xref: /linux/net/bluetooth/rfcomm/sock.c (revision 4e0ae876f77bc01a7e77724dea57b4b82bd53244)
1 /*
2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5 
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9 
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23 
24 /*
25  * RFCOMM sockets.
26  */
27 
28 #include <linux/export.h>
29 #include <linux/debugfs.h>
30 #include <linux/sched/signal.h>
31 
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/l2cap.h>
35 #include <net/bluetooth/rfcomm.h>
36 
37 static const struct proto_ops rfcomm_sock_ops;
38 
39 static struct bt_sock_list rfcomm_sk_list = {
40 	.lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock)
41 };
42 
43 static void rfcomm_sock_close(struct sock *sk);
44 static void rfcomm_sock_kill(struct sock *sk);
45 
46 /* ---- DLC callbacks ----
47  *
48  * called under rfcomm_dlc_lock()
49  */
50 static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
51 {
52 	struct sock *sk = d->owner;
53 	if (!sk)
54 		return;
55 
56 	atomic_add(skb->len, &sk->sk_rmem_alloc);
57 	skb_queue_tail(&sk->sk_receive_queue, skb);
58 	sk->sk_data_ready(sk);
59 
60 	if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
61 		rfcomm_dlc_throttle(d);
62 }
63 
64 static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
65 {
66 	struct sock *sk = d->owner, *parent;
67 	unsigned long flags;
68 
69 	if (!sk)
70 		return;
71 
72 	BT_DBG("dlc %p state %ld err %d", d, d->state, err);
73 
74 	local_irq_save(flags);
75 	bh_lock_sock(sk);
76 
77 	if (err)
78 		sk->sk_err = err;
79 
80 	sk->sk_state = d->state;
81 
82 	parent = bt_sk(sk)->parent;
83 	if (parent) {
84 		if (d->state == BT_CLOSED) {
85 			sock_set_flag(sk, SOCK_ZAPPED);
86 			bt_accept_unlink(sk);
87 		}
88 		parent->sk_data_ready(parent);
89 	} else {
90 		if (d->state == BT_CONNECTED)
91 			rfcomm_session_getaddr(d->session,
92 					       &rfcomm_pi(sk)->src, NULL);
93 		sk->sk_state_change(sk);
94 	}
95 
96 	bh_unlock_sock(sk);
97 	local_irq_restore(flags);
98 
99 	if (parent && sock_flag(sk, SOCK_ZAPPED)) {
100 		/* We have to drop DLC lock here, otherwise
101 		 * rfcomm_sock_destruct() will dead lock. */
102 		rfcomm_dlc_unlock(d);
103 		rfcomm_sock_kill(sk);
104 		rfcomm_dlc_lock(d);
105 	}
106 }
107 
108 /* ---- Socket functions ---- */
109 static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
110 {
111 	struct sock *sk = NULL;
112 
113 	sk_for_each(sk, &rfcomm_sk_list.head) {
114 		if (rfcomm_pi(sk)->channel != channel)
115 			continue;
116 
117 		if (bacmp(&rfcomm_pi(sk)->src, src))
118 			continue;
119 
120 		if (sk->sk_state == BT_BOUND || sk->sk_state == BT_LISTEN)
121 			break;
122 	}
123 
124 	return sk ? sk : NULL;
125 }
126 
127 /* Find socket with channel and source bdaddr.
128  * Returns closest match.
129  */
130 static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
131 {
132 	struct sock *sk = NULL, *sk1 = NULL;
133 
134 	read_lock(&rfcomm_sk_list.lock);
135 
136 	sk_for_each(sk, &rfcomm_sk_list.head) {
137 		if (state && sk->sk_state != state)
138 			continue;
139 
140 		if (rfcomm_pi(sk)->channel == channel) {
141 			/* Exact match. */
142 			if (!bacmp(&rfcomm_pi(sk)->src, src))
143 				break;
144 
145 			/* Closest match */
146 			if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY))
147 				sk1 = sk;
148 		}
149 	}
150 
151 	read_unlock(&rfcomm_sk_list.lock);
152 
153 	return sk ? sk : sk1;
154 }
155 
156 static void rfcomm_sock_destruct(struct sock *sk)
157 {
158 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
159 
160 	BT_DBG("sk %p dlc %p", sk, d);
161 
162 	skb_queue_purge(&sk->sk_receive_queue);
163 	skb_queue_purge(&sk->sk_write_queue);
164 
165 	rfcomm_dlc_lock(d);
166 	rfcomm_pi(sk)->dlc = NULL;
167 
168 	/* Detach DLC if it's owned by this socket */
169 	if (d->owner == sk)
170 		d->owner = NULL;
171 	rfcomm_dlc_unlock(d);
172 
173 	rfcomm_dlc_put(d);
174 }
175 
176 static void rfcomm_sock_cleanup_listen(struct sock *parent)
177 {
178 	struct sock *sk;
179 
180 	BT_DBG("parent %p", parent);
181 
182 	/* Close not yet accepted dlcs */
183 	while ((sk = bt_accept_dequeue(parent, NULL))) {
184 		rfcomm_sock_close(sk);
185 		rfcomm_sock_kill(sk);
186 	}
187 
188 	parent->sk_state  = BT_CLOSED;
189 	sock_set_flag(parent, SOCK_ZAPPED);
190 }
191 
192 /* Kill socket (only if zapped and orphan)
193  * Must be called on unlocked socket.
194  */
195 static void rfcomm_sock_kill(struct sock *sk)
196 {
197 	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
198 		return;
199 
200 	BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, refcount_read(&sk->sk_refcnt));
201 
202 	/* Kill poor orphan */
203 	bt_sock_unlink(&rfcomm_sk_list, sk);
204 	sock_set_flag(sk, SOCK_DEAD);
205 	sock_put(sk);
206 }
207 
208 static void __rfcomm_sock_close(struct sock *sk)
209 {
210 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
211 
212 	BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
213 
214 	switch (sk->sk_state) {
215 	case BT_LISTEN:
216 		rfcomm_sock_cleanup_listen(sk);
217 		break;
218 
219 	case BT_CONNECT:
220 	case BT_CONNECT2:
221 	case BT_CONFIG:
222 	case BT_CONNECTED:
223 		rfcomm_dlc_close(d, 0);
224 		/* fall through */
225 
226 	default:
227 		sock_set_flag(sk, SOCK_ZAPPED);
228 		break;
229 	}
230 }
231 
232 /* Close socket.
233  * Must be called on unlocked socket.
234  */
235 static void rfcomm_sock_close(struct sock *sk)
236 {
237 	lock_sock(sk);
238 	__rfcomm_sock_close(sk);
239 	release_sock(sk);
240 }
241 
242 static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
243 {
244 	struct rfcomm_pinfo *pi = rfcomm_pi(sk);
245 
246 	BT_DBG("sk %p", sk);
247 
248 	if (parent) {
249 		sk->sk_type = parent->sk_type;
250 		pi->dlc->defer_setup = test_bit(BT_SK_DEFER_SETUP,
251 						&bt_sk(parent)->flags);
252 
253 		pi->sec_level = rfcomm_pi(parent)->sec_level;
254 		pi->role_switch = rfcomm_pi(parent)->role_switch;
255 
256 		security_sk_clone(parent, sk);
257 	} else {
258 		pi->dlc->defer_setup = 0;
259 
260 		pi->sec_level = BT_SECURITY_LOW;
261 		pi->role_switch = 0;
262 	}
263 
264 	pi->dlc->sec_level = pi->sec_level;
265 	pi->dlc->role_switch = pi->role_switch;
266 }
267 
268 static struct proto rfcomm_proto = {
269 	.name		= "RFCOMM",
270 	.owner		= THIS_MODULE,
271 	.obj_size	= sizeof(struct rfcomm_pinfo)
272 };
273 
274 static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio, int kern)
275 {
276 	struct rfcomm_dlc *d;
277 	struct sock *sk;
278 
279 	sk = sk_alloc(net, PF_BLUETOOTH, prio, &rfcomm_proto, kern);
280 	if (!sk)
281 		return NULL;
282 
283 	sock_init_data(sock, sk);
284 	INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
285 
286 	d = rfcomm_dlc_alloc(prio);
287 	if (!d) {
288 		sk_free(sk);
289 		return NULL;
290 	}
291 
292 	d->data_ready   = rfcomm_sk_data_ready;
293 	d->state_change = rfcomm_sk_state_change;
294 
295 	rfcomm_pi(sk)->dlc = d;
296 	d->owner = sk;
297 
298 	sk->sk_destruct = rfcomm_sock_destruct;
299 	sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT;
300 
301 	sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
302 	sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
303 
304 	sock_reset_flag(sk, SOCK_ZAPPED);
305 
306 	sk->sk_protocol = proto;
307 	sk->sk_state    = BT_OPEN;
308 
309 	bt_sock_link(&rfcomm_sk_list, sk);
310 
311 	BT_DBG("sk %p", sk);
312 	return sk;
313 }
314 
315 static int rfcomm_sock_create(struct net *net, struct socket *sock,
316 			      int protocol, int kern)
317 {
318 	struct sock *sk;
319 
320 	BT_DBG("sock %p", sock);
321 
322 	sock->state = SS_UNCONNECTED;
323 
324 	if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW)
325 		return -ESOCKTNOSUPPORT;
326 
327 	sock->ops = &rfcomm_sock_ops;
328 
329 	sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
330 	if (!sk)
331 		return -ENOMEM;
332 
333 	rfcomm_sock_init(sk, NULL);
334 	return 0;
335 }
336 
337 static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
338 {
339 	struct sockaddr_rc sa;
340 	struct sock *sk = sock->sk;
341 	int len, err = 0;
342 
343 	if (!addr || addr_len < offsetofend(struct sockaddr, sa_family) ||
344 	    addr->sa_family != AF_BLUETOOTH)
345 		return -EINVAL;
346 
347 	memset(&sa, 0, sizeof(sa));
348 	len = min_t(unsigned int, sizeof(sa), addr_len);
349 	memcpy(&sa, addr, len);
350 
351 	BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);
352 
353 	lock_sock(sk);
354 
355 	if (sk->sk_state != BT_OPEN) {
356 		err = -EBADFD;
357 		goto done;
358 	}
359 
360 	if (sk->sk_type != SOCK_STREAM) {
361 		err = -EINVAL;
362 		goto done;
363 	}
364 
365 	write_lock(&rfcomm_sk_list.lock);
366 
367 	if (sa.rc_channel &&
368 	    __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
369 		err = -EADDRINUSE;
370 	} else {
371 		/* Save source address */
372 		bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr);
373 		rfcomm_pi(sk)->channel = sa.rc_channel;
374 		sk->sk_state = BT_BOUND;
375 	}
376 
377 	write_unlock(&rfcomm_sk_list.lock);
378 
379 done:
380 	release_sock(sk);
381 	return err;
382 }
383 
384 static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
385 {
386 	struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
387 	struct sock *sk = sock->sk;
388 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
389 	int err = 0;
390 
391 	BT_DBG("sk %p", sk);
392 
393 	if (alen < sizeof(struct sockaddr_rc) ||
394 	    addr->sa_family != AF_BLUETOOTH)
395 		return -EINVAL;
396 
397 	lock_sock(sk);
398 
399 	if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
400 		err = -EBADFD;
401 		goto done;
402 	}
403 
404 	if (sk->sk_type != SOCK_STREAM) {
405 		err = -EINVAL;
406 		goto done;
407 	}
408 
409 	sk->sk_state = BT_CONNECT;
410 	bacpy(&rfcomm_pi(sk)->dst, &sa->rc_bdaddr);
411 	rfcomm_pi(sk)->channel = sa->rc_channel;
412 
413 	d->sec_level = rfcomm_pi(sk)->sec_level;
414 	d->role_switch = rfcomm_pi(sk)->role_switch;
415 
416 	err = rfcomm_dlc_open(d, &rfcomm_pi(sk)->src, &sa->rc_bdaddr,
417 			      sa->rc_channel);
418 	if (!err)
419 		err = bt_sock_wait_state(sk, BT_CONNECTED,
420 				sock_sndtimeo(sk, flags & O_NONBLOCK));
421 
422 done:
423 	release_sock(sk);
424 	return err;
425 }
426 
427 static int rfcomm_sock_listen(struct socket *sock, int backlog)
428 {
429 	struct sock *sk = sock->sk;
430 	int err = 0;
431 
432 	BT_DBG("sk %p backlog %d", sk, backlog);
433 
434 	lock_sock(sk);
435 
436 	if (sk->sk_state != BT_BOUND) {
437 		err = -EBADFD;
438 		goto done;
439 	}
440 
441 	if (sk->sk_type != SOCK_STREAM) {
442 		err = -EINVAL;
443 		goto done;
444 	}
445 
446 	if (!rfcomm_pi(sk)->channel) {
447 		bdaddr_t *src = &rfcomm_pi(sk)->src;
448 		u8 channel;
449 
450 		err = -EINVAL;
451 
452 		write_lock(&rfcomm_sk_list.lock);
453 
454 		for (channel = 1; channel < 31; channel++)
455 			if (!__rfcomm_get_listen_sock_by_addr(channel, src)) {
456 				rfcomm_pi(sk)->channel = channel;
457 				err = 0;
458 				break;
459 			}
460 
461 		write_unlock(&rfcomm_sk_list.lock);
462 
463 		if (err < 0)
464 			goto done;
465 	}
466 
467 	sk->sk_max_ack_backlog = backlog;
468 	sk->sk_ack_backlog = 0;
469 	sk->sk_state = BT_LISTEN;
470 
471 done:
472 	release_sock(sk);
473 	return err;
474 }
475 
476 static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int flags,
477 			      bool kern)
478 {
479 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
480 	struct sock *sk = sock->sk, *nsk;
481 	long timeo;
482 	int err = 0;
483 
484 	lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
485 
486 	if (sk->sk_type != SOCK_STREAM) {
487 		err = -EINVAL;
488 		goto done;
489 	}
490 
491 	timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
492 
493 	BT_DBG("sk %p timeo %ld", sk, timeo);
494 
495 	/* Wait for an incoming connection. (wake-one). */
496 	add_wait_queue_exclusive(sk_sleep(sk), &wait);
497 	while (1) {
498 		if (sk->sk_state != BT_LISTEN) {
499 			err = -EBADFD;
500 			break;
501 		}
502 
503 		nsk = bt_accept_dequeue(sk, newsock);
504 		if (nsk)
505 			break;
506 
507 		if (!timeo) {
508 			err = -EAGAIN;
509 			break;
510 		}
511 
512 		if (signal_pending(current)) {
513 			err = sock_intr_errno(timeo);
514 			break;
515 		}
516 
517 		release_sock(sk);
518 
519 		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
520 
521 		lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
522 	}
523 	remove_wait_queue(sk_sleep(sk), &wait);
524 
525 	if (err)
526 		goto done;
527 
528 	newsock->state = SS_CONNECTED;
529 
530 	BT_DBG("new socket %p", nsk);
531 
532 done:
533 	release_sock(sk);
534 	return err;
535 }
536 
537 static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int peer)
538 {
539 	struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
540 	struct sock *sk = sock->sk;
541 
542 	BT_DBG("sock %p, sk %p", sock, sk);
543 
544 	if (peer && sk->sk_state != BT_CONNECTED &&
545 	    sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2)
546 		return -ENOTCONN;
547 
548 	memset(sa, 0, sizeof(*sa));
549 	sa->rc_family  = AF_BLUETOOTH;
550 	sa->rc_channel = rfcomm_pi(sk)->channel;
551 	if (peer)
552 		bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->dst);
553 	else
554 		bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->src);
555 
556 	return sizeof(struct sockaddr_rc);
557 }
558 
559 static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg,
560 			       size_t len)
561 {
562 	struct sock *sk = sock->sk;
563 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
564 	struct sk_buff *skb;
565 	int sent;
566 
567 	if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
568 		return -ENOTCONN;
569 
570 	if (msg->msg_flags & MSG_OOB)
571 		return -EOPNOTSUPP;
572 
573 	if (sk->sk_shutdown & SEND_SHUTDOWN)
574 		return -EPIPE;
575 
576 	BT_DBG("sock %p, sk %p", sock, sk);
577 
578 	lock_sock(sk);
579 
580 	sent = bt_sock_wait_ready(sk, msg->msg_flags);
581 	if (sent)
582 		goto done;
583 
584 	while (len) {
585 		size_t size = min_t(size_t, len, d->mtu);
586 		int err;
587 
588 		skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE,
589 				msg->msg_flags & MSG_DONTWAIT, &err);
590 		if (!skb) {
591 			if (sent == 0)
592 				sent = err;
593 			break;
594 		}
595 		skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);
596 
597 		err = memcpy_from_msg(skb_put(skb, size), msg, size);
598 		if (err) {
599 			kfree_skb(skb);
600 			if (sent == 0)
601 				sent = err;
602 			break;
603 		}
604 
605 		skb->priority = sk->sk_priority;
606 
607 		err = rfcomm_dlc_send(d, skb);
608 		if (err < 0) {
609 			kfree_skb(skb);
610 			if (sent == 0)
611 				sent = err;
612 			break;
613 		}
614 
615 		sent += size;
616 		len  -= size;
617 	}
618 
619 done:
620 	release_sock(sk);
621 
622 	return sent;
623 }
624 
625 static int rfcomm_sock_recvmsg(struct socket *sock, struct msghdr *msg,
626 			       size_t size, int flags)
627 {
628 	struct sock *sk = sock->sk;
629 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
630 	int len;
631 
632 	if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
633 		rfcomm_dlc_accept(d);
634 		return 0;
635 	}
636 
637 	len = bt_sock_stream_recvmsg(sock, msg, size, flags);
638 
639 	lock_sock(sk);
640 	if (!(flags & MSG_PEEK) && len > 0)
641 		atomic_sub(len, &sk->sk_rmem_alloc);
642 
643 	if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2))
644 		rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc);
645 	release_sock(sk);
646 
647 	return len;
648 }
649 
650 static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
651 {
652 	struct sock *sk = sock->sk;
653 	int err = 0;
654 	u32 opt;
655 
656 	BT_DBG("sk %p", sk);
657 
658 	lock_sock(sk);
659 
660 	switch (optname) {
661 	case RFCOMM_LM:
662 		if (get_user(opt, (u32 __user *) optval)) {
663 			err = -EFAULT;
664 			break;
665 		}
666 
667 		if (opt & RFCOMM_LM_FIPS) {
668 			err = -EINVAL;
669 			break;
670 		}
671 
672 		if (opt & RFCOMM_LM_AUTH)
673 			rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
674 		if (opt & RFCOMM_LM_ENCRYPT)
675 			rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
676 		if (opt & RFCOMM_LM_SECURE)
677 			rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;
678 
679 		rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
680 		break;
681 
682 	default:
683 		err = -ENOPROTOOPT;
684 		break;
685 	}
686 
687 	release_sock(sk);
688 	return err;
689 }
690 
691 static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
692 {
693 	struct sock *sk = sock->sk;
694 	struct bt_security sec;
695 	int err = 0;
696 	size_t len;
697 	u32 opt;
698 
699 	BT_DBG("sk %p", sk);
700 
701 	if (level == SOL_RFCOMM)
702 		return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);
703 
704 	if (level != SOL_BLUETOOTH)
705 		return -ENOPROTOOPT;
706 
707 	lock_sock(sk);
708 
709 	switch (optname) {
710 	case BT_SECURITY:
711 		if (sk->sk_type != SOCK_STREAM) {
712 			err = -EINVAL;
713 			break;
714 		}
715 
716 		sec.level = BT_SECURITY_LOW;
717 
718 		len = min_t(unsigned int, sizeof(sec), optlen);
719 		if (copy_from_user((char *) &sec, optval, len)) {
720 			err = -EFAULT;
721 			break;
722 		}
723 
724 		if (sec.level > BT_SECURITY_HIGH) {
725 			err = -EINVAL;
726 			break;
727 		}
728 
729 		rfcomm_pi(sk)->sec_level = sec.level;
730 		break;
731 
732 	case BT_DEFER_SETUP:
733 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
734 			err = -EINVAL;
735 			break;
736 		}
737 
738 		if (get_user(opt, (u32 __user *) optval)) {
739 			err = -EFAULT;
740 			break;
741 		}
742 
743 		if (opt)
744 			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
745 		else
746 			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
747 
748 		break;
749 
750 	default:
751 		err = -ENOPROTOOPT;
752 		break;
753 	}
754 
755 	release_sock(sk);
756 	return err;
757 }
758 
759 static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
760 {
761 	struct sock *sk = sock->sk;
762 	struct sock *l2cap_sk;
763 	struct l2cap_conn *conn;
764 	struct rfcomm_conninfo cinfo;
765 	int len, err = 0;
766 	u32 opt;
767 
768 	BT_DBG("sk %p", sk);
769 
770 	if (get_user(len, optlen))
771 		return -EFAULT;
772 
773 	lock_sock(sk);
774 
775 	switch (optname) {
776 	case RFCOMM_LM:
777 		switch (rfcomm_pi(sk)->sec_level) {
778 		case BT_SECURITY_LOW:
779 			opt = RFCOMM_LM_AUTH;
780 			break;
781 		case BT_SECURITY_MEDIUM:
782 			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
783 			break;
784 		case BT_SECURITY_HIGH:
785 			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
786 			      RFCOMM_LM_SECURE;
787 			break;
788 		case BT_SECURITY_FIPS:
789 			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
790 			      RFCOMM_LM_SECURE | RFCOMM_LM_FIPS;
791 			break;
792 		default:
793 			opt = 0;
794 			break;
795 		}
796 
797 		if (rfcomm_pi(sk)->role_switch)
798 			opt |= RFCOMM_LM_MASTER;
799 
800 		if (put_user(opt, (u32 __user *) optval))
801 			err = -EFAULT;
802 
803 		break;
804 
805 	case RFCOMM_CONNINFO:
806 		if (sk->sk_state != BT_CONNECTED &&
807 					!rfcomm_pi(sk)->dlc->defer_setup) {
808 			err = -ENOTCONN;
809 			break;
810 		}
811 
812 		l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
813 		conn = l2cap_pi(l2cap_sk)->chan->conn;
814 
815 		memset(&cinfo, 0, sizeof(cinfo));
816 		cinfo.hci_handle = conn->hcon->handle;
817 		memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
818 
819 		len = min_t(unsigned int, len, sizeof(cinfo));
820 		if (copy_to_user(optval, (char *) &cinfo, len))
821 			err = -EFAULT;
822 
823 		break;
824 
825 	default:
826 		err = -ENOPROTOOPT;
827 		break;
828 	}
829 
830 	release_sock(sk);
831 	return err;
832 }
833 
834 static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
835 {
836 	struct sock *sk = sock->sk;
837 	struct bt_security sec;
838 	int len, err = 0;
839 
840 	BT_DBG("sk %p", sk);
841 
842 	if (level == SOL_RFCOMM)
843 		return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen);
844 
845 	if (level != SOL_BLUETOOTH)
846 		return -ENOPROTOOPT;
847 
848 	if (get_user(len, optlen))
849 		return -EFAULT;
850 
851 	lock_sock(sk);
852 
853 	switch (optname) {
854 	case BT_SECURITY:
855 		if (sk->sk_type != SOCK_STREAM) {
856 			err = -EINVAL;
857 			break;
858 		}
859 
860 		sec.level = rfcomm_pi(sk)->sec_level;
861 		sec.key_size = 0;
862 
863 		len = min_t(unsigned int, len, sizeof(sec));
864 		if (copy_to_user(optval, (char *) &sec, len))
865 			err = -EFAULT;
866 
867 		break;
868 
869 	case BT_DEFER_SETUP:
870 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
871 			err = -EINVAL;
872 			break;
873 		}
874 
875 		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
876 			     (u32 __user *) optval))
877 			err = -EFAULT;
878 
879 		break;
880 
881 	default:
882 		err = -ENOPROTOOPT;
883 		break;
884 	}
885 
886 	release_sock(sk);
887 	return err;
888 }
889 
890 static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
891 {
892 	struct sock *sk __maybe_unused = sock->sk;
893 	int err;
894 
895 	BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg);
896 
897 	err = bt_sock_ioctl(sock, cmd, arg);
898 
899 	if (err == -ENOIOCTLCMD) {
900 #ifdef CONFIG_BT_RFCOMM_TTY
901 		lock_sock(sk);
902 		err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
903 		release_sock(sk);
904 #else
905 		err = -EOPNOTSUPP;
906 #endif
907 	}
908 
909 	return err;
910 }
911 
912 static int rfcomm_sock_shutdown(struct socket *sock, int how)
913 {
914 	struct sock *sk = sock->sk;
915 	int err = 0;
916 
917 	BT_DBG("sock %p, sk %p", sock, sk);
918 
919 	if (!sk)
920 		return 0;
921 
922 	lock_sock(sk);
923 	if (!sk->sk_shutdown) {
924 		sk->sk_shutdown = SHUTDOWN_MASK;
925 		__rfcomm_sock_close(sk);
926 
927 		if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
928 		    !(current->flags & PF_EXITING))
929 			err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
930 	}
931 	release_sock(sk);
932 	return err;
933 }
934 
935 static int rfcomm_sock_release(struct socket *sock)
936 {
937 	struct sock *sk = sock->sk;
938 	int err;
939 
940 	BT_DBG("sock %p, sk %p", sock, sk);
941 
942 	if (!sk)
943 		return 0;
944 
945 	err = rfcomm_sock_shutdown(sock, 2);
946 
947 	sock_orphan(sk);
948 	rfcomm_sock_kill(sk);
949 	return err;
950 }
951 
952 /* ---- RFCOMM core layer callbacks ----
953  *
954  * called under rfcomm_lock()
955  */
956 int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d)
957 {
958 	struct sock *sk, *parent;
959 	bdaddr_t src, dst;
960 	int result = 0;
961 
962 	BT_DBG("session %p channel %d", s, channel);
963 
964 	rfcomm_session_getaddr(s, &src, &dst);
965 
966 	/* Check if we have socket listening on channel */
967 	parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src);
968 	if (!parent)
969 		return 0;
970 
971 	bh_lock_sock(parent);
972 
973 	/* Check for backlog size */
974 	if (sk_acceptq_is_full(parent)) {
975 		BT_DBG("backlog full %d", parent->sk_ack_backlog);
976 		goto done;
977 	}
978 
979 	sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC, 0);
980 	if (!sk)
981 		goto done;
982 
983 	bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM);
984 
985 	rfcomm_sock_init(sk, parent);
986 	bacpy(&rfcomm_pi(sk)->src, &src);
987 	bacpy(&rfcomm_pi(sk)->dst, &dst);
988 	rfcomm_pi(sk)->channel = channel;
989 
990 	sk->sk_state = BT_CONFIG;
991 	bt_accept_enqueue(parent, sk, true);
992 
993 	/* Accept connection and return socket DLC */
994 	*d = rfcomm_pi(sk)->dlc;
995 	result = 1;
996 
997 done:
998 	bh_unlock_sock(parent);
999 
1000 	if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
1001 		parent->sk_state_change(parent);
1002 
1003 	return result;
1004 }
1005 
1006 static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
1007 {
1008 	struct sock *sk;
1009 
1010 	read_lock(&rfcomm_sk_list.lock);
1011 
1012 	sk_for_each(sk, &rfcomm_sk_list.head) {
1013 		seq_printf(f, "%pMR %pMR %d %d\n",
1014 			   &rfcomm_pi(sk)->src, &rfcomm_pi(sk)->dst,
1015 			   sk->sk_state, rfcomm_pi(sk)->channel);
1016 	}
1017 
1018 	read_unlock(&rfcomm_sk_list.lock);
1019 
1020 	return 0;
1021 }
1022 
1023 DEFINE_SHOW_ATTRIBUTE(rfcomm_sock_debugfs);
1024 
1025 static struct dentry *rfcomm_sock_debugfs;
1026 
1027 static const struct proto_ops rfcomm_sock_ops = {
1028 	.family		= PF_BLUETOOTH,
1029 	.owner		= THIS_MODULE,
1030 	.release	= rfcomm_sock_release,
1031 	.bind		= rfcomm_sock_bind,
1032 	.connect	= rfcomm_sock_connect,
1033 	.listen		= rfcomm_sock_listen,
1034 	.accept		= rfcomm_sock_accept,
1035 	.getname	= rfcomm_sock_getname,
1036 	.sendmsg	= rfcomm_sock_sendmsg,
1037 	.recvmsg	= rfcomm_sock_recvmsg,
1038 	.shutdown	= rfcomm_sock_shutdown,
1039 	.setsockopt	= rfcomm_sock_setsockopt,
1040 	.getsockopt	= rfcomm_sock_getsockopt,
1041 	.ioctl		= rfcomm_sock_ioctl,
1042 	.poll		= bt_sock_poll,
1043 	.socketpair	= sock_no_socketpair,
1044 	.mmap		= sock_no_mmap
1045 };
1046 
1047 static const struct net_proto_family rfcomm_sock_family_ops = {
1048 	.family		= PF_BLUETOOTH,
1049 	.owner		= THIS_MODULE,
1050 	.create		= rfcomm_sock_create
1051 };
1052 
1053 int __init rfcomm_init_sockets(void)
1054 {
1055 	int err;
1056 
1057 	BUILD_BUG_ON(sizeof(struct sockaddr_rc) > sizeof(struct sockaddr));
1058 
1059 	err = proto_register(&rfcomm_proto, 0);
1060 	if (err < 0)
1061 		return err;
1062 
1063 	err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops);
1064 	if (err < 0) {
1065 		BT_ERR("RFCOMM socket layer registration failed");
1066 		goto error;
1067 	}
1068 
1069 	err = bt_procfs_init(&init_net, "rfcomm", &rfcomm_sk_list, NULL);
1070 	if (err < 0) {
1071 		BT_ERR("Failed to create RFCOMM proc file");
1072 		bt_sock_unregister(BTPROTO_RFCOMM);
1073 		goto error;
1074 	}
1075 
1076 	BT_INFO("RFCOMM socket layer initialized");
1077 
1078 	if (IS_ERR_OR_NULL(bt_debugfs))
1079 		return 0;
1080 
1081 	rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444,
1082 						  bt_debugfs, NULL,
1083 						  &rfcomm_sock_debugfs_fops);
1084 
1085 	return 0;
1086 
1087 error:
1088 	proto_unregister(&rfcomm_proto);
1089 	return err;
1090 }
1091 
1092 void __exit rfcomm_cleanup_sockets(void)
1093 {
1094 	bt_procfs_cleanup(&init_net, "rfcomm");
1095 
1096 	debugfs_remove(rfcomm_sock_debugfs);
1097 
1098 	bt_sock_unregister(BTPROTO_RFCOMM);
1099 
1100 	proto_unregister(&rfcomm_proto);
1101 }
1102