xref: /linux/net/bluetooth/l2cap_sock.c (revision c532de5a67a70f8533d495f8f2aaa9a0491c3ad0)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4    Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5    Copyright (C) 2010 Google Inc.
6    Copyright (C) 2011 ProFUSION Embedded Systems
7 
8    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9 
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License version 2 as
12    published by the Free Software Foundation;
13 
14    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22 
23    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25    SOFTWARE IS DISCLAIMED.
26 */
27 
28 /* Bluetooth L2CAP sockets. */
29 
30 #include <linux/module.h>
31 #include <linux/export.h>
32 #include <linux/filter.h>
33 #include <linux/sched/signal.h>
34 
35 #include <net/bluetooth/bluetooth.h>
36 #include <net/bluetooth/hci_core.h>
37 #include <net/bluetooth/l2cap.h>
38 
39 #include "smp.h"
40 
41 static struct bt_sock_list l2cap_sk_list = {
42 	.lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
43 };
44 
45 static const struct proto_ops l2cap_sock_ops;
46 static void l2cap_sock_init(struct sock *sk, struct sock *parent);
47 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
48 				     int proto, gfp_t prio, int kern);
49 static void l2cap_sock_cleanup_listen(struct sock *parent);
50 
51 bool l2cap_is_socket(struct socket *sock)
52 {
53 	return sock && sock->ops == &l2cap_sock_ops;
54 }
55 EXPORT_SYMBOL(l2cap_is_socket);
56 
57 static int l2cap_validate_bredr_psm(u16 psm)
58 {
59 	/* PSM must be odd and lsb of upper byte must be 0 */
60 	if ((psm & 0x0101) != 0x0001)
61 		return -EINVAL;
62 
63 	/* Restrict usage of well-known PSMs */
64 	if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
65 		return -EACCES;
66 
67 	return 0;
68 }
69 
70 static int l2cap_validate_le_psm(u16 psm)
71 {
72 	/* Valid LE_PSM ranges are defined only until 0x00ff */
73 	if (psm > L2CAP_PSM_LE_DYN_END)
74 		return -EINVAL;
75 
76 	/* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
77 	if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
78 		return -EACCES;
79 
80 	return 0;
81 }
82 
83 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
84 {
85 	struct sock *sk = sock->sk;
86 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
87 	struct sockaddr_l2 la;
88 	int len, err = 0;
89 
90 	BT_DBG("sk %p", sk);
91 
92 	if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
93 	    addr->sa_family != AF_BLUETOOTH)
94 		return -EINVAL;
95 
96 	memset(&la, 0, sizeof(la));
97 	len = min_t(unsigned int, sizeof(la), alen);
98 	memcpy(&la, addr, len);
99 
100 	if (la.l2_cid && la.l2_psm)
101 		return -EINVAL;
102 
103 	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
104 		return -EINVAL;
105 
106 	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
107 		/* We only allow ATT user space socket */
108 		if (la.l2_cid &&
109 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
110 			return -EINVAL;
111 	}
112 
113 	lock_sock(sk);
114 
115 	if (sk->sk_state != BT_OPEN) {
116 		err = -EBADFD;
117 		goto done;
118 	}
119 
120 	if (la.l2_psm) {
121 		__u16 psm = __le16_to_cpu(la.l2_psm);
122 
123 		if (la.l2_bdaddr_type == BDADDR_BREDR)
124 			err = l2cap_validate_bredr_psm(psm);
125 		else
126 			err = l2cap_validate_le_psm(psm);
127 
128 		if (err)
129 			goto done;
130 	}
131 
132 	bacpy(&chan->src, &la.l2_bdaddr);
133 	chan->src_type = la.l2_bdaddr_type;
134 
135 	if (la.l2_cid)
136 		err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
137 	else
138 		err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
139 
140 	if (err < 0)
141 		goto done;
142 
143 	switch (chan->chan_type) {
144 	case L2CAP_CHAN_CONN_LESS:
145 		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
146 			chan->sec_level = BT_SECURITY_SDP;
147 		break;
148 	case L2CAP_CHAN_CONN_ORIENTED:
149 		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
150 		    __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
151 			chan->sec_level = BT_SECURITY_SDP;
152 		break;
153 	case L2CAP_CHAN_RAW:
154 		chan->sec_level = BT_SECURITY_SDP;
155 		break;
156 	case L2CAP_CHAN_FIXED:
157 		/* Fixed channels default to the L2CAP core not holding a
158 		 * hci_conn reference for them. For fixed channels mapping to
159 		 * L2CAP sockets we do want to hold a reference so set the
160 		 * appropriate flag to request it.
161 		 */
162 		set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
163 		break;
164 	}
165 
166 	/* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
167 	 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
168 	 */
169 	if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
170 	    chan->mode != L2CAP_MODE_EXT_FLOWCTL)
171 		chan->mode = L2CAP_MODE_LE_FLOWCTL;
172 
173 	chan->state = BT_BOUND;
174 	sk->sk_state = BT_BOUND;
175 
176 done:
177 	release_sock(sk);
178 	return err;
179 }
180 
181 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
182 			      int alen, int flags)
183 {
184 	struct sock *sk = sock->sk;
185 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
186 	struct sockaddr_l2 la;
187 	int len, err = 0;
188 	bool zapped;
189 
190 	BT_DBG("sk %p", sk);
191 
192 	lock_sock(sk);
193 	zapped = sock_flag(sk, SOCK_ZAPPED);
194 	release_sock(sk);
195 
196 	if (zapped)
197 		return -EINVAL;
198 
199 	if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
200 	    addr->sa_family != AF_BLUETOOTH)
201 		return -EINVAL;
202 
203 	memset(&la, 0, sizeof(la));
204 	len = min_t(unsigned int, sizeof(la), alen);
205 	memcpy(&la, addr, len);
206 
207 	if (la.l2_cid && la.l2_psm)
208 		return -EINVAL;
209 
210 	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
211 		return -EINVAL;
212 
213 	/* Check that the socket wasn't bound to something that
214 	 * conflicts with the address given to connect(). If chan->src
215 	 * is BDADDR_ANY it means bind() was never used, in which case
216 	 * chan->src_type and la.l2_bdaddr_type do not need to match.
217 	 */
218 	if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
219 	    bdaddr_type_is_le(la.l2_bdaddr_type)) {
220 		/* Old user space versions will try to incorrectly bind
221 		 * the ATT socket using BDADDR_BREDR. We need to accept
222 		 * this and fix up the source address type only when
223 		 * both the source CID and destination CID indicate
224 		 * ATT. Anything else is an invalid combination.
225 		 */
226 		if (chan->scid != L2CAP_CID_ATT ||
227 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
228 			return -EINVAL;
229 
230 		/* We don't have the hdev available here to make a
231 		 * better decision on random vs public, but since all
232 		 * user space versions that exhibit this issue anyway do
233 		 * not support random local addresses assuming public
234 		 * here is good enough.
235 		 */
236 		chan->src_type = BDADDR_LE_PUBLIC;
237 	}
238 
239 	if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
240 		return -EINVAL;
241 
242 	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
243 		/* We only allow ATT user space socket */
244 		if (la.l2_cid &&
245 		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
246 			return -EINVAL;
247 	}
248 
249 	/* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
250 	 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
251 	 */
252 	if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
253 	    chan->mode != L2CAP_MODE_EXT_FLOWCTL)
254 		chan->mode = L2CAP_MODE_LE_FLOWCTL;
255 
256 	err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
257 				 &la.l2_bdaddr, la.l2_bdaddr_type,
258 				 sk->sk_sndtimeo);
259 	if (err)
260 		return err;
261 
262 	lock_sock(sk);
263 
264 	err = bt_sock_wait_state(sk, BT_CONNECTED,
265 				 sock_sndtimeo(sk, flags & O_NONBLOCK));
266 
267 	release_sock(sk);
268 
269 	return err;
270 }
271 
272 static int l2cap_sock_listen(struct socket *sock, int backlog)
273 {
274 	struct sock *sk = sock->sk;
275 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
276 	int err = 0;
277 
278 	BT_DBG("sk %p backlog %d", sk, backlog);
279 
280 	lock_sock(sk);
281 
282 	if (sk->sk_state != BT_BOUND) {
283 		err = -EBADFD;
284 		goto done;
285 	}
286 
287 	if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
288 		err = -EINVAL;
289 		goto done;
290 	}
291 
292 	switch (chan->mode) {
293 	case L2CAP_MODE_BASIC:
294 	case L2CAP_MODE_LE_FLOWCTL:
295 		break;
296 	case L2CAP_MODE_EXT_FLOWCTL:
297 		if (!enable_ecred) {
298 			err = -EOPNOTSUPP;
299 			goto done;
300 		}
301 		break;
302 	case L2CAP_MODE_ERTM:
303 	case L2CAP_MODE_STREAMING:
304 		if (!disable_ertm)
305 			break;
306 		fallthrough;
307 	default:
308 		err = -EOPNOTSUPP;
309 		goto done;
310 	}
311 
312 	sk->sk_max_ack_backlog = backlog;
313 	sk->sk_ack_backlog = 0;
314 
315 	/* Listening channels need to use nested locking in order not to
316 	 * cause lockdep warnings when the created child channels end up
317 	 * being locked in the same thread as the parent channel.
318 	 */
319 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
320 
321 	chan->state = BT_LISTEN;
322 	sk->sk_state = BT_LISTEN;
323 
324 done:
325 	release_sock(sk);
326 	return err;
327 }
328 
329 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
330 			     struct proto_accept_arg *arg)
331 {
332 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
333 	struct sock *sk = sock->sk, *nsk;
334 	long timeo;
335 	int err = 0;
336 
337 	lock_sock_nested(sk, L2CAP_NESTING_PARENT);
338 
339 	timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK);
340 
341 	BT_DBG("sk %p timeo %ld", sk, timeo);
342 
343 	/* Wait for an incoming connection. (wake-one). */
344 	add_wait_queue_exclusive(sk_sleep(sk), &wait);
345 	while (1) {
346 		if (sk->sk_state != BT_LISTEN) {
347 			err = -EBADFD;
348 			break;
349 		}
350 
351 		nsk = bt_accept_dequeue(sk, newsock);
352 		if (nsk)
353 			break;
354 
355 		if (!timeo) {
356 			err = -EAGAIN;
357 			break;
358 		}
359 
360 		if (signal_pending(current)) {
361 			err = sock_intr_errno(timeo);
362 			break;
363 		}
364 
365 		release_sock(sk);
366 
367 		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
368 
369 		lock_sock_nested(sk, L2CAP_NESTING_PARENT);
370 	}
371 	remove_wait_queue(sk_sleep(sk), &wait);
372 
373 	if (err)
374 		goto done;
375 
376 	newsock->state = SS_CONNECTED;
377 
378 	BT_DBG("new socket %p", nsk);
379 
380 done:
381 	release_sock(sk);
382 	return err;
383 }
384 
385 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
386 			      int peer)
387 {
388 	struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
389 	struct sock *sk = sock->sk;
390 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
391 
392 	BT_DBG("sock %p, sk %p", sock, sk);
393 
394 	if (peer && sk->sk_state != BT_CONNECTED &&
395 	    sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
396 	    sk->sk_state != BT_CONFIG)
397 		return -ENOTCONN;
398 
399 	memset(la, 0, sizeof(struct sockaddr_l2));
400 	addr->sa_family = AF_BLUETOOTH;
401 
402 	la->l2_psm = chan->psm;
403 
404 	if (peer) {
405 		bacpy(&la->l2_bdaddr, &chan->dst);
406 		la->l2_cid = cpu_to_le16(chan->dcid);
407 		la->l2_bdaddr_type = chan->dst_type;
408 	} else {
409 		bacpy(&la->l2_bdaddr, &chan->src);
410 		la->l2_cid = cpu_to_le16(chan->scid);
411 		la->l2_bdaddr_type = chan->src_type;
412 	}
413 
414 	return sizeof(struct sockaddr_l2);
415 }
416 
417 static int l2cap_get_mode(struct l2cap_chan *chan)
418 {
419 	switch (chan->mode) {
420 	case L2CAP_MODE_BASIC:
421 		return BT_MODE_BASIC;
422 	case L2CAP_MODE_ERTM:
423 		return BT_MODE_ERTM;
424 	case L2CAP_MODE_STREAMING:
425 		return BT_MODE_STREAMING;
426 	case L2CAP_MODE_LE_FLOWCTL:
427 		return BT_MODE_LE_FLOWCTL;
428 	case L2CAP_MODE_EXT_FLOWCTL:
429 		return BT_MODE_EXT_FLOWCTL;
430 	}
431 
432 	return -EINVAL;
433 }
434 
435 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
436 				     char __user *optval, int __user *optlen)
437 {
438 	struct sock *sk = sock->sk;
439 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
440 	struct l2cap_options opts;
441 	struct l2cap_conninfo cinfo;
442 	int err = 0;
443 	size_t len;
444 	u32 opt;
445 
446 	BT_DBG("sk %p", sk);
447 
448 	if (get_user(len, optlen))
449 		return -EFAULT;
450 
451 	lock_sock(sk);
452 
453 	switch (optname) {
454 	case L2CAP_OPTIONS:
455 		/* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
456 		 * legacy ATT code depends on getsockopt for
457 		 * L2CAP_OPTIONS we need to let this pass.
458 		 */
459 		if (bdaddr_type_is_le(chan->src_type) &&
460 		    chan->scid != L2CAP_CID_ATT) {
461 			err = -EINVAL;
462 			break;
463 		}
464 
465 		/* Only BR/EDR modes are supported here */
466 		switch (chan->mode) {
467 		case L2CAP_MODE_BASIC:
468 		case L2CAP_MODE_ERTM:
469 		case L2CAP_MODE_STREAMING:
470 			break;
471 		default:
472 			err = -EINVAL;
473 			break;
474 		}
475 
476 		if (err < 0)
477 			break;
478 
479 		memset(&opts, 0, sizeof(opts));
480 		opts.imtu     = chan->imtu;
481 		opts.omtu     = chan->omtu;
482 		opts.flush_to = chan->flush_to;
483 		opts.mode     = chan->mode;
484 		opts.fcs      = chan->fcs;
485 		opts.max_tx   = chan->max_tx;
486 		opts.txwin_size = chan->tx_win;
487 
488 		BT_DBG("mode 0x%2.2x", chan->mode);
489 
490 		len = min(len, sizeof(opts));
491 		if (copy_to_user(optval, (char *) &opts, len))
492 			err = -EFAULT;
493 
494 		break;
495 
496 	case L2CAP_LM:
497 		switch (chan->sec_level) {
498 		case BT_SECURITY_LOW:
499 			opt = L2CAP_LM_AUTH;
500 			break;
501 		case BT_SECURITY_MEDIUM:
502 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
503 			break;
504 		case BT_SECURITY_HIGH:
505 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
506 			      L2CAP_LM_SECURE;
507 			break;
508 		case BT_SECURITY_FIPS:
509 			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
510 			      L2CAP_LM_SECURE | L2CAP_LM_FIPS;
511 			break;
512 		default:
513 			opt = 0;
514 			break;
515 		}
516 
517 		if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
518 			opt |= L2CAP_LM_MASTER;
519 
520 		if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
521 			opt |= L2CAP_LM_RELIABLE;
522 
523 		if (put_user(opt, (u32 __user *) optval))
524 			err = -EFAULT;
525 
526 		break;
527 
528 	case L2CAP_CONNINFO:
529 		if (sk->sk_state != BT_CONNECTED &&
530 		    !(sk->sk_state == BT_CONNECT2 &&
531 		      test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
532 			err = -ENOTCONN;
533 			break;
534 		}
535 
536 		memset(&cinfo, 0, sizeof(cinfo));
537 		cinfo.hci_handle = chan->conn->hcon->handle;
538 		memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
539 
540 		len = min(len, sizeof(cinfo));
541 		if (copy_to_user(optval, (char *) &cinfo, len))
542 			err = -EFAULT;
543 
544 		break;
545 
546 	default:
547 		err = -ENOPROTOOPT;
548 		break;
549 	}
550 
551 	release_sock(sk);
552 	return err;
553 }
554 
555 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
556 				 char __user *optval, int __user *optlen)
557 {
558 	struct sock *sk = sock->sk;
559 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
560 	struct bt_security sec;
561 	struct bt_power pwr;
562 	u32 phys;
563 	int len, mode, err = 0;
564 
565 	BT_DBG("sk %p", sk);
566 
567 	if (level == SOL_L2CAP)
568 		return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
569 
570 	if (level != SOL_BLUETOOTH)
571 		return -ENOPROTOOPT;
572 
573 	if (get_user(len, optlen))
574 		return -EFAULT;
575 
576 	lock_sock(sk);
577 
578 	switch (optname) {
579 	case BT_SECURITY:
580 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
581 		    chan->chan_type != L2CAP_CHAN_FIXED &&
582 		    chan->chan_type != L2CAP_CHAN_RAW) {
583 			err = -EINVAL;
584 			break;
585 		}
586 
587 		memset(&sec, 0, sizeof(sec));
588 		if (chan->conn) {
589 			sec.level = chan->conn->hcon->sec_level;
590 
591 			if (sk->sk_state == BT_CONNECTED)
592 				sec.key_size = chan->conn->hcon->enc_key_size;
593 		} else {
594 			sec.level = chan->sec_level;
595 		}
596 
597 		len = min_t(unsigned int, len, sizeof(sec));
598 		if (copy_to_user(optval, (char *) &sec, len))
599 			err = -EFAULT;
600 
601 		break;
602 
603 	case BT_DEFER_SETUP:
604 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
605 			err = -EINVAL;
606 			break;
607 		}
608 
609 		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
610 			     (u32 __user *) optval))
611 			err = -EFAULT;
612 
613 		break;
614 
615 	case BT_FLUSHABLE:
616 		if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
617 			     (u32 __user *) optval))
618 			err = -EFAULT;
619 
620 		break;
621 
622 	case BT_POWER:
623 		if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
624 		    && sk->sk_type != SOCK_RAW) {
625 			err = -EINVAL;
626 			break;
627 		}
628 
629 		pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
630 
631 		len = min_t(unsigned int, len, sizeof(pwr));
632 		if (copy_to_user(optval, (char *) &pwr, len))
633 			err = -EFAULT;
634 
635 		break;
636 
637 	case BT_CHANNEL_POLICY:
638 		if (put_user(chan->chan_policy, (u32 __user *) optval))
639 			err = -EFAULT;
640 		break;
641 
642 	case BT_SNDMTU:
643 		if (!bdaddr_type_is_le(chan->src_type)) {
644 			err = -EINVAL;
645 			break;
646 		}
647 
648 		if (sk->sk_state != BT_CONNECTED) {
649 			err = -ENOTCONN;
650 			break;
651 		}
652 
653 		if (put_user(chan->omtu, (u16 __user *) optval))
654 			err = -EFAULT;
655 		break;
656 
657 	case BT_RCVMTU:
658 		if (!bdaddr_type_is_le(chan->src_type)) {
659 			err = -EINVAL;
660 			break;
661 		}
662 
663 		if (put_user(chan->imtu, (u16 __user *) optval))
664 			err = -EFAULT;
665 		break;
666 
667 	case BT_PHY:
668 		if (sk->sk_state != BT_CONNECTED) {
669 			err = -ENOTCONN;
670 			break;
671 		}
672 
673 		phys = hci_conn_get_phy(chan->conn->hcon);
674 
675 		if (put_user(phys, (u32 __user *) optval))
676 			err = -EFAULT;
677 		break;
678 
679 	case BT_MODE:
680 		if (!enable_ecred) {
681 			err = -ENOPROTOOPT;
682 			break;
683 		}
684 
685 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
686 			err = -EINVAL;
687 			break;
688 		}
689 
690 		mode = l2cap_get_mode(chan);
691 		if (mode < 0) {
692 			err = mode;
693 			break;
694 		}
695 
696 		if (put_user(mode, (u8 __user *) optval))
697 			err = -EFAULT;
698 		break;
699 
700 	default:
701 		err = -ENOPROTOOPT;
702 		break;
703 	}
704 
705 	release_sock(sk);
706 	return err;
707 }
708 
709 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
710 {
711 	switch (chan->scid) {
712 	case L2CAP_CID_ATT:
713 		if (mtu < L2CAP_LE_MIN_MTU)
714 			return false;
715 		break;
716 
717 	default:
718 		if (mtu < L2CAP_DEFAULT_MIN_MTU)
719 			return false;
720 	}
721 
722 	return true;
723 }
724 
725 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
726 				     sockptr_t optval, unsigned int optlen)
727 {
728 	struct sock *sk = sock->sk;
729 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
730 	struct l2cap_options opts;
731 	int err = 0;
732 	u32 opt;
733 
734 	BT_DBG("sk %p", sk);
735 
736 	lock_sock(sk);
737 
738 	switch (optname) {
739 	case L2CAP_OPTIONS:
740 		if (bdaddr_type_is_le(chan->src_type)) {
741 			err = -EINVAL;
742 			break;
743 		}
744 
745 		if (sk->sk_state == BT_CONNECTED) {
746 			err = -EINVAL;
747 			break;
748 		}
749 
750 		opts.imtu     = chan->imtu;
751 		opts.omtu     = chan->omtu;
752 		opts.flush_to = chan->flush_to;
753 		opts.mode     = chan->mode;
754 		opts.fcs      = chan->fcs;
755 		opts.max_tx   = chan->max_tx;
756 		opts.txwin_size = chan->tx_win;
757 
758 		err = bt_copy_from_sockptr(&opts, sizeof(opts), optval, optlen);
759 		if (err)
760 			break;
761 
762 		if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
763 			err = -EINVAL;
764 			break;
765 		}
766 
767 		if (!l2cap_valid_mtu(chan, opts.imtu)) {
768 			err = -EINVAL;
769 			break;
770 		}
771 
772 		/* Only BR/EDR modes are supported here */
773 		switch (opts.mode) {
774 		case L2CAP_MODE_BASIC:
775 			clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
776 			break;
777 		case L2CAP_MODE_ERTM:
778 		case L2CAP_MODE_STREAMING:
779 			if (!disable_ertm)
780 				break;
781 			fallthrough;
782 		default:
783 			err = -EINVAL;
784 			break;
785 		}
786 
787 		if (err < 0)
788 			break;
789 
790 		chan->mode = opts.mode;
791 
792 		BT_DBG("mode 0x%2.2x", chan->mode);
793 
794 		chan->imtu = opts.imtu;
795 		chan->omtu = opts.omtu;
796 		chan->fcs  = opts.fcs;
797 		chan->max_tx = opts.max_tx;
798 		chan->tx_win = opts.txwin_size;
799 		chan->flush_to = opts.flush_to;
800 		break;
801 
802 	case L2CAP_LM:
803 		err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
804 		if (err)
805 			break;
806 
807 		if (opt & L2CAP_LM_FIPS) {
808 			err = -EINVAL;
809 			break;
810 		}
811 
812 		if (opt & L2CAP_LM_AUTH)
813 			chan->sec_level = BT_SECURITY_LOW;
814 		if (opt & L2CAP_LM_ENCRYPT)
815 			chan->sec_level = BT_SECURITY_MEDIUM;
816 		if (opt & L2CAP_LM_SECURE)
817 			chan->sec_level = BT_SECURITY_HIGH;
818 
819 		if (opt & L2CAP_LM_MASTER)
820 			set_bit(FLAG_ROLE_SWITCH, &chan->flags);
821 		else
822 			clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
823 
824 		if (opt & L2CAP_LM_RELIABLE)
825 			set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
826 		else
827 			clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
828 		break;
829 
830 	default:
831 		err = -ENOPROTOOPT;
832 		break;
833 	}
834 
835 	release_sock(sk);
836 	return err;
837 }
838 
839 static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode)
840 {
841 	switch (mode) {
842 	case BT_MODE_BASIC:
843 		if (bdaddr_type_is_le(chan->src_type))
844 			return -EINVAL;
845 		mode = L2CAP_MODE_BASIC;
846 		clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
847 		break;
848 	case BT_MODE_ERTM:
849 		if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
850 			return -EINVAL;
851 		mode = L2CAP_MODE_ERTM;
852 		break;
853 	case BT_MODE_STREAMING:
854 		if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
855 			return -EINVAL;
856 		mode = L2CAP_MODE_STREAMING;
857 		break;
858 	case BT_MODE_LE_FLOWCTL:
859 		if (!bdaddr_type_is_le(chan->src_type))
860 			return -EINVAL;
861 		mode = L2CAP_MODE_LE_FLOWCTL;
862 		break;
863 	case BT_MODE_EXT_FLOWCTL:
864 		/* TODO: Add support for ECRED PDUs to BR/EDR */
865 		if (!bdaddr_type_is_le(chan->src_type))
866 			return -EINVAL;
867 		mode = L2CAP_MODE_EXT_FLOWCTL;
868 		break;
869 	default:
870 		return -EINVAL;
871 	}
872 
873 	chan->mode = mode;
874 
875 	return 0;
876 }
877 
878 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
879 				 sockptr_t optval, unsigned int optlen)
880 {
881 	struct sock *sk = sock->sk;
882 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
883 	struct bt_security sec;
884 	struct bt_power pwr;
885 	struct l2cap_conn *conn;
886 	int err = 0;
887 	u32 opt;
888 	u16 mtu;
889 	u8 mode;
890 
891 	BT_DBG("sk %p", sk);
892 
893 	if (level == SOL_L2CAP)
894 		return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
895 
896 	if (level != SOL_BLUETOOTH)
897 		return -ENOPROTOOPT;
898 
899 	lock_sock(sk);
900 
901 	switch (optname) {
902 	case BT_SECURITY:
903 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
904 		    chan->chan_type != L2CAP_CHAN_FIXED &&
905 		    chan->chan_type != L2CAP_CHAN_RAW) {
906 			err = -EINVAL;
907 			break;
908 		}
909 
910 		sec.level = BT_SECURITY_LOW;
911 
912 		err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen);
913 		if (err)
914 			break;
915 
916 		if (sec.level < BT_SECURITY_LOW ||
917 		    sec.level > BT_SECURITY_FIPS) {
918 			err = -EINVAL;
919 			break;
920 		}
921 
922 		chan->sec_level = sec.level;
923 
924 		if (!chan->conn)
925 			break;
926 
927 		conn = chan->conn;
928 
929 		/* change security for LE channels */
930 		if (chan->scid == L2CAP_CID_ATT) {
931 			if (smp_conn_security(conn->hcon, sec.level)) {
932 				err = -EINVAL;
933 				break;
934 			}
935 
936 			set_bit(FLAG_PENDING_SECURITY, &chan->flags);
937 			sk->sk_state = BT_CONFIG;
938 			chan->state = BT_CONFIG;
939 
940 		/* or for ACL link */
941 		} else if ((sk->sk_state == BT_CONNECT2 &&
942 			    test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
943 			   sk->sk_state == BT_CONNECTED) {
944 			if (!l2cap_chan_check_security(chan, true))
945 				set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
946 			else
947 				sk->sk_state_change(sk);
948 		} else {
949 			err = -EINVAL;
950 		}
951 		break;
952 
953 	case BT_DEFER_SETUP:
954 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
955 			err = -EINVAL;
956 			break;
957 		}
958 
959 		err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
960 		if (err)
961 			break;
962 
963 		if (opt) {
964 			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
965 			set_bit(FLAG_DEFER_SETUP, &chan->flags);
966 		} else {
967 			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
968 			clear_bit(FLAG_DEFER_SETUP, &chan->flags);
969 		}
970 		break;
971 
972 	case BT_FLUSHABLE:
973 		err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
974 		if (err)
975 			break;
976 
977 		if (opt > BT_FLUSHABLE_ON) {
978 			err = -EINVAL;
979 			break;
980 		}
981 
982 		if (opt == BT_FLUSHABLE_OFF) {
983 			conn = chan->conn;
984 			/* proceed further only when we have l2cap_conn and
985 			   No Flush support in the LM */
986 			if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
987 				err = -EINVAL;
988 				break;
989 			}
990 		}
991 
992 		if (opt)
993 			set_bit(FLAG_FLUSHABLE, &chan->flags);
994 		else
995 			clear_bit(FLAG_FLUSHABLE, &chan->flags);
996 		break;
997 
998 	case BT_POWER:
999 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
1000 		    chan->chan_type != L2CAP_CHAN_RAW) {
1001 			err = -EINVAL;
1002 			break;
1003 		}
1004 
1005 		pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
1006 
1007 		err = bt_copy_from_sockptr(&pwr, sizeof(pwr), optval, optlen);
1008 		if (err)
1009 			break;
1010 
1011 		if (pwr.force_active)
1012 			set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1013 		else
1014 			clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1015 		break;
1016 
1017 	case BT_CHANNEL_POLICY:
1018 		err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
1019 		if (err)
1020 			break;
1021 
1022 		err = -EOPNOTSUPP;
1023 		break;
1024 
1025 	case BT_SNDMTU:
1026 		if (!bdaddr_type_is_le(chan->src_type)) {
1027 			err = -EINVAL;
1028 			break;
1029 		}
1030 
1031 		/* Setting is not supported as it's the remote side that
1032 		 * decides this.
1033 		 */
1034 		err = -EPERM;
1035 		break;
1036 
1037 	case BT_RCVMTU:
1038 		if (!bdaddr_type_is_le(chan->src_type)) {
1039 			err = -EINVAL;
1040 			break;
1041 		}
1042 
1043 		if (chan->mode == L2CAP_MODE_LE_FLOWCTL &&
1044 		    sk->sk_state == BT_CONNECTED) {
1045 			err = -EISCONN;
1046 			break;
1047 		}
1048 
1049 		err = bt_copy_from_sockptr(&mtu, sizeof(mtu), optval, optlen);
1050 		if (err)
1051 			break;
1052 
1053 		if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
1054 		    sk->sk_state == BT_CONNECTED)
1055 			err = l2cap_chan_reconfigure(chan, mtu);
1056 		else
1057 			chan->imtu = mtu;
1058 
1059 		break;
1060 
1061 	case BT_MODE:
1062 		if (!enable_ecred) {
1063 			err = -ENOPROTOOPT;
1064 			break;
1065 		}
1066 
1067 		BT_DBG("sk->sk_state %u", sk->sk_state);
1068 
1069 		if (sk->sk_state != BT_BOUND) {
1070 			err = -EINVAL;
1071 			break;
1072 		}
1073 
1074 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1075 			err = -EINVAL;
1076 			break;
1077 		}
1078 
1079 		err = bt_copy_from_sockptr(&mode, sizeof(mode), optval, optlen);
1080 		if (err)
1081 			break;
1082 
1083 		BT_DBG("mode %u", mode);
1084 
1085 		err = l2cap_set_mode(chan, mode);
1086 		if (err)
1087 			break;
1088 
1089 		BT_DBG("mode 0x%2.2x", chan->mode);
1090 
1091 		break;
1092 
1093 	default:
1094 		err = -ENOPROTOOPT;
1095 		break;
1096 	}
1097 
1098 	release_sock(sk);
1099 	return err;
1100 }
1101 
1102 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1103 			      size_t len)
1104 {
1105 	struct sock *sk = sock->sk;
1106 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1107 	int err;
1108 
1109 	BT_DBG("sock %p, sk %p", sock, sk);
1110 
1111 	err = sock_error(sk);
1112 	if (err)
1113 		return err;
1114 
1115 	if (msg->msg_flags & MSG_OOB)
1116 		return -EOPNOTSUPP;
1117 
1118 	if (sk->sk_state != BT_CONNECTED)
1119 		return -ENOTCONN;
1120 
1121 	lock_sock(sk);
1122 	err = bt_sock_wait_ready(sk, msg->msg_flags);
1123 	release_sock(sk);
1124 	if (err)
1125 		return err;
1126 
1127 	l2cap_chan_lock(chan);
1128 	err = l2cap_chan_send(chan, msg, len);
1129 	l2cap_chan_unlock(chan);
1130 
1131 	return err;
1132 }
1133 
1134 static void l2cap_publish_rx_avail(struct l2cap_chan *chan)
1135 {
1136 	struct sock *sk = chan->data;
1137 	ssize_t avail = sk->sk_rcvbuf - atomic_read(&sk->sk_rmem_alloc);
1138 	int expected_skbs, skb_overhead;
1139 
1140 	if (avail <= 0) {
1141 		l2cap_chan_rx_avail(chan, 0);
1142 		return;
1143 	}
1144 
1145 	if (!chan->mps) {
1146 		l2cap_chan_rx_avail(chan, -1);
1147 		return;
1148 	}
1149 
1150 	/* Correct available memory by estimated sk_buff overhead.
1151 	 * This is significant due to small transfer sizes. However, accept
1152 	 * at least one full packet if receive space is non-zero.
1153 	 */
1154 	expected_skbs = DIV_ROUND_UP(avail, chan->mps);
1155 	skb_overhead = expected_skbs * sizeof(struct sk_buff);
1156 	if (skb_overhead < avail)
1157 		l2cap_chan_rx_avail(chan, avail - skb_overhead);
1158 	else
1159 		l2cap_chan_rx_avail(chan, -1);
1160 }
1161 
1162 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1163 			      size_t len, int flags)
1164 {
1165 	struct sock *sk = sock->sk;
1166 	struct l2cap_pinfo *pi = l2cap_pi(sk);
1167 	int err;
1168 
1169 	lock_sock(sk);
1170 
1171 	if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
1172 						    &bt_sk(sk)->flags)) {
1173 		if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
1174 			sk->sk_state = BT_CONNECTED;
1175 			pi->chan->state = BT_CONNECTED;
1176 			__l2cap_ecred_conn_rsp_defer(pi->chan);
1177 		} else if (bdaddr_type_is_le(pi->chan->src_type)) {
1178 			sk->sk_state = BT_CONNECTED;
1179 			pi->chan->state = BT_CONNECTED;
1180 			__l2cap_le_connect_rsp_defer(pi->chan);
1181 		} else {
1182 			sk->sk_state = BT_CONFIG;
1183 			pi->chan->state = BT_CONFIG;
1184 			__l2cap_connect_rsp_defer(pi->chan);
1185 		}
1186 
1187 		err = 0;
1188 		goto done;
1189 	}
1190 
1191 	release_sock(sk);
1192 
1193 	if (sock->type == SOCK_STREAM)
1194 		err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1195 	else
1196 		err = bt_sock_recvmsg(sock, msg, len, flags);
1197 
1198 	if (pi->chan->mode != L2CAP_MODE_ERTM &&
1199 	    pi->chan->mode != L2CAP_MODE_LE_FLOWCTL &&
1200 	    pi->chan->mode != L2CAP_MODE_EXT_FLOWCTL)
1201 		return err;
1202 
1203 	lock_sock(sk);
1204 
1205 	l2cap_publish_rx_avail(pi->chan);
1206 
1207 	/* Attempt to put pending rx data in the socket buffer */
1208 	while (!list_empty(&pi->rx_busy)) {
1209 		struct l2cap_rx_busy *rx_busy =
1210 			list_first_entry(&pi->rx_busy,
1211 					 struct l2cap_rx_busy,
1212 					 list);
1213 		if (__sock_queue_rcv_skb(sk, rx_busy->skb) < 0)
1214 			goto done;
1215 		list_del(&rx_busy->list);
1216 		kfree(rx_busy);
1217 	}
1218 
1219 	/* Restore data flow when half of the receive buffer is
1220 	 * available.  This avoids resending large numbers of
1221 	 * frames.
1222 	 */
1223 	if (test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state) &&
1224 	    atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1225 		l2cap_chan_busy(pi->chan, 0);
1226 
1227 done:
1228 	release_sock(sk);
1229 	return err;
1230 }
1231 
1232 /* Kill socket (only if zapped and orphan)
1233  * Must be called on unlocked socket, with l2cap channel lock.
1234  */
1235 static void l2cap_sock_kill(struct sock *sk)
1236 {
1237 	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1238 		return;
1239 
1240 	BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1241 
1242 	/* Sock is dead, so set chan data to NULL, avoid other task use invalid
1243 	 * sock pointer.
1244 	 */
1245 	l2cap_pi(sk)->chan->data = NULL;
1246 	/* Kill poor orphan */
1247 
1248 	l2cap_chan_put(l2cap_pi(sk)->chan);
1249 	sock_set_flag(sk, SOCK_DEAD);
1250 	sock_put(sk);
1251 }
1252 
1253 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1254 {
1255 	DECLARE_WAITQUEUE(wait, current);
1256 	int err = 0;
1257 	int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1258 	/* Timeout to prevent infinite loop */
1259 	unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1260 
1261 	add_wait_queue(sk_sleep(sk), &wait);
1262 	set_current_state(TASK_INTERRUPTIBLE);
1263 	do {
1264 		BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1265 		       chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1266 		       jiffies_to_msecs(timeout - jiffies));
1267 
1268 		if (!timeo)
1269 			timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1270 
1271 		if (signal_pending(current)) {
1272 			err = sock_intr_errno(timeo);
1273 			break;
1274 		}
1275 
1276 		release_sock(sk);
1277 		timeo = schedule_timeout(timeo);
1278 		lock_sock(sk);
1279 		set_current_state(TASK_INTERRUPTIBLE);
1280 
1281 		err = sock_error(sk);
1282 		if (err)
1283 			break;
1284 
1285 		if (time_after(jiffies, timeout)) {
1286 			err = -ENOLINK;
1287 			break;
1288 		}
1289 
1290 	} while (chan->unacked_frames > 0 &&
1291 		 chan->state == BT_CONNECTED);
1292 
1293 	set_current_state(TASK_RUNNING);
1294 	remove_wait_queue(sk_sleep(sk), &wait);
1295 	return err;
1296 }
1297 
1298 static int l2cap_sock_shutdown(struct socket *sock, int how)
1299 {
1300 	struct sock *sk = sock->sk;
1301 	struct l2cap_chan *chan;
1302 	struct l2cap_conn *conn;
1303 	int err = 0;
1304 
1305 	BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1306 
1307 	/* 'how' parameter is mapped to sk_shutdown as follows:
1308 	 * SHUT_RD   (0) --> RCV_SHUTDOWN  (1)
1309 	 * SHUT_WR   (1) --> SEND_SHUTDOWN (2)
1310 	 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3)
1311 	 */
1312 	how++;
1313 
1314 	if (!sk)
1315 		return 0;
1316 
1317 	lock_sock(sk);
1318 
1319 	if ((sk->sk_shutdown & how) == how)
1320 		goto shutdown_already;
1321 
1322 	BT_DBG("Handling sock shutdown");
1323 
1324 	/* prevent sk structure from being freed whilst unlocked */
1325 	sock_hold(sk);
1326 
1327 	chan = l2cap_pi(sk)->chan;
1328 	/* prevent chan structure from being freed whilst unlocked */
1329 	l2cap_chan_hold(chan);
1330 
1331 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1332 
1333 	if (chan->mode == L2CAP_MODE_ERTM &&
1334 	    chan->unacked_frames > 0 &&
1335 	    chan->state == BT_CONNECTED) {
1336 		err = __l2cap_wait_ack(sk, chan);
1337 
1338 		/* After waiting for ACKs, check whether shutdown
1339 		 * has already been actioned to close the L2CAP
1340 		 * link such as by l2cap_disconnection_req().
1341 		 */
1342 		if ((sk->sk_shutdown & how) == how)
1343 			goto shutdown_matched;
1344 	}
1345 
1346 	/* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN
1347 	 * is already set
1348 	 */
1349 	if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) {
1350 		sk->sk_shutdown |= RCV_SHUTDOWN;
1351 		if ((sk->sk_shutdown & how) == how)
1352 			goto shutdown_matched;
1353 	}
1354 
1355 	sk->sk_shutdown |= SEND_SHUTDOWN;
1356 	release_sock(sk);
1357 
1358 	l2cap_chan_lock(chan);
1359 	conn = chan->conn;
1360 	if (conn)
1361 		/* prevent conn structure from being freed */
1362 		l2cap_conn_get(conn);
1363 	l2cap_chan_unlock(chan);
1364 
1365 	if (conn)
1366 		/* mutex lock must be taken before l2cap_chan_lock() */
1367 		mutex_lock(&conn->chan_lock);
1368 
1369 	l2cap_chan_lock(chan);
1370 	l2cap_chan_close(chan, 0);
1371 	l2cap_chan_unlock(chan);
1372 
1373 	if (conn) {
1374 		mutex_unlock(&conn->chan_lock);
1375 		l2cap_conn_put(conn);
1376 	}
1377 
1378 	lock_sock(sk);
1379 
1380 	if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1381 	    !(current->flags & PF_EXITING))
1382 		err = bt_sock_wait_state(sk, BT_CLOSED,
1383 					 sk->sk_lingertime);
1384 
1385 shutdown_matched:
1386 	l2cap_chan_put(chan);
1387 	sock_put(sk);
1388 
1389 shutdown_already:
1390 	if (!err && sk->sk_err)
1391 		err = -sk->sk_err;
1392 
1393 	release_sock(sk);
1394 
1395 	BT_DBG("Sock shutdown complete err: %d", err);
1396 
1397 	return err;
1398 }
1399 
1400 static int l2cap_sock_release(struct socket *sock)
1401 {
1402 	struct sock *sk = sock->sk;
1403 	int err;
1404 	struct l2cap_chan *chan;
1405 
1406 	BT_DBG("sock %p, sk %p", sock, sk);
1407 
1408 	if (!sk)
1409 		return 0;
1410 
1411 	l2cap_sock_cleanup_listen(sk);
1412 	bt_sock_unlink(&l2cap_sk_list, sk);
1413 
1414 	err = l2cap_sock_shutdown(sock, SHUT_RDWR);
1415 	chan = l2cap_pi(sk)->chan;
1416 
1417 	l2cap_chan_hold(chan);
1418 	l2cap_chan_lock(chan);
1419 
1420 	sock_orphan(sk);
1421 	l2cap_sock_kill(sk);
1422 
1423 	l2cap_chan_unlock(chan);
1424 	l2cap_chan_put(chan);
1425 
1426 	return err;
1427 }
1428 
1429 static void l2cap_sock_cleanup_listen(struct sock *parent)
1430 {
1431 	struct sock *sk;
1432 
1433 	BT_DBG("parent %p state %s", parent,
1434 	       state_to_string(parent->sk_state));
1435 
1436 	/* Close not yet accepted channels */
1437 	while ((sk = bt_accept_dequeue(parent, NULL))) {
1438 		struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1439 
1440 		BT_DBG("child chan %p state %s", chan,
1441 		       state_to_string(chan->state));
1442 
1443 		l2cap_chan_hold(chan);
1444 		l2cap_chan_lock(chan);
1445 
1446 		__clear_chan_timer(chan);
1447 		l2cap_chan_close(chan, ECONNRESET);
1448 		l2cap_sock_kill(sk);
1449 
1450 		l2cap_chan_unlock(chan);
1451 		l2cap_chan_put(chan);
1452 	}
1453 }
1454 
1455 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1456 {
1457 	struct sock *sk, *parent = chan->data;
1458 
1459 	lock_sock(parent);
1460 
1461 	/* Check for backlog size */
1462 	if (sk_acceptq_is_full(parent)) {
1463 		BT_DBG("backlog full %d", parent->sk_ack_backlog);
1464 		release_sock(parent);
1465 		return NULL;
1466 	}
1467 
1468 	sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1469 			      GFP_ATOMIC, 0);
1470 	if (!sk) {
1471 		release_sock(parent);
1472 		return NULL;
1473         }
1474 
1475 	bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1476 
1477 	l2cap_sock_init(sk, parent);
1478 
1479 	bt_accept_enqueue(parent, sk, false);
1480 
1481 	release_sock(parent);
1482 
1483 	return l2cap_pi(sk)->chan;
1484 }
1485 
1486 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1487 {
1488 	struct sock *sk;
1489 	struct l2cap_pinfo *pi;
1490 	int err;
1491 
1492 	sk = chan->data;
1493 	if (!sk)
1494 		return -ENXIO;
1495 
1496 	pi = l2cap_pi(sk);
1497 	lock_sock(sk);
1498 	if (chan->mode == L2CAP_MODE_ERTM && !list_empty(&pi->rx_busy)) {
1499 		err = -ENOMEM;
1500 		goto done;
1501 	}
1502 
1503 	if (chan->mode != L2CAP_MODE_ERTM &&
1504 	    chan->mode != L2CAP_MODE_STREAMING &&
1505 	    chan->mode != L2CAP_MODE_LE_FLOWCTL &&
1506 	    chan->mode != L2CAP_MODE_EXT_FLOWCTL) {
1507 		/* Even if no filter is attached, we could potentially
1508 		 * get errors from security modules, etc.
1509 		 */
1510 		err = sk_filter(sk, skb);
1511 		if (err)
1512 			goto done;
1513 	}
1514 
1515 	err = __sock_queue_rcv_skb(sk, skb);
1516 
1517 	l2cap_publish_rx_avail(chan);
1518 
1519 	/* For ERTM and LE, handle a skb that doesn't fit into the recv
1520 	 * buffer.  This is important to do because the data frames
1521 	 * have already been acked, so the skb cannot be discarded.
1522 	 *
1523 	 * Notify the l2cap core that the buffer is full, so the
1524 	 * LOCAL_BUSY state is entered and no more frames are
1525 	 * acked and reassembled until there is buffer space
1526 	 * available.
1527 	 */
1528 	if (err < 0 &&
1529 	    (chan->mode == L2CAP_MODE_ERTM ||
1530 	     chan->mode == L2CAP_MODE_LE_FLOWCTL ||
1531 	     chan->mode == L2CAP_MODE_EXT_FLOWCTL)) {
1532 		struct l2cap_rx_busy *rx_busy =
1533 			kmalloc(sizeof(*rx_busy), GFP_KERNEL);
1534 		if (!rx_busy) {
1535 			err = -ENOMEM;
1536 			goto done;
1537 		}
1538 		rx_busy->skb = skb;
1539 		list_add_tail(&rx_busy->list, &pi->rx_busy);
1540 		l2cap_chan_busy(chan, 1);
1541 		err = 0;
1542 	}
1543 
1544 done:
1545 	release_sock(sk);
1546 
1547 	return err;
1548 }
1549 
1550 static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1551 {
1552 	struct sock *sk = chan->data;
1553 
1554 	if (!sk)
1555 		return;
1556 
1557 	l2cap_sock_kill(sk);
1558 }
1559 
1560 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1561 {
1562 	struct sock *sk = chan->data;
1563 	struct sock *parent;
1564 
1565 	if (!sk)
1566 		return;
1567 
1568 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1569 
1570 	/* This callback can be called both for server (BT_LISTEN)
1571 	 * sockets as well as "normal" ones. To avoid lockdep warnings
1572 	 * with child socket locking (through l2cap_sock_cleanup_listen)
1573 	 * we need separation into separate nesting levels. The simplest
1574 	 * way to accomplish this is to inherit the nesting level used
1575 	 * for the channel.
1576 	 */
1577 	lock_sock_nested(sk, atomic_read(&chan->nesting));
1578 
1579 	parent = bt_sk(sk)->parent;
1580 
1581 	switch (chan->state) {
1582 	case BT_OPEN:
1583 	case BT_BOUND:
1584 	case BT_CLOSED:
1585 		break;
1586 	case BT_LISTEN:
1587 		l2cap_sock_cleanup_listen(sk);
1588 		sk->sk_state = BT_CLOSED;
1589 		chan->state = BT_CLOSED;
1590 
1591 		break;
1592 	default:
1593 		sk->sk_state = BT_CLOSED;
1594 		chan->state = BT_CLOSED;
1595 
1596 		sk->sk_err = err;
1597 
1598 		if (parent) {
1599 			bt_accept_unlink(sk);
1600 			parent->sk_data_ready(parent);
1601 		} else {
1602 			sk->sk_state_change(sk);
1603 		}
1604 
1605 		break;
1606 	}
1607 	release_sock(sk);
1608 
1609 	/* Only zap after cleanup to avoid use after free race */
1610 	sock_set_flag(sk, SOCK_ZAPPED);
1611 
1612 }
1613 
1614 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1615 				       int err)
1616 {
1617 	struct sock *sk = chan->data;
1618 
1619 	sk->sk_state = state;
1620 
1621 	if (err)
1622 		sk->sk_err = err;
1623 }
1624 
1625 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1626 					       unsigned long hdr_len,
1627 					       unsigned long len, int nb)
1628 {
1629 	struct sock *sk = chan->data;
1630 	struct sk_buff *skb;
1631 	int err;
1632 
1633 	l2cap_chan_unlock(chan);
1634 	skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1635 	l2cap_chan_lock(chan);
1636 
1637 	if (!skb)
1638 		return ERR_PTR(err);
1639 
1640 	/* Channel lock is released before requesting new skb and then
1641 	 * reacquired thus we need to recheck channel state.
1642 	 */
1643 	if (chan->state != BT_CONNECTED) {
1644 		kfree_skb(skb);
1645 		return ERR_PTR(-ENOTCONN);
1646 	}
1647 
1648 	skb->priority = READ_ONCE(sk->sk_priority);
1649 
1650 	bt_cb(skb)->l2cap.chan = chan;
1651 
1652 	return skb;
1653 }
1654 
1655 static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1656 {
1657 	struct sock *sk = chan->data;
1658 	struct sock *parent;
1659 
1660 	lock_sock(sk);
1661 
1662 	parent = bt_sk(sk)->parent;
1663 
1664 	BT_DBG("sk %p, parent %p", sk, parent);
1665 
1666 	sk->sk_state = BT_CONNECTED;
1667 	sk->sk_state_change(sk);
1668 
1669 	if (parent)
1670 		parent->sk_data_ready(parent);
1671 
1672 	release_sock(sk);
1673 }
1674 
1675 static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1676 {
1677 	struct sock *parent, *sk = chan->data;
1678 
1679 	lock_sock(sk);
1680 
1681 	parent = bt_sk(sk)->parent;
1682 	if (parent)
1683 		parent->sk_data_ready(parent);
1684 
1685 	release_sock(sk);
1686 }
1687 
1688 static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1689 {
1690 	struct sock *sk = chan->data;
1691 
1692 	if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1693 		sk->sk_state = BT_CONNECTED;
1694 		chan->state = BT_CONNECTED;
1695 	}
1696 
1697 	clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1698 	sk->sk_state_change(sk);
1699 }
1700 
1701 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1702 {
1703 	struct sock *sk = chan->data;
1704 
1705 	lock_sock(sk);
1706 	sk->sk_shutdown = SHUTDOWN_MASK;
1707 	release_sock(sk);
1708 }
1709 
1710 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1711 {
1712 	struct sock *sk = chan->data;
1713 
1714 	return sk->sk_sndtimeo;
1715 }
1716 
1717 static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan)
1718 {
1719 	struct sock *sk = chan->data;
1720 
1721 	return sk->sk_peer_pid;
1722 }
1723 
1724 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1725 {
1726 	struct sock *sk = chan->data;
1727 
1728 	set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1729 	sk->sk_state_change(sk);
1730 }
1731 
1732 static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
1733 {
1734 	struct sock *sk = chan->data;
1735 
1736 	switch (chan->mode) {
1737 	case L2CAP_MODE_ERTM:
1738 	case L2CAP_MODE_STREAMING:
1739 		return sk_filter(sk, skb);
1740 	}
1741 
1742 	return 0;
1743 }
1744 
1745 static const struct l2cap_ops l2cap_chan_ops = {
1746 	.name			= "L2CAP Socket Interface",
1747 	.new_connection		= l2cap_sock_new_connection_cb,
1748 	.recv			= l2cap_sock_recv_cb,
1749 	.close			= l2cap_sock_close_cb,
1750 	.teardown		= l2cap_sock_teardown_cb,
1751 	.state_change		= l2cap_sock_state_change_cb,
1752 	.ready			= l2cap_sock_ready_cb,
1753 	.defer			= l2cap_sock_defer_cb,
1754 	.resume			= l2cap_sock_resume_cb,
1755 	.suspend		= l2cap_sock_suspend_cb,
1756 	.set_shutdown		= l2cap_sock_set_shutdown_cb,
1757 	.get_sndtimeo		= l2cap_sock_get_sndtimeo_cb,
1758 	.get_peer_pid		= l2cap_sock_get_peer_pid_cb,
1759 	.alloc_skb		= l2cap_sock_alloc_skb_cb,
1760 	.filter			= l2cap_sock_filter,
1761 };
1762 
1763 static void l2cap_sock_destruct(struct sock *sk)
1764 {
1765 	struct l2cap_rx_busy *rx_busy, *next;
1766 
1767 	BT_DBG("sk %p", sk);
1768 
1769 	if (l2cap_pi(sk)->chan) {
1770 		l2cap_pi(sk)->chan->data = NULL;
1771 		l2cap_chan_put(l2cap_pi(sk)->chan);
1772 	}
1773 
1774 	list_for_each_entry_safe(rx_busy, next, &l2cap_pi(sk)->rx_busy, list) {
1775 		kfree_skb(rx_busy->skb);
1776 		list_del(&rx_busy->list);
1777 		kfree(rx_busy);
1778 	}
1779 
1780 	skb_queue_purge(&sk->sk_receive_queue);
1781 	skb_queue_purge(&sk->sk_write_queue);
1782 }
1783 
1784 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1785 			       int *msg_namelen)
1786 {
1787 	DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1788 
1789 	memset(la, 0, sizeof(struct sockaddr_l2));
1790 	la->l2_family = AF_BLUETOOTH;
1791 	la->l2_psm = bt_cb(skb)->l2cap.psm;
1792 	bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1793 
1794 	*msg_namelen = sizeof(struct sockaddr_l2);
1795 }
1796 
1797 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1798 {
1799 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1800 
1801 	BT_DBG("sk %p", sk);
1802 
1803 	if (parent) {
1804 		struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1805 
1806 		sk->sk_type = parent->sk_type;
1807 		bt_sk(sk)->flags = bt_sk(parent)->flags;
1808 
1809 		chan->chan_type = pchan->chan_type;
1810 		chan->imtu = pchan->imtu;
1811 		chan->omtu = pchan->omtu;
1812 		chan->conf_state = pchan->conf_state;
1813 		chan->mode = pchan->mode;
1814 		chan->fcs  = pchan->fcs;
1815 		chan->max_tx = pchan->max_tx;
1816 		chan->tx_win = pchan->tx_win;
1817 		chan->tx_win_max = pchan->tx_win_max;
1818 		chan->sec_level = pchan->sec_level;
1819 		chan->flags = pchan->flags;
1820 		chan->tx_credits = pchan->tx_credits;
1821 		chan->rx_credits = pchan->rx_credits;
1822 
1823 		if (chan->chan_type == L2CAP_CHAN_FIXED) {
1824 			chan->scid = pchan->scid;
1825 			chan->dcid = pchan->scid;
1826 		}
1827 
1828 		security_sk_clone(parent, sk);
1829 	} else {
1830 		switch (sk->sk_type) {
1831 		case SOCK_RAW:
1832 			chan->chan_type = L2CAP_CHAN_RAW;
1833 			break;
1834 		case SOCK_DGRAM:
1835 			chan->chan_type = L2CAP_CHAN_CONN_LESS;
1836 			bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1837 			break;
1838 		case SOCK_SEQPACKET:
1839 		case SOCK_STREAM:
1840 			chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1841 			break;
1842 		}
1843 
1844 		chan->imtu = L2CAP_DEFAULT_MTU;
1845 		chan->omtu = 0;
1846 		if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1847 			chan->mode = L2CAP_MODE_ERTM;
1848 			set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1849 		} else {
1850 			chan->mode = L2CAP_MODE_BASIC;
1851 		}
1852 
1853 		l2cap_chan_set_defaults(chan);
1854 	}
1855 
1856 	/* Default config options */
1857 	chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1858 
1859 	chan->data = sk;
1860 	chan->ops = &l2cap_chan_ops;
1861 
1862 	l2cap_publish_rx_avail(chan);
1863 }
1864 
1865 static struct proto l2cap_proto = {
1866 	.name		= "L2CAP",
1867 	.owner		= THIS_MODULE,
1868 	.obj_size	= sizeof(struct l2cap_pinfo)
1869 };
1870 
1871 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1872 				     int proto, gfp_t prio, int kern)
1873 {
1874 	struct sock *sk;
1875 	struct l2cap_chan *chan;
1876 
1877 	sk = bt_sock_alloc(net, sock, &l2cap_proto, proto, prio, kern);
1878 	if (!sk)
1879 		return NULL;
1880 
1881 	sk->sk_destruct = l2cap_sock_destruct;
1882 	sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1883 
1884 	INIT_LIST_HEAD(&l2cap_pi(sk)->rx_busy);
1885 
1886 	chan = l2cap_chan_create();
1887 	if (!chan) {
1888 		sk_free(sk);
1889 		return NULL;
1890 	}
1891 
1892 	l2cap_chan_hold(chan);
1893 
1894 	l2cap_pi(sk)->chan = chan;
1895 
1896 	return sk;
1897 }
1898 
1899 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1900 			     int kern)
1901 {
1902 	struct sock *sk;
1903 
1904 	BT_DBG("sock %p", sock);
1905 
1906 	sock->state = SS_UNCONNECTED;
1907 
1908 	if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1909 	    sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1910 		return -ESOCKTNOSUPPORT;
1911 
1912 	if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1913 		return -EPERM;
1914 
1915 	sock->ops = &l2cap_sock_ops;
1916 
1917 	sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1918 	if (!sk)
1919 		return -ENOMEM;
1920 
1921 	l2cap_sock_init(sk, NULL);
1922 	bt_sock_link(&l2cap_sk_list, sk);
1923 	return 0;
1924 }
1925 
1926 static const struct proto_ops l2cap_sock_ops = {
1927 	.family		= PF_BLUETOOTH,
1928 	.owner		= THIS_MODULE,
1929 	.release	= l2cap_sock_release,
1930 	.bind		= l2cap_sock_bind,
1931 	.connect	= l2cap_sock_connect,
1932 	.listen		= l2cap_sock_listen,
1933 	.accept		= l2cap_sock_accept,
1934 	.getname	= l2cap_sock_getname,
1935 	.sendmsg	= l2cap_sock_sendmsg,
1936 	.recvmsg	= l2cap_sock_recvmsg,
1937 	.poll		= bt_sock_poll,
1938 	.ioctl		= bt_sock_ioctl,
1939 	.gettstamp	= sock_gettstamp,
1940 	.mmap		= sock_no_mmap,
1941 	.socketpair	= sock_no_socketpair,
1942 	.shutdown	= l2cap_sock_shutdown,
1943 	.setsockopt	= l2cap_sock_setsockopt,
1944 	.getsockopt	= l2cap_sock_getsockopt
1945 };
1946 
1947 static const struct net_proto_family l2cap_sock_family_ops = {
1948 	.family	= PF_BLUETOOTH,
1949 	.owner	= THIS_MODULE,
1950 	.create	= l2cap_sock_create,
1951 };
1952 
1953 int __init l2cap_init_sockets(void)
1954 {
1955 	int err;
1956 
1957 	BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1958 
1959 	err = proto_register(&l2cap_proto, 0);
1960 	if (err < 0)
1961 		return err;
1962 
1963 	err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
1964 	if (err < 0) {
1965 		BT_ERR("L2CAP socket registration failed");
1966 		goto error;
1967 	}
1968 
1969 	err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
1970 			     NULL);
1971 	if (err < 0) {
1972 		BT_ERR("Failed to create L2CAP proc file");
1973 		bt_sock_unregister(BTPROTO_L2CAP);
1974 		goto error;
1975 	}
1976 
1977 	BT_INFO("L2CAP socket layer initialized");
1978 
1979 	return 0;
1980 
1981 error:
1982 	proto_unregister(&l2cap_proto);
1983 	return err;
1984 }
1985 
1986 void l2cap_cleanup_sockets(void)
1987 {
1988 	bt_procfs_cleanup(&init_net, "l2cap");
1989 	bt_sock_unregister(BTPROTO_L2CAP);
1990 	proto_unregister(&l2cap_proto);
1991 }
1992