Loading...
1/*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22*/
23
24/*
25 * RFCOMM sockets.
26 */
27#include <linux/compat.h>
28#include <linux/export.h>
29#include <linux/debugfs.h>
30#include <linux/sched/signal.h>
31
32#include <net/bluetooth/bluetooth.h>
33#include <net/bluetooth/hci_core.h>
34#include <net/bluetooth/l2cap.h>
35#include <net/bluetooth/rfcomm.h>
36
37static const struct proto_ops rfcomm_sock_ops;
38
39static struct bt_sock_list rfcomm_sk_list = {
40 .lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock)
41};
42
43static void rfcomm_sock_close(struct sock *sk);
44static void rfcomm_sock_kill(struct sock *sk);
45
46/* ---- DLC callbacks ----
47 *
48 * called under rfcomm_dlc_lock()
49 */
50static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
51{
52 struct sock *sk = d->owner;
53 if (!sk)
54 return;
55
56 atomic_add(skb->len, &sk->sk_rmem_alloc);
57 skb_queue_tail(&sk->sk_receive_queue, skb);
58 sk->sk_data_ready(sk);
59
60 if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
61 rfcomm_dlc_throttle(d);
62}
63
64static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
65{
66 struct sock *sk = d->owner, *parent;
67
68 if (!sk)
69 return;
70
71 BT_DBG("dlc %p state %ld err %d", d, d->state, err);
72
73 lock_sock(sk);
74
75 if (err)
76 sk->sk_err = err;
77
78 sk->sk_state = d->state;
79
80 parent = bt_sk(sk)->parent;
81 if (parent) {
82 if (d->state == BT_CLOSED) {
83 sock_set_flag(sk, SOCK_ZAPPED);
84 bt_accept_unlink(sk);
85 }
86 parent->sk_data_ready(parent);
87 } else {
88 if (d->state == BT_CONNECTED)
89 rfcomm_session_getaddr(d->session,
90 &rfcomm_pi(sk)->src, NULL);
91 sk->sk_state_change(sk);
92 }
93
94 release_sock(sk);
95
96 if (parent && sock_flag(sk, SOCK_ZAPPED)) {
97 /* We have to drop DLC lock here, otherwise
98 * rfcomm_sock_destruct() will dead lock. */
99 rfcomm_dlc_unlock(d);
100 rfcomm_sock_kill(sk);
101 rfcomm_dlc_lock(d);
102 }
103}
104
105/* ---- Socket functions ---- */
106static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
107{
108 struct sock *sk = NULL;
109
110 sk_for_each(sk, &rfcomm_sk_list.head) {
111 if (rfcomm_pi(sk)->channel != channel)
112 continue;
113
114 if (bacmp(&rfcomm_pi(sk)->src, src))
115 continue;
116
117 if (sk->sk_state == BT_BOUND || sk->sk_state == BT_LISTEN)
118 break;
119 }
120
121 return sk ? sk : NULL;
122}
123
124/* Find socket with channel and source bdaddr.
125 * Returns closest match.
126 */
127static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
128{
129 struct sock *sk = NULL, *sk1 = NULL;
130
131 read_lock(&rfcomm_sk_list.lock);
132
133 sk_for_each(sk, &rfcomm_sk_list.head) {
134 if (state && sk->sk_state != state)
135 continue;
136
137 if (rfcomm_pi(sk)->channel == channel) {
138 /* Exact match. */
139 if (!bacmp(&rfcomm_pi(sk)->src, src))
140 break;
141
142 /* Closest match */
143 if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY))
144 sk1 = sk;
145 }
146 }
147
148 read_unlock(&rfcomm_sk_list.lock);
149
150 return sk ? sk : sk1;
151}
152
153static void rfcomm_sock_destruct(struct sock *sk)
154{
155 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
156
157 BT_DBG("sk %p dlc %p", sk, d);
158
159 skb_queue_purge(&sk->sk_receive_queue);
160 skb_queue_purge(&sk->sk_write_queue);
161
162 rfcomm_dlc_lock(d);
163 rfcomm_pi(sk)->dlc = NULL;
164
165 /* Detach DLC if it's owned by this socket */
166 if (d->owner == sk)
167 d->owner = NULL;
168 rfcomm_dlc_unlock(d);
169
170 rfcomm_dlc_put(d);
171}
172
173static void rfcomm_sock_cleanup_listen(struct sock *parent)
174{
175 struct sock *sk;
176
177 BT_DBG("parent %p", parent);
178
179 /* Close not yet accepted dlcs */
180 while ((sk = bt_accept_dequeue(parent, NULL))) {
181 rfcomm_sock_close(sk);
182 rfcomm_sock_kill(sk);
183 }
184
185 parent->sk_state = BT_CLOSED;
186 sock_set_flag(parent, SOCK_ZAPPED);
187}
188
189/* Kill socket (only if zapped and orphan)
190 * Must be called on unlocked socket.
191 */
192static void rfcomm_sock_kill(struct sock *sk)
193{
194 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
195 return;
196
197 BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, refcount_read(&sk->sk_refcnt));
198
199 /* Kill poor orphan */
200 bt_sock_unlink(&rfcomm_sk_list, sk);
201 sock_set_flag(sk, SOCK_DEAD);
202 sock_put(sk);
203}
204
205static void __rfcomm_sock_close(struct sock *sk)
206{
207 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
208
209 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
210
211 switch (sk->sk_state) {
212 case BT_LISTEN:
213 rfcomm_sock_cleanup_listen(sk);
214 break;
215
216 case BT_CONNECT:
217 case BT_CONNECT2:
218 case BT_CONFIG:
219 case BT_CONNECTED:
220 rfcomm_dlc_close(d, 0);
221 fallthrough;
222
223 default:
224 sock_set_flag(sk, SOCK_ZAPPED);
225 break;
226 }
227}
228
229/* Close socket.
230 * Must be called on unlocked socket.
231 */
232static void rfcomm_sock_close(struct sock *sk)
233{
234 lock_sock(sk);
235 __rfcomm_sock_close(sk);
236 release_sock(sk);
237}
238
239static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
240{
241 struct rfcomm_pinfo *pi = rfcomm_pi(sk);
242
243 BT_DBG("sk %p", sk);
244
245 if (parent) {
246 sk->sk_type = parent->sk_type;
247 pi->dlc->defer_setup = test_bit(BT_SK_DEFER_SETUP,
248 &bt_sk(parent)->flags);
249
250 pi->sec_level = rfcomm_pi(parent)->sec_level;
251 pi->role_switch = rfcomm_pi(parent)->role_switch;
252
253 security_sk_clone(parent, sk);
254 } else {
255 pi->dlc->defer_setup = 0;
256
257 pi->sec_level = BT_SECURITY_LOW;
258 pi->role_switch = 0;
259 }
260
261 pi->dlc->sec_level = pi->sec_level;
262 pi->dlc->role_switch = pi->role_switch;
263}
264
265static struct proto rfcomm_proto = {
266 .name = "RFCOMM",
267 .owner = THIS_MODULE,
268 .obj_size = sizeof(struct rfcomm_pinfo)
269};
270
271static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock,
272 int proto, gfp_t prio, int kern)
273{
274 struct rfcomm_dlc *d;
275 struct sock *sk;
276
277 sk = bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern);
278 if (!sk)
279 return NULL;
280
281 d = rfcomm_dlc_alloc(prio);
282 if (!d) {
283 sk_free(sk);
284 return NULL;
285 }
286
287 d->data_ready = rfcomm_sk_data_ready;
288 d->state_change = rfcomm_sk_state_change;
289
290 rfcomm_pi(sk)->dlc = d;
291 d->owner = sk;
292
293 sk->sk_destruct = rfcomm_sock_destruct;
294 sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT;
295
296 sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
297 sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
298
299 bt_sock_link(&rfcomm_sk_list, sk);
300
301 BT_DBG("sk %p", sk);
302 return sk;
303}
304
305static int rfcomm_sock_create(struct net *net, struct socket *sock,
306 int protocol, int kern)
307{
308 struct sock *sk;
309
310 BT_DBG("sock %p", sock);
311
312 sock->state = SS_UNCONNECTED;
313
314 if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW)
315 return -ESOCKTNOSUPPORT;
316
317 sock->ops = &rfcomm_sock_ops;
318
319 sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
320 if (!sk)
321 return -ENOMEM;
322
323 rfcomm_sock_init(sk, NULL);
324 return 0;
325}
326
327static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
328{
329 struct sockaddr_rc sa;
330 struct sock *sk = sock->sk;
331 int len, err = 0;
332
333 if (!addr || addr_len < offsetofend(struct sockaddr, sa_family) ||
334 addr->sa_family != AF_BLUETOOTH)
335 return -EINVAL;
336
337 memset(&sa, 0, sizeof(sa));
338 len = min_t(unsigned int, sizeof(sa), addr_len);
339 memcpy(&sa, addr, len);
340
341 BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);
342
343 lock_sock(sk);
344
345 if (sk->sk_state != BT_OPEN) {
346 err = -EBADFD;
347 goto done;
348 }
349
350 if (sk->sk_type != SOCK_STREAM) {
351 err = -EINVAL;
352 goto done;
353 }
354
355 write_lock(&rfcomm_sk_list.lock);
356
357 if (sa.rc_channel &&
358 __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
359 err = -EADDRINUSE;
360 } else {
361 /* Save source address */
362 bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr);
363 rfcomm_pi(sk)->channel = sa.rc_channel;
364 sk->sk_state = BT_BOUND;
365 }
366
367 write_unlock(&rfcomm_sk_list.lock);
368
369done:
370 release_sock(sk);
371 return err;
372}
373
374static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
375{
376 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
377 struct sock *sk = sock->sk;
378 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
379 int err = 0;
380
381 BT_DBG("sk %p", sk);
382
383 if (alen < sizeof(struct sockaddr_rc) ||
384 addr->sa_family != AF_BLUETOOTH)
385 return -EINVAL;
386
387 sock_hold(sk);
388 lock_sock(sk);
389
390 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
391 err = -EBADFD;
392 goto done;
393 }
394
395 if (sk->sk_type != SOCK_STREAM) {
396 err = -EINVAL;
397 goto done;
398 }
399
400 sk->sk_state = BT_CONNECT;
401 bacpy(&rfcomm_pi(sk)->dst, &sa->rc_bdaddr);
402 rfcomm_pi(sk)->channel = sa->rc_channel;
403
404 d->sec_level = rfcomm_pi(sk)->sec_level;
405 d->role_switch = rfcomm_pi(sk)->role_switch;
406
407 /* Drop sock lock to avoid potential deadlock with the RFCOMM lock */
408 release_sock(sk);
409 err = rfcomm_dlc_open(d, &rfcomm_pi(sk)->src, &sa->rc_bdaddr,
410 sa->rc_channel);
411 lock_sock(sk);
412 if (!err && !sock_flag(sk, SOCK_ZAPPED))
413 err = bt_sock_wait_state(sk, BT_CONNECTED,
414 sock_sndtimeo(sk, flags & O_NONBLOCK));
415
416done:
417 release_sock(sk);
418 sock_put(sk);
419 return err;
420}
421
422static int rfcomm_sock_listen(struct socket *sock, int backlog)
423{
424 struct sock *sk = sock->sk;
425 int err = 0;
426
427 BT_DBG("sk %p backlog %d", sk, backlog);
428
429 lock_sock(sk);
430
431 if (sk->sk_state != BT_BOUND) {
432 err = -EBADFD;
433 goto done;
434 }
435
436 if (sk->sk_type != SOCK_STREAM) {
437 err = -EINVAL;
438 goto done;
439 }
440
441 if (!rfcomm_pi(sk)->channel) {
442 bdaddr_t *src = &rfcomm_pi(sk)->src;
443 u8 channel;
444
445 err = -EINVAL;
446
447 write_lock(&rfcomm_sk_list.lock);
448
449 for (channel = 1; channel < 31; channel++)
450 if (!__rfcomm_get_listen_sock_by_addr(channel, src)) {
451 rfcomm_pi(sk)->channel = channel;
452 err = 0;
453 break;
454 }
455
456 write_unlock(&rfcomm_sk_list.lock);
457
458 if (err < 0)
459 goto done;
460 }
461
462 sk->sk_max_ack_backlog = backlog;
463 sk->sk_ack_backlog = 0;
464 sk->sk_state = BT_LISTEN;
465
466done:
467 release_sock(sk);
468 return err;
469}
470
471static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int flags,
472 bool kern)
473{
474 DEFINE_WAIT_FUNC(wait, woken_wake_function);
475 struct sock *sk = sock->sk, *nsk;
476 long timeo;
477 int err = 0;
478
479 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
480
481 if (sk->sk_type != SOCK_STREAM) {
482 err = -EINVAL;
483 goto done;
484 }
485
486 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
487
488 BT_DBG("sk %p timeo %ld", sk, timeo);
489
490 /* Wait for an incoming connection. (wake-one). */
491 add_wait_queue_exclusive(sk_sleep(sk), &wait);
492 while (1) {
493 if (sk->sk_state != BT_LISTEN) {
494 err = -EBADFD;
495 break;
496 }
497
498 nsk = bt_accept_dequeue(sk, newsock);
499 if (nsk)
500 break;
501
502 if (!timeo) {
503 err = -EAGAIN;
504 break;
505 }
506
507 if (signal_pending(current)) {
508 err = sock_intr_errno(timeo);
509 break;
510 }
511
512 release_sock(sk);
513
514 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
515
516 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
517 }
518 remove_wait_queue(sk_sleep(sk), &wait);
519
520 if (err)
521 goto done;
522
523 newsock->state = SS_CONNECTED;
524
525 BT_DBG("new socket %p", nsk);
526
527done:
528 release_sock(sk);
529 return err;
530}
531
532static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int peer)
533{
534 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
535 struct sock *sk = sock->sk;
536
537 BT_DBG("sock %p, sk %p", sock, sk);
538
539 if (peer && sk->sk_state != BT_CONNECTED &&
540 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2)
541 return -ENOTCONN;
542
543 memset(sa, 0, sizeof(*sa));
544 sa->rc_family = AF_BLUETOOTH;
545 sa->rc_channel = rfcomm_pi(sk)->channel;
546 if (peer)
547 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->dst);
548 else
549 bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->src);
550
551 return sizeof(struct sockaddr_rc);
552}
553
554static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg,
555 size_t len)
556{
557 struct sock *sk = sock->sk;
558 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
559 struct sk_buff *skb;
560 int sent;
561
562 if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
563 return -ENOTCONN;
564
565 if (msg->msg_flags & MSG_OOB)
566 return -EOPNOTSUPP;
567
568 if (sk->sk_shutdown & SEND_SHUTDOWN)
569 return -EPIPE;
570
571 BT_DBG("sock %p, sk %p", sock, sk);
572
573 lock_sock(sk);
574
575 sent = bt_sock_wait_ready(sk, msg->msg_flags);
576
577 release_sock(sk);
578
579 if (sent)
580 return sent;
581
582 skb = bt_skb_sendmmsg(sk, msg, len, d->mtu, RFCOMM_SKB_HEAD_RESERVE,
583 RFCOMM_SKB_TAIL_RESERVE);
584 if (IS_ERR(skb))
585 return PTR_ERR(skb);
586
587 sent = rfcomm_dlc_send(d, skb);
588 if (sent < 0)
589 kfree_skb(skb);
590
591 return sent;
592}
593
594static int rfcomm_sock_recvmsg(struct socket *sock, struct msghdr *msg,
595 size_t size, int flags)
596{
597 struct sock *sk = sock->sk;
598 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
599 int len;
600
601 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
602 rfcomm_dlc_accept(d);
603 return 0;
604 }
605
606 len = bt_sock_stream_recvmsg(sock, msg, size, flags);
607
608 lock_sock(sk);
609 if (!(flags & MSG_PEEK) && len > 0)
610 atomic_sub(len, &sk->sk_rmem_alloc);
611
612 if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2))
613 rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc);
614 release_sock(sk);
615
616 return len;
617}
618
619static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname,
620 sockptr_t optval, unsigned int optlen)
621{
622 struct sock *sk = sock->sk;
623 int err = 0;
624 u32 opt;
625
626 BT_DBG("sk %p", sk);
627
628 lock_sock(sk);
629
630 switch (optname) {
631 case RFCOMM_LM:
632 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
633 err = -EFAULT;
634 break;
635 }
636
637 if (opt & RFCOMM_LM_FIPS) {
638 err = -EINVAL;
639 break;
640 }
641
642 if (opt & RFCOMM_LM_AUTH)
643 rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
644 if (opt & RFCOMM_LM_ENCRYPT)
645 rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
646 if (opt & RFCOMM_LM_SECURE)
647 rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;
648
649 rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
650 break;
651
652 default:
653 err = -ENOPROTOOPT;
654 break;
655 }
656
657 release_sock(sk);
658 return err;
659}
660
661static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname,
662 sockptr_t optval, unsigned int optlen)
663{
664 struct sock *sk = sock->sk;
665 struct bt_security sec;
666 int err = 0;
667 size_t len;
668 u32 opt;
669
670 BT_DBG("sk %p", sk);
671
672 if (level == SOL_RFCOMM)
673 return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);
674
675 if (level != SOL_BLUETOOTH)
676 return -ENOPROTOOPT;
677
678 lock_sock(sk);
679
680 switch (optname) {
681 case BT_SECURITY:
682 if (sk->sk_type != SOCK_STREAM) {
683 err = -EINVAL;
684 break;
685 }
686
687 sec.level = BT_SECURITY_LOW;
688
689 len = min_t(unsigned int, sizeof(sec), optlen);
690 if (copy_from_sockptr(&sec, optval, len)) {
691 err = -EFAULT;
692 break;
693 }
694
695 if (sec.level > BT_SECURITY_HIGH) {
696 err = -EINVAL;
697 break;
698 }
699
700 rfcomm_pi(sk)->sec_level = sec.level;
701 break;
702
703 case BT_DEFER_SETUP:
704 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
705 err = -EINVAL;
706 break;
707 }
708
709 if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
710 err = -EFAULT;
711 break;
712 }
713
714 if (opt)
715 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
716 else
717 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
718
719 break;
720
721 default:
722 err = -ENOPROTOOPT;
723 break;
724 }
725
726 release_sock(sk);
727 return err;
728}
729
730static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
731{
732 struct sock *sk = sock->sk;
733 struct sock *l2cap_sk;
734 struct l2cap_conn *conn;
735 struct rfcomm_conninfo cinfo;
736 int len, err = 0;
737 u32 opt;
738
739 BT_DBG("sk %p", sk);
740
741 if (get_user(len, optlen))
742 return -EFAULT;
743
744 lock_sock(sk);
745
746 switch (optname) {
747 case RFCOMM_LM:
748 switch (rfcomm_pi(sk)->sec_level) {
749 case BT_SECURITY_LOW:
750 opt = RFCOMM_LM_AUTH;
751 break;
752 case BT_SECURITY_MEDIUM:
753 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
754 break;
755 case BT_SECURITY_HIGH:
756 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
757 RFCOMM_LM_SECURE;
758 break;
759 case BT_SECURITY_FIPS:
760 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
761 RFCOMM_LM_SECURE | RFCOMM_LM_FIPS;
762 break;
763 default:
764 opt = 0;
765 break;
766 }
767
768 if (rfcomm_pi(sk)->role_switch)
769 opt |= RFCOMM_LM_MASTER;
770
771 if (put_user(opt, (u32 __user *) optval))
772 err = -EFAULT;
773
774 break;
775
776 case RFCOMM_CONNINFO:
777 if (sk->sk_state != BT_CONNECTED &&
778 !rfcomm_pi(sk)->dlc->defer_setup) {
779 err = -ENOTCONN;
780 break;
781 }
782
783 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
784 conn = l2cap_pi(l2cap_sk)->chan->conn;
785
786 memset(&cinfo, 0, sizeof(cinfo));
787 cinfo.hci_handle = conn->hcon->handle;
788 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
789
790 len = min_t(unsigned int, len, sizeof(cinfo));
791 if (copy_to_user(optval, (char *) &cinfo, len))
792 err = -EFAULT;
793
794 break;
795
796 default:
797 err = -ENOPROTOOPT;
798 break;
799 }
800
801 release_sock(sk);
802 return err;
803}
804
805static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
806{
807 struct sock *sk = sock->sk;
808 struct bt_security sec;
809 int len, err = 0;
810
811 BT_DBG("sk %p", sk);
812
813 if (level == SOL_RFCOMM)
814 return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen);
815
816 if (level != SOL_BLUETOOTH)
817 return -ENOPROTOOPT;
818
819 if (get_user(len, optlen))
820 return -EFAULT;
821
822 lock_sock(sk);
823
824 switch (optname) {
825 case BT_SECURITY:
826 if (sk->sk_type != SOCK_STREAM) {
827 err = -EINVAL;
828 break;
829 }
830
831 sec.level = rfcomm_pi(sk)->sec_level;
832 sec.key_size = 0;
833
834 len = min_t(unsigned int, len, sizeof(sec));
835 if (copy_to_user(optval, (char *) &sec, len))
836 err = -EFAULT;
837
838 break;
839
840 case BT_DEFER_SETUP:
841 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
842 err = -EINVAL;
843 break;
844 }
845
846 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
847 (u32 __user *) optval))
848 err = -EFAULT;
849
850 break;
851
852 default:
853 err = -ENOPROTOOPT;
854 break;
855 }
856
857 release_sock(sk);
858 return err;
859}
860
861static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
862{
863 struct sock *sk __maybe_unused = sock->sk;
864 int err;
865
866 BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg);
867
868 err = bt_sock_ioctl(sock, cmd, arg);
869
870 if (err == -ENOIOCTLCMD) {
871#ifdef CONFIG_BT_RFCOMM_TTY
872 lock_sock(sk);
873 err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
874 release_sock(sk);
875#else
876 err = -EOPNOTSUPP;
877#endif
878 }
879
880 return err;
881}
882
883#ifdef CONFIG_COMPAT
884static int rfcomm_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
885{
886 return rfcomm_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg));
887}
888#endif
889
890static int rfcomm_sock_shutdown(struct socket *sock, int how)
891{
892 struct sock *sk = sock->sk;
893 int err = 0;
894
895 BT_DBG("sock %p, sk %p", sock, sk);
896
897 if (!sk)
898 return 0;
899
900 lock_sock(sk);
901 if (!sk->sk_shutdown) {
902 sk->sk_shutdown = SHUTDOWN_MASK;
903
904 release_sock(sk);
905 __rfcomm_sock_close(sk);
906 lock_sock(sk);
907
908 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
909 !(current->flags & PF_EXITING))
910 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
911 }
912 release_sock(sk);
913 return err;
914}
915
916static int rfcomm_sock_release(struct socket *sock)
917{
918 struct sock *sk = sock->sk;
919 int err;
920
921 BT_DBG("sock %p, sk %p", sock, sk);
922
923 if (!sk)
924 return 0;
925
926 err = rfcomm_sock_shutdown(sock, 2);
927
928 sock_orphan(sk);
929 rfcomm_sock_kill(sk);
930 return err;
931}
932
933/* ---- RFCOMM core layer callbacks ----
934 *
935 * called under rfcomm_lock()
936 */
937int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d)
938{
939 struct sock *sk, *parent;
940 bdaddr_t src, dst;
941 int result = 0;
942
943 BT_DBG("session %p channel %d", s, channel);
944
945 rfcomm_session_getaddr(s, &src, &dst);
946
947 /* Check if we have socket listening on channel */
948 parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src);
949 if (!parent)
950 return 0;
951
952 lock_sock(parent);
953
954 /* Check for backlog size */
955 if (sk_acceptq_is_full(parent)) {
956 BT_DBG("backlog full %d", parent->sk_ack_backlog);
957 goto done;
958 }
959
960 sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC, 0);
961 if (!sk)
962 goto done;
963
964 bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM);
965
966 rfcomm_sock_init(sk, parent);
967 bacpy(&rfcomm_pi(sk)->src, &src);
968 bacpy(&rfcomm_pi(sk)->dst, &dst);
969 rfcomm_pi(sk)->channel = channel;
970
971 sk->sk_state = BT_CONFIG;
972 bt_accept_enqueue(parent, sk, true);
973
974 /* Accept connection and return socket DLC */
975 *d = rfcomm_pi(sk)->dlc;
976 result = 1;
977
978done:
979 release_sock(parent);
980
981 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
982 parent->sk_state_change(parent);
983
984 return result;
985}
986
987static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
988{
989 struct sock *sk;
990
991 read_lock(&rfcomm_sk_list.lock);
992
993 sk_for_each(sk, &rfcomm_sk_list.head) {
994 seq_printf(f, "%pMR %pMR %d %d\n",
995 &rfcomm_pi(sk)->src, &rfcomm_pi(sk)->dst,
996 sk->sk_state, rfcomm_pi(sk)->channel);
997 }
998
999 read_unlock(&rfcomm_sk_list.lock);
1000
1001 return 0;
1002}
1003
1004DEFINE_SHOW_ATTRIBUTE(rfcomm_sock_debugfs);
1005
1006static struct dentry *rfcomm_sock_debugfs;
1007
1008static const struct proto_ops rfcomm_sock_ops = {
1009 .family = PF_BLUETOOTH,
1010 .owner = THIS_MODULE,
1011 .release = rfcomm_sock_release,
1012 .bind = rfcomm_sock_bind,
1013 .connect = rfcomm_sock_connect,
1014 .listen = rfcomm_sock_listen,
1015 .accept = rfcomm_sock_accept,
1016 .getname = rfcomm_sock_getname,
1017 .sendmsg = rfcomm_sock_sendmsg,
1018 .recvmsg = rfcomm_sock_recvmsg,
1019 .shutdown = rfcomm_sock_shutdown,
1020 .setsockopt = rfcomm_sock_setsockopt,
1021 .getsockopt = rfcomm_sock_getsockopt,
1022 .ioctl = rfcomm_sock_ioctl,
1023 .gettstamp = sock_gettstamp,
1024 .poll = bt_sock_poll,
1025 .socketpair = sock_no_socketpair,
1026 .mmap = sock_no_mmap,
1027#ifdef CONFIG_COMPAT
1028 .compat_ioctl = rfcomm_sock_compat_ioctl,
1029#endif
1030};
1031
1032static const struct net_proto_family rfcomm_sock_family_ops = {
1033 .family = PF_BLUETOOTH,
1034 .owner = THIS_MODULE,
1035 .create = rfcomm_sock_create
1036};
1037
1038int __init rfcomm_init_sockets(void)
1039{
1040 int err;
1041
1042 BUILD_BUG_ON(sizeof(struct sockaddr_rc) > sizeof(struct sockaddr));
1043
1044 err = proto_register(&rfcomm_proto, 0);
1045 if (err < 0)
1046 return err;
1047
1048 err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops);
1049 if (err < 0) {
1050 BT_ERR("RFCOMM socket layer registration failed");
1051 goto error;
1052 }
1053
1054 err = bt_procfs_init(&init_net, "rfcomm", &rfcomm_sk_list, NULL);
1055 if (err < 0) {
1056 BT_ERR("Failed to create RFCOMM proc file");
1057 bt_sock_unregister(BTPROTO_RFCOMM);
1058 goto error;
1059 }
1060
1061 BT_INFO("RFCOMM socket layer initialized");
1062
1063 if (IS_ERR_OR_NULL(bt_debugfs))
1064 return 0;
1065
1066 rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444,
1067 bt_debugfs, NULL,
1068 &rfcomm_sock_debugfs_fops);
1069
1070 return 0;
1071
1072error:
1073 proto_unregister(&rfcomm_proto);
1074 return err;
1075}
1076
1077void __exit rfcomm_cleanup_sockets(void)
1078{
1079 bt_procfs_cleanup(&init_net, "rfcomm");
1080
1081 debugfs_remove(rfcomm_sock_debugfs);
1082
1083 bt_sock_unregister(BTPROTO_RFCOMM);
1084
1085 proto_unregister(&rfcomm_proto);
1086}
1/*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22*/
23
24/*
25 * RFCOMM sockets.
26 */
27
28#include <linux/module.h>
29
30#include <linux/types.h>
31#include <linux/errno.h>
32#include <linux/kernel.h>
33#include <linux/sched.h>
34#include <linux/slab.h>
35#include <linux/poll.h>
36#include <linux/fcntl.h>
37#include <linux/init.h>
38#include <linux/interrupt.h>
39#include <linux/socket.h>
40#include <linux/skbuff.h>
41#include <linux/list.h>
42#include <linux/device.h>
43#include <linux/debugfs.h>
44#include <linux/seq_file.h>
45#include <linux/security.h>
46#include <net/sock.h>
47
48#include <linux/uaccess.h>
49
50#include <net/bluetooth/bluetooth.h>
51#include <net/bluetooth/hci_core.h>
52#include <net/bluetooth/l2cap.h>
53#include <net/bluetooth/rfcomm.h>
54
55static const struct proto_ops rfcomm_sock_ops;
56
57static struct bt_sock_list rfcomm_sk_list = {
58 .lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock)
59};
60
61static void rfcomm_sock_close(struct sock *sk);
62static void rfcomm_sock_kill(struct sock *sk);
63
64/* ---- DLC callbacks ----
65 *
66 * called under rfcomm_dlc_lock()
67 */
68static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
69{
70 struct sock *sk = d->owner;
71 if (!sk)
72 return;
73
74 atomic_add(skb->len, &sk->sk_rmem_alloc);
75 skb_queue_tail(&sk->sk_receive_queue, skb);
76 sk->sk_data_ready(sk, skb->len);
77
78 if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
79 rfcomm_dlc_throttle(d);
80}
81
82static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
83{
84 struct sock *sk = d->owner, *parent;
85 unsigned long flags;
86
87 if (!sk)
88 return;
89
90 BT_DBG("dlc %p state %ld err %d", d, d->state, err);
91
92 local_irq_save(flags);
93 bh_lock_sock(sk);
94
95 if (err)
96 sk->sk_err = err;
97
98 sk->sk_state = d->state;
99
100 parent = bt_sk(sk)->parent;
101 if (parent) {
102 if (d->state == BT_CLOSED) {
103 sock_set_flag(sk, SOCK_ZAPPED);
104 bt_accept_unlink(sk);
105 }
106 parent->sk_data_ready(parent, 0);
107 } else {
108 if (d->state == BT_CONNECTED)
109 rfcomm_session_getaddr(d->session, &bt_sk(sk)->src, NULL);
110 sk->sk_state_change(sk);
111 }
112
113 bh_unlock_sock(sk);
114 local_irq_restore(flags);
115
116 if (parent && sock_flag(sk, SOCK_ZAPPED)) {
117 /* We have to drop DLC lock here, otherwise
118 * rfcomm_sock_destruct() will dead lock. */
119 rfcomm_dlc_unlock(d);
120 rfcomm_sock_kill(sk);
121 rfcomm_dlc_lock(d);
122 }
123}
124
125/* ---- Socket functions ---- */
126static struct sock *__rfcomm_get_sock_by_addr(u8 channel, bdaddr_t *src)
127{
128 struct sock *sk = NULL;
129 struct hlist_node *node;
130
131 sk_for_each(sk, node, &rfcomm_sk_list.head) {
132 if (rfcomm_pi(sk)->channel == channel &&
133 !bacmp(&bt_sk(sk)->src, src))
134 break;
135 }
136
137 return node ? sk : NULL;
138}
139
140/* Find socket with channel and source bdaddr.
141 * Returns closest match.
142 */
143static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
144{
145 struct sock *sk = NULL, *sk1 = NULL;
146 struct hlist_node *node;
147
148 read_lock(&rfcomm_sk_list.lock);
149
150 sk_for_each(sk, node, &rfcomm_sk_list.head) {
151 if (state && sk->sk_state != state)
152 continue;
153
154 if (rfcomm_pi(sk)->channel == channel) {
155 /* Exact match. */
156 if (!bacmp(&bt_sk(sk)->src, src))
157 break;
158
159 /* Closest match */
160 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
161 sk1 = sk;
162 }
163 }
164
165 read_unlock(&rfcomm_sk_list.lock);
166
167 return node ? sk : sk1;
168}
169
170static void rfcomm_sock_destruct(struct sock *sk)
171{
172 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
173
174 BT_DBG("sk %p dlc %p", sk, d);
175
176 skb_queue_purge(&sk->sk_receive_queue);
177 skb_queue_purge(&sk->sk_write_queue);
178
179 rfcomm_dlc_lock(d);
180 rfcomm_pi(sk)->dlc = NULL;
181
182 /* Detach DLC if it's owned by this socket */
183 if (d->owner == sk)
184 d->owner = NULL;
185 rfcomm_dlc_unlock(d);
186
187 rfcomm_dlc_put(d);
188}
189
190static void rfcomm_sock_cleanup_listen(struct sock *parent)
191{
192 struct sock *sk;
193
194 BT_DBG("parent %p", parent);
195
196 /* Close not yet accepted dlcs */
197 while ((sk = bt_accept_dequeue(parent, NULL))) {
198 rfcomm_sock_close(sk);
199 rfcomm_sock_kill(sk);
200 }
201
202 parent->sk_state = BT_CLOSED;
203 sock_set_flag(parent, SOCK_ZAPPED);
204}
205
206/* Kill socket (only if zapped and orphan)
207 * Must be called on unlocked socket.
208 */
209static void rfcomm_sock_kill(struct sock *sk)
210{
211 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
212 return;
213
214 BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, atomic_read(&sk->sk_refcnt));
215
216 /* Kill poor orphan */
217 bt_sock_unlink(&rfcomm_sk_list, sk);
218 sock_set_flag(sk, SOCK_DEAD);
219 sock_put(sk);
220}
221
222static void __rfcomm_sock_close(struct sock *sk)
223{
224 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
225
226 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
227
228 switch (sk->sk_state) {
229 case BT_LISTEN:
230 rfcomm_sock_cleanup_listen(sk);
231 break;
232
233 case BT_CONNECT:
234 case BT_CONNECT2:
235 case BT_CONFIG:
236 case BT_CONNECTED:
237 rfcomm_dlc_close(d, 0);
238
239 default:
240 sock_set_flag(sk, SOCK_ZAPPED);
241 break;
242 }
243}
244
245/* Close socket.
246 * Must be called on unlocked socket.
247 */
248static void rfcomm_sock_close(struct sock *sk)
249{
250 lock_sock(sk);
251 __rfcomm_sock_close(sk);
252 release_sock(sk);
253}
254
255static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
256{
257 struct rfcomm_pinfo *pi = rfcomm_pi(sk);
258
259 BT_DBG("sk %p", sk);
260
261 if (parent) {
262 sk->sk_type = parent->sk_type;
263 pi->dlc->defer_setup = test_bit(BT_SK_DEFER_SETUP,
264 &bt_sk(parent)->flags);
265
266 pi->sec_level = rfcomm_pi(parent)->sec_level;
267 pi->role_switch = rfcomm_pi(parent)->role_switch;
268
269 security_sk_clone(parent, sk);
270 } else {
271 pi->dlc->defer_setup = 0;
272
273 pi->sec_level = BT_SECURITY_LOW;
274 pi->role_switch = 0;
275 }
276
277 pi->dlc->sec_level = pi->sec_level;
278 pi->dlc->role_switch = pi->role_switch;
279}
280
281static struct proto rfcomm_proto = {
282 .name = "RFCOMM",
283 .owner = THIS_MODULE,
284 .obj_size = sizeof(struct rfcomm_pinfo)
285};
286
287static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
288{
289 struct rfcomm_dlc *d;
290 struct sock *sk;
291
292 sk = sk_alloc(net, PF_BLUETOOTH, prio, &rfcomm_proto);
293 if (!sk)
294 return NULL;
295
296 sock_init_data(sock, sk);
297 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
298
299 d = rfcomm_dlc_alloc(prio);
300 if (!d) {
301 sk_free(sk);
302 return NULL;
303 }
304
305 d->data_ready = rfcomm_sk_data_ready;
306 d->state_change = rfcomm_sk_state_change;
307
308 rfcomm_pi(sk)->dlc = d;
309 d->owner = sk;
310
311 sk->sk_destruct = rfcomm_sock_destruct;
312 sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT;
313
314 sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
315 sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
316
317 sock_reset_flag(sk, SOCK_ZAPPED);
318
319 sk->sk_protocol = proto;
320 sk->sk_state = BT_OPEN;
321
322 bt_sock_link(&rfcomm_sk_list, sk);
323
324 BT_DBG("sk %p", sk);
325 return sk;
326}
327
328static int rfcomm_sock_create(struct net *net, struct socket *sock,
329 int protocol, int kern)
330{
331 struct sock *sk;
332
333 BT_DBG("sock %p", sock);
334
335 sock->state = SS_UNCONNECTED;
336
337 if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW)
338 return -ESOCKTNOSUPPORT;
339
340 sock->ops = &rfcomm_sock_ops;
341
342 sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC);
343 if (!sk)
344 return -ENOMEM;
345
346 rfcomm_sock_init(sk, NULL);
347 return 0;
348}
349
350static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
351{
352 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
353 struct sock *sk = sock->sk;
354 int err = 0;
355
356 BT_DBG("sk %p %s", sk, batostr(&sa->rc_bdaddr));
357
358 if (!addr || addr->sa_family != AF_BLUETOOTH)
359 return -EINVAL;
360
361 lock_sock(sk);
362
363 if (sk->sk_state != BT_OPEN) {
364 err = -EBADFD;
365 goto done;
366 }
367
368 if (sk->sk_type != SOCK_STREAM) {
369 err = -EINVAL;
370 goto done;
371 }
372
373 write_lock(&rfcomm_sk_list.lock);
374
375 if (sa->rc_channel && __rfcomm_get_sock_by_addr(sa->rc_channel, &sa->rc_bdaddr)) {
376 err = -EADDRINUSE;
377 } else {
378 /* Save source address */
379 bacpy(&bt_sk(sk)->src, &sa->rc_bdaddr);
380 rfcomm_pi(sk)->channel = sa->rc_channel;
381 sk->sk_state = BT_BOUND;
382 }
383
384 write_unlock(&rfcomm_sk_list.lock);
385
386done:
387 release_sock(sk);
388 return err;
389}
390
391static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
392{
393 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
394 struct sock *sk = sock->sk;
395 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
396 int err = 0;
397
398 BT_DBG("sk %p", sk);
399
400 if (alen < sizeof(struct sockaddr_rc) ||
401 addr->sa_family != AF_BLUETOOTH)
402 return -EINVAL;
403
404 lock_sock(sk);
405
406 if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
407 err = -EBADFD;
408 goto done;
409 }
410
411 if (sk->sk_type != SOCK_STREAM) {
412 err = -EINVAL;
413 goto done;
414 }
415
416 sk->sk_state = BT_CONNECT;
417 bacpy(&bt_sk(sk)->dst, &sa->rc_bdaddr);
418 rfcomm_pi(sk)->channel = sa->rc_channel;
419
420 d->sec_level = rfcomm_pi(sk)->sec_level;
421 d->role_switch = rfcomm_pi(sk)->role_switch;
422
423 err = rfcomm_dlc_open(d, &bt_sk(sk)->src, &sa->rc_bdaddr, sa->rc_channel);
424 if (!err)
425 err = bt_sock_wait_state(sk, BT_CONNECTED,
426 sock_sndtimeo(sk, flags & O_NONBLOCK));
427
428done:
429 release_sock(sk);
430 return err;
431}
432
433static int rfcomm_sock_listen(struct socket *sock, int backlog)
434{
435 struct sock *sk = sock->sk;
436 int err = 0;
437
438 BT_DBG("sk %p backlog %d", sk, backlog);
439
440 lock_sock(sk);
441
442 if (sk->sk_state != BT_BOUND) {
443 err = -EBADFD;
444 goto done;
445 }
446
447 if (sk->sk_type != SOCK_STREAM) {
448 err = -EINVAL;
449 goto done;
450 }
451
452 if (!rfcomm_pi(sk)->channel) {
453 bdaddr_t *src = &bt_sk(sk)->src;
454 u8 channel;
455
456 err = -EINVAL;
457
458 write_lock(&rfcomm_sk_list.lock);
459
460 for (channel = 1; channel < 31; channel++)
461 if (!__rfcomm_get_sock_by_addr(channel, src)) {
462 rfcomm_pi(sk)->channel = channel;
463 err = 0;
464 break;
465 }
466
467 write_unlock(&rfcomm_sk_list.lock);
468
469 if (err < 0)
470 goto done;
471 }
472
473 sk->sk_max_ack_backlog = backlog;
474 sk->sk_ack_backlog = 0;
475 sk->sk_state = BT_LISTEN;
476
477done:
478 release_sock(sk);
479 return err;
480}
481
482static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int flags)
483{
484 DECLARE_WAITQUEUE(wait, current);
485 struct sock *sk = sock->sk, *nsk;
486 long timeo;
487 int err = 0;
488
489 lock_sock(sk);
490
491 if (sk->sk_type != SOCK_STREAM) {
492 err = -EINVAL;
493 goto done;
494 }
495
496 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
497
498 BT_DBG("sk %p timeo %ld", sk, timeo);
499
500 /* Wait for an incoming connection. (wake-one). */
501 add_wait_queue_exclusive(sk_sleep(sk), &wait);
502 while (1) {
503 set_current_state(TASK_INTERRUPTIBLE);
504
505 if (sk->sk_state != BT_LISTEN) {
506 err = -EBADFD;
507 break;
508 }
509
510 nsk = bt_accept_dequeue(sk, newsock);
511 if (nsk)
512 break;
513
514 if (!timeo) {
515 err = -EAGAIN;
516 break;
517 }
518
519 if (signal_pending(current)) {
520 err = sock_intr_errno(timeo);
521 break;
522 }
523
524 release_sock(sk);
525 timeo = schedule_timeout(timeo);
526 lock_sock(sk);
527 }
528 __set_current_state(TASK_RUNNING);
529 remove_wait_queue(sk_sleep(sk), &wait);
530
531 if (err)
532 goto done;
533
534 newsock->state = SS_CONNECTED;
535
536 BT_DBG("new socket %p", nsk);
537
538done:
539 release_sock(sk);
540 return err;
541}
542
543static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
544{
545 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
546 struct sock *sk = sock->sk;
547
548 BT_DBG("sock %p, sk %p", sock, sk);
549
550 memset(sa, 0, sizeof(*sa));
551 sa->rc_family = AF_BLUETOOTH;
552 sa->rc_channel = rfcomm_pi(sk)->channel;
553 if (peer)
554 bacpy(&sa->rc_bdaddr, &bt_sk(sk)->dst);
555 else
556 bacpy(&sa->rc_bdaddr, &bt_sk(sk)->src);
557
558 *len = sizeof(struct sockaddr_rc);
559 return 0;
560}
561
562static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
563 struct msghdr *msg, size_t len)
564{
565 struct sock *sk = sock->sk;
566 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
567 struct sk_buff *skb;
568 int sent = 0;
569
570 if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
571 return -ENOTCONN;
572
573 if (msg->msg_flags & MSG_OOB)
574 return -EOPNOTSUPP;
575
576 if (sk->sk_shutdown & SEND_SHUTDOWN)
577 return -EPIPE;
578
579 BT_DBG("sock %p, sk %p", sock, sk);
580
581 lock_sock(sk);
582
583 while (len) {
584 size_t size = min_t(size_t, len, d->mtu);
585 int err;
586
587 skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE,
588 msg->msg_flags & MSG_DONTWAIT, &err);
589 if (!skb) {
590 if (sent == 0)
591 sent = err;
592 break;
593 }
594 skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);
595
596 err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);
597 if (err) {
598 kfree_skb(skb);
599 if (sent == 0)
600 sent = err;
601 break;
602 }
603
604 skb->priority = sk->sk_priority;
605
606 err = rfcomm_dlc_send(d, skb);
607 if (err < 0) {
608 kfree_skb(skb);
609 if (sent == 0)
610 sent = err;
611 break;
612 }
613
614 sent += size;
615 len -= size;
616 }
617
618 release_sock(sk);
619
620 return sent;
621}
622
623static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
624 struct msghdr *msg, size_t size, int flags)
625{
626 struct sock *sk = sock->sk;
627 struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
628 int len;
629
630 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
631 rfcomm_dlc_accept(d);
632 return 0;
633 }
634
635 len = bt_sock_stream_recvmsg(iocb, sock, msg, size, flags);
636
637 lock_sock(sk);
638 if (!(flags & MSG_PEEK) && len > 0)
639 atomic_sub(len, &sk->sk_rmem_alloc);
640
641 if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2))
642 rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc);
643 release_sock(sk);
644
645 return len;
646}
647
648static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
649{
650 struct sock *sk = sock->sk;
651 int err = 0;
652 u32 opt;
653
654 BT_DBG("sk %p", sk);
655
656 lock_sock(sk);
657
658 switch (optname) {
659 case RFCOMM_LM:
660 if (get_user(opt, (u32 __user *) optval)) {
661 err = -EFAULT;
662 break;
663 }
664
665 if (opt & RFCOMM_LM_AUTH)
666 rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
667 if (opt & RFCOMM_LM_ENCRYPT)
668 rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
669 if (opt & RFCOMM_LM_SECURE)
670 rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;
671
672 rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
673 break;
674
675 default:
676 err = -ENOPROTOOPT;
677 break;
678 }
679
680 release_sock(sk);
681 return err;
682}
683
684static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
685{
686 struct sock *sk = sock->sk;
687 struct bt_security sec;
688 int err = 0;
689 size_t len;
690 u32 opt;
691
692 BT_DBG("sk %p", sk);
693
694 if (level == SOL_RFCOMM)
695 return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);
696
697 if (level != SOL_BLUETOOTH)
698 return -ENOPROTOOPT;
699
700 lock_sock(sk);
701
702 switch (optname) {
703 case BT_SECURITY:
704 if (sk->sk_type != SOCK_STREAM) {
705 err = -EINVAL;
706 break;
707 }
708
709 sec.level = BT_SECURITY_LOW;
710
711 len = min_t(unsigned int, sizeof(sec), optlen);
712 if (copy_from_user((char *) &sec, optval, len)) {
713 err = -EFAULT;
714 break;
715 }
716
717 if (sec.level > BT_SECURITY_HIGH) {
718 err = -EINVAL;
719 break;
720 }
721
722 rfcomm_pi(sk)->sec_level = sec.level;
723 break;
724
725 case BT_DEFER_SETUP:
726 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
727 err = -EINVAL;
728 break;
729 }
730
731 if (get_user(opt, (u32 __user *) optval)) {
732 err = -EFAULT;
733 break;
734 }
735
736 if (opt)
737 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
738 else
739 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
740
741 break;
742
743 default:
744 err = -ENOPROTOOPT;
745 break;
746 }
747
748 release_sock(sk);
749 return err;
750}
751
752static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
753{
754 struct sock *sk = sock->sk;
755 struct rfcomm_conninfo cinfo;
756 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
757 int len, err = 0;
758 u32 opt;
759
760 BT_DBG("sk %p", sk);
761
762 if (get_user(len, optlen))
763 return -EFAULT;
764
765 lock_sock(sk);
766
767 switch (optname) {
768 case RFCOMM_LM:
769 switch (rfcomm_pi(sk)->sec_level) {
770 case BT_SECURITY_LOW:
771 opt = RFCOMM_LM_AUTH;
772 break;
773 case BT_SECURITY_MEDIUM:
774 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
775 break;
776 case BT_SECURITY_HIGH:
777 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
778 RFCOMM_LM_SECURE;
779 break;
780 default:
781 opt = 0;
782 break;
783 }
784
785 if (rfcomm_pi(sk)->role_switch)
786 opt |= RFCOMM_LM_MASTER;
787
788 if (put_user(opt, (u32 __user *) optval))
789 err = -EFAULT;
790 break;
791
792 case RFCOMM_CONNINFO:
793 if (sk->sk_state != BT_CONNECTED &&
794 !rfcomm_pi(sk)->dlc->defer_setup) {
795 err = -ENOTCONN;
796 break;
797 }
798
799 memset(&cinfo, 0, sizeof(cinfo));
800 cinfo.hci_handle = conn->hcon->handle;
801 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
802
803 len = min_t(unsigned int, len, sizeof(cinfo));
804 if (copy_to_user(optval, (char *) &cinfo, len))
805 err = -EFAULT;
806
807 break;
808
809 default:
810 err = -ENOPROTOOPT;
811 break;
812 }
813
814 release_sock(sk);
815 return err;
816}
817
818static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
819{
820 struct sock *sk = sock->sk;
821 struct bt_security sec;
822 int len, err = 0;
823
824 BT_DBG("sk %p", sk);
825
826 if (level == SOL_RFCOMM)
827 return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen);
828
829 if (level != SOL_BLUETOOTH)
830 return -ENOPROTOOPT;
831
832 if (get_user(len, optlen))
833 return -EFAULT;
834
835 lock_sock(sk);
836
837 switch (optname) {
838 case BT_SECURITY:
839 if (sk->sk_type != SOCK_STREAM) {
840 err = -EINVAL;
841 break;
842 }
843
844 sec.level = rfcomm_pi(sk)->sec_level;
845 sec.key_size = 0;
846
847 len = min_t(unsigned int, len, sizeof(sec));
848 if (copy_to_user(optval, (char *) &sec, len))
849 err = -EFAULT;
850
851 break;
852
853 case BT_DEFER_SETUP:
854 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
855 err = -EINVAL;
856 break;
857 }
858
859 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
860 (u32 __user *) optval))
861 err = -EFAULT;
862
863 break;
864
865 default:
866 err = -ENOPROTOOPT;
867 break;
868 }
869
870 release_sock(sk);
871 return err;
872}
873
874static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
875{
876 struct sock *sk __maybe_unused = sock->sk;
877 int err;
878
879 BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg);
880
881 err = bt_sock_ioctl(sock, cmd, arg);
882
883 if (err == -ENOIOCTLCMD) {
884#ifdef CONFIG_BT_RFCOMM_TTY
885 lock_sock(sk);
886 err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
887 release_sock(sk);
888#else
889 err = -EOPNOTSUPP;
890#endif
891 }
892
893 return err;
894}
895
896static int rfcomm_sock_shutdown(struct socket *sock, int how)
897{
898 struct sock *sk = sock->sk;
899 int err = 0;
900
901 BT_DBG("sock %p, sk %p", sock, sk);
902
903 if (!sk)
904 return 0;
905
906 lock_sock(sk);
907 if (!sk->sk_shutdown) {
908 sk->sk_shutdown = SHUTDOWN_MASK;
909 __rfcomm_sock_close(sk);
910
911 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
912 err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
913 }
914 release_sock(sk);
915 return err;
916}
917
918static int rfcomm_sock_release(struct socket *sock)
919{
920 struct sock *sk = sock->sk;
921 int err;
922
923 BT_DBG("sock %p, sk %p", sock, sk);
924
925 if (!sk)
926 return 0;
927
928 err = rfcomm_sock_shutdown(sock, 2);
929
930 sock_orphan(sk);
931 rfcomm_sock_kill(sk);
932 return err;
933}
934
935/* ---- RFCOMM core layer callbacks ----
936 *
937 * called under rfcomm_lock()
938 */
939int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d)
940{
941 struct sock *sk, *parent;
942 bdaddr_t src, dst;
943 int result = 0;
944
945 BT_DBG("session %p channel %d", s, channel);
946
947 rfcomm_session_getaddr(s, &src, &dst);
948
949 /* Check if we have socket listening on channel */
950 parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src);
951 if (!parent)
952 return 0;
953
954 bh_lock_sock(parent);
955
956 /* Check for backlog size */
957 if (sk_acceptq_is_full(parent)) {
958 BT_DBG("backlog full %d", parent->sk_ack_backlog);
959 goto done;
960 }
961
962 sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC);
963 if (!sk)
964 goto done;
965
966 bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM);
967
968 rfcomm_sock_init(sk, parent);
969 bacpy(&bt_sk(sk)->src, &src);
970 bacpy(&bt_sk(sk)->dst, &dst);
971 rfcomm_pi(sk)->channel = channel;
972
973 sk->sk_state = BT_CONFIG;
974 bt_accept_enqueue(parent, sk);
975
976 /* Accept connection and return socket DLC */
977 *d = rfcomm_pi(sk)->dlc;
978 result = 1;
979
980done:
981 bh_unlock_sock(parent);
982
983 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
984 parent->sk_state_change(parent);
985
986 return result;
987}
988
989static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
990{
991 struct sock *sk;
992 struct hlist_node *node;
993
994 read_lock(&rfcomm_sk_list.lock);
995
996 sk_for_each(sk, node, &rfcomm_sk_list.head) {
997 seq_printf(f, "%s %s %d %d\n",
998 batostr(&bt_sk(sk)->src),
999 batostr(&bt_sk(sk)->dst),
1000 sk->sk_state, rfcomm_pi(sk)->channel);
1001 }
1002
1003 read_unlock(&rfcomm_sk_list.lock);
1004
1005 return 0;
1006}
1007
1008static int rfcomm_sock_debugfs_open(struct inode *inode, struct file *file)
1009{
1010 return single_open(file, rfcomm_sock_debugfs_show, inode->i_private);
1011}
1012
1013static const struct file_operations rfcomm_sock_debugfs_fops = {
1014 .open = rfcomm_sock_debugfs_open,
1015 .read = seq_read,
1016 .llseek = seq_lseek,
1017 .release = single_release,
1018};
1019
1020static struct dentry *rfcomm_sock_debugfs;
1021
1022static const struct proto_ops rfcomm_sock_ops = {
1023 .family = PF_BLUETOOTH,
1024 .owner = THIS_MODULE,
1025 .release = rfcomm_sock_release,
1026 .bind = rfcomm_sock_bind,
1027 .connect = rfcomm_sock_connect,
1028 .listen = rfcomm_sock_listen,
1029 .accept = rfcomm_sock_accept,
1030 .getname = rfcomm_sock_getname,
1031 .sendmsg = rfcomm_sock_sendmsg,
1032 .recvmsg = rfcomm_sock_recvmsg,
1033 .shutdown = rfcomm_sock_shutdown,
1034 .setsockopt = rfcomm_sock_setsockopt,
1035 .getsockopt = rfcomm_sock_getsockopt,
1036 .ioctl = rfcomm_sock_ioctl,
1037 .poll = bt_sock_poll,
1038 .socketpair = sock_no_socketpair,
1039 .mmap = sock_no_mmap
1040};
1041
1042static const struct net_proto_family rfcomm_sock_family_ops = {
1043 .family = PF_BLUETOOTH,
1044 .owner = THIS_MODULE,
1045 .create = rfcomm_sock_create
1046};
1047
1048int __init rfcomm_init_sockets(void)
1049{
1050 int err;
1051
1052 err = proto_register(&rfcomm_proto, 0);
1053 if (err < 0)
1054 return err;
1055
1056 err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops);
1057 if (err < 0)
1058 goto error;
1059
1060 if (bt_debugfs) {
1061 rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444,
1062 bt_debugfs, NULL, &rfcomm_sock_debugfs_fops);
1063 if (!rfcomm_sock_debugfs)
1064 BT_ERR("Failed to create RFCOMM debug file");
1065 }
1066
1067 BT_INFO("RFCOMM socket layer initialized");
1068
1069 return 0;
1070
1071error:
1072 BT_ERR("RFCOMM socket layer registration failed");
1073 proto_unregister(&rfcomm_proto);
1074 return err;
1075}
1076
1077void __exit rfcomm_cleanup_sockets(void)
1078{
1079 debugfs_remove(rfcomm_sock_debugfs);
1080
1081 if (bt_sock_unregister(BTPROTO_RFCOMM) < 0)
1082 BT_ERR("RFCOMM socket layer unregistration failed");
1083
1084 proto_unregister(&rfcomm_proto);
1085}