1 /*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22 */
23
24 /*
25 * RFCOMM sockets.
26 */
27
28 #include <linux/export.h>
29 #include <linux/debugfs.h>
30
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/rfcomm.h>
35
36 static const struct proto_ops rfcomm_sock_ops;
37
38 static struct bt_sock_list rfcomm_sk_list = {
39 .lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock)
40 };
41
42 static void rfcomm_sock_close(struct sock *sk);
43 static void rfcomm_sock_kill(struct sock *sk);
44
45 /* ---- DLC callbacks ----
46 *
47 * called under rfcomm_dlc_lock()
48 */
rfcomm_sk_data_ready(struct rfcomm_dlc * d,struct sk_buff * skb)49 static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
50 {
51 struct sock *sk = d->owner;
52 if (!sk)
53 return;
54
55 atomic_add(skb->len, &sk->sk_rmem_alloc);
56 skb_queue_tail(&sk->sk_receive_queue, skb);
57 sk->sk_data_ready(sk);
58
59 if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
60 rfcomm_dlc_throttle(d);
61 }
62
rfcomm_sk_state_change(struct rfcomm_dlc * d,int err)63 static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
64 {
65 struct sock *sk = d->owner, *parent;
66 unsigned long flags;
67
68 if (!sk)
69 return;
70
71 BT_DBG("dlc %p state %ld err %d", d, d->state, err);
72
73 local_irq_save(flags);
74 bh_lock_sock(sk);
75
76 if (err)
77 sk->sk_err = err;
78
79 sk->sk_state = d->state;
80
81 parent = bt_sk(sk)->parent;
82 if (parent) {
83 if (d->state == BT_CLOSED) {
84 sock_set_flag(sk, SOCK_ZAPPED);
85 bt_accept_unlink(sk);
86 }
87 parent->sk_data_ready(parent);
88 } else {
89 if (d->state == BT_CONNECTED)
90 rfcomm_session_getaddr(d->session,
91 &rfcomm_pi(sk)->src, NULL);
92 sk->sk_state_change(sk);
93 }
94
95 bh_unlock_sock(sk);
96 local_irq_restore(flags);
97
98 if (parent && sock_flag(sk, SOCK_ZAPPED)) {
99 /* We have to drop DLC lock here, otherwise
100 * rfcomm_sock_destruct() will dead lock. */
101 rfcomm_dlc_unlock(d);
102 rfcomm_sock_kill(sk);
103 rfcomm_dlc_lock(d);
104 }
105 }
106
107 /* ---- Socket functions ---- */
__rfcomm_get_listen_sock_by_addr(u8 channel,bdaddr_t * src)108 static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
109 {
110 struct sock *sk = NULL;
111
112 sk_for_each(sk, &rfcomm_sk_list.head) {
113 if (rfcomm_pi(sk)->channel != channel)
114 continue;
115
116 if (bacmp(&rfcomm_pi(sk)->src, src))
117 continue;
118
119 if (sk->sk_state == BT_BOUND || sk->sk_state == BT_LISTEN)
120 break;
121 }
122
123 return sk ? sk : NULL;
124 }
125
126 /* Find socket with channel and source bdaddr.
127 * Returns closest match.
128 */
rfcomm_get_sock_by_channel(int state,u8 channel,bdaddr_t * src)129 static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
130 {
131 struct sock *sk = NULL, *sk1 = NULL;
132
133 read_lock(&rfcomm_sk_list.lock);
134
135 sk_for_each(sk, &rfcomm_sk_list.head) {
136 if (state && sk->sk_state != state)
137 continue;
138
139 if (rfcomm_pi(sk)->channel == channel) {
140 /* Exact match. */
141 if (!bacmp(&rfcomm_pi(sk)->src, src))
142 break;
143
144 /* Closest match */
145 if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY))
146 sk1 = sk;
147 }
148 }
149
150 read_unlock(&rfcomm_sk_list.lock);
151
152 return sk ? sk : sk1;
153 }
154
rfcomm_sock_destruct(struct sock * sk)155 static void rfcomm_sock_destruct(struct sock *sk)
156 {
157 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
158
159 BT_DBG("sk %p dlc %p", sk, d);
160
161 skb_queue_purge(&sk->sk_receive_queue);
162 skb_queue_purge(&sk->sk_write_queue);
163
164 rfcomm_dlc_lock(d);
165 rfcomm_pi(sk)->dlc = NULL;
166
167 /* Detach DLC if it's owned by this socket */
168 if (d->owner == sk)
169 d->owner = NULL;
170 rfcomm_dlc_unlock(d);
171
172 rfcomm_dlc_put(d);
173 }
174
rfcomm_sock_cleanup_listen(struct sock * parent)175 static void rfcomm_sock_cleanup_listen(struct sock *parent)
176 {
177 struct sock *sk;
178
179 BT_DBG("parent %p", parent);
180
181 /* Close not yet accepted dlcs */
182 while ((sk = bt_accept_dequeue(parent, NULL))) {
183 rfcomm_sock_close(sk);
184 rfcomm_sock_kill(sk);
185 }
186
187 parent->sk_state = BT_CLOSED;
188 sock_set_flag(parent, SOCK_ZAPPED);
189 }
190
191 /* Kill socket (only if zapped and orphan)
192 * Must be called on unlocked socket.
193 */
rfcomm_sock_kill(struct sock * sk)194 static void rfcomm_sock_kill(struct sock *sk)
195 {
196 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
197 return;
198
199 BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, atomic_read(&sk->sk_refcnt));
200
201 /* Kill poor orphan */
202 bt_sock_unlink(&rfcomm_sk_list, sk);
203 sock_set_flag(sk, SOCK_DEAD);
204 sock_put(sk);
205 }
206
__rfcomm_sock_close(struct sock * sk)207 static void __rfcomm_sock_close(struct sock *sk)
208 {
209 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
210
211 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
212
213 switch (sk->sk_state) {
214 case BT_LISTEN:
215 rfcomm_sock_cleanup_listen(sk);
216 break;
217
218 case BT_CONNECT:
219 case BT_CONNECT2:
220 case BT_CONFIG:
221 case BT_CONNECTED:
222 rfcomm_dlc_close(d, 0);
223
224 default:
225 sock_set_flag(sk, SOCK_ZAPPED);
226 break;
227 }
228 }
229
230 /* Close socket.
231 * Must be called on unlocked socket.
232 */
rfcomm_sock_close(struct sock * sk)233 static void rfcomm_sock_close(struct sock *sk)
234 {
235 lock_sock(sk);
236 __rfcomm_sock_close(sk);
237 release_sock(sk);
238 }
239
rfcomm_sock_init(struct sock * sk,struct sock * parent)240 static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
241 {
242 struct rfcomm_pinfo *pi = rfcomm_pi(sk);
243
244 BT_DBG("sk %p", sk);
245
246 if (parent) {
247 sk->sk_type = parent->sk_type;
248 pi->dlc->defer_setup = test_bit(BT_SK_DEFER_SETUP,
249 &bt_sk(parent)->flags);
250
251 pi->sec_level = rfcomm_pi(parent)->sec_level;
252 pi->role_switch = rfcomm_pi(parent)->role_switch;
253
254 security_sk_clone(parent, sk);
255 } else {
256 pi->dlc->defer_setup = 0;
257
258 pi->sec_level = BT_SECURITY_LOW;
259 pi->role_switch = 0;
260 }
261
262 pi->dlc->sec_level = pi->sec_level;
263 pi->dlc->role_switch = pi->role_switch;
264 }
265
266 static struct proto rfcomm_proto = {
267 .name = "RFCOMM",
268 .owner = THIS_MODULE,
269 .obj_size = sizeof(struct rfcomm_pinfo)
270 };
271
rfcomm_sock_alloc(struct net * net,struct socket * sock,int proto,gfp_t prio)272 static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
273 {
274 struct rfcomm_dlc *d;
275 struct sock *sk;
276
277 sk = sk_alloc(net, PF_BLUETOOTH, prio, &rfcomm_proto);
278 if (!sk)
279 return NULL;
280
281 sock_init_data(sock, sk);
282 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
283
284 d = rfcomm_dlc_alloc(prio);
285 if (!d) {
286 sk_free(sk);
287 return NULL;
288 }
289
290 d->data_ready = rfcomm_sk_data_ready;
291 d->state_change = rfcomm_sk_state_change;
292
293 rfcomm_pi(sk)->dlc = d;
294 d->owner = sk;
295
296 sk->sk_destruct = rfcomm_sock_destruct;
297 sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT;
298
299 sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
300 sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
301
302 sock_reset_flag(sk, SOCK_ZAPPED);
303
304 sk->sk_protocol = proto;
305 sk->sk_state = BT_OPEN;
306
307 bt_sock_link(&rfcomm_sk_list, sk);
308
309 BT_DBG("sk %p", sk);
310 return sk;
311 }
312
rfcomm_sock_create(struct net * net,struct socket * sock,int protocol,int kern)313 static int rfcomm_sock_create(struct net *net, struct socket *sock,
314 int protocol, int kern)
315 {
316 struct sock *sk;
317
318 BT_DBG("sock %p", sock);
319
320 sock->state = SS_UNCONNECTED;
321
322 if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW)
323 return -ESOCKTNOSUPPORT;
324
325 sock->ops = &rfcomm_sock_ops;
326
327 sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC);
328 if (!sk)
329 return -ENOMEM;
330
331 rfcomm_sock_init(sk, NULL);
332 return 0;
333 }
334
rfcomm_sock_bind(struct socket * sock,struct sockaddr * addr,int addr_len)335 static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
336 {
337 struct sockaddr_rc sa;
338 struct sock *sk = sock->sk;
339 int len, err = 0;
340
341 if (!addr || addr->sa_family != AF_BLUETOOTH)
342 return -EINVAL;
343
344 memset(&sa, 0, sizeof(sa));
345 len = min_t(unsigned int, sizeof(sa), addr_len);
346 memcpy(&sa, addr, len);
347
348 BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);
349
350 lock_sock(sk);
351
352 if (sk->sk_state != BT_OPEN) {
353 err = -EBADFD;
354 goto done;
355 }
356
357 if (sk->sk_type != SOCK_STREAM) {
358 err = -EINVAL;
359 goto done;
360 }
361
362 write_lock(&rfcomm_sk_list.lock);
363
364 if (sa.rc_channel &&
365 __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
366 err = -EADDRINUSE;
367 } else {
368 /* Save source address */
369 bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr);
370 rfcomm_pi(sk)->channel = sa.rc_channel;
371 sk->sk_state = BT_BOUND;
372 }
373
374 write_unlock(&rfcomm_sk_list.lock);
375
376 done:
377 release_sock(sk);
378 return err;
379 }
380
rfcomm_sock_connect(struct socket * sock,struct sockaddr * addr,int alen,int flags)381 static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
382 {
383 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
384 struct sock *sk = sock->sk;
385 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
386 int err = 0;
387
388 BT_DBG("sk %p", sk);
389
390 if (alen < sizeof(struct sockaddr_rc) ||
391 addr->sa_family != AF_BLUETOOTH)
392 return -EINVAL;
393
394 lock_sock(sk);
395
396 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
397 err = -EBADFD;
398 goto done;
399 }
400
401 if (sk->sk_type != SOCK_STREAM) {
402 err = -EINVAL;
403 goto done;
404 }
405
406 sk->sk_state = BT_CONNECT;
407 bacpy(&rfcomm_pi(sk)->dst, &sa->rc_bdaddr);
408 rfcomm_pi(sk)->channel = sa->rc_channel;
409
410 d->sec_level = rfcomm_pi(sk)->sec_level;
411 d->role_switch = rfcomm_pi(sk)->role_switch;
412
413 err = rfcomm_dlc_open(d, &rfcomm_pi(sk)->src, &sa->rc_bdaddr,
414 sa->rc_channel);
415 if (!err)
416 err = bt_sock_wait_state(sk, BT_CONNECTED,
417 sock_sndtimeo(sk, flags & O_NONBLOCK));
418
419 done:
420 release_sock(sk);
421 return err;
422 }
423
rfcomm_sock_listen(struct socket * sock,int backlog)424 static int rfcomm_sock_listen(struct socket *sock, int backlog)
425 {
426 struct sock *sk = sock->sk;
427 int err = 0;
428
429 BT_DBG("sk %p backlog %d", sk, backlog);
430
431 lock_sock(sk);
432
433 if (sk->sk_state != BT_BOUND) {
434 err = -EBADFD;
435 goto done;
436 }
437
438 if (sk->sk_type != SOCK_STREAM) {
439 err = -EINVAL;
440 goto done;
441 }
442
443 if (!rfcomm_pi(sk)->channel) {
444 bdaddr_t *src = &rfcomm_pi(sk)->src;
445 u8 channel;
446
447 err = -EINVAL;
448
449 write_lock(&rfcomm_sk_list.lock);
450
451 for (channel = 1; channel < 31; channel++)
452 if (!__rfcomm_get_listen_sock_by_addr(channel, src)) {
453 rfcomm_pi(sk)->channel = channel;
454 err = 0;
455 break;
456 }
457
458 write_unlock(&rfcomm_sk_list.lock);
459
460 if (err < 0)
461 goto done;
462 }
463
464 sk->sk_max_ack_backlog = backlog;
465 sk->sk_ack_backlog = 0;
466 sk->sk_state = BT_LISTEN;
467
468 done:
469 release_sock(sk);
470 return err;
471 }
472
rfcomm_sock_accept(struct socket * sock,struct socket * newsock,int flags)473 static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int flags)
474 {
475 DECLARE_WAITQUEUE(wait, current);
476 struct sock *sk = sock->sk, *nsk;
477 long timeo;
478 int err = 0;
479
480 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
481
482 if (sk->sk_type != SOCK_STREAM) {
483 err = -EINVAL;
484 goto done;
485 }
486
487 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
488
489 BT_DBG("sk %p timeo %ld", sk, timeo);
490
491 /* Wait for an incoming connection. (wake-one). */
492 add_wait_queue_exclusive(sk_sleep(sk), &wait);
493 while (1) {
494 set_current_state(TASK_INTERRUPTIBLE);
495
496 if (sk->sk_state != BT_LISTEN) {
497 err = -EBADFD;
498 break;
499 }
500
501 nsk = bt_accept_dequeue(sk, newsock);
502 if (nsk)
503 break;
504
505 if (!timeo) {
506 err = -EAGAIN;
507 break;
508 }
509
510 if (signal_pending(current)) {
511 err = sock_intr_errno(timeo);
512 break;
513 }
514
515 release_sock(sk);
516 timeo = schedule_timeout(timeo);
517 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
518 }
519 __set_current_state(TASK_RUNNING);
520 remove_wait_queue(sk_sleep(sk), &wait);
521
522 if (err)
523 goto done;
524
525 newsock->state = SS_CONNECTED;
526
527 BT_DBG("new socket %p", nsk);
528
529 done:
530 release_sock(sk);
531 return err;
532 }
533
rfcomm_sock_getname(struct socket * sock,struct sockaddr * addr,int * len,int peer)534 static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
535 {
536 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
537 struct sock *sk = sock->sk;
538
539 BT_DBG("sock %p, sk %p", sock, sk);
540
541 if (peer && sk->sk_state != BT_CONNECTED &&
542 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2)
543 return -ENOTCONN;
544
545 memset(sa, 0, sizeof(*sa));
546 sa->rc_family = AF_BLUETOOTH;
547 sa->rc_channel = rfcomm_pi(sk)->channel;
548 if (peer)
549 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->dst);
550 else
551 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->src);
552
553 *len = sizeof(struct sockaddr_rc);
554 return 0;
555 }
556
rfcomm_sock_sendmsg(struct kiocb * iocb,struct socket * sock,struct msghdr * msg,size_t len)557 static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
558 struct msghdr *msg, size_t len)
559 {
560 struct sock *sk = sock->sk;
561 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
562 struct sk_buff *skb;
563 int sent;
564
565 if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
566 return -ENOTCONN;
567
568 if (msg->msg_flags & MSG_OOB)
569 return -EOPNOTSUPP;
570
571 if (sk->sk_shutdown & SEND_SHUTDOWN)
572 return -EPIPE;
573
574 BT_DBG("sock %p, sk %p", sock, sk);
575
576 lock_sock(sk);
577
578 sent = bt_sock_wait_ready(sk, msg->msg_flags);
579 if (sent)
580 goto done;
581
582 while (len) {
583 size_t size = min_t(size_t, len, d->mtu);
584 int err;
585
586 skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE,
587 msg->msg_flags & MSG_DONTWAIT, &err);
588 if (!skb) {
589 if (sent == 0)
590 sent = err;
591 break;
592 }
593 skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);
594
595 err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);
596 if (err) {
597 kfree_skb(skb);
598 if (sent == 0)
599 sent = err;
600 break;
601 }
602
603 skb->priority = sk->sk_priority;
604
605 err = rfcomm_dlc_send(d, skb);
606 if (err < 0) {
607 kfree_skb(skb);
608 if (sent == 0)
609 sent = err;
610 break;
611 }
612
613 sent += size;
614 len -= size;
615 }
616
617 done:
618 release_sock(sk);
619
620 return sent;
621 }
622
rfcomm_sock_recvmsg(struct kiocb * iocb,struct socket * sock,struct msghdr * msg,size_t size,int flags)623 static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
624 struct msghdr *msg, size_t size, int flags)
625 {
626 struct sock *sk = sock->sk;
627 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
628 int len;
629
630 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
631 rfcomm_dlc_accept(d);
632 return 0;
633 }
634
635 len = bt_sock_stream_recvmsg(iocb, sock, msg, size, flags);
636
637 lock_sock(sk);
638 if (!(flags & MSG_PEEK) && len > 0)
639 atomic_sub(len, &sk->sk_rmem_alloc);
640
641 if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2))
642 rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc);
643 release_sock(sk);
644
645 return len;
646 }
647
rfcomm_sock_setsockopt_old(struct socket * sock,int optname,char __user * optval,unsigned int optlen)648 static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
649 {
650 struct sock *sk = sock->sk;
651 int err = 0;
652 u32 opt;
653
654 BT_DBG("sk %p", sk);
655
656 lock_sock(sk);
657
658 switch (optname) {
659 case RFCOMM_LM:
660 if (get_user(opt, (u32 __user *) optval)) {
661 err = -EFAULT;
662 break;
663 }
664
665 if (opt & RFCOMM_LM_FIPS) {
666 err = -EINVAL;
667 break;
668 }
669
670 if (opt & RFCOMM_LM_AUTH)
671 rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
672 if (opt & RFCOMM_LM_ENCRYPT)
673 rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
674 if (opt & RFCOMM_LM_SECURE)
675 rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;
676
677 rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
678 break;
679
680 default:
681 err = -ENOPROTOOPT;
682 break;
683 }
684
685 release_sock(sk);
686 return err;
687 }
688
rfcomm_sock_setsockopt(struct socket * sock,int level,int optname,char __user * optval,unsigned int optlen)689 static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
690 {
691 struct sock *sk = sock->sk;
692 struct bt_security sec;
693 int err = 0;
694 size_t len;
695 u32 opt;
696
697 BT_DBG("sk %p", sk);
698
699 if (level == SOL_RFCOMM)
700 return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);
701
702 if (level != SOL_BLUETOOTH)
703 return -ENOPROTOOPT;
704
705 lock_sock(sk);
706
707 switch (optname) {
708 case BT_SECURITY:
709 if (sk->sk_type != SOCK_STREAM) {
710 err = -EINVAL;
711 break;
712 }
713
714 sec.level = BT_SECURITY_LOW;
715
716 len = min_t(unsigned int, sizeof(sec), optlen);
717 if (copy_from_user((char *) &sec, optval, len)) {
718 err = -EFAULT;
719 break;
720 }
721
722 if (sec.level > BT_SECURITY_HIGH) {
723 err = -EINVAL;
724 break;
725 }
726
727 rfcomm_pi(sk)->sec_level = sec.level;
728 break;
729
730 case BT_DEFER_SETUP:
731 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
732 err = -EINVAL;
733 break;
734 }
735
736 if (get_user(opt, (u32 __user *) optval)) {
737 err = -EFAULT;
738 break;
739 }
740
741 if (opt)
742 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
743 else
744 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
745
746 break;
747
748 default:
749 err = -ENOPROTOOPT;
750 break;
751 }
752
753 release_sock(sk);
754 return err;
755 }
756
rfcomm_sock_getsockopt_old(struct socket * sock,int optname,char __user * optval,int __user * optlen)757 static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
758 {
759 struct sock *sk = sock->sk;
760 struct sock *l2cap_sk;
761 struct l2cap_conn *conn;
762 struct rfcomm_conninfo cinfo;
763 int len, err = 0;
764 u32 opt;
765
766 BT_DBG("sk %p", sk);
767
768 if (get_user(len, optlen))
769 return -EFAULT;
770
771 lock_sock(sk);
772
773 switch (optname) {
774 case RFCOMM_LM:
775 switch (rfcomm_pi(sk)->sec_level) {
776 case BT_SECURITY_LOW:
777 opt = RFCOMM_LM_AUTH;
778 break;
779 case BT_SECURITY_MEDIUM:
780 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
781 break;
782 case BT_SECURITY_HIGH:
783 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
784 RFCOMM_LM_SECURE;
785 break;
786 case BT_SECURITY_FIPS:
787 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
788 RFCOMM_LM_SECURE | RFCOMM_LM_FIPS;
789 break;
790 default:
791 opt = 0;
792 break;
793 }
794
795 if (rfcomm_pi(sk)->role_switch)
796 opt |= RFCOMM_LM_MASTER;
797
798 if (put_user(opt, (u32 __user *) optval))
799 err = -EFAULT;
800
801 break;
802
803 case RFCOMM_CONNINFO:
804 if (sk->sk_state != BT_CONNECTED &&
805 !rfcomm_pi(sk)->dlc->defer_setup) {
806 err = -ENOTCONN;
807 break;
808 }
809
810 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
811 conn = l2cap_pi(l2cap_sk)->chan->conn;
812
813 memset(&cinfo, 0, sizeof(cinfo));
814 cinfo.hci_handle = conn->hcon->handle;
815 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
816
817 len = min_t(unsigned int, len, sizeof(cinfo));
818 if (copy_to_user(optval, (char *) &cinfo, len))
819 err = -EFAULT;
820
821 break;
822
823 default:
824 err = -ENOPROTOOPT;
825 break;
826 }
827
828 release_sock(sk);
829 return err;
830 }
831
rfcomm_sock_getsockopt(struct socket * sock,int level,int optname,char __user * optval,int __user * optlen)832 static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
833 {
834 struct sock *sk = sock->sk;
835 struct bt_security sec;
836 int len, err = 0;
837
838 BT_DBG("sk %p", sk);
839
840 if (level == SOL_RFCOMM)
841 return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen);
842
843 if (level != SOL_BLUETOOTH)
844 return -ENOPROTOOPT;
845
846 if (get_user(len, optlen))
847 return -EFAULT;
848
849 lock_sock(sk);
850
851 switch (optname) {
852 case BT_SECURITY:
853 if (sk->sk_type != SOCK_STREAM) {
854 err = -EINVAL;
855 break;
856 }
857
858 sec.level = rfcomm_pi(sk)->sec_level;
859 sec.key_size = 0;
860
861 len = min_t(unsigned int, len, sizeof(sec));
862 if (copy_to_user(optval, (char *) &sec, len))
863 err = -EFAULT;
864
865 break;
866
867 case BT_DEFER_SETUP:
868 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
869 err = -EINVAL;
870 break;
871 }
872
873 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
874 (u32 __user *) optval))
875 err = -EFAULT;
876
877 break;
878
879 default:
880 err = -ENOPROTOOPT;
881 break;
882 }
883
884 release_sock(sk);
885 return err;
886 }
887
rfcomm_sock_ioctl(struct socket * sock,unsigned int cmd,unsigned long arg)888 static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
889 {
890 struct sock *sk __maybe_unused = sock->sk;
891 int err;
892
893 BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg);
894
895 err = bt_sock_ioctl(sock, cmd, arg);
896
897 if (err == -ENOIOCTLCMD) {
898 #ifdef CONFIG_BT_RFCOMM_TTY
899 lock_sock(sk);
900 err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
901 release_sock(sk);
902 #else
903 err = -EOPNOTSUPP;
904 #endif
905 }
906
907 return err;
908 }
909
rfcomm_sock_shutdown(struct socket * sock,int how)910 static int rfcomm_sock_shutdown(struct socket *sock, int how)
911 {
912 struct sock *sk = sock->sk;
913 int err = 0;
914
915 BT_DBG("sock %p, sk %p", sock, sk);
916
917 if (!sk)
918 return 0;
919
920 lock_sock(sk);
921 if (!sk->sk_shutdown) {
922 sk->sk_shutdown = SHUTDOWN_MASK;
923 __rfcomm_sock_close(sk);
924
925 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
926 !(current->flags & PF_EXITING))
927 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
928 }
929 release_sock(sk);
930 return err;
931 }
932
rfcomm_sock_release(struct socket * sock)933 static int rfcomm_sock_release(struct socket *sock)
934 {
935 struct sock *sk = sock->sk;
936 int err;
937
938 BT_DBG("sock %p, sk %p", sock, sk);
939
940 if (!sk)
941 return 0;
942
943 err = rfcomm_sock_shutdown(sock, 2);
944
945 sock_orphan(sk);
946 rfcomm_sock_kill(sk);
947 return err;
948 }
949
950 /* ---- RFCOMM core layer callbacks ----
951 *
952 * called under rfcomm_lock()
953 */
rfcomm_connect_ind(struct rfcomm_session * s,u8 channel,struct rfcomm_dlc ** d)954 int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d)
955 {
956 struct sock *sk, *parent;
957 bdaddr_t src, dst;
958 int result = 0;
959
960 BT_DBG("session %p channel %d", s, channel);
961
962 rfcomm_session_getaddr(s, &src, &dst);
963
964 /* Check if we have socket listening on channel */
965 parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src);
966 if (!parent)
967 return 0;
968
969 bh_lock_sock(parent);
970
971 /* Check for backlog size */
972 if (sk_acceptq_is_full(parent)) {
973 BT_DBG("backlog full %d", parent->sk_ack_backlog);
974 goto done;
975 }
976
977 sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC);
978 if (!sk)
979 goto done;
980
981 bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM);
982
983 rfcomm_sock_init(sk, parent);
984 bacpy(&rfcomm_pi(sk)->src, &src);
985 bacpy(&rfcomm_pi(sk)->dst, &dst);
986 rfcomm_pi(sk)->channel = channel;
987
988 sk->sk_state = BT_CONFIG;
989 bt_accept_enqueue(parent, sk);
990
991 /* Accept connection and return socket DLC */
992 *d = rfcomm_pi(sk)->dlc;
993 result = 1;
994
995 done:
996 bh_unlock_sock(parent);
997
998 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
999 parent->sk_state_change(parent);
1000
1001 return result;
1002 }
1003
rfcomm_sock_debugfs_show(struct seq_file * f,void * p)1004 static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
1005 {
1006 struct sock *sk;
1007
1008 read_lock(&rfcomm_sk_list.lock);
1009
1010 sk_for_each(sk, &rfcomm_sk_list.head) {
1011 seq_printf(f, "%pMR %pMR %d %d\n",
1012 &rfcomm_pi(sk)->src, &rfcomm_pi(sk)->dst,
1013 sk->sk_state, rfcomm_pi(sk)->channel);
1014 }
1015
1016 read_unlock(&rfcomm_sk_list.lock);
1017
1018 return 0;
1019 }
1020
rfcomm_sock_debugfs_open(struct inode * inode,struct file * file)1021 static int rfcomm_sock_debugfs_open(struct inode *inode, struct file *file)
1022 {
1023 return single_open(file, rfcomm_sock_debugfs_show, inode->i_private);
1024 }
1025
1026 static const struct file_operations rfcomm_sock_debugfs_fops = {
1027 .open = rfcomm_sock_debugfs_open,
1028 .read = seq_read,
1029 .llseek = seq_lseek,
1030 .release = single_release,
1031 };
1032
1033 static struct dentry *rfcomm_sock_debugfs;
1034
1035 static const struct proto_ops rfcomm_sock_ops = {
1036 .family = PF_BLUETOOTH,
1037 .owner = THIS_MODULE,
1038 .release = rfcomm_sock_release,
1039 .bind = rfcomm_sock_bind,
1040 .connect = rfcomm_sock_connect,
1041 .listen = rfcomm_sock_listen,
1042 .accept = rfcomm_sock_accept,
1043 .getname = rfcomm_sock_getname,
1044 .sendmsg = rfcomm_sock_sendmsg,
1045 .recvmsg = rfcomm_sock_recvmsg,
1046 .shutdown = rfcomm_sock_shutdown,
1047 .setsockopt = rfcomm_sock_setsockopt,
1048 .getsockopt = rfcomm_sock_getsockopt,
1049 .ioctl = rfcomm_sock_ioctl,
1050 .poll = bt_sock_poll,
1051 .socketpair = sock_no_socketpair,
1052 .mmap = sock_no_mmap
1053 };
1054
1055 static const struct net_proto_family rfcomm_sock_family_ops = {
1056 .family = PF_BLUETOOTH,
1057 .owner = THIS_MODULE,
1058 .create = rfcomm_sock_create
1059 };
1060
rfcomm_init_sockets(void)1061 int __init rfcomm_init_sockets(void)
1062 {
1063 int err;
1064
1065 err = proto_register(&rfcomm_proto, 0);
1066 if (err < 0)
1067 return err;
1068
1069 err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops);
1070 if (err < 0) {
1071 BT_ERR("RFCOMM socket layer registration failed");
1072 goto error;
1073 }
1074
1075 err = bt_procfs_init(&init_net, "rfcomm", &rfcomm_sk_list, NULL);
1076 if (err < 0) {
1077 BT_ERR("Failed to create RFCOMM proc file");
1078 bt_sock_unregister(BTPROTO_RFCOMM);
1079 goto error;
1080 }
1081
1082 BT_INFO("RFCOMM socket layer initialized");
1083
1084 if (IS_ERR_OR_NULL(bt_debugfs))
1085 return 0;
1086
1087 rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444,
1088 bt_debugfs, NULL,
1089 &rfcomm_sock_debugfs_fops);
1090
1091 return 0;
1092
1093 error:
1094 proto_unregister(&rfcomm_proto);
1095 return err;
1096 }
1097
rfcomm_cleanup_sockets(void)1098 void __exit rfcomm_cleanup_sockets(void)
1099 {
1100 bt_procfs_cleanup(&init_net, "rfcomm");
1101
1102 debugfs_remove(rfcomm_sock_debugfs);
1103
1104 bt_sock_unregister(BTPROTO_RFCOMM);
1105
1106 proto_unregister(&rfcomm_proto);
1107 }
1108