CoCalc -- l2cap

GitHub Repository: torvalds/linux
Path: blob/master/net/bluetooth/l2cap_sock.c
⁵⁴³³⁹ views
1
/*
2
   BlueZ - Bluetooth protocol stack for Linux
3
   Copyright (C) 2000-2001 Qualcomm Incorporated
4
   Copyright (C) 2009-2010 Gustavo F. Padovan <[email protected]>
5
   Copyright (C) 2010 Google Inc.
6
   Copyright (C) 2011 ProFUSION Embedded Systems
7

8
   Written 2000,2001 by Maxim Krasnyansky <[email protected]>
9

10
   This program is free software; you can redistribute it and/or modify
11
   it under the terms of the GNU General Public License version 2 as
12
   published by the Free Software Foundation;
13

14
   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22

23
   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25
   SOFTWARE IS DISCLAIMED.
26
*/
27

28
/* Bluetooth L2CAP sockets. */
29

30
#include <linux/module.h>
31
#include <linux/export.h>
32
#include <linux/filter.h>
33
#include <linux/sched/signal.h>
34

35
#include <net/bluetooth/bluetooth.h>
36
#include <net/bluetooth/hci_core.h>
37
#include <net/bluetooth/l2cap.h>
38

39
#include "smp.h"
40

41
static struct bt_sock_list l2cap_sk_list = {
42
	.lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
43
};
44

45
static const struct proto_ops l2cap_sock_ops;
46
static void l2cap_sock_init(struct sock *sk, struct sock *parent);
47
static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
48
				     int proto, gfp_t prio, int kern);
49
static void l2cap_sock_cleanup_listen(struct sock *parent);
50

51
bool l2cap_is_socket(struct socket *sock)
52
{
53
	return sock && sock->ops == &l2cap_sock_ops;
54
}
55
EXPORT_SYMBOL(l2cap_is_socket);
56

57
static int l2cap_validate_bredr_psm(u16 psm)
58
{
59
	/* PSM must be odd and lsb of upper byte must be 0 */
60
	if ((psm & 0x0101) != 0x0001)
61
		return -EINVAL;
62

63
	/* Restrict usage of well-known PSMs */
64
	if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE))
65
		return -EACCES;
66

67
	return 0;
68
}
69

70
static int l2cap_validate_le_psm(u16 psm)
71
{
72
	/* Valid LE_PSM ranges are defined only until 0x00ff */
73
	if (psm > L2CAP_PSM_LE_DYN_END)
74
		return -EINVAL;
75

76
	/* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */
77
	if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE))
78
		return -EACCES;
79

80
	return 0;
81
}
82

83
static int l2cap_sock_bind(struct socket *sock, struct sockaddr_unsized *addr, int alen)
84
{
85
	struct sock *sk = sock->sk;
86
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
87
	struct sockaddr_l2 la;
88
	int len, err = 0;
89

90
	BT_DBG("sk %p", sk);
91

92
	if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
93
	    addr->sa_family != AF_BLUETOOTH)
94
		return -EINVAL;
95

96
	memset(&la, 0, sizeof(la));
97
	len = min_t(unsigned int, sizeof(la), alen);
98
	memcpy(&la, addr, len);
99

100
	if (la.l2_cid && la.l2_psm)
101
		return -EINVAL;
102

103
	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
104
		return -EINVAL;
105

106
	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
107
		/* We only allow ATT user space socket */
108
		if (la.l2_cid &&
109
		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
110
			return -EINVAL;
111
	}
112

113
	lock_sock(sk);
114

115
	if (sk->sk_state != BT_OPEN) {
116
		err = -EBADFD;
117
		goto done;
118
	}
119

120
	if (la.l2_psm) {
121
		__u16 psm = __le16_to_cpu(la.l2_psm);
122

123
		if (la.l2_bdaddr_type == BDADDR_BREDR)
124
			err = l2cap_validate_bredr_psm(psm);
125
		else
126
			err = l2cap_validate_le_psm(psm);
127

128
		if (err)
129
			goto done;
130
	}
131

132
	bacpy(&chan->src, &la.l2_bdaddr);
133
	chan->src_type = la.l2_bdaddr_type;
134

135
	if (la.l2_cid)
136
		err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
137
	else
138
		err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
139

140
	if (err < 0)
141
		goto done;
142

143
	switch (chan->chan_type) {
144
	case L2CAP_CHAN_CONN_LESS:
145
		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP)
146
			chan->sec_level = BT_SECURITY_SDP;
147
		break;
148
	case L2CAP_CHAN_CONN_ORIENTED:
149
		if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP ||
150
		    __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM)
151
			chan->sec_level = BT_SECURITY_SDP;
152
		break;
153
	case L2CAP_CHAN_RAW:
154
		chan->sec_level = BT_SECURITY_SDP;
155
		break;
156
	case L2CAP_CHAN_FIXED:
157
		/* Fixed channels default to the L2CAP core not holding a
158
		 * hci_conn reference for them. For fixed channels mapping to
159
		 * L2CAP sockets we do want to hold a reference so set the
160
		 * appropriate flag to request it.
161
		 */
162
		set_bit(FLAG_HOLD_HCI_CONN, &chan->flags);
163
		break;
164
	}
165

166
	/* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
167
	 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
168
	 */
169
	if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
170
	    chan->mode != L2CAP_MODE_EXT_FLOWCTL)
171
		chan->mode = L2CAP_MODE_LE_FLOWCTL;
172

173
	chan->state = BT_BOUND;
174
	sk->sk_state = BT_BOUND;
175

176
done:
177
	release_sock(sk);
178
	return err;
179
}
180

181
static int l2cap_sock_connect(struct socket *sock, struct sockaddr_unsized *addr,
182
			      int alen, int flags)
183
{
184
	struct sock *sk = sock->sk;
185
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
186
	struct sockaddr_l2 la;
187
	int len, err = 0;
188
	bool zapped;
189

190
	BT_DBG("sk %p", sk);
191

192
	lock_sock(sk);
193
	zapped = sock_flag(sk, SOCK_ZAPPED);
194
	release_sock(sk);
195

196
	if (zapped)
197
		return -EINVAL;
198

199
	if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
200
	    addr->sa_family != AF_BLUETOOTH)
201
		return -EINVAL;
202

203
	memset(&la, 0, sizeof(la));
204
	len = min_t(unsigned int, sizeof(la), alen);
205
	memcpy(&la, addr, len);
206

207
	if (la.l2_cid && la.l2_psm)
208
		return -EINVAL;
209

210
	if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
211
		return -EINVAL;
212

213
	/* Check that the socket wasn't bound to something that
214
	 * conflicts with the address given to connect(). If chan->src
215
	 * is BDADDR_ANY it means bind() was never used, in which case
216
	 * chan->src_type and la.l2_bdaddr_type do not need to match.
217
	 */
218
	if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) &&
219
	    bdaddr_type_is_le(la.l2_bdaddr_type)) {
220
		/* Old user space versions will try to incorrectly bind
221
		 * the ATT socket using BDADDR_BREDR. We need to accept
222
		 * this and fix up the source address type only when
223
		 * both the source CID and destination CID indicate
224
		 * ATT. Anything else is an invalid combination.
225
		 */
226
		if (chan->scid != L2CAP_CID_ATT ||
227
		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
228
			return -EINVAL;
229

230
		/* We don't have the hdev available here to make a
231
		 * better decision on random vs public, but since all
232
		 * user space versions that exhibit this issue anyway do
233
		 * not support random local addresses assuming public
234
		 * here is good enough.
235
		 */
236
		chan->src_type = BDADDR_LE_PUBLIC;
237
	}
238

239
	if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR)
240
		return -EINVAL;
241

242
	if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
243
		/* We only allow ATT user space socket */
244
		if (la.l2_cid &&
245
		    la.l2_cid != cpu_to_le16(L2CAP_CID_ATT))
246
			return -EINVAL;
247
	}
248

249
	/* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
250
	 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
251
	 */
252
	if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
253
	    chan->mode != L2CAP_MODE_EXT_FLOWCTL)
254
		chan->mode = L2CAP_MODE_LE_FLOWCTL;
255

256
	err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
257
				 &la.l2_bdaddr, la.l2_bdaddr_type,
258
				 READ_ONCE(sk->sk_sndtimeo));
259
	if (err)
260
		return err;
261

262
	lock_sock(sk);
263

264
	err = bt_sock_wait_state(sk, BT_CONNECTED,
265
				 sock_sndtimeo(sk, flags & O_NONBLOCK));
266

267
	release_sock(sk);
268

269
	return err;
270
}
271

272
static int l2cap_sock_listen(struct socket *sock, int backlog)
273
{
274
	struct sock *sk = sock->sk;
275
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
276
	int err = 0;
277

278
	BT_DBG("sk %p backlog %d", sk, backlog);
279

280
	lock_sock(sk);
281

282
	if (sk->sk_state != BT_BOUND) {
283
		err = -EBADFD;
284
		goto done;
285
	}
286

287
	if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) {
288
		err = -EINVAL;
289
		goto done;
290
	}
291

292
	switch (chan->mode) {
293
	case L2CAP_MODE_BASIC:
294
	case L2CAP_MODE_LE_FLOWCTL:
295
		break;
296
	case L2CAP_MODE_EXT_FLOWCTL:
297
		if (!enable_ecred) {
298
			err = -EOPNOTSUPP;
299
			goto done;
300
		}
301
		break;
302
	case L2CAP_MODE_ERTM:
303
	case L2CAP_MODE_STREAMING:
304
		if (!disable_ertm)
305
			break;
306
		fallthrough;
307
	default:
308
		err = -EOPNOTSUPP;
309
		goto done;
310
	}
311

312
	sk->sk_max_ack_backlog = backlog;
313
	sk->sk_ack_backlog = 0;
314

315
	/* Listening channels need to use nested locking in order not to
316
	 * cause lockdep warnings when the created child channels end up
317
	 * being locked in the same thread as the parent channel.
318
	 */
319
	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
320

321
	chan->state = BT_LISTEN;
322
	sk->sk_state = BT_LISTEN;
323

324
done:
325
	release_sock(sk);
326
	return err;
327
}
328

329
static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
330
			     struct proto_accept_arg *arg)
331
{
332
	DEFINE_WAIT_FUNC(wait, woken_wake_function);
333
	struct sock *sk = sock->sk, *nsk;
334
	long timeo;
335
	int err = 0;
336

337
	lock_sock_nested(sk, L2CAP_NESTING_PARENT);
338

339
	timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK);
340

341
	BT_DBG("sk %p timeo %ld", sk, timeo);
342

343
	/* Wait for an incoming connection. (wake-one). */
344
	add_wait_queue_exclusive(sk_sleep(sk), &wait);
345
	while (1) {
346
		if (sk->sk_state != BT_LISTEN) {
347
			err = -EBADFD;
348
			break;
349
		}
350

351
		nsk = bt_accept_dequeue(sk, newsock);
352
		if (nsk)
353
			break;
354

355
		if (!timeo) {
356
			err = -EAGAIN;
357
			break;
358
		}
359

360
		if (signal_pending(current)) {
361
			err = sock_intr_errno(timeo);
362
			break;
363
		}
364

365
		release_sock(sk);
366

367
		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
368

369
		lock_sock_nested(sk, L2CAP_NESTING_PARENT);
370
	}
371
	remove_wait_queue(sk_sleep(sk), &wait);
372

373
	if (err)
374
		goto done;
375

376
	newsock->state = SS_CONNECTED;
377

378
	BT_DBG("new socket %p", nsk);
379

380
done:
381
	release_sock(sk);
382
	return err;
383
}
384

385
static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
386
			      int peer)
387
{
388
	struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
389
	struct sock *sk = sock->sk;
390
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
391

392
	BT_DBG("sock %p, sk %p", sock, sk);
393

394
	if (peer && sk->sk_state != BT_CONNECTED &&
395
	    sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 &&
396
	    sk->sk_state != BT_CONFIG)
397
		return -ENOTCONN;
398

399
	memset(la, 0, sizeof(struct sockaddr_l2));
400
	addr->sa_family = AF_BLUETOOTH;
401

402
	la->l2_psm = chan->psm;
403

404
	if (peer) {
405
		bacpy(&la->l2_bdaddr, &chan->dst);
406
		la->l2_cid = cpu_to_le16(chan->dcid);
407
		la->l2_bdaddr_type = chan->dst_type;
408
	} else {
409
		bacpy(&la->l2_bdaddr, &chan->src);
410
		la->l2_cid = cpu_to_le16(chan->scid);
411
		la->l2_bdaddr_type = chan->src_type;
412
	}
413

414
	return sizeof(struct sockaddr_l2);
415
}
416

417
static int l2cap_get_mode(struct l2cap_chan *chan)
418
{
419
	switch (chan->mode) {
420
	case L2CAP_MODE_BASIC:
421
		return BT_MODE_BASIC;
422
	case L2CAP_MODE_ERTM:
423
		return BT_MODE_ERTM;
424
	case L2CAP_MODE_STREAMING:
425
		return BT_MODE_STREAMING;
426
	case L2CAP_MODE_LE_FLOWCTL:
427
		return BT_MODE_LE_FLOWCTL;
428
	case L2CAP_MODE_EXT_FLOWCTL:
429
		return BT_MODE_EXT_FLOWCTL;
430
	}
431

432
	return -EINVAL;
433
}
434

435
static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
436
				     char __user *optval, int __user *optlen)
437
{
438
	struct sock *sk = sock->sk;
439
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
440
	struct l2cap_options opts;
441
	struct l2cap_conninfo cinfo;
442
	int err = 0;
443
	size_t len;
444
	u32 opt;
445

446
	BT_DBG("sk %p", sk);
447

448
	if (get_user(len, optlen))
449
		return -EFAULT;
450

451
	lock_sock(sk);
452

453
	switch (optname) {
454
	case L2CAP_OPTIONS:
455
		/* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since
456
		 * legacy ATT code depends on getsockopt for
457
		 * L2CAP_OPTIONS we need to let this pass.
458
		 */
459
		if (bdaddr_type_is_le(chan->src_type) &&
460
		    chan->scid != L2CAP_CID_ATT) {
461
			err = -EINVAL;
462
			break;
463
		}
464

465
		/* Only BR/EDR modes are supported here */
466
		switch (chan->mode) {
467
		case L2CAP_MODE_BASIC:
468
		case L2CAP_MODE_ERTM:
469
		case L2CAP_MODE_STREAMING:
470
			break;
471
		default:
472
			err = -EINVAL;
473
			break;
474
		}
475

476
		if (err < 0)
477
			break;
478

479
		memset(&opts, 0, sizeof(opts));
480
		opts.imtu     = chan->imtu;
481
		opts.omtu     = chan->omtu;
482
		opts.flush_to = chan->flush_to;
483
		opts.mode     = chan->mode;
484
		opts.fcs      = chan->fcs;
485
		opts.max_tx   = chan->max_tx;
486
		opts.txwin_size = chan->tx_win;
487

488
		BT_DBG("mode 0x%2.2x", chan->mode);
489

490
		len = min(len, sizeof(opts));
491
		if (copy_to_user(optval, (char *) &opts, len))
492
			err = -EFAULT;
493

494
		break;
495

496
	case L2CAP_LM:
497
		switch (chan->sec_level) {
498
		case BT_SECURITY_LOW:
499
			opt = L2CAP_LM_AUTH;
500
			break;
501
		case BT_SECURITY_MEDIUM:
502
			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
503
			break;
504
		case BT_SECURITY_HIGH:
505
			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
506
			      L2CAP_LM_SECURE;
507
			break;
508
		case BT_SECURITY_FIPS:
509
			opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
510
			      L2CAP_LM_SECURE | L2CAP_LM_FIPS;
511
			break;
512
		default:
513
			opt = 0;
514
			break;
515
		}
516

517
		if (test_bit(FLAG_ROLE_SWITCH, &chan->flags))
518
			opt |= L2CAP_LM_MASTER;
519

520
		if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
521
			opt |= L2CAP_LM_RELIABLE;
522

523
		if (put_user(opt, (u32 __user *) optval))
524
			err = -EFAULT;
525

526
		break;
527

528
	case L2CAP_CONNINFO:
529
		if (sk->sk_state != BT_CONNECTED &&
530
		    !(sk->sk_state == BT_CONNECT2 &&
531
		      test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
532
			err = -ENOTCONN;
533
			break;
534
		}
535

536
		memset(&cinfo, 0, sizeof(cinfo));
537
		cinfo.hci_handle = chan->conn->hcon->handle;
538
		memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
539

540
		len = min(len, sizeof(cinfo));
541
		if (copy_to_user(optval, (char *) &cinfo, len))
542
			err = -EFAULT;
543

544
		break;
545

546
	default:
547
		err = -ENOPROTOOPT;
548
		break;
549
	}
550

551
	release_sock(sk);
552
	return err;
553
}
554

555
static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
556
				 char __user *optval, int __user *optlen)
557
{
558
	struct sock *sk = sock->sk;
559
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
560
	struct bt_security sec;
561
	struct bt_power pwr;
562
	u32 phys;
563
	int len, mode, err = 0;
564

565
	BT_DBG("sk %p", sk);
566

567
	if (level == SOL_L2CAP)
568
		return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
569

570
	if (level != SOL_BLUETOOTH)
571
		return -ENOPROTOOPT;
572

573
	if (get_user(len, optlen))
574
		return -EFAULT;
575

576
	lock_sock(sk);
577

578
	switch (optname) {
579
	case BT_SECURITY:
580
		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
581
		    chan->chan_type != L2CAP_CHAN_FIXED &&
582
		    chan->chan_type != L2CAP_CHAN_RAW) {
583
			err = -EINVAL;
584
			break;
585
		}
586

587
		memset(&sec, 0, sizeof(sec));
588
		if (chan->conn) {
589
			sec.level = chan->conn->hcon->sec_level;
590

591
			if (sk->sk_state == BT_CONNECTED)
592
				sec.key_size = chan->conn->hcon->enc_key_size;
593
		} else {
594
			sec.level = chan->sec_level;
595
		}
596

597
		len = min_t(unsigned int, len, sizeof(sec));
598
		if (copy_to_user(optval, (char *) &sec, len))
599
			err = -EFAULT;
600

601
		break;
602

603
	case BT_DEFER_SETUP:
604
		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
605
			err = -EINVAL;
606
			break;
607
		}
608

609
		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
610
			     (u32 __user *) optval))
611
			err = -EFAULT;
612

613
		break;
614

615
	case BT_FLUSHABLE:
616
		if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
617
			     (u32 __user *) optval))
618
			err = -EFAULT;
619

620
		break;
621

622
	case BT_POWER:
623
		if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
624
		    && sk->sk_type != SOCK_RAW) {
625
			err = -EINVAL;
626
			break;
627
		}
628

629
		pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
630

631
		len = min_t(unsigned int, len, sizeof(pwr));
632
		if (copy_to_user(optval, (char *) &pwr, len))
633
			err = -EFAULT;
634

635
		break;
636

637
	case BT_CHANNEL_POLICY:
638
		if (put_user(chan->chan_policy, (u32 __user *) optval))
639
			err = -EFAULT;
640
		break;
641

642
	case BT_SNDMTU:
643
		if (!bdaddr_type_is_le(chan->src_type)) {
644
			err = -EINVAL;
645
			break;
646
		}
647

648
		if (sk->sk_state != BT_CONNECTED) {
649
			err = -ENOTCONN;
650
			break;
651
		}
652

653
		if (put_user(chan->omtu, (u16 __user *) optval))
654
			err = -EFAULT;
655
		break;
656

657
	case BT_RCVMTU:
658
		if (!bdaddr_type_is_le(chan->src_type)) {
659
			err = -EINVAL;
660
			break;
661
		}
662

663
		if (put_user(chan->imtu, (u16 __user *) optval))
664
			err = -EFAULT;
665
		break;
666

667
	case BT_PHY:
668
		if (sk->sk_state != BT_CONNECTED) {
669
			err = -ENOTCONN;
670
			break;
671
		}
672

673
		phys = hci_conn_get_phy(chan->conn->hcon);
674

675
		if (put_user(phys, (u32 __user *) optval))
676
			err = -EFAULT;
677
		break;
678

679
	case BT_MODE:
680
		if (!enable_ecred) {
681
			err = -ENOPROTOOPT;
682
			break;
683
		}
684

685
		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
686
			err = -EINVAL;
687
			break;
688
		}
689

690
		mode = l2cap_get_mode(chan);
691
		if (mode < 0) {
692
			err = mode;
693
			break;
694
		}
695

696
		if (put_user(mode, (u8 __user *) optval))
697
			err = -EFAULT;
698
		break;
699

700
	default:
701
		err = -ENOPROTOOPT;
702
		break;
703
	}
704

705
	release_sock(sk);
706
	return err;
707
}
708

709
static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
710
{
711
	switch (chan->scid) {
712
	case L2CAP_CID_ATT:
713
		if (mtu && mtu < L2CAP_LE_MIN_MTU)
714
			return false;
715
		break;
716

717
	default:
718
		if (mtu && mtu < L2CAP_DEFAULT_MIN_MTU)
719
			return false;
720
	}
721

722
	return true;
723
}
724

725
static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
726
				     sockptr_t optval, unsigned int optlen)
727
{
728
	struct sock *sk = sock->sk;
729
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
730
	struct l2cap_options opts;
731
	int err = 0;
732
	u32 opt;
733

734
	BT_DBG("sk %p", sk);
735

736
	lock_sock(sk);
737

738
	switch (optname) {
739
	case L2CAP_OPTIONS:
740
		if (bdaddr_type_is_le(chan->src_type)) {
741
			err = -EINVAL;
742
			break;
743
		}
744

745
		if (sk->sk_state == BT_CONNECTED) {
746
			err = -EINVAL;
747
			break;
748
		}
749

750
		opts.imtu     = chan->imtu;
751
		opts.omtu     = chan->omtu;
752
		opts.flush_to = chan->flush_to;
753
		opts.mode     = chan->mode;
754
		opts.fcs      = chan->fcs;
755
		opts.max_tx   = chan->max_tx;
756
		opts.txwin_size = chan->tx_win;
757

758
		err = copy_safe_from_sockptr(&opts, sizeof(opts), optval,
759
					     optlen);
760
		if (err)
761
			break;
762

763
		if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
764
			err = -EINVAL;
765
			break;
766
		}
767

768
		if (!l2cap_valid_mtu(chan, opts.imtu)) {
769
			err = -EINVAL;
770
			break;
771
		}
772

773
		/* Only BR/EDR modes are supported here */
774
		switch (opts.mode) {
775
		case L2CAP_MODE_BASIC:
776
			clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
777
			break;
778
		case L2CAP_MODE_ERTM:
779
		case L2CAP_MODE_STREAMING:
780
			if (!disable_ertm)
781
				break;
782
			fallthrough;
783
		default:
784
			err = -EINVAL;
785
			break;
786
		}
787

788
		if (err < 0)
789
			break;
790

791
		chan->mode = opts.mode;
792

793
		BT_DBG("mode 0x%2.2x", chan->mode);
794

795
		chan->imtu = opts.imtu;
796
		chan->omtu = opts.omtu;
797
		chan->fcs  = opts.fcs;
798
		chan->max_tx = opts.max_tx;
799
		chan->tx_win = opts.txwin_size;
800
		chan->flush_to = opts.flush_to;
801
		break;
802

803
	case L2CAP_LM:
804
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
805
		if (err)
806
			break;
807

808
		if (opt & L2CAP_LM_FIPS) {
809
			err = -EINVAL;
810
			break;
811
		}
812

813
		if (opt & L2CAP_LM_AUTH)
814
			chan->sec_level = BT_SECURITY_LOW;
815
		if (opt & L2CAP_LM_ENCRYPT)
816
			chan->sec_level = BT_SECURITY_MEDIUM;
817
		if (opt & L2CAP_LM_SECURE)
818
			chan->sec_level = BT_SECURITY_HIGH;
819

820
		if (opt & L2CAP_LM_MASTER)
821
			set_bit(FLAG_ROLE_SWITCH, &chan->flags);
822
		else
823
			clear_bit(FLAG_ROLE_SWITCH, &chan->flags);
824

825
		if (opt & L2CAP_LM_RELIABLE)
826
			set_bit(FLAG_FORCE_RELIABLE, &chan->flags);
827
		else
828
			clear_bit(FLAG_FORCE_RELIABLE, &chan->flags);
829
		break;
830

831
	default:
832
		err = -ENOPROTOOPT;
833
		break;
834
	}
835

836
	release_sock(sk);
837
	return err;
838
}
839

840
static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode)
841
{
842
	switch (mode) {
843
	case BT_MODE_BASIC:
844
		if (bdaddr_type_is_le(chan->src_type))
845
			return -EINVAL;
846
		mode = L2CAP_MODE_BASIC;
847
		clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
848
		break;
849
	case BT_MODE_ERTM:
850
		if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
851
			return -EINVAL;
852
		mode = L2CAP_MODE_ERTM;
853
		break;
854
	case BT_MODE_STREAMING:
855
		if (!disable_ertm || bdaddr_type_is_le(chan->src_type))
856
			return -EINVAL;
857
		mode = L2CAP_MODE_STREAMING;
858
		break;
859
	case BT_MODE_LE_FLOWCTL:
860
		if (!bdaddr_type_is_le(chan->src_type))
861
			return -EINVAL;
862
		mode = L2CAP_MODE_LE_FLOWCTL;
863
		break;
864
	case BT_MODE_EXT_FLOWCTL:
865
		/* TODO: Add support for ECRED PDUs to BR/EDR */
866
		if (!bdaddr_type_is_le(chan->src_type))
867
			return -EINVAL;
868
		mode = L2CAP_MODE_EXT_FLOWCTL;
869
		break;
870
	default:
871
		return -EINVAL;
872
	}
873

874
	chan->mode = mode;
875

876
	return 0;
877
}
878

879
static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
880
				 sockptr_t optval, unsigned int optlen)
881
{
882
	struct sock *sk = sock->sk;
883
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
884
	struct bt_security sec;
885
	struct bt_power pwr;
886
	struct l2cap_conn *conn;
887
	int err = 0;
888
	u32 opt, phys;
889
	u16 mtu;
890
	u8 mode;
891

892
	BT_DBG("sk %p", sk);
893

894
	if (level == SOL_L2CAP)
895
		return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
896

897
	if (level != SOL_BLUETOOTH)
898
		return -ENOPROTOOPT;
899

900
	lock_sock(sk);
901

902
	switch (optname) {
903
	case BT_SECURITY:
904
		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
905
		    chan->chan_type != L2CAP_CHAN_FIXED &&
906
		    chan->chan_type != L2CAP_CHAN_RAW) {
907
			err = -EINVAL;
908
			break;
909
		}
910

911
		sec.level = BT_SECURITY_LOW;
912

913
		err = copy_safe_from_sockptr(&sec, sizeof(sec), optval, optlen);
914
		if (err)
915
			break;
916

917
		if (sec.level < BT_SECURITY_LOW ||
918
		    sec.level > BT_SECURITY_FIPS) {
919
			err = -EINVAL;
920
			break;
921
		}
922

923
		chan->sec_level = sec.level;
924

925
		if (!chan->conn)
926
			break;
927

928
		conn = chan->conn;
929

930
		/* change security for LE channels */
931
		if (chan->scid == L2CAP_CID_ATT) {
932
			if (smp_conn_security(conn->hcon, sec.level)) {
933
				err = -EINVAL;
934
				break;
935
			}
936

937
			set_bit(FLAG_PENDING_SECURITY, &chan->flags);
938
			sk->sk_state = BT_CONFIG;
939
			chan->state = BT_CONFIG;
940

941
		/* or for ACL link */
942
		} else if ((sk->sk_state == BT_CONNECT2 &&
943
			    test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
944
			   sk->sk_state == BT_CONNECTED) {
945
			if (!l2cap_chan_check_security(chan, true))
946
				set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
947
			else
948
				sk->sk_state_change(sk);
949
		} else {
950
			err = -EINVAL;
951
		}
952
		break;
953

954
	case BT_DEFER_SETUP:
955
		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
956
			err = -EINVAL;
957
			break;
958
		}
959

960
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
961
		if (err)
962
			break;
963

964
		if (opt) {
965
			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
966
			set_bit(FLAG_DEFER_SETUP, &chan->flags);
967
		} else {
968
			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
969
			clear_bit(FLAG_DEFER_SETUP, &chan->flags);
970
		}
971
		break;
972

973
	case BT_FLUSHABLE:
974
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
975
		if (err)
976
			break;
977

978
		if (opt > BT_FLUSHABLE_ON) {
979
			err = -EINVAL;
980
			break;
981
		}
982

983
		if (opt == BT_FLUSHABLE_OFF) {
984
			conn = chan->conn;
985
			/* proceed further only when we have l2cap_conn and
986
			   No Flush support in the LM */
987
			if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
988
				err = -EINVAL;
989
				break;
990
			}
991
		}
992

993
		if (opt)
994
			set_bit(FLAG_FLUSHABLE, &chan->flags);
995
		else
996
			clear_bit(FLAG_FLUSHABLE, &chan->flags);
997
		break;
998

999
	case BT_POWER:
1000
		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
1001
		    chan->chan_type != L2CAP_CHAN_RAW) {
1002
			err = -EINVAL;
1003
			break;
1004
		}
1005

1006
		pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
1007

1008
		err = copy_safe_from_sockptr(&pwr, sizeof(pwr), optval, optlen);
1009
		if (err)
1010
			break;
1011

1012
		if (pwr.force_active)
1013
			set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1014
		else
1015
			clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1016
		break;
1017

1018
	case BT_CHANNEL_POLICY:
1019
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
1020
		if (err)
1021
			break;
1022

1023
		err = -EOPNOTSUPP;
1024
		break;
1025

1026
	case BT_SNDMTU:
1027
		if (!bdaddr_type_is_le(chan->src_type)) {
1028
			err = -EINVAL;
1029
			break;
1030
		}
1031

1032
		/* Setting is not supported as it's the remote side that
1033
		 * decides this.
1034
		 */
1035
		err = -EPERM;
1036
		break;
1037

1038
	case BT_RCVMTU:
1039
		if (!bdaddr_type_is_le(chan->src_type)) {
1040
			err = -EINVAL;
1041
			break;
1042
		}
1043

1044
		if (chan->mode == L2CAP_MODE_LE_FLOWCTL &&
1045
		    sk->sk_state == BT_CONNECTED) {
1046
			err = -EISCONN;
1047
			break;
1048
		}
1049

1050
		err = copy_safe_from_sockptr(&mtu, sizeof(mtu), optval, optlen);
1051
		if (err)
1052
			break;
1053

1054
		if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
1055
		    sk->sk_state == BT_CONNECTED)
1056
			err = l2cap_chan_reconfigure(chan, mtu);
1057
		else
1058
			chan->imtu = mtu;
1059

1060
		break;
1061

1062
	case BT_PHY:
1063
		if (sk->sk_state != BT_CONNECTED) {
1064
			err = -ENOTCONN;
1065
			break;
1066
		}
1067

1068
		err = copy_safe_from_sockptr(&phys, sizeof(phys), optval,
1069
					     optlen);
1070
		if (err)
1071
			break;
1072

1073
		if (!chan->conn)
1074
			break;
1075

1076
		conn = chan->conn;
1077
		err = hci_conn_set_phy(conn->hcon, phys);
1078
		break;
1079

1080
	case BT_MODE:
1081
		if (!enable_ecred) {
1082
			err = -ENOPROTOOPT;
1083
			break;
1084
		}
1085

1086
		BT_DBG("sk->sk_state %u", sk->sk_state);
1087

1088
		if (sk->sk_state != BT_BOUND) {
1089
			err = -EINVAL;
1090
			break;
1091
		}
1092

1093
		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1094
			err = -EINVAL;
1095
			break;
1096
		}
1097

1098
		err = copy_safe_from_sockptr(&mode, sizeof(mode), optval,
1099
					     optlen);
1100
		if (err)
1101
			break;
1102

1103
		BT_DBG("mode %u", mode);
1104

1105
		err = l2cap_set_mode(chan, mode);
1106
		if (err)
1107
			break;
1108

1109
		BT_DBG("mode 0x%2.2x", chan->mode);
1110

1111
		break;
1112

1113
	default:
1114
		err = -ENOPROTOOPT;
1115
		break;
1116
	}
1117

1118
	release_sock(sk);
1119
	return err;
1120
}
1121

1122
static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1123
			      size_t len)
1124
{
1125
	struct sock *sk = sock->sk;
1126
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1127
	struct sockcm_cookie sockc;
1128
	int err;
1129

1130
	BT_DBG("sock %p, sk %p", sock, sk);
1131

1132
	err = sock_error(sk);
1133
	if (err)
1134
		return err;
1135

1136
	if (msg->msg_flags & MSG_OOB)
1137
		return -EOPNOTSUPP;
1138

1139
	if (sk->sk_state != BT_CONNECTED)
1140
		return -ENOTCONN;
1141

1142
	hci_sockcm_init(&sockc, sk);
1143

1144
	if (msg->msg_controllen) {
1145
		err = sock_cmsg_send(sk, msg, &sockc);
1146
		if (err)
1147
			return err;
1148
	}
1149

1150
	lock_sock(sk);
1151
	err = bt_sock_wait_ready(sk, msg->msg_flags);
1152
	release_sock(sk);
1153
	if (err)
1154
		return err;
1155

1156
	l2cap_chan_lock(chan);
1157
	err = l2cap_chan_send(chan, msg, len, &sockc);
1158
	l2cap_chan_unlock(chan);
1159

1160
	return err;
1161
}
1162

1163
static void l2cap_publish_rx_avail(struct l2cap_chan *chan)
1164
{
1165
	struct sock *sk = chan->data;
1166
	ssize_t avail = sk->sk_rcvbuf - atomic_read(&sk->sk_rmem_alloc);
1167
	int expected_skbs, skb_overhead;
1168

1169
	if (avail <= 0) {
1170
		l2cap_chan_rx_avail(chan, 0);
1171
		return;
1172
	}
1173

1174
	if (!chan->mps) {
1175
		l2cap_chan_rx_avail(chan, -1);
1176
		return;
1177
	}
1178

1179
	/* Correct available memory by estimated sk_buff overhead.
1180
	 * This is significant due to small transfer sizes. However, accept
1181
	 * at least one full packet if receive space is non-zero.
1182
	 */
1183
	expected_skbs = DIV_ROUND_UP(avail, chan->mps);
1184
	skb_overhead = expected_skbs * sizeof(struct sk_buff);
1185
	if (skb_overhead < avail)
1186
		l2cap_chan_rx_avail(chan, avail - skb_overhead);
1187
	else
1188
		l2cap_chan_rx_avail(chan, -1);
1189
}
1190

1191
static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1192
			      size_t len, int flags)
1193
{
1194
	struct sock *sk = sock->sk;
1195
	struct l2cap_pinfo *pi = l2cap_pi(sk);
1196
	int err;
1197

1198
	if (unlikely(flags & MSG_ERRQUEUE))
1199
		return sock_recv_errqueue(sk, msg, len, SOL_BLUETOOTH,
1200
					  BT_SCM_ERROR);
1201

1202
	lock_sock(sk);
1203

1204
	if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP,
1205
						    &bt_sk(sk)->flags)) {
1206
		if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
1207
			sk->sk_state = BT_CONNECTED;
1208
			pi->chan->state = BT_CONNECTED;
1209
			__l2cap_ecred_conn_rsp_defer(pi->chan);
1210
		} else if (bdaddr_type_is_le(pi->chan->src_type)) {
1211
			sk->sk_state = BT_CONNECTED;
1212
			pi->chan->state = BT_CONNECTED;
1213
			__l2cap_le_connect_rsp_defer(pi->chan);
1214
		} else {
1215
			sk->sk_state = BT_CONFIG;
1216
			pi->chan->state = BT_CONFIG;
1217
			__l2cap_connect_rsp_defer(pi->chan);
1218
		}
1219

1220
		err = 0;
1221
		goto done;
1222
	}
1223

1224
	release_sock(sk);
1225

1226
	if (sock->type == SOCK_STREAM)
1227
		err = bt_sock_stream_recvmsg(sock, msg, len, flags);
1228
	else
1229
		err = bt_sock_recvmsg(sock, msg, len, flags);
1230

1231
	if (pi->chan->mode != L2CAP_MODE_ERTM &&
1232
	    pi->chan->mode != L2CAP_MODE_LE_FLOWCTL &&
1233
	    pi->chan->mode != L2CAP_MODE_EXT_FLOWCTL)
1234
		return err;
1235

1236
	lock_sock(sk);
1237

1238
	l2cap_publish_rx_avail(pi->chan);
1239

1240
	/* Attempt to put pending rx data in the socket buffer */
1241
	while (!list_empty(&pi->rx_busy)) {
1242
		struct l2cap_rx_busy *rx_busy =
1243
			list_first_entry(&pi->rx_busy,
1244
					 struct l2cap_rx_busy,
1245
					 list);
1246
		if (__sock_queue_rcv_skb(sk, rx_busy->skb) < 0)
1247
			goto done;
1248
		list_del(&rx_busy->list);
1249
		kfree(rx_busy);
1250
	}
1251

1252
	/* Restore data flow when half of the receive buffer is
1253
	 * available.  This avoids resending large numbers of
1254
	 * frames.
1255
	 */
1256
	if (test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state) &&
1257
	    atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1)
1258
		l2cap_chan_busy(pi->chan, 0);
1259

1260
done:
1261
	release_sock(sk);
1262
	return err;
1263
}
1264

1265
/* Kill socket (only if zapped and orphan)
1266
 * Must be called on unlocked socket, with l2cap channel lock.
1267
 */
1268
static void l2cap_sock_kill(struct sock *sk)
1269
{
1270
	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
1271
		return;
1272

1273
	BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
1274

1275
	/* Sock is dead, so set chan data to NULL, avoid other task use invalid
1276
	 * sock pointer.
1277
	 */
1278
	l2cap_pi(sk)->chan->data = NULL;
1279
	/* Kill poor orphan */
1280

1281
	l2cap_chan_put(l2cap_pi(sk)->chan);
1282
	sock_set_flag(sk, SOCK_DEAD);
1283
	sock_put(sk);
1284
}
1285

1286
static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan)
1287
{
1288
	DECLARE_WAITQUEUE(wait, current);
1289
	int err = 0;
1290
	int timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1291
	/* Timeout to prevent infinite loop */
1292
	unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT;
1293

1294
	add_wait_queue(sk_sleep(sk), &wait);
1295
	set_current_state(TASK_INTERRUPTIBLE);
1296
	do {
1297
		BT_DBG("Waiting for %d ACKs, timeout %04d ms",
1298
		       chan->unacked_frames, time_after(jiffies, timeout) ? 0 :
1299
		       jiffies_to_msecs(timeout - jiffies));
1300

1301
		if (!timeo)
1302
			timeo = L2CAP_WAIT_ACK_POLL_PERIOD;
1303

1304
		if (signal_pending(current)) {
1305
			err = sock_intr_errno(timeo);
1306
			break;
1307
		}
1308

1309
		release_sock(sk);
1310
		timeo = schedule_timeout(timeo);
1311
		lock_sock(sk);
1312
		set_current_state(TASK_INTERRUPTIBLE);
1313

1314
		err = sock_error(sk);
1315
		if (err)
1316
			break;
1317

1318
		if (time_after(jiffies, timeout)) {
1319
			err = -ENOLINK;
1320
			break;
1321
		}
1322

1323
	} while (chan->unacked_frames > 0 &&
1324
		 chan->state == BT_CONNECTED);
1325

1326
	set_current_state(TASK_RUNNING);
1327
	remove_wait_queue(sk_sleep(sk), &wait);
1328
	return err;
1329
}
1330

1331
static int l2cap_sock_shutdown(struct socket *sock, int how)
1332
{
1333
	struct sock *sk = sock->sk;
1334
	struct l2cap_chan *chan;
1335
	struct l2cap_conn *conn;
1336
	int err = 0;
1337

1338
	BT_DBG("sock %p, sk %p, how %d", sock, sk, how);
1339

1340
	/* 'how' parameter is mapped to sk_shutdown as follows:
1341
	 * SHUT_RD   (0) --> RCV_SHUTDOWN  (1)
1342
	 * SHUT_WR   (1) --> SEND_SHUTDOWN (2)
1343
	 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3)
1344
	 */
1345
	how++;
1346

1347
	if (!sk)
1348
		return 0;
1349

1350
	lock_sock(sk);
1351

1352
	if ((sk->sk_shutdown & how) == how)
1353
		goto shutdown_already;
1354

1355
	BT_DBG("Handling sock shutdown");
1356

1357
	/* prevent sk structure from being freed whilst unlocked */
1358
	sock_hold(sk);
1359

1360
	/* prevent chan structure from being freed whilst unlocked */
1361
	chan = l2cap_chan_hold_unless_zero(l2cap_pi(sk)->chan);
1362
	if (!chan)
1363
		goto shutdown_already;
1364

1365
	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1366

1367
	if (chan->mode == L2CAP_MODE_ERTM &&
1368
	    chan->unacked_frames > 0 &&
1369
	    chan->state == BT_CONNECTED) {
1370
		err = __l2cap_wait_ack(sk, chan);
1371

1372
		/* After waiting for ACKs, check whether shutdown
1373
		 * has already been actioned to close the L2CAP
1374
		 * link such as by l2cap_disconnection_req().
1375
		 */
1376
		if ((sk->sk_shutdown & how) == how)
1377
			goto shutdown_matched;
1378
	}
1379

1380
	/* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN
1381
	 * is already set
1382
	 */
1383
	if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) {
1384
		sk->sk_shutdown |= RCV_SHUTDOWN;
1385
		if ((sk->sk_shutdown & how) == how)
1386
			goto shutdown_matched;
1387
	}
1388

1389
	sk->sk_shutdown |= SEND_SHUTDOWN;
1390
	release_sock(sk);
1391

1392
	l2cap_chan_lock(chan);
1393
	/* prevent conn structure from being freed */
1394
	conn = l2cap_conn_hold_unless_zero(chan->conn);
1395
	l2cap_chan_unlock(chan);
1396

1397
	if (conn)
1398
		/* mutex lock must be taken before l2cap_chan_lock() */
1399
		mutex_lock(&conn->lock);
1400

1401
	l2cap_chan_lock(chan);
1402
	l2cap_chan_close(chan, 0);
1403
	l2cap_chan_unlock(chan);
1404

1405
	if (conn) {
1406
		mutex_unlock(&conn->lock);
1407
		l2cap_conn_put(conn);
1408
	}
1409

1410
	lock_sock(sk);
1411

1412
	if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1413
	    !(current->flags & PF_EXITING))
1414
		err = bt_sock_wait_state(sk, BT_CLOSED,
1415
					 sk->sk_lingertime);
1416

1417
shutdown_matched:
1418
	l2cap_chan_put(chan);
1419
	sock_put(sk);
1420

1421
shutdown_already:
1422
	if (!err && sk->sk_err)
1423
		err = -sk->sk_err;
1424

1425
	release_sock(sk);
1426

1427
	BT_DBG("Sock shutdown complete err: %d", err);
1428

1429
	return err;
1430
}
1431

1432
static int l2cap_sock_release(struct socket *sock)
1433
{
1434
	struct sock *sk = sock->sk;
1435
	int err;
1436
	struct l2cap_chan *chan;
1437

1438
	BT_DBG("sock %p, sk %p", sock, sk);
1439

1440
	if (!sk)
1441
		return 0;
1442

1443
	lock_sock_nested(sk, L2CAP_NESTING_PARENT);
1444
	l2cap_sock_cleanup_listen(sk);
1445
	release_sock(sk);
1446

1447
	bt_sock_unlink(&l2cap_sk_list, sk);
1448

1449
	err = l2cap_sock_shutdown(sock, SHUT_RDWR);
1450
	chan = l2cap_pi(sk)->chan;
1451

1452
	l2cap_chan_hold(chan);
1453
	l2cap_chan_lock(chan);
1454

1455
	sock_orphan(sk);
1456
	l2cap_sock_kill(sk);
1457

1458
	l2cap_chan_unlock(chan);
1459
	l2cap_chan_put(chan);
1460

1461
	return err;
1462
}
1463

1464
static void l2cap_sock_cleanup_listen(struct sock *parent)
1465
{
1466
	struct sock *sk;
1467

1468
	BT_DBG("parent %p state %s", parent,
1469
	       state_to_string(parent->sk_state));
1470

1471
	/* Close not yet accepted channels */
1472
	while ((sk = bt_accept_dequeue(parent, NULL))) {
1473
		struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1474

1475
		BT_DBG("child chan %p state %s", chan,
1476
		       state_to_string(chan->state));
1477

1478
		l2cap_chan_hold(chan);
1479
		l2cap_chan_lock(chan);
1480

1481
		__clear_chan_timer(chan);
1482
		l2cap_chan_close(chan, ECONNRESET);
1483
		l2cap_sock_kill(sk);
1484

1485
		l2cap_chan_unlock(chan);
1486
		l2cap_chan_put(chan);
1487
	}
1488
}
1489

1490
static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1491
{
1492
	struct sock *sk, *parent = chan->data;
1493

1494
	lock_sock(parent);
1495

1496
	/* Check for backlog size */
1497
	if (sk_acceptq_is_full(parent)) {
1498
		BT_DBG("backlog full %d", parent->sk_ack_backlog);
1499
		release_sock(parent);
1500
		return NULL;
1501
	}
1502

1503
	sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1504
			      GFP_ATOMIC, 0);
1505
	if (!sk) {
1506
		release_sock(parent);
1507
		return NULL;
1508
        }
1509

1510
	bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1511

1512
	l2cap_sock_init(sk, parent);
1513

1514
	bt_accept_enqueue(parent, sk, false);
1515

1516
	release_sock(parent);
1517

1518
	return l2cap_pi(sk)->chan;
1519
}
1520

1521
static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1522
{
1523
	struct sock *sk;
1524
	struct l2cap_pinfo *pi;
1525
	int err;
1526

1527
	sk = chan->data;
1528
	if (!sk)
1529
		return -ENXIO;
1530

1531
	pi = l2cap_pi(sk);
1532
	lock_sock(sk);
1533
	if (chan->mode == L2CAP_MODE_ERTM && !list_empty(&pi->rx_busy)) {
1534
		err = -ENOMEM;
1535
		goto done;
1536
	}
1537

1538
	if (chan->mode != L2CAP_MODE_ERTM &&
1539
	    chan->mode != L2CAP_MODE_STREAMING &&
1540
	    chan->mode != L2CAP_MODE_LE_FLOWCTL &&
1541
	    chan->mode != L2CAP_MODE_EXT_FLOWCTL) {
1542
		/* Even if no filter is attached, we could potentially
1543
		 * get errors from security modules, etc.
1544
		 */
1545
		err = sk_filter(sk, skb);
1546
		if (err)
1547
			goto done;
1548
	}
1549

1550
	err = __sock_queue_rcv_skb(sk, skb);
1551

1552
	l2cap_publish_rx_avail(chan);
1553

1554
	/* For ERTM and LE, handle a skb that doesn't fit into the recv
1555
	 * buffer.  This is important to do because the data frames
1556
	 * have already been acked, so the skb cannot be discarded.
1557
	 *
1558
	 * Notify the l2cap core that the buffer is full, so the
1559
	 * LOCAL_BUSY state is entered and no more frames are
1560
	 * acked and reassembled until there is buffer space
1561
	 * available.
1562
	 */
1563
	if (err < 0 &&
1564
	    (chan->mode == L2CAP_MODE_ERTM ||
1565
	     chan->mode == L2CAP_MODE_LE_FLOWCTL ||
1566
	     chan->mode == L2CAP_MODE_EXT_FLOWCTL)) {
1567
		struct l2cap_rx_busy *rx_busy =
1568
			kmalloc(sizeof(*rx_busy), GFP_KERNEL);
1569
		if (!rx_busy) {
1570
			err = -ENOMEM;
1571
			goto done;
1572
		}
1573
		rx_busy->skb = skb;
1574
		list_add_tail(&rx_busy->list, &pi->rx_busy);
1575
		l2cap_chan_busy(chan, 1);
1576
		err = 0;
1577
	}
1578

1579
done:
1580
	release_sock(sk);
1581

1582
	return err;
1583
}
1584

1585
static void l2cap_sock_close_cb(struct l2cap_chan *chan)
1586
{
1587
	struct sock *sk = chan->data;
1588

1589
	if (!sk)
1590
		return;
1591

1592
	l2cap_sock_kill(sk);
1593
}
1594

1595
static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
1596
{
1597
	struct sock *sk = chan->data;
1598
	struct sock *parent;
1599

1600
	if (!sk)
1601
		return;
1602

1603
	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
1604

1605
	/* This callback can be called both for server (BT_LISTEN)
1606
	 * sockets as well as "normal" ones. To avoid lockdep warnings
1607
	 * with child socket locking (through l2cap_sock_cleanup_listen)
1608
	 * we need separation into separate nesting levels. The simplest
1609
	 * way to accomplish this is to inherit the nesting level used
1610
	 * for the channel.
1611
	 */
1612
	lock_sock_nested(sk, atomic_read(&chan->nesting));
1613

1614
	parent = bt_sk(sk)->parent;
1615

1616
	switch (chan->state) {
1617
	case BT_OPEN:
1618
	case BT_BOUND:
1619
	case BT_CLOSED:
1620
		break;
1621
	case BT_LISTEN:
1622
		l2cap_sock_cleanup_listen(sk);
1623
		sk->sk_state = BT_CLOSED;
1624
		chan->state = BT_CLOSED;
1625

1626
		break;
1627
	default:
1628
		sk->sk_state = BT_CLOSED;
1629
		chan->state = BT_CLOSED;
1630

1631
		sk->sk_err = err;
1632

1633
		if (parent) {
1634
			bt_accept_unlink(sk);
1635
			parent->sk_data_ready(parent);
1636
		} else {
1637
			sk->sk_state_change(sk);
1638
		}
1639

1640
		break;
1641
	}
1642
	release_sock(sk);
1643

1644
	/* Only zap after cleanup to avoid use after free race */
1645
	sock_set_flag(sk, SOCK_ZAPPED);
1646

1647
}
1648

1649
static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
1650
				       int err)
1651
{
1652
	struct sock *sk = chan->data;
1653

1654
	sk->sk_state = state;
1655

1656
	if (err)
1657
		sk->sk_err = err;
1658
}
1659

1660
static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
1661
					       unsigned long hdr_len,
1662
					       unsigned long len, int nb)
1663
{
1664
	struct sock *sk = chan->data;
1665
	struct sk_buff *skb;
1666
	int err;
1667

1668
	l2cap_chan_unlock(chan);
1669
	skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err);
1670
	l2cap_chan_lock(chan);
1671

1672
	if (!skb)
1673
		return ERR_PTR(err);
1674

1675
	/* Channel lock is released before requesting new skb and then
1676
	 * reacquired thus we need to recheck channel state.
1677
	 */
1678
	if (chan->state != BT_CONNECTED) {
1679
		kfree_skb(skb);
1680
		return ERR_PTR(-ENOTCONN);
1681
	}
1682

1683
	skb->priority = READ_ONCE(sk->sk_priority);
1684

1685
	bt_cb(skb)->l2cap.chan = chan;
1686

1687
	return skb;
1688
}
1689

1690
static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
1691
{
1692
	struct sock *sk = chan->data;
1693
	struct sock *parent;
1694

1695
	lock_sock(sk);
1696

1697
	parent = bt_sk(sk)->parent;
1698

1699
	BT_DBG("sk %p, parent %p", sk, parent);
1700

1701
	sk->sk_state = BT_CONNECTED;
1702
	sk->sk_state_change(sk);
1703

1704
	if (parent)
1705
		parent->sk_data_ready(parent);
1706

1707
	release_sock(sk);
1708
}
1709

1710
static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
1711
{
1712
	struct sock *parent, *sk = chan->data;
1713

1714
	lock_sock(sk);
1715

1716
	parent = bt_sk(sk)->parent;
1717
	if (parent)
1718
		parent->sk_data_ready(parent);
1719

1720
	release_sock(sk);
1721
}
1722

1723
static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1724
{
1725
	struct sock *sk = chan->data;
1726

1727
	if (!sk)
1728
		return;
1729

1730
	if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1731
		sk->sk_state = BT_CONNECTED;
1732
		chan->state = BT_CONNECTED;
1733
	}
1734

1735
	clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1736
	sk->sk_state_change(sk);
1737
}
1738

1739
static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
1740
{
1741
	struct sock *sk = chan->data;
1742

1743
	lock_sock(sk);
1744
	sk->sk_shutdown = SHUTDOWN_MASK;
1745
	release_sock(sk);
1746
}
1747

1748
static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
1749
{
1750
	struct sock *sk = chan->data;
1751

1752
	return READ_ONCE(sk->sk_sndtimeo);
1753
}
1754

1755
static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan)
1756
{
1757
	struct sock *sk = chan->data;
1758

1759
	return sk->sk_peer_pid;
1760
}
1761

1762
static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
1763
{
1764
	struct sock *sk = chan->data;
1765

1766
	set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1767
	sk->sk_state_change(sk);
1768
}
1769

1770
static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
1771
{
1772
	struct sock *sk = chan->data;
1773

1774
	switch (chan->mode) {
1775
	case L2CAP_MODE_ERTM:
1776
	case L2CAP_MODE_STREAMING:
1777
		return sk_filter(sk, skb);
1778
	}
1779

1780
	return 0;
1781
}
1782

1783
static const struct l2cap_ops l2cap_chan_ops = {
1784
	.name			= "L2CAP Socket Interface",
1785
	.new_connection		= l2cap_sock_new_connection_cb,
1786
	.recv			= l2cap_sock_recv_cb,
1787
	.close			= l2cap_sock_close_cb,
1788
	.teardown		= l2cap_sock_teardown_cb,
1789
	.state_change		= l2cap_sock_state_change_cb,
1790
	.ready			= l2cap_sock_ready_cb,
1791
	.defer			= l2cap_sock_defer_cb,
1792
	.resume			= l2cap_sock_resume_cb,
1793
	.suspend		= l2cap_sock_suspend_cb,
1794
	.set_shutdown		= l2cap_sock_set_shutdown_cb,
1795
	.get_sndtimeo		= l2cap_sock_get_sndtimeo_cb,
1796
	.get_peer_pid		= l2cap_sock_get_peer_pid_cb,
1797
	.alloc_skb		= l2cap_sock_alloc_skb_cb,
1798
	.filter			= l2cap_sock_filter,
1799
};
1800

1801
static void l2cap_sock_destruct(struct sock *sk)
1802
{
1803
	struct l2cap_rx_busy *rx_busy, *next;
1804

1805
	BT_DBG("sk %p", sk);
1806

1807
	if (l2cap_pi(sk)->chan) {
1808
		l2cap_pi(sk)->chan->data = NULL;
1809
		l2cap_chan_put(l2cap_pi(sk)->chan);
1810
	}
1811

1812
	list_for_each_entry_safe(rx_busy, next, &l2cap_pi(sk)->rx_busy, list) {
1813
		kfree_skb(rx_busy->skb);
1814
		list_del(&rx_busy->list);
1815
		kfree(rx_busy);
1816
	}
1817

1818
	skb_queue_purge(&sk->sk_receive_queue);
1819
	skb_queue_purge(&sk->sk_write_queue);
1820
}
1821

1822
static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
1823
			       int *msg_namelen)
1824
{
1825
	DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name);
1826

1827
	memset(la, 0, sizeof(struct sockaddr_l2));
1828
	la->l2_family = AF_BLUETOOTH;
1829
	la->l2_psm = bt_cb(skb)->l2cap.psm;
1830
	bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr);
1831

1832
	*msg_namelen = sizeof(struct sockaddr_l2);
1833
}
1834

1835
static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1836
{
1837
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1838

1839
	BT_DBG("sk %p", sk);
1840

1841
	if (parent) {
1842
		struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
1843

1844
		sk->sk_type = parent->sk_type;
1845
		bt_sk(sk)->flags = bt_sk(parent)->flags;
1846

1847
		chan->chan_type = pchan->chan_type;
1848
		chan->imtu = pchan->imtu;
1849
		chan->omtu = pchan->omtu;
1850
		chan->conf_state = pchan->conf_state;
1851
		chan->mode = pchan->mode;
1852
		chan->fcs  = pchan->fcs;
1853
		chan->max_tx = pchan->max_tx;
1854
		chan->tx_win = pchan->tx_win;
1855
		chan->tx_win_max = pchan->tx_win_max;
1856
		chan->sec_level = pchan->sec_level;
1857
		chan->flags = pchan->flags;
1858
		chan->tx_credits = pchan->tx_credits;
1859
		chan->rx_credits = pchan->rx_credits;
1860

1861
		if (chan->chan_type == L2CAP_CHAN_FIXED) {
1862
			chan->scid = pchan->scid;
1863
			chan->dcid = pchan->scid;
1864
		}
1865

1866
		security_sk_clone(parent, sk);
1867
	} else {
1868
		switch (sk->sk_type) {
1869
		case SOCK_RAW:
1870
			chan->chan_type = L2CAP_CHAN_RAW;
1871
			break;
1872
		case SOCK_DGRAM:
1873
			chan->chan_type = L2CAP_CHAN_CONN_LESS;
1874
			bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name;
1875
			break;
1876
		case SOCK_SEQPACKET:
1877
		case SOCK_STREAM:
1878
			chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
1879
			break;
1880
		}
1881

1882
		chan->imtu = L2CAP_DEFAULT_MTU;
1883
		chan->omtu = 0;
1884
		if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
1885
			chan->mode = L2CAP_MODE_ERTM;
1886
			set_bit(CONF_STATE2_DEVICE, &chan->conf_state);
1887
		} else {
1888
			chan->mode = L2CAP_MODE_BASIC;
1889
		}
1890

1891
		l2cap_chan_set_defaults(chan);
1892
	}
1893

1894
	/* Default config options */
1895
	chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
1896

1897
	chan->data = sk;
1898
	chan->ops = &l2cap_chan_ops;
1899

1900
	l2cap_publish_rx_avail(chan);
1901
}
1902

1903
static struct proto l2cap_proto = {
1904
	.name		= "L2CAP",
1905
	.owner		= THIS_MODULE,
1906
	.obj_size	= sizeof(struct l2cap_pinfo)
1907
};
1908

1909
static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
1910
				     int proto, gfp_t prio, int kern)
1911
{
1912
	struct sock *sk;
1913
	struct l2cap_chan *chan;
1914

1915
	sk = bt_sock_alloc(net, sock, &l2cap_proto, proto, prio, kern);
1916
	if (!sk)
1917
		return NULL;
1918

1919
	sk->sk_destruct = l2cap_sock_destruct;
1920
	sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
1921

1922
	INIT_LIST_HEAD(&l2cap_pi(sk)->rx_busy);
1923

1924
	chan = l2cap_chan_create();
1925
	if (!chan) {
1926
		sk_free(sk);
1927
		if (sock)
1928
			sock->sk = NULL;
1929
		return NULL;
1930
	}
1931

1932
	l2cap_chan_hold(chan);
1933

1934
	l2cap_pi(sk)->chan = chan;
1935

1936
	return sk;
1937
}
1938

1939
static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
1940
			     int kern)
1941
{
1942
	struct sock *sk;
1943

1944
	BT_DBG("sock %p", sock);
1945

1946
	sock->state = SS_UNCONNECTED;
1947

1948
	if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1949
	    sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
1950
		return -ESOCKTNOSUPPORT;
1951

1952
	if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1953
		return -EPERM;
1954

1955
	sock->ops = &l2cap_sock_ops;
1956

1957
	sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
1958
	if (!sk)
1959
		return -ENOMEM;
1960

1961
	l2cap_sock_init(sk, NULL);
1962
	bt_sock_link(&l2cap_sk_list, sk);
1963
	return 0;
1964
}
1965

1966
static const struct proto_ops l2cap_sock_ops = {
1967
	.family		= PF_BLUETOOTH,
1968
	.owner		= THIS_MODULE,
1969
	.release	= l2cap_sock_release,
1970
	.bind		= l2cap_sock_bind,
1971
	.connect	= l2cap_sock_connect,
1972
	.listen		= l2cap_sock_listen,
1973
	.accept		= l2cap_sock_accept,
1974
	.getname	= l2cap_sock_getname,
1975
	.sendmsg	= l2cap_sock_sendmsg,
1976
	.recvmsg	= l2cap_sock_recvmsg,
1977
	.poll		= bt_sock_poll,
1978
	.ioctl		= bt_sock_ioctl,
1979
	.gettstamp	= sock_gettstamp,
1980
	.mmap		= sock_no_mmap,
1981
	.socketpair	= sock_no_socketpair,
1982
	.shutdown	= l2cap_sock_shutdown,
1983
	.setsockopt	= l2cap_sock_setsockopt,
1984
	.getsockopt	= l2cap_sock_getsockopt
1985
};
1986

1987
static const struct net_proto_family l2cap_sock_family_ops = {
1988
	.family	= PF_BLUETOOTH,
1989
	.owner	= THIS_MODULE,
1990
	.create	= l2cap_sock_create,
1991
};
1992

1993
int __init l2cap_init_sockets(void)
1994
{
1995
	int err;
1996

1997
	BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr));
1998

1999
	err = proto_register(&l2cap_proto, 0);
2000
	if (err < 0)
2001
		return err;
2002

2003
	err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
2004
	if (err < 0) {
2005
		BT_ERR("L2CAP socket registration failed");
2006
		goto error;
2007
	}
2008

2009
	err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
2010
			     NULL);
2011
	if (err < 0) {
2012
		BT_ERR("Failed to create L2CAP proc file");
2013
		bt_sock_unregister(BTPROTO_L2CAP);
2014
		goto error;
2015
	}
2016

2017
	BT_INFO("L2CAP socket layer initialized");
2018

2019
	return 0;
2020

2021
error:
2022
	proto_unregister(&l2cap_proto);
2023
	return err;
2024
}
2025

2026
void l2cap_cleanup_sockets(void)
2027
{
2028
	bt_procfs_cleanup(&init_net, "l2cap");
2029
	bt_sock_unregister(BTPROTO_L2CAP);
2030
	proto_unregister(&l2cap_proto);
2031
}
2032

2033
Product

Resources

Company
