xref: /openbmc/linux/net/bluetooth/l2cap_sock.c (revision 15e3ae36)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4    Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5    Copyright (C) 2010 Google Inc.
6    Copyright (C) 2011 ProFUSION Embedded Systems
7 
8    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9 
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License version 2 as
12    published by the Free Software Foundation;
13 
14    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22 
23    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25    SOFTWARE IS DISCLAIMED.
26 */
27 
28 /* Bluetooth L2CAP sockets. */
29 
30 #include <linux/module.h>
31 #include <linux/export.h>
32 #include <linux/sched/signal.h>
33 
34 #include <net/bluetooth/bluetooth.h>
35 #include <net/bluetooth/hci_core.h>
36 #include <net/bluetooth/l2cap.h>
37 
38 #include "smp.h"
39 
40 static struct bt_sock_list l2cap_sk_list = {
41 	.lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
42 };
43 
44 static const struct proto_ops l2cap_sock_ops;
45 static void l2cap_sock_init(struct sock *sk, struct sock *parent);
46 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
47 				     int proto, gfp_t prio, int kern);
48 
49 bool l2cap_is_socket(struct socket *sock)
50 {
51 	return sock && sock->ops == &l2cap_sock_ops;
52 }
53 EXPORT_SYMBOL(l2cap_is_socket);
54 
55 static int l2cap_validate_bredr_psm(u16 psm)
56 {
57 	/* PSM must be odd and lsb of upper byte must be 0 */
58 	if ((psm & 0x0101) != 0x0001)
59 		return -EINVAL;
60 
61 	/* Restrict usage of well-known PSMs */
62 	if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
63 		return -EACCES;
64 
65 	return 0;
66 }
67 
68 static int l2cap_validate_le_psm(u16 psm)
69 {
70 	/* Valid LE_PSM ranges are defined only until 0x00ff */
71 	if (psm > L2CAP_PSM_LE_DYN_END)
72 		return -EINVAL;
73 
74 	/* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
75 	if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
76 		return -EACCES;
77 
78 	return 0;
79 }
80 
81 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
82 {
83 	struct sock *sk = sock->sk;
84 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
85 	struct sockaddr_l2 la;
86 	int len, err = 0;
87 
88 	BT_DBG("sk %p", sk);
89 
90 	if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
91 	    addr->sa_family != AF_BLUETOOTH)
92 		return -EINVAL;
93 
94 	memset(&la, 0, sizeof(la));
95 	len = min_t(unsigned int, sizeof(la), alen);
96 	memcpy(&la, addr, len);
97 
98 	if (la.l2_cid && la.l2_psm)
99 		return -EINVAL;
100 
101 	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
102 		return -EINVAL;
103 
104 	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
105 		/* We only allow ATT user space socket */
106 		if (la.l2_cid &&
107 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
108 			return -EINVAL;
109 	}
110 
111 	lock_sock(sk);
112 
113 	if (sk->sk_state != BT_OPEN) {
114 		err = -EBADFD;
115 		goto done;
116 	}
117 
118 	if (la.l2_psm) {
119 		__u16 psm = __le16_to_cpu(la.l2_psm);
120 
121 		if (la.l2_bdaddr_type == BDADDR_BREDR)
122 			err = l2cap_validate_bredr_psm(psm);
123 		else
124 			err = l2cap_validate_le_psm(psm);
125 
126 		if (err)
127 			goto done;
128 	}
129 
130 	bacpy(&chan->src, &la.l2_bdaddr);
131 	chan->src_type = la.l2_bdaddr_type;
132 
133 	if (la.l2_cid)
134 		err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
135 	else
136 		err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
137 
138 	if (err < 0)
139 		goto done;
140 
141 	switch (chan->chan_type) {
142 	case L2CAP_CHAN_CONN_LESS:
143 		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
144 			chan->sec_level = BT_SECURITY_SDP;
145 		break;
146 	case L2CAP_CHAN_CONN_ORIENTED:
147 		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
148 		    __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
149 			chan->sec_level = BT_SECURITY_SDP;
150 		break;
151 	case L2CAP_CHAN_RAW:
152 		chan->sec_level = BT_SECURITY_SDP;
153 		break;
154 	case L2CAP_CHAN_FIXED:
155 		/* Fixed channels default to the L2CAP core not holding a
156 		 * hci_conn reference for them. For fixed channels mapping to
157 		 * L2CAP sockets we do want to hold a reference so set the
158 		 * appropriate flag to request it.
159 		 */
160 		set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
161 		break;
162 	}
163 
164 	if (chan->psm && bdaddr_type_is_le(chan->src_type))
165 		chan->mode = L2CAP_MODE_LE_FLOWCTL;
166 
167 	chan->state = BT_BOUND;
168 	sk->sk_state = BT_BOUND;
169 
170 done:
171 	release_sock(sk);
172 	return err;
173 }
174 
175 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
176 			      int alen, int flags)
177 {
178 	struct sock *sk = sock->sk;
179 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
180 	struct sockaddr_l2 la;
181 	int len, err = 0;
182 
183 	BT_DBG("sk %p", sk);
184 
185 	if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
186 	    addr->sa_family != AF_BLUETOOTH)
187 		return -EINVAL;
188 
189 	memset(&la, 0, sizeof(la));
190 	len = min_t(unsigned int, sizeof(la), alen);
191 	memcpy(&la, addr, len);
192 
193 	if (la.l2_cid && la.l2_psm)
194 		return -EINVAL;
195 
196 	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
197 		return -EINVAL;
198 
199 	/* Check that the socket wasn't bound to something that
200 	 * conflicts with the address given to connect(). If chan->src
201 	 * is BDADDR_ANY it means bind() was never used, in which case
202 	 * chan->src_type and la.l2_bdaddr_type do not need to match.
203 	 */
204 	if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
205 	    bdaddr_type_is_le(la.l2_bdaddr_type)) {
206 		/* Old user space versions will try to incorrectly bind
207 		 * the ATT socket using BDADDR_BREDR. We need to accept
208 		 * this and fix up the source address type only when
209 		 * both the source CID and destination CID indicate
210 		 * ATT. Anything else is an invalid combination.
211 		 */
212 		if (chan->scid != L2CAP_CID_ATT ||
213 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
214 			return -EINVAL;
215 
216 		/* We don't have the hdev available here to make a
217 		 * better decision on random vs public, but since all
218 		 * user space versions that exhibit this issue anyway do
219 		 * not support random local addresses assuming public
220 		 * here is good enough.
221 		 */
222 		chan->src_type = BDADDR_LE_PUBLIC;
223 	}
224 
225 	if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
226 		return -EINVAL;
227 
228 	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
229 		/* We only allow ATT user space socket */
230 		if (la.l2_cid &&
231 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
232 			return -EINVAL;
233 	}
234 
235 	if (chan->psm && bdaddr_type_is_le(chan->src_type) && !chan->mode)
236 		chan->mode = L2CAP_MODE_LE_FLOWCTL;
237 
238 	err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
239 				 &la.l2_bdaddr, la.l2_bdaddr_type);
240 	if (err)
241 		return err;
242 
243 	lock_sock(sk);
244 
245 	err = bt_sock_wait_state(sk, BT_CONNECTED,
246 				 sock_sndtimeo(sk, flags & O_NONBLOCK));
247 
248 	release_sock(sk);
249 
250 	return err;
251 }
252 
253 static int l2cap_sock_listen(struct socket *sock, int backlog)
254 {
255 	struct sock *sk = sock->sk;
256 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
257 	int err = 0;
258 
259 	BT_DBG("sk %p backlog %d", sk, backlog);
260 
261 	lock_sock(sk);
262 
263 	if (sk->sk_state != BT_BOUND) {
264 		err = -EBADFD;
265 		goto done;
266 	}
267 
268 	if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
269 		err = -EINVAL;
270 		goto done;
271 	}
272 
273 	switch (chan->mode) {
274 	case L2CAP_MODE_BASIC:
275 	case L2CAP_MODE_LE_FLOWCTL:
276 		break;
277 	case L2CAP_MODE_EXT_FLOWCTL:
278 		if (!enable_ecred) {
279 			err = -EOPNOTSUPP;
280 			goto done;
281 		}
282 		break;
283 	case L2CAP_MODE_ERTM:
284 	case L2CAP_MODE_STREAMING:
285 		if (!disable_ertm)
286 			break;
287 		/* fall through */
288 	default:
289 		err = -EOPNOTSUPP;
290 		goto done;
291 	}
292 
293 	sk->sk_max_ack_backlog = backlog;
294 	sk->sk_ack_backlog = 0;
295 
296 	/* Listening channels need to use nested locking in order not to
297 	 * cause lockdep warnings when the created child channels end up
298 	 * being locked in the same thread as the parent channel.
299 	 */
300 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
301 
302 	chan->state = BT_LISTEN;
303 	sk->sk_state = BT_LISTEN;
304 
305 done:
306 	release_sock(sk);
307 	return err;
308 }
309 
310 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
311 			     int flags, bool kern)
312 {
313 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
314 	struct sock *sk = sock->sk, *nsk;
315 	long timeo;
316 	int err = 0;
317 
318 	lock_sock_nested(sk, L2CAP_NESTING_PARENT);
319 
320 	timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
321 
322 	BT_DBG("sk %p timeo %ld", sk, timeo);
323 
324 	/* Wait for an incoming connection. (wake-one). */
325 	add_wait_queue_exclusive(sk_sleep(sk), &wait);
326 	while (1) {
327 		if (sk->sk_state != BT_LISTEN) {
328 			err = -EBADFD;
329 			break;
330 		}
331 
332 		nsk = bt_accept_dequeue(sk, newsock);
333 		if (nsk)
334 			break;
335 
336 		if (!timeo) {
337 			err = -EAGAIN;
338 			break;
339 		}
340 
341 		if (signal_pending(current)) {
342 			err = sock_intr_errno(timeo);
343 			break;
344 		}
345 
346 		release_sock(sk);
347 
348 		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
349 
350 		lock_sock_nested(sk, L2CAP_NESTING_PARENT);
351 	}
352 	remove_wait_queue(sk_sleep(sk), &wait);
353 
354 	if (err)
355 		goto done;
356 
357 	newsock->state = SS_CONNECTED;
358 
359 	BT_DBG("new socket %p", nsk);
360 
361 done:
362 	release_sock(sk);
363 	return err;
364 }
365 
366 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
367 			      int peer)
368 {
369 	struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
370 	struct sock *sk = sock->sk;
371 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
372 
373 	BT_DBG("sock %p, sk %p", sock, sk);
374 
375 	if (peer && sk->sk_state != BT_CONNECTED &&
376 	    sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
377 	    sk->sk_state != BT_CONFIG)
378 		return -ENOTCONN;
379 
380 	memset(la, 0, sizeof(struct sockaddr_l2));
381 	addr->sa_family = AF_BLUETOOTH;
382 
383 	la->l2_psm = chan->psm;
384 
385 	if (peer) {
386 		bacpy(&la->l2_bdaddr, &chan->dst);
387 		la->l2_cid = cpu_to_le16(chan->dcid);
388 		la->l2_bdaddr_type = chan->dst_type;
389 	} else {
390 		bacpy(&la->l2_bdaddr, &chan->src);
391 		la->l2_cid = cpu_to_le16(chan->scid);
392 		la->l2_bdaddr_type = chan->src_type;
393 	}
394 
395 	return sizeof(struct sockaddr_l2);
396 }
397 
398 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
399 				     char __user *optval, int __user *optlen)
400 {
401 	struct sock *sk = sock->sk;
402 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
403 	struct l2cap_options opts;
404 	struct l2cap_conninfo cinfo;
405 	int len, err = 0;
406 	u32 opt;
407 
408 	BT_DBG("sk %p", sk);
409 
410 	if (get_user(len, optlen))
411 		return -EFAULT;
412 
413 	lock_sock(sk);
414 
415 	switch (optname) {
416 	case L2CAP_OPTIONS:
417 		/* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
418 		 * legacy ATT code depends on getsockopt for
419 		 * L2CAP_OPTIONS we need to let this pass.
420 		 */
421 		if (bdaddr_type_is_le(chan->src_type) &&
422 		    chan->scid != L2CAP_CID_ATT) {
423 			err = -EINVAL;
424 			break;
425 		}
426 
427 		memset(&opts, 0, sizeof(opts));
428 		opts.imtu     = chan->imtu;
429 		opts.omtu     = chan->omtu;
430 		opts.flush_to = chan->flush_to;
431 		opts.mode     = chan->mode;
432 		opts.fcs      = chan->fcs;
433 		opts.max_tx   = chan->max_tx;
434 		opts.txwin_size = chan->tx_win;
435 
436 		BT_DBG("mode 0x%2.2x", chan->mode);
437 
438 		len = min_t(unsigned int, len, sizeof(opts));
439 		if (copy_to_user(optval, (char *) &opts, len))
440 			err = -EFAULT;
441 
442 		break;
443 
444 	case L2CAP_LM:
445 		switch (chan->sec_level) {
446 		case BT_SECURITY_LOW:
447 			opt = L2CAP_LM_AUTH;
448 			break;
449 		case BT_SECURITY_MEDIUM:
450 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
451 			break;
452 		case BT_SECURITY_HIGH:
453 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
454 			      L2CAP_LM_SECURE;
455 			break;
456 		case BT_SECURITY_FIPS:
457 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
458 			      L2CAP_LM_SECURE | L2CAP_LM_FIPS;
459 			break;
460 		default:
461 			opt = 0;
462 			break;
463 		}
464 
465 		if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
466 			opt |= L2CAP_LM_MASTER;
467 
468 		if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
469 			opt |= L2CAP_LM_RELIABLE;
470 
471 		if (put_user(opt, (u32 __user *) optval))
472 			err = -EFAULT;
473 
474 		break;
475 
476 	case L2CAP_CONNINFO:
477 		if (sk->sk_state != BT_CONNECTED &&
478 		    !(sk->sk_state == BT_CONNECT2 &&
479 		      test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
480 			err = -ENOTCONN;
481 			break;
482 		}
483 
484 		memset(&cinfo, 0, sizeof(cinfo));
485 		cinfo.hci_handle = chan->conn->hcon->handle;
486 		memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
487 
488 		len = min_t(unsigned int, len, sizeof(cinfo));
489 		if (copy_to_user(optval, (char *) &cinfo, len))
490 			err = -EFAULT;
491 
492 		break;
493 
494 	default:
495 		err = -ENOPROTOOPT;
496 		break;
497 	}
498 
499 	release_sock(sk);
500 	return err;
501 }
502 
503 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
504 				 char __user *optval, int __user *optlen)
505 {
506 	struct sock *sk = sock->sk;
507 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
508 	struct bt_security sec;
509 	struct bt_power pwr;
510 	u32 phys;
511 	int len, err = 0;
512 
513 	BT_DBG("sk %p", sk);
514 
515 	if (level == SOL_L2CAP)
516 		return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
517 
518 	if (level != SOL_BLUETOOTH)
519 		return -ENOPROTOOPT;
520 
521 	if (get_user(len, optlen))
522 		return -EFAULT;
523 
524 	lock_sock(sk);
525 
526 	switch (optname) {
527 	case BT_SECURITY:
528 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
529 		    chan->chan_type != L2CAP_CHAN_FIXED &&
530 		    chan->chan_type != L2CAP_CHAN_RAW) {
531 			err = -EINVAL;
532 			break;
533 		}
534 
535 		memset(&sec, 0, sizeof(sec));
536 		if (chan->conn) {
537 			sec.level = chan->conn->hcon->sec_level;
538 
539 			if (sk->sk_state == BT_CONNECTED)
540 				sec.key_size = chan->conn->hcon->enc_key_size;
541 		} else {
542 			sec.level = chan->sec_level;
543 		}
544 
545 		len = min_t(unsigned int, len, sizeof(sec));
546 		if (copy_to_user(optval, (char *) &sec, len))
547 			err = -EFAULT;
548 
549 		break;
550 
551 	case BT_DEFER_SETUP:
552 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
553 			err = -EINVAL;
554 			break;
555 		}
556 
557 		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
558 			     (u32 __user *) optval))
559 			err = -EFAULT;
560 
561 		break;
562 
563 	case BT_FLUSHABLE:
564 		if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
565 			     (u32 __user *) optval))
566 			err = -EFAULT;
567 
568 		break;
569 
570 	case BT_POWER:
571 		if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
572 		    && sk->sk_type != SOCK_RAW) {
573 			err = -EINVAL;
574 			break;
575 		}
576 
577 		pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
578 
579 		len = min_t(unsigned int, len, sizeof(pwr));
580 		if (copy_to_user(optval, (char *) &pwr, len))
581 			err = -EFAULT;
582 
583 		break;
584 
585 	case BT_CHANNEL_POLICY:
586 		if (put_user(chan->chan_policy, (u32 __user *) optval))
587 			err = -EFAULT;
588 		break;
589 
590 	case BT_SNDMTU:
591 		if (!bdaddr_type_is_le(chan->src_type)) {
592 			err = -EINVAL;
593 			break;
594 		}
595 
596 		if (sk->sk_state != BT_CONNECTED) {
597 			err = -ENOTCONN;
598 			break;
599 		}
600 
601 		if (put_user(chan->omtu, (u16 __user *) optval))
602 			err = -EFAULT;
603 		break;
604 
605 	case BT_RCVMTU:
606 		if (!bdaddr_type_is_le(chan->src_type)) {
607 			err = -EINVAL;
608 			break;
609 		}
610 
611 		if (put_user(chan->imtu, (u16 __user *) optval))
612 			err = -EFAULT;
613 		break;
614 
615 	case BT_PHY:
616 		if (sk->sk_state != BT_CONNECTED) {
617 			err = -ENOTCONN;
618 			break;
619 		}
620 
621 		phys = hci_conn_get_phy(chan->conn->hcon);
622 
623 		if (put_user(phys, (u32 __user *) optval))
624 			err = -EFAULT;
625 		break;
626 
627 	default:
628 		err = -ENOPROTOOPT;
629 		break;
630 	}
631 
632 	release_sock(sk);
633 	return err;
634 }
635 
636 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
637 {
638 	switch (chan->scid) {
639 	case L2CAP_CID_ATT:
640 		if (mtu < L2CAP_LE_MIN_MTU)
641 			return false;
642 		break;
643 
644 	default:
645 		if (mtu < L2CAP_DEFAULT_MIN_MTU)
646 			return false;
647 	}
648 
649 	return true;
650 }
651 
652 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
653 				     char __user *optval, unsigned int optlen)
654 {
655 	struct sock *sk = sock->sk;
656 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
657 	struct l2cap_options opts;
658 	int len, err = 0;
659 	u32 opt;
660 
661 	BT_DBG("sk %p", sk);
662 
663 	lock_sock(sk);
664 
665 	switch (optname) {
666 	case L2CAP_OPTIONS:
667 		if (bdaddr_type_is_le(chan->src_type)) {
668 			err = -EINVAL;
669 			break;
670 		}
671 
672 		if (sk->sk_state == BT_CONNECTED) {
673 			err = -EINVAL;
674 			break;
675 		}
676 
677 		opts.imtu     = chan->imtu;
678 		opts.omtu     = chan->omtu;
679 		opts.flush_to = chan->flush_to;
680 		opts.mode     = chan->mode;
681 		opts.fcs      = chan->fcs;
682 		opts.max_tx   = chan->max_tx;
683 		opts.txwin_size = chan->tx_win;
684 
685 		len = min_t(unsigned int, sizeof(opts), optlen);
686 		if (copy_from_user((char *) &opts, optval, len)) {
687 			err = -EFAULT;
688 			break;
689 		}
690 
691 		if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
692 			err = -EINVAL;
693 			break;
694 		}
695 
696 		if (!l2cap_valid_mtu(chan, opts.imtu)) {
697 			err = -EINVAL;
698 			break;
699 		}
700 
701 		chan->mode = opts.mode;
702 		switch (chan->mode) {
703 		case L2CAP_MODE_LE_FLOWCTL:
704 			break;
705 		case L2CAP_MODE_BASIC:
706 			clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
707 			break;
708 		case L2CAP_MODE_ERTM:
709 		case L2CAP_MODE_STREAMING:
710 			if (!disable_ertm)
711 				break;
712 			/* fall through */
713 		default:
714 			err = -EINVAL;
715 			break;
716 		}
717 
718 		BT_DBG("mode 0x%2.2x", chan->mode);
719 
720 		chan->imtu = opts.imtu;
721 		chan->omtu = opts.omtu;
722 		chan->fcs  = opts.fcs;
723 		chan->max_tx = opts.max_tx;
724 		chan->tx_win = opts.txwin_size;
725 		chan->flush_to = opts.flush_to;
726 		break;
727 
728 	case L2CAP_LM:
729 		if (get_user(opt, (u32 __user *) optval)) {
730 			err = -EFAULT;
731 			break;
732 		}
733 
734 		if (opt & L2CAP_LM_FIPS) {
735 			err = -EINVAL;
736 			break;
737 		}
738 
739 		if (opt & L2CAP_LM_AUTH)
740 			chan->sec_level = BT_SECURITY_LOW;
741 		if (opt & L2CAP_LM_ENCRYPT)
742 			chan->sec_level = BT_SECURITY_MEDIUM;
743 		if (opt & L2CAP_LM_SECURE)
744 			chan->sec_level = BT_SECURITY_HIGH;
745 
746 		if (opt & L2CAP_LM_MASTER)
747 			set_bit(FLAG_ROLE_SWITCH, &chan->flags);
748 		else
749 			clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
750 
751 		if (opt & L2CAP_LM_RELIABLE)
752 			set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
753 		else
754 			clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
755 		break;
756 
757 	default:
758 		err = -ENOPROTOOPT;
759 		break;
760 	}
761 
762 	release_sock(sk);
763 	return err;
764 }
765 
766 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
767 				 char __user *optval, unsigned int optlen)
768 {
769 	struct sock *sk = sock->sk;
770 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
771 	struct bt_security sec;
772 	struct bt_power pwr;
773 	struct l2cap_conn *conn;
774 	int len, err = 0;
775 	u32 opt;
776 
777 	BT_DBG("sk %p", sk);
778 
779 	if (level == SOL_L2CAP)
780 		return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
781 
782 	if (level != SOL_BLUETOOTH)
783 		return -ENOPROTOOPT;
784 
785 	lock_sock(sk);
786 
787 	switch (optname) {
788 	case BT_SECURITY:
789 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
790 		    chan->chan_type != L2CAP_CHAN_FIXED &&
791 		    chan->chan_type != L2CAP_CHAN_RAW) {
792 			err = -EINVAL;
793 			break;
794 		}
795 
796 		sec.level = BT_SECURITY_LOW;
797 
798 		len = min_t(unsigned int, sizeof(sec), optlen);
799 		if (copy_from_user((char *) &sec, optval, len)) {
800 			err = -EFAULT;
801 			break;
802 		}
803 
804 		if (sec.level < BT_SECURITY_LOW ||
805 		    sec.level > BT_SECURITY_FIPS) {
806 			err = -EINVAL;
807 			break;
808 		}
809 
810 		chan->sec_level = sec.level;
811 
812 		if (!chan->conn)
813 			break;
814 
815 		conn = chan->conn;
816 
817 		/* change security for LE channels */
818 		if (chan->scid == L2CAP_CID_ATT) {
819 			if (smp_conn_security(conn->hcon, sec.level)) {
820 				err = -EINVAL;
821 				break;
822 			}
823 
824 			set_bit(FLAG_PENDING_SECURITY, &chan->flags);
825 			sk->sk_state = BT_CONFIG;
826 			chan->state = BT_CONFIG;
827 
828 		/* or for ACL link */
829 		} else if ((sk->sk_state == BT_CONNECT2 &&
830 			    test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
831 			   sk->sk_state == BT_CONNECTED) {
832 			if (!l2cap_chan_check_security(chan, true))
833 				set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
834 			else
835 				sk->sk_state_change(sk);
836 		} else {
837 			err = -EINVAL;
838 		}
839 		break;
840 
841 	case BT_DEFER_SETUP:
842 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
843 			err = -EINVAL;
844 			break;
845 		}
846 
847 		if (get_user(opt, (u32 __user *) optval)) {
848 			err = -EFAULT;
849 			break;
850 		}
851 
852 		if (opt) {
853 			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
854 			set_bit(FLAG_DEFER_SETUP, &chan->flags);
855 		} else {
856 			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
857 			clear_bit(FLAG_DEFER_SETUP, &chan->flags);
858 		}
859 		break;
860 
861 	case BT_FLUSHABLE:
862 		if (get_user(opt, (u32 __user *) optval)) {
863 			err = -EFAULT;
864 			break;
865 		}
866 
867 		if (opt > BT_FLUSHABLE_ON) {
868 			err = -EINVAL;
869 			break;
870 		}
871 
872 		if (opt == BT_FLUSHABLE_OFF) {
873 			conn = chan->conn;
874 			/* proceed further only when we have l2cap_conn and
875 			   No Flush support in the LM */
876 			if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
877 				err = -EINVAL;
878 				break;
879 			}
880 		}
881 
882 		if (opt)
883 			set_bit(FLAG_FLUSHABLE, &chan->flags);
884 		else
885 			clear_bit(FLAG_FLUSHABLE, &chan->flags);
886 		break;
887 
888 	case BT_POWER:
889 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
890 		    chan->chan_type != L2CAP_CHAN_RAW) {
891 			err = -EINVAL;
892 			break;
893 		}
894 
895 		pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
896 
897 		len = min_t(unsigned int, sizeof(pwr), optlen);
898 		if (copy_from_user((char *) &pwr, optval, len)) {
899 			err = -EFAULT;
900 			break;
901 		}
902 
903 		if (pwr.force_active)
904 			set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
905 		else
906 			clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
907 		break;
908 
909 	case BT_CHANNEL_POLICY:
910 		if (get_user(opt, (u32 __user *) optval)) {
911 			err = -EFAULT;
912 			break;
913 		}
914 
915 		if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
916 			err = -EINVAL;
917 			break;
918 		}
919 
920 		if (chan->mode != L2CAP_MODE_ERTM &&
921 		    chan->mode != L2CAP_MODE_STREAMING) {
922 			err = -EOPNOTSUPP;
923 			break;
924 		}
925 
926 		chan->chan_policy = (u8) opt;
927 
928 		if (sk->sk_state == BT_CONNECTED &&
929 		    chan->move_role == L2CAP_MOVE_ROLE_NONE)
930 			l2cap_move_start(chan);
931 
932 		break;
933 
934 	case BT_SNDMTU:
935 		if (!bdaddr_type_is_le(chan->src_type)) {
936 			err = -EINVAL;
937 			break;
938 		}
939 
940 		/* Setting is not supported as it's the remote side that
941 		 * decides this.
942 		 */
943 		err = -EPERM;
944 		break;
945 
946 	case BT_RCVMTU:
947 		if (!bdaddr_type_is_le(chan->src_type)) {
948 			err = -EINVAL;
949 			break;
950 		}
951 
952 		if (chan->mode == L2CAP_MODE_LE_FLOWCTL &&
953 		    sk->sk_state == BT_CONNECTED) {
954 			err = -EISCONN;
955 			break;
956 		}
957 
958 		if (get_user(opt, (u16 __user *) optval)) {
959 			err = -EFAULT;
960 			break;
961 		}
962 
963 		if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
964 		    sk->sk_state == BT_CONNECTED)
965 			err = l2cap_chan_reconfigure(chan, opt);
966 		else
967 			chan->imtu = opt;
968 
969 		break;
970 
971 	default:
972 		err = -ENOPROTOOPT;
973 		break;
974 	}
975 
976 	release_sock(sk);
977 	return err;
978 }
979 
980 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
981 			      size_t len)
982 {
983 	struct sock *sk = sock->sk;
984 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
985 	int err;
986 
987 	BT_DBG("sock %p, sk %p", sock, sk);
988 
989 	err = sock_error(sk);
990 	if (err)
991 		return err;
992 
993 	if (msg->msg_flags & MSG_OOB)
994 		return -EOPNOTSUPP;
995 
996 	if (sk->sk_state != BT_CONNECTED)
997 		return -ENOTCONN;
998 
999 	lock_sock(sk);
1000 	err = bt_sock_wait_ready(sk, msg->msg_flags);
1001 	release_sock(sk);
1002 	if (err)
1003 		return err;
1004 
1005 	l2cap_chan_lock(chan);
1006 	err = l2cap_chan_send(chan, msg, len);
1007 	l2cap_chan_unlock(chan);
1008 
1009 	return err;
1010 }
1011 
1012 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1013 			      size_t len, int flags)
1014 {
1015 	struct sock *sk = sock->sk;
1016 	struct l2cap_pinfo *pi = l2cap_pi(sk);
1017 	int err;
1018 
1019 	lock_sock(sk);
1020 
1021 	if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
1022 						    &bt_sk(sk)->flags)) {
1023 		if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
1024 			sk->sk_state = BT_CONNECTED;
1025 			pi->chan->state = BT_CONNECTED;
1026 			__l2cap_ecred_conn_rsp_defer(pi->chan);
1027 		} else if (bdaddr_type_is_le(pi->chan->src_type)) {
1028 			sk->sk_state = BT_CONNECTED;
1029 			pi->chan->state = BT_CONNECTED;
1030 			__l2cap_le_connect_rsp_defer(pi->chan);
1031 		} else {
1032 			sk->sk_state = BT_CONFIG;
1033 			pi->chan->state = BT_CONFIG;
1034 			__l2cap_connect_rsp_defer(pi->chan);
1035 		}
1036 
1037 		err = 0;
1038 		goto done;
1039 	}
1040 
1041 	release_sock(sk);
1042 
1043 	if (sock->type == SOCK_STREAM)
1044 		err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1045 	else
1046 		err = bt_sock_recvmsg(sock, msg, len, flags);
1047 
1048 	if (pi->chan->mode != L2CAP_MODE_ERTM)
1049 		return err;
1050 
1051 	/* Attempt to put pending rx data in the socket buffer */
1052 
1053 	lock_sock(sk);
1054 
1055 	if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1056 		goto done;
1057 
1058 	if (pi->rx_busy_skb) {
1059 		if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1060 			pi->rx_busy_skb = NULL;
1061 		else
1062 			goto done;
1063 	}
1064 
1065 	/* Restore data flow when half of the receive buffer is
1066 	 * available.  This avoids resending large numbers of
1067 	 * frames.
1068 	 */
1069 	if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1070 		l2cap_chan_busy(pi->chan, 0);
1071 
1072 done:
1073 	release_sock(sk);
1074 	return err;
1075 }
1076 
1077 /* Kill socket (only if zapped and orphan)
1078  * Must be called on unlocked socket, with l2cap channel lock.
1079  */
1080 static void l2cap_sock_kill(struct sock *sk)
1081 {
1082 	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1083 		return;
1084 
1085 	BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1086 
1087 	/* Kill poor orphan */
1088 
1089 	l2cap_chan_put(l2cap_pi(sk)->chan);
1090 	sock_set_flag(sk, SOCK_DEAD);
1091 	sock_put(sk);
1092 }
1093 
1094 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1095 {
1096 	DECLARE_WAITQUEUE(wait, current);
1097 	int err = 0;
1098 	int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1099 	/* Timeout to prevent infinite loop */
1100 	unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1101 
1102 	add_wait_queue(sk_sleep(sk), &wait);
1103 	set_current_state(TASK_INTERRUPTIBLE);
1104 	do {
1105 		BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1106 		       chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1107 		       jiffies_to_msecs(timeout - jiffies));
1108 
1109 		if (!timeo)
1110 			timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1111 
1112 		if (signal_pending(current)) {
1113 			err = sock_intr_errno(timeo);
1114 			break;
1115 		}
1116 
1117 		release_sock(sk);
1118 		timeo = schedule_timeout(timeo);
1119 		lock_sock(sk);
1120 		set_current_state(TASK_INTERRUPTIBLE);
1121 
1122 		err = sock_error(sk);
1123 		if (err)
1124 			break;
1125 
1126 		if (time_after(jiffies, timeout)) {
1127 			err = -ENOLINK;
1128 			break;
1129 		}
1130 
1131 	} while (chan->unacked_frames > 0 &&
1132 		 chan->state == BT_CONNECTED);
1133 
1134 	set_current_state(TASK_RUNNING);
1135 	remove_wait_queue(sk_sleep(sk), &wait);
1136 	return err;
1137 }
1138 
1139 static int l2cap_sock_shutdown(struct socket *sock, int how)
1140 {
1141 	struct sock *sk = sock->sk;
1142 	struct l2cap_chan *chan;
1143 	struct l2cap_conn *conn;
1144 	int err = 0;
1145 
1146 	BT_DBG("sock %p, sk %p", sock, sk);
1147 
1148 	if (!sk)
1149 		return 0;
1150 
1151 	lock_sock(sk);
1152 
1153 	if (sk->sk_shutdown)
1154 		goto shutdown_already;
1155 
1156 	BT_DBG("Handling sock shutdown");
1157 
1158 	/* prevent sk structure from being freed whilst unlocked */
1159 	sock_hold(sk);
1160 
1161 	chan = l2cap_pi(sk)->chan;
1162 	/* prevent chan structure from being freed whilst unlocked */
1163 	l2cap_chan_hold(chan);
1164 
1165 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1166 
1167 	if (chan->mode == L2CAP_MODE_ERTM &&
1168 	    chan->unacked_frames > 0 &&
1169 	    chan->state == BT_CONNECTED) {
1170 		err = __l2cap_wait_ack(sk, chan);
1171 
1172 		/* After waiting for ACKs, check whether shutdown
1173 		 * has already been actioned to close the L2CAP
1174 		 * link such as by l2cap_disconnection_req().
1175 		 */
1176 		if (sk->sk_shutdown)
1177 			goto has_shutdown;
1178 	}
1179 
1180 	sk->sk_shutdown = SHUTDOWN_MASK;
1181 	release_sock(sk);
1182 
1183 	l2cap_chan_lock(chan);
1184 	conn = chan->conn;
1185 	if (conn)
1186 		/* prevent conn structure from being freed */
1187 		l2cap_conn_get(conn);
1188 	l2cap_chan_unlock(chan);
1189 
1190 	if (conn)
1191 		/* mutex lock must be taken before l2cap_chan_lock() */
1192 		mutex_lock(&conn->chan_lock);
1193 
1194 	l2cap_chan_lock(chan);
1195 	l2cap_chan_close(chan, 0);
1196 	l2cap_chan_unlock(chan);
1197 
1198 	if (conn) {
1199 		mutex_unlock(&conn->chan_lock);
1200 		l2cap_conn_put(conn);
1201 	}
1202 
1203 	lock_sock(sk);
1204 
1205 	if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1206 	    !(current->flags & PF_EXITING))
1207 		err = bt_sock_wait_state(sk, BT_CLOSED,
1208 					 sk->sk_lingertime);
1209 
1210 has_shutdown:
1211 	l2cap_chan_put(chan);
1212 	sock_put(sk);
1213 
1214 shutdown_already:
1215 	if (!err && sk->sk_err)
1216 		err = -sk->sk_err;
1217 
1218 	release_sock(sk);
1219 
1220 	BT_DBG("Sock shutdown complete err: %d", err);
1221 
1222 	return err;
1223 }
1224 
1225 static int l2cap_sock_release(struct socket *sock)
1226 {
1227 	struct sock *sk = sock->sk;
1228 	int err;
1229 	struct l2cap_chan *chan;
1230 
1231 	BT_DBG("sock %p, sk %p", sock, sk);
1232 
1233 	if (!sk)
1234 		return 0;
1235 
1236 	bt_sock_unlink(&l2cap_sk_list, sk);
1237 
1238 	err = l2cap_sock_shutdown(sock, 2);
1239 	chan = l2cap_pi(sk)->chan;
1240 
1241 	l2cap_chan_hold(chan);
1242 	l2cap_chan_lock(chan);
1243 
1244 	sock_orphan(sk);
1245 	l2cap_sock_kill(sk);
1246 
1247 	l2cap_chan_unlock(chan);
1248 	l2cap_chan_put(chan);
1249 
1250 	return err;
1251 }
1252 
1253 static void l2cap_sock_cleanup_listen(struct sock *parent)
1254 {
1255 	struct sock *sk;
1256 
1257 	BT_DBG("parent %p state %s", parent,
1258 	       state_to_string(parent->sk_state));
1259 
1260 	/* Close not yet accepted channels */
1261 	while ((sk = bt_accept_dequeue(parent, NULL))) {
1262 		struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1263 
1264 		BT_DBG("child chan %p state %s", chan,
1265 		       state_to_string(chan->state));
1266 
1267 		l2cap_chan_hold(chan);
1268 		l2cap_chan_lock(chan);
1269 
1270 		__clear_chan_timer(chan);
1271 		l2cap_chan_close(chan, ECONNRESET);
1272 		l2cap_sock_kill(sk);
1273 
1274 		l2cap_chan_unlock(chan);
1275 		l2cap_chan_put(chan);
1276 	}
1277 }
1278 
1279 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1280 {
1281 	struct sock *sk, *parent = chan->data;
1282 
1283 	lock_sock(parent);
1284 
1285 	/* Check for backlog size */
1286 	if (sk_acceptq_is_full(parent)) {
1287 		BT_DBG("backlog full %d", parent->sk_ack_backlog);
1288 		release_sock(parent);
1289 		return NULL;
1290 	}
1291 
1292 	sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1293 			      GFP_ATOMIC, 0);
1294 	if (!sk) {
1295 		release_sock(parent);
1296 		return NULL;
1297         }
1298 
1299 	bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1300 
1301 	l2cap_sock_init(sk, parent);
1302 
1303 	bt_accept_enqueue(parent, sk, false);
1304 
1305 	release_sock(parent);
1306 
1307 	return l2cap_pi(sk)->chan;
1308 }
1309 
1310 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1311 {
1312 	struct sock *sk = chan->data;
1313 	int err;
1314 
1315 	lock_sock(sk);
1316 
1317 	if (l2cap_pi(sk)->rx_busy_skb) {
1318 		err = -ENOMEM;
1319 		goto done;
1320 	}
1321 
1322 	if (chan->mode != L2CAP_MODE_ERTM &&
1323 	    chan->mode != L2CAP_MODE_STREAMING) {
1324 		/* Even if no filter is attached, we could potentially
1325 		 * get errors from security modules, etc.
1326 		 */
1327 		err = sk_filter(sk, skb);
1328 		if (err)
1329 			goto done;
1330 	}
1331 
1332 	err = __sock_queue_rcv_skb(sk, skb);
1333 
1334 	/* For ERTM, handle one skb that doesn't fit into the recv
1335 	 * buffer.  This is important to do because the data frames
1336 	 * have already been acked, so the skb cannot be discarded.
1337 	 *
1338 	 * Notify the l2cap core that the buffer is full, so the
1339 	 * LOCAL_BUSY state is entered and no more frames are
1340 	 * acked and reassembled until there is buffer space
1341 	 * available.
1342 	 */
1343 	if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1344 		l2cap_pi(sk)->rx_busy_skb = skb;
1345 		l2cap_chan_busy(chan, 1);
1346 		err = 0;
1347 	}
1348 
1349 done:
1350 	release_sock(sk);
1351 
1352 	return err;
1353 }
1354 
1355 static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1356 {
1357 	struct sock *sk = chan->data;
1358 
1359 	l2cap_sock_kill(sk);
1360 }
1361 
1362 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1363 {
1364 	struct sock *sk = chan->data;
1365 	struct sock *parent;
1366 
1367 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1368 
1369 	/* This callback can be called both for server (BT_LISTEN)
1370 	 * sockets as well as "normal" ones. To avoid lockdep warnings
1371 	 * with child socket locking (through l2cap_sock_cleanup_listen)
1372 	 * we need separation into separate nesting levels. The simplest
1373 	 * way to accomplish this is to inherit the nesting level used
1374 	 * for the channel.
1375 	 */
1376 	lock_sock_nested(sk, atomic_read(&chan->nesting));
1377 
1378 	parent = bt_sk(sk)->parent;
1379 
1380 	sock_set_flag(sk, SOCK_ZAPPED);
1381 
1382 	switch (chan->state) {
1383 	case BT_OPEN:
1384 	case BT_BOUND:
1385 	case BT_CLOSED:
1386 		break;
1387 	case BT_LISTEN:
1388 		l2cap_sock_cleanup_listen(sk);
1389 		sk->sk_state = BT_CLOSED;
1390 		chan->state = BT_CLOSED;
1391 
1392 		break;
1393 	default:
1394 		sk->sk_state = BT_CLOSED;
1395 		chan->state = BT_CLOSED;
1396 
1397 		sk->sk_err = err;
1398 
1399 		if (parent) {
1400 			bt_accept_unlink(sk);
1401 			parent->sk_data_ready(parent);
1402 		} else {
1403 			sk->sk_state_change(sk);
1404 		}
1405 
1406 		break;
1407 	}
1408 
1409 	release_sock(sk);
1410 }
1411 
1412 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1413 				       int err)
1414 {
1415 	struct sock *sk = chan->data;
1416 
1417 	sk->sk_state = state;
1418 
1419 	if (err)
1420 		sk->sk_err = err;
1421 }
1422 
1423 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1424 					       unsigned long hdr_len,
1425 					       unsigned long len, int nb)
1426 {
1427 	struct sock *sk = chan->data;
1428 	struct sk_buff *skb;
1429 	int err;
1430 
1431 	l2cap_chan_unlock(chan);
1432 	skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1433 	l2cap_chan_lock(chan);
1434 
1435 	if (!skb)
1436 		return ERR_PTR(err);
1437 
1438 	skb->priority = sk->sk_priority;
1439 
1440 	bt_cb(skb)->l2cap.chan = chan;
1441 
1442 	return skb;
1443 }
1444 
1445 static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1446 {
1447 	struct sock *sk = chan->data;
1448 	struct sock *parent;
1449 
1450 	lock_sock(sk);
1451 
1452 	parent = bt_sk(sk)->parent;
1453 
1454 	BT_DBG("sk %p, parent %p", sk, parent);
1455 
1456 	sk->sk_state = BT_CONNECTED;
1457 	sk->sk_state_change(sk);
1458 
1459 	if (parent)
1460 		parent->sk_data_ready(parent);
1461 
1462 	release_sock(sk);
1463 }
1464 
1465 static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1466 {
1467 	struct sock *parent, *sk = chan->data;
1468 
1469 	lock_sock(sk);
1470 
1471 	parent = bt_sk(sk)->parent;
1472 	if (parent)
1473 		parent->sk_data_ready(parent);
1474 
1475 	release_sock(sk);
1476 }
1477 
1478 static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1479 {
1480 	struct sock *sk = chan->data;
1481 
1482 	if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1483 		sk->sk_state = BT_CONNECTED;
1484 		chan->state = BT_CONNECTED;
1485 	}
1486 
1487 	clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1488 	sk->sk_state_change(sk);
1489 }
1490 
1491 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1492 {
1493 	struct sock *sk = chan->data;
1494 
1495 	lock_sock(sk);
1496 	sk->sk_shutdown = SHUTDOWN_MASK;
1497 	release_sock(sk);
1498 }
1499 
1500 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1501 {
1502 	struct sock *sk = chan->data;
1503 
1504 	return sk->sk_sndtimeo;
1505 }
1506 
1507 static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan)
1508 {
1509 	struct sock *sk = chan->data;
1510 
1511 	return sk->sk_peer_pid;
1512 }
1513 
1514 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1515 {
1516 	struct sock *sk = chan->data;
1517 
1518 	set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1519 	sk->sk_state_change(sk);
1520 }
1521 
1522 static const struct l2cap_ops l2cap_chan_ops = {
1523 	.name			= "L2CAP Socket Interface",
1524 	.new_connection		= l2cap_sock_new_connection_cb,
1525 	.recv			= l2cap_sock_recv_cb,
1526 	.close			= l2cap_sock_close_cb,
1527 	.teardown		= l2cap_sock_teardown_cb,
1528 	.state_change		= l2cap_sock_state_change_cb,
1529 	.ready			= l2cap_sock_ready_cb,
1530 	.defer			= l2cap_sock_defer_cb,
1531 	.resume			= l2cap_sock_resume_cb,
1532 	.suspend		= l2cap_sock_suspend_cb,
1533 	.set_shutdown		= l2cap_sock_set_shutdown_cb,
1534 	.get_sndtimeo		= l2cap_sock_get_sndtimeo_cb,
1535 	.get_peer_pid		= l2cap_sock_get_peer_pid_cb,
1536 	.alloc_skb		= l2cap_sock_alloc_skb_cb,
1537 };
1538 
1539 static void l2cap_sock_destruct(struct sock *sk)
1540 {
1541 	BT_DBG("sk %p", sk);
1542 
1543 	if (l2cap_pi(sk)->chan)
1544 		l2cap_chan_put(l2cap_pi(sk)->chan);
1545 
1546 	if (l2cap_pi(sk)->rx_busy_skb) {
1547 		kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1548 		l2cap_pi(sk)->rx_busy_skb = NULL;
1549 	}
1550 
1551 	skb_queue_purge(&sk->sk_receive_queue);
1552 	skb_queue_purge(&sk->sk_write_queue);
1553 }
1554 
1555 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1556 			       int *msg_namelen)
1557 {
1558 	DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1559 
1560 	memset(la, 0, sizeof(struct sockaddr_l2));
1561 	la->l2_family = AF_BLUETOOTH;
1562 	la->l2_psm = bt_cb(skb)->l2cap.psm;
1563 	bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1564 
1565 	*msg_namelen = sizeof(struct sockaddr_l2);
1566 }
1567 
1568 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1569 {
1570 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1571 
1572 	BT_DBG("sk %p", sk);
1573 
1574 	if (parent) {
1575 		struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1576 
1577 		sk->sk_type = parent->sk_type;
1578 		bt_sk(sk)->flags = bt_sk(parent)->flags;
1579 
1580 		chan->chan_type = pchan->chan_type;
1581 		chan->imtu = pchan->imtu;
1582 		chan->omtu = pchan->omtu;
1583 		chan->conf_state = pchan->conf_state;
1584 		chan->mode = pchan->mode;
1585 		chan->fcs  = pchan->fcs;
1586 		chan->max_tx = pchan->max_tx;
1587 		chan->tx_win = pchan->tx_win;
1588 		chan->tx_win_max = pchan->tx_win_max;
1589 		chan->sec_level = pchan->sec_level;
1590 		chan->flags = pchan->flags;
1591 		chan->tx_credits = pchan->tx_credits;
1592 		chan->rx_credits = pchan->rx_credits;
1593 
1594 		if (chan->chan_type == L2CAP_CHAN_FIXED) {
1595 			chan->scid = pchan->scid;
1596 			chan->dcid = pchan->scid;
1597 		}
1598 
1599 		security_sk_clone(parent, sk);
1600 	} else {
1601 		switch (sk->sk_type) {
1602 		case SOCK_RAW:
1603 			chan->chan_type = L2CAP_CHAN_RAW;
1604 			break;
1605 		case SOCK_DGRAM:
1606 			chan->chan_type = L2CAP_CHAN_CONN_LESS;
1607 			bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1608 			break;
1609 		case SOCK_SEQPACKET:
1610 		case SOCK_STREAM:
1611 			chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1612 			break;
1613 		}
1614 
1615 		chan->imtu = L2CAP_DEFAULT_MTU;
1616 		chan->omtu = 0;
1617 		if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1618 			chan->mode = L2CAP_MODE_ERTM;
1619 			set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1620 		} else {
1621 			chan->mode = L2CAP_MODE_BASIC;
1622 		}
1623 
1624 		l2cap_chan_set_defaults(chan);
1625 	}
1626 
1627 	/* Default config options */
1628 	chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1629 
1630 	chan->data = sk;
1631 	chan->ops = &l2cap_chan_ops;
1632 }
1633 
1634 static struct proto l2cap_proto = {
1635 	.name		= "L2CAP",
1636 	.owner		= THIS_MODULE,
1637 	.obj_size	= sizeof(struct l2cap_pinfo)
1638 };
1639 
1640 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1641 				     int proto, gfp_t prio, int kern)
1642 {
1643 	struct sock *sk;
1644 	struct l2cap_chan *chan;
1645 
1646 	sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern);
1647 	if (!sk)
1648 		return NULL;
1649 
1650 	sock_init_data(sock, sk);
1651 	INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1652 
1653 	sk->sk_destruct = l2cap_sock_destruct;
1654 	sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1655 
1656 	sock_reset_flag(sk, SOCK_ZAPPED);
1657 
1658 	sk->sk_protocol = proto;
1659 	sk->sk_state = BT_OPEN;
1660 
1661 	chan = l2cap_chan_create();
1662 	if (!chan) {
1663 		sk_free(sk);
1664 		return NULL;
1665 	}
1666 
1667 	l2cap_chan_hold(chan);
1668 
1669 	l2cap_pi(sk)->chan = chan;
1670 
1671 	return sk;
1672 }
1673 
1674 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1675 			     int kern)
1676 {
1677 	struct sock *sk;
1678 
1679 	BT_DBG("sock %p", sock);
1680 
1681 	sock->state = SS_UNCONNECTED;
1682 
1683 	if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1684 	    sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1685 		return -ESOCKTNOSUPPORT;
1686 
1687 	if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1688 		return -EPERM;
1689 
1690 	sock->ops = &l2cap_sock_ops;
1691 
1692 	sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1693 	if (!sk)
1694 		return -ENOMEM;
1695 
1696 	l2cap_sock_init(sk, NULL);
1697 	bt_sock_link(&l2cap_sk_list, sk);
1698 	return 0;
1699 }
1700 
1701 static const struct proto_ops l2cap_sock_ops = {
1702 	.family		= PF_BLUETOOTH,
1703 	.owner		= THIS_MODULE,
1704 	.release	= l2cap_sock_release,
1705 	.bind		= l2cap_sock_bind,
1706 	.connect	= l2cap_sock_connect,
1707 	.listen		= l2cap_sock_listen,
1708 	.accept		= l2cap_sock_accept,
1709 	.getname	= l2cap_sock_getname,
1710 	.sendmsg	= l2cap_sock_sendmsg,
1711 	.recvmsg	= l2cap_sock_recvmsg,
1712 	.poll		= bt_sock_poll,
1713 	.ioctl		= bt_sock_ioctl,
1714 	.gettstamp	= sock_gettstamp,
1715 	.mmap		= sock_no_mmap,
1716 	.socketpair	= sock_no_socketpair,
1717 	.shutdown	= l2cap_sock_shutdown,
1718 	.setsockopt	= l2cap_sock_setsockopt,
1719 	.getsockopt	= l2cap_sock_getsockopt
1720 };
1721 
1722 static const struct net_proto_family l2cap_sock_family_ops = {
1723 	.family	= PF_BLUETOOTH,
1724 	.owner	= THIS_MODULE,
1725 	.create	= l2cap_sock_create,
1726 };
1727 
1728 int __init l2cap_init_sockets(void)
1729 {
1730 	int err;
1731 
1732 	BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1733 
1734 	err = proto_register(&l2cap_proto, 0);
1735 	if (err < 0)
1736 		return err;
1737 
1738 	err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1739 	if (err < 0) {
1740 		BT_ERR("L2CAP socket registration failed");
1741 		goto error;
1742 	}
1743 
1744 	err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1745 			     NULL);
1746 	if (err < 0) {
1747 		BT_ERR("Failed to create L2CAP proc file");
1748 		bt_sock_unregister(BTPROTO_L2CAP);
1749 		goto error;
1750 	}
1751 
1752 	BT_INFO("L2CAP socket layer initialized");
1753 
1754 	return 0;
1755 
1756 error:
1757 	proto_unregister(&l2cap_proto);
1758 	return err;
1759 }
1760 
1761 void l2cap_cleanup_sockets(void)
1762 {
1763 	bt_procfs_cleanup(&init_net, "l2cap");
1764 	bt_sock_unregister(BTPROTO_L2CAP);
1765 	proto_unregister(&l2cap_proto);
1766 }
1767