1 /*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22 */
23
24 /*
25 * RFCOMM sockets.
26 */
27
28 #include <linux/export.h>
29 #include <linux/debugfs.h>
30 #include <linux/sched/signal.h>
31
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/l2cap.h>
35 #include <net/bluetooth/rfcomm.h>
36
37 static const struct proto_ops rfcomm_sock_ops;
38
39 static struct bt_sock_list rfcomm_sk_list = {
40 .lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock)
41 };
42
43 static void rfcomm_sock_close(struct sock *sk);
44 static void rfcomm_sock_kill(struct sock *sk);
45
46 /* ---- DLC callbacks ----
47 *
48 * called under rfcomm_dlc_lock()
49 */
rfcomm_sk_data_ready(struct rfcomm_dlc * d,struct sk_buff * skb)50 static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
51 {
52 struct sock *sk = d->owner;
53 if (!sk)
54 return;
55
56 atomic_add(skb->len, &sk->sk_rmem_alloc);
57 skb_queue_tail(&sk->sk_receive_queue, skb);
58 sk->sk_data_ready(sk);
59
60 if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
61 rfcomm_dlc_throttle(d);
62 }
63
rfcomm_sk_state_change(struct rfcomm_dlc * d,int err)64 static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
65 {
66 struct sock *sk = d->owner, *parent;
67 unsigned long flags;
68
69 if (!sk)
70 return;
71
72 BT_DBG("dlc %p state %ld err %d", d, d->state, err);
73
74 local_irq_save(flags);
75 bh_lock_sock(sk);
76
77 if (err)
78 sk->sk_err = err;
79
80 sk->sk_state = d->state;
81
82 parent = bt_sk(sk)->parent;
83 if (parent) {
84 if (d->state == BT_CLOSED) {
85 sock_set_flag(sk, SOCK_ZAPPED);
86 bt_accept_unlink(sk);
87 }
88 parent->sk_data_ready(parent);
89 } else {
90 if (d->state == BT_CONNECTED)
91 rfcomm_session_getaddr(d->session,
92 &rfcomm_pi(sk)->src, NULL);
93 sk->sk_state_change(sk);
94 }
95
96 bh_unlock_sock(sk);
97 local_irq_restore(flags);
98
99 if (parent && sock_flag(sk, SOCK_ZAPPED)) {
100 /* We have to drop DLC lock here, otherwise
101 * rfcomm_sock_destruct() will dead lock. */
102 rfcomm_dlc_unlock(d);
103 rfcomm_sock_kill(sk);
104 rfcomm_dlc_lock(d);
105 }
106 }
107
108 /* ---- Socket functions ---- */
__rfcomm_get_listen_sock_by_addr(u8 channel,bdaddr_t * src)109 static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
110 {
111 struct sock *sk = NULL;
112
113 sk_for_each(sk, &rfcomm_sk_list.head) {
114 if (rfcomm_pi(sk)->channel != channel)
115 continue;
116
117 if (bacmp(&rfcomm_pi(sk)->src, src))
118 continue;
119
120 if (sk->sk_state == BT_BOUND || sk->sk_state == BT_LISTEN)
121 break;
122 }
123
124 return sk ? sk : NULL;
125 }
126
127 /* Find socket with channel and source bdaddr.
128 * Returns closest match.
129 */
rfcomm_get_sock_by_channel(int state,u8 channel,bdaddr_t * src)130 static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
131 {
132 struct sock *sk = NULL, *sk1 = NULL;
133
134 read_lock(&rfcomm_sk_list.lock);
135
136 sk_for_each(sk, &rfcomm_sk_list.head) {
137 if (state && sk->sk_state != state)
138 continue;
139
140 if (rfcomm_pi(sk)->channel == channel) {
141 /* Exact match. */
142 if (!bacmp(&rfcomm_pi(sk)->src, src))
143 break;
144
145 /* Closest match */
146 if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY))
147 sk1 = sk;
148 }
149 }
150
151 read_unlock(&rfcomm_sk_list.lock);
152
153 return sk ? sk : sk1;
154 }
155
rfcomm_sock_destruct(struct sock * sk)156 static void rfcomm_sock_destruct(struct sock *sk)
157 {
158 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
159
160 BT_DBG("sk %p dlc %p", sk, d);
161
162 skb_queue_purge(&sk->sk_receive_queue);
163 skb_queue_purge(&sk->sk_write_queue);
164
165 rfcomm_dlc_lock(d);
166 rfcomm_pi(sk)->dlc = NULL;
167
168 /* Detach DLC if it's owned by this socket */
169 if (d->owner == sk)
170 d->owner = NULL;
171 rfcomm_dlc_unlock(d);
172
173 rfcomm_dlc_put(d);
174 }
175
rfcomm_sock_cleanup_listen(struct sock * parent)176 static void rfcomm_sock_cleanup_listen(struct sock *parent)
177 {
178 struct sock *sk;
179
180 BT_DBG("parent %p", parent);
181
182 /* Close not yet accepted dlcs */
183 while ((sk = bt_accept_dequeue(parent, NULL))) {
184 rfcomm_sock_close(sk);
185 rfcomm_sock_kill(sk);
186 }
187
188 parent->sk_state = BT_CLOSED;
189 sock_set_flag(parent, SOCK_ZAPPED);
190 }
191
192 /* Kill socket (only if zapped and orphan)
193 * Must be called on unlocked socket.
194 */
rfcomm_sock_kill(struct sock * sk)195 static void rfcomm_sock_kill(struct sock *sk)
196 {
197 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
198 return;
199
200 BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, refcount_read(&sk->sk_refcnt));
201
202 /* Kill poor orphan */
203 bt_sock_unlink(&rfcomm_sk_list, sk);
204 sock_set_flag(sk, SOCK_DEAD);
205 sock_put(sk);
206 }
207
__rfcomm_sock_close(struct sock * sk)208 static void __rfcomm_sock_close(struct sock *sk)
209 {
210 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
211
212 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
213
214 switch (sk->sk_state) {
215 case BT_LISTEN:
216 rfcomm_sock_cleanup_listen(sk);
217 break;
218
219 case BT_CONNECT:
220 case BT_CONNECT2:
221 case BT_CONFIG:
222 case BT_CONNECTED:
223 rfcomm_dlc_close(d, 0);
224 /* fall through */
225
226 default:
227 sock_set_flag(sk, SOCK_ZAPPED);
228 break;
229 }
230 }
231
232 /* Close socket.
233 * Must be called on unlocked socket.
234 */
rfcomm_sock_close(struct sock * sk)235 static void rfcomm_sock_close(struct sock *sk)
236 {
237 lock_sock(sk);
238 __rfcomm_sock_close(sk);
239 release_sock(sk);
240 }
241
rfcomm_sock_init(struct sock * sk,struct sock * parent)242 static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
243 {
244 struct rfcomm_pinfo *pi = rfcomm_pi(sk);
245
246 BT_DBG("sk %p", sk);
247
248 if (parent) {
249 sk->sk_type = parent->sk_type;
250 pi->dlc->defer_setup = test_bit(BT_SK_DEFER_SETUP,
251 &bt_sk(parent)->flags);
252
253 pi->sec_level = rfcomm_pi(parent)->sec_level;
254 pi->role_switch = rfcomm_pi(parent)->role_switch;
255
256 security_sk_clone(parent, sk);
257 } else {
258 pi->dlc->defer_setup = 0;
259
260 pi->sec_level = BT_SECURITY_LOW;
261 pi->role_switch = 0;
262 }
263
264 pi->dlc->sec_level = pi->sec_level;
265 pi->dlc->role_switch = pi->role_switch;
266 }
267
268 static struct proto rfcomm_proto = {
269 .name = "RFCOMM",
270 .owner = THIS_MODULE,
271 .obj_size = sizeof(struct rfcomm_pinfo)
272 };
273
rfcomm_sock_alloc(struct net * net,struct socket * sock,int proto,gfp_t prio,int kern)274 static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio, int kern)
275 {
276 struct rfcomm_dlc *d;
277 struct sock *sk;
278
279 sk = sk_alloc(net, PF_BLUETOOTH, prio, &rfcomm_proto, kern);
280 if (!sk)
281 return NULL;
282
283 sock_init_data(sock, sk);
284 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
285
286 d = rfcomm_dlc_alloc(prio);
287 if (!d) {
288 sk_free(sk);
289 return NULL;
290 }
291
292 d->data_ready = rfcomm_sk_data_ready;
293 d->state_change = rfcomm_sk_state_change;
294
295 rfcomm_pi(sk)->dlc = d;
296 d->owner = sk;
297
298 sk->sk_destruct = rfcomm_sock_destruct;
299 sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT;
300
301 sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
302 sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
303
304 sock_reset_flag(sk, SOCK_ZAPPED);
305
306 sk->sk_protocol = proto;
307 sk->sk_state = BT_OPEN;
308
309 bt_sock_link(&rfcomm_sk_list, sk);
310
311 BT_DBG("sk %p", sk);
312 return sk;
313 }
314
rfcomm_sock_create(struct net * net,struct socket * sock,int protocol,int kern)315 static int rfcomm_sock_create(struct net *net, struct socket *sock,
316 int protocol, int kern)
317 {
318 struct sock *sk;
319
320 BT_DBG("sock %p", sock);
321
322 sock->state = SS_UNCONNECTED;
323
324 if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW)
325 return -ESOCKTNOSUPPORT;
326
327 sock->ops = &rfcomm_sock_ops;
328
329 sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
330 if (!sk)
331 return -ENOMEM;
332
333 rfcomm_sock_init(sk, NULL);
334 return 0;
335 }
336
rfcomm_sock_bind(struct socket * sock,struct sockaddr * addr,int addr_len)337 static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
338 {
339 struct sockaddr_rc sa;
340 struct sock *sk = sock->sk;
341 int len, err = 0;
342
343 if (!addr || addr_len < offsetofend(struct sockaddr, sa_family) ||
344 addr->sa_family != AF_BLUETOOTH)
345 return -EINVAL;
346
347 memset(&sa, 0, sizeof(sa));
348 len = min_t(unsigned int, sizeof(sa), addr_len);
349 memcpy(&sa, addr, len);
350
351 BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);
352
353 lock_sock(sk);
354
355 if (sk->sk_state != BT_OPEN) {
356 err = -EBADFD;
357 goto done;
358 }
359
360 if (sk->sk_type != SOCK_STREAM) {
361 err = -EINVAL;
362 goto done;
363 }
364
365 write_lock(&rfcomm_sk_list.lock);
366
367 if (sa.rc_channel &&
368 __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
369 err = -EADDRINUSE;
370 } else {
371 /* Save source address */
372 bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr);
373 rfcomm_pi(sk)->channel = sa.rc_channel;
374 sk->sk_state = BT_BOUND;
375 }
376
377 write_unlock(&rfcomm_sk_list.lock);
378
379 done:
380 release_sock(sk);
381 return err;
382 }
383
rfcomm_sock_connect(struct socket * sock,struct sockaddr * addr,int alen,int flags)384 static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
385 {
386 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
387 struct sock *sk = sock->sk;
388 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
389 int err = 0;
390
391 BT_DBG("sk %p", sk);
392
393 if (alen < sizeof(struct sockaddr_rc) ||
394 addr->sa_family != AF_BLUETOOTH)
395 return -EINVAL;
396
397 lock_sock(sk);
398
399 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
400 err = -EBADFD;
401 goto done;
402 }
403
404 if (sk->sk_type != SOCK_STREAM) {
405 err = -EINVAL;
406 goto done;
407 }
408
409 sk->sk_state = BT_CONNECT;
410 bacpy(&rfcomm_pi(sk)->dst, &sa->rc_bdaddr);
411 rfcomm_pi(sk)->channel = sa->rc_channel;
412
413 d->sec_level = rfcomm_pi(sk)->sec_level;
414 d->role_switch = rfcomm_pi(sk)->role_switch;
415
416 err = rfcomm_dlc_open(d, &rfcomm_pi(sk)->src, &sa->rc_bdaddr,
417 sa->rc_channel);
418 if (!err)
419 err = bt_sock_wait_state(sk, BT_CONNECTED,
420 sock_sndtimeo(sk, flags & O_NONBLOCK));
421
422 done:
423 release_sock(sk);
424 return err;
425 }
426
rfcomm_sock_listen(struct socket * sock,int backlog)427 static int rfcomm_sock_listen(struct socket *sock, int backlog)
428 {
429 struct sock *sk = sock->sk;
430 int err = 0;
431
432 BT_DBG("sk %p backlog %d", sk, backlog);
433
434 lock_sock(sk);
435
436 if (sk->sk_state != BT_BOUND) {
437 err = -EBADFD;
438 goto done;
439 }
440
441 if (sk->sk_type != SOCK_STREAM) {
442 err = -EINVAL;
443 goto done;
444 }
445
446 if (!rfcomm_pi(sk)->channel) {
447 bdaddr_t *src = &rfcomm_pi(sk)->src;
448 u8 channel;
449
450 err = -EINVAL;
451
452 write_lock(&rfcomm_sk_list.lock);
453
454 for (channel = 1; channel < 31; channel++)
455 if (!__rfcomm_get_listen_sock_by_addr(channel, src)) {
456 rfcomm_pi(sk)->channel = channel;
457 err = 0;
458 break;
459 }
460
461 write_unlock(&rfcomm_sk_list.lock);
462
463 if (err < 0)
464 goto done;
465 }
466
467 sk->sk_max_ack_backlog = backlog;
468 sk->sk_ack_backlog = 0;
469 sk->sk_state = BT_LISTEN;
470
471 done:
472 release_sock(sk);
473 return err;
474 }
475
rfcomm_sock_accept(struct socket * sock,struct socket * newsock,int flags,bool kern)476 static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int flags,
477 bool kern)
478 {
479 DEFINE_WAIT_FUNC(wait, woken_wake_function);
480 struct sock *sk = sock->sk, *nsk;
481 long timeo;
482 int err = 0;
483
484 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
485
486 if (sk->sk_type != SOCK_STREAM) {
487 err = -EINVAL;
488 goto done;
489 }
490
491 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
492
493 BT_DBG("sk %p timeo %ld", sk, timeo);
494
495 /* Wait for an incoming connection. (wake-one). */
496 add_wait_queue_exclusive(sk_sleep(sk), &wait);
497 while (1) {
498 if (sk->sk_state != BT_LISTEN) {
499 err = -EBADFD;
500 break;
501 }
502
503 nsk = bt_accept_dequeue(sk, newsock);
504 if (nsk)
505 break;
506
507 if (!timeo) {
508 err = -EAGAIN;
509 break;
510 }
511
512 if (signal_pending(current)) {
513 err = sock_intr_errno(timeo);
514 break;
515 }
516
517 release_sock(sk);
518
519 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
520
521 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
522 }
523 remove_wait_queue(sk_sleep(sk), &wait);
524
525 if (err)
526 goto done;
527
528 newsock->state = SS_CONNECTED;
529
530 BT_DBG("new socket %p", nsk);
531
532 done:
533 release_sock(sk);
534 return err;
535 }
536
rfcomm_sock_getname(struct socket * sock,struct sockaddr * addr,int peer)537 static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int peer)
538 {
539 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
540 struct sock *sk = sock->sk;
541
542 BT_DBG("sock %p, sk %p", sock, sk);
543
544 if (peer && sk->sk_state != BT_CONNECTED &&
545 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2)
546 return -ENOTCONN;
547
548 memset(sa, 0, sizeof(*sa));
549 sa->rc_family = AF_BLUETOOTH;
550 sa->rc_channel = rfcomm_pi(sk)->channel;
551 if (peer)
552 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->dst);
553 else
554 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->src);
555
556 return sizeof(struct sockaddr_rc);
557 }
558
rfcomm_sock_sendmsg(struct socket * sock,struct msghdr * msg,size_t len)559 static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg,
560 size_t len)
561 {
562 struct sock *sk = sock->sk;
563 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
564 struct sk_buff *skb;
565 int sent;
566
567 if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
568 return -ENOTCONN;
569
570 if (msg->msg_flags & MSG_OOB)
571 return -EOPNOTSUPP;
572
573 if (sk->sk_shutdown & SEND_SHUTDOWN)
574 return -EPIPE;
575
576 BT_DBG("sock %p, sk %p", sock, sk);
577
578 lock_sock(sk);
579
580 sent = bt_sock_wait_ready(sk, msg->msg_flags);
581
582 release_sock(sk);
583
584 if (sent)
585 return sent;
586
587 skb = bt_skb_sendmmsg(sk, msg, len, d->mtu, RFCOMM_SKB_HEAD_RESERVE,
588 RFCOMM_SKB_TAIL_RESERVE);
589 if (IS_ERR(skb))
590 return PTR_ERR(skb);
591
592 sent = rfcomm_dlc_send(d, skb);
593 if (sent < 0)
594 kfree_skb(skb);
595
596 return sent;
597 }
598
rfcomm_sock_recvmsg(struct socket * sock,struct msghdr * msg,size_t size,int flags)599 static int rfcomm_sock_recvmsg(struct socket *sock, struct msghdr *msg,
600 size_t size, int flags)
601 {
602 struct sock *sk = sock->sk;
603 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
604 int len;
605
606 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
607 rfcomm_dlc_accept(d);
608 return 0;
609 }
610
611 len = bt_sock_stream_recvmsg(sock, msg, size, flags);
612
613 lock_sock(sk);
614 if (!(flags & MSG_PEEK) && len > 0)
615 atomic_sub(len, &sk->sk_rmem_alloc);
616
617 if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2))
618 rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc);
619 release_sock(sk);
620
621 return len;
622 }
623
rfcomm_sock_setsockopt_old(struct socket * sock,int optname,char __user * optval,unsigned int optlen)624 static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
625 {
626 struct sock *sk = sock->sk;
627 int err = 0;
628 u32 opt;
629
630 BT_DBG("sk %p", sk);
631
632 lock_sock(sk);
633
634 switch (optname) {
635 case RFCOMM_LM:
636 if (get_user(opt, (u32 __user *) optval)) {
637 err = -EFAULT;
638 break;
639 }
640
641 if (opt & RFCOMM_LM_FIPS) {
642 err = -EINVAL;
643 break;
644 }
645
646 if (opt & RFCOMM_LM_AUTH)
647 rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
648 if (opt & RFCOMM_LM_ENCRYPT)
649 rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
650 if (opt & RFCOMM_LM_SECURE)
651 rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;
652
653 rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
654 break;
655
656 default:
657 err = -ENOPROTOOPT;
658 break;
659 }
660
661 release_sock(sk);
662 return err;
663 }
664
rfcomm_sock_setsockopt(struct socket * sock,int level,int optname,char __user * optval,unsigned int optlen)665 static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
666 {
667 struct sock *sk = sock->sk;
668 struct bt_security sec;
669 int err = 0;
670 size_t len;
671 u32 opt;
672
673 BT_DBG("sk %p", sk);
674
675 if (level == SOL_RFCOMM)
676 return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);
677
678 if (level != SOL_BLUETOOTH)
679 return -ENOPROTOOPT;
680
681 lock_sock(sk);
682
683 switch (optname) {
684 case BT_SECURITY:
685 if (sk->sk_type != SOCK_STREAM) {
686 err = -EINVAL;
687 break;
688 }
689
690 sec.level = BT_SECURITY_LOW;
691
692 len = min_t(unsigned int, sizeof(sec), optlen);
693 if (copy_from_user((char *) &sec, optval, len)) {
694 err = -EFAULT;
695 break;
696 }
697
698 if (sec.level > BT_SECURITY_HIGH) {
699 err = -EINVAL;
700 break;
701 }
702
703 rfcomm_pi(sk)->sec_level = sec.level;
704 break;
705
706 case BT_DEFER_SETUP:
707 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
708 err = -EINVAL;
709 break;
710 }
711
712 if (get_user(opt, (u32 __user *) optval)) {
713 err = -EFAULT;
714 break;
715 }
716
717 if (opt)
718 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
719 else
720 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
721
722 break;
723
724 default:
725 err = -ENOPROTOOPT;
726 break;
727 }
728
729 release_sock(sk);
730 return err;
731 }
732
rfcomm_sock_getsockopt_old(struct socket * sock,int optname,char __user * optval,int __user * optlen)733 static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
734 {
735 struct sock *sk = sock->sk;
736 struct sock *l2cap_sk;
737 struct l2cap_conn *conn;
738 struct rfcomm_conninfo cinfo;
739 int len, err = 0;
740 u32 opt;
741
742 BT_DBG("sk %p", sk);
743
744 if (get_user(len, optlen))
745 return -EFAULT;
746
747 lock_sock(sk);
748
749 switch (optname) {
750 case RFCOMM_LM:
751 switch (rfcomm_pi(sk)->sec_level) {
752 case BT_SECURITY_LOW:
753 opt = RFCOMM_LM_AUTH;
754 break;
755 case BT_SECURITY_MEDIUM:
756 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
757 break;
758 case BT_SECURITY_HIGH:
759 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
760 RFCOMM_LM_SECURE;
761 break;
762 case BT_SECURITY_FIPS:
763 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
764 RFCOMM_LM_SECURE | RFCOMM_LM_FIPS;
765 break;
766 default:
767 opt = 0;
768 break;
769 }
770
771 if (rfcomm_pi(sk)->role_switch)
772 opt |= RFCOMM_LM_MASTER;
773
774 if (put_user(opt, (u32 __user *) optval))
775 err = -EFAULT;
776
777 break;
778
779 case RFCOMM_CONNINFO:
780 if (sk->sk_state != BT_CONNECTED &&
781 !rfcomm_pi(sk)->dlc->defer_setup) {
782 err = -ENOTCONN;
783 break;
784 }
785
786 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
787 conn = l2cap_pi(l2cap_sk)->chan->conn;
788
789 memset(&cinfo, 0, sizeof(cinfo));
790 cinfo.hci_handle = conn->hcon->handle;
791 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
792
793 len = min_t(unsigned int, len, sizeof(cinfo));
794 if (copy_to_user(optval, (char *) &cinfo, len))
795 err = -EFAULT;
796
797 break;
798
799 default:
800 err = -ENOPROTOOPT;
801 break;
802 }
803
804 release_sock(sk);
805 return err;
806 }
807
rfcomm_sock_getsockopt(struct socket * sock,int level,int optname,char __user * optval,int __user * optlen)808 static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
809 {
810 struct sock *sk = sock->sk;
811 struct bt_security sec;
812 int len, err = 0;
813
814 BT_DBG("sk %p", sk);
815
816 if (level == SOL_RFCOMM)
817 return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen);
818
819 if (level != SOL_BLUETOOTH)
820 return -ENOPROTOOPT;
821
822 if (get_user(len, optlen))
823 return -EFAULT;
824
825 lock_sock(sk);
826
827 switch (optname) {
828 case BT_SECURITY:
829 if (sk->sk_type != SOCK_STREAM) {
830 err = -EINVAL;
831 break;
832 }
833
834 sec.level = rfcomm_pi(sk)->sec_level;
835 sec.key_size = 0;
836
837 len = min_t(unsigned int, len, sizeof(sec));
838 if (copy_to_user(optval, (char *) &sec, len))
839 err = -EFAULT;
840
841 break;
842
843 case BT_DEFER_SETUP:
844 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
845 err = -EINVAL;
846 break;
847 }
848
849 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
850 (u32 __user *) optval))
851 err = -EFAULT;
852
853 break;
854
855 default:
856 err = -ENOPROTOOPT;
857 break;
858 }
859
860 release_sock(sk);
861 return err;
862 }
863
rfcomm_sock_ioctl(struct socket * sock,unsigned int cmd,unsigned long arg)864 static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
865 {
866 struct sock *sk __maybe_unused = sock->sk;
867 int err;
868
869 BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg);
870
871 err = bt_sock_ioctl(sock, cmd, arg);
872
873 if (err == -ENOIOCTLCMD) {
874 #ifdef CONFIG_BT_RFCOMM_TTY
875 lock_sock(sk);
876 err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
877 release_sock(sk);
878 #else
879 err = -EOPNOTSUPP;
880 #endif
881 }
882
883 return err;
884 }
885
rfcomm_sock_shutdown(struct socket * sock,int how)886 static int rfcomm_sock_shutdown(struct socket *sock, int how)
887 {
888 struct sock *sk = sock->sk;
889 int err = 0;
890
891 BT_DBG("sock %p, sk %p", sock, sk);
892
893 if (!sk)
894 return 0;
895
896 lock_sock(sk);
897 if (!sk->sk_shutdown) {
898 sk->sk_shutdown = SHUTDOWN_MASK;
899 __rfcomm_sock_close(sk);
900
901 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
902 !(current->flags & PF_EXITING))
903 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
904 }
905 release_sock(sk);
906 return err;
907 }
908
rfcomm_sock_release(struct socket * sock)909 static int rfcomm_sock_release(struct socket *sock)
910 {
911 struct sock *sk = sock->sk;
912 int err;
913
914 BT_DBG("sock %p, sk %p", sock, sk);
915
916 if (!sk)
917 return 0;
918
919 err = rfcomm_sock_shutdown(sock, 2);
920
921 sock_orphan(sk);
922 rfcomm_sock_kill(sk);
923 return err;
924 }
925
926 /* ---- RFCOMM core layer callbacks ----
927 *
928 * called under rfcomm_lock()
929 */
rfcomm_connect_ind(struct rfcomm_session * s,u8 channel,struct rfcomm_dlc ** d)930 int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d)
931 {
932 struct sock *sk, *parent;
933 bdaddr_t src, dst;
934 int result = 0;
935
936 BT_DBG("session %p channel %d", s, channel);
937
938 rfcomm_session_getaddr(s, &src, &dst);
939
940 /* Check if we have socket listening on channel */
941 parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src);
942 if (!parent)
943 return 0;
944
945 bh_lock_sock(parent);
946
947 /* Check for backlog size */
948 if (sk_acceptq_is_full(parent)) {
949 BT_DBG("backlog full %d", parent->sk_ack_backlog);
950 goto done;
951 }
952
953 sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC, 0);
954 if (!sk)
955 goto done;
956
957 bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM);
958
959 rfcomm_sock_init(sk, parent);
960 bacpy(&rfcomm_pi(sk)->src, &src);
961 bacpy(&rfcomm_pi(sk)->dst, &dst);
962 rfcomm_pi(sk)->channel = channel;
963
964 sk->sk_state = BT_CONFIG;
965 bt_accept_enqueue(parent, sk, true);
966
967 /* Accept connection and return socket DLC */
968 *d = rfcomm_pi(sk)->dlc;
969 result = 1;
970
971 done:
972 bh_unlock_sock(parent);
973
974 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
975 parent->sk_state_change(parent);
976
977 return result;
978 }
979
rfcomm_sock_debugfs_show(struct seq_file * f,void * p)980 static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
981 {
982 struct sock *sk;
983
984 read_lock(&rfcomm_sk_list.lock);
985
986 sk_for_each(sk, &rfcomm_sk_list.head) {
987 seq_printf(f, "%pMR %pMR %d %d\n",
988 &rfcomm_pi(sk)->src, &rfcomm_pi(sk)->dst,
989 sk->sk_state, rfcomm_pi(sk)->channel);
990 }
991
992 read_unlock(&rfcomm_sk_list.lock);
993
994 return 0;
995 }
996
997 DEFINE_SHOW_ATTRIBUTE(rfcomm_sock_debugfs);
998
999 static struct dentry *rfcomm_sock_debugfs;
1000
1001 static const struct proto_ops rfcomm_sock_ops = {
1002 .family = PF_BLUETOOTH,
1003 .owner = THIS_MODULE,
1004 .release = rfcomm_sock_release,
1005 .bind = rfcomm_sock_bind,
1006 .connect = rfcomm_sock_connect,
1007 .listen = rfcomm_sock_listen,
1008 .accept = rfcomm_sock_accept,
1009 .getname = rfcomm_sock_getname,
1010 .sendmsg = rfcomm_sock_sendmsg,
1011 .recvmsg = rfcomm_sock_recvmsg,
1012 .shutdown = rfcomm_sock_shutdown,
1013 .setsockopt = rfcomm_sock_setsockopt,
1014 .getsockopt = rfcomm_sock_getsockopt,
1015 .ioctl = rfcomm_sock_ioctl,
1016 .gettstamp = sock_gettstamp,
1017 .poll = bt_sock_poll,
1018 .socketpair = sock_no_socketpair,
1019 .mmap = sock_no_mmap
1020 };
1021
1022 static const struct net_proto_family rfcomm_sock_family_ops = {
1023 .family = PF_BLUETOOTH,
1024 .owner = THIS_MODULE,
1025 .create = rfcomm_sock_create
1026 };
1027
rfcomm_init_sockets(void)1028 int __init rfcomm_init_sockets(void)
1029 {
1030 int err;
1031
1032 BUILD_BUG_ON(sizeof(struct sockaddr_rc) > sizeof(struct sockaddr));
1033
1034 err = proto_register(&rfcomm_proto, 0);
1035 if (err < 0)
1036 return err;
1037
1038 err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops);
1039 if (err < 0) {
1040 BT_ERR("RFCOMM socket layer registration failed");
1041 goto error;
1042 }
1043
1044 err = bt_procfs_init(&init_net, "rfcomm", &rfcomm_sk_list, NULL);
1045 if (err < 0) {
1046 BT_ERR("Failed to create RFCOMM proc file");
1047 bt_sock_unregister(BTPROTO_RFCOMM);
1048 goto error;
1049 }
1050
1051 BT_INFO("RFCOMM socket layer initialized");
1052
1053 if (IS_ERR_OR_NULL(bt_debugfs))
1054 return 0;
1055
1056 rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444,
1057 bt_debugfs, NULL,
1058 &rfcomm_sock_debugfs_fops);
1059
1060 return 0;
1061
1062 error:
1063 proto_unregister(&rfcomm_proto);
1064 return err;
1065 }
1066
rfcomm_cleanup_sockets(void)1067 void __exit rfcomm_cleanup_sockets(void)
1068 {
1069 bt_procfs_cleanup(&init_net, "rfcomm");
1070
1071 debugfs_remove(rfcomm_sock_debugfs);
1072
1073 bt_sock_unregister(BTPROTO_RFCOMM);
1074
1075 proto_unregister(&rfcomm_proto);
1076 }
1077