projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Fix __l2cap_no_conn_pending() usage with all channels
[linux-2.6-block.git] / net / bluetooth / l2cap_sock.c
CommitLineData
bb58f747
GP		 1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
bb58f747
GP		 7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
26*/
27
28/* Bluetooth L2CAP sockets. */
29
9149761a 30#include <linux/module.h>
bc3b2d7f 31#include <linux/export.h>
6230c9b4 32
bb58f747 33#include <net/bluetooth/bluetooth.h>
33575df7 34#include <net/bluetooth/hci_core.h>
bb58f747 35#include <net/bluetooth/l2cap.h>
ac4b7236
MH		 36
37#include "smp.h"
bb58f747 38
5b28d95c
MY		 39static struct bt_sock_list l2cap_sk_list = {
40 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
41};
42
cf2f90f5 43static const struct proto_ops l2cap_sock_ops;
80808e43 44static void l2cap_sock_init(struct sock *sk, struct sock *parent);
2d792818
GP		 45static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
46 int proto, gfp_t prio);
cf2f90f5 47
b3916db3
DH		 48bool l2cap_is_socket(struct socket *sock)
49{
50 return sock && sock->ops == &l2cap_sock_ops;
51}
52EXPORT_SYMBOL(l2cap_is_socket);
53
4946096d
JH		 54static int l2cap_validate_bredr_psm(u16 psm)
55{
56 /* PSM must be odd and lsb of upper byte must be 0 */
57 if ((psm & 0x0101) != 0x0001)
58 return -EINVAL;
59
60 /* Restrict usage of well-known PSMs */
61 if (psm < 0x1001 && !capable(CAP_NET_BIND_SERVICE))
62 return -EACCES;
63
64 return 0;
65}
66
67static int l2cap_validate_le_psm(u16 psm)
68{
69 /* Valid LE_PSM ranges are defined only until 0x00ff */
70 if (psm > 0x00ff)
71 return -EINVAL;
72
73 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
74 if (psm <= 0x007f && !capable(CAP_NET_BIND_SERVICE))
75 return -EACCES;
76
77 return 0;
78}
79
af6bcd82
GP		 80static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
81{
82 struct sock *sk = sock->sk;
4343478f 83 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
af6bcd82
GP		 84 struct sockaddr_l2 la;
85 int len, err = 0;
86
87 BT_DBG("sk %p", sk);
88
89 if (!addr || addr->sa_family != AF_BLUETOOTH)
90 return -EINVAL;
91
92 memset(&la, 0, sizeof(la));
93 len = min_t(unsigned int, sizeof(la), alen);
94 memcpy(&la, addr, len);
95
b62f328b 96 if (la.l2_cid && la.l2_psm)
af6bcd82
GP		 97 return -EINVAL;
98
80c1a2e7
JH		 99 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
100 return -EINVAL;
101
21626e62
JH		 102 if (la.l2_cid) {
103 /* When the socket gets created it defaults to
104 * CHAN_CONN_ORIENTED, so we need to overwrite the
105 * default here.
106 */
107 chan->chan_type = L2CAP_CHAN_FIXED;
108 chan->omtu = L2CAP_DEFAULT_MTU;
109 }
110
bfe4655f 111 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
bfe4655f 112 /* We only allow ATT user space socket */
9149761a 113 if (la.l2_cid &&
dcf4adbf 114 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
bfe4655f
JH		 115 return -EINVAL;
116 }
117
af6bcd82
GP		 118 lock_sock(sk);
119
120 if (sk->sk_state != BT_OPEN) {
121 err = -EBADFD;
122 goto done;
123 }
124
125 if (la.l2_psm) {
126 __u16 psm = __le16_to_cpu(la.l2_psm);
127
4946096d
JH		 128 if (la.l2_bdaddr_type == BDADDR_BREDR)
129 err = l2cap_validate_bredr_psm(psm);
130 else
131 err = l2cap_validate_le_psm(psm);
af6bcd82 132
4946096d 133 if (err)
af6bcd82 134 goto done;
af6bcd82
GP		 135 }
136
9e4425ff 137 if (la.l2_cid)
6e4aff10 138 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
9e4425ff
GP		 139 else
140 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
af6bcd82 141
9e4425ff
GP		 142 if (err < 0)
143 goto done;
af6bcd82 144
6a974b50 145 switch (chan->chan_type) {
3124b843
MH		 146 case L2CAP_CHAN_CONN_LESS:
147 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
148 chan->sec_level = BT_SECURITY_SDP;
149 break;
6a974b50
MH		 150 case L2CAP_CHAN_CONN_ORIENTED:
151 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
152 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
153 chan->sec_level = BT_SECURITY_SDP;
154 break;
cb6ca8e1
JH		 155 case L2CAP_CHAN_RAW:
156 chan->sec_level = BT_SECURITY_SDP;
157 break;
6a974b50 158 }
b62f328b 159
7eafc59e 160 bacpy(&chan->src, &la.l2_bdaddr);
4f1654e0 161 chan->src_type = la.l2_bdaddr_type;
89bc500e 162
38319713 163 if (chan->psm && bdaddr_type_is_le(chan->src_type))
0ce43ce6 164 chan->mode = L2CAP_MODE_LE_FLOWCTL;
38319713 165
89bc500e 166 chan->state = BT_BOUND;
9e4425ff 167 sk->sk_state = BT_BOUND;
af6bcd82
GP		 168
169done:
170 release_sock(sk);
171 return err;
172}
173
2d792818
GP		 174static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
175 int alen, int flags)
4e34c50b
GP		 176{
177 struct sock *sk = sock->sk;
0c1bc5c6 178 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
4e34c50b
GP		 179 struct sockaddr_l2 la;
180 int len, err = 0;
181
182 BT_DBG("sk %p", sk);
183
184 if (!addr || alen < sizeof(addr->sa_family) ||
185 addr->sa_family != AF_BLUETOOTH)
186 return -EINVAL;
187
188 memset(&la, 0, sizeof(la));
189 len = min_t(unsigned int, sizeof(la), alen);
190 memcpy(&la, addr, len);
191
acd7d370 192 if (la.l2_cid && la.l2_psm)
4e34c50b
GP		 193 return -EINVAL;
194
80c1a2e7
JH		 195 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
196 return -EINVAL;
197
eb622495
JH		 198 /* Check that the socket wasn't bound to something that
199 * conflicts with the address given to connect(). If chan->src
200 * is BDADDR_ANY it means bind() was never used, in which case
201 * chan->src_type and la.l2_bdaddr_type do not need to match.
202 */
203 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
204 bdaddr_type_is_le(la.l2_bdaddr_type)) {
205 /* Old user space versions will try to incorrectly bind
206 * the ATT socket using BDADDR_BREDR. We need to accept
207 * this and fix up the source address type only when
208 * both the source CID and destination CID indicate
209 * ATT. Anything else is an invalid combination.
210 */
211 if (chan->scid != L2CAP_CID_ATT ||
dcf4adbf 212 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
eb622495
JH		 213 return -EINVAL;
214
215 /* We don't have the hdev available here to make a
216 * better decision on random vs public, but since all
217 * user space versions that exhibit this issue anyway do
218 * not support random local addresses assuming public
219 * here is good enough.
220 */
221 chan->src_type = BDADDR_LE_PUBLIC;
222 }
1f209383
JH		 223
224 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
225 return -EINVAL;
226
bfe4655f 227 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
bfe4655f 228 /* We only allow ATT user space socket */
9149761a 229 if (la.l2_cid &&
dcf4adbf 230 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
bfe4655f
JH		 231 return -EINVAL;
232 }
233
38319713 234 if (chan->psm && bdaddr_type_is_le(chan->src_type))
0ce43ce6 235 chan->mode = L2CAP_MODE_LE_FLOWCTL;
38319713 236
6e4aff10 237 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
8e9f9892 238 &la.l2_bdaddr, la.l2_bdaddr_type);
4e34c50b 239 if (err)
b3fb611e 240 return err;
4e34c50b 241
6be36555
AE		 242 lock_sock(sk);
243
4e34c50b 244 err = bt_sock_wait_state(sk, BT_CONNECTED,
2d792818 245 sock_sndtimeo(sk, flags & O_NONBLOCK));
b3fb611e
AE		 246
247 release_sock(sk);
248
4e34c50b
GP		 249 return err;
250}
251
af6bcd82
GP		 252static int l2cap_sock_listen(struct socket *sock, int backlog)
253{
254 struct sock *sk = sock->sk;
0c1bc5c6 255 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
af6bcd82
GP		 256 int err = 0;
257
258 BT_DBG("sk %p backlog %d", sk, backlog);
259
260 lock_sock(sk);
261
6b3af733 262 if (sk->sk_state != BT_BOUND) {
af6bcd82
GP		 263 err = -EBADFD;
264 goto done;
265 }
266
6b3af733
MH		 267 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
268 err = -EINVAL;
269 goto done;
270 }
271
0c1bc5c6 272 switch (chan->mode) {
af6bcd82 273 case L2CAP_MODE_BASIC:
38319713 274 case L2CAP_MODE_LE_FLOWCTL:
af6bcd82
GP		 275 break;
276 case L2CAP_MODE_ERTM:
277 case L2CAP_MODE_STREAMING:
278 if (!disable_ertm)
279 break;
280 /* fall through */
281 default:
beb19e4c 282 err = -EOPNOTSUPP;
af6bcd82
GP		 283 goto done;
284 }
285
af6bcd82
GP		 286 sk->sk_max_ack_backlog = backlog;
287 sk->sk_ack_backlog = 0;
89bc500e
GP		 288
289 chan->state = BT_LISTEN;
af6bcd82
GP		 290 sk->sk_state = BT_LISTEN;
291
292done:
293 release_sock(sk);
294 return err;
295}
296
2d792818
GP		 297static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
298 int flags)
c47b7c72
GP		 299{
300 DECLARE_WAITQUEUE(wait, current);
301 struct sock *sk = sock->sk, *nsk;
302 long timeo;
303 int err = 0;
304
305 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
306
c47b7c72
GP		 307 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
308
309 BT_DBG("sk %p timeo %ld", sk, timeo);
310
311 /* Wait for an incoming connection. (wake-one). */
312 add_wait_queue_exclusive(sk_sleep(sk), &wait);
f9a3c20a 313 while (1) {
c47b7c72 314 set_current_state(TASK_INTERRUPTIBLE);
f9a3c20a
PH		 315
316 if (sk->sk_state != BT_LISTEN) {
317 err = -EBADFD;
c47b7c72
GP		 318 break;
319 }
320
f9a3c20a
PH		 321 nsk = bt_accept_dequeue(sk, newsock);
322 if (nsk)
323 break;
c47b7c72 324
f9a3c20a
PH		 325 if (!timeo) {
326 err = -EAGAIN;
c47b7c72
GP		 327 break;
328 }
329
330 if (signal_pending(current)) {
331 err = sock_intr_errno(timeo);
332 break;
333 }
f9a3c20a
PH		 334
335 release_sock(sk);
336 timeo = schedule_timeout(timeo);
337 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
c47b7c72 338 }
f9a3c20a 339 __set_current_state(TASK_RUNNING);
c47b7c72
GP		 340 remove_wait_queue(sk_sleep(sk), &wait);
341
342 if (err)
343 goto done;
344
345 newsock->state = SS_CONNECTED;
346
347 BT_DBG("new socket %p", nsk);
348
349done:
350 release_sock(sk);
351 return err;
352}
353
2d792818
GP		 354static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
355 int *len, int peer)
d7175d55
GP		 356{
357 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
358 struct sock *sk = sock->sk;
0c1bc5c6 359 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
d7175d55
GP		 360
361 BT_DBG("sock %p, sk %p", sock, sk);
362
e8b1ab9e 363 if (peer && sk->sk_state != BT_CONNECTED &&
bf19d51b
JH		 364 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
365 sk->sk_state != BT_CONFIG)
b783fbc3
JH		 366 return -ENOTCONN;
367
792039c7 368 memset(la, 0, sizeof(struct sockaddr_l2));
d7175d55
GP		 369 addr->sa_family = AF_BLUETOOTH;
370 *len = sizeof(struct sockaddr_l2);
371
d7e5e76b
JH		 372 la->l2_psm = chan->psm;
373
d7175d55 374 if (peer) {
7eafc59e 375 bacpy(&la->l2_bdaddr, &chan->dst);
fe4128e0 376 la->l2_cid = cpu_to_le16(chan->dcid);
4f1654e0 377 la->l2_bdaddr_type = chan->dst_type;
d7175d55 378 } else {
7eafc59e 379 bacpy(&la->l2_bdaddr, &chan->src);
fe4128e0 380 la->l2_cid = cpu_to_le16(chan->scid);
4f1654e0 381 la->l2_bdaddr_type = chan->src_type;
d7175d55
GP		 382 }
383
384 return 0;
385}
386
2d792818
GP		 387static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
388 char __user *optval, int __user *optlen)
99f4808d
GP		 389{
390 struct sock *sk = sock->sk;
4343478f 391 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
99f4808d
GP		 392 struct l2cap_options opts;
393 struct l2cap_conninfo cinfo;
394 int len, err = 0;
395 u32 opt;
396
397 BT_DBG("sk %p", sk);
398
399 if (get_user(len, optlen))
400 return -EFAULT;
401
402 lock_sock(sk);
403
404 switch (optname) {
405 case L2CAP_OPTIONS:
64b4f8dc
JH		 406 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
407 * legacy ATT code depends on getsockopt for
408 * L2CAP_OPTIONS we need to let this pass.
409 */
410 if (bdaddr_type_is_le(chan->src_type) &&
411 chan->scid != L2CAP_CID_ATT) {
412 err = -EINVAL;
413 break;
414 }
415
e3fb592b 416 memset(&opts, 0, sizeof(opts));
0c1bc5c6
GP		 417 opts.imtu = chan->imtu;
418 opts.omtu = chan->omtu;
419 opts.flush_to = chan->flush_to;
420 opts.mode = chan->mode;
47d1ec61
GP		 421 opts.fcs = chan->fcs;
422 opts.max_tx = chan->max_tx;
6327eb98 423 opts.txwin_size = chan->tx_win;
99f4808d
GP		 424
425 len = min_t(unsigned int, len, sizeof(opts));
426 if (copy_to_user(optval, (char *) &opts, len))
427 err = -EFAULT;
428
429 break;
430
431 case L2CAP_LM:
4343478f 432 switch (chan->sec_level) {
99f4808d
GP		 433 case BT_SECURITY_LOW:
434 opt = L2CAP_LM_AUTH;
435 break;
436 case BT_SECURITY_MEDIUM:
437 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
438 break;
439 case BT_SECURITY_HIGH:
440 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
2d792818 441 L2CAP_LM_SECURE;
99f4808d 442 break;
7d513e92
MH		 443 case BT_SECURITY_FIPS:
444 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
445 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
446 break;
99f4808d
GP		 447 default:
448 opt = 0;
449 break;
450 }
451
43bd0f32 452 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
99f4808d
GP		 453 opt |= L2CAP_LM_MASTER;
454
ecf61bdb 455 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
99f4808d
GP		 456 opt |= L2CAP_LM_RELIABLE;
457
458 if (put_user(opt, (u32 __user *) optval))
459 err = -EFAULT;
7d513e92 460
99f4808d
GP		 461 break;
462
463 case L2CAP_CONNINFO:
464 if (sk->sk_state != BT_CONNECTED &&
c5daa683
GP		 465 !(sk->sk_state == BT_CONNECT2 &&
466 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
99f4808d
GP		 467 err = -ENOTCONN;
468 break;
469 }
470
8d03e971 471 memset(&cinfo, 0, sizeof(cinfo));
8c1d787b
GP		 472 cinfo.hci_handle = chan->conn->hcon->handle;
473 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
99f4808d
GP		 474
475 len = min_t(unsigned int, len, sizeof(cinfo));
476 if (copy_to_user(optval, (char *) &cinfo, len))
477 err = -EFAULT;
478
479 break;
480
481 default:
482 err = -ENOPROTOOPT;
483 break;
484 }
485
486 release_sock(sk);
487 return err;
488}
489
2d792818
GP		 490static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
491 char __user *optval, int __user *optlen)
99f4808d
GP		 492{
493 struct sock *sk = sock->sk;
4343478f 494 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
99f4808d 495 struct bt_security sec;
14b12d0b 496 struct bt_power pwr;
99f4808d
GP		 497 int len, err = 0;
498
499 BT_DBG("sk %p", sk);
500
501 if (level == SOL_L2CAP)
502 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
503
504 if (level != SOL_BLUETOOTH)
505 return -ENOPROTOOPT;
506
507 if (get_user(len, optlen))
508 return -EFAULT;
509
510 lock_sock(sk);
511
512 switch (optname) {
513 case BT_SECURITY:
715ec005 514 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
e0c888ad 515 chan->chan_type != L2CAP_CHAN_FIXED &&
2d792818 516 chan->chan_type != L2CAP_CHAN_RAW) {
99f4808d
GP		 517 err = -EINVAL;
518 break;
519 }
520
8f360119 521 memset(&sec, 0, sizeof(sec));
85e34368 522 if (chan->conn) {
c6585a4d 523 sec.level = chan->conn->hcon->sec_level;
99f4808d 524
85e34368
AE		 525 if (sk->sk_state == BT_CONNECTED)
526 sec.key_size = chan->conn->hcon->enc_key_size;
527 } else {
528 sec.level = chan->sec_level;
529 }
8f360119 530
99f4808d
GP		 531 len = min_t(unsigned int, len, sizeof(sec));
532 if (copy_to_user(optval, (char *) &sec, len))
533 err = -EFAULT;
534
535 break;
536
537 case BT_DEFER_SETUP:
538 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
539 err = -EINVAL;
540 break;
541 }
542
c5daa683
GP		 543 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
544 (u32 __user *) optval))
99f4808d
GP		 545 err = -EFAULT;
546
547 break;
548
549 case BT_FLUSHABLE:
d57b0e8b 550 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
2d792818 551 (u32 __user *) optval))
99f4808d
GP		 552 err = -EFAULT;
553
554 break;
555
14b12d0b
JG		 556 case BT_POWER:
557 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
2d792818 558 && sk->sk_type != SOCK_RAW) {
14b12d0b
JG		 559 err = -EINVAL;
560 break;
561 }
562
15770b1a 563 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
14b12d0b
JG		 564
565 len = min_t(unsigned int, len, sizeof(pwr));
566 if (copy_to_user(optval, (char *) &pwr, len))
567 err = -EFAULT;
568
569 break;
570
2ea66482 571 case BT_CHANNEL_POLICY:
2ea66482
MM		 572 if (put_user(chan->chan_policy, (u32 __user *) optval))
573 err = -EFAULT;
574 break;
575
1f435424 576 case BT_SNDMTU:
1f435424
JH		 577 if (!bdaddr_type_is_le(chan->src_type)) {
578 err = -EINVAL;
579 break;
580 }
581
582 if (sk->sk_state != BT_CONNECTED) {
583 err = -ENOTCONN;
584 break;
585 }
586
587 if (put_user(chan->omtu, (u16 __user *) optval))
588 err = -EFAULT;
589 break;
590
591 case BT_RCVMTU:
1f435424
JH		 592 if (!bdaddr_type_is_le(chan->src_type)) {
593 err = -EINVAL;
594 break;
595 }
596
597 if (put_user(chan->imtu, (u16 __user *) optval))
598 err = -EFAULT;
599 break;
600
99f4808d
GP		 601 default:
602 err = -ENOPROTOOPT;
603 break;
604 }
605
606 release_sock(sk);
607 return err;
608}
609
682877c3
AG		 610static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
611{
612 switch (chan->scid) {
073d1cf3 613 case L2CAP_CID_ATT:
8c3a4f00 614 if (mtu < L2CAP_LE_MIN_MTU)
682877c3
AG		 615 return false;
616 break;
617
618 default:
619 if (mtu < L2CAP_DEFAULT_MIN_MTU)
620 return false;
621 }
622
623 return true;
624}
625
2d792818
GP		 626static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
627 char __user *optval, unsigned int optlen)
33575df7
GP		 628{
629 struct sock *sk = sock->sk;
b4450035 630 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
33575df7
GP		 631 struct l2cap_options opts;
632 int len, err = 0;
633 u32 opt;
634
635 BT_DBG("sk %p", sk);
636
637 lock_sock(sk);
638
639 switch (optname) {
640 case L2CAP_OPTIONS:
64b4f8dc
JH		 641 if (bdaddr_type_is_le(chan->src_type)) {
642 err = -EINVAL;
643 break;
644 }
645
33575df7
GP		 646 if (sk->sk_state == BT_CONNECTED) {
647 err = -EINVAL;
648 break;
649 }
650
0c1bc5c6
GP		 651 opts.imtu = chan->imtu;
652 opts.omtu = chan->omtu;
653 opts.flush_to = chan->flush_to;
654 opts.mode = chan->mode;
47d1ec61
GP		 655 opts.fcs = chan->fcs;
656 opts.max_tx = chan->max_tx;
6327eb98 657 opts.txwin_size = chan->tx_win;
33575df7
GP		 658
659 len = min_t(unsigned int, sizeof(opts), optlen);
660 if (copy_from_user((char *) &opts, optval, len)) {
661 err = -EFAULT;
662 break;
663 }
664
6327eb98 665 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
33575df7
GP		 666 err = -EINVAL;
667 break;
668 }
669
682877c3
AG		 670 if (!l2cap_valid_mtu(chan, opts.imtu)) {
671 err = -EINVAL;
672 break;
673 }
674
0c1bc5c6
GP		 675 chan->mode = opts.mode;
676 switch (chan->mode) {
38319713
JH		 677 case L2CAP_MODE_LE_FLOWCTL:
678 break;
33575df7 679 case L2CAP_MODE_BASIC:
c1360a1c 680 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
33575df7
GP		 681 break;
682 case L2CAP_MODE_ERTM:
683 case L2CAP_MODE_STREAMING:
684 if (!disable_ertm)
685 break;
686 /* fall through */
687 default:
688 err = -EINVAL;
689 break;
690 }
691
0c1bc5c6
GP		 692 chan->imtu = opts.imtu;
693 chan->omtu = opts.omtu;
47d1ec61
GP		 694 chan->fcs = opts.fcs;
695 chan->max_tx = opts.max_tx;
6327eb98 696 chan->tx_win = opts.txwin_size;
12d59781 697 chan->flush_to = opts.flush_to;
33575df7
GP		 698 break;
699
700 case L2CAP_LM:
701 if (get_user(opt, (u32 __user *) optval)) {
702 err = -EFAULT;
703 break;
704 }
705
7d513e92
MH		 706 if (opt & L2CAP_LM_FIPS) {
707 err = -EINVAL;
708 break;
709 }
710
33575df7 711 if (opt & L2CAP_LM_AUTH)
4343478f 712 chan->sec_level = BT_SECURITY_LOW;
33575df7 713 if (opt & L2CAP_LM_ENCRYPT)
4343478f 714 chan->sec_level = BT_SECURITY_MEDIUM;
33575df7 715 if (opt & L2CAP_LM_SECURE)
4343478f 716 chan->sec_level = BT_SECURITY_HIGH;
33575df7 717
43bd0f32
AE		 718 if (opt & L2CAP_LM_MASTER)
719 set_bit(FLAG_ROLE_SWITCH, &chan->flags);
720 else
721 clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
ecf61bdb
AE		 722
723 if (opt & L2CAP_LM_RELIABLE)
724 set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
725 else
726 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
33575df7
GP		 727 break;
728
729 default:
730 err = -ENOPROTOOPT;
731 break;
732 }
733
734 release_sock(sk);
735 return err;
736}
737
2d792818
GP		 738static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
739 char __user *optval, unsigned int optlen)
33575df7
GP		 740{
741 struct sock *sk = sock->sk;
4343478f 742 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
33575df7 743 struct bt_security sec;
14b12d0b 744 struct bt_power pwr;
f1cb9af5 745 struct l2cap_conn *conn;
33575df7
GP		 746 int len, err = 0;
747 u32 opt;
748
749 BT_DBG("sk %p", sk);
750
751 if (level == SOL_L2CAP)
752 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
753
754 if (level != SOL_BLUETOOTH)
755 return -ENOPROTOOPT;
756
757 lock_sock(sk);
758
759 switch (optname) {
760 case BT_SECURITY:
715ec005 761 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
e0c888ad 762 chan->chan_type != L2CAP_CHAN_FIXED &&
2d792818 763 chan->chan_type != L2CAP_CHAN_RAW) {
33575df7
GP		 764 err = -EINVAL;
765 break;
766 }
767
768 sec.level = BT_SECURITY_LOW;
769
770 len = min_t(unsigned int, sizeof(sec), optlen);
771 if (copy_from_user((char *) &sec, optval, len)) {
772 err = -EFAULT;
773 break;
774 }
775
776 if (sec.level < BT_SECURITY_LOW ||
2d792818 777 sec.level > BT_SECURITY_HIGH) {
33575df7
GP		 778 err = -EINVAL;
779 break;
780 }
781
4343478f 782 chan->sec_level = sec.level;
f1cb9af5 783
0bee1d60
GP		 784 if (!chan->conn)
785 break;
786
f1cb9af5 787 conn = chan->conn;
0bee1d60
GP		 788
789 /*change security for LE channels */
073d1cf3 790 if (chan->scid == L2CAP_CID_ATT) {
cc110922 791 if (smp_conn_security(conn->hcon, sec.level))
f1cb9af5 792 break;
f1cb9af5 793 sk->sk_state = BT_CONFIG;
3542b854 794 chan->state = BT_CONFIG;
0bee1d60 795
a7d7723a
GP		 796 /* or for ACL link */
797 } else if ((sk->sk_state == BT_CONNECT2 &&
2d792818 798 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
a7d7723a 799 sk->sk_state == BT_CONNECTED) {
e7cafc45 800 if (!l2cap_chan_check_security(chan, true))
c5daa683 801 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 802 else
803 sk->sk_state_change(sk);
0bee1d60
GP		 804 } else {
805 err = -EINVAL;
f1cb9af5 806 }
33575df7
GP		 807 break;
808
809 case BT_DEFER_SETUP:
810 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
811 err = -EINVAL;
812 break;
813 }
814
815 if (get_user(opt, (u32 __user *) optval)) {
816 err = -EFAULT;
817 break;
818 }
819
bdc25783 820 if (opt) {
c5daa683 821 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
bdc25783
MH		 822 set_bit(FLAG_DEFER_SETUP, &chan->flags);
823 } else {
c5daa683 824 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
bdc25783
MH		 825 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
826 }
33575df7
GP		 827 break;
828
829 case BT_FLUSHABLE:
830 if (get_user(opt, (u32 __user *) optval)) {
831 err = -EFAULT;
832 break;
833 }
834
835 if (opt > BT_FLUSHABLE_ON) {
836 err = -EINVAL;
837 break;
838 }
839
840 if (opt == BT_FLUSHABLE_OFF) {
c1f23a2b 841 conn = chan->conn;
25985edc 842 /* proceed further only when we have l2cap_conn and
33575df7
GP		 843 No Flush support in the LM */
844 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
845 err = -EINVAL;
846 break;
847 }
848 }
849
d57b0e8b
AE		 850 if (opt)
851 set_bit(FLAG_FLUSHABLE, &chan->flags);
852 else
853 clear_bit(FLAG_FLUSHABLE, &chan->flags);
33575df7
GP		 854 break;
855
14b12d0b
JG		 856 case BT_POWER:
857 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
2d792818 858 chan->chan_type != L2CAP_CHAN_RAW) {
14b12d0b
JG		 859 err = -EINVAL;
860 break;
861 }
862
863 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
864
865 len = min_t(unsigned int, sizeof(pwr), optlen);
866 if (copy_from_user((char *) &pwr, optval, len)) {
867 err = -EFAULT;
868 break;
869 }
15770b1a
AE		 870
871 if (pwr.force_active)
872 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
873 else
874 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
14b12d0b
JG		 875 break;
876
2ea66482 877 case BT_CHANNEL_POLICY:
2ea66482
MM		 878 if (get_user(opt, (u32 __user *) optval)) {
879 err = -EFAULT;
880 break;
881 }
882
883 if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) {
884 err = -EINVAL;
885 break;
886 }
887
888 if (chan->mode != L2CAP_MODE_ERTM &&
2d792818 889 chan->mode != L2CAP_MODE_STREAMING) {
2ea66482
MM		 890 err = -EOPNOTSUPP;
891 break;
892 }
893
894 chan->chan_policy = (u8) opt;
3f7a56c4
MM		 895
896 if (sk->sk_state == BT_CONNECTED &&
897 chan->move_role == L2CAP_MOVE_ROLE_NONE)
898 l2cap_move_start(chan);
899
14b12d0b
JG		 900 break;
901
1f435424 902 case BT_SNDMTU:
1f435424
JH		 903 if (!bdaddr_type_is_le(chan->src_type)) {
904 err = -EINVAL;
905 break;
906 }
907
908 /* Setting is not supported as it's the remote side that
909 * decides this.
910 */
911 err = -EPERM;
912 break;
913
914 case BT_RCVMTU:
1f435424
JH		 915 if (!bdaddr_type_is_le(chan->src_type)) {
916 err = -EINVAL;
917 break;
918 }
919
920 if (sk->sk_state == BT_CONNECTED) {
921 err = -EISCONN;
922 break;
923 }
924
925 if (get_user(opt, (u32 __user *) optval)) {
926 err = -EFAULT;
927 break;
928 }
929
930 chan->imtu = opt;
931 break;
932
33575df7
GP		 933 default:
934 err = -ENOPROTOOPT;
935 break;
936 }
937
938 release_sock(sk);
939 return err;
940}
fd83ccdb 941
2d792818
GP		 942static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
943 struct msghdr *msg, size_t len)
fd83ccdb
GP		 944{
945 struct sock *sk = sock->sk;
0c1bc5c6 946 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
fd83ccdb
GP		 947 int err;
948
949 BT_DBG("sock %p, sk %p", sock, sk);
950
951 err = sock_error(sk);
952 if (err)
953 return err;
954
955 if (msg->msg_flags & MSG_OOB)
956 return -EOPNOTSUPP;
957
a6a5568c 958 if (sk->sk_state != BT_CONNECTED)
9a91a04a 959 return -ENOTCONN;
fd83ccdb 960
e793dcf0
JH		 961 lock_sock(sk);
962 err = bt_sock_wait_ready(sk, msg->msg_flags);
963 release_sock(sk);
964 if (err)
965 return err;
966
a6a5568c 967 l2cap_chan_lock(chan);
8d46321c 968 err = l2cap_chan_send(chan, msg, len);
a6a5568c 969 l2cap_chan_unlock(chan);
fd83ccdb 970
fd83ccdb
GP		 971 return err;
972}
33575df7 973
2d792818
GP		 974static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
975 struct msghdr *msg, size_t len, int flags)
68983259
GP		 976{
977 struct sock *sk = sock->sk;
e328140f
MM		 978 struct l2cap_pinfo *pi = l2cap_pi(sk);
979 int err;
68983259
GP		 980
981 lock_sock(sk);
982
c5daa683
GP		 983 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
984 &bt_sk(sk)->flags)) {
38319713
JH		 985 if (bdaddr_type_is_le(pi->chan->src_type)) {
986 sk->sk_state = BT_CONNECTED;
987 pi->chan->state = BT_CONNECTED;
988 __l2cap_le_connect_rsp_defer(pi->chan);
989 } else {
990 sk->sk_state = BT_CONFIG;
991 pi->chan->state = BT_CONFIG;
992 __l2cap_connect_rsp_defer(pi->chan);
993 }
8c1d787b 994
970871bc
JH		 995 err = 0;
996 goto done;
68983259
GP		 997 }
998
999 release_sock(sk);
1000
1001 if (sock->type == SOCK_STREAM)
e328140f
MM		 1002 err = bt_sock_stream_recvmsg(iocb, sock, msg, len, flags);
1003 else
1004 err = bt_sock_recvmsg(iocb, sock, msg, len, flags);
1005
1006 if (pi->chan->mode != L2CAP_MODE_ERTM)
1007 return err;
1008
1009 /* Attempt to put pending rx data in the socket buffer */
1010
1011 lock_sock(sk);
1012
1013 if (!test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state))
1014 goto done;
1015
1016 if (pi->rx_busy_skb) {
1017 if (!sock_queue_rcv_skb(sk, pi->rx_busy_skb))
1018 pi->rx_busy_skb = NULL;
1019 else
1020 goto done;
1021 }
1022
1023 /* Restore data flow when half of the receive buffer is
1024 * available. This avoids resending large numbers of
1025 * frames.
1026 */
1027 if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1028 l2cap_chan_busy(pi->chan, 0);
68983259 1029
e328140f
MM		 1030done:
1031 release_sock(sk);
1032 return err;
68983259
GP		 1033}
1034
05fc1576
GP		 1035/* Kill socket (only if zapped and orphan)
1036 * Must be called on unlocked socket.
1037 */
ba3bd0ee 1038static void l2cap_sock_kill(struct sock *sk)
05fc1576
GP		 1039{
1040 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1041 return;
1042
e05dcc32 1043 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
05fc1576
GP		 1044
1045 /* Kill poor orphan */
6ff5abbf 1046
4af66c69 1047 l2cap_chan_put(l2cap_pi(sk)->chan);
05fc1576
GP		 1048 sock_set_flag(sk, SOCK_DEAD);
1049 sock_put(sk);
1050}
1051
dc25306b
GP		 1052static int __l2cap_wait_ack(struct sock *sk)
1053{
1054 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1055 DECLARE_WAITQUEUE(wait, current);
1056 int err = 0;
1057 int timeo = HZ/5;
1058
1059 add_wait_queue(sk_sleep(sk), &wait);
1060 set_current_state(TASK_INTERRUPTIBLE);
1061 while (chan->unacked_frames > 0 && chan->conn) {
1062 if (!timeo)
1063 timeo = HZ/5;
1064
1065 if (signal_pending(current)) {
1066 err = sock_intr_errno(timeo);
1067 break;
1068 }
1069
1070 release_sock(sk);
1071 timeo = schedule_timeout(timeo);
1072 lock_sock(sk);
1073 set_current_state(TASK_INTERRUPTIBLE);
1074
1075 err = sock_error(sk);
1076 if (err)
1077 break;
1078 }
1079 set_current_state(TASK_RUNNING);
1080 remove_wait_queue(sk_sleep(sk), &wait);
1081 return err;
1082}
1083
dcba0dba
GP		 1084static int l2cap_sock_shutdown(struct socket *sock, int how)
1085{
1086 struct sock *sk = sock->sk;
7ddb6e0f 1087 struct l2cap_chan *chan;
3df91ea2 1088 struct l2cap_conn *conn;
dcba0dba
GP		 1089 int err = 0;
1090
1091 BT_DBG("sock %p, sk %p", sock, sk);
1092
1093 if (!sk)
1094 return 0;
1095
7ddb6e0f 1096 chan = l2cap_pi(sk)->chan;
3df91ea2
AE		 1097 conn = chan->conn;
1098
1099 if (conn)
1100 mutex_lock(&conn->chan_lock);
7ddb6e0f 1101
6be36555 1102 l2cap_chan_lock(chan);
dcba0dba 1103 lock_sock(sk);
6be36555 1104
dcba0dba 1105 if (!sk->sk_shutdown) {
0c1bc5c6 1106 if (chan->mode == L2CAP_MODE_ERTM)
dcba0dba
GP		 1107 err = __l2cap_wait_ack(sk);
1108
1109 sk->sk_shutdown = SHUTDOWN_MASK;
3df91ea2 1110
6be36555 1111 release_sock(sk);
0f852724 1112 l2cap_chan_close(chan, 0);
6be36555 1113 lock_sock(sk);
dcba0dba 1114
093facf3
VD		 1115 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1116 !(current->flags & PF_EXITING))
dcba0dba 1117 err = bt_sock_wait_state(sk, BT_CLOSED,
2d792818 1118 sk->sk_lingertime);
dcba0dba
GP		 1119 }
1120
1121 if (!err && sk->sk_err)
1122 err = -sk->sk_err;
1123
1124 release_sock(sk);
6be36555 1125 l2cap_chan_unlock(chan);
3df91ea2
AE		 1126
1127 if (conn)
1128 mutex_unlock(&conn->chan_lock);
1129
dcba0dba
GP		 1130 return err;
1131}
1132
554f05bb
GP		 1133static int l2cap_sock_release(struct socket *sock)
1134{
1135 struct sock *sk = sock->sk;
1136 int err;
1137
1138 BT_DBG("sock %p, sk %p", sock, sk);
1139
1140 if (!sk)
1141 return 0;
1142
5b28d95c
MY		 1143 bt_sock_unlink(&l2cap_sk_list, sk);
1144
554f05bb
GP		 1145 err = l2cap_sock_shutdown(sock, 2);
1146
1147 sock_orphan(sk);
1148 l2cap_sock_kill(sk);
1149 return err;
1150}
1151
c0df7f6e
AE		 1152static void l2cap_sock_cleanup_listen(struct sock *parent)
1153{
1154 struct sock *sk;
1155
1156 BT_DBG("parent %p", parent);
1157
1158 /* Close not yet accepted channels */
1159 while ((sk = bt_accept_dequeue(parent, NULL))) {
1160 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1161
1162 l2cap_chan_lock(chan);
1163 __clear_chan_timer(chan);
1164 l2cap_chan_close(chan, ECONNRESET);
1165 l2cap_chan_unlock(chan);
1166
1167 l2cap_sock_kill(sk);
1168 }
1169}
1170
80b98027 1171static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
80808e43 1172{
80b98027 1173 struct sock *sk, *parent = chan->data;
80808e43 1174
8ffb9290
GP		 1175 lock_sock(parent);
1176
53826692
GP		 1177 /* Check for backlog size */
1178 if (sk_acceptq_is_full(parent)) {
1179 BT_DBG("backlog full %d", parent->sk_ack_backlog);
8a96f3cd 1180 release_sock(parent);
53826692
GP		 1181 return NULL;
1182 }
1183
80808e43 1184 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
2d792818 1185 GFP_ATOMIC);
8a96f3cd
JT		 1186 if (!sk) {
1187 release_sock(parent);
80808e43 1188 return NULL;
8a96f3cd 1189 }
80808e43 1190
d22015aa
OP		 1191 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1192
80808e43
GP		 1193 l2cap_sock_init(sk, parent);
1194
644912e1
GP		 1195 bt_accept_enqueue(parent, sk);
1196
8ffb9290
GP		 1197 release_sock(parent);
1198
80808e43
GP		 1199 return l2cap_pi(sk)->chan;
1200}
1201
80b98027 1202static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
23070494 1203{
80b98027 1204 struct sock *sk = chan->data;
84b34d98 1205 int err;
e328140f 1206
6be36555
AE		 1207 lock_sock(sk);
1208
84b34d98 1209 if (l2cap_pi(sk)->rx_busy_skb) {
6be36555
AE		 1210 err = -ENOMEM;
1211 goto done;
1212 }
e328140f
MM		 1213
1214 err = sock_queue_rcv_skb(sk, skb);
1215
1216 /* For ERTM, handle one skb that doesn't fit into the recv
1217 * buffer. This is important to do because the data frames
1218 * have already been acked, so the skb cannot be discarded.
1219 *
1220 * Notify the l2cap core that the buffer is full, so the
1221 * LOCAL_BUSY state is entered and no more frames are
1222 * acked and reassembled until there is buffer space
1223 * available.
1224 */
84b34d98
MH		 1225 if (err < 0 && chan->mode == L2CAP_MODE_ERTM) {
1226 l2cap_pi(sk)->rx_busy_skb = skb;
1227 l2cap_chan_busy(chan, 1);
e328140f
MM		 1228 err = 0;
1229 }
23070494 1230
6be36555
AE		 1231done:
1232 release_sock(sk);
1233
e328140f 1234 return err;
23070494
GP		 1235}
1236
80b98027 1237static void l2cap_sock_close_cb(struct l2cap_chan *chan)
ba3bd0ee 1238{
80b98027 1239 struct sock *sk = chan->data;
ba3bd0ee
GP		 1240
1241 l2cap_sock_kill(sk);
1242}
1243
c0df7f6e
AE		 1244static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1245{
1246 struct sock *sk = chan->data;
1247 struct sock *parent;
1248
1249 lock_sock(sk);
1250
1251 parent = bt_sk(sk)->parent;
1252
1253 sock_set_flag(sk, SOCK_ZAPPED);
1254
1255 switch (chan->state) {
1256 case BT_OPEN:
1257 case BT_BOUND:
1258 case BT_CLOSED:
1259 break;
1260 case BT_LISTEN:
1261 l2cap_sock_cleanup_listen(sk);
1262 sk->sk_state = BT_CLOSED;
1263 chan->state = BT_CLOSED;
1264
1265 break;
1266 default:
1267 sk->sk_state = BT_CLOSED;
1268 chan->state = BT_CLOSED;
1269
1270 sk->sk_err = err;
1271
1272 if (parent) {
1273 bt_accept_unlink(sk);
676d2369 1274 parent->sk_data_ready(parent);
c0df7f6e
AE		 1275 } else {
1276 sk->sk_state_change(sk);
1277 }
1278
1279 break;
1280 }
1281
1282 release_sock(sk);
1283}
1284
53f52121
GP		 1285static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1286 int err)
89bc500e 1287{
80b98027 1288 struct sock *sk = chan->data;
89bc500e
GP		 1289
1290 sk->sk_state = state;
53f52121
GP		 1291
1292 if (err)
1293 sk->sk_err = err;
89bc500e
GP		 1294}
1295
2f7719ce 1296static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
d9fbd02b 1297 unsigned long hdr_len,
90338947 1298 unsigned long len, int nb)
2f7719ce 1299{
0f2c6153 1300 struct sock *sk = chan->data;
90338947
GP		 1301 struct sk_buff *skb;
1302 int err;
1303
a6a5568c 1304 l2cap_chan_unlock(chan);
d9fbd02b 1305 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
a6a5568c
MM		 1306 l2cap_chan_lock(chan);
1307
90338947
GP		 1308 if (!skb)
1309 return ERR_PTR(err);
2f7719ce 1310
8d46321c
MH		 1311 skb->priority = sk->sk_priority;
1312
0e790c64
GP		 1313 bt_cb(skb)->chan = chan;
1314
90338947 1315 return skb;
2f7719ce
AE		 1316}
1317
0498878b
JR		 1318static int l2cap_sock_memcpy_fromiovec_cb(struct l2cap_chan *chan,
1319 unsigned char *kdata,
1320 struct iovec *iov, int len)
1321{
1322 return memcpy_fromiovec(kdata, iov, len);
1323}
1324
54a59aa2
AE		 1325static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1326{
1327 struct sock *sk = chan->data;
1328 struct sock *parent;
1329
1330 lock_sock(sk);
1331
1332 parent = bt_sk(sk)->parent;
1333
1334 BT_DBG("sk %p, parent %p", sk, parent);
1335
1336 sk->sk_state = BT_CONNECTED;
1337 sk->sk_state_change(sk);
1338
1339 if (parent)
676d2369 1340 parent->sk_data_ready(parent);
54a59aa2
AE		 1341
1342 release_sock(sk);
1343}
1344
2dc4e510
GP		 1345static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1346{
acdcabf5
GP		 1347 struct sock *parent, *sk = chan->data;
1348
1349 lock_sock(sk);
2dc4e510 1350
acdcabf5 1351 parent = bt_sk(sk)->parent;
2dc4e510 1352 if (parent)
676d2369 1353 parent->sk_data_ready(parent);
acdcabf5
GP		 1354
1355 release_sock(sk);
2dc4e510
GP		 1356}
1357
d97c899b
MH		 1358static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1359{
1360 struct sock *sk = chan->data;
1361
1362 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1363 sk->sk_state_change(sk);
1364}
1365
5ec1bbe5
GP		 1366static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1367{
1368 struct sock *sk = chan->data;
1369
1370 lock_sock(sk);
1371 sk->sk_shutdown = SHUTDOWN_MASK;
1372 release_sock(sk);
1373}
1374
8d836d71
GP		 1375static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1376{
1377 struct sock *sk = chan->data;
1378
1379 return sk->sk_sndtimeo;
1380}
1381
837776f7
JH		 1382static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1383{
1384 struct sock *sk = chan->data;
1385
1386 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1387 sk->sk_state_change(sk);
1388}
1389
67f86a45 1390static const struct l2cap_ops l2cap_chan_ops = {
0498878b
JR		 1391 .name = "L2CAP Socket Interface",
1392 .new_connection = l2cap_sock_new_connection_cb,
1393 .recv = l2cap_sock_recv_cb,
1394 .close = l2cap_sock_close_cb,
1395 .teardown = l2cap_sock_teardown_cb,
1396 .state_change = l2cap_sock_state_change_cb,
1397 .ready = l2cap_sock_ready_cb,
1398 .defer = l2cap_sock_defer_cb,
1399 .resume = l2cap_sock_resume_cb,
1400 .suspend = l2cap_sock_suspend_cb,
1401 .set_shutdown = l2cap_sock_set_shutdown_cb,
1402 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
1403 .alloc_skb = l2cap_sock_alloc_skb_cb,
1404 .memcpy_fromiovec = l2cap_sock_memcpy_fromiovec_cb,
80808e43
GP		 1405};
1406
bb58f747
GP		 1407static void l2cap_sock_destruct(struct sock *sk)
1408{
1409 BT_DBG("sk %p", sk);
1410
23d3a869
SL		 1411 if (l2cap_pi(sk)->chan)
1412 l2cap_chan_put(l2cap_pi(sk)->chan);
84b34d98 1413
e328140f
MM		 1414 if (l2cap_pi(sk)->rx_busy_skb) {
1415 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
1416 l2cap_pi(sk)->rx_busy_skb = NULL;
1417 }
1418
bb58f747
GP		 1419 skb_queue_purge(&sk->sk_receive_queue);
1420 skb_queue_purge(&sk->sk_write_queue);
1421}
1422
2edf870d
MH		 1423static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1424 int *msg_namelen)
1425{
342dfc30 1426 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
2edf870d
MH		 1427
1428 memset(la, 0, sizeof(struct sockaddr_l2));
1429 la->l2_family = AF_BLUETOOTH;
1430 la->l2_psm = bt_cb(skb)->psm;
1431 bacpy(&la->l2_bdaddr, &bt_cb(skb)->bdaddr);
1432
1433 *msg_namelen = sizeof(struct sockaddr_l2);
1434}
1435
80808e43 1436static void l2cap_sock_init(struct sock *sk, struct sock *parent)
bb58f747 1437{
84b34d98 1438 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
bb58f747
GP		 1439
1440 BT_DBG("sk %p", sk);
1441
1442 if (parent) {
b4450035
GP		 1443 struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1444
bb58f747 1445 sk->sk_type = parent->sk_type;
c5daa683 1446 bt_sk(sk)->flags = bt_sk(parent)->flags;
bb58f747 1447
715ec005 1448 chan->chan_type = pchan->chan_type;
0c1bc5c6
GP		 1449 chan->imtu = pchan->imtu;
1450 chan->omtu = pchan->omtu;
b4450035 1451 chan->conf_state = pchan->conf_state;
0c1bc5c6 1452 chan->mode = pchan->mode;
47d1ec61
GP		 1453 chan->fcs = pchan->fcs;
1454 chan->max_tx = pchan->max_tx;
1455 chan->tx_win = pchan->tx_win;
6b3c7104 1456 chan->tx_win_max = pchan->tx_win_max;
4343478f 1457 chan->sec_level = pchan->sec_level;
d57b0e8b 1458 chan->flags = pchan->flags;
0cd75f7e
JH		 1459 chan->tx_credits = pchan->tx_credits;
1460 chan->rx_credits = pchan->rx_credits;
6230c9b4 1461
7a8e5a31
JH		 1462 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1463 chan->scid = pchan->scid;
1464 chan->dcid = pchan->scid;
1465 }
1466
6230c9b4 1467 security_sk_clone(parent, sk);
bb58f747 1468 } else {
715ec005
GP		 1469 switch (sk->sk_type) {
1470 case SOCK_RAW:
1471 chan->chan_type = L2CAP_CHAN_RAW;
1472 break;
1473 case SOCK_DGRAM:
1474 chan->chan_type = L2CAP_CHAN_CONN_LESS;
2edf870d 1475 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
715ec005
GP		 1476 break;
1477 case SOCK_SEQPACKET:
1478 case SOCK_STREAM:
1479 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1480 break;
1481 }
1482
0c1bc5c6
GP		 1483 chan->imtu = L2CAP_DEFAULT_MTU;
1484 chan->omtu = 0;
bb58f747 1485 if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
0c1bc5c6 1486 chan->mode = L2CAP_MODE_ERTM;
c1360a1c 1487 set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
bb58f747 1488 } else {
0c1bc5c6 1489 chan->mode = L2CAP_MODE_BASIC;
bb58f747 1490 }
bd4b1653
AE		 1491
1492 l2cap_chan_set_defaults(chan);
bb58f747
GP		 1493 }
1494
1495 /* Default config options */
0c1bc5c6 1496 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
80808e43
GP		 1497
1498 chan->data = sk;
1499 chan->ops = &l2cap_chan_ops;
bb58f747
GP		 1500}
1501
1502static struct proto l2cap_proto = {
1503 .name = "L2CAP",
1504 .owner = THIS_MODULE,
1505 .obj_size = sizeof(struct l2cap_pinfo)
1506};
1507
2d792818
GP		 1508static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1509 int proto, gfp_t prio)
bb58f747
GP		 1510{
1511 struct sock *sk;
dc50a06d 1512 struct l2cap_chan *chan;
bb58f747
GP		 1513
1514 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1515 if (!sk)
1516 return NULL;
1517
1518 sock_init_data(sock, sk);
1519 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
1520
1521 sk->sk_destruct = l2cap_sock_destruct;
ba13ccd9 1522 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
bb58f747
GP		 1523
1524 sock_reset_flag(sk, SOCK_ZAPPED);
1525
1526 sk->sk_protocol = proto;
1527 sk->sk_state = BT_OPEN;
1528
eef1d9b6 1529 chan = l2cap_chan_create();
dc50a06d 1530 if (!chan) {
49dfbb91 1531 sk_free(sk);
dc50a06d
GP		 1532 return NULL;
1533 }
1534
61d6ef3e
MM		 1535 l2cap_chan_hold(chan);
1536
dc50a06d
GP		 1537 l2cap_pi(sk)->chan = chan;
1538
bb58f747
GP		 1539 return sk;
1540}
1541
1542static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1543 int kern)
1544{
1545 struct sock *sk;
1546
1547 BT_DBG("sock %p", sock);
1548
1549 sock->state = SS_UNCONNECTED;
1550
1551 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
2d792818 1552 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
bb58f747
GP		 1553 return -ESOCKTNOSUPPORT;
1554
1555 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1556 return -EPERM;
1557
1558 sock->ops = &l2cap_sock_ops;
1559
1560 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
1561 if (!sk)
1562 return -ENOMEM;
1563
1564 l2cap_sock_init(sk, NULL);
5b28d95c 1565 bt_sock_link(&l2cap_sk_list, sk);
bb58f747
GP		 1566 return 0;
1567}
1568
cf2f90f5 1569static const struct proto_ops l2cap_sock_ops = {
65390587
GP		 1570 .family = PF_BLUETOOTH,
1571 .owner = THIS_MODULE,
1572 .release = l2cap_sock_release,
1573 .bind = l2cap_sock_bind,
1574 .connect = l2cap_sock_connect,
1575 .listen = l2cap_sock_listen,
1576 .accept = l2cap_sock_accept,
1577 .getname = l2cap_sock_getname,
1578 .sendmsg = l2cap_sock_sendmsg,
1579 .recvmsg = l2cap_sock_recvmsg,
1580 .poll = bt_sock_poll,
1581 .ioctl = bt_sock_ioctl,
1582 .mmap = sock_no_mmap,
1583 .socketpair = sock_no_socketpair,
1584 .shutdown = l2cap_sock_shutdown,
1585 .setsockopt = l2cap_sock_setsockopt,
1586 .getsockopt = l2cap_sock_getsockopt
1587};
1588
bb58f747
GP		 1589static const struct net_proto_family l2cap_sock_family_ops = {
1590 .family = PF_BLUETOOTH,
1591 .owner = THIS_MODULE,
1592 .create = l2cap_sock_create,
1593};
1594
1595int __init l2cap_init_sockets(void)
1596{
e2174ca4 1597 int err;
bb58f747 1598
e2174ca4
GP		 1599 err = proto_register(&l2cap_proto, 0);
1600 if (err < 0)
1601 return err;
bb58f747 1602
e2174ca4 1603 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
5b28d95c
MY		 1604 if (err < 0) {
1605 BT_ERR("L2CAP socket registration failed");
e2174ca4 1606 goto error;
5b28d95c
MY		 1607 }
1608
b0316615 1609 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
2d792818 1610 NULL);
5b28d95c
MY		 1611 if (err < 0) {
1612 BT_ERR("Failed to create L2CAP proc file");
1613 bt_sock_unregister(BTPROTO_L2CAP);
1614 goto error;
1615 }
bb58f747 1616
e2174ca4 1617 BT_INFO("L2CAP socket layer initialized");
bb58f747 1618
e2174ca4 1619 return 0;
bb58f747
GP		 1620
1621error:
e2174ca4
GP		 1622 proto_unregister(&l2cap_proto);
1623 return err;
bb58f747
GP		 1624}
1625
1626void l2cap_cleanup_sockets(void)
1627{
5b28d95c 1628 bt_procfs_cleanup(&init_net, "l2cap");
5e9d7f86 1629 bt_sock_unregister(BTPROTO_L2CAP);
e2174ca4 1630 proto_unregister(&l2cap_proto);
bb58f747 1631}
Linux 6.x block layer and io_uring tree(s)