2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
28 /* Bluetooth L2CAP sockets. */
30 #include <linux/module.h>
31 #include <linux/export.h>
32 #include <linux/sched/signal.h>
34 #include <net/bluetooth/bluetooth.h>
35 #include <net/bluetooth/hci_core.h>
36 #include <net/bluetooth/l2cap.h>
40 static struct bt_sock_list l2cap_sk_list = {
41 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
44 static const struct proto_ops l2cap_sock_ops;
45 static void l2cap_sock_init(struct sock *sk, struct sock *parent);
46 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
47 int proto, gfp_t prio, int kern);
49 bool l2cap_is_socket(struct socket *sock)
51 return sock && sock->ops == &l2cap_sock_ops;
53 EXPORT_SYMBOL(l2cap_is_socket);
55 static int l2cap_validate_bredr_psm(u16 psm)
57 /* PSM must be odd and lsb of upper byte must be 0 */
58 if ((psm & 0x0101) != 0x0001)
61 /* Restrict usage of well-known PSMs */
62 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
68 static int l2cap_validate_le_psm(u16 psm)
70 /* Valid LE_PSM ranges are defined only until 0x00ff */
71 if (psm > L2CAP_PSM_LE_DYN_END)
74 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
75 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
81 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
83 struct sock *sk = sock->sk;
84 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
85 struct sockaddr_l2 la;
90 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
91 addr->sa_family != AF_BLUETOOTH)
94 memset(&la, 0, sizeof(la));
95 len = min_t(unsigned int, sizeof(la), alen);
96 memcpy(&la, addr, len);
98 if (la.l2_cid && la.l2_psm)
101 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
104 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
105 /* We only allow ATT user space socket */
107 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
113 if (sk->sk_state != BT_OPEN) {
119 __u16 psm = __le16_to_cpu(la.l2_psm);
121 if (la.l2_bdaddr_type == BDADDR_BREDR)
122 err = l2cap_validate_bredr_psm(psm);
124 err = l2cap_validate_le_psm(psm);
130 bacpy(&chan->src, &la.l2_bdaddr);
131 chan->src_type = la.l2_bdaddr_type;
134 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
136 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
141 switch (chan->chan_type) {
142 case L2CAP_CHAN_CONN_LESS:
143 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
144 chan->sec_level = BT_SECURITY_SDP;
146 case L2CAP_CHAN_CONN_ORIENTED:
147 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
148 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
149 chan->sec_level = BT_SECURITY_SDP;
152 chan->sec_level = BT_SECURITY_SDP;
154 case L2CAP_CHAN_FIXED:
155 /* Fixed channels default to the L2CAP core not holding a
156 * hci_conn reference for them. For fixed channels mapping to
157 * L2CAP sockets we do want to hold a reference so set the
158 * appropriate flag to request it.
160 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
164 if (chan->psm && bdaddr_type_is_le(chan->src_type))
165 chan->mode = L2CAP_MODE_LE_FLOWCTL;
167 chan->state = BT_BOUND;
168 sk->sk_state = BT_BOUND;
175 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
178 struct sock *sk = sock->sk;
179 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
180 struct sockaddr_l2 la;
187 zapped = sock_flag(sk, SOCK_ZAPPED);
193 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
194 addr->sa_family != AF_BLUETOOTH)
197 memset(&la, 0, sizeof(la));
198 len = min_t(unsigned int, sizeof(la), alen);
199 memcpy(&la, addr, len);
201 if (la.l2_cid && la.l2_psm)
204 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
207 /* Check that the socket wasn't bound to something that
208 * conflicts with the address given to connect(). If chan->src
209 * is BDADDR_ANY it means bind() was never used, in which case
210 * chan->src_type and la.l2_bdaddr_type do not need to match.
212 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
213 bdaddr_type_is_le(la.l2_bdaddr_type)) {
214 /* Old user space versions will try to incorrectly bind
215 * the ATT socket using BDADDR_BREDR. We need to accept
216 * this and fix up the source address type only when
217 * both the source CID and destination CID indicate
218 * ATT. Anything else is an invalid combination.
220 if (chan->scid != L2CAP_CID_ATT ||
221 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
224 /* We don't have the hdev available here to make a
225 * better decision on random vs public, but since all
226 * user space versions that exhibit this issue anyway do
227 * not support random local addresses assuming public
228 * here is good enough.
230 chan->src_type = BDADDR_LE_PUBLIC;
233 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
236 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
237 /* We only allow ATT user space socket */
239 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
243 if (chan->psm && bdaddr_type_is_le(chan->src_type))
244 chan->mode = L2CAP_MODE_LE_FLOWCTL;
246 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
247 &la.l2_bdaddr, la.l2_bdaddr_type);
253 err = bt_sock_wait_state(sk, BT_CONNECTED,
254 sock_sndtimeo(sk, flags & O_NONBLOCK));
261 static int l2cap_sock_listen(struct socket *sock, int backlog)
263 struct sock *sk = sock->sk;
264 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
267 BT_DBG("sk %p backlog %d", sk, backlog);
271 if (sk->sk_state != BT_BOUND) {
276 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
281 switch (chan->mode) {
282 case L2CAP_MODE_BASIC:
283 case L2CAP_MODE_LE_FLOWCTL:
285 case L2CAP_MODE_ERTM:
286 case L2CAP_MODE_STREAMING:
295 sk->sk_max_ack_backlog = backlog;
296 sk->sk_ack_backlog = 0;
298 /* Listening channels need to use nested locking in order not to
299 * cause lockdep warnings when the created child channels end up
300 * being locked in the same thread as the parent channel.
302 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
304 chan->state = BT_LISTEN;
305 sk->sk_state = BT_LISTEN;
312 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
313 int flags, bool kern)
315 DEFINE_WAIT_FUNC(wait, woken_wake_function);
316 struct sock *sk = sock->sk, *nsk;
320 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
322 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
324 BT_DBG("sk %p timeo %ld", sk, timeo);
326 /* Wait for an incoming connection. (wake-one). */
327 add_wait_queue_exclusive(sk_sleep(sk), &wait);
329 if (sk->sk_state != BT_LISTEN) {
334 nsk = bt_accept_dequeue(sk, newsock);
343 if (signal_pending(current)) {
344 err = sock_intr_errno(timeo);
350 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
352 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
354 remove_wait_queue(sk_sleep(sk), &wait);
359 newsock->state = SS_CONNECTED;
361 BT_DBG("new socket %p", nsk);
368 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
371 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
372 struct sock *sk = sock->sk;
373 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
375 BT_DBG("sock %p, sk %p", sock, sk);
377 if (peer && sk->sk_state != BT_CONNECTED &&
378 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
379 sk->sk_state != BT_CONFIG)
382 memset(la, 0, sizeof(struct sockaddr_l2));
383 addr->sa_family = AF_BLUETOOTH;
384 *len = sizeof(struct sockaddr_l2);
386 la->l2_psm = chan->psm;
389 bacpy(&la->l2_bdaddr, &chan->dst);
390 la->l2_cid = cpu_to_le16(chan->dcid);
391 la->l2_bdaddr_type = chan->dst_type;
393 bacpy(&la->l2_bdaddr, &chan->src);
394 la->l2_cid = cpu_to_le16(chan->scid);
395 la->l2_bdaddr_type = chan->src_type;
401 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
402 char __user *optval, int __user *optlen)
404 struct sock *sk = sock->sk;
405 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
406 struct l2cap_options opts;
407 struct l2cap_conninfo cinfo;
413 if (get_user(len, optlen))
420 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
421 * legacy ATT code depends on getsockopt for
422 * L2CAP_OPTIONS we need to let this pass.
424 if (bdaddr_type_is_le(chan->src_type) &&
425 chan->scid != L2CAP_CID_ATT) {
430 memset(&opts, 0, sizeof(opts));
431 opts.imtu = chan->imtu;
432 opts.omtu = chan->omtu;
433 opts.flush_to = chan->flush_to;
434 opts.mode = chan->mode;
435 opts.fcs = chan->fcs;
436 opts.max_tx = chan->max_tx;
437 opts.txwin_size = chan->tx_win;
439 len = min_t(unsigned int, len, sizeof(opts));
440 if (copy_to_user(optval, (char *) &opts, len))
446 switch (chan->sec_level) {
447 case BT_SECURITY_LOW:
450 case BT_SECURITY_MEDIUM:
451 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
453 case BT_SECURITY_HIGH:
454 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
457 case BT_SECURITY_FIPS:
458 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
459 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
466 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
467 opt |= L2CAP_LM_MASTER;
469 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
470 opt |= L2CAP_LM_RELIABLE;
472 if (put_user(opt, (u32 __user *) optval))
478 if (sk->sk_state != BT_CONNECTED &&
479 !(sk->sk_state == BT_CONNECT2 &&
480 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
485 memset(&cinfo, 0, sizeof(cinfo));
486 cinfo.hci_handle = chan->conn->hcon->handle;
487 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
489 len = min_t(unsigned int, len, sizeof(cinfo));
490 if (copy_to_user(optval, (char *) &cinfo, len))
504 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
505 char __user *optval, int __user *optlen)
507 struct sock *sk = sock->sk;
508 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
509 struct bt_security sec;
515 if (level == SOL_L2CAP)
516 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
518 if (level != SOL_BLUETOOTH)
521 if (get_user(len, optlen))
528 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
529 chan->chan_type != L2CAP_CHAN_FIXED &&
530 chan->chan_type != L2CAP_CHAN_RAW) {
535 memset(&sec, 0, sizeof(sec));
537 sec.level = chan->conn->hcon->sec_level;
539 if (sk->sk_state == BT_CONNECTED)
540 sec.key_size = chan->conn->hcon->enc_key_size;
542 sec.level = chan->sec_level;
545 len = min_t(unsigned int, len, sizeof(sec));
546 if (copy_to_user(optval, (char *) &sec, len))
552 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
557 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
558 (u32 __user *) optval))
564 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
565 (u32 __user *) optval))
571 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
572 && sk->sk_type != SOCK_RAW) {
577 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
579 len = min_t(unsigned int, len, sizeof(pwr));
580 if (copy_to_user(optval, (char *) &pwr, len))
585 case BT_CHANNEL_POLICY:
586 if (put_user(chan->chan_policy, (u32 __user *) optval))
591 if (!bdaddr_type_is_le(chan->src_type)) {
596 if (sk->sk_state != BT_CONNECTED) {
601 if (put_user(chan->omtu, (u16 __user *) optval))
606 if (!bdaddr_type_is_le(chan->src_type)) {
611 if (put_user(chan->imtu, (u16 __user *) optval))
624 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
626 switch (chan->scid) {
628 if (mtu < L2CAP_LE_MIN_MTU)
633 if (mtu < L2CAP_DEFAULT_MIN_MTU)
640 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
641 char __user *optval, unsigned int optlen)
643 struct sock *sk = sock->sk;
644 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
645 struct l2cap_options opts;
655 if (bdaddr_type_is_le(chan->src_type)) {
660 if (sk->sk_state == BT_CONNECTED) {
665 opts.imtu = chan->imtu;
666 opts.omtu = chan->omtu;
667 opts.flush_to = chan->flush_to;
668 opts.mode = chan->mode;
669 opts.fcs = chan->fcs;
670 opts.max_tx = chan->max_tx;
671 opts.txwin_size = chan->tx_win;
673 len = min_t(unsigned int, sizeof(opts), optlen);
674 if (copy_from_user((char *) &opts, optval, len)) {
679 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
684 if (!l2cap_valid_mtu(chan, opts.imtu)) {
689 chan->mode = opts.mode;
690 switch (chan->mode) {
691 case L2CAP_MODE_LE_FLOWCTL:
693 case L2CAP_MODE_BASIC:
694 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
696 case L2CAP_MODE_ERTM:
697 case L2CAP_MODE_STREAMING:
706 chan->imtu = opts.imtu;
707 chan->omtu = opts.omtu;
708 chan->fcs = opts.fcs;
709 chan->max_tx = opts.max_tx;
710 chan->tx_win = opts.txwin_size;
711 chan->flush_to = opts.flush_to;
715 if (get_user(opt, (u32 __user *) optval)) {
720 if (opt & L2CAP_LM_FIPS) {
725 if (opt & L2CAP_LM_AUTH)
726 chan->sec_level = BT_SECURITY_LOW;
727 if (opt & L2CAP_LM_ENCRYPT)
728 chan->sec_level = BT_SECURITY_MEDIUM;
729 if (opt & L2CAP_LM_SECURE)
730 chan->sec_level = BT_SECURITY_HIGH;
732 if (opt & L2CAP_LM_MASTER)
733 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
735 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
737 if (opt & L2CAP_LM_RELIABLE)
738 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
740 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
752 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
753 char __user *optval, unsigned int optlen)
755 struct sock *sk = sock->sk;
756 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
757 struct bt_security sec;
759 struct l2cap_conn *conn;
765 if (level == SOL_L2CAP)
766 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
768 if (level != SOL_BLUETOOTH)
775 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
776 chan->chan_type != L2CAP_CHAN_FIXED &&
777 chan->chan_type != L2CAP_CHAN_RAW) {
782 sec.level = BT_SECURITY_LOW;
784 len = min_t(unsigned int, sizeof(sec), optlen);
785 if (copy_from_user((char *) &sec, optval, len)) {
790 if (sec.level < BT_SECURITY_LOW ||
791 sec.level > BT_SECURITY_FIPS) {
796 chan->sec_level = sec.level;
803 /*change security for LE channels */
804 if (chan->scid == L2CAP_CID_ATT) {
805 if (smp_conn_security(conn->hcon, sec.level))
807 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
808 sk->sk_state = BT_CONFIG;
809 chan->state = BT_CONFIG;
811 /* or for ACL link */
812 } else if ((sk->sk_state == BT_CONNECT2 &&
813 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
814 sk->sk_state == BT_CONNECTED) {
815 if (!l2cap_chan_check_security(chan, true))
816 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
818 sk->sk_state_change(sk);
825 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
830 if (get_user(opt, (u32 __user *) optval)) {
836 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
837 set_bit(FLAG_DEFER_SETUP, &chan->flags);
839 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
840 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
845 if (get_user(opt, (u32 __user *) optval)) {
850 if (opt > BT_FLUSHABLE_ON) {
855 if (opt == BT_FLUSHABLE_OFF) {
857 /* proceed further only when we have l2cap_conn and
858 No Flush support in the LM */
859 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
866 set_bit(FLAG_FLUSHABLE, &chan->flags);
868 clear_bit(FLAG_FLUSHABLE, &chan->flags);
872 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
873 chan->chan_type != L2CAP_CHAN_RAW) {
878 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
880 len = min_t(unsigned int, sizeof(pwr), optlen);
881 if (copy_from_user((char *) &pwr, optval, len)) {
886 if (pwr.force_active)
887 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
889 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
892 case BT_CHANNEL_POLICY:
893 if (get_user(opt, (u32 __user *) optval)) {
898 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
903 if (chan->mode != L2CAP_MODE_ERTM &&
904 chan->mode != L2CAP_MODE_STREAMING) {
909 chan->chan_policy = (u8) opt;
911 if (sk->sk_state == BT_CONNECTED &&
912 chan->move_role == L2CAP_MOVE_ROLE_NONE)
913 l2cap_move_start(chan);
918 if (!bdaddr_type_is_le(chan->src_type)) {
923 /* Setting is not supported as it's the remote side that
930 if (!bdaddr_type_is_le(chan->src_type)) {
935 if (sk->sk_state == BT_CONNECTED) {
940 if (get_user(opt, (u16 __user *) optval)) {
957 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
960 struct sock *sk = sock->sk;
961 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
964 BT_DBG("sock %p, sk %p", sock, sk);
966 err = sock_error(sk);
970 if (msg->msg_flags & MSG_OOB)
973 if (sk->sk_state != BT_CONNECTED)
977 err = bt_sock_wait_ready(sk, msg->msg_flags);
982 l2cap_chan_lock(chan);
983 err = l2cap_chan_send(chan, msg, len);
984 l2cap_chan_unlock(chan);
989 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
990 size_t len, int flags)
992 struct sock *sk = sock->sk;
993 struct l2cap_pinfo *pi = l2cap_pi(sk);
998 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
999 &bt_sk(sk)->flags)) {
1000 if (bdaddr_type_is_le(pi->chan->src_type)) {
1001 sk->sk_state = BT_CONNECTED;
1002 pi->chan->state = BT_CONNECTED;
1003 __l2cap_le_connect_rsp_defer(pi->chan);
1005 sk->sk_state = BT_CONFIG;
1006 pi->chan->state = BT_CONFIG;
1007 __l2cap_connect_rsp_defer(pi->chan);
1016 if (sock->type == SOCK_STREAM)
1017 err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1019 err = bt_sock_recvmsg(sock, msg, len, flags);
1021 if (pi->chan->mode != L2CAP_MODE_ERTM)
1024 /* Attempt to put pending rx data in the socket buffer */
1028 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1031 if (pi->rx_busy_skb) {
1032 if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1033 pi->rx_busy_skb = NULL;
1038 /* Restore data flow when half of the receive buffer is
1039 * available. This avoids resending large numbers of
1042 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1043 l2cap_chan_busy(pi->chan, 0);
1050 /* Kill socket (only if zapped and orphan)
1051 * Must be called on unlocked socket, with l2cap channel lock.
1053 static void l2cap_sock_kill(struct sock *sk)
1055 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1058 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1060 /* Kill poor orphan */
1062 l2cap_chan_put(l2cap_pi(sk)->chan);
1063 sock_set_flag(sk, SOCK_DEAD);
1067 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1069 DECLARE_WAITQUEUE(wait, current);
1071 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1072 /* Timeout to prevent infinite loop */
1073 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1075 add_wait_queue(sk_sleep(sk), &wait);
1076 set_current_state(TASK_INTERRUPTIBLE);
1078 BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1079 chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1080 jiffies_to_msecs(timeout - jiffies));
1083 timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1085 if (signal_pending(current)) {
1086 err = sock_intr_errno(timeo);
1091 timeo = schedule_timeout(timeo);
1093 set_current_state(TASK_INTERRUPTIBLE);
1095 err = sock_error(sk);
1099 if (time_after(jiffies, timeout)) {
1104 } while (chan->unacked_frames > 0 &&
1105 chan->state == BT_CONNECTED);
1107 set_current_state(TASK_RUNNING);
1108 remove_wait_queue(sk_sleep(sk), &wait);
1112 static int l2cap_sock_shutdown(struct socket *sock, int how)
1114 struct sock *sk = sock->sk;
1115 struct l2cap_chan *chan;
1116 struct l2cap_conn *conn;
1119 BT_DBG("sock %p, sk %p", sock, sk);
1126 if (sk->sk_shutdown)
1127 goto shutdown_already;
1129 BT_DBG("Handling sock shutdown");
1131 /* prevent sk structure from being freed whilst unlocked */
1134 chan = l2cap_pi(sk)->chan;
1135 /* prevent chan structure from being freed whilst unlocked */
1136 l2cap_chan_hold(chan);
1138 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1140 if (chan->mode == L2CAP_MODE_ERTM &&
1141 chan->unacked_frames > 0 &&
1142 chan->state == BT_CONNECTED) {
1143 err = __l2cap_wait_ack(sk, chan);
1145 /* After waiting for ACKs, check whether shutdown
1146 * has already been actioned to close the L2CAP
1147 * link such as by l2cap_disconnection_req().
1149 if (sk->sk_shutdown)
1153 sk->sk_shutdown = SHUTDOWN_MASK;
1156 l2cap_chan_lock(chan);
1159 /* prevent conn structure from being freed */
1160 l2cap_conn_get(conn);
1161 l2cap_chan_unlock(chan);
1164 /* mutex lock must be taken before l2cap_chan_lock() */
1165 mutex_lock(&conn->chan_lock);
1167 l2cap_chan_lock(chan);
1168 l2cap_chan_close(chan, 0);
1169 l2cap_chan_unlock(chan);
1172 mutex_unlock(&conn->chan_lock);
1173 l2cap_conn_put(conn);
1178 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1179 !(current->flags & PF_EXITING))
1180 err = bt_sock_wait_state(sk, BT_CLOSED,
1184 l2cap_chan_put(chan);
1188 if (!err && sk->sk_err)
1193 BT_DBG("Sock shutdown complete err: %d", err);
1198 static int l2cap_sock_release(struct socket *sock)
1200 struct sock *sk = sock->sk;
1202 struct l2cap_chan *chan;
1204 BT_DBG("sock %p, sk %p", sock, sk);
1209 bt_sock_unlink(&l2cap_sk_list, sk);
1211 err = l2cap_sock_shutdown(sock, 2);
1212 chan = l2cap_pi(sk)->chan;
1214 l2cap_chan_hold(chan);
1215 l2cap_chan_lock(chan);
1218 l2cap_sock_kill(sk);
1220 l2cap_chan_unlock(chan);
1221 l2cap_chan_put(chan);
1226 static void l2cap_sock_cleanup_listen(struct sock *parent)
1230 BT_DBG("parent %p state %s", parent,
1231 state_to_string(parent->sk_state));
1233 /* Close not yet accepted channels */
1234 while ((sk = bt_accept_dequeue(parent, NULL))) {
1235 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1237 BT_DBG("child chan %p state %s", chan,
1238 state_to_string(chan->state));
1240 l2cap_chan_hold(chan);
1241 l2cap_chan_lock(chan);
1243 __clear_chan_timer(chan);
1244 l2cap_chan_close(chan, ECONNRESET);
1245 l2cap_sock_kill(sk);
1247 l2cap_chan_unlock(chan);
1248 l2cap_chan_put(chan);
1252 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1254 struct sock *sk, *parent = chan->data;
1258 /* Check for backlog size */
1259 if (sk_acceptq_is_full(parent)) {
1260 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1261 release_sock(parent);
1265 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1268 release_sock(parent);
1272 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1274 l2cap_sock_init(sk, parent);
1276 bt_accept_enqueue(parent, sk, false);
1278 release_sock(parent);
1280 return l2cap_pi(sk)->chan;
1283 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1285 struct sock *sk = chan->data;
1290 if (l2cap_pi(sk)->rx_busy_skb) {
1295 if (chan->mode != L2CAP_MODE_ERTM &&
1296 chan->mode != L2CAP_MODE_STREAMING) {
1297 /* Even if no filter is attached, we could potentially
1298 * get errors from security modules, etc.
1300 err = sk_filter(sk, skb);
1305 err = __sock_queue_rcv_skb(sk, skb);
1307 /* For ERTM, handle one skb that doesn't fit into the recv
1308 * buffer. This is important to do because the data frames
1309 * have already been acked, so the skb cannot be discarded.
1311 * Notify the l2cap core that the buffer is full, so the
1312 * LOCAL_BUSY state is entered and no more frames are
1313 * acked and reassembled until there is buffer space
1316 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1317 l2cap_pi(sk)->rx_busy_skb = skb;
1318 l2cap_chan_busy(chan, 1);
1328 static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1330 struct sock *sk = chan->data;
1332 l2cap_sock_kill(sk);
1335 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1337 struct sock *sk = chan->data;
1338 struct sock *parent;
1340 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1342 /* This callback can be called both for server (BT_LISTEN)
1343 * sockets as well as "normal" ones. To avoid lockdep warnings
1344 * with child socket locking (through l2cap_sock_cleanup_listen)
1345 * we need separation into separate nesting levels. The simplest
1346 * way to accomplish this is to inherit the nesting level used
1349 lock_sock_nested(sk, atomic_read(&chan->nesting));
1351 parent = bt_sk(sk)->parent;
1353 switch (chan->state) {
1359 l2cap_sock_cleanup_listen(sk);
1360 sk->sk_state = BT_CLOSED;
1361 chan->state = BT_CLOSED;
1365 sk->sk_state = BT_CLOSED;
1366 chan->state = BT_CLOSED;
1371 bt_accept_unlink(sk);
1372 parent->sk_data_ready(parent);
1374 sk->sk_state_change(sk);
1381 /* Only zap after cleanup to avoid use after free race */
1382 sock_set_flag(sk, SOCK_ZAPPED);
1386 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1389 struct sock *sk = chan->data;
1391 sk->sk_state = state;
1397 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1398 unsigned long hdr_len,
1399 unsigned long len, int nb)
1401 struct sock *sk = chan->data;
1402 struct sk_buff *skb;
1405 l2cap_chan_unlock(chan);
1406 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1407 l2cap_chan_lock(chan);
1410 return ERR_PTR(err);
1412 skb->priority = sk->sk_priority;
1414 bt_cb(skb)->l2cap.chan = chan;
1419 static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1421 struct sock *sk = chan->data;
1422 struct sock *parent;
1426 parent = bt_sk(sk)->parent;
1428 BT_DBG("sk %p, parent %p", sk, parent);
1430 sk->sk_state = BT_CONNECTED;
1431 sk->sk_state_change(sk);
1434 parent->sk_data_ready(parent);
1439 static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1441 struct sock *parent, *sk = chan->data;
1445 parent = bt_sk(sk)->parent;
1447 parent->sk_data_ready(parent);
1452 static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1454 struct sock *sk = chan->data;
1456 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1457 sk->sk_state = BT_CONNECTED;
1458 chan->state = BT_CONNECTED;
1461 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1462 sk->sk_state_change(sk);
1465 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1467 struct sock *sk = chan->data;
1470 sk->sk_shutdown = SHUTDOWN_MASK;
1474 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1476 struct sock *sk = chan->data;
1478 return sk->sk_sndtimeo;
1481 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1483 struct sock *sk = chan->data;
1485 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1486 sk->sk_state_change(sk);
1489 static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
1491 struct sock *sk = chan->data;
1493 switch (chan->mode) {
1494 case L2CAP_MODE_ERTM:
1495 case L2CAP_MODE_STREAMING:
1496 return sk_filter(sk, skb);
1502 static const struct l2cap_ops l2cap_chan_ops = {
1503 .name = "L2CAP Socket Interface",
1504 .new_connection = l2cap_sock_new_connection_cb,
1505 .recv = l2cap_sock_recv_cb,
1506 .close = l2cap_sock_close_cb,
1507 .teardown = l2cap_sock_teardown_cb,
1508 .state_change = l2cap_sock_state_change_cb,
1509 .ready = l2cap_sock_ready_cb,
1510 .defer = l2cap_sock_defer_cb,
1511 .resume = l2cap_sock_resume_cb,
1512 .suspend = l2cap_sock_suspend_cb,
1513 .set_shutdown = l2cap_sock_set_shutdown_cb,
1514 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1515 .alloc_skb = l2cap_sock_alloc_skb_cb,
1516 .filter = l2cap_sock_filter,
1519 static void l2cap_sock_destruct(struct sock *sk)
1521 BT_DBG("sk %p", sk);
1523 if (l2cap_pi(sk)->chan)
1524 l2cap_chan_put(l2cap_pi(sk)->chan);
1526 if (l2cap_pi(sk)->rx_busy_skb) {
1527 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1528 l2cap_pi(sk)->rx_busy_skb = NULL;
1531 skb_queue_purge(&sk->sk_receive_queue);
1532 skb_queue_purge(&sk->sk_write_queue);
1535 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1538 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1540 memset(la, 0, sizeof(struct sockaddr_l2));
1541 la->l2_family = AF_BLUETOOTH;
1542 la->l2_psm = bt_cb(skb)->l2cap.psm;
1543 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1545 *msg_namelen = sizeof(struct sockaddr_l2);
1548 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1550 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1552 BT_DBG("sk %p", sk);
1555 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1557 sk->sk_type = parent->sk_type;
1558 bt_sk(sk)->flags = bt_sk(parent)->flags;
1560 chan->chan_type = pchan->chan_type;
1561 chan->imtu = pchan->imtu;
1562 chan->omtu = pchan->omtu;
1563 chan->conf_state = pchan->conf_state;
1564 chan->mode = pchan->mode;
1565 chan->fcs = pchan->fcs;
1566 chan->max_tx = pchan->max_tx;
1567 chan->tx_win = pchan->tx_win;
1568 chan->tx_win_max = pchan->tx_win_max;
1569 chan->sec_level = pchan->sec_level;
1570 chan->flags = pchan->flags;
1571 chan->tx_credits = pchan->tx_credits;
1572 chan->rx_credits = pchan->rx_credits;
1574 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1575 chan->scid = pchan->scid;
1576 chan->dcid = pchan->scid;
1579 security_sk_clone(parent, sk);
1581 switch (sk->sk_type) {
1583 chan->chan_type = L2CAP_CHAN_RAW;
1586 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1587 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1589 case SOCK_SEQPACKET:
1591 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1595 chan->imtu = L2CAP_DEFAULT_MTU;
1597 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1598 chan->mode = L2CAP_MODE_ERTM;
1599 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1601 chan->mode = L2CAP_MODE_BASIC;
1604 l2cap_chan_set_defaults(chan);
1607 /* Default config options */
1608 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1611 chan->ops = &l2cap_chan_ops;
1614 static struct proto l2cap_proto = {
1616 .owner = THIS_MODULE,
1617 .obj_size = sizeof(struct l2cap_pinfo)
1620 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1621 int proto, gfp_t prio, int kern)
1624 struct l2cap_chan *chan;
1626 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern);
1630 sock_init_data(sock, sk);
1631 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1633 sk->sk_destruct = l2cap_sock_destruct;
1634 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1636 sock_reset_flag(sk, SOCK_ZAPPED);
1638 sk->sk_protocol = proto;
1639 sk->sk_state = BT_OPEN;
1641 chan = l2cap_chan_create();
1647 l2cap_chan_hold(chan);
1649 l2cap_pi(sk)->chan = chan;
1654 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1659 BT_DBG("sock %p", sock);
1661 sock->state = SS_UNCONNECTED;
1663 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1664 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1665 return -ESOCKTNOSUPPORT;
1667 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1670 sock->ops = &l2cap_sock_ops;
1672 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1676 l2cap_sock_init(sk, NULL);
1677 bt_sock_link(&l2cap_sk_list, sk);
1681 static const struct proto_ops l2cap_sock_ops = {
1682 .family = PF_BLUETOOTH,
1683 .owner = THIS_MODULE,
1684 .release = l2cap_sock_release,
1685 .bind = l2cap_sock_bind,
1686 .connect = l2cap_sock_connect,
1687 .listen = l2cap_sock_listen,
1688 .accept = l2cap_sock_accept,
1689 .getname = l2cap_sock_getname,
1690 .sendmsg = l2cap_sock_sendmsg,
1691 .recvmsg = l2cap_sock_recvmsg,
1692 .poll = bt_sock_poll,
1693 .ioctl = bt_sock_ioctl,
1694 .mmap = sock_no_mmap,
1695 .socketpair = sock_no_socketpair,
1696 .shutdown = l2cap_sock_shutdown,
1697 .setsockopt = l2cap_sock_setsockopt,
1698 .getsockopt = l2cap_sock_getsockopt
1701 static const struct net_proto_family l2cap_sock_family_ops = {
1702 .family = PF_BLUETOOTH,
1703 .owner = THIS_MODULE,
1704 .create = l2cap_sock_create,
1707 int __init l2cap_init_sockets(void)
1711 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1713 err = proto_register(&l2cap_proto, 0);
1717 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1719 BT_ERR("L2CAP socket registration failed");
1723 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1726 BT_ERR("Failed to create L2CAP proc file");
1727 bt_sock_unregister(BTPROTO_L2CAP);
1731 BT_INFO("L2CAP socket layer initialized");
1736 proto_unregister(&l2cap_proto);
1740 void l2cap_cleanup_sockets(void)
1742 bt_procfs_cleanup(&init_net, "l2cap");
1743 bt_sock_unregister(BTPROTO_L2CAP);
1744 proto_unregister(&l2cap_proto);