1 /*
2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5 
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9 
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23 
24 /*
25  * RFCOMM sockets.
26  */
27 #include <linux/compat.h>
28 #include <linux/export.h>
29 #include <linux/debugfs.h>
30 #include <linux/sched/signal.h>
31 
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/l2cap.h>
35 #include <net/bluetooth/rfcomm.h>
36 
37 static const struct proto_ops rfcomm_sock_ops;
38 
39 static struct bt_sock_list rfcomm_sk_list = {
40 	.lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock)
41 };
42 
43 static void rfcomm_sock_close(struct sock *sk);
44 static void rfcomm_sock_kill(struct sock *sk);
45 
46 /* ---- DLC callbacks ----
47  *
48  * called under rfcomm_dlc_lock()
49  */
rfcomm_sk_data_ready(struct rfcomm_dlc * d,struct sk_buff * skb)50 static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
51 {
52 	struct sock *sk = d->owner;
53 	if (!sk)
54 		return;
55 
56 	atomic_add(skb->len, &sk->sk_rmem_alloc);
57 	skb_queue_tail(&sk->sk_receive_queue, skb);
58 	sk->sk_data_ready(sk);
59 
60 	if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
61 		rfcomm_dlc_throttle(d);
62 }
63 
rfcomm_sk_state_change(struct rfcomm_dlc * d,int err)64 static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
65 {
66 	struct sock *sk = d->owner, *parent;
67 
68 	if (!sk)
69 		return;
70 
71 	BT_DBG("dlc %p state %ld err %d", d, d->state, err);
72 
73 	lock_sock(sk);
74 
75 	if (err)
76 		sk->sk_err = err;
77 
78 	sk->sk_state = d->state;
79 
80 	parent = bt_sk(sk)->parent;
81 	if (parent) {
82 		if (d->state == BT_CLOSED) {
83 			sock_set_flag(sk, SOCK_ZAPPED);
84 			bt_accept_unlink(sk);
85 		}
86 		parent->sk_data_ready(parent);
87 	} else {
88 		if (d->state == BT_CONNECTED)
89 			rfcomm_session_getaddr(d->session,
90 					       &rfcomm_pi(sk)->src, NULL);
91 		sk->sk_state_change(sk);
92 	}
93 
94 	release_sock(sk);
95 
96 	if (parent && sock_flag(sk, SOCK_ZAPPED)) {
97 		/* We have to drop DLC lock here, otherwise
98 		 * rfcomm_sock_destruct() will dead lock. */
99 		rfcomm_dlc_unlock(d);
100 		rfcomm_sock_kill(sk);
101 		rfcomm_dlc_lock(d);
102 	}
103 }
104 
105 /* ---- Socket functions ---- */
__rfcomm_get_listen_sock_by_addr(u8 channel,bdaddr_t * src)106 static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
107 {
108 	struct sock *sk = NULL;
109 
110 	sk_for_each(sk, &rfcomm_sk_list.head) {
111 		if (rfcomm_pi(sk)->channel != channel)
112 			continue;
113 
114 		if (bacmp(&rfcomm_pi(sk)->src, src))
115 			continue;
116 
117 		if (sk->sk_state == BT_BOUND || sk->sk_state == BT_LISTEN)
118 			break;
119 	}
120 
121 	return sk ? sk : NULL;
122 }
123 
124 /* Find socket with channel and source bdaddr.
125  * Returns closest match.
126  */
rfcomm_get_sock_by_channel(int state,u8 channel,bdaddr_t * src)127 static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
128 {
129 	struct sock *sk = NULL, *sk1 = NULL;
130 
131 	read_lock(&rfcomm_sk_list.lock);
132 
133 	sk_for_each(sk, &rfcomm_sk_list.head) {
134 		if (state && sk->sk_state != state)
135 			continue;
136 
137 		if (rfcomm_pi(sk)->channel == channel) {
138 			/* Exact match. */
139 			if (!bacmp(&rfcomm_pi(sk)->src, src))
140 				break;
141 
142 			/* Closest match */
143 			if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY))
144 				sk1 = sk;
145 		}
146 	}
147 
148 	read_unlock(&rfcomm_sk_list.lock);
149 
150 	return sk ? sk : sk1;
151 }
152 
rfcomm_sock_destruct(struct sock * sk)153 static void rfcomm_sock_destruct(struct sock *sk)
154 {
155 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
156 
157 	BT_DBG("sk %p dlc %p", sk, d);
158 
159 	skb_queue_purge(&sk->sk_receive_queue);
160 	skb_queue_purge(&sk->sk_write_queue);
161 
162 	rfcomm_dlc_lock(d);
163 	rfcomm_pi(sk)->dlc = NULL;
164 
165 	/* Detach DLC if it's owned by this socket */
166 	if (d->owner == sk)
167 		d->owner = NULL;
168 	rfcomm_dlc_unlock(d);
169 
170 	rfcomm_dlc_put(d);
171 }
172 
rfcomm_sock_cleanup_listen(struct sock * parent)173 static void rfcomm_sock_cleanup_listen(struct sock *parent)
174 {
175 	struct sock *sk;
176 
177 	BT_DBG("parent %p", parent);
178 
179 	/* Close not yet accepted dlcs */
180 	while ((sk = bt_accept_dequeue(parent, NULL))) {
181 		rfcomm_sock_close(sk);
182 		rfcomm_sock_kill(sk);
183 	}
184 
185 	parent->sk_state  = BT_CLOSED;
186 	sock_set_flag(parent, SOCK_ZAPPED);
187 }
188 
189 /* Kill socket (only if zapped and orphan)
190  * Must be called on unlocked socket.
191  */
rfcomm_sock_kill(struct sock * sk)192 static void rfcomm_sock_kill(struct sock *sk)
193 {
194 	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
195 		return;
196 
197 	BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, refcount_read(&sk->sk_refcnt));
198 
199 	/* Kill poor orphan */
200 	bt_sock_unlink(&rfcomm_sk_list, sk);
201 	sock_set_flag(sk, SOCK_DEAD);
202 	sock_put(sk);
203 }
204 
__rfcomm_sock_close(struct sock * sk)205 static void __rfcomm_sock_close(struct sock *sk)
206 {
207 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
208 
209 	BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
210 
211 	switch (sk->sk_state) {
212 	case BT_LISTEN:
213 		rfcomm_sock_cleanup_listen(sk);
214 		break;
215 
216 	case BT_CONNECT:
217 	case BT_CONNECT2:
218 	case BT_CONFIG:
219 	case BT_CONNECTED:
220 		rfcomm_dlc_close(d, 0);
221 		fallthrough;
222 
223 	default:
224 		sock_set_flag(sk, SOCK_ZAPPED);
225 		break;
226 	}
227 }
228 
229 /* Close socket.
230  * Must be called on unlocked socket.
231  */
rfcomm_sock_close(struct sock * sk)232 static void rfcomm_sock_close(struct sock *sk)
233 {
234 	lock_sock(sk);
235 	__rfcomm_sock_close(sk);
236 	release_sock(sk);
237 }
238 
rfcomm_sock_init(struct sock * sk,struct sock * parent)239 static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
240 {
241 	struct rfcomm_pinfo *pi = rfcomm_pi(sk);
242 
243 	BT_DBG("sk %p", sk);
244 
245 	if (parent) {
246 		sk->sk_type = parent->sk_type;
247 		pi->dlc->defer_setup = test_bit(BT_SK_DEFER_SETUP,
248 						&bt_sk(parent)->flags);
249 
250 		pi->sec_level = rfcomm_pi(parent)->sec_level;
251 		pi->role_switch = rfcomm_pi(parent)->role_switch;
252 
253 		security_sk_clone(parent, sk);
254 	} else {
255 		pi->dlc->defer_setup = 0;
256 
257 		pi->sec_level = BT_SECURITY_LOW;
258 		pi->role_switch = 0;
259 	}
260 
261 	pi->dlc->sec_level = pi->sec_level;
262 	pi->dlc->role_switch = pi->role_switch;
263 }
264 
265 static struct proto rfcomm_proto = {
266 	.name		= "RFCOMM",
267 	.owner		= THIS_MODULE,
268 	.obj_size	= sizeof(struct rfcomm_pinfo)
269 };
270 
rfcomm_sock_alloc(struct net * net,struct socket * sock,int proto,gfp_t prio,int kern)271 static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock,
272 				      int proto, gfp_t prio, int kern)
273 {
274 	struct rfcomm_dlc *d;
275 	struct sock *sk;
276 
277 	sk = bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern);
278 	if (!sk)
279 		return NULL;
280 
281 	d = rfcomm_dlc_alloc(prio);
282 	if (!d) {
283 		sk_free(sk);
284 		return NULL;
285 	}
286 
287 	d->data_ready   = rfcomm_sk_data_ready;
288 	d->state_change = rfcomm_sk_state_change;
289 
290 	rfcomm_pi(sk)->dlc = d;
291 	d->owner = sk;
292 
293 	sk->sk_destruct = rfcomm_sock_destruct;
294 	sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT;
295 
296 	sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
297 	sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
298 
299 	bt_sock_link(&rfcomm_sk_list, sk);
300 
301 	BT_DBG("sk %p", sk);
302 	return sk;
303 }
304 
rfcomm_sock_create(struct net * net,struct socket * sock,int protocol,int kern)305 static int rfcomm_sock_create(struct net *net, struct socket *sock,
306 			      int protocol, int kern)
307 {
308 	struct sock *sk;
309 
310 	BT_DBG("sock %p", sock);
311 
312 	sock->state = SS_UNCONNECTED;
313 
314 	if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW)
315 		return -ESOCKTNOSUPPORT;
316 
317 	sock->ops = &rfcomm_sock_ops;
318 
319 	sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
320 	if (!sk)
321 		return -ENOMEM;
322 
323 	rfcomm_sock_init(sk, NULL);
324 	return 0;
325 }
326 
rfcomm_sock_bind(struct socket * sock,struct sockaddr * addr,int addr_len)327 static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
328 {
329 	struct sockaddr_rc sa;
330 	struct sock *sk = sock->sk;
331 	int len, err = 0;
332 
333 	if (!addr || addr_len < offsetofend(struct sockaddr, sa_family) ||
334 	    addr->sa_family != AF_BLUETOOTH)
335 		return -EINVAL;
336 
337 	memset(&sa, 0, sizeof(sa));
338 	len = min_t(unsigned int, sizeof(sa), addr_len);
339 	memcpy(&sa, addr, len);
340 
341 	BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);
342 
343 	lock_sock(sk);
344 
345 	if (sk->sk_state != BT_OPEN) {
346 		err = -EBADFD;
347 		goto done;
348 	}
349 
350 	if (sk->sk_type != SOCK_STREAM) {
351 		err = -EINVAL;
352 		goto done;
353 	}
354 
355 	write_lock(&rfcomm_sk_list.lock);
356 
357 	if (sa.rc_channel &&
358 	    __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
359 		err = -EADDRINUSE;
360 	} else {
361 		/* Save source address */
362 		bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr);
363 		rfcomm_pi(sk)->channel = sa.rc_channel;
364 		sk->sk_state = BT_BOUND;
365 	}
366 
367 	write_unlock(&rfcomm_sk_list.lock);
368 
369 done:
370 	release_sock(sk);
371 	return err;
372 }
373 
rfcomm_sock_connect(struct socket * sock,struct sockaddr * addr,int alen,int flags)374 static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
375 {
376 	struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
377 	struct sock *sk = sock->sk;
378 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
379 	int err = 0;
380 
381 	BT_DBG("sk %p", sk);
382 
383 	if (alen < sizeof(struct sockaddr_rc) ||
384 	    addr->sa_family != AF_BLUETOOTH)
385 		return -EINVAL;
386 
387 	sock_hold(sk);
388 	lock_sock(sk);
389 
390 	if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
391 		err = -EBADFD;
392 		goto done;
393 	}
394 
395 	if (sk->sk_type != SOCK_STREAM) {
396 		err = -EINVAL;
397 		goto done;
398 	}
399 
400 	sk->sk_state = BT_CONNECT;
401 	bacpy(&rfcomm_pi(sk)->dst, &sa->rc_bdaddr);
402 	rfcomm_pi(sk)->channel = sa->rc_channel;
403 
404 	d->sec_level = rfcomm_pi(sk)->sec_level;
405 	d->role_switch = rfcomm_pi(sk)->role_switch;
406 
407 	/* Drop sock lock to avoid potential deadlock with the RFCOMM lock */
408 	release_sock(sk);
409 	err = rfcomm_dlc_open(d, &rfcomm_pi(sk)->src, &sa->rc_bdaddr,
410 			      sa->rc_channel);
411 	lock_sock(sk);
412 	if (!err && !sock_flag(sk, SOCK_ZAPPED))
413 		err = bt_sock_wait_state(sk, BT_CONNECTED,
414 				sock_sndtimeo(sk, flags & O_NONBLOCK));
415 
416 done:
417 	release_sock(sk);
418 	sock_put(sk);
419 	return err;
420 }
421 
rfcomm_sock_listen(struct socket * sock,int backlog)422 static int rfcomm_sock_listen(struct socket *sock, int backlog)
423 {
424 	struct sock *sk = sock->sk;
425 	int err = 0;
426 
427 	BT_DBG("sk %p backlog %d", sk, backlog);
428 
429 	lock_sock(sk);
430 
431 	if (sk->sk_state != BT_BOUND) {
432 		err = -EBADFD;
433 		goto done;
434 	}
435 
436 	if (sk->sk_type != SOCK_STREAM) {
437 		err = -EINVAL;
438 		goto done;
439 	}
440 
441 	if (!rfcomm_pi(sk)->channel) {
442 		bdaddr_t *src = &rfcomm_pi(sk)->src;
443 		u8 channel;
444 
445 		err = -EINVAL;
446 
447 		write_lock(&rfcomm_sk_list.lock);
448 
449 		for (channel = 1; channel < 31; channel++)
450 			if (!__rfcomm_get_listen_sock_by_addr(channel, src)) {
451 				rfcomm_pi(sk)->channel = channel;
452 				err = 0;
453 				break;
454 			}
455 
456 		write_unlock(&rfcomm_sk_list.lock);
457 
458 		if (err < 0)
459 			goto done;
460 	}
461 
462 	sk->sk_max_ack_backlog = backlog;
463 	sk->sk_ack_backlog = 0;
464 	sk->sk_state = BT_LISTEN;
465 
466 done:
467 	release_sock(sk);
468 	return err;
469 }
470 
rfcomm_sock_accept(struct socket * sock,struct socket * newsock,int flags,bool kern)471 static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int flags,
472 			      bool kern)
473 {
474 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
475 	struct sock *sk = sock->sk, *nsk;
476 	long timeo;
477 	int err = 0;
478 
479 	lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
480 
481 	if (sk->sk_type != SOCK_STREAM) {
482 		err = -EINVAL;
483 		goto done;
484 	}
485 
486 	timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
487 
488 	BT_DBG("sk %p timeo %ld", sk, timeo);
489 
490 	/* Wait for an incoming connection. (wake-one). */
491 	add_wait_queue_exclusive(sk_sleep(sk), &wait);
492 	while (1) {
493 		if (sk->sk_state != BT_LISTEN) {
494 			err = -EBADFD;
495 			break;
496 		}
497 
498 		nsk = bt_accept_dequeue(sk, newsock);
499 		if (nsk)
500 			break;
501 
502 		if (!timeo) {
503 			err = -EAGAIN;
504 			break;
505 		}
506 
507 		if (signal_pending(current)) {
508 			err = sock_intr_errno(timeo);
509 			break;
510 		}
511 
512 		release_sock(sk);
513 
514 		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
515 
516 		lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
517 	}
518 	remove_wait_queue(sk_sleep(sk), &wait);
519 
520 	if (err)
521 		goto done;
522 
523 	newsock->state = SS_CONNECTED;
524 
525 	BT_DBG("new socket %p", nsk);
526 
527 done:
528 	release_sock(sk);
529 	return err;
530 }
531 
rfcomm_sock_getname(struct socket * sock,struct sockaddr * addr,int peer)532 static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int peer)
533 {
534 	struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
535 	struct sock *sk = sock->sk;
536 
537 	BT_DBG("sock %p, sk %p", sock, sk);
538 
539 	if (peer && sk->sk_state != BT_CONNECTED &&
540 	    sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2)
541 		return -ENOTCONN;
542 
543 	memset(sa, 0, sizeof(*sa));
544 	sa->rc_family  = AF_BLUETOOTH;
545 	sa->rc_channel = rfcomm_pi(sk)->channel;
546 	if (peer)
547 		bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->dst);
548 	else
549 		bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->src);
550 
551 	return sizeof(struct sockaddr_rc);
552 }
553 
rfcomm_sock_sendmsg(struct socket * sock,struct msghdr * msg,size_t len)554 static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg,
555 			       size_t len)
556 {
557 	struct sock *sk = sock->sk;
558 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
559 	struct sk_buff *skb;
560 	int sent;
561 
562 	if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
563 		return -ENOTCONN;
564 
565 	if (msg->msg_flags & MSG_OOB)
566 		return -EOPNOTSUPP;
567 
568 	if (sk->sk_shutdown & SEND_SHUTDOWN)
569 		return -EPIPE;
570 
571 	BT_DBG("sock %p, sk %p", sock, sk);
572 
573 	lock_sock(sk);
574 
575 	sent = bt_sock_wait_ready(sk, msg->msg_flags);
576 
577 	release_sock(sk);
578 
579 	if (sent)
580 		return sent;
581 
582 	skb = bt_skb_sendmmsg(sk, msg, len, d->mtu, RFCOMM_SKB_HEAD_RESERVE,
583 			      RFCOMM_SKB_TAIL_RESERVE);
584 	if (IS_ERR(skb))
585 		return PTR_ERR(skb);
586 
587 	sent = rfcomm_dlc_send(d, skb);
588 	if (sent < 0)
589 		kfree_skb(skb);
590 
591 	return sent;
592 }
593 
rfcomm_sock_recvmsg(struct socket * sock,struct msghdr * msg,size_t size,int flags)594 static int rfcomm_sock_recvmsg(struct socket *sock, struct msghdr *msg,
595 			       size_t size, int flags)
596 {
597 	struct sock *sk = sock->sk;
598 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
599 	int len;
600 
601 	if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
602 		rfcomm_dlc_accept(d);
603 		return 0;
604 	}
605 
606 	len = bt_sock_stream_recvmsg(sock, msg, size, flags);
607 
608 	lock_sock(sk);
609 	if (!(flags & MSG_PEEK) && len > 0)
610 		atomic_sub(len, &sk->sk_rmem_alloc);
611 
612 	if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2))
613 		rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc);
614 	release_sock(sk);
615 
616 	return len;
617 }
618 
rfcomm_sock_setsockopt_old(struct socket * sock,int optname,sockptr_t optval,unsigned int optlen)619 static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname,
620 		sockptr_t optval, unsigned int optlen)
621 {
622 	struct sock *sk = sock->sk;
623 	int err = 0;
624 	u32 opt;
625 
626 	BT_DBG("sk %p", sk);
627 
628 	lock_sock(sk);
629 
630 	switch (optname) {
631 	case RFCOMM_LM:
632 		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
633 			err = -EFAULT;
634 			break;
635 		}
636 
637 		if (opt & RFCOMM_LM_FIPS) {
638 			err = -EINVAL;
639 			break;
640 		}
641 
642 		if (opt & RFCOMM_LM_AUTH)
643 			rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
644 		if (opt & RFCOMM_LM_ENCRYPT)
645 			rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
646 		if (opt & RFCOMM_LM_SECURE)
647 			rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;
648 
649 		rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
650 		break;
651 
652 	default:
653 		err = -ENOPROTOOPT;
654 		break;
655 	}
656 
657 	release_sock(sk);
658 	return err;
659 }
660 
rfcomm_sock_setsockopt(struct socket * sock,int level,int optname,sockptr_t optval,unsigned int optlen)661 static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname,
662 		sockptr_t optval, unsigned int optlen)
663 {
664 	struct sock *sk = sock->sk;
665 	struct bt_security sec;
666 	int err = 0;
667 	size_t len;
668 	u32 opt;
669 
670 	BT_DBG("sk %p", sk);
671 
672 	if (level == SOL_RFCOMM)
673 		return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);
674 
675 	if (level != SOL_BLUETOOTH)
676 		return -ENOPROTOOPT;
677 
678 	lock_sock(sk);
679 
680 	switch (optname) {
681 	case BT_SECURITY:
682 		if (sk->sk_type != SOCK_STREAM) {
683 			err = -EINVAL;
684 			break;
685 		}
686 
687 		sec.level = BT_SECURITY_LOW;
688 
689 		len = min_t(unsigned int, sizeof(sec), optlen);
690 		if (copy_from_sockptr(&sec, optval, len)) {
691 			err = -EFAULT;
692 			break;
693 		}
694 
695 		if (sec.level > BT_SECURITY_HIGH) {
696 			err = -EINVAL;
697 			break;
698 		}
699 
700 		rfcomm_pi(sk)->sec_level = sec.level;
701 		break;
702 
703 	case BT_DEFER_SETUP:
704 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
705 			err = -EINVAL;
706 			break;
707 		}
708 
709 		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
710 			err = -EFAULT;
711 			break;
712 		}
713 
714 		if (opt)
715 			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
716 		else
717 			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
718 
719 		break;
720 
721 	default:
722 		err = -ENOPROTOOPT;
723 		break;
724 	}
725 
726 	release_sock(sk);
727 	return err;
728 }
729 
rfcomm_sock_getsockopt_old(struct socket * sock,int optname,char __user * optval,int __user * optlen)730 static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
731 {
732 	struct sock *sk = sock->sk;
733 	struct sock *l2cap_sk;
734 	struct l2cap_conn *conn;
735 	struct rfcomm_conninfo cinfo;
736 	int len, err = 0;
737 	u32 opt;
738 
739 	BT_DBG("sk %p", sk);
740 
741 	if (get_user(len, optlen))
742 		return -EFAULT;
743 
744 	lock_sock(sk);
745 
746 	switch (optname) {
747 	case RFCOMM_LM:
748 		switch (rfcomm_pi(sk)->sec_level) {
749 		case BT_SECURITY_LOW:
750 			opt = RFCOMM_LM_AUTH;
751 			break;
752 		case BT_SECURITY_MEDIUM:
753 			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
754 			break;
755 		case BT_SECURITY_HIGH:
756 			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
757 			      RFCOMM_LM_SECURE;
758 			break;
759 		case BT_SECURITY_FIPS:
760 			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
761 			      RFCOMM_LM_SECURE | RFCOMM_LM_FIPS;
762 			break;
763 		default:
764 			opt = 0;
765 			break;
766 		}
767 
768 		if (rfcomm_pi(sk)->role_switch)
769 			opt |= RFCOMM_LM_MASTER;
770 
771 		if (put_user(opt, (u32 __user *) optval))
772 			err = -EFAULT;
773 
774 		break;
775 
776 	case RFCOMM_CONNINFO:
777 		if (sk->sk_state != BT_CONNECTED &&
778 					!rfcomm_pi(sk)->dlc->defer_setup) {
779 			err = -ENOTCONN;
780 			break;
781 		}
782 
783 		l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
784 		conn = l2cap_pi(l2cap_sk)->chan->conn;
785 
786 		memset(&cinfo, 0, sizeof(cinfo));
787 		cinfo.hci_handle = conn->hcon->handle;
788 		memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
789 
790 		len = min_t(unsigned int, len, sizeof(cinfo));
791 		if (copy_to_user(optval, (char *) &cinfo, len))
792 			err = -EFAULT;
793 
794 		break;
795 
796 	default:
797 		err = -ENOPROTOOPT;
798 		break;
799 	}
800 
801 	release_sock(sk);
802 	return err;
803 }
804 
rfcomm_sock_getsockopt(struct socket * sock,int level,int optname,char __user * optval,int __user * optlen)805 static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
806 {
807 	struct sock *sk = sock->sk;
808 	struct bt_security sec;
809 	int len, err = 0;
810 
811 	BT_DBG("sk %p", sk);
812 
813 	if (level == SOL_RFCOMM)
814 		return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen);
815 
816 	if (level != SOL_BLUETOOTH)
817 		return -ENOPROTOOPT;
818 
819 	if (get_user(len, optlen))
820 		return -EFAULT;
821 
822 	lock_sock(sk);
823 
824 	switch (optname) {
825 	case BT_SECURITY:
826 		if (sk->sk_type != SOCK_STREAM) {
827 			err = -EINVAL;
828 			break;
829 		}
830 
831 		sec.level = rfcomm_pi(sk)->sec_level;
832 		sec.key_size = 0;
833 
834 		len = min_t(unsigned int, len, sizeof(sec));
835 		if (copy_to_user(optval, (char *) &sec, len))
836 			err = -EFAULT;
837 
838 		break;
839 
840 	case BT_DEFER_SETUP:
841 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
842 			err = -EINVAL;
843 			break;
844 		}
845 
846 		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
847 			     (u32 __user *) optval))
848 			err = -EFAULT;
849 
850 		break;
851 
852 	default:
853 		err = -ENOPROTOOPT;
854 		break;
855 	}
856 
857 	release_sock(sk);
858 	return err;
859 }
860 
rfcomm_sock_ioctl(struct socket * sock,unsigned int cmd,unsigned long arg)861 static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
862 {
863 	struct sock *sk __maybe_unused = sock->sk;
864 	int err;
865 
866 	BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg);
867 
868 	err = bt_sock_ioctl(sock, cmd, arg);
869 
870 	if (err == -ENOIOCTLCMD) {
871 #ifdef CONFIG_BT_RFCOMM_TTY
872 		lock_sock(sk);
873 		err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
874 		release_sock(sk);
875 #else
876 		err = -EOPNOTSUPP;
877 #endif
878 	}
879 
880 	return err;
881 }
882 
883 #ifdef CONFIG_COMPAT
rfcomm_sock_compat_ioctl(struct socket * sock,unsigned int cmd,unsigned long arg)884 static int rfcomm_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
885 {
886 	return rfcomm_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg));
887 }
888 #endif
889 
rfcomm_sock_shutdown(struct socket * sock,int how)890 static int rfcomm_sock_shutdown(struct socket *sock, int how)
891 {
892 	struct sock *sk = sock->sk;
893 	int err = 0;
894 
895 	BT_DBG("sock %p, sk %p", sock, sk);
896 
897 	if (!sk)
898 		return 0;
899 
900 	lock_sock(sk);
901 	if (!sk->sk_shutdown) {
902 		sk->sk_shutdown = SHUTDOWN_MASK;
903 
904 		release_sock(sk);
905 		__rfcomm_sock_close(sk);
906 		lock_sock(sk);
907 
908 		if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
909 		    !(current->flags & PF_EXITING))
910 			err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
911 	}
912 	release_sock(sk);
913 	return err;
914 }
915 
rfcomm_sock_release(struct socket * sock)916 static int rfcomm_sock_release(struct socket *sock)
917 {
918 	struct sock *sk = sock->sk;
919 	int err;
920 
921 	BT_DBG("sock %p, sk %p", sock, sk);
922 
923 	if (!sk)
924 		return 0;
925 
926 	err = rfcomm_sock_shutdown(sock, 2);
927 
928 	sock_orphan(sk);
929 	rfcomm_sock_kill(sk);
930 	return err;
931 }
932 
933 /* ---- RFCOMM core layer callbacks ----
934  *
935  * called under rfcomm_lock()
936  */
rfcomm_connect_ind(struct rfcomm_session * s,u8 channel,struct rfcomm_dlc ** d)937 int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d)
938 {
939 	struct sock *sk, *parent;
940 	bdaddr_t src, dst;
941 	int result = 0;
942 
943 	BT_DBG("session %p channel %d", s, channel);
944 
945 	rfcomm_session_getaddr(s, &src, &dst);
946 
947 	/* Check if we have socket listening on channel */
948 	parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src);
949 	if (!parent)
950 		return 0;
951 
952 	lock_sock(parent);
953 
954 	/* Check for backlog size */
955 	if (sk_acceptq_is_full(parent)) {
956 		BT_DBG("backlog full %d", parent->sk_ack_backlog);
957 		goto done;
958 	}
959 
960 	sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC, 0);
961 	if (!sk)
962 		goto done;
963 
964 	bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM);
965 
966 	rfcomm_sock_init(sk, parent);
967 	bacpy(&rfcomm_pi(sk)->src, &src);
968 	bacpy(&rfcomm_pi(sk)->dst, &dst);
969 	rfcomm_pi(sk)->channel = channel;
970 
971 	sk->sk_state = BT_CONFIG;
972 	bt_accept_enqueue(parent, sk, true);
973 
974 	/* Accept connection and return socket DLC */
975 	*d = rfcomm_pi(sk)->dlc;
976 	result = 1;
977 
978 done:
979 	release_sock(parent);
980 
981 	if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
982 		parent->sk_state_change(parent);
983 
984 	return result;
985 }
986 
rfcomm_sock_debugfs_show(struct seq_file * f,void * p)987 static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
988 {
989 	struct sock *sk;
990 
991 	read_lock(&rfcomm_sk_list.lock);
992 
993 	sk_for_each(sk, &rfcomm_sk_list.head) {
994 		seq_printf(f, "%pMR %pMR %d %d\n",
995 			   &rfcomm_pi(sk)->src, &rfcomm_pi(sk)->dst,
996 			   sk->sk_state, rfcomm_pi(sk)->channel);
997 	}
998 
999 	read_unlock(&rfcomm_sk_list.lock);
1000 
1001 	return 0;
1002 }
1003 
1004 DEFINE_SHOW_ATTRIBUTE(rfcomm_sock_debugfs);
1005 
1006 static struct dentry *rfcomm_sock_debugfs;
1007 
1008 static const struct proto_ops rfcomm_sock_ops = {
1009 	.family		= PF_BLUETOOTH,
1010 	.owner		= THIS_MODULE,
1011 	.release	= rfcomm_sock_release,
1012 	.bind		= rfcomm_sock_bind,
1013 	.connect	= rfcomm_sock_connect,
1014 	.listen		= rfcomm_sock_listen,
1015 	.accept		= rfcomm_sock_accept,
1016 	.getname	= rfcomm_sock_getname,
1017 	.sendmsg	= rfcomm_sock_sendmsg,
1018 	.recvmsg	= rfcomm_sock_recvmsg,
1019 	.shutdown	= rfcomm_sock_shutdown,
1020 	.setsockopt	= rfcomm_sock_setsockopt,
1021 	.getsockopt	= rfcomm_sock_getsockopt,
1022 	.ioctl		= rfcomm_sock_ioctl,
1023 	.gettstamp	= sock_gettstamp,
1024 	.poll		= bt_sock_poll,
1025 	.socketpair	= sock_no_socketpair,
1026 	.mmap		= sock_no_mmap,
1027 #ifdef CONFIG_COMPAT
1028 	.compat_ioctl	= rfcomm_sock_compat_ioctl,
1029 #endif
1030 };
1031 
1032 static const struct net_proto_family rfcomm_sock_family_ops = {
1033 	.family		= PF_BLUETOOTH,
1034 	.owner		= THIS_MODULE,
1035 	.create		= rfcomm_sock_create
1036 };
1037 
rfcomm_init_sockets(void)1038 int __init rfcomm_init_sockets(void)
1039 {
1040 	int err;
1041 
1042 	BUILD_BUG_ON(sizeof(struct sockaddr_rc) > sizeof(struct sockaddr));
1043 
1044 	err = proto_register(&rfcomm_proto, 0);
1045 	if (err < 0)
1046 		return err;
1047 
1048 	err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops);
1049 	if (err < 0) {
1050 		BT_ERR("RFCOMM socket layer registration failed");
1051 		goto error;
1052 	}
1053 
1054 	err = bt_procfs_init(&init_net, "rfcomm", &rfcomm_sk_list, NULL);
1055 	if (err < 0) {
1056 		BT_ERR("Failed to create RFCOMM proc file");
1057 		bt_sock_unregister(BTPROTO_RFCOMM);
1058 		goto error;
1059 	}
1060 
1061 	BT_INFO("RFCOMM socket layer initialized");
1062 
1063 	if (IS_ERR_OR_NULL(bt_debugfs))
1064 		return 0;
1065 
1066 	rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444,
1067 						  bt_debugfs, NULL,
1068 						  &rfcomm_sock_debugfs_fops);
1069 
1070 	return 0;
1071 
1072 error:
1073 	proto_unregister(&rfcomm_proto);
1074 	return err;
1075 }
1076 
rfcomm_cleanup_sockets(void)1077 void __exit rfcomm_cleanup_sockets(void)
1078 {
1079 	bt_procfs_cleanup(&init_net, "rfcomm");
1080 
1081 	debugfs_remove(rfcomm_sock_debugfs);
1082 
1083 	bt_sock_unregister(BTPROTO_RFCOMM);
1084 
1085 	proto_unregister(&rfcomm_proto);
1086 }
1087