1 /* 2 RFCOMM implementation for Linux Bluetooth stack (BlueZ). 3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com> 4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org> 5 6 This program is free software; you can redistribute it and/or modify 7 it under the terms of the GNU General Public License version 2 as 8 published by the Free Software Foundation; 9 10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 21 SOFTWARE IS DISCLAIMED. 22 */ 23 24 /* 25 * RFCOMM sockets. 
 */
#include <linux/compat.h>
#include <linux/export.h>
#include <linux/debugfs.h>
#include <linux/sched/signal.h>

#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/l2cap.h>
#include <net/bluetooth/rfcomm.h>

/* Defined at the bottom of this file; referenced by rfcomm_sock_create(). */
static const struct proto_ops rfcomm_sock_ops;

/* Global list of all RFCOMM sockets, protected by its own rwlock.
 * Lock order used in this file: lock_sock(sk) is taken before
 * rfcomm_sk_list.lock (see rfcomm_sock_bind() / rfcomm_sock_listen()).
 */
static struct bt_sock_list rfcomm_sk_list = {
	.lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock)
};

static void rfcomm_sock_close(struct sock *sk);
static void rfcomm_sock_kill(struct sock *sk);

/* ---- DLC callbacks ----
 *
 * called under rfcomm_dlc_lock()
 */

/*
 * Hand an inbound skb from the DLC to its owning socket.
 * @d:   the DLC that received the data
 * @skb: the received frame (ownership moves to the socket receive queue)
 *
 * A DLC with no owner (socket already detached) silently discards nothing
 * here: the skb is simply not queued, so the caller keeps responsibility
 * for it. Receive-buffer accounting is done on sk_rmem_alloc by hand; the
 * matching decrement is in rfcomm_sock_recvmsg().
 */
static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
{
	struct sock *sk = d->owner;
	if (!sk)
		return;

	atomic_add(skb->len, &sk->sk_rmem_alloc);
	skb_queue_tail(&sk->sk_receive_queue, skb);
	sk->sk_data_ready(sk);

	/* Back-pressure: stop the peer once the receive buffer is full.
	 * Un-throttling happens in rfcomm_sock_recvmsg().
	 */
	if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
		rfcomm_dlc_throttle(d);
}

/*
 * Mirror a DLC state change into the owning socket.
 * @d:   the DLC whose state changed
 * @err: error to record in sk->sk_err, or 0
 *
 * For a child socket still sitting on a parent's accept queue, a closed
 * DLC zaps the child and unlinks it from the parent; the parent is woken
 * so that a blocked accept() can observe the change. For a standalone
 * socket, reaching BT_CONNECTED fills in the local source address before
 * the state-change wakeup.
 */
static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
{
	struct sock *sk = d->owner, *parent;

	if (!sk)
		return;

	BT_DBG("dlc %p state %ld err %d", d, d->state, err);

	lock_sock(sk);

	if (err)
		sk->sk_err = err;

	sk->sk_state = d->state;

	parent = bt_sk(sk)->parent;
	if (parent) {
		if (d->state == BT_CLOSED) {
			sock_set_flag(sk, SOCK_ZAPPED);
			bt_accept_unlink(sk);
		}
		parent->sk_data_ready(parent);
	} else {
		if (d->state == BT_CONNECTED)
			rfcomm_session_getaddr(d->session,
					       &rfcomm_pi(sk)->src, NULL);
		sk->sk_state_change(sk);
	}

	release_sock(sk);

	if (parent && sock_flag(sk, SOCK_ZAPPED)) {
		/* We have to drop DLC lock here, otherwise
		 * rfcomm_sock_destruct() will dead lock.
		 */
		rfcomm_dlc_unlock(d);
		rfcomm_sock_kill(sk);
		rfcomm_dlc_lock(d);
	}
}

/* ---- Socket functions ---- */

/*
 * Look up a bound or listening socket on @channel with source @src.
 *
 * Walks rfcomm_sk_list without taking its lock; both callers in this file
 * (rfcomm_sock_bind(), rfcomm_sock_listen()) hold rfcomm_sk_list.lock for
 * writing around the call. No reference is taken on the returned socket,
 * unlike rfcomm_get_sock_by_channel(); callers only test it for NULL.
 * The walk leaves @sk NULL when no socket matched, so the trailing
 * conditional is equivalent to returning @sk directly.
 */
static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
{
	struct sock *sk = NULL;

	sk_for_each(sk, &rfcomm_sk_list.head) {
		if (rfcomm_pi(sk)->channel != channel)
			continue;

		if (bacmp(&rfcomm_pi(sk)->src, src))
			continue;

		if (sk->sk_state == BT_BOUND || sk->sk_state == BT_LISTEN)
			break;
	}

	return sk ? sk : NULL;
}

/* Find socket with channel and source bdaddr.
 * Returns closest match with an extra reference held.
 *
 * @state:   required sk_state, or 0 to accept any state
 * @channel: RFCOMM server channel to match
 * @src:     local address to match
 *
 * An exact source-address match wins and ends the walk; a socket bound to
 * BDADDR_ANY on the same channel is kept as the fallback (sk1). Exactly one
 * reference is held on whichever socket is returned; the fallback's
 * reference is dropped if an exact match is found later.
 */
static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
{
	struct sock *sk = NULL, *sk1 = NULL;

	read_lock(&rfcomm_sk_list.lock);

	sk_for_each(sk, &rfcomm_sk_list.head) {
		if (state && sk->sk_state != state)
			continue;

		if (rfcomm_pi(sk)->channel == channel) {
			/* Exact match. */
			if (!bacmp(&rfcomm_pi(sk)->src, src)) {
				sock_hold(sk);
				break;
			}

			/* Closest match */
			if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY)) {
				if (sk1)
					sock_put(sk1);

				sk1 = sk;
				sock_hold(sk1);
			}
		}
	}

	/* Exact match found after a wildcard candidate: release the latter. */
	if (sk && sk1)
		sock_put(sk1);

	read_unlock(&rfcomm_sk_list.lock);

	return sk ? sk : sk1;
}

/*
 * sk_destruct callback: purge queued skbs and detach from the DLC.
 *
 * The DLC is only disowned if it still points back at this socket, and
 * the socket's reference on it is dropped last. Taking rfcomm_dlc_lock()
 * here is why rfcomm_sk_state_change() must release that lock before
 * calling rfcomm_sock_kill().
 */
static void rfcomm_sock_destruct(struct sock *sk)
{
	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;

	BT_DBG("sk %p dlc %p", sk, d);

	skb_queue_purge(&sk->sk_receive_queue);
	skb_queue_purge(&sk->sk_write_queue);

	rfcomm_dlc_lock(d);
	rfcomm_pi(sk)->dlc = NULL;

	/* Detach DLC if it's owned by this socket */
	if (d->owner == sk)
		d->owner = NULL;
	rfcomm_dlc_unlock(d);

	rfcomm_dlc_put(d);
}

/*
 * Tear down a listening socket: close and kill every not-yet-accepted
 * child, then mark the parent closed and zapped.
 * @parent: the listening socket (caller holds its socket lock, see
 *          __rfcomm_sock_close())
 */
static void rfcomm_sock_cleanup_listen(struct sock *parent)
{
	struct sock *sk;

	BT_DBG("parent %p", parent);

	/* Close not yet accepted dlcs */
	while ((sk = bt_accept_dequeue(parent, NULL))) {
		rfcomm_sock_close(sk);
		rfcomm_sock_kill(sk);
		/* Drop the reference handed back by bt_accept_dequeue(). */
		sock_put(sk);
	}

	parent->sk_state = BT_CLOSED;
	sock_set_flag(parent, SOCK_ZAPPED);
}

/* Kill socket (only if zapped and orphan)
 * Must be called on unlocked socket.
 *
 * A socket that still has a struct socket attached (sk->sk_socket) is
 * left alone; the release path orphans it first (rfcomm_sock_release()).
 * Unlinks from rfcomm_sk_list and drops the list's reference.
 */
static void rfcomm_sock_kill(struct sock *sk)
{
	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
		return;

	BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, refcount_read(&sk->sk_refcnt));

	/* Kill poor orphan */
	bt_sock_unlink(&rfcomm_sk_list, sk);
	sock_set_flag(sk, SOCK_DEAD);
	sock_put(sk);
}

/*
 * State-dependent close of an RFCOMM socket.
 *
 * Listening sockets drain their accept queue; sockets with an active or
 * in-progress DLC close it first and then fall through to being zapped;
 * every other state is simply zapped. Note the two call sites differ in
 * locking: rfcomm_sock_close() calls this with the socket lock held,
 * rfcomm_sock_shutdown() releases the lock before calling it.
 */
static void __rfcomm_sock_close(struct sock *sk)
{
	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;

	BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);

	switch (sk->sk_state) {
	case BT_LISTEN:
		rfcomm_sock_cleanup_listen(sk);
		break;

	case BT_CONNECT:
	case BT_CONNECT2:
	case BT_CONFIG:
	case BT_CONNECTED:
		rfcomm_dlc_close(d, 0);
		fallthrough;

	default:
		sock_set_flag(sk, SOCK_ZAPPED);
		break;
	}
}

/* Close socket.
 * Must be called on unlocked socket.
 */
static void rfcomm_sock_close(struct sock *sk)
{
	lock_sock(sk);
	__rfcomm_sock_close(sk);
	release_sock(sk);
}

/*
 * Initialise per-socket RFCOMM state.
 * @sk:     the socket to initialise
 * @parent: listening socket to inherit from, or NULL for a fresh socket
 *
 * A child inherits type, deferred-setup flag, security level and role
 * switch from its parent (and the LSM label via security_sk_clone()); a
 * fresh socket starts at BT_SECURITY_LOW with no role switch. Either way
 * the DLC is updated to match the socket's settings.
 */
static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
{
	struct rfcomm_pinfo *pi = rfcomm_pi(sk);

	BT_DBG("sk %p", sk);

	if (parent) {
		sk->sk_type = parent->sk_type;
		pi->dlc->defer_setup = test_bit(BT_SK_DEFER_SETUP,
						&bt_sk(parent)->flags);

		pi->sec_level = rfcomm_pi(parent)->sec_level;
		pi->role_switch = rfcomm_pi(parent)->role_switch;

		security_sk_clone(parent, sk);
	} else {
		pi->dlc->defer_setup = 0;

		pi->sec_level = BT_SECURITY_LOW;
		pi->role_switch = 0;
	}

	pi->dlc->sec_level = pi->sec_level;
	pi->dlc->role_switch = pi->role_switch;
}

static struct proto rfcomm_proto = {
	.name		= "RFCOMM",
	.owner		= THIS_MODULE,
	.obj_size	= sizeof(struct rfcomm_pinfo)
};

/*
 * Allocate an RFCOMM socket together with its DLC.
 * @net, @sock, @proto, @kern: forwarded to bt_sock_alloc()
 * @prio: allocation flags for both the DLC and the socket
 *
 * Returns the new socket, already linked into rfcomm_sk_list, or NULL on
 * allocation failure (the DLC is freed if the socket cannot be allocated).
 * Socket and DLC reference each other: pi->dlc and d->owner.
 */
static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock,
				      int proto, gfp_t prio, int kern)
{
	struct rfcomm_dlc *d;
	struct sock *sk;

	d = rfcomm_dlc_alloc(prio);
	if (!d)
		return NULL;

	sk = bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern);
	if (!sk) {
		rfcomm_dlc_free(d);
		return NULL;
	}

	d->data_ready   = rfcomm_sk_data_ready;
	d->state_change = rfcomm_sk_state_change;

	rfcomm_pi(sk)->dlc = d;
	d->owner = sk;

	sk->sk_destruct = rfcomm_sock_destruct;
	sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT;

	/* Buffer sizes are derived from the credit window and default MTU. */
	sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
	sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;

	bt_sock_link(&rfcomm_sk_list, sk);

	BT_DBG("sk %p", sk);
	return sk;
}

/*
 * net_proto_family create() hook for BTPROTO_RFCOMM.
 *
 * Only SOCK_STREAM and SOCK_RAW are accepted; everything else gets
 * -ESOCKTNOSUPPORT. The socket is allocated with GFP_ATOMIC.
 */
static int rfcomm_sock_create(struct net *net, struct socket *sock,
			      int protocol, int kern)
{
	struct sock *sk;

	BT_DBG("sock %p", sock);

	sock->state = SS_UNCONNECTED;

	if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW)
		return -ESOCKTNOSUPPORT;

	sock->ops = &rfcomm_sock_ops;

	sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
	if (!sk)
		return -ENOMEM;

	rfcomm_sock_init(sk, NULL);
	return 0;
}

/*
 * bind(2): record the local address and server channel.
 *
 * The user address is validated to be at least long enough to carry
 * sa_family and to be AF_BLUETOOTH, then copied into a zeroed local
 * sockaddr_rc bounded by min(sizeof(sa), addr_len), so a short address
 * leaves the tail zeroed rather than reading past the caller's buffer.
 * Only BT_OPEN stream sockets may bind. A non-zero channel is checked
 * for conflicts under the list write lock; channel 0 defers allocation
 * to rfcomm_sock_listen().
 */
static int rfcomm_sock_bind(struct socket *sock, struct sockaddr_unsized *addr, int addr_len)
{
	struct sockaddr_rc sa;
	struct sock *sk = sock->sk;
	int len, err = 0;

	if (!addr || addr_len < offsetofend(struct sockaddr, sa_family) ||
	    addr->sa_family != AF_BLUETOOTH)
		return -EINVAL;

	memset(&sa, 0, sizeof(sa));
	len = min_t(unsigned int, sizeof(sa), addr_len);
	memcpy(&sa, addr, len);

	BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);

	lock_sock(sk);

	if (sk->sk_state != BT_OPEN) {
		err = -EBADFD;
		goto done;
	}

	if (sk->sk_type != SOCK_STREAM) {
		err = -EINVAL;
		goto done;
	}

	write_lock(&rfcomm_sk_list.lock);

	if (sa.rc_channel &&
	    __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
		err = -EADDRINUSE;
	} else {
		/* Save source address */
		bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr);
		rfcomm_pi(sk)->channel = sa.rc_channel;
		sk->sk_state = BT_BOUND;
	}

	write_unlock(&rfcomm_sk_list.lock);

done:
	release_sock(sk);
	return err;
}

/*
 * connect(2): open the DLC towards the remote address/channel.
 *
 * Unlike bind(), a full sockaddr_rc is required (@alen is checked against
 * sizeof(struct sockaddr_rc)) because every field of @sa is read. The
 * socket must be BT_OPEN or BT_BOUND and of type SOCK_STREAM. The socket's
 * security level and role-switch preference are pushed into the DLC
 * before opening it. On success the call blocks for BT_CONNECTED using
 * the send timeout, unless the socket was zapped meanwhile.
 */
static int rfcomm_sock_connect(struct socket *sock, struct sockaddr_unsized *addr,
			       int alen, int flags)
{
	struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
	struct sock *sk = sock->sk;
	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
	int err = 0;

	BT_DBG("sk %p", sk);

	if (alen < sizeof(struct sockaddr_rc) ||
	    addr->sa_family != AF_BLUETOOTH)
		return -EINVAL;

	/* Extra reference: the socket lock is dropped below while the
	 * DLC is opened, so keep sk alive across that window.
	 */
	sock_hold(sk);
	lock_sock(sk);

	if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
		err = -EBADFD;
		goto done;
	}

	if (sk->sk_type != SOCK_STREAM) {
		err = -EINVAL;
		goto done;
	}

	sk->sk_state = BT_CONNECT;
	bacpy(&rfcomm_pi(sk)->dst, &sa->rc_bdaddr);
	rfcomm_pi(sk)->channel = sa->rc_channel;

	d->sec_level = rfcomm_pi(sk)->sec_level;
	d->role_switch = rfcomm_pi(sk)->role_switch;

	/* Drop sock lock to avoid potential deadlock with the RFCOMM lock */
	release_sock(sk);
	err = rfcomm_dlc_open(d, &rfcomm_pi(sk)->src, &sa->rc_bdaddr,
			      sa->rc_channel);
	lock_sock(sk);
	if (!err && !sock_flag(sk, SOCK_ZAPPED))
		err = bt_sock_wait_state(sk, BT_CONNECTED,
				sock_sndtimeo(sk, flags & O_NONBLOCK));

done:
	release_sock(sk);
	sock_put(sk);
	return err;
}

/*
 * listen(2): move a bound stream socket to BT_LISTEN.
 *
 * If bind() left the channel at 0, the first free server channel in
 * 1..30 for this source address is claimed here under the list write
 * lock; -EINVAL is returned when none is free.
 */
static int rfcomm_sock_listen(struct socket *sock, int backlog)
{
	struct sock *sk = sock->sk;
	int err = 0;

	BT_DBG("sk %p backlog %d", sk, backlog);

	lock_sock(sk);

	if (sk->sk_state != BT_BOUND) {
		err = -EBADFD;
		goto done;
	}

	if (sk->sk_type != SOCK_STREAM) {
		err = -EINVAL;
		goto done;
	}

	if (!rfcomm_pi(sk)->channel) {
		bdaddr_t *src = &rfcomm_pi(sk)->src;
		u8 channel;

		err = -EINVAL;

		write_lock(&rfcomm_sk_list.lock);

		for (channel = 1; channel < 31; channel++)
			if (!__rfcomm_get_listen_sock_by_addr(channel, src)) {
				rfcomm_pi(sk)->channel = channel;
				err = 0;
				break;
			}

		write_unlock(&rfcomm_sk_list.lock);

		if (err < 0)
			goto done;
	}

	sk->sk_max_ack_backlog = backlog;
	sk->sk_ack_backlog = 0;
	sk->sk_state = BT_LISTEN;

done:
	release_sock(sk);
	return err;
}

/*
 * accept(2): dequeue a connected child socket, blocking up to the
 * receive timeout (or not at all with O_NONBLOCK).
 *
 * The wait is exclusive (wake-one). The listening socket's lock is
 * dropped while sleeping and re-taken with SINGLE_DEPTH_NESTING because
 * the child's lock class nests under the parent's. The loop bails out if
 * the socket leaves BT_LISTEN, on timeout (-EAGAIN) or on a signal.
 */
static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock,
			      struct proto_accept_arg *arg)
{
	DEFINE_WAIT_FUNC(wait, woken_wake_function);
	struct sock *sk = sock->sk, *nsk;
	long timeo;
	int err = 0;

	lock_sock_nested(sk, SINGLE_DEPTH_NESTING);

	if (sk->sk_type != SOCK_STREAM) {
		err = -EINVAL;
		goto done;
	}

	timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK);

	BT_DBG("sk %p timeo %ld", sk, timeo);

	/* Wait for an incoming connection. (wake-one). */
	add_wait_queue_exclusive(sk_sleep(sk), &wait);
	while (1) {
		if (sk->sk_state != BT_LISTEN) {
			err = -EBADFD;
			break;
		}

		nsk = bt_accept_dequeue(sk, newsock);
		if (nsk) {
			/* Drop the bridging ref from bt_accept_dequeue();
			 * the grafted socket keeps nsk alive from here.
			 */
			sock_put(nsk);
			break;
		}

		if (!timeo) {
			err = -EAGAIN;
			break;
		}

		if (signal_pending(current)) {
			err = sock_intr_errno(timeo);
			break;
		}

		release_sock(sk);

		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);

		lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
	}
	remove_wait_queue(sk_sleep(sk), &wait);

	if (err)
		goto done;

	newsock->state = SS_CONNECTED;

	BT_DBG("new socket %p", nsk);

done:
	release_sock(sk);
	return err;
}

/*
 * getsockname(2)/getpeername(2).
 * @peer: non-zero to report the remote address instead of the local one
 *
 * The peer address is only reported once a connection is established or
 * in progress; otherwise -ENOTCONN. The output is fully zeroed before
 * being filled so no stack bytes leak into the returned sockaddr_rc.
 * Returns the address length on success.
 */
static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int peer)
{
	struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
	struct sock *sk = sock->sk;

	BT_DBG("sock %p, sk %p", sock, sk);

	if (peer && sk->sk_state != BT_CONNECTED &&
	    sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2)
		return -ENOTCONN;

	memset(sa, 0, sizeof(*sa));
	sa->rc_family  = AF_BLUETOOTH;
	sa->rc_channel = rfcomm_pi(sk)->channel;
	if (peer)
		bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->dst);
	else
		bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->src);

	return sizeof(struct sockaddr_rc);
}

/*
 * sendmsg(2): build one skb chain from the user iov and hand it to the DLC.
 *
 * Sending is refused while the DLC is still in deferred setup
 * (-ENOTCONN), for MSG_OOB (-EOPNOTSUPP) and after a send-side shutdown
 * (-EPIPE). bt_sock_wait_ready() is called under the socket lock and may
 * block until the socket is connected. On a negative result from
 * rfcomm_dlc_send() the skb is still owned by us and is freed here.
 * Returns the number of bytes queued or a negative errno.
 */
static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg,
			       size_t len)
{
	struct sock *sk = sock->sk;
	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
	struct sk_buff *skb;
	int sent;

	if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
		return -ENOTCONN;

	if (msg->msg_flags & MSG_OOB)
		return -EOPNOTSUPP;

	if (sk->sk_shutdown & SEND_SHUTDOWN)
		return -EPIPE;

	BT_DBG("sock %p, sk %p", sock, sk);

	lock_sock(sk);

	sent = bt_sock_wait_ready(sk, msg->msg_flags);

	release_sock(sk);

	if (sent)
		return sent;

	skb = bt_skb_sendmmsg(sk, msg, len, d->mtu, RFCOMM_SKB_HEAD_RESERVE,
			      RFCOMM_SKB_TAIL_RESERVE);
	if (IS_ERR(skb))
		return PTR_ERR(skb);

	sent = rfcomm_dlc_send(d, skb);
	if (sent < 0)
		kfree_skb(skb);

	return sent;
}

/*
 * recvmsg(2).
 *
 * The first recvmsg() on a socket whose DLC is in deferred setup accepts
 * the pending connection and returns 0 without reading data. Otherwise
 * the generic stream receive does the copy; afterwards the bytes actually
 * consumed (not peeked) are subtracted from sk_rmem_alloc, which is the
 * counterpart of the add in rfcomm_sk_data_ready(). The DLC is
 * un-throttled once the receive buffer has drained to a quarter of
 * sk_rcvbuf. Returns the byte count from bt_sock_stream_recvmsg().
 */
static int rfcomm_sock_recvmsg(struct socket *sock, struct msghdr *msg,
			       size_t size, int flags)
{
	struct sock *sk = sock->sk;
	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
	int len;

	if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
		rfcomm_dlc_accept(d);
		return 0;
	}

	len = bt_sock_stream_recvmsg(sock, msg, size, flags);

	lock_sock(sk);
	if (!(flags & MSG_PEEK) && len > 0)
		atomic_sub(len, &sk->sk_rmem_alloc);

	if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2))
		rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc);
	release_sock(sk);

	return len;
}

/*
 * Legacy SOL_RFCOMM setsockopt handler.
 *
 * Only RFCOMM_LM is supported: the link-mode bits are copied in with a
 * bounds-checked copy_safe_from_sockptr(), RFCOMM_LM_FIPS is rejected
 * (-EINVAL; FIPS cannot be requested through this interface), and the
 * remaining bits map onto a security level. The three tests are applied
 * in ascending order, so the strongest requested level wins when several
 * bits are set. RFCOMM_LM_MASTER sets the role-switch preference.
 */
static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname,
				      sockptr_t optval, unsigned int optlen)
{
	struct sock *sk = sock->sk;
	int err = 0;
	u32 opt;

	BT_DBG("sk %p", sk);

	lock_sock(sk);

	switch (optname) {
	case RFCOMM_LM:
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
		if (err)
			break;

		if (opt & RFCOMM_LM_FIPS) {
			err = -EINVAL;
			break;
		}

		if (opt & RFCOMM_LM_AUTH)
			rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
		if (opt & RFCOMM_LM_ENCRYPT)
			rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
		if (opt & RFCOMM_LM_SECURE)
			rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;

		rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
		break;

	default:
		err = -ENOPROTOOPT;
		break;
	}

	release_sock(sk);
	return err;
}

/*
 * setsockopt(2) entry point.
 *
 * SOL_RFCOMM is routed to the legacy handler; anything other than
 * SOL_BLUETOOTH is -ENOPROTOOPT. BT_SECURITY (stream sockets only)
 * pre-seeds sec.level with BT_SECURITY_LOW before the bounds-checked copy
 * and rejects any level above BT_SECURITY_HIGH. BT_DEFER_SETUP may only
 * be changed while BT_BOUND or BT_LISTEN, i.e. before children are
 * created that would inherit it in rfcomm_sock_init().
 */
static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname,
				  sockptr_t optval, unsigned int optlen)
{
	struct sock *sk = sock->sk;
	struct bt_security sec;
	int err = 0;
	u32 opt;

	BT_DBG("sk %p", sk);

	if (level == SOL_RFCOMM)
		return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);

	if (level != SOL_BLUETOOTH)
		return -ENOPROTOOPT;

	lock_sock(sk);

	switch (optname) {
	case BT_SECURITY:
		if (sk->sk_type != SOCK_STREAM) {
			err = -EINVAL;
			break;
		}

		sec.level = BT_SECURITY_LOW;

		err = copy_safe_from_sockptr(&sec, sizeof(sec), optval, optlen);
		if (err)
			break;

		if (sec.level > BT_SECURITY_HIGH) {
			err = -EINVAL;
			break;
		}

		rfcomm_pi(sk)->sec_level = sec.level;
		break;

	case BT_DEFER_SETUP:
		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
			err = -EINVAL;
			break;
		}

		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
		if (err)
			break;

		if (opt)
			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
		else
			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);

		break;

	default:
		err = -ENOPROTOOPT;
		break;
	}

	release_sock(sk);
	return err;
}

/*
 * Legacy SOL_RFCOMM getsockopt handler.
 *
 * RFCOMM_LM reports the link-mode bits derived from sec_level (each level
 * implies the bits of the levels below it) plus RFCOMM_LM_MASTER when
 * role switching is enabled. NOTE: the user-supplied @len is not consulted
 * for RFCOMM_LM; a full u32 is always written via put_user().
 * RFCOMM_CONNINFO requires a connected socket or one in deferred setup,
 * reaches the HCI connection through the session's L2CAP socket, and
 * copies out min(len, sizeof(cinfo)) bytes of a zeroed struct.
 */
static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
{
	struct sock *sk = sock->sk;
	struct sock *l2cap_sk;
	struct l2cap_conn *conn;
	struct rfcomm_conninfo cinfo;
	int err = 0;
	size_t len;
	u32 opt;

	BT_DBG("sk %p", sk);

	if (get_user(len, optlen))
		return -EFAULT;

	lock_sock(sk);

	switch (optname) {
	case RFCOMM_LM:
		switch (rfcomm_pi(sk)->sec_level) {
		case BT_SECURITY_LOW:
			opt = RFCOMM_LM_AUTH;
			break;
		case BT_SECURITY_MEDIUM:
			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
			break;
		case BT_SECURITY_HIGH:
			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
			      RFCOMM_LM_SECURE;
			break;
		case BT_SECURITY_FIPS:
			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
			      RFCOMM_LM_SECURE | RFCOMM_LM_FIPS;
			break;
		default:
			opt = 0;
			break;
		}

		if (rfcomm_pi(sk)->role_switch)
			opt |= RFCOMM_LM_MASTER;

		if (put_user(opt, (u32 __user *) optval))
			err = -EFAULT;

		break;

	case RFCOMM_CONNINFO:
		if (sk->sk_state != BT_CONNECTED &&
					!rfcomm_pi(sk)->dlc->defer_setup) {
			err = -ENOTCONN;
			break;
		}

		l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
		conn = l2cap_pi(l2cap_sk)->chan->conn;

		/* Zero first so padding never reaches user space. */
		memset(&cinfo, 0, sizeof(cinfo));
		cinfo.hci_handle = conn->hcon->handle;
		memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);

		len = min(len, sizeof(cinfo));
		if (copy_to_user(optval, (char *) &cinfo, len))
			err = -EFAULT;

		break;

	default:
		err = -ENOPROTOOPT;
		break;
	}

	release_sock(sk);
	return err;
}

/*
 * getsockopt(2) entry point.
 *
 * SOL_RFCOMM goes to the legacy handler; other levels than SOL_BLUETOOTH
 * are -ENOPROTOOPT. BT_SECURITY (stream sockets only) reports sec_level
 * with key_size fixed at 0, copying min(len, sizeof(sec)) bytes.
 * BT_DEFER_SETUP is readable only while BT_BOUND or BT_LISTEN and, like
 * RFCOMM_LM above, writes a full u32 regardless of @len.
 */
static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
{
	struct sock *sk = sock->sk;
	struct bt_security sec;
	int err = 0;
	size_t len;

	BT_DBG("sk %p", sk);

	if (level == SOL_RFCOMM)
		return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen);

	if (level != SOL_BLUETOOTH)
		return -ENOPROTOOPT;

	if (get_user(len, optlen))
		return -EFAULT;

	lock_sock(sk);

	switch (optname) {
	case BT_SECURITY:
		if (sk->sk_type != SOCK_STREAM) {
			err = -EINVAL;
			break;
		}

		sec.level = rfcomm_pi(sk)->sec_level;
		sec.key_size = 0;

		len = min(len, sizeof(sec));
		if (copy_to_user(optval, (char *) &sec, len))
			err = -EFAULT;

		break;

	case BT_DEFER_SETUP:
		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
			err = -EINVAL;
			break;
		}

		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
			     (u32 __user *) optval))
			err = -EFAULT;

		break;

	default:
		err = -ENOPROTOOPT;
		break;
	}

	release_sock(sk);
	return err;
}

/*
 * ioctl(2): try the generic Bluetooth socket ioctls first; anything they
 * do not recognise (-ENOIOCTLCMD) is offered to the RFCOMM TTY layer when
 * CONFIG_BT_RFCOMM_TTY is built, else answered with -EOPNOTSUPP.
 * @sk is only used when the TTY path is compiled in, hence __maybe_unused.
 */
static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
{
	struct sock *sk __maybe_unused = sock->sk;
	int err;

	BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg);

	err = bt_sock_ioctl(sock, cmd, arg);

	if (err == -ENOIOCTLCMD) {
#ifdef CONFIG_BT_RFCOMM_TTY
		err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
#else
		err = -EOPNOTSUPP;
#endif
	}

	return err;
}

#ifdef CONFIG_COMPAT
/* 32-bit compat ioctl: translate the pointer argument and reuse the
 * native handler.
 */
static int rfcomm_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
{
	return rfcomm_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg));
}
#endif

/*
 * shutdown(2). @how is not examined: the first call always sets
 * SHUTDOWN_MASK and closes the socket; later calls are no-ops.
 *
 * The socket lock is released around __rfcomm_sock_close() and re-taken
 * afterwards. With SO_LINGER set and a non-zero linger time, the call
 * then waits for BT_CLOSED unless the task is exiting.
 */
static int rfcomm_sock_shutdown(struct socket *sock, int how)
{
	struct sock *sk = sock->sk;
	int err = 0;

	BT_DBG("sock %p, sk %p", sock, sk);

	if (!sk)
		return 0;

	lock_sock(sk);
	if (!sk->sk_shutdown) {
		sk->sk_shutdown = SHUTDOWN_MASK;

		release_sock(sk);
		__rfcomm_sock_close(sk);
		lock_sock(sk);

		if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
		    !(current->flags & PF_EXITING))
			err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
	}
	release_sock(sk);
	return err;
}

/*
 * release(2): shut the socket down (2 == SHUT_RDWR, though
 * rfcomm_sock_shutdown() ignores the value), detach it from the
 * struct socket, and let rfcomm_sock_kill() reap it now that it is
 * zapped and orphaned. Returns the shutdown result.
 */
static int rfcomm_sock_release(struct socket *sock)
{
	struct sock *sk = sock->sk;
	int err;

	BT_DBG("sock %p, sk %p", sock, sk);

	if (!sk)
		return 0;

	err = rfcomm_sock_shutdown(sock, 2);

	sock_orphan(sk);
	rfcomm_sock_kill(sk);
	return err;
}

/* ---- RFCOMM core layer callbacks ----
 *
 * called under rfcomm_lock()
 */

/*
 * Incoming DLC request from the RFCOMM core.
 * @s:       the session the request arrived on
 * @channel: requested server channel
 * @d:       out: the DLC to use for the new connection when accepted
 *
 * Returns 1 and sets *@d when a listening socket exists for (channel, src)
 * and a child socket was created and queued on it; returns 0 (request
 * refused) when there is no listener, the listener left BT_LISTEN, its
 * backlog is full, or the child allocation failed. The listener reference
 * taken by rfcomm_get_sock_by_channel() is dropped before returning. With
 * deferred setup enabled on the listener, its state-change callback is
 * invoked after the lock is released so a waiter can notice the pending
 * connection.
 */
int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d)
{
	struct sock *sk, *parent;
	bdaddr_t src, dst;
	bool defer_setup = false;
	int result = 0;

	BT_DBG("session %p channel %d", s, channel);

	rfcomm_session_getaddr(s, &src, &dst);

	/* Check if we have socket listening on channel */
	parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src);
	if (!parent)
		return 0;

	lock_sock(parent);

	if (parent->sk_state != BT_LISTEN)
		goto done;

	defer_setup = test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags);

	/* Check for backlog size */
	if (sk_acceptq_is_full(parent)) {
		BT_DBG("backlog full %d", parent->sk_ack_backlog);
		goto done;
	}

	sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC, 0);
	if (!sk)
		goto done;

	bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM);

	rfcomm_sock_init(sk, parent);
	bacpy(&rfcomm_pi(sk)->src, &src);
	bacpy(&rfcomm_pi(sk)->dst, &dst);
	rfcomm_pi(sk)->channel = channel;

	sk->sk_state = BT_CONFIG;
	bt_accept_enqueue(parent, sk, true);

	/* Accept connection and return socket DLC */
	*d = rfcomm_pi(sk)->dlc;
	result = 1;

done:
	release_sock(parent);

	if (defer_setup)
		parent->sk_state_change(parent);

	sock_put(parent);

	return result;
}

/*
 * debugfs "rfcomm" file: one line per socket with source address,
 * destination address, state and channel, printed under the list read lock.
 */
static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
{
	struct sock *sk;

	read_lock(&rfcomm_sk_list.lock);

	sk_for_each(sk, &rfcomm_sk_list.head) {
		seq_printf(f, "%pMR %pMR %d %d\n",
			   &rfcomm_pi(sk)->src, &rfcomm_pi(sk)->dst,
			   sk->sk_state, rfcomm_pi(sk)->channel);
	}

	read_unlock(&rfcomm_sk_list.lock);

	return 0;
}

DEFINE_SHOW_ATTRIBUTE(rfcomm_sock_debugfs);

static struct dentry *rfcomm_sock_debugfs;

static const struct proto_ops rfcomm_sock_ops = {
	.family		= PF_BLUETOOTH,
	.owner		= THIS_MODULE,
	.release	= rfcomm_sock_release,
	.bind		= rfcomm_sock_bind,
	.connect	= rfcomm_sock_connect,
	.listen		= rfcomm_sock_listen,
	.accept		= rfcomm_sock_accept,
	.getname	= rfcomm_sock_getname,
	.sendmsg	= rfcomm_sock_sendmsg,
	.recvmsg	= rfcomm_sock_recvmsg,
	.shutdown	= rfcomm_sock_shutdown,
	.setsockopt	= rfcomm_sock_setsockopt,
	.getsockopt	= rfcomm_sock_getsockopt,
	.ioctl		= rfcomm_sock_ioctl,
	.gettstamp	= sock_gettstamp,
	.poll		= bt_sock_poll,
	.socketpair	= sock_no_socketpair,
	.mmap		= sock_no_mmap,
#ifdef CONFIG_COMPAT
	.compat_ioctl	= rfcomm_sock_compat_ioctl,
#endif
};

static const struct net_proto_family rfcomm_sock_family_ops = {
	.family		= PF_BLUETOOTH,
	.owner		= THIS_MODULE,
	.create		= rfcomm_sock_create
};

/*
 * Module init: register the proto, the BTPROTO_RFCOMM family and the
 * procfs entry, unwinding in reverse on failure. The debugfs file is
 * optional and its creation result is not checked; it is skipped when
 * the Bluetooth debugfs root is missing. The BUILD_BUG_ON guards the
 * sockaddr casts in this file by ensuring sockaddr_rc fits in a sockaddr.
 */
int __init rfcomm_init_sockets(void)
{
	int err;

	BUILD_BUG_ON(sizeof(struct sockaddr_rc) > sizeof(struct sockaddr));

	err = proto_register(&rfcomm_proto, 0);
	if (err < 0)
		return err;

	err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops);
	if (err < 0) {
		BT_ERR("RFCOMM socket layer registration failed");
		goto error;
	}

	err = bt_procfs_init(&init_net, "rfcomm", &rfcomm_sk_list, NULL);
	if (err < 0) {
		BT_ERR("Failed to create RFCOMM proc file");
		bt_sock_unregister(BTPROTO_RFCOMM);
		goto error;
	}

	BT_INFO("RFCOMM socket layer initialized");

	if (IS_ERR_OR_NULL(bt_debugfs))
		return 0;

	rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444,
						  bt_debugfs, NULL,
						  &rfcomm_sock_debugfs_fops);

	return 0;

error:
	proto_unregister(&rfcomm_proto);
	return err;
}

/* Module exit: undo rfcomm_init_sockets() in reverse order. */
void __exit rfcomm_cleanup_sockets(void)
{
	bt_procfs_cleanup(&init_net, "rfcomm");

	debugfs_remove(rfcomm_sock_debugfs);

	bt_sock_unregister(BTPROTO_RFCOMM);

	proto_unregister(&rfcomm_proto);
}