1 /* 2 RFCOMM implementation for Linux Bluetooth stack (BlueZ). 3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com> 4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org> 5 6 This program is free software; you can redistribute it and/or modify 7 it under the terms of the GNU General Public License version 2 as 8 published by the Free Software Foundation; 9 10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 21 SOFTWARE IS DISCLAIMED. 22 */ 23 24 /* 25 * RFCOMM sockets. 26 */ 27 #include <linux/compat.h> 28 #include <linux/export.h> 29 #include <linux/debugfs.h> 30 #include <linux/sched/signal.h> 31 32 #include <net/bluetooth/bluetooth.h> 33 #include <net/bluetooth/hci_core.h> 34 #include <net/bluetooth/l2cap.h> 35 #include <net/bluetooth/rfcomm.h> 36 37 static const struct proto_ops rfcomm_sock_ops; 38 39 static struct bt_sock_list rfcomm_sk_list = { 40 .lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock) 41 }; 42 43 static void rfcomm_sock_close(struct sock *sk); 44 static void rfcomm_sock_kill(struct sock *sk); 45 46 /* ---- DLC callbacks ---- 47 * 48 * called under rfcomm_dlc_lock() 49 */ 50 static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb) 51 { 52 struct sock *sk = d->owner; 53 if (!sk) 54 return; 55 56 atomic_add(skb->len, &sk->sk_rmem_alloc); 57 skb_queue_tail(&sk->sk_receive_queue, skb); 58 sk->sk_data_ready(sk); 59 60 if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf) 61 rfcomm_dlc_throttle(d); 62 } 63 64 static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err) 65 { 66 struct sock *sk = d->owner, *parent; 67 68 if (!sk) 69 return; 70 71 BT_DBG("dlc %p state %ld err %d", d, d->state, err); 72 73 lock_sock(sk); 74 75 if (err) 76 sk->sk_err = err; 77 78 sk->sk_state = d->state; 79 80 parent = bt_sk(sk)->parent; 81 if (parent) { 82 if (d->state == BT_CLOSED) { 83 sock_set_flag(sk, SOCK_ZAPPED); 84 bt_accept_unlink(sk); 85 } 86 parent->sk_data_ready(parent); 87 } else { 88 if (d->state == BT_CONNECTED) 89 rfcomm_session_getaddr(d->session, 90 &rfcomm_pi(sk)->src, NULL); 91 sk->sk_state_change(sk); 92 } 93 94 release_sock(sk); 95 96 if (parent && sock_flag(sk, SOCK_ZAPPED)) { 97 /* We have to drop DLC lock here, otherwise 98 * rfcomm_sock_destruct() will dead lock. */ 99 rfcomm_dlc_unlock(d); 100 rfcomm_sock_kill(sk); 101 rfcomm_dlc_lock(d); 102 } 103 } 104 105 /* ---- Socket functions ---- */ 106 static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src) 107 { 108 struct sock *sk = NULL; 109 110 sk_for_each(sk, &rfcomm_sk_list.head) { 111 if (rfcomm_pi(sk)->channel != channel) 112 continue; 113 114 if (bacmp(&rfcomm_pi(sk)->src, src)) 115 continue; 116 117 if (sk->sk_state == BT_BOUND || sk->sk_state == BT_LISTEN) 118 break; 119 } 120 121 return sk ? sk : NULL; 122 } 123 124 /* Find socket with channel and source bdaddr. 125 * Returns closest match. 126 */ 127 static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src) 128 { 129 struct sock *sk = NULL, *sk1 = NULL; 130 131 read_lock(&rfcomm_sk_list.lock); 132 133 sk_for_each(sk, &rfcomm_sk_list.head) { 134 if (state && sk->sk_state != state) 135 continue; 136 137 if (rfcomm_pi(sk)->channel == channel) { 138 /* Exact match. */ 139 if (!bacmp(&rfcomm_pi(sk)->src, src)) 140 break; 141 142 /* Closest match */ 143 if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY)) 144 sk1 = sk; 145 } 146 } 147 148 read_unlock(&rfcomm_sk_list.lock); 149 150 return sk ? sk : sk1; 151 } 152 153 static void rfcomm_sock_destruct(struct sock *sk) 154 { 155 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc; 156 157 BT_DBG("sk %p dlc %p", sk, d); 158 159 skb_queue_purge(&sk->sk_receive_queue); 160 skb_queue_purge(&sk->sk_write_queue); 161 162 rfcomm_dlc_lock(d); 163 rfcomm_pi(sk)->dlc = NULL; 164 165 /* Detach DLC if it's owned by this socket */ 166 if (d->owner == sk) 167 d->owner = NULL; 168 rfcomm_dlc_unlock(d); 169 170 rfcomm_dlc_put(d); 171 } 172 173 static void rfcomm_sock_cleanup_listen(struct sock *parent) 174 { 175 struct sock *sk; 176 177 BT_DBG("parent %p", parent); 178 179 /* Close not yet accepted dlcs */ 180 while ((sk = bt_accept_dequeue(parent, NULL))) { 181 rfcomm_sock_close(sk); 182 rfcomm_sock_kill(sk); 183 } 184 185 parent->sk_state = BT_CLOSED; 186 sock_set_flag(parent, SOCK_ZAPPED); 187 } 188 189 /* Kill socket (only if zapped and orphan) 190 * Must be called on unlocked socket. 191 */ 192 static void rfcomm_sock_kill(struct sock *sk) 193 { 194 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket) 195 return; 196 197 BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, refcount_read(&sk->sk_refcnt)); 198 199 /* Kill poor orphan */ 200 bt_sock_unlink(&rfcomm_sk_list, sk); 201 sock_set_flag(sk, SOCK_DEAD); 202 sock_put(sk); 203 } 204 205 static void __rfcomm_sock_close(struct sock *sk) 206 { 207 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc; 208 209 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket); 210 211 switch (sk->sk_state) { 212 case BT_LISTEN: 213 rfcomm_sock_cleanup_listen(sk); 214 break; 215 216 case BT_CONNECT: 217 case BT_CONNECT2: 218 case BT_CONFIG: 219 case BT_CONNECTED: 220 rfcomm_dlc_close(d, 0); 221 fallthrough; 222 223 default: 224 sock_set_flag(sk, SOCK_ZAPPED); 225 break; 226 } 227 } 228 229 /* Close socket. 230 * Must be called on unlocked socket. 231 */ 232 static void rfcomm_sock_close(struct sock *sk) 233 { 234 lock_sock(sk); 235 __rfcomm_sock_close(sk); 236 release_sock(sk); 237 } 238 239 static void rfcomm_sock_init(struct sock *sk, struct sock *parent) 240 { 241 struct rfcomm_pinfo *pi = rfcomm_pi(sk); 242 243 BT_DBG("sk %p", sk); 244 245 if (parent) { 246 sk->sk_type = parent->sk_type; 247 pi->dlc->defer_setup = test_bit(BT_SK_DEFER_SETUP, 248 &bt_sk(parent)->flags); 249 250 pi->sec_level = rfcomm_pi(parent)->sec_level; 251 pi->role_switch = rfcomm_pi(parent)->role_switch; 252 253 security_sk_clone(parent, sk); 254 } else { 255 pi->dlc->defer_setup = 0; 256 257 pi->sec_level = BT_SECURITY_LOW; 258 pi->role_switch = 0; 259 } 260 261 pi->dlc->sec_level = pi->sec_level; 262 pi->dlc->role_switch = pi->role_switch; 263 } 264 265 static struct proto rfcomm_proto = { 266 .name = "RFCOMM", 267 .owner = THIS_MODULE, 268 .obj_size = sizeof(struct rfcomm_pinfo) 269 }; 270 271 static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, 272 int proto, gfp_t prio, int kern) 273 { 274 struct rfcomm_dlc *d; 275 struct sock *sk; 276 277 d = rfcomm_dlc_alloc(prio); 278 if (!d) 279 return NULL; 280 281 sk = bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern); 282 if (!sk) { 283 rfcomm_dlc_free(d); 284 return NULL; 285 } 286 287 d->data_ready = rfcomm_sk_data_ready; 288 d->state_change = rfcomm_sk_state_change; 289 290 rfcomm_pi(sk)->dlc = d; 291 d->owner = sk; 292 293 sk->sk_destruct = rfcomm_sock_destruct; 294 sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT; 295 296 sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10; 297 sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10; 298 299 bt_sock_link(&rfcomm_sk_list, sk); 300 301 BT_DBG("sk %p", sk); 302 return sk; 303 } 304 305 static int rfcomm_sock_create(struct net *net, struct socket *sock, 306 int protocol, int kern) 307 { 308 struct sock *sk; 309 310 BT_DBG("sock %p", sock); 311 312 sock->state = SS_UNCONNECTED; 313 314 if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW) 315 return -ESOCKTNOSUPPORT; 316 317 sock->ops = &rfcomm_sock_ops; 318 319 sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern); 320 if (!sk) 321 return -ENOMEM; 322 323 rfcomm_sock_init(sk, NULL); 324 return 0; 325 } 326 327 static int rfcomm_sock_bind(struct socket *sock, struct sockaddr_unsized *addr, int addr_len) 328 { 329 struct sockaddr_rc sa; 330 struct sock *sk = sock->sk; 331 int len, err = 0; 332 333 if (!addr || addr_len < offsetofend(struct sockaddr, sa_family) || 334 addr->sa_family != AF_BLUETOOTH) 335 return -EINVAL; 336 337 memset(&sa, 0, sizeof(sa)); 338 len = min_t(unsigned int, sizeof(sa), addr_len); 339 memcpy(&sa, addr, len); 340 341 BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr); 342 343 lock_sock(sk); 344 345 if (sk->sk_state != BT_OPEN) { 346 err = -EBADFD; 347 goto done; 348 } 349 350 if (sk->sk_type != SOCK_STREAM) { 351 err = -EINVAL; 352 goto done; 353 } 354 355 write_lock(&rfcomm_sk_list.lock); 356 357 if (sa.rc_channel && 358 __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) { 359 err = -EADDRINUSE; 360 } else { 361 /* Save source address */ 362 bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr); 363 rfcomm_pi(sk)->channel = sa.rc_channel; 364 sk->sk_state = BT_BOUND; 365 } 366 367 write_unlock(&rfcomm_sk_list.lock); 368 369 done: 370 release_sock(sk); 371 return err; 372 } 373 374 static int rfcomm_sock_connect(struct socket *sock, struct sockaddr_unsized *addr, 375 int alen, int flags) 376 { 377 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr; 378 struct sock *sk = sock->sk; 379 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc; 380 int err = 0; 381 382 BT_DBG("sk %p", sk); 383 384 if (alen < sizeof(struct sockaddr_rc) || 385 addr->sa_family != AF_BLUETOOTH) 386 return -EINVAL; 387 388 sock_hold(sk); 389 lock_sock(sk); 390 391 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) { 392 err = -EBADFD; 393 goto done; 394 } 395 396 if (sk->sk_type != SOCK_STREAM) { 397 err = -EINVAL; 398 goto done; 399 } 400 401 sk->sk_state = BT_CONNECT; 402 bacpy(&rfcomm_pi(sk)->dst, &sa->rc_bdaddr); 403 rfcomm_pi(sk)->channel = sa->rc_channel; 404 405 d->sec_level = rfcomm_pi(sk)->sec_level; 406 d->role_switch = rfcomm_pi(sk)->role_switch; 407 408 /* Drop sock lock to avoid potential deadlock with the RFCOMM lock */ 409 release_sock(sk); 410 err = rfcomm_dlc_open(d, &rfcomm_pi(sk)->src, &sa->rc_bdaddr, 411 sa->rc_channel); 412 lock_sock(sk); 413 if (!err && !sock_flag(sk, SOCK_ZAPPED)) 414 err = bt_sock_wait_state(sk, BT_CONNECTED, 415 sock_sndtimeo(sk, flags & O_NONBLOCK)); 416 417 done: 418 release_sock(sk); 419 sock_put(sk); 420 return err; 421 } 422 423 static int rfcomm_sock_listen(struct socket *sock, int backlog) 424 { 425 struct sock *sk = sock->sk; 426 int err = 0; 427 428 BT_DBG("sk %p backlog %d", sk, backlog); 429 430 lock_sock(sk); 431 432 if (sk->sk_state != BT_BOUND) { 433 err = -EBADFD; 434 goto done; 435 } 436 437 if (sk->sk_type != SOCK_STREAM) { 438 err = -EINVAL; 439 goto done; 440 } 441 442 if (!rfcomm_pi(sk)->channel) { 443 bdaddr_t *src = &rfcomm_pi(sk)->src; 444 u8 channel; 445 446 err = -EINVAL; 447 448 write_lock(&rfcomm_sk_list.lock); 449 450 for (channel = 1; channel < 31; channel++) 451 if (!__rfcomm_get_listen_sock_by_addr(channel, src)) { 452 rfcomm_pi(sk)->channel = channel; 453 err = 0; 454 break; 455 } 456 457 write_unlock(&rfcomm_sk_list.lock); 458 459 if (err < 0) 460 goto done; 461 } 462 463 sk->sk_max_ack_backlog = backlog; 464 sk->sk_ack_backlog = 0; 465 sk->sk_state = BT_LISTEN; 466 467 done: 468 release_sock(sk); 469 return err; 470 } 471 472 static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, 473 struct proto_accept_arg *arg) 474 { 475 DEFINE_WAIT_FUNC(wait, woken_wake_function); 476 struct sock *sk = sock->sk, *nsk; 477 long timeo; 478 int err = 0; 479 480 lock_sock_nested(sk, SINGLE_DEPTH_NESTING); 481 482 if (sk->sk_type != SOCK_STREAM) { 483 err = -EINVAL; 484 goto done; 485 } 486 487 timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK); 488 489 BT_DBG("sk %p timeo %ld", sk, timeo); 490 491 /* Wait for an incoming connection. (wake-one). */ 492 add_wait_queue_exclusive(sk_sleep(sk), &wait); 493 while (1) { 494 if (sk->sk_state != BT_LISTEN) { 495 err = -EBADFD; 496 break; 497 } 498 499 nsk = bt_accept_dequeue(sk, newsock); 500 if (nsk) 501 break; 502 503 if (!timeo) { 504 err = -EAGAIN; 505 break; 506 } 507 508 if (signal_pending(current)) { 509 err = sock_intr_errno(timeo); 510 break; 511 } 512 513 release_sock(sk); 514 515 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo); 516 517 lock_sock_nested(sk, SINGLE_DEPTH_NESTING); 518 } 519 remove_wait_queue(sk_sleep(sk), &wait); 520 521 if (err) 522 goto done; 523 524 newsock->state = SS_CONNECTED; 525 526 BT_DBG("new socket %p", nsk); 527 528 done: 529 release_sock(sk); 530 return err; 531 } 532 533 static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int peer) 534 { 535 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr; 536 struct sock *sk = sock->sk; 537 538 BT_DBG("sock %p, sk %p", sock, sk); 539 540 if (peer && sk->sk_state != BT_CONNECTED && 541 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2) 542 return -ENOTCONN; 543 544 memset(sa, 0, sizeof(*sa)); 545 sa->rc_family = AF_BLUETOOTH; 546 sa->rc_channel = rfcomm_pi(sk)->channel; 547 if (peer) 548 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->dst); 549 else 550 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->src); 551 552 return sizeof(struct sockaddr_rc); 553 } 554 555 static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg, 556 size_t len) 557 { 558 struct sock *sk = sock->sk; 559 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc; 560 struct sk_buff *skb; 561 int sent; 562 563 if (test_bit(RFCOMM_DEFER_SETUP, &d->flags)) 564 return -ENOTCONN; 565 566 if (msg->msg_flags & MSG_OOB) 567 return -EOPNOTSUPP; 568 569 if (sk->sk_shutdown & SEND_SHUTDOWN) 570 return -EPIPE; 571 572 BT_DBG("sock %p, sk %p", sock, sk); 573 574 lock_sock(sk); 575 576 sent = bt_sock_wait_ready(sk, msg->msg_flags); 577 578 release_sock(sk); 579 580 if (sent) 581 return sent; 582 583 skb = bt_skb_sendmmsg(sk, msg, len, d->mtu, RFCOMM_SKB_HEAD_RESERVE, 584 RFCOMM_SKB_TAIL_RESERVE); 585 if (IS_ERR(skb)) 586 return PTR_ERR(skb); 587 588 sent = rfcomm_dlc_send(d, skb); 589 if (sent < 0) 590 kfree_skb(skb); 591 592 return sent; 593 } 594 595 static int rfcomm_sock_recvmsg(struct socket *sock, struct msghdr *msg, 596 size_t size, int flags) 597 { 598 struct sock *sk = sock->sk; 599 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc; 600 int len; 601 602 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 603 rfcomm_dlc_accept(d); 604 return 0; 605 } 606 607 len = bt_sock_stream_recvmsg(sock, msg, size, flags); 608 609 lock_sock(sk); 610 if (!(flags & MSG_PEEK) && len > 0) 611 atomic_sub(len, &sk->sk_rmem_alloc); 612 613 if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2)) 614 rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc); 615 release_sock(sk); 616 617 return len; 618 } 619 620 static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, 621 sockptr_t optval, unsigned int optlen) 622 { 623 struct sock *sk = sock->sk; 624 int err = 0; 625 u32 opt; 626 627 BT_DBG("sk %p", sk); 628 629 lock_sock(sk); 630 631 switch (optname) { 632 case RFCOMM_LM: 633 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 634 if (err) 635 break; 636 637 if (opt & RFCOMM_LM_FIPS) { 638 err = -EINVAL; 639 break; 640 } 641 642 if (opt & RFCOMM_LM_AUTH) 643 rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW; 644 if (opt & RFCOMM_LM_ENCRYPT) 645 rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM; 646 if (opt & RFCOMM_LM_SECURE) 647 rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH; 648 649 rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER); 650 break; 651 652 default: 653 err = -ENOPROTOOPT; 654 break; 655 } 656 657 release_sock(sk); 658 return err; 659 } 660 661 static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, 662 sockptr_t optval, unsigned int optlen) 663 { 664 struct sock *sk = sock->sk; 665 struct bt_security sec; 666 int err = 0; 667 u32 opt; 668 669 BT_DBG("sk %p", sk); 670 671 if (level == SOL_RFCOMM) 672 return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen); 673 674 if (level != SOL_BLUETOOTH) 675 return -ENOPROTOOPT; 676 677 lock_sock(sk); 678 679 switch (optname) { 680 case BT_SECURITY: 681 if (sk->sk_type != SOCK_STREAM) { 682 err = -EINVAL; 683 break; 684 } 685 686 sec.level = BT_SECURITY_LOW; 687 688 err = copy_safe_from_sockptr(&sec, sizeof(sec), optval, optlen); 689 if (err) 690 break; 691 692 if (sec.level > BT_SECURITY_HIGH) { 693 err = -EINVAL; 694 break; 695 } 696 697 rfcomm_pi(sk)->sec_level = sec.level; 698 break; 699 700 case BT_DEFER_SETUP: 701 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 702 err = -EINVAL; 703 break; 704 } 705 706 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 707 if (err) 708 break; 709 710 if (opt) 711 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 712 else 713 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 714 715 break; 716 717 default: 718 err = -ENOPROTOOPT; 719 break; 720 } 721 722 release_sock(sk); 723 return err; 724 } 725 726 static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen) 727 { 728 struct sock *sk = sock->sk; 729 struct sock *l2cap_sk; 730 struct l2cap_conn *conn; 731 struct rfcomm_conninfo cinfo; 732 int err = 0; 733 size_t len; 734 u32 opt; 735 736 BT_DBG("sk %p", sk); 737 738 if (get_user(len, optlen)) 739 return -EFAULT; 740 741 lock_sock(sk); 742 743 switch (optname) { 744 case RFCOMM_LM: 745 switch (rfcomm_pi(sk)->sec_level) { 746 case BT_SECURITY_LOW: 747 opt = RFCOMM_LM_AUTH; 748 break; 749 case BT_SECURITY_MEDIUM: 750 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT; 751 break; 752 case BT_SECURITY_HIGH: 753 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT | 754 RFCOMM_LM_SECURE; 755 break; 756 case BT_SECURITY_FIPS: 757 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT | 758 RFCOMM_LM_SECURE | RFCOMM_LM_FIPS; 759 break; 760 default: 761 opt = 0; 762 break; 763 } 764 765 if (rfcomm_pi(sk)->role_switch) 766 opt |= RFCOMM_LM_MASTER; 767 768 if (put_user(opt, (u32 __user *) optval)) 769 err = -EFAULT; 770 771 break; 772 773 case RFCOMM_CONNINFO: 774 if (sk->sk_state != BT_CONNECTED && 775 !rfcomm_pi(sk)->dlc->defer_setup) { 776 err = -ENOTCONN; 777 break; 778 } 779 780 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk; 781 conn = l2cap_pi(l2cap_sk)->chan->conn; 782 783 memset(&cinfo, 0, sizeof(cinfo)); 784 cinfo.hci_handle = conn->hcon->handle; 785 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3); 786 787 len = min(len, sizeof(cinfo)); 788 if (copy_to_user(optval, (char *) &cinfo, len)) 789 err = -EFAULT; 790 791 break; 792 793 default: 794 err = -ENOPROTOOPT; 795 break; 796 } 797 798 release_sock(sk); 799 return err; 800 } 801 802 static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen) 803 { 804 struct sock *sk = sock->sk; 805 struct bt_security sec; 806 int err = 0; 807 size_t len; 808 809 BT_DBG("sk %p", sk); 810 811 if (level == SOL_RFCOMM) 812 return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen); 813 814 if (level != SOL_BLUETOOTH) 815 return -ENOPROTOOPT; 816 817 if (get_user(len, optlen)) 818 return -EFAULT; 819 820 lock_sock(sk); 821 822 switch (optname) { 823 case BT_SECURITY: 824 if (sk->sk_type != SOCK_STREAM) { 825 err = -EINVAL; 826 break; 827 } 828 829 sec.level = rfcomm_pi(sk)->sec_level; 830 sec.key_size = 0; 831 832 len = min(len, sizeof(sec)); 833 if (copy_to_user(optval, (char *) &sec, len)) 834 err = -EFAULT; 835 836 break; 837 838 case BT_DEFER_SETUP: 839 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 840 err = -EINVAL; 841 break; 842 } 843 844 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags), 845 (u32 __user *) optval)) 846 err = -EFAULT; 847 848 break; 849 850 default: 851 err = -ENOPROTOOPT; 852 break; 853 } 854 855 release_sock(sk); 856 return err; 857 } 858 859 static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) 860 { 861 struct sock *sk __maybe_unused = sock->sk; 862 int err; 863 864 BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg); 865 866 err = bt_sock_ioctl(sock, cmd, arg); 867 868 if (err == -ENOIOCTLCMD) { 869 #ifdef CONFIG_BT_RFCOMM_TTY 870 err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg); 871 #else 872 err = -EOPNOTSUPP; 873 #endif 874 } 875 876 return err; 877 } 878 879 #ifdef CONFIG_COMPAT 880 static int rfcomm_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) 881 { 882 return rfcomm_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg)); 883 } 884 #endif 885 886 static int rfcomm_sock_shutdown(struct socket *sock, int how) 887 { 888 struct sock *sk = sock->sk; 889 int err = 0; 890 891 BT_DBG("sock %p, sk %p", sock, sk); 892 893 if (!sk) 894 return 0; 895 896 lock_sock(sk); 897 if (!sk->sk_shutdown) { 898 sk->sk_shutdown = SHUTDOWN_MASK; 899 900 release_sock(sk); 901 __rfcomm_sock_close(sk); 902 lock_sock(sk); 903 904 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime && 905 !(current->flags & PF_EXITING)) 906 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime); 907 } 908 release_sock(sk); 909 return err; 910 } 911 912 static int rfcomm_sock_release(struct socket *sock) 913 { 914 struct sock *sk = sock->sk; 915 int err; 916 917 BT_DBG("sock %p, sk %p", sock, sk); 918 919 if (!sk) 920 return 0; 921 922 err = rfcomm_sock_shutdown(sock, 2); 923 924 sock_orphan(sk); 925 rfcomm_sock_kill(sk); 926 return err; 927 } 928 929 /* ---- RFCOMM core layer callbacks ---- 930 * 931 * called under rfcomm_lock() 932 */ 933 int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d) 934 { 935 struct sock *sk, *parent; 936 bdaddr_t src, dst; 937 int result = 0; 938 939 BT_DBG("session %p channel %d", s, channel); 940 941 rfcomm_session_getaddr(s, &src, &dst); 942 943 /* Check if we have socket listening on channel */ 944 parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src); 945 if (!parent) 946 return 0; 947 948 lock_sock(parent); 949 950 /* Check for backlog size */ 951 if (sk_acceptq_is_full(parent)) { 952 BT_DBG("backlog full %d", parent->sk_ack_backlog); 953 goto done; 954 } 955 956 sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC, 0); 957 if (!sk) 958 goto done; 959 960 bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM); 961 962 rfcomm_sock_init(sk, parent); 963 bacpy(&rfcomm_pi(sk)->src, &src); 964 bacpy(&rfcomm_pi(sk)->dst, &dst); 965 rfcomm_pi(sk)->channel = channel; 966 967 sk->sk_state = BT_CONFIG; 968 bt_accept_enqueue(parent, sk, true); 969 970 /* Accept connection and return socket DLC */ 971 *d = rfcomm_pi(sk)->dlc; 972 result = 1; 973 974 done: 975 release_sock(parent); 976 977 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags)) 978 parent->sk_state_change(parent); 979 980 return result; 981 } 982 983 static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p) 984 { 985 struct sock *sk; 986 987 read_lock(&rfcomm_sk_list.lock); 988 989 sk_for_each(sk, &rfcomm_sk_list.head) { 990 seq_printf(f, "%pMR %pMR %d %d\n", 991 &rfcomm_pi(sk)->src, &rfcomm_pi(sk)->dst, 992 sk->sk_state, rfcomm_pi(sk)->channel); 993 } 994 995 read_unlock(&rfcomm_sk_list.lock); 996 997 return 0; 998 } 999 1000 DEFINE_SHOW_ATTRIBUTE(rfcomm_sock_debugfs); 1001 1002 static struct dentry *rfcomm_sock_debugfs; 1003 1004 static const struct proto_ops rfcomm_sock_ops = { 1005 .family = PF_BLUETOOTH, 1006 .owner = THIS_MODULE, 1007 .release = rfcomm_sock_release, 1008 .bind = rfcomm_sock_bind, 1009 .connect = rfcomm_sock_connect, 1010 .listen = rfcomm_sock_listen, 1011 .accept = rfcomm_sock_accept, 1012 .getname = rfcomm_sock_getname, 1013 .sendmsg = rfcomm_sock_sendmsg, 1014 .recvmsg = rfcomm_sock_recvmsg, 1015 .shutdown = rfcomm_sock_shutdown, 1016 .setsockopt = rfcomm_sock_setsockopt, 1017 .getsockopt = rfcomm_sock_getsockopt, 1018 .ioctl = rfcomm_sock_ioctl, 1019 .gettstamp = sock_gettstamp, 1020 .poll = bt_sock_poll, 1021 .socketpair = sock_no_socketpair, 1022 .mmap = sock_no_mmap, 1023 #ifdef CONFIG_COMPAT 1024 .compat_ioctl = rfcomm_sock_compat_ioctl, 1025 #endif 1026 }; 1027 1028 static const struct net_proto_family rfcomm_sock_family_ops = { 1029 .family = PF_BLUETOOTH, 1030 .owner = THIS_MODULE, 1031 .create = rfcomm_sock_create 1032 }; 1033 1034 int __init rfcomm_init_sockets(void) 1035 { 1036 int err; 1037 1038 BUILD_BUG_ON(sizeof(struct sockaddr_rc) > sizeof(struct sockaddr)); 1039 1040 err = proto_register(&rfcomm_proto, 0); 1041 if (err < 0) 1042 return err; 1043 1044 err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops); 1045 if (err < 0) { 1046 BT_ERR("RFCOMM socket layer registration failed"); 1047 goto error; 1048 } 1049 1050 err = bt_procfs_init(&init_net, "rfcomm", &rfcomm_sk_list, NULL); 1051 if (err < 0) { 1052 BT_ERR("Failed to create RFCOMM proc file"); 1053 bt_sock_unregister(BTPROTO_RFCOMM); 1054 goto error; 1055 } 1056 1057 BT_INFO("RFCOMM socket layer initialized"); 1058 1059 if (IS_ERR_OR_NULL(bt_debugfs)) 1060 return 0; 1061 1062 rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444, 1063 bt_debugfs, NULL, 1064 &rfcomm_sock_debugfs_fops); 1065 1066 return 0; 1067 1068 error: 1069 proto_unregister(&rfcomm_proto); 1070 return err; 1071 } 1072 1073 void __exit rfcomm_cleanup_sockets(void) 1074 { 1075 bt_procfs_cleanup(&init_net, "rfcomm"); 1076 1077 debugfs_remove(rfcomm_sock_debugfs); 1078 1079 bt_sock_unregister(BTPROTO_RFCOMM); 1080 1081 proto_unregister(&rfcomm_proto); 1082 } 1083