CoCalc -- l2cap

GitHub Repository: torvalds/linux
Path: blob/master/net/bluetooth/l2cap_sock.c
²⁶²⁷⁸ views
1
/*
2
   BlueZ - Bluetooth protocol stack for Linux
3
   Copyright (C) 2000-2001 Qualcomm Incorporated
4
   Copyright (C) 2009-2010 Gustavo F. Padovan <[email protected]>
5
   Copyright (C) 2010 Google Inc.
6
   Copyright (C) 2011 ProFUSION Embedded Systems
7

8
   Written 2000,2001 by Maxim Krasnyansky <[email protected]>
9

10
   This program is free software; you can redistribute it and/or modify
11
   it under the terms of the GNU General Public License version 2 as
12
   published by the Free Software Foundation;
13

14
   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22

23
   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25
   SOFTWARE IS DISCLAIMED.
26
*/
27

28
/* Bluetooth L2CAP sockets. */
29

30
#include <linux/module.h>
31
#include <linux/export.h>
32
#include <linux/filter.h>
33
#include <linux/sched/signal.h>
34

35
#include <net/bluetooth/bluetooth.h>
36
#include <net/bluetooth/hci_core.h>
37
#include <net/bluetooth/l2cap.h>
38

39
#include "smp.h"
40

41
static struct bt_sock_list l2cap_sk_list = {
42
	.lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
43
};
44

45
static const struct proto_ops l2cap_sock_ops;
46
static void l2cap_sock_init(struct sock *sk, struct sock *parent);
47
static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
48
				     int proto, gfp_t prio, int kern);
49
static void l2cap_sock_cleanup_listen(struct sock *parent);
50

51
bool l2cap_is_socket(struct socket *sock)
52
{
53
	return sock && sock->ops == &l2cap_sock_ops;
54
}
55
EXPORT_SYMBOL(l2cap_is_socket);
56

57
static int l2cap_validate_bredr_psm(u16 psm)
58
{
59
	/* PSM must be odd and lsb of upper byte must be 0 */
60
	if ((psm & 0x0101) != 0x0001)
61
		return -EINVAL;
62

63
	/* Restrict usage of well-known PSMs */
64
	if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
65
		return -EACCES;
66

67
	return 0;
68
}
69

70
static int l2cap_validate_le_psm(u16 psm)
71
{
72
	/* Valid LE_PSM ranges are defined only until 0x00ff */
73
	if (psm > L2CAP_PSM_LE_DYN_END)
74
		return -EINVAL;
75

76
	/* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
77
	if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
78
		return -EACCES;
79

80
	return 0;
81
}
82

83
static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
84
{
85
	struct sock *sk = sock->sk;
86
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
87
	struct sockaddr_l2 la;
88
	int len, err = 0;
89

90
	BT_DBG("sk %p", sk);
91

92
	if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
93
	    addr->sa_family != AF_BLUETOOTH)
94
		return -EINVAL;
95

96
	memset(&la, 0, sizeof(la));
97
	len = min_t(unsigned int, sizeof(la), alen);
98
	memcpy(&la, addr, len);
99

100
	if (la.l2_cid && la.l2_psm)
101
		return -EINVAL;
102

103
	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
104
		return -EINVAL;
105

106
	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
107
		/* We only allow ATT user space socket */
108
		if (la.l2_cid &&
109
		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
110
			return -EINVAL;
111
	}
112

113
	lock_sock(sk);
114

115
	if (sk->sk_state != BT_OPEN) {
116
		err = -EBADFD;
117
		goto done;
118
	}
119

120
	if (la.l2_psm) {
121
		__u16 psm = __le16_to_cpu(la.l2_psm);
122

123
		if (la.l2_bdaddr_type == BDADDR_BREDR)
124
			err = l2cap_validate_bredr_psm(psm);
125
		else
126
			err = l2cap_validate_le_psm(psm);
127

128
		if (err)
129
			goto done;
130
	}
131

132
	bacpy(&chan->src, &la.l2_bdaddr);
133
	chan->src_type = la.l2_bdaddr_type;
134

135
	if (la.l2_cid)
136
		err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
137
	else
138
		err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
139

140
	if (err < 0)
141
		goto done;
142

143
	switch (chan->chan_type) {
144
	case L2CAP_CHAN_CONN_LESS:
145
		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
146
			chan->sec_level = BT_SECURITY_SDP;
147
		break;
148
	case L2CAP_CHAN_CONN_ORIENTED:
149
		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
150
		    __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
151
			chan->sec_level = BT_SECURITY_SDP;
152
		break;
153
	case L2CAP_CHAN_RAW:
154
		chan->sec_level = BT_SECURITY_SDP;
155
		break;
156
	case L2CAP_CHAN_FIXED:
157
		/* Fixed channels default to the L2CAP core not holding a
158
		 * hci_conn reference for them. For fixed channels mapping to
159
		 * L2CAP sockets we do want to hold a reference so set the
160
		 * appropriate flag to request it.
161
		 */
162
		set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
163
		break;
164
	}
165

166
	/* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
167
	 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
168
	 */
169
	if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
170
	    chan->mode != L2CAP_MODE_EXT_FLOWCTL)
171
		chan->mode = L2CAP_MODE_LE_FLOWCTL;
172

173
	chan->state = BT_BOUND;
174
	sk->sk_state = BT_BOUND;
175

176
done:
177
	release_sock(sk);
178
	return err;
179
}
180

181
static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
182
			      int alen, int flags)
183
{
184
	struct sock *sk = sock->sk;
185
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
186
	struct sockaddr_l2 la;
187
	int len, err = 0;
188
	bool zapped;
189

190
	BT_DBG("sk %p", sk);
191

192
	lock_sock(sk);
193
	zapped = sock_flag(sk, SOCK_ZAPPED);
194
	release_sock(sk);
195

196
	if (zapped)
197
		return -EINVAL;
198

199
	if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
200
	    addr->sa_family != AF_BLUETOOTH)
201
		return -EINVAL;
202

203
	memset(&la, 0, sizeof(la));
204
	len = min_t(unsigned int, sizeof(la), alen);
205
	memcpy(&la, addr, len);
206

207
	if (la.l2_cid && la.l2_psm)
208
		return -EINVAL;
209

210
	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
211
		return -EINVAL;
212

213
	/* Check that the socket wasn't bound to something that
214
	 * conflicts with the address given to connect(). If chan->src
215
	 * is BDADDR_ANY it means bind() was never used, in which case
216
	 * chan->src_type and la.l2_bdaddr_type do not need to match.
217
	 */
218
	if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
219
	    bdaddr_type_is_le(la.l2_bdaddr_type)) {
220
		/* Old user space versions will try to incorrectly bind
221
		 * the ATT socket using BDADDR_BREDR. We need to accept
222
		 * this and fix up the source address type only when
223
		 * both the source CID and destination CID indicate
224
		 * ATT. Anything else is an invalid combination.
225
		 */
226
		if (chan->scid != L2CAP_CID_ATT ||
227
		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
228
			return -EINVAL;
229

230
		/* We don't have the hdev available here to make a
231
		 * better decision on random vs public, but since all
232
		 * user space versions that exhibit this issue anyway do
233
		 * not support random local addresses assuming public
234
		 * here is good enough.
235
		 */
236
		chan->src_type = BDADDR_LE_PUBLIC;
237
	}
238

239
	if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
240
		return -EINVAL;
241

242
	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
243
		/* We only allow ATT user space socket */
244
		if (la.l2_cid &&
245
		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
246
			return -EINVAL;
247
	}
248

249
	/* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
250
	 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
251
	 */
252
	if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
253
	    chan->mode != L2CAP_MODE_EXT_FLOWCTL)
254
		chan->mode = L2CAP_MODE_LE_FLOWCTL;
255

256
	err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
257
				 &la.l2_bdaddr, la.l2_bdaddr_type,
258
				 READ_ONCE(sk->sk_sndtimeo));
259
	if (err)
260
		return err;
261

262
	lock_sock(sk);
263

264
	err = bt_sock_wait_state(sk, BT_CONNECTED,
265
				 sock_sndtimeo(sk, flags & O_NONBLOCK));
266

267
	release_sock(sk);
268

269
	return err;
270
}
271

272
static int l2cap_sock_listen(struct socket *sock, int backlog)
273
{
274
	struct sock *sk = sock->sk;
275
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
276
	int err = 0;
277

278
	BT_DBG("sk %p backlog %d", sk, backlog);
279

280
	lock_sock(sk);
281

282
	if (sk->sk_state != BT_BOUND) {
283
		err = -EBADFD;
284
		goto done;
285
	}
286

287
	if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
288
		err = -EINVAL;
289
		goto done;
290
	}
291

292
	switch (chan->mode) {
293
	case L2CAP_MODE_BASIC:
294
	case L2CAP_MODE_LE_FLOWCTL:
295
		break;
296
	case L2CAP_MODE_EXT_FLOWCTL:
297
		if (!enable_ecred) {
298
			err = -EOPNOTSUPP;
299
			goto done;
300
		}
301
		break;
302
	case L2CAP_MODE_ERTM:
303
	case L2CAP_MODE_STREAMING:
304
		if (!disable_ertm)
305
			break;
306
		fallthrough;
307
	default:
308
		err = -EOPNOTSUPP;
309
		goto done;
310
	}
311

312
	sk->sk_max_ack_backlog = backlog;
313
	sk->sk_ack_backlog = 0;
314

315
	/* Listening channels need to use nested locking in order not to
316
	 * cause lockdep warnings when the created child channels end up
317
	 * being locked in the same thread as the parent channel.
318
	 */
319
	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
320

321
	chan->state = BT_LISTEN;
322
	sk->sk_state = BT_LISTEN;
323

324
done:
325
	release_sock(sk);
326
	return err;
327
}
328

329
static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
330
			     struct proto_accept_arg *arg)
331
{
332
	DEFINE_WAIT_FUNC(wait, woken_wake_function);
333
	struct sock *sk = sock->sk, *nsk;
334
	long timeo;
335
	int err = 0;
336

337
	lock_sock_nested(sk, L2CAP_NESTING_PARENT);
338

339
	timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK);
340

341
	BT_DBG("sk %p timeo %ld", sk, timeo);
342

343
	/* Wait for an incoming connection. (wake-one). */
344
	add_wait_queue_exclusive(sk_sleep(sk), &wait);
345
	while (1) {
346
		if (sk->sk_state != BT_LISTEN) {
347
			err = -EBADFD;
348
			break;
349
		}
350

351
		nsk = bt_accept_dequeue(sk, newsock);
352
		if (nsk)
353
			break;
354

355
		if (!timeo) {
356
			err = -EAGAIN;
357
			break;
358
		}
359

360
		if (signal_pending(current)) {
361
			err = sock_intr_errno(timeo);
362
			break;
363
		}
364

365
		release_sock(sk);
366

367
		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
368

369
		lock_sock_nested(sk, L2CAP_NESTING_PARENT);
370
	}
371
	remove_wait_queue(sk_sleep(sk), &wait);
372

373
	if (err)
374
		goto done;
375

376
	newsock->state = SS_CONNECTED;
377

378
	BT_DBG("new socket %p", nsk);
379

380
done:
381
	release_sock(sk);
382
	return err;
383
}
384

385
static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
386
			      int peer)
387
{
388
	struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
389
	struct sock *sk = sock->sk;
390
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
391

392
	BT_DBG("sock %p, sk %p", sock, sk);
393

394
	if (peer && sk->sk_state != BT_CONNECTED &&
395
	    sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
396
	    sk->sk_state != BT_CONFIG)
397
		return -ENOTCONN;
398

399
	memset(la, 0, sizeof(struct sockaddr_l2));
400
	addr->sa_family = AF_BLUETOOTH;
401

402
	la->l2_psm = chan->psm;
403

404
	if (peer) {
405
		bacpy(&la->l2_bdaddr, &chan->dst);
406
		la->l2_cid = cpu_to_le16(chan->dcid);
407
		la->l2_bdaddr_type = chan->dst_type;
408
	} else {
409
		bacpy(&la->l2_bdaddr, &chan->src);
410
		la->l2_cid = cpu_to_le16(chan->scid);
411
		la->l2_bdaddr_type = chan->src_type;
412
	}
413

414
	return sizeof(struct sockaddr_l2);
415
}
416

417
static int l2cap_get_mode(struct l2cap_chan *chan)
418
{
419
	switch (chan->mode) {
420
	case L2CAP_MODE_BASIC:
421
		return BT_MODE_BASIC;
422
	case L2CAP_MODE_ERTM:
423
		return BT_MODE_ERTM;
424
	case L2CAP_MODE_STREAMING:
425
		return BT_MODE_STREAMING;
426
	case L2CAP_MODE_LE_FLOWCTL:
427
		return BT_MODE_LE_FLOWCTL;
428
	case L2CAP_MODE_EXT_FLOWCTL:
429
		return BT_MODE_EXT_FLOWCTL;
430
	}
431

432
	return -EINVAL;
433
}
434

435
static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
436
				     char __user *optval, int __user *optlen)
437
{
438
	struct sock *sk = sock->sk;
439
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
440
	struct l2cap_options opts;
441
	struct l2cap_conninfo cinfo;
442
	int err = 0;
443
	size_t len;
444
	u32 opt;
445

446
	BT_DBG("sk %p", sk);
447

448
	if (get_user(len, optlen))
449
		return -EFAULT;
450

451
	lock_sock(sk);
452

453
	switch (optname) {
454
	case L2CAP_OPTIONS:
455
		/* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
456
		 * legacy ATT code depends on getsockopt for
457
		 * L2CAP_OPTIONS we need to let this pass.
458
		 */
459
		if (bdaddr_type_is_le(chan->src_type) &&
460
		    chan->scid != L2CAP_CID_ATT) {
461
			err = -EINVAL;
462
			break;
463
		}
464

465
		/* Only BR/EDR modes are supported here */
466
		switch (chan->mode) {
467
		case L2CAP_MODE_BASIC:
468
		case L2CAP_MODE_ERTM:
469
		case L2CAP_MODE_STREAMING:
470
			break;
471
		default:
472
			err = -EINVAL;
473
			break;
474
		}
475

476
		if (err < 0)
477
			break;
478

479
		memset(&opts, 0, sizeof(opts));
480
		opts.imtu     = chan->imtu;
481
		opts.omtu     = chan->omtu;
482
		opts.flush_to = chan->flush_to;
483
		opts.mode     = chan->mode;
484
		opts.fcs      = chan->fcs;
485
		opts.max_tx   = chan->max_tx;
486
		opts.txwin_size = chan->tx_win;
487

488
		BT_DBG("mode 0x%2.2x", chan->mode);
489

490
		len = min(len, sizeof(opts));
491
		if (copy_to_user(optval, (char *) &opts, len))
492
			err = -EFAULT;
493

494
		break;
495

496
	case L2CAP_LM:
497
		switch (chan->sec_level) {
498
		case BT_SECURITY_LOW:
499
			opt = L2CAP_LM_AUTH;
500
			break;
501
		case BT_SECURITY_MEDIUM:
502
			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
503
			break;
504
		case BT_SECURITY_HIGH:
505
			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
506
			      L2CAP_LM_SECURE;
507
			break;
508
		case BT_SECURITY_FIPS:
509
			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
510
			      L2CAP_LM_SECURE | L2CAP_LM_FIPS;
511
			break;
512
		default:
513
			opt = 0;
514
			break;
515
		}
516

517
		if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
518
			opt |= L2CAP_LM_MASTER;
519

520
		if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
521
			opt |= L2CAP_LM_RELIABLE;
522

523
		if (put_user(opt, (u32 __user *) optval))
524
			err = -EFAULT;
525

526
		break;
527

528
	case L2CAP_CONNINFO:
529
		if (sk->sk_state != BT_CONNECTED &&
530
		    !(sk->sk_state == BT_CONNECT2 &&
531
		      test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
532
			err = -ENOTCONN;
533
			break;
534
		}
535

536
		memset(&cinfo, 0, sizeof(cinfo));
537
		cinfo.hci_handle = chan->conn->hcon->handle;
538
		memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
539

540
		len = min(len, sizeof(cinfo));
541
		if (copy_to_user(optval, (char *) &cinfo, len))
542
			err = -EFAULT;
543

544
		break;
545

546
	default:
547
		err = -ENOPROTOOPT;
548
		break;
549
	}
550

551
	release_sock(sk);
552
	return err;
553
}
554

555
static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
556
				 char __user *optval, int __user *optlen)
557
{
558
	struct sock *sk = sock->sk;
559
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
560
	struct bt_security sec;
561
	struct bt_power pwr;
562
	u32 phys;
563
	int len, mode, err = 0;
564

565
	BT_DBG("sk %p", sk);
566

567
	if (level == SOL_L2CAP)
568
		return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
569

570
	if (level != SOL_BLUETOOTH)
571
		return -ENOPROTOOPT;
572

573
	if (get_user(len, optlen))
574
		return -EFAULT;
575

576
	lock_sock(sk);
577

578
	switch (optname) {
579
	case BT_SECURITY:
580
		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
581
		    chan->chan_type != L2CAP_CHAN_FIXED &&
582
		    chan->chan_type != L2CAP_CHAN_RAW) {
583
			err = -EINVAL;
584
			break;
585
		}
586

587
		memset(&sec, 0, sizeof(sec));
588
		if (chan->conn) {
589
			sec.level = chan->conn->hcon->sec_level;
590

591
			if (sk->sk_state == BT_CONNECTED)
592
				sec.key_size = chan->conn->hcon->enc_key_size;
593
		} else {
594
			sec.level = chan->sec_level;
595
		}
596

597
		len = min_t(unsigned int, len, sizeof(sec));
598
		if (copy_to_user(optval, (char *) &sec, len))
599
			err = -EFAULT;
600

601
		break;
602

603
	case BT_DEFER_SETUP:
604
		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
605
			err = -EINVAL;
606
			break;
607
		}
608

609
		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
610
			     (u32 __user *) optval))
611
			err = -EFAULT;
612

613
		break;
614

615
	case BT_FLUSHABLE:
616
		if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
617
			     (u32 __user *) optval))
618
			err = -EFAULT;
619

620
		break;
621

622
	case BT_POWER:
623
		if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
624
		    && sk->sk_type != SOCK_RAW) {
625
			err = -EINVAL;
626
			break;
627
		}
628

629
		pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
630

631
		len = min_t(unsigned int, len, sizeof(pwr));
632
		if (copy_to_user(optval, (char *) &pwr, len))
633
			err = -EFAULT;
634

635
		break;
636

637
	case BT_CHANNEL_POLICY:
638
		if (put_user(chan->chan_policy, (u32 __user *) optval))
639
			err = -EFAULT;
640
		break;
641

642
	case BT_SNDMTU:
643
		if (!bdaddr_type_is_le(chan->src_type)) {
644
			err = -EINVAL;
645
			break;
646
		}
647

648
		if (sk->sk_state != BT_CONNECTED) {
649
			err = -ENOTCONN;
650
			break;
651
		}
652

653
		if (put_user(chan->omtu, (u16 __user *) optval))
654
			err = -EFAULT;
655
		break;
656

657
	case BT_RCVMTU:
658
		if (!bdaddr_type_is_le(chan->src_type)) {
659
			err = -EINVAL;
660
			break;
661
		}
662

663
		if (put_user(chan->imtu, (u16 __user *) optval))
664
			err = -EFAULT;
665
		break;
666

667
	case BT_PHY:
668
		if (sk->sk_state != BT_CONNECTED) {
669
			err = -ENOTCONN;
670
			break;
671
		}
672

673
		phys = hci_conn_get_phy(chan->conn->hcon);
674

675
		if (put_user(phys, (u32 __user *) optval))
676
			err = -EFAULT;
677
		break;
678

679
	case BT_MODE:
680
		if (!enable_ecred) {
681
			err = -ENOPROTOOPT;
682
			break;
683
		}
684

685
		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
686
			err = -EINVAL;
687
			break;
688
		}
689

690
		mode = l2cap_get_mode(chan);
691
		if (mode < 0) {
692
			err = mode;
693
			break;
694
		}
695

696
		if (put_user(mode, (u8 __user *) optval))
697
			err = -EFAULT;
698
		break;
699

700
	default:
701
		err = -ENOPROTOOPT;
702
		break;
703
	}
704

705
	release_sock(sk);
706
	return err;
707
}
708

709
static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
710
{
711
	switch (chan->scid) {
712
	case L2CAP_CID_ATT:
713
		if (mtu && mtu < L2CAP_LE_MIN_MTU)
714
			return false;
715
		break;
716

717
	default:
718
		if (mtu && mtu < L2CAP_DEFAULT_MIN_MTU)
719
			return false;
720
	}
721

722
	return true;
723
}
724

725
static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
726
				     sockptr_t optval, unsigned int optlen)
727
{
728
	struct sock *sk = sock->sk;
729
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
730
	struct l2cap_options opts;
731
	int err = 0;
732
	u32 opt;
733

734
	BT_DBG("sk %p", sk);
735

736
	lock_sock(sk);
737

738
	switch (optname) {
739
	case L2CAP_OPTIONS:
740
		if (bdaddr_type_is_le(chan->src_type)) {
741
			err = -EINVAL;
742
			break;
743
		}
744

745
		if (sk->sk_state == BT_CONNECTED) {
746
			err = -EINVAL;
747
			break;
748
		}
749

750
		opts.imtu     = chan->imtu;
751
		opts.omtu     = chan->omtu;
752
		opts.flush_to = chan->flush_to;
753
		opts.mode     = chan->mode;
754
		opts.fcs      = chan->fcs;
755
		opts.max_tx   = chan->max_tx;
756
		opts.txwin_size = chan->tx_win;
757

758
		err = copy_safe_from_sockptr(&opts, sizeof(opts), optval,
759
					     optlen);
760
		if (err)
761
			break;
762

763
		if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
764
			err = -EINVAL;
765
			break;
766
		}
767

768
		if (!l2cap_valid_mtu(chan, opts.imtu)) {
769
			err = -EINVAL;
770
			break;
771
		}
772

773
		/* Only BR/EDR modes are supported here */
774
		switch (opts.mode) {
775
		case L2CAP_MODE_BASIC:
776
			clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
777
			break;
778
		case L2CAP_MODE_ERTM:
779
		case L2CAP_MODE_STREAMING:
780
			if (!disable_ertm)
781
				break;
782
			fallthrough;
783
		default:
784
			err = -EINVAL;
785
			break;
786
		}
787

788
		if (err < 0)
789
			break;
790

791
		chan->mode = opts.mode;
792

793
		BT_DBG("mode 0x%2.2x", chan->mode);
794

795
		chan->imtu = opts.imtu;
796
		chan->omtu = opts.omtu;
797
		chan->fcs  = opts.fcs;
798
		chan->max_tx = opts.max_tx;
799
		chan->tx_win = opts.txwin_size;
800
		chan->flush_to = opts.flush_to;
801
		break;
802

803
	case L2CAP_LM:
804
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
805
		if (err)
806
			break;
807

808
		if (opt & L2CAP_LM_FIPS) {
809
			err = -EINVAL;
810
			break;
811
		}
812

813
		if (opt & L2CAP_LM_AUTH)
814
			chan->sec_level = BT_SECURITY_LOW;
815
		if (opt & L2CAP_LM_ENCRYPT)
816
			chan->sec_level = BT_SECURITY_MEDIUM;
817
		if (opt & L2CAP_LM_SECURE)
818
			chan->sec_level = BT_SECURITY_HIGH;
819

820
		if (opt & L2CAP_LM_MASTER)
821
			set_bit(FLAG_ROLE_SWITCH, &chan->flags);
822
		else
823
			clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
824

825
		if (opt & L2CAP_LM_RELIABLE)
826
			set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
827
		else
828
			clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
829
		break;
830

831
	default:
832
		err = -ENOPROTOOPT;
833
		break;
834
	}
835

836
	release_sock(sk);
837
	return err;
838
}
839

840
static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode)
841
{
842
	switch (mode) {
843
	case BT_MODE_BASIC:
844
		if (bdaddr_type_is_le(chan->src_type))
845
			return -EINVAL;
846
		mode = L2CAP_MODE_BASIC;
847
		clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
848
		break;
849
	case BT_MODE_ERTM:
850
		if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
851
			return -EINVAL;
852
		mode = L2CAP_MODE_ERTM;
853
		break;
854
	case BT_MODE_STREAMING:
855
		if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
856
			return -EINVAL;
857
		mode = L2CAP_MODE_STREAMING;
858
		break;
859
	case BT_MODE_LE_FLOWCTL:
860
		if (!bdaddr_type_is_le(chan->src_type))
861
			return -EINVAL;
862
		mode = L2CAP_MODE_LE_FLOWCTL;
863
		break;
864
	case BT_MODE_EXT_FLOWCTL:
865
		/* TODO: Add support for ECRED PDUs to BR/EDR */
866
		if (!bdaddr_type_is_le(chan->src_type))
867
			return -EINVAL;
868
		mode = L2CAP_MODE_EXT_FLOWCTL;
869
		break;
870
	default:
871
		return -EINVAL;
872
	}
873

874
	chan->mode = mode;
875

876
	return 0;
877
}
878

879
static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
880
				 sockptr_t optval, unsigned int optlen)
881
{
882
	struct sock *sk = sock->sk;
883
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
884
	struct bt_security sec;
885
	struct bt_power pwr;
886
	struct l2cap_conn *conn;
887
	int err = 0;
888
	u32 opt;
889
	u16 mtu;
890
	u8 mode;
891

892
	BT_DBG("sk %p", sk);
893

894
	if (level == SOL_L2CAP)
895
		return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
896

897
	if (level != SOL_BLUETOOTH)
898
		return -ENOPROTOOPT;
899

900
	lock_sock(sk);
901

902
	switch (optname) {
903
	case BT_SECURITY:
904
		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
905
		    chan->chan_type != L2CAP_CHAN_FIXED &&
906
		    chan->chan_type != L2CAP_CHAN_RAW) {
907
			err = -EINVAL;
908
			break;
909
		}
910

911
		sec.level = BT_SECURITY_LOW;
912

913
		err = copy_safe_from_sockptr(&sec, sizeof(sec), optval, optlen);
914
		if (err)
915
			break;
916

917
		if (sec.level < BT_SECURITY_LOW ||
918
		    sec.level > BT_SECURITY_FIPS) {
919
			err = -EINVAL;
920
			break;
921
		}
922

923
		chan->sec_level = sec.level;
924

925
		if (!chan->conn)
926
			break;
927

928
		conn = chan->conn;
929

930
		/* change security for LE channels */
931
		if (chan->scid == L2CAP_CID_ATT) {
932
			if (smp_conn_security(conn->hcon, sec.level)) {
933
				err = -EINVAL;
934
				break;
935
			}
936

937
			set_bit(FLAG_PENDING_SECURITY, &chan->flags);
938
			sk->sk_state = BT_CONFIG;
939
			chan->state = BT_CONFIG;
940

941
		/* or for ACL link */
942
		} else if ((sk->sk_state == BT_CONNECT2 &&
943
			    test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
944
			   sk->sk_state == BT_CONNECTED) {
945
			if (!l2cap_chan_check_security(chan, true))
946
				set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
947
			else
948
				sk->sk_state_change(sk);
949
		} else {
950
			err = -EINVAL;
951
		}
952
		break;
953

954
	case BT_DEFER_SETUP:
955
		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
956
			err = -EINVAL;
957
			break;
958
		}
959

960
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
961
		if (err)
962
			break;
963

964
		if (opt) {
965
			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
966
			set_bit(FLAG_DEFER_SETUP, &chan->flags);
967
		} else {
968
			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
969
			clear_bit(FLAG_DEFER_SETUP, &chan->flags);
970
		}
971
		break;
972

973
	case BT_FLUSHABLE:
974
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
975
		if (err)
976
			break;
977

978
		if (opt > BT_FLUSHABLE_ON) {
979
			err = -EINVAL;
980
			break;
981
		}
982

983
		if (opt == BT_FLUSHABLE_OFF) {
984
			conn = chan->conn;
985
			/* proceed further only when we have l2cap_conn and
986
			   No Flush support in the LM */
987
			if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
988
				err = -EINVAL;
989
				break;
990
			}
991
		}
992

993
		if (opt)
994
			set_bit(FLAG_FLUSHABLE, &chan->flags);
995
		else
996
			clear_bit(FLAG_FLUSHABLE, &chan->flags);
997
		break;
998

999
	case BT_POWER:
1000
		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
1001
		    chan->chan_type != L2CAP_CHAN_RAW) {
1002
			err = -EINVAL;
1003
			break;
1004
		}
1005

1006
		pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
1007

1008
		err = copy_safe_from_sockptr(&pwr, sizeof(pwr), optval, optlen);
1009
		if (err)
1010
			break;
1011

1012
		if (pwr.force_active)
1013
			set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1014
		else
1015
			clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1016
		break;
1017

1018
	case BT_CHANNEL_POLICY:
1019
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
1020
		if (err)
1021
			break;
1022

1023
		err = -EOPNOTSUPP;
1024
		break;
1025

1026
	case BT_SNDMTU:
1027
		if (!bdaddr_type_is_le(chan->src_type)) {
1028
			err = -EINVAL;
1029
			break;
1030
		}
1031

1032
		/* Setting is not supported as it's the remote side that
1033
		 * decides this.
1034
		 */
1035
		err = -EPERM;
1036
		break;
1037

1038
	case BT_RCVMTU:
1039
		if (!bdaddr_type_is_le(chan->src_type)) {
1040
			err = -EINVAL;
1041
			break;
1042
		}
1043

1044
		if (chan->mode == L2CAP_MODE_LE_FLOWCTL &&
1045
		    sk->sk_state == BT_CONNECTED) {
1046
			err = -EISCONN;
1047
			break;
1048
		}
1049

1050
		err = copy_safe_from_sockptr(&mtu, sizeof(mtu), optval, optlen);
1051
		if (err)
1052
			break;
1053

1054
		if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
1055
		    sk->sk_state == BT_CONNECTED)
1056
			err = l2cap_chan_reconfigure(chan, mtu);
1057
		else
1058
			chan->imtu = mtu;
1059

1060
		break;
1061

1062
	case BT_MODE:
1063
		if (!enable_ecred) {
1064
			err = -ENOPROTOOPT;
1065
			break;
1066
		}
1067

1068
		BT_DBG("sk->sk_state %u", sk->sk_state);
1069

1070
		if (sk->sk_state != BT_BOUND) {
1071
			err = -EINVAL;
1072
			break;
1073
		}
1074

1075
		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1076
			err = -EINVAL;
1077
			break;
1078
		}
1079

1080
		err = copy_safe_from_sockptr(&mode, sizeof(mode), optval,
1081
					     optlen);
1082
		if (err)
1083
			break;
1084

1085
		BT_DBG("mode %u", mode);
1086

1087
		err = l2cap_set_mode(chan, mode);
1088
		if (err)
1089
			break;
1090

1091
		BT_DBG("mode 0x%2.2x", chan->mode);
1092

1093
		break;
1094

1095
	default:
1096
		err = -ENOPROTOOPT;
1097
		break;
1098
	}
1099

1100
	release_sock(sk);
1101
	return err;
1102
}
1103

1104
static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1105
			      size_t len)
1106
{
1107
	struct sock *sk = sock->sk;
1108
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1109
	struct sockcm_cookie sockc;
1110
	int err;
1111

1112
	BT_DBG("sock %p, sk %p", sock, sk);
1113

1114
	err = sock_error(sk);
1115
	if (err)
1116
		return err;
1117

1118
	if (msg->msg_flags & MSG_OOB)
1119
		return -EOPNOTSUPP;
1120

1121
	if (sk->sk_state != BT_CONNECTED)
1122
		return -ENOTCONN;
1123

1124
	hci_sockcm_init(&sockc, sk);
1125

1126
	if (msg->msg_controllen) {
1127
		err = sock_cmsg_send(sk, msg, &sockc);
1128
		if (err)
1129
			return err;
1130
	}
1131

1132
	lock_sock(sk);
1133
	err = bt_sock_wait_ready(sk, msg->msg_flags);
1134
	release_sock(sk);
1135
	if (err)
1136
		return err;
1137

1138
	l2cap_chan_lock(chan);
1139
	err = l2cap_chan_send(chan, msg, len, &sockc);
1140
	l2cap_chan_unlock(chan);
1141

1142
	return err;
1143
}
1144

1145
static void l2cap_publish_rx_avail(struct l2cap_chan *chan)
1146
{
1147
	struct sock *sk = chan->data;
1148
	ssize_t avail = sk->sk_rcvbuf - atomic_read(&sk->sk_rmem_alloc);
1149
	int expected_skbs, skb_overhead;
1150

1151
	if (avail <= 0) {
1152
		l2cap_chan_rx_avail(chan, 0);
1153
		return;
1154
	}
1155

1156
	if (!chan->mps) {
1157
		l2cap_chan_rx_avail(chan, -1);
1158
		return;
1159
	}
1160

1161
	/* Correct available memory by estimated sk_buff overhead.
1162
	 * This is significant due to small transfer sizes. However, accept
1163
	 * at least one full packet if receive space is non-zero.
1164
	 */
1165
	expected_skbs = DIV_ROUND_UP(avail, chan->mps);
1166
	skb_overhead = expected_skbs * sizeof(struct sk_buff);
1167
	if (skb_overhead < avail)
1168
		l2cap_chan_rx_avail(chan, avail - skb_overhead);
1169
	else
1170
		l2cap_chan_rx_avail(chan, -1);
1171
}
1172

1173
static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1174
			      size_t len, int flags)
1175
{
1176
	struct sock *sk = sock->sk;
1177
	struct l2cap_pinfo *pi = l2cap_pi(sk);
1178
	int err;
1179

1180
	if (unlikely(flags & MSG_ERRQUEUE))
1181
		return sock_recv_errqueue(sk, msg, len, SOL_BLUETOOTH,
1182
					  BT_SCM_ERROR);
1183

1184
	lock_sock(sk);
1185

1186
	if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
1187
						    &bt_sk(sk)->flags)) {
1188
		if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
1189
			sk->sk_state = BT_CONNECTED;
1190
			pi->chan->state = BT_CONNECTED;
1191
			__l2cap_ecred_conn_rsp_defer(pi->chan);
1192
		} else if (bdaddr_type_is_le(pi->chan->src_type)) {
1193
			sk->sk_state = BT_CONNECTED;
1194
			pi->chan->state = BT_CONNECTED;
1195
			__l2cap_le_connect_rsp_defer(pi->chan);
1196
		} else {
1197
			sk->sk_state = BT_CONFIG;
1198
			pi->chan->state = BT_CONFIG;
1199
			__l2cap_connect_rsp_defer(pi->chan);
1200
		}
1201

1202
		err = 0;
1203
		goto done;
1204
	}
1205

1206
	release_sock(sk);
1207

1208
	if (sock->type == SOCK_STREAM)
1209
		err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1210
	else
1211
		err = bt_sock_recvmsg(sock, msg, len, flags);
1212

1213
	if (pi->chan->mode != L2CAP_MODE_ERTM &&
1214
	    pi->chan->mode != L2CAP_MODE_LE_FLOWCTL &&
1215
	    pi->chan->mode != L2CAP_MODE_EXT_FLOWCTL)
1216
		return err;
1217

1218
	lock_sock(sk);
1219

1220
	l2cap_publish_rx_avail(pi->chan);
1221

1222
	/* Attempt to put pending rx data in the socket buffer */
1223
	while (!list_empty(&pi->rx_busy)) {
1224
		struct l2cap_rx_busy *rx_busy =
1225
			list_first_entry(&pi->rx_busy,
1226
					 struct l2cap_rx_busy,
1227
					 list);
1228
		if (__sock_queue_rcv_skb(sk, rx_busy->skb) < 0)
1229
			goto done;
1230
		list_del(&rx_busy->list);
1231
		kfree(rx_busy);
1232
	}
1233

1234
	/* Restore data flow when half of the receive buffer is
1235
	 * available.  This avoids resending large numbers of
1236
	 * frames.
1237
	 */
1238
	if (test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state) &&
1239
	    atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1240
		l2cap_chan_busy(pi->chan, 0);
1241

1242
done:
1243
	release_sock(sk);
1244
	return err;
1245
}
1246

1247
/* Kill socket (only if zapped and orphan)
1248
 * Must be called on unlocked socket, with l2cap channel lock.
1249
 */
1250
static void l2cap_sock_kill(struct sock *sk)
1251
{
1252
	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1253
		return;
1254

1255
	BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1256

1257
	/* Sock is dead, so set chan data to NULL, avoid other task use invalid
1258
	 * sock pointer.
1259
	 */
1260
	l2cap_pi(sk)->chan->data = NULL;
1261
	/* Kill poor orphan */
1262

1263
	l2cap_chan_put(l2cap_pi(sk)->chan);
1264
	sock_set_flag(sk, SOCK_DEAD);
1265
	sock_put(sk);
1266
}
1267

1268
static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1269
{
1270
	DECLARE_WAITQUEUE(wait, current);
1271
	int err = 0;
1272
	int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1273
	/* Timeout to prevent infinite loop */
1274
	unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1275

1276
	add_wait_queue(sk_sleep(sk), &wait);
1277
	set_current_state(TASK_INTERRUPTIBLE);
1278
	do {
1279
		BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1280
		       chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1281
		       jiffies_to_msecs(timeout - jiffies));
1282

1283
		if (!timeo)
1284
			timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1285

1286
		if (signal_pending(current)) {
1287
			err = sock_intr_errno(timeo);
1288
			break;
1289
		}
1290

1291
		release_sock(sk);
1292
		timeo = schedule_timeout(timeo);
1293
		lock_sock(sk);
1294
		set_current_state(TASK_INTERRUPTIBLE);
1295

1296
		err = sock_error(sk);
1297
		if (err)
1298
			break;
1299

1300
		if (time_after(jiffies, timeout)) {
1301
			err = -ENOLINK;
1302
			break;
1303
		}
1304

1305
	} while (chan->unacked_frames > 0 &&
1306
		 chan->state == BT_CONNECTED);
1307

1308
	set_current_state(TASK_RUNNING);
1309
	remove_wait_queue(sk_sleep(sk), &wait);
1310
	return err;
1311
}
1312

1313
static int l2cap_sock_shutdown(struct socket *sock, int how)
1314
{
1315
	struct sock *sk = sock->sk;
1316
	struct l2cap_chan *chan;
1317
	struct l2cap_conn *conn;
1318
	int err = 0;
1319

1320
	BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1321

1322
	/* 'how' parameter is mapped to sk_shutdown as follows:
1323
	 * SHUT_RD   (0) --> RCV_SHUTDOWN  (1)
1324
	 * SHUT_WR   (1) --> SEND_SHUTDOWN (2)
1325
	 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3)
1326
	 */
1327
	how++;
1328

1329
	if (!sk)
1330
		return 0;
1331

1332
	lock_sock(sk);
1333

1334
	if ((sk->sk_shutdown & how) == how)
1335
		goto shutdown_already;
1336

1337
	BT_DBG("Handling sock shutdown");
1338

1339
	/* prevent sk structure from being freed whilst unlocked */
1340
	sock_hold(sk);
1341

1342
	/* prevent chan structure from being freed whilst unlocked */
1343
	chan = l2cap_chan_hold_unless_zero(l2cap_pi(sk)->chan);
1344
	if (!chan)
1345
		goto shutdown_already;
1346

1347
	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1348

1349
	if (chan->mode == L2CAP_MODE_ERTM &&
1350
	    chan->unacked_frames > 0 &&
1351
	    chan->state == BT_CONNECTED) {
1352
		err = __l2cap_wait_ack(sk, chan);
1353

1354
		/* After waiting for ACKs, check whether shutdown
1355
		 * has already been actioned to close the L2CAP
1356
		 * link such as by l2cap_disconnection_req().
1357
		 */
1358
		if ((sk->sk_shutdown & how) == how)
1359
			goto shutdown_matched;
1360
	}
1361

1362
	/* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN
1363
	 * is already set
1364
	 */
1365
	if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) {
1366
		sk->sk_shutdown |= RCV_SHUTDOWN;
1367
		if ((sk->sk_shutdown & how) == how)
1368
			goto shutdown_matched;
1369
	}
1370

1371
	sk->sk_shutdown |= SEND_SHUTDOWN;
1372
	release_sock(sk);
1373

1374
	l2cap_chan_lock(chan);
1375
	/* prevent conn structure from being freed */
1376
	conn = l2cap_conn_hold_unless_zero(chan->conn);
1377
	l2cap_chan_unlock(chan);
1378

1379
	if (conn)
1380
		/* mutex lock must be taken before l2cap_chan_lock() */
1381
		mutex_lock(&conn->lock);
1382

1383
	l2cap_chan_lock(chan);
1384
	l2cap_chan_close(chan, 0);
1385
	l2cap_chan_unlock(chan);
1386

1387
	if (conn) {
1388
		mutex_unlock(&conn->lock);
1389
		l2cap_conn_put(conn);
1390
	}
1391

1392
	lock_sock(sk);
1393

1394
	if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1395
	    !(current->flags & PF_EXITING))
1396
		err = bt_sock_wait_state(sk, BT_CLOSED,
1397
					 sk->sk_lingertime);
1398

1399
shutdown_matched:
1400
	l2cap_chan_put(chan);
1401
	sock_put(sk);
1402

1403
shutdown_already:
1404
	if (!err && sk->sk_err)
1405
		err = -sk->sk_err;
1406

1407
	release_sock(sk);
1408

1409
	BT_DBG("Sock shutdown complete err: %d", err);
1410

1411
	return err;
1412
}
1413

1414
static int l2cap_sock_release(struct socket *sock)
1415
{
1416
	struct sock *sk = sock->sk;
1417
	int err;
1418
	struct l2cap_chan *chan;
1419

1420
	BT_DBG("sock %p, sk %p", sock, sk);
1421

1422
	if (!sk)
1423
		return 0;
1424

1425
	lock_sock_nested(sk, L2CAP_NESTING_PARENT);
1426
	l2cap_sock_cleanup_listen(sk);
1427
	release_sock(sk);
1428

1429
	bt_sock_unlink(&l2cap_sk_list, sk);
1430

1431
	err = l2cap_sock_shutdown(sock, SHUT_RDWR);
1432
	chan = l2cap_pi(sk)->chan;
1433

1434
	l2cap_chan_hold(chan);
1435
	l2cap_chan_lock(chan);
1436

1437
	sock_orphan(sk);
1438
	l2cap_sock_kill(sk);
1439

1440
	l2cap_chan_unlock(chan);
1441
	l2cap_chan_put(chan);
1442

1443
	return err;
1444
}
1445

1446
static void l2cap_sock_cleanup_listen(struct sock *parent)
1447
{
1448
	struct sock *sk;
1449

1450
	BT_DBG("parent %p state %s", parent,
1451
	       state_to_string(parent->sk_state));
1452

1453
	/* Close not yet accepted channels */
1454
	while ((sk = bt_accept_dequeue(parent, NULL))) {
1455
		struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1456

1457
		BT_DBG("child chan %p state %s", chan,
1458
		       state_to_string(chan->state));
1459

1460
		l2cap_chan_hold(chan);
1461
		l2cap_chan_lock(chan);
1462

1463
		__clear_chan_timer(chan);
1464
		l2cap_chan_close(chan, ECONNRESET);
1465
		l2cap_sock_kill(sk);
1466

1467
		l2cap_chan_unlock(chan);
1468
		l2cap_chan_put(chan);
1469
	}
1470
}
1471

1472
static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1473
{
1474
	struct sock *sk, *parent = chan->data;
1475

1476
	lock_sock(parent);
1477

1478
	/* Check for backlog size */
1479
	if (sk_acceptq_is_full(parent)) {
1480
		BT_DBG("backlog full %d", parent->sk_ack_backlog);
1481
		release_sock(parent);
1482
		return NULL;
1483
	}
1484

1485
	sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1486
			      GFP_ATOMIC, 0);
1487
	if (!sk) {
1488
		release_sock(parent);
1489
		return NULL;
1490
        }
1491

1492
	bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1493

1494
	l2cap_sock_init(sk, parent);
1495

1496
	bt_accept_enqueue(parent, sk, false);
1497

1498
	release_sock(parent);
1499

1500
	return l2cap_pi(sk)->chan;
1501
}
1502

1503
static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1504
{
1505
	struct sock *sk;
1506
	struct l2cap_pinfo *pi;
1507
	int err;
1508

1509
	sk = chan->data;
1510
	if (!sk)
1511
		return -ENXIO;
1512

1513
	pi = l2cap_pi(sk);
1514
	lock_sock(sk);
1515
	if (chan->mode == L2CAP_MODE_ERTM && !list_empty(&pi->rx_busy)) {
1516
		err = -ENOMEM;
1517
		goto done;
1518
	}
1519

1520
	if (chan->mode != L2CAP_MODE_ERTM &&
1521
	    chan->mode != L2CAP_MODE_STREAMING &&
1522
	    chan->mode != L2CAP_MODE_LE_FLOWCTL &&
1523
	    chan->mode != L2CAP_MODE_EXT_FLOWCTL) {
1524
		/* Even if no filter is attached, we could potentially
1525
		 * get errors from security modules, etc.
1526
		 */
1527
		err = sk_filter(sk, skb);
1528
		if (err)
1529
			goto done;
1530
	}
1531

1532
	err = __sock_queue_rcv_skb(sk, skb);
1533

1534
	l2cap_publish_rx_avail(chan);
1535

1536
	/* For ERTM and LE, handle a skb that doesn't fit into the recv
1537
	 * buffer.  This is important to do because the data frames
1538
	 * have already been acked, so the skb cannot be discarded.
1539
	 *
1540
	 * Notify the l2cap core that the buffer is full, so the
1541
	 * LOCAL_BUSY state is entered and no more frames are
1542
	 * acked and reassembled until there is buffer space
1543
	 * available.
1544
	 */
1545
	if (err < 0 &&
1546
	    (chan->mode == L2CAP_MODE_ERTM ||
1547
	     chan->mode == L2CAP_MODE_LE_FLOWCTL ||
1548
	     chan->mode == L2CAP_MODE_EXT_FLOWCTL)) {
1549
		struct l2cap_rx_busy *rx_busy =
1550
			kmalloc(sizeof(*rx_busy), GFP_KERNEL);
1551
		if (!rx_busy) {
1552
			err = -ENOMEM;
1553
			goto done;
1554
		}
1555
		rx_busy->skb = skb;
1556
		list_add_tail(&rx_busy->list, &pi->rx_busy);
1557
		l2cap_chan_busy(chan, 1);
1558
		err = 0;
1559
	}
1560

1561
done:
1562
	release_sock(sk);
1563

1564
	return err;
1565
}
1566

1567
static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1568
{
1569
	struct sock *sk = chan->data;
1570

1571
	if (!sk)
1572
		return;
1573

1574
	l2cap_sock_kill(sk);
1575
}
1576

1577
static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1578
{
1579
	struct sock *sk = chan->data;
1580
	struct sock *parent;
1581

1582
	if (!sk)
1583
		return;
1584

1585
	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1586

1587
	/* This callback can be called both for server (BT_LISTEN)
1588
	 * sockets as well as "normal" ones. To avoid lockdep warnings
1589
	 * with child socket locking (through l2cap_sock_cleanup_listen)
1590
	 * we need separation into separate nesting levels. The simplest
1591
	 * way to accomplish this is to inherit the nesting level used
1592
	 * for the channel.
1593
	 */
1594
	lock_sock_nested(sk, atomic_read(&chan->nesting));
1595

1596
	parent = bt_sk(sk)->parent;
1597

1598
	switch (chan->state) {
1599
	case BT_OPEN:
1600
	case BT_BOUND:
1601
	case BT_CLOSED:
1602
		break;
1603
	case BT_LISTEN:
1604
		l2cap_sock_cleanup_listen(sk);
1605
		sk->sk_state = BT_CLOSED;
1606
		chan->state = BT_CLOSED;
1607

1608
		break;
1609
	default:
1610
		sk->sk_state = BT_CLOSED;
1611
		chan->state = BT_CLOSED;
1612

1613
		sk->sk_err = err;
1614

1615
		if (parent) {
1616
			bt_accept_unlink(sk);
1617
			parent->sk_data_ready(parent);
1618
		} else {
1619
			sk->sk_state_change(sk);
1620
		}
1621

1622
		break;
1623
	}
1624
	release_sock(sk);
1625

1626
	/* Only zap after cleanup to avoid use after free race */
1627
	sock_set_flag(sk, SOCK_ZAPPED);
1628

1629
}
1630

1631
static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1632
				       int err)
1633
{
1634
	struct sock *sk = chan->data;
1635

1636
	sk->sk_state = state;
1637

1638
	if (err)
1639
		sk->sk_err = err;
1640
}
1641

1642
static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1643
					       unsigned long hdr_len,
1644
					       unsigned long len, int nb)
1645
{
1646
	struct sock *sk = chan->data;
1647
	struct sk_buff *skb;
1648
	int err;
1649

1650
	l2cap_chan_unlock(chan);
1651
	skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1652
	l2cap_chan_lock(chan);
1653

1654
	if (!skb)
1655
		return ERR_PTR(err);
1656

1657
	/* Channel lock is released before requesting new skb and then
1658
	 * reacquired thus we need to recheck channel state.
1659
	 */
1660
	if (chan->state != BT_CONNECTED) {
1661
		kfree_skb(skb);
1662
		return ERR_PTR(-ENOTCONN);
1663
	}
1664

1665
	skb->priority = READ_ONCE(sk->sk_priority);
1666

1667
	bt_cb(skb)->l2cap.chan = chan;
1668

1669
	return skb;
1670
}
1671

1672
static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1673
{
1674
	struct sock *sk = chan->data;
1675
	struct sock *parent;
1676

1677
	lock_sock(sk);
1678

1679
	parent = bt_sk(sk)->parent;
1680

1681
	BT_DBG("sk %p, parent %p", sk, parent);
1682

1683
	sk->sk_state = BT_CONNECTED;
1684
	sk->sk_state_change(sk);
1685

1686
	if (parent)
1687
		parent->sk_data_ready(parent);
1688

1689
	release_sock(sk);
1690
}
1691

1692
static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1693
{
1694
	struct sock *parent, *sk = chan->data;
1695

1696
	lock_sock(sk);
1697

1698
	parent = bt_sk(sk)->parent;
1699
	if (parent)
1700
		parent->sk_data_ready(parent);
1701

1702
	release_sock(sk);
1703
}
1704

1705
static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1706
{
1707
	struct sock *sk = chan->data;
1708

1709
	if (!sk)
1710
		return;
1711

1712
	if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1713
		sk->sk_state = BT_CONNECTED;
1714
		chan->state = BT_CONNECTED;
1715
	}
1716

1717
	clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1718
	sk->sk_state_change(sk);
1719
}
1720

1721
static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1722
{
1723
	struct sock *sk = chan->data;
1724

1725
	lock_sock(sk);
1726
	sk->sk_shutdown = SHUTDOWN_MASK;
1727
	release_sock(sk);
1728
}
1729

1730
static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1731
{
1732
	struct sock *sk = chan->data;
1733

1734
	return READ_ONCE(sk->sk_sndtimeo);
1735
}
1736

1737
static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan)
1738
{
1739
	struct sock *sk = chan->data;
1740

1741
	return sk->sk_peer_pid;
1742
}
1743

1744
static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1745
{
1746
	struct sock *sk = chan->data;
1747

1748
	set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1749
	sk->sk_state_change(sk);
1750
}
1751

1752
static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
1753
{
1754
	struct sock *sk = chan->data;
1755

1756
	switch (chan->mode) {
1757
	case L2CAP_MODE_ERTM:
1758
	case L2CAP_MODE_STREAMING:
1759
		return sk_filter(sk, skb);
1760
	}
1761

1762
	return 0;
1763
}
1764

1765
static const struct l2cap_ops l2cap_chan_ops = {
1766
	.name			= "L2CAP Socket Interface",
1767
	.new_connection		= l2cap_sock_new_connection_cb,
1768
	.recv			= l2cap_sock_recv_cb,
1769
	.close			= l2cap_sock_close_cb,
1770
	.teardown		= l2cap_sock_teardown_cb,
1771
	.state_change		= l2cap_sock_state_change_cb,
1772
	.ready			= l2cap_sock_ready_cb,
1773
	.defer			= l2cap_sock_defer_cb,
1774
	.resume			= l2cap_sock_resume_cb,
1775
	.suspend		= l2cap_sock_suspend_cb,
1776
	.set_shutdown		= l2cap_sock_set_shutdown_cb,
1777
	.get_sndtimeo		= l2cap_sock_get_sndtimeo_cb,
1778
	.get_peer_pid		= l2cap_sock_get_peer_pid_cb,
1779
	.alloc_skb		= l2cap_sock_alloc_skb_cb,
1780
	.filter			= l2cap_sock_filter,
1781
};
1782

1783
static void l2cap_sock_destruct(struct sock *sk)
1784
{
1785
	struct l2cap_rx_busy *rx_busy, *next;
1786

1787
	BT_DBG("sk %p", sk);
1788

1789
	if (l2cap_pi(sk)->chan) {
1790
		l2cap_pi(sk)->chan->data = NULL;
1791
		l2cap_chan_put(l2cap_pi(sk)->chan);
1792
	}
1793

1794
	list_for_each_entry_safe(rx_busy, next, &l2cap_pi(sk)->rx_busy, list) {
1795
		kfree_skb(rx_busy->skb);
1796
		list_del(&rx_busy->list);
1797
		kfree(rx_busy);
1798
	}
1799

1800
	skb_queue_purge(&sk->sk_receive_queue);
1801
	skb_queue_purge(&sk->sk_write_queue);
1802
}
1803

1804
static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1805
			       int *msg_namelen)
1806
{
1807
	DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1808

1809
	memset(la, 0, sizeof(struct sockaddr_l2));
1810
	la->l2_family = AF_BLUETOOTH;
1811
	la->l2_psm = bt_cb(skb)->l2cap.psm;
1812
	bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1813

1814
	*msg_namelen = sizeof(struct sockaddr_l2);
1815
}
1816

1817
static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1818
{
1819
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1820

1821
	BT_DBG("sk %p", sk);
1822

1823
	if (parent) {
1824
		struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1825

1826
		sk->sk_type = parent->sk_type;
1827
		bt_sk(sk)->flags = bt_sk(parent)->flags;
1828

1829
		chan->chan_type = pchan->chan_type;
1830
		chan->imtu = pchan->imtu;
1831
		chan->omtu = pchan->omtu;
1832
		chan->conf_state = pchan->conf_state;
1833
		chan->mode = pchan->mode;
1834
		chan->fcs  = pchan->fcs;
1835
		chan->max_tx = pchan->max_tx;
1836
		chan->tx_win = pchan->tx_win;
1837
		chan->tx_win_max = pchan->tx_win_max;
1838
		chan->sec_level = pchan->sec_level;
1839
		chan->flags = pchan->flags;
1840
		chan->tx_credits = pchan->tx_credits;
1841
		chan->rx_credits = pchan->rx_credits;
1842

1843
		if (chan->chan_type == L2CAP_CHAN_FIXED) {
1844
			chan->scid = pchan->scid;
1845
			chan->dcid = pchan->scid;
1846
		}
1847

1848
		security_sk_clone(parent, sk);
1849
	} else {
1850
		switch (sk->sk_type) {
1851
		case SOCK_RAW:
1852
			chan->chan_type = L2CAP_CHAN_RAW;
1853
			break;
1854
		case SOCK_DGRAM:
1855
			chan->chan_type = L2CAP_CHAN_CONN_LESS;
1856
			bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1857
			break;
1858
		case SOCK_SEQPACKET:
1859
		case SOCK_STREAM:
1860
			chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1861
			break;
1862
		}
1863

1864
		chan->imtu = L2CAP_DEFAULT_MTU;
1865
		chan->omtu = 0;
1866
		if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1867
			chan->mode = L2CAP_MODE_ERTM;
1868
			set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1869
		} else {
1870
			chan->mode = L2CAP_MODE_BASIC;
1871
		}
1872

1873
		l2cap_chan_set_defaults(chan);
1874
	}
1875

1876
	/* Default config options */
1877
	chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1878

1879
	chan->data = sk;
1880
	chan->ops = &l2cap_chan_ops;
1881

1882
	l2cap_publish_rx_avail(chan);
1883
}
1884

1885
static struct proto l2cap_proto = {
1886
	.name		= "L2CAP",
1887
	.owner		= THIS_MODULE,
1888
	.obj_size	= sizeof(struct l2cap_pinfo)
1889
};
1890

1891
static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1892
				     int proto, gfp_t prio, int kern)
1893
{
1894
	struct sock *sk;
1895
	struct l2cap_chan *chan;
1896

1897
	sk = bt_sock_alloc(net, sock, &l2cap_proto, proto, prio, kern);
1898
	if (!sk)
1899
		return NULL;
1900

1901
	sk->sk_destruct = l2cap_sock_destruct;
1902
	sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1903

1904
	INIT_LIST_HEAD(&l2cap_pi(sk)->rx_busy);
1905

1906
	chan = l2cap_chan_create();
1907
	if (!chan) {
1908
		sk_free(sk);
1909
		if (sock)
1910
			sock->sk = NULL;
1911
		return NULL;
1912
	}
1913

1914
	l2cap_chan_hold(chan);
1915

1916
	l2cap_pi(sk)->chan = chan;
1917

1918
	return sk;
1919
}
1920

1921
static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1922
			     int kern)
1923
{
1924
	struct sock *sk;
1925

1926
	BT_DBG("sock %p", sock);
1927

1928
	sock->state = SS_UNCONNECTED;
1929

1930
	if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1931
	    sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1932
		return -ESOCKTNOSUPPORT;
1933

1934
	if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1935
		return -EPERM;
1936

1937
	sock->ops = &l2cap_sock_ops;
1938

1939
	sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1940
	if (!sk)
1941
		return -ENOMEM;
1942

1943
	l2cap_sock_init(sk, NULL);
1944
	bt_sock_link(&l2cap_sk_list, sk);
1945
	return 0;
1946
}
1947

1948
static const struct proto_ops l2cap_sock_ops = {
1949
	.family		= PF_BLUETOOTH,
1950
	.owner		= THIS_MODULE,
1951
	.release	= l2cap_sock_release,
1952
	.bind		= l2cap_sock_bind,
1953
	.connect	= l2cap_sock_connect,
1954
	.listen		= l2cap_sock_listen,
1955
	.accept		= l2cap_sock_accept,
1956
	.getname	= l2cap_sock_getname,
1957
	.sendmsg	= l2cap_sock_sendmsg,
1958
	.recvmsg	= l2cap_sock_recvmsg,
1959
	.poll		= bt_sock_poll,
1960
	.ioctl		= bt_sock_ioctl,
1961
	.gettstamp	= sock_gettstamp,
1962
	.mmap		= sock_no_mmap,
1963
	.socketpair	= sock_no_socketpair,
1964
	.shutdown	= l2cap_sock_shutdown,
1965
	.setsockopt	= l2cap_sock_setsockopt,
1966
	.getsockopt	= l2cap_sock_getsockopt
1967
};
1968

1969
static const struct net_proto_family l2cap_sock_family_ops = {
1970
	.family	= PF_BLUETOOTH,
1971
	.owner	= THIS_MODULE,
1972
	.create	= l2cap_sock_create,
1973
};
1974

1975
int __init l2cap_init_sockets(void)
1976
{
1977
	int err;
1978

1979
	BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1980

1981
	err = proto_register(&l2cap_proto, 0);
1982
	if (err < 0)
1983
		return err;
1984

1985
	err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1986
	if (err < 0) {
1987
		BT_ERR("L2CAP socket registration failed");
1988
		goto error;
1989
	}
1990

1991
	err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1992
			     NULL);
1993
	if (err < 0) {
1994
		BT_ERR("Failed to create L2CAP proc file");
1995
		bt_sock_unregister(BTPROTO_L2CAP);
1996
		goto error;
1997
	}
1998

1999
	BT_INFO("L2CAP socket layer initialized");
2000

2001
	return 0;
2002

2003
error:
2004
	proto_unregister(&l2cap_proto);
2005
	return err;
2006
}
2007

2008
void l2cap_cleanup_sockets(void)
2009
{
2010
	bt_procfs_cleanup(&init_net, "l2cap");
2011
	bt_sock_unregister(BTPROTO_L2CAP);
2012
	proto_unregister(&l2cap_proto);
2013
}
2014

2015
Product

Resources

Company
