1/* 2 RFCOMM implementation for Linux Bluetooth stack (BlueZ). 3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com> 4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org> 5 6 This program is free software; you can redistribute it and/or modify 7 it under the terms of the GNU General Public License version 2 as 8 published by the Free Software Foundation; 9 10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 21 SOFTWARE IS DISCLAIMED. 22*/ 23 24/* 25 * RFCOMM sockets. 26 */ 27#include <linux/compat.h> 28#include <linux/export.h> 29#include <linux/debugfs.h> 30#include <linux/sched/signal.h> 31 32#include <net/bluetooth/bluetooth.h> 33#include <net/bluetooth/hci_core.h> 34#include <net/bluetooth/l2cap.h> 35#include <net/bluetooth/rfcomm.h> 36 37static const struct proto_ops rfcomm_sock_ops; 38 39static struct bt_sock_list rfcomm_sk_list = { 40 .lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock) 41}; 42 43static void rfcomm_sock_close(struct sock *sk); 44static void rfcomm_sock_kill(struct sock *sk); 45 46/* ---- DLC callbacks ---- 47 * 48 * called under rfcomm_dlc_lock() 49 */ 50static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb) 51{ 52 struct sock *sk = d->owner; 53 if (!sk) 54 return; 55 56 atomic_add(skb->len, &sk->sk_rmem_alloc); 57 skb_queue_tail(&sk->sk_receive_queue, skb); 58 sk->sk_data_ready(sk); 59 60 if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf) 61 rfcomm_dlc_throttle(d); 62} 63 64static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err) 65{ 66 struct sock *sk = d->owner, *parent; 67 68 if (!sk) 69 return; 70 71 BT_DBG("dlc %p state %ld err %d", d, d->state, err); 72 73 spin_lock_bh(&sk->sk_lock.slock); 74 75 if (err) 76 sk->sk_err = err; 77 78 sk->sk_state = d->state; 79 80 parent = bt_sk(sk)->parent; 81 if (parent) { 82 if (d->state == BT_CLOSED) { 83 sock_set_flag(sk, SOCK_ZAPPED); 84 bt_accept_unlink(sk); 85 } 86 parent->sk_data_ready(parent); 87 } else { 88 if (d->state == BT_CONNECTED) 89 rfcomm_session_getaddr(d->session, 90 &rfcomm_pi(sk)->src, NULL); 91 sk->sk_state_change(sk); 92 } 93 94 spin_unlock_bh(&sk->sk_lock.slock); 95 96 if (parent && sock_flag(sk, SOCK_ZAPPED)) { 97 /* We have to drop DLC lock here, otherwise 98 * rfcomm_sock_destruct() will dead lock. */ 99 rfcomm_dlc_unlock(d); 100 rfcomm_sock_kill(sk); 101 rfcomm_dlc_lock(d); 102 } 103} 104 105/* ---- Socket functions ---- */ 106static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src) 107{ 108 struct sock *sk = NULL; 109 110 sk_for_each(sk, &rfcomm_sk_list.head) { 111 if (rfcomm_pi(sk)->channel != channel) 112 continue; 113 114 if (bacmp(&rfcomm_pi(sk)->src, src)) 115 continue; 116 117 if (sk->sk_state == BT_BOUND || sk->sk_state == BT_LISTEN) 118 break; 119 } 120 121 return sk ? sk : NULL; 122} 123 124/* Find socket with channel and source bdaddr. 125 * Returns closest match. 126 */ 127static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src) 128{ 129 struct sock *sk = NULL, *sk1 = NULL; 130 131 read_lock(&rfcomm_sk_list.lock); 132 133 sk_for_each(sk, &rfcomm_sk_list.head) { 134 if (state && sk->sk_state != state) 135 continue; 136 137 if (rfcomm_pi(sk)->channel == channel) { 138 /* Exact match. */ 139 if (!bacmp(&rfcomm_pi(sk)->src, src)) 140 break; 141 142 /* Closest match */ 143 if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY)) 144 sk1 = sk; 145 } 146 } 147 148 read_unlock(&rfcomm_sk_list.lock); 149 150 return sk ? sk : sk1; 151} 152 153static void rfcomm_sock_destruct(struct sock *sk) 154{ 155 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc; 156 157 BT_DBG("sk %p dlc %p", sk, d); 158 159 skb_queue_purge(&sk->sk_receive_queue); 160 skb_queue_purge(&sk->sk_write_queue); 161 162 rfcomm_dlc_lock(d); 163 rfcomm_pi(sk)->dlc = NULL; 164 165 /* Detach DLC if it's owned by this socket */ 166 if (d->owner == sk) 167 d->owner = NULL; 168 rfcomm_dlc_unlock(d); 169 170 rfcomm_dlc_put(d); 171} 172 173static void rfcomm_sock_cleanup_listen(struct sock *parent) 174{ 175 struct sock *sk; 176 177 BT_DBG("parent %p", parent); 178 179 /* Close not yet accepted dlcs */ 180 while ((sk = bt_accept_dequeue(parent, NULL))) { 181 rfcomm_sock_close(sk); 182 rfcomm_sock_kill(sk); 183 } 184 185 parent->sk_state = BT_CLOSED; 186 sock_set_flag(parent, SOCK_ZAPPED); 187} 188 189/* Kill socket (only if zapped and orphan) 190 * Must be called on unlocked socket. 191 */ 192static void rfcomm_sock_kill(struct sock *sk) 193{ 194 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket) 195 return; 196 197 BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, refcount_read(&sk->sk_refcnt)); 198 199 /* Kill poor orphan */ 200 bt_sock_unlink(&rfcomm_sk_list, sk); 201 sock_set_flag(sk, SOCK_DEAD); 202 sock_put(sk); 203} 204 205static void __rfcomm_sock_close(struct sock *sk) 206{ 207 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc; 208 209 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket); 210 211 switch (sk->sk_state) { 212 case BT_LISTEN: 213 rfcomm_sock_cleanup_listen(sk); 214 break; 215 216 case BT_CONNECT: 217 case BT_CONNECT2: 218 case BT_CONFIG: 219 case BT_CONNECTED: 220 rfcomm_dlc_close(d, 0); 221 fallthrough; 222 223 default: 224 sock_set_flag(sk, SOCK_ZAPPED); 225 break; 226 } 227} 228 229/* Close socket. 230 * Must be called on unlocked socket. 231 */ 232static void rfcomm_sock_close(struct sock *sk) 233{ 234 lock_sock(sk); 235 __rfcomm_sock_close(sk); 236 release_sock(sk); 237} 238 239static void rfcomm_sock_init(struct sock *sk, struct sock *parent) 240{ 241 struct rfcomm_pinfo *pi = rfcomm_pi(sk); 242 243 BT_DBG("sk %p", sk); 244 245 if (parent) { 246 sk->sk_type = parent->sk_type; 247 pi->dlc->defer_setup = test_bit(BT_SK_DEFER_SETUP, 248 &bt_sk(parent)->flags); 249 250 pi->sec_level = rfcomm_pi(parent)->sec_level; 251 pi->role_switch = rfcomm_pi(parent)->role_switch; 252 253 security_sk_clone(parent, sk); 254 } else { 255 pi->dlc->defer_setup = 0; 256 257 pi->sec_level = BT_SECURITY_LOW; 258 pi->role_switch = 0; 259 } 260 261 pi->dlc->sec_level = pi->sec_level; 262 pi->dlc->role_switch = pi->role_switch; 263} 264 265static struct proto rfcomm_proto = { 266 .name = "RFCOMM", 267 .owner = THIS_MODULE, 268 .obj_size = sizeof(struct rfcomm_pinfo) 269}; 270 271static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio, int kern) 272{ 273 struct rfcomm_dlc *d; 274 struct sock *sk; 275 276 sk = sk_alloc(net, PF_BLUETOOTH, prio, &rfcomm_proto, kern); 277 if (!sk) 278 return NULL; 279 280 sock_init_data(sock, sk); 281 INIT_LIST_HEAD(&bt_sk(sk)->accept_q); 282 283 d = rfcomm_dlc_alloc(prio); 284 if (!d) { 285 sk_free(sk); 286 return NULL; 287 } 288 289 d->data_ready = rfcomm_sk_data_ready; 290 d->state_change = rfcomm_sk_state_change; 291 292 rfcomm_pi(sk)->dlc = d; 293 d->owner = sk; 294 295 sk->sk_destruct = rfcomm_sock_destruct; 296 sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT; 297 298 sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10; 299 sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10; 300 301 sock_reset_flag(sk, SOCK_ZAPPED); 302 303 sk->sk_protocol = proto; 304 sk->sk_state = BT_OPEN; 305 306 bt_sock_link(&rfcomm_sk_list, sk); 307 308 BT_DBG("sk %p", sk); 309 return sk; 310} 311 312static int rfcomm_sock_create(struct net *net, struct socket *sock, 313 int protocol, int kern) 314{ 315 struct sock *sk; 316 317 BT_DBG("sock %p", sock); 318 319 sock->state = SS_UNCONNECTED; 320 321 if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW) 322 return -ESOCKTNOSUPPORT; 323 324 sock->ops = &rfcomm_sock_ops; 325 326 sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern); 327 if (!sk) 328 return -ENOMEM; 329 330 rfcomm_sock_init(sk, NULL); 331 return 0; 332} 333 334static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len) 335{ 336 struct sockaddr_rc sa; 337 struct sock *sk = sock->sk; 338 int len, err = 0; 339 340 if (!addr || addr_len < offsetofend(struct sockaddr, sa_family) || 341 addr->sa_family != AF_BLUETOOTH) 342 return -EINVAL; 343 344 memset(&sa, 0, sizeof(sa)); 345 len = min_t(unsigned int, sizeof(sa), addr_len); 346 memcpy(&sa, addr, len); 347 348 BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr); 349 350 lock_sock(sk); 351 352 if (sk->sk_state != BT_OPEN) { 353 err = -EBADFD; 354 goto done; 355 } 356 357 if (sk->sk_type != SOCK_STREAM) { 358 err = -EINVAL; 359 goto done; 360 } 361 362 write_lock(&rfcomm_sk_list.lock); 363 364 if (sa.rc_channel && 365 __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) { 366 err = -EADDRINUSE; 367 } else { 368 /* Save source address */ 369 bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr); 370 rfcomm_pi(sk)->channel = sa.rc_channel; 371 sk->sk_state = BT_BOUND; 372 } 373 374 write_unlock(&rfcomm_sk_list.lock); 375 376done: 377 release_sock(sk); 378 return err; 379} 380 381static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags) 382{ 383 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr; 384 struct sock *sk = sock->sk; 385 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc; 386 int err = 0; 387 388 BT_DBG("sk %p", sk); 389 390 if (alen < sizeof(struct sockaddr_rc) || 391 addr->sa_family != AF_BLUETOOTH) 392 return -EINVAL; 393 394 lock_sock(sk); 395 396 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) { 397 err = -EBADFD; 398 goto done; 399 } 400 401 if (sk->sk_type != SOCK_STREAM) { 402 err = -EINVAL; 403 goto done; 404 } 405 406 sk->sk_state = BT_CONNECT; 407 bacpy(&rfcomm_pi(sk)->dst, &sa->rc_bdaddr); 408 rfcomm_pi(sk)->channel = sa->rc_channel; 409 410 d->sec_level = rfcomm_pi(sk)->sec_level; 411 d->role_switch = rfcomm_pi(sk)->role_switch; 412 413 err = rfcomm_dlc_open(d, &rfcomm_pi(sk)->src, &sa->rc_bdaddr, 414 sa->rc_channel); 415 if (!err) 416 err = bt_sock_wait_state(sk, BT_CONNECTED, 417 sock_sndtimeo(sk, flags & O_NONBLOCK)); 418 419done: 420 release_sock(sk); 421 return err; 422} 423 424static int rfcomm_sock_listen(struct socket *sock, int backlog) 425{ 426 struct sock *sk = sock->sk; 427 int err = 0; 428 429 BT_DBG("sk %p backlog %d", sk, backlog); 430 431 lock_sock(sk); 432 433 if (sk->sk_state != BT_BOUND) { 434 err = -EBADFD; 435 goto done; 436 } 437 438 if (sk->sk_type != SOCK_STREAM) { 439 err = -EINVAL; 440 goto done; 441 } 442 443 if (!rfcomm_pi(sk)->channel) { 444 bdaddr_t *src = &rfcomm_pi(sk)->src; 445 u8 channel; 446 447 err = -EINVAL; 448 449 write_lock(&rfcomm_sk_list.lock); 450 451 for (channel = 1; channel < 31; channel++) 452 if (!__rfcomm_get_listen_sock_by_addr(channel, src)) { 453 rfcomm_pi(sk)->channel = channel; 454 err = 0; 455 break; 456 } 457 458 write_unlock(&rfcomm_sk_list.lock); 459 460 if (err < 0) 461 goto done; 462 } 463 464 sk->sk_max_ack_backlog = backlog; 465 sk->sk_ack_backlog = 0; 466 sk->sk_state = BT_LISTEN; 467 468done: 469 release_sock(sk); 470 return err; 471} 472 473static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int flags, 474 bool kern) 475{ 476 DEFINE_WAIT_FUNC(wait, woken_wake_function); 477 struct sock *sk = sock->sk, *nsk; 478 long timeo; 479 int err = 0; 480 481 lock_sock_nested(sk, SINGLE_DEPTH_NESTING); 482 483 if (sk->sk_type != SOCK_STREAM) { 484 err = -EINVAL; 485 goto done; 486 } 487 488 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK); 489 490 BT_DBG("sk %p timeo %ld", sk, timeo); 491 492 /* Wait for an incoming connection. (wake-one). */ 493 add_wait_queue_exclusive(sk_sleep(sk), &wait); 494 while (1) { 495 if (sk->sk_state != BT_LISTEN) { 496 err = -EBADFD; 497 break; 498 } 499 500 nsk = bt_accept_dequeue(sk, newsock); 501 if (nsk) 502 break; 503 504 if (!timeo) { 505 err = -EAGAIN; 506 break; 507 } 508 509 if (signal_pending(current)) { 510 err = sock_intr_errno(timeo); 511 break; 512 } 513 514 release_sock(sk); 515 516 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo); 517 518 lock_sock_nested(sk, SINGLE_DEPTH_NESTING); 519 } 520 remove_wait_queue(sk_sleep(sk), &wait); 521 522 if (err) 523 goto done; 524 525 newsock->state = SS_CONNECTED; 526 527 BT_DBG("new socket %p", nsk); 528 529done: 530 release_sock(sk); 531 return err; 532} 533 534static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int peer) 535{ 536 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr; 537 struct sock *sk = sock->sk; 538 539 BT_DBG("sock %p, sk %p", sock, sk); 540 541 if (peer && sk->sk_state != BT_CONNECTED && 542 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2) 543 return -ENOTCONN; 544 545 memset(sa, 0, sizeof(*sa)); 546 sa->rc_family = AF_BLUETOOTH; 547 sa->rc_channel = rfcomm_pi(sk)->channel; 548 if (peer) 549 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->dst); 550 else 551 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->src); 552 553 return sizeof(struct sockaddr_rc); 554} 555 556static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg, 557 size_t len) 558{ 559 struct sock *sk = sock->sk; 560 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc; 561 struct sk_buff *skb; 562 int sent; 563 564 if (test_bit(RFCOMM_DEFER_SETUP, &d->flags)) 565 return -ENOTCONN; 566 567 if (msg->msg_flags & MSG_OOB) 568 return -EOPNOTSUPP; 569 570 if (sk->sk_shutdown & SEND_SHUTDOWN) 571 return -EPIPE; 572 573 BT_DBG("sock %p, sk %p", sock, sk); 574 575 lock_sock(sk); 576 577 sent = bt_sock_wait_ready(sk, msg->msg_flags); 578 579 release_sock(sk); 580 581 if (sent) 582 return sent; 583 584 skb = bt_skb_sendmmsg(sk, msg, len, d->mtu, RFCOMM_SKB_HEAD_RESERVE, 585 RFCOMM_SKB_TAIL_RESERVE); 586 if (IS_ERR(skb)) 587 return PTR_ERR(skb); 588 589 sent = rfcomm_dlc_send(d, skb); 590 if (sent < 0) 591 kfree_skb(skb); 592 593 return sent; 594} 595 596static int rfcomm_sock_recvmsg(struct socket *sock, struct msghdr *msg, 597 size_t size, int flags) 598{ 599 struct sock *sk = sock->sk; 600 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc; 601 int len; 602 603 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 604 rfcomm_dlc_accept(d); 605 return 0; 606 } 607 608 len = bt_sock_stream_recvmsg(sock, msg, size, flags); 609 610 lock_sock(sk); 611 if (!(flags & MSG_PEEK) && len > 0) 612 atomic_sub(len, &sk->sk_rmem_alloc); 613 614 if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2)) 615 rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc); 616 release_sock(sk); 617 618 return len; 619} 620 621static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, 622 sockptr_t optval, unsigned int optlen) 623{ 624 struct sock *sk = sock->sk; 625 int err = 0; 626 u32 opt; 627 628 BT_DBG("sk %p", sk); 629 630 lock_sock(sk); 631 632 switch (optname) { 633 case RFCOMM_LM: 634 if (bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen)) { 635 err = -EFAULT; 636 break; 637 } 638 639 if (opt & RFCOMM_LM_FIPS) { 640 err = -EINVAL; 641 break; 642 } 643 644 if (opt & RFCOMM_LM_AUTH) 645 rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW; 646 if (opt & RFCOMM_LM_ENCRYPT) 647 rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM; 648 if (opt & RFCOMM_LM_SECURE) 649 rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH; 650 651 rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER); 652 break; 653 654 default: 655 err = -ENOPROTOOPT; 656 break; 657 } 658 659 release_sock(sk); 660 return err; 661} 662 663static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, 664 sockptr_t optval, unsigned int optlen) 665{ 666 struct sock *sk = sock->sk; 667 struct bt_security sec; 668 int err = 0; 669 u32 opt; 670 671 BT_DBG("sk %p", sk); 672 673 if (level == SOL_RFCOMM) 674 return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen); 675 676 if (level != SOL_BLUETOOTH) 677 return -ENOPROTOOPT; 678 679 lock_sock(sk); 680 681 switch (optname) { 682 case BT_SECURITY: 683 if (sk->sk_type != SOCK_STREAM) { 684 err = -EINVAL; 685 break; 686 } 687 688 sec.level = BT_SECURITY_LOW; 689 690 err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen); 691 if (err) 692 break; 693 694 if (sec.level > BT_SECURITY_HIGH) { 695 err = -EINVAL; 696 break; 697 } 698 699 rfcomm_pi(sk)->sec_level = sec.level; 700 break; 701 702 case BT_DEFER_SETUP: 703 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 704 err = -EINVAL; 705 break; 706 } 707 708 err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); 709 if (err) 710 break; 711 712 if (opt) 713 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 714 else 715 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 716 717 break; 718 719 default: 720 err = -ENOPROTOOPT; 721 break; 722 } 723 724 release_sock(sk); 725 return err; 726} 727 728static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen) 729{ 730 struct sock *sk = sock->sk; 731 struct sock *l2cap_sk; 732 struct l2cap_conn *conn; 733 struct rfcomm_conninfo cinfo; 734 int len, err = 0; 735 u32 opt; 736 737 BT_DBG("sk %p", sk); 738 739 if (get_user(len, optlen)) 740 return -EFAULT; 741 742 lock_sock(sk); 743 744 switch (optname) { 745 case RFCOMM_LM: 746 switch (rfcomm_pi(sk)->sec_level) { 747 case BT_SECURITY_LOW: 748 opt = RFCOMM_LM_AUTH; 749 break; 750 case BT_SECURITY_MEDIUM: 751 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT; 752 break; 753 case BT_SECURITY_HIGH: 754 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT | 755 RFCOMM_LM_SECURE; 756 break; 757 case BT_SECURITY_FIPS: 758 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT | 759 RFCOMM_LM_SECURE | RFCOMM_LM_FIPS; 760 break; 761 default: 762 opt = 0; 763 break; 764 } 765 766 if (rfcomm_pi(sk)->role_switch) 767 opt |= RFCOMM_LM_MASTER; 768 769 if (put_user(opt, (u32 __user *) optval)) 770 err = -EFAULT; 771 772 break; 773 774 case RFCOMM_CONNINFO: 775 if (sk->sk_state != BT_CONNECTED && 776 !rfcomm_pi(sk)->dlc->defer_setup) { 777 err = -ENOTCONN; 778 break; 779 } 780 781 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk; 782 conn = l2cap_pi(l2cap_sk)->chan->conn; 783 784 memset(&cinfo, 0, sizeof(cinfo)); 785 cinfo.hci_handle = conn->hcon->handle; 786 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3); 787 788 len = min_t(unsigned int, len, sizeof(cinfo)); 789 if (copy_to_user(optval, (char *) &cinfo, len)) 790 err = -EFAULT; 791 792 break; 793 794 default: 795 err = -ENOPROTOOPT; 796 break; 797 } 798 799 release_sock(sk); 800 return err; 801} 802 803static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen) 804{ 805 struct sock *sk = sock->sk; 806 struct bt_security sec; 807 int len, err = 0; 808 809 BT_DBG("sk %p", sk); 810 811 if (level == SOL_RFCOMM) 812 return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen); 813 814 if (level != SOL_BLUETOOTH) 815 return -ENOPROTOOPT; 816 817 if (get_user(len, optlen)) 818 return -EFAULT; 819 820 lock_sock(sk); 821 822 switch (optname) { 823 case BT_SECURITY: 824 if (sk->sk_type != SOCK_STREAM) { 825 err = -EINVAL; 826 break; 827 } 828 829 sec.level = rfcomm_pi(sk)->sec_level; 830 sec.key_size = 0; 831 832 len = min_t(unsigned int, len, sizeof(sec)); 833 if (copy_to_user(optval, (char *) &sec, len)) 834 err = -EFAULT; 835 836 break; 837 838 case BT_DEFER_SETUP: 839 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 840 err = -EINVAL; 841 break; 842 } 843 844 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags), 845 (u32 __user *) optval)) 846 err = -EFAULT; 847 848 break; 849 850 default: 851 err = -ENOPROTOOPT; 852 break; 853 } 854 855 release_sock(sk); 856 return err; 857} 858 859static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) 860{ 861 struct sock *sk __maybe_unused = sock->sk; 862 int err; 863 864 BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg); 865 866 err = bt_sock_ioctl(sock, cmd, arg); 867 868 if (err == -ENOIOCTLCMD) { 869#ifdef CONFIG_BT_RFCOMM_TTY 870 lock_sock(sk); 871 err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg); 872 release_sock(sk); 873#else 874 err = -EOPNOTSUPP; 875#endif 876 } 877 878 return err; 879} 880 881#ifdef CONFIG_COMPAT 882static int rfcomm_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) 883{ 884 return rfcomm_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg)); 885} 886#endif 887 888static int rfcomm_sock_shutdown(struct socket *sock, int how) 889{ 890 struct sock *sk = sock->sk; 891 int err = 0; 892 893 BT_DBG("sock %p, sk %p", sock, sk); 894 895 if (!sk) 896 return 0; 897 898 lock_sock(sk); 899 if (!sk->sk_shutdown) { 900 sk->sk_shutdown = SHUTDOWN_MASK; 901 __rfcomm_sock_close(sk); 902 903 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime && 904 !(current->flags & PF_EXITING)) 905 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime); 906 } 907 release_sock(sk); 908 return err; 909} 910 911static int rfcomm_sock_release(struct socket *sock) 912{ 913 struct sock *sk = sock->sk; 914 int err; 915 916 BT_DBG("sock %p, sk %p", sock, sk); 917 918 if (!sk) 919 return 0; 920 921 err = rfcomm_sock_shutdown(sock, 2); 922 923 sock_orphan(sk); 924 rfcomm_sock_kill(sk); 925 return err; 926} 927 928/* ---- RFCOMM core layer callbacks ---- 929 * 930 * called under rfcomm_lock() 931 */ 932int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d) 933{ 934 struct sock *sk, *parent; 935 bdaddr_t src, dst; 936 int result = 0; 937 938 BT_DBG("session %p channel %d", s, channel); 939 940 rfcomm_session_getaddr(s, &src, &dst); 941 942 /* Check if we have socket listening on channel */ 943 parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src); 944 if (!parent) 945 return 0; 946 947 bh_lock_sock(parent); 948 949 /* Check for backlog size */ 950 if (sk_acceptq_is_full(parent)) { 951 BT_DBG("backlog full %d", parent->sk_ack_backlog); 952 goto done; 953 } 954 955 sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC, 0); 956 if (!sk) 957 goto done; 958 959 bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM); 960 961 rfcomm_sock_init(sk, parent); 962 bacpy(&rfcomm_pi(sk)->src, &src); 963 bacpy(&rfcomm_pi(sk)->dst, &dst); 964 rfcomm_pi(sk)->channel = channel; 965 966 sk->sk_state = BT_CONFIG; 967 bt_accept_enqueue(parent, sk, true); 968 969 /* Accept connection and return socket DLC */ 970 *d = rfcomm_pi(sk)->dlc; 971 result = 1; 972 973done: 974 bh_unlock_sock(parent); 975 976 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags)) 977 parent->sk_state_change(parent); 978 979 return result; 980} 981 982static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p) 983{ 984 struct sock *sk; 985 986 read_lock(&rfcomm_sk_list.lock); 987 988 sk_for_each(sk, &rfcomm_sk_list.head) { 989 seq_printf(f, "%pMR %pMR %d %d\n", 990 &rfcomm_pi(sk)->src, &rfcomm_pi(sk)->dst, 991 sk->sk_state, rfcomm_pi(sk)->channel); 992 } 993 994 read_unlock(&rfcomm_sk_list.lock); 995 996 return 0; 997} 998 999DEFINE_SHOW_ATTRIBUTE(rfcomm_sock_debugfs); 1000 1001static struct dentry *rfcomm_sock_debugfs; 1002 1003static const struct proto_ops rfcomm_sock_ops = { 1004 .family = PF_BLUETOOTH, 1005 .owner = THIS_MODULE, 1006 .release = rfcomm_sock_release, 1007 .bind = rfcomm_sock_bind, 1008 .connect = rfcomm_sock_connect, 1009 .listen = rfcomm_sock_listen, 1010 .accept = rfcomm_sock_accept, 1011 .getname = rfcomm_sock_getname, 1012 .sendmsg = rfcomm_sock_sendmsg, 1013 .recvmsg = rfcomm_sock_recvmsg, 1014 .shutdown = rfcomm_sock_shutdown, 1015 .setsockopt = rfcomm_sock_setsockopt, 1016 .getsockopt = rfcomm_sock_getsockopt, 1017 .ioctl = rfcomm_sock_ioctl, 1018 .gettstamp = sock_gettstamp, 1019 .poll = bt_sock_poll, 1020 .socketpair = sock_no_socketpair, 1021 .mmap = sock_no_mmap, 1022#ifdef CONFIG_COMPAT 1023 .compat_ioctl = rfcomm_sock_compat_ioctl, 1024#endif 1025}; 1026 1027static const struct net_proto_family rfcomm_sock_family_ops = { 1028 .family = PF_BLUETOOTH, 1029 .owner = THIS_MODULE, 1030 .create = rfcomm_sock_create 1031}; 1032 1033int __init rfcomm_init_sockets(void) 1034{ 1035 int err; 1036 1037 BUILD_BUG_ON(sizeof(struct sockaddr_rc) > sizeof(struct sockaddr)); 1038 1039 err = proto_register(&rfcomm_proto, 0); 1040 if (err < 0) 1041 return err; 1042 1043 err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops); 1044 if (err < 0) { 1045 BT_ERR("RFCOMM socket layer registration failed"); 1046 goto error; 1047 } 1048 1049 err = bt_procfs_init(&init_net, "rfcomm", &rfcomm_sk_list, NULL); 1050 if (err < 0) { 1051 BT_ERR("Failed to create RFCOMM proc file"); 1052 bt_sock_unregister(BTPROTO_RFCOMM); 1053 goto error; 1054 } 1055 1056 BT_INFO("RFCOMM socket layer initialized"); 1057 1058 if (IS_ERR_OR_NULL(bt_debugfs)) 1059 return 0; 1060 1061 rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444, 1062 bt_debugfs, NULL, 1063 &rfcomm_sock_debugfs_fops); 1064 1065 return 0; 1066 1067error: 1068 proto_unregister(&rfcomm_proto); 1069 return err; 1070} 1071 1072void __exit rfcomm_cleanup_sockets(void) 1073{ 1074 bt_procfs_cleanup(&init_net, "rfcomm"); 1075 1076 debugfs_remove(rfcomm_sock_debugfs); 1077 1078 bt_sock_unregister(BTPROTO_RFCOMM); 1079 1080 proto_unregister(&rfcomm_proto); 1081} 1082