net/bluetooth/l2cap_sock.c at v6.5-rc1

tjh.dev / kernel
fork
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork
kernel / net / bluetooth / l2cap_sock.c
at v6.5-rc1 1981 lines 43 kB view raw
wrap content
   1/*
   2   BlueZ - Bluetooth protocol stack for Linux
   3   Copyright (C) 2000-2001 Qualcomm Incorporated
   4   Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
   5   Copyright (C) 2010 Google Inc.
   6   Copyright (C) 2011 ProFUSION Embedded Systems
   7
   8   Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
   9
  10   This program is free software; you can redistribute it and/or modify
  11   it under the terms of the GNU General Public License version 2 as
  12   published by the Free Software Foundation;
  13
  14   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  15   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  16   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  17   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  18   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  19   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  20   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  21   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  22
  23   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  24   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  25   SOFTWARE IS DISCLAIMED.
  26*/
  27
  28/* Bluetooth L2CAP sockets. */
  29
  30#include <linux/module.h>
  31#include <linux/export.h>
  32#include <linux/filter.h>
  33#include <linux/sched/signal.h>
  34
  35#include <net/bluetooth/bluetooth.h>
  36#include <net/bluetooth/hci_core.h>
  37#include <net/bluetooth/l2cap.h>
  38
  39#include "smp.h"
  40
  41static struct bt_sock_list l2cap_sk_list = {
  42	.lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
  43};
  44
  45static const struct proto_ops l2cap_sock_ops;
  46static void l2cap_sock_init(struct sock *sk, struct sock *parent);
  47static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
  48				     int proto, gfp_t prio, int kern);
  49static void l2cap_sock_cleanup_listen(struct sock *parent);
  50
  51bool l2cap_is_socket(struct socket *sock)
  52{
  53	return sock && sock->ops == &l2cap_sock_ops;
  54}
  55EXPORT_SYMBOL(l2cap_is_socket);
  56
  57static int l2cap_validate_bredr_psm(u16 psm)
  58{
  59	/* PSM must be odd and lsb of upper byte must be 0 */
  60	if ((psm & 0x0101) != 0x0001)
  61		return -EINVAL;
  62
  63	/* Restrict usage of well-known PSMs */
  64	if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
  65		return -EACCES;
  66
  67	return 0;
  68}
  69
  70static int l2cap_validate_le_psm(u16 psm)
  71{
  72	/* Valid LE_PSM ranges are defined only until 0x00ff */
  73	if (psm > L2CAP_PSM_LE_DYN_END)
  74		return -EINVAL;
  75
  76	/* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
  77	if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
  78		return -EACCES;
  79
  80	return 0;
  81}
  82
  83static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
  84{
  85	struct sock *sk = sock->sk;
  86	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
  87	struct sockaddr_l2 la;
  88	int len, err = 0;
  89
  90	BT_DBG("sk %p", sk);
  91
  92	if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
  93	    addr->sa_family != AF_BLUETOOTH)
  94		return -EINVAL;
  95
  96	memset(&la, 0, sizeof(la));
  97	len = min_t(unsigned int, sizeof(la), alen);
  98	memcpy(&la, addr, len);
  99
 100	if (la.l2_cid && la.l2_psm)
 101		return -EINVAL;
 102
 103	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
 104		return -EINVAL;
 105
 106	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
 107		/* We only allow ATT user space socket */
 108		if (la.l2_cid &&
 109		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
 110			return -EINVAL;
 111	}
 112
 113	lock_sock(sk);
 114
 115	if (sk->sk_state != BT_OPEN) {
 116		err = -EBADFD;
 117		goto done;
 118	}
 119
 120	if (la.l2_psm) {
 121		__u16 psm = __le16_to_cpu(la.l2_psm);
 122
 123		if (la.l2_bdaddr_type == BDADDR_BREDR)
 124			err = l2cap_validate_bredr_psm(psm);
 125		else
 126			err = l2cap_validate_le_psm(psm);
 127
 128		if (err)
 129			goto done;
 130	}
 131
 132	bacpy(&chan->src, &la.l2_bdaddr);
 133	chan->src_type = la.l2_bdaddr_type;
 134
 135	if (la.l2_cid)
 136		err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
 137	else
 138		err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
 139
 140	if (err < 0)
 141		goto done;
 142
 143	switch (chan->chan_type) {
 144	case L2CAP_CHAN_CONN_LESS:
 145		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
 146			chan->sec_level = BT_SECURITY_SDP;
 147		break;
 148	case L2CAP_CHAN_CONN_ORIENTED:
 149		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
 150		    __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
 151			chan->sec_level = BT_SECURITY_SDP;
 152		break;
 153	case L2CAP_CHAN_RAW:
 154		chan->sec_level = BT_SECURITY_SDP;
 155		break;
 156	case L2CAP_CHAN_FIXED:
 157		/* Fixed channels default to the L2CAP core not holding a
 158		 * hci_conn reference for them. For fixed channels mapping to
 159		 * L2CAP sockets we do want to hold a reference so set the
 160		 * appropriate flag to request it.
 161		 */
 162		set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
 163		break;
 164	}
 165
 166	/* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
 167	 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
 168	 */
 169	if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
 170	    chan->mode != L2CAP_MODE_EXT_FLOWCTL)
 171		chan->mode = L2CAP_MODE_LE_FLOWCTL;
 172
 173	chan->state = BT_BOUND;
 174	sk->sk_state = BT_BOUND;
 175
 176done:
 177	release_sock(sk);
 178	return err;
 179}
 180
 181static void l2cap_sock_init_pid(struct sock *sk)
 182{
 183	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
 184
 185	/* Only L2CAP_MODE_EXT_FLOWCTL ever need to access the PID in order to
 186	 * group the channels being requested.
 187	 */
 188	if (chan->mode != L2CAP_MODE_EXT_FLOWCTL)
 189		return;
 190
 191	spin_lock(&sk->sk_peer_lock);
 192	sk->sk_peer_pid = get_pid(task_tgid(current));
 193	spin_unlock(&sk->sk_peer_lock);
 194}
 195
 196static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
 197			      int alen, int flags)
 198{
 199	struct sock *sk = sock->sk;
 200	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
 201	struct sockaddr_l2 la;
 202	int len, err = 0;
 203	bool zapped;
 204
 205	BT_DBG("sk %p", sk);
 206
 207	lock_sock(sk);
 208	zapped = sock_flag(sk, SOCK_ZAPPED);
 209	release_sock(sk);
 210
 211	if (zapped)
 212		return -EINVAL;
 213
 214	if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
 215	    addr->sa_family != AF_BLUETOOTH)
 216		return -EINVAL;
 217
 218	memset(&la, 0, sizeof(la));
 219	len = min_t(unsigned int, sizeof(la), alen);
 220	memcpy(&la, addr, len);
 221
 222	if (la.l2_cid && la.l2_psm)
 223		return -EINVAL;
 224
 225	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
 226		return -EINVAL;
 227
 228	/* Check that the socket wasn't bound to something that
 229	 * conflicts with the address given to connect(). If chan->src
 230	 * is BDADDR_ANY it means bind() was never used, in which case
 231	 * chan->src_type and la.l2_bdaddr_type do not need to match.
 232	 */
 233	if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
 234	    bdaddr_type_is_le(la.l2_bdaddr_type)) {
 235		/* Old user space versions will try to incorrectly bind
 236		 * the ATT socket using BDADDR_BREDR. We need to accept
 237		 * this and fix up the source address type only when
 238		 * both the source CID and destination CID indicate
 239		 * ATT. Anything else is an invalid combination.
 240		 */
 241		if (chan->scid != L2CAP_CID_ATT ||
 242		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
 243			return -EINVAL;
 244
 245		/* We don't have the hdev available here to make a
 246		 * better decision on random vs public, but since all
 247		 * user space versions that exhibit this issue anyway do
 248		 * not support random local addresses assuming public
 249		 * here is good enough.
 250		 */
 251		chan->src_type = BDADDR_LE_PUBLIC;
 252	}
 253
 254	if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
 255		return -EINVAL;
 256
 257	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
 258		/* We only allow ATT user space socket */
 259		if (la.l2_cid &&
 260		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
 261			return -EINVAL;
 262	}
 263
 264	/* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
 265	 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
 266	 */
 267	if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
 268	    chan->mode != L2CAP_MODE_EXT_FLOWCTL)
 269		chan->mode = L2CAP_MODE_LE_FLOWCTL;
 270
 271	l2cap_sock_init_pid(sk);
 272
 273	err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
 274				 &la.l2_bdaddr, la.l2_bdaddr_type);
 275	if (err)
 276		return err;
 277
 278	lock_sock(sk);
 279
 280	err = bt_sock_wait_state(sk, BT_CONNECTED,
 281				 sock_sndtimeo(sk, flags & O_NONBLOCK));
 282
 283	release_sock(sk);
 284
 285	return err;
 286}
 287
 288static int l2cap_sock_listen(struct socket *sock, int backlog)
 289{
 290	struct sock *sk = sock->sk;
 291	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
 292	int err = 0;
 293
 294	BT_DBG("sk %p backlog %d", sk, backlog);
 295
 296	lock_sock(sk);
 297
 298	if (sk->sk_state != BT_BOUND) {
 299		err = -EBADFD;
 300		goto done;
 301	}
 302
 303	if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
 304		err = -EINVAL;
 305		goto done;
 306	}
 307
 308	switch (chan->mode) {
 309	case L2CAP_MODE_BASIC:
 310	case L2CAP_MODE_LE_FLOWCTL:
 311		break;
 312	case L2CAP_MODE_EXT_FLOWCTL:
 313		if (!enable_ecred) {
 314			err = -EOPNOTSUPP;
 315			goto done;
 316		}
 317		break;
 318	case L2CAP_MODE_ERTM:
 319	case L2CAP_MODE_STREAMING:
 320		if (!disable_ertm)
 321			break;
 322		fallthrough;
 323	default:
 324		err = -EOPNOTSUPP;
 325		goto done;
 326	}
 327
 328	l2cap_sock_init_pid(sk);
 329
 330	sk->sk_max_ack_backlog = backlog;
 331	sk->sk_ack_backlog = 0;
 332
 333	/* Listening channels need to use nested locking in order not to
 334	 * cause lockdep warnings when the created child channels end up
 335	 * being locked in the same thread as the parent channel.
 336	 */
 337	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
 338
 339	chan->state = BT_LISTEN;
 340	sk->sk_state = BT_LISTEN;
 341
 342done:
 343	release_sock(sk);
 344	return err;
 345}
 346
 347static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
 348			     int flags, bool kern)
 349{
 350	DEFINE_WAIT_FUNC(wait, woken_wake_function);
 351	struct sock *sk = sock->sk, *nsk;
 352	long timeo;
 353	int err = 0;
 354
 355	lock_sock_nested(sk, L2CAP_NESTING_PARENT);
 356
 357	timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
 358
 359	BT_DBG("sk %p timeo %ld", sk, timeo);
 360
 361	/* Wait for an incoming connection. (wake-one). */
 362	add_wait_queue_exclusive(sk_sleep(sk), &wait);
 363	while (1) {
 364		if (sk->sk_state != BT_LISTEN) {
 365			err = -EBADFD;
 366			break;
 367		}
 368
 369		nsk = bt_accept_dequeue(sk, newsock);
 370		if (nsk)
 371			break;
 372
 373		if (!timeo) {
 374			err = -EAGAIN;
 375			break;
 376		}
 377
 378		if (signal_pending(current)) {
 379			err = sock_intr_errno(timeo);
 380			break;
 381		}
 382
 383		release_sock(sk);
 384
 385		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
 386
 387		lock_sock_nested(sk, L2CAP_NESTING_PARENT);
 388	}
 389	remove_wait_queue(sk_sleep(sk), &wait);
 390
 391	if (err)
 392		goto done;
 393
 394	newsock->state = SS_CONNECTED;
 395
 396	BT_DBG("new socket %p", nsk);
 397
 398done:
 399	release_sock(sk);
 400	return err;
 401}
 402
 403static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
 404			      int peer)
 405{
 406	struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
 407	struct sock *sk = sock->sk;
 408	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
 409
 410	BT_DBG("sock %p, sk %p", sock, sk);
 411
 412	if (peer && sk->sk_state != BT_CONNECTED &&
 413	    sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
 414	    sk->sk_state != BT_CONFIG)
 415		return -ENOTCONN;
 416
 417	memset(la, 0, sizeof(struct sockaddr_l2));
 418	addr->sa_family = AF_BLUETOOTH;
 419
 420	la->l2_psm = chan->psm;
 421
 422	if (peer) {
 423		bacpy(&la->l2_bdaddr, &chan->dst);
 424		la->l2_cid = cpu_to_le16(chan->dcid);
 425		la->l2_bdaddr_type = chan->dst_type;
 426	} else {
 427		bacpy(&la->l2_bdaddr, &chan->src);
 428		la->l2_cid = cpu_to_le16(chan->scid);
 429		la->l2_bdaddr_type = chan->src_type;
 430	}
 431
 432	return sizeof(struct sockaddr_l2);
 433}
 434
 435static int l2cap_get_mode(struct l2cap_chan *chan)
 436{
 437	switch (chan->mode) {
 438	case L2CAP_MODE_BASIC:
 439		return BT_MODE_BASIC;
 440	case L2CAP_MODE_ERTM:
 441		return BT_MODE_ERTM;
 442	case L2CAP_MODE_STREAMING:
 443		return BT_MODE_STREAMING;
 444	case L2CAP_MODE_LE_FLOWCTL:
 445		return BT_MODE_LE_FLOWCTL;
 446	case L2CAP_MODE_EXT_FLOWCTL:
 447		return BT_MODE_EXT_FLOWCTL;
 448	}
 449
 450	return -EINVAL;
 451}
 452
 453static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
 454				     char __user *optval, int __user *optlen)
 455{
 456	struct sock *sk = sock->sk;
 457	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
 458	struct l2cap_options opts;
 459	struct l2cap_conninfo cinfo;
 460	int len, err = 0;
 461	u32 opt;
 462
 463	BT_DBG("sk %p", sk);
 464
 465	if (get_user(len, optlen))
 466		return -EFAULT;
 467
 468	lock_sock(sk);
 469
 470	switch (optname) {
 471	case L2CAP_OPTIONS:
 472		/* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
 473		 * legacy ATT code depends on getsockopt for
 474		 * L2CAP_OPTIONS we need to let this pass.
 475		 */
 476		if (bdaddr_type_is_le(chan->src_type) &&
 477		    chan->scid != L2CAP_CID_ATT) {
 478			err = -EINVAL;
 479			break;
 480		}
 481
 482		/* Only BR/EDR modes are supported here */
 483		switch (chan->mode) {
 484		case L2CAP_MODE_BASIC:
 485		case L2CAP_MODE_ERTM:
 486		case L2CAP_MODE_STREAMING:
 487			break;
 488		default:
 489			err = -EINVAL;
 490			break;
 491		}
 492
 493		if (err < 0)
 494			break;
 495
 496		memset(&opts, 0, sizeof(opts));
 497		opts.imtu     = chan->imtu;
 498		opts.omtu     = chan->omtu;
 499		opts.flush_to = chan->flush_to;
 500		opts.mode     = chan->mode;
 501		opts.fcs      = chan->fcs;
 502		opts.max_tx   = chan->max_tx;
 503		opts.txwin_size = chan->tx_win;
 504
 505		BT_DBG("mode 0x%2.2x", chan->mode);
 506
 507		len = min_t(unsigned int, len, sizeof(opts));
 508		if (copy_to_user(optval, (char *) &opts, len))
 509			err = -EFAULT;
 510
 511		break;
 512
 513	case L2CAP_LM:
 514		switch (chan->sec_level) {
 515		case BT_SECURITY_LOW:
 516			opt = L2CAP_LM_AUTH;
 517			break;
 518		case BT_SECURITY_MEDIUM:
 519			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
 520			break;
 521		case BT_SECURITY_HIGH:
 522			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
 523			      L2CAP_LM_SECURE;
 524			break;
 525		case BT_SECURITY_FIPS:
 526			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
 527			      L2CAP_LM_SECURE | L2CAP_LM_FIPS;
 528			break;
 529		default:
 530			opt = 0;
 531			break;
 532		}
 533
 534		if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
 535			opt |= L2CAP_LM_MASTER;
 536
 537		if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
 538			opt |= L2CAP_LM_RELIABLE;
 539
 540		if (put_user(opt, (u32 __user *) optval))
 541			err = -EFAULT;
 542
 543		break;
 544
 545	case L2CAP_CONNINFO:
 546		if (sk->sk_state != BT_CONNECTED &&
 547		    !(sk->sk_state == BT_CONNECT2 &&
 548		      test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
 549			err = -ENOTCONN;
 550			break;
 551		}
 552
 553		memset(&cinfo, 0, sizeof(cinfo));
 554		cinfo.hci_handle = chan->conn->hcon->handle;
 555		memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
 556
 557		len = min_t(unsigned int, len, sizeof(cinfo));
 558		if (copy_to_user(optval, (char *) &cinfo, len))
 559			err = -EFAULT;
 560
 561		break;
 562
 563	default:
 564		err = -ENOPROTOOPT;
 565		break;
 566	}
 567
 568	release_sock(sk);
 569	return err;
 570}
 571
 572static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
 573				 char __user *optval, int __user *optlen)
 574{
 575	struct sock *sk = sock->sk;
 576	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
 577	struct bt_security sec;
 578	struct bt_power pwr;
 579	u32 phys;
 580	int len, mode, err = 0;
 581
 582	BT_DBG("sk %p", sk);
 583
 584	if (level == SOL_L2CAP)
 585		return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
 586
 587	if (level != SOL_BLUETOOTH)
 588		return -ENOPROTOOPT;
 589
 590	if (get_user(len, optlen))
 591		return -EFAULT;
 592
 593	lock_sock(sk);
 594
 595	switch (optname) {
 596	case BT_SECURITY:
 597		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
 598		    chan->chan_type != L2CAP_CHAN_FIXED &&
 599		    chan->chan_type != L2CAP_CHAN_RAW) {
 600			err = -EINVAL;
 601			break;
 602		}
 603
 604		memset(&sec, 0, sizeof(sec));
 605		if (chan->conn) {
 606			sec.level = chan->conn->hcon->sec_level;
 607
 608			if (sk->sk_state == BT_CONNECTED)
 609				sec.key_size = chan->conn->hcon->enc_key_size;
 610		} else {
 611			sec.level = chan->sec_level;
 612		}
 613
 614		len = min_t(unsigned int, len, sizeof(sec));
 615		if (copy_to_user(optval, (char *) &sec, len))
 616			err = -EFAULT;
 617
 618		break;
 619
 620	case BT_DEFER_SETUP:
 621		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
 622			err = -EINVAL;
 623			break;
 624		}
 625
 626		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
 627			     (u32 __user *) optval))
 628			err = -EFAULT;
 629
 630		break;
 631
 632	case BT_FLUSHABLE:
 633		if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
 634			     (u32 __user *) optval))
 635			err = -EFAULT;
 636
 637		break;
 638
 639	case BT_POWER:
 640		if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
 641		    && sk->sk_type != SOCK_RAW) {
 642			err = -EINVAL;
 643			break;
 644		}
 645
 646		pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
 647
 648		len = min_t(unsigned int, len, sizeof(pwr));
 649		if (copy_to_user(optval, (char *) &pwr, len))
 650			err = -EFAULT;
 651
 652		break;
 653
 654	case BT_CHANNEL_POLICY:
 655		if (put_user(chan->chan_policy, (u32 __user *) optval))
 656			err = -EFAULT;
 657		break;
 658
 659	case BT_SNDMTU:
 660		if (!bdaddr_type_is_le(chan->src_type)) {
 661			err = -EINVAL;
 662			break;
 663		}
 664
 665		if (sk->sk_state != BT_CONNECTED) {
 666			err = -ENOTCONN;
 667			break;
 668		}
 669
 670		if (put_user(chan->omtu, (u16 __user *) optval))
 671			err = -EFAULT;
 672		break;
 673
 674	case BT_RCVMTU:
 675		if (!bdaddr_type_is_le(chan->src_type)) {
 676			err = -EINVAL;
 677			break;
 678		}
 679
 680		if (put_user(chan->imtu, (u16 __user *) optval))
 681			err = -EFAULT;
 682		break;
 683
 684	case BT_PHY:
 685		if (sk->sk_state != BT_CONNECTED) {
 686			err = -ENOTCONN;
 687			break;
 688		}
 689
 690		phys = hci_conn_get_phy(chan->conn->hcon);
 691
 692		if (put_user(phys, (u32 __user *) optval))
 693			err = -EFAULT;
 694		break;
 695
 696	case BT_MODE:
 697		if (!enable_ecred) {
 698			err = -ENOPROTOOPT;
 699			break;
 700		}
 701
 702		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
 703			err = -EINVAL;
 704			break;
 705		}
 706
 707		mode = l2cap_get_mode(chan);
 708		if (mode < 0) {
 709			err = mode;
 710			break;
 711		}
 712
 713		if (put_user(mode, (u8 __user *) optval))
 714			err = -EFAULT;
 715		break;
 716
 717	default:
 718		err = -ENOPROTOOPT;
 719		break;
 720	}
 721
 722	release_sock(sk);
 723	return err;
 724}
 725
 726static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
 727{
 728	switch (chan->scid) {
 729	case L2CAP_CID_ATT:
 730		if (mtu < L2CAP_LE_MIN_MTU)
 731			return false;
 732		break;
 733
 734	default:
 735		if (mtu < L2CAP_DEFAULT_MIN_MTU)
 736			return false;
 737	}
 738
 739	return true;
 740}
 741
 742static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
 743				     sockptr_t optval, unsigned int optlen)
 744{
 745	struct sock *sk = sock->sk;
 746	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
 747	struct l2cap_options opts;
 748	int len, err = 0;
 749	u32 opt;
 750
 751	BT_DBG("sk %p", sk);
 752
 753	lock_sock(sk);
 754
 755	switch (optname) {
 756	case L2CAP_OPTIONS:
 757		if (bdaddr_type_is_le(chan->src_type)) {
 758			err = -EINVAL;
 759			break;
 760		}
 761
 762		if (sk->sk_state == BT_CONNECTED) {
 763			err = -EINVAL;
 764			break;
 765		}
 766
 767		opts.imtu     = chan->imtu;
 768		opts.omtu     = chan->omtu;
 769		opts.flush_to = chan->flush_to;
 770		opts.mode     = chan->mode;
 771		opts.fcs      = chan->fcs;
 772		opts.max_tx   = chan->max_tx;
 773		opts.txwin_size = chan->tx_win;
 774
 775		len = min_t(unsigned int, sizeof(opts), optlen);
 776		if (copy_from_sockptr(&opts, optval, len)) {
 777			err = -EFAULT;
 778			break;
 779		}
 780
 781		if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
 782			err = -EINVAL;
 783			break;
 784		}
 785
 786		if (!l2cap_valid_mtu(chan, opts.imtu)) {
 787			err = -EINVAL;
 788			break;
 789		}
 790
 791		/* Only BR/EDR modes are supported here */
 792		switch (opts.mode) {
 793		case L2CAP_MODE_BASIC:
 794			clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
 795			break;
 796		case L2CAP_MODE_ERTM:
 797		case L2CAP_MODE_STREAMING:
 798			if (!disable_ertm)
 799				break;
 800			fallthrough;
 801		default:
 802			err = -EINVAL;
 803			break;
 804		}
 805
 806		if (err < 0)
 807			break;
 808
 809		chan->mode = opts.mode;
 810
 811		BT_DBG("mode 0x%2.2x", chan->mode);
 812
 813		chan->imtu = opts.imtu;
 814		chan->omtu = opts.omtu;
 815		chan->fcs  = opts.fcs;
 816		chan->max_tx = opts.max_tx;
 817		chan->tx_win = opts.txwin_size;
 818		chan->flush_to = opts.flush_to;
 819		break;
 820
 821	case L2CAP_LM:
 822		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
 823			err = -EFAULT;
 824			break;
 825		}
 826
 827		if (opt & L2CAP_LM_FIPS) {
 828			err = -EINVAL;
 829			break;
 830		}
 831
 832		if (opt & L2CAP_LM_AUTH)
 833			chan->sec_level = BT_SECURITY_LOW;
 834		if (opt & L2CAP_LM_ENCRYPT)
 835			chan->sec_level = BT_SECURITY_MEDIUM;
 836		if (opt & L2CAP_LM_SECURE)
 837			chan->sec_level = BT_SECURITY_HIGH;
 838
 839		if (opt & L2CAP_LM_MASTER)
 840			set_bit(FLAG_ROLE_SWITCH, &chan->flags);
 841		else
 842			clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
 843
 844		if (opt & L2CAP_LM_RELIABLE)
 845			set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
 846		else
 847			clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
 848		break;
 849
 850	default:
 851		err = -ENOPROTOOPT;
 852		break;
 853	}
 854
 855	release_sock(sk);
 856	return err;
 857}
 858
 859static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode)
 860{
 861	switch (mode) {
 862	case BT_MODE_BASIC:
 863		if (bdaddr_type_is_le(chan->src_type))
 864			return -EINVAL;
 865		mode = L2CAP_MODE_BASIC;
 866		clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
 867		break;
 868	case BT_MODE_ERTM:
 869		if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
 870			return -EINVAL;
 871		mode = L2CAP_MODE_ERTM;
 872		break;
 873	case BT_MODE_STREAMING:
 874		if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
 875			return -EINVAL;
 876		mode = L2CAP_MODE_STREAMING;
 877		break;
 878	case BT_MODE_LE_FLOWCTL:
 879		if (!bdaddr_type_is_le(chan->src_type))
 880			return -EINVAL;
 881		mode = L2CAP_MODE_LE_FLOWCTL;
 882		break;
 883	case BT_MODE_EXT_FLOWCTL:
 884		/* TODO: Add support for ECRED PDUs to BR/EDR */
 885		if (!bdaddr_type_is_le(chan->src_type))
 886			return -EINVAL;
 887		mode = L2CAP_MODE_EXT_FLOWCTL;
 888		break;
 889	default:
 890		return -EINVAL;
 891	}
 892
 893	chan->mode = mode;
 894
 895	return 0;
 896}
 897
 898static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
 899				 sockptr_t optval, unsigned int optlen)
 900{
 901	struct sock *sk = sock->sk;
 902	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
 903	struct bt_security sec;
 904	struct bt_power pwr;
 905	struct l2cap_conn *conn;
 906	int len, err = 0;
 907	u32 opt;
 908	u16 mtu;
 909	u8 mode;
 910
 911	BT_DBG("sk %p", sk);
 912
 913	if (level == SOL_L2CAP)
 914		return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
 915
 916	if (level != SOL_BLUETOOTH)
 917		return -ENOPROTOOPT;
 918
 919	lock_sock(sk);
 920
 921	switch (optname) {
 922	case BT_SECURITY:
 923		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
 924		    chan->chan_type != L2CAP_CHAN_FIXED &&
 925		    chan->chan_type != L2CAP_CHAN_RAW) {
 926			err = -EINVAL;
 927			break;
 928		}
 929
 930		sec.level = BT_SECURITY_LOW;
 931
 932		len = min_t(unsigned int, sizeof(sec), optlen);
 933		if (copy_from_sockptr(&sec, optval, len)) {
 934			err = -EFAULT;
 935			break;
 936		}
 937
 938		if (sec.level < BT_SECURITY_LOW ||
 939		    sec.level > BT_SECURITY_FIPS) {
 940			err = -EINVAL;
 941			break;
 942		}
 943
 944		chan->sec_level = sec.level;
 945
 946		if (!chan->conn)
 947			break;
 948
 949		conn = chan->conn;
 950
 951		/* change security for LE channels */
 952		if (chan->scid == L2CAP_CID_ATT) {
 953			if (smp_conn_security(conn->hcon, sec.level)) {
 954				err = -EINVAL;
 955				break;
 956			}
 957
 958			set_bit(FLAG_PENDING_SECURITY, &chan->flags);
 959			sk->sk_state = BT_CONFIG;
 960			chan->state = BT_CONFIG;
 961
 962		/* or for ACL link */
 963		} else if ((sk->sk_state == BT_CONNECT2 &&
 964			    test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
 965			   sk->sk_state == BT_CONNECTED) {
 966			if (!l2cap_chan_check_security(chan, true))
 967				set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
 968			else
 969				sk->sk_state_change(sk);
 970		} else {
 971			err = -EINVAL;
 972		}
 973		break;
 974
 975	case BT_DEFER_SETUP:
 976		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
 977			err = -EINVAL;
 978			break;
 979		}
 980
 981		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
 982			err = -EFAULT;
 983			break;
 984		}
 985
 986		if (opt) {
 987			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
 988			set_bit(FLAG_DEFER_SETUP, &chan->flags);
 989		} else {
 990			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
 991			clear_bit(FLAG_DEFER_SETUP, &chan->flags);
 992		}
 993		break;
 994
 995	case BT_FLUSHABLE:
 996		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
 997			err = -EFAULT;
 998			break;
 999		}
1000
1001		if (opt > BT_FLUSHABLE_ON) {
1002			err = -EINVAL;
1003			break;
1004		}
1005
1006		if (opt == BT_FLUSHABLE_OFF) {
1007			conn = chan->conn;
1008			/* proceed further only when we have l2cap_conn and
1009			   No Flush support in the LM */
1010			if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
1011				err = -EINVAL;
1012				break;
1013			}
1014		}
1015
1016		if (opt)
1017			set_bit(FLAG_FLUSHABLE, &chan->flags);
1018		else
1019			clear_bit(FLAG_FLUSHABLE, &chan->flags);
1020		break;
1021
1022	case BT_POWER:
1023		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
1024		    chan->chan_type != L2CAP_CHAN_RAW) {
1025			err = -EINVAL;
1026			break;
1027		}
1028
1029		pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
1030
1031		len = min_t(unsigned int, sizeof(pwr), optlen);
1032		if (copy_from_sockptr(&pwr, optval, len)) {
1033			err = -EFAULT;
1034			break;
1035		}
1036
1037		if (pwr.force_active)
1038			set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1039		else
1040			clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1041		break;
1042
1043	case BT_CHANNEL_POLICY:
1044		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
1045			err = -EFAULT;
1046			break;
1047		}
1048
1049		if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
1050			err = -EINVAL;
1051			break;
1052		}
1053
1054		if (chan->mode != L2CAP_MODE_ERTM &&
1055		    chan->mode != L2CAP_MODE_STREAMING) {
1056			err = -EOPNOTSUPP;
1057			break;
1058		}
1059
1060		chan->chan_policy = (u8) opt;
1061
1062		if (sk->sk_state == BT_CONNECTED &&
1063		    chan->move_role == L2CAP_MOVE_ROLE_NONE)
1064			l2cap_move_start(chan);
1065
1066		break;
1067
1068	case BT_SNDMTU:
1069		if (!bdaddr_type_is_le(chan->src_type)) {
1070			err = -EINVAL;
1071			break;
1072		}
1073
1074		/* Setting is not supported as it's the remote side that
1075		 * decides this.
1076		 */
1077		err = -EPERM;
1078		break;
1079
1080	case BT_RCVMTU:
1081		if (!bdaddr_type_is_le(chan->src_type)) {
1082			err = -EINVAL;
1083			break;
1084		}
1085
1086		if (chan->mode == L2CAP_MODE_LE_FLOWCTL &&
1087		    sk->sk_state == BT_CONNECTED) {
1088			err = -EISCONN;
1089			break;
1090		}
1091
1092		if (copy_from_sockptr(&mtu, optval, sizeof(u16))) {
1093			err = -EFAULT;
1094			break;
1095		}
1096
1097		if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
1098		    sk->sk_state == BT_CONNECTED)
1099			err = l2cap_chan_reconfigure(chan, mtu);
1100		else
1101			chan->imtu = mtu;
1102
1103		break;
1104
1105	case BT_MODE:
1106		if (!enable_ecred) {
1107			err = -ENOPROTOOPT;
1108			break;
1109		}
1110
1111		BT_DBG("sk->sk_state %u", sk->sk_state);
1112
1113		if (sk->sk_state != BT_BOUND) {
1114			err = -EINVAL;
1115			break;
1116		}
1117
1118		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1119			err = -EINVAL;
1120			break;
1121		}
1122
1123		if (copy_from_sockptr(&mode, optval, sizeof(u8))) {
1124			err = -EFAULT;
1125			break;
1126		}
1127
1128		BT_DBG("mode %u", mode);
1129
1130		err = l2cap_set_mode(chan, mode);
1131		if (err)
1132			break;
1133
1134		BT_DBG("mode 0x%2.2x", chan->mode);
1135
1136		break;
1137
1138	default:
1139		err = -ENOPROTOOPT;
1140		break;
1141	}
1142
1143	release_sock(sk);
1144	return err;
1145}
1146
1147static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1148			      size_t len)
1149{
1150	struct sock *sk = sock->sk;
1151	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1152	int err;
1153
1154	BT_DBG("sock %p, sk %p", sock, sk);
1155
1156	err = sock_error(sk);
1157	if (err)
1158		return err;
1159
1160	if (msg->msg_flags & MSG_OOB)
1161		return -EOPNOTSUPP;
1162
1163	if (sk->sk_state != BT_CONNECTED)
1164		return -ENOTCONN;
1165
1166	lock_sock(sk);
1167	err = bt_sock_wait_ready(sk, msg->msg_flags);
1168	release_sock(sk);
1169	if (err)
1170		return err;
1171
1172	l2cap_chan_lock(chan);
1173	err = l2cap_chan_send(chan, msg, len);
1174	l2cap_chan_unlock(chan);
1175
1176	return err;
1177}
1178
1179static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1180			      size_t len, int flags)
1181{
1182	struct sock *sk = sock->sk;
1183	struct l2cap_pinfo *pi = l2cap_pi(sk);
1184	int err;
1185
1186	lock_sock(sk);
1187
1188	if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
1189						    &bt_sk(sk)->flags)) {
1190		if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
1191			sk->sk_state = BT_CONNECTED;
1192			pi->chan->state = BT_CONNECTED;
1193			__l2cap_ecred_conn_rsp_defer(pi->chan);
1194		} else if (bdaddr_type_is_le(pi->chan->src_type)) {
1195			sk->sk_state = BT_CONNECTED;
1196			pi->chan->state = BT_CONNECTED;
1197			__l2cap_le_connect_rsp_defer(pi->chan);
1198		} else {
1199			sk->sk_state = BT_CONFIG;
1200			pi->chan->state = BT_CONFIG;
1201			__l2cap_connect_rsp_defer(pi->chan);
1202		}
1203
1204		err = 0;
1205		goto done;
1206	}
1207
1208	release_sock(sk);
1209
1210	if (sock->type == SOCK_STREAM)
1211		err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1212	else
1213		err = bt_sock_recvmsg(sock, msg, len, flags);
1214
1215	if (pi->chan->mode != L2CAP_MODE_ERTM)
1216		return err;
1217
1218	/* Attempt to put pending rx data in the socket buffer */
1219
1220	lock_sock(sk);
1221
1222	if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1223		goto done;
1224
1225	if (pi->rx_busy_skb) {
1226		if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1227			pi->rx_busy_skb = NULL;
1228		else
1229			goto done;
1230	}
1231
1232	/* Restore data flow when half of the receive buffer is
1233	 * available.  This avoids resending large numbers of
1234	 * frames.
1235	 */
1236	if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1237		l2cap_chan_busy(pi->chan, 0);
1238
1239done:
1240	release_sock(sk);
1241	return err;
1242}
1243
1244/* Kill socket (only if zapped and orphan)
1245 * Must be called on unlocked socket, with l2cap channel lock.
1246 */
1247static void l2cap_sock_kill(struct sock *sk)
1248{
1249	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1250		return;
1251
1252	BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1253
1254	/* Kill poor orphan */
1255
1256	l2cap_chan_put(l2cap_pi(sk)->chan);
1257	sock_set_flag(sk, SOCK_DEAD);
1258	sock_put(sk);
1259}
1260
1261static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1262{
1263	DECLARE_WAITQUEUE(wait, current);
1264	int err = 0;
1265	int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1266	/* Timeout to prevent infinite loop */
1267	unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1268
1269	add_wait_queue(sk_sleep(sk), &wait);
1270	set_current_state(TASK_INTERRUPTIBLE);
1271	do {
1272		BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1273		       chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1274		       jiffies_to_msecs(timeout - jiffies));
1275
1276		if (!timeo)
1277			timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1278
1279		if (signal_pending(current)) {
1280			err = sock_intr_errno(timeo);
1281			break;
1282		}
1283
1284		release_sock(sk);
1285		timeo = schedule_timeout(timeo);
1286		lock_sock(sk);
1287		set_current_state(TASK_INTERRUPTIBLE);
1288
1289		err = sock_error(sk);
1290		if (err)
1291			break;
1292
1293		if (time_after(jiffies, timeout)) {
1294			err = -ENOLINK;
1295			break;
1296		}
1297
1298	} while (chan->unacked_frames > 0 &&
1299		 chan->state == BT_CONNECTED);
1300
1301	set_current_state(TASK_RUNNING);
1302	remove_wait_queue(sk_sleep(sk), &wait);
1303	return err;
1304}
1305
1306static int l2cap_sock_shutdown(struct socket *sock, int how)
1307{
1308	struct sock *sk = sock->sk;
1309	struct l2cap_chan *chan;
1310	struct l2cap_conn *conn;
1311	int err = 0;
1312
1313	BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1314
1315	/* 'how' parameter is mapped to sk_shutdown as follows:
1316	 * SHUT_RD   (0) --> RCV_SHUTDOWN  (1)
1317	 * SHUT_WR   (1) --> SEND_SHUTDOWN (2)
1318	 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3)
1319	 */
1320	how++;
1321
1322	if (!sk)
1323		return 0;
1324
1325	lock_sock(sk);
1326
1327	if ((sk->sk_shutdown & how) == how)
1328		goto shutdown_already;
1329
1330	BT_DBG("Handling sock shutdown");
1331
1332	/* prevent sk structure from being freed whilst unlocked */
1333	sock_hold(sk);
1334
1335	chan = l2cap_pi(sk)->chan;
1336	/* prevent chan structure from being freed whilst unlocked */
1337	l2cap_chan_hold(chan);
1338
1339	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1340
1341	if (chan->mode == L2CAP_MODE_ERTM &&
1342	    chan->unacked_frames > 0 &&
1343	    chan->state == BT_CONNECTED) {
1344		err = __l2cap_wait_ack(sk, chan);
1345
1346		/* After waiting for ACKs, check whether shutdown
1347		 * has already been actioned to close the L2CAP
1348		 * link such as by l2cap_disconnection_req().
1349		 */
1350		if ((sk->sk_shutdown & how) == how)
1351			goto shutdown_matched;
1352	}
1353
1354	/* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN
1355	 * is already set
1356	 */
1357	if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) {
1358		sk->sk_shutdown |= RCV_SHUTDOWN;
1359		if ((sk->sk_shutdown & how) == how)
1360			goto shutdown_matched;
1361	}
1362
1363	sk->sk_shutdown |= SEND_SHUTDOWN;
1364	release_sock(sk);
1365
1366	l2cap_chan_lock(chan);
1367	conn = chan->conn;
1368	if (conn)
1369		/* prevent conn structure from being freed */
1370		l2cap_conn_get(conn);
1371	l2cap_chan_unlock(chan);
1372
1373	if (conn)
1374		/* mutex lock must be taken before l2cap_chan_lock() */
1375		mutex_lock(&conn->chan_lock);
1376
1377	l2cap_chan_lock(chan);
1378	l2cap_chan_close(chan, 0);
1379	l2cap_chan_unlock(chan);
1380
1381	if (conn) {
1382		mutex_unlock(&conn->chan_lock);
1383		l2cap_conn_put(conn);
1384	}
1385
1386	lock_sock(sk);
1387
1388	if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1389	    !(current->flags & PF_EXITING))
1390		err = bt_sock_wait_state(sk, BT_CLOSED,
1391					 sk->sk_lingertime);
1392
1393shutdown_matched:
1394	l2cap_chan_put(chan);
1395	sock_put(sk);
1396
1397shutdown_already:
1398	if (!err && sk->sk_err)
1399		err = -sk->sk_err;
1400
1401	release_sock(sk);
1402
1403	BT_DBG("Sock shutdown complete err: %d", err);
1404
1405	return err;
1406}
1407
1408static int l2cap_sock_release(struct socket *sock)
1409{
1410	struct sock *sk = sock->sk;
1411	int err;
1412	struct l2cap_chan *chan;
1413
1414	BT_DBG("sock %p, sk %p", sock, sk);
1415
1416	if (!sk)
1417		return 0;
1418
1419	l2cap_sock_cleanup_listen(sk);
1420	bt_sock_unlink(&l2cap_sk_list, sk);
1421
1422	err = l2cap_sock_shutdown(sock, SHUT_RDWR);
1423	chan = l2cap_pi(sk)->chan;
1424
1425	l2cap_chan_hold(chan);
1426	l2cap_chan_lock(chan);
1427
1428	sock_orphan(sk);
1429	l2cap_sock_kill(sk);
1430
1431	l2cap_chan_unlock(chan);
1432	l2cap_chan_put(chan);
1433
1434	return err;
1435}
1436
1437static void l2cap_sock_cleanup_listen(struct sock *parent)
1438{
1439	struct sock *sk;
1440
1441	BT_DBG("parent %p state %s", parent,
1442	       state_to_string(parent->sk_state));
1443
1444	/* Close not yet accepted channels */
1445	while ((sk = bt_accept_dequeue(parent, NULL))) {
1446		struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1447
1448		BT_DBG("child chan %p state %s", chan,
1449		       state_to_string(chan->state));
1450
1451		l2cap_chan_hold(chan);
1452		l2cap_chan_lock(chan);
1453
1454		__clear_chan_timer(chan);
1455		l2cap_chan_close(chan, ECONNRESET);
1456		l2cap_sock_kill(sk);
1457
1458		l2cap_chan_unlock(chan);
1459		l2cap_chan_put(chan);
1460	}
1461}
1462
1463static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1464{
1465	struct sock *sk, *parent = chan->data;
1466
1467	lock_sock(parent);
1468
1469	/* Check for backlog size */
1470	if (sk_acceptq_is_full(parent)) {
1471		BT_DBG("backlog full %d", parent->sk_ack_backlog);
1472		release_sock(parent);
1473		return NULL;
1474	}
1475
1476	sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1477			      GFP_ATOMIC, 0);
1478	if (!sk) {
1479		release_sock(parent);
1480		return NULL;
1481        }
1482
1483	bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1484
1485	l2cap_sock_init(sk, parent);
1486
1487	bt_accept_enqueue(parent, sk, false);
1488
1489	release_sock(parent);
1490
1491	return l2cap_pi(sk)->chan;
1492}
1493
1494static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1495{
1496	struct sock *sk = chan->data;
1497	int err;
1498
1499	lock_sock(sk);
1500
1501	if (l2cap_pi(sk)->rx_busy_skb) {
1502		err = -ENOMEM;
1503		goto done;
1504	}
1505
1506	if (chan->mode != L2CAP_MODE_ERTM &&
1507	    chan->mode != L2CAP_MODE_STREAMING) {
1508		/* Even if no filter is attached, we could potentially
1509		 * get errors from security modules, etc.
1510		 */
1511		err = sk_filter(sk, skb);
1512		if (err)
1513			goto done;
1514	}
1515
1516	err = __sock_queue_rcv_skb(sk, skb);
1517
1518	/* For ERTM, handle one skb that doesn't fit into the recv
1519	 * buffer.  This is important to do because the data frames
1520	 * have already been acked, so the skb cannot be discarded.
1521	 *
1522	 * Notify the l2cap core that the buffer is full, so the
1523	 * LOCAL_BUSY state is entered and no more frames are
1524	 * acked and reassembled until there is buffer space
1525	 * available.
1526	 */
1527	if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1528		l2cap_pi(sk)->rx_busy_skb = skb;
1529		l2cap_chan_busy(chan, 1);
1530		err = 0;
1531	}
1532
1533done:
1534	release_sock(sk);
1535
1536	return err;
1537}
1538
1539static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1540{
1541	struct sock *sk = chan->data;
1542
1543	if (!sk)
1544		return;
1545
1546	l2cap_sock_kill(sk);
1547}
1548
1549static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1550{
1551	struct sock *sk = chan->data;
1552	struct sock *parent;
1553
1554	if (!sk)
1555		return;
1556
1557	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1558
1559	/* This callback can be called both for server (BT_LISTEN)
1560	 * sockets as well as "normal" ones. To avoid lockdep warnings
1561	 * with child socket locking (through l2cap_sock_cleanup_listen)
1562	 * we need separation into separate nesting levels. The simplest
1563	 * way to accomplish this is to inherit the nesting level used
1564	 * for the channel.
1565	 */
1566	lock_sock_nested(sk, atomic_read(&chan->nesting));
1567
1568	parent = bt_sk(sk)->parent;
1569
1570	switch (chan->state) {
1571	case BT_OPEN:
1572	case BT_BOUND:
1573	case BT_CLOSED:
1574		break;
1575	case BT_LISTEN:
1576		l2cap_sock_cleanup_listen(sk);
1577		sk->sk_state = BT_CLOSED;
1578		chan->state = BT_CLOSED;
1579
1580		break;
1581	default:
1582		sk->sk_state = BT_CLOSED;
1583		chan->state = BT_CLOSED;
1584
1585		sk->sk_err = err;
1586
1587		if (parent) {
1588			bt_accept_unlink(sk);
1589			parent->sk_data_ready(parent);
1590		} else {
1591			sk->sk_state_change(sk);
1592		}
1593
1594		break;
1595	}
1596	release_sock(sk);
1597
1598	/* Only zap after cleanup to avoid use after free race */
1599	sock_set_flag(sk, SOCK_ZAPPED);
1600
1601}
1602
1603static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1604				       int err)
1605{
1606	struct sock *sk = chan->data;
1607
1608	sk->sk_state = state;
1609
1610	if (err)
1611		sk->sk_err = err;
1612}
1613
1614static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1615					       unsigned long hdr_len,
1616					       unsigned long len, int nb)
1617{
1618	struct sock *sk = chan->data;
1619	struct sk_buff *skb;
1620	int err;
1621
1622	l2cap_chan_unlock(chan);
1623	skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1624	l2cap_chan_lock(chan);
1625
1626	if (!skb)
1627		return ERR_PTR(err);
1628
1629	/* Channel lock is released before requesting new skb and then
1630	 * reacquired thus we need to recheck channel state.
1631	 */
1632	if (chan->state != BT_CONNECTED) {
1633		kfree_skb(skb);
1634		return ERR_PTR(-ENOTCONN);
1635	}
1636
1637	skb->priority = sk->sk_priority;
1638
1639	bt_cb(skb)->l2cap.chan = chan;
1640
1641	return skb;
1642}
1643
1644static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1645{
1646	struct sock *sk = chan->data;
1647	struct sock *parent;
1648
1649	lock_sock(sk);
1650
1651	parent = bt_sk(sk)->parent;
1652
1653	BT_DBG("sk %p, parent %p", sk, parent);
1654
1655	sk->sk_state = BT_CONNECTED;
1656	sk->sk_state_change(sk);
1657
1658	if (parent)
1659		parent->sk_data_ready(parent);
1660
1661	release_sock(sk);
1662}
1663
1664static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1665{
1666	struct sock *parent, *sk = chan->data;
1667
1668	lock_sock(sk);
1669
1670	parent = bt_sk(sk)->parent;
1671	if (parent)
1672		parent->sk_data_ready(parent);
1673
1674	release_sock(sk);
1675}
1676
1677static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1678{
1679	struct sock *sk = chan->data;
1680
1681	if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1682		sk->sk_state = BT_CONNECTED;
1683		chan->state = BT_CONNECTED;
1684	}
1685
1686	clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1687	sk->sk_state_change(sk);
1688}
1689
1690static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1691{
1692	struct sock *sk = chan->data;
1693
1694	lock_sock(sk);
1695	sk->sk_shutdown = SHUTDOWN_MASK;
1696	release_sock(sk);
1697}
1698
1699static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1700{
1701	struct sock *sk = chan->data;
1702
1703	return sk->sk_sndtimeo;
1704}
1705
1706static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan)
1707{
1708	struct sock *sk = chan->data;
1709
1710	return sk->sk_peer_pid;
1711}
1712
1713static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1714{
1715	struct sock *sk = chan->data;
1716
1717	set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1718	sk->sk_state_change(sk);
1719}
1720
1721static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
1722{
1723	struct sock *sk = chan->data;
1724
1725	switch (chan->mode) {
1726	case L2CAP_MODE_ERTM:
1727	case L2CAP_MODE_STREAMING:
1728		return sk_filter(sk, skb);
1729	}
1730
1731	return 0;
1732}
1733
1734static const struct l2cap_ops l2cap_chan_ops = {
1735	.name			= "L2CAP Socket Interface",
1736	.new_connection		= l2cap_sock_new_connection_cb,
1737	.recv			= l2cap_sock_recv_cb,
1738	.close			= l2cap_sock_close_cb,
1739	.teardown		= l2cap_sock_teardown_cb,
1740	.state_change		= l2cap_sock_state_change_cb,
1741	.ready			= l2cap_sock_ready_cb,
1742	.defer			= l2cap_sock_defer_cb,
1743	.resume			= l2cap_sock_resume_cb,
1744	.suspend		= l2cap_sock_suspend_cb,
1745	.set_shutdown		= l2cap_sock_set_shutdown_cb,
1746	.get_sndtimeo		= l2cap_sock_get_sndtimeo_cb,
1747	.get_peer_pid		= l2cap_sock_get_peer_pid_cb,
1748	.alloc_skb		= l2cap_sock_alloc_skb_cb,
1749	.filter			= l2cap_sock_filter,
1750};
1751
1752static void l2cap_sock_destruct(struct sock *sk)
1753{
1754	BT_DBG("sk %p", sk);
1755
1756	if (l2cap_pi(sk)->chan) {
1757		l2cap_pi(sk)->chan->data = NULL;
1758		l2cap_chan_put(l2cap_pi(sk)->chan);
1759	}
1760
1761	if (l2cap_pi(sk)->rx_busy_skb) {
1762		kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1763		l2cap_pi(sk)->rx_busy_skb = NULL;
1764	}
1765
1766	skb_queue_purge(&sk->sk_receive_queue);
1767	skb_queue_purge(&sk->sk_write_queue);
1768}
1769
1770static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1771			       int *msg_namelen)
1772{
1773	DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1774
1775	memset(la, 0, sizeof(struct sockaddr_l2));
1776	la->l2_family = AF_BLUETOOTH;
1777	la->l2_psm = bt_cb(skb)->l2cap.psm;
1778	bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1779
1780	*msg_namelen = sizeof(struct sockaddr_l2);
1781}
1782
1783static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1784{
1785	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1786
1787	BT_DBG("sk %p", sk);
1788
1789	if (parent) {
1790		struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1791
1792		sk->sk_type = parent->sk_type;
1793		bt_sk(sk)->flags = bt_sk(parent)->flags;
1794
1795		chan->chan_type = pchan->chan_type;
1796		chan->imtu = pchan->imtu;
1797		chan->omtu = pchan->omtu;
1798		chan->conf_state = pchan->conf_state;
1799		chan->mode = pchan->mode;
1800		chan->fcs  = pchan->fcs;
1801		chan->max_tx = pchan->max_tx;
1802		chan->tx_win = pchan->tx_win;
1803		chan->tx_win_max = pchan->tx_win_max;
1804		chan->sec_level = pchan->sec_level;
1805		chan->flags = pchan->flags;
1806		chan->tx_credits = pchan->tx_credits;
1807		chan->rx_credits = pchan->rx_credits;
1808
1809		if (chan->chan_type == L2CAP_CHAN_FIXED) {
1810			chan->scid = pchan->scid;
1811			chan->dcid = pchan->scid;
1812		}
1813
1814		security_sk_clone(parent, sk);
1815	} else {
1816		switch (sk->sk_type) {
1817		case SOCK_RAW:
1818			chan->chan_type = L2CAP_CHAN_RAW;
1819			break;
1820		case SOCK_DGRAM:
1821			chan->chan_type = L2CAP_CHAN_CONN_LESS;
1822			bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1823			break;
1824		case SOCK_SEQPACKET:
1825		case SOCK_STREAM:
1826			chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1827			break;
1828		}
1829
1830		chan->imtu = L2CAP_DEFAULT_MTU;
1831		chan->omtu = 0;
1832		if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1833			chan->mode = L2CAP_MODE_ERTM;
1834			set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1835		} else {
1836			chan->mode = L2CAP_MODE_BASIC;
1837		}
1838
1839		l2cap_chan_set_defaults(chan);
1840	}
1841
1842	/* Default config options */
1843	chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1844
1845	chan->data = sk;
1846	chan->ops = &l2cap_chan_ops;
1847}
1848
1849static struct proto l2cap_proto = {
1850	.name		= "L2CAP",
1851	.owner		= THIS_MODULE,
1852	.obj_size	= sizeof(struct l2cap_pinfo)
1853};
1854
1855static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1856				     int proto, gfp_t prio, int kern)
1857{
1858	struct sock *sk;
1859	struct l2cap_chan *chan;
1860
1861	sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern);
1862	if (!sk)
1863		return NULL;
1864
1865	sock_init_data(sock, sk);
1866	INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1867
1868	sk->sk_destruct = l2cap_sock_destruct;
1869	sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1870
1871	sock_reset_flag(sk, SOCK_ZAPPED);
1872
1873	sk->sk_protocol = proto;
1874	sk->sk_state = BT_OPEN;
1875
1876	chan = l2cap_chan_create();
1877	if (!chan) {
1878		sk_free(sk);
1879		return NULL;
1880	}
1881
1882	l2cap_chan_hold(chan);
1883
1884	l2cap_pi(sk)->chan = chan;
1885
1886	return sk;
1887}
1888
1889static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1890			     int kern)
1891{
1892	struct sock *sk;
1893
1894	BT_DBG("sock %p", sock);
1895
1896	sock->state = SS_UNCONNECTED;
1897
1898	if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1899	    sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1900		return -ESOCKTNOSUPPORT;
1901
1902	if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1903		return -EPERM;
1904
1905	sock->ops = &l2cap_sock_ops;
1906
1907	sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1908	if (!sk)
1909		return -ENOMEM;
1910
1911	l2cap_sock_init(sk, NULL);
1912	bt_sock_link(&l2cap_sk_list, sk);
1913	return 0;
1914}
1915
1916static const struct proto_ops l2cap_sock_ops = {
1917	.family		= PF_BLUETOOTH,
1918	.owner		= THIS_MODULE,
1919	.release	= l2cap_sock_release,
1920	.bind		= l2cap_sock_bind,
1921	.connect	= l2cap_sock_connect,
1922	.listen		= l2cap_sock_listen,
1923	.accept		= l2cap_sock_accept,
1924	.getname	= l2cap_sock_getname,
1925	.sendmsg	= l2cap_sock_sendmsg,
1926	.recvmsg	= l2cap_sock_recvmsg,
1927	.poll		= bt_sock_poll,
1928	.ioctl		= bt_sock_ioctl,
1929	.gettstamp	= sock_gettstamp,
1930	.mmap		= sock_no_mmap,
1931	.socketpair	= sock_no_socketpair,
1932	.shutdown	= l2cap_sock_shutdown,
1933	.setsockopt	= l2cap_sock_setsockopt,
1934	.getsockopt	= l2cap_sock_getsockopt
1935};
1936
1937static const struct net_proto_family l2cap_sock_family_ops = {
1938	.family	= PF_BLUETOOTH,
1939	.owner	= THIS_MODULE,
1940	.create	= l2cap_sock_create,
1941};
1942
1943int __init l2cap_init_sockets(void)
1944{
1945	int err;
1946
1947	BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1948
1949	err = proto_register(&l2cap_proto, 0);
1950	if (err < 0)
1951		return err;
1952
1953	err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1954	if (err < 0) {
1955		BT_ERR("L2CAP socket registration failed");
1956		goto error;
1957	}
1958
1959	err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1960			     NULL);
1961	if (err < 0) {
1962		BT_ERR("Failed to create L2CAP proc file");
1963		bt_sock_unregister(BTPROTO_L2CAP);
1964		goto error;
1965	}
1966
1967	BT_INFO("L2CAP socket layer initialized");
1968
1969	return 0;
1970
1971error:
1972	proto_unregister(&l2cap_proto);
1973	return err;
1974}
1975
1976void l2cap_cleanup_sockets(void)
1977{
1978	bt_procfs_cleanup(&init_net, "l2cap");
1979	bt_sock_unregister(BTPROTO_L2CAP);
1980	proto_unregister(&l2cap_proto);
1981}
Configure Feed

Configure Feed
