Loading...
1/*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22*/
23
24/*
25 * RFCOMM sockets.
26 */
27
28#include <linux/export.h>
29#include <linux/debugfs.h>
30
31#include <net/bluetooth/bluetooth.h>
32#include <net/bluetooth/hci_core.h>
33#include <net/bluetooth/l2cap.h>
34#include <net/bluetooth/rfcomm.h>
35
36static const struct proto_ops rfcomm_sock_ops;
37
38static struct bt_sock_list rfcomm_sk_list = {
39 .lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock)
40};
41
42static void rfcomm_sock_close(struct sock *sk);
43static void rfcomm_sock_kill(struct sock *sk);
44
45/* ---- DLC callbacks ----
46 *
47 * called under rfcomm_dlc_lock()
48 */
49static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
50{
51 struct sock *sk = d->owner;
52 if (!sk)
53 return;
54
55 atomic_add(skb->len, &sk->sk_rmem_alloc);
56 skb_queue_tail(&sk->sk_receive_queue, skb);
57 sk->sk_data_ready(sk);
58
59 if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
60 rfcomm_dlc_throttle(d);
61}
62
63static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
64{
65 struct sock *sk = d->owner, *parent;
66 unsigned long flags;
67
68 if (!sk)
69 return;
70
71 BT_DBG("dlc %p state %ld err %d", d, d->state, err);
72
73 local_irq_save(flags);
74 bh_lock_sock(sk);
75
76 if (err)
77 sk->sk_err = err;
78
79 sk->sk_state = d->state;
80
81 parent = bt_sk(sk)->parent;
82 if (parent) {
83 if (d->state == BT_CLOSED) {
84 sock_set_flag(sk, SOCK_ZAPPED);
85 bt_accept_unlink(sk);
86 }
87 parent->sk_data_ready(parent);
88 } else {
89 if (d->state == BT_CONNECTED)
90 rfcomm_session_getaddr(d->session,
91 &rfcomm_pi(sk)->src, NULL);
92 sk->sk_state_change(sk);
93 }
94
95 bh_unlock_sock(sk);
96 local_irq_restore(flags);
97
98 if (parent && sock_flag(sk, SOCK_ZAPPED)) {
99 /* We have to drop DLC lock here, otherwise
100 * rfcomm_sock_destruct() will dead lock. */
101 rfcomm_dlc_unlock(d);
102 rfcomm_sock_kill(sk);
103 rfcomm_dlc_lock(d);
104 }
105}
106
107/* ---- Socket functions ---- */
108static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
109{
110 struct sock *sk = NULL;
111
112 sk_for_each(sk, &rfcomm_sk_list.head) {
113 if (rfcomm_pi(sk)->channel != channel)
114 continue;
115
116 if (bacmp(&rfcomm_pi(sk)->src, src))
117 continue;
118
119 if (sk->sk_state == BT_BOUND || sk->sk_state == BT_LISTEN)
120 break;
121 }
122
123 return sk ? sk : NULL;
124}
125
126/* Find socket with channel and source bdaddr.
127 * Returns closest match.
128 */
129static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
130{
131 struct sock *sk = NULL, *sk1 = NULL;
132
133 read_lock(&rfcomm_sk_list.lock);
134
135 sk_for_each(sk, &rfcomm_sk_list.head) {
136 if (state && sk->sk_state != state)
137 continue;
138
139 if (rfcomm_pi(sk)->channel == channel) {
140 /* Exact match. */
141 if (!bacmp(&rfcomm_pi(sk)->src, src))
142 break;
143
144 /* Closest match */
145 if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY))
146 sk1 = sk;
147 }
148 }
149
150 read_unlock(&rfcomm_sk_list.lock);
151
152 return sk ? sk : sk1;
153}
154
155static void rfcomm_sock_destruct(struct sock *sk)
156{
157 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
158
159 BT_DBG("sk %p dlc %p", sk, d);
160
161 skb_queue_purge(&sk->sk_receive_queue);
162 skb_queue_purge(&sk->sk_write_queue);
163
164 rfcomm_dlc_lock(d);
165 rfcomm_pi(sk)->dlc = NULL;
166
167 /* Detach DLC if it's owned by this socket */
168 if (d->owner == sk)
169 d->owner = NULL;
170 rfcomm_dlc_unlock(d);
171
172 rfcomm_dlc_put(d);
173}
174
175static void rfcomm_sock_cleanup_listen(struct sock *parent)
176{
177 struct sock *sk;
178
179 BT_DBG("parent %p", parent);
180
181 /* Close not yet accepted dlcs */
182 while ((sk = bt_accept_dequeue(parent, NULL))) {
183 rfcomm_sock_close(sk);
184 rfcomm_sock_kill(sk);
185 }
186
187 parent->sk_state = BT_CLOSED;
188 sock_set_flag(parent, SOCK_ZAPPED);
189}
190
191/* Kill socket (only if zapped and orphan)
192 * Must be called on unlocked socket.
193 */
194static void rfcomm_sock_kill(struct sock *sk)
195{
196 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
197 return;
198
199 BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, atomic_read(&sk->sk_refcnt));
200
201 /* Kill poor orphan */
202 bt_sock_unlink(&rfcomm_sk_list, sk);
203 sock_set_flag(sk, SOCK_DEAD);
204 sock_put(sk);
205}
206
207static void __rfcomm_sock_close(struct sock *sk)
208{
209 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
210
211 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
212
213 switch (sk->sk_state) {
214 case BT_LISTEN:
215 rfcomm_sock_cleanup_listen(sk);
216 break;
217
218 case BT_CONNECT:
219 case BT_CONNECT2:
220 case BT_CONFIG:
221 case BT_CONNECTED:
222 rfcomm_dlc_close(d, 0);
223
224 default:
225 sock_set_flag(sk, SOCK_ZAPPED);
226 break;
227 }
228}
229
230/* Close socket.
231 * Must be called on unlocked socket.
232 */
233static void rfcomm_sock_close(struct sock *sk)
234{
235 lock_sock(sk);
236 __rfcomm_sock_close(sk);
237 release_sock(sk);
238}
239
240static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
241{
242 struct rfcomm_pinfo *pi = rfcomm_pi(sk);
243
244 BT_DBG("sk %p", sk);
245
246 if (parent) {
247 sk->sk_type = parent->sk_type;
248 pi->dlc->defer_setup = test_bit(BT_SK_DEFER_SETUP,
249 &bt_sk(parent)->flags);
250
251 pi->sec_level = rfcomm_pi(parent)->sec_level;
252 pi->role_switch = rfcomm_pi(parent)->role_switch;
253
254 security_sk_clone(parent, sk);
255 } else {
256 pi->dlc->defer_setup = 0;
257
258 pi->sec_level = BT_SECURITY_LOW;
259 pi->role_switch = 0;
260 }
261
262 pi->dlc->sec_level = pi->sec_level;
263 pi->dlc->role_switch = pi->role_switch;
264}
265
266static struct proto rfcomm_proto = {
267 .name = "RFCOMM",
268 .owner = THIS_MODULE,
269 .obj_size = sizeof(struct rfcomm_pinfo)
270};
271
272static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio, int kern)
273{
274 struct rfcomm_dlc *d;
275 struct sock *sk;
276
277 sk = sk_alloc(net, PF_BLUETOOTH, prio, &rfcomm_proto, kern);
278 if (!sk)
279 return NULL;
280
281 sock_init_data(sock, sk);
282 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
283
284 d = rfcomm_dlc_alloc(prio);
285 if (!d) {
286 sk_free(sk);
287 return NULL;
288 }
289
290 d->data_ready = rfcomm_sk_data_ready;
291 d->state_change = rfcomm_sk_state_change;
292
293 rfcomm_pi(sk)->dlc = d;
294 d->owner = sk;
295
296 sk->sk_destruct = rfcomm_sock_destruct;
297 sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT;
298
299 sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
300 sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
301
302 sock_reset_flag(sk, SOCK_ZAPPED);
303
304 sk->sk_protocol = proto;
305 sk->sk_state = BT_OPEN;
306
307 bt_sock_link(&rfcomm_sk_list, sk);
308
309 BT_DBG("sk %p", sk);
310 return sk;
311}
312
313static int rfcomm_sock_create(struct net *net, struct socket *sock,
314 int protocol, int kern)
315{
316 struct sock *sk;
317
318 BT_DBG("sock %p", sock);
319
320 sock->state = SS_UNCONNECTED;
321
322 if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW)
323 return -ESOCKTNOSUPPORT;
324
325 sock->ops = &rfcomm_sock_ops;
326
327 sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
328 if (!sk)
329 return -ENOMEM;
330
331 rfcomm_sock_init(sk, NULL);
332 return 0;
333}
334
335static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
336{
337 struct sockaddr_rc sa;
338 struct sock *sk = sock->sk;
339 int len, err = 0;
340
341 if (!addr || addr->sa_family != AF_BLUETOOTH)
342 return -EINVAL;
343
344 memset(&sa, 0, sizeof(sa));
345 len = min_t(unsigned int, sizeof(sa), addr_len);
346 memcpy(&sa, addr, len);
347
348 BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);
349
350 lock_sock(sk);
351
352 if (sk->sk_state != BT_OPEN) {
353 err = -EBADFD;
354 goto done;
355 }
356
357 if (sk->sk_type != SOCK_STREAM) {
358 err = -EINVAL;
359 goto done;
360 }
361
362 write_lock(&rfcomm_sk_list.lock);
363
364 if (sa.rc_channel &&
365 __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
366 err = -EADDRINUSE;
367 } else {
368 /* Save source address */
369 bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr);
370 rfcomm_pi(sk)->channel = sa.rc_channel;
371 sk->sk_state = BT_BOUND;
372 }
373
374 write_unlock(&rfcomm_sk_list.lock);
375
376done:
377 release_sock(sk);
378 return err;
379}
380
381static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
382{
383 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
384 struct sock *sk = sock->sk;
385 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
386 int err = 0;
387
388 BT_DBG("sk %p", sk);
389
390 if (alen < sizeof(struct sockaddr_rc) ||
391 addr->sa_family != AF_BLUETOOTH)
392 return -EINVAL;
393
394 lock_sock(sk);
395
396 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
397 err = -EBADFD;
398 goto done;
399 }
400
401 if (sk->sk_type != SOCK_STREAM) {
402 err = -EINVAL;
403 goto done;
404 }
405
406 sk->sk_state = BT_CONNECT;
407 bacpy(&rfcomm_pi(sk)->dst, &sa->rc_bdaddr);
408 rfcomm_pi(sk)->channel = sa->rc_channel;
409
410 d->sec_level = rfcomm_pi(sk)->sec_level;
411 d->role_switch = rfcomm_pi(sk)->role_switch;
412
413 err = rfcomm_dlc_open(d, &rfcomm_pi(sk)->src, &sa->rc_bdaddr,
414 sa->rc_channel);
415 if (!err)
416 err = bt_sock_wait_state(sk, BT_CONNECTED,
417 sock_sndtimeo(sk, flags & O_NONBLOCK));
418
419done:
420 release_sock(sk);
421 return err;
422}
423
424static int rfcomm_sock_listen(struct socket *sock, int backlog)
425{
426 struct sock *sk = sock->sk;
427 int err = 0;
428
429 BT_DBG("sk %p backlog %d", sk, backlog);
430
431 lock_sock(sk);
432
433 if (sk->sk_state != BT_BOUND) {
434 err = -EBADFD;
435 goto done;
436 }
437
438 if (sk->sk_type != SOCK_STREAM) {
439 err = -EINVAL;
440 goto done;
441 }
442
443 if (!rfcomm_pi(sk)->channel) {
444 bdaddr_t *src = &rfcomm_pi(sk)->src;
445 u8 channel;
446
447 err = -EINVAL;
448
449 write_lock(&rfcomm_sk_list.lock);
450
451 for (channel = 1; channel < 31; channel++)
452 if (!__rfcomm_get_listen_sock_by_addr(channel, src)) {
453 rfcomm_pi(sk)->channel = channel;
454 err = 0;
455 break;
456 }
457
458 write_unlock(&rfcomm_sk_list.lock);
459
460 if (err < 0)
461 goto done;
462 }
463
464 sk->sk_max_ack_backlog = backlog;
465 sk->sk_ack_backlog = 0;
466 sk->sk_state = BT_LISTEN;
467
468done:
469 release_sock(sk);
470 return err;
471}
472
473static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int flags)
474{
475 DEFINE_WAIT_FUNC(wait, woken_wake_function);
476 struct sock *sk = sock->sk, *nsk;
477 long timeo;
478 int err = 0;
479
480 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
481
482 if (sk->sk_type != SOCK_STREAM) {
483 err = -EINVAL;
484 goto done;
485 }
486
487 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
488
489 BT_DBG("sk %p timeo %ld", sk, timeo);
490
491 /* Wait for an incoming connection. (wake-one). */
492 add_wait_queue_exclusive(sk_sleep(sk), &wait);
493 while (1) {
494 if (sk->sk_state != BT_LISTEN) {
495 err = -EBADFD;
496 break;
497 }
498
499 nsk = bt_accept_dequeue(sk, newsock);
500 if (nsk)
501 break;
502
503 if (!timeo) {
504 err = -EAGAIN;
505 break;
506 }
507
508 if (signal_pending(current)) {
509 err = sock_intr_errno(timeo);
510 break;
511 }
512
513 release_sock(sk);
514
515 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
516
517 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
518 }
519 remove_wait_queue(sk_sleep(sk), &wait);
520
521 if (err)
522 goto done;
523
524 newsock->state = SS_CONNECTED;
525
526 BT_DBG("new socket %p", nsk);
527
528done:
529 release_sock(sk);
530 return err;
531}
532
533static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
534{
535 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
536 struct sock *sk = sock->sk;
537
538 BT_DBG("sock %p, sk %p", sock, sk);
539
540 if (peer && sk->sk_state != BT_CONNECTED &&
541 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2)
542 return -ENOTCONN;
543
544 memset(sa, 0, sizeof(*sa));
545 sa->rc_family = AF_BLUETOOTH;
546 sa->rc_channel = rfcomm_pi(sk)->channel;
547 if (peer)
548 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->dst);
549 else
550 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->src);
551
552 *len = sizeof(struct sockaddr_rc);
553 return 0;
554}
555
556static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg,
557 size_t len)
558{
559 struct sock *sk = sock->sk;
560 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
561 struct sk_buff *skb;
562 int sent;
563
564 if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
565 return -ENOTCONN;
566
567 if (msg->msg_flags & MSG_OOB)
568 return -EOPNOTSUPP;
569
570 if (sk->sk_shutdown & SEND_SHUTDOWN)
571 return -EPIPE;
572
573 BT_DBG("sock %p, sk %p", sock, sk);
574
575 lock_sock(sk);
576
577 sent = bt_sock_wait_ready(sk, msg->msg_flags);
578 if (sent)
579 goto done;
580
581 while (len) {
582 size_t size = min_t(size_t, len, d->mtu);
583 int err;
584
585 skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE,
586 msg->msg_flags & MSG_DONTWAIT, &err);
587 if (!skb) {
588 if (sent == 0)
589 sent = err;
590 break;
591 }
592 skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);
593
594 err = memcpy_from_msg(skb_put(skb, size), msg, size);
595 if (err) {
596 kfree_skb(skb);
597 if (sent == 0)
598 sent = err;
599 break;
600 }
601
602 skb->priority = sk->sk_priority;
603
604 err = rfcomm_dlc_send(d, skb);
605 if (err < 0) {
606 kfree_skb(skb);
607 if (sent == 0)
608 sent = err;
609 break;
610 }
611
612 sent += size;
613 len -= size;
614 }
615
616done:
617 release_sock(sk);
618
619 return sent;
620}
621
622static int rfcomm_sock_recvmsg(struct socket *sock, struct msghdr *msg,
623 size_t size, int flags)
624{
625 struct sock *sk = sock->sk;
626 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
627 int len;
628
629 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
630 rfcomm_dlc_accept(d);
631 return 0;
632 }
633
634 len = bt_sock_stream_recvmsg(sock, msg, size, flags);
635
636 lock_sock(sk);
637 if (!(flags & MSG_PEEK) && len > 0)
638 atomic_sub(len, &sk->sk_rmem_alloc);
639
640 if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2))
641 rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc);
642 release_sock(sk);
643
644 return len;
645}
646
647static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
648{
649 struct sock *sk = sock->sk;
650 int err = 0;
651 u32 opt;
652
653 BT_DBG("sk %p", sk);
654
655 lock_sock(sk);
656
657 switch (optname) {
658 case RFCOMM_LM:
659 if (get_user(opt, (u32 __user *) optval)) {
660 err = -EFAULT;
661 break;
662 }
663
664 if (opt & RFCOMM_LM_FIPS) {
665 err = -EINVAL;
666 break;
667 }
668
669 if (opt & RFCOMM_LM_AUTH)
670 rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
671 if (opt & RFCOMM_LM_ENCRYPT)
672 rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
673 if (opt & RFCOMM_LM_SECURE)
674 rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;
675
676 rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
677 break;
678
679 default:
680 err = -ENOPROTOOPT;
681 break;
682 }
683
684 release_sock(sk);
685 return err;
686}
687
688static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
689{
690 struct sock *sk = sock->sk;
691 struct bt_security sec;
692 int err = 0;
693 size_t len;
694 u32 opt;
695
696 BT_DBG("sk %p", sk);
697
698 if (level == SOL_RFCOMM)
699 return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);
700
701 if (level != SOL_BLUETOOTH)
702 return -ENOPROTOOPT;
703
704 lock_sock(sk);
705
706 switch (optname) {
707 case BT_SECURITY:
708 if (sk->sk_type != SOCK_STREAM) {
709 err = -EINVAL;
710 break;
711 }
712
713 sec.level = BT_SECURITY_LOW;
714
715 len = min_t(unsigned int, sizeof(sec), optlen);
716 if (copy_from_user((char *) &sec, optval, len)) {
717 err = -EFAULT;
718 break;
719 }
720
721 if (sec.level > BT_SECURITY_HIGH) {
722 err = -EINVAL;
723 break;
724 }
725
726 rfcomm_pi(sk)->sec_level = sec.level;
727 break;
728
729 case BT_DEFER_SETUP:
730 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
731 err = -EINVAL;
732 break;
733 }
734
735 if (get_user(opt, (u32 __user *) optval)) {
736 err = -EFAULT;
737 break;
738 }
739
740 if (opt)
741 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
742 else
743 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
744
745 break;
746
747 default:
748 err = -ENOPROTOOPT;
749 break;
750 }
751
752 release_sock(sk);
753 return err;
754}
755
756static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
757{
758 struct sock *sk = sock->sk;
759 struct sock *l2cap_sk;
760 struct l2cap_conn *conn;
761 struct rfcomm_conninfo cinfo;
762 int len, err = 0;
763 u32 opt;
764
765 BT_DBG("sk %p", sk);
766
767 if (get_user(len, optlen))
768 return -EFAULT;
769
770 lock_sock(sk);
771
772 switch (optname) {
773 case RFCOMM_LM:
774 switch (rfcomm_pi(sk)->sec_level) {
775 case BT_SECURITY_LOW:
776 opt = RFCOMM_LM_AUTH;
777 break;
778 case BT_SECURITY_MEDIUM:
779 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
780 break;
781 case BT_SECURITY_HIGH:
782 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
783 RFCOMM_LM_SECURE;
784 break;
785 case BT_SECURITY_FIPS:
786 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
787 RFCOMM_LM_SECURE | RFCOMM_LM_FIPS;
788 break;
789 default:
790 opt = 0;
791 break;
792 }
793
794 if (rfcomm_pi(sk)->role_switch)
795 opt |= RFCOMM_LM_MASTER;
796
797 if (put_user(opt, (u32 __user *) optval))
798 err = -EFAULT;
799
800 break;
801
802 case RFCOMM_CONNINFO:
803 if (sk->sk_state != BT_CONNECTED &&
804 !rfcomm_pi(sk)->dlc->defer_setup) {
805 err = -ENOTCONN;
806 break;
807 }
808
809 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
810 conn = l2cap_pi(l2cap_sk)->chan->conn;
811
812 memset(&cinfo, 0, sizeof(cinfo));
813 cinfo.hci_handle = conn->hcon->handle;
814 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
815
816 len = min_t(unsigned int, len, sizeof(cinfo));
817 if (copy_to_user(optval, (char *) &cinfo, len))
818 err = -EFAULT;
819
820 break;
821
822 default:
823 err = -ENOPROTOOPT;
824 break;
825 }
826
827 release_sock(sk);
828 return err;
829}
830
831static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
832{
833 struct sock *sk = sock->sk;
834 struct bt_security sec;
835 int len, err = 0;
836
837 BT_DBG("sk %p", sk);
838
839 if (level == SOL_RFCOMM)
840 return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen);
841
842 if (level != SOL_BLUETOOTH)
843 return -ENOPROTOOPT;
844
845 if (get_user(len, optlen))
846 return -EFAULT;
847
848 lock_sock(sk);
849
850 switch (optname) {
851 case BT_SECURITY:
852 if (sk->sk_type != SOCK_STREAM) {
853 err = -EINVAL;
854 break;
855 }
856
857 sec.level = rfcomm_pi(sk)->sec_level;
858 sec.key_size = 0;
859
860 len = min_t(unsigned int, len, sizeof(sec));
861 if (copy_to_user(optval, (char *) &sec, len))
862 err = -EFAULT;
863
864 break;
865
866 case BT_DEFER_SETUP:
867 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
868 err = -EINVAL;
869 break;
870 }
871
872 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
873 (u32 __user *) optval))
874 err = -EFAULT;
875
876 break;
877
878 default:
879 err = -ENOPROTOOPT;
880 break;
881 }
882
883 release_sock(sk);
884 return err;
885}
886
887static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
888{
889 struct sock *sk __maybe_unused = sock->sk;
890 int err;
891
892 BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg);
893
894 err = bt_sock_ioctl(sock, cmd, arg);
895
896 if (err == -ENOIOCTLCMD) {
897#ifdef CONFIG_BT_RFCOMM_TTY
898 lock_sock(sk);
899 err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
900 release_sock(sk);
901#else
902 err = -EOPNOTSUPP;
903#endif
904 }
905
906 return err;
907}
908
909static int rfcomm_sock_shutdown(struct socket *sock, int how)
910{
911 struct sock *sk = sock->sk;
912 int err = 0;
913
914 BT_DBG("sock %p, sk %p", sock, sk);
915
916 if (!sk)
917 return 0;
918
919 lock_sock(sk);
920 if (!sk->sk_shutdown) {
921 sk->sk_shutdown = SHUTDOWN_MASK;
922 __rfcomm_sock_close(sk);
923
924 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
925 !(current->flags & PF_EXITING))
926 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
927 }
928 release_sock(sk);
929 return err;
930}
931
932static int rfcomm_sock_release(struct socket *sock)
933{
934 struct sock *sk = sock->sk;
935 int err;
936
937 BT_DBG("sock %p, sk %p", sock, sk);
938
939 if (!sk)
940 return 0;
941
942 err = rfcomm_sock_shutdown(sock, 2);
943
944 sock_orphan(sk);
945 rfcomm_sock_kill(sk);
946 return err;
947}
948
949/* ---- RFCOMM core layer callbacks ----
950 *
951 * called under rfcomm_lock()
952 */
953int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d)
954{
955 struct sock *sk, *parent;
956 bdaddr_t src, dst;
957 int result = 0;
958
959 BT_DBG("session %p channel %d", s, channel);
960
961 rfcomm_session_getaddr(s, &src, &dst);
962
963 /* Check if we have socket listening on channel */
964 parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src);
965 if (!parent)
966 return 0;
967
968 bh_lock_sock(parent);
969
970 /* Check for backlog size */
971 if (sk_acceptq_is_full(parent)) {
972 BT_DBG("backlog full %d", parent->sk_ack_backlog);
973 goto done;
974 }
975
976 sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC, 0);
977 if (!sk)
978 goto done;
979
980 bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM);
981
982 rfcomm_sock_init(sk, parent);
983 bacpy(&rfcomm_pi(sk)->src, &src);
984 bacpy(&rfcomm_pi(sk)->dst, &dst);
985 rfcomm_pi(sk)->channel = channel;
986
987 sk->sk_state = BT_CONFIG;
988 bt_accept_enqueue(parent, sk);
989
990 /* Accept connection and return socket DLC */
991 *d = rfcomm_pi(sk)->dlc;
992 result = 1;
993
994done:
995 bh_unlock_sock(parent);
996
997 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
998 parent->sk_state_change(parent);
999
1000 return result;
1001}
1002
1003static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
1004{
1005 struct sock *sk;
1006
1007 read_lock(&rfcomm_sk_list.lock);
1008
1009 sk_for_each(sk, &rfcomm_sk_list.head) {
1010 seq_printf(f, "%pMR %pMR %d %d\n",
1011 &rfcomm_pi(sk)->src, &rfcomm_pi(sk)->dst,
1012 sk->sk_state, rfcomm_pi(sk)->channel);
1013 }
1014
1015 read_unlock(&rfcomm_sk_list.lock);
1016
1017 return 0;
1018}
1019
1020static int rfcomm_sock_debugfs_open(struct inode *inode, struct file *file)
1021{
1022 return single_open(file, rfcomm_sock_debugfs_show, inode->i_private);
1023}
1024
1025static const struct file_operations rfcomm_sock_debugfs_fops = {
1026 .open = rfcomm_sock_debugfs_open,
1027 .read = seq_read,
1028 .llseek = seq_lseek,
1029 .release = single_release,
1030};
1031
1032static struct dentry *rfcomm_sock_debugfs;
1033
1034static const struct proto_ops rfcomm_sock_ops = {
1035 .family = PF_BLUETOOTH,
1036 .owner = THIS_MODULE,
1037 .release = rfcomm_sock_release,
1038 .bind = rfcomm_sock_bind,
1039 .connect = rfcomm_sock_connect,
1040 .listen = rfcomm_sock_listen,
1041 .accept = rfcomm_sock_accept,
1042 .getname = rfcomm_sock_getname,
1043 .sendmsg = rfcomm_sock_sendmsg,
1044 .recvmsg = rfcomm_sock_recvmsg,
1045 .shutdown = rfcomm_sock_shutdown,
1046 .setsockopt = rfcomm_sock_setsockopt,
1047 .getsockopt = rfcomm_sock_getsockopt,
1048 .ioctl = rfcomm_sock_ioctl,
1049 .poll = bt_sock_poll,
1050 .socketpair = sock_no_socketpair,
1051 .mmap = sock_no_mmap
1052};
1053
1054static const struct net_proto_family rfcomm_sock_family_ops = {
1055 .family = PF_BLUETOOTH,
1056 .owner = THIS_MODULE,
1057 .create = rfcomm_sock_create
1058};
1059
1060int __init rfcomm_init_sockets(void)
1061{
1062 int err;
1063
1064 BUILD_BUG_ON(sizeof(struct sockaddr_rc) > sizeof(struct sockaddr));
1065
1066 err = proto_register(&rfcomm_proto, 0);
1067 if (err < 0)
1068 return err;
1069
1070 err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops);
1071 if (err < 0) {
1072 BT_ERR("RFCOMM socket layer registration failed");
1073 goto error;
1074 }
1075
1076 err = bt_procfs_init(&init_net, "rfcomm", &rfcomm_sk_list, NULL);
1077 if (err < 0) {
1078 BT_ERR("Failed to create RFCOMM proc file");
1079 bt_sock_unregister(BTPROTO_RFCOMM);
1080 goto error;
1081 }
1082
1083 BT_INFO("RFCOMM socket layer initialized");
1084
1085 if (IS_ERR_OR_NULL(bt_debugfs))
1086 return 0;
1087
1088 rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444,
1089 bt_debugfs, NULL,
1090 &rfcomm_sock_debugfs_fops);
1091
1092 return 0;
1093
1094error:
1095 proto_unregister(&rfcomm_proto);
1096 return err;
1097}
1098
1099void __exit rfcomm_cleanup_sockets(void)
1100{
1101 bt_procfs_cleanup(&init_net, "rfcomm");
1102
1103 debugfs_remove(rfcomm_sock_debugfs);
1104
1105 bt_sock_unregister(BTPROTO_RFCOMM);
1106
1107 proto_unregister(&rfcomm_proto);
1108}
1/*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22*/
23
24/*
25 * RFCOMM sockets.
26 */
27#include <linux/compat.h>
28#include <linux/export.h>
29#include <linux/debugfs.h>
30#include <linux/sched/signal.h>
31
32#include <net/bluetooth/bluetooth.h>
33#include <net/bluetooth/hci_core.h>
34#include <net/bluetooth/l2cap.h>
35#include <net/bluetooth/rfcomm.h>
36
37static const struct proto_ops rfcomm_sock_ops;
38
39static struct bt_sock_list rfcomm_sk_list = {
40 .lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock)
41};
42
43static void rfcomm_sock_close(struct sock *sk);
44static void rfcomm_sock_kill(struct sock *sk);
45
46/* ---- DLC callbacks ----
47 *
48 * called under rfcomm_dlc_lock()
49 */
50static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
51{
52 struct sock *sk = d->owner;
53 if (!sk)
54 return;
55
56 atomic_add(skb->len, &sk->sk_rmem_alloc);
57 skb_queue_tail(&sk->sk_receive_queue, skb);
58 sk->sk_data_ready(sk);
59
60 if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
61 rfcomm_dlc_throttle(d);
62}
63
64static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
65{
66 struct sock *sk = d->owner, *parent;
67
68 if (!sk)
69 return;
70
71 BT_DBG("dlc %p state %ld err %d", d, d->state, err);
72
73 spin_lock_bh(&sk->sk_lock.slock);
74
75 if (err)
76 sk->sk_err = err;
77
78 sk->sk_state = d->state;
79
80 parent = bt_sk(sk)->parent;
81 if (parent) {
82 if (d->state == BT_CLOSED) {
83 sock_set_flag(sk, SOCK_ZAPPED);
84 bt_accept_unlink(sk);
85 }
86 parent->sk_data_ready(parent);
87 } else {
88 if (d->state == BT_CONNECTED)
89 rfcomm_session_getaddr(d->session,
90 &rfcomm_pi(sk)->src, NULL);
91 sk->sk_state_change(sk);
92 }
93
94 spin_unlock_bh(&sk->sk_lock.slock);
95
96 if (parent && sock_flag(sk, SOCK_ZAPPED)) {
97 /* We have to drop DLC lock here, otherwise
98 * rfcomm_sock_destruct() will dead lock. */
99 rfcomm_dlc_unlock(d);
100 rfcomm_sock_kill(sk);
101 rfcomm_dlc_lock(d);
102 }
103}
104
105/* ---- Socket functions ---- */
106static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
107{
108 struct sock *sk = NULL;
109
110 sk_for_each(sk, &rfcomm_sk_list.head) {
111 if (rfcomm_pi(sk)->channel != channel)
112 continue;
113
114 if (bacmp(&rfcomm_pi(sk)->src, src))
115 continue;
116
117 if (sk->sk_state == BT_BOUND || sk->sk_state == BT_LISTEN)
118 break;
119 }
120
121 return sk ? sk : NULL;
122}
123
124/* Find socket with channel and source bdaddr.
125 * Returns closest match.
126 */
127static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
128{
129 struct sock *sk = NULL, *sk1 = NULL;
130
131 read_lock(&rfcomm_sk_list.lock);
132
133 sk_for_each(sk, &rfcomm_sk_list.head) {
134 if (state && sk->sk_state != state)
135 continue;
136
137 if (rfcomm_pi(sk)->channel == channel) {
138 /* Exact match. */
139 if (!bacmp(&rfcomm_pi(sk)->src, src))
140 break;
141
142 /* Closest match */
143 if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY))
144 sk1 = sk;
145 }
146 }
147
148 read_unlock(&rfcomm_sk_list.lock);
149
150 return sk ? sk : sk1;
151}
152
153static void rfcomm_sock_destruct(struct sock *sk)
154{
155 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
156
157 BT_DBG("sk %p dlc %p", sk, d);
158
159 skb_queue_purge(&sk->sk_receive_queue);
160 skb_queue_purge(&sk->sk_write_queue);
161
162 rfcomm_dlc_lock(d);
163 rfcomm_pi(sk)->dlc = NULL;
164
165 /* Detach DLC if it's owned by this socket */
166 if (d->owner == sk)
167 d->owner = NULL;
168 rfcomm_dlc_unlock(d);
169
170 rfcomm_dlc_put(d);
171}
172
173static void rfcomm_sock_cleanup_listen(struct sock *parent)
174{
175 struct sock *sk;
176
177 BT_DBG("parent %p", parent);
178
179 /* Close not yet accepted dlcs */
180 while ((sk = bt_accept_dequeue(parent, NULL))) {
181 rfcomm_sock_close(sk);
182 rfcomm_sock_kill(sk);
183 }
184
185 parent->sk_state = BT_CLOSED;
186 sock_set_flag(parent, SOCK_ZAPPED);
187}
188
189/* Kill socket (only if zapped and orphan)
190 * Must be called on unlocked socket.
191 */
192static void rfcomm_sock_kill(struct sock *sk)
193{
194 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
195 return;
196
197 BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, refcount_read(&sk->sk_refcnt));
198
199 /* Kill poor orphan */
200 bt_sock_unlink(&rfcomm_sk_list, sk);
201 sock_set_flag(sk, SOCK_DEAD);
202 sock_put(sk);
203}
204
205static void __rfcomm_sock_close(struct sock *sk)
206{
207 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
208
209 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
210
211 switch (sk->sk_state) {
212 case BT_LISTEN:
213 rfcomm_sock_cleanup_listen(sk);
214 break;
215
216 case BT_CONNECT:
217 case BT_CONNECT2:
218 case BT_CONFIG:
219 case BT_CONNECTED:
220 rfcomm_dlc_close(d, 0);
221 fallthrough;
222
223 default:
224 sock_set_flag(sk, SOCK_ZAPPED);
225 break;
226 }
227}
228
229/* Close socket.
230 * Must be called on unlocked socket.
231 */
232static void rfcomm_sock_close(struct sock *sk)
233{
234 lock_sock(sk);
235 __rfcomm_sock_close(sk);
236 release_sock(sk);
237}
238
239static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
240{
241 struct rfcomm_pinfo *pi = rfcomm_pi(sk);
242
243 BT_DBG("sk %p", sk);
244
245 if (parent) {
246 sk->sk_type = parent->sk_type;
247 pi->dlc->defer_setup = test_bit(BT_SK_DEFER_SETUP,
248 &bt_sk(parent)->flags);
249
250 pi->sec_level = rfcomm_pi(parent)->sec_level;
251 pi->role_switch = rfcomm_pi(parent)->role_switch;
252
253 security_sk_clone(parent, sk);
254 } else {
255 pi->dlc->defer_setup = 0;
256
257 pi->sec_level = BT_SECURITY_LOW;
258 pi->role_switch = 0;
259 }
260
261 pi->dlc->sec_level = pi->sec_level;
262 pi->dlc->role_switch = pi->role_switch;
263}
264
265static struct proto rfcomm_proto = {
266 .name = "RFCOMM",
267 .owner = THIS_MODULE,
268 .obj_size = sizeof(struct rfcomm_pinfo)
269};
270
271static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio, int kern)
272{
273 struct rfcomm_dlc *d;
274 struct sock *sk;
275
276 sk = sk_alloc(net, PF_BLUETOOTH, prio, &rfcomm_proto, kern);
277 if (!sk)
278 return NULL;
279
280 sock_init_data(sock, sk);
281 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
282
283 d = rfcomm_dlc_alloc(prio);
284 if (!d) {
285 sk_free(sk);
286 return NULL;
287 }
288
289 d->data_ready = rfcomm_sk_data_ready;
290 d->state_change = rfcomm_sk_state_change;
291
292 rfcomm_pi(sk)->dlc = d;
293 d->owner = sk;
294
295 sk->sk_destruct = rfcomm_sock_destruct;
296 sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT;
297
298 sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
299 sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
300
301 sock_reset_flag(sk, SOCK_ZAPPED);
302
303 sk->sk_protocol = proto;
304 sk->sk_state = BT_OPEN;
305
306 bt_sock_link(&rfcomm_sk_list, sk);
307
308 BT_DBG("sk %p", sk);
309 return sk;
310}
311
312static int rfcomm_sock_create(struct net *net, struct socket *sock,
313 int protocol, int kern)
314{
315 struct sock *sk;
316
317 BT_DBG("sock %p", sock);
318
319 sock->state = SS_UNCONNECTED;
320
321 if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW)
322 return -ESOCKTNOSUPPORT;
323
324 sock->ops = &rfcomm_sock_ops;
325
326 sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
327 if (!sk)
328 return -ENOMEM;
329
330 rfcomm_sock_init(sk, NULL);
331 return 0;
332}
333
334static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
335{
336 struct sockaddr_rc sa;
337 struct sock *sk = sock->sk;
338 int len, err = 0;
339
340 if (!addr || addr_len < offsetofend(struct sockaddr, sa_family) ||
341 addr->sa_family != AF_BLUETOOTH)
342 return -EINVAL;
343
344 memset(&sa, 0, sizeof(sa));
345 len = min_t(unsigned int, sizeof(sa), addr_len);
346 memcpy(&sa, addr, len);
347
348 BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);
349
350 lock_sock(sk);
351
352 if (sk->sk_state != BT_OPEN) {
353 err = -EBADFD;
354 goto done;
355 }
356
357 if (sk->sk_type != SOCK_STREAM) {
358 err = -EINVAL;
359 goto done;
360 }
361
362 write_lock(&rfcomm_sk_list.lock);
363
364 if (sa.rc_channel &&
365 __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
366 err = -EADDRINUSE;
367 } else {
368 /* Save source address */
369 bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr);
370 rfcomm_pi(sk)->channel = sa.rc_channel;
371 sk->sk_state = BT_BOUND;
372 }
373
374 write_unlock(&rfcomm_sk_list.lock);
375
376done:
377 release_sock(sk);
378 return err;
379}
380
381static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
382{
383 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
384 struct sock *sk = sock->sk;
385 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
386 int err = 0;
387
388 BT_DBG("sk %p", sk);
389
390 if (alen < sizeof(struct sockaddr_rc) ||
391 addr->sa_family != AF_BLUETOOTH)
392 return -EINVAL;
393
394 lock_sock(sk);
395
396 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
397 err = -EBADFD;
398 goto done;
399 }
400
401 if (sk->sk_type != SOCK_STREAM) {
402 err = -EINVAL;
403 goto done;
404 }
405
406 sk->sk_state = BT_CONNECT;
407 bacpy(&rfcomm_pi(sk)->dst, &sa->rc_bdaddr);
408 rfcomm_pi(sk)->channel = sa->rc_channel;
409
410 d->sec_level = rfcomm_pi(sk)->sec_level;
411 d->role_switch = rfcomm_pi(sk)->role_switch;
412
413 err = rfcomm_dlc_open(d, &rfcomm_pi(sk)->src, &sa->rc_bdaddr,
414 sa->rc_channel);
415 if (!err)
416 err = bt_sock_wait_state(sk, BT_CONNECTED,
417 sock_sndtimeo(sk, flags & O_NONBLOCK));
418
419done:
420 release_sock(sk);
421 return err;
422}
423
424static int rfcomm_sock_listen(struct socket *sock, int backlog)
425{
426 struct sock *sk = sock->sk;
427 int err = 0;
428
429 BT_DBG("sk %p backlog %d", sk, backlog);
430
431 lock_sock(sk);
432
433 if (sk->sk_state != BT_BOUND) {
434 err = -EBADFD;
435 goto done;
436 }
437
438 if (sk->sk_type != SOCK_STREAM) {
439 err = -EINVAL;
440 goto done;
441 }
442
443 if (!rfcomm_pi(sk)->channel) {
444 bdaddr_t *src = &rfcomm_pi(sk)->src;
445 u8 channel;
446
447 err = -EINVAL;
448
449 write_lock(&rfcomm_sk_list.lock);
450
451 for (channel = 1; channel < 31; channel++)
452 if (!__rfcomm_get_listen_sock_by_addr(channel, src)) {
453 rfcomm_pi(sk)->channel = channel;
454 err = 0;
455 break;
456 }
457
458 write_unlock(&rfcomm_sk_list.lock);
459
460 if (err < 0)
461 goto done;
462 }
463
464 sk->sk_max_ack_backlog = backlog;
465 sk->sk_ack_backlog = 0;
466 sk->sk_state = BT_LISTEN;
467
468done:
469 release_sock(sk);
470 return err;
471}
472
473static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int flags,
474 bool kern)
475{
476 DEFINE_WAIT_FUNC(wait, woken_wake_function);
477 struct sock *sk = sock->sk, *nsk;
478 long timeo;
479 int err = 0;
480
481 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
482
483 if (sk->sk_type != SOCK_STREAM) {
484 err = -EINVAL;
485 goto done;
486 }
487
488 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
489
490 BT_DBG("sk %p timeo %ld", sk, timeo);
491
492 /* Wait for an incoming connection. (wake-one). */
493 add_wait_queue_exclusive(sk_sleep(sk), &wait);
494 while (1) {
495 if (sk->sk_state != BT_LISTEN) {
496 err = -EBADFD;
497 break;
498 }
499
500 nsk = bt_accept_dequeue(sk, newsock);
501 if (nsk)
502 break;
503
504 if (!timeo) {
505 err = -EAGAIN;
506 break;
507 }
508
509 if (signal_pending(current)) {
510 err = sock_intr_errno(timeo);
511 break;
512 }
513
514 release_sock(sk);
515
516 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
517
518 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
519 }
520 remove_wait_queue(sk_sleep(sk), &wait);
521
522 if (err)
523 goto done;
524
525 newsock->state = SS_CONNECTED;
526
527 BT_DBG("new socket %p", nsk);
528
529done:
530 release_sock(sk);
531 return err;
532}
533
534static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int peer)
535{
536 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
537 struct sock *sk = sock->sk;
538
539 BT_DBG("sock %p, sk %p", sock, sk);
540
541 if (peer && sk->sk_state != BT_CONNECTED &&
542 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2)
543 return -ENOTCONN;
544
545 memset(sa, 0, sizeof(*sa));
546 sa->rc_family = AF_BLUETOOTH;
547 sa->rc_channel = rfcomm_pi(sk)->channel;
548 if (peer)
549 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->dst);
550 else
551 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->src);
552
553 return sizeof(struct sockaddr_rc);
554}
555
556static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg,
557 size_t len)
558{
559 struct sock *sk = sock->sk;
560 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
561 struct sk_buff *skb;
562 int sent;
563
564 if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
565 return -ENOTCONN;
566
567 if (msg->msg_flags & MSG_OOB)
568 return -EOPNOTSUPP;
569
570 if (sk->sk_shutdown & SEND_SHUTDOWN)
571 return -EPIPE;
572
573 BT_DBG("sock %p, sk %p", sock, sk);
574
575 lock_sock(sk);
576
577 sent = bt_sock_wait_ready(sk, msg->msg_flags);
578 if (sent)
579 goto done;
580
581 while (len) {
582 size_t size = min_t(size_t, len, d->mtu);
583 int err;
584
585 skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE,
586 msg->msg_flags & MSG_DONTWAIT, &err);
587 if (!skb) {
588 if (sent == 0)
589 sent = err;
590 break;
591 }
592 skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);
593
594 err = memcpy_from_msg(skb_put(skb, size), msg, size);
595 if (err) {
596 kfree_skb(skb);
597 if (sent == 0)
598 sent = err;
599 break;
600 }
601
602 skb->priority = sk->sk_priority;
603
604 err = rfcomm_dlc_send(d, skb);
605 if (err < 0) {
606 kfree_skb(skb);
607 if (sent == 0)
608 sent = err;
609 break;
610 }
611
612 sent += size;
613 len -= size;
614 }
615
616done:
617 release_sock(sk);
618
619 return sent;
620}
621
622static int rfcomm_sock_recvmsg(struct socket *sock, struct msghdr *msg,
623 size_t size, int flags)
624{
625 struct sock *sk = sock->sk;
626 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
627 int len;
628
629 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
630 rfcomm_dlc_accept(d);
631 return 0;
632 }
633
634 len = bt_sock_stream_recvmsg(sock, msg, size, flags);
635
636 lock_sock(sk);
637 if (!(flags & MSG_PEEK) && len > 0)
638 atomic_sub(len, &sk->sk_rmem_alloc);
639
640 if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2))
641 rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc);
642 release_sock(sk);
643
644 return len;
645}
646
647static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname,
648 sockptr_t optval, unsigned int optlen)
649{
650 struct sock *sk = sock->sk;
651 int err = 0;
652 u32 opt;
653
654 BT_DBG("sk %p", sk);
655
656 lock_sock(sk);
657
658 switch (optname) {
659 case RFCOMM_LM:
660 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
661 err = -EFAULT;
662 break;
663 }
664
665 if (opt & RFCOMM_LM_FIPS) {
666 err = -EINVAL;
667 break;
668 }
669
670 if (opt & RFCOMM_LM_AUTH)
671 rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
672 if (opt & RFCOMM_LM_ENCRYPT)
673 rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
674 if (opt & RFCOMM_LM_SECURE)
675 rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;
676
677 rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
678 break;
679
680 default:
681 err = -ENOPROTOOPT;
682 break;
683 }
684
685 release_sock(sk);
686 return err;
687}
688
689static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname,
690 sockptr_t optval, unsigned int optlen)
691{
692 struct sock *sk = sock->sk;
693 struct bt_security sec;
694 int err = 0;
695 size_t len;
696 u32 opt;
697
698 BT_DBG("sk %p", sk);
699
700 if (level == SOL_RFCOMM)
701 return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);
702
703 if (level != SOL_BLUETOOTH)
704 return -ENOPROTOOPT;
705
706 lock_sock(sk);
707
708 switch (optname) {
709 case BT_SECURITY:
710 if (sk->sk_type != SOCK_STREAM) {
711 err = -EINVAL;
712 break;
713 }
714
715 sec.level = BT_SECURITY_LOW;
716
717 len = min_t(unsigned int, sizeof(sec), optlen);
718 if (copy_from_sockptr(&sec, optval, len)) {
719 err = -EFAULT;
720 break;
721 }
722
723 if (sec.level > BT_SECURITY_HIGH) {
724 err = -EINVAL;
725 break;
726 }
727
728 rfcomm_pi(sk)->sec_level = sec.level;
729 break;
730
731 case BT_DEFER_SETUP:
732 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
733 err = -EINVAL;
734 break;
735 }
736
737 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
738 err = -EFAULT;
739 break;
740 }
741
742 if (opt)
743 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
744 else
745 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
746
747 break;
748
749 default:
750 err = -ENOPROTOOPT;
751 break;
752 }
753
754 release_sock(sk);
755 return err;
756}
757
758static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
759{
760 struct sock *sk = sock->sk;
761 struct sock *l2cap_sk;
762 struct l2cap_conn *conn;
763 struct rfcomm_conninfo cinfo;
764 int len, err = 0;
765 u32 opt;
766
767 BT_DBG("sk %p", sk);
768
769 if (get_user(len, optlen))
770 return -EFAULT;
771
772 lock_sock(sk);
773
774 switch (optname) {
775 case RFCOMM_LM:
776 switch (rfcomm_pi(sk)->sec_level) {
777 case BT_SECURITY_LOW:
778 opt = RFCOMM_LM_AUTH;
779 break;
780 case BT_SECURITY_MEDIUM:
781 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
782 break;
783 case BT_SECURITY_HIGH:
784 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
785 RFCOMM_LM_SECURE;
786 break;
787 case BT_SECURITY_FIPS:
788 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
789 RFCOMM_LM_SECURE | RFCOMM_LM_FIPS;
790 break;
791 default:
792 opt = 0;
793 break;
794 }
795
796 if (rfcomm_pi(sk)->role_switch)
797 opt |= RFCOMM_LM_MASTER;
798
799 if (put_user(opt, (u32 __user *) optval))
800 err = -EFAULT;
801
802 break;
803
804 case RFCOMM_CONNINFO:
805 if (sk->sk_state != BT_CONNECTED &&
806 !rfcomm_pi(sk)->dlc->defer_setup) {
807 err = -ENOTCONN;
808 break;
809 }
810
811 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
812 conn = l2cap_pi(l2cap_sk)->chan->conn;
813
814 memset(&cinfo, 0, sizeof(cinfo));
815 cinfo.hci_handle = conn->hcon->handle;
816 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
817
818 len = min_t(unsigned int, len, sizeof(cinfo));
819 if (copy_to_user(optval, (char *) &cinfo, len))
820 err = -EFAULT;
821
822 break;
823
824 default:
825 err = -ENOPROTOOPT;
826 break;
827 }
828
829 release_sock(sk);
830 return err;
831}
832
833static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
834{
835 struct sock *sk = sock->sk;
836 struct bt_security sec;
837 int len, err = 0;
838
839 BT_DBG("sk %p", sk);
840
841 if (level == SOL_RFCOMM)
842 return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen);
843
844 if (level != SOL_BLUETOOTH)
845 return -ENOPROTOOPT;
846
847 if (get_user(len, optlen))
848 return -EFAULT;
849
850 lock_sock(sk);
851
852 switch (optname) {
853 case BT_SECURITY:
854 if (sk->sk_type != SOCK_STREAM) {
855 err = -EINVAL;
856 break;
857 }
858
859 sec.level = rfcomm_pi(sk)->sec_level;
860 sec.key_size = 0;
861
862 len = min_t(unsigned int, len, sizeof(sec));
863 if (copy_to_user(optval, (char *) &sec, len))
864 err = -EFAULT;
865
866 break;
867
868 case BT_DEFER_SETUP:
869 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
870 err = -EINVAL;
871 break;
872 }
873
874 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
875 (u32 __user *) optval))
876 err = -EFAULT;
877
878 break;
879
880 default:
881 err = -ENOPROTOOPT;
882 break;
883 }
884
885 release_sock(sk);
886 return err;
887}
888
889static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
890{
891 struct sock *sk __maybe_unused = sock->sk;
892 int err;
893
894 BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg);
895
896 err = bt_sock_ioctl(sock, cmd, arg);
897
898 if (err == -ENOIOCTLCMD) {
899#ifdef CONFIG_BT_RFCOMM_TTY
900 lock_sock(sk);
901 err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
902 release_sock(sk);
903#else
904 err = -EOPNOTSUPP;
905#endif
906 }
907
908 return err;
909}
910
911#ifdef CONFIG_COMPAT
912static int rfcomm_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
913{
914 return rfcomm_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg));
915}
916#endif
917
918static int rfcomm_sock_shutdown(struct socket *sock, int how)
919{
920 struct sock *sk = sock->sk;
921 int err = 0;
922
923 BT_DBG("sock %p, sk %p", sock, sk);
924
925 if (!sk)
926 return 0;
927
928 lock_sock(sk);
929 if (!sk->sk_shutdown) {
930 sk->sk_shutdown = SHUTDOWN_MASK;
931 __rfcomm_sock_close(sk);
932
933 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
934 !(current->flags & PF_EXITING))
935 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
936 }
937 release_sock(sk);
938 return err;
939}
940
941static int rfcomm_sock_release(struct socket *sock)
942{
943 struct sock *sk = sock->sk;
944 int err;
945
946 BT_DBG("sock %p, sk %p", sock, sk);
947
948 if (!sk)
949 return 0;
950
951 err = rfcomm_sock_shutdown(sock, 2);
952
953 sock_orphan(sk);
954 rfcomm_sock_kill(sk);
955 return err;
956}
957
958/* ---- RFCOMM core layer callbacks ----
959 *
960 * called under rfcomm_lock()
961 */
962int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d)
963{
964 struct sock *sk, *parent;
965 bdaddr_t src, dst;
966 int result = 0;
967
968 BT_DBG("session %p channel %d", s, channel);
969
970 rfcomm_session_getaddr(s, &src, &dst);
971
972 /* Check if we have socket listening on channel */
973 parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src);
974 if (!parent)
975 return 0;
976
977 bh_lock_sock(parent);
978
979 /* Check for backlog size */
980 if (sk_acceptq_is_full(parent)) {
981 BT_DBG("backlog full %d", parent->sk_ack_backlog);
982 goto done;
983 }
984
985 sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC, 0);
986 if (!sk)
987 goto done;
988
989 bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM);
990
991 rfcomm_sock_init(sk, parent);
992 bacpy(&rfcomm_pi(sk)->src, &src);
993 bacpy(&rfcomm_pi(sk)->dst, &dst);
994 rfcomm_pi(sk)->channel = channel;
995
996 sk->sk_state = BT_CONFIG;
997 bt_accept_enqueue(parent, sk, true);
998
999 /* Accept connection and return socket DLC */
1000 *d = rfcomm_pi(sk)->dlc;
1001 result = 1;
1002
1003done:
1004 bh_unlock_sock(parent);
1005
1006 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
1007 parent->sk_state_change(parent);
1008
1009 return result;
1010}
1011
1012static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
1013{
1014 struct sock *sk;
1015
1016 read_lock(&rfcomm_sk_list.lock);
1017
1018 sk_for_each(sk, &rfcomm_sk_list.head) {
1019 seq_printf(f, "%pMR %pMR %d %d\n",
1020 &rfcomm_pi(sk)->src, &rfcomm_pi(sk)->dst,
1021 sk->sk_state, rfcomm_pi(sk)->channel);
1022 }
1023
1024 read_unlock(&rfcomm_sk_list.lock);
1025
1026 return 0;
1027}
1028
1029DEFINE_SHOW_ATTRIBUTE(rfcomm_sock_debugfs);
1030
1031static struct dentry *rfcomm_sock_debugfs;
1032
1033static const struct proto_ops rfcomm_sock_ops = {
1034 .family = PF_BLUETOOTH,
1035 .owner = THIS_MODULE,
1036 .release = rfcomm_sock_release,
1037 .bind = rfcomm_sock_bind,
1038 .connect = rfcomm_sock_connect,
1039 .listen = rfcomm_sock_listen,
1040 .accept = rfcomm_sock_accept,
1041 .getname = rfcomm_sock_getname,
1042 .sendmsg = rfcomm_sock_sendmsg,
1043 .recvmsg = rfcomm_sock_recvmsg,
1044 .shutdown = rfcomm_sock_shutdown,
1045 .setsockopt = rfcomm_sock_setsockopt,
1046 .getsockopt = rfcomm_sock_getsockopt,
1047 .ioctl = rfcomm_sock_ioctl,
1048 .gettstamp = sock_gettstamp,
1049 .poll = bt_sock_poll,
1050 .socketpair = sock_no_socketpair,
1051 .mmap = sock_no_mmap,
1052#ifdef CONFIG_COMPAT
1053 .compat_ioctl = rfcomm_sock_compat_ioctl,
1054#endif
1055};
1056
1057static const struct net_proto_family rfcomm_sock_family_ops = {
1058 .family = PF_BLUETOOTH,
1059 .owner = THIS_MODULE,
1060 .create = rfcomm_sock_create
1061};
1062
1063int __init rfcomm_init_sockets(void)
1064{
1065 int err;
1066
1067 BUILD_BUG_ON(sizeof(struct sockaddr_rc) > sizeof(struct sockaddr));
1068
1069 err = proto_register(&rfcomm_proto, 0);
1070 if (err < 0)
1071 return err;
1072
1073 err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops);
1074 if (err < 0) {
1075 BT_ERR("RFCOMM socket layer registration failed");
1076 goto error;
1077 }
1078
1079 err = bt_procfs_init(&init_net, "rfcomm", &rfcomm_sk_list, NULL);
1080 if (err < 0) {
1081 BT_ERR("Failed to create RFCOMM proc file");
1082 bt_sock_unregister(BTPROTO_RFCOMM);
1083 goto error;
1084 }
1085
1086 BT_INFO("RFCOMM socket layer initialized");
1087
1088 if (IS_ERR_OR_NULL(bt_debugfs))
1089 return 0;
1090
1091 rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444,
1092 bt_debugfs, NULL,
1093 &rfcomm_sock_debugfs_fops);
1094
1095 return 0;
1096
1097error:
1098 proto_unregister(&rfcomm_proto);
1099 return err;
1100}
1101
1102void __exit rfcomm_cleanup_sockets(void)
1103{
1104 bt_procfs_cleanup(&init_net, "rfcomm");
1105
1106 debugfs_remove(rfcomm_sock_debugfs);
1107
1108 bt_sock_unregister(BTPROTO_RFCOMM);
1109
1110 proto_unregister(&rfcomm_proto);
1111}