projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: RFCOMM - Fix info leak via getsockname()
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_sock.c
CommitLineData
bb58f747
GP		 1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
bb58f747
GP		 7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
26*/
27
28/* Bluetooth L2CAP sockets. */
29
bc3b2d7f 30#include <linux/export.h>
6230c9b4 31
bb58f747 32#include <net/bluetooth/bluetooth.h>
33575df7 33#include <net/bluetooth/hci_core.h>
bb58f747 34#include <net/bluetooth/l2cap.h>
f1cb9af5 35#include <net/bluetooth/smp.h>
bb58f747 36
cf2f90f5 37static const struct proto_ops l2cap_sock_ops;
80808e43
GP		 38static void l2cap_sock_init(struct sock *sk, struct sock *parent);
39static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio);
cf2f90f5 40
af6bcd82
GP		 41static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
42{
43 struct sock *sk = sock->sk;
4343478f 44 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
af6bcd82
GP		 45 struct sockaddr_l2 la;
46 int len, err = 0;
47
48 BT_DBG("sk %p", sk);
49
50 if (!addr || addr->sa_family != AF_BLUETOOTH)
51 return -EINVAL;
52
53 memset(&la, 0, sizeof(la));
54 len = min_t(unsigned int, sizeof(la), alen);
55 memcpy(&la, addr, len);
56
b62f328b 57 if (la.l2_cid && la.l2_psm)
af6bcd82
GP		 58 return -EINVAL;
59
60 lock_sock(sk);
61
62 if (sk->sk_state != BT_OPEN) {
63 err = -EBADFD;
64 goto done;
65 }
66
67 if (la.l2_psm) {
68 __u16 psm = __le16_to_cpu(la.l2_psm);
69
70 /* PSM must be odd and lsb of upper byte must be 0 */
71 if ((psm & 0x0101) != 0x0001) {
72 err = -EINVAL;
73 goto done;
74 }
75
76 /* Restrict usage of well-known PSMs */
77 if (psm < 0x1001 && !capable(CAP_NET_BIND_SERVICE)) {
78 err = -EACCES;
79 goto done;
80 }
81 }
82
9e4425ff 83 if (la.l2_cid)
6e4aff10 84 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
9e4425ff
GP		 85 else
86 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
af6bcd82 87
9e4425ff
GP		 88 if (err < 0)
89 goto done;
af6bcd82 90
2983fd68
AE		 91 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
92 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
9e4425ff 93 chan->sec_level = BT_SECURITY_SDP;
b62f328b 94
9e4425ff 95 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
89bc500e
GP		 96
97 chan->state = BT_BOUND;
9e4425ff 98 sk->sk_state = BT_BOUND;
af6bcd82
GP		 99
100done:
101 release_sock(sk);
102 return err;
103}
104
4e34c50b
GP		 105static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
106{
107 struct sock *sk = sock->sk;
0c1bc5c6 108 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
4e34c50b
GP		 109 struct sockaddr_l2 la;
110 int len, err = 0;
111
112 BT_DBG("sk %p", sk);
113
114 if (!addr || alen < sizeof(addr->sa_family) ||
115 addr->sa_family != AF_BLUETOOTH)
116 return -EINVAL;
117
118 memset(&la, 0, sizeof(la));
119 len = min_t(unsigned int, sizeof(la), alen);
120 memcpy(&la, addr, len);
121
acd7d370 122 if (la.l2_cid && la.l2_psm)
4e34c50b
GP		 123 return -EINVAL;
124
6e4aff10 125 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
8e9f9892 126 &la.l2_bdaddr, la.l2_bdaddr_type);
4e34c50b 127 if (err)
b3fb611e 128 return err;
4e34c50b 129
6be36555
AE		 130 lock_sock(sk);
131
4e34c50b
GP		 132 err = bt_sock_wait_state(sk, BT_CONNECTED,
133 sock_sndtimeo(sk, flags & O_NONBLOCK));
b3fb611e
AE		 134
135 release_sock(sk);
136
4e34c50b
GP		 137 return err;
138}
139
af6bcd82
GP		 140static int l2cap_sock_listen(struct socket *sock, int backlog)
141{
142 struct sock *sk = sock->sk;
0c1bc5c6 143 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
af6bcd82
GP		 144 int err = 0;
145
146 BT_DBG("sk %p backlog %d", sk, backlog);
147
148 lock_sock(sk);
149
6b3af733 150 if (sk->sk_state != BT_BOUND) {
af6bcd82
GP		 151 err = -EBADFD;
152 goto done;
153 }
154
6b3af733
MH		 155 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
156 err = -EINVAL;
157 goto done;
158 }
159
0c1bc5c6 160 switch (chan->mode) {
af6bcd82
GP		 161 case L2CAP_MODE_BASIC:
162 break;
163 case L2CAP_MODE_ERTM:
164 case L2CAP_MODE_STREAMING:
165 if (!disable_ertm)
166 break;
167 /* fall through */
168 default:
169 err = -ENOTSUPP;
170 goto done;
171 }
172
af6bcd82
GP		 173 sk->sk_max_ack_backlog = backlog;
174 sk->sk_ack_backlog = 0;
89bc500e
GP		 175
176 chan->state = BT_LISTEN;
af6bcd82
GP		 177 sk->sk_state = BT_LISTEN;
178
179done:
180 release_sock(sk);
181 return err;
182}
183
c47b7c72
GP		 184static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
185{
186 DECLARE_WAITQUEUE(wait, current);
187 struct sock *sk = sock->sk, *nsk;
188 long timeo;
189 int err = 0;
190
191 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
192
c47b7c72
GP		 193 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
194
195 BT_DBG("sk %p timeo %ld", sk, timeo);
196
197 /* Wait for an incoming connection. (wake-one). */
198 add_wait_queue_exclusive(sk_sleep(sk), &wait);
f9a3c20a 199 while (1) {
c47b7c72 200 set_current_state(TASK_INTERRUPTIBLE);
f9a3c20a
PH		 201
202 if (sk->sk_state != BT_LISTEN) {
203 err = -EBADFD;
c47b7c72
GP		 204 break;
205 }
206
f9a3c20a
PH		 207 nsk = bt_accept_dequeue(sk, newsock);
208 if (nsk)
209 break;
c47b7c72 210
f9a3c20a
PH		 211 if (!timeo) {
212 err = -EAGAIN;
c47b7c72
GP		 213 break;
214 }
215
216 if (signal_pending(current)) {
217 err = sock_intr_errno(timeo);
218 break;
219 }
f9a3c20a
PH		 220
221 release_sock(sk);
222 timeo = schedule_timeout(timeo);
223 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
c47b7c72 224 }
f9a3c20a 225 __set_current_state(TASK_RUNNING);
c47b7c72
GP		 226 remove_wait_queue(sk_sleep(sk), &wait);
227
228 if (err)
229 goto done;
230
231 newsock->state = SS_CONNECTED;
232
233 BT_DBG("new socket %p", nsk);
234
235done:
236 release_sock(sk);
237 return err;
238}
239
d7175d55
GP		 240static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
241{
242 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
243 struct sock *sk = sock->sk;
0c1bc5c6 244 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
d7175d55
GP		 245
246 BT_DBG("sock %p, sk %p", sock, sk);
247
248 addr->sa_family = AF_BLUETOOTH;
249 *len = sizeof(struct sockaddr_l2);
250
251 if (peer) {
fe4128e0 252 la->l2_psm = chan->psm;
d7175d55 253 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
fe4128e0 254 la->l2_cid = cpu_to_le16(chan->dcid);
d7175d55 255 } else {
0c1bc5c6 256 la->l2_psm = chan->sport;
d7175d55 257 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
fe4128e0 258 la->l2_cid = cpu_to_le16(chan->scid);
d7175d55
GP		 259 }
260
261 return 0;
262}
263
99f4808d
GP		 264static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
265{
266 struct sock *sk = sock->sk;
4343478f 267 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
99f4808d
GP		 268 struct l2cap_options opts;
269 struct l2cap_conninfo cinfo;
270 int len, err = 0;
271 u32 opt;
272
273 BT_DBG("sk %p", sk);
274
275 if (get_user(len, optlen))
276 return -EFAULT;
277
278 lock_sock(sk);
279
280 switch (optname) {
281 case L2CAP_OPTIONS:
e3fb592b 282 memset(&opts, 0, sizeof(opts));
0c1bc5c6
GP		 283 opts.imtu = chan->imtu;
284 opts.omtu = chan->omtu;
285 opts.flush_to = chan->flush_to;
286 opts.mode = chan->mode;
47d1ec61
GP		 287 opts.fcs = chan->fcs;
288 opts.max_tx = chan->max_tx;
6327eb98 289 opts.txwin_size = chan->tx_win;
99f4808d
GP		 290
291 len = min_t(unsigned int, len, sizeof(opts));
292 if (copy_to_user(optval, (char *) &opts, len))
293 err = -EFAULT;
294
295 break;
296
297 case L2CAP_LM:
4343478f 298 switch (chan->sec_level) {
99f4808d
GP		 299 case BT_SECURITY_LOW:
300 opt = L2CAP_LM_AUTH;
301 break;
302 case BT_SECURITY_MEDIUM:
303 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
304 break;
305 case BT_SECURITY_HIGH:
306 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
307 L2CAP_LM_SECURE;
308 break;
309 default:
310 opt = 0;
311 break;
312 }
313
43bd0f32 314 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
99f4808d
GP		 315 opt |= L2CAP_LM_MASTER;
316
ecf61bdb 317 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
99f4808d
GP		 318 opt |= L2CAP_LM_RELIABLE;
319
320 if (put_user(opt, (u32 __user *) optval))
321 err = -EFAULT;
322 break;
323
324 case L2CAP_CONNINFO:
325 if (sk->sk_state != BT_CONNECTED &&
c5daa683
GP		 326 !(sk->sk_state == BT_CONNECT2 &&
327 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
99f4808d
GP		 328 err = -ENOTCONN;
329 break;
330 }
331
8d03e971 332 memset(&cinfo, 0, sizeof(cinfo));
8c1d787b
GP		 333 cinfo.hci_handle = chan->conn->hcon->handle;
334 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
99f4808d
GP		 335
336 len = min_t(unsigned int, len, sizeof(cinfo));
337 if (copy_to_user(optval, (char *) &cinfo, len))
338 err = -EFAULT;
339
340 break;
341
342 default:
343 err = -ENOPROTOOPT;
344 break;
345 }
346
347 release_sock(sk);
348 return err;
349}
350
351static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
352{
353 struct sock *sk = sock->sk;
4343478f 354 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
99f4808d 355 struct bt_security sec;
14b12d0b 356 struct bt_power pwr;
99f4808d
GP		 357 int len, err = 0;
358
359 BT_DBG("sk %p", sk);
360
361 if (level == SOL_L2CAP)
362 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
363
364 if (level != SOL_BLUETOOTH)
365 return -ENOPROTOOPT;
366
367 if (get_user(len, optlen))
368 return -EFAULT;
369
370 lock_sock(sk);
371
372 switch (optname) {
373 case BT_SECURITY:
715ec005
GP		 374 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
375 chan->chan_type != L2CAP_CHAN_RAW) {
99f4808d
GP		 376 err = -EINVAL;
377 break;
378 }
379
8f360119 380 memset(&sec, 0, sizeof(sec));
c6585a4d
GP		 381 if (chan->conn)
382 sec.level = chan->conn->hcon->sec_level;
383 else
384 sec.level = chan->sec_level;
99f4808d 385
8f360119
VCG		 386 if (sk->sk_state == BT_CONNECTED)
387 sec.key_size = chan->conn->hcon->enc_key_size;
388
99f4808d
GP		 389 len = min_t(unsigned int, len, sizeof(sec));
390 if (copy_to_user(optval, (char *) &sec, len))
391 err = -EFAULT;
392
393 break;
394
395 case BT_DEFER_SETUP:
396 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
397 err = -EINVAL;
398 break;
399 }
400
c5daa683
GP		 401 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
402 (u32 __user *) optval))
99f4808d
GP		 403 err = -EFAULT;
404
405 break;
406
407 case BT_FLUSHABLE:
d57b0e8b
AE		 408 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
409 (u32 __user *) optval))
99f4808d
GP		 410 err = -EFAULT;
411
412 break;
413
14b12d0b
JG		 414 case BT_POWER:
415 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
416 && sk->sk_type != SOCK_RAW) {
417 err = -EINVAL;
418 break;
419 }
420
15770b1a 421 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
14b12d0b
JG		 422
423 len = min_t(unsigned int, len, sizeof(pwr));
424 if (copy_to_user(optval, (char *) &pwr, len))
425 err = -EFAULT;
426
427 break;
428
2ea66482
MM		 429 case BT_CHANNEL_POLICY:
430 if (!enable_hs) {
431 err = -ENOPROTOOPT;
432 break;
433 }
434
435 if (put_user(chan->chan_policy, (u32 __user *) optval))
436 err = -EFAULT;
437 break;
438
99f4808d
GP		 439 default:
440 err = -ENOPROTOOPT;
441 break;
442 }
443
444 release_sock(sk);
445 return err;
446}
447
682877c3
AG		 448static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
449{
450 switch (chan->scid) {
451 case L2CAP_CID_LE_DATA:
8c3a4f00 452 if (mtu < L2CAP_LE_MIN_MTU)
682877c3
AG		 453 return false;
454 break;
455
456 default:
457 if (mtu < L2CAP_DEFAULT_MIN_MTU)
458 return false;
459 }
460
461 return true;
462}
463
33575df7
GP		 464static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
465{
466 struct sock *sk = sock->sk;
b4450035 467 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
33575df7
GP		 468 struct l2cap_options opts;
469 int len, err = 0;
470 u32 opt;
471
472 BT_DBG("sk %p", sk);
473
474 lock_sock(sk);
475
476 switch (optname) {
477 case L2CAP_OPTIONS:
478 if (sk->sk_state == BT_CONNECTED) {
479 err = -EINVAL;
480 break;
481 }
482
0c1bc5c6
GP		 483 opts.imtu = chan->imtu;
484 opts.omtu = chan->omtu;
485 opts.flush_to = chan->flush_to;
486 opts.mode = chan->mode;
47d1ec61
GP		 487 opts.fcs = chan->fcs;
488 opts.max_tx = chan->max_tx;
6327eb98 489 opts.txwin_size = chan->tx_win;
33575df7
GP		 490
491 len = min_t(unsigned int, sizeof(opts), optlen);
492 if (copy_from_user((char *) &opts, optval, len)) {
493 err = -EFAULT;
494 break;
495 }
496
6327eb98 497 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
33575df7
GP		 498 err = -EINVAL;
499 break;
500 }
501
682877c3
AG		 502 if (!l2cap_valid_mtu(chan, opts.imtu)) {
503 err = -EINVAL;
504 break;
505 }
506
0c1bc5c6
GP		 507 chan->mode = opts.mode;
508 switch (chan->mode) {
33575df7 509 case L2CAP_MODE_BASIC:
c1360a1c 510 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
33575df7
GP		 511 break;
512 case L2CAP_MODE_ERTM:
513 case L2CAP_MODE_STREAMING:
514 if (!disable_ertm)
515 break;
516 /* fall through */
517 default:
518 err = -EINVAL;
519 break;
520 }
521
0c1bc5c6
GP		 522 chan->imtu = opts.imtu;
523 chan->omtu = opts.omtu;
47d1ec61
GP		 524 chan->fcs = opts.fcs;
525 chan->max_tx = opts.max_tx;
6327eb98 526 chan->tx_win = opts.txwin_size;
33575df7
GP		 527 break;
528
529 case L2CAP_LM:
530 if (get_user(opt, (u32 __user *) optval)) {
531 err = -EFAULT;
532 break;
533 }
534
535 if (opt & L2CAP_LM_AUTH)
4343478f 536 chan->sec_level = BT_SECURITY_LOW;
33575df7 537 if (opt & L2CAP_LM_ENCRYPT)
4343478f 538 chan->sec_level = BT_SECURITY_MEDIUM;
33575df7 539 if (opt & L2CAP_LM_SECURE)
4343478f 540 chan->sec_level = BT_SECURITY_HIGH;
33575df7 541
43bd0f32
AE		 542 if (opt & L2CAP_LM_MASTER)
543 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
544 else
545 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
ecf61bdb
AE		 546
547 if (opt & L2CAP_LM_RELIABLE)
548 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
549 else
550 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
33575df7
GP		 551 break;
552
553 default:
554 err = -ENOPROTOOPT;
555 break;
556 }
557
558 release_sock(sk);
559 return err;
560}
561
562static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
563{
564 struct sock *sk = sock->sk;
4343478f 565 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
33575df7 566 struct bt_security sec;
14b12d0b 567 struct bt_power pwr;
f1cb9af5 568 struct l2cap_conn *conn;
33575df7
GP		 569 int len, err = 0;
570 u32 opt;
571
572 BT_DBG("sk %p", sk);
573
574 if (level == SOL_L2CAP)
575 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
576
577 if (level != SOL_BLUETOOTH)
578 return -ENOPROTOOPT;
579
580 lock_sock(sk);
581
582 switch (optname) {
583 case BT_SECURITY:
715ec005
GP		 584 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
585 chan->chan_type != L2CAP_CHAN_RAW) {
33575df7
GP		 586 err = -EINVAL;
587 break;
588 }
589
590 sec.level = BT_SECURITY_LOW;
591
592 len = min_t(unsigned int, sizeof(sec), optlen);
593 if (copy_from_user((char *) &sec, optval, len)) {
594 err = -EFAULT;
595 break;
596 }
597
598 if (sec.level < BT_SECURITY_LOW ||
599 sec.level > BT_SECURITY_HIGH) {
600 err = -EINVAL;
601 break;
602 }
603
4343478f 604 chan->sec_level = sec.level;
f1cb9af5 605
0bee1d60
GP		 606 if (!chan->conn)
607 break;
608
f1cb9af5 609 conn = chan->conn;
0bee1d60
GP		 610
611 /*change security for LE channels */
612 if (chan->scid == L2CAP_CID_LE_DATA) {
f1cb9af5
VCG		 613 if (!conn->hcon->out) {
614 err = -EINVAL;
615 break;
616 }
617
618 if (smp_conn_security(conn, sec.level))
619 break;
f1cb9af5 620 sk->sk_state = BT_CONFIG;
3542b854 621 chan->state = BT_CONFIG;
0bee1d60 622
a7d7723a
GP		 623 /* or for ACL link */
624 } else if ((sk->sk_state == BT_CONNECT2 &&
c5daa683 625 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
a7d7723a
GP		 626 sk->sk_state == BT_CONNECTED) {
627 if (!l2cap_chan_check_security(chan))
c5daa683 628 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 629 else
630 sk->sk_state_change(sk);
0bee1d60
GP		 631 } else {
632 err = -EINVAL;
f1cb9af5 633 }
33575df7
GP		 634 break;
635
636 case BT_DEFER_SETUP:
637 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
638 err = -EINVAL;
639 break;
640 }
641
642 if (get_user(opt, (u32 __user *) optval)) {
643 err = -EFAULT;
644 break;
645 }
646
c5daa683
GP		 647 if (opt)
648 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
649 else
650 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
33575df7
GP		 651 break;
652
653 case BT_FLUSHABLE:
654 if (get_user(opt, (u32 __user *) optval)) {
655 err = -EFAULT;
656 break;
657 }
658
659 if (opt > BT_FLUSHABLE_ON) {
660 err = -EINVAL;
661 break;
662 }
663
664 if (opt == BT_FLUSHABLE_OFF) {
8c1d787b 665 struct l2cap_conn *conn = chan->conn;
25985edc 666 /* proceed further only when we have l2cap_conn and
33575df7
GP		 667 No Flush support in the LM */
668 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
669 err = -EINVAL;
670 break;
671 }
672 }
673
d57b0e8b
AE		 674 if (opt)
675 set_bit(FLAG_FLUSHABLE, &chan->flags);
676 else
677 clear_bit(FLAG_FLUSHABLE, &chan->flags);
33575df7
GP		 678 break;
679
14b12d0b
JG		 680 case BT_POWER:
681 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
682 chan->chan_type != L2CAP_CHAN_RAW) {
683 err = -EINVAL;
684 break;
685 }
686
687 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
688
689 len = min_t(unsigned int, sizeof(pwr), optlen);
690 if (copy_from_user((char *) &pwr, optval, len)) {
691 err = -EFAULT;
692 break;
693 }
15770b1a
AE		 694
695 if (pwr.force_active)
696 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
697 else
698 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
14b12d0b
JG		 699 break;
700
2ea66482
MM		 701 case BT_CHANNEL_POLICY:
702 if (!enable_hs) {
703 err = -ENOPROTOOPT;
704 break;
705 }
706
707 if (get_user(opt, (u32 __user *) optval)) {
708 err = -EFAULT;
709 break;
710 }
711
712 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
713 err = -EINVAL;
714 break;
715 }
716
717 if (chan->mode != L2CAP_MODE_ERTM &&
718 chan->mode != L2CAP_MODE_STREAMING) {
719 err = -EOPNOTSUPP;
720 break;
721 }
722
723 chan->chan_policy = (u8) opt;
14b12d0b
JG		 724 break;
725
33575df7
GP		 726 default:
727 err = -ENOPROTOOPT;
728 break;
729 }
730
731 release_sock(sk);
732 return err;
733}
fd83ccdb
GP		 734
735static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
736{
737 struct sock *sk = sock->sk;
0c1bc5c6 738 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
fd83ccdb
GP		 739 int err;
740
741 BT_DBG("sock %p, sk %p", sock, sk);
742
743 err = sock_error(sk);
744 if (err)
745 return err;
746
747 if (msg->msg_flags & MSG_OOB)
748 return -EOPNOTSUPP;
749
a6a5568c 750 if (sk->sk_state != BT_CONNECTED)
9a91a04a 751 return -ENOTCONN;
fd83ccdb 752
a6a5568c 753 l2cap_chan_lock(chan);
5e59b791 754 err = l2cap_chan_send(chan, msg, len, sk->sk_priority);
a6a5568c 755 l2cap_chan_unlock(chan);
fd83ccdb 756
fd83ccdb
GP		 757 return err;
758}
33575df7 759
68983259
GP		 760static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
761{
762 struct sock *sk = sock->sk;
e328140f
MM		 763 struct l2cap_pinfo *pi = l2cap_pi(sk);
764 int err;
68983259
GP		 765
766 lock_sock(sk);
767
c5daa683
GP		 768 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
769 &bt_sk(sk)->flags)) {
8c1d787b 770 sk->sk_state = BT_CONFIG;
3542b854 771 pi->chan->state = BT_CONFIG;
8c1d787b 772
e328140f 773 __l2cap_connect_rsp_defer(pi->chan);
68983259
GP		 774 release_sock(sk);
775 return 0;
776 }
777
778 release_sock(sk);
779
780 if (sock->type == SOCK_STREAM)
e328140f
MM		 781 err = bt_sock_stream_recvmsg(iocb, sock, msg, len, flags);
782 else
783 err = bt_sock_recvmsg(iocb, sock, msg, len, flags);
784
785 if (pi->chan->mode != L2CAP_MODE_ERTM)
786 return err;
787
788 /* Attempt to put pending rx data in the socket buffer */
789
790 lock_sock(sk);
791
792 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
793 goto done;
794
795 if (pi->rx_busy_skb) {
796 if (!sock_queue_rcv_skb(sk, pi->rx_busy_skb))
797 pi->rx_busy_skb = NULL;
798 else
799 goto done;
800 }
801
802 /* Restore data flow when half of the receive buffer is
803 * available. This avoids resending large numbers of
804 * frames.
805 */
806 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
807 l2cap_chan_busy(pi->chan, 0);
68983259 808
e328140f
MM		 809done:
810 release_sock(sk);
811 return err;
68983259
GP		 812}
813
05fc1576
GP		 814/* Kill socket (only if zapped and orphan)
815 * Must be called on unlocked socket.
816 */
ba3bd0ee 817static void l2cap_sock_kill(struct sock *sk)
05fc1576
GP		 818{
819 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
820 return;
821
e05dcc32 822 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
05fc1576
GP		 823
824 /* Kill poor orphan */
6ff5abbf 825
23691d75 826 l2cap_chan_destroy(l2cap_pi(sk)->chan);
05fc1576
GP		 827 sock_set_flag(sk, SOCK_DEAD);
828 sock_put(sk);
829}
830
dcba0dba
GP		 831static int l2cap_sock_shutdown(struct socket *sock, int how)
832{
833 struct sock *sk = sock->sk;
7ddb6e0f 834 struct l2cap_chan *chan;
3df91ea2 835 struct l2cap_conn *conn;
dcba0dba
GP		 836 int err = 0;
837
838 BT_DBG("sock %p, sk %p", sock, sk);
839
840 if (!sk)
841 return 0;
842
7ddb6e0f 843 chan = l2cap_pi(sk)->chan;
3df91ea2
AE		 844 conn = chan->conn;
845
846 if (conn)
847 mutex_lock(&conn->chan_lock);
7ddb6e0f 848
6be36555 849 l2cap_chan_lock(chan);
dcba0dba 850 lock_sock(sk);
6be36555 851
dcba0dba 852 if (!sk->sk_shutdown) {
0c1bc5c6 853 if (chan->mode == L2CAP_MODE_ERTM)
dcba0dba
GP		 854 err = __l2cap_wait_ack(sk);
855
856 sk->sk_shutdown = SHUTDOWN_MASK;
3df91ea2 857
6be36555 858 release_sock(sk);
0f852724 859 l2cap_chan_close(chan, 0);
6be36555 860 lock_sock(sk);
dcba0dba
GP		 861
862 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
863 err = bt_sock_wait_state(sk, BT_CLOSED,
864 sk->sk_lingertime);
865 }
866
867 if (!err && sk->sk_err)
868 err = -sk->sk_err;
869
870 release_sock(sk);
6be36555 871 l2cap_chan_unlock(chan);
3df91ea2
AE		 872
873 if (conn)
874 mutex_unlock(&conn->chan_lock);
875
dcba0dba
GP		 876 return err;
877}
878
554f05bb
GP		 879static int l2cap_sock_release(struct socket *sock)
880{
881 struct sock *sk = sock->sk;
882 int err;
883
884 BT_DBG("sock %p, sk %p", sock, sk);
885
886 if (!sk)
887 return 0;
888
889 err = l2cap_sock_shutdown(sock, 2);
890
891 sock_orphan(sk);
892 l2cap_sock_kill(sk);
893 return err;
894}
895
c0df7f6e
AE		 896static void l2cap_sock_cleanup_listen(struct sock *parent)
897{
898 struct sock *sk;
899
900 BT_DBG("parent %p", parent);
901
902 /* Close not yet accepted channels */
903 while ((sk = bt_accept_dequeue(parent, NULL))) {
904 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
905
906 l2cap_chan_lock(chan);
907 __clear_chan_timer(chan);
908 l2cap_chan_close(chan, ECONNRESET);
909 l2cap_chan_unlock(chan);
910
911 l2cap_sock_kill(sk);
912 }
913}
914
80b98027 915static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
80808e43 916{
80b98027 917 struct sock *sk, *parent = chan->data;
80808e43 918
53826692
GP		 919 /* Check for backlog size */
920 if (sk_acceptq_is_full(parent)) {
921 BT_DBG("backlog full %d", parent->sk_ack_backlog);
922 return NULL;
923 }
924
80808e43
GP		 925 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
926 GFP_ATOMIC);
927 if (!sk)
928 return NULL;
929
d22015aa
OP		 930 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
931
80808e43
GP		 932 l2cap_sock_init(sk, parent);
933
934 return l2cap_pi(sk)->chan;
935}
936
80b98027 937static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
23070494 938{
e328140f 939 int err;
80b98027 940 struct sock *sk = chan->data;
e328140f
MM		 941 struct l2cap_pinfo *pi = l2cap_pi(sk);
942
6be36555
AE		 943 lock_sock(sk);
944
945 if (pi->rx_busy_skb) {
946 err = -ENOMEM;
947 goto done;
948 }
e328140f
MM		 949
950 err = sock_queue_rcv_skb(sk, skb);
951
952 /* For ERTM, handle one skb that doesn't fit into the recv
953 * buffer. This is important to do because the data frames
954 * have already been acked, so the skb cannot be discarded.
955 *
956 * Notify the l2cap core that the buffer is full, so the
957 * LOCAL_BUSY state is entered and no more frames are
958 * acked and reassembled until there is buffer space
959 * available.
960 */
961 if (err < 0 && pi->chan->mode == L2CAP_MODE_ERTM) {
962 pi->rx_busy_skb = skb;
963 l2cap_chan_busy(pi->chan, 1);
964 err = 0;
965 }
23070494 966
6be36555
AE		 967done:
968 release_sock(sk);
969
e328140f 970 return err;
23070494
GP		 971}
972
80b98027 973static void l2cap_sock_close_cb(struct l2cap_chan *chan)
ba3bd0ee 974{
80b98027 975 struct sock *sk = chan->data;
ba3bd0ee
GP		 976
977 l2cap_sock_kill(sk);
978}
979
c0df7f6e
AE		 980static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
981{
982 struct sock *sk = chan->data;
983 struct sock *parent;
984
985 lock_sock(sk);
986
987 parent = bt_sk(sk)->parent;
988
989 sock_set_flag(sk, SOCK_ZAPPED);
990
991 switch (chan->state) {
992 case BT_OPEN:
993 case BT_BOUND:
994 case BT_CLOSED:
995 break;
996 case BT_LISTEN:
997 l2cap_sock_cleanup_listen(sk);
998 sk->sk_state = BT_CLOSED;
999 chan->state = BT_CLOSED;
1000
1001 break;
1002 default:
1003 sk->sk_state = BT_CLOSED;
1004 chan->state = BT_CLOSED;
1005
1006 sk->sk_err = err;
1007
1008 if (parent) {
1009 bt_accept_unlink(sk);
1010 parent->sk_data_ready(parent, 0);
1011 } else {
1012 sk->sk_state_change(sk);
1013 }
1014
1015 break;
1016 }
1017
1018 release_sock(sk);
1019}
1020
80b98027 1021static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state)
89bc500e 1022{
80b98027 1023 struct sock *sk = chan->data;
89bc500e
GP		 1024
1025 sk->sk_state = state;
1026}
1027
2f7719ce 1028static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
90338947 1029 unsigned long len, int nb)
2f7719ce 1030{
90338947
GP		 1031 struct sk_buff *skb;
1032 int err;
1033
a6a5568c 1034 l2cap_chan_unlock(chan);
90338947 1035 skb = bt_skb_send_alloc(chan->sk, len, nb, &err);
a6a5568c
MM		 1036 l2cap_chan_lock(chan);
1037
90338947
GP		 1038 if (!skb)
1039 return ERR_PTR(err);
2f7719ce 1040
90338947 1041 return skb;
2f7719ce
AE		 1042}
1043
54a59aa2
AE		 1044static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1045{
1046 struct sock *sk = chan->data;
1047 struct sock *parent;
1048
1049 lock_sock(sk);
1050
1051 parent = bt_sk(sk)->parent;
1052
1053 BT_DBG("sk %p, parent %p", sk, parent);
1054
1055 sk->sk_state = BT_CONNECTED;
1056 sk->sk_state_change(sk);
1057
1058 if (parent)
1059 parent->sk_data_ready(parent, 0);
1060
1061 release_sock(sk);
1062}
1063
80808e43
GP		 1064static struct l2cap_ops l2cap_chan_ops = {
1065 .name = "L2CAP Socket Interface",
1066 .new_connection = l2cap_sock_new_connection_cb,
23070494 1067 .recv = l2cap_sock_recv_cb,
ba3bd0ee 1068 .close = l2cap_sock_close_cb,
c0df7f6e 1069 .teardown = l2cap_sock_teardown_cb,
89bc500e 1070 .state_change = l2cap_sock_state_change_cb,
54a59aa2 1071 .ready = l2cap_sock_ready_cb,
2f7719ce 1072 .alloc_skb = l2cap_sock_alloc_skb_cb,
80808e43
GP		 1073};
1074
bb58f747
GP		 1075static void l2cap_sock_destruct(struct sock *sk)
1076{
1077 BT_DBG("sk %p", sk);
1078
61d6ef3e 1079 l2cap_chan_put(l2cap_pi(sk)->chan);
e328140f
MM		 1080 if (l2cap_pi(sk)->rx_busy_skb) {
1081 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1082 l2cap_pi(sk)->rx_busy_skb = NULL;
1083 }
1084
bb58f747
GP		 1085 skb_queue_purge(&sk->sk_receive_queue);
1086 skb_queue_purge(&sk->sk_write_queue);
1087}
1088
80808e43 1089static void l2cap_sock_init(struct sock *sk, struct sock *parent)
bb58f747
GP		 1090{
1091 struct l2cap_pinfo *pi = l2cap_pi(sk);
b4450035 1092 struct l2cap_chan *chan = pi->chan;
bb58f747
GP		 1093
1094 BT_DBG("sk %p", sk);
1095
1096 if (parent) {
b4450035
GP		 1097 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1098
bb58f747 1099 sk->sk_type = parent->sk_type;
c5daa683 1100 bt_sk(sk)->flags = bt_sk(parent)->flags;
bb58f747 1101
715ec005 1102 chan->chan_type = pchan->chan_type;
0c1bc5c6
GP		 1103 chan->imtu = pchan->imtu;
1104 chan->omtu = pchan->omtu;
b4450035 1105 chan->conf_state = pchan->conf_state;
0c1bc5c6 1106 chan->mode = pchan->mode;
47d1ec61
GP		 1107 chan->fcs = pchan->fcs;
1108 chan->max_tx = pchan->max_tx;
1109 chan->tx_win = pchan->tx_win;
6b3c7104 1110 chan->tx_win_max = pchan->tx_win_max;
4343478f 1111 chan->sec_level = pchan->sec_level;
d57b0e8b 1112 chan->flags = pchan->flags;
6230c9b4
PM		 1113
1114 security_sk_clone(parent, sk);
bb58f747 1115 } else {
715ec005
GP		 1116
1117 switch (sk->sk_type) {
1118 case SOCK_RAW:
1119 chan->chan_type = L2CAP_CHAN_RAW;
1120 break;
1121 case SOCK_DGRAM:
1122 chan->chan_type = L2CAP_CHAN_CONN_LESS;
1123 break;
1124 case SOCK_SEQPACKET:
1125 case SOCK_STREAM:
1126 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1127 break;
1128 }
1129
0c1bc5c6
GP		 1130 chan->imtu = L2CAP_DEFAULT_MTU;
1131 chan->omtu = 0;
bb58f747 1132 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
0c1bc5c6 1133 chan->mode = L2CAP_MODE_ERTM;
c1360a1c 1134 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
bb58f747 1135 } else {
0c1bc5c6 1136 chan->mode = L2CAP_MODE_BASIC;
bb58f747 1137 }
bd4b1653
AE		 1138
1139 l2cap_chan_set_defaults(chan);
bb58f747
GP		 1140 }
1141
1142 /* Default config options */
0c1bc5c6 1143 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
80808e43
GP		 1144
1145 chan->data = sk;
1146 chan->ops = &l2cap_chan_ops;
bb58f747
GP		 1147}
1148
1149static struct proto l2cap_proto = {
1150 .name = "L2CAP",
1151 .owner = THIS_MODULE,
1152 .obj_size = sizeof(struct l2cap_pinfo)
1153};
1154
80808e43 1155static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
bb58f747
GP		 1156{
1157 struct sock *sk;
dc50a06d 1158 struct l2cap_chan *chan;
bb58f747
GP		 1159
1160 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1161 if (!sk)
1162 return NULL;
1163
1164 sock_init_data(sock, sk);
1165 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1166
1167 sk->sk_destruct = l2cap_sock_destruct;
ba13ccd9 1168 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
bb58f747
GP		 1169
1170 sock_reset_flag(sk, SOCK_ZAPPED);
1171
1172 sk->sk_protocol = proto;
1173 sk->sk_state = BT_OPEN;
1174
eef1d9b6 1175 chan = l2cap_chan_create();
dc50a06d 1176 if (!chan) {
49dfbb91 1177 sk_free(sk);
dc50a06d
GP		 1178 return NULL;
1179 }
1180
61d6ef3e
MM		 1181 l2cap_chan_hold(chan);
1182
eef1d9b6
GP		 1183 chan->sk = sk;
1184
dc50a06d
GP		 1185 l2cap_pi(sk)->chan = chan;
1186
bb58f747
GP		 1187 return sk;
1188}
1189
1190static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1191 int kern)
1192{
1193 struct sock *sk;
1194
1195 BT_DBG("sock %p", sock);
1196
1197 sock->state = SS_UNCONNECTED;
1198
1199 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1200 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1201 return -ESOCKTNOSUPPORT;
1202
1203 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1204 return -EPERM;
1205
1206 sock->ops = &l2cap_sock_ops;
1207
1208 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
1209 if (!sk)
1210 return -ENOMEM;
1211
1212 l2cap_sock_init(sk, NULL);
1213 return 0;
1214}
1215
cf2f90f5 1216static const struct proto_ops l2cap_sock_ops = {
65390587
GP		 1217 .family = PF_BLUETOOTH,
1218 .owner = THIS_MODULE,
1219 .release = l2cap_sock_release,
1220 .bind = l2cap_sock_bind,
1221 .connect = l2cap_sock_connect,
1222 .listen = l2cap_sock_listen,
1223 .accept = l2cap_sock_accept,
1224 .getname = l2cap_sock_getname,
1225 .sendmsg = l2cap_sock_sendmsg,
1226 .recvmsg = l2cap_sock_recvmsg,
1227 .poll = bt_sock_poll,
1228 .ioctl = bt_sock_ioctl,
1229 .mmap = sock_no_mmap,
1230 .socketpair = sock_no_socketpair,
1231 .shutdown = l2cap_sock_shutdown,
1232 .setsockopt = l2cap_sock_setsockopt,
1233 .getsockopt = l2cap_sock_getsockopt
1234};
1235
bb58f747
GP		 1236static const struct net_proto_family l2cap_sock_family_ops = {
1237 .family = PF_BLUETOOTH,
1238 .owner = THIS_MODULE,
1239 .create = l2cap_sock_create,
1240};
1241
1242int __init l2cap_init_sockets(void)
1243{
e2174ca4 1244 int err;
bb58f747 1245
e2174ca4
GP		 1246 err = proto_register(&l2cap_proto, 0);
1247 if (err < 0)
1248 return err;
bb58f747 1249
e2174ca4
GP		 1250 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1251 if (err < 0)
1252 goto error;
bb58f747 1253
e2174ca4 1254 BT_INFO("L2CAP socket layer initialized");
bb58f747 1255
e2174ca4 1256 return 0;
bb58f747
GP		 1257
1258error:
e2174ca4
GP		 1259 BT_ERR("L2CAP socket registration failed");
1260 proto_unregister(&l2cap_proto);
1261 return err;
bb58f747
GP		 1262}
1263
1264void l2cap_cleanup_sockets(void)
1265{
e2174ca4
GP		 1266 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
1267 BT_ERR("L2CAP socket unregistration failed");
bb58f747 1268
e2174ca4 1269 proto_unregister(&l2cap_proto);
bb58f747 1270}
kernel source for telekom puls (alcatel/mediatek)