2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
28 /* Bluetooth L2CAP sockets. */
30 #include <linux/module.h>
31 #include <linux/export.h>
32 #include <linux/sched/signal.h>
34 #include <net/bluetooth/bluetooth.h>
35 #include <net/bluetooth/hci_core.h>
36 #include <net/bluetooth/l2cap.h>
40 static struct bt_sock_list l2cap_sk_list = {
41 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
44 static const struct proto_ops l2cap_sock_ops;
45 static void l2cap_sock_init(struct sock *sk, struct sock *parent);
46 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
47 int proto, gfp_t prio, int kern);
48 static void l2cap_sock_cleanup_listen(struct sock *parent);
50 bool l2cap_is_socket(struct socket *sock)
52 return sock && sock->ops == &l2cap_sock_ops;
54 EXPORT_SYMBOL(l2cap_is_socket);
56 static int l2cap_validate_bredr_psm(u16 psm)
58 /* PSM must be odd and lsb of upper byte must be 0 */
59 if ((psm & 0x0101) != 0x0001)
62 /* Restrict usage of well-known PSMs */
63 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
69 static int l2cap_validate_le_psm(u16 psm)
71 /* Valid LE_PSM ranges are defined only until 0x00ff */
72 if (psm > L2CAP_PSM_LE_DYN_END)
75 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
76 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
82 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
84 struct sock *sk = sock->sk;
85 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
86 struct sockaddr_l2 la;
91 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
92 addr->sa_family != AF_BLUETOOTH)
95 memset(&la, 0, sizeof(la));
96 len = min_t(unsigned int, sizeof(la), alen);
97 memcpy(&la, addr, len);
99 if (la.l2_cid && la.l2_psm)
102 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
105 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
106 /* We only allow ATT user space socket */
108 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
114 if (sk->sk_state != BT_OPEN) {
120 __u16 psm = __le16_to_cpu(la.l2_psm);
122 if (la.l2_bdaddr_type == BDADDR_BREDR)
123 err = l2cap_validate_bredr_psm(psm);
125 err = l2cap_validate_le_psm(psm);
131 bacpy(&chan->src, &la.l2_bdaddr);
132 chan->src_type = la.l2_bdaddr_type;
135 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
137 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
142 switch (chan->chan_type) {
143 case L2CAP_CHAN_CONN_LESS:
144 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
145 chan->sec_level = BT_SECURITY_SDP;
147 case L2CAP_CHAN_CONN_ORIENTED:
148 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
149 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
150 chan->sec_level = BT_SECURITY_SDP;
153 chan->sec_level = BT_SECURITY_SDP;
155 case L2CAP_CHAN_FIXED:
156 /* Fixed channels default to the L2CAP core not holding a
157 * hci_conn reference for them. For fixed channels mapping to
158 * L2CAP sockets we do want to hold a reference so set the
159 * appropriate flag to request it.
161 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
165 if (chan->psm && bdaddr_type_is_le(chan->src_type))
166 chan->mode = L2CAP_MODE_LE_FLOWCTL;
168 chan->state = BT_BOUND;
169 sk->sk_state = BT_BOUND;
176 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
179 struct sock *sk = sock->sk;
180 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
181 struct sockaddr_l2 la;
188 zapped = sock_flag(sk, SOCK_ZAPPED);
194 if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
195 addr->sa_family != AF_BLUETOOTH)
198 memset(&la, 0, sizeof(la));
199 len = min_t(unsigned int, sizeof(la), alen);
200 memcpy(&la, addr, len);
202 if (la.l2_cid && la.l2_psm)
205 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
208 /* Check that the socket wasn't bound to something that
209 * conflicts with the address given to connect(). If chan->src
210 * is BDADDR_ANY it means bind() was never used, in which case
211 * chan->src_type and la.l2_bdaddr_type do not need to match.
213 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
214 bdaddr_type_is_le(la.l2_bdaddr_type)) {
215 /* Old user space versions will try to incorrectly bind
216 * the ATT socket using BDADDR_BREDR. We need to accept
217 * this and fix up the source address type only when
218 * both the source CID and destination CID indicate
219 * ATT. Anything else is an invalid combination.
221 if (chan->scid != L2CAP_CID_ATT ||
222 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
225 /* We don't have the hdev available here to make a
226 * better decision on random vs public, but since all
227 * user space versions that exhibit this issue anyway do
228 * not support random local addresses assuming public
229 * here is good enough.
231 chan->src_type = BDADDR_LE_PUBLIC;
234 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
237 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
238 /* We only allow ATT user space socket */
240 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
244 if (chan->psm && bdaddr_type_is_le(chan->src_type))
245 chan->mode = L2CAP_MODE_LE_FLOWCTL;
247 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
248 &la.l2_bdaddr, la.l2_bdaddr_type);
254 err = bt_sock_wait_state(sk, BT_CONNECTED,
255 sock_sndtimeo(sk, flags & O_NONBLOCK));
262 static int l2cap_sock_listen(struct socket *sock, int backlog)
264 struct sock *sk = sock->sk;
265 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
268 BT_DBG("sk %p backlog %d", sk, backlog);
272 if (sk->sk_state != BT_BOUND) {
277 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
282 switch (chan->mode) {
283 case L2CAP_MODE_BASIC:
284 case L2CAP_MODE_LE_FLOWCTL:
286 case L2CAP_MODE_ERTM:
287 case L2CAP_MODE_STREAMING:
296 sk->sk_max_ack_backlog = backlog;
297 sk->sk_ack_backlog = 0;
299 /* Listening channels need to use nested locking in order not to
300 * cause lockdep warnings when the created child channels end up
301 * being locked in the same thread as the parent channel.
303 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
305 chan->state = BT_LISTEN;
306 sk->sk_state = BT_LISTEN;
313 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
314 int flags, bool kern)
316 DEFINE_WAIT_FUNC(wait, woken_wake_function);
317 struct sock *sk = sock->sk, *nsk;
321 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
323 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
325 BT_DBG("sk %p timeo %ld", sk, timeo);
327 /* Wait for an incoming connection. (wake-one). */
328 add_wait_queue_exclusive(sk_sleep(sk), &wait);
330 if (sk->sk_state != BT_LISTEN) {
335 nsk = bt_accept_dequeue(sk, newsock);
344 if (signal_pending(current)) {
345 err = sock_intr_errno(timeo);
351 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
353 lock_sock_nested(sk, L2CAP_NESTING_PARENT);
355 remove_wait_queue(sk_sleep(sk), &wait);
360 newsock->state = SS_CONNECTED;
362 BT_DBG("new socket %p", nsk);
369 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
372 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
373 struct sock *sk = sock->sk;
374 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
376 BT_DBG("sock %p, sk %p", sock, sk);
378 if (peer && sk->sk_state != BT_CONNECTED &&
379 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
380 sk->sk_state != BT_CONFIG)
383 memset(la, 0, sizeof(struct sockaddr_l2));
384 addr->sa_family = AF_BLUETOOTH;
385 *len = sizeof(struct sockaddr_l2);
387 la->l2_psm = chan->psm;
390 bacpy(&la->l2_bdaddr, &chan->dst);
391 la->l2_cid = cpu_to_le16(chan->dcid);
392 la->l2_bdaddr_type = chan->dst_type;
394 bacpy(&la->l2_bdaddr, &chan->src);
395 la->l2_cid = cpu_to_le16(chan->scid);
396 la->l2_bdaddr_type = chan->src_type;
402 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
403 char __user *optval, int __user *optlen)
405 struct sock *sk = sock->sk;
406 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
407 struct l2cap_options opts;
408 struct l2cap_conninfo cinfo;
414 if (get_user(len, optlen))
421 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
422 * legacy ATT code depends on getsockopt for
423 * L2CAP_OPTIONS we need to let this pass.
425 if (bdaddr_type_is_le(chan->src_type) &&
426 chan->scid != L2CAP_CID_ATT) {
431 memset(&opts, 0, sizeof(opts));
432 opts.imtu = chan->imtu;
433 opts.omtu = chan->omtu;
434 opts.flush_to = chan->flush_to;
435 opts.mode = chan->mode;
436 opts.fcs = chan->fcs;
437 opts.max_tx = chan->max_tx;
438 opts.txwin_size = chan->tx_win;
440 len = min_t(unsigned int, len, sizeof(opts));
441 if (copy_to_user(optval, (char *) &opts, len))
447 switch (chan->sec_level) {
448 case BT_SECURITY_LOW:
451 case BT_SECURITY_MEDIUM:
452 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
454 case BT_SECURITY_HIGH:
455 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
458 case BT_SECURITY_FIPS:
459 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
460 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
467 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
468 opt |= L2CAP_LM_MASTER;
470 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
471 opt |= L2CAP_LM_RELIABLE;
473 if (put_user(opt, (u32 __user *) optval))
479 if (sk->sk_state != BT_CONNECTED &&
480 !(sk->sk_state == BT_CONNECT2 &&
481 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
486 memset(&cinfo, 0, sizeof(cinfo));
487 cinfo.hci_handle = chan->conn->hcon->handle;
488 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
490 len = min_t(unsigned int, len, sizeof(cinfo));
491 if (copy_to_user(optval, (char *) &cinfo, len))
505 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
506 char __user *optval, int __user *optlen)
508 struct sock *sk = sock->sk;
509 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
510 struct bt_security sec;
516 if (level == SOL_L2CAP)
517 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
519 if (level != SOL_BLUETOOTH)
522 if (get_user(len, optlen))
529 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
530 chan->chan_type != L2CAP_CHAN_FIXED &&
531 chan->chan_type != L2CAP_CHAN_RAW) {
536 memset(&sec, 0, sizeof(sec));
538 sec.level = chan->conn->hcon->sec_level;
540 if (sk->sk_state == BT_CONNECTED)
541 sec.key_size = chan->conn->hcon->enc_key_size;
543 sec.level = chan->sec_level;
546 len = min_t(unsigned int, len, sizeof(sec));
547 if (copy_to_user(optval, (char *) &sec, len))
553 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
558 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
559 (u32 __user *) optval))
565 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
566 (u32 __user *) optval))
572 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
573 && sk->sk_type != SOCK_RAW) {
578 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
580 len = min_t(unsigned int, len, sizeof(pwr));
581 if (copy_to_user(optval, (char *) &pwr, len))
586 case BT_CHANNEL_POLICY:
587 if (put_user(chan->chan_policy, (u32 __user *) optval))
592 if (!bdaddr_type_is_le(chan->src_type)) {
597 if (sk->sk_state != BT_CONNECTED) {
602 if (put_user(chan->omtu, (u16 __user *) optval))
607 if (!bdaddr_type_is_le(chan->src_type)) {
612 if (put_user(chan->imtu, (u16 __user *) optval))
625 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
627 switch (chan->scid) {
629 if (mtu < L2CAP_LE_MIN_MTU)
634 if (mtu < L2CAP_DEFAULT_MIN_MTU)
641 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
642 char __user *optval, unsigned int optlen)
644 struct sock *sk = sock->sk;
645 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
646 struct l2cap_options opts;
656 if (bdaddr_type_is_le(chan->src_type)) {
661 if (sk->sk_state == BT_CONNECTED) {
666 opts.imtu = chan->imtu;
667 opts.omtu = chan->omtu;
668 opts.flush_to = chan->flush_to;
669 opts.mode = chan->mode;
670 opts.fcs = chan->fcs;
671 opts.max_tx = chan->max_tx;
672 opts.txwin_size = chan->tx_win;
674 len = min_t(unsigned int, sizeof(opts), optlen);
675 if (copy_from_user((char *) &opts, optval, len)) {
680 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
685 if (!l2cap_valid_mtu(chan, opts.imtu)) {
690 chan->mode = opts.mode;
691 switch (chan->mode) {
692 case L2CAP_MODE_LE_FLOWCTL:
694 case L2CAP_MODE_BASIC:
695 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
697 case L2CAP_MODE_ERTM:
698 case L2CAP_MODE_STREAMING:
707 chan->imtu = opts.imtu;
708 chan->omtu = opts.omtu;
709 chan->fcs = opts.fcs;
710 chan->max_tx = opts.max_tx;
711 chan->tx_win = opts.txwin_size;
712 chan->flush_to = opts.flush_to;
716 if (get_user(opt, (u32 __user *) optval)) {
721 if (opt & L2CAP_LM_FIPS) {
726 if (opt & L2CAP_LM_AUTH)
727 chan->sec_level = BT_SECURITY_LOW;
728 if (opt & L2CAP_LM_ENCRYPT)
729 chan->sec_level = BT_SECURITY_MEDIUM;
730 if (opt & L2CAP_LM_SECURE)
731 chan->sec_level = BT_SECURITY_HIGH;
733 if (opt & L2CAP_LM_MASTER)
734 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
736 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
738 if (opt & L2CAP_LM_RELIABLE)
739 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
741 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
753 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
754 char __user *optval, unsigned int optlen)
756 struct sock *sk = sock->sk;
757 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
758 struct bt_security sec;
760 struct l2cap_conn *conn;
766 if (level == SOL_L2CAP)
767 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
769 if (level != SOL_BLUETOOTH)
776 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
777 chan->chan_type != L2CAP_CHAN_FIXED &&
778 chan->chan_type != L2CAP_CHAN_RAW) {
783 sec.level = BT_SECURITY_LOW;
785 len = min_t(unsigned int, sizeof(sec), optlen);
786 if (copy_from_user((char *) &sec, optval, len)) {
791 if (sec.level < BT_SECURITY_LOW ||
792 sec.level > BT_SECURITY_FIPS) {
797 chan->sec_level = sec.level;
804 /*change security for LE channels */
805 if (chan->scid == L2CAP_CID_ATT) {
806 if (smp_conn_security(conn->hcon, sec.level))
808 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
809 sk->sk_state = BT_CONFIG;
810 chan->state = BT_CONFIG;
812 /* or for ACL link */
813 } else if ((sk->sk_state == BT_CONNECT2 &&
814 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
815 sk->sk_state == BT_CONNECTED) {
816 if (!l2cap_chan_check_security(chan, true))
817 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
819 sk->sk_state_change(sk);
826 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
831 if (get_user(opt, (u32 __user *) optval)) {
837 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
838 set_bit(FLAG_DEFER_SETUP, &chan->flags);
840 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
841 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
846 if (get_user(opt, (u32 __user *) optval)) {
851 if (opt > BT_FLUSHABLE_ON) {
856 if (opt == BT_FLUSHABLE_OFF) {
858 /* proceed further only when we have l2cap_conn and
859 No Flush support in the LM */
860 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
867 set_bit(FLAG_FLUSHABLE, &chan->flags);
869 clear_bit(FLAG_FLUSHABLE, &chan->flags);
873 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
874 chan->chan_type != L2CAP_CHAN_RAW) {
879 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
881 len = min_t(unsigned int, sizeof(pwr), optlen);
882 if (copy_from_user((char *) &pwr, optval, len)) {
887 if (pwr.force_active)
888 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
890 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
893 case BT_CHANNEL_POLICY:
894 if (get_user(opt, (u32 __user *) optval)) {
899 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
904 if (chan->mode != L2CAP_MODE_ERTM &&
905 chan->mode != L2CAP_MODE_STREAMING) {
910 chan->chan_policy = (u8) opt;
912 if (sk->sk_state == BT_CONNECTED &&
913 chan->move_role == L2CAP_MOVE_ROLE_NONE)
914 l2cap_move_start(chan);
919 if (!bdaddr_type_is_le(chan->src_type)) {
924 /* Setting is not supported as it's the remote side that
931 if (!bdaddr_type_is_le(chan->src_type)) {
936 if (sk->sk_state == BT_CONNECTED) {
941 if (get_user(opt, (u16 __user *) optval)) {
958 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
961 struct sock *sk = sock->sk;
962 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
965 BT_DBG("sock %p, sk %p", sock, sk);
967 err = sock_error(sk);
971 if (msg->msg_flags & MSG_OOB)
974 if (sk->sk_state != BT_CONNECTED)
978 err = bt_sock_wait_ready(sk, msg->msg_flags);
983 l2cap_chan_lock(chan);
984 err = l2cap_chan_send(chan, msg, len);
985 l2cap_chan_unlock(chan);
990 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
991 size_t len, int flags)
993 struct sock *sk = sock->sk;
994 struct l2cap_pinfo *pi = l2cap_pi(sk);
999 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
1000 &bt_sk(sk)->flags)) {
1001 if (bdaddr_type_is_le(pi->chan->src_type)) {
1002 sk->sk_state = BT_CONNECTED;
1003 pi->chan->state = BT_CONNECTED;
1004 __l2cap_le_connect_rsp_defer(pi->chan);
1006 sk->sk_state = BT_CONFIG;
1007 pi->chan->state = BT_CONFIG;
1008 __l2cap_connect_rsp_defer(pi->chan);
1017 if (sock->type == SOCK_STREAM)
1018 err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1020 err = bt_sock_recvmsg(sock, msg, len, flags);
1022 if (pi->chan->mode != L2CAP_MODE_ERTM)
1025 /* Attempt to put pending rx data in the socket buffer */
1029 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1032 if (pi->rx_busy_skb) {
1033 if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1034 pi->rx_busy_skb = NULL;
1039 /* Restore data flow when half of the receive buffer is
1040 * available. This avoids resending large numbers of
1043 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1044 l2cap_chan_busy(pi->chan, 0);
1051 /* Kill socket (only if zapped and orphan)
1052 * Must be called on unlocked socket, with l2cap channel lock.
1054 static void l2cap_sock_kill(struct sock *sk)
1056 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1059 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1061 /* Kill poor orphan */
1063 l2cap_chan_put(l2cap_pi(sk)->chan);
1064 sock_set_flag(sk, SOCK_DEAD);
1068 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1070 DECLARE_WAITQUEUE(wait, current);
1072 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1073 /* Timeout to prevent infinite loop */
1074 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1076 add_wait_queue(sk_sleep(sk), &wait);
1077 set_current_state(TASK_INTERRUPTIBLE);
1079 BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1080 chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1081 jiffies_to_msecs(timeout - jiffies));
1084 timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1086 if (signal_pending(current)) {
1087 err = sock_intr_errno(timeo);
1092 timeo = schedule_timeout(timeo);
1094 set_current_state(TASK_INTERRUPTIBLE);
1096 err = sock_error(sk);
1100 if (time_after(jiffies, timeout)) {
1105 } while (chan->unacked_frames > 0 &&
1106 chan->state == BT_CONNECTED);
1108 set_current_state(TASK_RUNNING);
1109 remove_wait_queue(sk_sleep(sk), &wait);
1113 static int l2cap_sock_shutdown(struct socket *sock, int how)
1115 struct sock *sk = sock->sk;
1116 struct l2cap_chan *chan;
1117 struct l2cap_conn *conn;
1120 BT_DBG("sock %p, sk %p", sock, sk);
1127 if (sk->sk_shutdown)
1128 goto shutdown_already;
1130 BT_DBG("Handling sock shutdown");
1132 /* prevent sk structure from being freed whilst unlocked */
1135 chan = l2cap_pi(sk)->chan;
1136 /* prevent chan structure from being freed whilst unlocked */
1137 l2cap_chan_hold(chan);
1139 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1141 if (chan->mode == L2CAP_MODE_ERTM &&
1142 chan->unacked_frames > 0 &&
1143 chan->state == BT_CONNECTED) {
1144 err = __l2cap_wait_ack(sk, chan);
1146 /* After waiting for ACKs, check whether shutdown
1147 * has already been actioned to close the L2CAP
1148 * link such as by l2cap_disconnection_req().
1150 if (sk->sk_shutdown)
1154 sk->sk_shutdown = SHUTDOWN_MASK;
1157 l2cap_chan_lock(chan);
1160 /* prevent conn structure from being freed */
1161 l2cap_conn_get(conn);
1162 l2cap_chan_unlock(chan);
1165 /* mutex lock must be taken before l2cap_chan_lock() */
1166 mutex_lock(&conn->chan_lock);
1168 l2cap_chan_lock(chan);
1169 l2cap_chan_close(chan, 0);
1170 l2cap_chan_unlock(chan);
1173 mutex_unlock(&conn->chan_lock);
1174 l2cap_conn_put(conn);
1179 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1180 !(current->flags & PF_EXITING))
1181 err = bt_sock_wait_state(sk, BT_CLOSED,
1185 l2cap_chan_put(chan);
1189 if (!err && sk->sk_err)
1194 BT_DBG("Sock shutdown complete err: %d", err);
1199 static int l2cap_sock_release(struct socket *sock)
1201 struct sock *sk = sock->sk;
1203 struct l2cap_chan *chan;
1205 BT_DBG("sock %p, sk %p", sock, sk);
1210 l2cap_sock_cleanup_listen(sk);
1211 bt_sock_unlink(&l2cap_sk_list, sk);
1213 err = l2cap_sock_shutdown(sock, 2);
1214 chan = l2cap_pi(sk)->chan;
1216 l2cap_chan_hold(chan);
1217 l2cap_chan_lock(chan);
1220 l2cap_sock_kill(sk);
1222 l2cap_chan_unlock(chan);
1223 l2cap_chan_put(chan);
1228 static void l2cap_sock_cleanup_listen(struct sock *parent)
1232 BT_DBG("parent %p state %s", parent,
1233 state_to_string(parent->sk_state));
1235 /* Close not yet accepted channels */
1236 while ((sk = bt_accept_dequeue(parent, NULL))) {
1237 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1239 BT_DBG("child chan %p state %s", chan,
1240 state_to_string(chan->state));
1242 l2cap_chan_hold(chan);
1243 l2cap_chan_lock(chan);
1245 __clear_chan_timer(chan);
1246 l2cap_chan_close(chan, ECONNRESET);
1247 l2cap_sock_kill(sk);
1249 l2cap_chan_unlock(chan);
1250 l2cap_chan_put(chan);
1254 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1256 struct sock *sk, *parent = chan->data;
1260 /* Check for backlog size */
1261 if (sk_acceptq_is_full(parent)) {
1262 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1263 release_sock(parent);
1267 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1270 release_sock(parent);
1274 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1276 l2cap_sock_init(sk, parent);
1278 bt_accept_enqueue(parent, sk, false);
1280 release_sock(parent);
1282 return l2cap_pi(sk)->chan;
1285 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1287 struct sock *sk = chan->data;
1292 if (l2cap_pi(sk)->rx_busy_skb) {
1297 if (chan->mode != L2CAP_MODE_ERTM &&
1298 chan->mode != L2CAP_MODE_STREAMING) {
1299 /* Even if no filter is attached, we could potentially
1300 * get errors from security modules, etc.
1302 err = sk_filter(sk, skb);
1307 err = __sock_queue_rcv_skb(sk, skb);
1309 /* For ERTM, handle one skb that doesn't fit into the recv
1310 * buffer. This is important to do because the data frames
1311 * have already been acked, so the skb cannot be discarded.
1313 * Notify the l2cap core that the buffer is full, so the
1314 * LOCAL_BUSY state is entered and no more frames are
1315 * acked and reassembled until there is buffer space
1318 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1319 l2cap_pi(sk)->rx_busy_skb = skb;
1320 l2cap_chan_busy(chan, 1);
1330 static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1332 struct sock *sk = chan->data;
1337 l2cap_sock_kill(sk);
1340 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1342 struct sock *sk = chan->data;
1343 struct sock *parent;
1348 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1350 /* This callback can be called both for server (BT_LISTEN)
1351 * sockets as well as "normal" ones. To avoid lockdep warnings
1352 * with child socket locking (through l2cap_sock_cleanup_listen)
1353 * we need separation into separate nesting levels. The simplest
1354 * way to accomplish this is to inherit the nesting level used
1357 lock_sock_nested(sk, atomic_read(&chan->nesting));
1359 parent = bt_sk(sk)->parent;
1361 switch (chan->state) {
1367 l2cap_sock_cleanup_listen(sk);
1368 sk->sk_state = BT_CLOSED;
1369 chan->state = BT_CLOSED;
1373 sk->sk_state = BT_CLOSED;
1374 chan->state = BT_CLOSED;
1379 bt_accept_unlink(sk);
1380 parent->sk_data_ready(parent);
1382 sk->sk_state_change(sk);
1389 /* Only zap after cleanup to avoid use after free race */
1390 sock_set_flag(sk, SOCK_ZAPPED);
1394 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1397 struct sock *sk = chan->data;
1399 sk->sk_state = state;
1405 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1406 unsigned long hdr_len,
1407 unsigned long len, int nb)
1409 struct sock *sk = chan->data;
1410 struct sk_buff *skb;
1413 l2cap_chan_unlock(chan);
1414 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1415 l2cap_chan_lock(chan);
1418 return ERR_PTR(err);
1420 /* Channel lock is released before requesting new skb and then
1421 * reacquired thus we need to recheck channel state.
1423 if (chan->state != BT_CONNECTED) {
1425 return ERR_PTR(-ENOTCONN);
1428 skb->priority = sk->sk_priority;
1430 bt_cb(skb)->l2cap.chan = chan;
1435 static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1437 struct sock *sk = chan->data;
1438 struct sock *parent;
1442 parent = bt_sk(sk)->parent;
1444 BT_DBG("sk %p, parent %p", sk, parent);
1446 sk->sk_state = BT_CONNECTED;
1447 sk->sk_state_change(sk);
1450 parent->sk_data_ready(parent);
1455 static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1457 struct sock *parent, *sk = chan->data;
1461 parent = bt_sk(sk)->parent;
1463 parent->sk_data_ready(parent);
1468 static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1470 struct sock *sk = chan->data;
1472 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1473 sk->sk_state = BT_CONNECTED;
1474 chan->state = BT_CONNECTED;
1477 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1478 sk->sk_state_change(sk);
1481 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1483 struct sock *sk = chan->data;
1486 sk->sk_shutdown = SHUTDOWN_MASK;
1490 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1492 struct sock *sk = chan->data;
1494 return sk->sk_sndtimeo;
1497 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1499 struct sock *sk = chan->data;
1501 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1502 sk->sk_state_change(sk);
1505 static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
1507 struct sock *sk = chan->data;
1509 switch (chan->mode) {
1510 case L2CAP_MODE_ERTM:
1511 case L2CAP_MODE_STREAMING:
1512 return sk_filter(sk, skb);
1518 static const struct l2cap_ops l2cap_chan_ops = {
1519 .name = "L2CAP Socket Interface",
1520 .new_connection = l2cap_sock_new_connection_cb,
1521 .recv = l2cap_sock_recv_cb,
1522 .close = l2cap_sock_close_cb,
1523 .teardown = l2cap_sock_teardown_cb,
1524 .state_change = l2cap_sock_state_change_cb,
1525 .ready = l2cap_sock_ready_cb,
1526 .defer = l2cap_sock_defer_cb,
1527 .resume = l2cap_sock_resume_cb,
1528 .suspend = l2cap_sock_suspend_cb,
1529 .set_shutdown = l2cap_sock_set_shutdown_cb,
1530 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1531 .alloc_skb = l2cap_sock_alloc_skb_cb,
1532 .filter = l2cap_sock_filter,
1535 static void l2cap_sock_destruct(struct sock *sk)
1537 BT_DBG("sk %p", sk);
1539 if (l2cap_pi(sk)->chan) {
1540 l2cap_pi(sk)->chan->data = NULL;
1541 l2cap_chan_put(l2cap_pi(sk)->chan);
1544 if (l2cap_pi(sk)->rx_busy_skb) {
1545 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1546 l2cap_pi(sk)->rx_busy_skb = NULL;
1549 skb_queue_purge(&sk->sk_receive_queue);
1550 skb_queue_purge(&sk->sk_write_queue);
1553 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1556 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1558 memset(la, 0, sizeof(struct sockaddr_l2));
1559 la->l2_family = AF_BLUETOOTH;
1560 la->l2_psm = bt_cb(skb)->l2cap.psm;
1561 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1563 *msg_namelen = sizeof(struct sockaddr_l2);
1566 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1568 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1570 BT_DBG("sk %p", sk);
1573 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1575 sk->sk_type = parent->sk_type;
1576 bt_sk(sk)->flags = bt_sk(parent)->flags;
1578 chan->chan_type = pchan->chan_type;
1579 chan->imtu = pchan->imtu;
1580 chan->omtu = pchan->omtu;
1581 chan->conf_state = pchan->conf_state;
1582 chan->mode = pchan->mode;
1583 chan->fcs = pchan->fcs;
1584 chan->max_tx = pchan->max_tx;
1585 chan->tx_win = pchan->tx_win;
1586 chan->tx_win_max = pchan->tx_win_max;
1587 chan->sec_level = pchan->sec_level;
1588 chan->flags = pchan->flags;
1589 chan->tx_credits = pchan->tx_credits;
1590 chan->rx_credits = pchan->rx_credits;
1592 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1593 chan->scid = pchan->scid;
1594 chan->dcid = pchan->scid;
1597 security_sk_clone(parent, sk);
1599 switch (sk->sk_type) {
1601 chan->chan_type = L2CAP_CHAN_RAW;
1604 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1605 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1607 case SOCK_SEQPACKET:
1609 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1613 chan->imtu = L2CAP_DEFAULT_MTU;
1615 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1616 chan->mode = L2CAP_MODE_ERTM;
1617 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1619 chan->mode = L2CAP_MODE_BASIC;
1622 l2cap_chan_set_defaults(chan);
1625 /* Default config options */
1626 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1629 chan->ops = &l2cap_chan_ops;
1632 static struct proto l2cap_proto = {
1634 .owner = THIS_MODULE,
1635 .obj_size = sizeof(struct l2cap_pinfo)
1638 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1639 int proto, gfp_t prio, int kern)
1642 struct l2cap_chan *chan;
1644 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern);
1648 sock_init_data(sock, sk);
1649 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1651 sk->sk_destruct = l2cap_sock_destruct;
1652 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1654 sock_reset_flag(sk, SOCK_ZAPPED);
1656 sk->sk_protocol = proto;
1657 sk->sk_state = BT_OPEN;
1659 chan = l2cap_chan_create();
1665 l2cap_chan_hold(chan);
1667 l2cap_pi(sk)->chan = chan;
1672 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1677 BT_DBG("sock %p", sock);
1679 sock->state = SS_UNCONNECTED;
1681 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1682 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1683 return -ESOCKTNOSUPPORT;
1685 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1688 sock->ops = &l2cap_sock_ops;
1690 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1694 l2cap_sock_init(sk, NULL);
1695 bt_sock_link(&l2cap_sk_list, sk);
1699 static const struct proto_ops l2cap_sock_ops = {
1700 .family = PF_BLUETOOTH,
1701 .owner = THIS_MODULE,
1702 .release = l2cap_sock_release,
1703 .bind = l2cap_sock_bind,
1704 .connect = l2cap_sock_connect,
1705 .listen = l2cap_sock_listen,
1706 .accept = l2cap_sock_accept,
1707 .getname = l2cap_sock_getname,
1708 .sendmsg = l2cap_sock_sendmsg,
1709 .recvmsg = l2cap_sock_recvmsg,
1710 .poll = bt_sock_poll,
1711 .ioctl = bt_sock_ioctl,
1712 .mmap = sock_no_mmap,
1713 .socketpair = sock_no_socketpair,
1714 .shutdown = l2cap_sock_shutdown,
1715 .setsockopt = l2cap_sock_setsockopt,
1716 .getsockopt = l2cap_sock_getsockopt
1719 static const struct net_proto_family l2cap_sock_family_ops = {
1720 .family = PF_BLUETOOTH,
1721 .owner = THIS_MODULE,
1722 .create = l2cap_sock_create,
1725 int __init l2cap_init_sockets(void)
1729 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1731 err = proto_register(&l2cap_proto, 0);
1735 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1737 BT_ERR("L2CAP socket registration failed");
1741 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1744 BT_ERR("Failed to create L2CAP proc file");
1745 bt_sock_unregister(BTPROTO_L2CAP);
1749 BT_INFO("L2CAP socket layer initialized");
1754 proto_unregister(&l2cap_proto);
1758 void l2cap_cleanup_sockets(void)
1760 bt_procfs_cleanup(&init_net, "l2cap");
1761 bt_sock_unregister(BTPROTO_L2CAP);
1762 proto_unregister(&l2cap_proto);