1 /*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22 */
23
24 /*
25 * RFCOMM sockets.
26 */
27 #include <linux/compat.h>
28 #include <linux/export.h>
29 #include <linux/debugfs.h>
30 #include <linux/sched/signal.h>
31
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/l2cap.h>
35 #include <net/bluetooth/rfcomm.h>
36
37 static const struct proto_ops rfcomm_sock_ops;
38
39 static struct bt_sock_list rfcomm_sk_list = {
40 .lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock)
41 };
42
43 static void rfcomm_sock_close(struct sock *sk);
44 static void rfcomm_sock_kill(struct sock *sk);
45
46 /* ---- DLC callbacks ----
47 *
48 * called under rfcomm_dlc_lock()
49 */
rfcomm_sk_data_ready(struct rfcomm_dlc * d,struct sk_buff * skb)50 static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
51 {
52 struct sock *sk = d->owner;
53 if (!sk)
54 return;
55
56 atomic_add(skb->len, &sk->sk_rmem_alloc);
57 skb_queue_tail(&sk->sk_receive_queue, skb);
58 sk->sk_data_ready(sk);
59
60 if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
61 rfcomm_dlc_throttle(d);
62 }
63
rfcomm_sk_state_change(struct rfcomm_dlc * d,int err)64 static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
65 {
66 struct sock *sk = d->owner, *parent;
67
68 if (!sk)
69 return;
70
71 BT_DBG("dlc %p state %ld err %d", d, d->state, err);
72
73 lock_sock(sk);
74
75 if (err)
76 sk->sk_err = err;
77
78 sk->sk_state = d->state;
79
80 parent = bt_sk(sk)->parent;
81 if (parent) {
82 if (d->state == BT_CLOSED) {
83 sock_set_flag(sk, SOCK_ZAPPED);
84 bt_accept_unlink(sk);
85 }
86 parent->sk_data_ready(parent);
87 } else {
88 if (d->state == BT_CONNECTED)
89 rfcomm_session_getaddr(d->session,
90 &rfcomm_pi(sk)->src, NULL);
91 sk->sk_state_change(sk);
92 }
93
94 release_sock(sk);
95
96 if (parent && sock_flag(sk, SOCK_ZAPPED)) {
97 /* We have to drop DLC lock here, otherwise
98 * rfcomm_sock_destruct() will dead lock. */
99 rfcomm_dlc_unlock(d);
100 rfcomm_sock_kill(sk);
101 rfcomm_dlc_lock(d);
102 }
103 }
104
105 /* ---- Socket functions ---- */
__rfcomm_get_listen_sock_by_addr(u8 channel,bdaddr_t * src)106 static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
107 {
108 struct sock *sk = NULL;
109
110 sk_for_each(sk, &rfcomm_sk_list.head) {
111 if (rfcomm_pi(sk)->channel != channel)
112 continue;
113
114 if (bacmp(&rfcomm_pi(sk)->src, src))
115 continue;
116
117 if (sk->sk_state == BT_BOUND || sk->sk_state == BT_LISTEN)
118 break;
119 }
120
121 return sk ? sk : NULL;
122 }
123
124 /* Find socket with channel and source bdaddr.
125 * Returns closest match.
126 */
rfcomm_get_sock_by_channel(int state,u8 channel,bdaddr_t * src)127 static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
128 {
129 struct sock *sk = NULL, *sk1 = NULL;
130
131 read_lock(&rfcomm_sk_list.lock);
132
133 sk_for_each(sk, &rfcomm_sk_list.head) {
134 if (state && sk->sk_state != state)
135 continue;
136
137 if (rfcomm_pi(sk)->channel == channel) {
138 /* Exact match. */
139 if (!bacmp(&rfcomm_pi(sk)->src, src))
140 break;
141
142 /* Closest match */
143 if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY))
144 sk1 = sk;
145 }
146 }
147
148 read_unlock(&rfcomm_sk_list.lock);
149
150 return sk ? sk : sk1;
151 }
152
rfcomm_sock_destruct(struct sock * sk)153 static void rfcomm_sock_destruct(struct sock *sk)
154 {
155 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
156
157 BT_DBG("sk %p dlc %p", sk, d);
158
159 skb_queue_purge(&sk->sk_receive_queue);
160 skb_queue_purge(&sk->sk_write_queue);
161
162 rfcomm_dlc_lock(d);
163 rfcomm_pi(sk)->dlc = NULL;
164
165 /* Detach DLC if it's owned by this socket */
166 if (d->owner == sk)
167 d->owner = NULL;
168 rfcomm_dlc_unlock(d);
169
170 rfcomm_dlc_put(d);
171 }
172
rfcomm_sock_cleanup_listen(struct sock * parent)173 static void rfcomm_sock_cleanup_listen(struct sock *parent)
174 {
175 struct sock *sk;
176
177 BT_DBG("parent %p", parent);
178
179 /* Close not yet accepted dlcs */
180 while ((sk = bt_accept_dequeue(parent, NULL))) {
181 rfcomm_sock_close(sk);
182 rfcomm_sock_kill(sk);
183 }
184
185 parent->sk_state = BT_CLOSED;
186 sock_set_flag(parent, SOCK_ZAPPED);
187 }
188
189 /* Kill socket (only if zapped and orphan)
190 * Must be called on unlocked socket.
191 */
rfcomm_sock_kill(struct sock * sk)192 static void rfcomm_sock_kill(struct sock *sk)
193 {
194 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
195 return;
196
197 BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, refcount_read(&sk->sk_refcnt));
198
199 /* Kill poor orphan */
200 bt_sock_unlink(&rfcomm_sk_list, sk);
201 sock_set_flag(sk, SOCK_DEAD);
202 sock_put(sk);
203 }
204
__rfcomm_sock_close(struct sock * sk)205 static void __rfcomm_sock_close(struct sock *sk)
206 {
207 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
208
209 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
210
211 switch (sk->sk_state) {
212 case BT_LISTEN:
213 rfcomm_sock_cleanup_listen(sk);
214 break;
215
216 case BT_CONNECT:
217 case BT_CONNECT2:
218 case BT_CONFIG:
219 case BT_CONNECTED:
220 rfcomm_dlc_close(d, 0);
221 fallthrough;
222
223 default:
224 sock_set_flag(sk, SOCK_ZAPPED);
225 break;
226 }
227 }
228
229 /* Close socket.
230 * Must be called on unlocked socket.
231 */
rfcomm_sock_close(struct sock * sk)232 static void rfcomm_sock_close(struct sock *sk)
233 {
234 lock_sock(sk);
235 __rfcomm_sock_close(sk);
236 release_sock(sk);
237 }
238
rfcomm_sock_init(struct sock * sk,struct sock * parent)239 static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
240 {
241 struct rfcomm_pinfo *pi = rfcomm_pi(sk);
242
243 BT_DBG("sk %p", sk);
244
245 if (parent) {
246 sk->sk_type = parent->sk_type;
247 pi->dlc->defer_setup = test_bit(BT_SK_DEFER_SETUP,
248 &bt_sk(parent)->flags);
249
250 pi->sec_level = rfcomm_pi(parent)->sec_level;
251 pi->role_switch = rfcomm_pi(parent)->role_switch;
252
253 security_sk_clone(parent, sk);
254 } else {
255 pi->dlc->defer_setup = 0;
256
257 pi->sec_level = BT_SECURITY_LOW;
258 pi->role_switch = 0;
259 }
260
261 pi->dlc->sec_level = pi->sec_level;
262 pi->dlc->role_switch = pi->role_switch;
263 }
264
265 static struct proto rfcomm_proto = {
266 .name = "RFCOMM",
267 .owner = THIS_MODULE,
268 .obj_size = sizeof(struct rfcomm_pinfo)
269 };
270
rfcomm_sock_alloc(struct net * net,struct socket * sock,int proto,gfp_t prio,int kern)271 static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio, int kern)
272 {
273 struct rfcomm_dlc *d;
274 struct sock *sk;
275
276 sk = sk_alloc(net, PF_BLUETOOTH, prio, &rfcomm_proto, kern);
277 if (!sk)
278 return NULL;
279
280 sock_init_data(sock, sk);
281 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
282
283 d = rfcomm_dlc_alloc(prio);
284 if (!d) {
285 sk_free(sk);
286 return NULL;
287 }
288
289 d->data_ready = rfcomm_sk_data_ready;
290 d->state_change = rfcomm_sk_state_change;
291
292 rfcomm_pi(sk)->dlc = d;
293 d->owner = sk;
294
295 sk->sk_destruct = rfcomm_sock_destruct;
296 sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT;
297
298 sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
299 sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
300
301 sock_reset_flag(sk, SOCK_ZAPPED);
302
303 sk->sk_protocol = proto;
304 sk->sk_state = BT_OPEN;
305
306 bt_sock_link(&rfcomm_sk_list, sk);
307
308 BT_DBG("sk %p", sk);
309 return sk;
310 }
311
rfcomm_sock_create(struct net * net,struct socket * sock,int protocol,int kern)312 static int rfcomm_sock_create(struct net *net, struct socket *sock,
313 int protocol, int kern)
314 {
315 struct sock *sk;
316
317 BT_DBG("sock %p", sock);
318
319 sock->state = SS_UNCONNECTED;
320
321 if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW)
322 return -ESOCKTNOSUPPORT;
323
324 sock->ops = &rfcomm_sock_ops;
325
326 sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
327 if (!sk)
328 return -ENOMEM;
329
330 rfcomm_sock_init(sk, NULL);
331 return 0;
332 }
333
rfcomm_sock_bind(struct socket * sock,struct sockaddr * addr,int addr_len)334 static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
335 {
336 struct sockaddr_rc sa;
337 struct sock *sk = sock->sk;
338 int len, err = 0;
339
340 if (!addr || addr_len < offsetofend(struct sockaddr, sa_family) ||
341 addr->sa_family != AF_BLUETOOTH)
342 return -EINVAL;
343
344 memset(&sa, 0, sizeof(sa));
345 len = min_t(unsigned int, sizeof(sa), addr_len);
346 memcpy(&sa, addr, len);
347
348 BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);
349
350 lock_sock(sk);
351
352 if (sk->sk_state != BT_OPEN) {
353 err = -EBADFD;
354 goto done;
355 }
356
357 if (sk->sk_type != SOCK_STREAM) {
358 err = -EINVAL;
359 goto done;
360 }
361
362 write_lock(&rfcomm_sk_list.lock);
363
364 if (sa.rc_channel &&
365 __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
366 err = -EADDRINUSE;
367 } else {
368 /* Save source address */
369 bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr);
370 rfcomm_pi(sk)->channel = sa.rc_channel;
371 sk->sk_state = BT_BOUND;
372 }
373
374 write_unlock(&rfcomm_sk_list.lock);
375
376 done:
377 release_sock(sk);
378 return err;
379 }
380
rfcomm_sock_connect(struct socket * sock,struct sockaddr * addr,int alen,int flags)381 static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
382 {
383 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
384 struct sock *sk = sock->sk;
385 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
386 int err = 0;
387
388 BT_DBG("sk %p", sk);
389
390 if (alen < sizeof(struct sockaddr_rc) ||
391 addr->sa_family != AF_BLUETOOTH)
392 return -EINVAL;
393
394 lock_sock(sk);
395
396 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
397 err = -EBADFD;
398 goto done;
399 }
400
401 if (sk->sk_type != SOCK_STREAM) {
402 err = -EINVAL;
403 goto done;
404 }
405
406 sk->sk_state = BT_CONNECT;
407 bacpy(&rfcomm_pi(sk)->dst, &sa->rc_bdaddr);
408 rfcomm_pi(sk)->channel = sa->rc_channel;
409
410 d->sec_level = rfcomm_pi(sk)->sec_level;
411 d->role_switch = rfcomm_pi(sk)->role_switch;
412
413 err = rfcomm_dlc_open(d, &rfcomm_pi(sk)->src, &sa->rc_bdaddr,
414 sa->rc_channel);
415 if (!err)
416 err = bt_sock_wait_state(sk, BT_CONNECTED,
417 sock_sndtimeo(sk, flags & O_NONBLOCK));
418
419 done:
420 release_sock(sk);
421 return err;
422 }
423
rfcomm_sock_listen(struct socket * sock,int backlog)424 static int rfcomm_sock_listen(struct socket *sock, int backlog)
425 {
426 struct sock *sk = sock->sk;
427 int err = 0;
428
429 BT_DBG("sk %p backlog %d", sk, backlog);
430
431 lock_sock(sk);
432
433 if (sk->sk_state != BT_BOUND) {
434 err = -EBADFD;
435 goto done;
436 }
437
438 if (sk->sk_type != SOCK_STREAM) {
439 err = -EINVAL;
440 goto done;
441 }
442
443 if (!rfcomm_pi(sk)->channel) {
444 bdaddr_t *src = &rfcomm_pi(sk)->src;
445 u8 channel;
446
447 err = -EINVAL;
448
449 write_lock(&rfcomm_sk_list.lock);
450
451 for (channel = 1; channel < 31; channel++)
452 if (!__rfcomm_get_listen_sock_by_addr(channel, src)) {
453 rfcomm_pi(sk)->channel = channel;
454 err = 0;
455 break;
456 }
457
458 write_unlock(&rfcomm_sk_list.lock);
459
460 if (err < 0)
461 goto done;
462 }
463
464 sk->sk_max_ack_backlog = backlog;
465 sk->sk_ack_backlog = 0;
466 sk->sk_state = BT_LISTEN;
467
468 done:
469 release_sock(sk);
470 return err;
471 }
472
rfcomm_sock_accept(struct socket * sock,struct socket * newsock,int flags,bool kern)473 static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int flags,
474 bool kern)
475 {
476 DEFINE_WAIT_FUNC(wait, woken_wake_function);
477 struct sock *sk = sock->sk, *nsk;
478 long timeo;
479 int err = 0;
480
481 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
482
483 if (sk->sk_type != SOCK_STREAM) {
484 err = -EINVAL;
485 goto done;
486 }
487
488 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
489
490 BT_DBG("sk %p timeo %ld", sk, timeo);
491
492 /* Wait for an incoming connection. (wake-one). */
493 add_wait_queue_exclusive(sk_sleep(sk), &wait);
494 while (1) {
495 if (sk->sk_state != BT_LISTEN) {
496 err = -EBADFD;
497 break;
498 }
499
500 nsk = bt_accept_dequeue(sk, newsock);
501 if (nsk)
502 break;
503
504 if (!timeo) {
505 err = -EAGAIN;
506 break;
507 }
508
509 if (signal_pending(current)) {
510 err = sock_intr_errno(timeo);
511 break;
512 }
513
514 release_sock(sk);
515
516 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
517
518 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
519 }
520 remove_wait_queue(sk_sleep(sk), &wait);
521
522 if (err)
523 goto done;
524
525 newsock->state = SS_CONNECTED;
526
527 BT_DBG("new socket %p", nsk);
528
529 done:
530 release_sock(sk);
531 return err;
532 }
533
rfcomm_sock_getname(struct socket * sock,struct sockaddr * addr,int peer)534 static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int peer)
535 {
536 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
537 struct sock *sk = sock->sk;
538
539 BT_DBG("sock %p, sk %p", sock, sk);
540
541 if (peer && sk->sk_state != BT_CONNECTED &&
542 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2)
543 return -ENOTCONN;
544
545 memset(sa, 0, sizeof(*sa));
546 sa->rc_family = AF_BLUETOOTH;
547 sa->rc_channel = rfcomm_pi(sk)->channel;
548 if (peer)
549 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->dst);
550 else
551 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->src);
552
553 return sizeof(struct sockaddr_rc);
554 }
555
rfcomm_sock_sendmsg(struct socket * sock,struct msghdr * msg,size_t len)556 static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg,
557 size_t len)
558 {
559 struct sock *sk = sock->sk;
560 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
561 struct sk_buff *skb;
562 int sent;
563
564 if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
565 return -ENOTCONN;
566
567 if (msg->msg_flags & MSG_OOB)
568 return -EOPNOTSUPP;
569
570 if (sk->sk_shutdown & SEND_SHUTDOWN)
571 return -EPIPE;
572
573 BT_DBG("sock %p, sk %p", sock, sk);
574
575 lock_sock(sk);
576
577 sent = bt_sock_wait_ready(sk, msg->msg_flags);
578
579 release_sock(sk);
580
581 if (sent)
582 return sent;
583
584 skb = bt_skb_sendmmsg(sk, msg, len, d->mtu, RFCOMM_SKB_HEAD_RESERVE,
585 RFCOMM_SKB_TAIL_RESERVE);
586 if (IS_ERR(skb))
587 return PTR_ERR(skb);
588
589 sent = rfcomm_dlc_send(d, skb);
590 if (sent < 0)
591 kfree_skb(skb);
592
593 return sent;
594 }
595
rfcomm_sock_recvmsg(struct socket * sock,struct msghdr * msg,size_t size,int flags)596 static int rfcomm_sock_recvmsg(struct socket *sock, struct msghdr *msg,
597 size_t size, int flags)
598 {
599 struct sock *sk = sock->sk;
600 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
601 int len;
602
603 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
604 rfcomm_dlc_accept(d);
605 return 0;
606 }
607
608 len = bt_sock_stream_recvmsg(sock, msg, size, flags);
609
610 lock_sock(sk);
611 if (!(flags & MSG_PEEK) && len > 0)
612 atomic_sub(len, &sk->sk_rmem_alloc);
613
614 if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2))
615 rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc);
616 release_sock(sk);
617
618 return len;
619 }
620
rfcomm_sock_setsockopt_old(struct socket * sock,int optname,sockptr_t optval,unsigned int optlen)621 static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname,
622 sockptr_t optval, unsigned int optlen)
623 {
624 struct sock *sk = sock->sk;
625 int err = 0;
626 u32 opt;
627
628 BT_DBG("sk %p", sk);
629
630 lock_sock(sk);
631
632 switch (optname) {
633 case RFCOMM_LM:
634 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
635 err = -EFAULT;
636 break;
637 }
638
639 if (opt & RFCOMM_LM_FIPS) {
640 err = -EINVAL;
641 break;
642 }
643
644 if (opt & RFCOMM_LM_AUTH)
645 rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
646 if (opt & RFCOMM_LM_ENCRYPT)
647 rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
648 if (opt & RFCOMM_LM_SECURE)
649 rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;
650
651 rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
652 break;
653
654 default:
655 err = -ENOPROTOOPT;
656 break;
657 }
658
659 release_sock(sk);
660 return err;
661 }
662
rfcomm_sock_setsockopt(struct socket * sock,int level,int optname,sockptr_t optval,unsigned int optlen)663 static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname,
664 sockptr_t optval, unsigned int optlen)
665 {
666 struct sock *sk = sock->sk;
667 struct bt_security sec;
668 int err = 0;
669 size_t len;
670 u32 opt;
671
672 BT_DBG("sk %p", sk);
673
674 if (level == SOL_RFCOMM)
675 return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);
676
677 if (level != SOL_BLUETOOTH)
678 return -ENOPROTOOPT;
679
680 lock_sock(sk);
681
682 switch (optname) {
683 case BT_SECURITY:
684 if (sk->sk_type != SOCK_STREAM) {
685 err = -EINVAL;
686 break;
687 }
688
689 sec.level = BT_SECURITY_LOW;
690
691 len = min_t(unsigned int, sizeof(sec), optlen);
692 if (copy_from_sockptr(&sec, optval, len)) {
693 err = -EFAULT;
694 break;
695 }
696
697 if (sec.level > BT_SECURITY_HIGH) {
698 err = -EINVAL;
699 break;
700 }
701
702 rfcomm_pi(sk)->sec_level = sec.level;
703 break;
704
705 case BT_DEFER_SETUP:
706 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
707 err = -EINVAL;
708 break;
709 }
710
711 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
712 err = -EFAULT;
713 break;
714 }
715
716 if (opt)
717 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
718 else
719 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
720
721 break;
722
723 default:
724 err = -ENOPROTOOPT;
725 break;
726 }
727
728 release_sock(sk);
729 return err;
730 }
731
rfcomm_sock_getsockopt_old(struct socket * sock,int optname,char __user * optval,int __user * optlen)732 static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
733 {
734 struct sock *sk = sock->sk;
735 struct sock *l2cap_sk;
736 struct l2cap_conn *conn;
737 struct rfcomm_conninfo cinfo;
738 int len, err = 0;
739 u32 opt;
740
741 BT_DBG("sk %p", sk);
742
743 if (get_user(len, optlen))
744 return -EFAULT;
745
746 lock_sock(sk);
747
748 switch (optname) {
749 case RFCOMM_LM:
750 switch (rfcomm_pi(sk)->sec_level) {
751 case BT_SECURITY_LOW:
752 opt = RFCOMM_LM_AUTH;
753 break;
754 case BT_SECURITY_MEDIUM:
755 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
756 break;
757 case BT_SECURITY_HIGH:
758 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
759 RFCOMM_LM_SECURE;
760 break;
761 case BT_SECURITY_FIPS:
762 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
763 RFCOMM_LM_SECURE | RFCOMM_LM_FIPS;
764 break;
765 default:
766 opt = 0;
767 break;
768 }
769
770 if (rfcomm_pi(sk)->role_switch)
771 opt |= RFCOMM_LM_MASTER;
772
773 if (put_user(opt, (u32 __user *) optval))
774 err = -EFAULT;
775
776 break;
777
778 case RFCOMM_CONNINFO:
779 if (sk->sk_state != BT_CONNECTED &&
780 !rfcomm_pi(sk)->dlc->defer_setup) {
781 err = -ENOTCONN;
782 break;
783 }
784
785 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
786 conn = l2cap_pi(l2cap_sk)->chan->conn;
787
788 memset(&cinfo, 0, sizeof(cinfo));
789 cinfo.hci_handle = conn->hcon->handle;
790 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
791
792 len = min_t(unsigned int, len, sizeof(cinfo));
793 if (copy_to_user(optval, (char *) &cinfo, len))
794 err = -EFAULT;
795
796 break;
797
798 default:
799 err = -ENOPROTOOPT;
800 break;
801 }
802
803 release_sock(sk);
804 return err;
805 }
806
rfcomm_sock_getsockopt(struct socket * sock,int level,int optname,char __user * optval,int __user * optlen)807 static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
808 {
809 struct sock *sk = sock->sk;
810 struct bt_security sec;
811 int len, err = 0;
812
813 BT_DBG("sk %p", sk);
814
815 if (level == SOL_RFCOMM)
816 return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen);
817
818 if (level != SOL_BLUETOOTH)
819 return -ENOPROTOOPT;
820
821 if (get_user(len, optlen))
822 return -EFAULT;
823
824 lock_sock(sk);
825
826 switch (optname) {
827 case BT_SECURITY:
828 if (sk->sk_type != SOCK_STREAM) {
829 err = -EINVAL;
830 break;
831 }
832
833 sec.level = rfcomm_pi(sk)->sec_level;
834 sec.key_size = 0;
835
836 len = min_t(unsigned int, len, sizeof(sec));
837 if (copy_to_user(optval, (char *) &sec, len))
838 err = -EFAULT;
839
840 break;
841
842 case BT_DEFER_SETUP:
843 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
844 err = -EINVAL;
845 break;
846 }
847
848 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
849 (u32 __user *) optval))
850 err = -EFAULT;
851
852 break;
853
854 default:
855 err = -ENOPROTOOPT;
856 break;
857 }
858
859 release_sock(sk);
860 return err;
861 }
862
rfcomm_sock_ioctl(struct socket * sock,unsigned int cmd,unsigned long arg)863 static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
864 {
865 struct sock *sk __maybe_unused = sock->sk;
866 int err;
867
868 BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg);
869
870 err = bt_sock_ioctl(sock, cmd, arg);
871
872 if (err == -ENOIOCTLCMD) {
873 #ifdef CONFIG_BT_RFCOMM_TTY
874 lock_sock(sk);
875 err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
876 release_sock(sk);
877 #else
878 err = -EOPNOTSUPP;
879 #endif
880 }
881
882 return err;
883 }
884
885 #ifdef CONFIG_COMPAT
rfcomm_sock_compat_ioctl(struct socket * sock,unsigned int cmd,unsigned long arg)886 static int rfcomm_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
887 {
888 return rfcomm_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg));
889 }
890 #endif
891
rfcomm_sock_shutdown(struct socket * sock,int how)892 static int rfcomm_sock_shutdown(struct socket *sock, int how)
893 {
894 struct sock *sk = sock->sk;
895 int err = 0;
896
897 BT_DBG("sock %p, sk %p", sock, sk);
898
899 if (!sk)
900 return 0;
901
902 lock_sock(sk);
903 if (!sk->sk_shutdown) {
904 sk->sk_shutdown = SHUTDOWN_MASK;
905
906 release_sock(sk);
907 __rfcomm_sock_close(sk);
908 lock_sock(sk);
909
910 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
911 !(current->flags & PF_EXITING))
912 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
913 }
914 release_sock(sk);
915 return err;
916 }
917
rfcomm_sock_release(struct socket * sock)918 static int rfcomm_sock_release(struct socket *sock)
919 {
920 struct sock *sk = sock->sk;
921 int err;
922
923 BT_DBG("sock %p, sk %p", sock, sk);
924
925 if (!sk)
926 return 0;
927
928 err = rfcomm_sock_shutdown(sock, 2);
929
930 sock_orphan(sk);
931 rfcomm_sock_kill(sk);
932 return err;
933 }
934
935 /* ---- RFCOMM core layer callbacks ----
936 *
937 * called under rfcomm_lock()
938 */
rfcomm_connect_ind(struct rfcomm_session * s,u8 channel,struct rfcomm_dlc ** d)939 int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d)
940 {
941 struct sock *sk, *parent;
942 bdaddr_t src, dst;
943 int result = 0;
944
945 BT_DBG("session %p channel %d", s, channel);
946
947 rfcomm_session_getaddr(s, &src, &dst);
948
949 /* Check if we have socket listening on channel */
950 parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src);
951 if (!parent)
952 return 0;
953
954 lock_sock(parent);
955
956 /* Check for backlog size */
957 if (sk_acceptq_is_full(parent)) {
958 BT_DBG("backlog full %d", parent->sk_ack_backlog);
959 goto done;
960 }
961
962 sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC, 0);
963 if (!sk)
964 goto done;
965
966 bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM);
967
968 rfcomm_sock_init(sk, parent);
969 bacpy(&rfcomm_pi(sk)->src, &src);
970 bacpy(&rfcomm_pi(sk)->dst, &dst);
971 rfcomm_pi(sk)->channel = channel;
972
973 sk->sk_state = BT_CONFIG;
974 bt_accept_enqueue(parent, sk, true);
975
976 /* Accept connection and return socket DLC */
977 *d = rfcomm_pi(sk)->dlc;
978 result = 1;
979
980 done:
981 release_sock(parent);
982
983 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
984 parent->sk_state_change(parent);
985
986 return result;
987 }
988
rfcomm_sock_debugfs_show(struct seq_file * f,void * p)989 static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
990 {
991 struct sock *sk;
992
993 read_lock(&rfcomm_sk_list.lock);
994
995 sk_for_each(sk, &rfcomm_sk_list.head) {
996 seq_printf(f, "%pMR %pMR %d %d\n",
997 &rfcomm_pi(sk)->src, &rfcomm_pi(sk)->dst,
998 sk->sk_state, rfcomm_pi(sk)->channel);
999 }
1000
1001 read_unlock(&rfcomm_sk_list.lock);
1002
1003 return 0;
1004 }
1005
1006 DEFINE_SHOW_ATTRIBUTE(rfcomm_sock_debugfs);
1007
1008 static struct dentry *rfcomm_sock_debugfs;
1009
1010 static const struct proto_ops rfcomm_sock_ops = {
1011 .family = PF_BLUETOOTH,
1012 .owner = THIS_MODULE,
1013 .release = rfcomm_sock_release,
1014 .bind = rfcomm_sock_bind,
1015 .connect = rfcomm_sock_connect,
1016 .listen = rfcomm_sock_listen,
1017 .accept = rfcomm_sock_accept,
1018 .getname = rfcomm_sock_getname,
1019 .sendmsg = rfcomm_sock_sendmsg,
1020 .recvmsg = rfcomm_sock_recvmsg,
1021 .shutdown = rfcomm_sock_shutdown,
1022 .setsockopt = rfcomm_sock_setsockopt,
1023 .getsockopt = rfcomm_sock_getsockopt,
1024 .ioctl = rfcomm_sock_ioctl,
1025 .gettstamp = sock_gettstamp,
1026 .poll = bt_sock_poll,
1027 .socketpair = sock_no_socketpair,
1028 .mmap = sock_no_mmap,
1029 #ifdef CONFIG_COMPAT
1030 .compat_ioctl = rfcomm_sock_compat_ioctl,
1031 #endif
1032 };
1033
1034 static const struct net_proto_family rfcomm_sock_family_ops = {
1035 .family = PF_BLUETOOTH,
1036 .owner = THIS_MODULE,
1037 .create = rfcomm_sock_create
1038 };
1039
rfcomm_init_sockets(void)1040 int __init rfcomm_init_sockets(void)
1041 {
1042 int err;
1043
1044 BUILD_BUG_ON(sizeof(struct sockaddr_rc) > sizeof(struct sockaddr));
1045
1046 err = proto_register(&rfcomm_proto, 0);
1047 if (err < 0)
1048 return err;
1049
1050 err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops);
1051 if (err < 0) {
1052 BT_ERR("RFCOMM socket layer registration failed");
1053 goto error;
1054 }
1055
1056 err = bt_procfs_init(&init_net, "rfcomm", &rfcomm_sk_list, NULL);
1057 if (err < 0) {
1058 BT_ERR("Failed to create RFCOMM proc file");
1059 bt_sock_unregister(BTPROTO_RFCOMM);
1060 goto error;
1061 }
1062
1063 BT_INFO("RFCOMM socket layer initialized");
1064
1065 if (IS_ERR_OR_NULL(bt_debugfs))
1066 return 0;
1067
1068 rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444,
1069 bt_debugfs, NULL,
1070 &rfcomm_sock_debugfs_fops);
1071
1072 return 0;
1073
1074 error:
1075 proto_unregister(&rfcomm_proto);
1076 return err;
1077 }
1078
rfcomm_cleanup_sockets(void)1079 void __exit rfcomm_cleanup_sockets(void)
1080 {
1081 bt_procfs_cleanup(&init_net, "rfcomm");
1082
1083 debugfs_remove(rfcomm_sock_debugfs);
1084
1085 bt_sock_unregister(BTPROTO_RFCOMM);
1086
1087 proto_unregister(&rfcomm_proto);
1088 }
1089
