1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
26 */
27
28 /* Bluetooth L2CAP sockets. */
29
30 #include <linux/module.h>
31 #include <linux/export.h>
32 #include <linux/sched/signal.h>
33
34 #include <net/bluetooth/bluetooth.h>
35 #include <net/bluetooth/hci_core.h>
36 #include <net/bluetooth/l2cap.h>
37
38 #include "smp.h"
39
40 static struct bt_sock_list l2cap_sk_list = {
41 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
42 };
43
44 static const struct proto_ops l2cap_sock_ops;
45 static void l2cap_sock_init(struct sock *sk, struct sock *parent);
46 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
47 int proto, gfp_t prio, int kern);
48
l2cap_is_socket(struct socket * sock)49 bool l2cap_is_socket(struct socket *sock)
50 {
51 return sock && sock->ops == &l2cap_sock_ops;
52 }
53 EXPORT_SYMBOL(l2cap_is_socket);
54
l2cap_validate_bredr_psm(u16 psm)55 static int l2cap_validate_bredr_psm(u16 psm)
56 {
57 /* PSM must be odd and lsb of upper byte must be 0 */
58 if ((psm & 0x0101) != 0x0001)
59 return -EINVAL;
60
61 /* Restrict usage of well-known PSMs */
62 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
63 return -EACCES;
64
65 return 0;
66 }
67
l2cap_validate_le_psm(u16 psm)68 static int l2cap_validate_le_psm(u16 psm)
69 {
70 /* Valid LE_PSM ranges are defined only until 0x00ff */
71 if (psm > L2CAP_PSM_LE_DYN_END)
72 return -EINVAL;
73
74 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
75 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
76 return -EACCES;
77
78 return 0;
79 }
80
l2cap_sock_bind(struct socket * sock,struct sockaddr * addr,int alen)81 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
82 {
83 struct sock *sk = sock->sk;
84 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
85 struct sockaddr_l2 la;
86 int len, err = 0;
87
88 BT_DBG("sk %p", sk);
89
90 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
91 addr->sa_family != AF_BLUETOOTH)
92 return -EINVAL;
93
94 memset(&la, 0, sizeof(la));
95 len = min_t(unsigned int, sizeof(la), alen);
96 memcpy(&la, addr, len);
97
98 if (la.l2_cid && la.l2_psm)
99 return -EINVAL;
100
101 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
102 return -EINVAL;
103
104 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
105 /* We only allow ATT user space socket */
106 if (la.l2_cid &&
107 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
108 return -EINVAL;
109 }
110
111 lock_sock(sk);
112
113 if (sk->sk_state != BT_OPEN) {
114 err = -EBADFD;
115 goto done;
116 }
117
118 if (la.l2_psm) {
119 __u16 psm = __le16_to_cpu(la.l2_psm);
120
121 if (la.l2_bdaddr_type == BDADDR_BREDR)
122 err = l2cap_validate_bredr_psm(psm);
123 else
124 err = l2cap_validate_le_psm(psm);
125
126 if (err)
127 goto done;
128 }
129
130 bacpy(&chan->src, &la.l2_bdaddr);
131 chan->src_type = la.l2_bdaddr_type;
132
133 if (la.l2_cid)
134 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
135 else
136 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
137
138 if (err < 0)
139 goto done;
140
141 switch (chan->chan_type) {
142 case L2CAP_CHAN_CONN_LESS:
143 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
144 chan->sec_level = BT_SECURITY_SDP;
145 break;
146 case L2CAP_CHAN_CONN_ORIENTED:
147 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
148 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
149 chan->sec_level = BT_SECURITY_SDP;
150 break;
151 case L2CAP_CHAN_RAW:
152 chan->sec_level = BT_SECURITY_SDP;
153 break;
154 case L2CAP_CHAN_FIXED:
155 /* Fixed channels default to the L2CAP core not holding a
156 * hci_conn reference for them. For fixed channels mapping to
157 * L2CAP sockets we do want to hold a reference so set the
158 * appropriate flag to request it.
159 */
160 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
161 break;
162 }
163
164 if (chan->psm && bdaddr_type_is_le(chan->src_type))
165 chan->mode = L2CAP_MODE_LE_FLOWCTL;
166
167 chan->state = BT_BOUND;
168 sk->sk_state = BT_BOUND;
169
170 done:
171 release_sock(sk);
172 return err;
173 }
174
l2cap_sock_connect(struct socket * sock,struct sockaddr * addr,int alen,int flags)175 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
176 int alen, int flags)
177 {
178 struct sock *sk = sock->sk;
179 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
180 struct sockaddr_l2 la;
181 int len, err = 0;
182
183 BT_DBG("sk %p", sk);
184
185 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
186 addr->sa_family != AF_BLUETOOTH)
187 return -EINVAL;
188
189 memset(&la, 0, sizeof(la));
190 len = min_t(unsigned int, sizeof(la), alen);
191 memcpy(&la, addr, len);
192
193 if (la.l2_cid && la.l2_psm)
194 return -EINVAL;
195
196 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
197 return -EINVAL;
198
199 /* Check that the socket wasn't bound to something that
200 * conflicts with the address given to connect(). If chan->src
201 * is BDADDR_ANY it means bind() was never used, in which case
202 * chan->src_type and la.l2_bdaddr_type do not need to match.
203 */
204 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
205 bdaddr_type_is_le(la.l2_bdaddr_type)) {
206 /* Old user space versions will try to incorrectly bind
207 * the ATT socket using BDADDR_BREDR. We need to accept
208 * this and fix up the source address type only when
209 * both the source CID and destination CID indicate
210 * ATT. Anything else is an invalid combination.
211 */
212 if (chan->scid != L2CAP_CID_ATT ||
213 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
214 return -EINVAL;
215
216 /* We don't have the hdev available here to make a
217 * better decision on random vs public, but since all
218 * user space versions that exhibit this issue anyway do
219 * not support random local addresses assuming public
220 * here is good enough.
221 */
222 chan->src_type = BDADDR_LE_PUBLIC;
223 }
224
225 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
226 return -EINVAL;
227
228 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
229 /* We only allow ATT user space socket */
230 if (la.l2_cid &&
231 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
232 return -EINVAL;
233 }
234
235 if (chan->psm && bdaddr_type_is_le(chan->src_type))
236 chan->mode = L2CAP_MODE_LE_FLOWCTL;
237
238 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
239 &la.l2_bdaddr, la.l2_bdaddr_type);
240 if (err)
241 return err;
242
243 lock_sock(sk);
244
245 err = bt_sock_wait_state(sk, BT_CONNECTED,
246 sock_sndtimeo(sk, flags & O_NONBLOCK));
247
248 release_sock(sk);
249
250 return err;
251 }
252
l2cap_sock_listen(struct socket * sock,int backlog)253 static int l2cap_sock_listen(struct socket *sock, int backlog)
254 {
255 struct sock *sk = sock->sk;
256 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
257 int err = 0;
258
259 BT_DBG("sk %p backlog %d", sk, backlog);
260
261 lock_sock(sk);
262
263 if (sk->sk_state != BT_BOUND) {
264 err = -EBADFD;
265 goto done;
266 }
267
268 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
269 err = -EINVAL;
270 goto done;
271 }
272
273 switch (chan->mode) {
274 case L2CAP_MODE_BASIC:
275 case L2CAP_MODE_LE_FLOWCTL:
276 break;
277 case L2CAP_MODE_ERTM:
278 case L2CAP_MODE_STREAMING:
279 if (!disable_ertm)
280 break;
281 /* fall through */
282 default:
283 err = -EOPNOTSUPP;
284 goto done;
285 }
286
287 sk->sk_max_ack_backlog = backlog;
288 sk->sk_ack_backlog = 0;
289
290 /* Listening channels need to use nested locking in order not to
291 * cause lockdep warnings when the created child channels end up
292 * being locked in the same thread as the parent channel.
293 */
294 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
295
296 chan->state = BT_LISTEN;
297 sk->sk_state = BT_LISTEN;
298
299 done:
300 release_sock(sk);
301 return err;
302 }
303
l2cap_sock_accept(struct socket * sock,struct socket * newsock,int flags,bool kern)304 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
305 int flags, bool kern)
306 {
307 DEFINE_WAIT_FUNC(wait, woken_wake_function);
308 struct sock *sk = sock->sk, *nsk;
309 long timeo;
310 int err = 0;
311
312 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
313
314 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
315
316 BT_DBG("sk %p timeo %ld", sk, timeo);
317
318 /* Wait for an incoming connection. (wake-one). */
319 add_wait_queue_exclusive(sk_sleep(sk), &wait);
320 while (1) {
321 if (sk->sk_state != BT_LISTEN) {
322 err = -EBADFD;
323 break;
324 }
325
326 nsk = bt_accept_dequeue(sk, newsock);
327 if (nsk)
328 break;
329
330 if (!timeo) {
331 err = -EAGAIN;
332 break;
333 }
334
335 if (signal_pending(current)) {
336 err = sock_intr_errno(timeo);
337 break;
338 }
339
340 release_sock(sk);
341
342 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
343
344 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
345 }
346 remove_wait_queue(sk_sleep(sk), &wait);
347
348 if (err)
349 goto done;
350
351 newsock->state = SS_CONNECTED;
352
353 BT_DBG("new socket %p", nsk);
354
355 done:
356 release_sock(sk);
357 return err;
358 }
359
l2cap_sock_getname(struct socket * sock,struct sockaddr * addr,int peer)360 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
361 int peer)
362 {
363 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
364 struct sock *sk = sock->sk;
365 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
366
367 BT_DBG("sock %p, sk %p", sock, sk);
368
369 if (peer && sk->sk_state != BT_CONNECTED &&
370 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
371 sk->sk_state != BT_CONFIG)
372 return -ENOTCONN;
373
374 memset(la, 0, sizeof(struct sockaddr_l2));
375 addr->sa_family = AF_BLUETOOTH;
376
377 la->l2_psm = chan->psm;
378
379 if (peer) {
380 bacpy(&la->l2_bdaddr, &chan->dst);
381 la->l2_cid = cpu_to_le16(chan->dcid);
382 la->l2_bdaddr_type = chan->dst_type;
383 } else {
384 bacpy(&la->l2_bdaddr, &chan->src);
385 la->l2_cid = cpu_to_le16(chan->scid);
386 la->l2_bdaddr_type = chan->src_type;
387 }
388
389 return sizeof(struct sockaddr_l2);
390 }
391
l2cap_sock_getsockopt_old(struct socket * sock,int optname,char __user * optval,int __user * optlen)392 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
393 char __user *optval, int __user *optlen)
394 {
395 struct sock *sk = sock->sk;
396 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
397 struct l2cap_options opts;
398 struct l2cap_conninfo cinfo;
399 int len, err = 0;
400 u32 opt;
401
402 BT_DBG("sk %p", sk);
403
404 if (get_user(len, optlen))
405 return -EFAULT;
406
407 lock_sock(sk);
408
409 switch (optname) {
410 case L2CAP_OPTIONS:
411 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
412 * legacy ATT code depends on getsockopt for
413 * L2CAP_OPTIONS we need to let this pass.
414 */
415 if (bdaddr_type_is_le(chan->src_type) &&
416 chan->scid != L2CAP_CID_ATT) {
417 err = -EINVAL;
418 break;
419 }
420
421 memset(&opts, 0, sizeof(opts));
422 opts.imtu = chan->imtu;
423 opts.omtu = chan->omtu;
424 opts.flush_to = chan->flush_to;
425 opts.mode = chan->mode;
426 opts.fcs = chan->fcs;
427 opts.max_tx = chan->max_tx;
428 opts.txwin_size = chan->tx_win;
429
430 len = min_t(unsigned int, len, sizeof(opts));
431 if (copy_to_user(optval, (char *) &opts, len))
432 err = -EFAULT;
433
434 break;
435
436 case L2CAP_LM:
437 switch (chan->sec_level) {
438 case BT_SECURITY_LOW:
439 opt = L2CAP_LM_AUTH;
440 break;
441 case BT_SECURITY_MEDIUM:
442 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
443 break;
444 case BT_SECURITY_HIGH:
445 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
446 L2CAP_LM_SECURE;
447 break;
448 case BT_SECURITY_FIPS:
449 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
450 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
451 break;
452 default:
453 opt = 0;
454 break;
455 }
456
457 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
458 opt |= L2CAP_LM_MASTER;
459
460 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
461 opt |= L2CAP_LM_RELIABLE;
462
463 if (put_user(opt, (u32 __user *) optval))
464 err = -EFAULT;
465
466 break;
467
468 case L2CAP_CONNINFO:
469 if (sk->sk_state != BT_CONNECTED &&
470 !(sk->sk_state == BT_CONNECT2 &&
471 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
472 err = -ENOTCONN;
473 break;
474 }
475
476 memset(&cinfo, 0, sizeof(cinfo));
477 cinfo.hci_handle = chan->conn->hcon->handle;
478 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
479
480 len = min_t(unsigned int, len, sizeof(cinfo));
481 if (copy_to_user(optval, (char *) &cinfo, len))
482 err = -EFAULT;
483
484 break;
485
486 default:
487 err = -ENOPROTOOPT;
488 break;
489 }
490
491 release_sock(sk);
492 return err;
493 }
494
l2cap_sock_getsockopt(struct socket * sock,int level,int optname,char __user * optval,int __user * optlen)495 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
496 char __user *optval, int __user *optlen)
497 {
498 struct sock *sk = sock->sk;
499 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
500 struct bt_security sec;
501 struct bt_power pwr;
502 int len, err = 0;
503
504 BT_DBG("sk %p", sk);
505
506 if (level == SOL_L2CAP)
507 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
508
509 if (level != SOL_BLUETOOTH)
510 return -ENOPROTOOPT;
511
512 if (get_user(len, optlen))
513 return -EFAULT;
514
515 lock_sock(sk);
516
517 switch (optname) {
518 case BT_SECURITY:
519 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
520 chan->chan_type != L2CAP_CHAN_FIXED &&
521 chan->chan_type != L2CAP_CHAN_RAW) {
522 err = -EINVAL;
523 break;
524 }
525
526 memset(&sec, 0, sizeof(sec));
527 if (chan->conn) {
528 sec.level = chan->conn->hcon->sec_level;
529
530 if (sk->sk_state == BT_CONNECTED)
531 sec.key_size = chan->conn->hcon->enc_key_size;
532 } else {
533 sec.level = chan->sec_level;
534 }
535
536 len = min_t(unsigned int, len, sizeof(sec));
537 if (copy_to_user(optval, (char *) &sec, len))
538 err = -EFAULT;
539
540 break;
541
542 case BT_DEFER_SETUP:
543 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
544 err = -EINVAL;
545 break;
546 }
547
548 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
549 (u32 __user *) optval))
550 err = -EFAULT;
551
552 break;
553
554 case BT_FLUSHABLE:
555 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
556 (u32 __user *) optval))
557 err = -EFAULT;
558
559 break;
560
561 case BT_POWER:
562 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
563 && sk->sk_type != SOCK_RAW) {
564 err = -EINVAL;
565 break;
566 }
567
568 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
569
570 len = min_t(unsigned int, len, sizeof(pwr));
571 if (copy_to_user(optval, (char *) &pwr, len))
572 err = -EFAULT;
573
574 break;
575
576 case BT_CHANNEL_POLICY:
577 if (put_user(chan->chan_policy, (u32 __user *) optval))
578 err = -EFAULT;
579 break;
580
581 case BT_SNDMTU:
582 if (!bdaddr_type_is_le(chan->src_type)) {
583 err = -EINVAL;
584 break;
585 }
586
587 if (sk->sk_state != BT_CONNECTED) {
588 err = -ENOTCONN;
589 break;
590 }
591
592 if (put_user(chan->omtu, (u16 __user *) optval))
593 err = -EFAULT;
594 break;
595
596 case BT_RCVMTU:
597 if (!bdaddr_type_is_le(chan->src_type)) {
598 err = -EINVAL;
599 break;
600 }
601
602 if (put_user(chan->imtu, (u16 __user *) optval))
603 err = -EFAULT;
604 break;
605
606 default:
607 err = -ENOPROTOOPT;
608 break;
609 }
610
611 release_sock(sk);
612 return err;
613 }
614
l2cap_valid_mtu(struct l2cap_chan * chan,u16 mtu)615 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
616 {
617 switch (chan->scid) {
618 case L2CAP_CID_ATT:
619 if (mtu < L2CAP_LE_MIN_MTU)
620 return false;
621 break;
622
623 default:
624 if (mtu < L2CAP_DEFAULT_MIN_MTU)
625 return false;
626 }
627
628 return true;
629 }
630
l2cap_sock_setsockopt_old(struct socket * sock,int optname,char __user * optval,unsigned int optlen)631 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
632 char __user *optval, unsigned int optlen)
633 {
634 struct sock *sk = sock->sk;
635 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
636 struct l2cap_options opts;
637 int len, err = 0;
638 u32 opt;
639
640 BT_DBG("sk %p", sk);
641
642 lock_sock(sk);
643
644 switch (optname) {
645 case L2CAP_OPTIONS:
646 if (bdaddr_type_is_le(chan->src_type)) {
647 err = -EINVAL;
648 break;
649 }
650
651 if (sk->sk_state == BT_CONNECTED) {
652 err = -EINVAL;
653 break;
654 }
655
656 opts.imtu = chan->imtu;
657 opts.omtu = chan->omtu;
658 opts.flush_to = chan->flush_to;
659 opts.mode = chan->mode;
660 opts.fcs = chan->fcs;
661 opts.max_tx = chan->max_tx;
662 opts.txwin_size = chan->tx_win;
663
664 len = min_t(unsigned int, sizeof(opts), optlen);
665 if (copy_from_user((char *) &opts, optval, len)) {
666 err = -EFAULT;
667 break;
668 }
669
670 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
671 err = -EINVAL;
672 break;
673 }
674
675 if (!l2cap_valid_mtu(chan, opts.imtu)) {
676 err = -EINVAL;
677 break;
678 }
679
680 chan->mode = opts.mode;
681 switch (chan->mode) {
682 case L2CAP_MODE_LE_FLOWCTL:
683 break;
684 case L2CAP_MODE_BASIC:
685 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
686 break;
687 case L2CAP_MODE_ERTM:
688 case L2CAP_MODE_STREAMING:
689 if (!disable_ertm)
690 break;
691 /* fall through */
692 default:
693 err = -EINVAL;
694 break;
695 }
696
697 chan->imtu = opts.imtu;
698 chan->omtu = opts.omtu;
699 chan->fcs = opts.fcs;
700 chan->max_tx = opts.max_tx;
701 chan->tx_win = opts.txwin_size;
702 chan->flush_to = opts.flush_to;
703 break;
704
705 case L2CAP_LM:
706 if (get_user(opt, (u32 __user *) optval)) {
707 err = -EFAULT;
708 break;
709 }
710
711 if (opt & L2CAP_LM_FIPS) {
712 err = -EINVAL;
713 break;
714 }
715
716 if (opt & L2CAP_LM_AUTH)
717 chan->sec_level = BT_SECURITY_LOW;
718 if (opt & L2CAP_LM_ENCRYPT)
719 chan->sec_level = BT_SECURITY_MEDIUM;
720 if (opt & L2CAP_LM_SECURE)
721 chan->sec_level = BT_SECURITY_HIGH;
722
723 if (opt & L2CAP_LM_MASTER)
724 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
725 else
726 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
727
728 if (opt & L2CAP_LM_RELIABLE)
729 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
730 else
731 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
732 break;
733
734 default:
735 err = -ENOPROTOOPT;
736 break;
737 }
738
739 release_sock(sk);
740 return err;
741 }
742
l2cap_sock_setsockopt(struct socket * sock,int level,int optname,char __user * optval,unsigned int optlen)743 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
744 char __user *optval, unsigned int optlen)
745 {
746 struct sock *sk = sock->sk;
747 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
748 struct bt_security sec;
749 struct bt_power pwr;
750 struct l2cap_conn *conn;
751 int len, err = 0;
752 u32 opt;
753
754 BT_DBG("sk %p", sk);
755
756 if (level == SOL_L2CAP)
757 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
758
759 if (level != SOL_BLUETOOTH)
760 return -ENOPROTOOPT;
761
762 lock_sock(sk);
763
764 switch (optname) {
765 case BT_SECURITY:
766 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
767 chan->chan_type != L2CAP_CHAN_FIXED &&
768 chan->chan_type != L2CAP_CHAN_RAW) {
769 err = -EINVAL;
770 break;
771 }
772
773 sec.level = BT_SECURITY_LOW;
774
775 len = min_t(unsigned int, sizeof(sec), optlen);
776 if (copy_from_user((char *) &sec, optval, len)) {
777 err = -EFAULT;
778 break;
779 }
780
781 if (sec.level < BT_SECURITY_LOW ||
782 sec.level > BT_SECURITY_FIPS) {
783 err = -EINVAL;
784 break;
785 }
786
787 chan->sec_level = sec.level;
788
789 if (!chan->conn)
790 break;
791
792 conn = chan->conn;
793
794 /*change security for LE channels */
795 if (chan->scid == L2CAP_CID_ATT) {
796 if (smp_conn_security(conn->hcon, sec.level))
797 break;
798 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
799 sk->sk_state = BT_CONFIG;
800 chan->state = BT_CONFIG;
801
802 /* or for ACL link */
803 } else if ((sk->sk_state == BT_CONNECT2 &&
804 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
805 sk->sk_state == BT_CONNECTED) {
806 if (!l2cap_chan_check_security(chan, true))
807 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
808 else
809 sk->sk_state_change(sk);
810 } else {
811 err = -EINVAL;
812 }
813 break;
814
815 case BT_DEFER_SETUP:
816 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
817 err = -EINVAL;
818 break;
819 }
820
821 if (get_user(opt, (u32 __user *) optval)) {
822 err = -EFAULT;
823 break;
824 }
825
826 if (opt) {
827 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
828 set_bit(FLAG_DEFER_SETUP, &chan->flags);
829 } else {
830 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
831 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
832 }
833 break;
834
835 case BT_FLUSHABLE:
836 if (get_user(opt, (u32 __user *) optval)) {
837 err = -EFAULT;
838 break;
839 }
840
841 if (opt > BT_FLUSHABLE_ON) {
842 err = -EINVAL;
843 break;
844 }
845
846 if (opt == BT_FLUSHABLE_OFF) {
847 conn = chan->conn;
848 /* proceed further only when we have l2cap_conn and
849 No Flush support in the LM */
850 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
851 err = -EINVAL;
852 break;
853 }
854 }
855
856 if (opt)
857 set_bit(FLAG_FLUSHABLE, &chan->flags);
858 else
859 clear_bit(FLAG_FLUSHABLE, &chan->flags);
860 break;
861
862 case BT_POWER:
863 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
864 chan->chan_type != L2CAP_CHAN_RAW) {
865 err = -EINVAL;
866 break;
867 }
868
869 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
870
871 len = min_t(unsigned int, sizeof(pwr), optlen);
872 if (copy_from_user((char *) &pwr, optval, len)) {
873 err = -EFAULT;
874 break;
875 }
876
877 if (pwr.force_active)
878 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
879 else
880 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
881 break;
882
883 case BT_CHANNEL_POLICY:
884 if (get_user(opt, (u32 __user *) optval)) {
885 err = -EFAULT;
886 break;
887 }
888
889 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
890 err = -EINVAL;
891 break;
892 }
893
894 if (chan->mode != L2CAP_MODE_ERTM &&
895 chan->mode != L2CAP_MODE_STREAMING) {
896 err = -EOPNOTSUPP;
897 break;
898 }
899
900 chan->chan_policy = (u8) opt;
901
902 if (sk->sk_state == BT_CONNECTED &&
903 chan->move_role == L2CAP_MOVE_ROLE_NONE)
904 l2cap_move_start(chan);
905
906 break;
907
908 case BT_SNDMTU:
909 if (!bdaddr_type_is_le(chan->src_type)) {
910 err = -EINVAL;
911 break;
912 }
913
914 /* Setting is not supported as it's the remote side that
915 * decides this.
916 */
917 err = -EPERM;
918 break;
919
920 case BT_RCVMTU:
921 if (!bdaddr_type_is_le(chan->src_type)) {
922 err = -EINVAL;
923 break;
924 }
925
926 if (sk->sk_state == BT_CONNECTED) {
927 err = -EISCONN;
928 break;
929 }
930
931 if (get_user(opt, (u16 __user *) optval)) {
932 err = -EFAULT;
933 break;
934 }
935
936 chan->imtu = opt;
937 break;
938
939 default:
940 err = -ENOPROTOOPT;
941 break;
942 }
943
944 release_sock(sk);
945 return err;
946 }
947
l2cap_sock_sendmsg(struct socket * sock,struct msghdr * msg,size_t len)948 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
949 size_t len)
950 {
951 struct sock *sk = sock->sk;
952 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
953 int err;
954
955 BT_DBG("sock %p, sk %p", sock, sk);
956
957 err = sock_error(sk);
958 if (err)
959 return err;
960
961 if (msg->msg_flags & MSG_OOB)
962 return -EOPNOTSUPP;
963
964 if (sk->sk_state != BT_CONNECTED)
965 return -ENOTCONN;
966
967 lock_sock(sk);
968 err = bt_sock_wait_ready(sk, msg->msg_flags);
969 release_sock(sk);
970 if (err)
971 return err;
972
973 l2cap_chan_lock(chan);
974 err = l2cap_chan_send(chan, msg, len);
975 l2cap_chan_unlock(chan);
976
977 return err;
978 }
979
l2cap_sock_recvmsg(struct socket * sock,struct msghdr * msg,size_t len,int flags)980 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
981 size_t len, int flags)
982 {
983 struct sock *sk = sock->sk;
984 struct l2cap_pinfo *pi = l2cap_pi(sk);
985 int err;
986
987 lock_sock(sk);
988
989 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
990 &bt_sk(sk)->flags)) {
991 if (bdaddr_type_is_le(pi->chan->src_type)) {
992 sk->sk_state = BT_CONNECTED;
993 pi->chan->state = BT_CONNECTED;
994 __l2cap_le_connect_rsp_defer(pi->chan);
995 } else {
996 sk->sk_state = BT_CONFIG;
997 pi->chan->state = BT_CONFIG;
998 __l2cap_connect_rsp_defer(pi->chan);
999 }
1000
1001 err = 0;
1002 goto done;
1003 }
1004
1005 release_sock(sk);
1006
1007 if (sock->type == SOCK_STREAM)
1008 err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1009 else
1010 err = bt_sock_recvmsg(sock, msg, len, flags);
1011
1012 if (pi->chan->mode != L2CAP_MODE_ERTM)
1013 return err;
1014
1015 /* Attempt to put pending rx data in the socket buffer */
1016
1017 lock_sock(sk);
1018
1019 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1020 goto done;
1021
1022 if (pi->rx_busy_skb) {
1023 if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1024 pi->rx_busy_skb = NULL;
1025 else
1026 goto done;
1027 }
1028
1029 /* Restore data flow when half of the receive buffer is
1030 * available. This avoids resending large numbers of
1031 * frames.
1032 */
1033 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1034 l2cap_chan_busy(pi->chan, 0);
1035
1036 done:
1037 release_sock(sk);
1038 return err;
1039 }
1040
1041 /* Kill socket (only if zapped and orphan)
1042 * Must be called on unlocked socket.
1043 */
l2cap_sock_kill(struct sock * sk)1044 static void l2cap_sock_kill(struct sock *sk)
1045 {
1046 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1047 return;
1048
1049 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1050
1051 /* Kill poor orphan */
1052
1053 l2cap_chan_put(l2cap_pi(sk)->chan);
1054 sock_set_flag(sk, SOCK_DEAD);
1055 sock_put(sk);
1056 }
1057
__l2cap_wait_ack(struct sock * sk,struct l2cap_chan * chan)1058 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1059 {
1060 DECLARE_WAITQUEUE(wait, current);
1061 int err = 0;
1062 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1063 /* Timeout to prevent infinite loop */
1064 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1065
1066 add_wait_queue(sk_sleep(sk), &wait);
1067 set_current_state(TASK_INTERRUPTIBLE);
1068 do {
1069 BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1070 chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1071 jiffies_to_msecs(timeout - jiffies));
1072
1073 if (!timeo)
1074 timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1075
1076 if (signal_pending(current)) {
1077 err = sock_intr_errno(timeo);
1078 break;
1079 }
1080
1081 release_sock(sk);
1082 timeo = schedule_timeout(timeo);
1083 lock_sock(sk);
1084 set_current_state(TASK_INTERRUPTIBLE);
1085
1086 err = sock_error(sk);
1087 if (err)
1088 break;
1089
1090 if (time_after(jiffies, timeout)) {
1091 err = -ENOLINK;
1092 break;
1093 }
1094
1095 } while (chan->unacked_frames > 0 &&
1096 chan->state == BT_CONNECTED);
1097
1098 set_current_state(TASK_RUNNING);
1099 remove_wait_queue(sk_sleep(sk), &wait);
1100 return err;
1101 }
1102
l2cap_sock_shutdown(struct socket * sock,int how)1103 static int l2cap_sock_shutdown(struct socket *sock, int how)
1104 {
1105 struct sock *sk = sock->sk;
1106 struct l2cap_chan *chan;
1107 struct l2cap_conn *conn;
1108 int err = 0;
1109
1110 BT_DBG("sock %p, sk %p", sock, sk);
1111
1112 if (!sk)
1113 return 0;
1114
1115 lock_sock(sk);
1116
1117 if (sk->sk_shutdown)
1118 goto shutdown_already;
1119
1120 BT_DBG("Handling sock shutdown");
1121
1122 /* prevent sk structure from being freed whilst unlocked */
1123 sock_hold(sk);
1124
1125 chan = l2cap_pi(sk)->chan;
1126 /* prevent chan structure from being freed whilst unlocked */
1127 l2cap_chan_hold(chan);
1128
1129 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1130
1131 if (chan->mode == L2CAP_MODE_ERTM &&
1132 chan->unacked_frames > 0 &&
1133 chan->state == BT_CONNECTED) {
1134 err = __l2cap_wait_ack(sk, chan);
1135
1136 /* After waiting for ACKs, check whether shutdown
1137 * has already been actioned to close the L2CAP
1138 * link such as by l2cap_disconnection_req().
1139 */
1140 if (sk->sk_shutdown)
1141 goto has_shutdown;
1142 }
1143
1144 sk->sk_shutdown = SHUTDOWN_MASK;
1145 release_sock(sk);
1146
1147 l2cap_chan_lock(chan);
1148 conn = chan->conn;
1149 if (conn)
1150 /* prevent conn structure from being freed */
1151 l2cap_conn_get(conn);
1152 l2cap_chan_unlock(chan);
1153
1154 if (conn)
1155 /* mutex lock must be taken before l2cap_chan_lock() */
1156 mutex_lock(&conn->chan_lock);
1157
1158 l2cap_chan_lock(chan);
1159 l2cap_chan_close(chan, 0);
1160 l2cap_chan_unlock(chan);
1161
1162 if (conn) {
1163 mutex_unlock(&conn->chan_lock);
1164 l2cap_conn_put(conn);
1165 }
1166
1167 lock_sock(sk);
1168
1169 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1170 !(current->flags & PF_EXITING))
1171 err = bt_sock_wait_state(sk, BT_CLOSED,
1172 sk->sk_lingertime);
1173
1174 has_shutdown:
1175 l2cap_chan_put(chan);
1176 sock_put(sk);
1177
1178 shutdown_already:
1179 if (!err && sk->sk_err)
1180 err = -sk->sk_err;
1181
1182 release_sock(sk);
1183
1184 BT_DBG("Sock shutdown complete err: %d", err);
1185
1186 return err;
1187 }
1188
l2cap_sock_release(struct socket * sock)1189 static int l2cap_sock_release(struct socket *sock)
1190 {
1191 struct sock *sk = sock->sk;
1192 int err;
1193
1194 BT_DBG("sock %p, sk %p", sock, sk);
1195
1196 if (!sk)
1197 return 0;
1198
1199 bt_sock_unlink(&l2cap_sk_list, sk);
1200
1201 err = l2cap_sock_shutdown(sock, 2);
1202
1203 sock_orphan(sk);
1204 l2cap_sock_kill(sk);
1205 return err;
1206 }
1207
l2cap_sock_cleanup_listen(struct sock * parent)1208 static void l2cap_sock_cleanup_listen(struct sock *parent)
1209 {
1210 struct sock *sk;
1211
1212 BT_DBG("parent %p state %s", parent,
1213 state_to_string(parent->sk_state));
1214
1215 /* Close not yet accepted channels */
1216 while ((sk = bt_accept_dequeue(parent, NULL))) {
1217 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1218
1219 BT_DBG("child chan %p state %s", chan,
1220 state_to_string(chan->state));
1221
1222 l2cap_chan_lock(chan);
1223 __clear_chan_timer(chan);
1224 l2cap_chan_close(chan, ECONNRESET);
1225 l2cap_chan_unlock(chan);
1226
1227 l2cap_sock_kill(sk);
1228 }
1229 }
1230
l2cap_sock_new_connection_cb(struct l2cap_chan * chan)1231 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1232 {
1233 struct sock *sk, *parent = chan->data;
1234
1235 lock_sock(parent);
1236
1237 /* Check for backlog size */
1238 if (sk_acceptq_is_full(parent)) {
1239 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1240 release_sock(parent);
1241 return NULL;
1242 }
1243
1244 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1245 GFP_ATOMIC, 0);
1246 if (!sk) {
1247 release_sock(parent);
1248 return NULL;
1249 }
1250
1251 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1252
1253 l2cap_sock_init(sk, parent);
1254
1255 bt_accept_enqueue(parent, sk);
1256
1257 release_sock(parent);
1258
1259 return l2cap_pi(sk)->chan;
1260 }
1261
l2cap_sock_recv_cb(struct l2cap_chan * chan,struct sk_buff * skb)1262 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1263 {
1264 struct sock *sk = chan->data;
1265 int err;
1266
1267 lock_sock(sk);
1268
1269 if (l2cap_pi(sk)->rx_busy_skb) {
1270 err = -ENOMEM;
1271 goto done;
1272 }
1273
1274 if (chan->mode != L2CAP_MODE_ERTM &&
1275 chan->mode != L2CAP_MODE_STREAMING) {
1276 /* Even if no filter is attached, we could potentially
1277 * get errors from security modules, etc.
1278 */
1279 err = sk_filter(sk, skb);
1280 if (err)
1281 goto done;
1282 }
1283
1284 err = __sock_queue_rcv_skb(sk, skb);
1285
1286 /* For ERTM, handle one skb that doesn't fit into the recv
1287 * buffer. This is important to do because the data frames
1288 * have already been acked, so the skb cannot be discarded.
1289 *
1290 * Notify the l2cap core that the buffer is full, so the
1291 * LOCAL_BUSY state is entered and no more frames are
1292 * acked and reassembled until there is buffer space
1293 * available.
1294 */
1295 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1296 l2cap_pi(sk)->rx_busy_skb = skb;
1297 l2cap_chan_busy(chan, 1);
1298 err = 0;
1299 }
1300
1301 done:
1302 release_sock(sk);
1303
1304 return err;
1305 }
1306
l2cap_sock_close_cb(struct l2cap_chan * chan)1307 static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1308 {
1309 struct sock *sk = chan->data;
1310
1311 l2cap_sock_kill(sk);
1312 }
1313
l2cap_sock_teardown_cb(struct l2cap_chan * chan,int err)1314 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1315 {
1316 struct sock *sk = chan->data;
1317 struct sock *parent;
1318
1319 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1320
1321 /* This callback can be called both for server (BT_LISTEN)
1322 * sockets as well as "normal" ones. To avoid lockdep warnings
1323 * with child socket locking (through l2cap_sock_cleanup_listen)
1324 * we need separation into separate nesting levels. The simplest
1325 * way to accomplish this is to inherit the nesting level used
1326 * for the channel.
1327 */
1328 lock_sock_nested(sk, atomic_read(&chan->nesting));
1329
1330 parent = bt_sk(sk)->parent;
1331
1332 sock_set_flag(sk, SOCK_ZAPPED);
1333
1334 switch (chan->state) {
1335 case BT_OPEN:
1336 case BT_BOUND:
1337 case BT_CLOSED:
1338 break;
1339 case BT_LISTEN:
1340 l2cap_sock_cleanup_listen(sk);
1341 sk->sk_state = BT_CLOSED;
1342 chan->state = BT_CLOSED;
1343
1344 break;
1345 default:
1346 sk->sk_state = BT_CLOSED;
1347 chan->state = BT_CLOSED;
1348
1349 sk->sk_err = err;
1350
1351 if (parent) {
1352 bt_accept_unlink(sk);
1353 parent->sk_data_ready(parent);
1354 } else {
1355 sk->sk_state_change(sk);
1356 }
1357
1358 break;
1359 }
1360
1361 release_sock(sk);
1362 }
1363
l2cap_sock_state_change_cb(struct l2cap_chan * chan,int state,int err)1364 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1365 int err)
1366 {
1367 struct sock *sk = chan->data;
1368
1369 sk->sk_state = state;
1370
1371 if (err)
1372 sk->sk_err = err;
1373 }
1374
l2cap_sock_alloc_skb_cb(struct l2cap_chan * chan,unsigned long hdr_len,unsigned long len,int nb)1375 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1376 unsigned long hdr_len,
1377 unsigned long len, int nb)
1378 {
1379 struct sock *sk = chan->data;
1380 struct sk_buff *skb;
1381 int err;
1382
1383 l2cap_chan_unlock(chan);
1384 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1385 l2cap_chan_lock(chan);
1386
1387 if (!skb)
1388 return ERR_PTR(err);
1389
1390 skb->priority = sk->sk_priority;
1391
1392 bt_cb(skb)->l2cap.chan = chan;
1393
1394 return skb;
1395 }
1396
l2cap_sock_ready_cb(struct l2cap_chan * chan)1397 static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1398 {
1399 struct sock *sk = chan->data;
1400 struct sock *parent;
1401
1402 lock_sock(sk);
1403
1404 parent = bt_sk(sk)->parent;
1405
1406 BT_DBG("sk %p, parent %p", sk, parent);
1407
1408 sk->sk_state = BT_CONNECTED;
1409 sk->sk_state_change(sk);
1410
1411 if (parent)
1412 parent->sk_data_ready(parent);
1413
1414 release_sock(sk);
1415 }
1416
l2cap_sock_defer_cb(struct l2cap_chan * chan)1417 static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1418 {
1419 struct sock *parent, *sk = chan->data;
1420
1421 lock_sock(sk);
1422
1423 parent = bt_sk(sk)->parent;
1424 if (parent)
1425 parent->sk_data_ready(parent);
1426
1427 release_sock(sk);
1428 }
1429
l2cap_sock_resume_cb(struct l2cap_chan * chan)1430 static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1431 {
1432 struct sock *sk = chan->data;
1433
1434 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1435 sk->sk_state = BT_CONNECTED;
1436 chan->state = BT_CONNECTED;
1437 }
1438
1439 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1440 sk->sk_state_change(sk);
1441 }
1442
l2cap_sock_set_shutdown_cb(struct l2cap_chan * chan)1443 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1444 {
1445 struct sock *sk = chan->data;
1446
1447 lock_sock(sk);
1448 sk->sk_shutdown = SHUTDOWN_MASK;
1449 release_sock(sk);
1450 }
1451
l2cap_sock_get_sndtimeo_cb(struct l2cap_chan * chan)1452 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1453 {
1454 struct sock *sk = chan->data;
1455
1456 return sk->sk_sndtimeo;
1457 }
1458
l2cap_sock_suspend_cb(struct l2cap_chan * chan)1459 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1460 {
1461 struct sock *sk = chan->data;
1462
1463 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1464 sk->sk_state_change(sk);
1465 }
1466
1467 static const struct l2cap_ops l2cap_chan_ops = {
1468 .name = "L2CAP Socket Interface",
1469 .new_connection = l2cap_sock_new_connection_cb,
1470 .recv = l2cap_sock_recv_cb,
1471 .close = l2cap_sock_close_cb,
1472 .teardown = l2cap_sock_teardown_cb,
1473 .state_change = l2cap_sock_state_change_cb,
1474 .ready = l2cap_sock_ready_cb,
1475 .defer = l2cap_sock_defer_cb,
1476 .resume = l2cap_sock_resume_cb,
1477 .suspend = l2cap_sock_suspend_cb,
1478 .set_shutdown = l2cap_sock_set_shutdown_cb,
1479 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1480 .alloc_skb = l2cap_sock_alloc_skb_cb,
1481 };
1482
l2cap_sock_destruct(struct sock * sk)1483 static void l2cap_sock_destruct(struct sock *sk)
1484 {
1485 BT_DBG("sk %p", sk);
1486
1487 if (l2cap_pi(sk)->chan)
1488 l2cap_chan_put(l2cap_pi(sk)->chan);
1489
1490 if (l2cap_pi(sk)->rx_busy_skb) {
1491 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1492 l2cap_pi(sk)->rx_busy_skb = NULL;
1493 }
1494
1495 skb_queue_purge(&sk->sk_receive_queue);
1496 skb_queue_purge(&sk->sk_write_queue);
1497 }
1498
l2cap_skb_msg_name(struct sk_buff * skb,void * msg_name,int * msg_namelen)1499 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1500 int *msg_namelen)
1501 {
1502 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1503
1504 memset(la, 0, sizeof(struct sockaddr_l2));
1505 la->l2_family = AF_BLUETOOTH;
1506 la->l2_psm = bt_cb(skb)->l2cap.psm;
1507 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1508
1509 *msg_namelen = sizeof(struct sockaddr_l2);
1510 }
1511
l2cap_sock_init(struct sock * sk,struct sock * parent)1512 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1513 {
1514 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1515
1516 BT_DBG("sk %p", sk);
1517
1518 if (parent) {
1519 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1520
1521 sk->sk_type = parent->sk_type;
1522 bt_sk(sk)->flags = bt_sk(parent)->flags;
1523
1524 chan->chan_type = pchan->chan_type;
1525 chan->imtu = pchan->imtu;
1526 chan->omtu = pchan->omtu;
1527 chan->conf_state = pchan->conf_state;
1528 chan->mode = pchan->mode;
1529 chan->fcs = pchan->fcs;
1530 chan->max_tx = pchan->max_tx;
1531 chan->tx_win = pchan->tx_win;
1532 chan->tx_win_max = pchan->tx_win_max;
1533 chan->sec_level = pchan->sec_level;
1534 chan->flags = pchan->flags;
1535 chan->tx_credits = pchan->tx_credits;
1536 chan->rx_credits = pchan->rx_credits;
1537
1538 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1539 chan->scid = pchan->scid;
1540 chan->dcid = pchan->scid;
1541 }
1542
1543 security_sk_clone(parent, sk);
1544 } else {
1545 switch (sk->sk_type) {
1546 case SOCK_RAW:
1547 chan->chan_type = L2CAP_CHAN_RAW;
1548 break;
1549 case SOCK_DGRAM:
1550 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1551 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1552 break;
1553 case SOCK_SEQPACKET:
1554 case SOCK_STREAM:
1555 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1556 break;
1557 }
1558
1559 chan->imtu = L2CAP_DEFAULT_MTU;
1560 chan->omtu = 0;
1561 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1562 chan->mode = L2CAP_MODE_ERTM;
1563 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1564 } else {
1565 chan->mode = L2CAP_MODE_BASIC;
1566 }
1567
1568 l2cap_chan_set_defaults(chan);
1569 }
1570
1571 /* Default config options */
1572 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1573
1574 chan->data = sk;
1575 chan->ops = &l2cap_chan_ops;
1576 }
1577
1578 static struct proto l2cap_proto = {
1579 .name = "L2CAP",
1580 .owner = THIS_MODULE,
1581 .obj_size = sizeof(struct l2cap_pinfo)
1582 };
1583
l2cap_sock_alloc(struct net * net,struct socket * sock,int proto,gfp_t prio,int kern)1584 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1585 int proto, gfp_t prio, int kern)
1586 {
1587 struct sock *sk;
1588 struct l2cap_chan *chan;
1589
1590 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern);
1591 if (!sk)
1592 return NULL;
1593
1594 sock_init_data(sock, sk);
1595 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1596
1597 sk->sk_destruct = l2cap_sock_destruct;
1598 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1599
1600 sock_reset_flag(sk, SOCK_ZAPPED);
1601
1602 sk->sk_protocol = proto;
1603 sk->sk_state = BT_OPEN;
1604
1605 chan = l2cap_chan_create();
1606 if (!chan) {
1607 sk_free(sk);
1608 return NULL;
1609 }
1610
1611 l2cap_chan_hold(chan);
1612
1613 l2cap_pi(sk)->chan = chan;
1614
1615 return sk;
1616 }
1617
l2cap_sock_create(struct net * net,struct socket * sock,int protocol,int kern)1618 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1619 int kern)
1620 {
1621 struct sock *sk;
1622
1623 BT_DBG("sock %p", sock);
1624
1625 sock->state = SS_UNCONNECTED;
1626
1627 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1628 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1629 return -ESOCKTNOSUPPORT;
1630
1631 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1632 return -EPERM;
1633
1634 sock->ops = &l2cap_sock_ops;
1635
1636 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1637 if (!sk)
1638 return -ENOMEM;
1639
1640 l2cap_sock_init(sk, NULL);
1641 bt_sock_link(&l2cap_sk_list, sk);
1642 return 0;
1643 }
1644
1645 static const struct proto_ops l2cap_sock_ops = {
1646 .family = PF_BLUETOOTH,
1647 .owner = THIS_MODULE,
1648 .release = l2cap_sock_release,
1649 .bind = l2cap_sock_bind,
1650 .connect = l2cap_sock_connect,
1651 .listen = l2cap_sock_listen,
1652 .accept = l2cap_sock_accept,
1653 .getname = l2cap_sock_getname,
1654 .sendmsg = l2cap_sock_sendmsg,
1655 .recvmsg = l2cap_sock_recvmsg,
1656 .poll = bt_sock_poll,
1657 .ioctl = bt_sock_ioctl,
1658 .mmap = sock_no_mmap,
1659 .socketpair = sock_no_socketpair,
1660 .shutdown = l2cap_sock_shutdown,
1661 .setsockopt = l2cap_sock_setsockopt,
1662 .getsockopt = l2cap_sock_getsockopt
1663 };
1664
1665 static const struct net_proto_family l2cap_sock_family_ops = {
1666 .family = PF_BLUETOOTH,
1667 .owner = THIS_MODULE,
1668 .create = l2cap_sock_create,
1669 };
1670
l2cap_init_sockets(void)1671 int __init l2cap_init_sockets(void)
1672 {
1673 int err;
1674
1675 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1676
1677 err = proto_register(&l2cap_proto, 0);
1678 if (err < 0)
1679 return err;
1680
1681 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1682 if (err < 0) {
1683 BT_ERR("L2CAP socket registration failed");
1684 goto error;
1685 }
1686
1687 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1688 NULL);
1689 if (err < 0) {
1690 BT_ERR("Failed to create L2CAP proc file");
1691 bt_sock_unregister(BTPROTO_L2CAP);
1692 goto error;
1693 }
1694
1695 BT_INFO("L2CAP socket layer initialized");
1696
1697 return 0;
1698
1699 error:
1700 proto_unregister(&l2cap_proto);
1701 return err;
1702 }
1703
l2cap_cleanup_sockets(void)1704 void l2cap_cleanup_sockets(void)
1705 {
1706 bt_procfs_cleanup(&init_net, "l2cap");
1707 bt_sock_unregister(BTPROTO_L2CAP);
1708 proto_unregister(&l2cap_proto);
1709 }
1710