1 /*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22 */
23
24 /*
25 * RFCOMM sockets.
26 */
27 #include <linux/compat.h>
28 #include <linux/export.h>
29 #include <linux/debugfs.h>
30 #include <linux/sched/signal.h>
31
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/l2cap.h>
35 #include <net/bluetooth/rfcomm.h>
36
/* Defined at the bottom of the file; rfcomm_sock_create() installs it. */
static const struct proto_ops rfcomm_sock_ops;

/* Every RFCOMM socket: linked in rfcomm_sock_alloc(), unlinked in
 * rfcomm_sock_kill(). Lookups take the rwlock for reading; bind() and
 * listen() take it for writing so that "is this channel free?" and the
 * claim that follows are atomic against each other.
 */
static struct bt_sock_list rfcomm_sk_list = {
	.lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock)
};

/* Forward declarations: used by the DLC callbacks and listen cleanup below. */
static void rfcomm_sock_close(struct sock *sk);
static void rfcomm_sock_kill(struct sock *sk);
45
46 /* ---- DLC callbacks ----
47 *
48 * called under rfcomm_dlc_lock()
49 */
/* DLC data_ready callback: queue a received frame on the owning socket.
 *
 * The frame's length is charged to sk_rmem_alloc here and credited back
 * in rfcomm_sock_recvmsg(); once the charge reaches sk_rcvbuf the DLC is
 * throttled so no more data arrives until the reader drains the queue.
 */
static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
{
	struct sock *sk = d->owner;
	/* Owner is cleared by rfcomm_sock_destruct(). NOTE(review): the skb
	 * is not freed on this path -- confirm the caller drops it. */
	if (!sk)
		return;

	atomic_add(skb->len, &sk->sk_rmem_alloc);
	skb_queue_tail(&sk->sk_receive_queue, skb);
	sk->sk_data_ready(sk);

	/* Backpressure: stop the peer once the receive allowance is used up. */
	if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
		rfcomm_dlc_throttle(d);
}
63
/* DLC state_change callback: mirror the DLC's state onto the owning socket.
 *
 * @err: non-zero error to report via sk_err; 0 leaves sk_err untouched.
 *
 * A child socket that has not been accepted yet (bt_sk(sk)->parent set)
 * is unlinked from the parent's accept queue on BT_CLOSED and freed below;
 * the parent is woken in every case so a blocked accept() re-checks its
 * queue. An independent socket is woken itself, and on BT_CONNECTED its
 * source address is refreshed from the session.
 */
static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
{
	struct sock *sk = d->owner, *parent;

	if (!sk)
		return;

	BT_DBG("dlc %p state %ld err %d", d, d->state, err);

	lock_sock(sk);

	/* Never overwrite a pending error with 0. */
	if (err)
		sk->sk_err = err;

	sk->sk_state = d->state;

	parent = bt_sk(sk)->parent;
	if (parent) {
		if (d->state == BT_CLOSED) {
			/* Closed before accept(): leave the accept queue and
			 * mark for rfcomm_sock_kill() below. */
			sock_set_flag(sk, SOCK_ZAPPED);
			bt_accept_unlink(sk);
		}
		parent->sk_data_ready(parent);
	} else {
		if (d->state == BT_CONNECTED)
			rfcomm_session_getaddr(d->session,
					       &rfcomm_pi(sk)->src, NULL);
		sk->sk_state_change(sk);
	}

	release_sock(sk);

	if (parent && sock_flag(sk, SOCK_ZAPPED)) {
		/* We have to drop DLC lock here, otherwise
		 * rfcomm_sock_destruct() will dead lock. */
		rfcomm_dlc_unlock(d);
		rfcomm_sock_kill(sk);
		rfcomm_dlc_lock(d);
	}
}
104
105 /* ---- Socket functions ---- */
/* Return the first bound or listening socket on (@channel, @src), or NULL.
 * Exact address match only -- no BDADDR_ANY fallback. The caller holds
 * rfcomm_sk_list.lock (both callers take it for writing); no reference is
 * taken on the result.
 */
static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
{
	struct sock *sk;

	sk_for_each(sk, &rfcomm_sk_list.head) {
		const struct rfcomm_pinfo *pi = rfcomm_pi(sk);
		bool bound_or_listening = sk->sk_state == BT_BOUND ||
					  sk->sk_state == BT_LISTEN;

		if (pi->channel == channel && !bacmp(&pi->src, src) &&
		    bound_or_listening)
			return sk;
	}

	return NULL;
}
123
/* Find socket with channel and source bdaddr.
 * Returns closest match with an extra reference held.
 *
 * @state:   socket state to require, or 0 to accept any state.
 * @channel: RFCOMM server channel to match.
 * @src:     local address to match; a socket bound to BDADDR_ANY is the
 *           fallback when no exact match exists.
 *
 * Returns NULL when nothing matches. The caller owns the returned
 * reference and must sock_put() it (see rfcomm_connect_ind()).
 */
static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
{
	struct sock *sk = NULL, *sk1 = NULL;

	read_lock(&rfcomm_sk_list.lock);

	sk_for_each(sk, &rfcomm_sk_list.head) {
		if (state && sk->sk_state != state)
			continue;

		if (rfcomm_pi(sk)->channel == channel) {
			/* Exact match. */
			if (!bacmp(&rfcomm_pi(sk)->src, src)) {
				sock_hold(sk);
				break;
			}

			/* Closest match */
			if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY)) {
				/* Keep only the most recent wildcard candidate. */
				if (sk1)
					sock_put(sk1);

				sk1 = sk;
				sock_hold(sk1);
			}
		}
	}

	/* Exact match wins: release the wildcard candidate's reference. */
	if (sk && sk1)
		sock_put(sk1);

	read_unlock(&rfcomm_sk_list.lock);

	return sk ? sk : sk1;
}
162
/* sk_destruct hook, installed by rfcomm_sock_alloc(): runs once the last
 * reference to @sk is gone. Drops queued skbs, detaches the DLC from the
 * socket (only if this socket is still its owner) and releases the DLC
 * reference the socket held.
 */
static void rfcomm_sock_destruct(struct sock *sk)
{
	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;

	BT_DBG("sk %p dlc %p", sk, d);

	skb_queue_purge(&sk->sk_receive_queue);
	skb_queue_purge(&sk->sk_write_queue);

	/* The DLC callbacks above run under this lock, so they never see
	 * a half-detached owner. */
	rfcomm_dlc_lock(d);
	rfcomm_pi(sk)->dlc = NULL;

	/* Detach DLC if it's owned by this socket */
	if (d->owner == sk)
		d->owner = NULL;
	rfcomm_dlc_unlock(d);

	rfcomm_dlc_put(d);
}
182
/* Tear down a listening socket: close and free every child connection
 * that was queued but never accepted, then mark @parent closed and zapped
 * so rfcomm_sock_kill() can free it once it is orphaned.
 */
static void rfcomm_sock_cleanup_listen(struct sock *parent)
{
	struct sock *sk;

	BT_DBG("parent %p", parent);

	/* Close not yet accepted dlcs */
	while ((sk = bt_accept_dequeue(parent, NULL))) {
		/* close zaps the child; kill then frees it, presumably
		 * possible because no struct socket was grafted (NULL above). */
		rfcomm_sock_close(sk);
		rfcomm_sock_kill(sk);
		/* Drop the reference handed back by bt_accept_dequeue(). */
		sock_put(sk);
	}

	parent->sk_state = BT_CLOSED;
	sock_set_flag(parent, SOCK_ZAPPED);
}
200
/* Kill socket (only if zapped and orphan)
 * Must be called on unlocked socket.
 *
 * A socket still attached to a struct socket (sk_socket set), or not yet
 * zapped, is left alone. Otherwise it is removed from rfcomm_sk_list,
 * marked dead and a reference dropped; rfcomm_sock_destruct() runs when
 * the last reference goes.
 */
static void rfcomm_sock_kill(struct sock *sk)
{
	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
		return;

	BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, refcount_read(&sk->sk_refcnt));

	/* Kill poor orphan */
	bt_sock_unlink(&rfcomm_sk_list, sk);
	sock_set_flag(sk, SOCK_DEAD);
	sock_put(sk);
}
216
/* Move @sk towards closed according to its current state.
 *
 * BT_LISTEN: drain the accept queue (rfcomm_sock_cleanup_listen() also
 * zaps the listener). Any connecting/connected state: close the DLC, then
 * fall through to zap. Everything else: just zap.
 *
 * Note the two callers differ in locking: rfcomm_sock_close() holds the
 * socket lock, rfcomm_sock_shutdown() deliberately drops it first --
 * presumably the same lock-order concern noted in rfcomm_sock_connect().
 */
static void __rfcomm_sock_close(struct sock *sk)
{
	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;

	BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);

	switch (sk->sk_state) {
	case BT_LISTEN:
		rfcomm_sock_cleanup_listen(sk);
		break;

	case BT_CONNECT:
	case BT_CONNECT2:
	case BT_CONFIG:
	case BT_CONNECTED:
		rfcomm_dlc_close(d, 0);
		fallthrough;

	default:
		sock_set_flag(sk, SOCK_ZAPPED);
		break;
	}
}
240
/* Close @sk under its own lock.
 * Must be called on an unlocked socket; the actual state transition is
 * done by __rfcomm_sock_close().
 */
static void rfcomm_sock_close(struct sock *sk)
{
	lock_sock(sk);
	__rfcomm_sock_close(sk);
	release_sock(sk);
}
250
/* Initialise the protocol-private part of a freshly allocated socket.
 *
 * @parent: listening socket an incoming connection arrived on, or NULL
 *          for a socket created by socket(2). A child inherits the
 *          parent's type, security level, role-switch preference, deferred
 *          setup flag and security (LSM) state; a fresh socket gets the
 *          defaults (BT_SECURITY_LOW, no role switch, no deferred setup).
 *
 * The security level and role switch are pushed down to the DLC as well.
 */
static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
{
	struct rfcomm_pinfo *pi = rfcomm_pi(sk);
	u8 sec_level = BT_SECURITY_LOW;
	u8 role_switch = 0;
	u8 defer_setup = 0;

	BT_DBG("sk %p", sk);

	if (parent) {
		const struct rfcomm_pinfo *ppi = rfcomm_pi(parent);

		sk->sk_type = parent->sk_type;
		defer_setup = test_bit(BT_SK_DEFER_SETUP,
				       &bt_sk(parent)->flags);
		sec_level = ppi->sec_level;
		role_switch = ppi->role_switch;

		security_sk_clone(parent, sk);
	}

	pi->sec_level = sec_level;
	pi->role_switch = role_switch;

	pi->dlc->defer_setup = defer_setup;
	pi->dlc->sec_level = sec_level;
	pi->dlc->role_switch = role_switch;
}
276
/* struct proto for RFCOMM sockets; obj_size makes bt_sock_alloc() carve
 * out a struct rfcomm_pinfo so rfcomm_pi(sk) is valid on every socket.
 */
static struct proto rfcomm_proto = {
	.name		= "RFCOMM",
	.owner		= THIS_MODULE,
	.obj_size	= sizeof(struct rfcomm_pinfo)
};
282
/* Allocate a socket together with its DLC and link the two.
 *
 * @sock: struct socket to attach, or NULL for an accept-queue child.
 * @prio: allocation flags for both the DLC and the socket.
 *
 * Returns NULL on allocation failure (the DLC is freed again if the
 * socket allocation is what failed). On success the socket owns one
 * DLC reference, released by rfcomm_sock_destruct(), and is already on
 * rfcomm_sk_list.
 */
static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock,
				      int proto, gfp_t prio, int kern)
{
	struct rfcomm_dlc *d = rfcomm_dlc_alloc(prio);
	struct sock *sk;

	if (!d)
		return NULL;

	sk = bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern);
	if (!sk) {
		rfcomm_dlc_free(d);
		return NULL;
	}

	/* Wire DLC and socket to each other in both directions. */
	d->data_ready = rfcomm_sk_data_ready;
	d->state_change = rfcomm_sk_state_change;
	d->owner = sk;
	rfcomm_pi(sk)->dlc = d;

	sk->sk_destruct = rfcomm_sock_destruct;
	sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT;
	/* Same allowance in both directions; the receive side drives the
	 * throttle/unthrottle in rfcomm_sk_data_ready()/rfcomm_sock_recvmsg(). */
	sk->sk_sndbuf = sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;

	bt_sock_link(&rfcomm_sk_list, sk);

	BT_DBG("sk %p", sk);
	return sk;
}
316
/* net_proto_family create hook for BTPROTO_RFCOMM.
 *
 * Only SOCK_STREAM and SOCK_RAW are supported (-ESOCKTNOSUPPORT otherwise).
 * Allocates the socket with GFP_ATOMIC, installs rfcomm_sock_ops and
 * applies the parentless defaults. Returns 0 or a negative errno.
 */
static int rfcomm_sock_create(struct net *net, struct socket *sock,
			      int protocol, int kern)
{
	struct sock *sk;

	BT_DBG("sock %p", sock);

	sock->state = SS_UNCONNECTED;

	switch (sock->type) {
	case SOCK_STREAM:
	case SOCK_RAW:
		break;
	default:
		return -ESOCKTNOSUPPORT;
	}

	sock->ops = &rfcomm_sock_ops;

	sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
	if (!sk)
		return -ENOMEM;

	rfcomm_sock_init(sk, NULL);
	return 0;
}
338
/* bind(2): claim a local address and server channel for @sk.
 *
 * The caller's address may be shorter than struct sockaddr_rc: only the
 * family field is required, @sa is zeroed first and at most sizeof(sa)
 * bytes are copied, so a short address reads as channel 0 / BDADDR_ANY
 * instead of reading beyond what the caller supplied. Channel 0 means
 * "pick one at listen() time" (see rfcomm_sock_listen()); a non-zero
 * channel is refused with -EADDRINUSE when another bound/listening socket
 * already has it on the same source address. The list write lock makes
 * the lookup and the claim atomic against concurrent bind()/listen().
 *
 * Only BT_OPEN stream sockets may bind. Returns 0 or a negative errno.
 */
static int rfcomm_sock_bind(struct socket *sock, struct sockaddr_unsized *addr, int addr_len)
{
	struct sockaddr_rc sa;
	struct sock *sk = sock->sk;
	int len, err = 0;

	if (!addr || addr_len < offsetofend(struct sockaddr, sa_family) ||
	    addr->sa_family != AF_BLUETOOTH)
		return -EINVAL;

	/* Bounded copy: never read more than the caller passed or more
	 * than fits in sa; the zero-fill supplies any missing fields. */
	memset(&sa, 0, sizeof(sa));
	len = min_t(unsigned int, sizeof(sa), addr_len);
	memcpy(&sa, addr, len);

	BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);

	lock_sock(sk);

	if (sk->sk_state != BT_OPEN) {
		err = -EBADFD;
		goto done;
	}

	if (sk->sk_type != SOCK_STREAM) {
		err = -EINVAL;
		goto done;
	}

	write_lock(&rfcomm_sk_list.lock);

	if (sa.rc_channel &&
	    __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
		err = -EADDRINUSE;
	} else {
		/* Save source address */
		bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr);
		rfcomm_pi(sk)->channel = sa.rc_channel;
		sk->sk_state = BT_BOUND;
	}

	write_unlock(&rfcomm_sk_list.lock);

done:
	release_sock(sk);
	return err;
}
385
/* connect(2): open a DLC to the peer named in @addr and wait for it.
 *
 * A full struct sockaddr_rc with AF_BLUETOOTH is required. @alen is an
 * int compared against a size_t; this assumes the socket core has already
 * rejected negative lengths -- confirm against the caller. Only
 * BT_OPEN/BT_BOUND stream sockets may connect.
 *
 * The socket lock is released around rfcomm_dlc_open() (see the inline
 * comment) and re-taken before waiting; the extra sock_hold() presumably
 * keeps @sk alive across that unlocked window. Returns 0 or a negative
 * errno.
 */
static int rfcomm_sock_connect(struct socket *sock, struct sockaddr_unsized *addr,
			       int alen, int flags)
{
	struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
	struct sock *sk = sock->sk;
	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
	int err = 0;

	BT_DBG("sk %p", sk);

	if (alen < sizeof(struct sockaddr_rc) ||
	    addr->sa_family != AF_BLUETOOTH)
		return -EINVAL;

	sock_hold(sk);
	lock_sock(sk);

	if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
		err = -EBADFD;
		goto done;
	}

	if (sk->sk_type != SOCK_STREAM) {
		err = -EINVAL;
		goto done;
	}

	sk->sk_state = BT_CONNECT;
	bacpy(&rfcomm_pi(sk)->dst, &sa->rc_bdaddr);
	rfcomm_pi(sk)->channel = sa->rc_channel;

	/* Push the socket's security settings down to the DLC before opening. */
	d->sec_level = rfcomm_pi(sk)->sec_level;
	d->role_switch = rfcomm_pi(sk)->role_switch;

	/* Drop sock lock to avoid potential deadlock with the RFCOMM lock */
	release_sock(sk);
	err = rfcomm_dlc_open(d, &rfcomm_pi(sk)->src, &sa->rc_bdaddr,
			      sa->rc_channel);
	lock_sock(sk);
	/* Wait for BT_CONNECTED unless the open already failed or the socket
	 * was zapped meanwhile; O_NONBLOCK makes the timeout zero. */
	if (!err && !sock_flag(sk, SOCK_ZAPPED))
		err = bt_sock_wait_state(sk, BT_CONNECTED,
				sock_sndtimeo(sk, flags & O_NONBLOCK));

done:
	release_sock(sk);
	sock_put(sk);
	return err;
}
434
/* listen(2): put a bound stream socket into BT_LISTEN.
 *
 * If bind() left the channel at 0, the first free server channel in
 * 1..30 for this source address is claimed here, under the list write
 * lock so no concurrent bind()/listen() can grab the same one; -EINVAL
 * is returned when all of them are taken. Returns 0 or a negative errno.
 */
static int rfcomm_sock_listen(struct socket *sock, int backlog)
{
	struct sock *sk = sock->sk;
	int err = 0;

	BT_DBG("sk %p backlog %d", sk, backlog);

	lock_sock(sk);

	if (sk->sk_state != BT_BOUND) {
		err = -EBADFD;
		goto done;
	}

	if (sk->sk_type != SOCK_STREAM) {
		err = -EINVAL;
		goto done;
	}

	if (!rfcomm_pi(sk)->channel) {
		bdaddr_t *src = &rfcomm_pi(sk)->src;
		u8 channel;

		/* Stays -EINVAL unless a free channel is found below. */
		err = -EINVAL;

		write_lock(&rfcomm_sk_list.lock);

		for (channel = 1; channel < 31; channel++)
			if (!__rfcomm_get_listen_sock_by_addr(channel, src)) {
				rfcomm_pi(sk)->channel = channel;
				err = 0;
				break;
			}

		write_unlock(&rfcomm_sk_list.lock);

		if (err < 0)
			goto done;
	}

	sk->sk_max_ack_backlog = backlog;
	sk->sk_ack_backlog = 0;
	sk->sk_state = BT_LISTEN;

done:
	release_sock(sk);
	return err;
}
483
/* accept(2): hand an already-connected child socket to @newsock.
 *
 * Waits on the listener's sleep queue (exclusive, so one waiter is woken
 * per incoming connection) until a child is available, the timeout derived
 * from sk_rcvtimeo/O_NONBLOCK expires (-EAGAIN when non-blocking), a signal
 * arrives, or the listener leaves BT_LISTEN (-EBADFD). The socket lock is
 * dropped while sleeping. lock_sock_nested(..., SINGLE_DEPTH_NESTING) is a
 * lockdep annotation -- presumably because parent and child sockets share a
 * lock class. On success @newsock is marked SS_CONNECTED.
 */
static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock,
			      struct proto_accept_arg *arg)
{
	DEFINE_WAIT_FUNC(wait, woken_wake_function);
	struct sock *sk = sock->sk, *nsk;
	long timeo;
	int err = 0;

	lock_sock_nested(sk, SINGLE_DEPTH_NESTING);

	if (sk->sk_type != SOCK_STREAM) {
		err = -EINVAL;
		goto done;
	}

	timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK);

	BT_DBG("sk %p timeo %ld", sk, timeo);

	/* Wait for an incoming connection. (wake-one). */
	add_wait_queue_exclusive(sk_sleep(sk), &wait);
	while (1) {
		/* Re-checked every iteration: shutdown may have run while
		 * the lock was dropped. */
		if (sk->sk_state != BT_LISTEN) {
			err = -EBADFD;
			break;
		}

		nsk = bt_accept_dequeue(sk, newsock);
		if (nsk) {
			/* Drop the bridging ref from bt_accept_dequeue();
			 * the grafted socket keeps nsk alive from here.
			 */
			sock_put(nsk);
			break;
		}

		if (!timeo) {
			err = -EAGAIN;
			break;
		}

		if (signal_pending(current)) {
			err = sock_intr_errno(timeo);
			break;
		}

		release_sock(sk);

		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);

		lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
	}
	remove_wait_queue(sk_sleep(sk), &wait);

	if (err)
		goto done;

	newsock->state = SS_CONNECTED;

	BT_DBG("new socket %p", nsk);

done:
	release_sock(sk);
	return err;
}
549
/* getname(2)/getpeername(2): fill @addr with the local or peer address.
 *
 * @peer: non-zero to report the destination (only meaningful once the
 *        socket is connecting or connected; -ENOTCONN otherwise), zero to
 *        report the bound source address.
 *
 * Always writes a whole struct sockaddr_rc into @addr and returns its
 * size; rfcomm_init_sockets() asserts at build time that it fits in a
 * struct sockaddr.
 */
static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int peer)
{
	struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
	struct sock *sk = sock->sk;
	struct rfcomm_pinfo *pi = rfcomm_pi(sk);
	const bdaddr_t *ba;

	BT_DBG("sock %p, sk %p", sock, sk);

	if (peer) {
		switch (sk->sk_state) {
		case BT_CONNECTED:
		case BT_CONNECT:
		case BT_CONNECT2:
			break;
		default:
			return -ENOTCONN;
		}
		ba = &pi->dst;
	} else {
		ba = &pi->src;
	}

	memset(sa, 0, sizeof(*sa));
	sa->rc_family = AF_BLUETOOTH;
	sa->rc_channel = pi->channel;
	bacpy(&sa->rc_bdaddr, ba);

	return sizeof(*sa);
}
571
/* sendmsg(2): send one message over the socket's DLC.
 *
 * Refused with -ENOTCONN while the DLC is still in deferred setup (the
 * connection is accepted by the first recvmsg(), see rfcomm_sock_recvmsg()),
 * with -EOPNOTSUPP for MSG_OOB and with -EPIPE after a send shutdown.
 * A non-zero result from bt_sock_wait_ready() is returned as-is. The skb
 * is sized by the DLC MTU plus RFCOMM head/tail room; if rfcomm_dlc_send()
 * fails the skb is still ours and is freed here. Returns bytes sent or a
 * negative errno.
 */
static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg,
			       size_t len)
{
	struct sock *sk = sock->sk;
	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
	struct sk_buff *skb;
	int sent;

	if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
		return -ENOTCONN;

	if (msg->msg_flags & MSG_OOB)
		return -EOPNOTSUPP;

	if (sk->sk_shutdown & SEND_SHUTDOWN)
		return -EPIPE;

	BT_DBG("sock %p, sk %p", sock, sk);

	lock_sock(sk);

	sent = bt_sock_wait_ready(sk, msg->msg_flags);

	release_sock(sk);

	if (sent)
		return sent;

	skb = bt_skb_sendmmsg(sk, msg, len, d->mtu, RFCOMM_SKB_HEAD_RESERVE,
			      RFCOMM_SKB_TAIL_RESERVE);
	if (IS_ERR(skb))
		return PTR_ERR(skb);

	/* rfcomm_dlc_send() takes ownership only on success. */
	sent = rfcomm_dlc_send(d, skb);
	if (sent < 0)
		kfree_skb(skb);

	return sent;
}
611
/* recvmsg(2): read stream data from the socket.
 *
 * The first recvmsg() on a deferred-setup socket reads nothing: it accepts
 * the DLC and returns 0. Otherwise the generic stream receive is used and,
 * for a real (non-MSG_PEEK) read, the consumed bytes are credited back to
 * sk_rmem_alloc, which rfcomm_sk_data_ready() charged. The DLC is
 * unthrottled once the outstanding backlog is down to a quarter of
 * sk_rcvbuf. Returns bytes read or a negative errno.
 */
static int rfcomm_sock_recvmsg(struct socket *sock, struct msghdr *msg,
			       size_t size, int flags)
{
	struct sock *sk = sock->sk;
	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
	int len;

	if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
		rfcomm_dlc_accept(d);
		return 0;
	}

	len = bt_sock_stream_recvmsg(sock, msg, size, flags);

	lock_sock(sk);
	if (!(flags & MSG_PEEK) && len > 0)
		atomic_sub(len, &sk->sk_rmem_alloc);

	/* Low-water mark for releasing the throttle set in rfcomm_sk_data_ready(). */
	if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2))
		rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc);
	release_sock(sk);

	return len;
}
636
/* Legacy SOL_RFCOMM setsockopt: only RFCOMM_LM is supported.
 *
 * The link-mode bits are mapped onto sec_level in increasing order, so
 * the strongest requested mode wins (SECURE > ENCRYPT > AUTH).
 * RFCOMM_LM_FIPS cannot be requested through this interface (-EINVAL).
 * RFCOMM_LM_MASTER is recorded as the role-switch preference.
 * copy_safe_from_sockptr() checks optlen against sizeof(opt) before
 * copying, so a short option buffer is rejected rather than over-read.
 * Returns 0 or a negative errno.
 */
static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname,
		sockptr_t optval, unsigned int optlen)
{
	struct sock *sk = sock->sk;
	int err = 0;
	u32 opt;

	BT_DBG("sk %p", sk);

	lock_sock(sk);

	switch (optname) {
	case RFCOMM_LM:
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
		if (err)
			break;

		if (opt & RFCOMM_LM_FIPS) {
			err = -EINVAL;
			break;
		}

		/* Later assignments override earlier ones: highest flag wins. */
		if (opt & RFCOMM_LM_AUTH)
			rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
		if (opt & RFCOMM_LM_ENCRYPT)
			rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
		if (opt & RFCOMM_LM_SECURE)
			rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;

		rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
		break;

	default:
		err = -ENOPROTOOPT;
		break;
	}

	release_sock(sk);
	return err;
}
677
/* setsockopt(2) for SOL_BLUETOOTH; SOL_RFCOMM is routed to the legacy
 * handler, any other level is -ENOPROTOOPT.
 *
 * BT_SECURITY (stream sockets only) accepts levels up to BT_SECURITY_HIGH;
 * the key_size member of struct bt_security is not used here.
 * BT_DEFER_SETUP is only valid on bound/listening sockets and sets or
 * clears the flag that rfcomm_sock_init() copies to accepted children.
 * Returns 0 or a negative errno.
 */
static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname,
		sockptr_t optval, unsigned int optlen)
{
	struct sock *sk = sock->sk;
	struct bt_security sec;
	int err = 0;
	u32 opt;

	BT_DBG("sk %p", sk);

	if (level == SOL_RFCOMM)
		return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);

	if (level != SOL_BLUETOOTH)
		return -ENOPROTOOPT;

	lock_sock(sk);

	switch (optname) {
	case BT_SECURITY:
		if (sk->sk_type != SOCK_STREAM) {
			err = -EINVAL;
			break;
		}

		/* Defensive default; a successful copy overwrites the struct
		 * and a failed one breaks out before sec.level is read. */
		sec.level = BT_SECURITY_LOW;

		err = copy_safe_from_sockptr(&sec, sizeof(sec), optval, optlen);
		if (err)
			break;

		if (sec.level > BT_SECURITY_HIGH) {
			err = -EINVAL;
			break;
		}

		rfcomm_pi(sk)->sec_level = sec.level;
		break;

	case BT_DEFER_SETUP:
		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
			err = -EINVAL;
			break;
		}

		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
		if (err)
			break;

		if (opt)
			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
		else
			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);

		break;

	default:
		err = -ENOPROTOOPT;
		break;
	}

	release_sock(sk);
	return err;
}
742
/* Legacy SOL_RFCOMM getsockopt.
 *
 * RFCOMM_LM reports the link-mode bits equivalent to the current sec_level
 * plus RFCOMM_LM_MASTER when role switch is requested. RFCOMM_CONNINFO
 * reports the HCI handle and device class of the underlying ACL link once
 * connected or, with deferred setup, before the connection is accepted.
 *
 * NOTE(review): RFCOMM_LM writes a full u32 with put_user() regardless of
 * the caller's *optlen, whereas RFCOMM_CONNINFO bounds its copy by it, and
 * *optlen is never written back. Confirm this matches the other Bluetooth
 * socket families. Returns 0 or a negative errno.
 */
static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
{
	struct sock *sk = sock->sk;
	struct sock *l2cap_sk;
	struct l2cap_conn *conn;
	struct rfcomm_conninfo cinfo;
	int err = 0;
	size_t len;
	u32 opt;

	BT_DBG("sk %p", sk);

	if (get_user(len, optlen))
		return -EFAULT;

	lock_sock(sk);

	switch (optname) {
	case RFCOMM_LM:
		/* Inverse of the mapping in rfcomm_sock_setsockopt_old(). */
		switch (rfcomm_pi(sk)->sec_level) {
		case BT_SECURITY_LOW:
			opt = RFCOMM_LM_AUTH;
			break;
		case BT_SECURITY_MEDIUM:
			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
			break;
		case BT_SECURITY_HIGH:
			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
			      RFCOMM_LM_SECURE;
			break;
		case BT_SECURITY_FIPS:
			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
			      RFCOMM_LM_SECURE | RFCOMM_LM_FIPS;
			break;
		default:
			opt = 0;
			break;
		}

		if (rfcomm_pi(sk)->role_switch)
			opt |= RFCOMM_LM_MASTER;

		if (put_user(opt, (u32 __user *) optval))
			err = -EFAULT;

		break;

	case RFCOMM_CONNINFO:
		if (sk->sk_state != BT_CONNECTED &&
		    !rfcomm_pi(sk)->dlc->defer_setup) {
			err = -ENOTCONN;
			break;
		}

		/* assumes the DLC has a session with an L2CAP socket whenever
		 * the check above passes -- TODO confirm for the defer_setup path */
		l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
		conn = l2cap_pi(l2cap_sk)->chan->conn;

		memset(&cinfo, 0, sizeof(cinfo));
		cinfo.hci_handle = conn->hcon->handle;
		memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);

		/* Never copy more than the caller's buffer or the struct. */
		len = min(len, sizeof(cinfo));
		if (copy_to_user(optval, (char *) &cinfo, len))
			err = -EFAULT;

		break;

	default:
		err = -ENOPROTOOPT;
		break;
	}

	release_sock(sk);
	return err;
}
818
/* getsockopt(2) for SOL_BLUETOOTH; SOL_RFCOMM is routed to the legacy
 * handler, any other level is -ENOPROTOOPT.
 *
 * BT_SECURITY (stream sockets only) reports sec_level with key_size 0,
 * copying at most min(*optlen, sizeof(sec)) bytes. BT_DEFER_SETUP
 * (bound/listening sockets only) reports the flag as a u32.
 *
 * NOTE(review): as in the legacy handler, the BT_DEFER_SETUP put_user()
 * is not bounded by *optlen and *optlen is never written back -- confirm
 * this is the intended contract. Returns 0 or a negative errno.
 */
static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
{
	struct sock *sk = sock->sk;
	struct bt_security sec;
	int err = 0;
	size_t len;

	BT_DBG("sk %p", sk);

	if (level == SOL_RFCOMM)
		return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen);

	if (level != SOL_BLUETOOTH)
		return -ENOPROTOOPT;

	if (get_user(len, optlen))
		return -EFAULT;

	lock_sock(sk);

	switch (optname) {
	case BT_SECURITY:
		if (sk->sk_type != SOCK_STREAM) {
			err = -EINVAL;
			break;
		}

		sec.level = rfcomm_pi(sk)->sec_level;
		sec.key_size = 0;

		len = min(len, sizeof(sec));
		if (copy_to_user(optval, (char *) &sec, len))
			err = -EFAULT;

		break;

	case BT_DEFER_SETUP:
		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
			err = -EINVAL;
			break;
		}

		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
			     (u32 __user *) optval))
			err = -EFAULT;

		break;

	default:
		err = -ENOPROTOOPT;
		break;
	}

	release_sock(sk);
	return err;
}
875
/* ioctl(2): generic Bluetooth socket ioctls first; anything the generic
 * layer does not recognise (-ENOIOCTLCMD) is offered to the RFCOMM TTY
 * layer when it is built in, otherwise answered with -EOPNOTSUPP.
 */
static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
{
	/* Referenced only by BT_DBG and the TTY path, hence __maybe_unused. */
	struct sock *sk __maybe_unused = sock->sk;
	int err;

	BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg);

	err = bt_sock_ioctl(sock, cmd, arg);
	if (err != -ENOIOCTLCMD)
		return err;

#ifdef CONFIG_BT_RFCOMM_TTY
	return rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
#else
	return -EOPNOTSUPP;
#endif
}
895
896 #ifdef CONFIG_COMPAT
/* compat ioctl: widen the 32-bit user pointer and reuse the native path. */
static int rfcomm_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
{
	void __user *uarg = compat_ptr(arg);

	return rfcomm_sock_ioctl(sock, cmd, (unsigned long)uarg);
}
901 #endif
902
/* shutdown(2): close both directions regardless of @how.
 *
 * Effective once per socket: sk_shutdown is set to SHUTDOWN_MASK on the
 * first call and later calls do nothing. The socket lock is dropped
 * around __rfcomm_sock_close(), presumably for the lock-order concern
 * noted in rfcomm_sock_connect(). With SO_LINGER set, a task that is not
 * exiting then waits up to sk_lingertime for BT_CLOSED. Returns 0 or the
 * wait's negative errno.
 */
static int rfcomm_sock_shutdown(struct socket *sock, int how)
{
	struct sock *sk = sock->sk;
	int err = 0;

	BT_DBG("sock %p, sk %p", sock, sk);

	if (!sk)
		return 0;

	lock_sock(sk);
	if (!sk->sk_shutdown) {
		sk->sk_shutdown = SHUTDOWN_MASK;

		release_sock(sk);
		__rfcomm_sock_close(sk);
		lock_sock(sk);

		if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
		    !(current->flags & PF_EXITING))
			err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
	}
	release_sock(sk);
	return err;
}
928
/* close(2): full shutdown, detach from the struct socket, then free the
 * orphan if it is already zapped (rfcomm_sock_kill() is a no-op otherwise).
 * Returns the shutdown result.
 */
static int rfcomm_sock_release(struct socket *sock)
{
	struct sock *sk = sock->sk;
	int err;

	BT_DBG("sock %p, sk %p", sock, sk);

	if (!sk)
		return 0;

	/* The 'how' argument is ignored by rfcomm_sock_shutdown(), which
	 * always closes both directions. */
	err = rfcomm_sock_shutdown(sock, 2);

	sock_orphan(sk);
	rfcomm_sock_kill(sk);

	return err;
}
945
946 /* ---- RFCOMM core layer callbacks ----
947 *
948 * called under rfcomm_lock()
949 */
/* Incoming-connection indication from the RFCOMM core.
 *
 * @s:       session the request arrived on.
 * @channel: requested server channel.
 * @d:       out: DLC of the new child socket, written only on success.
 *
 * Looks up a BT_LISTEN socket for (channel, local address), allocates a
 * child socket inheriting the listener's settings, queues it on the
 * listener's accept queue in BT_CONFIG and returns 1. Returns 0 -- refusing
 * the connection -- when there is no listener, it stopped listening, its
 * backlog is full, or allocation fails (GFP_ATOMIC: atomic context).
 *
 * defer_setup is read before the backlog check, so a listener with
 * BT_DEFER_SETUP is notified via sk_state_change() even when the
 * connection is refused for a full backlog.
 */
int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d)
{
	struct sock *sk, *parent;
	bdaddr_t src, dst;
	bool defer_setup = false;
	int result = 0;

	BT_DBG("session %p channel %d", s, channel);

	rfcomm_session_getaddr(s, &src, &dst);

	/* Check if we have socket listening on channel */
	parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src);
	if (!parent)
		return 0;

	lock_sock(parent);

	/* Re-check under the lock: the lookup above ran without it. */
	if (parent->sk_state != BT_LISTEN)
		goto done;

	defer_setup = test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags);

	/* Check for backlog size */
	if (sk_acceptq_is_full(parent)) {
		BT_DBG("backlog full %d", parent->sk_ack_backlog);
		goto done;
	}

	sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC, 0);
	if (!sk)
		goto done;

	bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM);

	rfcomm_sock_init(sk, parent);
	bacpy(&rfcomm_pi(sk)->src, &src);
	bacpy(&rfcomm_pi(sk)->dst, &dst);
	rfcomm_pi(sk)->channel = channel;

	sk->sk_state = BT_CONFIG;
	bt_accept_enqueue(parent, sk, true);

	/* Accept connection and return socket DLC */
	*d = rfcomm_pi(sk)->dlc;
	result = 1;

done:
	release_sock(parent);

	if (defer_setup)
		parent->sk_state_change(parent);

	/* Drop the reference rfcomm_get_sock_by_channel() handed us. */
	sock_put(parent);

	return result;
}
1007
/* debugfs "rfcomm" reader: one line per socket -- source address,
 * destination address, state and channel -- under the list read lock.
 */
static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
{
	struct sock *sk;

	read_lock(&rfcomm_sk_list.lock);

	sk_for_each(sk, &rfcomm_sk_list.head) {
		const struct rfcomm_pinfo *pi = rfcomm_pi(sk);

		seq_printf(f, "%pMR %pMR %d %d\n", &pi->src, &pi->dst,
			   sk->sk_state, pi->channel);
	}

	read_unlock(&rfcomm_sk_list.lock);

	return 0;
}
1024
/* Generates rfcomm_sock_debugfs_fops around rfcomm_sock_debugfs_show(). */
DEFINE_SHOW_ATTRIBUTE(rfcomm_sock_debugfs);

/* Dentry of the debugfs file; stays NULL when bt_debugfs is unavailable. */
static struct dentry *rfcomm_sock_debugfs;
1028
/* Socket operations for RFCOMM sockets. Operations not implemented here
 * are served by the generic Bluetooth helpers (poll, timestamps) or the
 * sock_no_* stubs (socketpair, mmap).
 */
static const struct proto_ops rfcomm_sock_ops = {
	.family		= PF_BLUETOOTH,
	.owner		= THIS_MODULE,
	.release	= rfcomm_sock_release,
	.bind		= rfcomm_sock_bind,
	.connect	= rfcomm_sock_connect,
	.listen		= rfcomm_sock_listen,
	.accept		= rfcomm_sock_accept,
	.getname	= rfcomm_sock_getname,
	.sendmsg	= rfcomm_sock_sendmsg,
	.recvmsg	= rfcomm_sock_recvmsg,
	.shutdown	= rfcomm_sock_shutdown,
	.setsockopt	= rfcomm_sock_setsockopt,
	.getsockopt	= rfcomm_sock_getsockopt,
	.ioctl		= rfcomm_sock_ioctl,
	.gettstamp	= sock_gettstamp,
	.poll		= bt_sock_poll,
	.socketpair	= sock_no_socketpair,
	.mmap		= sock_no_mmap,
#ifdef CONFIG_COMPAT
	.compat_ioctl	= rfcomm_sock_compat_ioctl,
#endif
};
1052
/* Registered for BTPROTO_RFCOMM by rfcomm_init_sockets(). */
static const struct net_proto_family rfcomm_sock_family_ops = {
	.family		= PF_BLUETOOTH,
	.owner		= THIS_MODULE,
	.create		= rfcomm_sock_create
};
1058
/* Module init: register the RFCOMM proto, the BTPROTO_RFCOMM family, the
 * procfs entry and -- if the Bluetooth debugfs root exists -- the debugfs
 * socket list. Each failure undoes the steps before it; a missing debugfs
 * root is not an error. Returns 0 or a negative errno.
 *
 * The BUILD_BUG_ON guarantees rfcomm_sock_getname() can write a whole
 * struct sockaddr_rc into the struct sockaddr it is handed.
 */
int __init rfcomm_init_sockets(void)
{
	int err;

	BUILD_BUG_ON(sizeof(struct sockaddr_rc) > sizeof(struct sockaddr));

	err = proto_register(&rfcomm_proto, 0);
	if (err < 0)
		return err;

	err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops);
	if (err < 0) {
		BT_ERR("RFCOMM socket layer registration failed");
		goto error;
	}

	err = bt_procfs_init(&init_net, "rfcomm", &rfcomm_sk_list, NULL);
	if (err < 0) {
		BT_ERR("Failed to create RFCOMM proc file");
		bt_sock_unregister(BTPROTO_RFCOMM);
		goto error;
	}

	BT_INFO("RFCOMM socket layer initialized");

	if (IS_ERR_OR_NULL(bt_debugfs))
		return 0;

	rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444,
						  bt_debugfs, NULL,
						  &rfcomm_sock_debugfs_fops);

	return 0;

error:
	proto_unregister(&rfcomm_proto);
	return err;
}
1097
/* Module exit: undo rfcomm_init_sockets(). debugfs_remove() accepts the
 * NULL dentry left behind when debugfs was never set up.
 */
void __exit rfcomm_cleanup_sockets(void)
{
	bt_procfs_cleanup(&init_net, "rfcomm");
	debugfs_remove(rfcomm_sock_debugfs);
	bt_sock_unregister(BTPROTO_RFCOMM);
	proto_unregister(&rfcomm_proto);
}
1108