xref: /openbmc/linux/net/bluetooth/l2cap_sock.c (revision f5ad1c74)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4    Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5    Copyright (C) 2010 Google Inc.
6    Copyright (C) 2011 ProFUSION Embedded Systems
7 
8    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9 
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License version 2 as
12    published by the Free Software Foundation;
13 
14    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22 
23    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25    SOFTWARE IS DISCLAIMED.
26 */
27 
28 /* Bluetooth L2CAP sockets. */
29 
30 #include <linux/module.h>
31 #include <linux/export.h>
32 #include <linux/sched/signal.h>
33 
34 #include <net/bluetooth/bluetooth.h>
35 #include <net/bluetooth/hci_core.h>
36 #include <net/bluetooth/l2cap.h>
37 
38 #include "smp.h"
39 
40 static struct bt_sock_list l2cap_sk_list = {
41 	.lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
42 };
43 
44 static const struct proto_ops l2cap_sock_ops;
45 static void l2cap_sock_init(struct sock *sk, struct sock *parent);
46 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
47 				     int proto, gfp_t prio, int kern);
48 
49 bool l2cap_is_socket(struct socket *sock)
50 {
51 	return sock && sock->ops == &l2cap_sock_ops;
52 }
53 EXPORT_SYMBOL(l2cap_is_socket);
54 
55 static int l2cap_validate_bredr_psm(u16 psm)
56 {
57 	/* PSM must be odd and lsb of upper byte must be 0 */
58 	if ((psm & 0x0101) != 0x0001)
59 		return -EINVAL;
60 
61 	/* Restrict usage of well-known PSMs */
62 	if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
63 		return -EACCES;
64 
65 	return 0;
66 }
67 
68 static int l2cap_validate_le_psm(u16 psm)
69 {
70 	/* Valid LE_PSM ranges are defined only until 0x00ff */
71 	if (psm > L2CAP_PSM_LE_DYN_END)
72 		return -EINVAL;
73 
74 	/* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
75 	if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
76 		return -EACCES;
77 
78 	return 0;
79 }
80 
81 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
82 {
83 	struct sock *sk = sock->sk;
84 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
85 	struct sockaddr_l2 la;
86 	int len, err = 0;
87 
88 	BT_DBG("sk %p", sk);
89 
90 	if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
91 	    addr->sa_family != AF_BLUETOOTH)
92 		return -EINVAL;
93 
94 	memset(&la, 0, sizeof(la));
95 	len = min_t(unsigned int, sizeof(la), alen);
96 	memcpy(&la, addr, len);
97 
98 	if (la.l2_cid && la.l2_psm)
99 		return -EINVAL;
100 
101 	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
102 		return -EINVAL;
103 
104 	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
105 		/* We only allow ATT user space socket */
106 		if (la.l2_cid &&
107 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
108 			return -EINVAL;
109 	}
110 
111 	lock_sock(sk);
112 
113 	if (sk->sk_state != BT_OPEN) {
114 		err = -EBADFD;
115 		goto done;
116 	}
117 
118 	if (la.l2_psm) {
119 		__u16 psm = __le16_to_cpu(la.l2_psm);
120 
121 		if (la.l2_bdaddr_type == BDADDR_BREDR)
122 			err = l2cap_validate_bredr_psm(psm);
123 		else
124 			err = l2cap_validate_le_psm(psm);
125 
126 		if (err)
127 			goto done;
128 	}
129 
130 	bacpy(&chan->src, &la.l2_bdaddr);
131 	chan->src_type = la.l2_bdaddr_type;
132 
133 	if (la.l2_cid)
134 		err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
135 	else
136 		err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
137 
138 	if (err < 0)
139 		goto done;
140 
141 	switch (chan->chan_type) {
142 	case L2CAP_CHAN_CONN_LESS:
143 		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
144 			chan->sec_level = BT_SECURITY_SDP;
145 		break;
146 	case L2CAP_CHAN_CONN_ORIENTED:
147 		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
148 		    __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
149 			chan->sec_level = BT_SECURITY_SDP;
150 		break;
151 	case L2CAP_CHAN_RAW:
152 		chan->sec_level = BT_SECURITY_SDP;
153 		break;
154 	case L2CAP_CHAN_FIXED:
155 		/* Fixed channels default to the L2CAP core not holding a
156 		 * hci_conn reference for them. For fixed channels mapping to
157 		 * L2CAP sockets we do want to hold a reference so set the
158 		 * appropriate flag to request it.
159 		 */
160 		set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
161 		break;
162 	}
163 
164 	if (chan->psm && bdaddr_type_is_le(chan->src_type))
165 		chan->mode = L2CAP_MODE_LE_FLOWCTL;
166 
167 	chan->state = BT_BOUND;
168 	sk->sk_state = BT_BOUND;
169 
170 done:
171 	release_sock(sk);
172 	return err;
173 }
174 
175 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
176 			      int alen, int flags)
177 {
178 	struct sock *sk = sock->sk;
179 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
180 	struct sockaddr_l2 la;
181 	int len, err = 0;
182 
183 	BT_DBG("sk %p", sk);
184 
185 	if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
186 	    addr->sa_family != AF_BLUETOOTH)
187 		return -EINVAL;
188 
189 	memset(&la, 0, sizeof(la));
190 	len = min_t(unsigned int, sizeof(la), alen);
191 	memcpy(&la, addr, len);
192 
193 	if (la.l2_cid && la.l2_psm)
194 		return -EINVAL;
195 
196 	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
197 		return -EINVAL;
198 
199 	/* Check that the socket wasn't bound to something that
200 	 * conflicts with the address given to connect(). If chan->src
201 	 * is BDADDR_ANY it means bind() was never used, in which case
202 	 * chan->src_type and la.l2_bdaddr_type do not need to match.
203 	 */
204 	if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
205 	    bdaddr_type_is_le(la.l2_bdaddr_type)) {
206 		/* Old user space versions will try to incorrectly bind
207 		 * the ATT socket using BDADDR_BREDR. We need to accept
208 		 * this and fix up the source address type only when
209 		 * both the source CID and destination CID indicate
210 		 * ATT. Anything else is an invalid combination.
211 		 */
212 		if (chan->scid != L2CAP_CID_ATT ||
213 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
214 			return -EINVAL;
215 
216 		/* We don't have the hdev available here to make a
217 		 * better decision on random vs public, but since all
218 		 * user space versions that exhibit this issue anyway do
219 		 * not support random local addresses assuming public
220 		 * here is good enough.
221 		 */
222 		chan->src_type = BDADDR_LE_PUBLIC;
223 	}
224 
225 	if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
226 		return -EINVAL;
227 
228 	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
229 		/* We only allow ATT user space socket */
230 		if (la.l2_cid &&
231 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
232 			return -EINVAL;
233 	}
234 
235 	if (chan->psm && bdaddr_type_is_le(chan->src_type) && !chan->mode)
236 		chan->mode = L2CAP_MODE_LE_FLOWCTL;
237 
238 	err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
239 				 &la.l2_bdaddr, la.l2_bdaddr_type);
240 	if (err)
241 		return err;
242 
243 	lock_sock(sk);
244 
245 	err = bt_sock_wait_state(sk, BT_CONNECTED,
246 				 sock_sndtimeo(sk, flags & O_NONBLOCK));
247 
248 	release_sock(sk);
249 
250 	return err;
251 }
252 
253 static int l2cap_sock_listen(struct socket *sock, int backlog)
254 {
255 	struct sock *sk = sock->sk;
256 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
257 	int err = 0;
258 
259 	BT_DBG("sk %p backlog %d", sk, backlog);
260 
261 	lock_sock(sk);
262 
263 	if (sk->sk_state != BT_BOUND) {
264 		err = -EBADFD;
265 		goto done;
266 	}
267 
268 	if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
269 		err = -EINVAL;
270 		goto done;
271 	}
272 
273 	switch (chan->mode) {
274 	case L2CAP_MODE_BASIC:
275 	case L2CAP_MODE_LE_FLOWCTL:
276 		break;
277 	case L2CAP_MODE_EXT_FLOWCTL:
278 		if (!enable_ecred) {
279 			err = -EOPNOTSUPP;
280 			goto done;
281 		}
282 		break;
283 	case L2CAP_MODE_ERTM:
284 	case L2CAP_MODE_STREAMING:
285 		if (!disable_ertm)
286 			break;
287 		fallthrough;
288 	default:
289 		err = -EOPNOTSUPP;
290 		goto done;
291 	}
292 
293 	sk->sk_max_ack_backlog = backlog;
294 	sk->sk_ack_backlog = 0;
295 
296 	/* Listening channels need to use nested locking in order not to
297 	 * cause lockdep warnings when the created child channels end up
298 	 * being locked in the same thread as the parent channel.
299 	 */
300 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
301 
302 	chan->state = BT_LISTEN;
303 	sk->sk_state = BT_LISTEN;
304 
305 done:
306 	release_sock(sk);
307 	return err;
308 }
309 
310 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
311 			     int flags, bool kern)
312 {
313 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
314 	struct sock *sk = sock->sk, *nsk;
315 	long timeo;
316 	int err = 0;
317 
318 	lock_sock_nested(sk, L2CAP_NESTING_PARENT);
319 
320 	timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
321 
322 	BT_DBG("sk %p timeo %ld", sk, timeo);
323 
324 	/* Wait for an incoming connection. (wake-one). */
325 	add_wait_queue_exclusive(sk_sleep(sk), &wait);
326 	while (1) {
327 		if (sk->sk_state != BT_LISTEN) {
328 			err = -EBADFD;
329 			break;
330 		}
331 
332 		nsk = bt_accept_dequeue(sk, newsock);
333 		if (nsk)
334 			break;
335 
336 		if (!timeo) {
337 			err = -EAGAIN;
338 			break;
339 		}
340 
341 		if (signal_pending(current)) {
342 			err = sock_intr_errno(timeo);
343 			break;
344 		}
345 
346 		release_sock(sk);
347 
348 		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
349 
350 		lock_sock_nested(sk, L2CAP_NESTING_PARENT);
351 	}
352 	remove_wait_queue(sk_sleep(sk), &wait);
353 
354 	if (err)
355 		goto done;
356 
357 	newsock->state = SS_CONNECTED;
358 
359 	BT_DBG("new socket %p", nsk);
360 
361 done:
362 	release_sock(sk);
363 	return err;
364 }
365 
366 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
367 			      int peer)
368 {
369 	struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
370 	struct sock *sk = sock->sk;
371 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
372 
373 	BT_DBG("sock %p, sk %p", sock, sk);
374 
375 	if (peer && sk->sk_state != BT_CONNECTED &&
376 	    sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
377 	    sk->sk_state != BT_CONFIG)
378 		return -ENOTCONN;
379 
380 	memset(la, 0, sizeof(struct sockaddr_l2));
381 	addr->sa_family = AF_BLUETOOTH;
382 
383 	la->l2_psm = chan->psm;
384 
385 	if (peer) {
386 		bacpy(&la->l2_bdaddr, &chan->dst);
387 		la->l2_cid = cpu_to_le16(chan->dcid);
388 		la->l2_bdaddr_type = chan->dst_type;
389 	} else {
390 		bacpy(&la->l2_bdaddr, &chan->src);
391 		la->l2_cid = cpu_to_le16(chan->scid);
392 		la->l2_bdaddr_type = chan->src_type;
393 	}
394 
395 	return sizeof(struct sockaddr_l2);
396 }
397 
398 static int l2cap_get_mode(struct l2cap_chan *chan)
399 {
400 	switch (chan->mode) {
401 	case L2CAP_MODE_BASIC:
402 		return BT_MODE_BASIC;
403 	case L2CAP_MODE_ERTM:
404 		return BT_MODE_ERTM;
405 	case L2CAP_MODE_STREAMING:
406 		return BT_MODE_STREAMING;
407 	case L2CAP_MODE_LE_FLOWCTL:
408 		return BT_MODE_LE_FLOWCTL;
409 	case L2CAP_MODE_EXT_FLOWCTL:
410 		return BT_MODE_EXT_FLOWCTL;
411 	}
412 
413 	return -EINVAL;
414 }
415 
416 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
417 				     char __user *optval, int __user *optlen)
418 {
419 	struct sock *sk = sock->sk;
420 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
421 	struct l2cap_options opts;
422 	struct l2cap_conninfo cinfo;
423 	int len, err = 0;
424 	u32 opt;
425 
426 	BT_DBG("sk %p", sk);
427 
428 	if (get_user(len, optlen))
429 		return -EFAULT;
430 
431 	lock_sock(sk);
432 
433 	switch (optname) {
434 	case L2CAP_OPTIONS:
435 		/* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
436 		 * legacy ATT code depends on getsockopt for
437 		 * L2CAP_OPTIONS we need to let this pass.
438 		 */
439 		if (bdaddr_type_is_le(chan->src_type) &&
440 		    chan->scid != L2CAP_CID_ATT) {
441 			err = -EINVAL;
442 			break;
443 		}
444 
445 		/* Only BR/EDR modes are supported here */
446 		switch (chan->mode) {
447 		case L2CAP_MODE_BASIC:
448 		case L2CAP_MODE_ERTM:
449 		case L2CAP_MODE_STREAMING:
450 			break;
451 		default:
452 			err = -EINVAL;
453 			break;
454 		}
455 
456 		if (err < 0)
457 			break;
458 
459 		memset(&opts, 0, sizeof(opts));
460 		opts.imtu     = chan->imtu;
461 		opts.omtu     = chan->omtu;
462 		opts.flush_to = chan->flush_to;
463 		opts.mode     = chan->mode;
464 		opts.fcs      = chan->fcs;
465 		opts.max_tx   = chan->max_tx;
466 		opts.txwin_size = chan->tx_win;
467 
468 		BT_DBG("mode 0x%2.2x", chan->mode);
469 
470 		len = min_t(unsigned int, len, sizeof(opts));
471 		if (copy_to_user(optval, (char *) &opts, len))
472 			err = -EFAULT;
473 
474 		break;
475 
476 	case L2CAP_LM:
477 		switch (chan->sec_level) {
478 		case BT_SECURITY_LOW:
479 			opt = L2CAP_LM_AUTH;
480 			break;
481 		case BT_SECURITY_MEDIUM:
482 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
483 			break;
484 		case BT_SECURITY_HIGH:
485 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
486 			      L2CAP_LM_SECURE;
487 			break;
488 		case BT_SECURITY_FIPS:
489 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
490 			      L2CAP_LM_SECURE | L2CAP_LM_FIPS;
491 			break;
492 		default:
493 			opt = 0;
494 			break;
495 		}
496 
497 		if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
498 			opt |= L2CAP_LM_MASTER;
499 
500 		if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
501 			opt |= L2CAP_LM_RELIABLE;
502 
503 		if (put_user(opt, (u32 __user *) optval))
504 			err = -EFAULT;
505 
506 		break;
507 
508 	case L2CAP_CONNINFO:
509 		if (sk->sk_state != BT_CONNECTED &&
510 		    !(sk->sk_state == BT_CONNECT2 &&
511 		      test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
512 			err = -ENOTCONN;
513 			break;
514 		}
515 
516 		memset(&cinfo, 0, sizeof(cinfo));
517 		cinfo.hci_handle = chan->conn->hcon->handle;
518 		memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
519 
520 		len = min_t(unsigned int, len, sizeof(cinfo));
521 		if (copy_to_user(optval, (char *) &cinfo, len))
522 			err = -EFAULT;
523 
524 		break;
525 
526 	default:
527 		err = -ENOPROTOOPT;
528 		break;
529 	}
530 
531 	release_sock(sk);
532 	return err;
533 }
534 
535 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
536 				 char __user *optval, int __user *optlen)
537 {
538 	struct sock *sk = sock->sk;
539 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
540 	struct bt_security sec;
541 	struct bt_power pwr;
542 	u32 phys;
543 	int len, mode, err = 0;
544 
545 	BT_DBG("sk %p", sk);
546 
547 	if (level == SOL_L2CAP)
548 		return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
549 
550 	if (level != SOL_BLUETOOTH)
551 		return -ENOPROTOOPT;
552 
553 	if (get_user(len, optlen))
554 		return -EFAULT;
555 
556 	lock_sock(sk);
557 
558 	switch (optname) {
559 	case BT_SECURITY:
560 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
561 		    chan->chan_type != L2CAP_CHAN_FIXED &&
562 		    chan->chan_type != L2CAP_CHAN_RAW) {
563 			err = -EINVAL;
564 			break;
565 		}
566 
567 		memset(&sec, 0, sizeof(sec));
568 		if (chan->conn) {
569 			sec.level = chan->conn->hcon->sec_level;
570 
571 			if (sk->sk_state == BT_CONNECTED)
572 				sec.key_size = chan->conn->hcon->enc_key_size;
573 		} else {
574 			sec.level = chan->sec_level;
575 		}
576 
577 		len = min_t(unsigned int, len, sizeof(sec));
578 		if (copy_to_user(optval, (char *) &sec, len))
579 			err = -EFAULT;
580 
581 		break;
582 
583 	case BT_DEFER_SETUP:
584 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
585 			err = -EINVAL;
586 			break;
587 		}
588 
589 		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
590 			     (u32 __user *) optval))
591 			err = -EFAULT;
592 
593 		break;
594 
595 	case BT_FLUSHABLE:
596 		if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
597 			     (u32 __user *) optval))
598 			err = -EFAULT;
599 
600 		break;
601 
602 	case BT_POWER:
603 		if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
604 		    && sk->sk_type != SOCK_RAW) {
605 			err = -EINVAL;
606 			break;
607 		}
608 
609 		pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
610 
611 		len = min_t(unsigned int, len, sizeof(pwr));
612 		if (copy_to_user(optval, (char *) &pwr, len))
613 			err = -EFAULT;
614 
615 		break;
616 
617 	case BT_CHANNEL_POLICY:
618 		if (put_user(chan->chan_policy, (u32 __user *) optval))
619 			err = -EFAULT;
620 		break;
621 
622 	case BT_SNDMTU:
623 		if (!bdaddr_type_is_le(chan->src_type)) {
624 			err = -EINVAL;
625 			break;
626 		}
627 
628 		if (sk->sk_state != BT_CONNECTED) {
629 			err = -ENOTCONN;
630 			break;
631 		}
632 
633 		if (put_user(chan->omtu, (u16 __user *) optval))
634 			err = -EFAULT;
635 		break;
636 
637 	case BT_RCVMTU:
638 		if (!bdaddr_type_is_le(chan->src_type)) {
639 			err = -EINVAL;
640 			break;
641 		}
642 
643 		if (put_user(chan->imtu, (u16 __user *) optval))
644 			err = -EFAULT;
645 		break;
646 
647 	case BT_PHY:
648 		if (sk->sk_state != BT_CONNECTED) {
649 			err = -ENOTCONN;
650 			break;
651 		}
652 
653 		phys = hci_conn_get_phy(chan->conn->hcon);
654 
655 		if (put_user(phys, (u32 __user *) optval))
656 			err = -EFAULT;
657 		break;
658 
659 	case BT_MODE:
660 		if (!enable_ecred) {
661 			err = -ENOPROTOOPT;
662 			break;
663 		}
664 
665 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
666 			err = -EINVAL;
667 			break;
668 		}
669 
670 		mode = l2cap_get_mode(chan);
671 		if (mode < 0) {
672 			err = mode;
673 			break;
674 		}
675 
676 		if (put_user(mode, (u8 __user *) optval))
677 			err = -EFAULT;
678 		break;
679 
680 	default:
681 		err = -ENOPROTOOPT;
682 		break;
683 	}
684 
685 	release_sock(sk);
686 	return err;
687 }
688 
689 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
690 {
691 	switch (chan->scid) {
692 	case L2CAP_CID_ATT:
693 		if (mtu < L2CAP_LE_MIN_MTU)
694 			return false;
695 		break;
696 
697 	default:
698 		if (mtu < L2CAP_DEFAULT_MIN_MTU)
699 			return false;
700 	}
701 
702 	return true;
703 }
704 
705 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
706 				     sockptr_t optval, unsigned int optlen)
707 {
708 	struct sock *sk = sock->sk;
709 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
710 	struct l2cap_options opts;
711 	int len, err = 0;
712 	u32 opt;
713 
714 	BT_DBG("sk %p", sk);
715 
716 	lock_sock(sk);
717 
718 	switch (optname) {
719 	case L2CAP_OPTIONS:
720 		if (bdaddr_type_is_le(chan->src_type)) {
721 			err = -EINVAL;
722 			break;
723 		}
724 
725 		if (sk->sk_state == BT_CONNECTED) {
726 			err = -EINVAL;
727 			break;
728 		}
729 
730 		opts.imtu     = chan->imtu;
731 		opts.omtu     = chan->omtu;
732 		opts.flush_to = chan->flush_to;
733 		opts.mode     = chan->mode;
734 		opts.fcs      = chan->fcs;
735 		opts.max_tx   = chan->max_tx;
736 		opts.txwin_size = chan->tx_win;
737 
738 		len = min_t(unsigned int, sizeof(opts), optlen);
739 		if (copy_from_sockptr(&opts, optval, len)) {
740 			err = -EFAULT;
741 			break;
742 		}
743 
744 		if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
745 			err = -EINVAL;
746 			break;
747 		}
748 
749 		if (!l2cap_valid_mtu(chan, opts.imtu)) {
750 			err = -EINVAL;
751 			break;
752 		}
753 
754 		/* Only BR/EDR modes are supported here */
755 		switch (opts.mode) {
756 		case L2CAP_MODE_BASIC:
757 			clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
758 			break;
759 		case L2CAP_MODE_ERTM:
760 		case L2CAP_MODE_STREAMING:
761 			if (!disable_ertm)
762 				break;
763 			fallthrough;
764 		default:
765 			err = -EINVAL;
766 			break;
767 		}
768 
769 		if (err < 0)
770 			break;
771 
772 		chan->mode = opts.mode;
773 
774 		BT_DBG("mode 0x%2.2x", chan->mode);
775 
776 		chan->imtu = opts.imtu;
777 		chan->omtu = opts.omtu;
778 		chan->fcs  = opts.fcs;
779 		chan->max_tx = opts.max_tx;
780 		chan->tx_win = opts.txwin_size;
781 		chan->flush_to = opts.flush_to;
782 		break;
783 
784 	case L2CAP_LM:
785 		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
786 			err = -EFAULT;
787 			break;
788 		}
789 
790 		if (opt & L2CAP_LM_FIPS) {
791 			err = -EINVAL;
792 			break;
793 		}
794 
795 		if (opt & L2CAP_LM_AUTH)
796 			chan->sec_level = BT_SECURITY_LOW;
797 		if (opt & L2CAP_LM_ENCRYPT)
798 			chan->sec_level = BT_SECURITY_MEDIUM;
799 		if (opt & L2CAP_LM_SECURE)
800 			chan->sec_level = BT_SECURITY_HIGH;
801 
802 		if (opt & L2CAP_LM_MASTER)
803 			set_bit(FLAG_ROLE_SWITCH, &chan->flags);
804 		else
805 			clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
806 
807 		if (opt & L2CAP_LM_RELIABLE)
808 			set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
809 		else
810 			clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
811 		break;
812 
813 	default:
814 		err = -ENOPROTOOPT;
815 		break;
816 	}
817 
818 	release_sock(sk);
819 	return err;
820 }
821 
822 static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode)
823 {
824 	switch (mode) {
825 	case BT_MODE_BASIC:
826 		if (bdaddr_type_is_le(chan->src_type))
827 			return -EINVAL;
828 		mode = L2CAP_MODE_BASIC;
829 		clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
830 		break;
831 	case BT_MODE_ERTM:
832 		if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
833 			return -EINVAL;
834 		mode = L2CAP_MODE_ERTM;
835 		break;
836 	case BT_MODE_STREAMING:
837 		if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
838 			return -EINVAL;
839 		mode = L2CAP_MODE_STREAMING;
840 		break;
841 	case BT_MODE_LE_FLOWCTL:
842 		if (!bdaddr_type_is_le(chan->src_type))
843 			return -EINVAL;
844 		mode = L2CAP_MODE_LE_FLOWCTL;
845 		break;
846 	case BT_MODE_EXT_FLOWCTL:
847 		/* TODO: Add support for ECRED PDUs to BR/EDR */
848 		if (!bdaddr_type_is_le(chan->src_type))
849 			return -EINVAL;
850 		mode = L2CAP_MODE_EXT_FLOWCTL;
851 		break;
852 	default:
853 		return -EINVAL;
854 	}
855 
856 	chan->mode = mode;
857 
858 	return 0;
859 }
860 
861 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
862 				 sockptr_t optval, unsigned int optlen)
863 {
864 	struct sock *sk = sock->sk;
865 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
866 	struct bt_security sec;
867 	struct bt_power pwr;
868 	struct l2cap_conn *conn;
869 	int len, err = 0;
870 	u32 opt;
871 
872 	BT_DBG("sk %p", sk);
873 
874 	if (level == SOL_L2CAP)
875 		return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
876 
877 	if (level != SOL_BLUETOOTH)
878 		return -ENOPROTOOPT;
879 
880 	lock_sock(sk);
881 
882 	switch (optname) {
883 	case BT_SECURITY:
884 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
885 		    chan->chan_type != L2CAP_CHAN_FIXED &&
886 		    chan->chan_type != L2CAP_CHAN_RAW) {
887 			err = -EINVAL;
888 			break;
889 		}
890 
891 		sec.level = BT_SECURITY_LOW;
892 
893 		len = min_t(unsigned int, sizeof(sec), optlen);
894 		if (copy_from_sockptr(&sec, optval, len)) {
895 			err = -EFAULT;
896 			break;
897 		}
898 
899 		if (sec.level < BT_SECURITY_LOW ||
900 		    sec.level > BT_SECURITY_FIPS) {
901 			err = -EINVAL;
902 			break;
903 		}
904 
905 		chan->sec_level = sec.level;
906 
907 		if (!chan->conn)
908 			break;
909 
910 		conn = chan->conn;
911 
912 		/* change security for LE channels */
913 		if (chan->scid == L2CAP_CID_ATT) {
914 			if (smp_conn_security(conn->hcon, sec.level)) {
915 				err = -EINVAL;
916 				break;
917 			}
918 
919 			set_bit(FLAG_PENDING_SECURITY, &chan->flags);
920 			sk->sk_state = BT_CONFIG;
921 			chan->state = BT_CONFIG;
922 
923 		/* or for ACL link */
924 		} else if ((sk->sk_state == BT_CONNECT2 &&
925 			    test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
926 			   sk->sk_state == BT_CONNECTED) {
927 			if (!l2cap_chan_check_security(chan, true))
928 				set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
929 			else
930 				sk->sk_state_change(sk);
931 		} else {
932 			err = -EINVAL;
933 		}
934 		break;
935 
936 	case BT_DEFER_SETUP:
937 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
938 			err = -EINVAL;
939 			break;
940 		}
941 
942 		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
943 			err = -EFAULT;
944 			break;
945 		}
946 
947 		if (opt) {
948 			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
949 			set_bit(FLAG_DEFER_SETUP, &chan->flags);
950 		} else {
951 			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
952 			clear_bit(FLAG_DEFER_SETUP, &chan->flags);
953 		}
954 		break;
955 
956 	case BT_FLUSHABLE:
957 		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
958 			err = -EFAULT;
959 			break;
960 		}
961 
962 		if (opt > BT_FLUSHABLE_ON) {
963 			err = -EINVAL;
964 			break;
965 		}
966 
967 		if (opt == BT_FLUSHABLE_OFF) {
968 			conn = chan->conn;
969 			/* proceed further only when we have l2cap_conn and
970 			   No Flush support in the LM */
971 			if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
972 				err = -EINVAL;
973 				break;
974 			}
975 		}
976 
977 		if (opt)
978 			set_bit(FLAG_FLUSHABLE, &chan->flags);
979 		else
980 			clear_bit(FLAG_FLUSHABLE, &chan->flags);
981 		break;
982 
983 	case BT_POWER:
984 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
985 		    chan->chan_type != L2CAP_CHAN_RAW) {
986 			err = -EINVAL;
987 			break;
988 		}
989 
990 		pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
991 
992 		len = min_t(unsigned int, sizeof(pwr), optlen);
993 		if (copy_from_sockptr(&pwr, optval, len)) {
994 			err = -EFAULT;
995 			break;
996 		}
997 
998 		if (pwr.force_active)
999 			set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1000 		else
1001 			clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1002 		break;
1003 
1004 	case BT_CHANNEL_POLICY:
1005 		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
1006 			err = -EFAULT;
1007 			break;
1008 		}
1009 
1010 		if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
1011 			err = -EINVAL;
1012 			break;
1013 		}
1014 
1015 		if (chan->mode != L2CAP_MODE_ERTM &&
1016 		    chan->mode != L2CAP_MODE_STREAMING) {
1017 			err = -EOPNOTSUPP;
1018 			break;
1019 		}
1020 
1021 		chan->chan_policy = (u8) opt;
1022 
1023 		if (sk->sk_state == BT_CONNECTED &&
1024 		    chan->move_role == L2CAP_MOVE_ROLE_NONE)
1025 			l2cap_move_start(chan);
1026 
1027 		break;
1028 
1029 	case BT_SNDMTU:
1030 		if (!bdaddr_type_is_le(chan->src_type)) {
1031 			err = -EINVAL;
1032 			break;
1033 		}
1034 
1035 		/* Setting is not supported as it's the remote side that
1036 		 * decides this.
1037 		 */
1038 		err = -EPERM;
1039 		break;
1040 
1041 	case BT_RCVMTU:
1042 		if (!bdaddr_type_is_le(chan->src_type)) {
1043 			err = -EINVAL;
1044 			break;
1045 		}
1046 
1047 		if (chan->mode == L2CAP_MODE_LE_FLOWCTL &&
1048 		    sk->sk_state == BT_CONNECTED) {
1049 			err = -EISCONN;
1050 			break;
1051 		}
1052 
1053 		if (copy_from_sockptr(&opt, optval, sizeof(u16))) {
1054 			err = -EFAULT;
1055 			break;
1056 		}
1057 
1058 		if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
1059 		    sk->sk_state == BT_CONNECTED)
1060 			err = l2cap_chan_reconfigure(chan, opt);
1061 		else
1062 			chan->imtu = opt;
1063 
1064 		break;
1065 
1066 	case BT_MODE:
1067 		if (!enable_ecred) {
1068 			err = -ENOPROTOOPT;
1069 			break;
1070 		}
1071 
1072 		BT_DBG("sk->sk_state %u", sk->sk_state);
1073 
1074 		if (sk->sk_state != BT_BOUND) {
1075 			err = -EINVAL;
1076 			break;
1077 		}
1078 
1079 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1080 			err = -EINVAL;
1081 			break;
1082 		}
1083 
1084 		if (copy_from_sockptr(&opt, optval, sizeof(u8))) {
1085 			err = -EFAULT;
1086 			break;
1087 		}
1088 
1089 		BT_DBG("opt %u", opt);
1090 
1091 		err = l2cap_set_mode(chan, opt);
1092 		if (err)
1093 			break;
1094 
1095 		BT_DBG("mode 0x%2.2x", chan->mode);
1096 
1097 		break;
1098 
1099 	default:
1100 		err = -ENOPROTOOPT;
1101 		break;
1102 	}
1103 
1104 	release_sock(sk);
1105 	return err;
1106 }
1107 
1108 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1109 			      size_t len)
1110 {
1111 	struct sock *sk = sock->sk;
1112 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1113 	int err;
1114 
1115 	BT_DBG("sock %p, sk %p", sock, sk);
1116 
1117 	err = sock_error(sk);
1118 	if (err)
1119 		return err;
1120 
1121 	if (msg->msg_flags & MSG_OOB)
1122 		return -EOPNOTSUPP;
1123 
1124 	if (sk->sk_state != BT_CONNECTED)
1125 		return -ENOTCONN;
1126 
1127 	lock_sock(sk);
1128 	err = bt_sock_wait_ready(sk, msg->msg_flags);
1129 	release_sock(sk);
1130 	if (err)
1131 		return err;
1132 
1133 	l2cap_chan_lock(chan);
1134 	err = l2cap_chan_send(chan, msg, len);
1135 	l2cap_chan_unlock(chan);
1136 
1137 	return err;
1138 }
1139 
1140 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1141 			      size_t len, int flags)
1142 {
1143 	struct sock *sk = sock->sk;
1144 	struct l2cap_pinfo *pi = l2cap_pi(sk);
1145 	int err;
1146 
1147 	lock_sock(sk);
1148 
1149 	if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
1150 						    &bt_sk(sk)->flags)) {
1151 		if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
1152 			sk->sk_state = BT_CONNECTED;
1153 			pi->chan->state = BT_CONNECTED;
1154 			__l2cap_ecred_conn_rsp_defer(pi->chan);
1155 		} else if (bdaddr_type_is_le(pi->chan->src_type)) {
1156 			sk->sk_state = BT_CONNECTED;
1157 			pi->chan->state = BT_CONNECTED;
1158 			__l2cap_le_connect_rsp_defer(pi->chan);
1159 		} else {
1160 			sk->sk_state = BT_CONFIG;
1161 			pi->chan->state = BT_CONFIG;
1162 			__l2cap_connect_rsp_defer(pi->chan);
1163 		}
1164 
1165 		err = 0;
1166 		goto done;
1167 	}
1168 
1169 	release_sock(sk);
1170 
1171 	if (sock->type == SOCK_STREAM)
1172 		err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1173 	else
1174 		err = bt_sock_recvmsg(sock, msg, len, flags);
1175 
1176 	if (pi->chan->mode != L2CAP_MODE_ERTM)
1177 		return err;
1178 
1179 	/* Attempt to put pending rx data in the socket buffer */
1180 
1181 	lock_sock(sk);
1182 
1183 	if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1184 		goto done;
1185 
1186 	if (pi->rx_busy_skb) {
1187 		if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1188 			pi->rx_busy_skb = NULL;
1189 		else
1190 			goto done;
1191 	}
1192 
1193 	/* Restore data flow when half of the receive buffer is
1194 	 * available.  This avoids resending large numbers of
1195 	 * frames.
1196 	 */
1197 	if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1198 		l2cap_chan_busy(pi->chan, 0);
1199 
1200 done:
1201 	release_sock(sk);
1202 	return err;
1203 }
1204 
1205 /* Kill socket (only if zapped and orphan)
1206  * Must be called on unlocked socket, with l2cap channel lock.
1207  */
1208 static void l2cap_sock_kill(struct sock *sk)
1209 {
1210 	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1211 		return;
1212 
1213 	BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1214 
1215 	/* Kill poor orphan */
1216 
1217 	l2cap_chan_put(l2cap_pi(sk)->chan);
1218 	sock_set_flag(sk, SOCK_DEAD);
1219 	sock_put(sk);
1220 }
1221 
1222 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1223 {
1224 	DECLARE_WAITQUEUE(wait, current);
1225 	int err = 0;
1226 	int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1227 	/* Timeout to prevent infinite loop */
1228 	unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1229 
1230 	add_wait_queue(sk_sleep(sk), &wait);
1231 	set_current_state(TASK_INTERRUPTIBLE);
1232 	do {
1233 		BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1234 		       chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1235 		       jiffies_to_msecs(timeout - jiffies));
1236 
1237 		if (!timeo)
1238 			timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1239 
1240 		if (signal_pending(current)) {
1241 			err = sock_intr_errno(timeo);
1242 			break;
1243 		}
1244 
1245 		release_sock(sk);
1246 		timeo = schedule_timeout(timeo);
1247 		lock_sock(sk);
1248 		set_current_state(TASK_INTERRUPTIBLE);
1249 
1250 		err = sock_error(sk);
1251 		if (err)
1252 			break;
1253 
1254 		if (time_after(jiffies, timeout)) {
1255 			err = -ENOLINK;
1256 			break;
1257 		}
1258 
1259 	} while (chan->unacked_frames > 0 &&
1260 		 chan->state == BT_CONNECTED);
1261 
1262 	set_current_state(TASK_RUNNING);
1263 	remove_wait_queue(sk_sleep(sk), &wait);
1264 	return err;
1265 }
1266 
1267 static int l2cap_sock_shutdown(struct socket *sock, int how)
1268 {
1269 	struct sock *sk = sock->sk;
1270 	struct l2cap_chan *chan;
1271 	struct l2cap_conn *conn;
1272 	int err = 0;
1273 
1274 	BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1275 
1276 	/* 'how' parameter is mapped to sk_shutdown as follows:
1277 	 * SHUT_RD   (0) --> RCV_SHUTDOWN  (1)
1278 	 * SHUT_WR   (1) --> SEND_SHUTDOWN (2)
1279 	 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3)
1280 	 */
1281 	how++;
1282 
1283 	if (!sk)
1284 		return 0;
1285 
1286 	lock_sock(sk);
1287 
1288 	if ((sk->sk_shutdown & how) == how)
1289 		goto shutdown_already;
1290 
1291 	BT_DBG("Handling sock shutdown");
1292 
1293 	/* prevent sk structure from being freed whilst unlocked */
1294 	sock_hold(sk);
1295 
1296 	chan = l2cap_pi(sk)->chan;
1297 	/* prevent chan structure from being freed whilst unlocked */
1298 	l2cap_chan_hold(chan);
1299 
1300 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1301 
1302 	if (chan->mode == L2CAP_MODE_ERTM &&
1303 	    chan->unacked_frames > 0 &&
1304 	    chan->state == BT_CONNECTED) {
1305 		err = __l2cap_wait_ack(sk, chan);
1306 
1307 		/* After waiting for ACKs, check whether shutdown
1308 		 * has already been actioned to close the L2CAP
1309 		 * link such as by l2cap_disconnection_req().
1310 		 */
1311 		if ((sk->sk_shutdown & how) == how)
1312 			goto shutdown_matched;
1313 	}
1314 
1315 	/* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN
1316 	 * is already set
1317 	 */
1318 	if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) {
1319 		sk->sk_shutdown |= RCV_SHUTDOWN;
1320 		if ((sk->sk_shutdown & how) == how)
1321 			goto shutdown_matched;
1322 	}
1323 
1324 	sk->sk_shutdown |= SEND_SHUTDOWN;
1325 	release_sock(sk);
1326 
1327 	l2cap_chan_lock(chan);
1328 	conn = chan->conn;
1329 	if (conn)
1330 		/* prevent conn structure from being freed */
1331 		l2cap_conn_get(conn);
1332 	l2cap_chan_unlock(chan);
1333 
1334 	if (conn)
1335 		/* mutex lock must be taken before l2cap_chan_lock() */
1336 		mutex_lock(&conn->chan_lock);
1337 
1338 	l2cap_chan_lock(chan);
1339 	l2cap_chan_close(chan, 0);
1340 	l2cap_chan_unlock(chan);
1341 
1342 	if (conn) {
1343 		mutex_unlock(&conn->chan_lock);
1344 		l2cap_conn_put(conn);
1345 	}
1346 
1347 	lock_sock(sk);
1348 
1349 	if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1350 	    !(current->flags & PF_EXITING))
1351 		err = bt_sock_wait_state(sk, BT_CLOSED,
1352 					 sk->sk_lingertime);
1353 
1354 shutdown_matched:
1355 	l2cap_chan_put(chan);
1356 	sock_put(sk);
1357 
1358 shutdown_already:
1359 	if (!err && sk->sk_err)
1360 		err = -sk->sk_err;
1361 
1362 	release_sock(sk);
1363 
1364 	BT_DBG("Sock shutdown complete err: %d", err);
1365 
1366 	return err;
1367 }
1368 
1369 static int l2cap_sock_release(struct socket *sock)
1370 {
1371 	struct sock *sk = sock->sk;
1372 	int err;
1373 	struct l2cap_chan *chan;
1374 
1375 	BT_DBG("sock %p, sk %p", sock, sk);
1376 
1377 	if (!sk)
1378 		return 0;
1379 
1380 	bt_sock_unlink(&l2cap_sk_list, sk);
1381 
1382 	err = l2cap_sock_shutdown(sock, SHUT_RDWR);
1383 	chan = l2cap_pi(sk)->chan;
1384 
1385 	l2cap_chan_hold(chan);
1386 	l2cap_chan_lock(chan);
1387 
1388 	sock_orphan(sk);
1389 	l2cap_sock_kill(sk);
1390 
1391 	l2cap_chan_unlock(chan);
1392 	l2cap_chan_put(chan);
1393 
1394 	return err;
1395 }
1396 
1397 static void l2cap_sock_cleanup_listen(struct sock *parent)
1398 {
1399 	struct sock *sk;
1400 
1401 	BT_DBG("parent %p state %s", parent,
1402 	       state_to_string(parent->sk_state));
1403 
1404 	/* Close not yet accepted channels */
1405 	while ((sk = bt_accept_dequeue(parent, NULL))) {
1406 		struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1407 
1408 		BT_DBG("child chan %p state %s", chan,
1409 		       state_to_string(chan->state));
1410 
1411 		l2cap_chan_hold(chan);
1412 		l2cap_chan_lock(chan);
1413 
1414 		__clear_chan_timer(chan);
1415 		l2cap_chan_close(chan, ECONNRESET);
1416 		l2cap_sock_kill(sk);
1417 
1418 		l2cap_chan_unlock(chan);
1419 		l2cap_chan_put(chan);
1420 	}
1421 }
1422 
1423 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1424 {
1425 	struct sock *sk, *parent = chan->data;
1426 
1427 	lock_sock(parent);
1428 
1429 	/* Check for backlog size */
1430 	if (sk_acceptq_is_full(parent)) {
1431 		BT_DBG("backlog full %d", parent->sk_ack_backlog);
1432 		release_sock(parent);
1433 		return NULL;
1434 	}
1435 
1436 	sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1437 			      GFP_ATOMIC, 0);
1438 	if (!sk) {
1439 		release_sock(parent);
1440 		return NULL;
1441         }
1442 
1443 	bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1444 
1445 	l2cap_sock_init(sk, parent);
1446 
1447 	bt_accept_enqueue(parent, sk, false);
1448 
1449 	release_sock(parent);
1450 
1451 	return l2cap_pi(sk)->chan;
1452 }
1453 
1454 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1455 {
1456 	struct sock *sk = chan->data;
1457 	int err;
1458 
1459 	lock_sock(sk);
1460 
1461 	if (l2cap_pi(sk)->rx_busy_skb) {
1462 		err = -ENOMEM;
1463 		goto done;
1464 	}
1465 
1466 	if (chan->mode != L2CAP_MODE_ERTM &&
1467 	    chan->mode != L2CAP_MODE_STREAMING) {
1468 		/* Even if no filter is attached, we could potentially
1469 		 * get errors from security modules, etc.
1470 		 */
1471 		err = sk_filter(sk, skb);
1472 		if (err)
1473 			goto done;
1474 	}
1475 
1476 	err = __sock_queue_rcv_skb(sk, skb);
1477 
1478 	/* For ERTM, handle one skb that doesn't fit into the recv
1479 	 * buffer.  This is important to do because the data frames
1480 	 * have already been acked, so the skb cannot be discarded.
1481 	 *
1482 	 * Notify the l2cap core that the buffer is full, so the
1483 	 * LOCAL_BUSY state is entered and no more frames are
1484 	 * acked and reassembled until there is buffer space
1485 	 * available.
1486 	 */
1487 	if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1488 		l2cap_pi(sk)->rx_busy_skb = skb;
1489 		l2cap_chan_busy(chan, 1);
1490 		err = 0;
1491 	}
1492 
1493 done:
1494 	release_sock(sk);
1495 
1496 	return err;
1497 }
1498 
1499 static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1500 {
1501 	struct sock *sk = chan->data;
1502 
1503 	l2cap_sock_kill(sk);
1504 }
1505 
1506 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1507 {
1508 	struct sock *sk = chan->data;
1509 	struct sock *parent;
1510 
1511 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1512 
1513 	/* This callback can be called both for server (BT_LISTEN)
1514 	 * sockets as well as "normal" ones. To avoid lockdep warnings
1515 	 * with child socket locking (through l2cap_sock_cleanup_listen)
1516 	 * we need separation into separate nesting levels. The simplest
1517 	 * way to accomplish this is to inherit the nesting level used
1518 	 * for the channel.
1519 	 */
1520 	lock_sock_nested(sk, atomic_read(&chan->nesting));
1521 
1522 	parent = bt_sk(sk)->parent;
1523 
1524 	switch (chan->state) {
1525 	case BT_OPEN:
1526 	case BT_BOUND:
1527 	case BT_CLOSED:
1528 		break;
1529 	case BT_LISTEN:
1530 		l2cap_sock_cleanup_listen(sk);
1531 		sk->sk_state = BT_CLOSED;
1532 		chan->state = BT_CLOSED;
1533 
1534 		break;
1535 	default:
1536 		sk->sk_state = BT_CLOSED;
1537 		chan->state = BT_CLOSED;
1538 
1539 		sk->sk_err = err;
1540 
1541 		if (parent) {
1542 			bt_accept_unlink(sk);
1543 			parent->sk_data_ready(parent);
1544 		} else {
1545 			sk->sk_state_change(sk);
1546 		}
1547 
1548 		break;
1549 	}
1550 	release_sock(sk);
1551 
1552 	/* Only zap after cleanup to avoid use after free race */
1553 	sock_set_flag(sk, SOCK_ZAPPED);
1554 
1555 }
1556 
1557 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1558 				       int err)
1559 {
1560 	struct sock *sk = chan->data;
1561 
1562 	sk->sk_state = state;
1563 
1564 	if (err)
1565 		sk->sk_err = err;
1566 }
1567 
1568 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1569 					       unsigned long hdr_len,
1570 					       unsigned long len, int nb)
1571 {
1572 	struct sock *sk = chan->data;
1573 	struct sk_buff *skb;
1574 	int err;
1575 
1576 	l2cap_chan_unlock(chan);
1577 	skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1578 	l2cap_chan_lock(chan);
1579 
1580 	if (!skb)
1581 		return ERR_PTR(err);
1582 
1583 	skb->priority = sk->sk_priority;
1584 
1585 	bt_cb(skb)->l2cap.chan = chan;
1586 
1587 	return skb;
1588 }
1589 
1590 static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1591 {
1592 	struct sock *sk = chan->data;
1593 	struct sock *parent;
1594 
1595 	lock_sock(sk);
1596 
1597 	parent = bt_sk(sk)->parent;
1598 
1599 	BT_DBG("sk %p, parent %p", sk, parent);
1600 
1601 	sk->sk_state = BT_CONNECTED;
1602 	sk->sk_state_change(sk);
1603 
1604 	if (parent)
1605 		parent->sk_data_ready(parent);
1606 
1607 	release_sock(sk);
1608 }
1609 
1610 static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1611 {
1612 	struct sock *parent, *sk = chan->data;
1613 
1614 	lock_sock(sk);
1615 
1616 	parent = bt_sk(sk)->parent;
1617 	if (parent)
1618 		parent->sk_data_ready(parent);
1619 
1620 	release_sock(sk);
1621 }
1622 
1623 static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1624 {
1625 	struct sock *sk = chan->data;
1626 
1627 	if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1628 		sk->sk_state = BT_CONNECTED;
1629 		chan->state = BT_CONNECTED;
1630 	}
1631 
1632 	clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1633 	sk->sk_state_change(sk);
1634 }
1635 
1636 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1637 {
1638 	struct sock *sk = chan->data;
1639 
1640 	lock_sock(sk);
1641 	sk->sk_shutdown = SHUTDOWN_MASK;
1642 	release_sock(sk);
1643 }
1644 
1645 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1646 {
1647 	struct sock *sk = chan->data;
1648 
1649 	return sk->sk_sndtimeo;
1650 }
1651 
1652 static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan)
1653 {
1654 	struct sock *sk = chan->data;
1655 
1656 	return sk->sk_peer_pid;
1657 }
1658 
1659 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1660 {
1661 	struct sock *sk = chan->data;
1662 
1663 	set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1664 	sk->sk_state_change(sk);
1665 }
1666 
1667 static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
1668 {
1669 	struct sock *sk = chan->data;
1670 
1671 	switch (chan->mode) {
1672 	case L2CAP_MODE_ERTM:
1673 	case L2CAP_MODE_STREAMING:
1674 		return sk_filter(sk, skb);
1675 	}
1676 
1677 	return 0;
1678 }
1679 
1680 static const struct l2cap_ops l2cap_chan_ops = {
1681 	.name			= "L2CAP Socket Interface",
1682 	.new_connection		= l2cap_sock_new_connection_cb,
1683 	.recv			= l2cap_sock_recv_cb,
1684 	.close			= l2cap_sock_close_cb,
1685 	.teardown		= l2cap_sock_teardown_cb,
1686 	.state_change		= l2cap_sock_state_change_cb,
1687 	.ready			= l2cap_sock_ready_cb,
1688 	.defer			= l2cap_sock_defer_cb,
1689 	.resume			= l2cap_sock_resume_cb,
1690 	.suspend		= l2cap_sock_suspend_cb,
1691 	.set_shutdown		= l2cap_sock_set_shutdown_cb,
1692 	.get_sndtimeo		= l2cap_sock_get_sndtimeo_cb,
1693 	.get_peer_pid		= l2cap_sock_get_peer_pid_cb,
1694 	.alloc_skb		= l2cap_sock_alloc_skb_cb,
1695 	.filter			= l2cap_sock_filter,
1696 };
1697 
1698 static void l2cap_sock_destruct(struct sock *sk)
1699 {
1700 	BT_DBG("sk %p", sk);
1701 
1702 	if (l2cap_pi(sk)->chan)
1703 		l2cap_chan_put(l2cap_pi(sk)->chan);
1704 
1705 	if (l2cap_pi(sk)->rx_busy_skb) {
1706 		kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1707 		l2cap_pi(sk)->rx_busy_skb = NULL;
1708 	}
1709 
1710 	skb_queue_purge(&sk->sk_receive_queue);
1711 	skb_queue_purge(&sk->sk_write_queue);
1712 }
1713 
1714 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1715 			       int *msg_namelen)
1716 {
1717 	DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1718 
1719 	memset(la, 0, sizeof(struct sockaddr_l2));
1720 	la->l2_family = AF_BLUETOOTH;
1721 	la->l2_psm = bt_cb(skb)->l2cap.psm;
1722 	bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1723 
1724 	*msg_namelen = sizeof(struct sockaddr_l2);
1725 }
1726 
1727 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1728 {
1729 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1730 
1731 	BT_DBG("sk %p", sk);
1732 
1733 	if (parent) {
1734 		struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1735 
1736 		sk->sk_type = parent->sk_type;
1737 		bt_sk(sk)->flags = bt_sk(parent)->flags;
1738 
1739 		chan->chan_type = pchan->chan_type;
1740 		chan->imtu = pchan->imtu;
1741 		chan->omtu = pchan->omtu;
1742 		chan->conf_state = pchan->conf_state;
1743 		chan->mode = pchan->mode;
1744 		chan->fcs  = pchan->fcs;
1745 		chan->max_tx = pchan->max_tx;
1746 		chan->tx_win = pchan->tx_win;
1747 		chan->tx_win_max = pchan->tx_win_max;
1748 		chan->sec_level = pchan->sec_level;
1749 		chan->flags = pchan->flags;
1750 		chan->tx_credits = pchan->tx_credits;
1751 		chan->rx_credits = pchan->rx_credits;
1752 
1753 		if (chan->chan_type == L2CAP_CHAN_FIXED) {
1754 			chan->scid = pchan->scid;
1755 			chan->dcid = pchan->scid;
1756 		}
1757 
1758 		security_sk_clone(parent, sk);
1759 	} else {
1760 		switch (sk->sk_type) {
1761 		case SOCK_RAW:
1762 			chan->chan_type = L2CAP_CHAN_RAW;
1763 			break;
1764 		case SOCK_DGRAM:
1765 			chan->chan_type = L2CAP_CHAN_CONN_LESS;
1766 			bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1767 			break;
1768 		case SOCK_SEQPACKET:
1769 		case SOCK_STREAM:
1770 			chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1771 			break;
1772 		}
1773 
1774 		chan->imtu = L2CAP_DEFAULT_MTU;
1775 		chan->omtu = 0;
1776 		if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1777 			chan->mode = L2CAP_MODE_ERTM;
1778 			set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1779 		} else {
1780 			chan->mode = L2CAP_MODE_BASIC;
1781 		}
1782 
1783 		l2cap_chan_set_defaults(chan);
1784 	}
1785 
1786 	/* Default config options */
1787 	chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1788 
1789 	chan->data = sk;
1790 	chan->ops = &l2cap_chan_ops;
1791 }
1792 
1793 static struct proto l2cap_proto = {
1794 	.name		= "L2CAP",
1795 	.owner		= THIS_MODULE,
1796 	.obj_size	= sizeof(struct l2cap_pinfo)
1797 };
1798 
1799 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1800 				     int proto, gfp_t prio, int kern)
1801 {
1802 	struct sock *sk;
1803 	struct l2cap_chan *chan;
1804 
1805 	sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern);
1806 	if (!sk)
1807 		return NULL;
1808 
1809 	sock_init_data(sock, sk);
1810 	INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1811 
1812 	sk->sk_destruct = l2cap_sock_destruct;
1813 	sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1814 
1815 	sock_reset_flag(sk, SOCK_ZAPPED);
1816 
1817 	sk->sk_protocol = proto;
1818 	sk->sk_state = BT_OPEN;
1819 
1820 	chan = l2cap_chan_create();
1821 	if (!chan) {
1822 		sk_free(sk);
1823 		return NULL;
1824 	}
1825 
1826 	l2cap_chan_hold(chan);
1827 
1828 	l2cap_pi(sk)->chan = chan;
1829 
1830 	return sk;
1831 }
1832 
1833 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1834 			     int kern)
1835 {
1836 	struct sock *sk;
1837 
1838 	BT_DBG("sock %p", sock);
1839 
1840 	sock->state = SS_UNCONNECTED;
1841 
1842 	if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1843 	    sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1844 		return -ESOCKTNOSUPPORT;
1845 
1846 	if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1847 		return -EPERM;
1848 
1849 	sock->ops = &l2cap_sock_ops;
1850 
1851 	sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1852 	if (!sk)
1853 		return -ENOMEM;
1854 
1855 	l2cap_sock_init(sk, NULL);
1856 	bt_sock_link(&l2cap_sk_list, sk);
1857 	return 0;
1858 }
1859 
1860 static const struct proto_ops l2cap_sock_ops = {
1861 	.family		= PF_BLUETOOTH,
1862 	.owner		= THIS_MODULE,
1863 	.release	= l2cap_sock_release,
1864 	.bind		= l2cap_sock_bind,
1865 	.connect	= l2cap_sock_connect,
1866 	.listen		= l2cap_sock_listen,
1867 	.accept		= l2cap_sock_accept,
1868 	.getname	= l2cap_sock_getname,
1869 	.sendmsg	= l2cap_sock_sendmsg,
1870 	.recvmsg	= l2cap_sock_recvmsg,
1871 	.poll		= bt_sock_poll,
1872 	.ioctl		= bt_sock_ioctl,
1873 	.gettstamp	= sock_gettstamp,
1874 	.mmap		= sock_no_mmap,
1875 	.socketpair	= sock_no_socketpair,
1876 	.shutdown	= l2cap_sock_shutdown,
1877 	.setsockopt	= l2cap_sock_setsockopt,
1878 	.getsockopt	= l2cap_sock_getsockopt
1879 };
1880 
1881 static const struct net_proto_family l2cap_sock_family_ops = {
1882 	.family	= PF_BLUETOOTH,
1883 	.owner	= THIS_MODULE,
1884 	.create	= l2cap_sock_create,
1885 };
1886 
1887 int __init l2cap_init_sockets(void)
1888 {
1889 	int err;
1890 
1891 	BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1892 
1893 	err = proto_register(&l2cap_proto, 0);
1894 	if (err < 0)
1895 		return err;
1896 
1897 	err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1898 	if (err < 0) {
1899 		BT_ERR("L2CAP socket registration failed");
1900 		goto error;
1901 	}
1902 
1903 	err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1904 			     NULL);
1905 	if (err < 0) {
1906 		BT_ERR("Failed to create L2CAP proc file");
1907 		bt_sock_unregister(BTPROTO_L2CAP);
1908 		goto error;
1909 	}
1910 
1911 	BT_INFO("L2CAP socket layer initialized");
1912 
1913 	return 0;
1914 
1915 error:
1916 	proto_unregister(&l2cap_proto);
1917 	return err;
1918 }
1919 
1920 void l2cap_cleanup_sockets(void)
1921 {
1922 	bt_procfs_cleanup(&init_net, "l2cap");
1923 	bt_sock_unregister(BTPROTO_L2CAP);
1924 	proto_unregister(&l2cap_proto);
1925 }
1926