TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / hafnium / third_party / linux.git / 0e64123141f3854e695eb4924d82b52856691466 / . / net / bluetooth / l2cap_sock.c
blob: 82e76ff01267abe5f91830fbe633e00fa9e77fc9 [file] [log] [blame]
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
26*/
27
28/* Bluetooth L2CAP sockets. */
29
30#include <linux/module.h>
31#include <linux/export.h>
32#include <linux/sched/signal.h>
33
34#include <net/bluetooth/bluetooth.h>
35#include <net/bluetooth/hci_core.h>
36#include <net/bluetooth/l2cap.h>
37
38#include "smp.h"
39
40static struct bt_sock_list l2cap_sk_list = {
41 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
42};
43
44static const struct proto_ops l2cap_sock_ops;
45static void l2cap_sock_init(struct sock *sk, struct sock *parent);
46static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
47 int proto, gfp_t prio, int kern);
48
49bool l2cap_is_socket(struct socket *sock)
50{
51 return sock && sock->ops == &l2cap_sock_ops;
52}
53EXPORT_SYMBOL(l2cap_is_socket);
54
55static int l2cap_validate_bredr_psm(u16 psm)
56{
57 /* PSM must be odd and lsb of upper byte must be 0 */
58 if ((psm & 0x0101) != 0x0001)
59 return -EINVAL;
60
61 /* Restrict usage of well-known PSMs */
62 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
63 return -EACCES;
64
65 return 0;
66}
67
68static int l2cap_validate_le_psm(u16 psm)
69{
70 /* Valid LE_PSM ranges are defined only until 0x00ff */
71 if (psm > L2CAP_PSM_LE_DYN_END)
72 return -EINVAL;
73
74 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
75 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
76 return -EACCES;
77
78 return 0;
79}
80
81static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
82{
83 struct sock *sk = sock->sk;
84 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
85 struct sockaddr_l2 la;
86 int len, err = 0;
87
88 BT_DBG("sk %p", sk);
89
90 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
91 addr->sa_family != AF_BLUETOOTH)
92 return -EINVAL;
93
94 memset(&la, 0, sizeof(la));
95 len = min_t(unsigned int, sizeof(la), alen);
96 memcpy(&la, addr, len);
97
98 if (la.l2_cid && la.l2_psm)
99 return -EINVAL;
100
101 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
102 return -EINVAL;
103
104 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
105 /* We only allow ATT user space socket */
106 if (la.l2_cid &&
107 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
108 return -EINVAL;
109 }
110
111 lock_sock(sk);
112
113 if (sk->sk_state != BT_OPEN) {
114 err = -EBADFD;
115 goto done;
116 }
117
118 if (la.l2_psm) {
119 __u16 psm = __le16_to_cpu(la.l2_psm);
120
121 if (la.l2_bdaddr_type == BDADDR_BREDR)
122 err = l2cap_validate_bredr_psm(psm);
123 else
124 err = l2cap_validate_le_psm(psm);
125
126 if (err)
127 goto done;
128 }
129
130 bacpy(&chan->src, &la.l2_bdaddr);
131 chan->src_type = la.l2_bdaddr_type;
132
133 if (la.l2_cid)
134 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
135 else
136 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
137
138 if (err < 0)
139 goto done;
140
141 switch (chan->chan_type) {
142 case L2CAP_CHAN_CONN_LESS:
143 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
144 chan->sec_level = BT_SECURITY_SDP;
145 break;
146 case L2CAP_CHAN_CONN_ORIENTED:
147 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
148 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
149 chan->sec_level = BT_SECURITY_SDP;
150 break;
151 case L2CAP_CHAN_RAW:
152 chan->sec_level = BT_SECURITY_SDP;
153 break;
154 case L2CAP_CHAN_FIXED:
155 /* Fixed channels default to the L2CAP core not holding a
156 * hci_conn reference for them. For fixed channels mapping to
157 * L2CAP sockets we do want to hold a reference so set the
158 * appropriate flag to request it.
159 */
160 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
161 break;
162 }
163
164 if (chan->psm && bdaddr_type_is_le(chan->src_type))
165 chan->mode = L2CAP_MODE_LE_FLOWCTL;
166
167 chan->state = BT_BOUND;
168 sk->sk_state = BT_BOUND;
169
170done:
171 release_sock(sk);
172 return err;
173}
174
175static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
176 int alen, int flags)
177{
178 struct sock *sk = sock->sk;
179 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
180 struct sockaddr_l2 la;
181 int len, err = 0;
Olivier Deprez0e641232021-09-23 10:07:05 +0200[diff] [blame^]182 bool zapped;
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]183
184 BT_DBG("sk %p", sk);
185
Olivier Deprez0e641232021-09-23 10:07:05 +0200[diff] [blame^]186 lock_sock(sk);
187 zapped = sock_flag(sk, SOCK_ZAPPED);
188 release_sock(sk);
189
190 if (zapped)
191 return -EINVAL;
192
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]193 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
194 addr->sa_family != AF_BLUETOOTH)
195 return -EINVAL;
196
197 memset(&la, 0, sizeof(la));
198 len = min_t(unsigned int, sizeof(la), alen);
199 memcpy(&la, addr, len);
200
201 if (la.l2_cid && la.l2_psm)
202 return -EINVAL;
203
204 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
205 return -EINVAL;
206
207 /* Check that the socket wasn't bound to something that
208 * conflicts with the address given to connect(). If chan->src
209 * is BDADDR_ANY it means bind() was never used, in which case
210 * chan->src_type and la.l2_bdaddr_type do not need to match.
211 */
212 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
213 bdaddr_type_is_le(la.l2_bdaddr_type)) {
214 /* Old user space versions will try to incorrectly bind
215 * the ATT socket using BDADDR_BREDR. We need to accept
216 * this and fix up the source address type only when
217 * both the source CID and destination CID indicate
218 * ATT. Anything else is an invalid combination.
219 */
220 if (chan->scid != L2CAP_CID_ATT ||
221 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
222 return -EINVAL;
223
224 /* We don't have the hdev available here to make a
225 * better decision on random vs public, but since all
226 * user space versions that exhibit this issue anyway do
227 * not support random local addresses assuming public
228 * here is good enough.
229 */
230 chan->src_type = BDADDR_LE_PUBLIC;
231 }
232
233 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
234 return -EINVAL;
235
236 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
237 /* We only allow ATT user space socket */
238 if (la.l2_cid &&
239 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
240 return -EINVAL;
241 }
242
243 if (chan->psm && bdaddr_type_is_le(chan->src_type))
244 chan->mode = L2CAP_MODE_LE_FLOWCTL;
245
246 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
247 &la.l2_bdaddr, la.l2_bdaddr_type);
248 if (err)
249 return err;
250
251 lock_sock(sk);
252
253 err = bt_sock_wait_state(sk, BT_CONNECTED,
254 sock_sndtimeo(sk, flags & O_NONBLOCK));
255
256 release_sock(sk);
257
258 return err;
259}
260
261static int l2cap_sock_listen(struct socket *sock, int backlog)
262{
263 struct sock *sk = sock->sk;
264 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
265 int err = 0;
266
267 BT_DBG("sk %p backlog %d", sk, backlog);
268
269 lock_sock(sk);
270
271 if (sk->sk_state != BT_BOUND) {
272 err = -EBADFD;
273 goto done;
274 }
275
276 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
277 err = -EINVAL;
278 goto done;
279 }
280
281 switch (chan->mode) {
282 case L2CAP_MODE_BASIC:
283 case L2CAP_MODE_LE_FLOWCTL:
284 break;
285 case L2CAP_MODE_ERTM:
286 case L2CAP_MODE_STREAMING:
287 if (!disable_ertm)
288 break;
289 /* fall through */
290 default:
291 err = -EOPNOTSUPP;
292 goto done;
293 }
294
295 sk->sk_max_ack_backlog = backlog;
296 sk->sk_ack_backlog = 0;
297
298 /* Listening channels need to use nested locking in order not to
299 * cause lockdep warnings when the created child channels end up
300 * being locked in the same thread as the parent channel.
301 */
302 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
303
304 chan->state = BT_LISTEN;
305 sk->sk_state = BT_LISTEN;
306
307done:
308 release_sock(sk);
309 return err;
310}
311
312static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
313 int flags, bool kern)
314{
315 DEFINE_WAIT_FUNC(wait, woken_wake_function);
316 struct sock *sk = sock->sk, *nsk;
317 long timeo;
318 int err = 0;
319
320 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
321
322 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
323
324 BT_DBG("sk %p timeo %ld", sk, timeo);
325
326 /* Wait for an incoming connection. (wake-one). */
327 add_wait_queue_exclusive(sk_sleep(sk), &wait);
328 while (1) {
329 if (sk->sk_state != BT_LISTEN) {
330 err = -EBADFD;
331 break;
332 }
333
334 nsk = bt_accept_dequeue(sk, newsock);
335 if (nsk)
336 break;
337
338 if (!timeo) {
339 err = -EAGAIN;
340 break;
341 }
342
343 if (signal_pending(current)) {
344 err = sock_intr_errno(timeo);
345 break;
346 }
347
348 release_sock(sk);
349
350 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
351
352 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
353 }
354 remove_wait_queue(sk_sleep(sk), &wait);
355
356 if (err)
357 goto done;
358
359 newsock->state = SS_CONNECTED;
360
361 BT_DBG("new socket %p", nsk);
362
363done:
364 release_sock(sk);
365 return err;
366}
367
368static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
369 int peer)
370{
371 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
372 struct sock *sk = sock->sk;
373 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
374
375 BT_DBG("sock %p, sk %p", sock, sk);
376
377 if (peer && sk->sk_state != BT_CONNECTED &&
378 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
379 sk->sk_state != BT_CONFIG)
380 return -ENOTCONN;
381
382 memset(la, 0, sizeof(struct sockaddr_l2));
383 addr->sa_family = AF_BLUETOOTH;
384
385 la->l2_psm = chan->psm;
386
387 if (peer) {
388 bacpy(&la->l2_bdaddr, &chan->dst);
389 la->l2_cid = cpu_to_le16(chan->dcid);
390 la->l2_bdaddr_type = chan->dst_type;
391 } else {
392 bacpy(&la->l2_bdaddr, &chan->src);
393 la->l2_cid = cpu_to_le16(chan->scid);
394 la->l2_bdaddr_type = chan->src_type;
395 }
396
397 return sizeof(struct sockaddr_l2);
398}
399
400static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
401 char __user *optval, int __user *optlen)
402{
403 struct sock *sk = sock->sk;
404 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
405 struct l2cap_options opts;
406 struct l2cap_conninfo cinfo;
407 int len, err = 0;
408 u32 opt;
409
410 BT_DBG("sk %p", sk);
411
412 if (get_user(len, optlen))
413 return -EFAULT;
414
415 lock_sock(sk);
416
417 switch (optname) {
418 case L2CAP_OPTIONS:
419 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
420 * legacy ATT code depends on getsockopt for
421 * L2CAP_OPTIONS we need to let this pass.
422 */
423 if (bdaddr_type_is_le(chan->src_type) &&
424 chan->scid != L2CAP_CID_ATT) {
425 err = -EINVAL;
426 break;
427 }
428
Olivier Deprez0e641232021-09-23 10:07:05 +0200[diff] [blame^]429 /* Only BR/EDR modes are supported here */
430 switch (chan->mode) {
431 case L2CAP_MODE_BASIC:
432 case L2CAP_MODE_ERTM:
433 case L2CAP_MODE_STREAMING:
434 break;
435 default:
436 err = -EINVAL;
437 break;
438 }
439
440 if (err < 0)
441 break;
442
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]443 memset(&opts, 0, sizeof(opts));
444 opts.imtu = chan->imtu;
445 opts.omtu = chan->omtu;
446 opts.flush_to = chan->flush_to;
447 opts.mode = chan->mode;
448 opts.fcs = chan->fcs;
449 opts.max_tx = chan->max_tx;
450 opts.txwin_size = chan->tx_win;
451
452 len = min_t(unsigned int, len, sizeof(opts));
453 if (copy_to_user(optval, (char *) &opts, len))
454 err = -EFAULT;
455
456 break;
457
458 case L2CAP_LM:
459 switch (chan->sec_level) {
460 case BT_SECURITY_LOW:
461 opt = L2CAP_LM_AUTH;
462 break;
463 case BT_SECURITY_MEDIUM:
464 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
465 break;
466 case BT_SECURITY_HIGH:
467 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
468 L2CAP_LM_SECURE;
469 break;
470 case BT_SECURITY_FIPS:
471 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
472 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
473 break;
474 default:
475 opt = 0;
476 break;
477 }
478
479 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
480 opt |= L2CAP_LM_MASTER;
481
482 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
483 opt |= L2CAP_LM_RELIABLE;
484
485 if (put_user(opt, (u32 __user *) optval))
486 err = -EFAULT;
487
488 break;
489
490 case L2CAP_CONNINFO:
491 if (sk->sk_state != BT_CONNECTED &&
492 !(sk->sk_state == BT_CONNECT2 &&
493 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
494 err = -ENOTCONN;
495 break;
496 }
497
498 memset(&cinfo, 0, sizeof(cinfo));
499 cinfo.hci_handle = chan->conn->hcon->handle;
500 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
501
502 len = min_t(unsigned int, len, sizeof(cinfo));
503 if (copy_to_user(optval, (char *) &cinfo, len))
504 err = -EFAULT;
505
506 break;
507
508 default:
509 err = -ENOPROTOOPT;
510 break;
511 }
512
513 release_sock(sk);
514 return err;
515}
516
517static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
518 char __user *optval, int __user *optlen)
519{
520 struct sock *sk = sock->sk;
521 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
522 struct bt_security sec;
523 struct bt_power pwr;
524 int len, err = 0;
525
526 BT_DBG("sk %p", sk);
527
528 if (level == SOL_L2CAP)
529 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
530
531 if (level != SOL_BLUETOOTH)
532 return -ENOPROTOOPT;
533
534 if (get_user(len, optlen))
535 return -EFAULT;
536
537 lock_sock(sk);
538
539 switch (optname) {
540 case BT_SECURITY:
541 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
542 chan->chan_type != L2CAP_CHAN_FIXED &&
543 chan->chan_type != L2CAP_CHAN_RAW) {
544 err = -EINVAL;
545 break;
546 }
547
548 memset(&sec, 0, sizeof(sec));
549 if (chan->conn) {
550 sec.level = chan->conn->hcon->sec_level;
551
552 if (sk->sk_state == BT_CONNECTED)
553 sec.key_size = chan->conn->hcon->enc_key_size;
554 } else {
555 sec.level = chan->sec_level;
556 }
557
558 len = min_t(unsigned int, len, sizeof(sec));
559 if (copy_to_user(optval, (char *) &sec, len))
560 err = -EFAULT;
561
562 break;
563
564 case BT_DEFER_SETUP:
565 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
566 err = -EINVAL;
567 break;
568 }
569
570 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
571 (u32 __user *) optval))
572 err = -EFAULT;
573
574 break;
575
576 case BT_FLUSHABLE:
577 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
578 (u32 __user *) optval))
579 err = -EFAULT;
580
581 break;
582
583 case BT_POWER:
584 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
585 && sk->sk_type != SOCK_RAW) {
586 err = -EINVAL;
587 break;
588 }
589
590 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
591
592 len = min_t(unsigned int, len, sizeof(pwr));
593 if (copy_to_user(optval, (char *) &pwr, len))
594 err = -EFAULT;
595
596 break;
597
598 case BT_CHANNEL_POLICY:
599 if (put_user(chan->chan_policy, (u32 __user *) optval))
600 err = -EFAULT;
601 break;
602
603 case BT_SNDMTU:
604 if (!bdaddr_type_is_le(chan->src_type)) {
605 err = -EINVAL;
606 break;
607 }
608
609 if (sk->sk_state != BT_CONNECTED) {
610 err = -ENOTCONN;
611 break;
612 }
613
614 if (put_user(chan->omtu, (u16 __user *) optval))
615 err = -EFAULT;
616 break;
617
618 case BT_RCVMTU:
619 if (!bdaddr_type_is_le(chan->src_type)) {
620 err = -EINVAL;
621 break;
622 }
623
624 if (put_user(chan->imtu, (u16 __user *) optval))
625 err = -EFAULT;
626 break;
627
628 default:
629 err = -ENOPROTOOPT;
630 break;
631 }
632
633 release_sock(sk);
634 return err;
635}
636
637static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
638{
639 switch (chan->scid) {
640 case L2CAP_CID_ATT:
641 if (mtu < L2CAP_LE_MIN_MTU)
642 return false;
643 break;
644
645 default:
646 if (mtu < L2CAP_DEFAULT_MIN_MTU)
647 return false;
648 }
649
650 return true;
651}
652
653static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
654 char __user *optval, unsigned int optlen)
655{
656 struct sock *sk = sock->sk;
657 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
658 struct l2cap_options opts;
659 int len, err = 0;
660 u32 opt;
661
662 BT_DBG("sk %p", sk);
663
664 lock_sock(sk);
665
666 switch (optname) {
667 case L2CAP_OPTIONS:
668 if (bdaddr_type_is_le(chan->src_type)) {
669 err = -EINVAL;
670 break;
671 }
672
673 if (sk->sk_state == BT_CONNECTED) {
674 err = -EINVAL;
675 break;
676 }
677
678 opts.imtu = chan->imtu;
679 opts.omtu = chan->omtu;
680 opts.flush_to = chan->flush_to;
681 opts.mode = chan->mode;
682 opts.fcs = chan->fcs;
683 opts.max_tx = chan->max_tx;
684 opts.txwin_size = chan->tx_win;
685
686 len = min_t(unsigned int, sizeof(opts), optlen);
687 if (copy_from_user((char *) &opts, optval, len)) {
688 err = -EFAULT;
689 break;
690 }
691
692 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
693 err = -EINVAL;
694 break;
695 }
696
697 if (!l2cap_valid_mtu(chan, opts.imtu)) {
698 err = -EINVAL;
699 break;
700 }
701
Olivier Deprez0e641232021-09-23 10:07:05 +0200[diff] [blame^]702 /* Only BR/EDR modes are supported here */
703 switch (opts.mode) {
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]704 case L2CAP_MODE_BASIC:
705 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
706 break;
707 case L2CAP_MODE_ERTM:
708 case L2CAP_MODE_STREAMING:
709 if (!disable_ertm)
710 break;
711 /* fall through */
712 default:
713 err = -EINVAL;
714 break;
715 }
716
Olivier Deprez0e641232021-09-23 10:07:05 +0200[diff] [blame^]717 if (err < 0)
718 break;
719
720 chan->mode = opts.mode;
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]721 chan->imtu = opts.imtu;
722 chan->omtu = opts.omtu;
723 chan->fcs = opts.fcs;
724 chan->max_tx = opts.max_tx;
725 chan->tx_win = opts.txwin_size;
726 chan->flush_to = opts.flush_to;
727 break;
728
729 case L2CAP_LM:
730 if (get_user(opt, (u32 __user *) optval)) {
731 err = -EFAULT;
732 break;
733 }
734
735 if (opt & L2CAP_LM_FIPS) {
736 err = -EINVAL;
737 break;
738 }
739
740 if (opt & L2CAP_LM_AUTH)
741 chan->sec_level = BT_SECURITY_LOW;
742 if (opt & L2CAP_LM_ENCRYPT)
743 chan->sec_level = BT_SECURITY_MEDIUM;
744 if (opt & L2CAP_LM_SECURE)
745 chan->sec_level = BT_SECURITY_HIGH;
746
747 if (opt & L2CAP_LM_MASTER)
748 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
749 else
750 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
751
752 if (opt & L2CAP_LM_RELIABLE)
753 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
754 else
755 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
756 break;
757
758 default:
759 err = -ENOPROTOOPT;
760 break;
761 }
762
763 release_sock(sk);
764 return err;
765}
766
767static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
768 char __user *optval, unsigned int optlen)
769{
770 struct sock *sk = sock->sk;
771 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
772 struct bt_security sec;
773 struct bt_power pwr;
774 struct l2cap_conn *conn;
775 int len, err = 0;
776 u32 opt;
777
778 BT_DBG("sk %p", sk);
779
780 if (level == SOL_L2CAP)
781 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
782
783 if (level != SOL_BLUETOOTH)
784 return -ENOPROTOOPT;
785
786 lock_sock(sk);
787
788 switch (optname) {
789 case BT_SECURITY:
790 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
791 chan->chan_type != L2CAP_CHAN_FIXED &&
792 chan->chan_type != L2CAP_CHAN_RAW) {
793 err = -EINVAL;
794 break;
795 }
796
797 sec.level = BT_SECURITY_LOW;
798
799 len = min_t(unsigned int, sizeof(sec), optlen);
800 if (copy_from_user((char *) &sec, optval, len)) {
801 err = -EFAULT;
802 break;
803 }
804
805 if (sec.level < BT_SECURITY_LOW ||
806 sec.level > BT_SECURITY_FIPS) {
807 err = -EINVAL;
808 break;
809 }
810
811 chan->sec_level = sec.level;
812
813 if (!chan->conn)
814 break;
815
816 conn = chan->conn;
817
David Brazdil0f672f62019-12-10 10:32:29 +0000[diff] [blame]818 /* change security for LE channels */
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]819 if (chan->scid == L2CAP_CID_ATT) {
David Brazdil0f672f62019-12-10 10:32:29 +0000[diff] [blame]820 if (smp_conn_security(conn->hcon, sec.level)) {
821 err = -EINVAL;
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]822 break;
David Brazdil0f672f62019-12-10 10:32:29 +0000[diff] [blame]823 }
824
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]825 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
826 sk->sk_state = BT_CONFIG;
827 chan->state = BT_CONFIG;
828
829 /* or for ACL link */
830 } else if ((sk->sk_state == BT_CONNECT2 &&
831 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
832 sk->sk_state == BT_CONNECTED) {
833 if (!l2cap_chan_check_security(chan, true))
834 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
835 else
836 sk->sk_state_change(sk);
837 } else {
838 err = -EINVAL;
839 }
840 break;
841
842 case BT_DEFER_SETUP:
843 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
844 err = -EINVAL;
845 break;
846 }
847
848 if (get_user(opt, (u32 __user *) optval)) {
849 err = -EFAULT;
850 break;
851 }
852
853 if (opt) {
854 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
855 set_bit(FLAG_DEFER_SETUP, &chan->flags);
856 } else {
857 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
858 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
859 }
860 break;
861
862 case BT_FLUSHABLE:
863 if (get_user(opt, (u32 __user *) optval)) {
864 err = -EFAULT;
865 break;
866 }
867
868 if (opt > BT_FLUSHABLE_ON) {
869 err = -EINVAL;
870 break;
871 }
872
873 if (opt == BT_FLUSHABLE_OFF) {
874 conn = chan->conn;
875 /* proceed further only when we have l2cap_conn and
876 No Flush support in the LM */
877 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
878 err = -EINVAL;
879 break;
880 }
881 }
882
883 if (opt)
884 set_bit(FLAG_FLUSHABLE, &chan->flags);
885 else
886 clear_bit(FLAG_FLUSHABLE, &chan->flags);
887 break;
888
889 case BT_POWER:
890 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
891 chan->chan_type != L2CAP_CHAN_RAW) {
892 err = -EINVAL;
893 break;
894 }
895
896 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
897
898 len = min_t(unsigned int, sizeof(pwr), optlen);
899 if (copy_from_user((char *) &pwr, optval, len)) {
900 err = -EFAULT;
901 break;
902 }
903
904 if (pwr.force_active)
905 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
906 else
907 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
908 break;
909
910 case BT_CHANNEL_POLICY:
911 if (get_user(opt, (u32 __user *) optval)) {
912 err = -EFAULT;
913 break;
914 }
915
916 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
917 err = -EINVAL;
918 break;
919 }
920
921 if (chan->mode != L2CAP_MODE_ERTM &&
922 chan->mode != L2CAP_MODE_STREAMING) {
923 err = -EOPNOTSUPP;
924 break;
925 }
926
927 chan->chan_policy = (u8) opt;
928
929 if (sk->sk_state == BT_CONNECTED &&
930 chan->move_role == L2CAP_MOVE_ROLE_NONE)
931 l2cap_move_start(chan);
932
933 break;
934
935 case BT_SNDMTU:
936 if (!bdaddr_type_is_le(chan->src_type)) {
937 err = -EINVAL;
938 break;
939 }
940
941 /* Setting is not supported as it's the remote side that
942 * decides this.
943 */
944 err = -EPERM;
945 break;
946
947 case BT_RCVMTU:
948 if (!bdaddr_type_is_le(chan->src_type)) {
949 err = -EINVAL;
950 break;
951 }
952
953 if (sk->sk_state == BT_CONNECTED) {
954 err = -EISCONN;
955 break;
956 }
957
958 if (get_user(opt, (u16 __user *) optval)) {
959 err = -EFAULT;
960 break;
961 }
962
963 chan->imtu = opt;
964 break;
965
966 default:
967 err = -ENOPROTOOPT;
968 break;
969 }
970
971 release_sock(sk);
972 return err;
973}
974
975static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
976 size_t len)
977{
978 struct sock *sk = sock->sk;
979 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
980 int err;
981
982 BT_DBG("sock %p, sk %p", sock, sk);
983
984 err = sock_error(sk);
985 if (err)
986 return err;
987
988 if (msg->msg_flags & MSG_OOB)
989 return -EOPNOTSUPP;
990
991 if (sk->sk_state != BT_CONNECTED)
992 return -ENOTCONN;
993
994 lock_sock(sk);
995 err = bt_sock_wait_ready(sk, msg->msg_flags);
996 release_sock(sk);
997 if (err)
998 return err;
999
1000 l2cap_chan_lock(chan);
1001 err = l2cap_chan_send(chan, msg, len);
1002 l2cap_chan_unlock(chan);
1003
1004 return err;
1005}
1006
1007static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1008 size_t len, int flags)
1009{
1010 struct sock *sk = sock->sk;
1011 struct l2cap_pinfo *pi = l2cap_pi(sk);
1012 int err;
1013
1014 lock_sock(sk);
1015
1016 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
1017 &bt_sk(sk)->flags)) {
1018 if (bdaddr_type_is_le(pi->chan->src_type)) {
1019 sk->sk_state = BT_CONNECTED;
1020 pi->chan->state = BT_CONNECTED;
1021 __l2cap_le_connect_rsp_defer(pi->chan);
1022 } else {
1023 sk->sk_state = BT_CONFIG;
1024 pi->chan->state = BT_CONFIG;
1025 __l2cap_connect_rsp_defer(pi->chan);
1026 }
1027
1028 err = 0;
1029 goto done;
1030 }
1031
1032 release_sock(sk);
1033
1034 if (sock->type == SOCK_STREAM)
1035 err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1036 else
1037 err = bt_sock_recvmsg(sock, msg, len, flags);
1038
1039 if (pi->chan->mode != L2CAP_MODE_ERTM)
1040 return err;
1041
1042 /* Attempt to put pending rx data in the socket buffer */
1043
1044 lock_sock(sk);
1045
1046 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1047 goto done;
1048
1049 if (pi->rx_busy_skb) {
1050 if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1051 pi->rx_busy_skb = NULL;
1052 else
1053 goto done;
1054 }
1055
1056 /* Restore data flow when half of the receive buffer is
1057 * available. This avoids resending large numbers of
1058 * frames.
1059 */
1060 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1061 l2cap_chan_busy(pi->chan, 0);
1062
1063done:
1064 release_sock(sk);
1065 return err;
1066}
1067
1068/* Kill socket (only if zapped and orphan)
Olivier Deprez0e641232021-09-23 10:07:05 +0200[diff] [blame^]1069 * Must be called on unlocked socket, with l2cap channel lock.
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]1070 */
1071static void l2cap_sock_kill(struct sock *sk)
1072{
1073 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1074 return;
1075
1076 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1077
1078 /* Kill poor orphan */
1079
1080 l2cap_chan_put(l2cap_pi(sk)->chan);
1081 sock_set_flag(sk, SOCK_DEAD);
1082 sock_put(sk);
1083}
1084
1085static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1086{
1087 DECLARE_WAITQUEUE(wait, current);
1088 int err = 0;
1089 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1090 /* Timeout to prevent infinite loop */
1091 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1092
1093 add_wait_queue(sk_sleep(sk), &wait);
1094 set_current_state(TASK_INTERRUPTIBLE);
1095 do {
1096 BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1097 chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1098 jiffies_to_msecs(timeout - jiffies));
1099
1100 if (!timeo)
1101 timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1102
1103 if (signal_pending(current)) {
1104 err = sock_intr_errno(timeo);
1105 break;
1106 }
1107
1108 release_sock(sk);
1109 timeo = schedule_timeout(timeo);
1110 lock_sock(sk);
1111 set_current_state(TASK_INTERRUPTIBLE);
1112
1113 err = sock_error(sk);
1114 if (err)
1115 break;
1116
1117 if (time_after(jiffies, timeout)) {
1118 err = -ENOLINK;
1119 break;
1120 }
1121
1122 } while (chan->unacked_frames > 0 &&
1123 chan->state == BT_CONNECTED);
1124
1125 set_current_state(TASK_RUNNING);
1126 remove_wait_queue(sk_sleep(sk), &wait);
1127 return err;
1128}
1129
1130static int l2cap_sock_shutdown(struct socket *sock, int how)
1131{
1132 struct sock *sk = sock->sk;
1133 struct l2cap_chan *chan;
1134 struct l2cap_conn *conn;
1135 int err = 0;
1136
1137 BT_DBG("sock %p, sk %p", sock, sk);
1138
1139 if (!sk)
1140 return 0;
1141
1142 lock_sock(sk);
1143
1144 if (sk->sk_shutdown)
1145 goto shutdown_already;
1146
1147 BT_DBG("Handling sock shutdown");
1148
1149 /* prevent sk structure from being freed whilst unlocked */
1150 sock_hold(sk);
1151
1152 chan = l2cap_pi(sk)->chan;
1153 /* prevent chan structure from being freed whilst unlocked */
1154 l2cap_chan_hold(chan);
1155
1156 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1157
1158 if (chan->mode == L2CAP_MODE_ERTM &&
1159 chan->unacked_frames > 0 &&
1160 chan->state == BT_CONNECTED) {
1161 err = __l2cap_wait_ack(sk, chan);
1162
1163 /* After waiting for ACKs, check whether shutdown
1164 * has already been actioned to close the L2CAP
1165 * link such as by l2cap_disconnection_req().
1166 */
1167 if (sk->sk_shutdown)
1168 goto has_shutdown;
1169 }
1170
1171 sk->sk_shutdown = SHUTDOWN_MASK;
1172 release_sock(sk);
1173
1174 l2cap_chan_lock(chan);
1175 conn = chan->conn;
1176 if (conn)
1177 /* prevent conn structure from being freed */
1178 l2cap_conn_get(conn);
1179 l2cap_chan_unlock(chan);
1180
1181 if (conn)
1182 /* mutex lock must be taken before l2cap_chan_lock() */
1183 mutex_lock(&conn->chan_lock);
1184
1185 l2cap_chan_lock(chan);
1186 l2cap_chan_close(chan, 0);
1187 l2cap_chan_unlock(chan);
1188
1189 if (conn) {
1190 mutex_unlock(&conn->chan_lock);
1191 l2cap_conn_put(conn);
1192 }
1193
1194 lock_sock(sk);
1195
1196 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1197 !(current->flags & PF_EXITING))
1198 err = bt_sock_wait_state(sk, BT_CLOSED,
1199 sk->sk_lingertime);
1200
1201has_shutdown:
1202 l2cap_chan_put(chan);
1203 sock_put(sk);
1204
1205shutdown_already:
1206 if (!err && sk->sk_err)
1207 err = -sk->sk_err;
1208
1209 release_sock(sk);
1210
1211 BT_DBG("Sock shutdown complete err: %d", err);
1212
1213 return err;
1214}
1215
1216static int l2cap_sock_release(struct socket *sock)
1217{
1218 struct sock *sk = sock->sk;
1219 int err;
Olivier Deprez0e641232021-09-23 10:07:05 +0200[diff] [blame^]1220 struct l2cap_chan *chan;
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]1221
1222 BT_DBG("sock %p, sk %p", sock, sk);
1223
1224 if (!sk)
1225 return 0;
1226
1227 bt_sock_unlink(&l2cap_sk_list, sk);
1228
1229 err = l2cap_sock_shutdown(sock, 2);
Olivier Deprez0e641232021-09-23 10:07:05 +0200[diff] [blame^]1230 chan = l2cap_pi(sk)->chan;
1231
1232 l2cap_chan_hold(chan);
1233 l2cap_chan_lock(chan);
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]1234
1235 sock_orphan(sk);
1236 l2cap_sock_kill(sk);
Olivier Deprez0e641232021-09-23 10:07:05 +0200[diff] [blame^]1237
1238 l2cap_chan_unlock(chan);
1239 l2cap_chan_put(chan);
1240
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]1241 return err;
1242}
1243
1244static void l2cap_sock_cleanup_listen(struct sock *parent)
1245{
1246 struct sock *sk;
1247
1248 BT_DBG("parent %p state %s", parent,
1249 state_to_string(parent->sk_state));
1250
1251 /* Close not yet accepted channels */
1252 while ((sk = bt_accept_dequeue(parent, NULL))) {
1253 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1254
1255 BT_DBG("child chan %p state %s", chan,
1256 state_to_string(chan->state));
1257
Olivier Deprez0e641232021-09-23 10:07:05 +0200[diff] [blame^]1258 l2cap_chan_hold(chan);
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]1259 l2cap_chan_lock(chan);
Olivier Deprez0e641232021-09-23 10:07:05 +0200[diff] [blame^]1260
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]1261 __clear_chan_timer(chan);
1262 l2cap_chan_close(chan, ECONNRESET);
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]1263 l2cap_sock_kill(sk);
Olivier Deprez0e641232021-09-23 10:07:05 +0200[diff] [blame^]1264
1265 l2cap_chan_unlock(chan);
1266 l2cap_chan_put(chan);
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]1267 }
1268}
1269
1270static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1271{
1272 struct sock *sk, *parent = chan->data;
1273
1274 lock_sock(parent);
1275
1276 /* Check for backlog size */
1277 if (sk_acceptq_is_full(parent)) {
1278 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1279 release_sock(parent);
1280 return NULL;
1281 }
1282
1283 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1284 GFP_ATOMIC, 0);
1285 if (!sk) {
1286 release_sock(parent);
1287 return NULL;
1288 }
1289
1290 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1291
1292 l2cap_sock_init(sk, parent);
1293
David Brazdil0f672f62019-12-10 10:32:29 +0000[diff] [blame]1294 bt_accept_enqueue(parent, sk, false);
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]1295
1296 release_sock(parent);
1297
1298 return l2cap_pi(sk)->chan;
1299}
1300
1301static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1302{
1303 struct sock *sk = chan->data;
1304 int err;
1305
1306 lock_sock(sk);
1307
1308 if (l2cap_pi(sk)->rx_busy_skb) {
1309 err = -ENOMEM;
1310 goto done;
1311 }
1312
1313 if (chan->mode != L2CAP_MODE_ERTM &&
1314 chan->mode != L2CAP_MODE_STREAMING) {
1315 /* Even if no filter is attached, we could potentially
1316 * get errors from security modules, etc.
1317 */
1318 err = sk_filter(sk, skb);
1319 if (err)
1320 goto done;
1321 }
1322
1323 err = __sock_queue_rcv_skb(sk, skb);
1324
1325 /* For ERTM, handle one skb that doesn't fit into the recv
1326 * buffer. This is important to do because the data frames
1327 * have already been acked, so the skb cannot be discarded.
1328 *
1329 * Notify the l2cap core that the buffer is full, so the
1330 * LOCAL_BUSY state is entered and no more frames are
1331 * acked and reassembled until there is buffer space
1332 * available.
1333 */
1334 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1335 l2cap_pi(sk)->rx_busy_skb = skb;
1336 l2cap_chan_busy(chan, 1);
1337 err = 0;
1338 }
1339
1340done:
1341 release_sock(sk);
1342
1343 return err;
1344}
1345
1346static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1347{
1348 struct sock *sk = chan->data;
1349
1350 l2cap_sock_kill(sk);
1351}
1352
1353static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1354{
1355 struct sock *sk = chan->data;
1356 struct sock *parent;
1357
1358 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1359
1360 /* This callback can be called both for server (BT_LISTEN)
1361 * sockets as well as "normal" ones. To avoid lockdep warnings
1362 * with child socket locking (through l2cap_sock_cleanup_listen)
1363 * we need separation into separate nesting levels. The simplest
1364 * way to accomplish this is to inherit the nesting level used
1365 * for the channel.
1366 */
1367 lock_sock_nested(sk, atomic_read(&chan->nesting));
1368
1369 parent = bt_sk(sk)->parent;
1370
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]1371 switch (chan->state) {
1372 case BT_OPEN:
1373 case BT_BOUND:
1374 case BT_CLOSED:
1375 break;
1376 case BT_LISTEN:
1377 l2cap_sock_cleanup_listen(sk);
1378 sk->sk_state = BT_CLOSED;
1379 chan->state = BT_CLOSED;
1380
1381 break;
1382 default:
1383 sk->sk_state = BT_CLOSED;
1384 chan->state = BT_CLOSED;
1385
1386 sk->sk_err = err;
1387
1388 if (parent) {
1389 bt_accept_unlink(sk);
1390 parent->sk_data_ready(parent);
1391 } else {
1392 sk->sk_state_change(sk);
1393 }
1394
1395 break;
1396 }
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]1397 release_sock(sk);
Olivier Deprez0e641232021-09-23 10:07:05 +0200[diff] [blame^]1398
1399 /* Only zap after cleanup to avoid use after free race */
1400 sock_set_flag(sk, SOCK_ZAPPED);
1401
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]1402}
1403
1404static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1405 int err)
1406{
1407 struct sock *sk = chan->data;
1408
1409 sk->sk_state = state;
1410
1411 if (err)
1412 sk->sk_err = err;
1413}
1414
1415static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1416 unsigned long hdr_len,
1417 unsigned long len, int nb)
1418{
1419 struct sock *sk = chan->data;
1420 struct sk_buff *skb;
1421 int err;
1422
1423 l2cap_chan_unlock(chan);
1424 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1425 l2cap_chan_lock(chan);
1426
1427 if (!skb)
1428 return ERR_PTR(err);
1429
1430 skb->priority = sk->sk_priority;
1431
1432 bt_cb(skb)->l2cap.chan = chan;
1433
1434 return skb;
1435}
1436
1437static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1438{
1439 struct sock *sk = chan->data;
1440 struct sock *parent;
1441
1442 lock_sock(sk);
1443
1444 parent = bt_sk(sk)->parent;
1445
1446 BT_DBG("sk %p, parent %p", sk, parent);
1447
1448 sk->sk_state = BT_CONNECTED;
1449 sk->sk_state_change(sk);
1450
1451 if (parent)
1452 parent->sk_data_ready(parent);
1453
1454 release_sock(sk);
1455}
1456
1457static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1458{
1459 struct sock *parent, *sk = chan->data;
1460
1461 lock_sock(sk);
1462
1463 parent = bt_sk(sk)->parent;
1464 if (parent)
1465 parent->sk_data_ready(parent);
1466
1467 release_sock(sk);
1468}
1469
1470static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1471{
1472 struct sock *sk = chan->data;
1473
1474 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1475 sk->sk_state = BT_CONNECTED;
1476 chan->state = BT_CONNECTED;
1477 }
1478
1479 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1480 sk->sk_state_change(sk);
1481}
1482
1483static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1484{
1485 struct sock *sk = chan->data;
1486
1487 lock_sock(sk);
1488 sk->sk_shutdown = SHUTDOWN_MASK;
1489 release_sock(sk);
1490}
1491
1492static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1493{
1494 struct sock *sk = chan->data;
1495
1496 return sk->sk_sndtimeo;
1497}
1498
1499static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1500{
1501 struct sock *sk = chan->data;
1502
1503 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1504 sk->sk_state_change(sk);
1505}
1506
Olivier Deprez0e641232021-09-23 10:07:05 +0200[diff] [blame^]1507static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
1508{
1509 struct sock *sk = chan->data;
1510
1511 switch (chan->mode) {
1512 case L2CAP_MODE_ERTM:
1513 case L2CAP_MODE_STREAMING:
1514 return sk_filter(sk, skb);
1515 }
1516
1517 return 0;
1518}
1519
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]1520static const struct l2cap_ops l2cap_chan_ops = {
1521 .name = "L2CAP Socket Interface",
1522 .new_connection = l2cap_sock_new_connection_cb,
1523 .recv = l2cap_sock_recv_cb,
1524 .close = l2cap_sock_close_cb,
1525 .teardown = l2cap_sock_teardown_cb,
1526 .state_change = l2cap_sock_state_change_cb,
1527 .ready = l2cap_sock_ready_cb,
1528 .defer = l2cap_sock_defer_cb,
1529 .resume = l2cap_sock_resume_cb,
1530 .suspend = l2cap_sock_suspend_cb,
1531 .set_shutdown = l2cap_sock_set_shutdown_cb,
1532 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1533 .alloc_skb = l2cap_sock_alloc_skb_cb,
Olivier Deprez0e641232021-09-23 10:07:05 +0200[diff] [blame^]1534 .filter = l2cap_sock_filter,
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]1535};
1536
1537static void l2cap_sock_destruct(struct sock *sk)
1538{
1539 BT_DBG("sk %p", sk);
1540
1541 if (l2cap_pi(sk)->chan)
1542 l2cap_chan_put(l2cap_pi(sk)->chan);
1543
1544 if (l2cap_pi(sk)->rx_busy_skb) {
1545 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1546 l2cap_pi(sk)->rx_busy_skb = NULL;
1547 }
1548
1549 skb_queue_purge(&sk->sk_receive_queue);
1550 skb_queue_purge(&sk->sk_write_queue);
1551}
1552
1553static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1554 int *msg_namelen)
1555{
1556 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1557
1558 memset(la, 0, sizeof(struct sockaddr_l2));
1559 la->l2_family = AF_BLUETOOTH;
1560 la->l2_psm = bt_cb(skb)->l2cap.psm;
1561 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1562
1563 *msg_namelen = sizeof(struct sockaddr_l2);
1564}
1565
1566static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1567{
1568 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1569
1570 BT_DBG("sk %p", sk);
1571
1572 if (parent) {
1573 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1574
1575 sk->sk_type = parent->sk_type;
1576 bt_sk(sk)->flags = bt_sk(parent)->flags;
1577
1578 chan->chan_type = pchan->chan_type;
1579 chan->imtu = pchan->imtu;
1580 chan->omtu = pchan->omtu;
1581 chan->conf_state = pchan->conf_state;
1582 chan->mode = pchan->mode;
1583 chan->fcs = pchan->fcs;
1584 chan->max_tx = pchan->max_tx;
1585 chan->tx_win = pchan->tx_win;
1586 chan->tx_win_max = pchan->tx_win_max;
1587 chan->sec_level = pchan->sec_level;
1588 chan->flags = pchan->flags;
1589 chan->tx_credits = pchan->tx_credits;
1590 chan->rx_credits = pchan->rx_credits;
1591
1592 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1593 chan->scid = pchan->scid;
1594 chan->dcid = pchan->scid;
1595 }
1596
1597 security_sk_clone(parent, sk);
1598 } else {
1599 switch (sk->sk_type) {
1600 case SOCK_RAW:
1601 chan->chan_type = L2CAP_CHAN_RAW;
1602 break;
1603 case SOCK_DGRAM:
1604 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1605 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1606 break;
1607 case SOCK_SEQPACKET:
1608 case SOCK_STREAM:
1609 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1610 break;
1611 }
1612
1613 chan->imtu = L2CAP_DEFAULT_MTU;
1614 chan->omtu = 0;
1615 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1616 chan->mode = L2CAP_MODE_ERTM;
1617 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1618 } else {
1619 chan->mode = L2CAP_MODE_BASIC;
1620 }
1621
1622 l2cap_chan_set_defaults(chan);
1623 }
1624
1625 /* Default config options */
1626 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1627
1628 chan->data = sk;
1629 chan->ops = &l2cap_chan_ops;
1630}
1631
1632static struct proto l2cap_proto = {
1633 .name = "L2CAP",
1634 .owner = THIS_MODULE,
1635 .obj_size = sizeof(struct l2cap_pinfo)
1636};
1637
1638static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1639 int proto, gfp_t prio, int kern)
1640{
1641 struct sock *sk;
1642 struct l2cap_chan *chan;
1643
1644 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern);
1645 if (!sk)
1646 return NULL;
1647
1648 sock_init_data(sock, sk);
1649 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1650
1651 sk->sk_destruct = l2cap_sock_destruct;
1652 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1653
1654 sock_reset_flag(sk, SOCK_ZAPPED);
1655
1656 sk->sk_protocol = proto;
1657 sk->sk_state = BT_OPEN;
1658
1659 chan = l2cap_chan_create();
1660 if (!chan) {
1661 sk_free(sk);
1662 return NULL;
1663 }
1664
1665 l2cap_chan_hold(chan);
1666
1667 l2cap_pi(sk)->chan = chan;
1668
1669 return sk;
1670}
1671
1672static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1673 int kern)
1674{
1675 struct sock *sk;
1676
1677 BT_DBG("sock %p", sock);
1678
1679 sock->state = SS_UNCONNECTED;
1680
1681 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1682 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1683 return -ESOCKTNOSUPPORT;
1684
1685 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1686 return -EPERM;
1687
1688 sock->ops = &l2cap_sock_ops;
1689
1690 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1691 if (!sk)
1692 return -ENOMEM;
1693
1694 l2cap_sock_init(sk, NULL);
1695 bt_sock_link(&l2cap_sk_list, sk);
1696 return 0;
1697}
1698
1699static const struct proto_ops l2cap_sock_ops = {
1700 .family = PF_BLUETOOTH,
1701 .owner = THIS_MODULE,
1702 .release = l2cap_sock_release,
1703 .bind = l2cap_sock_bind,
1704 .connect = l2cap_sock_connect,
1705 .listen = l2cap_sock_listen,
1706 .accept = l2cap_sock_accept,
1707 .getname = l2cap_sock_getname,
1708 .sendmsg = l2cap_sock_sendmsg,
1709 .recvmsg = l2cap_sock_recvmsg,
1710 .poll = bt_sock_poll,
1711 .ioctl = bt_sock_ioctl,
David Brazdil0f672f62019-12-10 10:32:29 +0000[diff] [blame]1712 .gettstamp = sock_gettstamp,
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]1713 .mmap = sock_no_mmap,
1714 .socketpair = sock_no_socketpair,
1715 .shutdown = l2cap_sock_shutdown,
1716 .setsockopt = l2cap_sock_setsockopt,
1717 .getsockopt = l2cap_sock_getsockopt
1718};
1719
1720static const struct net_proto_family l2cap_sock_family_ops = {
1721 .family = PF_BLUETOOTH,
1722 .owner = THIS_MODULE,
1723 .create = l2cap_sock_create,
1724};
1725
1726int __init l2cap_init_sockets(void)
1727{
1728 int err;
1729
1730 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1731
1732 err = proto_register(&l2cap_proto, 0);
1733 if (err < 0)
1734 return err;
1735
1736 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1737 if (err < 0) {
1738 BT_ERR("L2CAP socket registration failed");
1739 goto error;
1740 }
1741
1742 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1743 NULL);
1744 if (err < 0) {
1745 BT_ERR("Failed to create L2CAP proc file");
1746 bt_sock_unregister(BTPROTO_L2CAP);
1747 goto error;
1748 }
1749
1750 BT_INFO("L2CAP socket layer initialized");
1751
1752 return 0;
1753
1754error:
1755 proto_unregister(&l2cap_proto);
1756 return err;
1757}
1758
1759void l2cap_cleanup_sockets(void)
1760{
1761 bt_procfs_cleanup(&init_net, "l2cap");
1762 bt_sock_unregister(BTPROTO_L2CAP);
1763 proto_unregister(&l2cap_proto);
1764}