1 /*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22 */
23
24 /*
25 * RFCOMM sockets.
26 */
27 #include <linux/compat.h>
28 #include <linux/export.h>
29 #include <linux/debugfs.h>
30 #include <linux/sched/signal.h>
31
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/l2cap.h>
35 #include <net/bluetooth/rfcomm.h>
36
37 static const struct proto_ops rfcomm_sock_ops;
38
39 static struct bt_sock_list rfcomm_sk_list = {
40 .lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock)
41 };
42
43 static void rfcomm_sock_close(struct sock *sk);
44 static void rfcomm_sock_kill(struct sock *sk);
45
46 /* ---- DLC callbacks ----
47 *
48 * called under rfcomm_dlc_lock()
49 */
rfcomm_sk_data_ready(struct rfcomm_dlc * d,struct sk_buff * skb)50 static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
51 {
52 struct sock *sk = d->owner;
53 if (!sk)
54 return;
55
56 atomic_add(skb->len, &sk->sk_rmem_alloc);
57 skb_queue_tail(&sk->sk_receive_queue, skb);
58 sk->sk_data_ready(sk);
59
60 if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
61 rfcomm_dlc_throttle(d);
62 }
63
rfcomm_sk_state_change(struct rfcomm_dlc * d,int err)64 static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
65 {
66 struct sock *sk = d->owner, *parent;
67
68 if (!sk)
69 return;
70
71 BT_DBG("dlc %p state %ld err %d", d, d->state, err);
72
73 lock_sock(sk);
74
75 if (err)
76 sk->sk_err = err;
77
78 sk->sk_state = d->state;
79
80 parent = bt_sk(sk)->parent;
81 if (parent) {
82 if (d->state == BT_CLOSED) {
83 sock_set_flag(sk, SOCK_ZAPPED);
84 bt_accept_unlink(sk);
85 }
86 parent->sk_data_ready(parent);
87 } else {
88 if (d->state == BT_CONNECTED)
89 rfcomm_session_getaddr(d->session,
90 &rfcomm_pi(sk)->src, NULL);
91 sk->sk_state_change(sk);
92 }
93
94 release_sock(sk);
95
96 if (parent && sock_flag(sk, SOCK_ZAPPED)) {
97 /* We have to drop DLC lock here, otherwise
98 * rfcomm_sock_destruct() will dead lock. */
99 rfcomm_dlc_unlock(d);
100 rfcomm_sock_kill(sk);
101 rfcomm_dlc_lock(d);
102 }
103 }
104
105 /* ---- Socket functions ---- */
__rfcomm_get_listen_sock_by_addr(u8 channel,bdaddr_t * src)106 static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
107 {
108 struct sock *sk = NULL;
109
110 sk_for_each(sk, &rfcomm_sk_list.head) {
111 if (rfcomm_pi(sk)->channel != channel)
112 continue;
113
114 if (bacmp(&rfcomm_pi(sk)->src, src))
115 continue;
116
117 if (sk->sk_state == BT_BOUND || sk->sk_state == BT_LISTEN)
118 break;
119 }
120
121 return sk ? sk : NULL;
122 }
123
124 /* Find socket with channel and source bdaddr.
125 * Returns closest match.
126 */
rfcomm_get_sock_by_channel(int state,u8 channel,bdaddr_t * src)127 static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
128 {
129 struct sock *sk = NULL, *sk1 = NULL;
130
131 read_lock(&rfcomm_sk_list.lock);
132
133 sk_for_each(sk, &rfcomm_sk_list.head) {
134 if (state && sk->sk_state != state)
135 continue;
136
137 if (rfcomm_pi(sk)->channel == channel) {
138 /* Exact match. */
139 if (!bacmp(&rfcomm_pi(sk)->src, src))
140 break;
141
142 /* Closest match */
143 if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY))
144 sk1 = sk;
145 }
146 }
147
148 read_unlock(&rfcomm_sk_list.lock);
149
150 return sk ? sk : sk1;
151 }
152
rfcomm_sock_destruct(struct sock * sk)153 static void rfcomm_sock_destruct(struct sock *sk)
154 {
155 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
156
157 BT_DBG("sk %p dlc %p", sk, d);
158
159 skb_queue_purge(&sk->sk_receive_queue);
160 skb_queue_purge(&sk->sk_write_queue);
161
162 rfcomm_dlc_lock(d);
163 rfcomm_pi(sk)->dlc = NULL;
164
165 /* Detach DLC if it's owned by this socket */
166 if (d->owner == sk)
167 d->owner = NULL;
168 rfcomm_dlc_unlock(d);
169
170 rfcomm_dlc_put(d);
171 }
172
rfcomm_sock_cleanup_listen(struct sock * parent)173 static void rfcomm_sock_cleanup_listen(struct sock *parent)
174 {
175 struct sock *sk;
176
177 BT_DBG("parent %p", parent);
178
179 /* Close not yet accepted dlcs */
180 while ((sk = bt_accept_dequeue(parent, NULL))) {
181 rfcomm_sock_close(sk);
182 rfcomm_sock_kill(sk);
183 /* Drop the reference handed back by bt_accept_dequeue(). */
184 sock_put(sk);
185 }
186
187 parent->sk_state = BT_CLOSED;
188 sock_set_flag(parent, SOCK_ZAPPED);
189 }
190
191 /* Kill socket (only if zapped and orphan)
192 * Must be called on unlocked socket.
193 */
rfcomm_sock_kill(struct sock * sk)194 static void rfcomm_sock_kill(struct sock *sk)
195 {
196 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
197 return;
198
199 BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, refcount_read(&sk->sk_refcnt));
200
201 /* Kill poor orphan */
202 bt_sock_unlink(&rfcomm_sk_list, sk);
203 sock_set_flag(sk, SOCK_DEAD);
204 sock_put(sk);
205 }
206
__rfcomm_sock_close(struct sock * sk)207 static void __rfcomm_sock_close(struct sock *sk)
208 {
209 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
210
211 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
212
213 switch (sk->sk_state) {
214 case BT_LISTEN:
215 rfcomm_sock_cleanup_listen(sk);
216 break;
217
218 case BT_CONNECT:
219 case BT_CONNECT2:
220 case BT_CONFIG:
221 case BT_CONNECTED:
222 rfcomm_dlc_close(d, 0);
223 fallthrough;
224
225 default:
226 sock_set_flag(sk, SOCK_ZAPPED);
227 break;
228 }
229 }
230
231 /* Close socket.
232 * Must be called on unlocked socket.
233 */
rfcomm_sock_close(struct sock * sk)234 static void rfcomm_sock_close(struct sock *sk)
235 {
236 lock_sock(sk);
237 __rfcomm_sock_close(sk);
238 release_sock(sk);
239 }
240
rfcomm_sock_init(struct sock * sk,struct sock * parent)241 static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
242 {
243 struct rfcomm_pinfo *pi = rfcomm_pi(sk);
244
245 BT_DBG("sk %p", sk);
246
247 if (parent) {
248 sk->sk_type = parent->sk_type;
249 pi->dlc->defer_setup = test_bit(BT_SK_DEFER_SETUP,
250 &bt_sk(parent)->flags);
251
252 pi->sec_level = rfcomm_pi(parent)->sec_level;
253 pi->role_switch = rfcomm_pi(parent)->role_switch;
254
255 security_sk_clone(parent, sk);
256 } else {
257 pi->dlc->defer_setup = 0;
258
259 pi->sec_level = BT_SECURITY_LOW;
260 pi->role_switch = 0;
261 }
262
263 pi->dlc->sec_level = pi->sec_level;
264 pi->dlc->role_switch = pi->role_switch;
265 }
266
267 static struct proto rfcomm_proto = {
268 .name = "RFCOMM",
269 .owner = THIS_MODULE,
270 .obj_size = sizeof(struct rfcomm_pinfo)
271 };
272
rfcomm_sock_alloc(struct net * net,struct socket * sock,int proto,gfp_t prio,int kern)273 static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock,
274 int proto, gfp_t prio, int kern)
275 {
276 struct rfcomm_dlc *d;
277 struct sock *sk;
278
279 d = rfcomm_dlc_alloc(prio);
280 if (!d)
281 return NULL;
282
283 sk = bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern);
284 if (!sk) {
285 rfcomm_dlc_free(d);
286 return NULL;
287 }
288
289 d->data_ready = rfcomm_sk_data_ready;
290 d->state_change = rfcomm_sk_state_change;
291
292 rfcomm_pi(sk)->dlc = d;
293 d->owner = sk;
294
295 sk->sk_destruct = rfcomm_sock_destruct;
296 sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT;
297
298 sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
299 sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
300
301 bt_sock_link(&rfcomm_sk_list, sk);
302
303 BT_DBG("sk %p", sk);
304 return sk;
305 }
306
rfcomm_sock_create(struct net * net,struct socket * sock,int protocol,int kern)307 static int rfcomm_sock_create(struct net *net, struct socket *sock,
308 int protocol, int kern)
309 {
310 struct sock *sk;
311
312 BT_DBG("sock %p", sock);
313
314 sock->state = SS_UNCONNECTED;
315
316 if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW)
317 return -ESOCKTNOSUPPORT;
318
319 sock->ops = &rfcomm_sock_ops;
320
321 sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
322 if (!sk)
323 return -ENOMEM;
324
325 rfcomm_sock_init(sk, NULL);
326 return 0;
327 }
328
rfcomm_sock_bind(struct socket * sock,struct sockaddr_unsized * addr,int addr_len)329 static int rfcomm_sock_bind(struct socket *sock, struct sockaddr_unsized *addr, int addr_len)
330 {
331 struct sockaddr_rc sa;
332 struct sock *sk = sock->sk;
333 int len, err = 0;
334
335 if (!addr || addr_len < offsetofend(struct sockaddr, sa_family) ||
336 addr->sa_family != AF_BLUETOOTH)
337 return -EINVAL;
338
339 memset(&sa, 0, sizeof(sa));
340 len = min_t(unsigned int, sizeof(sa), addr_len);
341 memcpy(&sa, addr, len);
342
343 BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);
344
345 lock_sock(sk);
346
347 if (sk->sk_state != BT_OPEN) {
348 err = -EBADFD;
349 goto done;
350 }
351
352 if (sk->sk_type != SOCK_STREAM) {
353 err = -EINVAL;
354 goto done;
355 }
356
357 write_lock(&rfcomm_sk_list.lock);
358
359 if (sa.rc_channel &&
360 __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
361 err = -EADDRINUSE;
362 } else {
363 /* Save source address */
364 bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr);
365 rfcomm_pi(sk)->channel = sa.rc_channel;
366 sk->sk_state = BT_BOUND;
367 }
368
369 write_unlock(&rfcomm_sk_list.lock);
370
371 done:
372 release_sock(sk);
373 return err;
374 }
375
rfcomm_sock_connect(struct socket * sock,struct sockaddr_unsized * addr,int alen,int flags)376 static int rfcomm_sock_connect(struct socket *sock, struct sockaddr_unsized *addr,
377 int alen, int flags)
378 {
379 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
380 struct sock *sk = sock->sk;
381 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
382 int err = 0;
383
384 BT_DBG("sk %p", sk);
385
386 if (alen < sizeof(struct sockaddr_rc) ||
387 addr->sa_family != AF_BLUETOOTH)
388 return -EINVAL;
389
390 sock_hold(sk);
391 lock_sock(sk);
392
393 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
394 err = -EBADFD;
395 goto done;
396 }
397
398 if (sk->sk_type != SOCK_STREAM) {
399 err = -EINVAL;
400 goto done;
401 }
402
403 sk->sk_state = BT_CONNECT;
404 bacpy(&rfcomm_pi(sk)->dst, &sa->rc_bdaddr);
405 rfcomm_pi(sk)->channel = sa->rc_channel;
406
407 d->sec_level = rfcomm_pi(sk)->sec_level;
408 d->role_switch = rfcomm_pi(sk)->role_switch;
409
410 /* Drop sock lock to avoid potential deadlock with the RFCOMM lock */
411 release_sock(sk);
412 err = rfcomm_dlc_open(d, &rfcomm_pi(sk)->src, &sa->rc_bdaddr,
413 sa->rc_channel);
414 lock_sock(sk);
415 if (!err && !sock_flag(sk, SOCK_ZAPPED))
416 err = bt_sock_wait_state(sk, BT_CONNECTED,
417 sock_sndtimeo(sk, flags & O_NONBLOCK));
418
419 done:
420 release_sock(sk);
421 sock_put(sk);
422 return err;
423 }
424
rfcomm_sock_listen(struct socket * sock,int backlog)425 static int rfcomm_sock_listen(struct socket *sock, int backlog)
426 {
427 struct sock *sk = sock->sk;
428 int err = 0;
429
430 BT_DBG("sk %p backlog %d", sk, backlog);
431
432 lock_sock(sk);
433
434 if (sk->sk_state != BT_BOUND) {
435 err = -EBADFD;
436 goto done;
437 }
438
439 if (sk->sk_type != SOCK_STREAM) {
440 err = -EINVAL;
441 goto done;
442 }
443
444 if (!rfcomm_pi(sk)->channel) {
445 bdaddr_t *src = &rfcomm_pi(sk)->src;
446 u8 channel;
447
448 err = -EINVAL;
449
450 write_lock(&rfcomm_sk_list.lock);
451
452 for (channel = 1; channel < 31; channel++)
453 if (!__rfcomm_get_listen_sock_by_addr(channel, src)) {
454 rfcomm_pi(sk)->channel = channel;
455 err = 0;
456 break;
457 }
458
459 write_unlock(&rfcomm_sk_list.lock);
460
461 if (err < 0)
462 goto done;
463 }
464
465 sk->sk_max_ack_backlog = backlog;
466 sk->sk_ack_backlog = 0;
467 sk->sk_state = BT_LISTEN;
468
469 done:
470 release_sock(sk);
471 return err;
472 }
473
rfcomm_sock_accept(struct socket * sock,struct socket * newsock,struct proto_accept_arg * arg)474 static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock,
475 struct proto_accept_arg *arg)
476 {
477 DEFINE_WAIT_FUNC(wait, woken_wake_function);
478 struct sock *sk = sock->sk, *nsk;
479 long timeo;
480 int err = 0;
481
482 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
483
484 if (sk->sk_type != SOCK_STREAM) {
485 err = -EINVAL;
486 goto done;
487 }
488
489 timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK);
490
491 BT_DBG("sk %p timeo %ld", sk, timeo);
492
493 /* Wait for an incoming connection. (wake-one). */
494 add_wait_queue_exclusive(sk_sleep(sk), &wait);
495 while (1) {
496 if (sk->sk_state != BT_LISTEN) {
497 err = -EBADFD;
498 break;
499 }
500
501 nsk = bt_accept_dequeue(sk, newsock);
502 if (nsk) {
503 /* Drop the bridging ref from bt_accept_dequeue();
504 * the grafted socket keeps nsk alive from here.
505 */
506 sock_put(nsk);
507 break;
508 }
509
510 if (!timeo) {
511 err = -EAGAIN;
512 break;
513 }
514
515 if (signal_pending(current)) {
516 err = sock_intr_errno(timeo);
517 break;
518 }
519
520 release_sock(sk);
521
522 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
523
524 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
525 }
526 remove_wait_queue(sk_sleep(sk), &wait);
527
528 if (err)
529 goto done;
530
531 newsock->state = SS_CONNECTED;
532
533 BT_DBG("new socket %p", nsk);
534
535 done:
536 release_sock(sk);
537 return err;
538 }
539
rfcomm_sock_getname(struct socket * sock,struct sockaddr * addr,int peer)540 static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int peer)
541 {
542 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
543 struct sock *sk = sock->sk;
544
545 BT_DBG("sock %p, sk %p", sock, sk);
546
547 if (peer && sk->sk_state != BT_CONNECTED &&
548 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2)
549 return -ENOTCONN;
550
551 memset(sa, 0, sizeof(*sa));
552 sa->rc_family = AF_BLUETOOTH;
553 sa->rc_channel = rfcomm_pi(sk)->channel;
554 if (peer)
555 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->dst);
556 else
557 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->src);
558
559 return sizeof(struct sockaddr_rc);
560 }
561
rfcomm_sock_sendmsg(struct socket * sock,struct msghdr * msg,size_t len)562 static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg,
563 size_t len)
564 {
565 struct sock *sk = sock->sk;
566 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
567 struct sk_buff *skb;
568 int sent;
569
570 if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
571 return -ENOTCONN;
572
573 if (msg->msg_flags & MSG_OOB)
574 return -EOPNOTSUPP;
575
576 if (sk->sk_shutdown & SEND_SHUTDOWN)
577 return -EPIPE;
578
579 BT_DBG("sock %p, sk %p", sock, sk);
580
581 lock_sock(sk);
582
583 sent = bt_sock_wait_ready(sk, msg->msg_flags);
584
585 release_sock(sk);
586
587 if (sent)
588 return sent;
589
590 skb = bt_skb_sendmmsg(sk, msg, len, d->mtu, RFCOMM_SKB_HEAD_RESERVE,
591 RFCOMM_SKB_TAIL_RESERVE);
592 if (IS_ERR(skb))
593 return PTR_ERR(skb);
594
595 sent = rfcomm_dlc_send(d, skb);
596 if (sent < 0)
597 kfree_skb(skb);
598
599 return sent;
600 }
601
rfcomm_sock_recvmsg(struct socket * sock,struct msghdr * msg,size_t size,int flags)602 static int rfcomm_sock_recvmsg(struct socket *sock, struct msghdr *msg,
603 size_t size, int flags)
604 {
605 struct sock *sk = sock->sk;
606 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
607 int len;
608
609 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
610 rfcomm_dlc_accept(d);
611 return 0;
612 }
613
614 len = bt_sock_stream_recvmsg(sock, msg, size, flags);
615
616 lock_sock(sk);
617 if (!(flags & MSG_PEEK) && len > 0)
618 atomic_sub(len, &sk->sk_rmem_alloc);
619
620 if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2))
621 rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc);
622 release_sock(sk);
623
624 return len;
625 }
626
rfcomm_sock_setsockopt_old(struct socket * sock,int optname,sockptr_t optval,unsigned int optlen)627 static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname,
628 sockptr_t optval, unsigned int optlen)
629 {
630 struct sock *sk = sock->sk;
631 int err = 0;
632 u32 opt;
633
634 BT_DBG("sk %p", sk);
635
636 lock_sock(sk);
637
638 switch (optname) {
639 case RFCOMM_LM:
640 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
641 if (err)
642 break;
643
644 if (opt & RFCOMM_LM_FIPS) {
645 err = -EINVAL;
646 break;
647 }
648
649 if (opt & RFCOMM_LM_AUTH)
650 rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
651 if (opt & RFCOMM_LM_ENCRYPT)
652 rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
653 if (opt & RFCOMM_LM_SECURE)
654 rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;
655
656 rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
657 break;
658
659 default:
660 err = -ENOPROTOOPT;
661 break;
662 }
663
664 release_sock(sk);
665 return err;
666 }
667
rfcomm_sock_setsockopt(struct socket * sock,int level,int optname,sockptr_t optval,unsigned int optlen)668 static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname,
669 sockptr_t optval, unsigned int optlen)
670 {
671 struct sock *sk = sock->sk;
672 struct bt_security sec;
673 int err = 0;
674 u32 opt;
675
676 BT_DBG("sk %p", sk);
677
678 if (level == SOL_RFCOMM)
679 return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);
680
681 if (level != SOL_BLUETOOTH)
682 return -ENOPROTOOPT;
683
684 lock_sock(sk);
685
686 switch (optname) {
687 case BT_SECURITY:
688 if (sk->sk_type != SOCK_STREAM) {
689 err = -EINVAL;
690 break;
691 }
692
693 sec.level = BT_SECURITY_LOW;
694
695 err = copy_safe_from_sockptr(&sec, sizeof(sec), optval, optlen);
696 if (err)
697 break;
698
699 if (sec.level > BT_SECURITY_HIGH) {
700 err = -EINVAL;
701 break;
702 }
703
704 rfcomm_pi(sk)->sec_level = sec.level;
705 break;
706
707 case BT_DEFER_SETUP:
708 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
709 err = -EINVAL;
710 break;
711 }
712
713 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
714 if (err)
715 break;
716
717 if (opt)
718 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
719 else
720 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
721
722 break;
723
724 default:
725 err = -ENOPROTOOPT;
726 break;
727 }
728
729 release_sock(sk);
730 return err;
731 }
732
rfcomm_sock_getsockopt_old(struct socket * sock,int optname,char __user * optval,int __user * optlen)733 static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
734 {
735 struct sock *sk = sock->sk;
736 struct sock *l2cap_sk;
737 struct l2cap_conn *conn;
738 struct rfcomm_conninfo cinfo;
739 int err = 0;
740 size_t len;
741 u32 opt;
742
743 BT_DBG("sk %p", sk);
744
745 if (get_user(len, optlen))
746 return -EFAULT;
747
748 lock_sock(sk);
749
750 switch (optname) {
751 case RFCOMM_LM:
752 switch (rfcomm_pi(sk)->sec_level) {
753 case BT_SECURITY_LOW:
754 opt = RFCOMM_LM_AUTH;
755 break;
756 case BT_SECURITY_MEDIUM:
757 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
758 break;
759 case BT_SECURITY_HIGH:
760 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
761 RFCOMM_LM_SECURE;
762 break;
763 case BT_SECURITY_FIPS:
764 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
765 RFCOMM_LM_SECURE | RFCOMM_LM_FIPS;
766 break;
767 default:
768 opt = 0;
769 break;
770 }
771
772 if (rfcomm_pi(sk)->role_switch)
773 opt |= RFCOMM_LM_MASTER;
774
775 if (put_user(opt, (u32 __user *) optval))
776 err = -EFAULT;
777
778 break;
779
780 case RFCOMM_CONNINFO:
781 if (sk->sk_state != BT_CONNECTED &&
782 !rfcomm_pi(sk)->dlc->defer_setup) {
783 err = -ENOTCONN;
784 break;
785 }
786
787 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
788 conn = l2cap_pi(l2cap_sk)->chan->conn;
789
790 memset(&cinfo, 0, sizeof(cinfo));
791 cinfo.hci_handle = conn->hcon->handle;
792 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
793
794 len = min(len, sizeof(cinfo));
795 if (copy_to_user(optval, (char *) &cinfo, len))
796 err = -EFAULT;
797
798 break;
799
800 default:
801 err = -ENOPROTOOPT;
802 break;
803 }
804
805 release_sock(sk);
806 return err;
807 }
808
rfcomm_sock_getsockopt(struct socket * sock,int level,int optname,char __user * optval,int __user * optlen)809 static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
810 {
811 struct sock *sk = sock->sk;
812 struct bt_security sec;
813 int err = 0;
814 size_t len;
815
816 BT_DBG("sk %p", sk);
817
818 if (level == SOL_RFCOMM)
819 return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen);
820
821 if (level != SOL_BLUETOOTH)
822 return -ENOPROTOOPT;
823
824 if (get_user(len, optlen))
825 return -EFAULT;
826
827 lock_sock(sk);
828
829 switch (optname) {
830 case BT_SECURITY:
831 if (sk->sk_type != SOCK_STREAM) {
832 err = -EINVAL;
833 break;
834 }
835
836 sec.level = rfcomm_pi(sk)->sec_level;
837 sec.key_size = 0;
838
839 len = min(len, sizeof(sec));
840 if (copy_to_user(optval, (char *) &sec, len))
841 err = -EFAULT;
842
843 break;
844
845 case BT_DEFER_SETUP:
846 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
847 err = -EINVAL;
848 break;
849 }
850
851 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
852 (u32 __user *) optval))
853 err = -EFAULT;
854
855 break;
856
857 default:
858 err = -ENOPROTOOPT;
859 break;
860 }
861
862 release_sock(sk);
863 return err;
864 }
865
rfcomm_sock_ioctl(struct socket * sock,unsigned int cmd,unsigned long arg)866 static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
867 {
868 struct sock *sk __maybe_unused = sock->sk;
869 int err;
870
871 BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg);
872
873 err = bt_sock_ioctl(sock, cmd, arg);
874
875 if (err == -ENOIOCTLCMD) {
876 #ifdef CONFIG_BT_RFCOMM_TTY
877 err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
878 #else
879 err = -EOPNOTSUPP;
880 #endif
881 }
882
883 return err;
884 }
885
886 #ifdef CONFIG_COMPAT
rfcomm_sock_compat_ioctl(struct socket * sock,unsigned int cmd,unsigned long arg)887 static int rfcomm_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
888 {
889 return rfcomm_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg));
890 }
891 #endif
892
rfcomm_sock_shutdown(struct socket * sock,int how)893 static int rfcomm_sock_shutdown(struct socket *sock, int how)
894 {
895 struct sock *sk = sock->sk;
896 int err = 0;
897
898 BT_DBG("sock %p, sk %p", sock, sk);
899
900 if (!sk)
901 return 0;
902
903 lock_sock(sk);
904 if (!sk->sk_shutdown) {
905 sk->sk_shutdown = SHUTDOWN_MASK;
906
907 release_sock(sk);
908 __rfcomm_sock_close(sk);
909 lock_sock(sk);
910
911 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
912 !(current->flags & PF_EXITING))
913 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
914 }
915 release_sock(sk);
916 return err;
917 }
918
rfcomm_sock_release(struct socket * sock)919 static int rfcomm_sock_release(struct socket *sock)
920 {
921 struct sock *sk = sock->sk;
922 int err;
923
924 BT_DBG("sock %p, sk %p", sock, sk);
925
926 if (!sk)
927 return 0;
928
929 err = rfcomm_sock_shutdown(sock, 2);
930
931 sock_orphan(sk);
932 rfcomm_sock_kill(sk);
933 return err;
934 }
935
936 /* ---- RFCOMM core layer callbacks ----
937 *
938 * called under rfcomm_lock()
939 */
rfcomm_connect_ind(struct rfcomm_session * s,u8 channel,struct rfcomm_dlc ** d)940 int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d)
941 {
942 struct sock *sk, *parent;
943 bdaddr_t src, dst;
944 int result = 0;
945
946 BT_DBG("session %p channel %d", s, channel);
947
948 rfcomm_session_getaddr(s, &src, &dst);
949
950 /* Check if we have socket listening on channel */
951 parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src);
952 if (!parent)
953 return 0;
954
955 lock_sock(parent);
956
957 /* Check for backlog size */
958 if (sk_acceptq_is_full(parent)) {
959 BT_DBG("backlog full %d", parent->sk_ack_backlog);
960 goto done;
961 }
962
963 sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC, 0);
964 if (!sk)
965 goto done;
966
967 bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM);
968
969 rfcomm_sock_init(sk, parent);
970 bacpy(&rfcomm_pi(sk)->src, &src);
971 bacpy(&rfcomm_pi(sk)->dst, &dst);
972 rfcomm_pi(sk)->channel = channel;
973
974 sk->sk_state = BT_CONFIG;
975 bt_accept_enqueue(parent, sk, true);
976
977 /* Accept connection and return socket DLC */
978 *d = rfcomm_pi(sk)->dlc;
979 result = 1;
980
981 done:
982 release_sock(parent);
983
984 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
985 parent->sk_state_change(parent);
986
987 return result;
988 }
989
rfcomm_sock_debugfs_show(struct seq_file * f,void * p)990 static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
991 {
992 struct sock *sk;
993
994 read_lock(&rfcomm_sk_list.lock);
995
996 sk_for_each(sk, &rfcomm_sk_list.head) {
997 seq_printf(f, "%pMR %pMR %d %d\n",
998 &rfcomm_pi(sk)->src, &rfcomm_pi(sk)->dst,
999 sk->sk_state, rfcomm_pi(sk)->channel);
1000 }
1001
1002 read_unlock(&rfcomm_sk_list.lock);
1003
1004 return 0;
1005 }
1006
1007 DEFINE_SHOW_ATTRIBUTE(rfcomm_sock_debugfs);
1008
1009 static struct dentry *rfcomm_sock_debugfs;
1010
1011 static const struct proto_ops rfcomm_sock_ops = {
1012 .family = PF_BLUETOOTH,
1013 .owner = THIS_MODULE,
1014 .release = rfcomm_sock_release,
1015 .bind = rfcomm_sock_bind,
1016 .connect = rfcomm_sock_connect,
1017 .listen = rfcomm_sock_listen,
1018 .accept = rfcomm_sock_accept,
1019 .getname = rfcomm_sock_getname,
1020 .sendmsg = rfcomm_sock_sendmsg,
1021 .recvmsg = rfcomm_sock_recvmsg,
1022 .shutdown = rfcomm_sock_shutdown,
1023 .setsockopt = rfcomm_sock_setsockopt,
1024 .getsockopt = rfcomm_sock_getsockopt,
1025 .ioctl = rfcomm_sock_ioctl,
1026 .gettstamp = sock_gettstamp,
1027 .poll = bt_sock_poll,
1028 .socketpair = sock_no_socketpair,
1029 .mmap = sock_no_mmap,
1030 #ifdef CONFIG_COMPAT
1031 .compat_ioctl = rfcomm_sock_compat_ioctl,
1032 #endif
1033 };
1034
1035 static const struct net_proto_family rfcomm_sock_family_ops = {
1036 .family = PF_BLUETOOTH,
1037 .owner = THIS_MODULE,
1038 .create = rfcomm_sock_create
1039 };
1040
rfcomm_init_sockets(void)1041 int __init rfcomm_init_sockets(void)
1042 {
1043 int err;
1044
1045 BUILD_BUG_ON(sizeof(struct sockaddr_rc) > sizeof(struct sockaddr));
1046
1047 err = proto_register(&rfcomm_proto, 0);
1048 if (err < 0)
1049 return err;
1050
1051 err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops);
1052 if (err < 0) {
1053 BT_ERR("RFCOMM socket layer registration failed");
1054 goto error;
1055 }
1056
1057 err = bt_procfs_init(&init_net, "rfcomm", &rfcomm_sk_list, NULL);
1058 if (err < 0) {
1059 BT_ERR("Failed to create RFCOMM proc file");
1060 bt_sock_unregister(BTPROTO_RFCOMM);
1061 goto error;
1062 }
1063
1064 BT_INFO("RFCOMM socket layer initialized");
1065
1066 if (IS_ERR_OR_NULL(bt_debugfs))
1067 return 0;
1068
1069 rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444,
1070 bt_debugfs, NULL,
1071 &rfcomm_sock_debugfs_fops);
1072
1073 return 0;
1074
1075 error:
1076 proto_unregister(&rfcomm_proto);
1077 return err;
1078 }
1079
rfcomm_cleanup_sockets(void)1080 void __exit rfcomm_cleanup_sockets(void)
1081 {
1082 bt_procfs_cleanup(&init_net, "rfcomm");
1083
1084 debugfs_remove(rfcomm_sock_debugfs);
1085
1086 bt_sock_unregister(BTPROTO_RFCOMM);
1087
1088 proto_unregister(&rfcomm_proto);
1089 }
1090