xref: /openbmc/linux/net/bluetooth/rfcomm/sock.c (revision 54618888)
1 /*
2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5 
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9 
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23 
24 /*
25  * RFCOMM sockets.
26  */
27 #include <linux/compat.h>
28 #include <linux/export.h>
29 #include <linux/debugfs.h>
30 #include <linux/sched/signal.h>
31 
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/l2cap.h>
35 #include <net/bluetooth/rfcomm.h>
36 
37 static const struct proto_ops rfcomm_sock_ops;
38 
39 static struct bt_sock_list rfcomm_sk_list = {
40 	.lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock)
41 };
42 
43 static void rfcomm_sock_close(struct sock *sk);
44 static void rfcomm_sock_kill(struct sock *sk);
45 
46 /* ---- DLC callbacks ----
47  *
48  * called under rfcomm_dlc_lock()
49  */
50 static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
51 {
52 	struct sock *sk = d->owner;
53 	if (!sk)
54 		return;
55 
56 	atomic_add(skb->len, &sk->sk_rmem_alloc);
57 	skb_queue_tail(&sk->sk_receive_queue, skb);
58 	sk->sk_data_ready(sk);
59 
60 	if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
61 		rfcomm_dlc_throttle(d);
62 }
63 
64 static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
65 {
66 	struct sock *sk = d->owner, *parent;
67 
68 	if (!sk)
69 		return;
70 
71 	BT_DBG("dlc %p state %ld err %d", d, d->state, err);
72 
73 	lock_sock(sk);
74 
75 	if (err)
76 		sk->sk_err = err;
77 
78 	sk->sk_state = d->state;
79 
80 	parent = bt_sk(sk)->parent;
81 	if (parent) {
82 		if (d->state == BT_CLOSED) {
83 			sock_set_flag(sk, SOCK_ZAPPED);
84 			bt_accept_unlink(sk);
85 		}
86 		parent->sk_data_ready(parent);
87 	} else {
88 		if (d->state == BT_CONNECTED)
89 			rfcomm_session_getaddr(d->session,
90 					       &rfcomm_pi(sk)->src, NULL);
91 		sk->sk_state_change(sk);
92 	}
93 
94 	release_sock(sk);
95 
96 	if (parent && sock_flag(sk, SOCK_ZAPPED)) {
97 		/* We have to drop DLC lock here, otherwise
98 		 * rfcomm_sock_destruct() will dead lock. */
99 		rfcomm_dlc_unlock(d);
100 		rfcomm_sock_kill(sk);
101 		rfcomm_dlc_lock(d);
102 	}
103 }
104 
105 /* ---- Socket functions ---- */
106 static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
107 {
108 	struct sock *sk = NULL;
109 
110 	sk_for_each(sk, &rfcomm_sk_list.head) {
111 		if (rfcomm_pi(sk)->channel != channel)
112 			continue;
113 
114 		if (bacmp(&rfcomm_pi(sk)->src, src))
115 			continue;
116 
117 		if (sk->sk_state == BT_BOUND || sk->sk_state == BT_LISTEN)
118 			break;
119 	}
120 
121 	return sk ? sk : NULL;
122 }
123 
124 /* Find socket with channel and source bdaddr.
125  * Returns closest match.
126  */
127 static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
128 {
129 	struct sock *sk = NULL, *sk1 = NULL;
130 
131 	read_lock(&rfcomm_sk_list.lock);
132 
133 	sk_for_each(sk, &rfcomm_sk_list.head) {
134 		if (state && sk->sk_state != state)
135 			continue;
136 
137 		if (rfcomm_pi(sk)->channel == channel) {
138 			/* Exact match. */
139 			if (!bacmp(&rfcomm_pi(sk)->src, src))
140 				break;
141 
142 			/* Closest match */
143 			if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY))
144 				sk1 = sk;
145 		}
146 	}
147 
148 	read_unlock(&rfcomm_sk_list.lock);
149 
150 	return sk ? sk : sk1;
151 }
152 
153 static void rfcomm_sock_destruct(struct sock *sk)
154 {
155 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
156 
157 	BT_DBG("sk %p dlc %p", sk, d);
158 
159 	skb_queue_purge(&sk->sk_receive_queue);
160 	skb_queue_purge(&sk->sk_write_queue);
161 
162 	rfcomm_dlc_lock(d);
163 	rfcomm_pi(sk)->dlc = NULL;
164 
165 	/* Detach DLC if it's owned by this socket */
166 	if (d->owner == sk)
167 		d->owner = NULL;
168 	rfcomm_dlc_unlock(d);
169 
170 	rfcomm_dlc_put(d);
171 }
172 
173 static void rfcomm_sock_cleanup_listen(struct sock *parent)
174 {
175 	struct sock *sk;
176 
177 	BT_DBG("parent %p", parent);
178 
179 	/* Close not yet accepted dlcs */
180 	while ((sk = bt_accept_dequeue(parent, NULL))) {
181 		rfcomm_sock_close(sk);
182 		rfcomm_sock_kill(sk);
183 	}
184 
185 	parent->sk_state  = BT_CLOSED;
186 	sock_set_flag(parent, SOCK_ZAPPED);
187 }
188 
189 /* Kill socket (only if zapped and orphan)
190  * Must be called on unlocked socket.
191  */
192 static void rfcomm_sock_kill(struct sock *sk)
193 {
194 	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
195 		return;
196 
197 	BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, refcount_read(&sk->sk_refcnt));
198 
199 	/* Kill poor orphan */
200 	bt_sock_unlink(&rfcomm_sk_list, sk);
201 	sock_set_flag(sk, SOCK_DEAD);
202 	sock_put(sk);
203 }
204 
205 static void __rfcomm_sock_close(struct sock *sk)
206 {
207 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
208 
209 	BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
210 
211 	switch (sk->sk_state) {
212 	case BT_LISTEN:
213 		rfcomm_sock_cleanup_listen(sk);
214 		break;
215 
216 	case BT_CONNECT:
217 	case BT_CONNECT2:
218 	case BT_CONFIG:
219 	case BT_CONNECTED:
220 		rfcomm_dlc_close(d, 0);
221 		fallthrough;
222 
223 	default:
224 		sock_set_flag(sk, SOCK_ZAPPED);
225 		break;
226 	}
227 }
228 
229 /* Close socket.
230  * Must be called on unlocked socket.
231  */
232 static void rfcomm_sock_close(struct sock *sk)
233 {
234 	lock_sock(sk);
235 	__rfcomm_sock_close(sk);
236 	release_sock(sk);
237 }
238 
239 static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
240 {
241 	struct rfcomm_pinfo *pi = rfcomm_pi(sk);
242 
243 	BT_DBG("sk %p", sk);
244 
245 	if (parent) {
246 		sk->sk_type = parent->sk_type;
247 		pi->dlc->defer_setup = test_bit(BT_SK_DEFER_SETUP,
248 						&bt_sk(parent)->flags);
249 
250 		pi->sec_level = rfcomm_pi(parent)->sec_level;
251 		pi->role_switch = rfcomm_pi(parent)->role_switch;
252 
253 		security_sk_clone(parent, sk);
254 	} else {
255 		pi->dlc->defer_setup = 0;
256 
257 		pi->sec_level = BT_SECURITY_LOW;
258 		pi->role_switch = 0;
259 	}
260 
261 	pi->dlc->sec_level = pi->sec_level;
262 	pi->dlc->role_switch = pi->role_switch;
263 }
264 
265 static struct proto rfcomm_proto = {
266 	.name		= "RFCOMM",
267 	.owner		= THIS_MODULE,
268 	.obj_size	= sizeof(struct rfcomm_pinfo)
269 };
270 
271 static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio, int kern)
272 {
273 	struct rfcomm_dlc *d;
274 	struct sock *sk;
275 
276 	sk = sk_alloc(net, PF_BLUETOOTH, prio, &rfcomm_proto, kern);
277 	if (!sk)
278 		return NULL;
279 
280 	sock_init_data(sock, sk);
281 	INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
282 
283 	d = rfcomm_dlc_alloc(prio);
284 	if (!d) {
285 		sk_free(sk);
286 		return NULL;
287 	}
288 
289 	d->data_ready   = rfcomm_sk_data_ready;
290 	d->state_change = rfcomm_sk_state_change;
291 
292 	rfcomm_pi(sk)->dlc = d;
293 	d->owner = sk;
294 
295 	sk->sk_destruct = rfcomm_sock_destruct;
296 	sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT;
297 
298 	sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
299 	sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
300 
301 	sock_reset_flag(sk, SOCK_ZAPPED);
302 
303 	sk->sk_protocol = proto;
304 	sk->sk_state    = BT_OPEN;
305 
306 	bt_sock_link(&rfcomm_sk_list, sk);
307 
308 	BT_DBG("sk %p", sk);
309 	return sk;
310 }
311 
312 static int rfcomm_sock_create(struct net *net, struct socket *sock,
313 			      int protocol, int kern)
314 {
315 	struct sock *sk;
316 
317 	BT_DBG("sock %p", sock);
318 
319 	sock->state = SS_UNCONNECTED;
320 
321 	if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW)
322 		return -ESOCKTNOSUPPORT;
323 
324 	sock->ops = &rfcomm_sock_ops;
325 
326 	sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
327 	if (!sk)
328 		return -ENOMEM;
329 
330 	rfcomm_sock_init(sk, NULL);
331 	return 0;
332 }
333 
334 static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
335 {
336 	struct sockaddr_rc sa;
337 	struct sock *sk = sock->sk;
338 	int len, err = 0;
339 
340 	if (!addr || addr_len < offsetofend(struct sockaddr, sa_family) ||
341 	    addr->sa_family != AF_BLUETOOTH)
342 		return -EINVAL;
343 
344 	memset(&sa, 0, sizeof(sa));
345 	len = min_t(unsigned int, sizeof(sa), addr_len);
346 	memcpy(&sa, addr, len);
347 
348 	BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);
349 
350 	lock_sock(sk);
351 
352 	if (sk->sk_state != BT_OPEN) {
353 		err = -EBADFD;
354 		goto done;
355 	}
356 
357 	if (sk->sk_type != SOCK_STREAM) {
358 		err = -EINVAL;
359 		goto done;
360 	}
361 
362 	write_lock(&rfcomm_sk_list.lock);
363 
364 	if (sa.rc_channel &&
365 	    __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
366 		err = -EADDRINUSE;
367 	} else {
368 		/* Save source address */
369 		bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr);
370 		rfcomm_pi(sk)->channel = sa.rc_channel;
371 		sk->sk_state = BT_BOUND;
372 	}
373 
374 	write_unlock(&rfcomm_sk_list.lock);
375 
376 done:
377 	release_sock(sk);
378 	return err;
379 }
380 
381 static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
382 {
383 	struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
384 	struct sock *sk = sock->sk;
385 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
386 	int err = 0;
387 
388 	BT_DBG("sk %p", sk);
389 
390 	if (alen < sizeof(struct sockaddr_rc) ||
391 	    addr->sa_family != AF_BLUETOOTH)
392 		return -EINVAL;
393 
394 	sock_hold(sk);
395 	lock_sock(sk);
396 
397 	if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
398 		err = -EBADFD;
399 		goto done;
400 	}
401 
402 	if (sk->sk_type != SOCK_STREAM) {
403 		err = -EINVAL;
404 		goto done;
405 	}
406 
407 	sk->sk_state = BT_CONNECT;
408 	bacpy(&rfcomm_pi(sk)->dst, &sa->rc_bdaddr);
409 	rfcomm_pi(sk)->channel = sa->rc_channel;
410 
411 	d->sec_level = rfcomm_pi(sk)->sec_level;
412 	d->role_switch = rfcomm_pi(sk)->role_switch;
413 
414 	/* Drop sock lock to avoid potential deadlock with the RFCOMM lock */
415 	release_sock(sk);
416 	err = rfcomm_dlc_open(d, &rfcomm_pi(sk)->src, &sa->rc_bdaddr,
417 			      sa->rc_channel);
418 	lock_sock(sk);
419 	if (!err && !sock_flag(sk, SOCK_ZAPPED))
420 		err = bt_sock_wait_state(sk, BT_CONNECTED,
421 				sock_sndtimeo(sk, flags & O_NONBLOCK));
422 
423 done:
424 	release_sock(sk);
425 	sock_put(sk);
426 	return err;
427 }
428 
429 static int rfcomm_sock_listen(struct socket *sock, int backlog)
430 {
431 	struct sock *sk = sock->sk;
432 	int err = 0;
433 
434 	BT_DBG("sk %p backlog %d", sk, backlog);
435 
436 	lock_sock(sk);
437 
438 	if (sk->sk_state != BT_BOUND) {
439 		err = -EBADFD;
440 		goto done;
441 	}
442 
443 	if (sk->sk_type != SOCK_STREAM) {
444 		err = -EINVAL;
445 		goto done;
446 	}
447 
448 	if (!rfcomm_pi(sk)->channel) {
449 		bdaddr_t *src = &rfcomm_pi(sk)->src;
450 		u8 channel;
451 
452 		err = -EINVAL;
453 
454 		write_lock(&rfcomm_sk_list.lock);
455 
456 		for (channel = 1; channel < 31; channel++)
457 			if (!__rfcomm_get_listen_sock_by_addr(channel, src)) {
458 				rfcomm_pi(sk)->channel = channel;
459 				err = 0;
460 				break;
461 			}
462 
463 		write_unlock(&rfcomm_sk_list.lock);
464 
465 		if (err < 0)
466 			goto done;
467 	}
468 
469 	sk->sk_max_ack_backlog = backlog;
470 	sk->sk_ack_backlog = 0;
471 	sk->sk_state = BT_LISTEN;
472 
473 done:
474 	release_sock(sk);
475 	return err;
476 }
477 
478 static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int flags,
479 			      bool kern)
480 {
481 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
482 	struct sock *sk = sock->sk, *nsk;
483 	long timeo;
484 	int err = 0;
485 
486 	lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
487 
488 	if (sk->sk_type != SOCK_STREAM) {
489 		err = -EINVAL;
490 		goto done;
491 	}
492 
493 	timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
494 
495 	BT_DBG("sk %p timeo %ld", sk, timeo);
496 
497 	/* Wait for an incoming connection. (wake-one). */
498 	add_wait_queue_exclusive(sk_sleep(sk), &wait);
499 	while (1) {
500 		if (sk->sk_state != BT_LISTEN) {
501 			err = -EBADFD;
502 			break;
503 		}
504 
505 		nsk = bt_accept_dequeue(sk, newsock);
506 		if (nsk)
507 			break;
508 
509 		if (!timeo) {
510 			err = -EAGAIN;
511 			break;
512 		}
513 
514 		if (signal_pending(current)) {
515 			err = sock_intr_errno(timeo);
516 			break;
517 		}
518 
519 		release_sock(sk);
520 
521 		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
522 
523 		lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
524 	}
525 	remove_wait_queue(sk_sleep(sk), &wait);
526 
527 	if (err)
528 		goto done;
529 
530 	newsock->state = SS_CONNECTED;
531 
532 	BT_DBG("new socket %p", nsk);
533 
534 done:
535 	release_sock(sk);
536 	return err;
537 }
538 
539 static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int peer)
540 {
541 	struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
542 	struct sock *sk = sock->sk;
543 
544 	BT_DBG("sock %p, sk %p", sock, sk);
545 
546 	if (peer && sk->sk_state != BT_CONNECTED &&
547 	    sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2)
548 		return -ENOTCONN;
549 
550 	memset(sa, 0, sizeof(*sa));
551 	sa->rc_family  = AF_BLUETOOTH;
552 	sa->rc_channel = rfcomm_pi(sk)->channel;
553 	if (peer)
554 		bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->dst);
555 	else
556 		bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->src);
557 
558 	return sizeof(struct sockaddr_rc);
559 }
560 
561 static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg,
562 			       size_t len)
563 {
564 	struct sock *sk = sock->sk;
565 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
566 	struct sk_buff *skb;
567 	int sent;
568 
569 	if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
570 		return -ENOTCONN;
571 
572 	if (msg->msg_flags & MSG_OOB)
573 		return -EOPNOTSUPP;
574 
575 	if (sk->sk_shutdown & SEND_SHUTDOWN)
576 		return -EPIPE;
577 
578 	BT_DBG("sock %p, sk %p", sock, sk);
579 
580 	lock_sock(sk);
581 
582 	sent = bt_sock_wait_ready(sk, msg->msg_flags);
583 
584 	release_sock(sk);
585 
586 	if (sent)
587 		return sent;
588 
589 	skb = bt_skb_sendmmsg(sk, msg, len, d->mtu, RFCOMM_SKB_HEAD_RESERVE,
590 			      RFCOMM_SKB_TAIL_RESERVE);
591 	if (IS_ERR(skb))
592 		return PTR_ERR(skb);
593 
594 	sent = rfcomm_dlc_send(d, skb);
595 	if (sent < 0)
596 		kfree_skb(skb);
597 
598 	return sent;
599 }
600 
601 static int rfcomm_sock_recvmsg(struct socket *sock, struct msghdr *msg,
602 			       size_t size, int flags)
603 {
604 	struct sock *sk = sock->sk;
605 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
606 	int len;
607 
608 	if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
609 		rfcomm_dlc_accept(d);
610 		return 0;
611 	}
612 
613 	len = bt_sock_stream_recvmsg(sock, msg, size, flags);
614 
615 	lock_sock(sk);
616 	if (!(flags & MSG_PEEK) && len > 0)
617 		atomic_sub(len, &sk->sk_rmem_alloc);
618 
619 	if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2))
620 		rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc);
621 	release_sock(sk);
622 
623 	return len;
624 }
625 
626 static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname,
627 		sockptr_t optval, unsigned int optlen)
628 {
629 	struct sock *sk = sock->sk;
630 	int err = 0;
631 	u32 opt;
632 
633 	BT_DBG("sk %p", sk);
634 
635 	lock_sock(sk);
636 
637 	switch (optname) {
638 	case RFCOMM_LM:
639 		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
640 			err = -EFAULT;
641 			break;
642 		}
643 
644 		if (opt & RFCOMM_LM_FIPS) {
645 			err = -EINVAL;
646 			break;
647 		}
648 
649 		if (opt & RFCOMM_LM_AUTH)
650 			rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
651 		if (opt & RFCOMM_LM_ENCRYPT)
652 			rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
653 		if (opt & RFCOMM_LM_SECURE)
654 			rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;
655 
656 		rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
657 		break;
658 
659 	default:
660 		err = -ENOPROTOOPT;
661 		break;
662 	}
663 
664 	release_sock(sk);
665 	return err;
666 }
667 
668 static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname,
669 		sockptr_t optval, unsigned int optlen)
670 {
671 	struct sock *sk = sock->sk;
672 	struct bt_security sec;
673 	int err = 0;
674 	size_t len;
675 	u32 opt;
676 
677 	BT_DBG("sk %p", sk);
678 
679 	if (level == SOL_RFCOMM)
680 		return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);
681 
682 	if (level != SOL_BLUETOOTH)
683 		return -ENOPROTOOPT;
684 
685 	lock_sock(sk);
686 
687 	switch (optname) {
688 	case BT_SECURITY:
689 		if (sk->sk_type != SOCK_STREAM) {
690 			err = -EINVAL;
691 			break;
692 		}
693 
694 		sec.level = BT_SECURITY_LOW;
695 
696 		len = min_t(unsigned int, sizeof(sec), optlen);
697 		if (copy_from_sockptr(&sec, optval, len)) {
698 			err = -EFAULT;
699 			break;
700 		}
701 
702 		if (sec.level > BT_SECURITY_HIGH) {
703 			err = -EINVAL;
704 			break;
705 		}
706 
707 		rfcomm_pi(sk)->sec_level = sec.level;
708 		break;
709 
710 	case BT_DEFER_SETUP:
711 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
712 			err = -EINVAL;
713 			break;
714 		}
715 
716 		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
717 			err = -EFAULT;
718 			break;
719 		}
720 
721 		if (opt)
722 			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
723 		else
724 			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
725 
726 		break;
727 
728 	default:
729 		err = -ENOPROTOOPT;
730 		break;
731 	}
732 
733 	release_sock(sk);
734 	return err;
735 }
736 
737 static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
738 {
739 	struct sock *sk = sock->sk;
740 	struct sock *l2cap_sk;
741 	struct l2cap_conn *conn;
742 	struct rfcomm_conninfo cinfo;
743 	int len, err = 0;
744 	u32 opt;
745 
746 	BT_DBG("sk %p", sk);
747 
748 	if (get_user(len, optlen))
749 		return -EFAULT;
750 
751 	lock_sock(sk);
752 
753 	switch (optname) {
754 	case RFCOMM_LM:
755 		switch (rfcomm_pi(sk)->sec_level) {
756 		case BT_SECURITY_LOW:
757 			opt = RFCOMM_LM_AUTH;
758 			break;
759 		case BT_SECURITY_MEDIUM:
760 			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
761 			break;
762 		case BT_SECURITY_HIGH:
763 			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
764 			      RFCOMM_LM_SECURE;
765 			break;
766 		case BT_SECURITY_FIPS:
767 			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
768 			      RFCOMM_LM_SECURE | RFCOMM_LM_FIPS;
769 			break;
770 		default:
771 			opt = 0;
772 			break;
773 		}
774 
775 		if (rfcomm_pi(sk)->role_switch)
776 			opt |= RFCOMM_LM_MASTER;
777 
778 		if (put_user(opt, (u32 __user *) optval))
779 			err = -EFAULT;
780 
781 		break;
782 
783 	case RFCOMM_CONNINFO:
784 		if (sk->sk_state != BT_CONNECTED &&
785 					!rfcomm_pi(sk)->dlc->defer_setup) {
786 			err = -ENOTCONN;
787 			break;
788 		}
789 
790 		l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
791 		conn = l2cap_pi(l2cap_sk)->chan->conn;
792 
793 		memset(&cinfo, 0, sizeof(cinfo));
794 		cinfo.hci_handle = conn->hcon->handle;
795 		memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
796 
797 		len = min_t(unsigned int, len, sizeof(cinfo));
798 		if (copy_to_user(optval, (char *) &cinfo, len))
799 			err = -EFAULT;
800 
801 		break;
802 
803 	default:
804 		err = -ENOPROTOOPT;
805 		break;
806 	}
807 
808 	release_sock(sk);
809 	return err;
810 }
811 
812 static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
813 {
814 	struct sock *sk = sock->sk;
815 	struct bt_security sec;
816 	int len, err = 0;
817 
818 	BT_DBG("sk %p", sk);
819 
820 	if (level == SOL_RFCOMM)
821 		return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen);
822 
823 	if (level != SOL_BLUETOOTH)
824 		return -ENOPROTOOPT;
825 
826 	if (get_user(len, optlen))
827 		return -EFAULT;
828 
829 	lock_sock(sk);
830 
831 	switch (optname) {
832 	case BT_SECURITY:
833 		if (sk->sk_type != SOCK_STREAM) {
834 			err = -EINVAL;
835 			break;
836 		}
837 
838 		sec.level = rfcomm_pi(sk)->sec_level;
839 		sec.key_size = 0;
840 
841 		len = min_t(unsigned int, len, sizeof(sec));
842 		if (copy_to_user(optval, (char *) &sec, len))
843 			err = -EFAULT;
844 
845 		break;
846 
847 	case BT_DEFER_SETUP:
848 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
849 			err = -EINVAL;
850 			break;
851 		}
852 
853 		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
854 			     (u32 __user *) optval))
855 			err = -EFAULT;
856 
857 		break;
858 
859 	default:
860 		err = -ENOPROTOOPT;
861 		break;
862 	}
863 
864 	release_sock(sk);
865 	return err;
866 }
867 
868 static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
869 {
870 	struct sock *sk __maybe_unused = sock->sk;
871 	int err;
872 
873 	BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg);
874 
875 	err = bt_sock_ioctl(sock, cmd, arg);
876 
877 	if (err == -ENOIOCTLCMD) {
878 #ifdef CONFIG_BT_RFCOMM_TTY
879 		lock_sock(sk);
880 		err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
881 		release_sock(sk);
882 #else
883 		err = -EOPNOTSUPP;
884 #endif
885 	}
886 
887 	return err;
888 }
889 
890 #ifdef CONFIG_COMPAT
891 static int rfcomm_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
892 {
893 	return rfcomm_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg));
894 }
895 #endif
896 
897 static int rfcomm_sock_shutdown(struct socket *sock, int how)
898 {
899 	struct sock *sk = sock->sk;
900 	int err = 0;
901 
902 	BT_DBG("sock %p, sk %p", sock, sk);
903 
904 	if (!sk)
905 		return 0;
906 
907 	lock_sock(sk);
908 	if (!sk->sk_shutdown) {
909 		sk->sk_shutdown = SHUTDOWN_MASK;
910 
911 		release_sock(sk);
912 		__rfcomm_sock_close(sk);
913 		lock_sock(sk);
914 
915 		if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
916 		    !(current->flags & PF_EXITING))
917 			err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
918 	}
919 	release_sock(sk);
920 	return err;
921 }
922 
923 static int rfcomm_sock_release(struct socket *sock)
924 {
925 	struct sock *sk = sock->sk;
926 	int err;
927 
928 	BT_DBG("sock %p, sk %p", sock, sk);
929 
930 	if (!sk)
931 		return 0;
932 
933 	err = rfcomm_sock_shutdown(sock, 2);
934 
935 	sock_orphan(sk);
936 	rfcomm_sock_kill(sk);
937 	return err;
938 }
939 
940 /* ---- RFCOMM core layer callbacks ----
941  *
942  * called under rfcomm_lock()
943  */
944 int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d)
945 {
946 	struct sock *sk, *parent;
947 	bdaddr_t src, dst;
948 	int result = 0;
949 
950 	BT_DBG("session %p channel %d", s, channel);
951 
952 	rfcomm_session_getaddr(s, &src, &dst);
953 
954 	/* Check if we have socket listening on channel */
955 	parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src);
956 	if (!parent)
957 		return 0;
958 
959 	lock_sock(parent);
960 
961 	/* Check for backlog size */
962 	if (sk_acceptq_is_full(parent)) {
963 		BT_DBG("backlog full %d", parent->sk_ack_backlog);
964 		goto done;
965 	}
966 
967 	sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC, 0);
968 	if (!sk)
969 		goto done;
970 
971 	bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM);
972 
973 	rfcomm_sock_init(sk, parent);
974 	bacpy(&rfcomm_pi(sk)->src, &src);
975 	bacpy(&rfcomm_pi(sk)->dst, &dst);
976 	rfcomm_pi(sk)->channel = channel;
977 
978 	sk->sk_state = BT_CONFIG;
979 	bt_accept_enqueue(parent, sk, true);
980 
981 	/* Accept connection and return socket DLC */
982 	*d = rfcomm_pi(sk)->dlc;
983 	result = 1;
984 
985 done:
986 	release_sock(parent);
987 
988 	if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
989 		parent->sk_state_change(parent);
990 
991 	return result;
992 }
993 
994 static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
995 {
996 	struct sock *sk;
997 
998 	read_lock(&rfcomm_sk_list.lock);
999 
1000 	sk_for_each(sk, &rfcomm_sk_list.head) {
1001 		seq_printf(f, "%pMR %pMR %d %d\n",
1002 			   &rfcomm_pi(sk)->src, &rfcomm_pi(sk)->dst,
1003 			   sk->sk_state, rfcomm_pi(sk)->channel);
1004 	}
1005 
1006 	read_unlock(&rfcomm_sk_list.lock);
1007 
1008 	return 0;
1009 }
1010 
1011 DEFINE_SHOW_ATTRIBUTE(rfcomm_sock_debugfs);
1012 
1013 static struct dentry *rfcomm_sock_debugfs;
1014 
1015 static const struct proto_ops rfcomm_sock_ops = {
1016 	.family		= PF_BLUETOOTH,
1017 	.owner		= THIS_MODULE,
1018 	.release	= rfcomm_sock_release,
1019 	.bind		= rfcomm_sock_bind,
1020 	.connect	= rfcomm_sock_connect,
1021 	.listen		= rfcomm_sock_listen,
1022 	.accept		= rfcomm_sock_accept,
1023 	.getname	= rfcomm_sock_getname,
1024 	.sendmsg	= rfcomm_sock_sendmsg,
1025 	.recvmsg	= rfcomm_sock_recvmsg,
1026 	.shutdown	= rfcomm_sock_shutdown,
1027 	.setsockopt	= rfcomm_sock_setsockopt,
1028 	.getsockopt	= rfcomm_sock_getsockopt,
1029 	.ioctl		= rfcomm_sock_ioctl,
1030 	.gettstamp	= sock_gettstamp,
1031 	.poll		= bt_sock_poll,
1032 	.socketpair	= sock_no_socketpair,
1033 	.mmap		= sock_no_mmap,
1034 #ifdef CONFIG_COMPAT
1035 	.compat_ioctl	= rfcomm_sock_compat_ioctl,
1036 #endif
1037 };
1038 
1039 static const struct net_proto_family rfcomm_sock_family_ops = {
1040 	.family		= PF_BLUETOOTH,
1041 	.owner		= THIS_MODULE,
1042 	.create		= rfcomm_sock_create
1043 };
1044 
1045 int __init rfcomm_init_sockets(void)
1046 {
1047 	int err;
1048 
1049 	BUILD_BUG_ON(sizeof(struct sockaddr_rc) > sizeof(struct sockaddr));
1050 
1051 	err = proto_register(&rfcomm_proto, 0);
1052 	if (err < 0)
1053 		return err;
1054 
1055 	err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops);
1056 	if (err < 0) {
1057 		BT_ERR("RFCOMM socket layer registration failed");
1058 		goto error;
1059 	}
1060 
1061 	err = bt_procfs_init(&init_net, "rfcomm", &rfcomm_sk_list, NULL);
1062 	if (err < 0) {
1063 		BT_ERR("Failed to create RFCOMM proc file");
1064 		bt_sock_unregister(BTPROTO_RFCOMM);
1065 		goto error;
1066 	}
1067 
1068 	BT_INFO("RFCOMM socket layer initialized");
1069 
1070 	if (IS_ERR_OR_NULL(bt_debugfs))
1071 		return 0;
1072 
1073 	rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444,
1074 						  bt_debugfs, NULL,
1075 						  &rfcomm_sock_debugfs_fops);
1076 
1077 	return 0;
1078 
1079 error:
1080 	proto_unregister(&rfcomm_proto);
1081 	return err;
1082 }
1083 
1084 void __exit rfcomm_cleanup_sockets(void)
1085 {
1086 	bt_procfs_cleanup(&init_net, "rfcomm");
1087 
1088 	debugfs_remove(rfcomm_sock_debugfs);
1089 
1090 	bt_sock_unregister(BTPROTO_RFCOMM);
1091 
1092 	proto_unregister(&rfcomm_proto);
1093 }
1094