scid) {
712 case L2CAP_CID_ATT:
713 if (mtu < L2CAP_LE_MIN_MTU)
714 return false;
715 break;
716
717 default:
718 if (mtu < L2CAP_DEFAULT_MIN_MTU)
719 return false;
720 }
721
722 return true;
723 }
724
725 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
726 sockptr_t optval, unsigned int optlen)
727 {
728 struct sock *sk = sock->sk;
729 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
730 struct l2cap_options opts;
731 int err = 0;
732 u32 opt;
733
734 BT_DBG("sk %p", sk);
735
736 lock_sock(sk);
737
738 switch (optname) {
739 case L2CAP_OPTIONS:
740 if (bdaddr_type_is_le(chan->src_type)) {
741 err = -EINVAL;
742 break;
743 }
744
745 if (sk->sk_state == BT_CONNECTED) {
746 err = -EINVAL;
747 break;
748 }
749
750 opts.imtu = chan->imtu;
751 opts.omtu = chan->omtu;
752 opts.flush_to = chan->flush_to;
753 opts.mode = chan->mode;
754 opts.fcs = chan->fcs;
755 opts.max_tx = chan->max_tx;
756 opts.txwin_size = chan->tx_win;
757
758 err = bt_copy_from_sockptr(&opts, sizeof(opts), optval, optlen);
759 if (err)
760 break;
761
762 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
763 err = -EINVAL;
764 break;
765 }
766
767 if (!l2cap_valid_mtu(chan, opts.imtu)) {
768 err = -EINVAL;
769 break;
770 }
771
772 /* Only BR/EDR modes are supported here */
773 switch (opts.mode) {
774 case L2CAP_MODE_BASIC:
775 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
776 break;
777 case L2CAP_MODE_ERTM:
778 case L2CAP_MODE_STREAMING:
779 if (!disable_ertm)
780 break;
781 fallthrough;
782 default:
783 err = -EINVAL;
784 break;
785 }
786
787 if (err < 0)
788 break;
789
790 chan->mode = opts.mode;
791
792 BT_DBG("mode 0x%2.2x", chan->mode);
793
794 chan->imtu = opts.imtu;
795 chan->omtu = opts.omtu;
796 chan->fcs = opts.fcs;
797 chan->max_tx = opts.max_tx;
798 chan->tx_win = opts.txwin_size;
799 chan->flush_to = opts.flush_to;
800 break;
801
802 case L2CAP_LM:
803 err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
804 if (err)
805 break;
806
807 if (opt & L2CAP_LM_FIPS) {
808 err = -EINVAL;
809 break;
810 }
811
812 if (opt & L2CAP_LM_AUTH)
813 chan->sec_level = BT_SECURITY_LOW;
814 if (opt & L2CAP_LM_ENCRYPT)
815 chan->sec_level = BT_SECURITY_MEDIUM;
816 if (opt & L2CAP_LM_SECURE)
817 chan->sec_level = BT_SECURITY_HIGH;
818
819 if (opt & L2CAP_LM_MASTER)
820 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
821 else
822 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
823
824 if (opt & L2CAP_LM_RELIABLE)
825 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
826 else
827 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
828 break;
829
830 default:
831 err = -ENOPROTOOPT;
832 break;
833 }
834
835 release_sock(sk);
836 return err;
837 }
838
839 static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode)
840 {
841 switch (mode) {
842 case BT_MODE_BASIC:
843 if (bdaddr_type_is_le(chan->src_type))
844 return -EINVAL;
845 mode = L2CAP_MODE_BASIC;
846 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
847 break;
848 case BT_MODE_ERTM:
849 if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
850 return -EINVAL;
851 mode = L2CAP_MODE_ERTM;
852 break;
853 case BT_MODE_STREAMING:
854 if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
855 return -EINVAL;
856 mode = L2CAP_MODE_STREAMING;
857 break;
858 case BT_MODE_LE_FLOWCTL:
859 if (!bdaddr_type_is_le(chan->src_type))
860 return -EINVAL;
861 mode = L2CAP_MODE_LE_FLOWCTL;
862 break;
863 case BT_MODE_EXT_FLOWCTL:
864 /* TODO: Add support for ECRED PDUs to BR/EDR */
865 if (!bdaddr_type_is_le(chan->src_type))
866 return -EINVAL;
867 mode = L2CAP_MODE_EXT_FLOWCTL;
868 break;
869 default:
870 return -EINVAL;
871 }
872
873 chan->mode = mode;
874
875 return 0;
876 }
877
878 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
879 sockptr_t optval, unsigned int optlen)
880 {
881 struct sock *sk = sock->sk;
882 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
883 struct bt_security sec;
884 struct bt_power pwr;
885 struct l2cap_conn *conn;
886 int err = 0;
887 u32 opt;
888 u16 mtu;
889 u8 mode;
890
891 BT_DBG("sk %p", sk);
892
893 if (level == SOL_L2CAP)
894 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
895
896 if (level != SOL_BLUETOOTH)
897 return -ENOPROTOOPT;
898
899 lock_sock(sk);
900
901 switch (optname) {
902 case BT_SECURITY:
903 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
904 chan->chan_type != L2CAP_CHAN_FIXED &&
905 chan->chan_type != L2CAP_CHAN_RAW) {
906 err = -EINVAL;
907 break;
908 }
909
910 sec.level = BT_SECURITY_LOW;
911
912 err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen);
913 if (err)
914 break;
915
916 if (sec.level < BT_SECURITY_LOW ||
917 sec.level > BT_SECURITY_FIPS) {
918 err = -EINVAL;
919 break;
920 }
921
922 chan->sec_level = sec.level;
923
924 if (!chan->conn)
925 break;
926
927 conn = chan->conn;
928
929 /* change security for LE channels */
930 if (chan->scid == L2CAP_CID_ATT) {
931 if (smp_conn_security(conn->hcon, sec.level)) {
932 err = -EINVAL;
933 break;
934 }
935
936 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
937 sk->sk_state = BT_CONFIG;
938 chan->state = BT_CONFIG;
939
940 /* or for ACL link */
941 } else if ((sk->sk_state == BT_CONNECT2 &&
942 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
943 sk->sk_state == BT_CONNECTED) {
944 if (!l2cap_chan_check_security(chan, true))
945 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
946 else
947 sk->sk_state_change(sk);
948 } else {
949 err = -EINVAL;
950 }
951 break;
952
953 case BT_DEFER_SETUP:
954 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
955 err = -EINVAL;
956 break;
957 }
958
959 err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
960 if (err)
961 break;
962
963 if (opt) {
964 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
965 set_bit(FLAG_DEFER_SETUP, &chan->flags);
966 } else {
967 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
968 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
969 }
970 break;
971
972 case BT_FLUSHABLE:
973 err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
974 if (err)
975 break;
976
977 if (opt > BT_FLUSHABLE_ON) {
978 err = -EINVAL;
979 break;
980 }
981
982 if (opt == BT_FLUSHABLE_OFF) {
983 conn = chan->conn;
984 /* proceed further only when we have l2cap_conn and
985 No Flush support in the LM */
986 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
987 err = -EINVAL;
988 break;
989 }
990 }
991
992 if (opt)
993 set_bit(FLAG_FLUSHABLE, &chan->flags);
994 else
995 clear_bit(FLAG_FLUSHABLE, &chan->flags);
996 break;
997
998 case BT_POWER:
999 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
1000 chan->chan_type != L2CAP_CHAN_RAW) {
1001 err = -EINVAL;
1002 break;
1003 }
1004
1005 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
1006
1007 err = bt_copy_from_sockptr(&pwr, sizeof(pwr), optval, optlen);
1008 if (err)
1009 break;
1010
1011 if (pwr.force_active)
1012 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1013 else
1014 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1015 break;
1016
1017 case BT_CHANNEL_POLICY:
1018 err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
1019 if (err)
1020 break;
1021
1022 err = -EOPNOTSUPP;
1023 break;
1024
1025 case BT_SNDMTU:
1026 if (!bdaddr_type_is_le(chan->src_type)) {
1027 err = -EINVAL;
1028 break;
1029 }
1030
1031 /* Setting is not supported as it's the remote side that
1032 * decides this.
1033 */
1034 err = -EPERM;
1035 break;
1036
1037 case BT_RCVMTU:
1038 if (!bdaddr_type_is_le(chan->src_type)) {
1039 err = -EINVAL;
1040 break;
1041 }
1042
1043 if (chan->mode == L2CAP_MODE_LE_FLOWCTL &&
1044 sk->sk_state == BT_CONNECTED) {
1045 err = -EISCONN;
1046 break;
1047 }
1048
1049 err = bt_copy_from_sockptr(&mtu, sizeof(mtu), optval, optlen);
1050 if (err)
1051 break;
1052
1053 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
1054 sk->sk_state == BT_CONNECTED)
1055 err = l2cap_chan_reconfigure(chan, mtu);
1056 else
1057 chan->imtu = mtu;
1058
1059 break;
1060
1061 case BT_MODE:
1062 if (!enable_ecred) {
1063 err = -ENOPROTOOPT;
1064 break;
1065 }
1066
1067 BT_DBG("sk->sk_state %u", sk->sk_state);
1068
1069 if (sk->sk_state != BT_BOUND) {
1070 err = -EINVAL;
1071 break;
1072 }
1073
1074 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1075 err = -EINVAL;
1076 break;
1077 }
1078
1079 err = bt_copy_from_sockptr(&mode, sizeof(mode), optval, optlen);
1080 if (err)
1081 break;
1082
1083 BT_DBG("mode %u", mode);
1084
1085 err = l2cap_set_mode(chan, mode);
1086 if (err)
1087 break;
1088
1089 BT_DBG("mode 0x%2.2x", chan->mode);
1090
1091 break;
1092
1093 default:
1094 err = -ENOPROTOOPT;
1095 break;
1096 }
1097
1098 release_sock(sk);
1099 return err;
1100 }
1101
1102 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1103 size_t len)
1104 {
1105 struct sock *sk = sock->sk;
1106 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1107 int err;
1108
1109 BT_DBG("sock %p, sk %p", sock, sk);
1110
1111 err = sock_error(sk);
1112 if (err)
1113 return err;
1114
1115 if (msg->msg_flags & MSG_OOB)
1116 return -EOPNOTSUPP;
1117
1118 if (sk->sk_state != BT_CONNECTED)
1119 return -ENOTCONN;
1120
1121 lock_sock(sk);
1122 err = bt_sock_wait_ready(sk, msg->msg_flags);
1123 release_sock(sk);
1124 if (err)
1125 return err;
1126
1127 l2cap_chan_lock(chan);
1128 err = l2cap_chan_send(chan, msg, len);
1129 l2cap_chan_unlock(chan);
1130
1131 return err;
1132 }
1133
1134 static void l2cap_publish_rx_avail(struct l2cap_chan *chan)
1135 {
1136 struct sock *sk = chan->data;
1137 ssize_t avail = sk->sk_rcvbuf - atomic_read(&sk->sk_rmem_alloc);
1138 int expected_skbs, skb_overhead;
1139
1140 if (avail <= 0) {
1141 l2cap_chan_rx_avail(chan, 0);
1142 return;
1143 }
1144
1145 if (!chan->mps) {
1146 l2cap_chan_rx_avail(chan, -1);
1147 return;
1148 }
1149
1150 /* Correct available memory by estimated sk_buff overhead.
1151 * This is significant due to small transfer sizes. However, accept
1152 * at least one full packet if receive space is non-zero.
1153 */
1154 expected_skbs = DIV_ROUND_UP(avail, chan->mps);
1155 skb_overhead = expected_skbs * sizeof(struct sk_buff);
1156 if (skb_overhead < avail)
1157 l2cap_chan_rx_avail(chan, avail - skb_overhead);
1158 else
1159 l2cap_chan_rx_avail(chan, -1);
1160 }
1161
1162 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1163 size_t len, int flags)
1164 {
1165 struct sock *sk = sock->sk;
1166 struct l2cap_pinfo *pi = l2cap_pi(sk);
1167 int err;
1168
1169 lock_sock(sk);
1170
1171 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
1172 &bt_sk(sk)->flags)) {
1173 if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
1174 sk->sk_state = BT_CONNECTED;
1175 pi->chan->state = BT_CONNECTED;
1176 __l2cap_ecred_conn_rsp_defer(pi->chan);
1177 } else if (bdaddr_type_is_le(pi->chan->src_type)) {
1178 sk->sk_state = BT_CONNECTED;
1179 pi->chan->state = BT_CONNECTED;
1180 __l2cap_le_connect_rsp_defer(pi->chan);
1181 } else {
1182 sk->sk_state = BT_CONFIG;
1183 pi->chan->state = BT_CONFIG;
1184 __l2cap_connect_rsp_defer(pi->chan);
1185 }
1186
1187 err = 0;
1188 goto done;
1189 }
1190
1191 release_sock(sk);
1192
1193 if (sock->type == SOCK_STREAM)
1194 err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1195 else
1196 err = bt_sock_recvmsg(sock, msg, len, flags);
1197
1198 if (pi->chan->mode != L2CAP_MODE_ERTM &&
1199 pi->chan->mode != L2CAP_MODE_LE_FLOWCTL &&
1200 pi->chan->mode != L2CAP_MODE_EXT_FLOWCTL)
1201 return err;
1202
1203 lock_sock(sk);
1204
1205 l2cap_publish_rx_avail(pi->chan);
1206
1207 /* Attempt to put pending rx data in the socket buffer */
1208 while (!list_empty(&pi->rx_busy)) {
1209 struct l2cap_rx_busy *rx_busy =
1210 list_first_entry(&pi->rx_busy,
1211 struct l2cap_rx_busy,
1212 list);
1213 if (__sock_queue_rcv_skb(sk, rx_busy->skb) < 0)
1214 goto done;
1215 list_del(&rx_busy->list);
1216 kfree(rx_busy);
1217 }
1218
1219 /* Restore data flow when half of the receive buffer is
1220 * available. This avoids resending large numbers of
1221 * frames.
1222 */
1223 if (test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state) &&
1224 atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1225 l2cap_chan_busy(pi->chan, 0);
1226
1227 done:
1228 release_sock(sk);
1229 return err;
1230 }
1231
1232 /* Kill socket (only if zapped and orphan)
1233 * Must be called on unlocked socket, with l2cap channel lock.
1234 */
1235 static void l2cap_sock_kill(struct sock *sk)
1236 {
1237 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1238 return;
1239
1240 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1241
1242 /* Sock is dead, so set chan data to NULL, avoid other task use invalid
1243 * sock pointer.
1244 */
1245 l2cap_pi(sk)->chan->data = NULL;
1246 /* Kill poor orphan */
1247
1248 l2cap_chan_put(l2cap_pi(sk)->chan);
1249 sock_set_flag(sk, SOCK_DEAD);
1250 sock_put(sk);
1251 }
1252
1253 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1254 {
1255 DECLARE_WAITQUEUE(wait, current);
1256 int err = 0;
1257 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1258 /* Timeout to prevent infinite loop */
1259 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1260
1261 add_wait_queue(sk_sleep(sk), &wait);
1262 set_current_state(TASK_INTERRUPTIBLE);
1263 do {
1264 BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1265 chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1266 jiffies_to_msecs(timeout - jiffies));
1267
1268 if (!timeo)
1269 timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1270
1271 if (signal_pending(current)) {
1272 err = sock_intr_errno(timeo);
1273 break;
1274 }
1275
1276 release_sock(sk);
1277 timeo = schedule_timeout(timeo);
1278 lock_sock(sk);
1279 set_current_state(TASK_INTERRUPTIBLE);
1280
1281 err = sock_error(sk);
1282 if (err)
1283 break;
1284
1285 if (time_after(jiffies, timeout)) {
1286 err = -ENOLINK;
1287 break;
1288 }
1289
1290 } while (chan->unacked_frames > 0 &&
1291 chan->state == BT_CONNECTED);
1292
1293 set_current_state(TASK_RUNNING);
1294 remove_wait_queue(sk_sleep(sk), &wait);
1295 return err;
1296 }
1297
1298 static int l2cap_sock_shutdown(struct socket *sock, int how)
1299 {
1300 struct sock *sk = sock->sk;
1301 struct l2cap_chan *chan;
1302 struct l2cap_conn *conn;
1303 int err = 0;
1304
1305 BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1306
1307 /* 'how' parameter is mapped to sk_shutdown as follows:
1308 * SHUT_RD (0) --> RCV_SHUTDOWN (1)
1309 * SHUT_WR (1) --> SEND_SHUTDOWN (2)
1310 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3)
1311 */
1312 how++;
1313
1314 if (!sk)
1315 return 0;
1316
1317 lock_sock(sk);
1318
1319 if ((sk->sk_shutdown & how) == how)
1320 goto shutdown_already;
1321
1322 BT_DBG("Handling sock shutdown");
1323
1324 /* prevent sk structure from being freed whilst unlocked */
1325 sock_hold(sk);
1326
1327 chan = l2cap_pi(sk)->chan;
1328 /* prevent chan structure from being freed whilst unlocked */
1329 l2cap_chan_hold(chan);
1330
1331 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1332
1333 if (chan->mode == L2CAP_MODE_ERTM &&
1334 chan->unacked_frames > 0 &&
1335 chan->state == BT_CONNECTED) {
1336 err = __l2cap_wait_ack(sk, chan);
1337
1338 /* After waiting for ACKs, check whether shutdown
1339 * has already been actioned to close the L2CAP
1340 * link such as by l2cap_disconnection_req().
1341 */
1342 if ((sk->sk_shutdown & how) == how)
1343 goto shutdown_matched;
1344 }
1345
1346 /* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN
1347 * is already set
1348 */
1349 if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) {
1350 sk->sk_shutdown |= RCV_SHUTDOWN;
1351 if ((sk->sk_shutdown & how) == how)
1352 goto shutdown_matched;
1353 }
1354
1355 sk->sk_shutdown |= SEND_SHUTDOWN;
1356 release_sock(sk);
1357
1358 l2cap_chan_lock(chan);
1359 conn = chan->conn;
1360 if (conn)
1361 /* prevent conn structure from being freed */
1362 l2cap_conn_get(conn);
1363 l2cap_chan_unlock(chan);
1364
1365 if (conn)
1366 /* mutex lock must be taken before l2cap_chan_lock() */
1367 mutex_lock(&conn->chan_lock);
1368
1369 l2cap_chan_lock(chan);
1370 l2cap_chan_close(chan, 0);
1371 l2cap_chan_unlock(chan);
1372
1373 if (conn) {
1374 mutex_unlock(&conn->chan_lock);
1375 l2cap_conn_put(conn);
1376 }
1377
1378 lock_sock(sk);
1379
1380 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1381 !(current->flags & PF_EXITING))
1382 err = bt_sock_wait_state(sk, BT_CLOSED,
1383 sk->sk_lingertime);
1384
1385 shutdown_matched:
1386 l2cap_chan_put(chan);
1387 sock_put(sk);
1388
1389 shutdown_already:
1390 if (!err && sk->sk_err)
1391 err = -sk->sk_err;
1392
1393 release_sock(sk);
1394
1395 BT_DBG("Sock shutdown complete err: %d", err);
1396
1397 return err;
1398 }
1399
1400 static int l2cap_sock_release(struct socket *sock)
1401 {
1402 struct sock *sk = sock->sk;
1403 int err;
1404 struct l2cap_chan *chan;
1405
1406 BT_DBG("sock %p, sk %p", sock, sk);
1407
1408 if (!sk)
1409 return 0;
1410
1411 l2cap_sock_cleanup_listen(sk);
1412 bt_sock_unlink(&l2cap_sk_list, sk);
1413
1414 err = l2cap_sock_shutdown(sock, SHUT_RDWR);
1415 chan = l2cap_pi(sk)->chan;
1416
1417 l2cap_chan_hold(chan);
1418 l2cap_chan_lock(chan);
1419
1420 sock_orphan(sk);
1421 l2cap_sock_kill(sk);
1422
1423 l2cap_chan_unlock(chan);
1424 l2cap_chan_put(chan);
1425
1426 return err;
1427 }
1428
1429 static void l2cap_sock_cleanup_listen(struct sock *parent)
1430 {
1431 struct sock *sk;
1432
1433 BT_DBG("parent %p state %s", parent,
1434 state_to_string(parent->sk_state));
1435
1436 /* Close not yet accepted channels */
1437 while ((sk = bt_accept_dequeue(parent, NULL))) {
1438 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1439
1440 BT_DBG("child chan %p state %s", chan,
1441 state_to_string(chan->state));
1442
1443 l2cap_chan_hold(chan);
1444 l2cap_chan_lock(chan);
1445
1446 __clear_chan_timer(chan);
1447 l2cap_chan_close(chan, ECONNRESET);
1448 l2cap_sock_kill(sk);
1449
1450 l2cap_chan_unlock(chan);
1451 l2cap_chan_put(chan);
1452 }
1453 }
1454
1455 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1456 {
1457 struct sock *sk, *parent = chan->data;
1458
1459 lock_sock(parent);
1460
1461 /* Check for backlog size */
1462 if (sk_acceptq_is_full(parent)) {
1463 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1464 release_sock(parent);
1465 return NULL;
1466 }
1467
1468 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1469 GFP_ATOMIC, 0);
1470 if (!sk) {
1471 release_sock(parent);
1472 return NULL;
1473 }
1474
1475 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1476
1477 l2cap_sock_init(sk, parent);
1478
1479 bt_accept_enqueue(parent, sk, false);
1480
1481 release_sock(parent);
1482
1483 return l2cap_pi(sk)->chan;
1484 }
1485
1486 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1487 {
1488 struct sock *sk;
1489 struct l2cap_pinfo *pi;
1490 int err;
1491
1492 sk = chan->data;
1493 if (!sk)
1494 return -ENXIO;
1495
1496 pi = l2cap_pi(sk);
1497 lock_sock(sk);
1498 if (chan->mode == L2CAP_MODE_ERTM && !list_empty(&pi->rx_busy)) {
1499 err = -ENOMEM;
1500 goto done;
1501 }
1502
1503 if (chan->mode != L2CAP_MODE_ERTM &&
1504 chan->mode != L2CAP_MODE_STREAMING &&
1505 chan->mode != L2CAP_MODE_LE_FLOWCTL &&
1506 chan->mode != L2CAP_MODE_EXT_FLOWCTL) {
1507 /* Even if no filter is attached, we could potentially
1508 * get errors from security modules, etc.
1509 */
1510 err = sk_filter(sk, skb);
1511 if (err)
1512 goto done;
1513 }
1514
1515 err = __sock_queue_rcv_skb(sk, skb);
1516
1517 l2cap_publish_rx_avail(chan);
1518
1519 /* For ERTM and LE, handle a skb that doesn't fit into the recv
1520 * buffer. This is important to do because the data frames
1521 * have already been acked, so the skb cannot be discarded.
1522 *
1523 * Notify the l2cap core that the buffer is full, so the
1524 * LOCAL_BUSY state is entered and no more frames are
1525 * acked and reassembled until there is buffer space
1526 * available.
1527 */
1528 if (err < 0 &&
1529 (chan->mode == L2CAP_MODE_ERTM ||
1530 chan->mode == L2CAP_MODE_LE_FLOWCTL ||
1531 chan->mode == L2CAP_MODE_EXT_FLOWCTL)) {
1532 struct l2cap_rx_busy *rx_busy =
1533 kmalloc(sizeof(*rx_busy), GFP_KERNEL);
1534 if (!rx_busy) {
1535 err = -ENOMEM;
1536 goto done;
1537 }
1538 rx_busy->skb = skb;
1539 list_add_tail(&rx_busy->list, &pi->rx_busy);
1540 l2cap_chan_busy(chan, 1);
1541 err = 0;
1542 }
1543
1544 done:
1545 release_sock(sk);
1546
1547 return err;
1548 }
1549
1550 static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1551 {
1552 struct sock *sk = chan->data;
1553
1554 if (!sk)
1555 return;
1556
1557 l2cap_sock_kill(sk);
1558 }
1559
1560 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1561 {
1562 struct sock *sk = chan->data;
1563 struct sock *parent;
1564
1565 if (!sk)
1566 return;
1567
1568 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1569
1570 /* This callback can be called both for server (BT_LISTEN)
1571 * sockets as well as "normal" ones. To avoid lockdep warnings
1572 * with child socket locking (through l2cap_sock_cleanup_listen)
1573 * we need separation into separate nesting levels. The simplest
1574 * way to accomplish this is to inherit the nesting level used
1575 * for the channel.
1576 */
1577 lock_sock_nested(sk, atomic_read(&chan->nesting));
1578
1579 parent = bt_sk(sk)->parent;
1580
1581 switch (chan->state) {
1582 case BT_OPEN:
1583 case BT_BOUND:
1584 case BT_CLOSED:
1585 break;
1586 case BT_LISTEN:
1587 l2cap_sock_cleanup_listen(sk);
1588 sk->sk_state = BT_CLOSED;
1589 chan->state = BT_CLOSED;
1590
1591 break;
1592 default:
1593 sk->sk_state = BT_CLOSED;
1594 chan->state = BT_CLOSED;
1595
1596 sk->sk_err = err;
1597
1598 if (parent) {
1599 bt_accept_unlink(sk);
1600 parent->sk_data_ready(parent);
1601 } else {
1602 sk->sk_state_change(sk);
1603 }
1604
1605 break;
1606 }
1607 release_sock(sk);
1608
1609 /* Only zap after cleanup to avoid use after free race */
1610 sock_set_flag(sk, SOCK_ZAPPED);
1611
1612 }
1613
1614 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1615 int err)
1616 {
1617 struct sock *sk = chan->data;
1618
1619 sk->sk_state = state;
1620
1621 if (err)
1622 sk->sk_err = err;
1623 }
1624
1625 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1626 unsigned long hdr_len,
1627 unsigned long len, int nb)
1628 {
1629 struct sock *sk = chan->data;
1630 struct sk_buff *skb;
1631 int err;
1632
1633 l2cap_chan_unlock(chan);
1634 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1635 l2cap_chan_lock(chan);
1636
1637 if (!skb)
1638 return ERR_PTR(err);
1639
1640 /* Channel lock is released before requesting new skb and then
1641 * reacquired thus we need to recheck channel state.
1642 */
1643 if (chan->state != BT_CONNECTED) {
1644 kfree_skb(skb);
1645 return ERR_PTR(-ENOTCONN);
1646 }
1647
1648 skb->priority = READ_ONCE(sk->sk_priority);
1649
1650 bt_cb(skb)->l2cap.chan = chan;
1651
1652 return skb;
1653 }
1654
1655 static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1656 {
1657 struct sock *sk = chan->data;
1658 struct sock *parent;
1659
1660 lock_sock(sk);
1661
1662 parent = bt_sk(sk)->parent;
1663
1664 BT_DBG("sk %p, parent %p", sk, parent);
1665
1666 sk->sk_state = BT_CONNECTED;
1667 sk->sk_state_change(sk);
1668
1669 if (parent)
1670 parent->sk_data_ready(parent);
1671
1672 release_sock(sk);
1673 }
1674
1675 static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1676 {
1677 struct sock *parent, *sk = chan->data;
1678
1679 lock_sock(sk);
1680
1681 parent = bt_sk(sk)->parent;
1682 if (parent)
1683 parent->sk_data_ready(parent);
1684
1685 release_sock(sk);
1686 }
1687
1688 static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1689 {
1690 struct sock *sk = chan->data;
1691
1692 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1693 sk->sk_state = BT_CONNECTED;
1694 chan->state = BT_CONNECTED;
1695 }
1696
1697 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1698 sk->sk_state_change(sk);
1699 }
1700
1701 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1702 {
1703 struct sock *sk = chan->data;
1704
1705 lock_sock(sk);
1706 sk->sk_shutdown = SHUTDOWN_MASK;
1707 release_sock(sk);
1708 }
1709
1710 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1711 {
1712 struct sock *sk = chan->data;
1713
1714 return sk->sk_sndtimeo;
1715 }
1716
1717 static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan)
1718 {
1719 struct sock *sk = chan->data;
1720
1721 return sk->sk_peer_pid;
1722 }
1723
1724 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1725 {
1726 struct sock *sk = chan->data;
1727
1728 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1729 sk->sk_state_change(sk);
1730 }
1731
1732 static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
1733 {
1734 struct sock *sk = chan->data;
1735
1736 switch (chan->mode) {
1737 case L2CAP_MODE_ERTM:
1738 case L2CAP_MODE_STREAMING:
1739 return sk_filter(sk, skb);
1740 }
1741
1742 return 0;
1743 }
1744
1745 static const struct l2cap_ops l2cap_chan_ops = {
1746 .name = "L2CAP Socket Interface",
1747 .new_connection = l2cap_sock_new_connection_cb,
1748 .recv = l2cap_sock_recv_cb,
1749 .close = l2cap_sock_close_cb,
1750 .teardown = l2cap_sock_teardown_cb,
1751 .state_change = l2cap_sock_state_change_cb,
1752 .ready = l2cap_sock_ready_cb,
1753 .defer = l2cap_sock_defer_cb,
1754 .resume = l2cap_sock_resume_cb,
1755 .suspend = l2cap_sock_suspend_cb,
1756 .set_shutdown = l2cap_sock_set_shutdown_cb,
1757 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1758 .get_peer_pid = l2cap_sock_get_peer_pid_cb,
1759 .alloc_skb = l2cap_sock_alloc_skb_cb,
1760 .filter = l2cap_sock_filter,
1761 };
1762
1763 static void l2cap_sock_destruct(struct sock *sk)
1764 {
1765 struct l2cap_rx_busy *rx_busy, *next;
1766
1767 BT_DBG("sk %p", sk);
1768
1769 if (l2cap_pi(sk)->chan) {
1770 l2cap_pi(sk)->chan->data = NULL;
1771 l2cap_chan_put(l2cap_pi(sk)->chan);
1772 }
1773
1774 list_for_each_entry_safe(rx_busy, next, &l2cap_pi(sk)->rx_busy, list) {
1775 kfree_skb(rx_busy->skb);
1776 list_del(&rx_busy->list);
1777 kfree(rx_busy);
1778 }
1779
1780 skb_queue_purge(&sk->sk_receive_queue);
1781 skb_queue_purge(&sk->sk_write_queue);
1782 }
1783
1784 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1785 int *msg_namelen)
1786 {
1787 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1788
1789 memset(la, 0, sizeof(struct sockaddr_l2));
1790 la->l2_family = AF_BLUETOOTH;
1791 la->l2_psm = bt_cb(skb)->l2cap.psm;
1792 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1793
1794 *msg_namelen = sizeof(struct sockaddr_l2);
1795 }
1796
1797 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1798 {
1799 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1800
1801 BT_DBG("sk %p", sk);
1802
1803 if (parent) {
1804 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1805
1806 sk->sk_type = parent->sk_type;
1807 bt_sk(sk)->flags = bt_sk(parent)->flags;
1808
1809 chan->chan_type = pchan->chan_type;
1810 chan->imtu = pchan->imtu;
1811 chan->omtu = pchan->omtu;
1812 chan->conf_state = pchan->conf_state;
1813 chan->mode = pchan->mode;
1814 chan->fcs = pchan->fcs;
1815 chan->max_tx = pchan->max_tx;
1816 chan->tx_win = pchan->tx_win;
1817 chan->tx_win_max = pchan->tx_win_max;
1818 chan->sec_level = pchan->sec_level;
1819 chan->flags = pchan->flags;
1820 chan->tx_credits = pchan->tx_credits;
1821 chan->rx_credits = pchan->rx_credits;
1822
1823 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1824 chan->scid = pchan->scid;
1825 chan->dcid = pchan->scid;
1826 }
1827
1828 security_sk_clone(parent, sk);
1829 } else {
1830 switch (sk->sk_type) {
1831 case SOCK_RAW:
1832 chan->chan_type = L2CAP_CHAN_RAW;
1833 break;
1834 case SOCK_DGRAM:
1835 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1836 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1837 break;
1838 case SOCK_SEQPACKET:
1839 case SOCK_STREAM:
1840 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1841 break;
1842 }
1843
1844 chan->imtu = L2CAP_DEFAULT_MTU;
1845 chan->omtu = 0;
1846 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1847 chan->mode = L2CAP_MODE_ERTM;
1848 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1849 } else {
1850 chan->mode = L2CAP_MODE_BASIC;
1851 }
1852
1853 l2cap_chan_set_defaults(chan);
1854 }
1855
1856 /* Default config options */
1857 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1858
1859 chan->data = sk;
1860 chan->ops = &l2cap_chan_ops;
1861
1862 l2cap_publish_rx_avail(chan);
1863 }
1864
1865 static struct proto l2cap_proto = {
1866 .name = "L2CAP",
1867 .owner = THIS_MODULE,
1868 .obj_size = sizeof(struct l2cap_pinfo)
1869 };
1870
1871 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1872 int proto, gfp_t prio, int kern)
1873 {
1874 struct sock *sk;
1875 struct l2cap_chan *chan;
1876
1877 sk = bt_sock_alloc(net, sock, &l2cap_proto, proto, prio, kern);
1878 if (!sk)
1879 return NULL;
1880
1881 sk->sk_destruct = l2cap_sock_destruct;
1882 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1883
1884 INIT_LIST_HEAD(&l2cap_pi(sk)->rx_busy);
1885
1886 chan = l2cap_chan_create();
1887 if (!chan) {
1888 sk_free(sk);
1889 return NULL;
1890 }
1891
1892 l2cap_chan_hold(chan);
1893
1894 l2cap_pi(sk)->chan = chan;
1895
1896 return sk;
1897 }
1898
1899 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1900 int kern)
1901 {
1902 struct sock *sk;
1903
1904 BT_DBG("sock %p", sock);
1905
1906 sock->state = SS_UNCONNECTED;
1907
1908 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1909 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1910 return -ESOCKTNOSUPPORT;
1911
1912 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1913 return -EPERM;
1914
1915 sock->ops = &l2cap_sock_ops;
1916
1917 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1918 if (!sk)
1919 return -ENOMEM;
1920
1921 l2cap_sock_init(sk, NULL);
1922 bt_sock_link(&l2cap_sk_list, sk);
1923 return 0;
1924 }
1925
1926 static const struct proto_ops l2cap_sock_ops = {
1927 .family = PF_BLUETOOTH,
1928 .owner = THIS_MODULE,
1929 .release = l2cap_sock_release,
1930 .bind = l2cap_sock_bind,
1931 .connect = l2cap_sock_connect,
1932 .listen = l2cap_sock_listen,
1933 .accept = l2cap_sock_accept,
1934 .getname = l2cap_sock_getname,
1935 .sendmsg = l2cap_sock_sendmsg,
1936 .recvmsg = l2cap_sock_recvmsg,
1937 .poll = bt_sock_poll,
1938 .ioctl = bt_sock_ioctl,
1939 .gettstamp = sock_gettstamp,
1940 .mmap = sock_no_mmap,
1941 .socketpair = sock_no_socketpair,
1942 .shutdown = l2cap_sock_shutdown,
1943 .setsockopt = l2cap_sock_setsockopt,
1944 .getsockopt = l2cap_sock_getsockopt
1945 };
1946
1947 static const struct net_proto_family l2cap_sock_family_ops = {
1948 .family = PF_BLUETOOTH,
1949 .owner = THIS_MODULE,
1950 .create = l2cap_sock_create,
1951 };
1952
1953 int __init l2cap_init_sockets(void)
1954 {
1955 int err;
1956
1957 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1958
1959 err = proto_register(&l2cap_proto, 0);
1960 if (err < 0)
1961 return err;
1962
1963 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1964 if (err < 0) {
1965 BT_ERR("L2CAP socket registration failed");
1966 goto error;
1967 }
1968
1969 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1970 NULL);
1971 if (err < 0) {
1972 BT_ERR("Failed to create L2CAP proc file");
1973 bt_sock_unregister(BTPROTO_L2CAP);
1974 goto error;
1975 }
1976
1977 BT_INFO("L2CAP socket layer initialized");
1978
1979 return 0;
1980
1981 error:
1982 proto_unregister(&l2cap_proto);
1983 return err;
1984 }
1985
1986 void l2cap_cleanup_sockets(void)
1987 {
1988 bt_procfs_cleanup(&init_net, "l2cap");
1989 bt_sock_unregister(BTPROTO_L2CAP);
1990 proto_unregister(&l2cap_proto);
1991 }
1992
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.