1/* 2 RFCOMM implementation for Linux Bluetooth stack (BlueZ). 3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com> 4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org> 5 6 This program is free software; you can redistribute it and/or modify 7 it under the terms of the GNU General Public License version 2 as 8 published by the Free Software Foundation; 9 10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 21 SOFTWARE IS DISCLAIMED. 22*/ 23 24/* 25 * RFCOMM sockets. 26 */ 27#include <linux/compat.h> 28#include <linux/export.h> 29#include <linux/debugfs.h> 30#include <linux/sched/signal.h> 31 32#include <net/bluetooth/bluetooth.h> 33#include <net/bluetooth/hci_core.h> 34#include <net/bluetooth/l2cap.h> 35#include <net/bluetooth/rfcomm.h> 36 37static const struct proto_ops rfcomm_sock_ops; 38 39static struct bt_sock_list rfcomm_sk_list = { 40 .lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock) 41}; 42 43static void rfcomm_sock_close(struct sock *sk); 44static void rfcomm_sock_kill(struct sock *sk); 45 46/* ---- DLC callbacks ---- 47 * 48 * called under rfcomm_dlc_lock() 49 */ 50static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb) 51{ 52 struct sock *sk = d->owner; 53 if (!sk) 54 return; 55 56 atomic_add(skb->len, &sk->sk_rmem_alloc); 57 skb_queue_tail(&sk->sk_receive_queue, skb); 58 sk->sk_data_ready(sk); 59 60 if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf) 61 rfcomm_dlc_throttle(d); 62} 63 64static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err) 65{ 66 struct sock *sk = d->owner, *parent; 67 68 if (!sk) 69 return; 70 71 BT_DBG("dlc %p state %ld err %d", d, d->state, err); 72 73 lock_sock(sk); 74 75 if (err) 76 sk->sk_err = err; 77 78 sk->sk_state = d->state; 79 80 parent = bt_sk(sk)->parent; 81 if (parent) { 82 if (d->state == BT_CLOSED) { 83 sock_set_flag(sk, SOCK_ZAPPED); 84 bt_accept_unlink(sk); 85 } 86 parent->sk_data_ready(parent); 87 } else { 88 if (d->state == BT_CONNECTED) 89 rfcomm_session_getaddr(d->session, 90 &rfcomm_pi(sk)->src, NULL); 91 sk->sk_state_change(sk); 92 } 93 94 release_sock(sk); 95 96 if (parent && sock_flag(sk, SOCK_ZAPPED)) { 97 /* We have to drop DLC lock here, otherwise 98 * rfcomm_sock_destruct() will dead lock. */ 99 rfcomm_dlc_unlock(d); 100 rfcomm_sock_kill(sk); 101 rfcomm_dlc_lock(d); 102 } 103} 104 105/* ---- Socket functions ---- */ 106static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src) 107{ 108 struct sock *sk = NULL; 109 110 sk_for_each(sk, &rfcomm_sk_list.head) { 111 if (rfcomm_pi(sk)->channel != channel) 112 continue; 113 114 if (bacmp(&rfcomm_pi(sk)->src, src)) 115 continue; 116 117 if (sk->sk_state == BT_BOUND || sk->sk_state == BT_LISTEN) 118 break; 119 } 120 121 return sk ? sk : NULL; 122} 123 124/* Find socket with channel and source bdaddr. 125 * Returns closest match. 126 */ 127static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src) 128{ 129 struct sock *sk = NULL, *sk1 = NULL; 130 131 read_lock(&rfcomm_sk_list.lock); 132 133 sk_for_each(sk, &rfcomm_sk_list.head) { 134 if (state && sk->sk_state != state) 135 continue; 136 137 if (rfcomm_pi(sk)->channel == channel) { 138 /* Exact match. */ 139 if (!bacmp(&rfcomm_pi(sk)->src, src)) 140 break; 141 142 /* Closest match */ 143 if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY)) 144 sk1 = sk; 145 } 146 } 147 148 read_unlock(&rfcomm_sk_list.lock); 149 150 return sk ? sk : sk1; 151} 152 153static void rfcomm_sock_destruct(struct sock *sk) 154{ 155 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc; 156 157 BT_DBG("sk %p dlc %p", sk, d); 158 159 skb_queue_purge(&sk->sk_receive_queue); 160 skb_queue_purge(&sk->sk_write_queue); 161 162 rfcomm_dlc_lock(d); 163 rfcomm_pi(sk)->dlc = NULL; 164 165 /* Detach DLC if it's owned by this socket */ 166 if (d->owner == sk) 167 d->owner = NULL; 168 rfcomm_dlc_unlock(d); 169 170 rfcomm_dlc_put(d); 171} 172 173static void rfcomm_sock_cleanup_listen(struct sock *parent) 174{ 175 struct sock *sk; 176 177 BT_DBG("parent %p", parent); 178 179 /* Close not yet accepted dlcs */ 180 while ((sk = bt_accept_dequeue(parent, NULL))) { 181 rfcomm_sock_close(sk); 182 rfcomm_sock_kill(sk); 183 } 184 185 parent->sk_state = BT_CLOSED; 186 sock_set_flag(parent, SOCK_ZAPPED); 187} 188 189/* Kill socket (only if zapped and orphan) 190 * Must be called on unlocked socket. 191 */ 192static void rfcomm_sock_kill(struct sock *sk) 193{ 194 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket) 195 return; 196 197 BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, refcount_read(&sk->sk_refcnt)); 198 199 /* Kill poor orphan */ 200 bt_sock_unlink(&rfcomm_sk_list, sk); 201 sock_set_flag(sk, SOCK_DEAD); 202 sock_put(sk); 203} 204 205static void __rfcomm_sock_close(struct sock *sk) 206{ 207 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc; 208 209 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket); 210 211 switch (sk->sk_state) { 212 case BT_LISTEN: 213 rfcomm_sock_cleanup_listen(sk); 214 break; 215 216 case BT_CONNECT: 217 case BT_CONNECT2: 218 case BT_CONFIG: 219 case BT_CONNECTED: 220 rfcomm_dlc_close(d, 0); 221 fallthrough; 222 223 default: 224 sock_set_flag(sk, SOCK_ZAPPED); 225 break; 226 } 227} 228 229/* Close socket. 230 * Must be called on unlocked socket. 231 */ 232static void rfcomm_sock_close(struct sock *sk) 233{ 234 lock_sock(sk); 235 __rfcomm_sock_close(sk); 236 release_sock(sk); 237} 238 239static void rfcomm_sock_init(struct sock *sk, struct sock *parent) 240{ 241 struct rfcomm_pinfo *pi = rfcomm_pi(sk); 242 243 BT_DBG("sk %p", sk); 244 245 if (parent) { 246 sk->sk_type = parent->sk_type; 247 pi->dlc->defer_setup = test_bit(BT_SK_DEFER_SETUP, 248 &bt_sk(parent)->flags); 249 250 pi->sec_level = rfcomm_pi(parent)->sec_level; 251 pi->role_switch = rfcomm_pi(parent)->role_switch; 252 253 security_sk_clone(parent, sk); 254 } else { 255 pi->dlc->defer_setup = 0; 256 257 pi->sec_level = BT_SECURITY_LOW; 258 pi->role_switch = 0; 259 } 260 261 pi->dlc->sec_level = pi->sec_level; 262 pi->dlc->role_switch = pi->role_switch; 263} 264 265static struct proto rfcomm_proto = { 266 .name = "RFCOMM", 267 .owner = THIS_MODULE, 268 .obj_size = sizeof(struct rfcomm_pinfo) 269}; 270 271static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, 272 int proto, gfp_t prio, int kern) 273{ 274 struct rfcomm_dlc *d; 275 struct sock *sk; 276 277 sk = bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern); 278 if (!sk) 279 return NULL; 280 281 d = rfcomm_dlc_alloc(prio); 282 if (!d) { 283 sk_free(sk); 284 return NULL; 285 } 286 287 d->data_ready = rfcomm_sk_data_ready; 288 d->state_change = rfcomm_sk_state_change; 289 290 rfcomm_pi(sk)->dlc = d; 291 d->owner = sk; 292 293 sk->sk_destruct = rfcomm_sock_destruct; 294 sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT; 295 296 sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10; 297 sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10; 298 299 bt_sock_link(&rfcomm_sk_list, sk); 300 301 BT_DBG("sk %p", sk); 302 return sk; 303} 304 305static int rfcomm_sock_create(struct net *net, struct socket *sock, 306 int protocol, int kern) 307{ 308 struct sock *sk; 309 310 BT_DBG("sock %p", sock); 311 312 sock->state = SS_UNCONNECTED; 313 314 if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW) 315 return -ESOCKTNOSUPPORT; 316 317 sock->ops = &rfcomm_sock_ops; 318 319 sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern); 320 if (!sk) 321 return -ENOMEM; 322 323 rfcomm_sock_init(sk, NULL); 324 return 0; 325} 326 327static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len) 328{ 329 struct sockaddr_rc sa; 330 struct sock *sk = sock->sk; 331 int len, err = 0; 332 333 if (!addr || addr_len < offsetofend(struct sockaddr, sa_family) || 334 addr->sa_family != AF_BLUETOOTH) 335 return -EINVAL; 336 337 memset(&sa, 0, sizeof(sa)); 338 len = min_t(unsigned int, sizeof(sa), addr_len); 339 memcpy(&sa, addr, len); 340 341 BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr); 342 343 lock_sock(sk); 344 345 if (sk->sk_state != BT_OPEN) { 346 err = -EBADFD; 347 goto done; 348 } 349 350 if (sk->sk_type != SOCK_STREAM) { 351 err = -EINVAL; 352 goto done; 353 } 354 355 write_lock(&rfcomm_sk_list.lock); 356 357 if (sa.rc_channel && 358 __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) { 359 err = -EADDRINUSE; 360 } else { 361 /* Save source address */ 362 bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr); 363 rfcomm_pi(sk)->channel = sa.rc_channel; 364 sk->sk_state = BT_BOUND; 365 } 366 367 write_unlock(&rfcomm_sk_list.lock); 368 369done: 370 release_sock(sk); 371 return err; 372} 373 374static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags) 375{ 376 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr; 377 struct sock *sk = sock->sk; 378 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc; 379 int err = 0; 380 381 BT_DBG("sk %p", sk); 382 383 if (alen < sizeof(struct sockaddr_rc) || 384 addr->sa_family != AF_BLUETOOTH) 385 return -EINVAL; 386 387 sock_hold(sk); 388 lock_sock(sk); 389 390 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) { 391 err = -EBADFD; 392 goto done; 393 } 394 395 if (sk->sk_type != SOCK_STREAM) { 396 err = -EINVAL; 397 goto done; 398 } 399 400 sk->sk_state = BT_CONNECT; 401 bacpy(&rfcomm_pi(sk)->dst, &sa->rc_bdaddr); 402 rfcomm_pi(sk)->channel = sa->rc_channel; 403 404 d->sec_level = rfcomm_pi(sk)->sec_level; 405 d->role_switch = rfcomm_pi(sk)->role_switch; 406 407 /* Drop sock lock to avoid potential deadlock with the RFCOMM lock */ 408 release_sock(sk); 409 err = rfcomm_dlc_open(d, &rfcomm_pi(sk)->src, &sa->rc_bdaddr, 410 sa->rc_channel); 411 lock_sock(sk); 412 if (!err && !sock_flag(sk, SOCK_ZAPPED)) 413 err = bt_sock_wait_state(sk, BT_CONNECTED, 414 sock_sndtimeo(sk, flags & O_NONBLOCK)); 415 416done: 417 release_sock(sk); 418 sock_put(sk); 419 return err; 420} 421 422static int rfcomm_sock_listen(struct socket *sock, int backlog) 423{ 424 struct sock *sk = sock->sk; 425 int err = 0; 426 427 BT_DBG("sk %p backlog %d", sk, backlog); 428 429 lock_sock(sk); 430 431 if (sk->sk_state != BT_BOUND) { 432 err = -EBADFD; 433 goto done; 434 } 435 436 if (sk->sk_type != SOCK_STREAM) { 437 err = -EINVAL; 438 goto done; 439 } 440 441 if (!rfcomm_pi(sk)->channel) { 442 bdaddr_t *src = &rfcomm_pi(sk)->src; 443 u8 channel; 444 445 err = -EINVAL; 446 447 write_lock(&rfcomm_sk_list.lock); 448 449 for (channel = 1; channel < 31; channel++) 450 if (!__rfcomm_get_listen_sock_by_addr(channel, src)) { 451 rfcomm_pi(sk)->channel = channel; 452 err = 0; 453 break; 454 } 455 456 write_unlock(&rfcomm_sk_list.lock); 457 458 if (err < 0) 459 goto done; 460 } 461 462 sk->sk_max_ack_backlog = backlog; 463 sk->sk_ack_backlog = 0; 464 sk->sk_state = BT_LISTEN; 465 466done: 467 release_sock(sk); 468 return err; 469} 470 471static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int flags, 472 bool kern) 473{ 474 DEFINE_WAIT_FUNC(wait, woken_wake_function); 475 struct sock *sk = sock->sk, *nsk; 476 long timeo; 477 int err = 0; 478 479 lock_sock_nested(sk, SINGLE_DEPTH_NESTING); 480 481 if (sk->sk_type != SOCK_STREAM) { 482 err = -EINVAL; 483 goto done; 484 } 485 486 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK); 487 488 BT_DBG("sk %p timeo %ld", sk, timeo); 489 490 /* Wait for an incoming connection. (wake-one). */ 491 add_wait_queue_exclusive(sk_sleep(sk), &wait); 492 while (1) { 493 if (sk->sk_state != BT_LISTEN) { 494 err = -EBADFD; 495 break; 496 } 497 498 nsk = bt_accept_dequeue(sk, newsock); 499 if (nsk) 500 break; 501 502 if (!timeo) { 503 err = -EAGAIN; 504 break; 505 } 506 507 if (signal_pending(current)) { 508 err = sock_intr_errno(timeo); 509 break; 510 } 511 512 release_sock(sk); 513 514 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo); 515 516 lock_sock_nested(sk, SINGLE_DEPTH_NESTING); 517 } 518 remove_wait_queue(sk_sleep(sk), &wait); 519 520 if (err) 521 goto done; 522 523 newsock->state = SS_CONNECTED; 524 525 BT_DBG("new socket %p", nsk); 526 527done: 528 release_sock(sk); 529 return err; 530} 531 532static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int peer) 533{ 534 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr; 535 struct sock *sk = sock->sk; 536 537 BT_DBG("sock %p, sk %p", sock, sk); 538 539 if (peer && sk->sk_state != BT_CONNECTED && 540 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2) 541 return -ENOTCONN; 542 543 memset(sa, 0, sizeof(*sa)); 544 sa->rc_family = AF_BLUETOOTH; 545 sa->rc_channel = rfcomm_pi(sk)->channel; 546 if (peer) 547 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->dst); 548 else 549 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->src); 550 551 return sizeof(struct sockaddr_rc); 552} 553 554static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg, 555 size_t len) 556{ 557 struct sock *sk = sock->sk; 558 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc; 559 struct sk_buff *skb; 560 int sent; 561 562 if (test_bit(RFCOMM_DEFER_SETUP, &d->flags)) 563 return -ENOTCONN; 564 565 if (msg->msg_flags & MSG_OOB) 566 return -EOPNOTSUPP; 567 568 if (sk->sk_shutdown & SEND_SHUTDOWN) 569 return -EPIPE; 570 571 BT_DBG("sock %p, sk %p", sock, sk); 572 573 lock_sock(sk); 574 575 sent = bt_sock_wait_ready(sk, msg->msg_flags); 576 577 release_sock(sk); 578 579 if (sent) 580 return sent; 581 582 skb = bt_skb_sendmmsg(sk, msg, len, d->mtu, RFCOMM_SKB_HEAD_RESERVE, 583 RFCOMM_SKB_TAIL_RESERVE); 584 if (IS_ERR(skb)) 585 return PTR_ERR(skb); 586 587 sent = rfcomm_dlc_send(d, skb); 588 if (sent < 0) 589 kfree_skb(skb); 590 591 return sent; 592} 593 594static int rfcomm_sock_recvmsg(struct socket *sock, struct msghdr *msg, 595 size_t size, int flags) 596{ 597 struct sock *sk = sock->sk; 598 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc; 599 int len; 600 601 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 602 rfcomm_dlc_accept(d); 603 return 0; 604 } 605 606 len = bt_sock_stream_recvmsg(sock, msg, size, flags); 607 608 lock_sock(sk); 609 if (!(flags & MSG_PEEK) && len > 0) 610 atomic_sub(len, &sk->sk_rmem_alloc); 611 612 if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2)) 613 rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc); 614 release_sock(sk); 615 616 return len; 617} 618 619static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, 620 sockptr_t optval, unsigned int optlen) 621{ 622 struct sock *sk = sock->sk; 623 int err = 0; 624 u32 opt; 625 626 BT_DBG("sk %p", sk); 627 628 lock_sock(sk); 629 630 switch (optname) { 631 case RFCOMM_LM: 632 if (bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen)) { 633 err = -EFAULT; 634 break; 635 } 636 637 if (opt & RFCOMM_LM_FIPS) { 638 err = -EINVAL; 639 break; 640 } 641 642 if (opt & RFCOMM_LM_AUTH) 643 rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW; 644 if (opt & RFCOMM_LM_ENCRYPT) 645 rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM; 646 if (opt & RFCOMM_LM_SECURE) 647 rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH; 648 649 rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER); 650 break; 651 652 default: 653 err = -ENOPROTOOPT; 654 break; 655 } 656 657 release_sock(sk); 658 return err; 659} 660 661static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, 662 sockptr_t optval, unsigned int optlen) 663{ 664 struct sock *sk = sock->sk; 665 struct bt_security sec; 666 int err = 0; 667 u32 opt; 668 669 BT_DBG("sk %p", sk); 670 671 if (level == SOL_RFCOMM) 672 return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen); 673 674 if (level != SOL_BLUETOOTH) 675 return -ENOPROTOOPT; 676 677 lock_sock(sk); 678 679 switch (optname) { 680 case BT_SECURITY: 681 if (sk->sk_type != SOCK_STREAM) { 682 err = -EINVAL; 683 break; 684 } 685 686 sec.level = BT_SECURITY_LOW; 687 688 err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen); 689 if (err) 690 break; 691 692 if (sec.level > BT_SECURITY_HIGH) { 693 err = -EINVAL; 694 break; 695 } 696 697 rfcomm_pi(sk)->sec_level = sec.level; 698 break; 699 700 case BT_DEFER_SETUP: 701 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 702 err = -EINVAL; 703 break; 704 } 705 706 err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); 707 if (err) 708 break; 709 710 if (opt) 711 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 712 else 713 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 714 715 break; 716 717 default: 718 err = -ENOPROTOOPT; 719 break; 720 } 721 722 release_sock(sk); 723 return err; 724} 725 726static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen) 727{ 728 struct sock *sk = sock->sk; 729 struct sock *l2cap_sk; 730 struct l2cap_conn *conn; 731 struct rfcomm_conninfo cinfo; 732 int len, err = 0; 733 u32 opt; 734 735 BT_DBG("sk %p", sk); 736 737 if (get_user(len, optlen)) 738 return -EFAULT; 739 740 lock_sock(sk); 741 742 switch (optname) { 743 case RFCOMM_LM: 744 switch (rfcomm_pi(sk)->sec_level) { 745 case BT_SECURITY_LOW: 746 opt = RFCOMM_LM_AUTH; 747 break; 748 case BT_SECURITY_MEDIUM: 749 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT; 750 break; 751 case BT_SECURITY_HIGH: 752 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT | 753 RFCOMM_LM_SECURE; 754 break; 755 case BT_SECURITY_FIPS: 756 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT | 757 RFCOMM_LM_SECURE | RFCOMM_LM_FIPS; 758 break; 759 default: 760 opt = 0; 761 break; 762 } 763 764 if (rfcomm_pi(sk)->role_switch) 765 opt |= RFCOMM_LM_MASTER; 766 767 if (put_user(opt, (u32 __user *) optval)) 768 err = -EFAULT; 769 770 break; 771 772 case RFCOMM_CONNINFO: 773 if (sk->sk_state != BT_CONNECTED && 774 !rfcomm_pi(sk)->dlc->defer_setup) { 775 err = -ENOTCONN; 776 break; 777 } 778 779 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk; 780 conn = l2cap_pi(l2cap_sk)->chan->conn; 781 782 memset(&cinfo, 0, sizeof(cinfo)); 783 cinfo.hci_handle = conn->hcon->handle; 784 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3); 785 786 len = min_t(unsigned int, len, sizeof(cinfo)); 787 if (copy_to_user(optval, (char *) &cinfo, len)) 788 err = -EFAULT; 789 790 break; 791 792 default: 793 err = -ENOPROTOOPT; 794 break; 795 } 796 797 release_sock(sk); 798 return err; 799} 800 801static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen) 802{ 803 struct sock *sk = sock->sk; 804 struct bt_security sec; 805 int len, err = 0; 806 807 BT_DBG("sk %p", sk); 808 809 if (level == SOL_RFCOMM) 810 return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen); 811 812 if (level != SOL_BLUETOOTH) 813 return -ENOPROTOOPT; 814 815 if (get_user(len, optlen)) 816 return -EFAULT; 817 818 lock_sock(sk); 819 820 switch (optname) { 821 case BT_SECURITY: 822 if (sk->sk_type != SOCK_STREAM) { 823 err = -EINVAL; 824 break; 825 } 826 827 sec.level = rfcomm_pi(sk)->sec_level; 828 sec.key_size = 0; 829 830 len = min_t(unsigned int, len, sizeof(sec)); 831 if (copy_to_user(optval, (char *) &sec, len)) 832 err = -EFAULT; 833 834 break; 835 836 case BT_DEFER_SETUP: 837 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 838 err = -EINVAL; 839 break; 840 } 841 842 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags), 843 (u32 __user *) optval)) 844 err = -EFAULT; 845 846 break; 847 848 default: 849 err = -ENOPROTOOPT; 850 break; 851 } 852 853 release_sock(sk); 854 return err; 855} 856 857static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) 858{ 859 struct sock *sk __maybe_unused = sock->sk; 860 int err; 861 862 BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg); 863 864 err = bt_sock_ioctl(sock, cmd, arg); 865 866 if (err == -ENOIOCTLCMD) { 867#ifdef CONFIG_BT_RFCOMM_TTY 868 lock_sock(sk); 869 err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg); 870 release_sock(sk); 871#else 872 err = -EOPNOTSUPP; 873#endif 874 } 875 876 return err; 877} 878 879#ifdef CONFIG_COMPAT 880static int rfcomm_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) 881{ 882 return rfcomm_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg)); 883} 884#endif 885 886static int rfcomm_sock_shutdown(struct socket *sock, int how) 887{ 888 struct sock *sk = sock->sk; 889 int err = 0; 890 891 BT_DBG("sock %p, sk %p", sock, sk); 892 893 if (!sk) 894 return 0; 895 896 lock_sock(sk); 897 if (!sk->sk_shutdown) { 898 sk->sk_shutdown = SHUTDOWN_MASK; 899 900 release_sock(sk); 901 __rfcomm_sock_close(sk); 902 lock_sock(sk); 903 904 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime && 905 !(current->flags & PF_EXITING)) 906 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime); 907 } 908 release_sock(sk); 909 return err; 910} 911 912static int rfcomm_sock_release(struct socket *sock) 913{ 914 struct sock *sk = sock->sk; 915 int err; 916 917 BT_DBG("sock %p, sk %p", sock, sk); 918 919 if (!sk) 920 return 0; 921 922 err = rfcomm_sock_shutdown(sock, 2); 923 924 sock_orphan(sk); 925 rfcomm_sock_kill(sk); 926 return err; 927} 928 929/* ---- RFCOMM core layer callbacks ---- 930 * 931 * called under rfcomm_lock() 932 */ 933int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d) 934{ 935 struct sock *sk, *parent; 936 bdaddr_t src, dst; 937 int result = 0; 938 939 BT_DBG("session %p channel %d", s, channel); 940 941 rfcomm_session_getaddr(s, &src, &dst); 942 943 /* Check if we have socket listening on channel */ 944 parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src); 945 if (!parent) 946 return 0; 947 948 lock_sock(parent); 949 950 /* Check for backlog size */ 951 if (sk_acceptq_is_full(parent)) { 952 BT_DBG("backlog full %d", parent->sk_ack_backlog); 953 goto done; 954 } 955 956 sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC, 0); 957 if (!sk) 958 goto done; 959 960 bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM); 961 962 rfcomm_sock_init(sk, parent); 963 bacpy(&rfcomm_pi(sk)->src, &src); 964 bacpy(&rfcomm_pi(sk)->dst, &dst); 965 rfcomm_pi(sk)->channel = channel; 966 967 sk->sk_state = BT_CONFIG; 968 bt_accept_enqueue(parent, sk, true); 969 970 /* Accept connection and return socket DLC */ 971 *d = rfcomm_pi(sk)->dlc; 972 result = 1; 973 974done: 975 release_sock(parent); 976 977 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags)) 978 parent->sk_state_change(parent); 979 980 return result; 981} 982 983static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p) 984{ 985 struct sock *sk; 986 987 read_lock(&rfcomm_sk_list.lock); 988 989 sk_for_each(sk, &rfcomm_sk_list.head) { 990 seq_printf(f, "%pMR %pMR %d %d\n", 991 &rfcomm_pi(sk)->src, &rfcomm_pi(sk)->dst, 992 sk->sk_state, rfcomm_pi(sk)->channel); 993 } 994 995 read_unlock(&rfcomm_sk_list.lock); 996 997 return 0; 998} 999 1000DEFINE_SHOW_ATTRIBUTE(rfcomm_sock_debugfs); 1001 1002static struct dentry *rfcomm_sock_debugfs; 1003 1004static const struct proto_ops rfcomm_sock_ops = { 1005 .family = PF_BLUETOOTH, 1006 .owner = THIS_MODULE, 1007 .release = rfcomm_sock_release, 1008 .bind = rfcomm_sock_bind, 1009 .connect = rfcomm_sock_connect, 1010 .listen = rfcomm_sock_listen, 1011 .accept = rfcomm_sock_accept, 1012 .getname = rfcomm_sock_getname, 1013 .sendmsg = rfcomm_sock_sendmsg, 1014 .recvmsg = rfcomm_sock_recvmsg, 1015 .shutdown = rfcomm_sock_shutdown, 1016 .setsockopt = rfcomm_sock_setsockopt, 1017 .getsockopt = rfcomm_sock_getsockopt, 1018 .ioctl = rfcomm_sock_ioctl, 1019 .gettstamp = sock_gettstamp, 1020 .poll = bt_sock_poll, 1021 .socketpair = sock_no_socketpair, 1022 .mmap = sock_no_mmap, 1023#ifdef CONFIG_COMPAT 1024 .compat_ioctl = rfcomm_sock_compat_ioctl, 1025#endif 1026}; 1027 1028static const struct net_proto_family rfcomm_sock_family_ops = { 1029 .family = PF_BLUETOOTH, 1030 .owner = THIS_MODULE, 1031 .create = rfcomm_sock_create 1032}; 1033 1034int __init rfcomm_init_sockets(void) 1035{ 1036 int err; 1037 1038 BUILD_BUG_ON(sizeof(struct sockaddr_rc) > sizeof(struct sockaddr)); 1039 1040 err = proto_register(&rfcomm_proto, 0); 1041 if (err < 0) 1042 return err; 1043 1044 err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops); 1045 if (err < 0) { 1046 BT_ERR("RFCOMM socket layer registration failed"); 1047 goto error; 1048 } 1049 1050 err = bt_procfs_init(&init_net, "rfcomm", &rfcomm_sk_list, NULL); 1051 if (err < 0) { 1052 BT_ERR("Failed to create RFCOMM proc file"); 1053 bt_sock_unregister(BTPROTO_RFCOMM); 1054 goto error; 1055 } 1056 1057 BT_INFO("RFCOMM socket layer initialized"); 1058 1059 if (IS_ERR_OR_NULL(bt_debugfs)) 1060 return 0; 1061 1062 rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444, 1063 bt_debugfs, NULL, 1064 &rfcomm_sock_debugfs_fops); 1065 1066 return 0; 1067 1068error: 1069 proto_unregister(&rfcomm_proto); 1070 return err; 1071} 1072 1073void __exit rfcomm_cleanup_sockets(void) 1074{ 1075 bt_procfs_cleanup(&init_net, "rfcomm"); 1076 1077 debugfs_remove(rfcomm_sock_debugfs); 1078 1079 bt_sock_unregister(BTPROTO_RFCOMM); 1080 1081 proto_unregister(&rfcomm_proto); 1082} 1083