xref: /openbmc/linux/net/bluetooth/l2cap_sock.c (revision 18afb028)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4    Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5    Copyright (C) 2010 Google Inc.
6    Copyright (C) 2011 ProFUSION Embedded Systems
7 
8    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9 
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License version 2 as
12    published by the Free Software Foundation;
13 
14    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22 
23    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25    SOFTWARE IS DISCLAIMED.
26 */
27 
28 /* Bluetooth L2CAP sockets. */
29 
30 #include <linux/module.h>
31 #include <linux/export.h>
32 #include <linux/filter.h>
33 #include <linux/sched/signal.h>
34 
35 #include <net/bluetooth/bluetooth.h>
36 #include <net/bluetooth/hci_core.h>
37 #include <net/bluetooth/l2cap.h>
38 
39 #include "smp.h"
40 
41 static struct bt_sock_list l2cap_sk_list = {
42 	.lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
43 };
44 
45 static const struct proto_ops l2cap_sock_ops;
46 static void l2cap_sock_init(struct sock *sk, struct sock *parent);
47 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
48 				     int proto, gfp_t prio, int kern);
49 static void l2cap_sock_cleanup_listen(struct sock *parent);
50 
51 bool l2cap_is_socket(struct socket *sock)
52 {
53 	return sock && sock->ops == &l2cap_sock_ops;
54 }
55 EXPORT_SYMBOL(l2cap_is_socket);
56 
57 static int l2cap_validate_bredr_psm(u16 psm)
58 {
59 	/* PSM must be odd and lsb of upper byte must be 0 */
60 	if ((psm & 0x0101) != 0x0001)
61 		return -EINVAL;
62 
63 	/* Restrict usage of well-known PSMs */
64 	if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
65 		return -EACCES;
66 
67 	return 0;
68 }
69 
70 static int l2cap_validate_le_psm(u16 psm)
71 {
72 	/* Valid LE_PSM ranges are defined only until 0x00ff */
73 	if (psm > L2CAP_PSM_LE_DYN_END)
74 		return -EINVAL;
75 
76 	/* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
77 	if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
78 		return -EACCES;
79 
80 	return 0;
81 }
82 
83 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
84 {
85 	struct sock *sk = sock->sk;
86 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
87 	struct sockaddr_l2 la;
88 	int len, err = 0;
89 
90 	BT_DBG("sk %p", sk);
91 
92 	if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
93 	    addr->sa_family != AF_BLUETOOTH)
94 		return -EINVAL;
95 
96 	memset(&la, 0, sizeof(la));
97 	len = min_t(unsigned int, sizeof(la), alen);
98 	memcpy(&la, addr, len);
99 
100 	if (la.l2_cid && la.l2_psm)
101 		return -EINVAL;
102 
103 	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
104 		return -EINVAL;
105 
106 	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
107 		/* We only allow ATT user space socket */
108 		if (la.l2_cid &&
109 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
110 			return -EINVAL;
111 	}
112 
113 	lock_sock(sk);
114 
115 	if (sk->sk_state != BT_OPEN) {
116 		err = -EBADFD;
117 		goto done;
118 	}
119 
120 	if (la.l2_psm) {
121 		__u16 psm = __le16_to_cpu(la.l2_psm);
122 
123 		if (la.l2_bdaddr_type == BDADDR_BREDR)
124 			err = l2cap_validate_bredr_psm(psm);
125 		else
126 			err = l2cap_validate_le_psm(psm);
127 
128 		if (err)
129 			goto done;
130 	}
131 
132 	bacpy(&chan->src, &la.l2_bdaddr);
133 	chan->src_type = la.l2_bdaddr_type;
134 
135 	if (la.l2_cid)
136 		err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
137 	else
138 		err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
139 
140 	if (err < 0)
141 		goto done;
142 
143 	switch (chan->chan_type) {
144 	case L2CAP_CHAN_CONN_LESS:
145 		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
146 			chan->sec_level = BT_SECURITY_SDP;
147 		break;
148 	case L2CAP_CHAN_CONN_ORIENTED:
149 		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
150 		    __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
151 			chan->sec_level = BT_SECURITY_SDP;
152 		break;
153 	case L2CAP_CHAN_RAW:
154 		chan->sec_level = BT_SECURITY_SDP;
155 		break;
156 	case L2CAP_CHAN_FIXED:
157 		/* Fixed channels default to the L2CAP core not holding a
158 		 * hci_conn reference for them. For fixed channels mapping to
159 		 * L2CAP sockets we do want to hold a reference so set the
160 		 * appropriate flag to request it.
161 		 */
162 		set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
163 		break;
164 	}
165 
166 	/* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
167 	 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
168 	 */
169 	if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
170 	    chan->mode != L2CAP_MODE_EXT_FLOWCTL)
171 		chan->mode = L2CAP_MODE_LE_FLOWCTL;
172 
173 	chan->state = BT_BOUND;
174 	sk->sk_state = BT_BOUND;
175 
176 done:
177 	release_sock(sk);
178 	return err;
179 }
180 
181 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
182 			      int alen, int flags)
183 {
184 	struct sock *sk = sock->sk;
185 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
186 	struct sockaddr_l2 la;
187 	int len, err = 0;
188 	bool zapped;
189 
190 	BT_DBG("sk %p", sk);
191 
192 	lock_sock(sk);
193 	zapped = sock_flag(sk, SOCK_ZAPPED);
194 	release_sock(sk);
195 
196 	if (zapped)
197 		return -EINVAL;
198 
199 	if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
200 	    addr->sa_family != AF_BLUETOOTH)
201 		return -EINVAL;
202 
203 	memset(&la, 0, sizeof(la));
204 	len = min_t(unsigned int, sizeof(la), alen);
205 	memcpy(&la, addr, len);
206 
207 	if (la.l2_cid && la.l2_psm)
208 		return -EINVAL;
209 
210 	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
211 		return -EINVAL;
212 
213 	/* Check that the socket wasn't bound to something that
214 	 * conflicts with the address given to connect(). If chan->src
215 	 * is BDADDR_ANY it means bind() was never used, in which case
216 	 * chan->src_type and la.l2_bdaddr_type do not need to match.
217 	 */
218 	if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
219 	    bdaddr_type_is_le(la.l2_bdaddr_type)) {
220 		/* Old user space versions will try to incorrectly bind
221 		 * the ATT socket using BDADDR_BREDR. We need to accept
222 		 * this and fix up the source address type only when
223 		 * both the source CID and destination CID indicate
224 		 * ATT. Anything else is an invalid combination.
225 		 */
226 		if (chan->scid != L2CAP_CID_ATT ||
227 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
228 			return -EINVAL;
229 
230 		/* We don't have the hdev available here to make a
231 		 * better decision on random vs public, but since all
232 		 * user space versions that exhibit this issue anyway do
233 		 * not support random local addresses assuming public
234 		 * here is good enough.
235 		 */
236 		chan->src_type = BDADDR_LE_PUBLIC;
237 	}
238 
239 	if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
240 		return -EINVAL;
241 
242 	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
243 		/* We only allow ATT user space socket */
244 		if (la.l2_cid &&
245 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
246 			return -EINVAL;
247 	}
248 
249 	/* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
250 	 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
251 	 */
252 	if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
253 	    chan->mode != L2CAP_MODE_EXT_FLOWCTL)
254 		chan->mode = L2CAP_MODE_LE_FLOWCTL;
255 
256 	err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
257 				 &la.l2_bdaddr, la.l2_bdaddr_type);
258 	if (err)
259 		return err;
260 
261 	lock_sock(sk);
262 
263 	err = bt_sock_wait_state(sk, BT_CONNECTED,
264 				 sock_sndtimeo(sk, flags & O_NONBLOCK));
265 
266 	release_sock(sk);
267 
268 	return err;
269 }
270 
271 static int l2cap_sock_listen(struct socket *sock, int backlog)
272 {
273 	struct sock *sk = sock->sk;
274 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
275 	int err = 0;
276 
277 	BT_DBG("sk %p backlog %d", sk, backlog);
278 
279 	lock_sock(sk);
280 
281 	if (sk->sk_state != BT_BOUND) {
282 		err = -EBADFD;
283 		goto done;
284 	}
285 
286 	if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
287 		err = -EINVAL;
288 		goto done;
289 	}
290 
291 	switch (chan->mode) {
292 	case L2CAP_MODE_BASIC:
293 	case L2CAP_MODE_LE_FLOWCTL:
294 		break;
295 	case L2CAP_MODE_EXT_FLOWCTL:
296 		if (!enable_ecred) {
297 			err = -EOPNOTSUPP;
298 			goto done;
299 		}
300 		break;
301 	case L2CAP_MODE_ERTM:
302 	case L2CAP_MODE_STREAMING:
303 		if (!disable_ertm)
304 			break;
305 		fallthrough;
306 	default:
307 		err = -EOPNOTSUPP;
308 		goto done;
309 	}
310 
311 	sk->sk_max_ack_backlog = backlog;
312 	sk->sk_ack_backlog = 0;
313 
314 	/* Listening channels need to use nested locking in order not to
315 	 * cause lockdep warnings when the created child channels end up
316 	 * being locked in the same thread as the parent channel.
317 	 */
318 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
319 
320 	chan->state = BT_LISTEN;
321 	sk->sk_state = BT_LISTEN;
322 
323 done:
324 	release_sock(sk);
325 	return err;
326 }
327 
328 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
329 			     int flags, bool kern)
330 {
331 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
332 	struct sock *sk = sock->sk, *nsk;
333 	long timeo;
334 	int err = 0;
335 
336 	lock_sock_nested(sk, L2CAP_NESTING_PARENT);
337 
338 	timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
339 
340 	BT_DBG("sk %p timeo %ld", sk, timeo);
341 
342 	/* Wait for an incoming connection. (wake-one). */
343 	add_wait_queue_exclusive(sk_sleep(sk), &wait);
344 	while (1) {
345 		if (sk->sk_state != BT_LISTEN) {
346 			err = -EBADFD;
347 			break;
348 		}
349 
350 		nsk = bt_accept_dequeue(sk, newsock);
351 		if (nsk)
352 			break;
353 
354 		if (!timeo) {
355 			err = -EAGAIN;
356 			break;
357 		}
358 
359 		if (signal_pending(current)) {
360 			err = sock_intr_errno(timeo);
361 			break;
362 		}
363 
364 		release_sock(sk);
365 
366 		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
367 
368 		lock_sock_nested(sk, L2CAP_NESTING_PARENT);
369 	}
370 	remove_wait_queue(sk_sleep(sk), &wait);
371 
372 	if (err)
373 		goto done;
374 
375 	newsock->state = SS_CONNECTED;
376 
377 	BT_DBG("new socket %p", nsk);
378 
379 done:
380 	release_sock(sk);
381 	return err;
382 }
383 
384 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
385 			      int peer)
386 {
387 	struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
388 	struct sock *sk = sock->sk;
389 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
390 
391 	BT_DBG("sock %p, sk %p", sock, sk);
392 
393 	if (peer && sk->sk_state != BT_CONNECTED &&
394 	    sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
395 	    sk->sk_state != BT_CONFIG)
396 		return -ENOTCONN;
397 
398 	memset(la, 0, sizeof(struct sockaddr_l2));
399 	addr->sa_family = AF_BLUETOOTH;
400 
401 	la->l2_psm = chan->psm;
402 
403 	if (peer) {
404 		bacpy(&la->l2_bdaddr, &chan->dst);
405 		la->l2_cid = cpu_to_le16(chan->dcid);
406 		la->l2_bdaddr_type = chan->dst_type;
407 	} else {
408 		bacpy(&la->l2_bdaddr, &chan->src);
409 		la->l2_cid = cpu_to_le16(chan->scid);
410 		la->l2_bdaddr_type = chan->src_type;
411 	}
412 
413 	return sizeof(struct sockaddr_l2);
414 }
415 
416 static int l2cap_get_mode(struct l2cap_chan *chan)
417 {
418 	switch (chan->mode) {
419 	case L2CAP_MODE_BASIC:
420 		return BT_MODE_BASIC;
421 	case L2CAP_MODE_ERTM:
422 		return BT_MODE_ERTM;
423 	case L2CAP_MODE_STREAMING:
424 		return BT_MODE_STREAMING;
425 	case L2CAP_MODE_LE_FLOWCTL:
426 		return BT_MODE_LE_FLOWCTL;
427 	case L2CAP_MODE_EXT_FLOWCTL:
428 		return BT_MODE_EXT_FLOWCTL;
429 	}
430 
431 	return -EINVAL;
432 }
433 
434 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
435 				     char __user *optval, int __user *optlen)
436 {
437 	struct sock *sk = sock->sk;
438 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
439 	struct l2cap_options opts;
440 	struct l2cap_conninfo cinfo;
441 	int len, err = 0;
442 	u32 opt;
443 
444 	BT_DBG("sk %p", sk);
445 
446 	if (get_user(len, optlen))
447 		return -EFAULT;
448 
449 	lock_sock(sk);
450 
451 	switch (optname) {
452 	case L2CAP_OPTIONS:
453 		/* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
454 		 * legacy ATT code depends on getsockopt for
455 		 * L2CAP_OPTIONS we need to let this pass.
456 		 */
457 		if (bdaddr_type_is_le(chan->src_type) &&
458 		    chan->scid != L2CAP_CID_ATT) {
459 			err = -EINVAL;
460 			break;
461 		}
462 
463 		/* Only BR/EDR modes are supported here */
464 		switch (chan->mode) {
465 		case L2CAP_MODE_BASIC:
466 		case L2CAP_MODE_ERTM:
467 		case L2CAP_MODE_STREAMING:
468 			break;
469 		default:
470 			err = -EINVAL;
471 			break;
472 		}
473 
474 		if (err < 0)
475 			break;
476 
477 		memset(&opts, 0, sizeof(opts));
478 		opts.imtu     = chan->imtu;
479 		opts.omtu     = chan->omtu;
480 		opts.flush_to = chan->flush_to;
481 		opts.mode     = chan->mode;
482 		opts.fcs      = chan->fcs;
483 		opts.max_tx   = chan->max_tx;
484 		opts.txwin_size = chan->tx_win;
485 
486 		BT_DBG("mode 0x%2.2x", chan->mode);
487 
488 		len = min_t(unsigned int, len, sizeof(opts));
489 		if (copy_to_user(optval, (char *) &opts, len))
490 			err = -EFAULT;
491 
492 		break;
493 
494 	case L2CAP_LM:
495 		switch (chan->sec_level) {
496 		case BT_SECURITY_LOW:
497 			opt = L2CAP_LM_AUTH;
498 			break;
499 		case BT_SECURITY_MEDIUM:
500 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
501 			break;
502 		case BT_SECURITY_HIGH:
503 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
504 			      L2CAP_LM_SECURE;
505 			break;
506 		case BT_SECURITY_FIPS:
507 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
508 			      L2CAP_LM_SECURE | L2CAP_LM_FIPS;
509 			break;
510 		default:
511 			opt = 0;
512 			break;
513 		}
514 
515 		if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
516 			opt |= L2CAP_LM_MASTER;
517 
518 		if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
519 			opt |= L2CAP_LM_RELIABLE;
520 
521 		if (put_user(opt, (u32 __user *) optval))
522 			err = -EFAULT;
523 
524 		break;
525 
526 	case L2CAP_CONNINFO:
527 		if (sk->sk_state != BT_CONNECTED &&
528 		    !(sk->sk_state == BT_CONNECT2 &&
529 		      test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
530 			err = -ENOTCONN;
531 			break;
532 		}
533 
534 		memset(&cinfo, 0, sizeof(cinfo));
535 		cinfo.hci_handle = chan->conn->hcon->handle;
536 		memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
537 
538 		len = min_t(unsigned int, len, sizeof(cinfo));
539 		if (copy_to_user(optval, (char *) &cinfo, len))
540 			err = -EFAULT;
541 
542 		break;
543 
544 	default:
545 		err = -ENOPROTOOPT;
546 		break;
547 	}
548 
549 	release_sock(sk);
550 	return err;
551 }
552 
553 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
554 				 char __user *optval, int __user *optlen)
555 {
556 	struct sock *sk = sock->sk;
557 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
558 	struct bt_security sec;
559 	struct bt_power pwr;
560 	u32 phys;
561 	int len, mode, err = 0;
562 
563 	BT_DBG("sk %p", sk);
564 
565 	if (level == SOL_L2CAP)
566 		return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
567 
568 	if (level != SOL_BLUETOOTH)
569 		return -ENOPROTOOPT;
570 
571 	if (get_user(len, optlen))
572 		return -EFAULT;
573 
574 	lock_sock(sk);
575 
576 	switch (optname) {
577 	case BT_SECURITY:
578 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
579 		    chan->chan_type != L2CAP_CHAN_FIXED &&
580 		    chan->chan_type != L2CAP_CHAN_RAW) {
581 			err = -EINVAL;
582 			break;
583 		}
584 
585 		memset(&sec, 0, sizeof(sec));
586 		if (chan->conn) {
587 			sec.level = chan->conn->hcon->sec_level;
588 
589 			if (sk->sk_state == BT_CONNECTED)
590 				sec.key_size = chan->conn->hcon->enc_key_size;
591 		} else {
592 			sec.level = chan->sec_level;
593 		}
594 
595 		len = min_t(unsigned int, len, sizeof(sec));
596 		if (copy_to_user(optval, (char *) &sec, len))
597 			err = -EFAULT;
598 
599 		break;
600 
601 	case BT_DEFER_SETUP:
602 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
603 			err = -EINVAL;
604 			break;
605 		}
606 
607 		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
608 			     (u32 __user *) optval))
609 			err = -EFAULT;
610 
611 		break;
612 
613 	case BT_FLUSHABLE:
614 		if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
615 			     (u32 __user *) optval))
616 			err = -EFAULT;
617 
618 		break;
619 
620 	case BT_POWER:
621 		if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
622 		    && sk->sk_type != SOCK_RAW) {
623 			err = -EINVAL;
624 			break;
625 		}
626 
627 		pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
628 
629 		len = min_t(unsigned int, len, sizeof(pwr));
630 		if (copy_to_user(optval, (char *) &pwr, len))
631 			err = -EFAULT;
632 
633 		break;
634 
635 	case BT_CHANNEL_POLICY:
636 		if (put_user(chan->chan_policy, (u32 __user *) optval))
637 			err = -EFAULT;
638 		break;
639 
640 	case BT_SNDMTU:
641 		if (!bdaddr_type_is_le(chan->src_type)) {
642 			err = -EINVAL;
643 			break;
644 		}
645 
646 		if (sk->sk_state != BT_CONNECTED) {
647 			err = -ENOTCONN;
648 			break;
649 		}
650 
651 		if (put_user(chan->omtu, (u16 __user *) optval))
652 			err = -EFAULT;
653 		break;
654 
655 	case BT_RCVMTU:
656 		if (!bdaddr_type_is_le(chan->src_type)) {
657 			err = -EINVAL;
658 			break;
659 		}
660 
661 		if (put_user(chan->imtu, (u16 __user *) optval))
662 			err = -EFAULT;
663 		break;
664 
665 	case BT_PHY:
666 		if (sk->sk_state != BT_CONNECTED) {
667 			err = -ENOTCONN;
668 			break;
669 		}
670 
671 		phys = hci_conn_get_phy(chan->conn->hcon);
672 
673 		if (put_user(phys, (u32 __user *) optval))
674 			err = -EFAULT;
675 		break;
676 
677 	case BT_MODE:
678 		if (!enable_ecred) {
679 			err = -ENOPROTOOPT;
680 			break;
681 		}
682 
683 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
684 			err = -EINVAL;
685 			break;
686 		}
687 
688 		mode = l2cap_get_mode(chan);
689 		if (mode < 0) {
690 			err = mode;
691 			break;
692 		}
693 
694 		if (put_user(mode, (u8 __user *) optval))
695 			err = -EFAULT;
696 		break;
697 
698 	default:
699 		err = -ENOPROTOOPT;
700 		break;
701 	}
702 
703 	release_sock(sk);
704 	return err;
705 }
706 
707 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
708 {
709 	switch (chan->scid) {
710 	case L2CAP_CID_ATT:
711 		if (mtu < L2CAP_LE_MIN_MTU)
712 			return false;
713 		break;
714 
715 	default:
716 		if (mtu < L2CAP_DEFAULT_MIN_MTU)
717 			return false;
718 	}
719 
720 	return true;
721 }
722 
723 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
724 				     sockptr_t optval, unsigned int optlen)
725 {
726 	struct sock *sk = sock->sk;
727 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
728 	struct l2cap_options opts;
729 	int len, err = 0;
730 	u32 opt;
731 
732 	BT_DBG("sk %p", sk);
733 
734 	lock_sock(sk);
735 
736 	switch (optname) {
737 	case L2CAP_OPTIONS:
738 		if (bdaddr_type_is_le(chan->src_type)) {
739 			err = -EINVAL;
740 			break;
741 		}
742 
743 		if (sk->sk_state == BT_CONNECTED) {
744 			err = -EINVAL;
745 			break;
746 		}
747 
748 		opts.imtu     = chan->imtu;
749 		opts.omtu     = chan->omtu;
750 		opts.flush_to = chan->flush_to;
751 		opts.mode     = chan->mode;
752 		opts.fcs      = chan->fcs;
753 		opts.max_tx   = chan->max_tx;
754 		opts.txwin_size = chan->tx_win;
755 
756 		len = min_t(unsigned int, sizeof(opts), optlen);
757 		if (copy_from_sockptr(&opts, optval, len)) {
758 			err = -EFAULT;
759 			break;
760 		}
761 
762 		if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
763 			err = -EINVAL;
764 			break;
765 		}
766 
767 		if (!l2cap_valid_mtu(chan, opts.imtu)) {
768 			err = -EINVAL;
769 			break;
770 		}
771 
772 		/* Only BR/EDR modes are supported here */
773 		switch (opts.mode) {
774 		case L2CAP_MODE_BASIC:
775 			clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
776 			break;
777 		case L2CAP_MODE_ERTM:
778 		case L2CAP_MODE_STREAMING:
779 			if (!disable_ertm)
780 				break;
781 			fallthrough;
782 		default:
783 			err = -EINVAL;
784 			break;
785 		}
786 
787 		if (err < 0)
788 			break;
789 
790 		chan->mode = opts.mode;
791 
792 		BT_DBG("mode 0x%2.2x", chan->mode);
793 
794 		chan->imtu = opts.imtu;
795 		chan->omtu = opts.omtu;
796 		chan->fcs  = opts.fcs;
797 		chan->max_tx = opts.max_tx;
798 		chan->tx_win = opts.txwin_size;
799 		chan->flush_to = opts.flush_to;
800 		break;
801 
802 	case L2CAP_LM:
803 		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
804 			err = -EFAULT;
805 			break;
806 		}
807 
808 		if (opt & L2CAP_LM_FIPS) {
809 			err = -EINVAL;
810 			break;
811 		}
812 
813 		if (opt & L2CAP_LM_AUTH)
814 			chan->sec_level = BT_SECURITY_LOW;
815 		if (opt & L2CAP_LM_ENCRYPT)
816 			chan->sec_level = BT_SECURITY_MEDIUM;
817 		if (opt & L2CAP_LM_SECURE)
818 			chan->sec_level = BT_SECURITY_HIGH;
819 
820 		if (opt & L2CAP_LM_MASTER)
821 			set_bit(FLAG_ROLE_SWITCH, &chan->flags);
822 		else
823 			clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
824 
825 		if (opt & L2CAP_LM_RELIABLE)
826 			set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
827 		else
828 			clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
829 		break;
830 
831 	default:
832 		err = -ENOPROTOOPT;
833 		break;
834 	}
835 
836 	release_sock(sk);
837 	return err;
838 }
839 
840 static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode)
841 {
842 	switch (mode) {
843 	case BT_MODE_BASIC:
844 		if (bdaddr_type_is_le(chan->src_type))
845 			return -EINVAL;
846 		mode = L2CAP_MODE_BASIC;
847 		clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
848 		break;
849 	case BT_MODE_ERTM:
850 		if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
851 			return -EINVAL;
852 		mode = L2CAP_MODE_ERTM;
853 		break;
854 	case BT_MODE_STREAMING:
855 		if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
856 			return -EINVAL;
857 		mode = L2CAP_MODE_STREAMING;
858 		break;
859 	case BT_MODE_LE_FLOWCTL:
860 		if (!bdaddr_type_is_le(chan->src_type))
861 			return -EINVAL;
862 		mode = L2CAP_MODE_LE_FLOWCTL;
863 		break;
864 	case BT_MODE_EXT_FLOWCTL:
865 		/* TODO: Add support for ECRED PDUs to BR/EDR */
866 		if (!bdaddr_type_is_le(chan->src_type))
867 			return -EINVAL;
868 		mode = L2CAP_MODE_EXT_FLOWCTL;
869 		break;
870 	default:
871 		return -EINVAL;
872 	}
873 
874 	chan->mode = mode;
875 
876 	return 0;
877 }
878 
879 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
880 				 sockptr_t optval, unsigned int optlen)
881 {
882 	struct sock *sk = sock->sk;
883 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
884 	struct bt_security sec;
885 	struct bt_power pwr;
886 	struct l2cap_conn *conn;
887 	int len, err = 0;
888 	u32 opt;
889 	u16 mtu;
890 	u8 mode;
891 
892 	BT_DBG("sk %p", sk);
893 
894 	if (level == SOL_L2CAP)
895 		return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
896 
897 	if (level != SOL_BLUETOOTH)
898 		return -ENOPROTOOPT;
899 
900 	lock_sock(sk);
901 
902 	switch (optname) {
903 	case BT_SECURITY:
904 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
905 		    chan->chan_type != L2CAP_CHAN_FIXED &&
906 		    chan->chan_type != L2CAP_CHAN_RAW) {
907 			err = -EINVAL;
908 			break;
909 		}
910 
911 		sec.level = BT_SECURITY_LOW;
912 
913 		len = min_t(unsigned int, sizeof(sec), optlen);
914 		if (copy_from_sockptr(&sec, optval, len)) {
915 			err = -EFAULT;
916 			break;
917 		}
918 
919 		if (sec.level < BT_SECURITY_LOW ||
920 		    sec.level > BT_SECURITY_FIPS) {
921 			err = -EINVAL;
922 			break;
923 		}
924 
925 		chan->sec_level = sec.level;
926 
927 		if (!chan->conn)
928 			break;
929 
930 		conn = chan->conn;
931 
932 		/* change security for LE channels */
933 		if (chan->scid == L2CAP_CID_ATT) {
934 			if (smp_conn_security(conn->hcon, sec.level)) {
935 				err = -EINVAL;
936 				break;
937 			}
938 
939 			set_bit(FLAG_PENDING_SECURITY, &chan->flags);
940 			sk->sk_state = BT_CONFIG;
941 			chan->state = BT_CONFIG;
942 
943 		/* or for ACL link */
944 		} else if ((sk->sk_state == BT_CONNECT2 &&
945 			    test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
946 			   sk->sk_state == BT_CONNECTED) {
947 			if (!l2cap_chan_check_security(chan, true))
948 				set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
949 			else
950 				sk->sk_state_change(sk);
951 		} else {
952 			err = -EINVAL;
953 		}
954 		break;
955 
956 	case BT_DEFER_SETUP:
957 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
958 			err = -EINVAL;
959 			break;
960 		}
961 
962 		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
963 			err = -EFAULT;
964 			break;
965 		}
966 
967 		if (opt) {
968 			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
969 			set_bit(FLAG_DEFER_SETUP, &chan->flags);
970 		} else {
971 			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
972 			clear_bit(FLAG_DEFER_SETUP, &chan->flags);
973 		}
974 		break;
975 
976 	case BT_FLUSHABLE:
977 		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
978 			err = -EFAULT;
979 			break;
980 		}
981 
982 		if (opt > BT_FLUSHABLE_ON) {
983 			err = -EINVAL;
984 			break;
985 		}
986 
987 		if (opt == BT_FLUSHABLE_OFF) {
988 			conn = chan->conn;
989 			/* proceed further only when we have l2cap_conn and
990 			   No Flush support in the LM */
991 			if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
992 				err = -EINVAL;
993 				break;
994 			}
995 		}
996 
997 		if (opt)
998 			set_bit(FLAG_FLUSHABLE, &chan->flags);
999 		else
1000 			clear_bit(FLAG_FLUSHABLE, &chan->flags);
1001 		break;
1002 
1003 	case BT_POWER:
1004 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
1005 		    chan->chan_type != L2CAP_CHAN_RAW) {
1006 			err = -EINVAL;
1007 			break;
1008 		}
1009 
1010 		pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
1011 
1012 		len = min_t(unsigned int, sizeof(pwr), optlen);
1013 		if (copy_from_sockptr(&pwr, optval, len)) {
1014 			err = -EFAULT;
1015 			break;
1016 		}
1017 
1018 		if (pwr.force_active)
1019 			set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1020 		else
1021 			clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1022 		break;
1023 
1024 	case BT_CHANNEL_POLICY:
1025 		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
1026 			err = -EFAULT;
1027 			break;
1028 		}
1029 
1030 		if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
1031 			err = -EINVAL;
1032 			break;
1033 		}
1034 
1035 		if (chan->mode != L2CAP_MODE_ERTM &&
1036 		    chan->mode != L2CAP_MODE_STREAMING) {
1037 			err = -EOPNOTSUPP;
1038 			break;
1039 		}
1040 
1041 		chan->chan_policy = (u8) opt;
1042 
1043 		if (sk->sk_state == BT_CONNECTED &&
1044 		    chan->move_role == L2CAP_MOVE_ROLE_NONE)
1045 			l2cap_move_start(chan);
1046 
1047 		break;
1048 
1049 	case BT_SNDMTU:
1050 		if (!bdaddr_type_is_le(chan->src_type)) {
1051 			err = -EINVAL;
1052 			break;
1053 		}
1054 
1055 		/* Setting is not supported as it's the remote side that
1056 		 * decides this.
1057 		 */
1058 		err = -EPERM;
1059 		break;
1060 
1061 	case BT_RCVMTU:
1062 		if (!bdaddr_type_is_le(chan->src_type)) {
1063 			err = -EINVAL;
1064 			break;
1065 		}
1066 
1067 		if (chan->mode == L2CAP_MODE_LE_FLOWCTL &&
1068 		    sk->sk_state == BT_CONNECTED) {
1069 			err = -EISCONN;
1070 			break;
1071 		}
1072 
1073 		if (copy_from_sockptr(&mtu, optval, sizeof(u16))) {
1074 			err = -EFAULT;
1075 			break;
1076 		}
1077 
1078 		if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
1079 		    sk->sk_state == BT_CONNECTED)
1080 			err = l2cap_chan_reconfigure(chan, mtu);
1081 		else
1082 			chan->imtu = mtu;
1083 
1084 		break;
1085 
1086 	case BT_MODE:
1087 		if (!enable_ecred) {
1088 			err = -ENOPROTOOPT;
1089 			break;
1090 		}
1091 
1092 		BT_DBG("sk->sk_state %u", sk->sk_state);
1093 
1094 		if (sk->sk_state != BT_BOUND) {
1095 			err = -EINVAL;
1096 			break;
1097 		}
1098 
1099 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1100 			err = -EINVAL;
1101 			break;
1102 		}
1103 
1104 		if (copy_from_sockptr(&mode, optval, sizeof(u8))) {
1105 			err = -EFAULT;
1106 			break;
1107 		}
1108 
1109 		BT_DBG("mode %u", mode);
1110 
1111 		err = l2cap_set_mode(chan, mode);
1112 		if (err)
1113 			break;
1114 
1115 		BT_DBG("mode 0x%2.2x", chan->mode);
1116 
1117 		break;
1118 
1119 	default:
1120 		err = -ENOPROTOOPT;
1121 		break;
1122 	}
1123 
1124 	release_sock(sk);
1125 	return err;
1126 }
1127 
1128 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1129 			      size_t len)
1130 {
1131 	struct sock *sk = sock->sk;
1132 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1133 	int err;
1134 
1135 	BT_DBG("sock %p, sk %p", sock, sk);
1136 
1137 	err = sock_error(sk);
1138 	if (err)
1139 		return err;
1140 
1141 	if (msg->msg_flags & MSG_OOB)
1142 		return -EOPNOTSUPP;
1143 
1144 	if (sk->sk_state != BT_CONNECTED)
1145 		return -ENOTCONN;
1146 
1147 	lock_sock(sk);
1148 	err = bt_sock_wait_ready(sk, msg->msg_flags);
1149 	release_sock(sk);
1150 	if (err)
1151 		return err;
1152 
1153 	l2cap_chan_lock(chan);
1154 	err = l2cap_chan_send(chan, msg, len);
1155 	l2cap_chan_unlock(chan);
1156 
1157 	return err;
1158 }
1159 
1160 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1161 			      size_t len, int flags)
1162 {
1163 	struct sock *sk = sock->sk;
1164 	struct l2cap_pinfo *pi = l2cap_pi(sk);
1165 	int err;
1166 
1167 	lock_sock(sk);
1168 
1169 	if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
1170 						    &bt_sk(sk)->flags)) {
1171 		if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
1172 			sk->sk_state = BT_CONNECTED;
1173 			pi->chan->state = BT_CONNECTED;
1174 			__l2cap_ecred_conn_rsp_defer(pi->chan);
1175 		} else if (bdaddr_type_is_le(pi->chan->src_type)) {
1176 			sk->sk_state = BT_CONNECTED;
1177 			pi->chan->state = BT_CONNECTED;
1178 			__l2cap_le_connect_rsp_defer(pi->chan);
1179 		} else {
1180 			sk->sk_state = BT_CONFIG;
1181 			pi->chan->state = BT_CONFIG;
1182 			__l2cap_connect_rsp_defer(pi->chan);
1183 		}
1184 
1185 		err = 0;
1186 		goto done;
1187 	}
1188 
1189 	release_sock(sk);
1190 
1191 	if (sock->type == SOCK_STREAM)
1192 		err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1193 	else
1194 		err = bt_sock_recvmsg(sock, msg, len, flags);
1195 
1196 	if (pi->chan->mode != L2CAP_MODE_ERTM)
1197 		return err;
1198 
1199 	/* Attempt to put pending rx data in the socket buffer */
1200 
1201 	lock_sock(sk);
1202 
1203 	if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1204 		goto done;
1205 
1206 	if (pi->rx_busy_skb) {
1207 		if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1208 			pi->rx_busy_skb = NULL;
1209 		else
1210 			goto done;
1211 	}
1212 
1213 	/* Restore data flow when half of the receive buffer is
1214 	 * available.  This avoids resending large numbers of
1215 	 * frames.
1216 	 */
1217 	if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1218 		l2cap_chan_busy(pi->chan, 0);
1219 
1220 done:
1221 	release_sock(sk);
1222 	return err;
1223 }
1224 
1225 /* Kill socket (only if zapped and orphan)
1226  * Must be called on unlocked socket, with l2cap channel lock.
1227  */
1228 static void l2cap_sock_kill(struct sock *sk)
1229 {
1230 	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1231 		return;
1232 
1233 	BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1234 
1235 	/* Kill poor orphan */
1236 
1237 	l2cap_chan_put(l2cap_pi(sk)->chan);
1238 	sock_set_flag(sk, SOCK_DEAD);
1239 	sock_put(sk);
1240 }
1241 
1242 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1243 {
1244 	DECLARE_WAITQUEUE(wait, current);
1245 	int err = 0;
1246 	int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1247 	/* Timeout to prevent infinite loop */
1248 	unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1249 
1250 	add_wait_queue(sk_sleep(sk), &wait);
1251 	set_current_state(TASK_INTERRUPTIBLE);
1252 	do {
1253 		BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1254 		       chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1255 		       jiffies_to_msecs(timeout - jiffies));
1256 
1257 		if (!timeo)
1258 			timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1259 
1260 		if (signal_pending(current)) {
1261 			err = sock_intr_errno(timeo);
1262 			break;
1263 		}
1264 
1265 		release_sock(sk);
1266 		timeo = schedule_timeout(timeo);
1267 		lock_sock(sk);
1268 		set_current_state(TASK_INTERRUPTIBLE);
1269 
1270 		err = sock_error(sk);
1271 		if (err)
1272 			break;
1273 
1274 		if (time_after(jiffies, timeout)) {
1275 			err = -ENOLINK;
1276 			break;
1277 		}
1278 
1279 	} while (chan->unacked_frames > 0 &&
1280 		 chan->state == BT_CONNECTED);
1281 
1282 	set_current_state(TASK_RUNNING);
1283 	remove_wait_queue(sk_sleep(sk), &wait);
1284 	return err;
1285 }
1286 
1287 static int l2cap_sock_shutdown(struct socket *sock, int how)
1288 {
1289 	struct sock *sk = sock->sk;
1290 	struct l2cap_chan *chan;
1291 	struct l2cap_conn *conn;
1292 	int err = 0;
1293 
1294 	BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1295 
1296 	/* 'how' parameter is mapped to sk_shutdown as follows:
1297 	 * SHUT_RD   (0) --> RCV_SHUTDOWN  (1)
1298 	 * SHUT_WR   (1) --> SEND_SHUTDOWN (2)
1299 	 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3)
1300 	 */
1301 	how++;
1302 
1303 	if (!sk)
1304 		return 0;
1305 
1306 	lock_sock(sk);
1307 
1308 	if ((sk->sk_shutdown & how) == how)
1309 		goto shutdown_already;
1310 
1311 	BT_DBG("Handling sock shutdown");
1312 
1313 	/* prevent sk structure from being freed whilst unlocked */
1314 	sock_hold(sk);
1315 
1316 	chan = l2cap_pi(sk)->chan;
1317 	/* prevent chan structure from being freed whilst unlocked */
1318 	l2cap_chan_hold(chan);
1319 
1320 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1321 
1322 	if (chan->mode == L2CAP_MODE_ERTM &&
1323 	    chan->unacked_frames > 0 &&
1324 	    chan->state == BT_CONNECTED) {
1325 		err = __l2cap_wait_ack(sk, chan);
1326 
1327 		/* After waiting for ACKs, check whether shutdown
1328 		 * has already been actioned to close the L2CAP
1329 		 * link such as by l2cap_disconnection_req().
1330 		 */
1331 		if ((sk->sk_shutdown & how) == how)
1332 			goto shutdown_matched;
1333 	}
1334 
1335 	/* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN
1336 	 * is already set
1337 	 */
1338 	if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) {
1339 		sk->sk_shutdown |= RCV_SHUTDOWN;
1340 		if ((sk->sk_shutdown & how) == how)
1341 			goto shutdown_matched;
1342 	}
1343 
1344 	sk->sk_shutdown |= SEND_SHUTDOWN;
1345 	release_sock(sk);
1346 
1347 	l2cap_chan_lock(chan);
1348 	conn = chan->conn;
1349 	if (conn)
1350 		/* prevent conn structure from being freed */
1351 		l2cap_conn_get(conn);
1352 	l2cap_chan_unlock(chan);
1353 
1354 	if (conn)
1355 		/* mutex lock must be taken before l2cap_chan_lock() */
1356 		mutex_lock(&conn->chan_lock);
1357 
1358 	l2cap_chan_lock(chan);
1359 	l2cap_chan_close(chan, 0);
1360 	l2cap_chan_unlock(chan);
1361 
1362 	if (conn) {
1363 		mutex_unlock(&conn->chan_lock);
1364 		l2cap_conn_put(conn);
1365 	}
1366 
1367 	lock_sock(sk);
1368 
1369 	if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1370 	    !(current->flags & PF_EXITING))
1371 		err = bt_sock_wait_state(sk, BT_CLOSED,
1372 					 sk->sk_lingertime);
1373 
1374 shutdown_matched:
1375 	l2cap_chan_put(chan);
1376 	sock_put(sk);
1377 
1378 shutdown_already:
1379 	if (!err && sk->sk_err)
1380 		err = -sk->sk_err;
1381 
1382 	release_sock(sk);
1383 
1384 	BT_DBG("Sock shutdown complete err: %d", err);
1385 
1386 	return err;
1387 }
1388 
1389 static int l2cap_sock_release(struct socket *sock)
1390 {
1391 	struct sock *sk = sock->sk;
1392 	int err;
1393 	struct l2cap_chan *chan;
1394 
1395 	BT_DBG("sock %p, sk %p", sock, sk);
1396 
1397 	if (!sk)
1398 		return 0;
1399 
1400 	l2cap_sock_cleanup_listen(sk);
1401 	bt_sock_unlink(&l2cap_sk_list, sk);
1402 
1403 	err = l2cap_sock_shutdown(sock, SHUT_RDWR);
1404 	chan = l2cap_pi(sk)->chan;
1405 
1406 	l2cap_chan_hold(chan);
1407 	l2cap_chan_lock(chan);
1408 
1409 	sock_orphan(sk);
1410 	l2cap_sock_kill(sk);
1411 
1412 	l2cap_chan_unlock(chan);
1413 	l2cap_chan_put(chan);
1414 
1415 	return err;
1416 }
1417 
1418 static void l2cap_sock_cleanup_listen(struct sock *parent)
1419 {
1420 	struct sock *sk;
1421 
1422 	BT_DBG("parent %p state %s", parent,
1423 	       state_to_string(parent->sk_state));
1424 
1425 	/* Close not yet accepted channels */
1426 	while ((sk = bt_accept_dequeue(parent, NULL))) {
1427 		struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1428 
1429 		BT_DBG("child chan %p state %s", chan,
1430 		       state_to_string(chan->state));
1431 
1432 		l2cap_chan_hold(chan);
1433 		l2cap_chan_lock(chan);
1434 
1435 		__clear_chan_timer(chan);
1436 		l2cap_chan_close(chan, ECONNRESET);
1437 		l2cap_sock_kill(sk);
1438 
1439 		l2cap_chan_unlock(chan);
1440 		l2cap_chan_put(chan);
1441 	}
1442 }
1443 
1444 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1445 {
1446 	struct sock *sk, *parent = chan->data;
1447 
1448 	lock_sock(parent);
1449 
1450 	/* Check for backlog size */
1451 	if (sk_acceptq_is_full(parent)) {
1452 		BT_DBG("backlog full %d", parent->sk_ack_backlog);
1453 		release_sock(parent);
1454 		return NULL;
1455 	}
1456 
1457 	sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1458 			      GFP_ATOMIC, 0);
1459 	if (!sk) {
1460 		release_sock(parent);
1461 		return NULL;
1462         }
1463 
1464 	bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1465 
1466 	l2cap_sock_init(sk, parent);
1467 
1468 	bt_accept_enqueue(parent, sk, false);
1469 
1470 	release_sock(parent);
1471 
1472 	return l2cap_pi(sk)->chan;
1473 }
1474 
1475 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1476 {
1477 	struct sock *sk = chan->data;
1478 	int err;
1479 
1480 	lock_sock(sk);
1481 
1482 	if (l2cap_pi(sk)->rx_busy_skb) {
1483 		err = -ENOMEM;
1484 		goto done;
1485 	}
1486 
1487 	if (chan->mode != L2CAP_MODE_ERTM &&
1488 	    chan->mode != L2CAP_MODE_STREAMING) {
1489 		/* Even if no filter is attached, we could potentially
1490 		 * get errors from security modules, etc.
1491 		 */
1492 		err = sk_filter(sk, skb);
1493 		if (err)
1494 			goto done;
1495 	}
1496 
1497 	err = __sock_queue_rcv_skb(sk, skb);
1498 
1499 	/* For ERTM, handle one skb that doesn't fit into the recv
1500 	 * buffer.  This is important to do because the data frames
1501 	 * have already been acked, so the skb cannot be discarded.
1502 	 *
1503 	 * Notify the l2cap core that the buffer is full, so the
1504 	 * LOCAL_BUSY state is entered and no more frames are
1505 	 * acked and reassembled until there is buffer space
1506 	 * available.
1507 	 */
1508 	if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1509 		l2cap_pi(sk)->rx_busy_skb = skb;
1510 		l2cap_chan_busy(chan, 1);
1511 		err = 0;
1512 	}
1513 
1514 done:
1515 	release_sock(sk);
1516 
1517 	return err;
1518 }
1519 
1520 static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1521 {
1522 	struct sock *sk = chan->data;
1523 
1524 	if (!sk)
1525 		return;
1526 
1527 	l2cap_sock_kill(sk);
1528 }
1529 
1530 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1531 {
1532 	struct sock *sk = chan->data;
1533 	struct sock *parent;
1534 
1535 	if (!sk)
1536 		return;
1537 
1538 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1539 
1540 	/* This callback can be called both for server (BT_LISTEN)
1541 	 * sockets as well as "normal" ones. To avoid lockdep warnings
1542 	 * with child socket locking (through l2cap_sock_cleanup_listen)
1543 	 * we need separation into separate nesting levels. The simplest
1544 	 * way to accomplish this is to inherit the nesting level used
1545 	 * for the channel.
1546 	 */
1547 	lock_sock_nested(sk, atomic_read(&chan->nesting));
1548 
1549 	parent = bt_sk(sk)->parent;
1550 
1551 	switch (chan->state) {
1552 	case BT_OPEN:
1553 	case BT_BOUND:
1554 	case BT_CLOSED:
1555 		break;
1556 	case BT_LISTEN:
1557 		l2cap_sock_cleanup_listen(sk);
1558 		sk->sk_state = BT_CLOSED;
1559 		chan->state = BT_CLOSED;
1560 
1561 		break;
1562 	default:
1563 		sk->sk_state = BT_CLOSED;
1564 		chan->state = BT_CLOSED;
1565 
1566 		sk->sk_err = err;
1567 
1568 		if (parent) {
1569 			bt_accept_unlink(sk);
1570 			parent->sk_data_ready(parent);
1571 		} else {
1572 			sk->sk_state_change(sk);
1573 		}
1574 
1575 		break;
1576 	}
1577 	release_sock(sk);
1578 
1579 	/* Only zap after cleanup to avoid use after free race */
1580 	sock_set_flag(sk, SOCK_ZAPPED);
1581 
1582 }
1583 
1584 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1585 				       int err)
1586 {
1587 	struct sock *sk = chan->data;
1588 
1589 	sk->sk_state = state;
1590 
1591 	if (err)
1592 		sk->sk_err = err;
1593 }
1594 
1595 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1596 					       unsigned long hdr_len,
1597 					       unsigned long len, int nb)
1598 {
1599 	struct sock *sk = chan->data;
1600 	struct sk_buff *skb;
1601 	int err;
1602 
1603 	l2cap_chan_unlock(chan);
1604 	skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1605 	l2cap_chan_lock(chan);
1606 
1607 	if (!skb)
1608 		return ERR_PTR(err);
1609 
1610 	/* Channel lock is released before requesting new skb and then
1611 	 * reacquired thus we need to recheck channel state.
1612 	 */
1613 	if (chan->state != BT_CONNECTED) {
1614 		kfree_skb(skb);
1615 		return ERR_PTR(-ENOTCONN);
1616 	}
1617 
1618 	skb->priority = sk->sk_priority;
1619 
1620 	bt_cb(skb)->l2cap.chan = chan;
1621 
1622 	return skb;
1623 }
1624 
1625 static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1626 {
1627 	struct sock *sk = chan->data;
1628 	struct sock *parent;
1629 
1630 	lock_sock(sk);
1631 
1632 	parent = bt_sk(sk)->parent;
1633 
1634 	BT_DBG("sk %p, parent %p", sk, parent);
1635 
1636 	sk->sk_state = BT_CONNECTED;
1637 	sk->sk_state_change(sk);
1638 
1639 	if (parent)
1640 		parent->sk_data_ready(parent);
1641 
1642 	release_sock(sk);
1643 }
1644 
1645 static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1646 {
1647 	struct sock *parent, *sk = chan->data;
1648 
1649 	lock_sock(sk);
1650 
1651 	parent = bt_sk(sk)->parent;
1652 	if (parent)
1653 		parent->sk_data_ready(parent);
1654 
1655 	release_sock(sk);
1656 }
1657 
1658 static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1659 {
1660 	struct sock *sk = chan->data;
1661 
1662 	if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1663 		sk->sk_state = BT_CONNECTED;
1664 		chan->state = BT_CONNECTED;
1665 	}
1666 
1667 	clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1668 	sk->sk_state_change(sk);
1669 }
1670 
1671 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1672 {
1673 	struct sock *sk = chan->data;
1674 
1675 	lock_sock(sk);
1676 	sk->sk_shutdown = SHUTDOWN_MASK;
1677 	release_sock(sk);
1678 }
1679 
1680 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1681 {
1682 	struct sock *sk = chan->data;
1683 
1684 	return sk->sk_sndtimeo;
1685 }
1686 
1687 static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan)
1688 {
1689 	struct sock *sk = chan->data;
1690 
1691 	return sk->sk_peer_pid;
1692 }
1693 
1694 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1695 {
1696 	struct sock *sk = chan->data;
1697 
1698 	set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1699 	sk->sk_state_change(sk);
1700 }
1701 
1702 static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
1703 {
1704 	struct sock *sk = chan->data;
1705 
1706 	switch (chan->mode) {
1707 	case L2CAP_MODE_ERTM:
1708 	case L2CAP_MODE_STREAMING:
1709 		return sk_filter(sk, skb);
1710 	}
1711 
1712 	return 0;
1713 }
1714 
1715 static const struct l2cap_ops l2cap_chan_ops = {
1716 	.name			= "L2CAP Socket Interface",
1717 	.new_connection		= l2cap_sock_new_connection_cb,
1718 	.recv			= l2cap_sock_recv_cb,
1719 	.close			= l2cap_sock_close_cb,
1720 	.teardown		= l2cap_sock_teardown_cb,
1721 	.state_change		= l2cap_sock_state_change_cb,
1722 	.ready			= l2cap_sock_ready_cb,
1723 	.defer			= l2cap_sock_defer_cb,
1724 	.resume			= l2cap_sock_resume_cb,
1725 	.suspend		= l2cap_sock_suspend_cb,
1726 	.set_shutdown		= l2cap_sock_set_shutdown_cb,
1727 	.get_sndtimeo		= l2cap_sock_get_sndtimeo_cb,
1728 	.get_peer_pid		= l2cap_sock_get_peer_pid_cb,
1729 	.alloc_skb		= l2cap_sock_alloc_skb_cb,
1730 	.filter			= l2cap_sock_filter,
1731 };
1732 
1733 static void l2cap_sock_destruct(struct sock *sk)
1734 {
1735 	BT_DBG("sk %p", sk);
1736 
1737 	if (l2cap_pi(sk)->chan) {
1738 		l2cap_pi(sk)->chan->data = NULL;
1739 		l2cap_chan_put(l2cap_pi(sk)->chan);
1740 	}
1741 
1742 	if (l2cap_pi(sk)->rx_busy_skb) {
1743 		kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1744 		l2cap_pi(sk)->rx_busy_skb = NULL;
1745 	}
1746 
1747 	skb_queue_purge(&sk->sk_receive_queue);
1748 	skb_queue_purge(&sk->sk_write_queue);
1749 }
1750 
1751 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1752 			       int *msg_namelen)
1753 {
1754 	DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1755 
1756 	memset(la, 0, sizeof(struct sockaddr_l2));
1757 	la->l2_family = AF_BLUETOOTH;
1758 	la->l2_psm = bt_cb(skb)->l2cap.psm;
1759 	bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1760 
1761 	*msg_namelen = sizeof(struct sockaddr_l2);
1762 }
1763 
1764 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1765 {
1766 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1767 
1768 	BT_DBG("sk %p", sk);
1769 
1770 	if (parent) {
1771 		struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1772 
1773 		sk->sk_type = parent->sk_type;
1774 		bt_sk(sk)->flags = bt_sk(parent)->flags;
1775 
1776 		chan->chan_type = pchan->chan_type;
1777 		chan->imtu = pchan->imtu;
1778 		chan->omtu = pchan->omtu;
1779 		chan->conf_state = pchan->conf_state;
1780 		chan->mode = pchan->mode;
1781 		chan->fcs  = pchan->fcs;
1782 		chan->max_tx = pchan->max_tx;
1783 		chan->tx_win = pchan->tx_win;
1784 		chan->tx_win_max = pchan->tx_win_max;
1785 		chan->sec_level = pchan->sec_level;
1786 		chan->flags = pchan->flags;
1787 		chan->tx_credits = pchan->tx_credits;
1788 		chan->rx_credits = pchan->rx_credits;
1789 
1790 		if (chan->chan_type == L2CAP_CHAN_FIXED) {
1791 			chan->scid = pchan->scid;
1792 			chan->dcid = pchan->scid;
1793 		}
1794 
1795 		security_sk_clone(parent, sk);
1796 	} else {
1797 		switch (sk->sk_type) {
1798 		case SOCK_RAW:
1799 			chan->chan_type = L2CAP_CHAN_RAW;
1800 			break;
1801 		case SOCK_DGRAM:
1802 			chan->chan_type = L2CAP_CHAN_CONN_LESS;
1803 			bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1804 			break;
1805 		case SOCK_SEQPACKET:
1806 		case SOCK_STREAM:
1807 			chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1808 			break;
1809 		}
1810 
1811 		chan->imtu = L2CAP_DEFAULT_MTU;
1812 		chan->omtu = 0;
1813 		if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1814 			chan->mode = L2CAP_MODE_ERTM;
1815 			set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1816 		} else {
1817 			chan->mode = L2CAP_MODE_BASIC;
1818 		}
1819 
1820 		l2cap_chan_set_defaults(chan);
1821 	}
1822 
1823 	/* Default config options */
1824 	chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1825 
1826 	chan->data = sk;
1827 	chan->ops = &l2cap_chan_ops;
1828 }
1829 
1830 static struct proto l2cap_proto = {
1831 	.name		= "L2CAP",
1832 	.owner		= THIS_MODULE,
1833 	.obj_size	= sizeof(struct l2cap_pinfo)
1834 };
1835 
1836 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1837 				     int proto, gfp_t prio, int kern)
1838 {
1839 	struct sock *sk;
1840 	struct l2cap_chan *chan;
1841 
1842 	sk = bt_sock_alloc(net, sock, &l2cap_proto, proto, prio, kern);
1843 	if (!sk)
1844 		return NULL;
1845 
1846 	sk->sk_destruct = l2cap_sock_destruct;
1847 	sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1848 
1849 	chan = l2cap_chan_create();
1850 	if (!chan) {
1851 		sk_free(sk);
1852 		return NULL;
1853 	}
1854 
1855 	l2cap_chan_hold(chan);
1856 
1857 	l2cap_pi(sk)->chan = chan;
1858 
1859 	return sk;
1860 }
1861 
1862 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1863 			     int kern)
1864 {
1865 	struct sock *sk;
1866 
1867 	BT_DBG("sock %p", sock);
1868 
1869 	sock->state = SS_UNCONNECTED;
1870 
1871 	if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1872 	    sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1873 		return -ESOCKTNOSUPPORT;
1874 
1875 	if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1876 		return -EPERM;
1877 
1878 	sock->ops = &l2cap_sock_ops;
1879 
1880 	sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1881 	if (!sk)
1882 		return -ENOMEM;
1883 
1884 	l2cap_sock_init(sk, NULL);
1885 	bt_sock_link(&l2cap_sk_list, sk);
1886 	return 0;
1887 }
1888 
1889 static const struct proto_ops l2cap_sock_ops = {
1890 	.family		= PF_BLUETOOTH,
1891 	.owner		= THIS_MODULE,
1892 	.release	= l2cap_sock_release,
1893 	.bind		= l2cap_sock_bind,
1894 	.connect	= l2cap_sock_connect,
1895 	.listen		= l2cap_sock_listen,
1896 	.accept		= l2cap_sock_accept,
1897 	.getname	= l2cap_sock_getname,
1898 	.sendmsg	= l2cap_sock_sendmsg,
1899 	.recvmsg	= l2cap_sock_recvmsg,
1900 	.poll		= bt_sock_poll,
1901 	.ioctl		= bt_sock_ioctl,
1902 	.gettstamp	= sock_gettstamp,
1903 	.mmap		= sock_no_mmap,
1904 	.socketpair	= sock_no_socketpair,
1905 	.shutdown	= l2cap_sock_shutdown,
1906 	.setsockopt	= l2cap_sock_setsockopt,
1907 	.getsockopt	= l2cap_sock_getsockopt
1908 };
1909 
1910 static const struct net_proto_family l2cap_sock_family_ops = {
1911 	.family	= PF_BLUETOOTH,
1912 	.owner	= THIS_MODULE,
1913 	.create	= l2cap_sock_create,
1914 };
1915 
1916 int __init l2cap_init_sockets(void)
1917 {
1918 	int err;
1919 
1920 	BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1921 
1922 	err = proto_register(&l2cap_proto, 0);
1923 	if (err < 0)
1924 		return err;
1925 
1926 	err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1927 	if (err < 0) {
1928 		BT_ERR("L2CAP socket registration failed");
1929 		goto error;
1930 	}
1931 
1932 	err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1933 			     NULL);
1934 	if (err < 0) {
1935 		BT_ERR("Failed to create L2CAP proc file");
1936 		bt_sock_unregister(BTPROTO_L2CAP);
1937 		goto error;
1938 	}
1939 
1940 	BT_INFO("L2CAP socket layer initialized");
1941 
1942 	return 0;
1943 
1944 error:
1945 	proto_unregister(&l2cap_proto);
1946 	return err;
1947 }
1948 
1949 void l2cap_cleanup_sockets(void)
1950 {
1951 	bt_procfs_cleanup(&init_net, "l2cap");
1952 	bt_sock_unregister(BTPROTO_L2CAP);
1953 	proto_unregister(&l2cap_proto);
1954 }
1955