1 /*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22 */
23
24 /*
25 * RFCOMM sockets.
26 */
27
28 #include <linux/module.h>
29
30 #include <linux/types.h>
31 #include <linux/errno.h>
32 #include <linux/kernel.h>
33 #include <linux/sched.h>
34 #include <linux/slab.h>
35 #include <linux/poll.h>
36 #include <linux/fcntl.h>
37 #include <linux/init.h>
38 #include <linux/interrupt.h>
39 #include <linux/socket.h>
40 #include <linux/skbuff.h>
41 #include <linux/list.h>
42 #include <linux/device.h>
43 #include <linux/debugfs.h>
44 #include <linux/seq_file.h>
45 #include <linux/security.h>
46 #include <net/sock.h>
47
48 #include <linux/uaccess.h>
49
50 #include <net/bluetooth/bluetooth.h>
51 #include <net/bluetooth/hci_core.h>
52 #include <net/bluetooth/l2cap.h>
53 #include <net/bluetooth/rfcomm.h>
54
55 static const struct proto_ops rfcomm_sock_ops;
56
57 static struct bt_sock_list rfcomm_sk_list = {
58 .lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock)
59 };
60
61 static void rfcomm_sock_close(struct sock *sk);
62 static void rfcomm_sock_kill(struct sock *sk);
63
64 /* ---- DLC callbacks ----
65 *
66 * called under rfcomm_dlc_lock()
67 */
rfcomm_sk_data_ready(struct rfcomm_dlc * d,struct sk_buff * skb)68 static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
69 {
70 struct sock *sk = d->owner;
71 if (!sk)
72 return;
73
74 atomic_add(skb->len, &sk->sk_rmem_alloc);
75 skb_queue_tail(&sk->sk_receive_queue, skb);
76 sk->sk_data_ready(sk, skb->len);
77
78 if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
79 rfcomm_dlc_throttle(d);
80 }
81
rfcomm_sk_state_change(struct rfcomm_dlc * d,int err)82 static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
83 {
84 struct sock *sk = d->owner, *parent;
85 unsigned long flags;
86
87 if (!sk)
88 return;
89
90 BT_DBG("dlc %p state %ld err %d", d, d->state, err);
91
92 local_irq_save(flags);
93 bh_lock_sock(sk);
94
95 if (err)
96 sk->sk_err = err;
97
98 sk->sk_state = d->state;
99
100 parent = bt_sk(sk)->parent;
101 if (parent) {
102 if (d->state == BT_CLOSED) {
103 sock_set_flag(sk, SOCK_ZAPPED);
104 bt_accept_unlink(sk);
105 }
106 parent->sk_data_ready(parent, 0);
107 } else {
108 if (d->state == BT_CONNECTED)
109 rfcomm_session_getaddr(d->session, &bt_sk(sk)->src, NULL);
110 sk->sk_state_change(sk);
111 }
112
113 bh_unlock_sock(sk);
114 local_irq_restore(flags);
115
116 if (parent && sock_flag(sk, SOCK_ZAPPED)) {
117 /* We have to drop DLC lock here, otherwise
118 * rfcomm_sock_destruct() will dead lock. */
119 rfcomm_dlc_unlock(d);
120 rfcomm_sock_kill(sk);
121 rfcomm_dlc_lock(d);
122 }
123 }
124
125 /* ---- Socket functions ---- */
__rfcomm_get_sock_by_addr(u8 channel,bdaddr_t * src)126 static struct sock *__rfcomm_get_sock_by_addr(u8 channel, bdaddr_t *src)
127 {
128 struct sock *sk = NULL;
129 struct hlist_node *node;
130
131 sk_for_each(sk, node, &rfcomm_sk_list.head) {
132 if (rfcomm_pi(sk)->channel == channel &&
133 !bacmp(&bt_sk(sk)->src, src))
134 break;
135 }
136
137 return node ? sk : NULL;
138 }
139
140 /* Find socket with channel and source bdaddr.
141 * Returns closest match.
142 */
rfcomm_get_sock_by_channel(int state,u8 channel,bdaddr_t * src)143 static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
144 {
145 struct sock *sk = NULL, *sk1 = NULL;
146 struct hlist_node *node;
147
148 read_lock(&rfcomm_sk_list.lock);
149
150 sk_for_each(sk, node, &rfcomm_sk_list.head) {
151 if (state && sk->sk_state != state)
152 continue;
153
154 if (rfcomm_pi(sk)->channel == channel) {
155 /* Exact match. */
156 if (!bacmp(&bt_sk(sk)->src, src))
157 break;
158
159 /* Closest match */
160 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
161 sk1 = sk;
162 }
163 }
164
165 read_unlock(&rfcomm_sk_list.lock);
166
167 return node ? sk : sk1;
168 }
169
rfcomm_sock_destruct(struct sock * sk)170 static void rfcomm_sock_destruct(struct sock *sk)
171 {
172 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
173
174 BT_DBG("sk %p dlc %p", sk, d);
175
176 skb_queue_purge(&sk->sk_receive_queue);
177 skb_queue_purge(&sk->sk_write_queue);
178
179 rfcomm_dlc_lock(d);
180 rfcomm_pi(sk)->dlc = NULL;
181
182 /* Detach DLC if it's owned by this socket */
183 if (d->owner == sk)
184 d->owner = NULL;
185 rfcomm_dlc_unlock(d);
186
187 rfcomm_dlc_put(d);
188 }
189
rfcomm_sock_cleanup_listen(struct sock * parent)190 static void rfcomm_sock_cleanup_listen(struct sock *parent)
191 {
192 struct sock *sk;
193
194 BT_DBG("parent %p", parent);
195
196 /* Close not yet accepted dlcs */
197 while ((sk = bt_accept_dequeue(parent, NULL))) {
198 rfcomm_sock_close(sk);
199 rfcomm_sock_kill(sk);
200 }
201
202 parent->sk_state = BT_CLOSED;
203 sock_set_flag(parent, SOCK_ZAPPED);
204 }
205
206 /* Kill socket (only if zapped and orphan)
207 * Must be called on unlocked socket.
208 */
rfcomm_sock_kill(struct sock * sk)209 static void rfcomm_sock_kill(struct sock *sk)
210 {
211 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
212 return;
213
214 BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, atomic_read(&sk->sk_refcnt));
215
216 /* Kill poor orphan */
217 bt_sock_unlink(&rfcomm_sk_list, sk);
218 sock_set_flag(sk, SOCK_DEAD);
219 sock_put(sk);
220 }
221
__rfcomm_sock_close(struct sock * sk)222 static void __rfcomm_sock_close(struct sock *sk)
223 {
224 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
225
226 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
227
228 switch (sk->sk_state) {
229 case BT_LISTEN:
230 rfcomm_sock_cleanup_listen(sk);
231 break;
232
233 case BT_CONNECT:
234 case BT_CONNECT2:
235 case BT_CONFIG:
236 case BT_CONNECTED:
237 rfcomm_dlc_close(d, 0);
238
239 default:
240 sock_set_flag(sk, SOCK_ZAPPED);
241 break;
242 }
243 }
244
245 /* Close socket.
246 * Must be called on unlocked socket.
247 */
rfcomm_sock_close(struct sock * sk)248 static void rfcomm_sock_close(struct sock *sk)
249 {
250 lock_sock(sk);
251 __rfcomm_sock_close(sk);
252 release_sock(sk);
253 }
254
rfcomm_sock_init(struct sock * sk,struct sock * parent)255 static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
256 {
257 struct rfcomm_pinfo *pi = rfcomm_pi(sk);
258
259 BT_DBG("sk %p", sk);
260
261 if (parent) {
262 sk->sk_type = parent->sk_type;
263 pi->dlc->defer_setup = bt_sk(parent)->defer_setup;
264
265 pi->sec_level = rfcomm_pi(parent)->sec_level;
266 pi->role_switch = rfcomm_pi(parent)->role_switch;
267
268 security_sk_clone(parent, sk);
269 } else {
270 pi->dlc->defer_setup = 0;
271
272 pi->sec_level = BT_SECURITY_LOW;
273 pi->role_switch = 0;
274 }
275
276 pi->dlc->sec_level = pi->sec_level;
277 pi->dlc->role_switch = pi->role_switch;
278 }
279
280 static struct proto rfcomm_proto = {
281 .name = "RFCOMM",
282 .owner = THIS_MODULE,
283 .obj_size = sizeof(struct rfcomm_pinfo)
284 };
285
rfcomm_sock_alloc(struct net * net,struct socket * sock,int proto,gfp_t prio)286 static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
287 {
288 struct rfcomm_dlc *d;
289 struct sock *sk;
290
291 sk = sk_alloc(net, PF_BLUETOOTH, prio, &rfcomm_proto);
292 if (!sk)
293 return NULL;
294
295 sock_init_data(sock, sk);
296 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
297
298 d = rfcomm_dlc_alloc(prio);
299 if (!d) {
300 sk_free(sk);
301 return NULL;
302 }
303
304 d->data_ready = rfcomm_sk_data_ready;
305 d->state_change = rfcomm_sk_state_change;
306
307 rfcomm_pi(sk)->dlc = d;
308 d->owner = sk;
309
310 sk->sk_destruct = rfcomm_sock_destruct;
311 sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT;
312
313 sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
314 sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
315
316 sock_reset_flag(sk, SOCK_ZAPPED);
317
318 sk->sk_protocol = proto;
319 sk->sk_state = BT_OPEN;
320
321 bt_sock_link(&rfcomm_sk_list, sk);
322
323 BT_DBG("sk %p", sk);
324 return sk;
325 }
326
rfcomm_sock_create(struct net * net,struct socket * sock,int protocol,int kern)327 static int rfcomm_sock_create(struct net *net, struct socket *sock,
328 int protocol, int kern)
329 {
330 struct sock *sk;
331
332 BT_DBG("sock %p", sock);
333
334 sock->state = SS_UNCONNECTED;
335
336 if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW)
337 return -ESOCKTNOSUPPORT;
338
339 sock->ops = &rfcomm_sock_ops;
340
341 sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC);
342 if (!sk)
343 return -ENOMEM;
344
345 rfcomm_sock_init(sk, NULL);
346 return 0;
347 }
348
rfcomm_sock_bind(struct socket * sock,struct sockaddr * addr,int addr_len)349 static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
350 {
351 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
352 struct sock *sk = sock->sk;
353 int err = 0;
354
355 BT_DBG("sk %p %s", sk, batostr(&sa->rc_bdaddr));
356
357 if (!addr || addr->sa_family != AF_BLUETOOTH)
358 return -EINVAL;
359
360 lock_sock(sk);
361
362 if (sk->sk_state != BT_OPEN) {
363 err = -EBADFD;
364 goto done;
365 }
366
367 if (sk->sk_type != SOCK_STREAM) {
368 err = -EINVAL;
369 goto done;
370 }
371
372 write_lock(&rfcomm_sk_list.lock);
373
374 if (sa->rc_channel && __rfcomm_get_sock_by_addr(sa->rc_channel, &sa->rc_bdaddr)) {
375 err = -EADDRINUSE;
376 } else {
377 /* Save source address */
378 bacpy(&bt_sk(sk)->src, &sa->rc_bdaddr);
379 rfcomm_pi(sk)->channel = sa->rc_channel;
380 sk->sk_state = BT_BOUND;
381 }
382
383 write_unlock(&rfcomm_sk_list.lock);
384
385 done:
386 release_sock(sk);
387 return err;
388 }
389
rfcomm_sock_connect(struct socket * sock,struct sockaddr * addr,int alen,int flags)390 static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
391 {
392 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
393 struct sock *sk = sock->sk;
394 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
395 int err = 0;
396
397 BT_DBG("sk %p", sk);
398
399 if (alen < sizeof(struct sockaddr_rc) ||
400 addr->sa_family != AF_BLUETOOTH)
401 return -EINVAL;
402
403 lock_sock(sk);
404
405 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
406 err = -EBADFD;
407 goto done;
408 }
409
410 if (sk->sk_type != SOCK_STREAM) {
411 err = -EINVAL;
412 goto done;
413 }
414
415 sk->sk_state = BT_CONNECT;
416 bacpy(&bt_sk(sk)->dst, &sa->rc_bdaddr);
417 rfcomm_pi(sk)->channel = sa->rc_channel;
418
419 d->sec_level = rfcomm_pi(sk)->sec_level;
420 d->role_switch = rfcomm_pi(sk)->role_switch;
421
422 err = rfcomm_dlc_open(d, &bt_sk(sk)->src, &sa->rc_bdaddr, sa->rc_channel);
423 if (!err)
424 err = bt_sock_wait_state(sk, BT_CONNECTED,
425 sock_sndtimeo(sk, flags & O_NONBLOCK));
426
427 done:
428 release_sock(sk);
429 return err;
430 }
431
rfcomm_sock_listen(struct socket * sock,int backlog)432 static int rfcomm_sock_listen(struct socket *sock, int backlog)
433 {
434 struct sock *sk = sock->sk;
435 int err = 0;
436
437 BT_DBG("sk %p backlog %d", sk, backlog);
438
439 lock_sock(sk);
440
441 if (sk->sk_state != BT_BOUND) {
442 err = -EBADFD;
443 goto done;
444 }
445
446 if (sk->sk_type != SOCK_STREAM) {
447 err = -EINVAL;
448 goto done;
449 }
450
451 if (!rfcomm_pi(sk)->channel) {
452 bdaddr_t *src = &bt_sk(sk)->src;
453 u8 channel;
454
455 err = -EINVAL;
456
457 write_lock(&rfcomm_sk_list.lock);
458
459 for (channel = 1; channel < 31; channel++)
460 if (!__rfcomm_get_sock_by_addr(channel, src)) {
461 rfcomm_pi(sk)->channel = channel;
462 err = 0;
463 break;
464 }
465
466 write_unlock(&rfcomm_sk_list.lock);
467
468 if (err < 0)
469 goto done;
470 }
471
472 sk->sk_max_ack_backlog = backlog;
473 sk->sk_ack_backlog = 0;
474 sk->sk_state = BT_LISTEN;
475
476 done:
477 release_sock(sk);
478 return err;
479 }
480
rfcomm_sock_accept(struct socket * sock,struct socket * newsock,int flags)481 static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int flags)
482 {
483 DECLARE_WAITQUEUE(wait, current);
484 struct sock *sk = sock->sk, *nsk;
485 long timeo;
486 int err = 0;
487
488 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
489
490 if (sk->sk_type != SOCK_STREAM) {
491 err = -EINVAL;
492 goto done;
493 }
494
495 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
496
497 BT_DBG("sk %p timeo %ld", sk, timeo);
498
499 /* Wait for an incoming connection. (wake-one). */
500 add_wait_queue_exclusive(sk_sleep(sk), &wait);
501 while (1) {
502 set_current_state(TASK_INTERRUPTIBLE);
503
504 if (sk->sk_state != BT_LISTEN) {
505 err = -EBADFD;
506 break;
507 }
508
509 nsk = bt_accept_dequeue(sk, newsock);
510 if (nsk)
511 break;
512
513 if (!timeo) {
514 err = -EAGAIN;
515 break;
516 }
517
518 if (signal_pending(current)) {
519 err = sock_intr_errno(timeo);
520 break;
521 }
522
523 release_sock(sk);
524 timeo = schedule_timeout(timeo);
525 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
526 }
527 __set_current_state(TASK_RUNNING);
528 remove_wait_queue(sk_sleep(sk), &wait);
529
530 if (err)
531 goto done;
532
533 newsock->state = SS_CONNECTED;
534
535 BT_DBG("new socket %p", nsk);
536
537 done:
538 release_sock(sk);
539 return err;
540 }
541
rfcomm_sock_getname(struct socket * sock,struct sockaddr * addr,int * len,int peer)542 static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
543 {
544 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
545 struct sock *sk = sock->sk;
546
547 BT_DBG("sock %p, sk %p", sock, sk);
548
549 memset(sa, 0, sizeof(*sa));
550 sa->rc_family = AF_BLUETOOTH;
551 sa->rc_channel = rfcomm_pi(sk)->channel;
552 if (peer)
553 bacpy(&sa->rc_bdaddr, &bt_sk(sk)->dst);
554 else
555 bacpy(&sa->rc_bdaddr, &bt_sk(sk)->src);
556
557 *len = sizeof(struct sockaddr_rc);
558 return 0;
559 }
560
rfcomm_sock_sendmsg(struct kiocb * iocb,struct socket * sock,struct msghdr * msg,size_t len)561 static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
562 struct msghdr *msg, size_t len)
563 {
564 struct sock *sk = sock->sk;
565 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
566 struct sk_buff *skb;
567 int sent = 0;
568
569 if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
570 return -ENOTCONN;
571
572 if (msg->msg_flags & MSG_OOB)
573 return -EOPNOTSUPP;
574
575 if (sk->sk_shutdown & SEND_SHUTDOWN)
576 return -EPIPE;
577
578 BT_DBG("sock %p, sk %p", sock, sk);
579
580 lock_sock(sk);
581
582 while (len) {
583 size_t size = min_t(size_t, len, d->mtu);
584 int err;
585
586 skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE,
587 msg->msg_flags & MSG_DONTWAIT, &err);
588 if (!skb) {
589 if (sent == 0)
590 sent = err;
591 break;
592 }
593 skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);
594
595 err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);
596 if (err) {
597 kfree_skb(skb);
598 if (sent == 0)
599 sent = err;
600 break;
601 }
602
603 skb->priority = sk->sk_priority;
604
605 err = rfcomm_dlc_send(d, skb);
606 if (err < 0) {
607 kfree_skb(skb);
608 if (sent == 0)
609 sent = err;
610 break;
611 }
612
613 sent += size;
614 len -= size;
615 }
616
617 release_sock(sk);
618
619 return sent;
620 }
621
rfcomm_sock_recvmsg(struct kiocb * iocb,struct socket * sock,struct msghdr * msg,size_t size,int flags)622 static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
623 struct msghdr *msg, size_t size, int flags)
624 {
625 struct sock *sk = sock->sk;
626 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
627 int len;
628
629 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
630 rfcomm_dlc_accept(d);
631 return 0;
632 }
633
634 len = bt_sock_stream_recvmsg(iocb, sock, msg, size, flags);
635
636 lock_sock(sk);
637 if (!(flags & MSG_PEEK) && len > 0)
638 atomic_sub(len, &sk->sk_rmem_alloc);
639
640 if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2))
641 rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc);
642 release_sock(sk);
643
644 return len;
645 }
646
rfcomm_sock_setsockopt_old(struct socket * sock,int optname,char __user * optval,unsigned int optlen)647 static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
648 {
649 struct sock *sk = sock->sk;
650 int err = 0;
651 u32 opt;
652
653 BT_DBG("sk %p", sk);
654
655 lock_sock(sk);
656
657 switch (optname) {
658 case RFCOMM_LM:
659 if (get_user(opt, (u32 __user *) optval)) {
660 err = -EFAULT;
661 break;
662 }
663
664 if (opt & RFCOMM_LM_AUTH)
665 rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
666 if (opt & RFCOMM_LM_ENCRYPT)
667 rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
668 if (opt & RFCOMM_LM_SECURE)
669 rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;
670
671 rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
672 break;
673
674 default:
675 err = -ENOPROTOOPT;
676 break;
677 }
678
679 release_sock(sk);
680 return err;
681 }
682
rfcomm_sock_setsockopt(struct socket * sock,int level,int optname,char __user * optval,unsigned int optlen)683 static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
684 {
685 struct sock *sk = sock->sk;
686 struct bt_security sec;
687 int err = 0;
688 size_t len;
689 u32 opt;
690
691 BT_DBG("sk %p", sk);
692
693 if (level == SOL_RFCOMM)
694 return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);
695
696 if (level != SOL_BLUETOOTH)
697 return -ENOPROTOOPT;
698
699 lock_sock(sk);
700
701 switch (optname) {
702 case BT_SECURITY:
703 if (sk->sk_type != SOCK_STREAM) {
704 err = -EINVAL;
705 break;
706 }
707
708 sec.level = BT_SECURITY_LOW;
709
710 len = min_t(unsigned int, sizeof(sec), optlen);
711 if (copy_from_user((char *) &sec, optval, len)) {
712 err = -EFAULT;
713 break;
714 }
715
716 if (sec.level > BT_SECURITY_HIGH) {
717 err = -EINVAL;
718 break;
719 }
720
721 rfcomm_pi(sk)->sec_level = sec.level;
722 break;
723
724 case BT_DEFER_SETUP:
725 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
726 err = -EINVAL;
727 break;
728 }
729
730 if (get_user(opt, (u32 __user *) optval)) {
731 err = -EFAULT;
732 break;
733 }
734
735 bt_sk(sk)->defer_setup = opt;
736 break;
737
738 default:
739 err = -ENOPROTOOPT;
740 break;
741 }
742
743 release_sock(sk);
744 return err;
745 }
746
rfcomm_sock_getsockopt_old(struct socket * sock,int optname,char __user * optval,int __user * optlen)747 static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
748 {
749 struct sock *sk = sock->sk;
750 struct rfcomm_conninfo cinfo;
751 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
752 int len, err = 0;
753 u32 opt;
754
755 BT_DBG("sk %p", sk);
756
757 if (get_user(len, optlen))
758 return -EFAULT;
759
760 lock_sock(sk);
761
762 switch (optname) {
763 case RFCOMM_LM:
764 switch (rfcomm_pi(sk)->sec_level) {
765 case BT_SECURITY_LOW:
766 opt = RFCOMM_LM_AUTH;
767 break;
768 case BT_SECURITY_MEDIUM:
769 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
770 break;
771 case BT_SECURITY_HIGH:
772 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
773 RFCOMM_LM_SECURE;
774 break;
775 default:
776 opt = 0;
777 break;
778 }
779
780 if (rfcomm_pi(sk)->role_switch)
781 opt |= RFCOMM_LM_MASTER;
782
783 if (put_user(opt, (u32 __user *) optval))
784 err = -EFAULT;
785 break;
786
787 case RFCOMM_CONNINFO:
788 if (sk->sk_state != BT_CONNECTED &&
789 !rfcomm_pi(sk)->dlc->defer_setup) {
790 err = -ENOTCONN;
791 break;
792 }
793
794 memset(&cinfo, 0, sizeof(cinfo));
795 cinfo.hci_handle = conn->hcon->handle;
796 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
797
798 len = min_t(unsigned int, len, sizeof(cinfo));
799 if (copy_to_user(optval, (char *) &cinfo, len))
800 err = -EFAULT;
801
802 break;
803
804 default:
805 err = -ENOPROTOOPT;
806 break;
807 }
808
809 release_sock(sk);
810 return err;
811 }
812
rfcomm_sock_getsockopt(struct socket * sock,int level,int optname,char __user * optval,int __user * optlen)813 static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
814 {
815 struct sock *sk = sock->sk;
816 struct bt_security sec;
817 int len, err = 0;
818
819 BT_DBG("sk %p", sk);
820
821 if (level == SOL_RFCOMM)
822 return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen);
823
824 if (level != SOL_BLUETOOTH)
825 return -ENOPROTOOPT;
826
827 if (get_user(len, optlen))
828 return -EFAULT;
829
830 lock_sock(sk);
831
832 switch (optname) {
833 case BT_SECURITY:
834 if (sk->sk_type != SOCK_STREAM) {
835 err = -EINVAL;
836 break;
837 }
838
839 sec.level = rfcomm_pi(sk)->sec_level;
840 sec.key_size = 0;
841
842 len = min_t(unsigned int, len, sizeof(sec));
843 if (copy_to_user(optval, (char *) &sec, len))
844 err = -EFAULT;
845
846 break;
847
848 case BT_DEFER_SETUP:
849 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
850 err = -EINVAL;
851 break;
852 }
853
854 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
855 err = -EFAULT;
856
857 break;
858
859 default:
860 err = -ENOPROTOOPT;
861 break;
862 }
863
864 release_sock(sk);
865 return err;
866 }
867
rfcomm_sock_ioctl(struct socket * sock,unsigned int cmd,unsigned long arg)868 static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
869 {
870 struct sock *sk __maybe_unused = sock->sk;
871 int err;
872
873 BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg);
874
875 err = bt_sock_ioctl(sock, cmd, arg);
876
877 if (err == -ENOIOCTLCMD) {
878 #ifdef CONFIG_BT_RFCOMM_TTY
879 lock_sock(sk);
880 err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
881 release_sock(sk);
882 #else
883 err = -EOPNOTSUPP;
884 #endif
885 }
886
887 return err;
888 }
889
rfcomm_sock_shutdown(struct socket * sock,int how)890 static int rfcomm_sock_shutdown(struct socket *sock, int how)
891 {
892 struct sock *sk = sock->sk;
893 int err = 0;
894
895 BT_DBG("sock %p, sk %p", sock, sk);
896
897 if (!sk)
898 return 0;
899
900 lock_sock(sk);
901 if (!sk->sk_shutdown) {
902 sk->sk_shutdown = SHUTDOWN_MASK;
903 __rfcomm_sock_close(sk);
904
905 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
906 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
907 }
908 release_sock(sk);
909 return err;
910 }
911
rfcomm_sock_release(struct socket * sock)912 static int rfcomm_sock_release(struct socket *sock)
913 {
914 struct sock *sk = sock->sk;
915 int err;
916
917 BT_DBG("sock %p, sk %p", sock, sk);
918
919 if (!sk)
920 return 0;
921
922 err = rfcomm_sock_shutdown(sock, 2);
923
924 sock_orphan(sk);
925 rfcomm_sock_kill(sk);
926 return err;
927 }
928
929 /* ---- RFCOMM core layer callbacks ----
930 *
931 * called under rfcomm_lock()
932 */
rfcomm_connect_ind(struct rfcomm_session * s,u8 channel,struct rfcomm_dlc ** d)933 int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d)
934 {
935 struct sock *sk, *parent;
936 bdaddr_t src, dst;
937 int result = 0;
938
939 BT_DBG("session %p channel %d", s, channel);
940
941 rfcomm_session_getaddr(s, &src, &dst);
942
943 /* Check if we have socket listening on channel */
944 parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src);
945 if (!parent)
946 return 0;
947
948 bh_lock_sock(parent);
949
950 /* Check for backlog size */
951 if (sk_acceptq_is_full(parent)) {
952 BT_DBG("backlog full %d", parent->sk_ack_backlog);
953 goto done;
954 }
955
956 sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC);
957 if (!sk)
958 goto done;
959
960 bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM);
961
962 rfcomm_sock_init(sk, parent);
963 bacpy(&bt_sk(sk)->src, &src);
964 bacpy(&bt_sk(sk)->dst, &dst);
965 rfcomm_pi(sk)->channel = channel;
966
967 sk->sk_state = BT_CONFIG;
968 bt_accept_enqueue(parent, sk);
969
970 /* Accept connection and return socket DLC */
971 *d = rfcomm_pi(sk)->dlc;
972 result = 1;
973
974 done:
975 bh_unlock_sock(parent);
976
977 if (bt_sk(parent)->defer_setup)
978 parent->sk_state_change(parent);
979
980 return result;
981 }
982
rfcomm_sock_debugfs_show(struct seq_file * f,void * p)983 static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
984 {
985 struct sock *sk;
986 struct hlist_node *node;
987
988 read_lock(&rfcomm_sk_list.lock);
989
990 sk_for_each(sk, node, &rfcomm_sk_list.head) {
991 seq_printf(f, "%s %s %d %d\n",
992 batostr(&bt_sk(sk)->src),
993 batostr(&bt_sk(sk)->dst),
994 sk->sk_state, rfcomm_pi(sk)->channel);
995 }
996
997 read_unlock(&rfcomm_sk_list.lock);
998
999 return 0;
1000 }
1001
rfcomm_sock_debugfs_open(struct inode * inode,struct file * file)1002 static int rfcomm_sock_debugfs_open(struct inode *inode, struct file *file)
1003 {
1004 return single_open(file, rfcomm_sock_debugfs_show, inode->i_private);
1005 }
1006
1007 static const struct file_operations rfcomm_sock_debugfs_fops = {
1008 .open = rfcomm_sock_debugfs_open,
1009 .read = seq_read,
1010 .llseek = seq_lseek,
1011 .release = single_release,
1012 };
1013
1014 static struct dentry *rfcomm_sock_debugfs;
1015
1016 static const struct proto_ops rfcomm_sock_ops = {
1017 .family = PF_BLUETOOTH,
1018 .owner = THIS_MODULE,
1019 .release = rfcomm_sock_release,
1020 .bind = rfcomm_sock_bind,
1021 .connect = rfcomm_sock_connect,
1022 .listen = rfcomm_sock_listen,
1023 .accept = rfcomm_sock_accept,
1024 .getname = rfcomm_sock_getname,
1025 .sendmsg = rfcomm_sock_sendmsg,
1026 .recvmsg = rfcomm_sock_recvmsg,
1027 .shutdown = rfcomm_sock_shutdown,
1028 .setsockopt = rfcomm_sock_setsockopt,
1029 .getsockopt = rfcomm_sock_getsockopt,
1030 .ioctl = rfcomm_sock_ioctl,
1031 .poll = bt_sock_poll,
1032 .socketpair = sock_no_socketpair,
1033 .mmap = sock_no_mmap
1034 };
1035
1036 static const struct net_proto_family rfcomm_sock_family_ops = {
1037 .family = PF_BLUETOOTH,
1038 .owner = THIS_MODULE,
1039 .create = rfcomm_sock_create
1040 };
1041
rfcomm_init_sockets(void)1042 int __init rfcomm_init_sockets(void)
1043 {
1044 int err;
1045
1046 err = proto_register(&rfcomm_proto, 0);
1047 if (err < 0)
1048 return err;
1049
1050 err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops);
1051 if (err < 0)
1052 goto error;
1053
1054 if (bt_debugfs) {
1055 rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444,
1056 bt_debugfs, NULL, &rfcomm_sock_debugfs_fops);
1057 if (!rfcomm_sock_debugfs)
1058 BT_ERR("Failed to create RFCOMM debug file");
1059 }
1060
1061 BT_INFO("RFCOMM socket layer initialized");
1062
1063 return 0;
1064
1065 error:
1066 BT_ERR("RFCOMM socket layer registration failed");
1067 proto_unregister(&rfcomm_proto);
1068 return err;
1069 }
1070
rfcomm_cleanup_sockets(void)1071 void __exit rfcomm_cleanup_sockets(void)
1072 {
1073 debugfs_remove(rfcomm_sock_debugfs);
1074
1075 if (bt_sock_unregister(BTPROTO_RFCOMM) < 0)
1076 BT_ERR("RFCOMM socket layer unregistration failed");
1077
1078 proto_unregister(&rfcomm_proto);
1079 }
1080