xref: /linux/net/bluetooth/l2cap_sock.c (revision 95298d63c67673c654c08952672d016212b26054)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4    Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5    Copyright (C) 2010 Google Inc.
6    Copyright (C) 2011 ProFUSION Embedded Systems
7 
8    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9 
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License version 2 as
12    published by the Free Software Foundation;
13 
14    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22 
23    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25    SOFTWARE IS DISCLAIMED.
26 */
27 
28 /* Bluetooth L2CAP sockets. */
29 
30 #include <linux/module.h>
31 #include <linux/export.h>
32 #include <linux/sched/signal.h>
33 
34 #include <net/bluetooth/bluetooth.h>
35 #include <net/bluetooth/hci_core.h>
36 #include <net/bluetooth/l2cap.h>
37 
38 #include "smp.h"
39 
40 static struct bt_sock_list l2cap_sk_list = {
41 	.lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
42 };
43 
44 static const struct proto_ops l2cap_sock_ops;
45 static void l2cap_sock_init(struct sock *sk, struct sock *parent);
46 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
47 				     int proto, gfp_t prio, int kern);
48 
49 bool l2cap_is_socket(struct socket *sock)
50 {
51 	return sock && sock->ops == &l2cap_sock_ops;
52 }
53 EXPORT_SYMBOL(l2cap_is_socket);
54 
55 static int l2cap_validate_bredr_psm(u16 psm)
56 {
57 	/* PSM must be odd and lsb of upper byte must be 0 */
58 	if ((psm & 0x0101) != 0x0001)
59 		return -EINVAL;
60 
61 	/* Restrict usage of well-known PSMs */
62 	if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
63 		return -EACCES;
64 
65 	return 0;
66 }
67 
68 static int l2cap_validate_le_psm(u16 psm)
69 {
70 	/* Valid LE_PSM ranges are defined only until 0x00ff */
71 	if (psm > L2CAP_PSM_LE_DYN_END)
72 		return -EINVAL;
73 
74 	/* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
75 	if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
76 		return -EACCES;
77 
78 	return 0;
79 }
80 
81 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
82 {
83 	struct sock *sk = sock->sk;
84 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
85 	struct sockaddr_l2 la;
86 	int len, err = 0;
87 
88 	BT_DBG("sk %p", sk);
89 
90 	if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
91 	    addr->sa_family != AF_BLUETOOTH)
92 		return -EINVAL;
93 
94 	memset(&la, 0, sizeof(la));
95 	len = min_t(unsigned int, sizeof(la), alen);
96 	memcpy(&la, addr, len);
97 
98 	if (la.l2_cid && la.l2_psm)
99 		return -EINVAL;
100 
101 	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
102 		return -EINVAL;
103 
104 	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
105 		/* We only allow ATT user space socket */
106 		if (la.l2_cid &&
107 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
108 			return -EINVAL;
109 	}
110 
111 	lock_sock(sk);
112 
113 	if (sk->sk_state != BT_OPEN) {
114 		err = -EBADFD;
115 		goto done;
116 	}
117 
118 	if (la.l2_psm) {
119 		__u16 psm = __le16_to_cpu(la.l2_psm);
120 
121 		if (la.l2_bdaddr_type == BDADDR_BREDR)
122 			err = l2cap_validate_bredr_psm(psm);
123 		else
124 			err = l2cap_validate_le_psm(psm);
125 
126 		if (err)
127 			goto done;
128 	}
129 
130 	bacpy(&chan->src, &la.l2_bdaddr);
131 	chan->src_type = la.l2_bdaddr_type;
132 
133 	if (la.l2_cid)
134 		err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
135 	else
136 		err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
137 
138 	if (err < 0)
139 		goto done;
140 
141 	switch (chan->chan_type) {
142 	case L2CAP_CHAN_CONN_LESS:
143 		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
144 			chan->sec_level = BT_SECURITY_SDP;
145 		break;
146 	case L2CAP_CHAN_CONN_ORIENTED:
147 		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
148 		    __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
149 			chan->sec_level = BT_SECURITY_SDP;
150 		break;
151 	case L2CAP_CHAN_RAW:
152 		chan->sec_level = BT_SECURITY_SDP;
153 		break;
154 	case L2CAP_CHAN_FIXED:
155 		/* Fixed channels default to the L2CAP core not holding a
156 		 * hci_conn reference for them. For fixed channels mapping to
157 		 * L2CAP sockets we do want to hold a reference so set the
158 		 * appropriate flag to request it.
159 		 */
160 		set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
161 		break;
162 	}
163 
164 	if (chan->psm && bdaddr_type_is_le(chan->src_type))
165 		chan->mode = L2CAP_MODE_LE_FLOWCTL;
166 
167 	chan->state = BT_BOUND;
168 	sk->sk_state = BT_BOUND;
169 
170 done:
171 	release_sock(sk);
172 	return err;
173 }
174 
175 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
176 			      int alen, int flags)
177 {
178 	struct sock *sk = sock->sk;
179 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
180 	struct sockaddr_l2 la;
181 	int len, err = 0;
182 
183 	BT_DBG("sk %p", sk);
184 
185 	if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
186 	    addr->sa_family != AF_BLUETOOTH)
187 		return -EINVAL;
188 
189 	memset(&la, 0, sizeof(la));
190 	len = min_t(unsigned int, sizeof(la), alen);
191 	memcpy(&la, addr, len);
192 
193 	if (la.l2_cid && la.l2_psm)
194 		return -EINVAL;
195 
196 	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
197 		return -EINVAL;
198 
199 	/* Check that the socket wasn't bound to something that
200 	 * conflicts with the address given to connect(). If chan->src
201 	 * is BDADDR_ANY it means bind() was never used, in which case
202 	 * chan->src_type and la.l2_bdaddr_type do not need to match.
203 	 */
204 	if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
205 	    bdaddr_type_is_le(la.l2_bdaddr_type)) {
206 		/* Old user space versions will try to incorrectly bind
207 		 * the ATT socket using BDADDR_BREDR. We need to accept
208 		 * this and fix up the source address type only when
209 		 * both the source CID and destination CID indicate
210 		 * ATT. Anything else is an invalid combination.
211 		 */
212 		if (chan->scid != L2CAP_CID_ATT ||
213 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
214 			return -EINVAL;
215 
216 		/* We don't have the hdev available here to make a
217 		 * better decision on random vs public, but since all
218 		 * user space versions that exhibit this issue anyway do
219 		 * not support random local addresses assuming public
220 		 * here is good enough.
221 		 */
222 		chan->src_type = BDADDR_LE_PUBLIC;
223 	}
224 
225 	if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
226 		return -EINVAL;
227 
228 	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
229 		/* We only allow ATT user space socket */
230 		if (la.l2_cid &&
231 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
232 			return -EINVAL;
233 	}
234 
235 	if (chan->psm && bdaddr_type_is_le(chan->src_type) && !chan->mode)
236 		chan->mode = L2CAP_MODE_LE_FLOWCTL;
237 
238 	err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
239 				 &la.l2_bdaddr, la.l2_bdaddr_type);
240 	if (err)
241 		return err;
242 
243 	lock_sock(sk);
244 
245 	err = bt_sock_wait_state(sk, BT_CONNECTED,
246 				 sock_sndtimeo(sk, flags & O_NONBLOCK));
247 
248 	release_sock(sk);
249 
250 	return err;
251 }
252 
253 static int l2cap_sock_listen(struct socket *sock, int backlog)
254 {
255 	struct sock *sk = sock->sk;
256 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
257 	int err = 0;
258 
259 	BT_DBG("sk %p backlog %d", sk, backlog);
260 
261 	lock_sock(sk);
262 
263 	if (sk->sk_state != BT_BOUND) {
264 		err = -EBADFD;
265 		goto done;
266 	}
267 
268 	if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
269 		err = -EINVAL;
270 		goto done;
271 	}
272 
273 	switch (chan->mode) {
274 	case L2CAP_MODE_BASIC:
275 	case L2CAP_MODE_LE_FLOWCTL:
276 		break;
277 	case L2CAP_MODE_EXT_FLOWCTL:
278 		if (!enable_ecred) {
279 			err = -EOPNOTSUPP;
280 			goto done;
281 		}
282 		break;
283 	case L2CAP_MODE_ERTM:
284 	case L2CAP_MODE_STREAMING:
285 		if (!disable_ertm)
286 			break;
287 		/* fall through */
288 	default:
289 		err = -EOPNOTSUPP;
290 		goto done;
291 	}
292 
293 	sk->sk_max_ack_backlog = backlog;
294 	sk->sk_ack_backlog = 0;
295 
296 	/* Listening channels need to use nested locking in order not to
297 	 * cause lockdep warnings when the created child channels end up
298 	 * being locked in the same thread as the parent channel.
299 	 */
300 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
301 
302 	chan->state = BT_LISTEN;
303 	sk->sk_state = BT_LISTEN;
304 
305 done:
306 	release_sock(sk);
307 	return err;
308 }
309 
310 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
311 			     int flags, bool kern)
312 {
313 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
314 	struct sock *sk = sock->sk, *nsk;
315 	long timeo;
316 	int err = 0;
317 
318 	lock_sock_nested(sk, L2CAP_NESTING_PARENT);
319 
320 	timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
321 
322 	BT_DBG("sk %p timeo %ld", sk, timeo);
323 
324 	/* Wait for an incoming connection. (wake-one). */
325 	add_wait_queue_exclusive(sk_sleep(sk), &wait);
326 	while (1) {
327 		if (sk->sk_state != BT_LISTEN) {
328 			err = -EBADFD;
329 			break;
330 		}
331 
332 		nsk = bt_accept_dequeue(sk, newsock);
333 		if (nsk)
334 			break;
335 
336 		if (!timeo) {
337 			err = -EAGAIN;
338 			break;
339 		}
340 
341 		if (signal_pending(current)) {
342 			err = sock_intr_errno(timeo);
343 			break;
344 		}
345 
346 		release_sock(sk);
347 
348 		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
349 
350 		lock_sock_nested(sk, L2CAP_NESTING_PARENT);
351 	}
352 	remove_wait_queue(sk_sleep(sk), &wait);
353 
354 	if (err)
355 		goto done;
356 
357 	newsock->state = SS_CONNECTED;
358 
359 	BT_DBG("new socket %p", nsk);
360 
361 done:
362 	release_sock(sk);
363 	return err;
364 }
365 
366 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
367 			      int peer)
368 {
369 	struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
370 	struct sock *sk = sock->sk;
371 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
372 
373 	BT_DBG("sock %p, sk %p", sock, sk);
374 
375 	if (peer && sk->sk_state != BT_CONNECTED &&
376 	    sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
377 	    sk->sk_state != BT_CONFIG)
378 		return -ENOTCONN;
379 
380 	memset(la, 0, sizeof(struct sockaddr_l2));
381 	addr->sa_family = AF_BLUETOOTH;
382 
383 	la->l2_psm = chan->psm;
384 
385 	if (peer) {
386 		bacpy(&la->l2_bdaddr, &chan->dst);
387 		la->l2_cid = cpu_to_le16(chan->dcid);
388 		la->l2_bdaddr_type = chan->dst_type;
389 	} else {
390 		bacpy(&la->l2_bdaddr, &chan->src);
391 		la->l2_cid = cpu_to_le16(chan->scid);
392 		la->l2_bdaddr_type = chan->src_type;
393 	}
394 
395 	return sizeof(struct sockaddr_l2);
396 }
397 
398 static int l2cap_get_mode(struct l2cap_chan *chan)
399 {
400 	switch (chan->mode) {
401 	case L2CAP_MODE_BASIC:
402 		return BT_MODE_BASIC;
403 	case L2CAP_MODE_ERTM:
404 		return BT_MODE_ERTM;
405 	case L2CAP_MODE_STREAMING:
406 		return BT_MODE_STREAMING;
407 	case L2CAP_MODE_LE_FLOWCTL:
408 		return BT_MODE_LE_FLOWCTL;
409 	case L2CAP_MODE_EXT_FLOWCTL:
410 		return BT_MODE_EXT_FLOWCTL;
411 	}
412 
413 	return -EINVAL;
414 }
415 
416 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
417 				     char __user *optval, int __user *optlen)
418 {
419 	struct sock *sk = sock->sk;
420 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
421 	struct l2cap_options opts;
422 	struct l2cap_conninfo cinfo;
423 	int len, err = 0;
424 	u32 opt;
425 
426 	BT_DBG("sk %p", sk);
427 
428 	if (get_user(len, optlen))
429 		return -EFAULT;
430 
431 	lock_sock(sk);
432 
433 	switch (optname) {
434 	case L2CAP_OPTIONS:
435 		/* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
436 		 * legacy ATT code depends on getsockopt for
437 		 * L2CAP_OPTIONS we need to let this pass.
438 		 */
439 		if (bdaddr_type_is_le(chan->src_type) &&
440 		    chan->scid != L2CAP_CID_ATT) {
441 			err = -EINVAL;
442 			break;
443 		}
444 
445 		/* Only BR/EDR modes are supported here */
446 		switch (chan->mode) {
447 		case L2CAP_MODE_BASIC:
448 		case L2CAP_MODE_ERTM:
449 		case L2CAP_MODE_STREAMING:
450 			break;
451 		default:
452 			err = -EINVAL;
453 			break;
454 		}
455 
456 		if (err < 0)
457 			break;
458 
459 		memset(&opts, 0, sizeof(opts));
460 		opts.imtu     = chan->imtu;
461 		opts.omtu     = chan->omtu;
462 		opts.flush_to = chan->flush_to;
463 		opts.mode     = chan->mode;
464 		opts.fcs      = chan->fcs;
465 		opts.max_tx   = chan->max_tx;
466 		opts.txwin_size = chan->tx_win;
467 
468 		BT_DBG("mode 0x%2.2x", chan->mode);
469 
470 		len = min_t(unsigned int, len, sizeof(opts));
471 		if (copy_to_user(optval, (char *) &opts, len))
472 			err = -EFAULT;
473 
474 		break;
475 
476 	case L2CAP_LM:
477 		switch (chan->sec_level) {
478 		case BT_SECURITY_LOW:
479 			opt = L2CAP_LM_AUTH;
480 			break;
481 		case BT_SECURITY_MEDIUM:
482 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
483 			break;
484 		case BT_SECURITY_HIGH:
485 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
486 			      L2CAP_LM_SECURE;
487 			break;
488 		case BT_SECURITY_FIPS:
489 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
490 			      L2CAP_LM_SECURE | L2CAP_LM_FIPS;
491 			break;
492 		default:
493 			opt = 0;
494 			break;
495 		}
496 
497 		if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
498 			opt |= L2CAP_LM_MASTER;
499 
500 		if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
501 			opt |= L2CAP_LM_RELIABLE;
502 
503 		if (put_user(opt, (u32 __user *) optval))
504 			err = -EFAULT;
505 
506 		break;
507 
508 	case L2CAP_CONNINFO:
509 		if (sk->sk_state != BT_CONNECTED &&
510 		    !(sk->sk_state == BT_CONNECT2 &&
511 		      test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
512 			err = -ENOTCONN;
513 			break;
514 		}
515 
516 		memset(&cinfo, 0, sizeof(cinfo));
517 		cinfo.hci_handle = chan->conn->hcon->handle;
518 		memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
519 
520 		len = min_t(unsigned int, len, sizeof(cinfo));
521 		if (copy_to_user(optval, (char *) &cinfo, len))
522 			err = -EFAULT;
523 
524 		break;
525 
526 	default:
527 		err = -ENOPROTOOPT;
528 		break;
529 	}
530 
531 	release_sock(sk);
532 	return err;
533 }
534 
535 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
536 				 char __user *optval, int __user *optlen)
537 {
538 	struct sock *sk = sock->sk;
539 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
540 	struct bt_security sec;
541 	struct bt_power pwr;
542 	u32 phys;
543 	int len, mode, err = 0;
544 
545 	BT_DBG("sk %p", sk);
546 
547 	if (level == SOL_L2CAP)
548 		return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
549 
550 	if (level != SOL_BLUETOOTH)
551 		return -ENOPROTOOPT;
552 
553 	if (get_user(len, optlen))
554 		return -EFAULT;
555 
556 	lock_sock(sk);
557 
558 	switch (optname) {
559 	case BT_SECURITY:
560 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
561 		    chan->chan_type != L2CAP_CHAN_FIXED &&
562 		    chan->chan_type != L2CAP_CHAN_RAW) {
563 			err = -EINVAL;
564 			break;
565 		}
566 
567 		memset(&sec, 0, sizeof(sec));
568 		if (chan->conn) {
569 			sec.level = chan->conn->hcon->sec_level;
570 
571 			if (sk->sk_state == BT_CONNECTED)
572 				sec.key_size = chan->conn->hcon->enc_key_size;
573 		} else {
574 			sec.level = chan->sec_level;
575 		}
576 
577 		len = min_t(unsigned int, len, sizeof(sec));
578 		if (copy_to_user(optval, (char *) &sec, len))
579 			err = -EFAULT;
580 
581 		break;
582 
583 	case BT_DEFER_SETUP:
584 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
585 			err = -EINVAL;
586 			break;
587 		}
588 
589 		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
590 			     (u32 __user *) optval))
591 			err = -EFAULT;
592 
593 		break;
594 
595 	case BT_FLUSHABLE:
596 		if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
597 			     (u32 __user *) optval))
598 			err = -EFAULT;
599 
600 		break;
601 
602 	case BT_POWER:
603 		if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
604 		    && sk->sk_type != SOCK_RAW) {
605 			err = -EINVAL;
606 			break;
607 		}
608 
609 		pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
610 
611 		len = min_t(unsigned int, len, sizeof(pwr));
612 		if (copy_to_user(optval, (char *) &pwr, len))
613 			err = -EFAULT;
614 
615 		break;
616 
617 	case BT_CHANNEL_POLICY:
618 		if (put_user(chan->chan_policy, (u32 __user *) optval))
619 			err = -EFAULT;
620 		break;
621 
622 	case BT_SNDMTU:
623 		if (!bdaddr_type_is_le(chan->src_type)) {
624 			err = -EINVAL;
625 			break;
626 		}
627 
628 		if (sk->sk_state != BT_CONNECTED) {
629 			err = -ENOTCONN;
630 			break;
631 		}
632 
633 		if (put_user(chan->omtu, (u16 __user *) optval))
634 			err = -EFAULT;
635 		break;
636 
637 	case BT_RCVMTU:
638 		if (!bdaddr_type_is_le(chan->src_type)) {
639 			err = -EINVAL;
640 			break;
641 		}
642 
643 		if (put_user(chan->imtu, (u16 __user *) optval))
644 			err = -EFAULT;
645 		break;
646 
647 	case BT_PHY:
648 		if (sk->sk_state != BT_CONNECTED) {
649 			err = -ENOTCONN;
650 			break;
651 		}
652 
653 		phys = hci_conn_get_phy(chan->conn->hcon);
654 
655 		if (put_user(phys, (u32 __user *) optval))
656 			err = -EFAULT;
657 		break;
658 
659 	case BT_MODE:
660 		if (!enable_ecred) {
661 			err = -ENOPROTOOPT;
662 			break;
663 		}
664 
665 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
666 			err = -EINVAL;
667 			break;
668 		}
669 
670 		mode = l2cap_get_mode(chan);
671 		if (mode < 0) {
672 			err = mode;
673 			break;
674 		}
675 
676 		if (put_user(mode, (u8 __user *) optval))
677 			err = -EFAULT;
678 		break;
679 
680 	default:
681 		err = -ENOPROTOOPT;
682 		break;
683 	}
684 
685 	release_sock(sk);
686 	return err;
687 }
688 
689 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
690 {
691 	switch (chan->scid) {
692 	case L2CAP_CID_ATT:
693 		if (mtu < L2CAP_LE_MIN_MTU)
694 			return false;
695 		break;
696 
697 	default:
698 		if (mtu < L2CAP_DEFAULT_MIN_MTU)
699 			return false;
700 	}
701 
702 	return true;
703 }
704 
705 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
706 				     char __user *optval, unsigned int optlen)
707 {
708 	struct sock *sk = sock->sk;
709 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
710 	struct l2cap_options opts;
711 	int len, err = 0;
712 	u32 opt;
713 
714 	BT_DBG("sk %p", sk);
715 
716 	lock_sock(sk);
717 
718 	switch (optname) {
719 	case L2CAP_OPTIONS:
720 		if (bdaddr_type_is_le(chan->src_type)) {
721 			err = -EINVAL;
722 			break;
723 		}
724 
725 		if (sk->sk_state == BT_CONNECTED) {
726 			err = -EINVAL;
727 			break;
728 		}
729 
730 		opts.imtu     = chan->imtu;
731 		opts.omtu     = chan->omtu;
732 		opts.flush_to = chan->flush_to;
733 		opts.mode     = chan->mode;
734 		opts.fcs      = chan->fcs;
735 		opts.max_tx   = chan->max_tx;
736 		opts.txwin_size = chan->tx_win;
737 
738 		len = min_t(unsigned int, sizeof(opts), optlen);
739 		if (copy_from_user((char *) &opts, optval, len)) {
740 			err = -EFAULT;
741 			break;
742 		}
743 
744 		if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
745 			err = -EINVAL;
746 			break;
747 		}
748 
749 		if (!l2cap_valid_mtu(chan, opts.imtu)) {
750 			err = -EINVAL;
751 			break;
752 		}
753 
754 		/* Only BR/EDR modes are supported here */
755 		switch (opts.mode) {
756 		case L2CAP_MODE_BASIC:
757 			clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
758 			break;
759 		case L2CAP_MODE_ERTM:
760 		case L2CAP_MODE_STREAMING:
761 			if (!disable_ertm)
762 				break;
763 			/* fall through */
764 		default:
765 			err = -EINVAL;
766 			break;
767 		}
768 
769 		if (err < 0)
770 			break;
771 
772 		chan->mode = opts.mode;
773 
774 		BT_DBG("mode 0x%2.2x", chan->mode);
775 
776 		chan->imtu = opts.imtu;
777 		chan->omtu = opts.omtu;
778 		chan->fcs  = opts.fcs;
779 		chan->max_tx = opts.max_tx;
780 		chan->tx_win = opts.txwin_size;
781 		chan->flush_to = opts.flush_to;
782 		break;
783 
784 	case L2CAP_LM:
785 		if (get_user(opt, (u32 __user *) optval)) {
786 			err = -EFAULT;
787 			break;
788 		}
789 
790 		if (opt & L2CAP_LM_FIPS) {
791 			err = -EINVAL;
792 			break;
793 		}
794 
795 		if (opt & L2CAP_LM_AUTH)
796 			chan->sec_level = BT_SECURITY_LOW;
797 		if (opt & L2CAP_LM_ENCRYPT)
798 			chan->sec_level = BT_SECURITY_MEDIUM;
799 		if (opt & L2CAP_LM_SECURE)
800 			chan->sec_level = BT_SECURITY_HIGH;
801 
802 		if (opt & L2CAP_LM_MASTER)
803 			set_bit(FLAG_ROLE_SWITCH, &chan->flags);
804 		else
805 			clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
806 
807 		if (opt & L2CAP_LM_RELIABLE)
808 			set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
809 		else
810 			clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
811 		break;
812 
813 	default:
814 		err = -ENOPROTOOPT;
815 		break;
816 	}
817 
818 	release_sock(sk);
819 	return err;
820 }
821 
822 static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode)
823 {
824 	switch (mode) {
825 	case BT_MODE_BASIC:
826 		if (bdaddr_type_is_le(chan->src_type))
827 			return -EINVAL;
828 		mode = L2CAP_MODE_BASIC;
829 		clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
830 		break;
831 	case BT_MODE_ERTM:
832 		if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
833 			return -EINVAL;
834 		mode = L2CAP_MODE_ERTM;
835 		break;
836 	case BT_MODE_STREAMING:
837 		if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
838 			return -EINVAL;
839 		mode = L2CAP_MODE_STREAMING;
840 		break;
841 	case BT_MODE_LE_FLOWCTL:
842 		if (!bdaddr_type_is_le(chan->src_type))
843 			return -EINVAL;
844 		mode = L2CAP_MODE_LE_FLOWCTL;
845 		break;
846 	case BT_MODE_EXT_FLOWCTL:
847 		/* TODO: Add support for ECRED PDUs to BR/EDR */
848 		if (!bdaddr_type_is_le(chan->src_type))
849 			return -EINVAL;
850 		mode = L2CAP_MODE_EXT_FLOWCTL;
851 		break;
852 	default:
853 		return -EINVAL;
854 	}
855 
856 	chan->mode = mode;
857 
858 	return 0;
859 }
860 
861 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
862 				 char __user *optval, unsigned int optlen)
863 {
864 	struct sock *sk = sock->sk;
865 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
866 	struct bt_security sec;
867 	struct bt_power pwr;
868 	struct l2cap_conn *conn;
869 	int len, err = 0;
870 	u32 opt;
871 
872 	BT_DBG("sk %p", sk);
873 
874 	if (level == SOL_L2CAP)
875 		return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
876 
877 	if (level != SOL_BLUETOOTH)
878 		return -ENOPROTOOPT;
879 
880 	lock_sock(sk);
881 
882 	switch (optname) {
883 	case BT_SECURITY:
884 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
885 		    chan->chan_type != L2CAP_CHAN_FIXED &&
886 		    chan->chan_type != L2CAP_CHAN_RAW) {
887 			err = -EINVAL;
888 			break;
889 		}
890 
891 		sec.level = BT_SECURITY_LOW;
892 
893 		len = min_t(unsigned int, sizeof(sec), optlen);
894 		if (copy_from_user((char *) &sec, optval, len)) {
895 			err = -EFAULT;
896 			break;
897 		}
898 
899 		if (sec.level < BT_SECURITY_LOW ||
900 		    sec.level > BT_SECURITY_FIPS) {
901 			err = -EINVAL;
902 			break;
903 		}
904 
905 		chan->sec_level = sec.level;
906 
907 		if (!chan->conn)
908 			break;
909 
910 		conn = chan->conn;
911 
912 		/* change security for LE channels */
913 		if (chan->scid == L2CAP_CID_ATT) {
914 			if (smp_conn_security(conn->hcon, sec.level)) {
915 				err = -EINVAL;
916 				break;
917 			}
918 
919 			set_bit(FLAG_PENDING_SECURITY, &chan->flags);
920 			sk->sk_state = BT_CONFIG;
921 			chan->state = BT_CONFIG;
922 
923 		/* or for ACL link */
924 		} else if ((sk->sk_state == BT_CONNECT2 &&
925 			    test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
926 			   sk->sk_state == BT_CONNECTED) {
927 			if (!l2cap_chan_check_security(chan, true))
928 				set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
929 			else
930 				sk->sk_state_change(sk);
931 		} else {
932 			err = -EINVAL;
933 		}
934 		break;
935 
936 	case BT_DEFER_SETUP:
937 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
938 			err = -EINVAL;
939 			break;
940 		}
941 
942 		if (get_user(opt, (u32 __user *) optval)) {
943 			err = -EFAULT;
944 			break;
945 		}
946 
947 		if (opt) {
948 			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
949 			set_bit(FLAG_DEFER_SETUP, &chan->flags);
950 		} else {
951 			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
952 			clear_bit(FLAG_DEFER_SETUP, &chan->flags);
953 		}
954 		break;
955 
956 	case BT_FLUSHABLE:
957 		if (get_user(opt, (u32 __user *) optval)) {
958 			err = -EFAULT;
959 			break;
960 		}
961 
962 		if (opt > BT_FLUSHABLE_ON) {
963 			err = -EINVAL;
964 			break;
965 		}
966 
967 		if (opt == BT_FLUSHABLE_OFF) {
968 			conn = chan->conn;
969 			/* proceed further only when we have l2cap_conn and
970 			   No Flush support in the LM */
971 			if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
972 				err = -EINVAL;
973 				break;
974 			}
975 		}
976 
977 		if (opt)
978 			set_bit(FLAG_FLUSHABLE, &chan->flags);
979 		else
980 			clear_bit(FLAG_FLUSHABLE, &chan->flags);
981 		break;
982 
983 	case BT_POWER:
984 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
985 		    chan->chan_type != L2CAP_CHAN_RAW) {
986 			err = -EINVAL;
987 			break;
988 		}
989 
990 		pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
991 
992 		len = min_t(unsigned int, sizeof(pwr), optlen);
993 		if (copy_from_user((char *) &pwr, optval, len)) {
994 			err = -EFAULT;
995 			break;
996 		}
997 
998 		if (pwr.force_active)
999 			set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1000 		else
1001 			clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1002 		break;
1003 
1004 	case BT_CHANNEL_POLICY:
1005 		if (get_user(opt, (u32 __user *) optval)) {
1006 			err = -EFAULT;
1007 			break;
1008 		}
1009 
1010 		if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
1011 			err = -EINVAL;
1012 			break;
1013 		}
1014 
1015 		if (chan->mode != L2CAP_MODE_ERTM &&
1016 		    chan->mode != L2CAP_MODE_STREAMING) {
1017 			err = -EOPNOTSUPP;
1018 			break;
1019 		}
1020 
1021 		chan->chan_policy = (u8) opt;
1022 
1023 		if (sk->sk_state == BT_CONNECTED &&
1024 		    chan->move_role == L2CAP_MOVE_ROLE_NONE)
1025 			l2cap_move_start(chan);
1026 
1027 		break;
1028 
1029 	case BT_SNDMTU:
1030 		if (!bdaddr_type_is_le(chan->src_type)) {
1031 			err = -EINVAL;
1032 			break;
1033 		}
1034 
1035 		/* Setting is not supported as it's the remote side that
1036 		 * decides this.
1037 		 */
1038 		err = -EPERM;
1039 		break;
1040 
1041 	case BT_RCVMTU:
1042 		if (!bdaddr_type_is_le(chan->src_type)) {
1043 			err = -EINVAL;
1044 			break;
1045 		}
1046 
1047 		if (chan->mode == L2CAP_MODE_LE_FLOWCTL &&
1048 		    sk->sk_state == BT_CONNECTED) {
1049 			err = -EISCONN;
1050 			break;
1051 		}
1052 
1053 		if (get_user(opt, (u16 __user *) optval)) {
1054 			err = -EFAULT;
1055 			break;
1056 		}
1057 
1058 		if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
1059 		    sk->sk_state == BT_CONNECTED)
1060 			err = l2cap_chan_reconfigure(chan, opt);
1061 		else
1062 			chan->imtu = opt;
1063 
1064 		break;
1065 
1066 	case BT_MODE:
1067 		if (!enable_ecred) {
1068 			err = -ENOPROTOOPT;
1069 			break;
1070 		}
1071 
1072 		BT_DBG("sk->sk_state %u", sk->sk_state);
1073 
1074 		if (sk->sk_state != BT_BOUND) {
1075 			err = -EINVAL;
1076 			break;
1077 		}
1078 
1079 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1080 			err = -EINVAL;
1081 			break;
1082 		}
1083 
1084 		if (get_user(opt, (u8 __user *) optval)) {
1085 			err = -EFAULT;
1086 			break;
1087 		}
1088 
1089 		BT_DBG("opt %u", opt);
1090 
1091 		err = l2cap_set_mode(chan, opt);
1092 		if (err)
1093 			break;
1094 
1095 		BT_DBG("mode 0x%2.2x", chan->mode);
1096 
1097 		break;
1098 
1099 	default:
1100 		err = -ENOPROTOOPT;
1101 		break;
1102 	}
1103 
1104 	release_sock(sk);
1105 	return err;
1106 }
1107 
1108 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1109 			      size_t len)
1110 {
1111 	struct sock *sk = sock->sk;
1112 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1113 	int err;
1114 
1115 	BT_DBG("sock %p, sk %p", sock, sk);
1116 
1117 	err = sock_error(sk);
1118 	if (err)
1119 		return err;
1120 
1121 	if (msg->msg_flags & MSG_OOB)
1122 		return -EOPNOTSUPP;
1123 
1124 	if (sk->sk_state != BT_CONNECTED)
1125 		return -ENOTCONN;
1126 
1127 	lock_sock(sk);
1128 	err = bt_sock_wait_ready(sk, msg->msg_flags);
1129 	release_sock(sk);
1130 	if (err)
1131 		return err;
1132 
1133 	l2cap_chan_lock(chan);
1134 	err = l2cap_chan_send(chan, msg, len);
1135 	l2cap_chan_unlock(chan);
1136 
1137 	return err;
1138 }
1139 
1140 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1141 			      size_t len, int flags)
1142 {
1143 	struct sock *sk = sock->sk;
1144 	struct l2cap_pinfo *pi = l2cap_pi(sk);
1145 	int err;
1146 
1147 	lock_sock(sk);
1148 
1149 	if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
1150 						    &bt_sk(sk)->flags)) {
1151 		if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
1152 			sk->sk_state = BT_CONNECTED;
1153 			pi->chan->state = BT_CONNECTED;
1154 			__l2cap_ecred_conn_rsp_defer(pi->chan);
1155 		} else if (bdaddr_type_is_le(pi->chan->src_type)) {
1156 			sk->sk_state = BT_CONNECTED;
1157 			pi->chan->state = BT_CONNECTED;
1158 			__l2cap_le_connect_rsp_defer(pi->chan);
1159 		} else {
1160 			sk->sk_state = BT_CONFIG;
1161 			pi->chan->state = BT_CONFIG;
1162 			__l2cap_connect_rsp_defer(pi->chan);
1163 		}
1164 
1165 		err = 0;
1166 		goto done;
1167 	}
1168 
1169 	release_sock(sk);
1170 
1171 	if (sock->type == SOCK_STREAM)
1172 		err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1173 	else
1174 		err = bt_sock_recvmsg(sock, msg, len, flags);
1175 
1176 	if (pi->chan->mode != L2CAP_MODE_ERTM)
1177 		return err;
1178 
1179 	/* Attempt to put pending rx data in the socket buffer */
1180 
1181 	lock_sock(sk);
1182 
1183 	if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1184 		goto done;
1185 
1186 	if (pi->rx_busy_skb) {
1187 		if (!__sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1188 			pi->rx_busy_skb = NULL;
1189 		else
1190 			goto done;
1191 	}
1192 
1193 	/* Restore data flow when half of the receive buffer is
1194 	 * available.  This avoids resending large numbers of
1195 	 * frames.
1196 	 */
1197 	if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1198 		l2cap_chan_busy(pi->chan, 0);
1199 
1200 done:
1201 	release_sock(sk);
1202 	return err;
1203 }
1204 
1205 /* Kill socket (only if zapped and orphan)
1206  * Must be called on unlocked socket, with l2cap channel lock.
1207  */
1208 static void l2cap_sock_kill(struct sock *sk)
1209 {
1210 	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1211 		return;
1212 
1213 	BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1214 
1215 	/* Kill poor orphan */
1216 
1217 	l2cap_chan_put(l2cap_pi(sk)->chan);
1218 	sock_set_flag(sk, SOCK_DEAD);
1219 	sock_put(sk);
1220 }
1221 
1222 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1223 {
1224 	DECLARE_WAITQUEUE(wait, current);
1225 	int err = 0;
1226 	int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1227 	/* Timeout to prevent infinite loop */
1228 	unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1229 
1230 	add_wait_queue(sk_sleep(sk), &wait);
1231 	set_current_state(TASK_INTERRUPTIBLE);
1232 	do {
1233 		BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1234 		       chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1235 		       jiffies_to_msecs(timeout - jiffies));
1236 
1237 		if (!timeo)
1238 			timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1239 
1240 		if (signal_pending(current)) {
1241 			err = sock_intr_errno(timeo);
1242 			break;
1243 		}
1244 
1245 		release_sock(sk);
1246 		timeo = schedule_timeout(timeo);
1247 		lock_sock(sk);
1248 		set_current_state(TASK_INTERRUPTIBLE);
1249 
1250 		err = sock_error(sk);
1251 		if (err)
1252 			break;
1253 
1254 		if (time_after(jiffies, timeout)) {
1255 			err = -ENOLINK;
1256 			break;
1257 		}
1258 
1259 	} while (chan->unacked_frames > 0 &&
1260 		 chan->state == BT_CONNECTED);
1261 
1262 	set_current_state(TASK_RUNNING);
1263 	remove_wait_queue(sk_sleep(sk), &wait);
1264 	return err;
1265 }
1266 
1267 static int l2cap_sock_shutdown(struct socket *sock, int how)
1268 {
1269 	struct sock *sk = sock->sk;
1270 	struct l2cap_chan *chan;
1271 	struct l2cap_conn *conn;
1272 	int err = 0;
1273 
1274 	BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1275 
1276 	/* 'how' parameter is mapped to sk_shutdown as follows:
1277 	 * SHUT_RD   (0) --> RCV_SHUTDOWN  (1)
1278 	 * SHUT_WR   (1) --> SEND_SHUTDOWN (2)
1279 	 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3)
1280 	 */
1281 	how++;
1282 
1283 	if (!sk)
1284 		return 0;
1285 
1286 	lock_sock(sk);
1287 
1288 	if ((sk->sk_shutdown & how) == how)
1289 		goto shutdown_already;
1290 
1291 	BT_DBG("Handling sock shutdown");
1292 
1293 	/* prevent sk structure from being freed whilst unlocked */
1294 	sock_hold(sk);
1295 
1296 	chan = l2cap_pi(sk)->chan;
1297 	/* prevent chan structure from being freed whilst unlocked */
1298 	l2cap_chan_hold(chan);
1299 
1300 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1301 
1302 	if (chan->mode == L2CAP_MODE_ERTM &&
1303 	    chan->unacked_frames > 0 &&
1304 	    chan->state == BT_CONNECTED) {
1305 		err = __l2cap_wait_ack(sk, chan);
1306 
1307 		/* After waiting for ACKs, check whether shutdown
1308 		 * has already been actioned to close the L2CAP
1309 		 * link such as by l2cap_disconnection_req().
1310 		 */
1311 		if ((sk->sk_shutdown & how) == how)
1312 			goto shutdown_matched;
1313 	}
1314 
1315 	/* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN
1316 	 * is already set
1317 	 */
1318 	if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) {
1319 		sk->sk_shutdown |= RCV_SHUTDOWN;
1320 		if ((sk->sk_shutdown & how) == how)
1321 			goto shutdown_matched;
1322 	}
1323 
1324 	sk->sk_shutdown |= SEND_SHUTDOWN;
1325 	release_sock(sk);
1326 
1327 	l2cap_chan_lock(chan);
1328 	conn = chan->conn;
1329 	if (conn)
1330 		/* prevent conn structure from being freed */
1331 		l2cap_conn_get(conn);
1332 	l2cap_chan_unlock(chan);
1333 
1334 	if (conn)
1335 		/* mutex lock must be taken before l2cap_chan_lock() */
1336 		mutex_lock(&conn->chan_lock);
1337 
1338 	l2cap_chan_lock(chan);
1339 	l2cap_chan_close(chan, 0);
1340 	l2cap_chan_unlock(chan);
1341 
1342 	if (conn) {
1343 		mutex_unlock(&conn->chan_lock);
1344 		l2cap_conn_put(conn);
1345 	}
1346 
1347 	lock_sock(sk);
1348 
1349 	if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1350 	    !(current->flags & PF_EXITING))
1351 		err = bt_sock_wait_state(sk, BT_CLOSED,
1352 					 sk->sk_lingertime);
1353 
1354 shutdown_matched:
1355 	l2cap_chan_put(chan);
1356 	sock_put(sk);
1357 
1358 shutdown_already:
1359 	if (!err && sk->sk_err)
1360 		err = -sk->sk_err;
1361 
1362 	release_sock(sk);
1363 
1364 	BT_DBG("Sock shutdown complete err: %d", err);
1365 
1366 	return err;
1367 }
1368 
1369 static int l2cap_sock_release(struct socket *sock)
1370 {
1371 	struct sock *sk = sock->sk;
1372 	int err;
1373 	struct l2cap_chan *chan;
1374 
1375 	BT_DBG("sock %p, sk %p", sock, sk);
1376 
1377 	if (!sk)
1378 		return 0;
1379 
1380 	bt_sock_unlink(&l2cap_sk_list, sk);
1381 
1382 	err = l2cap_sock_shutdown(sock, SHUT_RDWR);
1383 	chan = l2cap_pi(sk)->chan;
1384 
1385 	l2cap_chan_hold(chan);
1386 	l2cap_chan_lock(chan);
1387 
1388 	sock_orphan(sk);
1389 	l2cap_sock_kill(sk);
1390 
1391 	l2cap_chan_unlock(chan);
1392 	l2cap_chan_put(chan);
1393 
1394 	return err;
1395 }
1396 
1397 static void l2cap_sock_cleanup_listen(struct sock *parent)
1398 {
1399 	struct sock *sk;
1400 
1401 	BT_DBG("parent %p state %s", parent,
1402 	       state_to_string(parent->sk_state));
1403 
1404 	/* Close not yet accepted channels */
1405 	while ((sk = bt_accept_dequeue(parent, NULL))) {
1406 		struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1407 
1408 		BT_DBG("child chan %p state %s", chan,
1409 		       state_to_string(chan->state));
1410 
1411 		l2cap_chan_hold(chan);
1412 		l2cap_chan_lock(chan);
1413 
1414 		__clear_chan_timer(chan);
1415 		l2cap_chan_close(chan, ECONNRESET);
1416 		l2cap_sock_kill(sk);
1417 
1418 		l2cap_chan_unlock(chan);
1419 		l2cap_chan_put(chan);
1420 	}
1421 }
1422 
1423 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1424 {
1425 	struct sock *sk, *parent = chan->data;
1426 
1427 	lock_sock(parent);
1428 
1429 	/* Check for backlog size */
1430 	if (sk_acceptq_is_full(parent)) {
1431 		BT_DBG("backlog full %d", parent->sk_ack_backlog);
1432 		release_sock(parent);
1433 		return NULL;
1434 	}
1435 
1436 	sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1437 			      GFP_ATOMIC, 0);
1438 	if (!sk) {
1439 		release_sock(parent);
1440 		return NULL;
1441         }
1442 
1443 	bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1444 
1445 	l2cap_sock_init(sk, parent);
1446 
1447 	bt_accept_enqueue(parent, sk, false);
1448 
1449 	release_sock(parent);
1450 
1451 	return l2cap_pi(sk)->chan;
1452 }
1453 
1454 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1455 {
1456 	struct sock *sk = chan->data;
1457 	int err;
1458 
1459 	lock_sock(sk);
1460 
1461 	if (l2cap_pi(sk)->rx_busy_skb) {
1462 		err = -ENOMEM;
1463 		goto done;
1464 	}
1465 
1466 	if (chan->mode != L2CAP_MODE_ERTM &&
1467 	    chan->mode != L2CAP_MODE_STREAMING) {
1468 		/* Even if no filter is attached, we could potentially
1469 		 * get errors from security modules, etc.
1470 		 */
1471 		err = sk_filter(sk, skb);
1472 		if (err)
1473 			goto done;
1474 	}
1475 
1476 	err = __sock_queue_rcv_skb(sk, skb);
1477 
1478 	/* For ERTM, handle one skb that doesn't fit into the recv
1479 	 * buffer.  This is important to do because the data frames
1480 	 * have already been acked, so the skb cannot be discarded.
1481 	 *
1482 	 * Notify the l2cap core that the buffer is full, so the
1483 	 * LOCAL_BUSY state is entered and no more frames are
1484 	 * acked and reassembled until there is buffer space
1485 	 * available.
1486 	 */
1487 	if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1488 		l2cap_pi(sk)->rx_busy_skb = skb;
1489 		l2cap_chan_busy(chan, 1);
1490 		err = 0;
1491 	}
1492 
1493 done:
1494 	release_sock(sk);
1495 
1496 	return err;
1497 }
1498 
1499 static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1500 {
1501 	struct sock *sk = chan->data;
1502 
1503 	l2cap_sock_kill(sk);
1504 }
1505 
1506 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1507 {
1508 	struct sock *sk = chan->data;
1509 	struct sock *parent;
1510 
1511 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1512 
1513 	/* This callback can be called both for server (BT_LISTEN)
1514 	 * sockets as well as "normal" ones. To avoid lockdep warnings
1515 	 * with child socket locking (through l2cap_sock_cleanup_listen)
1516 	 * we need separation into separate nesting levels. The simplest
1517 	 * way to accomplish this is to inherit the nesting level used
1518 	 * for the channel.
1519 	 */
1520 	lock_sock_nested(sk, atomic_read(&chan->nesting));
1521 
1522 	parent = bt_sk(sk)->parent;
1523 
1524 	sock_set_flag(sk, SOCK_ZAPPED);
1525 
1526 	switch (chan->state) {
1527 	case BT_OPEN:
1528 	case BT_BOUND:
1529 	case BT_CLOSED:
1530 		break;
1531 	case BT_LISTEN:
1532 		l2cap_sock_cleanup_listen(sk);
1533 		sk->sk_state = BT_CLOSED;
1534 		chan->state = BT_CLOSED;
1535 
1536 		break;
1537 	default:
1538 		sk->sk_state = BT_CLOSED;
1539 		chan->state = BT_CLOSED;
1540 
1541 		sk->sk_err = err;
1542 
1543 		if (parent) {
1544 			bt_accept_unlink(sk);
1545 			parent->sk_data_ready(parent);
1546 		} else {
1547 			sk->sk_state_change(sk);
1548 		}
1549 
1550 		break;
1551 	}
1552 
1553 	release_sock(sk);
1554 }
1555 
1556 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1557 				       int err)
1558 {
1559 	struct sock *sk = chan->data;
1560 
1561 	sk->sk_state = state;
1562 
1563 	if (err)
1564 		sk->sk_err = err;
1565 }
1566 
1567 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1568 					       unsigned long hdr_len,
1569 					       unsigned long len, int nb)
1570 {
1571 	struct sock *sk = chan->data;
1572 	struct sk_buff *skb;
1573 	int err;
1574 
1575 	l2cap_chan_unlock(chan);
1576 	skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1577 	l2cap_chan_lock(chan);
1578 
1579 	if (!skb)
1580 		return ERR_PTR(err);
1581 
1582 	skb->priority = sk->sk_priority;
1583 
1584 	bt_cb(skb)->l2cap.chan = chan;
1585 
1586 	return skb;
1587 }
1588 
1589 static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1590 {
1591 	struct sock *sk = chan->data;
1592 	struct sock *parent;
1593 
1594 	lock_sock(sk);
1595 
1596 	parent = bt_sk(sk)->parent;
1597 
1598 	BT_DBG("sk %p, parent %p", sk, parent);
1599 
1600 	sk->sk_state = BT_CONNECTED;
1601 	sk->sk_state_change(sk);
1602 
1603 	if (parent)
1604 		parent->sk_data_ready(parent);
1605 
1606 	release_sock(sk);
1607 }
1608 
1609 static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1610 {
1611 	struct sock *parent, *sk = chan->data;
1612 
1613 	lock_sock(sk);
1614 
1615 	parent = bt_sk(sk)->parent;
1616 	if (parent)
1617 		parent->sk_data_ready(parent);
1618 
1619 	release_sock(sk);
1620 }
1621 
1622 static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1623 {
1624 	struct sock *sk = chan->data;
1625 
1626 	if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1627 		sk->sk_state = BT_CONNECTED;
1628 		chan->state = BT_CONNECTED;
1629 	}
1630 
1631 	clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1632 	sk->sk_state_change(sk);
1633 }
1634 
1635 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1636 {
1637 	struct sock *sk = chan->data;
1638 
1639 	lock_sock(sk);
1640 	sk->sk_shutdown = SHUTDOWN_MASK;
1641 	release_sock(sk);
1642 }
1643 
1644 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1645 {
1646 	struct sock *sk = chan->data;
1647 
1648 	return sk->sk_sndtimeo;
1649 }
1650 
1651 static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan)
1652 {
1653 	struct sock *sk = chan->data;
1654 
1655 	return sk->sk_peer_pid;
1656 }
1657 
1658 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1659 {
1660 	struct sock *sk = chan->data;
1661 
1662 	set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1663 	sk->sk_state_change(sk);
1664 }
1665 
1666 static const struct l2cap_ops l2cap_chan_ops = {
1667 	.name			= "L2CAP Socket Interface",
1668 	.new_connection		= l2cap_sock_new_connection_cb,
1669 	.recv			= l2cap_sock_recv_cb,
1670 	.close			= l2cap_sock_close_cb,
1671 	.teardown		= l2cap_sock_teardown_cb,
1672 	.state_change		= l2cap_sock_state_change_cb,
1673 	.ready			= l2cap_sock_ready_cb,
1674 	.defer			= l2cap_sock_defer_cb,
1675 	.resume			= l2cap_sock_resume_cb,
1676 	.suspend		= l2cap_sock_suspend_cb,
1677 	.set_shutdown		= l2cap_sock_set_shutdown_cb,
1678 	.get_sndtimeo		= l2cap_sock_get_sndtimeo_cb,
1679 	.get_peer_pid		= l2cap_sock_get_peer_pid_cb,
1680 	.alloc_skb		= l2cap_sock_alloc_skb_cb,
1681 };
1682 
1683 static void l2cap_sock_destruct(struct sock *sk)
1684 {
1685 	BT_DBG("sk %p", sk);
1686 
1687 	if (l2cap_pi(sk)->chan)
1688 		l2cap_chan_put(l2cap_pi(sk)->chan);
1689 
1690 	if (l2cap_pi(sk)->rx_busy_skb) {
1691 		kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1692 		l2cap_pi(sk)->rx_busy_skb = NULL;
1693 	}
1694 
1695 	skb_queue_purge(&sk->sk_receive_queue);
1696 	skb_queue_purge(&sk->sk_write_queue);
1697 }
1698 
1699 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1700 			       int *msg_namelen)
1701 {
1702 	DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1703 
1704 	memset(la, 0, sizeof(struct sockaddr_l2));
1705 	la->l2_family = AF_BLUETOOTH;
1706 	la->l2_psm = bt_cb(skb)->l2cap.psm;
1707 	bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1708 
1709 	*msg_namelen = sizeof(struct sockaddr_l2);
1710 }
1711 
1712 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1713 {
1714 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1715 
1716 	BT_DBG("sk %p", sk);
1717 
1718 	if (parent) {
1719 		struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1720 
1721 		sk->sk_type = parent->sk_type;
1722 		bt_sk(sk)->flags = bt_sk(parent)->flags;
1723 
1724 		chan->chan_type = pchan->chan_type;
1725 		chan->imtu = pchan->imtu;
1726 		chan->omtu = pchan->omtu;
1727 		chan->conf_state = pchan->conf_state;
1728 		chan->mode = pchan->mode;
1729 		chan->fcs  = pchan->fcs;
1730 		chan->max_tx = pchan->max_tx;
1731 		chan->tx_win = pchan->tx_win;
1732 		chan->tx_win_max = pchan->tx_win_max;
1733 		chan->sec_level = pchan->sec_level;
1734 		chan->flags = pchan->flags;
1735 		chan->tx_credits = pchan->tx_credits;
1736 		chan->rx_credits = pchan->rx_credits;
1737 
1738 		if (chan->chan_type == L2CAP_CHAN_FIXED) {
1739 			chan->scid = pchan->scid;
1740 			chan->dcid = pchan->scid;
1741 		}
1742 
1743 		security_sk_clone(parent, sk);
1744 	} else {
1745 		switch (sk->sk_type) {
1746 		case SOCK_RAW:
1747 			chan->chan_type = L2CAP_CHAN_RAW;
1748 			break;
1749 		case SOCK_DGRAM:
1750 			chan->chan_type = L2CAP_CHAN_CONN_LESS;
1751 			bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1752 			break;
1753 		case SOCK_SEQPACKET:
1754 		case SOCK_STREAM:
1755 			chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1756 			break;
1757 		}
1758 
1759 		chan->imtu = L2CAP_DEFAULT_MTU;
1760 		chan->omtu = 0;
1761 		if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1762 			chan->mode = L2CAP_MODE_ERTM;
1763 			set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1764 		} else {
1765 			chan->mode = L2CAP_MODE_BASIC;
1766 		}
1767 
1768 		l2cap_chan_set_defaults(chan);
1769 	}
1770 
1771 	/* Default config options */
1772 	chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1773 
1774 	chan->data = sk;
1775 	chan->ops = &l2cap_chan_ops;
1776 }
1777 
1778 static struct proto l2cap_proto = {
1779 	.name		= "L2CAP",
1780 	.owner		= THIS_MODULE,
1781 	.obj_size	= sizeof(struct l2cap_pinfo)
1782 };
1783 
1784 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1785 				     int proto, gfp_t prio, int kern)
1786 {
1787 	struct sock *sk;
1788 	struct l2cap_chan *chan;
1789 
1790 	sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern);
1791 	if (!sk)
1792 		return NULL;
1793 
1794 	sock_init_data(sock, sk);
1795 	INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1796 
1797 	sk->sk_destruct = l2cap_sock_destruct;
1798 	sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1799 
1800 	sock_reset_flag(sk, SOCK_ZAPPED);
1801 
1802 	sk->sk_protocol = proto;
1803 	sk->sk_state = BT_OPEN;
1804 
1805 	chan = l2cap_chan_create();
1806 	if (!chan) {
1807 		sk_free(sk);
1808 		return NULL;
1809 	}
1810 
1811 	l2cap_chan_hold(chan);
1812 
1813 	l2cap_pi(sk)->chan = chan;
1814 
1815 	return sk;
1816 }
1817 
1818 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1819 			     int kern)
1820 {
1821 	struct sock *sk;
1822 
1823 	BT_DBG("sock %p", sock);
1824 
1825 	sock->state = SS_UNCONNECTED;
1826 
1827 	if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1828 	    sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1829 		return -ESOCKTNOSUPPORT;
1830 
1831 	if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1832 		return -EPERM;
1833 
1834 	sock->ops = &l2cap_sock_ops;
1835 
1836 	sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1837 	if (!sk)
1838 		return -ENOMEM;
1839 
1840 	l2cap_sock_init(sk, NULL);
1841 	bt_sock_link(&l2cap_sk_list, sk);
1842 	return 0;
1843 }
1844 
1845 static const struct proto_ops l2cap_sock_ops = {
1846 	.family		= PF_BLUETOOTH,
1847 	.owner		= THIS_MODULE,
1848 	.release	= l2cap_sock_release,
1849 	.bind		= l2cap_sock_bind,
1850 	.connect	= l2cap_sock_connect,
1851 	.listen		= l2cap_sock_listen,
1852 	.accept		= l2cap_sock_accept,
1853 	.getname	= l2cap_sock_getname,
1854 	.sendmsg	= l2cap_sock_sendmsg,
1855 	.recvmsg	= l2cap_sock_recvmsg,
1856 	.poll		= bt_sock_poll,
1857 	.ioctl		= bt_sock_ioctl,
1858 	.gettstamp	= sock_gettstamp,
1859 	.mmap		= sock_no_mmap,
1860 	.socketpair	= sock_no_socketpair,
1861 	.shutdown	= l2cap_sock_shutdown,
1862 	.setsockopt	= l2cap_sock_setsockopt,
1863 	.getsockopt	= l2cap_sock_getsockopt
1864 };
1865 
1866 static const struct net_proto_family l2cap_sock_family_ops = {
1867 	.family	= PF_BLUETOOTH,
1868 	.owner	= THIS_MODULE,
1869 	.create	= l2cap_sock_create,
1870 };
1871 
1872 int __init l2cap_init_sockets(void)
1873 {
1874 	int err;
1875 
1876 	BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1877 
1878 	err = proto_register(&l2cap_proto, 0);
1879 	if (err < 0)
1880 		return err;
1881 
1882 	err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1883 	if (err < 0) {
1884 		BT_ERR("L2CAP socket registration failed");
1885 		goto error;
1886 	}
1887 
1888 	err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1889 			     NULL);
1890 	if (err < 0) {
1891 		BT_ERR("Failed to create L2CAP proc file");
1892 		bt_sock_unregister(BTPROTO_L2CAP);
1893 		goto error;
1894 	}
1895 
1896 	BT_INFO("L2CAP socket layer initialized");
1897 
1898 	return 0;
1899 
1900 error:
1901 	proto_unregister(&l2cap_proto);
1902 	return err;
1903 }
1904 
1905 void l2cap_cleanup_sockets(void)
1906 {
1907 	bt_procfs_cleanup(&init_net, "l2cap");
1908 	bt_sock_unregister(BTPROTO_L2CAP);
1909 	proto_unregister(&l2cap_proto);
1910 }
1911