xref: /openbmc/linux/net/bluetooth/rfcomm/sock.c (revision 93707cbabcc8baf2b2b5f4a99c1f08ee83eb7abd)
1 /*
2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5 
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9 
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23 
24 /*
25  * RFCOMM sockets.
26  */
27 
28 #include <linux/export.h>
29 #include <linux/debugfs.h>
30 #include <linux/sched/signal.h>
31 
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/l2cap.h>
35 #include <net/bluetooth/rfcomm.h>
36 
37 static const struct proto_ops rfcomm_sock_ops;
38 
39 static struct bt_sock_list rfcomm_sk_list = {
40 	.lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock)
41 };
42 
43 static void rfcomm_sock_close(struct sock *sk);
44 static void rfcomm_sock_kill(struct sock *sk);
45 
46 /* ---- DLC callbacks ----
47  *
48  * called under rfcomm_dlc_lock()
49  */
50 static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
51 {
52 	struct sock *sk = d->owner;
53 	if (!sk)
54 		return;
55 
56 	atomic_add(skb->len, &sk->sk_rmem_alloc);
57 	skb_queue_tail(&sk->sk_receive_queue, skb);
58 	sk->sk_data_ready(sk);
59 
60 	if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
61 		rfcomm_dlc_throttle(d);
62 }
63 
64 static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
65 {
66 	struct sock *sk = d->owner, *parent;
67 	unsigned long flags;
68 
69 	if (!sk)
70 		return;
71 
72 	BT_DBG("dlc %p state %ld err %d", d, d->state, err);
73 
74 	local_irq_save(flags);
75 	bh_lock_sock(sk);
76 
77 	if (err)
78 		sk->sk_err = err;
79 
80 	sk->sk_state = d->state;
81 
82 	parent = bt_sk(sk)->parent;
83 	if (parent) {
84 		if (d->state == BT_CLOSED) {
85 			sock_set_flag(sk, SOCK_ZAPPED);
86 			bt_accept_unlink(sk);
87 		}
88 		parent->sk_data_ready(parent);
89 	} else {
90 		if (d->state == BT_CONNECTED)
91 			rfcomm_session_getaddr(d->session,
92 					       &rfcomm_pi(sk)->src, NULL);
93 		sk->sk_state_change(sk);
94 	}
95 
96 	bh_unlock_sock(sk);
97 	local_irq_restore(flags);
98 
99 	if (parent && sock_flag(sk, SOCK_ZAPPED)) {
100 		/* We have to drop DLC lock here, otherwise
101 		 * rfcomm_sock_destruct() will dead lock. */
102 		rfcomm_dlc_unlock(d);
103 		rfcomm_sock_kill(sk);
104 		rfcomm_dlc_lock(d);
105 	}
106 }
107 
108 /* ---- Socket functions ---- */
109 static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
110 {
111 	struct sock *sk = NULL;
112 
113 	sk_for_each(sk, &rfcomm_sk_list.head) {
114 		if (rfcomm_pi(sk)->channel != channel)
115 			continue;
116 
117 		if (bacmp(&rfcomm_pi(sk)->src, src))
118 			continue;
119 
120 		if (sk->sk_state == BT_BOUND || sk->sk_state == BT_LISTEN)
121 			break;
122 	}
123 
124 	return sk ? sk : NULL;
125 }
126 
127 /* Find socket with channel and source bdaddr.
128  * Returns closest match.
129  */
130 static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
131 {
132 	struct sock *sk = NULL, *sk1 = NULL;
133 
134 	read_lock(&rfcomm_sk_list.lock);
135 
136 	sk_for_each(sk, &rfcomm_sk_list.head) {
137 		if (state && sk->sk_state != state)
138 			continue;
139 
140 		if (rfcomm_pi(sk)->channel == channel) {
141 			/* Exact match. */
142 			if (!bacmp(&rfcomm_pi(sk)->src, src))
143 				break;
144 
145 			/* Closest match */
146 			if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY))
147 				sk1 = sk;
148 		}
149 	}
150 
151 	read_unlock(&rfcomm_sk_list.lock);
152 
153 	return sk ? sk : sk1;
154 }
155 
156 static void rfcomm_sock_destruct(struct sock *sk)
157 {
158 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
159 
160 	BT_DBG("sk %p dlc %p", sk, d);
161 
162 	skb_queue_purge(&sk->sk_receive_queue);
163 	skb_queue_purge(&sk->sk_write_queue);
164 
165 	rfcomm_dlc_lock(d);
166 	rfcomm_pi(sk)->dlc = NULL;
167 
168 	/* Detach DLC if it's owned by this socket */
169 	if (d->owner == sk)
170 		d->owner = NULL;
171 	rfcomm_dlc_unlock(d);
172 
173 	rfcomm_dlc_put(d);
174 }
175 
176 static void rfcomm_sock_cleanup_listen(struct sock *parent)
177 {
178 	struct sock *sk;
179 
180 	BT_DBG("parent %p", parent);
181 
182 	/* Close not yet accepted dlcs */
183 	while ((sk = bt_accept_dequeue(parent, NULL))) {
184 		rfcomm_sock_close(sk);
185 		rfcomm_sock_kill(sk);
186 	}
187 
188 	parent->sk_state  = BT_CLOSED;
189 	sock_set_flag(parent, SOCK_ZAPPED);
190 }
191 
192 /* Kill socket (only if zapped and orphan)
193  * Must be called on unlocked socket.
194  */
195 static void rfcomm_sock_kill(struct sock *sk)
196 {
197 	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
198 		return;
199 
200 	BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, refcount_read(&sk->sk_refcnt));
201 
202 	/* Kill poor orphan */
203 	bt_sock_unlink(&rfcomm_sk_list, sk);
204 	sock_set_flag(sk, SOCK_DEAD);
205 	sock_put(sk);
206 }
207 
208 static void __rfcomm_sock_close(struct sock *sk)
209 {
210 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
211 
212 	BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
213 
214 	switch (sk->sk_state) {
215 	case BT_LISTEN:
216 		rfcomm_sock_cleanup_listen(sk);
217 		break;
218 
219 	case BT_CONNECT:
220 	case BT_CONNECT2:
221 	case BT_CONFIG:
222 	case BT_CONNECTED:
223 		rfcomm_dlc_close(d, 0);
224 
225 	default:
226 		sock_set_flag(sk, SOCK_ZAPPED);
227 		break;
228 	}
229 }
230 
231 /* Close socket.
232  * Must be called on unlocked socket.
233  */
234 static void rfcomm_sock_close(struct sock *sk)
235 {
236 	lock_sock(sk);
237 	__rfcomm_sock_close(sk);
238 	release_sock(sk);
239 }
240 
241 static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
242 {
243 	struct rfcomm_pinfo *pi = rfcomm_pi(sk);
244 
245 	BT_DBG("sk %p", sk);
246 
247 	if (parent) {
248 		sk->sk_type = parent->sk_type;
249 		pi->dlc->defer_setup = test_bit(BT_SK_DEFER_SETUP,
250 						&bt_sk(parent)->flags);
251 
252 		pi->sec_level = rfcomm_pi(parent)->sec_level;
253 		pi->role_switch = rfcomm_pi(parent)->role_switch;
254 
255 		security_sk_clone(parent, sk);
256 	} else {
257 		pi->dlc->defer_setup = 0;
258 
259 		pi->sec_level = BT_SECURITY_LOW;
260 		pi->role_switch = 0;
261 	}
262 
263 	pi->dlc->sec_level = pi->sec_level;
264 	pi->dlc->role_switch = pi->role_switch;
265 }
266 
267 static struct proto rfcomm_proto = {
268 	.name		= "RFCOMM",
269 	.owner		= THIS_MODULE,
270 	.obj_size	= sizeof(struct rfcomm_pinfo)
271 };
272 
273 static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio, int kern)
274 {
275 	struct rfcomm_dlc *d;
276 	struct sock *sk;
277 
278 	sk = sk_alloc(net, PF_BLUETOOTH, prio, &rfcomm_proto, kern);
279 	if (!sk)
280 		return NULL;
281 
282 	sock_init_data(sock, sk);
283 	INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
284 
285 	d = rfcomm_dlc_alloc(prio);
286 	if (!d) {
287 		sk_free(sk);
288 		return NULL;
289 	}
290 
291 	d->data_ready   = rfcomm_sk_data_ready;
292 	d->state_change = rfcomm_sk_state_change;
293 
294 	rfcomm_pi(sk)->dlc = d;
295 	d->owner = sk;
296 
297 	sk->sk_destruct = rfcomm_sock_destruct;
298 	sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT;
299 
300 	sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
301 	sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
302 
303 	sock_reset_flag(sk, SOCK_ZAPPED);
304 
305 	sk->sk_protocol = proto;
306 	sk->sk_state    = BT_OPEN;
307 
308 	bt_sock_link(&rfcomm_sk_list, sk);
309 
310 	BT_DBG("sk %p", sk);
311 	return sk;
312 }
313 
314 static int rfcomm_sock_create(struct net *net, struct socket *sock,
315 			      int protocol, int kern)
316 {
317 	struct sock *sk;
318 
319 	BT_DBG("sock %p", sock);
320 
321 	sock->state = SS_UNCONNECTED;
322 
323 	if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW)
324 		return -ESOCKTNOSUPPORT;
325 
326 	sock->ops = &rfcomm_sock_ops;
327 
328 	sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
329 	if (!sk)
330 		return -ENOMEM;
331 
332 	rfcomm_sock_init(sk, NULL);
333 	return 0;
334 }
335 
336 static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
337 {
338 	struct sockaddr_rc sa;
339 	struct sock *sk = sock->sk;
340 	int len, err = 0;
341 
342 	if (!addr || addr_len < offsetofend(struct sockaddr, sa_family) ||
343 	    addr->sa_family != AF_BLUETOOTH)
344 		return -EINVAL;
345 
346 	memset(&sa, 0, sizeof(sa));
347 	len = min_t(unsigned int, sizeof(sa), addr_len);
348 	memcpy(&sa, addr, len);
349 
350 	BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);
351 
352 	lock_sock(sk);
353 
354 	if (sk->sk_state != BT_OPEN) {
355 		err = -EBADFD;
356 		goto done;
357 	}
358 
359 	if (sk->sk_type != SOCK_STREAM) {
360 		err = -EINVAL;
361 		goto done;
362 	}
363 
364 	write_lock(&rfcomm_sk_list.lock);
365 
366 	if (sa.rc_channel &&
367 	    __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
368 		err = -EADDRINUSE;
369 	} else {
370 		/* Save source address */
371 		bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr);
372 		rfcomm_pi(sk)->channel = sa.rc_channel;
373 		sk->sk_state = BT_BOUND;
374 	}
375 
376 	write_unlock(&rfcomm_sk_list.lock);
377 
378 done:
379 	release_sock(sk);
380 	return err;
381 }
382 
383 static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
384 {
385 	struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
386 	struct sock *sk = sock->sk;
387 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
388 	int err = 0;
389 
390 	BT_DBG("sk %p", sk);
391 
392 	if (alen < sizeof(struct sockaddr_rc) ||
393 	    addr->sa_family != AF_BLUETOOTH)
394 		return -EINVAL;
395 
396 	lock_sock(sk);
397 
398 	if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
399 		err = -EBADFD;
400 		goto done;
401 	}
402 
403 	if (sk->sk_type != SOCK_STREAM) {
404 		err = -EINVAL;
405 		goto done;
406 	}
407 
408 	sk->sk_state = BT_CONNECT;
409 	bacpy(&rfcomm_pi(sk)->dst, &sa->rc_bdaddr);
410 	rfcomm_pi(sk)->channel = sa->rc_channel;
411 
412 	d->sec_level = rfcomm_pi(sk)->sec_level;
413 	d->role_switch = rfcomm_pi(sk)->role_switch;
414 
415 	err = rfcomm_dlc_open(d, &rfcomm_pi(sk)->src, &sa->rc_bdaddr,
416 			      sa->rc_channel);
417 	if (!err)
418 		err = bt_sock_wait_state(sk, BT_CONNECTED,
419 				sock_sndtimeo(sk, flags & O_NONBLOCK));
420 
421 done:
422 	release_sock(sk);
423 	return err;
424 }
425 
426 static int rfcomm_sock_listen(struct socket *sock, int backlog)
427 {
428 	struct sock *sk = sock->sk;
429 	int err = 0;
430 
431 	BT_DBG("sk %p backlog %d", sk, backlog);
432 
433 	lock_sock(sk);
434 
435 	if (sk->sk_state != BT_BOUND) {
436 		err = -EBADFD;
437 		goto done;
438 	}
439 
440 	if (sk->sk_type != SOCK_STREAM) {
441 		err = -EINVAL;
442 		goto done;
443 	}
444 
445 	if (!rfcomm_pi(sk)->channel) {
446 		bdaddr_t *src = &rfcomm_pi(sk)->src;
447 		u8 channel;
448 
449 		err = -EINVAL;
450 
451 		write_lock(&rfcomm_sk_list.lock);
452 
453 		for (channel = 1; channel < 31; channel++)
454 			if (!__rfcomm_get_listen_sock_by_addr(channel, src)) {
455 				rfcomm_pi(sk)->channel = channel;
456 				err = 0;
457 				break;
458 			}
459 
460 		write_unlock(&rfcomm_sk_list.lock);
461 
462 		if (err < 0)
463 			goto done;
464 	}
465 
466 	sk->sk_max_ack_backlog = backlog;
467 	sk->sk_ack_backlog = 0;
468 	sk->sk_state = BT_LISTEN;
469 
470 done:
471 	release_sock(sk);
472 	return err;
473 }
474 
475 static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int flags,
476 			      bool kern)
477 {
478 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
479 	struct sock *sk = sock->sk, *nsk;
480 	long timeo;
481 	int err = 0;
482 
483 	lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
484 
485 	if (sk->sk_type != SOCK_STREAM) {
486 		err = -EINVAL;
487 		goto done;
488 	}
489 
490 	timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
491 
492 	BT_DBG("sk %p timeo %ld", sk, timeo);
493 
494 	/* Wait for an incoming connection. (wake-one). */
495 	add_wait_queue_exclusive(sk_sleep(sk), &wait);
496 	while (1) {
497 		if (sk->sk_state != BT_LISTEN) {
498 			err = -EBADFD;
499 			break;
500 		}
501 
502 		nsk = bt_accept_dequeue(sk, newsock);
503 		if (nsk)
504 			break;
505 
506 		if (!timeo) {
507 			err = -EAGAIN;
508 			break;
509 		}
510 
511 		if (signal_pending(current)) {
512 			err = sock_intr_errno(timeo);
513 			break;
514 		}
515 
516 		release_sock(sk);
517 
518 		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
519 
520 		lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
521 	}
522 	remove_wait_queue(sk_sleep(sk), &wait);
523 
524 	if (err)
525 		goto done;
526 
527 	newsock->state = SS_CONNECTED;
528 
529 	BT_DBG("new socket %p", nsk);
530 
531 done:
532 	release_sock(sk);
533 	return err;
534 }
535 
536 static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int peer)
537 {
538 	struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
539 	struct sock *sk = sock->sk;
540 
541 	BT_DBG("sock %p, sk %p", sock, sk);
542 
543 	if (peer && sk->sk_state != BT_CONNECTED &&
544 	    sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2)
545 		return -ENOTCONN;
546 
547 	memset(sa, 0, sizeof(*sa));
548 	sa->rc_family  = AF_BLUETOOTH;
549 	sa->rc_channel = rfcomm_pi(sk)->channel;
550 	if (peer)
551 		bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->dst);
552 	else
553 		bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->src);
554 
555 	return sizeof(struct sockaddr_rc);
556 }
557 
558 static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg,
559 			       size_t len)
560 {
561 	struct sock *sk = sock->sk;
562 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
563 	struct sk_buff *skb;
564 	int sent;
565 
566 	if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
567 		return -ENOTCONN;
568 
569 	if (msg->msg_flags & MSG_OOB)
570 		return -EOPNOTSUPP;
571 
572 	if (sk->sk_shutdown & SEND_SHUTDOWN)
573 		return -EPIPE;
574 
575 	BT_DBG("sock %p, sk %p", sock, sk);
576 
577 	lock_sock(sk);
578 
579 	sent = bt_sock_wait_ready(sk, msg->msg_flags);
580 	if (sent)
581 		goto done;
582 
583 	while (len) {
584 		size_t size = min_t(size_t, len, d->mtu);
585 		int err;
586 
587 		skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE,
588 				msg->msg_flags & MSG_DONTWAIT, &err);
589 		if (!skb) {
590 			if (sent == 0)
591 				sent = err;
592 			break;
593 		}
594 		skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);
595 
596 		err = memcpy_from_msg(skb_put(skb, size), msg, size);
597 		if (err) {
598 			kfree_skb(skb);
599 			if (sent == 0)
600 				sent = err;
601 			break;
602 		}
603 
604 		skb->priority = sk->sk_priority;
605 
606 		err = rfcomm_dlc_send(d, skb);
607 		if (err < 0) {
608 			kfree_skb(skb);
609 			if (sent == 0)
610 				sent = err;
611 			break;
612 		}
613 
614 		sent += size;
615 		len  -= size;
616 	}
617 
618 done:
619 	release_sock(sk);
620 
621 	return sent;
622 }
623 
624 static int rfcomm_sock_recvmsg(struct socket *sock, struct msghdr *msg,
625 			       size_t size, int flags)
626 {
627 	struct sock *sk = sock->sk;
628 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
629 	int len;
630 
631 	if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
632 		rfcomm_dlc_accept(d);
633 		return 0;
634 	}
635 
636 	len = bt_sock_stream_recvmsg(sock, msg, size, flags);
637 
638 	lock_sock(sk);
639 	if (!(flags & MSG_PEEK) && len > 0)
640 		atomic_sub(len, &sk->sk_rmem_alloc);
641 
642 	if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2))
643 		rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc);
644 	release_sock(sk);
645 
646 	return len;
647 }
648 
649 static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
650 {
651 	struct sock *sk = sock->sk;
652 	int err = 0;
653 	u32 opt;
654 
655 	BT_DBG("sk %p", sk);
656 
657 	lock_sock(sk);
658 
659 	switch (optname) {
660 	case RFCOMM_LM:
661 		if (get_user(opt, (u32 __user *) optval)) {
662 			err = -EFAULT;
663 			break;
664 		}
665 
666 		if (opt & RFCOMM_LM_FIPS) {
667 			err = -EINVAL;
668 			break;
669 		}
670 
671 		if (opt & RFCOMM_LM_AUTH)
672 			rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
673 		if (opt & RFCOMM_LM_ENCRYPT)
674 			rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
675 		if (opt & RFCOMM_LM_SECURE)
676 			rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;
677 
678 		rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
679 		break;
680 
681 	default:
682 		err = -ENOPROTOOPT;
683 		break;
684 	}
685 
686 	release_sock(sk);
687 	return err;
688 }
689 
690 static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
691 {
692 	struct sock *sk = sock->sk;
693 	struct bt_security sec;
694 	int err = 0;
695 	size_t len;
696 	u32 opt;
697 
698 	BT_DBG("sk %p", sk);
699 
700 	if (level == SOL_RFCOMM)
701 		return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);
702 
703 	if (level != SOL_BLUETOOTH)
704 		return -ENOPROTOOPT;
705 
706 	lock_sock(sk);
707 
708 	switch (optname) {
709 	case BT_SECURITY:
710 		if (sk->sk_type != SOCK_STREAM) {
711 			err = -EINVAL;
712 			break;
713 		}
714 
715 		sec.level = BT_SECURITY_LOW;
716 
717 		len = min_t(unsigned int, sizeof(sec), optlen);
718 		if (copy_from_user((char *) &sec, optval, len)) {
719 			err = -EFAULT;
720 			break;
721 		}
722 
723 		if (sec.level > BT_SECURITY_HIGH) {
724 			err = -EINVAL;
725 			break;
726 		}
727 
728 		rfcomm_pi(sk)->sec_level = sec.level;
729 		break;
730 
731 	case BT_DEFER_SETUP:
732 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
733 			err = -EINVAL;
734 			break;
735 		}
736 
737 		if (get_user(opt, (u32 __user *) optval)) {
738 			err = -EFAULT;
739 			break;
740 		}
741 
742 		if (opt)
743 			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
744 		else
745 			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
746 
747 		break;
748 
749 	default:
750 		err = -ENOPROTOOPT;
751 		break;
752 	}
753 
754 	release_sock(sk);
755 	return err;
756 }
757 
758 static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
759 {
760 	struct sock *sk = sock->sk;
761 	struct sock *l2cap_sk;
762 	struct l2cap_conn *conn;
763 	struct rfcomm_conninfo cinfo;
764 	int len, err = 0;
765 	u32 opt;
766 
767 	BT_DBG("sk %p", sk);
768 
769 	if (get_user(len, optlen))
770 		return -EFAULT;
771 
772 	lock_sock(sk);
773 
774 	switch (optname) {
775 	case RFCOMM_LM:
776 		switch (rfcomm_pi(sk)->sec_level) {
777 		case BT_SECURITY_LOW:
778 			opt = RFCOMM_LM_AUTH;
779 			break;
780 		case BT_SECURITY_MEDIUM:
781 			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
782 			break;
783 		case BT_SECURITY_HIGH:
784 			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
785 			      RFCOMM_LM_SECURE;
786 			break;
787 		case BT_SECURITY_FIPS:
788 			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
789 			      RFCOMM_LM_SECURE | RFCOMM_LM_FIPS;
790 			break;
791 		default:
792 			opt = 0;
793 			break;
794 		}
795 
796 		if (rfcomm_pi(sk)->role_switch)
797 			opt |= RFCOMM_LM_MASTER;
798 
799 		if (put_user(opt, (u32 __user *) optval))
800 			err = -EFAULT;
801 
802 		break;
803 
804 	case RFCOMM_CONNINFO:
805 		if (sk->sk_state != BT_CONNECTED &&
806 					!rfcomm_pi(sk)->dlc->defer_setup) {
807 			err = -ENOTCONN;
808 			break;
809 		}
810 
811 		l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
812 		conn = l2cap_pi(l2cap_sk)->chan->conn;
813 
814 		memset(&cinfo, 0, sizeof(cinfo));
815 		cinfo.hci_handle = conn->hcon->handle;
816 		memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
817 
818 		len = min_t(unsigned int, len, sizeof(cinfo));
819 		if (copy_to_user(optval, (char *) &cinfo, len))
820 			err = -EFAULT;
821 
822 		break;
823 
824 	default:
825 		err = -ENOPROTOOPT;
826 		break;
827 	}
828 
829 	release_sock(sk);
830 	return err;
831 }
832 
833 static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
834 {
835 	struct sock *sk = sock->sk;
836 	struct bt_security sec;
837 	int len, err = 0;
838 
839 	BT_DBG("sk %p", sk);
840 
841 	if (level == SOL_RFCOMM)
842 		return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen);
843 
844 	if (level != SOL_BLUETOOTH)
845 		return -ENOPROTOOPT;
846 
847 	if (get_user(len, optlen))
848 		return -EFAULT;
849 
850 	lock_sock(sk);
851 
852 	switch (optname) {
853 	case BT_SECURITY:
854 		if (sk->sk_type != SOCK_STREAM) {
855 			err = -EINVAL;
856 			break;
857 		}
858 
859 		sec.level = rfcomm_pi(sk)->sec_level;
860 		sec.key_size = 0;
861 
862 		len = min_t(unsigned int, len, sizeof(sec));
863 		if (copy_to_user(optval, (char *) &sec, len))
864 			err = -EFAULT;
865 
866 		break;
867 
868 	case BT_DEFER_SETUP:
869 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
870 			err = -EINVAL;
871 			break;
872 		}
873 
874 		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
875 			     (u32 __user *) optval))
876 			err = -EFAULT;
877 
878 		break;
879 
880 	default:
881 		err = -ENOPROTOOPT;
882 		break;
883 	}
884 
885 	release_sock(sk);
886 	return err;
887 }
888 
889 static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
890 {
891 	struct sock *sk __maybe_unused = sock->sk;
892 	int err;
893 
894 	BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg);
895 
896 	err = bt_sock_ioctl(sock, cmd, arg);
897 
898 	if (err == -ENOIOCTLCMD) {
899 #ifdef CONFIG_BT_RFCOMM_TTY
900 		lock_sock(sk);
901 		err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
902 		release_sock(sk);
903 #else
904 		err = -EOPNOTSUPP;
905 #endif
906 	}
907 
908 	return err;
909 }
910 
911 static int rfcomm_sock_shutdown(struct socket *sock, int how)
912 {
913 	struct sock *sk = sock->sk;
914 	int err = 0;
915 
916 	BT_DBG("sock %p, sk %p", sock, sk);
917 
918 	if (!sk)
919 		return 0;
920 
921 	lock_sock(sk);
922 	if (!sk->sk_shutdown) {
923 		sk->sk_shutdown = SHUTDOWN_MASK;
924 		__rfcomm_sock_close(sk);
925 
926 		if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
927 		    !(current->flags & PF_EXITING))
928 			err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
929 	}
930 	release_sock(sk);
931 	return err;
932 }
933 
934 static int rfcomm_sock_release(struct socket *sock)
935 {
936 	struct sock *sk = sock->sk;
937 	int err;
938 
939 	BT_DBG("sock %p, sk %p", sock, sk);
940 
941 	if (!sk)
942 		return 0;
943 
944 	err = rfcomm_sock_shutdown(sock, 2);
945 
946 	sock_orphan(sk);
947 	rfcomm_sock_kill(sk);
948 	return err;
949 }
950 
951 /* ---- RFCOMM core layer callbacks ----
952  *
953  * called under rfcomm_lock()
954  */
955 int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d)
956 {
957 	struct sock *sk, *parent;
958 	bdaddr_t src, dst;
959 	int result = 0;
960 
961 	BT_DBG("session %p channel %d", s, channel);
962 
963 	rfcomm_session_getaddr(s, &src, &dst);
964 
965 	/* Check if we have socket listening on channel */
966 	parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src);
967 	if (!parent)
968 		return 0;
969 
970 	bh_lock_sock(parent);
971 
972 	/* Check for backlog size */
973 	if (sk_acceptq_is_full(parent)) {
974 		BT_DBG("backlog full %d", parent->sk_ack_backlog);
975 		goto done;
976 	}
977 
978 	sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC, 0);
979 	if (!sk)
980 		goto done;
981 
982 	bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM);
983 
984 	rfcomm_sock_init(sk, parent);
985 	bacpy(&rfcomm_pi(sk)->src, &src);
986 	bacpy(&rfcomm_pi(sk)->dst, &dst);
987 	rfcomm_pi(sk)->channel = channel;
988 
989 	sk->sk_state = BT_CONFIG;
990 	bt_accept_enqueue(parent, sk);
991 
992 	/* Accept connection and return socket DLC */
993 	*d = rfcomm_pi(sk)->dlc;
994 	result = 1;
995 
996 done:
997 	bh_unlock_sock(parent);
998 
999 	if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
1000 		parent->sk_state_change(parent);
1001 
1002 	return result;
1003 }
1004 
1005 static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
1006 {
1007 	struct sock *sk;
1008 
1009 	read_lock(&rfcomm_sk_list.lock);
1010 
1011 	sk_for_each(sk, &rfcomm_sk_list.head) {
1012 		seq_printf(f, "%pMR %pMR %d %d\n",
1013 			   &rfcomm_pi(sk)->src, &rfcomm_pi(sk)->dst,
1014 			   sk->sk_state, rfcomm_pi(sk)->channel);
1015 	}
1016 
1017 	read_unlock(&rfcomm_sk_list.lock);
1018 
1019 	return 0;
1020 }
1021 
1022 static int rfcomm_sock_debugfs_open(struct inode *inode, struct file *file)
1023 {
1024 	return single_open(file, rfcomm_sock_debugfs_show, inode->i_private);
1025 }
1026 
1027 static const struct file_operations rfcomm_sock_debugfs_fops = {
1028 	.open		= rfcomm_sock_debugfs_open,
1029 	.read		= seq_read,
1030 	.llseek		= seq_lseek,
1031 	.release	= single_release,
1032 };
1033 
1034 static struct dentry *rfcomm_sock_debugfs;
1035 
1036 static const struct proto_ops rfcomm_sock_ops = {
1037 	.family		= PF_BLUETOOTH,
1038 	.owner		= THIS_MODULE,
1039 	.release	= rfcomm_sock_release,
1040 	.bind		= rfcomm_sock_bind,
1041 	.connect	= rfcomm_sock_connect,
1042 	.listen		= rfcomm_sock_listen,
1043 	.accept		= rfcomm_sock_accept,
1044 	.getname	= rfcomm_sock_getname,
1045 	.sendmsg	= rfcomm_sock_sendmsg,
1046 	.recvmsg	= rfcomm_sock_recvmsg,
1047 	.shutdown	= rfcomm_sock_shutdown,
1048 	.setsockopt	= rfcomm_sock_setsockopt,
1049 	.getsockopt	= rfcomm_sock_getsockopt,
1050 	.ioctl		= rfcomm_sock_ioctl,
1051 	.poll		= bt_sock_poll,
1052 	.socketpair	= sock_no_socketpair,
1053 	.mmap		= sock_no_mmap
1054 };
1055 
1056 static const struct net_proto_family rfcomm_sock_family_ops = {
1057 	.family		= PF_BLUETOOTH,
1058 	.owner		= THIS_MODULE,
1059 	.create		= rfcomm_sock_create
1060 };
1061 
1062 int __init rfcomm_init_sockets(void)
1063 {
1064 	int err;
1065 
1066 	BUILD_BUG_ON(sizeof(struct sockaddr_rc) > sizeof(struct sockaddr));
1067 
1068 	err = proto_register(&rfcomm_proto, 0);
1069 	if (err < 0)
1070 		return err;
1071 
1072 	err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops);
1073 	if (err < 0) {
1074 		BT_ERR("RFCOMM socket layer registration failed");
1075 		goto error;
1076 	}
1077 
1078 	err = bt_procfs_init(&init_net, "rfcomm", &rfcomm_sk_list, NULL);
1079 	if (err < 0) {
1080 		BT_ERR("Failed to create RFCOMM proc file");
1081 		bt_sock_unregister(BTPROTO_RFCOMM);
1082 		goto error;
1083 	}
1084 
1085 	BT_INFO("RFCOMM socket layer initialized");
1086 
1087 	if (IS_ERR_OR_NULL(bt_debugfs))
1088 		return 0;
1089 
1090 	rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444,
1091 						  bt_debugfs, NULL,
1092 						  &rfcomm_sock_debugfs_fops);
1093 
1094 	return 0;
1095 
1096 error:
1097 	proto_unregister(&rfcomm_proto);
1098 	return err;
1099 }
1100 
1101 void __exit rfcomm_cleanup_sockets(void)
1102 {
1103 	bt_procfs_cleanup(&init_net, "rfcomm");
1104 
1105 	debugfs_remove(rfcomm_sock_debugfs);
1106 
1107 	bt_sock_unregister(BTPROTO_RFCOMM);
1108 
1109 	proto_unregister(&rfcomm_proto);
1110 }
1111