xref: /openbmc/linux/net/bluetooth/l2cap_sock.c (revision 8730046c)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4    Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5    Copyright (C) 2010 Google Inc.
6    Copyright (C) 2011 ProFUSION Embedded Systems
7 
8    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9 
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License version 2 as
12    published by the Free Software Foundation;
13 
14    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22 
23    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25    SOFTWARE IS DISCLAIMED.
26 */
27 
28 /* Bluetooth L2CAP sockets. */
29 
30 #include <linux/module.h>
31 #include <linux/export.h>
32 
33 #include <net/bluetooth/bluetooth.h>
34 #include <net/bluetooth/hci_core.h>
35 #include <net/bluetooth/l2cap.h>
36 
37 #include "smp.h"
38 
39 static struct bt_sock_list l2cap_sk_list = {
40 	.lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
41 };
42 
43 static const struct proto_ops l2cap_sock_ops;
44 static void l2cap_sock_init(struct sock *sk, struct sock *parent);
45 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
46 				     int proto, gfp_t prio, int kern);
47 
48 bool l2cap_is_socket(struct socket *sock)
49 {
50 	return sock && sock->ops == &l2cap_sock_ops;
51 }
52 EXPORT_SYMBOL(l2cap_is_socket);
53 
54 static int l2cap_validate_bredr_psm(u16 psm)
55 {
56 	/* PSM must be odd and lsb of upper byte must be 0 */
57 	if ((psm & 0x0101) != 0x0001)
58 		return -EINVAL;
59 
60 	/* Restrict usage of well-known PSMs */
61 	if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
62 		return -EACCES;
63 
64 	return 0;
65 }
66 
67 static int l2cap_validate_le_psm(u16 psm)
68 {
69 	/* Valid LE_PSM ranges are defined only until 0x00ff */
70 	if (psm > L2CAP_PSM_LE_DYN_END)
71 		return -EINVAL;
72 
73 	/* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
74 	if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
75 		return -EACCES;
76 
77 	return 0;
78 }
79 
80 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
81 {
82 	struct sock *sk = sock->sk;
83 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
84 	struct sockaddr_l2 la;
85 	int len, err = 0;
86 
87 	BT_DBG("sk %p", sk);
88 
89 	if (!addr || addr->sa_family != AF_BLUETOOTH)
90 		return -EINVAL;
91 
92 	memset(&la, 0, sizeof(la));
93 	len = min_t(unsigned int, sizeof(la), alen);
94 	memcpy(&la, addr, len);
95 
96 	if (la.l2_cid && la.l2_psm)
97 		return -EINVAL;
98 
99 	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
100 		return -EINVAL;
101 
102 	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
103 		/* We only allow ATT user space socket */
104 		if (la.l2_cid &&
105 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
106 			return -EINVAL;
107 	}
108 
109 	lock_sock(sk);
110 
111 	if (sk->sk_state != BT_OPEN) {
112 		err = -EBADFD;
113 		goto done;
114 	}
115 
116 	if (la.l2_psm) {
117 		__u16 psm = __le16_to_cpu(la.l2_psm);
118 
119 		if (la.l2_bdaddr_type == BDADDR_BREDR)
120 			err = l2cap_validate_bredr_psm(psm);
121 		else
122 			err = l2cap_validate_le_psm(psm);
123 
124 		if (err)
125 			goto done;
126 	}
127 
128 	bacpy(&chan->src, &la.l2_bdaddr);
129 	chan->src_type = la.l2_bdaddr_type;
130 
131 	if (la.l2_cid)
132 		err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
133 	else
134 		err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
135 
136 	if (err < 0)
137 		goto done;
138 
139 	switch (chan->chan_type) {
140 	case L2CAP_CHAN_CONN_LESS:
141 		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
142 			chan->sec_level = BT_SECURITY_SDP;
143 		break;
144 	case L2CAP_CHAN_CONN_ORIENTED:
145 		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
146 		    __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
147 			chan->sec_level = BT_SECURITY_SDP;
148 		break;
149 	case L2CAP_CHAN_RAW:
150 		chan->sec_level = BT_SECURITY_SDP;
151 		break;
152 	case L2CAP_CHAN_FIXED:
153 		/* Fixed channels default to the L2CAP core not holding a
154 		 * hci_conn reference for them. For fixed channels mapping to
155 		 * L2CAP sockets we do want to hold a reference so set the
156 		 * appropriate flag to request it.
157 		 */
158 		set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
159 		break;
160 	}
161 
162 	if (chan->psm && bdaddr_type_is_le(chan->src_type))
163 		chan->mode = L2CAP_MODE_LE_FLOWCTL;
164 
165 	chan->state = BT_BOUND;
166 	sk->sk_state = BT_BOUND;
167 
168 done:
169 	release_sock(sk);
170 	return err;
171 }
172 
173 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
174 			      int alen, int flags)
175 {
176 	struct sock *sk = sock->sk;
177 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
178 	struct sockaddr_l2 la;
179 	int len, err = 0;
180 
181 	BT_DBG("sk %p", sk);
182 
183 	if (!addr || alen < sizeof(addr->sa_family) ||
184 	    addr->sa_family != AF_BLUETOOTH)
185 		return -EINVAL;
186 
187 	memset(&la, 0, sizeof(la));
188 	len = min_t(unsigned int, sizeof(la), alen);
189 	memcpy(&la, addr, len);
190 
191 	if (la.l2_cid && la.l2_psm)
192 		return -EINVAL;
193 
194 	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
195 		return -EINVAL;
196 
197 	/* Check that the socket wasn't bound to something that
198 	 * conflicts with the address given to connect(). If chan->src
199 	 * is BDADDR_ANY it means bind() was never used, in which case
200 	 * chan->src_type and la.l2_bdaddr_type do not need to match.
201 	 */
202 	if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
203 	    bdaddr_type_is_le(la.l2_bdaddr_type)) {
204 		/* Old user space versions will try to incorrectly bind
205 		 * the ATT socket using BDADDR_BREDR. We need to accept
206 		 * this and fix up the source address type only when
207 		 * both the source CID and destination CID indicate
208 		 * ATT. Anything else is an invalid combination.
209 		 */
210 		if (chan->scid != L2CAP_CID_ATT ||
211 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
212 			return -EINVAL;
213 
214 		/* We don't have the hdev available here to make a
215 		 * better decision on random vs public, but since all
216 		 * user space versions that exhibit this issue anyway do
217 		 * not support random local addresses assuming public
218 		 * here is good enough.
219 		 */
220 		chan->src_type = BDADDR_LE_PUBLIC;
221 	}
222 
223 	if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
224 		return -EINVAL;
225 
226 	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
227 		/* We only allow ATT user space socket */
228 		if (la.l2_cid &&
229 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
230 			return -EINVAL;
231 	}
232 
233 	if (chan->psm && bdaddr_type_is_le(chan->src_type))
234 		chan->mode = L2CAP_MODE_LE_FLOWCTL;
235 
236 	err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
237 				 &la.l2_bdaddr, la.l2_bdaddr_type);
238 	if (err)
239 		return err;
240 
241 	lock_sock(sk);
242 
243 	err = bt_sock_wait_state(sk, BT_CONNECTED,
244 				 sock_sndtimeo(sk, flags & O_NONBLOCK));
245 
246 	release_sock(sk);
247 
248 	return err;
249 }
250 
251 static int l2cap_sock_listen(struct socket *sock, int backlog)
252 {
253 	struct sock *sk = sock->sk;
254 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
255 	int err = 0;
256 
257 	BT_DBG("sk %p backlog %d", sk, backlog);
258 
259 	lock_sock(sk);
260 
261 	if (sk->sk_state != BT_BOUND) {
262 		err = -EBADFD;
263 		goto done;
264 	}
265 
266 	if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
267 		err = -EINVAL;
268 		goto done;
269 	}
270 
271 	switch (chan->mode) {
272 	case L2CAP_MODE_BASIC:
273 	case L2CAP_MODE_LE_FLOWCTL:
274 		break;
275 	case L2CAP_MODE_ERTM:
276 	case L2CAP_MODE_STREAMING:
277 		if (!disable_ertm)
278 			break;
279 		/* fall through */
280 	default:
281 		err = -EOPNOTSUPP;
282 		goto done;
283 	}
284 
285 	sk->sk_max_ack_backlog = backlog;
286 	sk->sk_ack_backlog = 0;
287 
288 	/* Listening channels need to use nested locking in order not to
289 	 * cause lockdep warnings when the created child channels end up
290 	 * being locked in the same thread as the parent channel.
291 	 */
292 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
293 
294 	chan->state = BT_LISTEN;
295 	sk->sk_state = BT_LISTEN;
296 
297 done:
298 	release_sock(sk);
299 	return err;
300 }
301 
302 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
303 			     int flags)
304 {
305 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
306 	struct sock *sk = sock->sk, *nsk;
307 	long timeo;
308 	int err = 0;
309 
310 	lock_sock_nested(sk, L2CAP_NESTING_PARENT);
311 
312 	timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
313 
314 	BT_DBG("sk %p timeo %ld", sk, timeo);
315 
316 	/* Wait for an incoming connection. (wake-one). */
317 	add_wait_queue_exclusive(sk_sleep(sk), &wait);
318 	while (1) {
319 		if (sk->sk_state != BT_LISTEN) {
320 			err = -EBADFD;
321 			break;
322 		}
323 
324 		nsk = bt_accept_dequeue(sk, newsock);
325 		if (nsk)
326 			break;
327 
328 		if (!timeo) {
329 			err = -EAGAIN;
330 			break;
331 		}
332 
333 		if (signal_pending(current)) {
334 			err = sock_intr_errno(timeo);
335 			break;
336 		}
337 
338 		release_sock(sk);
339 
340 		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
341 
342 		lock_sock_nested(sk, L2CAP_NESTING_PARENT);
343 	}
344 	remove_wait_queue(sk_sleep(sk), &wait);
345 
346 	if (err)
347 		goto done;
348 
349 	newsock->state = SS_CONNECTED;
350 
351 	BT_DBG("new socket %p", nsk);
352 
353 done:
354 	release_sock(sk);
355 	return err;
356 }
357 
358 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
359 			      int *len, int peer)
360 {
361 	struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
362 	struct sock *sk = sock->sk;
363 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
364 
365 	BT_DBG("sock %p, sk %p", sock, sk);
366 
367 	if (peer && sk->sk_state != BT_CONNECTED &&
368 	    sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
369 	    sk->sk_state != BT_CONFIG)
370 		return -ENOTCONN;
371 
372 	memset(la, 0, sizeof(struct sockaddr_l2));
373 	addr->sa_family = AF_BLUETOOTH;
374 	*len = sizeof(struct sockaddr_l2);
375 
376 	la->l2_psm = chan->psm;
377 
378 	if (peer) {
379 		bacpy(&la->l2_bdaddr, &chan->dst);
380 		la->l2_cid = cpu_to_le16(chan->dcid);
381 		la->l2_bdaddr_type = chan->dst_type;
382 	} else {
383 		bacpy(&la->l2_bdaddr, &chan->src);
384 		la->l2_cid = cpu_to_le16(chan->scid);
385 		la->l2_bdaddr_type = chan->src_type;
386 	}
387 
388 	return 0;
389 }
390 
391 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
392 				     char __user *optval, int __user *optlen)
393 {
394 	struct sock *sk = sock->sk;
395 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
396 	struct l2cap_options opts;
397 	struct l2cap_conninfo cinfo;
398 	int len, err = 0;
399 	u32 opt;
400 
401 	BT_DBG("sk %p", sk);
402 
403 	if (get_user(len, optlen))
404 		return -EFAULT;
405 
406 	lock_sock(sk);
407 
408 	switch (optname) {
409 	case L2CAP_OPTIONS:
410 		/* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
411 		 * legacy ATT code depends on getsockopt for
412 		 * L2CAP_OPTIONS we need to let this pass.
413 		 */
414 		if (bdaddr_type_is_le(chan->src_type) &&
415 		    chan->scid != L2CAP_CID_ATT) {
416 			err = -EINVAL;
417 			break;
418 		}
419 
420 		memset(&opts, 0, sizeof(opts));
421 		opts.imtu     = chan->imtu;
422 		opts.omtu     = chan->omtu;
423 		opts.flush_to = chan->flush_to;
424 		opts.mode     = chan->mode;
425 		opts.fcs      = chan->fcs;
426 		opts.max_tx   = chan->max_tx;
427 		opts.txwin_size = chan->tx_win;
428 
429 		len = min_t(unsigned int, len, sizeof(opts));
430 		if (copy_to_user(optval, (char *) &opts, len))
431 			err = -EFAULT;
432 
433 		break;
434 
435 	case L2CAP_LM:
436 		switch (chan->sec_level) {
437 		case BT_SECURITY_LOW:
438 			opt = L2CAP_LM_AUTH;
439 			break;
440 		case BT_SECURITY_MEDIUM:
441 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
442 			break;
443 		case BT_SECURITY_HIGH:
444 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
445 			      L2CAP_LM_SECURE;
446 			break;
447 		case BT_SECURITY_FIPS:
448 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
449 			      L2CAP_LM_SECURE | L2CAP_LM_FIPS;
450 			break;
451 		default:
452 			opt = 0;
453 			break;
454 		}
455 
456 		if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
457 			opt |= L2CAP_LM_MASTER;
458 
459 		if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
460 			opt |= L2CAP_LM_RELIABLE;
461 
462 		if (put_user(opt, (u32 __user *) optval))
463 			err = -EFAULT;
464 
465 		break;
466 
467 	case L2CAP_CONNINFO:
468 		if (sk->sk_state != BT_CONNECTED &&
469 		    !(sk->sk_state == BT_CONNECT2 &&
470 		      test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
471 			err = -ENOTCONN;
472 			break;
473 		}
474 
475 		memset(&cinfo, 0, sizeof(cinfo));
476 		cinfo.hci_handle = chan->conn->hcon->handle;
477 		memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
478 
479 		len = min_t(unsigned int, len, sizeof(cinfo));
480 		if (copy_to_user(optval, (char *) &cinfo, len))
481 			err = -EFAULT;
482 
483 		break;
484 
485 	default:
486 		err = -ENOPROTOOPT;
487 		break;
488 	}
489 
490 	release_sock(sk);
491 	return err;
492 }
493 
494 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
495 				 char __user *optval, int __user *optlen)
496 {
497 	struct sock *sk = sock->sk;
498 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
499 	struct bt_security sec;
500 	struct bt_power pwr;
501 	int len, err = 0;
502 
503 	BT_DBG("sk %p", sk);
504 
505 	if (level == SOL_L2CAP)
506 		return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
507 
508 	if (level != SOL_BLUETOOTH)
509 		return -ENOPROTOOPT;
510 
511 	if (get_user(len, optlen))
512 		return -EFAULT;
513 
514 	lock_sock(sk);
515 
516 	switch (optname) {
517 	case BT_SECURITY:
518 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
519 		    chan->chan_type != L2CAP_CHAN_FIXED &&
520 		    chan->chan_type != L2CAP_CHAN_RAW) {
521 			err = -EINVAL;
522 			break;
523 		}
524 
525 		memset(&sec, 0, sizeof(sec));
526 		if (chan->conn) {
527 			sec.level = chan->conn->hcon->sec_level;
528 
529 			if (sk->sk_state == BT_CONNECTED)
530 				sec.key_size = chan->conn->hcon->enc_key_size;
531 		} else {
532 			sec.level = chan->sec_level;
533 		}
534 
535 		len = min_t(unsigned int, len, sizeof(sec));
536 		if (copy_to_user(optval, (char *) &sec, len))
537 			err = -EFAULT;
538 
539 		break;
540 
541 	case BT_DEFER_SETUP:
542 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
543 			err = -EINVAL;
544 			break;
545 		}
546 
547 		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
548 			     (u32 __user *) optval))
549 			err = -EFAULT;
550 
551 		break;
552 
553 	case BT_FLUSHABLE:
554 		if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
555 			     (u32 __user *) optval))
556 			err = -EFAULT;
557 
558 		break;
559 
560 	case BT_POWER:
561 		if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
562 		    && sk->sk_type != SOCK_RAW) {
563 			err = -EINVAL;
564 			break;
565 		}
566 
567 		pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
568 
569 		len = min_t(unsigned int, len, sizeof(pwr));
570 		if (copy_to_user(optval, (char *) &pwr, len))
571 			err = -EFAULT;
572 
573 		break;
574 
575 	case BT_CHANNEL_POLICY:
576 		if (put_user(chan->chan_policy, (u32 __user *) optval))
577 			err = -EFAULT;
578 		break;
579 
580 	case BT_SNDMTU:
581 		if (!bdaddr_type_is_le(chan->src_type)) {
582 			err = -EINVAL;
583 			break;
584 		}
585 
586 		if (sk->sk_state != BT_CONNECTED) {
587 			err = -ENOTCONN;
588 			break;
589 		}
590 
591 		if (put_user(chan->omtu, (u16 __user *) optval))
592 			err = -EFAULT;
593 		break;
594 
595 	case BT_RCVMTU:
596 		if (!bdaddr_type_is_le(chan->src_type)) {
597 			err = -EINVAL;
598 			break;
599 		}
600 
601 		if (put_user(chan->imtu, (u16 __user *) optval))
602 			err = -EFAULT;
603 		break;
604 
605 	default:
606 		err = -ENOPROTOOPT;
607 		break;
608 	}
609 
610 	release_sock(sk);
611 	return err;
612 }
613 
614 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
615 {
616 	switch (chan->scid) {
617 	case L2CAP_CID_ATT:
618 		if (mtu < L2CAP_LE_MIN_MTU)
619 			return false;
620 		break;
621 
622 	default:
623 		if (mtu < L2CAP_DEFAULT_MIN_MTU)
624 			return false;
625 	}
626 
627 	return true;
628 }
629 
630 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
631 				     char __user *optval, unsigned int optlen)
632 {
633 	struct sock *sk = sock->sk;
634 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
635 	struct l2cap_options opts;
636 	int len, err = 0;
637 	u32 opt;
638 
639 	BT_DBG("sk %p", sk);
640 
641 	lock_sock(sk);
642 
643 	switch (optname) {
644 	case L2CAP_OPTIONS:
645 		if (bdaddr_type_is_le(chan->src_type)) {
646 			err = -EINVAL;
647 			break;
648 		}
649 
650 		if (sk->sk_state == BT_CONNECTED) {
651 			err = -EINVAL;
652 			break;
653 		}
654 
655 		opts.imtu     = chan->imtu;
656 		opts.omtu     = chan->omtu;
657 		opts.flush_to = chan->flush_to;
658 		opts.mode     = chan->mode;
659 		opts.fcs      = chan->fcs;
660 		opts.max_tx   = chan->max_tx;
661 		opts.txwin_size = chan->tx_win;
662 
663 		len = min_t(unsigned int, sizeof(opts), optlen);
664 		if (copy_from_user((char *) &opts, optval, len)) {
665 			err = -EFAULT;
666 			break;
667 		}
668 
669 		if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
670 			err = -EINVAL;
671 			break;
672 		}
673 
674 		if (!l2cap_valid_mtu(chan, opts.imtu)) {
675 			err = -EINVAL;
676 			break;
677 		}
678 
679 		chan->mode = opts.mode;
680 		switch (chan->mode) {
681 		case L2CAP_MODE_LE_FLOWCTL:
682 			break;
683 		case L2CAP_MODE_BASIC:
684 			clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
685 			break;
686 		case L2CAP_MODE_ERTM:
687 		case L2CAP_MODE_STREAMING:
688 			if (!disable_ertm)
689 				break;
690 			/* fall through */
691 		default:
692 			err = -EINVAL;
693 			break;
694 		}
695 
696 		chan->imtu = opts.imtu;
697 		chan->omtu = opts.omtu;
698 		chan->fcs  = opts.fcs;
699 		chan->max_tx = opts.max_tx;
700 		chan->tx_win = opts.txwin_size;
701 		chan->flush_to = opts.flush_to;
702 		break;
703 
704 	case L2CAP_LM:
705 		if (get_user(opt, (u32 __user *) optval)) {
706 			err = -EFAULT;
707 			break;
708 		}
709 
710 		if (opt & L2CAP_LM_FIPS) {
711 			err = -EINVAL;
712 			break;
713 		}
714 
715 		if (opt & L2CAP_LM_AUTH)
716 			chan->sec_level = BT_SECURITY_LOW;
717 		if (opt & L2CAP_LM_ENCRYPT)
718 			chan->sec_level = BT_SECURITY_MEDIUM;
719 		if (opt & L2CAP_LM_SECURE)
720 			chan->sec_level = BT_SECURITY_HIGH;
721 
722 		if (opt & L2CAP_LM_MASTER)
723 			set_bit(FLAG_ROLE_SWITCH, &chan->flags);
724 		else
725 			clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
726 
727 		if (opt & L2CAP_LM_RELIABLE)
728 			set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
729 		else
730 			clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
731 		break;
732 
733 	default:
734 		err = -ENOPROTOOPT;
735 		break;
736 	}
737 
738 	release_sock(sk);
739 	return err;
740 }
741 
742 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
743 				 char __user *optval, unsigned int optlen)
744 {
745 	struct sock *sk = sock->sk;
746 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
747 	struct bt_security sec;
748 	struct bt_power pwr;
749 	struct l2cap_conn *conn;
750 	int len, err = 0;
751 	u32 opt;
752 
753 	BT_DBG("sk %p", sk);
754 
755 	if (level == SOL_L2CAP)
756 		return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
757 
758 	if (level != SOL_BLUETOOTH)
759 		return -ENOPROTOOPT;
760 
761 	lock_sock(sk);
762 
763 	switch (optname) {
764 	case BT_SECURITY:
765 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
766 		    chan->chan_type != L2CAP_CHAN_FIXED &&
767 		    chan->chan_type != L2CAP_CHAN_RAW) {
768 			err = -EINVAL;
769 			break;
770 		}
771 
772 		sec.level = BT_SECURITY_LOW;
773 
774 		len = min_t(unsigned int, sizeof(sec), optlen);
775 		if (copy_from_user((char *) &sec, optval, len)) {
776 			err = -EFAULT;
777 			break;
778 		}
779 
780 		if (sec.level < BT_SECURITY_LOW ||
781 		    sec.level > BT_SECURITY_FIPS) {
782 			err = -EINVAL;
783 			break;
784 		}
785 
786 		chan->sec_level = sec.level;
787 
788 		if (!chan->conn)
789 			break;
790 
791 		conn = chan->conn;
792 
793 		/*change security for LE channels */
794 		if (chan->scid == L2CAP_CID_ATT) {
795 			if (smp_conn_security(conn->hcon, sec.level))
796 				break;
797 			set_bit(FLAG_PENDING_SECURITY, &chan->flags);
798 			sk->sk_state = BT_CONFIG;
799 			chan->state = BT_CONFIG;
800 
801 		/* or for ACL link */
802 		} else if ((sk->sk_state == BT_CONNECT2 &&
803 			    test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
804 			   sk->sk_state == BT_CONNECTED) {
805 			if (!l2cap_chan_check_security(chan, true))
806 				set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
807 			else
808 				sk->sk_state_change(sk);
809 		} else {
810 			err = -EINVAL;
811 		}
812 		break;
813 
814 	case BT_DEFER_SETUP:
815 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
816 			err = -EINVAL;
817 			break;
818 		}
819 
820 		if (get_user(opt, (u32 __user *) optval)) {
821 			err = -EFAULT;
822 			break;
823 		}
824 
825 		if (opt) {
826 			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
827 			set_bit(FLAG_DEFER_SETUP, &chan->flags);
828 		} else {
829 			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
830 			clear_bit(FLAG_DEFER_SETUP, &chan->flags);
831 		}
832 		break;
833 
834 	case BT_FLUSHABLE:
835 		if (get_user(opt, (u32 __user *) optval)) {
836 			err = -EFAULT;
837 			break;
838 		}
839 
840 		if (opt > BT_FLUSHABLE_ON) {
841 			err = -EINVAL;
842 			break;
843 		}
844 
845 		if (opt == BT_FLUSHABLE_OFF) {
846 			conn = chan->conn;
847 			/* proceed further only when we have l2cap_conn and
848 			   No Flush support in the LM */
849 			if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
850 				err = -EINVAL;
851 				break;
852 			}
853 		}
854 
855 		if (opt)
856 			set_bit(FLAG_FLUSHABLE, &chan->flags);
857 		else
858 			clear_bit(FLAG_FLUSHABLE, &chan->flags);
859 		break;
860 
861 	case BT_POWER:
862 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
863 		    chan->chan_type != L2CAP_CHAN_RAW) {
864 			err = -EINVAL;
865 			break;
866 		}
867 
868 		pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
869 
870 		len = min_t(unsigned int, sizeof(pwr), optlen);
871 		if (copy_from_user((char *) &pwr, optval, len)) {
872 			err = -EFAULT;
873 			break;
874 		}
875 
876 		if (pwr.force_active)
877 			set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
878 		else
879 			clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
880 		break;
881 
882 	case BT_CHANNEL_POLICY:
883 		if (get_user(opt, (u32 __user *) optval)) {
884 			err = -EFAULT;
885 			break;
886 		}
887 
888 		if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
889 			err = -EINVAL;
890 			break;
891 		}
892 
893 		if (chan->mode != L2CAP_MODE_ERTM &&
894 		    chan->mode != L2CAP_MODE_STREAMING) {
895 			err = -EOPNOTSUPP;
896 			break;
897 		}
898 
899 		chan->chan_policy = (u8) opt;
900 
901 		if (sk->sk_state == BT_CONNECTED &&
902 		    chan->move_role == L2CAP_MOVE_ROLE_NONE)
903 			l2cap_move_start(chan);
904 
905 		break;
906 
907 	case BT_SNDMTU:
908 		if (!bdaddr_type_is_le(chan->src_type)) {
909 			err = -EINVAL;
910 			break;
911 		}
912 
913 		/* Setting is not supported as it's the remote side that
914 		 * decides this.
915 		 */
916 		err = -EPERM;
917 		break;
918 
919 	case BT_RCVMTU:
920 		if (!bdaddr_type_is_le(chan->src_type)) {
921 			err = -EINVAL;
922 			break;
923 		}
924 
925 		if (sk->sk_state == BT_CONNECTED) {
926 			err = -EISCONN;
927 			break;
928 		}
929 
930 		if (get_user(opt, (u16 __user *) optval)) {
931 			err = -EFAULT;
932 			break;
933 		}
934 
935 		chan->imtu = opt;
936 		break;
937 
938 	default:
939 		err = -ENOPROTOOPT;
940 		break;
941 	}
942 
943 	release_sock(sk);
944 	return err;
945 }
946 
947 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
948 			      size_t len)
949 {
950 	struct sock *sk = sock->sk;
951 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
952 	int err;
953 
954 	BT_DBG("sock %p, sk %p", sock, sk);
955 
956 	err = sock_error(sk);
957 	if (err)
958 		return err;
959 
960 	if (msg->msg_flags & MSG_OOB)
961 		return -EOPNOTSUPP;
962 
963 	if (sk->sk_state != BT_CONNECTED)
964 		return -ENOTCONN;
965 
966 	lock_sock(sk);
967 	err = bt_sock_wait_ready(sk, msg->msg_flags);
968 	release_sock(sk);
969 	if (err)
970 		return err;
971 
972 	l2cap_chan_lock(chan);
973 	err = l2cap_chan_send(chan, msg, len);
974 	l2cap_chan_unlock(chan);
975 
976 	return err;
977 }
978 
979 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
980 			      size_t len, int flags)
981 {
982 	struct sock *sk = sock->sk;
983 	struct l2cap_pinfo *pi = l2cap_pi(sk);
984 	int err;
985 
986 	lock_sock(sk);
987 
988 	if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
989 						    &bt_sk(sk)->flags)) {
990 		if (bdaddr_type_is_le(pi->chan->src_type)) {
991 			sk->sk_state = BT_CONNECTED;
992 			pi->chan->state = BT_CONNECTED;
993 			__l2cap_le_connect_rsp_defer(pi->chan);
994 		} else {
995 			sk->sk_state = BT_CONFIG;
996 			pi->chan->state = BT_CONFIG;
997 			__l2cap_connect_rsp_defer(pi->chan);
998 		}
999 
1000 		err = 0;
1001 		goto done;
1002 	}
1003 
1004 	release_sock(sk);
1005 
1006 	if (sock->type == SOCK_STREAM)
1007 		err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1008 	else
1009 		err = bt_sock_recvmsg(sock, msg, len, flags);
1010 
1011 	if (pi->chan->mode != L2CAP_MODE_ERTM)
1012 		return err;
1013 
1014 	/* Attempt to put pending rx data in the socket buffer */
1015 
1016 	lock_sock(sk);
1017 
1018 	if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1019 		goto done;
1020 
1021 	if (pi->rx_busy_skb) {
1022 		if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1023 			pi->rx_busy_skb = NULL;
1024 		else
1025 			goto done;
1026 	}
1027 
1028 	/* Restore data flow when half of the receive buffer is
1029 	 * available.  This avoids resending large numbers of
1030 	 * frames.
1031 	 */
1032 	if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1033 		l2cap_chan_busy(pi->chan, 0);
1034 
1035 done:
1036 	release_sock(sk);
1037 	return err;
1038 }
1039 
1040 /* Kill socket (only if zapped and orphan)
1041  * Must be called on unlocked socket.
1042  */
1043 static void l2cap_sock_kill(struct sock *sk)
1044 {
1045 	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1046 		return;
1047 
1048 	BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1049 
1050 	/* Kill poor orphan */
1051 
1052 	l2cap_chan_put(l2cap_pi(sk)->chan);
1053 	sock_set_flag(sk, SOCK_DEAD);
1054 	sock_put(sk);
1055 }
1056 
1057 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1058 {
1059 	DECLARE_WAITQUEUE(wait, current);
1060 	int err = 0;
1061 	int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1062 	/* Timeout to prevent infinite loop */
1063 	unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1064 
1065 	add_wait_queue(sk_sleep(sk), &wait);
1066 	set_current_state(TASK_INTERRUPTIBLE);
1067 	do {
1068 		BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1069 		       chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1070 		       jiffies_to_msecs(timeout - jiffies));
1071 
1072 		if (!timeo)
1073 			timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1074 
1075 		if (signal_pending(current)) {
1076 			err = sock_intr_errno(timeo);
1077 			break;
1078 		}
1079 
1080 		release_sock(sk);
1081 		timeo = schedule_timeout(timeo);
1082 		lock_sock(sk);
1083 		set_current_state(TASK_INTERRUPTIBLE);
1084 
1085 		err = sock_error(sk);
1086 		if (err)
1087 			break;
1088 
1089 		if (time_after(jiffies, timeout)) {
1090 			err = -ENOLINK;
1091 			break;
1092 		}
1093 
1094 	} while (chan->unacked_frames > 0 &&
1095 		 chan->state == BT_CONNECTED);
1096 
1097 	set_current_state(TASK_RUNNING);
1098 	remove_wait_queue(sk_sleep(sk), &wait);
1099 	return err;
1100 }
1101 
1102 static int l2cap_sock_shutdown(struct socket *sock, int how)
1103 {
1104 	struct sock *sk = sock->sk;
1105 	struct l2cap_chan *chan;
1106 	struct l2cap_conn *conn;
1107 	int err = 0;
1108 
1109 	BT_DBG("sock %p, sk %p", sock, sk);
1110 
1111 	if (!sk)
1112 		return 0;
1113 
1114 	lock_sock(sk);
1115 
1116 	if (sk->sk_shutdown)
1117 		goto shutdown_already;
1118 
1119 	BT_DBG("Handling sock shutdown");
1120 
1121 	/* prevent sk structure from being freed whilst unlocked */
1122 	sock_hold(sk);
1123 
1124 	chan = l2cap_pi(sk)->chan;
1125 	/* prevent chan structure from being freed whilst unlocked */
1126 	l2cap_chan_hold(chan);
1127 
1128 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1129 
1130 	if (chan->mode == L2CAP_MODE_ERTM &&
1131 	    chan->unacked_frames > 0 &&
1132 	    chan->state == BT_CONNECTED) {
1133 		err = __l2cap_wait_ack(sk, chan);
1134 
1135 		/* After waiting for ACKs, check whether shutdown
1136 		 * has already been actioned to close the L2CAP
1137 		 * link such as by l2cap_disconnection_req().
1138 		 */
1139 		if (sk->sk_shutdown)
1140 			goto has_shutdown;
1141 	}
1142 
1143 	sk->sk_shutdown = SHUTDOWN_MASK;
1144 	release_sock(sk);
1145 
1146 	l2cap_chan_lock(chan);
1147 	conn = chan->conn;
1148 	if (conn)
1149 		/* prevent conn structure from being freed */
1150 		l2cap_conn_get(conn);
1151 	l2cap_chan_unlock(chan);
1152 
1153 	if (conn)
1154 		/* mutex lock must be taken before l2cap_chan_lock() */
1155 		mutex_lock(&conn->chan_lock);
1156 
1157 	l2cap_chan_lock(chan);
1158 	l2cap_chan_close(chan, 0);
1159 	l2cap_chan_unlock(chan);
1160 
1161 	if (conn) {
1162 		mutex_unlock(&conn->chan_lock);
1163 		l2cap_conn_put(conn);
1164 	}
1165 
1166 	lock_sock(sk);
1167 
1168 	if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1169 	    !(current->flags & PF_EXITING))
1170 		err = bt_sock_wait_state(sk, BT_CLOSED,
1171 					 sk->sk_lingertime);
1172 
1173 has_shutdown:
1174 	l2cap_chan_put(chan);
1175 	sock_put(sk);
1176 
1177 shutdown_already:
1178 	if (!err && sk->sk_err)
1179 		err = -sk->sk_err;
1180 
1181 	release_sock(sk);
1182 
1183 	BT_DBG("Sock shutdown complete err: %d", err);
1184 
1185 	return err;
1186 }
1187 
1188 static int l2cap_sock_release(struct socket *sock)
1189 {
1190 	struct sock *sk = sock->sk;
1191 	int err;
1192 
1193 	BT_DBG("sock %p, sk %p", sock, sk);
1194 
1195 	if (!sk)
1196 		return 0;
1197 
1198 	bt_sock_unlink(&l2cap_sk_list, sk);
1199 
1200 	err = l2cap_sock_shutdown(sock, 2);
1201 
1202 	sock_orphan(sk);
1203 	l2cap_sock_kill(sk);
1204 	return err;
1205 }
1206 
1207 static void l2cap_sock_cleanup_listen(struct sock *parent)
1208 {
1209 	struct sock *sk;
1210 
1211 	BT_DBG("parent %p state %s", parent,
1212 	       state_to_string(parent->sk_state));
1213 
1214 	/* Close not yet accepted channels */
1215 	while ((sk = bt_accept_dequeue(parent, NULL))) {
1216 		struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1217 
1218 		BT_DBG("child chan %p state %s", chan,
1219 		       state_to_string(chan->state));
1220 
1221 		l2cap_chan_lock(chan);
1222 		__clear_chan_timer(chan);
1223 		l2cap_chan_close(chan, ECONNRESET);
1224 		l2cap_chan_unlock(chan);
1225 
1226 		l2cap_sock_kill(sk);
1227 	}
1228 }
1229 
1230 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1231 {
1232 	struct sock *sk, *parent = chan->data;
1233 
1234 	lock_sock(parent);
1235 
1236 	/* Check for backlog size */
1237 	if (sk_acceptq_is_full(parent)) {
1238 		BT_DBG("backlog full %d", parent->sk_ack_backlog);
1239 		release_sock(parent);
1240 		return NULL;
1241 	}
1242 
1243 	sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1244 			      GFP_ATOMIC, 0);
1245 	if (!sk) {
1246 		release_sock(parent);
1247 		return NULL;
1248         }
1249 
1250 	bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1251 
1252 	l2cap_sock_init(sk, parent);
1253 
1254 	bt_accept_enqueue(parent, sk);
1255 
1256 	release_sock(parent);
1257 
1258 	return l2cap_pi(sk)->chan;
1259 }
1260 
1261 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1262 {
1263 	struct sock *sk = chan->data;
1264 	int err;
1265 
1266 	lock_sock(sk);
1267 
1268 	if (l2cap_pi(sk)->rx_busy_skb) {
1269 		err = -ENOMEM;
1270 		goto done;
1271 	}
1272 
1273 	if (chan->mode != L2CAP_MODE_ERTM &&
1274 	    chan->mode != L2CAP_MODE_STREAMING) {
1275 		/* Even if no filter is attached, we could potentially
1276 		 * get errors from security modules, etc.
1277 		 */
1278 		err = sk_filter(sk, skb);
1279 		if (err)
1280 			goto done;
1281 	}
1282 
1283 	err = __sock_queue_rcv_skb(sk, skb);
1284 
1285 	/* For ERTM, handle one skb that doesn't fit into the recv
1286 	 * buffer.  This is important to do because the data frames
1287 	 * have already been acked, so the skb cannot be discarded.
1288 	 *
1289 	 * Notify the l2cap core that the buffer is full, so the
1290 	 * LOCAL_BUSY state is entered and no more frames are
1291 	 * acked and reassembled until there is buffer space
1292 	 * available.
1293 	 */
1294 	if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1295 		l2cap_pi(sk)->rx_busy_skb = skb;
1296 		l2cap_chan_busy(chan, 1);
1297 		err = 0;
1298 	}
1299 
1300 done:
1301 	release_sock(sk);
1302 
1303 	return err;
1304 }
1305 
1306 static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1307 {
1308 	struct sock *sk = chan->data;
1309 
1310 	l2cap_sock_kill(sk);
1311 }
1312 
1313 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1314 {
1315 	struct sock *sk = chan->data;
1316 	struct sock *parent;
1317 
1318 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1319 
1320 	/* This callback can be called both for server (BT_LISTEN)
1321 	 * sockets as well as "normal" ones. To avoid lockdep warnings
1322 	 * with child socket locking (through l2cap_sock_cleanup_listen)
1323 	 * we need separation into separate nesting levels. The simplest
1324 	 * way to accomplish this is to inherit the nesting level used
1325 	 * for the channel.
1326 	 */
1327 	lock_sock_nested(sk, atomic_read(&chan->nesting));
1328 
1329 	parent = bt_sk(sk)->parent;
1330 
1331 	sock_set_flag(sk, SOCK_ZAPPED);
1332 
1333 	switch (chan->state) {
1334 	case BT_OPEN:
1335 	case BT_BOUND:
1336 	case BT_CLOSED:
1337 		break;
1338 	case BT_LISTEN:
1339 		l2cap_sock_cleanup_listen(sk);
1340 		sk->sk_state = BT_CLOSED;
1341 		chan->state = BT_CLOSED;
1342 
1343 		break;
1344 	default:
1345 		sk->sk_state = BT_CLOSED;
1346 		chan->state = BT_CLOSED;
1347 
1348 		sk->sk_err = err;
1349 
1350 		if (parent) {
1351 			bt_accept_unlink(sk);
1352 			parent->sk_data_ready(parent);
1353 		} else {
1354 			sk->sk_state_change(sk);
1355 		}
1356 
1357 		break;
1358 	}
1359 
1360 	release_sock(sk);
1361 }
1362 
1363 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1364 				       int err)
1365 {
1366 	struct sock *sk = chan->data;
1367 
1368 	sk->sk_state = state;
1369 
1370 	if (err)
1371 		sk->sk_err = err;
1372 }
1373 
1374 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1375 					       unsigned long hdr_len,
1376 					       unsigned long len, int nb)
1377 {
1378 	struct sock *sk = chan->data;
1379 	struct sk_buff *skb;
1380 	int err;
1381 
1382 	l2cap_chan_unlock(chan);
1383 	skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1384 	l2cap_chan_lock(chan);
1385 
1386 	if (!skb)
1387 		return ERR_PTR(err);
1388 
1389 	skb->priority = sk->sk_priority;
1390 
1391 	bt_cb(skb)->l2cap.chan = chan;
1392 
1393 	return skb;
1394 }
1395 
1396 static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1397 {
1398 	struct sock *sk = chan->data;
1399 	struct sock *parent;
1400 
1401 	lock_sock(sk);
1402 
1403 	parent = bt_sk(sk)->parent;
1404 
1405 	BT_DBG("sk %p, parent %p", sk, parent);
1406 
1407 	sk->sk_state = BT_CONNECTED;
1408 	sk->sk_state_change(sk);
1409 
1410 	if (parent)
1411 		parent->sk_data_ready(parent);
1412 
1413 	release_sock(sk);
1414 }
1415 
1416 static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1417 {
1418 	struct sock *parent, *sk = chan->data;
1419 
1420 	lock_sock(sk);
1421 
1422 	parent = bt_sk(sk)->parent;
1423 	if (parent)
1424 		parent->sk_data_ready(parent);
1425 
1426 	release_sock(sk);
1427 }
1428 
1429 static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1430 {
1431 	struct sock *sk = chan->data;
1432 
1433 	if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1434 		sk->sk_state = BT_CONNECTED;
1435 		chan->state = BT_CONNECTED;
1436 	}
1437 
1438 	clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1439 	sk->sk_state_change(sk);
1440 }
1441 
1442 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1443 {
1444 	struct sock *sk = chan->data;
1445 
1446 	lock_sock(sk);
1447 	sk->sk_shutdown = SHUTDOWN_MASK;
1448 	release_sock(sk);
1449 }
1450 
1451 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1452 {
1453 	struct sock *sk = chan->data;
1454 
1455 	return sk->sk_sndtimeo;
1456 }
1457 
1458 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1459 {
1460 	struct sock *sk = chan->data;
1461 
1462 	set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1463 	sk->sk_state_change(sk);
1464 }
1465 
1466 static const struct l2cap_ops l2cap_chan_ops = {
1467 	.name			= "L2CAP Socket Interface",
1468 	.new_connection		= l2cap_sock_new_connection_cb,
1469 	.recv			= l2cap_sock_recv_cb,
1470 	.close			= l2cap_sock_close_cb,
1471 	.teardown		= l2cap_sock_teardown_cb,
1472 	.state_change		= l2cap_sock_state_change_cb,
1473 	.ready			= l2cap_sock_ready_cb,
1474 	.defer			= l2cap_sock_defer_cb,
1475 	.resume			= l2cap_sock_resume_cb,
1476 	.suspend		= l2cap_sock_suspend_cb,
1477 	.set_shutdown		= l2cap_sock_set_shutdown_cb,
1478 	.get_sndtimeo		= l2cap_sock_get_sndtimeo_cb,
1479 	.alloc_skb		= l2cap_sock_alloc_skb_cb,
1480 };
1481 
1482 static void l2cap_sock_destruct(struct sock *sk)
1483 {
1484 	BT_DBG("sk %p", sk);
1485 
1486 	if (l2cap_pi(sk)->chan)
1487 		l2cap_chan_put(l2cap_pi(sk)->chan);
1488 
1489 	if (l2cap_pi(sk)->rx_busy_skb) {
1490 		kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1491 		l2cap_pi(sk)->rx_busy_skb = NULL;
1492 	}
1493 
1494 	skb_queue_purge(&sk->sk_receive_queue);
1495 	skb_queue_purge(&sk->sk_write_queue);
1496 }
1497 
1498 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1499 			       int *msg_namelen)
1500 {
1501 	DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1502 
1503 	memset(la, 0, sizeof(struct sockaddr_l2));
1504 	la->l2_family = AF_BLUETOOTH;
1505 	la->l2_psm = bt_cb(skb)->l2cap.psm;
1506 	bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1507 
1508 	*msg_namelen = sizeof(struct sockaddr_l2);
1509 }
1510 
1511 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1512 {
1513 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1514 
1515 	BT_DBG("sk %p", sk);
1516 
1517 	if (parent) {
1518 		struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1519 
1520 		sk->sk_type = parent->sk_type;
1521 		bt_sk(sk)->flags = bt_sk(parent)->flags;
1522 
1523 		chan->chan_type = pchan->chan_type;
1524 		chan->imtu = pchan->imtu;
1525 		chan->omtu = pchan->omtu;
1526 		chan->conf_state = pchan->conf_state;
1527 		chan->mode = pchan->mode;
1528 		chan->fcs  = pchan->fcs;
1529 		chan->max_tx = pchan->max_tx;
1530 		chan->tx_win = pchan->tx_win;
1531 		chan->tx_win_max = pchan->tx_win_max;
1532 		chan->sec_level = pchan->sec_level;
1533 		chan->flags = pchan->flags;
1534 		chan->tx_credits = pchan->tx_credits;
1535 		chan->rx_credits = pchan->rx_credits;
1536 
1537 		if (chan->chan_type == L2CAP_CHAN_FIXED) {
1538 			chan->scid = pchan->scid;
1539 			chan->dcid = pchan->scid;
1540 		}
1541 
1542 		security_sk_clone(parent, sk);
1543 	} else {
1544 		switch (sk->sk_type) {
1545 		case SOCK_RAW:
1546 			chan->chan_type = L2CAP_CHAN_RAW;
1547 			break;
1548 		case SOCK_DGRAM:
1549 			chan->chan_type = L2CAP_CHAN_CONN_LESS;
1550 			bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1551 			break;
1552 		case SOCK_SEQPACKET:
1553 		case SOCK_STREAM:
1554 			chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1555 			break;
1556 		}
1557 
1558 		chan->imtu = L2CAP_DEFAULT_MTU;
1559 		chan->omtu = 0;
1560 		if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1561 			chan->mode = L2CAP_MODE_ERTM;
1562 			set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1563 		} else {
1564 			chan->mode = L2CAP_MODE_BASIC;
1565 		}
1566 
1567 		l2cap_chan_set_defaults(chan);
1568 	}
1569 
1570 	/* Default config options */
1571 	chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1572 
1573 	chan->data = sk;
1574 	chan->ops = &l2cap_chan_ops;
1575 }
1576 
1577 static struct proto l2cap_proto = {
1578 	.name		= "L2CAP",
1579 	.owner		= THIS_MODULE,
1580 	.obj_size	= sizeof(struct l2cap_pinfo)
1581 };
1582 
1583 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1584 				     int proto, gfp_t prio, int kern)
1585 {
1586 	struct sock *sk;
1587 	struct l2cap_chan *chan;
1588 
1589 	sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern);
1590 	if (!sk)
1591 		return NULL;
1592 
1593 	sock_init_data(sock, sk);
1594 	INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1595 
1596 	sk->sk_destruct = l2cap_sock_destruct;
1597 	sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1598 
1599 	sock_reset_flag(sk, SOCK_ZAPPED);
1600 
1601 	sk->sk_protocol = proto;
1602 	sk->sk_state = BT_OPEN;
1603 
1604 	chan = l2cap_chan_create();
1605 	if (!chan) {
1606 		sk_free(sk);
1607 		return NULL;
1608 	}
1609 
1610 	l2cap_chan_hold(chan);
1611 
1612 	l2cap_pi(sk)->chan = chan;
1613 
1614 	return sk;
1615 }
1616 
1617 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1618 			     int kern)
1619 {
1620 	struct sock *sk;
1621 
1622 	BT_DBG("sock %p", sock);
1623 
1624 	sock->state = SS_UNCONNECTED;
1625 
1626 	if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1627 	    sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1628 		return -ESOCKTNOSUPPORT;
1629 
1630 	if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1631 		return -EPERM;
1632 
1633 	sock->ops = &l2cap_sock_ops;
1634 
1635 	sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1636 	if (!sk)
1637 		return -ENOMEM;
1638 
1639 	l2cap_sock_init(sk, NULL);
1640 	bt_sock_link(&l2cap_sk_list, sk);
1641 	return 0;
1642 }
1643 
1644 static const struct proto_ops l2cap_sock_ops = {
1645 	.family		= PF_BLUETOOTH,
1646 	.owner		= THIS_MODULE,
1647 	.release	= l2cap_sock_release,
1648 	.bind		= l2cap_sock_bind,
1649 	.connect	= l2cap_sock_connect,
1650 	.listen		= l2cap_sock_listen,
1651 	.accept		= l2cap_sock_accept,
1652 	.getname	= l2cap_sock_getname,
1653 	.sendmsg	= l2cap_sock_sendmsg,
1654 	.recvmsg	= l2cap_sock_recvmsg,
1655 	.poll		= bt_sock_poll,
1656 	.ioctl		= bt_sock_ioctl,
1657 	.mmap		= sock_no_mmap,
1658 	.socketpair	= sock_no_socketpair,
1659 	.shutdown	= l2cap_sock_shutdown,
1660 	.setsockopt	= l2cap_sock_setsockopt,
1661 	.getsockopt	= l2cap_sock_getsockopt
1662 };
1663 
1664 static const struct net_proto_family l2cap_sock_family_ops = {
1665 	.family	= PF_BLUETOOTH,
1666 	.owner	= THIS_MODULE,
1667 	.create	= l2cap_sock_create,
1668 };
1669 
1670 int __init l2cap_init_sockets(void)
1671 {
1672 	int err;
1673 
1674 	BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1675 
1676 	err = proto_register(&l2cap_proto, 0);
1677 	if (err < 0)
1678 		return err;
1679 
1680 	err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1681 	if (err < 0) {
1682 		BT_ERR("L2CAP socket registration failed");
1683 		goto error;
1684 	}
1685 
1686 	err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1687 			     NULL);
1688 	if (err < 0) {
1689 		BT_ERR("Failed to create L2CAP proc file");
1690 		bt_sock_unregister(BTPROTO_L2CAP);
1691 		goto error;
1692 	}
1693 
1694 	BT_INFO("L2CAP socket layer initialized");
1695 
1696 	return 0;
1697 
1698 error:
1699 	proto_unregister(&l2cap_proto);
1700 	return err;
1701 }
1702 
1703 void l2cap_cleanup_sockets(void)
1704 {
1705 	bt_procfs_cleanup(&init_net, "l2cap");
1706 	bt_sock_unregister(BTPROTO_L2CAP);
1707 	proto_unregister(&l2cap_proto);
1708 }
1709