Loading...
1/*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22*/
23
24/*
25 * RFCOMM sockets.
26 */
27
28#include <linux/module.h>
29
30#include <linux/types.h>
31#include <linux/errno.h>
32#include <linux/kernel.h>
33#include <linux/sched.h>
34#include <linux/slab.h>
35#include <linux/poll.h>
36#include <linux/fcntl.h>
37#include <linux/init.h>
38#include <linux/interrupt.h>
39#include <linux/socket.h>
40#include <linux/skbuff.h>
41#include <linux/list.h>
42#include <linux/device.h>
43#include <linux/debugfs.h>
44#include <linux/seq_file.h>
45#include <linux/security.h>
46#include <net/sock.h>
47
48#include <asm/system.h>
49#include <linux/uaccess.h>
50
51#include <net/bluetooth/bluetooth.h>
52#include <net/bluetooth/hci_core.h>
53#include <net/bluetooth/l2cap.h>
54#include <net/bluetooth/rfcomm.h>
55
56static const struct proto_ops rfcomm_sock_ops;
57
58static struct bt_sock_list rfcomm_sk_list = {
59 .lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock)
60};
61
62static void rfcomm_sock_close(struct sock *sk);
63static void rfcomm_sock_kill(struct sock *sk);
64
65/* ---- DLC callbacks ----
66 *
67 * called under rfcomm_dlc_lock()
68 */
69static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
70{
71 struct sock *sk = d->owner;
72 if (!sk)
73 return;
74
75 atomic_add(skb->len, &sk->sk_rmem_alloc);
76 skb_queue_tail(&sk->sk_receive_queue, skb);
77 sk->sk_data_ready(sk, skb->len);
78
79 if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
80 rfcomm_dlc_throttle(d);
81}
82
83static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
84{
85 struct sock *sk = d->owner, *parent;
86 unsigned long flags;
87
88 if (!sk)
89 return;
90
91 BT_DBG("dlc %p state %ld err %d", d, d->state, err);
92
93 local_irq_save(flags);
94 bh_lock_sock(sk);
95
96 if (err)
97 sk->sk_err = err;
98
99 sk->sk_state = d->state;
100
101 parent = bt_sk(sk)->parent;
102 if (parent) {
103 if (d->state == BT_CLOSED) {
104 sock_set_flag(sk, SOCK_ZAPPED);
105 bt_accept_unlink(sk);
106 }
107 parent->sk_data_ready(parent, 0);
108 } else {
109 if (d->state == BT_CONNECTED)
110 rfcomm_session_getaddr(d->session, &bt_sk(sk)->src, NULL);
111 sk->sk_state_change(sk);
112 }
113
114 bh_unlock_sock(sk);
115 local_irq_restore(flags);
116
117 if (parent && sock_flag(sk, SOCK_ZAPPED)) {
118 /* We have to drop DLC lock here, otherwise
119 * rfcomm_sock_destruct() will dead lock. */
120 rfcomm_dlc_unlock(d);
121 rfcomm_sock_kill(sk);
122 rfcomm_dlc_lock(d);
123 }
124}
125
126/* ---- Socket functions ---- */
127static struct sock *__rfcomm_get_sock_by_addr(u8 channel, bdaddr_t *src)
128{
129 struct sock *sk = NULL;
130 struct hlist_node *node;
131
132 sk_for_each(sk, node, &rfcomm_sk_list.head) {
133 if (rfcomm_pi(sk)->channel == channel &&
134 !bacmp(&bt_sk(sk)->src, src))
135 break;
136 }
137
138 return node ? sk : NULL;
139}
140
141/* Find socket with channel and source bdaddr.
142 * Returns closest match.
143 */
144static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
145{
146 struct sock *sk = NULL, *sk1 = NULL;
147 struct hlist_node *node;
148
149 read_lock(&rfcomm_sk_list.lock);
150
151 sk_for_each(sk, node, &rfcomm_sk_list.head) {
152 if (state && sk->sk_state != state)
153 continue;
154
155 if (rfcomm_pi(sk)->channel == channel) {
156 /* Exact match. */
157 if (!bacmp(&bt_sk(sk)->src, src))
158 break;
159
160 /* Closest match */
161 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
162 sk1 = sk;
163 }
164 }
165
166 read_unlock(&rfcomm_sk_list.lock);
167
168 return node ? sk : sk1;
169}
170
171static void rfcomm_sock_destruct(struct sock *sk)
172{
173 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
174
175 BT_DBG("sk %p dlc %p", sk, d);
176
177 skb_queue_purge(&sk->sk_receive_queue);
178 skb_queue_purge(&sk->sk_write_queue);
179
180 rfcomm_dlc_lock(d);
181 rfcomm_pi(sk)->dlc = NULL;
182
183 /* Detach DLC if it's owned by this socket */
184 if (d->owner == sk)
185 d->owner = NULL;
186 rfcomm_dlc_unlock(d);
187
188 rfcomm_dlc_put(d);
189}
190
191static void rfcomm_sock_cleanup_listen(struct sock *parent)
192{
193 struct sock *sk;
194
195 BT_DBG("parent %p", parent);
196
197 /* Close not yet accepted dlcs */
198 while ((sk = bt_accept_dequeue(parent, NULL))) {
199 rfcomm_sock_close(sk);
200 rfcomm_sock_kill(sk);
201 }
202
203 parent->sk_state = BT_CLOSED;
204 sock_set_flag(parent, SOCK_ZAPPED);
205}
206
207/* Kill socket (only if zapped and orphan)
208 * Must be called on unlocked socket.
209 */
210static void rfcomm_sock_kill(struct sock *sk)
211{
212 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
213 return;
214
215 BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, atomic_read(&sk->sk_refcnt));
216
217 /* Kill poor orphan */
218 bt_sock_unlink(&rfcomm_sk_list, sk);
219 sock_set_flag(sk, SOCK_DEAD);
220 sock_put(sk);
221}
222
223static void __rfcomm_sock_close(struct sock *sk)
224{
225 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
226
227 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
228
229 switch (sk->sk_state) {
230 case BT_LISTEN:
231 rfcomm_sock_cleanup_listen(sk);
232 break;
233
234 case BT_CONNECT:
235 case BT_CONNECT2:
236 case BT_CONFIG:
237 case BT_CONNECTED:
238 rfcomm_dlc_close(d, 0);
239
240 default:
241 sock_set_flag(sk, SOCK_ZAPPED);
242 break;
243 }
244}
245
246/* Close socket.
247 * Must be called on unlocked socket.
248 */
249static void rfcomm_sock_close(struct sock *sk)
250{
251 lock_sock(sk);
252 __rfcomm_sock_close(sk);
253 release_sock(sk);
254}
255
256static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
257{
258 struct rfcomm_pinfo *pi = rfcomm_pi(sk);
259
260 BT_DBG("sk %p", sk);
261
262 if (parent) {
263 sk->sk_type = parent->sk_type;
264 pi->dlc->defer_setup = bt_sk(parent)->defer_setup;
265
266 pi->sec_level = rfcomm_pi(parent)->sec_level;
267 pi->role_switch = rfcomm_pi(parent)->role_switch;
268
269 security_sk_clone(parent, sk);
270 } else {
271 pi->dlc->defer_setup = 0;
272
273 pi->sec_level = BT_SECURITY_LOW;
274 pi->role_switch = 0;
275 }
276
277 pi->dlc->sec_level = pi->sec_level;
278 pi->dlc->role_switch = pi->role_switch;
279}
280
281static struct proto rfcomm_proto = {
282 .name = "RFCOMM",
283 .owner = THIS_MODULE,
284 .obj_size = sizeof(struct rfcomm_pinfo)
285};
286
287static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
288{
289 struct rfcomm_dlc *d;
290 struct sock *sk;
291
292 sk = sk_alloc(net, PF_BLUETOOTH, prio, &rfcomm_proto);
293 if (!sk)
294 return NULL;
295
296 sock_init_data(sock, sk);
297 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
298
299 d = rfcomm_dlc_alloc(prio);
300 if (!d) {
301 sk_free(sk);
302 return NULL;
303 }
304
305 d->data_ready = rfcomm_sk_data_ready;
306 d->state_change = rfcomm_sk_state_change;
307
308 rfcomm_pi(sk)->dlc = d;
309 d->owner = sk;
310
311 sk->sk_destruct = rfcomm_sock_destruct;
312 sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT;
313
314 sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
315 sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
316
317 sock_reset_flag(sk, SOCK_ZAPPED);
318
319 sk->sk_protocol = proto;
320 sk->sk_state = BT_OPEN;
321
322 bt_sock_link(&rfcomm_sk_list, sk);
323
324 BT_DBG("sk %p", sk);
325 return sk;
326}
327
328static int rfcomm_sock_create(struct net *net, struct socket *sock,
329 int protocol, int kern)
330{
331 struct sock *sk;
332
333 BT_DBG("sock %p", sock);
334
335 sock->state = SS_UNCONNECTED;
336
337 if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW)
338 return -ESOCKTNOSUPPORT;
339
340 sock->ops = &rfcomm_sock_ops;
341
342 sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC);
343 if (!sk)
344 return -ENOMEM;
345
346 rfcomm_sock_init(sk, NULL);
347 return 0;
348}
349
350static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
351{
352 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
353 struct sock *sk = sock->sk;
354 int err = 0;
355
356 BT_DBG("sk %p %s", sk, batostr(&sa->rc_bdaddr));
357
358 if (!addr || addr->sa_family != AF_BLUETOOTH)
359 return -EINVAL;
360
361 lock_sock(sk);
362
363 if (sk->sk_state != BT_OPEN) {
364 err = -EBADFD;
365 goto done;
366 }
367
368 if (sk->sk_type != SOCK_STREAM) {
369 err = -EINVAL;
370 goto done;
371 }
372
373 write_lock_bh(&rfcomm_sk_list.lock);
374
375 if (sa->rc_channel && __rfcomm_get_sock_by_addr(sa->rc_channel, &sa->rc_bdaddr)) {
376 err = -EADDRINUSE;
377 } else {
378 /* Save source address */
379 bacpy(&bt_sk(sk)->src, &sa->rc_bdaddr);
380 rfcomm_pi(sk)->channel = sa->rc_channel;
381 sk->sk_state = BT_BOUND;
382 }
383
384 write_unlock_bh(&rfcomm_sk_list.lock);
385
386done:
387 release_sock(sk);
388 return err;
389}
390
391static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
392{
393 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
394 struct sock *sk = sock->sk;
395 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
396 int err = 0;
397
398 BT_DBG("sk %p", sk);
399
400 if (alen < sizeof(struct sockaddr_rc) ||
401 addr->sa_family != AF_BLUETOOTH)
402 return -EINVAL;
403
404 lock_sock(sk);
405
406 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
407 err = -EBADFD;
408 goto done;
409 }
410
411 if (sk->sk_type != SOCK_STREAM) {
412 err = -EINVAL;
413 goto done;
414 }
415
416 sk->sk_state = BT_CONNECT;
417 bacpy(&bt_sk(sk)->dst, &sa->rc_bdaddr);
418 rfcomm_pi(sk)->channel = sa->rc_channel;
419
420 d->sec_level = rfcomm_pi(sk)->sec_level;
421 d->role_switch = rfcomm_pi(sk)->role_switch;
422
423 err = rfcomm_dlc_open(d, &bt_sk(sk)->src, &sa->rc_bdaddr, sa->rc_channel);
424 if (!err)
425 err = bt_sock_wait_state(sk, BT_CONNECTED,
426 sock_sndtimeo(sk, flags & O_NONBLOCK));
427
428done:
429 release_sock(sk);
430 return err;
431}
432
433static int rfcomm_sock_listen(struct socket *sock, int backlog)
434{
435 struct sock *sk = sock->sk;
436 int err = 0;
437
438 BT_DBG("sk %p backlog %d", sk, backlog);
439
440 lock_sock(sk);
441
442 if (sk->sk_state != BT_BOUND) {
443 err = -EBADFD;
444 goto done;
445 }
446
447 if (sk->sk_type != SOCK_STREAM) {
448 err = -EINVAL;
449 goto done;
450 }
451
452 if (!rfcomm_pi(sk)->channel) {
453 bdaddr_t *src = &bt_sk(sk)->src;
454 u8 channel;
455
456 err = -EINVAL;
457
458 write_lock_bh(&rfcomm_sk_list.lock);
459
460 for (channel = 1; channel < 31; channel++)
461 if (!__rfcomm_get_sock_by_addr(channel, src)) {
462 rfcomm_pi(sk)->channel = channel;
463 err = 0;
464 break;
465 }
466
467 write_unlock_bh(&rfcomm_sk_list.lock);
468
469 if (err < 0)
470 goto done;
471 }
472
473 sk->sk_max_ack_backlog = backlog;
474 sk->sk_ack_backlog = 0;
475 sk->sk_state = BT_LISTEN;
476
477done:
478 release_sock(sk);
479 return err;
480}
481
482static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int flags)
483{
484 DECLARE_WAITQUEUE(wait, current);
485 struct sock *sk = sock->sk, *nsk;
486 long timeo;
487 int err = 0;
488
489 lock_sock(sk);
490
491 if (sk->sk_type != SOCK_STREAM) {
492 err = -EINVAL;
493 goto done;
494 }
495
496 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
497
498 BT_DBG("sk %p timeo %ld", sk, timeo);
499
500 /* Wait for an incoming connection. (wake-one). */
501 add_wait_queue_exclusive(sk_sleep(sk), &wait);
502 while (1) {
503 set_current_state(TASK_INTERRUPTIBLE);
504
505 if (sk->sk_state != BT_LISTEN) {
506 err = -EBADFD;
507 break;
508 }
509
510 nsk = bt_accept_dequeue(sk, newsock);
511 if (nsk)
512 break;
513
514 if (!timeo) {
515 err = -EAGAIN;
516 break;
517 }
518
519 if (signal_pending(current)) {
520 err = sock_intr_errno(timeo);
521 break;
522 }
523
524 release_sock(sk);
525 timeo = schedule_timeout(timeo);
526 lock_sock(sk);
527 }
528 __set_current_state(TASK_RUNNING);
529 remove_wait_queue(sk_sleep(sk), &wait);
530
531 if (err)
532 goto done;
533
534 newsock->state = SS_CONNECTED;
535
536 BT_DBG("new socket %p", nsk);
537
538done:
539 release_sock(sk);
540 return err;
541}
542
543static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
544{
545 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
546 struct sock *sk = sock->sk;
547
548 BT_DBG("sock %p, sk %p", sock, sk);
549
550 sa->rc_family = AF_BLUETOOTH;
551 sa->rc_channel = rfcomm_pi(sk)->channel;
552 if (peer)
553 bacpy(&sa->rc_bdaddr, &bt_sk(sk)->dst);
554 else
555 bacpy(&sa->rc_bdaddr, &bt_sk(sk)->src);
556
557 *len = sizeof(struct sockaddr_rc);
558 return 0;
559}
560
561static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
562 struct msghdr *msg, size_t len)
563{
564 struct sock *sk = sock->sk;
565 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
566 struct sk_buff *skb;
567 int sent = 0;
568
569 if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
570 return -ENOTCONN;
571
572 if (msg->msg_flags & MSG_OOB)
573 return -EOPNOTSUPP;
574
575 if (sk->sk_shutdown & SEND_SHUTDOWN)
576 return -EPIPE;
577
578 BT_DBG("sock %p, sk %p", sock, sk);
579
580 lock_sock(sk);
581
582 while (len) {
583 size_t size = min_t(size_t, len, d->mtu);
584 int err;
585
586 skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE,
587 msg->msg_flags & MSG_DONTWAIT, &err);
588 if (!skb) {
589 if (sent == 0)
590 sent = err;
591 break;
592 }
593 skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);
594
595 err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);
596 if (err) {
597 kfree_skb(skb);
598 if (sent == 0)
599 sent = err;
600 break;
601 }
602
603 err = rfcomm_dlc_send(d, skb);
604 if (err < 0) {
605 kfree_skb(skb);
606 if (sent == 0)
607 sent = err;
608 break;
609 }
610
611 sent += size;
612 len -= size;
613 }
614
615 release_sock(sk);
616
617 return sent;
618}
619
620static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
621 struct msghdr *msg, size_t size, int flags)
622{
623 struct sock *sk = sock->sk;
624 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
625 int len;
626
627 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
628 rfcomm_dlc_accept(d);
629 return 0;
630 }
631
632 len = bt_sock_stream_recvmsg(iocb, sock, msg, size, flags);
633
634 lock_sock(sk);
635 if (!(flags & MSG_PEEK) && len > 0)
636 atomic_sub(len, &sk->sk_rmem_alloc);
637
638 if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2))
639 rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc);
640 release_sock(sk);
641
642 return len;
643}
644
645static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
646{
647 struct sock *sk = sock->sk;
648 int err = 0;
649 u32 opt;
650
651 BT_DBG("sk %p", sk);
652
653 lock_sock(sk);
654
655 switch (optname) {
656 case RFCOMM_LM:
657 if (get_user(opt, (u32 __user *) optval)) {
658 err = -EFAULT;
659 break;
660 }
661
662 if (opt & RFCOMM_LM_AUTH)
663 rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
664 if (opt & RFCOMM_LM_ENCRYPT)
665 rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
666 if (opt & RFCOMM_LM_SECURE)
667 rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;
668
669 rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
670 break;
671
672 default:
673 err = -ENOPROTOOPT;
674 break;
675 }
676
677 release_sock(sk);
678 return err;
679}
680
681static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
682{
683 struct sock *sk = sock->sk;
684 struct bt_security sec;
685 int err = 0;
686 size_t len;
687 u32 opt;
688
689 BT_DBG("sk %p", sk);
690
691 if (level == SOL_RFCOMM)
692 return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);
693
694 if (level != SOL_BLUETOOTH)
695 return -ENOPROTOOPT;
696
697 lock_sock(sk);
698
699 switch (optname) {
700 case BT_SECURITY:
701 if (sk->sk_type != SOCK_STREAM) {
702 err = -EINVAL;
703 break;
704 }
705
706 sec.level = BT_SECURITY_LOW;
707
708 len = min_t(unsigned int, sizeof(sec), optlen);
709 if (copy_from_user((char *) &sec, optval, len)) {
710 err = -EFAULT;
711 break;
712 }
713
714 if (sec.level > BT_SECURITY_HIGH) {
715 err = -EINVAL;
716 break;
717 }
718
719 rfcomm_pi(sk)->sec_level = sec.level;
720 break;
721
722 case BT_DEFER_SETUP:
723 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
724 err = -EINVAL;
725 break;
726 }
727
728 if (get_user(opt, (u32 __user *) optval)) {
729 err = -EFAULT;
730 break;
731 }
732
733 bt_sk(sk)->defer_setup = opt;
734 break;
735
736 default:
737 err = -ENOPROTOOPT;
738 break;
739 }
740
741 release_sock(sk);
742 return err;
743}
744
745static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
746{
747 struct sock *sk = sock->sk;
748 struct rfcomm_conninfo cinfo;
749 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
750 int len, err = 0;
751 u32 opt;
752
753 BT_DBG("sk %p", sk);
754
755 if (get_user(len, optlen))
756 return -EFAULT;
757
758 lock_sock(sk);
759
760 switch (optname) {
761 case RFCOMM_LM:
762 switch (rfcomm_pi(sk)->sec_level) {
763 case BT_SECURITY_LOW:
764 opt = RFCOMM_LM_AUTH;
765 break;
766 case BT_SECURITY_MEDIUM:
767 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
768 break;
769 case BT_SECURITY_HIGH:
770 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
771 RFCOMM_LM_SECURE;
772 break;
773 default:
774 opt = 0;
775 break;
776 }
777
778 if (rfcomm_pi(sk)->role_switch)
779 opt |= RFCOMM_LM_MASTER;
780
781 if (put_user(opt, (u32 __user *) optval))
782 err = -EFAULT;
783 break;
784
785 case RFCOMM_CONNINFO:
786 if (sk->sk_state != BT_CONNECTED &&
787 !rfcomm_pi(sk)->dlc->defer_setup) {
788 err = -ENOTCONN;
789 break;
790 }
791
792 memset(&cinfo, 0, sizeof(cinfo));
793 cinfo.hci_handle = conn->hcon->handle;
794 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
795
796 len = min_t(unsigned int, len, sizeof(cinfo));
797 if (copy_to_user(optval, (char *) &cinfo, len))
798 err = -EFAULT;
799
800 break;
801
802 default:
803 err = -ENOPROTOOPT;
804 break;
805 }
806
807 release_sock(sk);
808 return err;
809}
810
811static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
812{
813 struct sock *sk = sock->sk;
814 struct bt_security sec;
815 int len, err = 0;
816
817 BT_DBG("sk %p", sk);
818
819 if (level == SOL_RFCOMM)
820 return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen);
821
822 if (level != SOL_BLUETOOTH)
823 return -ENOPROTOOPT;
824
825 if (get_user(len, optlen))
826 return -EFAULT;
827
828 lock_sock(sk);
829
830 switch (optname) {
831 case BT_SECURITY:
832 if (sk->sk_type != SOCK_STREAM) {
833 err = -EINVAL;
834 break;
835 }
836
837 sec.level = rfcomm_pi(sk)->sec_level;
838
839 len = min_t(unsigned int, len, sizeof(sec));
840 if (copy_to_user(optval, (char *) &sec, len))
841 err = -EFAULT;
842
843 break;
844
845 case BT_DEFER_SETUP:
846 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
847 err = -EINVAL;
848 break;
849 }
850
851 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
852 err = -EFAULT;
853
854 break;
855
856 default:
857 err = -ENOPROTOOPT;
858 break;
859 }
860
861 release_sock(sk);
862 return err;
863}
864
865static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
866{
867 struct sock *sk __maybe_unused = sock->sk;
868 int err;
869
870 BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg);
871
872 err = bt_sock_ioctl(sock, cmd, arg);
873
874 if (err == -ENOIOCTLCMD) {
875#ifdef CONFIG_BT_RFCOMM_TTY
876 lock_sock(sk);
877 err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
878 release_sock(sk);
879#else
880 err = -EOPNOTSUPP;
881#endif
882 }
883
884 return err;
885}
886
887static int rfcomm_sock_shutdown(struct socket *sock, int how)
888{
889 struct sock *sk = sock->sk;
890 int err = 0;
891
892 BT_DBG("sock %p, sk %p", sock, sk);
893
894 if (!sk)
895 return 0;
896
897 lock_sock(sk);
898 if (!sk->sk_shutdown) {
899 sk->sk_shutdown = SHUTDOWN_MASK;
900 __rfcomm_sock_close(sk);
901
902 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
903 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
904 }
905 release_sock(sk);
906 return err;
907}
908
909static int rfcomm_sock_release(struct socket *sock)
910{
911 struct sock *sk = sock->sk;
912 int err;
913
914 BT_DBG("sock %p, sk %p", sock, sk);
915
916 if (!sk)
917 return 0;
918
919 err = rfcomm_sock_shutdown(sock, 2);
920
921 sock_orphan(sk);
922 rfcomm_sock_kill(sk);
923 return err;
924}
925
926/* ---- RFCOMM core layer callbacks ----
927 *
928 * called under rfcomm_lock()
929 */
930int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d)
931{
932 struct sock *sk, *parent;
933 bdaddr_t src, dst;
934 int result = 0;
935
936 BT_DBG("session %p channel %d", s, channel);
937
938 rfcomm_session_getaddr(s, &src, &dst);
939
940 /* Check if we have socket listening on channel */
941 parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src);
942 if (!parent)
943 return 0;
944
945 bh_lock_sock(parent);
946
947 /* Check for backlog size */
948 if (sk_acceptq_is_full(parent)) {
949 BT_DBG("backlog full %d", parent->sk_ack_backlog);
950 goto done;
951 }
952
953 sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC);
954 if (!sk)
955 goto done;
956
957 rfcomm_sock_init(sk, parent);
958 bacpy(&bt_sk(sk)->src, &src);
959 bacpy(&bt_sk(sk)->dst, &dst);
960 rfcomm_pi(sk)->channel = channel;
961
962 sk->sk_state = BT_CONFIG;
963 bt_accept_enqueue(parent, sk);
964
965 /* Accept connection and return socket DLC */
966 *d = rfcomm_pi(sk)->dlc;
967 result = 1;
968
969done:
970 bh_unlock_sock(parent);
971
972 if (bt_sk(parent)->defer_setup)
973 parent->sk_state_change(parent);
974
975 return result;
976}
977
978static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
979{
980 struct sock *sk;
981 struct hlist_node *node;
982
983 read_lock_bh(&rfcomm_sk_list.lock);
984
985 sk_for_each(sk, node, &rfcomm_sk_list.head) {
986 seq_printf(f, "%s %s %d %d\n",
987 batostr(&bt_sk(sk)->src),
988 batostr(&bt_sk(sk)->dst),
989 sk->sk_state, rfcomm_pi(sk)->channel);
990 }
991
992 read_unlock_bh(&rfcomm_sk_list.lock);
993
994 return 0;
995}
996
997static int rfcomm_sock_debugfs_open(struct inode *inode, struct file *file)
998{
999 return single_open(file, rfcomm_sock_debugfs_show, inode->i_private);
1000}
1001
1002static const struct file_operations rfcomm_sock_debugfs_fops = {
1003 .open = rfcomm_sock_debugfs_open,
1004 .read = seq_read,
1005 .llseek = seq_lseek,
1006 .release = single_release,
1007};
1008
1009static struct dentry *rfcomm_sock_debugfs;
1010
1011static const struct proto_ops rfcomm_sock_ops = {
1012 .family = PF_BLUETOOTH,
1013 .owner = THIS_MODULE,
1014 .release = rfcomm_sock_release,
1015 .bind = rfcomm_sock_bind,
1016 .connect = rfcomm_sock_connect,
1017 .listen = rfcomm_sock_listen,
1018 .accept = rfcomm_sock_accept,
1019 .getname = rfcomm_sock_getname,
1020 .sendmsg = rfcomm_sock_sendmsg,
1021 .recvmsg = rfcomm_sock_recvmsg,
1022 .shutdown = rfcomm_sock_shutdown,
1023 .setsockopt = rfcomm_sock_setsockopt,
1024 .getsockopt = rfcomm_sock_getsockopt,
1025 .ioctl = rfcomm_sock_ioctl,
1026 .poll = bt_sock_poll,
1027 .socketpair = sock_no_socketpair,
1028 .mmap = sock_no_mmap
1029};
1030
1031static const struct net_proto_family rfcomm_sock_family_ops = {
1032 .family = PF_BLUETOOTH,
1033 .owner = THIS_MODULE,
1034 .create = rfcomm_sock_create
1035};
1036
1037int __init rfcomm_init_sockets(void)
1038{
1039 int err;
1040
1041 err = proto_register(&rfcomm_proto, 0);
1042 if (err < 0)
1043 return err;
1044
1045 err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops);
1046 if (err < 0)
1047 goto error;
1048
1049 if (bt_debugfs) {
1050 rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444,
1051 bt_debugfs, NULL, &rfcomm_sock_debugfs_fops);
1052 if (!rfcomm_sock_debugfs)
1053 BT_ERR("Failed to create RFCOMM debug file");
1054 }
1055
1056 BT_INFO("RFCOMM socket layer initialized");
1057
1058 return 0;
1059
1060error:
1061 BT_ERR("RFCOMM socket layer registration failed");
1062 proto_unregister(&rfcomm_proto);
1063 return err;
1064}
1065
1066void __exit rfcomm_cleanup_sockets(void)
1067{
1068 debugfs_remove(rfcomm_sock_debugfs);
1069
1070 if (bt_sock_unregister(BTPROTO_RFCOMM) < 0)
1071 BT_ERR("RFCOMM socket layer unregistration failed");
1072
1073 proto_unregister(&rfcomm_proto);
1074}
1/*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22*/
23
24/*
25 * RFCOMM sockets.
26 */
27#include <linux/compat.h>
28#include <linux/export.h>
29#include <linux/debugfs.h>
30#include <linux/sched/signal.h>
31
32#include <net/bluetooth/bluetooth.h>
33#include <net/bluetooth/hci_core.h>
34#include <net/bluetooth/l2cap.h>
35#include <net/bluetooth/rfcomm.h>
36
37static const struct proto_ops rfcomm_sock_ops;
38
39static struct bt_sock_list rfcomm_sk_list = {
40 .lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock)
41};
42
43static void rfcomm_sock_close(struct sock *sk);
44static void rfcomm_sock_kill(struct sock *sk);
45
46/* ---- DLC callbacks ----
47 *
48 * called under rfcomm_dlc_lock()
49 */
50static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
51{
52 struct sock *sk = d->owner;
53 if (!sk)
54 return;
55
56 atomic_add(skb->len, &sk->sk_rmem_alloc);
57 skb_queue_tail(&sk->sk_receive_queue, skb);
58 sk->sk_data_ready(sk);
59
60 if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
61 rfcomm_dlc_throttle(d);
62}
63
64static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
65{
66 struct sock *sk = d->owner, *parent;
67
68 if (!sk)
69 return;
70
71 BT_DBG("dlc %p state %ld err %d", d, d->state, err);
72
73 lock_sock(sk);
74
75 if (err)
76 sk->sk_err = err;
77
78 sk->sk_state = d->state;
79
80 parent = bt_sk(sk)->parent;
81 if (parent) {
82 if (d->state == BT_CLOSED) {
83 sock_set_flag(sk, SOCK_ZAPPED);
84 bt_accept_unlink(sk);
85 }
86 parent->sk_data_ready(parent);
87 } else {
88 if (d->state == BT_CONNECTED)
89 rfcomm_session_getaddr(d->session,
90 &rfcomm_pi(sk)->src, NULL);
91 sk->sk_state_change(sk);
92 }
93
94 release_sock(sk);
95
96 if (parent && sock_flag(sk, SOCK_ZAPPED)) {
97 /* We have to drop DLC lock here, otherwise
98 * rfcomm_sock_destruct() will dead lock. */
99 rfcomm_dlc_unlock(d);
100 rfcomm_sock_kill(sk);
101 rfcomm_dlc_lock(d);
102 }
103}
104
105/* ---- Socket functions ---- */
106static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
107{
108 struct sock *sk = NULL;
109
110 sk_for_each(sk, &rfcomm_sk_list.head) {
111 if (rfcomm_pi(sk)->channel != channel)
112 continue;
113
114 if (bacmp(&rfcomm_pi(sk)->src, src))
115 continue;
116
117 if (sk->sk_state == BT_BOUND || sk->sk_state == BT_LISTEN)
118 break;
119 }
120
121 return sk ? sk : NULL;
122}
123
124/* Find socket with channel and source bdaddr.
125 * Returns closest match.
126 */
127static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
128{
129 struct sock *sk = NULL, *sk1 = NULL;
130
131 read_lock(&rfcomm_sk_list.lock);
132
133 sk_for_each(sk, &rfcomm_sk_list.head) {
134 if (state && sk->sk_state != state)
135 continue;
136
137 if (rfcomm_pi(sk)->channel == channel) {
138 /* Exact match. */
139 if (!bacmp(&rfcomm_pi(sk)->src, src))
140 break;
141
142 /* Closest match */
143 if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY))
144 sk1 = sk;
145 }
146 }
147
148 read_unlock(&rfcomm_sk_list.lock);
149
150 return sk ? sk : sk1;
151}
152
153static void rfcomm_sock_destruct(struct sock *sk)
154{
155 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
156
157 BT_DBG("sk %p dlc %p", sk, d);
158
159 skb_queue_purge(&sk->sk_receive_queue);
160 skb_queue_purge(&sk->sk_write_queue);
161
162 rfcomm_dlc_lock(d);
163 rfcomm_pi(sk)->dlc = NULL;
164
165 /* Detach DLC if it's owned by this socket */
166 if (d->owner == sk)
167 d->owner = NULL;
168 rfcomm_dlc_unlock(d);
169
170 rfcomm_dlc_put(d);
171}
172
173static void rfcomm_sock_cleanup_listen(struct sock *parent)
174{
175 struct sock *sk;
176
177 BT_DBG("parent %p", parent);
178
179 /* Close not yet accepted dlcs */
180 while ((sk = bt_accept_dequeue(parent, NULL))) {
181 rfcomm_sock_close(sk);
182 rfcomm_sock_kill(sk);
183 }
184
185 parent->sk_state = BT_CLOSED;
186 sock_set_flag(parent, SOCK_ZAPPED);
187}
188
189/* Kill socket (only if zapped and orphan)
190 * Must be called on unlocked socket.
191 */
192static void rfcomm_sock_kill(struct sock *sk)
193{
194 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
195 return;
196
197 BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, refcount_read(&sk->sk_refcnt));
198
199 /* Kill poor orphan */
200 bt_sock_unlink(&rfcomm_sk_list, sk);
201 sock_set_flag(sk, SOCK_DEAD);
202 sock_put(sk);
203}
204
205static void __rfcomm_sock_close(struct sock *sk)
206{
207 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
208
209 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
210
211 switch (sk->sk_state) {
212 case BT_LISTEN:
213 rfcomm_sock_cleanup_listen(sk);
214 break;
215
216 case BT_CONNECT:
217 case BT_CONNECT2:
218 case BT_CONFIG:
219 case BT_CONNECTED:
220 rfcomm_dlc_close(d, 0);
221 fallthrough;
222
223 default:
224 sock_set_flag(sk, SOCK_ZAPPED);
225 break;
226 }
227}
228
229/* Close socket.
230 * Must be called on unlocked socket.
231 */
232static void rfcomm_sock_close(struct sock *sk)
233{
234 lock_sock(sk);
235 __rfcomm_sock_close(sk);
236 release_sock(sk);
237}
238
239static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
240{
241 struct rfcomm_pinfo *pi = rfcomm_pi(sk);
242
243 BT_DBG("sk %p", sk);
244
245 if (parent) {
246 sk->sk_type = parent->sk_type;
247 pi->dlc->defer_setup = test_bit(BT_SK_DEFER_SETUP,
248 &bt_sk(parent)->flags);
249
250 pi->sec_level = rfcomm_pi(parent)->sec_level;
251 pi->role_switch = rfcomm_pi(parent)->role_switch;
252
253 security_sk_clone(parent, sk);
254 } else {
255 pi->dlc->defer_setup = 0;
256
257 pi->sec_level = BT_SECURITY_LOW;
258 pi->role_switch = 0;
259 }
260
261 pi->dlc->sec_level = pi->sec_level;
262 pi->dlc->role_switch = pi->role_switch;
263}
264
265static struct proto rfcomm_proto = {
266 .name = "RFCOMM",
267 .owner = THIS_MODULE,
268 .obj_size = sizeof(struct rfcomm_pinfo)
269};
270
271static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio, int kern)
272{
273 struct rfcomm_dlc *d;
274 struct sock *sk;
275
276 sk = sk_alloc(net, PF_BLUETOOTH, prio, &rfcomm_proto, kern);
277 if (!sk)
278 return NULL;
279
280 sock_init_data(sock, sk);
281 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
282
283 d = rfcomm_dlc_alloc(prio);
284 if (!d) {
285 sk_free(sk);
286 return NULL;
287 }
288
289 d->data_ready = rfcomm_sk_data_ready;
290 d->state_change = rfcomm_sk_state_change;
291
292 rfcomm_pi(sk)->dlc = d;
293 d->owner = sk;
294
295 sk->sk_destruct = rfcomm_sock_destruct;
296 sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT;
297
298 sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
299 sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
300
301 sock_reset_flag(sk, SOCK_ZAPPED);
302
303 sk->sk_protocol = proto;
304 sk->sk_state = BT_OPEN;
305
306 bt_sock_link(&rfcomm_sk_list, sk);
307
308 BT_DBG("sk %p", sk);
309 return sk;
310}
311
312static int rfcomm_sock_create(struct net *net, struct socket *sock,
313 int protocol, int kern)
314{
315 struct sock *sk;
316
317 BT_DBG("sock %p", sock);
318
319 sock->state = SS_UNCONNECTED;
320
321 if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW)
322 return -ESOCKTNOSUPPORT;
323
324 sock->ops = &rfcomm_sock_ops;
325
326 sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
327 if (!sk)
328 return -ENOMEM;
329
330 rfcomm_sock_init(sk, NULL);
331 return 0;
332}
333
334static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
335{
336 struct sockaddr_rc sa;
337 struct sock *sk = sock->sk;
338 int len, err = 0;
339
340 if (!addr || addr_len < offsetofend(struct sockaddr, sa_family) ||
341 addr->sa_family != AF_BLUETOOTH)
342 return -EINVAL;
343
344 memset(&sa, 0, sizeof(sa));
345 len = min_t(unsigned int, sizeof(sa), addr_len);
346 memcpy(&sa, addr, len);
347
348 BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);
349
350 lock_sock(sk);
351
352 if (sk->sk_state != BT_OPEN) {
353 err = -EBADFD;
354 goto done;
355 }
356
357 if (sk->sk_type != SOCK_STREAM) {
358 err = -EINVAL;
359 goto done;
360 }
361
362 write_lock(&rfcomm_sk_list.lock);
363
364 if (sa.rc_channel &&
365 __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
366 err = -EADDRINUSE;
367 } else {
368 /* Save source address */
369 bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr);
370 rfcomm_pi(sk)->channel = sa.rc_channel;
371 sk->sk_state = BT_BOUND;
372 }
373
374 write_unlock(&rfcomm_sk_list.lock);
375
376done:
377 release_sock(sk);
378 return err;
379}
380
381static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
382{
383 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
384 struct sock *sk = sock->sk;
385 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
386 int err = 0;
387
388 BT_DBG("sk %p", sk);
389
390 if (alen < sizeof(struct sockaddr_rc) ||
391 addr->sa_family != AF_BLUETOOTH)
392 return -EINVAL;
393
394 sock_hold(sk);
395 lock_sock(sk);
396
397 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
398 err = -EBADFD;
399 goto done;
400 }
401
402 if (sk->sk_type != SOCK_STREAM) {
403 err = -EINVAL;
404 goto done;
405 }
406
407 sk->sk_state = BT_CONNECT;
408 bacpy(&rfcomm_pi(sk)->dst, &sa->rc_bdaddr);
409 rfcomm_pi(sk)->channel = sa->rc_channel;
410
411 d->sec_level = rfcomm_pi(sk)->sec_level;
412 d->role_switch = rfcomm_pi(sk)->role_switch;
413
414 /* Drop sock lock to avoid potential deadlock with the RFCOMM lock */
415 release_sock(sk);
416 err = rfcomm_dlc_open(d, &rfcomm_pi(sk)->src, &sa->rc_bdaddr,
417 sa->rc_channel);
418 lock_sock(sk);
419 if (!err && !sock_flag(sk, SOCK_ZAPPED))
420 err = bt_sock_wait_state(sk, BT_CONNECTED,
421 sock_sndtimeo(sk, flags & O_NONBLOCK));
422
423done:
424 release_sock(sk);
425 sock_put(sk);
426 return err;
427}
428
429static int rfcomm_sock_listen(struct socket *sock, int backlog)
430{
431 struct sock *sk = sock->sk;
432 int err = 0;
433
434 BT_DBG("sk %p backlog %d", sk, backlog);
435
436 lock_sock(sk);
437
438 if (sk->sk_state != BT_BOUND) {
439 err = -EBADFD;
440 goto done;
441 }
442
443 if (sk->sk_type != SOCK_STREAM) {
444 err = -EINVAL;
445 goto done;
446 }
447
448 if (!rfcomm_pi(sk)->channel) {
449 bdaddr_t *src = &rfcomm_pi(sk)->src;
450 u8 channel;
451
452 err = -EINVAL;
453
454 write_lock(&rfcomm_sk_list.lock);
455
456 for (channel = 1; channel < 31; channel++)
457 if (!__rfcomm_get_listen_sock_by_addr(channel, src)) {
458 rfcomm_pi(sk)->channel = channel;
459 err = 0;
460 break;
461 }
462
463 write_unlock(&rfcomm_sk_list.lock);
464
465 if (err < 0)
466 goto done;
467 }
468
469 sk->sk_max_ack_backlog = backlog;
470 sk->sk_ack_backlog = 0;
471 sk->sk_state = BT_LISTEN;
472
473done:
474 release_sock(sk);
475 return err;
476}
477
478static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int flags,
479 bool kern)
480{
481 DEFINE_WAIT_FUNC(wait, woken_wake_function);
482 struct sock *sk = sock->sk, *nsk;
483 long timeo;
484 int err = 0;
485
486 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
487
488 if (sk->sk_type != SOCK_STREAM) {
489 err = -EINVAL;
490 goto done;
491 }
492
493 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
494
495 BT_DBG("sk %p timeo %ld", sk, timeo);
496
497 /* Wait for an incoming connection. (wake-one). */
498 add_wait_queue_exclusive(sk_sleep(sk), &wait);
499 while (1) {
500 if (sk->sk_state != BT_LISTEN) {
501 err = -EBADFD;
502 break;
503 }
504
505 nsk = bt_accept_dequeue(sk, newsock);
506 if (nsk)
507 break;
508
509 if (!timeo) {
510 err = -EAGAIN;
511 break;
512 }
513
514 if (signal_pending(current)) {
515 err = sock_intr_errno(timeo);
516 break;
517 }
518
519 release_sock(sk);
520
521 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
522
523 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
524 }
525 remove_wait_queue(sk_sleep(sk), &wait);
526
527 if (err)
528 goto done;
529
530 newsock->state = SS_CONNECTED;
531
532 BT_DBG("new socket %p", nsk);
533
534done:
535 release_sock(sk);
536 return err;
537}
538
539static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int peer)
540{
541 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
542 struct sock *sk = sock->sk;
543
544 BT_DBG("sock %p, sk %p", sock, sk);
545
546 if (peer && sk->sk_state != BT_CONNECTED &&
547 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2)
548 return -ENOTCONN;
549
550 memset(sa, 0, sizeof(*sa));
551 sa->rc_family = AF_BLUETOOTH;
552 sa->rc_channel = rfcomm_pi(sk)->channel;
553 if (peer)
554 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->dst);
555 else
556 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->src);
557
558 return sizeof(struct sockaddr_rc);
559}
560
561static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg,
562 size_t len)
563{
564 struct sock *sk = sock->sk;
565 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
566 struct sk_buff *skb;
567 int sent;
568
569 if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
570 return -ENOTCONN;
571
572 if (msg->msg_flags & MSG_OOB)
573 return -EOPNOTSUPP;
574
575 if (sk->sk_shutdown & SEND_SHUTDOWN)
576 return -EPIPE;
577
578 BT_DBG("sock %p, sk %p", sock, sk);
579
580 lock_sock(sk);
581
582 sent = bt_sock_wait_ready(sk, msg->msg_flags);
583
584 release_sock(sk);
585
586 if (sent)
587 return sent;
588
589 skb = bt_skb_sendmmsg(sk, msg, len, d->mtu, RFCOMM_SKB_HEAD_RESERVE,
590 RFCOMM_SKB_TAIL_RESERVE);
591 if (IS_ERR(skb))
592 return PTR_ERR(skb);
593
594 sent = rfcomm_dlc_send(d, skb);
595 if (sent < 0)
596 kfree_skb(skb);
597
598 return sent;
599}
600
601static int rfcomm_sock_recvmsg(struct socket *sock, struct msghdr *msg,
602 size_t size, int flags)
603{
604 struct sock *sk = sock->sk;
605 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
606 int len;
607
608 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
609 rfcomm_dlc_accept(d);
610 return 0;
611 }
612
613 len = bt_sock_stream_recvmsg(sock, msg, size, flags);
614
615 lock_sock(sk);
616 if (!(flags & MSG_PEEK) && len > 0)
617 atomic_sub(len, &sk->sk_rmem_alloc);
618
619 if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2))
620 rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc);
621 release_sock(sk);
622
623 return len;
624}
625
626static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname,
627 sockptr_t optval, unsigned int optlen)
628{
629 struct sock *sk = sock->sk;
630 int err = 0;
631 u32 opt;
632
633 BT_DBG("sk %p", sk);
634
635 lock_sock(sk);
636
637 switch (optname) {
638 case RFCOMM_LM:
639 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
640 err = -EFAULT;
641 break;
642 }
643
644 if (opt & RFCOMM_LM_FIPS) {
645 err = -EINVAL;
646 break;
647 }
648
649 if (opt & RFCOMM_LM_AUTH)
650 rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
651 if (opt & RFCOMM_LM_ENCRYPT)
652 rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
653 if (opt & RFCOMM_LM_SECURE)
654 rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;
655
656 rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
657 break;
658
659 default:
660 err = -ENOPROTOOPT;
661 break;
662 }
663
664 release_sock(sk);
665 return err;
666}
667
668static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname,
669 sockptr_t optval, unsigned int optlen)
670{
671 struct sock *sk = sock->sk;
672 struct bt_security sec;
673 int err = 0;
674 size_t len;
675 u32 opt;
676
677 BT_DBG("sk %p", sk);
678
679 if (level == SOL_RFCOMM)
680 return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);
681
682 if (level != SOL_BLUETOOTH)
683 return -ENOPROTOOPT;
684
685 lock_sock(sk);
686
687 switch (optname) {
688 case BT_SECURITY:
689 if (sk->sk_type != SOCK_STREAM) {
690 err = -EINVAL;
691 break;
692 }
693
694 sec.level = BT_SECURITY_LOW;
695
696 len = min_t(unsigned int, sizeof(sec), optlen);
697 if (copy_from_sockptr(&sec, optval, len)) {
698 err = -EFAULT;
699 break;
700 }
701
702 if (sec.level > BT_SECURITY_HIGH) {
703 err = -EINVAL;
704 break;
705 }
706
707 rfcomm_pi(sk)->sec_level = sec.level;
708 break;
709
710 case BT_DEFER_SETUP:
711 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
712 err = -EINVAL;
713 break;
714 }
715
716 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
717 err = -EFAULT;
718 break;
719 }
720
721 if (opt)
722 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
723 else
724 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
725
726 break;
727
728 default:
729 err = -ENOPROTOOPT;
730 break;
731 }
732
733 release_sock(sk);
734 return err;
735}
736
737static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
738{
739 struct sock *sk = sock->sk;
740 struct sock *l2cap_sk;
741 struct l2cap_conn *conn;
742 struct rfcomm_conninfo cinfo;
743 int len, err = 0;
744 u32 opt;
745
746 BT_DBG("sk %p", sk);
747
748 if (get_user(len, optlen))
749 return -EFAULT;
750
751 lock_sock(sk);
752
753 switch (optname) {
754 case RFCOMM_LM:
755 switch (rfcomm_pi(sk)->sec_level) {
756 case BT_SECURITY_LOW:
757 opt = RFCOMM_LM_AUTH;
758 break;
759 case BT_SECURITY_MEDIUM:
760 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
761 break;
762 case BT_SECURITY_HIGH:
763 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
764 RFCOMM_LM_SECURE;
765 break;
766 case BT_SECURITY_FIPS:
767 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
768 RFCOMM_LM_SECURE | RFCOMM_LM_FIPS;
769 break;
770 default:
771 opt = 0;
772 break;
773 }
774
775 if (rfcomm_pi(sk)->role_switch)
776 opt |= RFCOMM_LM_MASTER;
777
778 if (put_user(opt, (u32 __user *) optval))
779 err = -EFAULT;
780
781 break;
782
783 case RFCOMM_CONNINFO:
784 if (sk->sk_state != BT_CONNECTED &&
785 !rfcomm_pi(sk)->dlc->defer_setup) {
786 err = -ENOTCONN;
787 break;
788 }
789
790 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
791 conn = l2cap_pi(l2cap_sk)->chan->conn;
792
793 memset(&cinfo, 0, sizeof(cinfo));
794 cinfo.hci_handle = conn->hcon->handle;
795 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
796
797 len = min_t(unsigned int, len, sizeof(cinfo));
798 if (copy_to_user(optval, (char *) &cinfo, len))
799 err = -EFAULT;
800
801 break;
802
803 default:
804 err = -ENOPROTOOPT;
805 break;
806 }
807
808 release_sock(sk);
809 return err;
810}
811
812static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
813{
814 struct sock *sk = sock->sk;
815 struct bt_security sec;
816 int len, err = 0;
817
818 BT_DBG("sk %p", sk);
819
820 if (level == SOL_RFCOMM)
821 return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen);
822
823 if (level != SOL_BLUETOOTH)
824 return -ENOPROTOOPT;
825
826 if (get_user(len, optlen))
827 return -EFAULT;
828
829 lock_sock(sk);
830
831 switch (optname) {
832 case BT_SECURITY:
833 if (sk->sk_type != SOCK_STREAM) {
834 err = -EINVAL;
835 break;
836 }
837
838 sec.level = rfcomm_pi(sk)->sec_level;
839 sec.key_size = 0;
840
841 len = min_t(unsigned int, len, sizeof(sec));
842 if (copy_to_user(optval, (char *) &sec, len))
843 err = -EFAULT;
844
845 break;
846
847 case BT_DEFER_SETUP:
848 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
849 err = -EINVAL;
850 break;
851 }
852
853 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
854 (u32 __user *) optval))
855 err = -EFAULT;
856
857 break;
858
859 default:
860 err = -ENOPROTOOPT;
861 break;
862 }
863
864 release_sock(sk);
865 return err;
866}
867
868static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
869{
870 struct sock *sk __maybe_unused = sock->sk;
871 int err;
872
873 BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg);
874
875 err = bt_sock_ioctl(sock, cmd, arg);
876
877 if (err == -ENOIOCTLCMD) {
878#ifdef CONFIG_BT_RFCOMM_TTY
879 lock_sock(sk);
880 err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
881 release_sock(sk);
882#else
883 err = -EOPNOTSUPP;
884#endif
885 }
886
887 return err;
888}
889
890#ifdef CONFIG_COMPAT
891static int rfcomm_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
892{
893 return rfcomm_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg));
894}
895#endif
896
897static int rfcomm_sock_shutdown(struct socket *sock, int how)
898{
899 struct sock *sk = sock->sk;
900 int err = 0;
901
902 BT_DBG("sock %p, sk %p", sock, sk);
903
904 if (!sk)
905 return 0;
906
907 lock_sock(sk);
908 if (!sk->sk_shutdown) {
909 sk->sk_shutdown = SHUTDOWN_MASK;
910
911 release_sock(sk);
912 __rfcomm_sock_close(sk);
913 lock_sock(sk);
914
915 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
916 !(current->flags & PF_EXITING))
917 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
918 }
919 release_sock(sk);
920 return err;
921}
922
923static int rfcomm_sock_release(struct socket *sock)
924{
925 struct sock *sk = sock->sk;
926 int err;
927
928 BT_DBG("sock %p, sk %p", sock, sk);
929
930 if (!sk)
931 return 0;
932
933 err = rfcomm_sock_shutdown(sock, 2);
934
935 sock_orphan(sk);
936 rfcomm_sock_kill(sk);
937 return err;
938}
939
940/* ---- RFCOMM core layer callbacks ----
941 *
942 * called under rfcomm_lock()
943 */
944int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d)
945{
946 struct sock *sk, *parent;
947 bdaddr_t src, dst;
948 int result = 0;
949
950 BT_DBG("session %p channel %d", s, channel);
951
952 rfcomm_session_getaddr(s, &src, &dst);
953
954 /* Check if we have socket listening on channel */
955 parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src);
956 if (!parent)
957 return 0;
958
959 lock_sock(parent);
960
961 /* Check for backlog size */
962 if (sk_acceptq_is_full(parent)) {
963 BT_DBG("backlog full %d", parent->sk_ack_backlog);
964 goto done;
965 }
966
967 sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC, 0);
968 if (!sk)
969 goto done;
970
971 bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM);
972
973 rfcomm_sock_init(sk, parent);
974 bacpy(&rfcomm_pi(sk)->src, &src);
975 bacpy(&rfcomm_pi(sk)->dst, &dst);
976 rfcomm_pi(sk)->channel = channel;
977
978 sk->sk_state = BT_CONFIG;
979 bt_accept_enqueue(parent, sk, true);
980
981 /* Accept connection and return socket DLC */
982 *d = rfcomm_pi(sk)->dlc;
983 result = 1;
984
985done:
986 release_sock(parent);
987
988 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
989 parent->sk_state_change(parent);
990
991 return result;
992}
993
994static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
995{
996 struct sock *sk;
997
998 read_lock(&rfcomm_sk_list.lock);
999
1000 sk_for_each(sk, &rfcomm_sk_list.head) {
1001 seq_printf(f, "%pMR %pMR %d %d\n",
1002 &rfcomm_pi(sk)->src, &rfcomm_pi(sk)->dst,
1003 sk->sk_state, rfcomm_pi(sk)->channel);
1004 }
1005
1006 read_unlock(&rfcomm_sk_list.lock);
1007
1008 return 0;
1009}
1010
1011DEFINE_SHOW_ATTRIBUTE(rfcomm_sock_debugfs);
1012
1013static struct dentry *rfcomm_sock_debugfs;
1014
1015static const struct proto_ops rfcomm_sock_ops = {
1016 .family = PF_BLUETOOTH,
1017 .owner = THIS_MODULE,
1018 .release = rfcomm_sock_release,
1019 .bind = rfcomm_sock_bind,
1020 .connect = rfcomm_sock_connect,
1021 .listen = rfcomm_sock_listen,
1022 .accept = rfcomm_sock_accept,
1023 .getname = rfcomm_sock_getname,
1024 .sendmsg = rfcomm_sock_sendmsg,
1025 .recvmsg = rfcomm_sock_recvmsg,
1026 .shutdown = rfcomm_sock_shutdown,
1027 .setsockopt = rfcomm_sock_setsockopt,
1028 .getsockopt = rfcomm_sock_getsockopt,
1029 .ioctl = rfcomm_sock_ioctl,
1030 .gettstamp = sock_gettstamp,
1031 .poll = bt_sock_poll,
1032 .socketpair = sock_no_socketpair,
1033 .mmap = sock_no_mmap,
1034#ifdef CONFIG_COMPAT
1035 .compat_ioctl = rfcomm_sock_compat_ioctl,
1036#endif
1037};
1038
1039static const struct net_proto_family rfcomm_sock_family_ops = {
1040 .family = PF_BLUETOOTH,
1041 .owner = THIS_MODULE,
1042 .create = rfcomm_sock_create
1043};
1044
1045int __init rfcomm_init_sockets(void)
1046{
1047 int err;
1048
1049 BUILD_BUG_ON(sizeof(struct sockaddr_rc) > sizeof(struct sockaddr));
1050
1051 err = proto_register(&rfcomm_proto, 0);
1052 if (err < 0)
1053 return err;
1054
1055 err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops);
1056 if (err < 0) {
1057 BT_ERR("RFCOMM socket layer registration failed");
1058 goto error;
1059 }
1060
1061 err = bt_procfs_init(&init_net, "rfcomm", &rfcomm_sk_list, NULL);
1062 if (err < 0) {
1063 BT_ERR("Failed to create RFCOMM proc file");
1064 bt_sock_unregister(BTPROTO_RFCOMM);
1065 goto error;
1066 }
1067
1068 BT_INFO("RFCOMM socket layer initialized");
1069
1070 if (IS_ERR_OR_NULL(bt_debugfs))
1071 return 0;
1072
1073 rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444,
1074 bt_debugfs, NULL,
1075 &rfcomm_sock_debugfs_fops);
1076
1077 return 0;
1078
1079error:
1080 proto_unregister(&rfcomm_proto);
1081 return err;
1082}
1083
1084void __exit rfcomm_cleanup_sockets(void)
1085{
1086 bt_procfs_cleanup(&init_net, "rfcomm");
1087
1088 debugfs_remove(rfcomm_sock_debugfs);
1089
1090 bt_sock_unregister(BTPROTO_RFCOMM);
1091
1092 proto_unregister(&rfcomm_proto);
1093}