1 /*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22 */
23
24 /*
25 * RFCOMM sockets.
26 */
27
28 #include <linux/module.h>
29
30 #include <linux/types.h>
31 #include <linux/errno.h>
32 #include <linux/kernel.h>
33 #include <linux/sched.h>
34 #include <linux/slab.h>
35 #include <linux/poll.h>
36 #include <linux/fcntl.h>
37 #include <linux/init.h>
38 #include <linux/interrupt.h>
39 #include <linux/socket.h>
40 #include <linux/skbuff.h>
41 #include <linux/list.h>
42 #include <linux/device.h>
43 #include <linux/debugfs.h>
44 #include <linux/seq_file.h>
45 #include <linux/security.h>
46 #include <net/sock.h>
47
48 #include <asm/system.h>
49 #include <linux/uaccess.h>
50
51 #include <net/bluetooth/bluetooth.h>
52 #include <net/bluetooth/hci_core.h>
53 #include <net/bluetooth/l2cap.h>
54 #include <net/bluetooth/rfcomm.h>
55
56 static const struct proto_ops rfcomm_sock_ops;
57
58 static struct bt_sock_list rfcomm_sk_list = {
59 .lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock)
60 };
61
62 static void rfcomm_sock_close(struct sock *sk);
63 static void rfcomm_sock_kill(struct sock *sk);
64
65 /* ---- DLC callbacks ----
66 *
67 * called under rfcomm_dlc_lock()
68 */
rfcomm_sk_data_ready(struct rfcomm_dlc * d,struct sk_buff * skb)69 static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
70 {
71 struct sock *sk = d->owner;
72 if (!sk)
73 return;
74
75 atomic_add(skb->len, &sk->sk_rmem_alloc);
76 skb_queue_tail(&sk->sk_receive_queue, skb);
77 sk->sk_data_ready(sk, skb->len);
78
79 if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
80 rfcomm_dlc_throttle(d);
81 }
82
rfcomm_sk_state_change(struct rfcomm_dlc * d,int err)83 static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
84 {
85 struct sock *sk = d->owner, *parent;
86 unsigned long flags;
87
88 if (!sk)
89 return;
90
91 BT_DBG("dlc %p state %ld err %d", d, d->state, err);
92
93 local_irq_save(flags);
94 bh_lock_sock(sk);
95
96 if (err)
97 sk->sk_err = err;
98
99 sk->sk_state = d->state;
100
101 parent = bt_sk(sk)->parent;
102 if (parent) {
103 if (d->state == BT_CLOSED) {
104 sock_set_flag(sk, SOCK_ZAPPED);
105 bt_accept_unlink(sk);
106 }
107 parent->sk_data_ready(parent, 0);
108 } else {
109 if (d->state == BT_CONNECTED)
110 rfcomm_session_getaddr(d->session, &bt_sk(sk)->src, NULL);
111 sk->sk_state_change(sk);
112 }
113
114 bh_unlock_sock(sk);
115 local_irq_restore(flags);
116
117 if (parent && sock_flag(sk, SOCK_ZAPPED)) {
118 /* We have to drop DLC lock here, otherwise
119 * rfcomm_sock_destruct() will dead lock. */
120 rfcomm_dlc_unlock(d);
121 rfcomm_sock_kill(sk);
122 rfcomm_dlc_lock(d);
123 }
124 }
125
126 /* ---- Socket functions ---- */
__rfcomm_get_sock_by_addr(u8 channel,bdaddr_t * src)127 static struct sock *__rfcomm_get_sock_by_addr(u8 channel, bdaddr_t *src)
128 {
129 struct sock *sk = NULL;
130 struct hlist_node *node;
131
132 sk_for_each(sk, node, &rfcomm_sk_list.head) {
133 if (rfcomm_pi(sk)->channel == channel &&
134 !bacmp(&bt_sk(sk)->src, src))
135 break;
136 }
137
138 return node ? sk : NULL;
139 }
140
141 /* Find socket with channel and source bdaddr.
142 * Returns closest match.
143 */
rfcomm_get_sock_by_channel(int state,u8 channel,bdaddr_t * src)144 static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
145 {
146 struct sock *sk = NULL, *sk1 = NULL;
147 struct hlist_node *node;
148
149 read_lock(&rfcomm_sk_list.lock);
150
151 sk_for_each(sk, node, &rfcomm_sk_list.head) {
152 if (state && sk->sk_state != state)
153 continue;
154
155 if (rfcomm_pi(sk)->channel == channel) {
156 /* Exact match. */
157 if (!bacmp(&bt_sk(sk)->src, src))
158 break;
159
160 /* Closest match */
161 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
162 sk1 = sk;
163 }
164 }
165
166 read_unlock(&rfcomm_sk_list.lock);
167
168 return node ? sk : sk1;
169 }
170
rfcomm_sock_destruct(struct sock * sk)171 static void rfcomm_sock_destruct(struct sock *sk)
172 {
173 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
174
175 BT_DBG("sk %p dlc %p", sk, d);
176
177 skb_queue_purge(&sk->sk_receive_queue);
178 skb_queue_purge(&sk->sk_write_queue);
179
180 rfcomm_dlc_lock(d);
181 rfcomm_pi(sk)->dlc = NULL;
182
183 /* Detach DLC if it's owned by this socket */
184 if (d->owner == sk)
185 d->owner = NULL;
186 rfcomm_dlc_unlock(d);
187
188 rfcomm_dlc_put(d);
189 }
190
rfcomm_sock_cleanup_listen(struct sock * parent)191 static void rfcomm_sock_cleanup_listen(struct sock *parent)
192 {
193 struct sock *sk;
194
195 BT_DBG("parent %p", parent);
196
197 /* Close not yet accepted dlcs */
198 while ((sk = bt_accept_dequeue(parent, NULL))) {
199 rfcomm_sock_close(sk);
200 rfcomm_sock_kill(sk);
201 }
202
203 parent->sk_state = BT_CLOSED;
204 sock_set_flag(parent, SOCK_ZAPPED);
205 }
206
207 /* Kill socket (only if zapped and orphan)
208 * Must be called on unlocked socket.
209 */
rfcomm_sock_kill(struct sock * sk)210 static void rfcomm_sock_kill(struct sock *sk)
211 {
212 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
213 return;
214
215 BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, atomic_read(&sk->sk_refcnt));
216
217 /* Kill poor orphan */
218 bt_sock_unlink(&rfcomm_sk_list, sk);
219 sock_set_flag(sk, SOCK_DEAD);
220 sock_put(sk);
221 }
222
__rfcomm_sock_close(struct sock * sk)223 static void __rfcomm_sock_close(struct sock *sk)
224 {
225 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
226
227 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
228
229 switch (sk->sk_state) {
230 case BT_LISTEN:
231 rfcomm_sock_cleanup_listen(sk);
232 break;
233
234 case BT_CONNECT:
235 case BT_CONNECT2:
236 case BT_CONFIG:
237 case BT_CONNECTED:
238 rfcomm_dlc_close(d, 0);
239
240 default:
241 sock_set_flag(sk, SOCK_ZAPPED);
242 break;
243 }
244 }
245
246 /* Close socket.
247 * Must be called on unlocked socket.
248 */
rfcomm_sock_close(struct sock * sk)249 static void rfcomm_sock_close(struct sock *sk)
250 {
251 lock_sock(sk);
252 __rfcomm_sock_close(sk);
253 release_sock(sk);
254 }
255
rfcomm_sock_init(struct sock * sk,struct sock * parent)256 static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
257 {
258 struct rfcomm_pinfo *pi = rfcomm_pi(sk);
259
260 BT_DBG("sk %p", sk);
261
262 if (parent) {
263 sk->sk_type = parent->sk_type;
264 pi->dlc->defer_setup = bt_sk(parent)->defer_setup;
265
266 pi->sec_level = rfcomm_pi(parent)->sec_level;
267 pi->role_switch = rfcomm_pi(parent)->role_switch;
268
269 security_sk_clone(parent, sk);
270 } else {
271 pi->dlc->defer_setup = 0;
272
273 pi->sec_level = BT_SECURITY_LOW;
274 pi->role_switch = 0;
275 }
276
277 pi->dlc->sec_level = pi->sec_level;
278 pi->dlc->role_switch = pi->role_switch;
279 }
280
281 static struct proto rfcomm_proto = {
282 .name = "RFCOMM",
283 .owner = THIS_MODULE,
284 .obj_size = sizeof(struct rfcomm_pinfo)
285 };
286
rfcomm_sock_alloc(struct net * net,struct socket * sock,int proto,gfp_t prio)287 static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
288 {
289 struct rfcomm_dlc *d;
290 struct sock *sk;
291
292 sk = sk_alloc(net, PF_BLUETOOTH, prio, &rfcomm_proto);
293 if (!sk)
294 return NULL;
295
296 sock_init_data(sock, sk);
297 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
298
299 d = rfcomm_dlc_alloc(prio);
300 if (!d) {
301 sk_free(sk);
302 return NULL;
303 }
304
305 d->data_ready = rfcomm_sk_data_ready;
306 d->state_change = rfcomm_sk_state_change;
307
308 rfcomm_pi(sk)->dlc = d;
309 d->owner = sk;
310
311 sk->sk_destruct = rfcomm_sock_destruct;
312 sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT;
313
314 sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
315 sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
316
317 sock_reset_flag(sk, SOCK_ZAPPED);
318
319 sk->sk_protocol = proto;
320 sk->sk_state = BT_OPEN;
321
322 bt_sock_link(&rfcomm_sk_list, sk);
323
324 BT_DBG("sk %p", sk);
325 return sk;
326 }
327
rfcomm_sock_create(struct net * net,struct socket * sock,int protocol,int kern)328 static int rfcomm_sock_create(struct net *net, struct socket *sock,
329 int protocol, int kern)
330 {
331 struct sock *sk;
332
333 BT_DBG("sock %p", sock);
334
335 sock->state = SS_UNCONNECTED;
336
337 if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW)
338 return -ESOCKTNOSUPPORT;
339
340 sock->ops = &rfcomm_sock_ops;
341
342 sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC);
343 if (!sk)
344 return -ENOMEM;
345
346 rfcomm_sock_init(sk, NULL);
347 return 0;
348 }
349
rfcomm_sock_bind(struct socket * sock,struct sockaddr * addr,int addr_len)350 static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
351 {
352 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
353 struct sock *sk = sock->sk;
354 int err = 0;
355
356 BT_DBG("sk %p %s", sk, batostr(&sa->rc_bdaddr));
357
358 if (!addr || addr->sa_family != AF_BLUETOOTH)
359 return -EINVAL;
360
361 lock_sock(sk);
362
363 if (sk->sk_state != BT_OPEN) {
364 err = -EBADFD;
365 goto done;
366 }
367
368 if (sk->sk_type != SOCK_STREAM) {
369 err = -EINVAL;
370 goto done;
371 }
372
373 write_lock(&rfcomm_sk_list.lock);
374
375 if (sa->rc_channel && __rfcomm_get_sock_by_addr(sa->rc_channel, &sa->rc_bdaddr)) {
376 err = -EADDRINUSE;
377 } else {
378 /* Save source address */
379 bacpy(&bt_sk(sk)->src, &sa->rc_bdaddr);
380 rfcomm_pi(sk)->channel = sa->rc_channel;
381 sk->sk_state = BT_BOUND;
382 }
383
384 write_unlock(&rfcomm_sk_list.lock);
385
386 done:
387 release_sock(sk);
388 return err;
389 }
390
rfcomm_sock_connect(struct socket * sock,struct sockaddr * addr,int alen,int flags)391 static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
392 {
393 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
394 struct sock *sk = sock->sk;
395 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
396 int err = 0;
397
398 BT_DBG("sk %p", sk);
399
400 if (alen < sizeof(struct sockaddr_rc) ||
401 addr->sa_family != AF_BLUETOOTH)
402 return -EINVAL;
403
404 lock_sock(sk);
405
406 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
407 err = -EBADFD;
408 goto done;
409 }
410
411 if (sk->sk_type != SOCK_STREAM) {
412 err = -EINVAL;
413 goto done;
414 }
415
416 sk->sk_state = BT_CONNECT;
417 bacpy(&bt_sk(sk)->dst, &sa->rc_bdaddr);
418 rfcomm_pi(sk)->channel = sa->rc_channel;
419
420 d->sec_level = rfcomm_pi(sk)->sec_level;
421 d->role_switch = rfcomm_pi(sk)->role_switch;
422
423 err = rfcomm_dlc_open(d, &bt_sk(sk)->src, &sa->rc_bdaddr, sa->rc_channel);
424 if (!err)
425 err = bt_sock_wait_state(sk, BT_CONNECTED,
426 sock_sndtimeo(sk, flags & O_NONBLOCK));
427
428 done:
429 release_sock(sk);
430 return err;
431 }
432
rfcomm_sock_listen(struct socket * sock,int backlog)433 static int rfcomm_sock_listen(struct socket *sock, int backlog)
434 {
435 struct sock *sk = sock->sk;
436 int err = 0;
437
438 BT_DBG("sk %p backlog %d", sk, backlog);
439
440 lock_sock(sk);
441
442 if (sk->sk_state != BT_BOUND) {
443 err = -EBADFD;
444 goto done;
445 }
446
447 if (sk->sk_type != SOCK_STREAM) {
448 err = -EINVAL;
449 goto done;
450 }
451
452 if (!rfcomm_pi(sk)->channel) {
453 bdaddr_t *src = &bt_sk(sk)->src;
454 u8 channel;
455
456 err = -EINVAL;
457
458 write_lock(&rfcomm_sk_list.lock);
459
460 for (channel = 1; channel < 31; channel++)
461 if (!__rfcomm_get_sock_by_addr(channel, src)) {
462 rfcomm_pi(sk)->channel = channel;
463 err = 0;
464 break;
465 }
466
467 write_unlock(&rfcomm_sk_list.lock);
468
469 if (err < 0)
470 goto done;
471 }
472
473 sk->sk_max_ack_backlog = backlog;
474 sk->sk_ack_backlog = 0;
475 sk->sk_state = BT_LISTEN;
476
477 done:
478 release_sock(sk);
479 return err;
480 }
481
rfcomm_sock_accept(struct socket * sock,struct socket * newsock,int flags)482 static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int flags)
483 {
484 DECLARE_WAITQUEUE(wait, current);
485 struct sock *sk = sock->sk, *nsk;
486 long timeo;
487 int err = 0;
488
489 lock_sock(sk);
490
491 if (sk->sk_type != SOCK_STREAM) {
492 err = -EINVAL;
493 goto done;
494 }
495
496 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
497
498 BT_DBG("sk %p timeo %ld", sk, timeo);
499
500 /* Wait for an incoming connection. (wake-one). */
501 add_wait_queue_exclusive(sk_sleep(sk), &wait);
502 while (1) {
503 set_current_state(TASK_INTERRUPTIBLE);
504
505 if (sk->sk_state != BT_LISTEN) {
506 err = -EBADFD;
507 break;
508 }
509
510 nsk = bt_accept_dequeue(sk, newsock);
511 if (nsk)
512 break;
513
514 if (!timeo) {
515 err = -EAGAIN;
516 break;
517 }
518
519 if (signal_pending(current)) {
520 err = sock_intr_errno(timeo);
521 break;
522 }
523
524 release_sock(sk);
525 timeo = schedule_timeout(timeo);
526 lock_sock(sk);
527 }
528 __set_current_state(TASK_RUNNING);
529 remove_wait_queue(sk_sleep(sk), &wait);
530
531 if (err)
532 goto done;
533
534 newsock->state = SS_CONNECTED;
535
536 BT_DBG("new socket %p", nsk);
537
538 done:
539 release_sock(sk);
540 return err;
541 }
542
rfcomm_sock_getname(struct socket * sock,struct sockaddr * addr,int * len,int peer)543 static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
544 {
545 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
546 struct sock *sk = sock->sk;
547
548 BT_DBG("sock %p, sk %p", sock, sk);
549
550 sa->rc_family = AF_BLUETOOTH;
551 sa->rc_channel = rfcomm_pi(sk)->channel;
552 if (peer)
553 bacpy(&sa->rc_bdaddr, &bt_sk(sk)->dst);
554 else
555 bacpy(&sa->rc_bdaddr, &bt_sk(sk)->src);
556
557 *len = sizeof(struct sockaddr_rc);
558 return 0;
559 }
560
rfcomm_sock_sendmsg(struct kiocb * iocb,struct socket * sock,struct msghdr * msg,size_t len)561 static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
562 struct msghdr *msg, size_t len)
563 {
564 struct sock *sk = sock->sk;
565 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
566 struct sk_buff *skb;
567 int sent = 0;
568
569 if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
570 return -ENOTCONN;
571
572 if (msg->msg_flags & MSG_OOB)
573 return -EOPNOTSUPP;
574
575 if (sk->sk_shutdown & SEND_SHUTDOWN)
576 return -EPIPE;
577
578 BT_DBG("sock %p, sk %p", sock, sk);
579
580 lock_sock(sk);
581
582 while (len) {
583 size_t size = min_t(size_t, len, d->mtu);
584 int err;
585
586 skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE,
587 msg->msg_flags & MSG_DONTWAIT, &err);
588 if (!skb) {
589 if (sent == 0)
590 sent = err;
591 break;
592 }
593 skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);
594
595 err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);
596 if (err) {
597 kfree_skb(skb);
598 if (sent == 0)
599 sent = err;
600 break;
601 }
602
603 skb->priority = sk->sk_priority;
604
605 err = rfcomm_dlc_send(d, skb);
606 if (err < 0) {
607 kfree_skb(skb);
608 if (sent == 0)
609 sent = err;
610 break;
611 }
612
613 sent += size;
614 len -= size;
615 }
616
617 release_sock(sk);
618
619 return sent;
620 }
621
rfcomm_sock_recvmsg(struct kiocb * iocb,struct socket * sock,struct msghdr * msg,size_t size,int flags)622 static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
623 struct msghdr *msg, size_t size, int flags)
624 {
625 struct sock *sk = sock->sk;
626 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
627 int len;
628
629 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
630 rfcomm_dlc_accept(d);
631 return 0;
632 }
633
634 len = bt_sock_stream_recvmsg(iocb, sock, msg, size, flags);
635
636 lock_sock(sk);
637 if (!(flags & MSG_PEEK) && len > 0)
638 atomic_sub(len, &sk->sk_rmem_alloc);
639
640 if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2))
641 rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc);
642 release_sock(sk);
643
644 return len;
645 }
646
rfcomm_sock_setsockopt_old(struct socket * sock,int optname,char __user * optval,unsigned int optlen)647 static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
648 {
649 struct sock *sk = sock->sk;
650 int err = 0;
651 u32 opt;
652
653 BT_DBG("sk %p", sk);
654
655 lock_sock(sk);
656
657 switch (optname) {
658 case RFCOMM_LM:
659 if (get_user(opt, (u32 __user *) optval)) {
660 err = -EFAULT;
661 break;
662 }
663
664 if (opt & RFCOMM_LM_AUTH)
665 rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
666 if (opt & RFCOMM_LM_ENCRYPT)
667 rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
668 if (opt & RFCOMM_LM_SECURE)
669 rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;
670
671 rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
672 break;
673
674 default:
675 err = -ENOPROTOOPT;
676 break;
677 }
678
679 release_sock(sk);
680 return err;
681 }
682
rfcomm_sock_setsockopt(struct socket * sock,int level,int optname,char __user * optval,unsigned int optlen)683 static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
684 {
685 struct sock *sk = sock->sk;
686 struct bt_security sec;
687 int err = 0;
688 size_t len;
689 u32 opt;
690
691 BT_DBG("sk %p", sk);
692
693 if (level == SOL_RFCOMM)
694 return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);
695
696 if (level != SOL_BLUETOOTH)
697 return -ENOPROTOOPT;
698
699 lock_sock(sk);
700
701 switch (optname) {
702 case BT_SECURITY:
703 if (sk->sk_type != SOCK_STREAM) {
704 err = -EINVAL;
705 break;
706 }
707
708 sec.level = BT_SECURITY_LOW;
709
710 len = min_t(unsigned int, sizeof(sec), optlen);
711 if (copy_from_user((char *) &sec, optval, len)) {
712 err = -EFAULT;
713 break;
714 }
715
716 if (sec.level > BT_SECURITY_HIGH) {
717 err = -EINVAL;
718 break;
719 }
720
721 rfcomm_pi(sk)->sec_level = sec.level;
722 break;
723
724 case BT_DEFER_SETUP:
725 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
726 err = -EINVAL;
727 break;
728 }
729
730 if (get_user(opt, (u32 __user *) optval)) {
731 err = -EFAULT;
732 break;
733 }
734
735 bt_sk(sk)->defer_setup = opt;
736 break;
737
738 default:
739 err = -ENOPROTOOPT;
740 break;
741 }
742
743 release_sock(sk);
744 return err;
745 }
746
rfcomm_sock_getsockopt_old(struct socket * sock,int optname,char __user * optval,int __user * optlen)747 static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
748 {
749 struct sock *sk = sock->sk;
750 struct rfcomm_conninfo cinfo;
751 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
752 int len, err = 0;
753 u32 opt;
754
755 BT_DBG("sk %p", sk);
756
757 if (get_user(len, optlen))
758 return -EFAULT;
759
760 lock_sock(sk);
761
762 switch (optname) {
763 case RFCOMM_LM:
764 switch (rfcomm_pi(sk)->sec_level) {
765 case BT_SECURITY_LOW:
766 opt = RFCOMM_LM_AUTH;
767 break;
768 case BT_SECURITY_MEDIUM:
769 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
770 break;
771 case BT_SECURITY_HIGH:
772 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
773 RFCOMM_LM_SECURE;
774 break;
775 default:
776 opt = 0;
777 break;
778 }
779
780 if (rfcomm_pi(sk)->role_switch)
781 opt |= RFCOMM_LM_MASTER;
782
783 if (put_user(opt, (u32 __user *) optval))
784 err = -EFAULT;
785 break;
786
787 case RFCOMM_CONNINFO:
788 if (sk->sk_state != BT_CONNECTED &&
789 !rfcomm_pi(sk)->dlc->defer_setup) {
790 err = -ENOTCONN;
791 break;
792 }
793
794 memset(&cinfo, 0, sizeof(cinfo));
795 cinfo.hci_handle = conn->hcon->handle;
796 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
797
798 len = min_t(unsigned int, len, sizeof(cinfo));
799 if (copy_to_user(optval, (char *) &cinfo, len))
800 err = -EFAULT;
801
802 break;
803
804 default:
805 err = -ENOPROTOOPT;
806 break;
807 }
808
809 release_sock(sk);
810 return err;
811 }
812
rfcomm_sock_getsockopt(struct socket * sock,int level,int optname,char __user * optval,int __user * optlen)813 static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
814 {
815 struct sock *sk = sock->sk;
816 struct bt_security sec;
817 int len, err = 0;
818
819 BT_DBG("sk %p", sk);
820
821 if (level == SOL_RFCOMM)
822 return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen);
823
824 if (level != SOL_BLUETOOTH)
825 return -ENOPROTOOPT;
826
827 if (get_user(len, optlen))
828 return -EFAULT;
829
830 lock_sock(sk);
831
832 switch (optname) {
833 case BT_SECURITY:
834 if (sk->sk_type != SOCK_STREAM) {
835 err = -EINVAL;
836 break;
837 }
838
839 sec.level = rfcomm_pi(sk)->sec_level;
840
841 len = min_t(unsigned int, len, sizeof(sec));
842 if (copy_to_user(optval, (char *) &sec, len))
843 err = -EFAULT;
844
845 break;
846
847 case BT_DEFER_SETUP:
848 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
849 err = -EINVAL;
850 break;
851 }
852
853 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
854 err = -EFAULT;
855
856 break;
857
858 default:
859 err = -ENOPROTOOPT;
860 break;
861 }
862
863 release_sock(sk);
864 return err;
865 }
866
rfcomm_sock_ioctl(struct socket * sock,unsigned int cmd,unsigned long arg)867 static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
868 {
869 struct sock *sk __maybe_unused = sock->sk;
870 int err;
871
872 BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg);
873
874 err = bt_sock_ioctl(sock, cmd, arg);
875
876 if (err == -ENOIOCTLCMD) {
877 #ifdef CONFIG_BT_RFCOMM_TTY
878 lock_sock(sk);
879 err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
880 release_sock(sk);
881 #else
882 err = -EOPNOTSUPP;
883 #endif
884 }
885
886 return err;
887 }
888
rfcomm_sock_shutdown(struct socket * sock,int how)889 static int rfcomm_sock_shutdown(struct socket *sock, int how)
890 {
891 struct sock *sk = sock->sk;
892 int err = 0;
893
894 BT_DBG("sock %p, sk %p", sock, sk);
895
896 if (!sk)
897 return 0;
898
899 lock_sock(sk);
900 if (!sk->sk_shutdown) {
901 sk->sk_shutdown = SHUTDOWN_MASK;
902 __rfcomm_sock_close(sk);
903
904 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
905 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
906 }
907 release_sock(sk);
908 return err;
909 }
910
rfcomm_sock_release(struct socket * sock)911 static int rfcomm_sock_release(struct socket *sock)
912 {
913 struct sock *sk = sock->sk;
914 int err;
915
916 BT_DBG("sock %p, sk %p", sock, sk);
917
918 if (!sk)
919 return 0;
920
921 err = rfcomm_sock_shutdown(sock, 2);
922
923 sock_orphan(sk);
924 rfcomm_sock_kill(sk);
925 return err;
926 }
927
928 /* ---- RFCOMM core layer callbacks ----
929 *
930 * called under rfcomm_lock()
931 */
rfcomm_connect_ind(struct rfcomm_session * s,u8 channel,struct rfcomm_dlc ** d)932 int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d)
933 {
934 struct sock *sk, *parent;
935 bdaddr_t src, dst;
936 int result = 0;
937
938 BT_DBG("session %p channel %d", s, channel);
939
940 rfcomm_session_getaddr(s, &src, &dst);
941
942 /* Check if we have socket listening on channel */
943 parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src);
944 if (!parent)
945 return 0;
946
947 bh_lock_sock(parent);
948
949 /* Check for backlog size */
950 if (sk_acceptq_is_full(parent)) {
951 BT_DBG("backlog full %d", parent->sk_ack_backlog);
952 goto done;
953 }
954
955 sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC);
956 if (!sk)
957 goto done;
958
959 bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM);
960
961 rfcomm_sock_init(sk, parent);
962 bacpy(&bt_sk(sk)->src, &src);
963 bacpy(&bt_sk(sk)->dst, &dst);
964 rfcomm_pi(sk)->channel = channel;
965
966 sk->sk_state = BT_CONFIG;
967 bt_accept_enqueue(parent, sk);
968
969 /* Accept connection and return socket DLC */
970 *d = rfcomm_pi(sk)->dlc;
971 result = 1;
972
973 done:
974 bh_unlock_sock(parent);
975
976 if (bt_sk(parent)->defer_setup)
977 parent->sk_state_change(parent);
978
979 return result;
980 }
981
rfcomm_sock_debugfs_show(struct seq_file * f,void * p)982 static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
983 {
984 struct sock *sk;
985 struct hlist_node *node;
986
987 read_lock(&rfcomm_sk_list.lock);
988
989 sk_for_each(sk, node, &rfcomm_sk_list.head) {
990 seq_printf(f, "%s %s %d %d\n",
991 batostr(&bt_sk(sk)->src),
992 batostr(&bt_sk(sk)->dst),
993 sk->sk_state, rfcomm_pi(sk)->channel);
994 }
995
996 read_unlock(&rfcomm_sk_list.lock);
997
998 return 0;
999 }
1000
rfcomm_sock_debugfs_open(struct inode * inode,struct file * file)1001 static int rfcomm_sock_debugfs_open(struct inode *inode, struct file *file)
1002 {
1003 return single_open(file, rfcomm_sock_debugfs_show, inode->i_private);
1004 }
1005
1006 static const struct file_operations rfcomm_sock_debugfs_fops = {
1007 .open = rfcomm_sock_debugfs_open,
1008 .read = seq_read,
1009 .llseek = seq_lseek,
1010 .release = single_release,
1011 };
1012
1013 static struct dentry *rfcomm_sock_debugfs;
1014
1015 static const struct proto_ops rfcomm_sock_ops = {
1016 .family = PF_BLUETOOTH,
1017 .owner = THIS_MODULE,
1018 .release = rfcomm_sock_release,
1019 .bind = rfcomm_sock_bind,
1020 .connect = rfcomm_sock_connect,
1021 .listen = rfcomm_sock_listen,
1022 .accept = rfcomm_sock_accept,
1023 .getname = rfcomm_sock_getname,
1024 .sendmsg = rfcomm_sock_sendmsg,
1025 .recvmsg = rfcomm_sock_recvmsg,
1026 .shutdown = rfcomm_sock_shutdown,
1027 .setsockopt = rfcomm_sock_setsockopt,
1028 .getsockopt = rfcomm_sock_getsockopt,
1029 .ioctl = rfcomm_sock_ioctl,
1030 .poll = bt_sock_poll,
1031 .socketpair = sock_no_socketpair,
1032 .mmap = sock_no_mmap
1033 };
1034
1035 static const struct net_proto_family rfcomm_sock_family_ops = {
1036 .family = PF_BLUETOOTH,
1037 .owner = THIS_MODULE,
1038 .create = rfcomm_sock_create
1039 };
1040
rfcomm_init_sockets(void)1041 int __init rfcomm_init_sockets(void)
1042 {
1043 int err;
1044
1045 err = proto_register(&rfcomm_proto, 0);
1046 if (err < 0)
1047 return err;
1048
1049 err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops);
1050 if (err < 0)
1051 goto error;
1052
1053 if (bt_debugfs) {
1054 rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444,
1055 bt_debugfs, NULL, &rfcomm_sock_debugfs_fops);
1056 if (!rfcomm_sock_debugfs)
1057 BT_ERR("Failed to create RFCOMM debug file");
1058 }
1059
1060 BT_INFO("RFCOMM socket layer initialized");
1061
1062 return 0;
1063
1064 error:
1065 BT_ERR("RFCOMM socket layer registration failed");
1066 proto_unregister(&rfcomm_proto);
1067 return err;
1068 }
1069
rfcomm_cleanup_sockets(void)1070 void __exit rfcomm_cleanup_sockets(void)
1071 {
1072 debugfs_remove(rfcomm_sock_debugfs);
1073
1074 if (bt_sock_unregister(BTPROTO_RFCOMM) < 0)
1075 BT_ERR("RFCOMM socket layer unregistration failed");
1076
1077 proto_unregister(&rfcomm_proto);
1078 }
1079