xref: /openbmc/linux/net/bluetooth/l2cap_sock.c (revision 657c45b3)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4    Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5    Copyright (C) 2010 Google Inc.
6    Copyright (C) 2011 ProFUSION Embedded Systems
7 
8    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9 
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License version 2 as
12    published by the Free Software Foundation;
13 
14    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22 
23    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25    SOFTWARE IS DISCLAIMED.
26 */
27 
28 /* Bluetooth L2CAP sockets. */
29 
30 #include <linux/module.h>
31 #include <linux/export.h>
32 #include <linux/filter.h>
33 #include <linux/sched/signal.h>
34 
35 #include <net/bluetooth/bluetooth.h>
36 #include <net/bluetooth/hci_core.h>
37 #include <net/bluetooth/l2cap.h>
38 
39 #include "smp.h"
40 
41 static struct bt_sock_list l2cap_sk_list = {
42 	.lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
43 };
44 
45 static const struct proto_ops l2cap_sock_ops;
46 static void l2cap_sock_init(struct sock *sk, struct sock *parent);
47 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
48 				     int proto, gfp_t prio, int kern);
49 static void l2cap_sock_cleanup_listen(struct sock *parent);
50 
51 bool l2cap_is_socket(struct socket *sock)
52 {
53 	return sock && sock->ops == &l2cap_sock_ops;
54 }
55 EXPORT_SYMBOL(l2cap_is_socket);
56 
57 static int l2cap_validate_bredr_psm(u16 psm)
58 {
59 	/* PSM must be odd and lsb of upper byte must be 0 */
60 	if ((psm & 0x0101) != 0x0001)
61 		return -EINVAL;
62 
63 	/* Restrict usage of well-known PSMs */
64 	if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
65 		return -EACCES;
66 
67 	return 0;
68 }
69 
70 static int l2cap_validate_le_psm(u16 psm)
71 {
72 	/* Valid LE_PSM ranges are defined only until 0x00ff */
73 	if (psm > L2CAP_PSM_LE_DYN_END)
74 		return -EINVAL;
75 
76 	/* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
77 	if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
78 		return -EACCES;
79 
80 	return 0;
81 }
82 
83 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
84 {
85 	struct sock *sk = sock->sk;
86 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
87 	struct sockaddr_l2 la;
88 	int len, err = 0;
89 
90 	BT_DBG("sk %p", sk);
91 
92 	if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
93 	    addr->sa_family != AF_BLUETOOTH)
94 		return -EINVAL;
95 
96 	memset(&la, 0, sizeof(la));
97 	len = min_t(unsigned int, sizeof(la), alen);
98 	memcpy(&la, addr, len);
99 
100 	if (la.l2_cid && la.l2_psm)
101 		return -EINVAL;
102 
103 	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
104 		return -EINVAL;
105 
106 	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
107 		/* We only allow ATT user space socket */
108 		if (la.l2_cid &&
109 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
110 			return -EINVAL;
111 	}
112 
113 	lock_sock(sk);
114 
115 	if (sk->sk_state != BT_OPEN) {
116 		err = -EBADFD;
117 		goto done;
118 	}
119 
120 	if (la.l2_psm) {
121 		__u16 psm = __le16_to_cpu(la.l2_psm);
122 
123 		if (la.l2_bdaddr_type == BDADDR_BREDR)
124 			err = l2cap_validate_bredr_psm(psm);
125 		else
126 			err = l2cap_validate_le_psm(psm);
127 
128 		if (err)
129 			goto done;
130 	}
131 
132 	bacpy(&chan->src, &la.l2_bdaddr);
133 	chan->src_type = la.l2_bdaddr_type;
134 
135 	if (la.l2_cid)
136 		err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
137 	else
138 		err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
139 
140 	if (err < 0)
141 		goto done;
142 
143 	switch (chan->chan_type) {
144 	case L2CAP_CHAN_CONN_LESS:
145 		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
146 			chan->sec_level = BT_SECURITY_SDP;
147 		break;
148 	case L2CAP_CHAN_CONN_ORIENTED:
149 		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
150 		    __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
151 			chan->sec_level = BT_SECURITY_SDP;
152 		break;
153 	case L2CAP_CHAN_RAW:
154 		chan->sec_level = BT_SECURITY_SDP;
155 		break;
156 	case L2CAP_CHAN_FIXED:
157 		/* Fixed channels default to the L2CAP core not holding a
158 		 * hci_conn reference for them. For fixed channels mapping to
159 		 * L2CAP sockets we do want to hold a reference so set the
160 		 * appropriate flag to request it.
161 		 */
162 		set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
163 		break;
164 	}
165 
166 	/* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
167 	 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
168 	 */
169 	if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
170 	    chan->mode != L2CAP_MODE_EXT_FLOWCTL)
171 		chan->mode = L2CAP_MODE_LE_FLOWCTL;
172 
173 	chan->state = BT_BOUND;
174 	sk->sk_state = BT_BOUND;
175 
176 done:
177 	release_sock(sk);
178 	return err;
179 }
180 
181 static void l2cap_sock_init_pid(struct sock *sk)
182 {
183 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
184 
185 	/* Only L2CAP_MODE_EXT_FLOWCTL ever need to access the PID in order to
186 	 * group the channels being requested.
187 	 */
188 	if (chan->mode != L2CAP_MODE_EXT_FLOWCTL)
189 		return;
190 
191 	spin_lock(&sk->sk_peer_lock);
192 	sk->sk_peer_pid = get_pid(task_tgid(current));
193 	spin_unlock(&sk->sk_peer_lock);
194 }
195 
196 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
197 			      int alen, int flags)
198 {
199 	struct sock *sk = sock->sk;
200 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
201 	struct sockaddr_l2 la;
202 	int len, err = 0;
203 	bool zapped;
204 
205 	BT_DBG("sk %p", sk);
206 
207 	lock_sock(sk);
208 	zapped = sock_flag(sk, SOCK_ZAPPED);
209 	release_sock(sk);
210 
211 	if (zapped)
212 		return -EINVAL;
213 
214 	if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
215 	    addr->sa_family != AF_BLUETOOTH)
216 		return -EINVAL;
217 
218 	memset(&la, 0, sizeof(la));
219 	len = min_t(unsigned int, sizeof(la), alen);
220 	memcpy(&la, addr, len);
221 
222 	if (la.l2_cid && la.l2_psm)
223 		return -EINVAL;
224 
225 	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
226 		return -EINVAL;
227 
228 	/* Check that the socket wasn't bound to something that
229 	 * conflicts with the address given to connect(). If chan->src
230 	 * is BDADDR_ANY it means bind() was never used, in which case
231 	 * chan->src_type and la.l2_bdaddr_type do not need to match.
232 	 */
233 	if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
234 	    bdaddr_type_is_le(la.l2_bdaddr_type)) {
235 		/* Old user space versions will try to incorrectly bind
236 		 * the ATT socket using BDADDR_BREDR. We need to accept
237 		 * this and fix up the source address type only when
238 		 * both the source CID and destination CID indicate
239 		 * ATT. Anything else is an invalid combination.
240 		 */
241 		if (chan->scid != L2CAP_CID_ATT ||
242 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
243 			return -EINVAL;
244 
245 		/* We don't have the hdev available here to make a
246 		 * better decision on random vs public, but since all
247 		 * user space versions that exhibit this issue anyway do
248 		 * not support random local addresses assuming public
249 		 * here is good enough.
250 		 */
251 		chan->src_type = BDADDR_LE_PUBLIC;
252 	}
253 
254 	if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
255 		return -EINVAL;
256 
257 	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
258 		/* We only allow ATT user space socket */
259 		if (la.l2_cid &&
260 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
261 			return -EINVAL;
262 	}
263 
264 	/* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
265 	 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
266 	 */
267 	if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
268 	    chan->mode != L2CAP_MODE_EXT_FLOWCTL)
269 		chan->mode = L2CAP_MODE_LE_FLOWCTL;
270 
271 	l2cap_sock_init_pid(sk);
272 
273 	err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
274 				 &la.l2_bdaddr, la.l2_bdaddr_type);
275 	if (err)
276 		return err;
277 
278 	lock_sock(sk);
279 
280 	err = bt_sock_wait_state(sk, BT_CONNECTED,
281 				 sock_sndtimeo(sk, flags & O_NONBLOCK));
282 
283 	release_sock(sk);
284 
285 	return err;
286 }
287 
288 static int l2cap_sock_listen(struct socket *sock, int backlog)
289 {
290 	struct sock *sk = sock->sk;
291 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
292 	int err = 0;
293 
294 	BT_DBG("sk %p backlog %d", sk, backlog);
295 
296 	lock_sock(sk);
297 
298 	if (sk->sk_state != BT_BOUND) {
299 		err = -EBADFD;
300 		goto done;
301 	}
302 
303 	if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
304 		err = -EINVAL;
305 		goto done;
306 	}
307 
308 	switch (chan->mode) {
309 	case L2CAP_MODE_BASIC:
310 	case L2CAP_MODE_LE_FLOWCTL:
311 		break;
312 	case L2CAP_MODE_EXT_FLOWCTL:
313 		if (!enable_ecred) {
314 			err = -EOPNOTSUPP;
315 			goto done;
316 		}
317 		break;
318 	case L2CAP_MODE_ERTM:
319 	case L2CAP_MODE_STREAMING:
320 		if (!disable_ertm)
321 			break;
322 		fallthrough;
323 	default:
324 		err = -EOPNOTSUPP;
325 		goto done;
326 	}
327 
328 	l2cap_sock_init_pid(sk);
329 
330 	sk->sk_max_ack_backlog = backlog;
331 	sk->sk_ack_backlog = 0;
332 
333 	/* Listening channels need to use nested locking in order not to
334 	 * cause lockdep warnings when the created child channels end up
335 	 * being locked in the same thread as the parent channel.
336 	 */
337 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
338 
339 	chan->state = BT_LISTEN;
340 	sk->sk_state = BT_LISTEN;
341 
342 done:
343 	release_sock(sk);
344 	return err;
345 }
346 
347 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
348 			     int flags, bool kern)
349 {
350 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
351 	struct sock *sk = sock->sk, *nsk;
352 	long timeo;
353 	int err = 0;
354 
355 	lock_sock_nested(sk, L2CAP_NESTING_PARENT);
356 
357 	timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
358 
359 	BT_DBG("sk %p timeo %ld", sk, timeo);
360 
361 	/* Wait for an incoming connection. (wake-one). */
362 	add_wait_queue_exclusive(sk_sleep(sk), &wait);
363 	while (1) {
364 		if (sk->sk_state != BT_LISTEN) {
365 			err = -EBADFD;
366 			break;
367 		}
368 
369 		nsk = bt_accept_dequeue(sk, newsock);
370 		if (nsk)
371 			break;
372 
373 		if (!timeo) {
374 			err = -EAGAIN;
375 			break;
376 		}
377 
378 		if (signal_pending(current)) {
379 			err = sock_intr_errno(timeo);
380 			break;
381 		}
382 
383 		release_sock(sk);
384 
385 		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
386 
387 		lock_sock_nested(sk, L2CAP_NESTING_PARENT);
388 	}
389 	remove_wait_queue(sk_sleep(sk), &wait);
390 
391 	if (err)
392 		goto done;
393 
394 	newsock->state = SS_CONNECTED;
395 
396 	BT_DBG("new socket %p", nsk);
397 
398 done:
399 	release_sock(sk);
400 	return err;
401 }
402 
403 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
404 			      int peer)
405 {
406 	struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
407 	struct sock *sk = sock->sk;
408 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
409 
410 	BT_DBG("sock %p, sk %p", sock, sk);
411 
412 	if (peer && sk->sk_state != BT_CONNECTED &&
413 	    sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
414 	    sk->sk_state != BT_CONFIG)
415 		return -ENOTCONN;
416 
417 	memset(la, 0, sizeof(struct sockaddr_l2));
418 	addr->sa_family = AF_BLUETOOTH;
419 
420 	la->l2_psm = chan->psm;
421 
422 	if (peer) {
423 		bacpy(&la->l2_bdaddr, &chan->dst);
424 		la->l2_cid = cpu_to_le16(chan->dcid);
425 		la->l2_bdaddr_type = chan->dst_type;
426 	} else {
427 		bacpy(&la->l2_bdaddr, &chan->src);
428 		la->l2_cid = cpu_to_le16(chan->scid);
429 		la->l2_bdaddr_type = chan->src_type;
430 	}
431 
432 	return sizeof(struct sockaddr_l2);
433 }
434 
435 static int l2cap_get_mode(struct l2cap_chan *chan)
436 {
437 	switch (chan->mode) {
438 	case L2CAP_MODE_BASIC:
439 		return BT_MODE_BASIC;
440 	case L2CAP_MODE_ERTM:
441 		return BT_MODE_ERTM;
442 	case L2CAP_MODE_STREAMING:
443 		return BT_MODE_STREAMING;
444 	case L2CAP_MODE_LE_FLOWCTL:
445 		return BT_MODE_LE_FLOWCTL;
446 	case L2CAP_MODE_EXT_FLOWCTL:
447 		return BT_MODE_EXT_FLOWCTL;
448 	}
449 
450 	return -EINVAL;
451 }
452 
453 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
454 				     char __user *optval, int __user *optlen)
455 {
456 	struct sock *sk = sock->sk;
457 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
458 	struct l2cap_options opts;
459 	struct l2cap_conninfo cinfo;
460 	int len, err = 0;
461 	u32 opt;
462 
463 	BT_DBG("sk %p", sk);
464 
465 	if (get_user(len, optlen))
466 		return -EFAULT;
467 
468 	lock_sock(sk);
469 
470 	switch (optname) {
471 	case L2CAP_OPTIONS:
472 		/* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
473 		 * legacy ATT code depends on getsockopt for
474 		 * L2CAP_OPTIONS we need to let this pass.
475 		 */
476 		if (bdaddr_type_is_le(chan->src_type) &&
477 		    chan->scid != L2CAP_CID_ATT) {
478 			err = -EINVAL;
479 			break;
480 		}
481 
482 		/* Only BR/EDR modes are supported here */
483 		switch (chan->mode) {
484 		case L2CAP_MODE_BASIC:
485 		case L2CAP_MODE_ERTM:
486 		case L2CAP_MODE_STREAMING:
487 			break;
488 		default:
489 			err = -EINVAL;
490 			break;
491 		}
492 
493 		if (err < 0)
494 			break;
495 
496 		memset(&opts, 0, sizeof(opts));
497 		opts.imtu     = chan->imtu;
498 		opts.omtu     = chan->omtu;
499 		opts.flush_to = chan->flush_to;
500 		opts.mode     = chan->mode;
501 		opts.fcs      = chan->fcs;
502 		opts.max_tx   = chan->max_tx;
503 		opts.txwin_size = chan->tx_win;
504 
505 		BT_DBG("mode 0x%2.2x", chan->mode);
506 
507 		len = min_t(unsigned int, len, sizeof(opts));
508 		if (copy_to_user(optval, (char *) &opts, len))
509 			err = -EFAULT;
510 
511 		break;
512 
513 	case L2CAP_LM:
514 		switch (chan->sec_level) {
515 		case BT_SECURITY_LOW:
516 			opt = L2CAP_LM_AUTH;
517 			break;
518 		case BT_SECURITY_MEDIUM:
519 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
520 			break;
521 		case BT_SECURITY_HIGH:
522 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
523 			      L2CAP_LM_SECURE;
524 			break;
525 		case BT_SECURITY_FIPS:
526 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
527 			      L2CAP_LM_SECURE | L2CAP_LM_FIPS;
528 			break;
529 		default:
530 			opt = 0;
531 			break;
532 		}
533 
534 		if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
535 			opt |= L2CAP_LM_MASTER;
536 
537 		if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
538 			opt |= L2CAP_LM_RELIABLE;
539 
540 		if (put_user(opt, (u32 __user *) optval))
541 			err = -EFAULT;
542 
543 		break;
544 
545 	case L2CAP_CONNINFO:
546 		if (sk->sk_state != BT_CONNECTED &&
547 		    !(sk->sk_state == BT_CONNECT2 &&
548 		      test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
549 			err = -ENOTCONN;
550 			break;
551 		}
552 
553 		memset(&cinfo, 0, sizeof(cinfo));
554 		cinfo.hci_handle = chan->conn->hcon->handle;
555 		memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
556 
557 		len = min_t(unsigned int, len, sizeof(cinfo));
558 		if (copy_to_user(optval, (char *) &cinfo, len))
559 			err = -EFAULT;
560 
561 		break;
562 
563 	default:
564 		err = -ENOPROTOOPT;
565 		break;
566 	}
567 
568 	release_sock(sk);
569 	return err;
570 }
571 
572 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
573 				 char __user *optval, int __user *optlen)
574 {
575 	struct sock *sk = sock->sk;
576 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
577 	struct bt_security sec;
578 	struct bt_power pwr;
579 	u32 phys;
580 	int len, mode, err = 0;
581 
582 	BT_DBG("sk %p", sk);
583 
584 	if (level == SOL_L2CAP)
585 		return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
586 
587 	if (level != SOL_BLUETOOTH)
588 		return -ENOPROTOOPT;
589 
590 	if (get_user(len, optlen))
591 		return -EFAULT;
592 
593 	lock_sock(sk);
594 
595 	switch (optname) {
596 	case BT_SECURITY:
597 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
598 		    chan->chan_type != L2CAP_CHAN_FIXED &&
599 		    chan->chan_type != L2CAP_CHAN_RAW) {
600 			err = -EINVAL;
601 			break;
602 		}
603 
604 		memset(&sec, 0, sizeof(sec));
605 		if (chan->conn) {
606 			sec.level = chan->conn->hcon->sec_level;
607 
608 			if (sk->sk_state == BT_CONNECTED)
609 				sec.key_size = chan->conn->hcon->enc_key_size;
610 		} else {
611 			sec.level = chan->sec_level;
612 		}
613 
614 		len = min_t(unsigned int, len, sizeof(sec));
615 		if (copy_to_user(optval, (char *) &sec, len))
616 			err = -EFAULT;
617 
618 		break;
619 
620 	case BT_DEFER_SETUP:
621 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
622 			err = -EINVAL;
623 			break;
624 		}
625 
626 		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
627 			     (u32 __user *) optval))
628 			err = -EFAULT;
629 
630 		break;
631 
632 	case BT_FLUSHABLE:
633 		if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
634 			     (u32 __user *) optval))
635 			err = -EFAULT;
636 
637 		break;
638 
639 	case BT_POWER:
640 		if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
641 		    && sk->sk_type != SOCK_RAW) {
642 			err = -EINVAL;
643 			break;
644 		}
645 
646 		pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
647 
648 		len = min_t(unsigned int, len, sizeof(pwr));
649 		if (copy_to_user(optval, (char *) &pwr, len))
650 			err = -EFAULT;
651 
652 		break;
653 
654 	case BT_CHANNEL_POLICY:
655 		if (put_user(chan->chan_policy, (u32 __user *) optval))
656 			err = -EFAULT;
657 		break;
658 
659 	case BT_SNDMTU:
660 		if (!bdaddr_type_is_le(chan->src_type)) {
661 			err = -EINVAL;
662 			break;
663 		}
664 
665 		if (sk->sk_state != BT_CONNECTED) {
666 			err = -ENOTCONN;
667 			break;
668 		}
669 
670 		if (put_user(chan->omtu, (u16 __user *) optval))
671 			err = -EFAULT;
672 		break;
673 
674 	case BT_RCVMTU:
675 		if (!bdaddr_type_is_le(chan->src_type)) {
676 			err = -EINVAL;
677 			break;
678 		}
679 
680 		if (put_user(chan->imtu, (u16 __user *) optval))
681 			err = -EFAULT;
682 		break;
683 
684 	case BT_PHY:
685 		if (sk->sk_state != BT_CONNECTED) {
686 			err = -ENOTCONN;
687 			break;
688 		}
689 
690 		phys = hci_conn_get_phy(chan->conn->hcon);
691 
692 		if (put_user(phys, (u32 __user *) optval))
693 			err = -EFAULT;
694 		break;
695 
696 	case BT_MODE:
697 		if (!enable_ecred) {
698 			err = -ENOPROTOOPT;
699 			break;
700 		}
701 
702 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
703 			err = -EINVAL;
704 			break;
705 		}
706 
707 		mode = l2cap_get_mode(chan);
708 		if (mode < 0) {
709 			err = mode;
710 			break;
711 		}
712 
713 		if (put_user(mode, (u8 __user *) optval))
714 			err = -EFAULT;
715 		break;
716 
717 	default:
718 		err = -ENOPROTOOPT;
719 		break;
720 	}
721 
722 	release_sock(sk);
723 	return err;
724 }
725 
726 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
727 {
728 	switch (chan->scid) {
729 	case L2CAP_CID_ATT:
730 		if (mtu < L2CAP_LE_MIN_MTU)
731 			return false;
732 		break;
733 
734 	default:
735 		if (mtu < L2CAP_DEFAULT_MIN_MTU)
736 			return false;
737 	}
738 
739 	return true;
740 }
741 
742 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
743 				     sockptr_t optval, unsigned int optlen)
744 {
745 	struct sock *sk = sock->sk;
746 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
747 	struct l2cap_options opts;
748 	int len, err = 0;
749 	u32 opt;
750 
751 	BT_DBG("sk %p", sk);
752 
753 	lock_sock(sk);
754 
755 	switch (optname) {
756 	case L2CAP_OPTIONS:
757 		if (bdaddr_type_is_le(chan->src_type)) {
758 			err = -EINVAL;
759 			break;
760 		}
761 
762 		if (sk->sk_state == BT_CONNECTED) {
763 			err = -EINVAL;
764 			break;
765 		}
766 
767 		opts.imtu     = chan->imtu;
768 		opts.omtu     = chan->omtu;
769 		opts.flush_to = chan->flush_to;
770 		opts.mode     = chan->mode;
771 		opts.fcs      = chan->fcs;
772 		opts.max_tx   = chan->max_tx;
773 		opts.txwin_size = chan->tx_win;
774 
775 		len = min_t(unsigned int, sizeof(opts), optlen);
776 		if (copy_from_sockptr(&opts, optval, len)) {
777 			err = -EFAULT;
778 			break;
779 		}
780 
781 		if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
782 			err = -EINVAL;
783 			break;
784 		}
785 
786 		if (!l2cap_valid_mtu(chan, opts.imtu)) {
787 			err = -EINVAL;
788 			break;
789 		}
790 
791 		/* Only BR/EDR modes are supported here */
792 		switch (opts.mode) {
793 		case L2CAP_MODE_BASIC:
794 			clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
795 			break;
796 		case L2CAP_MODE_ERTM:
797 		case L2CAP_MODE_STREAMING:
798 			if (!disable_ertm)
799 				break;
800 			fallthrough;
801 		default:
802 			err = -EINVAL;
803 			break;
804 		}
805 
806 		if (err < 0)
807 			break;
808 
809 		chan->mode = opts.mode;
810 
811 		BT_DBG("mode 0x%2.2x", chan->mode);
812 
813 		chan->imtu = opts.imtu;
814 		chan->omtu = opts.omtu;
815 		chan->fcs  = opts.fcs;
816 		chan->max_tx = opts.max_tx;
817 		chan->tx_win = opts.txwin_size;
818 		chan->flush_to = opts.flush_to;
819 		break;
820 
821 	case L2CAP_LM:
822 		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
823 			err = -EFAULT;
824 			break;
825 		}
826 
827 		if (opt & L2CAP_LM_FIPS) {
828 			err = -EINVAL;
829 			break;
830 		}
831 
832 		if (opt & L2CAP_LM_AUTH)
833 			chan->sec_level = BT_SECURITY_LOW;
834 		if (opt & L2CAP_LM_ENCRYPT)
835 			chan->sec_level = BT_SECURITY_MEDIUM;
836 		if (opt & L2CAP_LM_SECURE)
837 			chan->sec_level = BT_SECURITY_HIGH;
838 
839 		if (opt & L2CAP_LM_MASTER)
840 			set_bit(FLAG_ROLE_SWITCH, &chan->flags);
841 		else
842 			clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
843 
844 		if (opt & L2CAP_LM_RELIABLE)
845 			set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
846 		else
847 			clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
848 		break;
849 
850 	default:
851 		err = -ENOPROTOOPT;
852 		break;
853 	}
854 
855 	release_sock(sk);
856 	return err;
857 }
858 
859 static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode)
860 {
861 	switch (mode) {
862 	case BT_MODE_BASIC:
863 		if (bdaddr_type_is_le(chan->src_type))
864 			return -EINVAL;
865 		mode = L2CAP_MODE_BASIC;
866 		clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
867 		break;
868 	case BT_MODE_ERTM:
869 		if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
870 			return -EINVAL;
871 		mode = L2CAP_MODE_ERTM;
872 		break;
873 	case BT_MODE_STREAMING:
874 		if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
875 			return -EINVAL;
876 		mode = L2CAP_MODE_STREAMING;
877 		break;
878 	case BT_MODE_LE_FLOWCTL:
879 		if (!bdaddr_type_is_le(chan->src_type))
880 			return -EINVAL;
881 		mode = L2CAP_MODE_LE_FLOWCTL;
882 		break;
883 	case BT_MODE_EXT_FLOWCTL:
884 		/* TODO: Add support for ECRED PDUs to BR/EDR */
885 		if (!bdaddr_type_is_le(chan->src_type))
886 			return -EINVAL;
887 		mode = L2CAP_MODE_EXT_FLOWCTL;
888 		break;
889 	default:
890 		return -EINVAL;
891 	}
892 
893 	chan->mode = mode;
894 
895 	return 0;
896 }
897 
898 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
899 				 sockptr_t optval, unsigned int optlen)
900 {
901 	struct sock *sk = sock->sk;
902 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
903 	struct bt_security sec;
904 	struct bt_power pwr;
905 	struct l2cap_conn *conn;
906 	int len, err = 0;
907 	u32 opt;
908 	u16 mtu;
909 	u8 mode;
910 
911 	BT_DBG("sk %p", sk);
912 
913 	if (level == SOL_L2CAP)
914 		return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
915 
916 	if (level != SOL_BLUETOOTH)
917 		return -ENOPROTOOPT;
918 
919 	lock_sock(sk);
920 
921 	switch (optname) {
922 	case BT_SECURITY:
923 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
924 		    chan->chan_type != L2CAP_CHAN_FIXED &&
925 		    chan->chan_type != L2CAP_CHAN_RAW) {
926 			err = -EINVAL;
927 			break;
928 		}
929 
930 		sec.level = BT_SECURITY_LOW;
931 
932 		len = min_t(unsigned int, sizeof(sec), optlen);
933 		if (copy_from_sockptr(&sec, optval, len)) {
934 			err = -EFAULT;
935 			break;
936 		}
937 
938 		if (sec.level < BT_SECURITY_LOW ||
939 		    sec.level > BT_SECURITY_FIPS) {
940 			err = -EINVAL;
941 			break;
942 		}
943 
944 		chan->sec_level = sec.level;
945 
946 		if (!chan->conn)
947 			break;
948 
949 		conn = chan->conn;
950 
951 		/* change security for LE channels */
952 		if (chan->scid == L2CAP_CID_ATT) {
953 			if (smp_conn_security(conn->hcon, sec.level)) {
954 				err = -EINVAL;
955 				break;
956 			}
957 
958 			set_bit(FLAG_PENDING_SECURITY, &chan->flags);
959 			sk->sk_state = BT_CONFIG;
960 			chan->state = BT_CONFIG;
961 
962 		/* or for ACL link */
963 		} else if ((sk->sk_state == BT_CONNECT2 &&
964 			    test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
965 			   sk->sk_state == BT_CONNECTED) {
966 			if (!l2cap_chan_check_security(chan, true))
967 				set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
968 			else
969 				sk->sk_state_change(sk);
970 		} else {
971 			err = -EINVAL;
972 		}
973 		break;
974 
975 	case BT_DEFER_SETUP:
976 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
977 			err = -EINVAL;
978 			break;
979 		}
980 
981 		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
982 			err = -EFAULT;
983 			break;
984 		}
985 
986 		if (opt) {
987 			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
988 			set_bit(FLAG_DEFER_SETUP, &chan->flags);
989 		} else {
990 			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
991 			clear_bit(FLAG_DEFER_SETUP, &chan->flags);
992 		}
993 		break;
994 
995 	case BT_FLUSHABLE:
996 		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
997 			err = -EFAULT;
998 			break;
999 		}
1000 
1001 		if (opt > BT_FLUSHABLE_ON) {
1002 			err = -EINVAL;
1003 			break;
1004 		}
1005 
1006 		if (opt == BT_FLUSHABLE_OFF) {
1007 			conn = chan->conn;
1008 			/* proceed further only when we have l2cap_conn and
1009 			   No Flush support in the LM */
1010 			if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
1011 				err = -EINVAL;
1012 				break;
1013 			}
1014 		}
1015 
1016 		if (opt)
1017 			set_bit(FLAG_FLUSHABLE, &chan->flags);
1018 		else
1019 			clear_bit(FLAG_FLUSHABLE, &chan->flags);
1020 		break;
1021 
1022 	case BT_POWER:
1023 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
1024 		    chan->chan_type != L2CAP_CHAN_RAW) {
1025 			err = -EINVAL;
1026 			break;
1027 		}
1028 
1029 		pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
1030 
1031 		len = min_t(unsigned int, sizeof(pwr), optlen);
1032 		if (copy_from_sockptr(&pwr, optval, len)) {
1033 			err = -EFAULT;
1034 			break;
1035 		}
1036 
1037 		if (pwr.force_active)
1038 			set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1039 		else
1040 			clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1041 		break;
1042 
1043 	case BT_CHANNEL_POLICY:
1044 		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
1045 			err = -EFAULT;
1046 			break;
1047 		}
1048 
1049 		if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
1050 			err = -EINVAL;
1051 			break;
1052 		}
1053 
1054 		if (chan->mode != L2CAP_MODE_ERTM &&
1055 		    chan->mode != L2CAP_MODE_STREAMING) {
1056 			err = -EOPNOTSUPP;
1057 			break;
1058 		}
1059 
1060 		chan->chan_policy = (u8) opt;
1061 
1062 		if (sk->sk_state == BT_CONNECTED &&
1063 		    chan->move_role == L2CAP_MOVE_ROLE_NONE)
1064 			l2cap_move_start(chan);
1065 
1066 		break;
1067 
1068 	case BT_SNDMTU:
1069 		if (!bdaddr_type_is_le(chan->src_type)) {
1070 			err = -EINVAL;
1071 			break;
1072 		}
1073 
1074 		/* Setting is not supported as it's the remote side that
1075 		 * decides this.
1076 		 */
1077 		err = -EPERM;
1078 		break;
1079 
1080 	case BT_RCVMTU:
1081 		if (!bdaddr_type_is_le(chan->src_type)) {
1082 			err = -EINVAL;
1083 			break;
1084 		}
1085 
1086 		if (chan->mode == L2CAP_MODE_LE_FLOWCTL &&
1087 		    sk->sk_state == BT_CONNECTED) {
1088 			err = -EISCONN;
1089 			break;
1090 		}
1091 
1092 		if (copy_from_sockptr(&mtu, optval, sizeof(u16))) {
1093 			err = -EFAULT;
1094 			break;
1095 		}
1096 
1097 		if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
1098 		    sk->sk_state == BT_CONNECTED)
1099 			err = l2cap_chan_reconfigure(chan, mtu);
1100 		else
1101 			chan->imtu = mtu;
1102 
1103 		break;
1104 
1105 	case BT_MODE:
1106 		if (!enable_ecred) {
1107 			err = -ENOPROTOOPT;
1108 			break;
1109 		}
1110 
1111 		BT_DBG("sk->sk_state %u", sk->sk_state);
1112 
1113 		if (sk->sk_state != BT_BOUND) {
1114 			err = -EINVAL;
1115 			break;
1116 		}
1117 
1118 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1119 			err = -EINVAL;
1120 			break;
1121 		}
1122 
1123 		if (copy_from_sockptr(&mode, optval, sizeof(u8))) {
1124 			err = -EFAULT;
1125 			break;
1126 		}
1127 
1128 		BT_DBG("mode %u", mode);
1129 
1130 		err = l2cap_set_mode(chan, mode);
1131 		if (err)
1132 			break;
1133 
1134 		BT_DBG("mode 0x%2.2x", chan->mode);
1135 
1136 		break;
1137 
1138 	default:
1139 		err = -ENOPROTOOPT;
1140 		break;
1141 	}
1142 
1143 	release_sock(sk);
1144 	return err;
1145 }
1146 
1147 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1148 			      size_t len)
1149 {
1150 	struct sock *sk = sock->sk;
1151 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1152 	int err;
1153 
1154 	BT_DBG("sock %p, sk %p", sock, sk);
1155 
1156 	err = sock_error(sk);
1157 	if (err)
1158 		return err;
1159 
1160 	if (msg->msg_flags & MSG_OOB)
1161 		return -EOPNOTSUPP;
1162 
1163 	if (sk->sk_state != BT_CONNECTED)
1164 		return -ENOTCONN;
1165 
1166 	lock_sock(sk);
1167 	err = bt_sock_wait_ready(sk, msg->msg_flags);
1168 	release_sock(sk);
1169 	if (err)
1170 		return err;
1171 
1172 	l2cap_chan_lock(chan);
1173 	err = l2cap_chan_send(chan, msg, len);
1174 	l2cap_chan_unlock(chan);
1175 
1176 	return err;
1177 }
1178 
1179 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1180 			      size_t len, int flags)
1181 {
1182 	struct sock *sk = sock->sk;
1183 	struct l2cap_pinfo *pi = l2cap_pi(sk);
1184 	int err;
1185 
1186 	lock_sock(sk);
1187 
1188 	if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
1189 						    &bt_sk(sk)->flags)) {
1190 		if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
1191 			sk->sk_state = BT_CONNECTED;
1192 			pi->chan->state = BT_CONNECTED;
1193 			__l2cap_ecred_conn_rsp_defer(pi->chan);
1194 		} else if (bdaddr_type_is_le(pi->chan->src_type)) {
1195 			sk->sk_state = BT_CONNECTED;
1196 			pi->chan->state = BT_CONNECTED;
1197 			__l2cap_le_connect_rsp_defer(pi->chan);
1198 		} else {
1199 			sk->sk_state = BT_CONFIG;
1200 			pi->chan->state = BT_CONFIG;
1201 			__l2cap_connect_rsp_defer(pi->chan);
1202 		}
1203 
1204 		err = 0;
1205 		goto done;
1206 	}
1207 
1208 	release_sock(sk);
1209 
1210 	if (sock->type == SOCK_STREAM)
1211 		err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1212 	else
1213 		err = bt_sock_recvmsg(sock, msg, len, flags);
1214 
1215 	if (pi->chan->mode != L2CAP_MODE_ERTM)
1216 		return err;
1217 
1218 	/* Attempt to put pending rx data in the socket buffer */
1219 
1220 	lock_sock(sk);
1221 
1222 	if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1223 		goto done;
1224 
1225 	if (pi->rx_busy_skb) {
1226 		if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1227 			pi->rx_busy_skb = NULL;
1228 		else
1229 			goto done;
1230 	}
1231 
1232 	/* Restore data flow when half of the receive buffer is
1233 	 * available.  This avoids resending large numbers of
1234 	 * frames.
1235 	 */
1236 	if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1237 		l2cap_chan_busy(pi->chan, 0);
1238 
1239 done:
1240 	release_sock(sk);
1241 	return err;
1242 }
1243 
1244 /* Kill socket (only if zapped and orphan)
1245  * Must be called on unlocked socket, with l2cap channel lock.
1246  */
1247 static void l2cap_sock_kill(struct sock *sk)
1248 {
1249 	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1250 		return;
1251 
1252 	BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1253 
1254 	/* Kill poor orphan */
1255 
1256 	l2cap_chan_put(l2cap_pi(sk)->chan);
1257 	sock_set_flag(sk, SOCK_DEAD);
1258 	sock_put(sk);
1259 }
1260 
1261 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1262 {
1263 	DECLARE_WAITQUEUE(wait, current);
1264 	int err = 0;
1265 	int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1266 	/* Timeout to prevent infinite loop */
1267 	unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1268 
1269 	add_wait_queue(sk_sleep(sk), &wait);
1270 	set_current_state(TASK_INTERRUPTIBLE);
1271 	do {
1272 		BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1273 		       chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1274 		       jiffies_to_msecs(timeout - jiffies));
1275 
1276 		if (!timeo)
1277 			timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1278 
1279 		if (signal_pending(current)) {
1280 			err = sock_intr_errno(timeo);
1281 			break;
1282 		}
1283 
1284 		release_sock(sk);
1285 		timeo = schedule_timeout(timeo);
1286 		lock_sock(sk);
1287 		set_current_state(TASK_INTERRUPTIBLE);
1288 
1289 		err = sock_error(sk);
1290 		if (err)
1291 			break;
1292 
1293 		if (time_after(jiffies, timeout)) {
1294 			err = -ENOLINK;
1295 			break;
1296 		}
1297 
1298 	} while (chan->unacked_frames > 0 &&
1299 		 chan->state == BT_CONNECTED);
1300 
1301 	set_current_state(TASK_RUNNING);
1302 	remove_wait_queue(sk_sleep(sk), &wait);
1303 	return err;
1304 }
1305 
1306 static int l2cap_sock_shutdown(struct socket *sock, int how)
1307 {
1308 	struct sock *sk = sock->sk;
1309 	struct l2cap_chan *chan;
1310 	struct l2cap_conn *conn;
1311 	int err = 0;
1312 
1313 	BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1314 
1315 	/* 'how' parameter is mapped to sk_shutdown as follows:
1316 	 * SHUT_RD   (0) --> RCV_SHUTDOWN  (1)
1317 	 * SHUT_WR   (1) --> SEND_SHUTDOWN (2)
1318 	 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3)
1319 	 */
1320 	how++;
1321 
1322 	if (!sk)
1323 		return 0;
1324 
1325 	lock_sock(sk);
1326 
1327 	if ((sk->sk_shutdown & how) == how)
1328 		goto shutdown_already;
1329 
1330 	BT_DBG("Handling sock shutdown");
1331 
1332 	/* prevent sk structure from being freed whilst unlocked */
1333 	sock_hold(sk);
1334 
1335 	chan = l2cap_pi(sk)->chan;
1336 	/* prevent chan structure from being freed whilst unlocked */
1337 	l2cap_chan_hold(chan);
1338 
1339 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1340 
1341 	if (chan->mode == L2CAP_MODE_ERTM &&
1342 	    chan->unacked_frames > 0 &&
1343 	    chan->state == BT_CONNECTED) {
1344 		err = __l2cap_wait_ack(sk, chan);
1345 
1346 		/* After waiting for ACKs, check whether shutdown
1347 		 * has already been actioned to close the L2CAP
1348 		 * link such as by l2cap_disconnection_req().
1349 		 */
1350 		if ((sk->sk_shutdown & how) == how)
1351 			goto shutdown_matched;
1352 	}
1353 
1354 	/* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN
1355 	 * is already set
1356 	 */
1357 	if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) {
1358 		sk->sk_shutdown |= RCV_SHUTDOWN;
1359 		if ((sk->sk_shutdown & how) == how)
1360 			goto shutdown_matched;
1361 	}
1362 
1363 	sk->sk_shutdown |= SEND_SHUTDOWN;
1364 	release_sock(sk);
1365 
1366 	l2cap_chan_lock(chan);
1367 	conn = chan->conn;
1368 	if (conn)
1369 		/* prevent conn structure from being freed */
1370 		l2cap_conn_get(conn);
1371 	l2cap_chan_unlock(chan);
1372 
1373 	if (conn)
1374 		/* mutex lock must be taken before l2cap_chan_lock() */
1375 		mutex_lock(&conn->chan_lock);
1376 
1377 	l2cap_chan_lock(chan);
1378 	l2cap_chan_close(chan, 0);
1379 	l2cap_chan_unlock(chan);
1380 
1381 	if (conn) {
1382 		mutex_unlock(&conn->chan_lock);
1383 		l2cap_conn_put(conn);
1384 	}
1385 
1386 	lock_sock(sk);
1387 
1388 	if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1389 	    !(current->flags & PF_EXITING))
1390 		err = bt_sock_wait_state(sk, BT_CLOSED,
1391 					 sk->sk_lingertime);
1392 
1393 shutdown_matched:
1394 	l2cap_chan_put(chan);
1395 	sock_put(sk);
1396 
1397 shutdown_already:
1398 	if (!err && sk->sk_err)
1399 		err = -sk->sk_err;
1400 
1401 	release_sock(sk);
1402 
1403 	BT_DBG("Sock shutdown complete err: %d", err);
1404 
1405 	return err;
1406 }
1407 
1408 static int l2cap_sock_release(struct socket *sock)
1409 {
1410 	struct sock *sk = sock->sk;
1411 	int err;
1412 	struct l2cap_chan *chan;
1413 
1414 	BT_DBG("sock %p, sk %p", sock, sk);
1415 
1416 	if (!sk)
1417 		return 0;
1418 
1419 	l2cap_sock_cleanup_listen(sk);
1420 	bt_sock_unlink(&l2cap_sk_list, sk);
1421 
1422 	err = l2cap_sock_shutdown(sock, SHUT_RDWR);
1423 	chan = l2cap_pi(sk)->chan;
1424 
1425 	l2cap_chan_hold(chan);
1426 	l2cap_chan_lock(chan);
1427 
1428 	sock_orphan(sk);
1429 	l2cap_sock_kill(sk);
1430 
1431 	l2cap_chan_unlock(chan);
1432 	l2cap_chan_put(chan);
1433 
1434 	return err;
1435 }
1436 
1437 static void l2cap_sock_cleanup_listen(struct sock *parent)
1438 {
1439 	struct sock *sk;
1440 
1441 	BT_DBG("parent %p state %s", parent,
1442 	       state_to_string(parent->sk_state));
1443 
1444 	/* Close not yet accepted channels */
1445 	while ((sk = bt_accept_dequeue(parent, NULL))) {
1446 		struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1447 
1448 		BT_DBG("child chan %p state %s", chan,
1449 		       state_to_string(chan->state));
1450 
1451 		l2cap_chan_hold(chan);
1452 		l2cap_chan_lock(chan);
1453 
1454 		__clear_chan_timer(chan);
1455 		l2cap_chan_close(chan, ECONNRESET);
1456 		l2cap_sock_kill(sk);
1457 
1458 		l2cap_chan_unlock(chan);
1459 		l2cap_chan_put(chan);
1460 	}
1461 }
1462 
1463 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1464 {
1465 	struct sock *sk, *parent = chan->data;
1466 
1467 	lock_sock(parent);
1468 
1469 	/* Check for backlog size */
1470 	if (sk_acceptq_is_full(parent)) {
1471 		BT_DBG("backlog full %d", parent->sk_ack_backlog);
1472 		release_sock(parent);
1473 		return NULL;
1474 	}
1475 
1476 	sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1477 			      GFP_ATOMIC, 0);
1478 	if (!sk) {
1479 		release_sock(parent);
1480 		return NULL;
1481         }
1482 
1483 	bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1484 
1485 	l2cap_sock_init(sk, parent);
1486 
1487 	bt_accept_enqueue(parent, sk, false);
1488 
1489 	release_sock(parent);
1490 
1491 	return l2cap_pi(sk)->chan;
1492 }
1493 
1494 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1495 {
1496 	struct sock *sk = chan->data;
1497 	int err;
1498 
1499 	lock_sock(sk);
1500 
1501 	if (l2cap_pi(sk)->rx_busy_skb) {
1502 		err = -ENOMEM;
1503 		goto done;
1504 	}
1505 
1506 	if (chan->mode != L2CAP_MODE_ERTM &&
1507 	    chan->mode != L2CAP_MODE_STREAMING) {
1508 		/* Even if no filter is attached, we could potentially
1509 		 * get errors from security modules, etc.
1510 		 */
1511 		err = sk_filter(sk, skb);
1512 		if (err)
1513 			goto done;
1514 	}
1515 
1516 	err = __sock_queue_rcv_skb(sk, skb);
1517 
1518 	/* For ERTM, handle one skb that doesn't fit into the recv
1519 	 * buffer.  This is important to do because the data frames
1520 	 * have already been acked, so the skb cannot be discarded.
1521 	 *
1522 	 * Notify the l2cap core that the buffer is full, so the
1523 	 * LOCAL_BUSY state is entered and no more frames are
1524 	 * acked and reassembled until there is buffer space
1525 	 * available.
1526 	 */
1527 	if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1528 		l2cap_pi(sk)->rx_busy_skb = skb;
1529 		l2cap_chan_busy(chan, 1);
1530 		err = 0;
1531 	}
1532 
1533 done:
1534 	release_sock(sk);
1535 
1536 	return err;
1537 }
1538 
1539 static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1540 {
1541 	struct sock *sk = chan->data;
1542 
1543 	if (!sk)
1544 		return;
1545 
1546 	l2cap_sock_kill(sk);
1547 }
1548 
1549 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1550 {
1551 	struct sock *sk = chan->data;
1552 	struct sock *parent;
1553 
1554 	if (!sk)
1555 		return;
1556 
1557 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1558 
1559 	/* This callback can be called both for server (BT_LISTEN)
1560 	 * sockets as well as "normal" ones. To avoid lockdep warnings
1561 	 * with child socket locking (through l2cap_sock_cleanup_listen)
1562 	 * we need separation into separate nesting levels. The simplest
1563 	 * way to accomplish this is to inherit the nesting level used
1564 	 * for the channel.
1565 	 */
1566 	lock_sock_nested(sk, atomic_read(&chan->nesting));
1567 
1568 	parent = bt_sk(sk)->parent;
1569 
1570 	switch (chan->state) {
1571 	case BT_OPEN:
1572 	case BT_BOUND:
1573 	case BT_CLOSED:
1574 		break;
1575 	case BT_LISTEN:
1576 		l2cap_sock_cleanup_listen(sk);
1577 		sk->sk_state = BT_CLOSED;
1578 		chan->state = BT_CLOSED;
1579 
1580 		break;
1581 	default:
1582 		sk->sk_state = BT_CLOSED;
1583 		chan->state = BT_CLOSED;
1584 
1585 		sk->sk_err = err;
1586 
1587 		if (parent) {
1588 			bt_accept_unlink(sk);
1589 			parent->sk_data_ready(parent);
1590 		} else {
1591 			sk->sk_state_change(sk);
1592 		}
1593 
1594 		break;
1595 	}
1596 	release_sock(sk);
1597 
1598 	/* Only zap after cleanup to avoid use after free race */
1599 	sock_set_flag(sk, SOCK_ZAPPED);
1600 
1601 }
1602 
1603 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1604 				       int err)
1605 {
1606 	struct sock *sk = chan->data;
1607 
1608 	sk->sk_state = state;
1609 
1610 	if (err)
1611 		sk->sk_err = err;
1612 }
1613 
1614 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1615 					       unsigned long hdr_len,
1616 					       unsigned long len, int nb)
1617 {
1618 	struct sock *sk = chan->data;
1619 	struct sk_buff *skb;
1620 	int err;
1621 
1622 	l2cap_chan_unlock(chan);
1623 	skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1624 	l2cap_chan_lock(chan);
1625 
1626 	if (!skb)
1627 		return ERR_PTR(err);
1628 
1629 	/* Channel lock is released before requesting new skb and then
1630 	 * reacquired thus we need to recheck channel state.
1631 	 */
1632 	if (chan->state != BT_CONNECTED) {
1633 		kfree_skb(skb);
1634 		return ERR_PTR(-ENOTCONN);
1635 	}
1636 
1637 	skb->priority = sk->sk_priority;
1638 
1639 	bt_cb(skb)->l2cap.chan = chan;
1640 
1641 	return skb;
1642 }
1643 
1644 static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1645 {
1646 	struct sock *sk = chan->data;
1647 	struct sock *parent;
1648 
1649 	lock_sock(sk);
1650 
1651 	parent = bt_sk(sk)->parent;
1652 
1653 	BT_DBG("sk %p, parent %p", sk, parent);
1654 
1655 	sk->sk_state = BT_CONNECTED;
1656 	sk->sk_state_change(sk);
1657 
1658 	if (parent)
1659 		parent->sk_data_ready(parent);
1660 
1661 	release_sock(sk);
1662 }
1663 
1664 static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1665 {
1666 	struct sock *parent, *sk = chan->data;
1667 
1668 	lock_sock(sk);
1669 
1670 	parent = bt_sk(sk)->parent;
1671 	if (parent)
1672 		parent->sk_data_ready(parent);
1673 
1674 	release_sock(sk);
1675 }
1676 
1677 static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1678 {
1679 	struct sock *sk = chan->data;
1680 
1681 	if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1682 		sk->sk_state = BT_CONNECTED;
1683 		chan->state = BT_CONNECTED;
1684 	}
1685 
1686 	clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1687 	sk->sk_state_change(sk);
1688 }
1689 
1690 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1691 {
1692 	struct sock *sk = chan->data;
1693 
1694 	lock_sock(sk);
1695 	sk->sk_shutdown = SHUTDOWN_MASK;
1696 	release_sock(sk);
1697 }
1698 
1699 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1700 {
1701 	struct sock *sk = chan->data;
1702 
1703 	return sk->sk_sndtimeo;
1704 }
1705 
1706 static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan)
1707 {
1708 	struct sock *sk = chan->data;
1709 
1710 	return sk->sk_peer_pid;
1711 }
1712 
1713 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1714 {
1715 	struct sock *sk = chan->data;
1716 
1717 	set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1718 	sk->sk_state_change(sk);
1719 }
1720 
1721 static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
1722 {
1723 	struct sock *sk = chan->data;
1724 
1725 	switch (chan->mode) {
1726 	case L2CAP_MODE_ERTM:
1727 	case L2CAP_MODE_STREAMING:
1728 		return sk_filter(sk, skb);
1729 	}
1730 
1731 	return 0;
1732 }
1733 
1734 static const struct l2cap_ops l2cap_chan_ops = {
1735 	.name			= "L2CAP Socket Interface",
1736 	.new_connection		= l2cap_sock_new_connection_cb,
1737 	.recv			= l2cap_sock_recv_cb,
1738 	.close			= l2cap_sock_close_cb,
1739 	.teardown		= l2cap_sock_teardown_cb,
1740 	.state_change		= l2cap_sock_state_change_cb,
1741 	.ready			= l2cap_sock_ready_cb,
1742 	.defer			= l2cap_sock_defer_cb,
1743 	.resume			= l2cap_sock_resume_cb,
1744 	.suspend		= l2cap_sock_suspend_cb,
1745 	.set_shutdown		= l2cap_sock_set_shutdown_cb,
1746 	.get_sndtimeo		= l2cap_sock_get_sndtimeo_cb,
1747 	.get_peer_pid		= l2cap_sock_get_peer_pid_cb,
1748 	.alloc_skb		= l2cap_sock_alloc_skb_cb,
1749 	.filter			= l2cap_sock_filter,
1750 };
1751 
1752 static void l2cap_sock_destruct(struct sock *sk)
1753 {
1754 	BT_DBG("sk %p", sk);
1755 
1756 	if (l2cap_pi(sk)->chan) {
1757 		l2cap_pi(sk)->chan->data = NULL;
1758 		l2cap_chan_put(l2cap_pi(sk)->chan);
1759 	}
1760 
1761 	if (l2cap_pi(sk)->rx_busy_skb) {
1762 		kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1763 		l2cap_pi(sk)->rx_busy_skb = NULL;
1764 	}
1765 
1766 	skb_queue_purge(&sk->sk_receive_queue);
1767 	skb_queue_purge(&sk->sk_write_queue);
1768 }
1769 
1770 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1771 			       int *msg_namelen)
1772 {
1773 	DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1774 
1775 	memset(la, 0, sizeof(struct sockaddr_l2));
1776 	la->l2_family = AF_BLUETOOTH;
1777 	la->l2_psm = bt_cb(skb)->l2cap.psm;
1778 	bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1779 
1780 	*msg_namelen = sizeof(struct sockaddr_l2);
1781 }
1782 
1783 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1784 {
1785 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1786 
1787 	BT_DBG("sk %p", sk);
1788 
1789 	if (parent) {
1790 		struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1791 
1792 		sk->sk_type = parent->sk_type;
1793 		bt_sk(sk)->flags = bt_sk(parent)->flags;
1794 
1795 		chan->chan_type = pchan->chan_type;
1796 		chan->imtu = pchan->imtu;
1797 		chan->omtu = pchan->omtu;
1798 		chan->conf_state = pchan->conf_state;
1799 		chan->mode = pchan->mode;
1800 		chan->fcs  = pchan->fcs;
1801 		chan->max_tx = pchan->max_tx;
1802 		chan->tx_win = pchan->tx_win;
1803 		chan->tx_win_max = pchan->tx_win_max;
1804 		chan->sec_level = pchan->sec_level;
1805 		chan->flags = pchan->flags;
1806 		chan->tx_credits = pchan->tx_credits;
1807 		chan->rx_credits = pchan->rx_credits;
1808 
1809 		if (chan->chan_type == L2CAP_CHAN_FIXED) {
1810 			chan->scid = pchan->scid;
1811 			chan->dcid = pchan->scid;
1812 		}
1813 
1814 		security_sk_clone(parent, sk);
1815 	} else {
1816 		switch (sk->sk_type) {
1817 		case SOCK_RAW:
1818 			chan->chan_type = L2CAP_CHAN_RAW;
1819 			break;
1820 		case SOCK_DGRAM:
1821 			chan->chan_type = L2CAP_CHAN_CONN_LESS;
1822 			bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1823 			break;
1824 		case SOCK_SEQPACKET:
1825 		case SOCK_STREAM:
1826 			chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1827 			break;
1828 		}
1829 
1830 		chan->imtu = L2CAP_DEFAULT_MTU;
1831 		chan->omtu = 0;
1832 		if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1833 			chan->mode = L2CAP_MODE_ERTM;
1834 			set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1835 		} else {
1836 			chan->mode = L2CAP_MODE_BASIC;
1837 		}
1838 
1839 		l2cap_chan_set_defaults(chan);
1840 	}
1841 
1842 	/* Default config options */
1843 	chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1844 
1845 	chan->data = sk;
1846 	chan->ops = &l2cap_chan_ops;
1847 }
1848 
1849 static struct proto l2cap_proto = {
1850 	.name		= "L2CAP",
1851 	.owner		= THIS_MODULE,
1852 	.obj_size	= sizeof(struct l2cap_pinfo)
1853 };
1854 
1855 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1856 				     int proto, gfp_t prio, int kern)
1857 {
1858 	struct sock *sk;
1859 	struct l2cap_chan *chan;
1860 
1861 	sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern);
1862 	if (!sk)
1863 		return NULL;
1864 
1865 	sock_init_data(sock, sk);
1866 	INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1867 
1868 	sk->sk_destruct = l2cap_sock_destruct;
1869 	sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1870 
1871 	sock_reset_flag(sk, SOCK_ZAPPED);
1872 
1873 	sk->sk_protocol = proto;
1874 	sk->sk_state = BT_OPEN;
1875 
1876 	chan = l2cap_chan_create();
1877 	if (!chan) {
1878 		sk_free(sk);
1879 		return NULL;
1880 	}
1881 
1882 	l2cap_chan_hold(chan);
1883 
1884 	l2cap_pi(sk)->chan = chan;
1885 
1886 	return sk;
1887 }
1888 
1889 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1890 			     int kern)
1891 {
1892 	struct sock *sk;
1893 
1894 	BT_DBG("sock %p", sock);
1895 
1896 	sock->state = SS_UNCONNECTED;
1897 
1898 	if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1899 	    sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1900 		return -ESOCKTNOSUPPORT;
1901 
1902 	if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1903 		return -EPERM;
1904 
1905 	sock->ops = &l2cap_sock_ops;
1906 
1907 	sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1908 	if (!sk)
1909 		return -ENOMEM;
1910 
1911 	l2cap_sock_init(sk, NULL);
1912 	bt_sock_link(&l2cap_sk_list, sk);
1913 	return 0;
1914 }
1915 
1916 static const struct proto_ops l2cap_sock_ops = {
1917 	.family		= PF_BLUETOOTH,
1918 	.owner		= THIS_MODULE,
1919 	.release	= l2cap_sock_release,
1920 	.bind		= l2cap_sock_bind,
1921 	.connect	= l2cap_sock_connect,
1922 	.listen		= l2cap_sock_listen,
1923 	.accept		= l2cap_sock_accept,
1924 	.getname	= l2cap_sock_getname,
1925 	.sendmsg	= l2cap_sock_sendmsg,
1926 	.recvmsg	= l2cap_sock_recvmsg,
1927 	.poll		= bt_sock_poll,
1928 	.ioctl		= bt_sock_ioctl,
1929 	.gettstamp	= sock_gettstamp,
1930 	.mmap		= sock_no_mmap,
1931 	.socketpair	= sock_no_socketpair,
1932 	.shutdown	= l2cap_sock_shutdown,
1933 	.setsockopt	= l2cap_sock_setsockopt,
1934 	.getsockopt	= l2cap_sock_getsockopt
1935 };
1936 
1937 static const struct net_proto_family l2cap_sock_family_ops = {
1938 	.family	= PF_BLUETOOTH,
1939 	.owner	= THIS_MODULE,
1940 	.create	= l2cap_sock_create,
1941 };
1942 
1943 int __init l2cap_init_sockets(void)
1944 {
1945 	int err;
1946 
1947 	BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1948 
1949 	err = proto_register(&l2cap_proto, 0);
1950 	if (err < 0)
1951 		return err;
1952 
1953 	err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1954 	if (err < 0) {
1955 		BT_ERR("L2CAP socket registration failed");
1956 		goto error;
1957 	}
1958 
1959 	err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1960 			     NULL);
1961 	if (err < 0) {
1962 		BT_ERR("Failed to create L2CAP proc file");
1963 		bt_sock_unregister(BTPROTO_L2CAP);
1964 		goto error;
1965 	}
1966 
1967 	BT_INFO("L2CAP socket layer initialized");
1968 
1969 	return 0;
1970 
1971 error:
1972 	proto_unregister(&l2cap_proto);
1973 	return err;
1974 }
1975 
1976 void l2cap_cleanup_sockets(void)
1977 {
1978 	bt_procfs_cleanup(&init_net, "l2cap");
1979 	bt_sock_unregister(BTPROTO_L2CAP);
1980 	proto_unregister(&l2cap_proto);
1981 }
1982