2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
28 /* Bluetooth L2CAP sockets. */
30 #include <linux/module.h>
31 #include <linux/export.h>
32 #include <linux/sched/signal.h>
34 #include <net/bluetooth/bluetooth.h>
35 #include <net/bluetooth/hci_core.h>
36 #include <net/bluetooth/l2cap.h>
40 static struct bt_sock_list l2cap_sk_list = {
41 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
44 static const struct proto_ops l2cap_sock_ops;
45 static void l2cap_sock_init(struct sock *sk, struct sock *parent);
46 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
47 int proto, gfp_t prio, int kern);
49 bool l2cap_is_socket(struct socket *sock)
51 return sock && sock->ops == &l2cap_sock_ops;
53 EXPORT_SYMBOL(l2cap_is_socket);
55 static int l2cap_validate_bredr_psm(u16 psm)
57 /* PSM must be odd and lsb of upper byte must be 0 */
58 if ((psm & 0x0101) != 0x0001)
61 /* Restrict usage of well-known PSMs */
62 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
68 static int l2cap_validate_le_psm(u16 psm)
70 /* Valid LE_PSM ranges are defined only until 0x00ff */
71 if (psm > L2CAP_PSM_LE_DYN_END)
74 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
75 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
81 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
83 struct sock *sk = sock->sk;
84 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
85 struct sockaddr_l2 la;
90 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
91 addr->sa_family != AF_BLUETOOTH)
94 memset(&la, 0, sizeof(la));
95 len = min_t(unsigned int, sizeof(la), alen);
96 memcpy(&la, addr, len);
98 if (la.l2_cid && la.l2_psm)
101 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
104 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
105 /* We only allow ATT user space socket */
107 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
113 if (sk->sk_state != BT_OPEN) {
119 __u16 psm = __le16_to_cpu(la.l2_psm);
121 if (la.l2_bdaddr_type == BDADDR_BREDR)
122 err = l2cap_validate_bredr_psm(psm);
124 err = l2cap_validate_le_psm(psm);
130 bacpy(&chan->src, &la.l2_bdaddr);
131 chan->src_type = la.l2_bdaddr_type;
134 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
136 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
141 switch (chan->chan_type) {
142 case L2CAP_CHAN_CONN_LESS:
143 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
144 chan->sec_level = BT_SECURITY_SDP;
146 case L2CAP_CHAN_CONN_ORIENTED:
147 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
148 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
149 chan->sec_level = BT_SECURITY_SDP;
152 chan->sec_level = BT_SECURITY_SDP;
154 case L2CAP_CHAN_FIXED:
155 /* Fixed channels default to the L2CAP core not holding a
156 * hci_conn reference for them. For fixed channels mapping to
157 * L2CAP sockets we do want to hold a reference so set the
158 * appropriate flag to request it.
160 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
164 if (chan->psm && bdaddr_type_is_le(chan->src_type))
165 chan->mode = L2CAP_MODE_LE_FLOWCTL;
167 chan->state = BT_BOUND;
168 sk->sk_state = BT_BOUND;
175 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
178 struct sock *sk = sock->sk;
179 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
180 struct sockaddr_l2 la;
187 zapped = sock_flag(sk, SOCK_ZAPPED);
193 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
194 addr->sa_family != AF_BLUETOOTH)
197 memset(&la, 0, sizeof(la));
198 len = min_t(unsigned int, sizeof(la), alen);
199 memcpy(&la, addr, len);
201 if (la.l2_cid && la.l2_psm)
204 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
207 /* Check that the socket wasn't bound to something that
208 * conflicts with the address given to connect(). If chan->src
209 * is BDADDR_ANY it means bind() was never used, in which case
210 * chan->src_type and la.l2_bdaddr_type do not need to match.
212 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
213 bdaddr_type_is_le(la.l2_bdaddr_type)) {
214 /* Old user space versions will try to incorrectly bind
215 * the ATT socket using BDADDR_BREDR. We need to accept
216 * this and fix up the source address type only when
217 * both the source CID and destination CID indicate
218 * ATT. Anything else is an invalid combination.
220 if (chan->scid != L2CAP_CID_ATT ||
221 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
224 /* We don't have the hdev available here to make a
225 * better decision on random vs public, but since all
226 * user space versions that exhibit this issue anyway do
227 * not support random local addresses assuming public
228 * here is good enough.
230 chan->src_type = BDADDR_LE_PUBLIC;
233 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
236 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
237 /* We only allow ATT user space socket */
239 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
243 if (chan->psm && bdaddr_type_is_le(chan->src_type))
244 chan->mode = L2CAP_MODE_LE_FLOWCTL;
246 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
247 &la.l2_bdaddr, la.l2_bdaddr_type);
253 err = bt_sock_wait_state(sk, BT_CONNECTED,
254 sock_sndtimeo(sk, flags & O_NONBLOCK));
261 static int l2cap_sock_listen(struct socket *sock, int backlog)
263 struct sock *sk = sock->sk;
264 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
267 BT_DBG("sk %p backlog %d", sk, backlog);
271 if (sk->sk_state != BT_BOUND) {
276 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
281 switch (chan->mode) {
282 case L2CAP_MODE_BASIC:
283 case L2CAP_MODE_LE_FLOWCTL:
285 case L2CAP_MODE_ERTM:
286 case L2CAP_MODE_STREAMING:
295 sk->sk_max_ack_backlog = backlog;
296 sk->sk_ack_backlog = 0;
298 /* Listening channels need to use nested locking in order not to
299 * cause lockdep warnings when the created child channels end up
300 * being locked in the same thread as the parent channel.
302 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
304 chan->state = BT_LISTEN;
305 sk->sk_state = BT_LISTEN;
312 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
313 int flags, bool kern)
315 DEFINE_WAIT_FUNC(wait, woken_wake_function);
316 struct sock *sk = sock->sk, *nsk;
320 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
322 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
324 BT_DBG("sk %p timeo %ld", sk, timeo);
326 /* Wait for an incoming connection. (wake-one). */
327 add_wait_queue_exclusive(sk_sleep(sk), &wait);
329 if (sk->sk_state != BT_LISTEN) {
334 nsk = bt_accept_dequeue(sk, newsock);
343 if (signal_pending(current)) {
344 err = sock_intr_errno(timeo);
350 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
352 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
354 remove_wait_queue(sk_sleep(sk), &wait);
359 newsock->state = SS_CONNECTED;
361 BT_DBG("new socket %p", nsk);
368 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
371 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
372 struct sock *sk = sock->sk;
373 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
375 BT_DBG("sock %p, sk %p", sock, sk);
377 if (peer && sk->sk_state != BT_CONNECTED &&
378 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
379 sk->sk_state != BT_CONFIG)
382 memset(la, 0, sizeof(struct sockaddr_l2));
383 addr->sa_family = AF_BLUETOOTH;
384 *len = sizeof(struct sockaddr_l2);
386 la->l2_psm = chan->psm;
389 bacpy(&la->l2_bdaddr, &chan->dst);
390 la->l2_cid = cpu_to_le16(chan->dcid);
391 la->l2_bdaddr_type = chan->dst_type;
393 bacpy(&la->l2_bdaddr, &chan->src);
394 la->l2_cid = cpu_to_le16(chan->scid);
395 la->l2_bdaddr_type = chan->src_type;
401 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
402 char __user *optval, int __user *optlen)
404 struct sock *sk = sock->sk;
405 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
406 struct l2cap_options opts;
407 struct l2cap_conninfo cinfo;
413 if (get_user(len, optlen))
420 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
421 * legacy ATT code depends on getsockopt for
422 * L2CAP_OPTIONS we need to let this pass.
424 if (bdaddr_type_is_le(chan->src_type) &&
425 chan->scid != L2CAP_CID_ATT) {
430 memset(&opts, 0, sizeof(opts));
431 opts.imtu = chan->imtu;
432 opts.omtu = chan->omtu;
433 opts.flush_to = chan->flush_to;
434 opts.mode = chan->mode;
435 opts.fcs = chan->fcs;
436 opts.max_tx = chan->max_tx;
437 opts.txwin_size = chan->tx_win;
439 len = min_t(unsigned int, len, sizeof(opts));
440 if (copy_to_user(optval, (char *) &opts, len))
446 switch (chan->sec_level) {
447 case BT_SECURITY_LOW:
450 case BT_SECURITY_MEDIUM:
451 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
453 case BT_SECURITY_HIGH:
454 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
457 case BT_SECURITY_FIPS:
458 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
459 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
466 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
467 opt |= L2CAP_LM_MASTER;
469 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
470 opt |= L2CAP_LM_RELIABLE;
472 if (put_user(opt, (u32 __user *) optval))
478 if (sk->sk_state != BT_CONNECTED &&
479 !(sk->sk_state == BT_CONNECT2 &&
480 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
485 memset(&cinfo, 0, sizeof(cinfo));
486 cinfo.hci_handle = chan->conn->hcon->handle;
487 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
489 len = min_t(unsigned int, len, sizeof(cinfo));
490 if (copy_to_user(optval, (char *) &cinfo, len))
504 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
505 char __user *optval, int __user *optlen)
507 struct sock *sk = sock->sk;
508 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
509 struct bt_security sec;
515 if (level == SOL_L2CAP)
516 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
518 if (level != SOL_BLUETOOTH)
521 if (get_user(len, optlen))
528 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
529 chan->chan_type != L2CAP_CHAN_FIXED &&
530 chan->chan_type != L2CAP_CHAN_RAW) {
535 memset(&sec, 0, sizeof(sec));
537 sec.level = chan->conn->hcon->sec_level;
539 if (sk->sk_state == BT_CONNECTED)
540 sec.key_size = chan->conn->hcon->enc_key_size;
542 sec.level = chan->sec_level;
545 len = min_t(unsigned int, len, sizeof(sec));
546 if (copy_to_user(optval, (char *) &sec, len))
552 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
557 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
558 (u32 __user *) optval))
564 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
565 (u32 __user *) optval))
571 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
572 && sk->sk_type != SOCK_RAW) {
577 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
579 len = min_t(unsigned int, len, sizeof(pwr));
580 if (copy_to_user(optval, (char *) &pwr, len))
585 case BT_CHANNEL_POLICY:
586 if (put_user(chan->chan_policy, (u32 __user *) optval))
591 if (!bdaddr_type_is_le(chan->src_type)) {
596 if (sk->sk_state != BT_CONNECTED) {
601 if (put_user(chan->omtu, (u16 __user *) optval))
606 if (!bdaddr_type_is_le(chan->src_type)) {
611 if (put_user(chan->imtu, (u16 __user *) optval))
624 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
626 switch (chan->scid) {
628 if (mtu < L2CAP_LE_MIN_MTU)
633 if (mtu < L2CAP_DEFAULT_MIN_MTU)
640 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
641 char __user *optval, unsigned int optlen)
643 struct sock *sk = sock->sk;
644 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
645 struct l2cap_options opts;
655 if (bdaddr_type_is_le(chan->src_type)) {
660 if (sk->sk_state == BT_CONNECTED) {
665 opts.imtu = chan->imtu;
666 opts.omtu = chan->omtu;
667 opts.flush_to = chan->flush_to;
668 opts.mode = chan->mode;
669 opts.fcs = chan->fcs;
670 opts.max_tx = chan->max_tx;
671 opts.txwin_size = chan->tx_win;
673 len = min_t(unsigned int, sizeof(opts), optlen);
674 if (copy_from_user((char *) &opts, optval, len)) {
679 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
684 if (!l2cap_valid_mtu(chan, opts.imtu)) {
689 chan->mode = opts.mode;
690 switch (chan->mode) {
691 case L2CAP_MODE_LE_FLOWCTL:
693 case L2CAP_MODE_BASIC:
694 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
696 case L2CAP_MODE_ERTM:
697 case L2CAP_MODE_STREAMING:
706 chan->imtu = opts.imtu;
707 chan->omtu = opts.omtu;
708 chan->fcs = opts.fcs;
709 chan->max_tx = opts.max_tx;
710 chan->tx_win = opts.txwin_size;
711 chan->flush_to = opts.flush_to;
715 if (get_user(opt, (u32 __user *) optval)) {
720 if (opt & L2CAP_LM_FIPS) {
725 if (opt & L2CAP_LM_AUTH)
726 chan->sec_level = BT_SECURITY_LOW;
727 if (opt & L2CAP_LM_ENCRYPT)
728 chan->sec_level = BT_SECURITY_MEDIUM;
729 if (opt & L2CAP_LM_SECURE)
730 chan->sec_level = BT_SECURITY_HIGH;
732 if (opt & L2CAP_LM_MASTER)
733 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
735 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
737 if (opt & L2CAP_LM_RELIABLE)
738 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
740 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
752 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
753 char __user *optval, unsigned int optlen)
755 struct sock *sk = sock->sk;
756 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
757 struct bt_security sec;
759 struct l2cap_conn *conn;
765 if (level == SOL_L2CAP)
766 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
768 if (level != SOL_BLUETOOTH)
775 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
776 chan->chan_type != L2CAP_CHAN_FIXED &&
777 chan->chan_type != L2CAP_CHAN_RAW) {
782 sec.level = BT_SECURITY_LOW;
784 len = min_t(unsigned int, sizeof(sec), optlen);
785 if (copy_from_user((char *) &sec, optval, len)) {
790 if (sec.level < BT_SECURITY_LOW ||
791 sec.level > BT_SECURITY_FIPS) {
796 chan->sec_level = sec.level;
803 /*change security for LE channels */
804 if (chan->scid == L2CAP_CID_ATT) {
805 if (smp_conn_security(conn->hcon, sec.level))
807 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
808 sk->sk_state = BT_CONFIG;
809 chan->state = BT_CONFIG;
811 /* or for ACL link */
812 } else if ((sk->sk_state == BT_CONNECT2 &&
813 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
814 sk->sk_state == BT_CONNECTED) {
815 if (!l2cap_chan_check_security(chan, true))
816 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
818 sk->sk_state_change(sk);
825 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
830 if (get_user(opt, (u32 __user *) optval)) {
836 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
837 set_bit(FLAG_DEFER_SETUP, &chan->flags);
839 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
840 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
845 if (get_user(opt, (u32 __user *) optval)) {
850 if (opt > BT_FLUSHABLE_ON) {
855 if (opt == BT_FLUSHABLE_OFF) {
857 /* proceed further only when we have l2cap_conn and
858 No Flush support in the LM */
859 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
866 set_bit(FLAG_FLUSHABLE, &chan->flags);
868 clear_bit(FLAG_FLUSHABLE, &chan->flags);
872 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
873 chan->chan_type != L2CAP_CHAN_RAW) {
878 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
880 len = min_t(unsigned int, sizeof(pwr), optlen);
881 if (copy_from_user((char *) &pwr, optval, len)) {
886 if (pwr.force_active)
887 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
889 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
892 case BT_CHANNEL_POLICY:
893 if (get_user(opt, (u32 __user *) optval)) {
898 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
903 if (chan->mode != L2CAP_MODE_ERTM &&
904 chan->mode != L2CAP_MODE_STREAMING) {
909 chan->chan_policy = (u8) opt;
911 if (sk->sk_state == BT_CONNECTED &&
912 chan->move_role == L2CAP_MOVE_ROLE_NONE)
913 l2cap_move_start(chan);
918 if (!bdaddr_type_is_le(chan->src_type)) {
923 /* Setting is not supported as it's the remote side that
930 if (!bdaddr_type_is_le(chan->src_type)) {
935 if (sk->sk_state == BT_CONNECTED) {
940 if (get_user(opt, (u16 __user *) optval)) {
957 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
960 struct sock *sk = sock->sk;
961 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
964 BT_DBG("sock %p, sk %p", sock, sk);
966 err = sock_error(sk);
970 if (msg->msg_flags & MSG_OOB)
973 if (sk->sk_state != BT_CONNECTED)
977 err = bt_sock_wait_ready(sk, msg->msg_flags);
982 l2cap_chan_lock(chan);
983 err = l2cap_chan_send(chan, msg, len);
984 l2cap_chan_unlock(chan);
989 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
990 size_t len, int flags)
992 struct sock *sk = sock->sk;
993 struct l2cap_pinfo *pi = l2cap_pi(sk);
998 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
999 &bt_sk(sk)->flags)) {
1000 if (bdaddr_type_is_le(pi->chan->src_type)) {
1001 sk->sk_state = BT_CONNECTED;
1002 pi->chan->state = BT_CONNECTED;
1003 __l2cap_le_connect_rsp_defer(pi->chan);
1005 sk->sk_state = BT_CONFIG;
1006 pi->chan->state = BT_CONFIG;
1007 __l2cap_connect_rsp_defer(pi->chan);
1016 if (sock->type == SOCK_STREAM)
1017 err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1019 err = bt_sock_recvmsg(sock, msg, len, flags);
1021 if (pi->chan->mode != L2CAP_MODE_ERTM)
1024 /* Attempt to put pending rx data in the socket buffer */
1028 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1031 if (pi->rx_busy_skb) {
1032 if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1033 pi->rx_busy_skb = NULL;
1038 /* Restore data flow when half of the receive buffer is
1039 * available. This avoids resending large numbers of
1042 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1043 l2cap_chan_busy(pi->chan, 0);
1050 /* Kill socket (only if zapped and orphan)
1051 * Must be called on unlocked socket, with l2cap channel lock.
1053 static void l2cap_sock_kill(struct sock *sk)
1055 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1058 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1060 /* Kill poor orphan */
1062 l2cap_chan_put(l2cap_pi(sk)->chan);
1063 sock_set_flag(sk, SOCK_DEAD);
1067 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1069 DECLARE_WAITQUEUE(wait, current);
1071 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1072 /* Timeout to prevent infinite loop */
1073 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1075 add_wait_queue(sk_sleep(sk), &wait);
1076 set_current_state(TASK_INTERRUPTIBLE);
1078 BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1079 chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1080 jiffies_to_msecs(timeout - jiffies));
1083 timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1085 if (signal_pending(current)) {
1086 err = sock_intr_errno(timeo);
1091 timeo = schedule_timeout(timeo);
1093 set_current_state(TASK_INTERRUPTIBLE);
1095 err = sock_error(sk);
1099 if (time_after(jiffies, timeout)) {
1104 } while (chan->unacked_frames > 0 &&
1105 chan->state == BT_CONNECTED);
1107 set_current_state(TASK_RUNNING);
1108 remove_wait_queue(sk_sleep(sk), &wait);
1112 static int l2cap_sock_shutdown(struct socket *sock, int how)
1114 struct sock *sk = sock->sk;
1115 struct l2cap_chan *chan;
1116 struct l2cap_conn *conn;
1119 BT_DBG("sock %p, sk %p", sock, sk);
1126 if (sk->sk_shutdown)
1127 goto shutdown_already;
1129 BT_DBG("Handling sock shutdown");
1131 /* prevent sk structure from being freed whilst unlocked */
1134 chan = l2cap_pi(sk)->chan;
1135 /* prevent chan structure from being freed whilst unlocked */
1136 l2cap_chan_hold(chan);
1138 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1140 if (chan->mode == L2CAP_MODE_ERTM &&
1141 chan->unacked_frames > 0 &&
1142 chan->state == BT_CONNECTED) {
1143 err = __l2cap_wait_ack(sk, chan);
1145 /* After waiting for ACKs, check whether shutdown
1146 * has already been actioned to close the L2CAP
1147 * link such as by l2cap_disconnection_req().
1149 if (sk->sk_shutdown)
1153 sk->sk_shutdown = SHUTDOWN_MASK;
1156 l2cap_chan_lock(chan);
1159 /* prevent conn structure from being freed */
1160 l2cap_conn_get(conn);
1161 l2cap_chan_unlock(chan);
1164 /* mutex lock must be taken before l2cap_chan_lock() */
1165 mutex_lock(&conn->chan_lock);
1167 l2cap_chan_lock(chan);
1168 l2cap_chan_close(chan, 0);
1169 l2cap_chan_unlock(chan);
1172 mutex_unlock(&conn->chan_lock);
1173 l2cap_conn_put(conn);
1178 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1179 !(current->flags & PF_EXITING))
1180 err = bt_sock_wait_state(sk, BT_CLOSED,
1184 l2cap_chan_put(chan);
1188 if (!err && sk->sk_err)
1193 BT_DBG("Sock shutdown complete err: %d", err);
1198 static int l2cap_sock_release(struct socket *sock)
1200 struct sock *sk = sock->sk;
1202 struct l2cap_chan *chan;
1204 BT_DBG("sock %p, sk %p", sock, sk);
1209 bt_sock_unlink(&l2cap_sk_list, sk);
1211 err = l2cap_sock_shutdown(sock, 2);
1212 chan = l2cap_pi(sk)->chan;
1214 l2cap_chan_hold(chan);
1215 l2cap_chan_lock(chan);
1218 l2cap_sock_kill(sk);
1220 l2cap_chan_unlock(chan);
1221 l2cap_chan_put(chan);
1226 static void l2cap_sock_cleanup_listen(struct sock *parent)
1230 BT_DBG("parent %p state %s", parent,
1231 state_to_string(parent->sk_state));
1233 /* Close not yet accepted channels */
1234 while ((sk = bt_accept_dequeue(parent, NULL))) {
1235 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1237 BT_DBG("child chan %p state %s", chan,
1238 state_to_string(chan->state));
1240 l2cap_chan_hold(chan);
1241 l2cap_chan_lock(chan);
1243 __clear_chan_timer(chan);
1244 l2cap_chan_close(chan, ECONNRESET);
1245 l2cap_sock_kill(sk);
1247 l2cap_chan_unlock(chan);
1248 l2cap_chan_put(chan);
1252 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1254 struct sock *sk, *parent = chan->data;
1258 /* Check for backlog size */
1259 if (sk_acceptq_is_full(parent)) {
1260 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1261 release_sock(parent);
1265 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1268 release_sock(parent);
1272 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1274 l2cap_sock_init(sk, parent);
1276 bt_accept_enqueue(parent, sk, false);
1278 release_sock(parent);
1280 return l2cap_pi(sk)->chan;
1283 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1285 struct sock *sk = chan->data;
1290 if (l2cap_pi(sk)->rx_busy_skb) {
1295 if (chan->mode != L2CAP_MODE_ERTM &&
1296 chan->mode != L2CAP_MODE_STREAMING) {
1297 /* Even if no filter is attached, we could potentially
1298 * get errors from security modules, etc.
1300 err = sk_filter(sk, skb);
1305 err = __sock_queue_rcv_skb(sk, skb);
1307 /* For ERTM, handle one skb that doesn't fit into the recv
1308 * buffer. This is important to do because the data frames
1309 * have already been acked, so the skb cannot be discarded.
1311 * Notify the l2cap core that the buffer is full, so the
1312 * LOCAL_BUSY state is entered and no more frames are
1313 * acked and reassembled until there is buffer space
1316 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1317 l2cap_pi(sk)->rx_busy_skb = skb;
1318 l2cap_chan_busy(chan, 1);
1328 static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1330 struct sock *sk = chan->data;
1335 l2cap_sock_kill(sk);
1338 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1340 struct sock *sk = chan->data;
1341 struct sock *parent;
1346 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1348 /* This callback can be called both for server (BT_LISTEN)
1349 * sockets as well as "normal" ones. To avoid lockdep warnings
1350 * with child socket locking (through l2cap_sock_cleanup_listen)
1351 * we need separation into separate nesting levels. The simplest
1352 * way to accomplish this is to inherit the nesting level used
1355 lock_sock_nested(sk, atomic_read(&chan->nesting));
1357 parent = bt_sk(sk)->parent;
1359 switch (chan->state) {
1365 l2cap_sock_cleanup_listen(sk);
1366 sk->sk_state = BT_CLOSED;
1367 chan->state = BT_CLOSED;
1371 sk->sk_state = BT_CLOSED;
1372 chan->state = BT_CLOSED;
1377 bt_accept_unlink(sk);
1378 parent->sk_data_ready(parent);
1380 sk->sk_state_change(sk);
1387 /* Only zap after cleanup to avoid use after free race */
1388 sock_set_flag(sk, SOCK_ZAPPED);
1392 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1395 struct sock *sk = chan->data;
1397 sk->sk_state = state;
1403 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1404 unsigned long hdr_len,
1405 unsigned long len, int nb)
1407 struct sock *sk = chan->data;
1408 struct sk_buff *skb;
1411 l2cap_chan_unlock(chan);
1412 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1413 l2cap_chan_lock(chan);
1416 return ERR_PTR(err);
1418 /* Channel lock is released before requesting new skb and then
1419 * reacquired thus we need to recheck channel state.
1421 if (chan->state != BT_CONNECTED) {
1423 return ERR_PTR(-ENOTCONN);
1426 skb->priority = sk->sk_priority;
1428 bt_cb(skb)->l2cap.chan = chan;
1433 static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1435 struct sock *sk = chan->data;
1436 struct sock *parent;
1440 parent = bt_sk(sk)->parent;
1442 BT_DBG("sk %p, parent %p", sk, parent);
1444 sk->sk_state = BT_CONNECTED;
1445 sk->sk_state_change(sk);
1448 parent->sk_data_ready(parent);
1453 static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1455 struct sock *parent, *sk = chan->data;
1459 parent = bt_sk(sk)->parent;
1461 parent->sk_data_ready(parent);
1466 static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1468 struct sock *sk = chan->data;
1470 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1471 sk->sk_state = BT_CONNECTED;
1472 chan->state = BT_CONNECTED;
1475 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1476 sk->sk_state_change(sk);
1479 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1481 struct sock *sk = chan->data;
1484 sk->sk_shutdown = SHUTDOWN_MASK;
1488 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1490 struct sock *sk = chan->data;
1492 return sk->sk_sndtimeo;
1495 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1497 struct sock *sk = chan->data;
1499 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1500 sk->sk_state_change(sk);
1503 static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
1505 struct sock *sk = chan->data;
1507 switch (chan->mode) {
1508 case L2CAP_MODE_ERTM:
1509 case L2CAP_MODE_STREAMING:
1510 return sk_filter(sk, skb);
1516 static const struct l2cap_ops l2cap_chan_ops = {
1517 .name = "L2CAP Socket Interface",
1518 .new_connection = l2cap_sock_new_connection_cb,
1519 .recv = l2cap_sock_recv_cb,
1520 .close = l2cap_sock_close_cb,
1521 .teardown = l2cap_sock_teardown_cb,
1522 .state_change = l2cap_sock_state_change_cb,
1523 .ready = l2cap_sock_ready_cb,
1524 .defer = l2cap_sock_defer_cb,
1525 .resume = l2cap_sock_resume_cb,
1526 .suspend = l2cap_sock_suspend_cb,
1527 .set_shutdown = l2cap_sock_set_shutdown_cb,
1528 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1529 .alloc_skb = l2cap_sock_alloc_skb_cb,
1530 .filter = l2cap_sock_filter,
1533 static void l2cap_sock_destruct(struct sock *sk)
1535 BT_DBG("sk %p", sk);
1537 if (l2cap_pi(sk)->chan) {
1538 l2cap_pi(sk)->chan->data = NULL;
1539 l2cap_chan_put(l2cap_pi(sk)->chan);
1542 if (l2cap_pi(sk)->rx_busy_skb) {
1543 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1544 l2cap_pi(sk)->rx_busy_skb = NULL;
1547 skb_queue_purge(&sk->sk_receive_queue);
1548 skb_queue_purge(&sk->sk_write_queue);
1551 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1554 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1556 memset(la, 0, sizeof(struct sockaddr_l2));
1557 la->l2_family = AF_BLUETOOTH;
1558 la->l2_psm = bt_cb(skb)->l2cap.psm;
1559 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1561 *msg_namelen = sizeof(struct sockaddr_l2);
1564 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1566 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1568 BT_DBG("sk %p", sk);
1571 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1573 sk->sk_type = parent->sk_type;
1574 bt_sk(sk)->flags = bt_sk(parent)->flags;
1576 chan->chan_type = pchan->chan_type;
1577 chan->imtu = pchan->imtu;
1578 chan->omtu = pchan->omtu;
1579 chan->conf_state = pchan->conf_state;
1580 chan->mode = pchan->mode;
1581 chan->fcs = pchan->fcs;
1582 chan->max_tx = pchan->max_tx;
1583 chan->tx_win = pchan->tx_win;
1584 chan->tx_win_max = pchan->tx_win_max;
1585 chan->sec_level = pchan->sec_level;
1586 chan->flags = pchan->flags;
1587 chan->tx_credits = pchan->tx_credits;
1588 chan->rx_credits = pchan->rx_credits;
1590 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1591 chan->scid = pchan->scid;
1592 chan->dcid = pchan->scid;
1595 security_sk_clone(parent, sk);
1597 switch (sk->sk_type) {
1599 chan->chan_type = L2CAP_CHAN_RAW;
1602 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1603 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1605 case SOCK_SEQPACKET:
1607 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1611 chan->imtu = L2CAP_DEFAULT_MTU;
1613 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1614 chan->mode = L2CAP_MODE_ERTM;
1615 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1617 chan->mode = L2CAP_MODE_BASIC;
1620 l2cap_chan_set_defaults(chan);
1623 /* Default config options */
1624 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1627 chan->ops = &l2cap_chan_ops;
1630 static struct proto l2cap_proto = {
1632 .owner = THIS_MODULE,
1633 .obj_size = sizeof(struct l2cap_pinfo)
1636 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1637 int proto, gfp_t prio, int kern)
1640 struct l2cap_chan *chan;
1642 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern);
1646 sock_init_data(sock, sk);
1647 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1649 sk->sk_destruct = l2cap_sock_destruct;
1650 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1652 sock_reset_flag(sk, SOCK_ZAPPED);
1654 sk->sk_protocol = proto;
1655 sk->sk_state = BT_OPEN;
1657 chan = l2cap_chan_create();
1663 l2cap_chan_hold(chan);
1665 l2cap_pi(sk)->chan = chan;
1670 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1675 BT_DBG("sock %p", sock);
1677 sock->state = SS_UNCONNECTED;
1679 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1680 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1681 return -ESOCKTNOSUPPORT;
1683 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1686 sock->ops = &l2cap_sock_ops;
1688 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1692 l2cap_sock_init(sk, NULL);
1693 bt_sock_link(&l2cap_sk_list, sk);
1697 static const struct proto_ops l2cap_sock_ops = {
1698 .family = PF_BLUETOOTH,
1699 .owner = THIS_MODULE,
1700 .release = l2cap_sock_release,
1701 .bind = l2cap_sock_bind,
1702 .connect = l2cap_sock_connect,
1703 .listen = l2cap_sock_listen,
1704 .accept = l2cap_sock_accept,
1705 .getname = l2cap_sock_getname,
1706 .sendmsg = l2cap_sock_sendmsg,
1707 .recvmsg = l2cap_sock_recvmsg,
1708 .poll = bt_sock_poll,
1709 .ioctl = bt_sock_ioctl,
1710 .mmap = sock_no_mmap,
1711 .socketpair = sock_no_socketpair,
1712 .shutdown = l2cap_sock_shutdown,
1713 .setsockopt = l2cap_sock_setsockopt,
1714 .getsockopt = l2cap_sock_getsockopt
1717 static const struct net_proto_family l2cap_sock_family_ops = {
1718 .family = PF_BLUETOOTH,
1719 .owner = THIS_MODULE,
1720 .create = l2cap_sock_create,
1723 int __init l2cap_init_sockets(void)
1727 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1729 err = proto_register(&l2cap_proto, 0);
1733 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1735 BT_ERR("L2CAP socket registration failed");
1739 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1742 BT_ERR("Failed to create L2CAP proc file");
1743 bt_sock_unregister(BTPROTO_L2CAP);
1747 BT_INFO("L2CAP socket layer initialized");
1752 proto_unregister(&l2cap_proto);
1756 void l2cap_cleanup_sockets(void)
1758 bt_procfs_cleanup(&init_net, "l2cap");
1759 bt_sock_unregister(BTPROTO_L2CAP);
1760 proto_unregister(&l2cap_proto);