xref: /openbmc/linux/net/bluetooth/l2cap_sock.c (revision 92a2c6b2)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4    Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5    Copyright (C) 2010 Google Inc.
6    Copyright (C) 2011 ProFUSION Embedded Systems
7 
8    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9 
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License version 2 as
12    published by the Free Software Foundation;
13 
14    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22 
23    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25    SOFTWARE IS DISCLAIMED.
26 */
27 
28 /* Bluetooth L2CAP sockets. */
29 
30 #include <linux/module.h>
31 #include <linux/export.h>
32 
33 #include <net/bluetooth/bluetooth.h>
34 #include <net/bluetooth/hci_core.h>
35 #include <net/bluetooth/l2cap.h>
36 
37 #include "smp.h"
38 
39 static struct bt_sock_list l2cap_sk_list = {
40 	.lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
41 };
42 
43 static const struct proto_ops l2cap_sock_ops;
44 static void l2cap_sock_init(struct sock *sk, struct sock *parent);
45 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
46 				     int proto, gfp_t prio);
47 
48 bool l2cap_is_socket(struct socket *sock)
49 {
50 	return sock && sock->ops == &l2cap_sock_ops;
51 }
52 EXPORT_SYMBOL(l2cap_is_socket);
53 
54 static int l2cap_validate_bredr_psm(u16 psm)
55 {
56 	/* PSM must be odd and lsb of upper byte must be 0 */
57 	if ((psm & 0x0101) != 0x0001)
58 		return -EINVAL;
59 
60 	/* Restrict usage of well-known PSMs */
61 	if (psm < 0x1001 && !capable(CAP_NET_BIND_SERVICE))
62 		return -EACCES;
63 
64 	return 0;
65 }
66 
67 static int l2cap_validate_le_psm(u16 psm)
68 {
69 	/* Valid LE_PSM ranges are defined only until 0x00ff */
70 	if (psm > 0x00ff)
71 		return -EINVAL;
72 
73 	/* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
74 	if (psm <= 0x007f && !capable(CAP_NET_BIND_SERVICE))
75 		return -EACCES;
76 
77 	return 0;
78 }
79 
80 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
81 {
82 	struct sock *sk = sock->sk;
83 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
84 	struct sockaddr_l2 la;
85 	int len, err = 0;
86 
87 	BT_DBG("sk %p", sk);
88 
89 	if (!addr || addr->sa_family != AF_BLUETOOTH)
90 		return -EINVAL;
91 
92 	memset(&la, 0, sizeof(la));
93 	len = min_t(unsigned int, sizeof(la), alen);
94 	memcpy(&la, addr, len);
95 
96 	if (la.l2_cid && la.l2_psm)
97 		return -EINVAL;
98 
99 	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
100 		return -EINVAL;
101 
102 	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
103 		/* We only allow ATT user space socket */
104 		if (la.l2_cid &&
105 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
106 			return -EINVAL;
107 	}
108 
109 	lock_sock(sk);
110 
111 	if (sk->sk_state != BT_OPEN) {
112 		err = -EBADFD;
113 		goto done;
114 	}
115 
116 	if (la.l2_psm) {
117 		__u16 psm = __le16_to_cpu(la.l2_psm);
118 
119 		if (la.l2_bdaddr_type == BDADDR_BREDR)
120 			err = l2cap_validate_bredr_psm(psm);
121 		else
122 			err = l2cap_validate_le_psm(psm);
123 
124 		if (err)
125 			goto done;
126 	}
127 
128 	if (la.l2_cid)
129 		err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
130 	else
131 		err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
132 
133 	if (err < 0)
134 		goto done;
135 
136 	switch (chan->chan_type) {
137 	case L2CAP_CHAN_CONN_LESS:
138 		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
139 			chan->sec_level = BT_SECURITY_SDP;
140 		break;
141 	case L2CAP_CHAN_CONN_ORIENTED:
142 		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
143 		    __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
144 			chan->sec_level = BT_SECURITY_SDP;
145 		break;
146 	case L2CAP_CHAN_RAW:
147 		chan->sec_level = BT_SECURITY_SDP;
148 		break;
149 	case L2CAP_CHAN_FIXED:
150 		/* Fixed channels default to the L2CAP core not holding a
151 		 * hci_conn reference for them. For fixed channels mapping to
152 		 * L2CAP sockets we do want to hold a reference so set the
153 		 * appropriate flag to request it.
154 		 */
155 		set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
156 		break;
157 	}
158 
159 	bacpy(&chan->src, &la.l2_bdaddr);
160 	chan->src_type = la.l2_bdaddr_type;
161 
162 	if (chan->psm && bdaddr_type_is_le(chan->src_type))
163 		chan->mode = L2CAP_MODE_LE_FLOWCTL;
164 
165 	chan->state = BT_BOUND;
166 	sk->sk_state = BT_BOUND;
167 
168 done:
169 	release_sock(sk);
170 	return err;
171 }
172 
173 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
174 			      int alen, int flags)
175 {
176 	struct sock *sk = sock->sk;
177 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
178 	struct sockaddr_l2 la;
179 	int len, err = 0;
180 
181 	BT_DBG("sk %p", sk);
182 
183 	if (!addr || alen < sizeof(addr->sa_family) ||
184 	    addr->sa_family != AF_BLUETOOTH)
185 		return -EINVAL;
186 
187 	memset(&la, 0, sizeof(la));
188 	len = min_t(unsigned int, sizeof(la), alen);
189 	memcpy(&la, addr, len);
190 
191 	if (la.l2_cid && la.l2_psm)
192 		return -EINVAL;
193 
194 	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
195 		return -EINVAL;
196 
197 	/* Check that the socket wasn't bound to something that
198 	 * conflicts with the address given to connect(). If chan->src
199 	 * is BDADDR_ANY it means bind() was never used, in which case
200 	 * chan->src_type and la.l2_bdaddr_type do not need to match.
201 	 */
202 	if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
203 	    bdaddr_type_is_le(la.l2_bdaddr_type)) {
204 		/* Old user space versions will try to incorrectly bind
205 		 * the ATT socket using BDADDR_BREDR. We need to accept
206 		 * this and fix up the source address type only when
207 		 * both the source CID and destination CID indicate
208 		 * ATT. Anything else is an invalid combination.
209 		 */
210 		if (chan->scid != L2CAP_CID_ATT ||
211 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
212 			return -EINVAL;
213 
214 		/* We don't have the hdev available here to make a
215 		 * better decision on random vs public, but since all
216 		 * user space versions that exhibit this issue anyway do
217 		 * not support random local addresses assuming public
218 		 * here is good enough.
219 		 */
220 		chan->src_type = BDADDR_LE_PUBLIC;
221 	}
222 
223 	if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
224 		return -EINVAL;
225 
226 	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
227 		/* We only allow ATT user space socket */
228 		if (la.l2_cid &&
229 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
230 			return -EINVAL;
231 	}
232 
233 	if (chan->psm && bdaddr_type_is_le(chan->src_type))
234 		chan->mode = L2CAP_MODE_LE_FLOWCTL;
235 
236 	err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
237 				 &la.l2_bdaddr, la.l2_bdaddr_type);
238 	if (err)
239 		return err;
240 
241 	lock_sock(sk);
242 
243 	err = bt_sock_wait_state(sk, BT_CONNECTED,
244 				 sock_sndtimeo(sk, flags & O_NONBLOCK));
245 
246 	release_sock(sk);
247 
248 	return err;
249 }
250 
251 static int l2cap_sock_listen(struct socket *sock, int backlog)
252 {
253 	struct sock *sk = sock->sk;
254 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
255 	int err = 0;
256 
257 	BT_DBG("sk %p backlog %d", sk, backlog);
258 
259 	lock_sock(sk);
260 
261 	if (sk->sk_state != BT_BOUND) {
262 		err = -EBADFD;
263 		goto done;
264 	}
265 
266 	if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
267 		err = -EINVAL;
268 		goto done;
269 	}
270 
271 	switch (chan->mode) {
272 	case L2CAP_MODE_BASIC:
273 	case L2CAP_MODE_LE_FLOWCTL:
274 		break;
275 	case L2CAP_MODE_ERTM:
276 	case L2CAP_MODE_STREAMING:
277 		if (!disable_ertm)
278 			break;
279 		/* fall through */
280 	default:
281 		err = -EOPNOTSUPP;
282 		goto done;
283 	}
284 
285 	sk->sk_max_ack_backlog = backlog;
286 	sk->sk_ack_backlog = 0;
287 
288 	/* Listening channels need to use nested locking in order not to
289 	 * cause lockdep warnings when the created child channels end up
290 	 * being locked in the same thread as the parent channel.
291 	 */
292 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
293 
294 	chan->state = BT_LISTEN;
295 	sk->sk_state = BT_LISTEN;
296 
297 done:
298 	release_sock(sk);
299 	return err;
300 }
301 
302 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
303 			     int flags)
304 {
305 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
306 	struct sock *sk = sock->sk, *nsk;
307 	long timeo;
308 	int err = 0;
309 
310 	lock_sock_nested(sk, L2CAP_NESTING_PARENT);
311 
312 	timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
313 
314 	BT_DBG("sk %p timeo %ld", sk, timeo);
315 
316 	/* Wait for an incoming connection. (wake-one). */
317 	add_wait_queue_exclusive(sk_sleep(sk), &wait);
318 	while (1) {
319 		if (sk->sk_state != BT_LISTEN) {
320 			err = -EBADFD;
321 			break;
322 		}
323 
324 		nsk = bt_accept_dequeue(sk, newsock);
325 		if (nsk)
326 			break;
327 
328 		if (!timeo) {
329 			err = -EAGAIN;
330 			break;
331 		}
332 
333 		if (signal_pending(current)) {
334 			err = sock_intr_errno(timeo);
335 			break;
336 		}
337 
338 		release_sock(sk);
339 
340 		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
341 
342 		lock_sock_nested(sk, L2CAP_NESTING_PARENT);
343 	}
344 	remove_wait_queue(sk_sleep(sk), &wait);
345 
346 	if (err)
347 		goto done;
348 
349 	newsock->state = SS_CONNECTED;
350 
351 	BT_DBG("new socket %p", nsk);
352 
353 done:
354 	release_sock(sk);
355 	return err;
356 }
357 
358 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
359 			      int *len, int peer)
360 {
361 	struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
362 	struct sock *sk = sock->sk;
363 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
364 
365 	BT_DBG("sock %p, sk %p", sock, sk);
366 
367 	if (peer && sk->sk_state != BT_CONNECTED &&
368 	    sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
369 	    sk->sk_state != BT_CONFIG)
370 		return -ENOTCONN;
371 
372 	memset(la, 0, sizeof(struct sockaddr_l2));
373 	addr->sa_family = AF_BLUETOOTH;
374 	*len = sizeof(struct sockaddr_l2);
375 
376 	la->l2_psm = chan->psm;
377 
378 	if (peer) {
379 		bacpy(&la->l2_bdaddr, &chan->dst);
380 		la->l2_cid = cpu_to_le16(chan->dcid);
381 		la->l2_bdaddr_type = chan->dst_type;
382 	} else {
383 		bacpy(&la->l2_bdaddr, &chan->src);
384 		la->l2_cid = cpu_to_le16(chan->scid);
385 		la->l2_bdaddr_type = chan->src_type;
386 	}
387 
388 	return 0;
389 }
390 
391 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
392 				     char __user *optval, int __user *optlen)
393 {
394 	struct sock *sk = sock->sk;
395 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
396 	struct l2cap_options opts;
397 	struct l2cap_conninfo cinfo;
398 	int len, err = 0;
399 	u32 opt;
400 
401 	BT_DBG("sk %p", sk);
402 
403 	if (get_user(len, optlen))
404 		return -EFAULT;
405 
406 	lock_sock(sk);
407 
408 	switch (optname) {
409 	case L2CAP_OPTIONS:
410 		/* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
411 		 * legacy ATT code depends on getsockopt for
412 		 * L2CAP_OPTIONS we need to let this pass.
413 		 */
414 		if (bdaddr_type_is_le(chan->src_type) &&
415 		    chan->scid != L2CAP_CID_ATT) {
416 			err = -EINVAL;
417 			break;
418 		}
419 
420 		memset(&opts, 0, sizeof(opts));
421 		opts.imtu     = chan->imtu;
422 		opts.omtu     = chan->omtu;
423 		opts.flush_to = chan->flush_to;
424 		opts.mode     = chan->mode;
425 		opts.fcs      = chan->fcs;
426 		opts.max_tx   = chan->max_tx;
427 		opts.txwin_size = chan->tx_win;
428 
429 		len = min_t(unsigned int, len, sizeof(opts));
430 		if (copy_to_user(optval, (char *) &opts, len))
431 			err = -EFAULT;
432 
433 		break;
434 
435 	case L2CAP_LM:
436 		switch (chan->sec_level) {
437 		case BT_SECURITY_LOW:
438 			opt = L2CAP_LM_AUTH;
439 			break;
440 		case BT_SECURITY_MEDIUM:
441 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
442 			break;
443 		case BT_SECURITY_HIGH:
444 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
445 			      L2CAP_LM_SECURE;
446 			break;
447 		case BT_SECURITY_FIPS:
448 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
449 			      L2CAP_LM_SECURE | L2CAP_LM_FIPS;
450 			break;
451 		default:
452 			opt = 0;
453 			break;
454 		}
455 
456 		if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
457 			opt |= L2CAP_LM_MASTER;
458 
459 		if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
460 			opt |= L2CAP_LM_RELIABLE;
461 
462 		if (put_user(opt, (u32 __user *) optval))
463 			err = -EFAULT;
464 
465 		break;
466 
467 	case L2CAP_CONNINFO:
468 		if (sk->sk_state != BT_CONNECTED &&
469 		    !(sk->sk_state == BT_CONNECT2 &&
470 		      test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
471 			err = -ENOTCONN;
472 			break;
473 		}
474 
475 		memset(&cinfo, 0, sizeof(cinfo));
476 		cinfo.hci_handle = chan->conn->hcon->handle;
477 		memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
478 
479 		len = min_t(unsigned int, len, sizeof(cinfo));
480 		if (copy_to_user(optval, (char *) &cinfo, len))
481 			err = -EFAULT;
482 
483 		break;
484 
485 	default:
486 		err = -ENOPROTOOPT;
487 		break;
488 	}
489 
490 	release_sock(sk);
491 	return err;
492 }
493 
494 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
495 				 char __user *optval, int __user *optlen)
496 {
497 	struct sock *sk = sock->sk;
498 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
499 	struct bt_security sec;
500 	struct bt_power pwr;
501 	int len, err = 0;
502 
503 	BT_DBG("sk %p", sk);
504 
505 	if (level == SOL_L2CAP)
506 		return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
507 
508 	if (level != SOL_BLUETOOTH)
509 		return -ENOPROTOOPT;
510 
511 	if (get_user(len, optlen))
512 		return -EFAULT;
513 
514 	lock_sock(sk);
515 
516 	switch (optname) {
517 	case BT_SECURITY:
518 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
519 		    chan->chan_type != L2CAP_CHAN_FIXED &&
520 		    chan->chan_type != L2CAP_CHAN_RAW) {
521 			err = -EINVAL;
522 			break;
523 		}
524 
525 		memset(&sec, 0, sizeof(sec));
526 		if (chan->conn) {
527 			sec.level = chan->conn->hcon->sec_level;
528 
529 			if (sk->sk_state == BT_CONNECTED)
530 				sec.key_size = chan->conn->hcon->enc_key_size;
531 		} else {
532 			sec.level = chan->sec_level;
533 		}
534 
535 		len = min_t(unsigned int, len, sizeof(sec));
536 		if (copy_to_user(optval, (char *) &sec, len))
537 			err = -EFAULT;
538 
539 		break;
540 
541 	case BT_DEFER_SETUP:
542 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
543 			err = -EINVAL;
544 			break;
545 		}
546 
547 		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
548 			     (u32 __user *) optval))
549 			err = -EFAULT;
550 
551 		break;
552 
553 	case BT_FLUSHABLE:
554 		if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
555 			     (u32 __user *) optval))
556 			err = -EFAULT;
557 
558 		break;
559 
560 	case BT_POWER:
561 		if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
562 		    && sk->sk_type != SOCK_RAW) {
563 			err = -EINVAL;
564 			break;
565 		}
566 
567 		pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
568 
569 		len = min_t(unsigned int, len, sizeof(pwr));
570 		if (copy_to_user(optval, (char *) &pwr, len))
571 			err = -EFAULT;
572 
573 		break;
574 
575 	case BT_CHANNEL_POLICY:
576 		if (put_user(chan->chan_policy, (u32 __user *) optval))
577 			err = -EFAULT;
578 		break;
579 
580 	case BT_SNDMTU:
581 		if (!bdaddr_type_is_le(chan->src_type)) {
582 			err = -EINVAL;
583 			break;
584 		}
585 
586 		if (sk->sk_state != BT_CONNECTED) {
587 			err = -ENOTCONN;
588 			break;
589 		}
590 
591 		if (put_user(chan->omtu, (u16 __user *) optval))
592 			err = -EFAULT;
593 		break;
594 
595 	case BT_RCVMTU:
596 		if (!bdaddr_type_is_le(chan->src_type)) {
597 			err = -EINVAL;
598 			break;
599 		}
600 
601 		if (put_user(chan->imtu, (u16 __user *) optval))
602 			err = -EFAULT;
603 		break;
604 
605 	default:
606 		err = -ENOPROTOOPT;
607 		break;
608 	}
609 
610 	release_sock(sk);
611 	return err;
612 }
613 
614 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
615 {
616 	switch (chan->scid) {
617 	case L2CAP_CID_ATT:
618 		if (mtu < L2CAP_LE_MIN_MTU)
619 			return false;
620 		break;
621 
622 	default:
623 		if (mtu < L2CAP_DEFAULT_MIN_MTU)
624 			return false;
625 	}
626 
627 	return true;
628 }
629 
630 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
631 				     char __user *optval, unsigned int optlen)
632 {
633 	struct sock *sk = sock->sk;
634 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
635 	struct l2cap_options opts;
636 	int len, err = 0;
637 	u32 opt;
638 
639 	BT_DBG("sk %p", sk);
640 
641 	lock_sock(sk);
642 
643 	switch (optname) {
644 	case L2CAP_OPTIONS:
645 		if (bdaddr_type_is_le(chan->src_type)) {
646 			err = -EINVAL;
647 			break;
648 		}
649 
650 		if (sk->sk_state == BT_CONNECTED) {
651 			err = -EINVAL;
652 			break;
653 		}
654 
655 		opts.imtu     = chan->imtu;
656 		opts.omtu     = chan->omtu;
657 		opts.flush_to = chan->flush_to;
658 		opts.mode     = chan->mode;
659 		opts.fcs      = chan->fcs;
660 		opts.max_tx   = chan->max_tx;
661 		opts.txwin_size = chan->tx_win;
662 
663 		len = min_t(unsigned int, sizeof(opts), optlen);
664 		if (copy_from_user((char *) &opts, optval, len)) {
665 			err = -EFAULT;
666 			break;
667 		}
668 
669 		if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
670 			err = -EINVAL;
671 			break;
672 		}
673 
674 		if (!l2cap_valid_mtu(chan, opts.imtu)) {
675 			err = -EINVAL;
676 			break;
677 		}
678 
679 		chan->mode = opts.mode;
680 		switch (chan->mode) {
681 		case L2CAP_MODE_LE_FLOWCTL:
682 			break;
683 		case L2CAP_MODE_BASIC:
684 			clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
685 			break;
686 		case L2CAP_MODE_ERTM:
687 		case L2CAP_MODE_STREAMING:
688 			if (!disable_ertm)
689 				break;
690 			/* fall through */
691 		default:
692 			err = -EINVAL;
693 			break;
694 		}
695 
696 		chan->imtu = opts.imtu;
697 		chan->omtu = opts.omtu;
698 		chan->fcs  = opts.fcs;
699 		chan->max_tx = opts.max_tx;
700 		chan->tx_win = opts.txwin_size;
701 		chan->flush_to = opts.flush_to;
702 		break;
703 
704 	case L2CAP_LM:
705 		if (get_user(opt, (u32 __user *) optval)) {
706 			err = -EFAULT;
707 			break;
708 		}
709 
710 		if (opt & L2CAP_LM_FIPS) {
711 			err = -EINVAL;
712 			break;
713 		}
714 
715 		if (opt & L2CAP_LM_AUTH)
716 			chan->sec_level = BT_SECURITY_LOW;
717 		if (opt & L2CAP_LM_ENCRYPT)
718 			chan->sec_level = BT_SECURITY_MEDIUM;
719 		if (opt & L2CAP_LM_SECURE)
720 			chan->sec_level = BT_SECURITY_HIGH;
721 
722 		if (opt & L2CAP_LM_MASTER)
723 			set_bit(FLAG_ROLE_SWITCH, &chan->flags);
724 		else
725 			clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
726 
727 		if (opt & L2CAP_LM_RELIABLE)
728 			set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
729 		else
730 			clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
731 		break;
732 
733 	default:
734 		err = -ENOPROTOOPT;
735 		break;
736 	}
737 
738 	release_sock(sk);
739 	return err;
740 }
741 
742 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
743 				 char __user *optval, unsigned int optlen)
744 {
745 	struct sock *sk = sock->sk;
746 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
747 	struct bt_security sec;
748 	struct bt_power pwr;
749 	struct l2cap_conn *conn;
750 	int len, err = 0;
751 	u32 opt;
752 
753 	BT_DBG("sk %p", sk);
754 
755 	if (level == SOL_L2CAP)
756 		return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
757 
758 	if (level != SOL_BLUETOOTH)
759 		return -ENOPROTOOPT;
760 
761 	lock_sock(sk);
762 
763 	switch (optname) {
764 	case BT_SECURITY:
765 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
766 		    chan->chan_type != L2CAP_CHAN_FIXED &&
767 		    chan->chan_type != L2CAP_CHAN_RAW) {
768 			err = -EINVAL;
769 			break;
770 		}
771 
772 		sec.level = BT_SECURITY_LOW;
773 
774 		len = min_t(unsigned int, sizeof(sec), optlen);
775 		if (copy_from_user((char *) &sec, optval, len)) {
776 			err = -EFAULT;
777 			break;
778 		}
779 
780 		if (sec.level < BT_SECURITY_LOW ||
781 		    sec.level > BT_SECURITY_HIGH) {
782 			err = -EINVAL;
783 			break;
784 		}
785 
786 		chan->sec_level = sec.level;
787 
788 		if (!chan->conn)
789 			break;
790 
791 		conn = chan->conn;
792 
793 		/*change security for LE channels */
794 		if (chan->scid == L2CAP_CID_ATT) {
795 			if (smp_conn_security(conn->hcon, sec.level))
796 				break;
797 			set_bit(FLAG_PENDING_SECURITY, &chan->flags);
798 			sk->sk_state = BT_CONFIG;
799 			chan->state = BT_CONFIG;
800 
801 		/* or for ACL link */
802 		} else if ((sk->sk_state == BT_CONNECT2 &&
803 			    test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
804 			   sk->sk_state == BT_CONNECTED) {
805 			if (!l2cap_chan_check_security(chan, true))
806 				set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
807 			else
808 				sk->sk_state_change(sk);
809 		} else {
810 			err = -EINVAL;
811 		}
812 		break;
813 
814 	case BT_DEFER_SETUP:
815 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
816 			err = -EINVAL;
817 			break;
818 		}
819 
820 		if (get_user(opt, (u32 __user *) optval)) {
821 			err = -EFAULT;
822 			break;
823 		}
824 
825 		if (opt) {
826 			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
827 			set_bit(FLAG_DEFER_SETUP, &chan->flags);
828 		} else {
829 			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
830 			clear_bit(FLAG_DEFER_SETUP, &chan->flags);
831 		}
832 		break;
833 
834 	case BT_FLUSHABLE:
835 		if (get_user(opt, (u32 __user *) optval)) {
836 			err = -EFAULT;
837 			break;
838 		}
839 
840 		if (opt > BT_FLUSHABLE_ON) {
841 			err = -EINVAL;
842 			break;
843 		}
844 
845 		if (opt == BT_FLUSHABLE_OFF) {
846 			conn = chan->conn;
847 			/* proceed further only when we have l2cap_conn and
848 			   No Flush support in the LM */
849 			if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
850 				err = -EINVAL;
851 				break;
852 			}
853 		}
854 
855 		if (opt)
856 			set_bit(FLAG_FLUSHABLE, &chan->flags);
857 		else
858 			clear_bit(FLAG_FLUSHABLE, &chan->flags);
859 		break;
860 
861 	case BT_POWER:
862 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
863 		    chan->chan_type != L2CAP_CHAN_RAW) {
864 			err = -EINVAL;
865 			break;
866 		}
867 
868 		pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
869 
870 		len = min_t(unsigned int, sizeof(pwr), optlen);
871 		if (copy_from_user((char *) &pwr, optval, len)) {
872 			err = -EFAULT;
873 			break;
874 		}
875 
876 		if (pwr.force_active)
877 			set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
878 		else
879 			clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
880 		break;
881 
882 	case BT_CHANNEL_POLICY:
883 		if (get_user(opt, (u32 __user *) optval)) {
884 			err = -EFAULT;
885 			break;
886 		}
887 
888 		if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
889 			err = -EINVAL;
890 			break;
891 		}
892 
893 		if (chan->mode != L2CAP_MODE_ERTM &&
894 		    chan->mode != L2CAP_MODE_STREAMING) {
895 			err = -EOPNOTSUPP;
896 			break;
897 		}
898 
899 		chan->chan_policy = (u8) opt;
900 
901 		if (sk->sk_state == BT_CONNECTED &&
902 		    chan->move_role == L2CAP_MOVE_ROLE_NONE)
903 			l2cap_move_start(chan);
904 
905 		break;
906 
907 	case BT_SNDMTU:
908 		if (!bdaddr_type_is_le(chan->src_type)) {
909 			err = -EINVAL;
910 			break;
911 		}
912 
913 		/* Setting is not supported as it's the remote side that
914 		 * decides this.
915 		 */
916 		err = -EPERM;
917 		break;
918 
919 	case BT_RCVMTU:
920 		if (!bdaddr_type_is_le(chan->src_type)) {
921 			err = -EINVAL;
922 			break;
923 		}
924 
925 		if (sk->sk_state == BT_CONNECTED) {
926 			err = -EISCONN;
927 			break;
928 		}
929 
930 		if (get_user(opt, (u32 __user *) optval)) {
931 			err = -EFAULT;
932 			break;
933 		}
934 
935 		chan->imtu = opt;
936 		break;
937 
938 	default:
939 		err = -ENOPROTOOPT;
940 		break;
941 	}
942 
943 	release_sock(sk);
944 	return err;
945 }
946 
947 static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
948 			      struct msghdr *msg, size_t len)
949 {
950 	struct sock *sk = sock->sk;
951 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
952 	int err;
953 
954 	BT_DBG("sock %p, sk %p", sock, sk);
955 
956 	err = sock_error(sk);
957 	if (err)
958 		return err;
959 
960 	if (msg->msg_flags & MSG_OOB)
961 		return -EOPNOTSUPP;
962 
963 	if (sk->sk_state != BT_CONNECTED)
964 		return -ENOTCONN;
965 
966 	lock_sock(sk);
967 	err = bt_sock_wait_ready(sk, msg->msg_flags);
968 	release_sock(sk);
969 	if (err)
970 		return err;
971 
972 	l2cap_chan_lock(chan);
973 	err = l2cap_chan_send(chan, msg, len);
974 	l2cap_chan_unlock(chan);
975 
976 	return err;
977 }
978 
979 static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
980 			      struct msghdr *msg, size_t len, int flags)
981 {
982 	struct sock *sk = sock->sk;
983 	struct l2cap_pinfo *pi = l2cap_pi(sk);
984 	int err;
985 
986 	lock_sock(sk);
987 
988 	if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
989 						    &bt_sk(sk)->flags)) {
990 		if (bdaddr_type_is_le(pi->chan->src_type)) {
991 			sk->sk_state = BT_CONNECTED;
992 			pi->chan->state = BT_CONNECTED;
993 			__l2cap_le_connect_rsp_defer(pi->chan);
994 		} else {
995 			sk->sk_state = BT_CONFIG;
996 			pi->chan->state = BT_CONFIG;
997 			__l2cap_connect_rsp_defer(pi->chan);
998 		}
999 
1000 		err = 0;
1001 		goto done;
1002 	}
1003 
1004 	release_sock(sk);
1005 
1006 	if (sock->type == SOCK_STREAM)
1007 		err = bt_sock_stream_recvmsg(iocb, sock, msg, len, flags);
1008 	else
1009 		err = bt_sock_recvmsg(iocb, sock, msg, len, flags);
1010 
1011 	if (pi->chan->mode != L2CAP_MODE_ERTM)
1012 		return err;
1013 
1014 	/* Attempt to put pending rx data in the socket buffer */
1015 
1016 	lock_sock(sk);
1017 
1018 	if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1019 		goto done;
1020 
1021 	if (pi->rx_busy_skb) {
1022 		if (!sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1023 			pi->rx_busy_skb = NULL;
1024 		else
1025 			goto done;
1026 	}
1027 
1028 	/* Restore data flow when half of the receive buffer is
1029 	 * available.  This avoids resending large numbers of
1030 	 * frames.
1031 	 */
1032 	if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1033 		l2cap_chan_busy(pi->chan, 0);
1034 
1035 done:
1036 	release_sock(sk);
1037 	return err;
1038 }
1039 
1040 /* Kill socket (only if zapped and orphan)
1041  * Must be called on unlocked socket.
1042  */
1043 static void l2cap_sock_kill(struct sock *sk)
1044 {
1045 	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1046 		return;
1047 
1048 	BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1049 
1050 	/* Kill poor orphan */
1051 
1052 	l2cap_chan_put(l2cap_pi(sk)->chan);
1053 	sock_set_flag(sk, SOCK_DEAD);
1054 	sock_put(sk);
1055 }
1056 
1057 static int __l2cap_wait_ack(struct sock *sk)
1058 {
1059 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1060 	DECLARE_WAITQUEUE(wait, current);
1061 	int err = 0;
1062 	int timeo = HZ/5;
1063 
1064 	add_wait_queue(sk_sleep(sk), &wait);
1065 	set_current_state(TASK_INTERRUPTIBLE);
1066 	while (chan->unacked_frames > 0 && chan->conn) {
1067 		if (!timeo)
1068 			timeo = HZ/5;
1069 
1070 		if (signal_pending(current)) {
1071 			err = sock_intr_errno(timeo);
1072 			break;
1073 		}
1074 
1075 		release_sock(sk);
1076 		timeo = schedule_timeout(timeo);
1077 		lock_sock(sk);
1078 		set_current_state(TASK_INTERRUPTIBLE);
1079 
1080 		err = sock_error(sk);
1081 		if (err)
1082 			break;
1083 	}
1084 	set_current_state(TASK_RUNNING);
1085 	remove_wait_queue(sk_sleep(sk), &wait);
1086 	return err;
1087 }
1088 
1089 static int l2cap_sock_shutdown(struct socket *sock, int how)
1090 {
1091 	struct sock *sk = sock->sk;
1092 	struct l2cap_chan *chan;
1093 	struct l2cap_conn *conn;
1094 	int err = 0;
1095 
1096 	BT_DBG("sock %p, sk %p", sock, sk);
1097 
1098 	if (!sk)
1099 		return 0;
1100 
1101 	chan = l2cap_pi(sk)->chan;
1102 	conn = chan->conn;
1103 
1104 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1105 
1106 	if (conn)
1107 		mutex_lock(&conn->chan_lock);
1108 
1109 	l2cap_chan_lock(chan);
1110 	lock_sock(sk);
1111 
1112 	if (!sk->sk_shutdown) {
1113 		if (chan->mode == L2CAP_MODE_ERTM)
1114 			err = __l2cap_wait_ack(sk);
1115 
1116 		sk->sk_shutdown = SHUTDOWN_MASK;
1117 
1118 		release_sock(sk);
1119 		l2cap_chan_close(chan, 0);
1120 		lock_sock(sk);
1121 
1122 		if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1123 		    !(current->flags & PF_EXITING))
1124 			err = bt_sock_wait_state(sk, BT_CLOSED,
1125 						 sk->sk_lingertime);
1126 	}
1127 
1128 	if (!err && sk->sk_err)
1129 		err = -sk->sk_err;
1130 
1131 	release_sock(sk);
1132 	l2cap_chan_unlock(chan);
1133 
1134 	if (conn)
1135 		mutex_unlock(&conn->chan_lock);
1136 
1137 	return err;
1138 }
1139 
1140 static int l2cap_sock_release(struct socket *sock)
1141 {
1142 	struct sock *sk = sock->sk;
1143 	int err;
1144 
1145 	BT_DBG("sock %p, sk %p", sock, sk);
1146 
1147 	if (!sk)
1148 		return 0;
1149 
1150 	bt_sock_unlink(&l2cap_sk_list, sk);
1151 
1152 	err = l2cap_sock_shutdown(sock, 2);
1153 
1154 	sock_orphan(sk);
1155 	l2cap_sock_kill(sk);
1156 	return err;
1157 }
1158 
1159 static void l2cap_sock_cleanup_listen(struct sock *parent)
1160 {
1161 	struct sock *sk;
1162 
1163 	BT_DBG("parent %p state %s", parent,
1164 	       state_to_string(parent->sk_state));
1165 
1166 	/* Close not yet accepted channels */
1167 	while ((sk = bt_accept_dequeue(parent, NULL))) {
1168 		struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1169 
1170 		BT_DBG("child chan %p state %s", chan,
1171 		       state_to_string(chan->state));
1172 
1173 		l2cap_chan_lock(chan);
1174 		__clear_chan_timer(chan);
1175 		l2cap_chan_close(chan, ECONNRESET);
1176 		l2cap_chan_unlock(chan);
1177 
1178 		l2cap_sock_kill(sk);
1179 	}
1180 }
1181 
1182 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1183 {
1184 	struct sock *sk, *parent = chan->data;
1185 
1186 	lock_sock(parent);
1187 
1188 	/* Check for backlog size */
1189 	if (sk_acceptq_is_full(parent)) {
1190 		BT_DBG("backlog full %d", parent->sk_ack_backlog);
1191 		release_sock(parent);
1192 		return NULL;
1193 	}
1194 
1195 	sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1196 			      GFP_ATOMIC);
1197 	if (!sk) {
1198 		release_sock(parent);
1199 		return NULL;
1200         }
1201 
1202 	bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1203 
1204 	l2cap_sock_init(sk, parent);
1205 
1206 	bt_accept_enqueue(parent, sk);
1207 
1208 	release_sock(parent);
1209 
1210 	return l2cap_pi(sk)->chan;
1211 }
1212 
1213 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1214 {
1215 	struct sock *sk = chan->data;
1216 	int err;
1217 
1218 	lock_sock(sk);
1219 
1220 	if (l2cap_pi(sk)->rx_busy_skb) {
1221 		err = -ENOMEM;
1222 		goto done;
1223 	}
1224 
1225 	err = sock_queue_rcv_skb(sk, skb);
1226 
1227 	/* For ERTM, handle one skb that doesn't fit into the recv
1228 	 * buffer.  This is important to do because the data frames
1229 	 * have already been acked, so the skb cannot be discarded.
1230 	 *
1231 	 * Notify the l2cap core that the buffer is full, so the
1232 	 * LOCAL_BUSY state is entered and no more frames are
1233 	 * acked and reassembled until there is buffer space
1234 	 * available.
1235 	 */
1236 	if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1237 		l2cap_pi(sk)->rx_busy_skb = skb;
1238 		l2cap_chan_busy(chan, 1);
1239 		err = 0;
1240 	}
1241 
1242 done:
1243 	release_sock(sk);
1244 
1245 	return err;
1246 }
1247 
1248 static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1249 {
1250 	struct sock *sk = chan->data;
1251 
1252 	l2cap_sock_kill(sk);
1253 }
1254 
1255 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1256 {
1257 	struct sock *sk = chan->data;
1258 	struct sock *parent;
1259 
1260 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1261 
1262 	/* This callback can be called both for server (BT_LISTEN)
1263 	 * sockets as well as "normal" ones. To avoid lockdep warnings
1264 	 * with child socket locking (through l2cap_sock_cleanup_listen)
1265 	 * we need separation into separate nesting levels. The simplest
1266 	 * way to accomplish this is to inherit the nesting level used
1267 	 * for the channel.
1268 	 */
1269 	lock_sock_nested(sk, atomic_read(&chan->nesting));
1270 
1271 	parent = bt_sk(sk)->parent;
1272 
1273 	sock_set_flag(sk, SOCK_ZAPPED);
1274 
1275 	switch (chan->state) {
1276 	case BT_OPEN:
1277 	case BT_BOUND:
1278 	case BT_CLOSED:
1279 		break;
1280 	case BT_LISTEN:
1281 		l2cap_sock_cleanup_listen(sk);
1282 		sk->sk_state = BT_CLOSED;
1283 		chan->state = BT_CLOSED;
1284 
1285 		break;
1286 	default:
1287 		sk->sk_state = BT_CLOSED;
1288 		chan->state = BT_CLOSED;
1289 
1290 		sk->sk_err = err;
1291 
1292 		if (parent) {
1293 			bt_accept_unlink(sk);
1294 			parent->sk_data_ready(parent);
1295 		} else {
1296 			sk->sk_state_change(sk);
1297 		}
1298 
1299 		break;
1300 	}
1301 
1302 	release_sock(sk);
1303 }
1304 
1305 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1306 				       int err)
1307 {
1308 	struct sock *sk = chan->data;
1309 
1310 	sk->sk_state = state;
1311 
1312 	if (err)
1313 		sk->sk_err = err;
1314 }
1315 
1316 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1317 					       unsigned long hdr_len,
1318 					       unsigned long len, int nb)
1319 {
1320 	struct sock *sk = chan->data;
1321 	struct sk_buff *skb;
1322 	int err;
1323 
1324 	l2cap_chan_unlock(chan);
1325 	skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1326 	l2cap_chan_lock(chan);
1327 
1328 	if (!skb)
1329 		return ERR_PTR(err);
1330 
1331 	skb->priority = sk->sk_priority;
1332 
1333 	bt_cb(skb)->chan = chan;
1334 
1335 	return skb;
1336 }
1337 
1338 static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1339 {
1340 	struct sock *sk = chan->data;
1341 	struct sock *parent;
1342 
1343 	lock_sock(sk);
1344 
1345 	parent = bt_sk(sk)->parent;
1346 
1347 	BT_DBG("sk %p, parent %p", sk, parent);
1348 
1349 	sk->sk_state = BT_CONNECTED;
1350 	sk->sk_state_change(sk);
1351 
1352 	if (parent)
1353 		parent->sk_data_ready(parent);
1354 
1355 	release_sock(sk);
1356 }
1357 
1358 static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1359 {
1360 	struct sock *parent, *sk = chan->data;
1361 
1362 	lock_sock(sk);
1363 
1364 	parent = bt_sk(sk)->parent;
1365 	if (parent)
1366 		parent->sk_data_ready(parent);
1367 
1368 	release_sock(sk);
1369 }
1370 
1371 static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1372 {
1373 	struct sock *sk = chan->data;
1374 
1375 	if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1376 		sk->sk_state = BT_CONNECTED;
1377 		chan->state = BT_CONNECTED;
1378 	}
1379 
1380 	clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1381 	sk->sk_state_change(sk);
1382 }
1383 
1384 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1385 {
1386 	struct sock *sk = chan->data;
1387 
1388 	lock_sock(sk);
1389 	sk->sk_shutdown = SHUTDOWN_MASK;
1390 	release_sock(sk);
1391 }
1392 
1393 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1394 {
1395 	struct sock *sk = chan->data;
1396 
1397 	return sk->sk_sndtimeo;
1398 }
1399 
1400 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1401 {
1402 	struct sock *sk = chan->data;
1403 
1404 	set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1405 	sk->sk_state_change(sk);
1406 }
1407 
1408 static const struct l2cap_ops l2cap_chan_ops = {
1409 	.name			= "L2CAP Socket Interface",
1410 	.new_connection		= l2cap_sock_new_connection_cb,
1411 	.recv			= l2cap_sock_recv_cb,
1412 	.close			= l2cap_sock_close_cb,
1413 	.teardown		= l2cap_sock_teardown_cb,
1414 	.state_change		= l2cap_sock_state_change_cb,
1415 	.ready			= l2cap_sock_ready_cb,
1416 	.defer			= l2cap_sock_defer_cb,
1417 	.resume			= l2cap_sock_resume_cb,
1418 	.suspend		= l2cap_sock_suspend_cb,
1419 	.set_shutdown		= l2cap_sock_set_shutdown_cb,
1420 	.get_sndtimeo		= l2cap_sock_get_sndtimeo_cb,
1421 	.alloc_skb		= l2cap_sock_alloc_skb_cb,
1422 };
1423 
1424 static void l2cap_sock_destruct(struct sock *sk)
1425 {
1426 	BT_DBG("sk %p", sk);
1427 
1428 	if (l2cap_pi(sk)->chan)
1429 		l2cap_chan_put(l2cap_pi(sk)->chan);
1430 
1431 	if (l2cap_pi(sk)->rx_busy_skb) {
1432 		kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1433 		l2cap_pi(sk)->rx_busy_skb = NULL;
1434 	}
1435 
1436 	skb_queue_purge(&sk->sk_receive_queue);
1437 	skb_queue_purge(&sk->sk_write_queue);
1438 }
1439 
1440 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1441 			       int *msg_namelen)
1442 {
1443 	DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1444 
1445 	memset(la, 0, sizeof(struct sockaddr_l2));
1446 	la->l2_family = AF_BLUETOOTH;
1447 	la->l2_psm = bt_cb(skb)->psm;
1448 	bacpy(&la->l2_bdaddr, &bt_cb(skb)->bdaddr);
1449 
1450 	*msg_namelen = sizeof(struct sockaddr_l2);
1451 }
1452 
1453 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1454 {
1455 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1456 
1457 	BT_DBG("sk %p", sk);
1458 
1459 	if (parent) {
1460 		struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1461 
1462 		sk->sk_type = parent->sk_type;
1463 		bt_sk(sk)->flags = bt_sk(parent)->flags;
1464 
1465 		chan->chan_type = pchan->chan_type;
1466 		chan->imtu = pchan->imtu;
1467 		chan->omtu = pchan->omtu;
1468 		chan->conf_state = pchan->conf_state;
1469 		chan->mode = pchan->mode;
1470 		chan->fcs  = pchan->fcs;
1471 		chan->max_tx = pchan->max_tx;
1472 		chan->tx_win = pchan->tx_win;
1473 		chan->tx_win_max = pchan->tx_win_max;
1474 		chan->sec_level = pchan->sec_level;
1475 		chan->flags = pchan->flags;
1476 		chan->tx_credits = pchan->tx_credits;
1477 		chan->rx_credits = pchan->rx_credits;
1478 
1479 		if (chan->chan_type == L2CAP_CHAN_FIXED) {
1480 			chan->scid = pchan->scid;
1481 			chan->dcid = pchan->scid;
1482 		}
1483 
1484 		security_sk_clone(parent, sk);
1485 	} else {
1486 		switch (sk->sk_type) {
1487 		case SOCK_RAW:
1488 			chan->chan_type = L2CAP_CHAN_RAW;
1489 			break;
1490 		case SOCK_DGRAM:
1491 			chan->chan_type = L2CAP_CHAN_CONN_LESS;
1492 			bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1493 			break;
1494 		case SOCK_SEQPACKET:
1495 		case SOCK_STREAM:
1496 			chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1497 			break;
1498 		}
1499 
1500 		chan->imtu = L2CAP_DEFAULT_MTU;
1501 		chan->omtu = 0;
1502 		if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1503 			chan->mode = L2CAP_MODE_ERTM;
1504 			set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1505 		} else {
1506 			chan->mode = L2CAP_MODE_BASIC;
1507 		}
1508 
1509 		l2cap_chan_set_defaults(chan);
1510 	}
1511 
1512 	/* Default config options */
1513 	chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1514 
1515 	chan->data = sk;
1516 	chan->ops = &l2cap_chan_ops;
1517 }
1518 
1519 static struct proto l2cap_proto = {
1520 	.name		= "L2CAP",
1521 	.owner		= THIS_MODULE,
1522 	.obj_size	= sizeof(struct l2cap_pinfo)
1523 };
1524 
1525 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1526 				     int proto, gfp_t prio)
1527 {
1528 	struct sock *sk;
1529 	struct l2cap_chan *chan;
1530 
1531 	sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1532 	if (!sk)
1533 		return NULL;
1534 
1535 	sock_init_data(sock, sk);
1536 	INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1537 
1538 	sk->sk_destruct = l2cap_sock_destruct;
1539 	sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1540 
1541 	sock_reset_flag(sk, SOCK_ZAPPED);
1542 
1543 	sk->sk_protocol = proto;
1544 	sk->sk_state = BT_OPEN;
1545 
1546 	chan = l2cap_chan_create();
1547 	if (!chan) {
1548 		sk_free(sk);
1549 		return NULL;
1550 	}
1551 
1552 	l2cap_chan_hold(chan);
1553 
1554 	l2cap_pi(sk)->chan = chan;
1555 
1556 	return sk;
1557 }
1558 
1559 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1560 			     int kern)
1561 {
1562 	struct sock *sk;
1563 
1564 	BT_DBG("sock %p", sock);
1565 
1566 	sock->state = SS_UNCONNECTED;
1567 
1568 	if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1569 	    sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1570 		return -ESOCKTNOSUPPORT;
1571 
1572 	if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1573 		return -EPERM;
1574 
1575 	sock->ops = &l2cap_sock_ops;
1576 
1577 	sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
1578 	if (!sk)
1579 		return -ENOMEM;
1580 
1581 	l2cap_sock_init(sk, NULL);
1582 	bt_sock_link(&l2cap_sk_list, sk);
1583 	return 0;
1584 }
1585 
1586 static const struct proto_ops l2cap_sock_ops = {
1587 	.family		= PF_BLUETOOTH,
1588 	.owner		= THIS_MODULE,
1589 	.release	= l2cap_sock_release,
1590 	.bind		= l2cap_sock_bind,
1591 	.connect	= l2cap_sock_connect,
1592 	.listen		= l2cap_sock_listen,
1593 	.accept		= l2cap_sock_accept,
1594 	.getname	= l2cap_sock_getname,
1595 	.sendmsg	= l2cap_sock_sendmsg,
1596 	.recvmsg	= l2cap_sock_recvmsg,
1597 	.poll		= bt_sock_poll,
1598 	.ioctl		= bt_sock_ioctl,
1599 	.mmap		= sock_no_mmap,
1600 	.socketpair	= sock_no_socketpair,
1601 	.shutdown	= l2cap_sock_shutdown,
1602 	.setsockopt	= l2cap_sock_setsockopt,
1603 	.getsockopt	= l2cap_sock_getsockopt
1604 };
1605 
1606 static const struct net_proto_family l2cap_sock_family_ops = {
1607 	.family	= PF_BLUETOOTH,
1608 	.owner	= THIS_MODULE,
1609 	.create	= l2cap_sock_create,
1610 };
1611 
1612 int __init l2cap_init_sockets(void)
1613 {
1614 	int err;
1615 
1616 	BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1617 
1618 	err = proto_register(&l2cap_proto, 0);
1619 	if (err < 0)
1620 		return err;
1621 
1622 	err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1623 	if (err < 0) {
1624 		BT_ERR("L2CAP socket registration failed");
1625 		goto error;
1626 	}
1627 
1628 	err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1629 			     NULL);
1630 	if (err < 0) {
1631 		BT_ERR("Failed to create L2CAP proc file");
1632 		bt_sock_unregister(BTPROTO_L2CAP);
1633 		goto error;
1634 	}
1635 
1636 	BT_INFO("L2CAP socket layer initialized");
1637 
1638 	return 0;
1639 
1640 error:
1641 	proto_unregister(&l2cap_proto);
1642 	return err;
1643 }
1644 
1645 void l2cap_cleanup_sockets(void)
1646 {
1647 	bt_procfs_cleanup(&init_net, "l2cap");
1648 	bt_sock_unregister(BTPROTO_L2CAP);
1649 	proto_unregister(&l2cap_proto);
1650 }
1651