1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 RFCOMM implementation for Linux Bluetooth stack (BlueZ). 4 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com> 5 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org> 6 7 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 8 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 9 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 10 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 11 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 12 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 13 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 14 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15 16 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 17 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 18 SOFTWARE IS DISCLAIMED. 19 */ 20 21 /* 22 * RFCOMM sockets. 
*/
#include <linux/compat.h>
#include <linux/export.h>
#include <linux/debugfs.h>
#include <linux/sched/signal.h>
#include <linux/uio.h>

#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/l2cap.h>
#include <net/bluetooth/rfcomm.h>

static const struct proto_ops rfcomm_sock_ops;

/* Registry of every RFCOMM socket, protected by its own rwlock.  It is
 * searched by (channel, source bdaddr) from bind()/listen() and from the
 * core's rfcomm_connect_ind() callback, and dumped by procfs/debugfs.
 */
static struct bt_sock_list rfcomm_sk_list = {
	.lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock)
};

static void rfcomm_sock_close(struct sock *sk);
static void rfcomm_sock_kill(struct sock *sk);

/* ---- DLC callbacks ----
 *
 * called under rfcomm_dlc_lock()
 */

/* rfcomm_sk_data_ready - hand a received frame to the owning socket.
 * @d:   DLC the frame arrived on
 * @skb: received frame; on success it is appended to sk_receive_queue
 *
 * The frame is queued first and the DLC is only throttled afterwards,
 * once sk_rmem_alloc has reached sk_rcvbuf, so the receive queue can
 * exceed sk_rcvbuf by whatever the peer had in flight when the throttle
 * took effect.  sk_rmem_alloc is decremented again in
 * rfcomm_sock_recvmsg().  If the DLC no longer has an owner the frame is
 * neither queued nor freed here; NOTE(review): the core is presumably
 * responsible for dropping it in that case -- confirm in rfcomm/core.c.
 */
static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
{
	struct sock *sk = d->owner;
	if (!sk)
		return;

	atomic_add(skb->len, &sk->sk_rmem_alloc);
	skb_queue_tail(&sk->sk_receive_queue, skb);
	sk->sk_data_ready(sk);

	if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
		rfcomm_dlc_throttle(d);
}

/* rfcomm_sk_state_change - mirror a DLC state transition onto its socket.
 * @d:   DLC that changed state
 * @err: error to report via sk_err, or 0
 *
 * Copies d->state into sk_state and wakes whoever is waiting.  A socket
 * still sitting in a listener's accept queue (bt_sk(sk)->parent set) is
 * unlinked from that queue and zapped when the DLC closes, and the parent
 * is woken instead of the child.  For a socket with no parent, the local
 * address is filled in from the session once the DLC is BT_CONNECTED.
 *
 * Killing a zapped, never-accepted child ends up in rfcomm_sock_destruct(),
 * which takes the DLC lock itself, hence the unlock/lock dance at the end
 * (this callback runs with rfcomm_dlc_lock() held).
 */
static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
{
	struct sock *sk = d->owner, *parent;

	if (!sk)
		return;

	BT_DBG("dlc %p state %ld err %d", d, d->state, err);

	lock_sock(sk);

	if (err)
		sk->sk_err = err;

	sk->sk_state = d->state;

	parent = bt_sk(sk)->parent;
	if (parent) {
		if (d->state == BT_CLOSED) {
			sock_set_flag(sk, SOCK_ZAPPED);
			bt_accept_unlink(sk);
		}
		parent->sk_data_ready(parent);
	} else {
		if (d->state == BT_CONNECTED)
			rfcomm_session_getaddr(d->session,
					       &rfcomm_pi(sk)->src, NULL);
		sk->sk_state_change(sk);
	}

	release_sock(sk);

	if (parent && sock_flag(sk, SOCK_ZAPPED)) {
		/* We have to drop DLC lock here, otherwise
		 * rfcomm_sock_destruct() will dead lock.
		 */
		rfcomm_dlc_unlock(d);
		rfcomm_sock_kill(sk);
		rfcomm_dlc_lock(d);
	}
}

/* ---- Socket functions ---- */

/* __rfcomm_get_listen_sock_by_addr - find a bound/listening socket.
 * @channel: RFCOMM server channel
 * @src:     local bdaddr the socket must be bound to
 *
 * Caller must hold rfcomm_sk_list.lock; no reference is taken on the
 * returned socket, so it is only valid while that lock is held.  The
 * source address comparison is exact: BDADDR_ANY is not treated as a
 * wildcard here, so the same channel may be bound both on BDADDR_ANY and
 * on a specific adapter address.  Only sockets in BT_BOUND or BT_LISTEN
 * count as occupying a channel.
 *
 * Returns the first matching socket, or NULL.
 */
static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
{
	struct sock *sk = NULL;

	sk_for_each(sk, &rfcomm_sk_list.head) {
		if (rfcomm_pi(sk)->channel != channel)
			continue;

		if (bacmp(&rfcomm_pi(sk)->src, src))
			continue;

		if (sk->sk_state == BT_BOUND || sk->sk_state == BT_LISTEN)
			break;
	}

	/* sk_for_each() leaves sk NULL when the list is exhausted. */
	return sk ? sk : NULL;
}

/* Find socket with channel and source bdaddr.
 * Returns closest match with an extra reference held.
 *
 * @state:   required sk_state, or 0 to accept any state
 * @channel: RFCOMM server channel
 * @src:     local bdaddr of the incoming session
 *
 * A socket bound to exactly @src wins over one bound to BDADDR_ANY; among
 * BDADDR_ANY candidates the last one in list order is kept.  The caller
 * owns the reference on the returned socket and must sock_put() it.
 */
static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
{
	struct sock *sk = NULL, *sk1 = NULL;

	read_lock(&rfcomm_sk_list.lock);

	sk_for_each(sk, &rfcomm_sk_list.head) {
		if (state && sk->sk_state != state)
			continue;

		if (rfcomm_pi(sk)->channel == channel) {
			/* Exact match. */
			if (!bacmp(&rfcomm_pi(sk)->src, src)) {
				sock_hold(sk);
				break;
			}

			/* Closest match */
			if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY)) {
				if (sk1)
					sock_put(sk1);

				sk1 = sk;
				sock_hold(sk1);
			}
		}
	}

	/* Exact match found after a wildcard candidate: drop the latter. */
	if (sk && sk1)
		sock_put(sk1);

	read_unlock(&rfcomm_sk_list.lock);

	return sk ? sk : sk1;
}

/* rfcomm_sock_destruct - sk_destruct callback: final teardown of a socket.
 * @sk: socket whose last reference was dropped
 *
 * Purges both queues, detaches the DLC under the DLC lock so callbacks
 * stop seeing this socket as owner, and drops the DLC reference taken in
 * rfcomm_sock_alloc().  Must not be reached with rfcomm_dlc_lock() held
 * (see rfcomm_sk_state_change()).
 */
static void rfcomm_sock_destruct(struct sock *sk)
{
	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;

	BT_DBG("sk %p dlc %p", sk, d);

	skb_queue_purge(&sk->sk_receive_queue);
	skb_queue_purge(&sk->sk_write_queue);

	rfcomm_dlc_lock(d);
	rfcomm_pi(sk)->dlc = NULL;

	/* Detach DLC if it's owned by this socket */
	if (d->owner == sk)
		d->owner = NULL;
	rfcomm_dlc_unlock(d);

	rfcomm_dlc_put(d);
}

/* rfcomm_sock_cleanup_listen - tear down a listening socket's backlog.
 * @parent: listening socket, locked by the caller
 *
 * Every child still waiting in the accept queue is closed and killed; the
 * extra reference handed back by bt_accept_dequeue() is dropped for each.
 * Finally the parent itself is marked closed and zapped.
 */
static void rfcomm_sock_cleanup_listen(struct sock *parent)
{
	struct sock *sk;

	BT_DBG("parent %p", parent);

	/* Close not yet accepted dlcs */
	while ((sk = bt_accept_dequeue(parent, NULL))) {
		rfcomm_sock_close(sk);
		rfcomm_sock_kill(sk);
		/* Drop the reference handed back by bt_accept_dequeue(). */
		sock_put(sk);
	}

	parent->sk_state = BT_CLOSED;
	sock_set_flag(parent, SOCK_ZAPPED);
}

/* Kill socket (only if zapped and orphan)
 * Must be called on unlocked socket.
 *
 * A socket that is not SOCK_ZAPPED, or that still has a struct socket
 * attached, is left alone.  Otherwise it is removed from rfcomm_sk_list
 * and the sock_put() drops the reference held for that list membership
 * (presumably taken by bt_sock_link(); not visible here).
 */
static void rfcomm_sock_kill(struct sock *sk)
{
	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
		return;

	BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, refcount_read(&sk->sk_refcnt));

	/* Kill poor orphan */
	bt_sock_unlink(&rfcomm_sk_list, sk);
	sock_set_flag(sk, SOCK_DEAD);
	sock_put(sk);
}

/* __rfcomm_sock_close - state-dependent close, without taking the lock.
 * @sk: socket to close
 *
 * Listening sockets drain their backlog; sockets with a live or pending
 * DLC close it (the DLC callbacks then update sk_state) and fall through
 * to being zapped; everything else is simply zapped.  Called with the
 * socket locked from rfcomm_sock_close(), and with the lock deliberately
 * dropped from rfcomm_sock_shutdown().
 */
static void __rfcomm_sock_close(struct sock *sk)
{
	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;

	BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);

	switch (sk->sk_state) {
	case BT_LISTEN:
		rfcomm_sock_cleanup_listen(sk);
		break;

	case BT_CONNECT:
	case BT_CONNECT2:
	case BT_CONFIG:
	case BT_CONNECTED:
		rfcomm_dlc_close(d, 0);
		fallthrough;

	default:
		sock_set_flag(sk, SOCK_ZAPPED);
		break;
	}
}

/* Close socket.
 * Must be called on unlocked socket.
241 */ 242 static void rfcomm_sock_close(struct sock *sk) 243 { 244 lock_sock(sk); 245 __rfcomm_sock_close(sk); 246 release_sock(sk); 247 } 248 249 static void rfcomm_sock_init(struct sock *sk, struct sock *parent) 250 { 251 struct rfcomm_pinfo *pi = rfcomm_pi(sk); 252 253 BT_DBG("sk %p", sk); 254 255 if (parent) { 256 sk->sk_type = parent->sk_type; 257 pi->dlc->defer_setup = test_bit(BT_SK_DEFER_SETUP, 258 &bt_sk(parent)->flags); 259 260 pi->sec_level = rfcomm_pi(parent)->sec_level; 261 pi->role_switch = rfcomm_pi(parent)->role_switch; 262 263 security_sk_clone(parent, sk); 264 } else { 265 pi->dlc->defer_setup = 0; 266 267 pi->sec_level = BT_SECURITY_LOW; 268 pi->role_switch = 0; 269 } 270 271 pi->dlc->sec_level = pi->sec_level; 272 pi->dlc->role_switch = pi->role_switch; 273 } 274 275 static struct proto rfcomm_proto = { 276 .name = "RFCOMM", 277 .owner = THIS_MODULE, 278 .obj_size = sizeof(struct rfcomm_pinfo) 279 }; 280 281 static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, 282 int proto, gfp_t prio, int kern) 283 { 284 struct rfcomm_dlc *d; 285 struct sock *sk; 286 287 d = rfcomm_dlc_alloc(prio); 288 if (!d) 289 return NULL; 290 291 sk = bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern); 292 if (!sk) { 293 rfcomm_dlc_free(d); 294 return NULL; 295 } 296 297 d->data_ready = rfcomm_sk_data_ready; 298 d->state_change = rfcomm_sk_state_change; 299 300 rfcomm_pi(sk)->dlc = d; 301 d->owner = sk; 302 303 sk->sk_destruct = rfcomm_sock_destruct; 304 sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT; 305 306 sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10; 307 sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10; 308 309 bt_sock_link(&rfcomm_sk_list, sk); 310 311 BT_DBG("sk %p", sk); 312 return sk; 313 } 314 315 static int rfcomm_sock_create(struct net *net, struct socket *sock, 316 int protocol, int kern) 317 { 318 struct sock *sk; 319 320 BT_DBG("sock %p", sock); 321 322 sock->state = SS_UNCONNECTED; 323 324 if (sock->type != 
SOCK_STREAM && sock->type != SOCK_RAW) 325 return -ESOCKTNOSUPPORT; 326 327 sock->ops = &rfcomm_sock_ops; 328 329 sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern); 330 if (!sk) 331 return -ENOMEM; 332 333 rfcomm_sock_init(sk, NULL); 334 return 0; 335 } 336 337 static int rfcomm_sock_bind(struct socket *sock, struct sockaddr_unsized *addr, int addr_len) 338 { 339 struct sockaddr_rc sa; 340 struct sock *sk = sock->sk; 341 int len, err = 0; 342 343 if (!addr || addr_len < offsetofend(struct sockaddr, sa_family) || 344 addr->sa_family != AF_BLUETOOTH) 345 return -EINVAL; 346 347 memset(&sa, 0, sizeof(sa)); 348 len = min_t(unsigned int, sizeof(sa), addr_len); 349 memcpy(&sa, addr, len); 350 351 BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr); 352 353 lock_sock(sk); 354 355 if (sk->sk_state != BT_OPEN) { 356 err = -EBADFD; 357 goto done; 358 } 359 360 if (sk->sk_type != SOCK_STREAM) { 361 err = -EINVAL; 362 goto done; 363 } 364 365 write_lock(&rfcomm_sk_list.lock); 366 367 if (sa.rc_channel && 368 __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) { 369 err = -EADDRINUSE; 370 } else { 371 /* Save source address */ 372 bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr); 373 rfcomm_pi(sk)->channel = sa.rc_channel; 374 sk->sk_state = BT_BOUND; 375 } 376 377 write_unlock(&rfcomm_sk_list.lock); 378 379 done: 380 release_sock(sk); 381 return err; 382 } 383 384 static int rfcomm_sock_connect(struct socket *sock, struct sockaddr_unsized *addr, 385 int alen, int flags) 386 { 387 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr; 388 struct sock *sk = sock->sk; 389 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc; 390 int err = 0; 391 392 BT_DBG("sk %p", sk); 393 394 if (alen < sizeof(struct sockaddr_rc) || 395 addr->sa_family != AF_BLUETOOTH) 396 return -EINVAL; 397 398 sock_hold(sk); 399 lock_sock(sk); 400 401 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) { 402 err = -EBADFD; 403 goto done; 404 } 405 406 if (sk->sk_type != SOCK_STREAM) { 407 err = -EINVAL; 408 
/* (continuation of rfcomm_sock_connect(); the function begins above) */
		goto done;
	}

	sk->sk_state = BT_CONNECT;
	bacpy(&rfcomm_pi(sk)->dst, &sa->rc_bdaddr);
	rfcomm_pi(sk)->channel = sa->rc_channel;

	/* Push the socket's current policy into the DLC before opening it. */
	d->sec_level = rfcomm_pi(sk)->sec_level;
	d->role_switch = rfcomm_pi(sk)->role_switch;

	/* Drop sock lock to avoid potential deadlock with the RFCOMM lock */
	release_sock(sk);
	err = rfcomm_dlc_open(d, &rfcomm_pi(sk)->src, &sa->rc_bdaddr,
			      sa->rc_channel);
	lock_sock(sk);
	/* The socket may have been closed while unlocked; do not wait on a
	 * zapped socket.
	 */
	if (!err && !sock_flag(sk, SOCK_ZAPPED))
		err = bt_sock_wait_state(sk, BT_CONNECTED,
				sock_sndtimeo(sk, flags & O_NONBLOCK));

done:
	release_sock(sk);
	sock_put(sk);
	return err;
}

/* rfcomm_sock_listen - listen(2): move a bound socket to BT_LISTEN.
 *
 * Requires BT_BOUND and SOCK_STREAM.  If the socket was bound with channel
 * 0, the first server channel in 1..30 that no other BT_BOUND/BT_LISTEN
 * socket holds for the same source address is claimed under the list
 * write lock; -EINVAL if all 30 are taken.  The search uses the exact
 * source-address match of __rfcomm_get_listen_sock_by_addr(), so a
 * channel held on BDADDR_ANY is still considered free for a socket bound
 * to a specific adapter.
 */
static int rfcomm_sock_listen(struct socket *sock, int backlog)
{
	struct sock *sk = sock->sk;
	int err = 0;

	BT_DBG("sk %p backlog %d", sk, backlog);

	lock_sock(sk);

	if (sk->sk_state != BT_BOUND) {
		err = -EBADFD;
		goto done;
	}

	if (sk->sk_type != SOCK_STREAM) {
		err = -EINVAL;
		goto done;
	}

	if (!rfcomm_pi(sk)->channel) {
		bdaddr_t *src = &rfcomm_pi(sk)->src;
		u8 channel;

		err = -EINVAL;

		write_lock(&rfcomm_sk_list.lock);

		for (channel = 1; channel < 31; channel++)
			if (!__rfcomm_get_listen_sock_by_addr(channel, src)) {
				rfcomm_pi(sk)->channel = channel;
				err = 0;
				break;
			}

		write_unlock(&rfcomm_sk_list.lock);

		if (err < 0)
			goto done;
	}

	sk->sk_max_ack_backlog = backlog;
	sk->sk_ack_backlog = 0;
	sk->sk_state = BT_LISTEN;

done:
	release_sock(sk);
	return err;
}

/* rfcomm_sock_accept - accept(2): dequeue a child created by
 * rfcomm_connect_ind().
 *
 * Waits (wake-one, interruptible, bounded by the receive timeout unless
 * O_NONBLOCK) for bt_accept_dequeue() to hand back a child already grafted
 * onto @newsock.  The reference bt_accept_dequeue() returns is dropped
 * right away because the grafted struct socket now keeps the child alive.
 * The loop re-checks BT_LISTEN after every wakeup since the lock is
 * dropped while sleeping.  NOTE(review): newsock->state is set to
 * SS_CONNECTED regardless of the child's sk_state; with BT_DEFER_SETUP
 * the child may not actually be connected yet -- confirm what
 * bt_accept_dequeue() hands back in that mode.
 */
static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock,
			      struct proto_accept_arg *arg)
{
	DEFINE_WAIT_FUNC(wait, woken_wake_function);
	struct sock *sk = sock->sk, *nsk;
	long timeo;
	int err = 0;

	lock_sock_nested(sk, SINGLE_DEPTH_NESTING);

	if (sk->sk_type != SOCK_STREAM) {
		err = -EINVAL;
		goto done;
	}

	timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK);

	BT_DBG("sk %p timeo %ld", sk, timeo);

	/* Wait for an incoming connection. (wake-one). */
	add_wait_queue_exclusive(sk_sleep(sk), &wait);
	while (1) {
		if (sk->sk_state != BT_LISTEN) {
			err = -EBADFD;
			break;
		}

		nsk = bt_accept_dequeue(sk, newsock);
		if (nsk) {
			/* Drop the bridging ref from bt_accept_dequeue();
			 * the grafted socket keeps nsk alive from here.
			 */
			sock_put(nsk);
			break;
		}

		if (!timeo) {
			err = -EAGAIN;
			break;
		}

		if (signal_pending(current)) {
			err = sock_intr_errno(timeo);
			break;
		}

		release_sock(sk);

		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);

		lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
	}
	remove_wait_queue(sk_sleep(sk), &wait);

	if (err)
		goto done;

	newsock->state = SS_CONNECTED;

	BT_DBG("new socket %p", nsk);

done:
	release_sock(sk);
	return err;
}

/* rfcomm_sock_getname - getsockname(2)/getpeername(2).
 *
 * The peer address is only reported while connected or connecting
 * (-ENOTCONN otherwise).  rc_channel is always the socket's own channel
 * field, whichever side is asked for; for a client socket that field
 * holds the remote channel set by connect().  Always fills a complete
 * struct sockaddr_rc and returns its size.
 */
static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int peer)
{
	struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
	struct sock *sk = sock->sk;

	BT_DBG("sock %p, sk %p", sock, sk);

	if (peer && sk->sk_state != BT_CONNECTED &&
	    sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2)
		return -ENOTCONN;

	memset(sa, 0, sizeof(*sa));
	sa->rc_family  = AF_BLUETOOTH;
	sa->rc_channel = rfcomm_pi(sk)->channel;
	if (peer)
		bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->dst);
	else
		bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->src);

	return sizeof(struct sockaddr_rc);
}

/* rfcomm_sock_sendmsg - sendmsg(2) on an RFCOMM socket.
 *
 * Refuses to send while the DLC is still in deferred setup (-ENOTCONN),
 * on MSG_OOB (-EOPNOTSUPP) and after a write shutdown (-EPIPE).  The wait
 * for the socket to become ready is done under the socket lock; the skb
 * is then built from the user iov with the DLC's negotiated MTU plus the
 * RFCOMM head/tail reserve, and handed to rfcomm_dlc_send(), which takes
 * ownership on success.  On failure the skb is freed here.
 */
static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg,
			       size_t len)
{
	struct sock *sk = sock->sk;
	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
	struct sk_buff *skb;
	int sent;

	if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
		return -ENOTCONN;

	if (msg->msg_flags & MSG_OOB)
/* (continuation of rfcomm_sock_sendmsg(); the function begins above) */
		return -EOPNOTSUPP;

	if (sk->sk_shutdown & SEND_SHUTDOWN)
		return -EPIPE;

	BT_DBG("sock %p, sk %p", sock, sk);

	lock_sock(sk);

	sent = bt_sock_wait_ready(sk, msg->msg_flags);

	release_sock(sk);

	if (sent)
		return sent;

	skb = bt_skb_sendmmsg(sk, msg, len, d->mtu, RFCOMM_SKB_HEAD_RESERVE,
			      RFCOMM_SKB_TAIL_RESERVE);
	if (IS_ERR(skb))
		return PTR_ERR(skb);

	sent = rfcomm_dlc_send(d, skb);
	if (sent < 0)
		kfree_skb(skb);

	return sent;
}

/* rfcomm_sock_recvmsg - recvmsg(2) on an RFCOMM socket.
 *
 * With BT_DEFER_SETUP, the first recvmsg() on an accepted child is the
 * application's "go ahead": it clears RFCOMM_DEFER_SETUP, accepts the
 * DLC and returns 0 without reading anything, so callers must not treat
 * that 0 as EOF.  Otherwise data is read via bt_sock_stream_recvmsg();
 * the bytes consumed (not peeked) are subtracted from sk_rmem_alloc, and
 * the DLC is unthrottled once the queue has drained to a quarter of
 * sk_rcvbuf, undoing the throttle applied in rfcomm_sk_data_ready().
 */
static int rfcomm_sock_recvmsg(struct socket *sock, struct msghdr *msg,
			       size_t size, int flags)
{
	struct sock *sk = sock->sk;
	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
	int len;

	if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
		rfcomm_dlc_accept(d);
		return 0;
	}

	len = bt_sock_stream_recvmsg(sock, msg, size, flags);

	lock_sock(sk);
	if (!(flags & MSG_PEEK) && len > 0)
		atomic_sub(len, &sk->sk_rmem_alloc);

	if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2))
		rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc);
	release_sock(sk);

	return len;
}

/* rfcomm_sock_setsockopt_old - SOL_RFCOMM options (legacy RFCOMM_LM).
 *
 * RFCOMM_LM is a u32 bitmask copied with copy_safe_from_sockptr(), which
 * is expected to reject an optlen shorter than the option (not visible
 * here).  RFCOMM_LM_FIPS cannot be requested this way (-EINVAL).  The
 * AUTH/ENCRYPT/SECURE bits are applied in increasing order and each one
 * overwrites sec_level, so the strongest bit present wins; AUTH alone
 * maps to BT_SECURITY_LOW.  RFCOMM_LM_MASTER sets role_switch.  Nothing
 * here is pushed into the DLC; that happens at connect()/init time.
 */
static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname,
				      sockptr_t optval, unsigned int optlen)
{
	struct sock *sk = sock->sk;
	int err = 0;
	u32 opt;

	BT_DBG("sk %p", sk);

	lock_sock(sk);

	switch (optname) {
	case RFCOMM_LM:
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
		if (err)
			break;

		if (opt & RFCOMM_LM_FIPS) {
			err = -EINVAL;
			break;
		}

		if (opt & RFCOMM_LM_AUTH)
			rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
		if (opt & RFCOMM_LM_ENCRYPT)
			rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
		if (opt & RFCOMM_LM_SECURE)
			rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;

		rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
		break;

	default:
		err = -ENOPROTOOPT;
		break;
	}

	release_sock(sk);
	return err;
}

/* rfcomm_sock_setsockopt - setsockopt(2) dispatch.
 *
 * SOL_RFCOMM goes to the legacy handler; only SOL_BLUETOOTH is handled
 * here.  BT_SECURITY (SOCK_STREAM only) accepts levels up to
 * BT_SECURITY_HIGH -- BT_SECURITY_FIPS is rejected, consistent with the
 * RFCOMM_LM path.  BT_DEFER_SETUP may only be toggled on a BT_BOUND or
 * BT_LISTEN socket and is inherited by accepted children through
 * rfcomm_sock_init().  Both values are read with copy_safe_from_sockptr().
 */
static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname,
				  sockptr_t optval, unsigned int optlen)
{
	struct sock *sk = sock->sk;
	struct bt_security sec;
	int err = 0;
	u32 opt;

	BT_DBG("sk %p", sk);

	if (level == SOL_RFCOMM)
		return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);

	if (level != SOL_BLUETOOTH)
		return -ENOPROTOOPT;

	lock_sock(sk);

	switch (optname) {
	case BT_SECURITY:
		if (sk->sk_type != SOCK_STREAM) {
			err = -EINVAL;
			break;
		}

		sec.level = BT_SECURITY_LOW;

		err = copy_safe_from_sockptr(&sec, sizeof(sec), optval, optlen);
		if (err)
			break;

		if (sec.level > BT_SECURITY_HIGH) {
			err = -EINVAL;
			break;
		}

		rfcomm_pi(sk)->sec_level = sec.level;
		break;

	case BT_DEFER_SETUP:
		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
			err = -EINVAL;
			break;
		}

		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
		if (err)
			break;

		if (opt)
			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
		else
			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);

		break;

	default:
		err = -ENOPROTOOPT;
		break;
	}

	release_sock(sk);
	return err;
}

/* rfcomm_sock_getsockopt_old - SOL_RFCOMM options (legacy).
 *
 * RFCOMM_LM reverses the mapping of the setter: LOW reports AUTH, MEDIUM
 * AUTH|ENCRYPT, HIGH adds SECURE, FIPS adds FIPS, anything else 0, plus
 * MASTER when role_switch is set.  The full u32 is always written, so a
 * shorter optlen fails with -EFAULT.
 *
 * RFCOMM_CONNINFO reports the ACL handle and remote device class.  It is
 * allowed while BT_CONNECTED, or at any time when the DLC was created
 * with deferred setup; it then follows dlc->session->sock->sk down to the
 * L2CAP channel's hci_conn.  NOTE(review): that chain assumes the session
 * is attached whenever defer_setup is set -- verify against the core.
 * Output is truncated to the caller's optlen.
 */
static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname,
				      sockopt_t *sopt)
{
	struct sock *sk = sock->sk;
	struct sock *l2cap_sk;
	struct l2cap_conn *conn;
	struct rfcomm_conninfo cinfo;
	int err = 0;
	size_t len;
	u32 opt;

	BT_DBG("sk %p", sk);

	len = sopt->optlen;

	lock_sock(sk);

	switch (optname) {
	case RFCOMM_LM:
		switch (rfcomm_pi(sk)->sec_level) {
		case BT_SECURITY_LOW:
			opt = RFCOMM_LM_AUTH;
			break;
		case BT_SECURITY_MEDIUM:
			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
			break;
		case BT_SECURITY_HIGH:
			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
			      RFCOMM_LM_SECURE;
			break;
		case BT_SECURITY_FIPS:
			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
			      RFCOMM_LM_SECURE | RFCOMM_LM_FIPS;
			break;
		default:
			opt = 0;
			break;
		}

		if (rfcomm_pi(sk)->role_switch)
			opt |= RFCOMM_LM_MASTER;

		if (copy_to_iter(&opt, sizeof(opt), &sopt->iter_out) !=
		    sizeof(opt))
			err = -EFAULT;

		break;

	case RFCOMM_CONNINFO:
		if (sk->sk_state != BT_CONNECTED &&
		    !rfcomm_pi(sk)->dlc->defer_setup) {
			err = -ENOTCONN;
			break;
		}

		l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
		conn = l2cap_pi(l2cap_sk)->chan->conn;

		/* Zero first so no padding leaks to user space. */
		memset(&cinfo, 0, sizeof(cinfo));
		cinfo.hci_handle = conn->hcon->handle;
		memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);

		len = min(len, sizeof(cinfo));
		if (copy_to_iter(&cinfo, len, &sopt->iter_out) != len)
			err = -EFAULT;

		break;

	default:
		err = -ENOPROTOOPT;
		break;
	}

	release_sock(sk);
	return err;
}

/* rfcomm_sock_getsockopt - getsockopt(2) dispatch (iter-based variant).
 *
 * SOL_RFCOMM goes to the legacy handler; only SOL_BLUETOOTH is handled
 * here.  BT_SECURITY (SOCK_STREAM only) reports the socket's sec_level
 * with key_size always 0, truncated to the caller's optlen.
 * BT_DEFER_SETUP is readable only in BT_BOUND/BT_LISTEN and always writes
 * a full u32 (-EFAULT on a shorter buffer).
 */
static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname,
				  sockopt_t *sopt)
{
	struct sock *sk = sock->sk;
	struct bt_security sec;
	int err = 0;
	size_t len;
	u32 opt;

	BT_DBG("sk %p", sk);

	if (level == SOL_RFCOMM)
		return rfcomm_sock_getsockopt_old(sock, optname, sopt);

	if (level != SOL_BLUETOOTH)
		return -ENOPROTOOPT;

	len = sopt->optlen;

	lock_sock(sk);

	switch (optname) {
	case BT_SECURITY:
		if (sk->sk_type != SOCK_STREAM) {
			err = -EINVAL;
			break;
		}

		sec.level = rfcomm_pi(sk)->sec_level;
		sec.key_size = 0;

		len = min(len, sizeof(sec));
		if (copy_to_iter(&sec, len, &sopt->iter_out) != len)
			err = -EFAULT;

		break;

	case BT_DEFER_SETUP:
		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
			err = -EINVAL;
			break;
		}

		opt = test_bit(BT_SK_DEFER_SETUP,
/* (continuation of rfcomm_sock_getsockopt(); the function begins above) */
			       &bt_sk(sk)->flags);
		if (copy_to_iter(&opt, sizeof(opt), &sopt->iter_out) !=
		    sizeof(opt))
			err = -EFAULT;

		break;

	default:
		err = -ENOPROTOOPT;
		break;
	}

	release_sock(sk);
	return err;
}

/* rfcomm_sock_ioctl - ioctl(2): generic Bluetooth ioctls first, then the
 * RFCOMM TTY device ioctls when CONFIG_BT_RFCOMM_TTY is built.
 *
 * No socket type or state check is made here; that is left to the
 * callee.  Without TTY support any non-generic ioctl is -EOPNOTSUPP.
 */
static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
{
	struct sock *sk __maybe_unused = sock->sk;
	int err;

	BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg);

	err = bt_sock_ioctl(sock, cmd, arg);

	if (err == -ENOIOCTLCMD) {
#ifdef CONFIG_BT_RFCOMM_TTY
		err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
#else
		err = -EOPNOTSUPP;
#endif
	}

	return err;
}

#ifdef CONFIG_COMPAT
/* Compat entry: only the pointer argument needs translating. */
static int rfcomm_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
{
	return rfcomm_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg));
}
#endif

/* rfcomm_sock_shutdown - shutdown(2).
 *
 * The @how argument is ignored: any shutdown is a full SHUTDOWN_MASK
 * shutdown, so SHUT_WR alone still tears the connection down.  The close
 * itself runs with the socket lock dropped (__rfcomm_sock_close() may
 * take the RFCOMM core lock); the lock is re-acquired for the optional
 * SO_LINGER wait, which is skipped for an exiting task.  Idempotent: a
 * second call finds sk_shutdown already set and does nothing.
 */
static int rfcomm_sock_shutdown(struct socket *sock, int how)
{
	struct sock *sk = sock->sk;
	int err = 0;

	BT_DBG("sock %p, sk %p", sock, sk);

	if (!sk)
		return 0;

	lock_sock(sk);
	if (!sk->sk_shutdown) {
		sk->sk_shutdown = SHUTDOWN_MASK;

		release_sock(sk);
		__rfcomm_sock_close(sk);
		lock_sock(sk);

		if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
		    !(current->flags & PF_EXITING))
			err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
	}
	release_sock(sk);
	return err;
}

/* rfcomm_sock_release - close(2) on the last file reference.
 *
 * Performs a full shutdown (the literal 2 is SHUT_RDWR), detaches the
 * struct socket, and then kills the sock if it is zapped and now orphaned.
 * A sock whose DLC is still closing stays alive until
 * rfcomm_sk_state_change() zaps it.  Returns the linger wait result.
 */
static int rfcomm_sock_release(struct socket *sock)
{
	struct sock *sk = sock->sk;
	int err;

	BT_DBG("sock %p, sk %p", sock, sk);

	if (!sk)
		return 0;

	err = rfcomm_sock_shutdown(sock, 2);

	sock_orphan(sk);
	rfcomm_sock_kill(sk);
	return err;
}

/* ---- RFCOMM core layer callbacks ----
 *
 * called under rfcomm_lock()
 */

/* rfcomm_connect_ind - incoming DLC request from the core.
 * @s:       session the request arrived on
 * @channel: requested server channel
 * @d:       out: DLC to use for the new connection when accepted
 *
 * Picks the listening socket for (channel, local bdaddr) -- exact address
 * match preferred over BDADDR_ANY -- and, if its backlog has room,
 * allocates a child atomically, lets it inherit the listener's settings
 * via rfcomm_sock_init(), puts it in BT_CONFIG and enqueues it on the
 * listener.  The child's DLC is returned through @d.  A listener with
 * BT_DEFER_SETUP additionally gets sk_state_change() after the lock is
 * dropped.
 *
 * Returns 1 when a socket accepted the request, 0 otherwise (no listener,
 * listener no longer in BT_LISTEN, backlog full, or allocation failure);
 * how the core treats 0 is not visible here.
 */
int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d)
{
	struct sock *sk, *parent;
	bdaddr_t src, dst;
	bool defer_setup = false;
	int result = 0;

	BT_DBG("session %p channel %d", s, channel);

	rfcomm_session_getaddr(s, &src, &dst);

	/* Check if we have socket listening on channel */
	parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src);
	if (!parent)
		return 0;

	lock_sock(parent);

	/* State may have changed between the lookup and taking the lock. */
	if (parent->sk_state != BT_LISTEN)
		goto done;

	defer_setup = test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags);

	/* Check for backlog size */
	if (sk_acceptq_is_full(parent)) {
		BT_DBG("backlog full %d", parent->sk_ack_backlog);
		goto done;
	}

	sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC, 0);
	if (!sk)
		goto done;

	bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM);

	rfcomm_sock_init(sk, parent);
	bacpy(&rfcomm_pi(sk)->src, &src);
	bacpy(&rfcomm_pi(sk)->dst, &dst);
	rfcomm_pi(sk)->channel = channel;

	sk->sk_state = BT_CONFIG;
	bt_accept_enqueue(parent, sk, true);

	/* Accept connection and return socket DLC */
	*d = rfcomm_pi(sk)->dlc;
	result = 1;

done:
	release_sock(parent);

	if (defer_setup)
		parent->sk_state_change(parent);

	/* Drop the reference taken by rfcomm_get_sock_by_channel(). */
	sock_put(parent);

	return result;
}

/* rfcomm_sock_debugfs_show - dump every RFCOMM socket.
 *
 * One line per socket: local bdaddr, remote bdaddr, sk_state, channel.
 * The file is created below with mode 0444, so this exposes peer
 * addresses to anyone who can read the debugfs mount.
 */
static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
{
	struct sock *sk;

	read_lock(&rfcomm_sk_list.lock);

	sk_for_each(sk, &rfcomm_sk_list.head) {
		seq_printf(f, "%pMR %pMR %d %d\n",
			   &rfcomm_pi(sk)->src, &rfcomm_pi(sk)->dst,
			   sk->sk_state, rfcomm_pi(sk)->channel);
	}

	read_unlock(&rfcomm_sk_list.lock);

	return 0;
}

DEFINE_SHOW_ATTRIBUTE(rfcomm_sock_debugfs);

static struct dentry *rfcomm_sock_debugfs;

static const struct proto_ops rfcomm_sock_ops = {
	.family		= PF_BLUETOOTH,
	.owner		= THIS_MODULE,
	.release	= rfcomm_sock_release,
	.bind		= rfcomm_sock_bind,
	.connect	= rfcomm_sock_connect,
	.listen		= rfcomm_sock_listen,
	.accept		= rfcomm_sock_accept,
	.getname	= rfcomm_sock_getname,
	.sendmsg	= rfcomm_sock_sendmsg,
	.recvmsg	= rfcomm_sock_recvmsg,
	.shutdown	= rfcomm_sock_shutdown,
	.setsockopt	= rfcomm_sock_setsockopt,
	.getsockopt_iter = rfcomm_sock_getsockopt,
	.ioctl		= rfcomm_sock_ioctl,
	.gettstamp	= sock_gettstamp,
	.poll		= bt_sock_poll,
	.socketpair	= sock_no_socketpair,
	.mmap		= sock_no_mmap,
#ifdef CONFIG_COMPAT
	.compat_ioctl	= rfcomm_sock_compat_ioctl,
#endif
};

static const struct net_proto_family rfcomm_sock_family_ops = {
	.family		= PF_BLUETOOTH,
	.owner		= THIS_MODULE,
	.create		= rfcomm_sock_create
};

/* rfcomm_init_sockets - register the RFCOMM socket family.
 *
 * Registers the proto, the BTPROTO_RFCOMM family and the procfs entry, in
 * that order, unwinding on failure.  The debugfs file is optional and its
 * creation result is not checked.  The BUILD_BUG_ON guards the casts from
 * struct sockaddr to struct sockaddr_rc used by the address handlers.
 */
int __init rfcomm_init_sockets(void)
{
	int err;

	BUILD_BUG_ON(sizeof(struct sockaddr_rc) > sizeof(struct sockaddr));

	err = proto_register(&rfcomm_proto, 0);
	if (err < 0)
		return err;

	err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops);
	if (err < 0) {
		BT_ERR("RFCOMM socket layer registration failed");
		goto error;
	}

	err = bt_procfs_init(&init_net, "rfcomm", &rfcomm_sk_list, NULL);
	if (err < 0) {
		BT_ERR("Failed to create RFCOMM proc file");
		bt_sock_unregister(BTPROTO_RFCOMM);
		goto error;
	}

	BT_INFO("RFCOMM socket layer initialized");

	if (IS_ERR_OR_NULL(bt_debugfs))
		return 0;

	rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444,
						  bt_debugfs, NULL,
						  &rfcomm_sock_debugfs_fops);

	return 0;

error:
	proto_unregister(&rfcomm_proto);
	return err;
}

/* rfcomm_cleanup_sockets - undo rfcomm_init_sockets() in reverse order. */
void __exit rfcomm_cleanup_sockets(void)
{
	bt_procfs_cleanup(&init_net, "rfcomm");

	debugfs_remove(rfcomm_sock_debugfs);

	bt_sock_unregister(BTPROTO_RFCOMM);

	proto_unregister(&rfcomm_proto);
}