xref: /openbmc/linux/net/bluetooth/rfcomm/sock.c (revision fc7a6209)
1 /*
2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5 
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9 
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23 
24 /*
25  * RFCOMM sockets.
26  */
27 #include <linux/compat.h>
28 #include <linux/export.h>
29 #include <linux/debugfs.h>
30 #include <linux/sched/signal.h>
31 
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/l2cap.h>
35 #include <net/bluetooth/rfcomm.h>
36 
37 static const struct proto_ops rfcomm_sock_ops;
38 
39 static struct bt_sock_list rfcomm_sk_list = {
40 	.lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock)
41 };
42 
43 static void rfcomm_sock_close(struct sock *sk);
44 static void rfcomm_sock_kill(struct sock *sk);
45 
46 /* ---- DLC callbacks ----
47  *
48  * called under rfcomm_dlc_lock()
49  */
50 static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
51 {
52 	struct sock *sk = d->owner;
53 	if (!sk)
54 		return;
55 
56 	atomic_add(skb->len, &sk->sk_rmem_alloc);
57 	skb_queue_tail(&sk->sk_receive_queue, skb);
58 	sk->sk_data_ready(sk);
59 
60 	if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
61 		rfcomm_dlc_throttle(d);
62 }
63 
64 static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
65 {
66 	struct sock *sk = d->owner, *parent;
67 
68 	if (!sk)
69 		return;
70 
71 	BT_DBG("dlc %p state %ld err %d", d, d->state, err);
72 
73 	spin_lock_bh(&sk->sk_lock.slock);
74 
75 	if (err)
76 		sk->sk_err = err;
77 
78 	sk->sk_state = d->state;
79 
80 	parent = bt_sk(sk)->parent;
81 	if (parent) {
82 		if (d->state == BT_CLOSED) {
83 			sock_set_flag(sk, SOCK_ZAPPED);
84 			bt_accept_unlink(sk);
85 		}
86 		parent->sk_data_ready(parent);
87 	} else {
88 		if (d->state == BT_CONNECTED)
89 			rfcomm_session_getaddr(d->session,
90 					       &rfcomm_pi(sk)->src, NULL);
91 		sk->sk_state_change(sk);
92 	}
93 
94 	spin_unlock_bh(&sk->sk_lock.slock);
95 
96 	if (parent && sock_flag(sk, SOCK_ZAPPED)) {
97 		/* We have to drop DLC lock here, otherwise
98 		 * rfcomm_sock_destruct() will dead lock. */
99 		rfcomm_dlc_unlock(d);
100 		rfcomm_sock_kill(sk);
101 		rfcomm_dlc_lock(d);
102 	}
103 }
104 
105 /* ---- Socket functions ---- */
106 static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
107 {
108 	struct sock *sk = NULL;
109 
110 	sk_for_each(sk, &rfcomm_sk_list.head) {
111 		if (rfcomm_pi(sk)->channel != channel)
112 			continue;
113 
114 		if (bacmp(&rfcomm_pi(sk)->src, src))
115 			continue;
116 
117 		if (sk->sk_state == BT_BOUND || sk->sk_state == BT_LISTEN)
118 			break;
119 	}
120 
121 	return sk ? sk : NULL;
122 }
123 
124 /* Find socket with channel and source bdaddr.
125  * Returns closest match.
126  */
127 static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
128 {
129 	struct sock *sk = NULL, *sk1 = NULL;
130 
131 	read_lock(&rfcomm_sk_list.lock);
132 
133 	sk_for_each(sk, &rfcomm_sk_list.head) {
134 		if (state && sk->sk_state != state)
135 			continue;
136 
137 		if (rfcomm_pi(sk)->channel == channel) {
138 			/* Exact match. */
139 			if (!bacmp(&rfcomm_pi(sk)->src, src))
140 				break;
141 
142 			/* Closest match */
143 			if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY))
144 				sk1 = sk;
145 		}
146 	}
147 
148 	read_unlock(&rfcomm_sk_list.lock);
149 
150 	return sk ? sk : sk1;
151 }
152 
153 static void rfcomm_sock_destruct(struct sock *sk)
154 {
155 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
156 
157 	BT_DBG("sk %p dlc %p", sk, d);
158 
159 	skb_queue_purge(&sk->sk_receive_queue);
160 	skb_queue_purge(&sk->sk_write_queue);
161 
162 	rfcomm_dlc_lock(d);
163 	rfcomm_pi(sk)->dlc = NULL;
164 
165 	/* Detach DLC if it's owned by this socket */
166 	if (d->owner == sk)
167 		d->owner = NULL;
168 	rfcomm_dlc_unlock(d);
169 
170 	rfcomm_dlc_put(d);
171 }
172 
173 static void rfcomm_sock_cleanup_listen(struct sock *parent)
174 {
175 	struct sock *sk;
176 
177 	BT_DBG("parent %p", parent);
178 
179 	/* Close not yet accepted dlcs */
180 	while ((sk = bt_accept_dequeue(parent, NULL))) {
181 		rfcomm_sock_close(sk);
182 		rfcomm_sock_kill(sk);
183 	}
184 
185 	parent->sk_state  = BT_CLOSED;
186 	sock_set_flag(parent, SOCK_ZAPPED);
187 }
188 
189 /* Kill socket (only if zapped and orphan)
190  * Must be called on unlocked socket.
191  */
192 static void rfcomm_sock_kill(struct sock *sk)
193 {
194 	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
195 		return;
196 
197 	BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, refcount_read(&sk->sk_refcnt));
198 
199 	/* Kill poor orphan */
200 	bt_sock_unlink(&rfcomm_sk_list, sk);
201 	sock_set_flag(sk, SOCK_DEAD);
202 	sock_put(sk);
203 }
204 
205 static void __rfcomm_sock_close(struct sock *sk)
206 {
207 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
208 
209 	BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
210 
211 	switch (sk->sk_state) {
212 	case BT_LISTEN:
213 		rfcomm_sock_cleanup_listen(sk);
214 		break;
215 
216 	case BT_CONNECT:
217 	case BT_CONNECT2:
218 	case BT_CONFIG:
219 	case BT_CONNECTED:
220 		rfcomm_dlc_close(d, 0);
221 		fallthrough;
222 
223 	default:
224 		sock_set_flag(sk, SOCK_ZAPPED);
225 		break;
226 	}
227 }
228 
229 /* Close socket.
230  * Must be called on unlocked socket.
231  */
232 static void rfcomm_sock_close(struct sock *sk)
233 {
234 	lock_sock(sk);
235 	__rfcomm_sock_close(sk);
236 	release_sock(sk);
237 }
238 
239 static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
240 {
241 	struct rfcomm_pinfo *pi = rfcomm_pi(sk);
242 
243 	BT_DBG("sk %p", sk);
244 
245 	if (parent) {
246 		sk->sk_type = parent->sk_type;
247 		pi->dlc->defer_setup = test_bit(BT_SK_DEFER_SETUP,
248 						&bt_sk(parent)->flags);
249 
250 		pi->sec_level = rfcomm_pi(parent)->sec_level;
251 		pi->role_switch = rfcomm_pi(parent)->role_switch;
252 
253 		security_sk_clone(parent, sk);
254 	} else {
255 		pi->dlc->defer_setup = 0;
256 
257 		pi->sec_level = BT_SECURITY_LOW;
258 		pi->role_switch = 0;
259 	}
260 
261 	pi->dlc->sec_level = pi->sec_level;
262 	pi->dlc->role_switch = pi->role_switch;
263 }
264 
265 static struct proto rfcomm_proto = {
266 	.name		= "RFCOMM",
267 	.owner		= THIS_MODULE,
268 	.obj_size	= sizeof(struct rfcomm_pinfo)
269 };
270 
271 static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio, int kern)
272 {
273 	struct rfcomm_dlc *d;
274 	struct sock *sk;
275 
276 	sk = sk_alloc(net, PF_BLUETOOTH, prio, &rfcomm_proto, kern);
277 	if (!sk)
278 		return NULL;
279 
280 	sock_init_data(sock, sk);
281 	INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
282 
283 	d = rfcomm_dlc_alloc(prio);
284 	if (!d) {
285 		sk_free(sk);
286 		return NULL;
287 	}
288 
289 	d->data_ready   = rfcomm_sk_data_ready;
290 	d->state_change = rfcomm_sk_state_change;
291 
292 	rfcomm_pi(sk)->dlc = d;
293 	d->owner = sk;
294 
295 	sk->sk_destruct = rfcomm_sock_destruct;
296 	sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT;
297 
298 	sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
299 	sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
300 
301 	sock_reset_flag(sk, SOCK_ZAPPED);
302 
303 	sk->sk_protocol = proto;
304 	sk->sk_state    = BT_OPEN;
305 
306 	bt_sock_link(&rfcomm_sk_list, sk);
307 
308 	BT_DBG("sk %p", sk);
309 	return sk;
310 }
311 
312 static int rfcomm_sock_create(struct net *net, struct socket *sock,
313 			      int protocol, int kern)
314 {
315 	struct sock *sk;
316 
317 	BT_DBG("sock %p", sock);
318 
319 	sock->state = SS_UNCONNECTED;
320 
321 	if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW)
322 		return -ESOCKTNOSUPPORT;
323 
324 	sock->ops = &rfcomm_sock_ops;
325 
326 	sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
327 	if (!sk)
328 		return -ENOMEM;
329 
330 	rfcomm_sock_init(sk, NULL);
331 	return 0;
332 }
333 
334 static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
335 {
336 	struct sockaddr_rc sa;
337 	struct sock *sk = sock->sk;
338 	int len, err = 0;
339 
340 	if (!addr || addr_len < offsetofend(struct sockaddr, sa_family) ||
341 	    addr->sa_family != AF_BLUETOOTH)
342 		return -EINVAL;
343 
344 	memset(&sa, 0, sizeof(sa));
345 	len = min_t(unsigned int, sizeof(sa), addr_len);
346 	memcpy(&sa, addr, len);
347 
348 	BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);
349 
350 	lock_sock(sk);
351 
352 	if (sk->sk_state != BT_OPEN) {
353 		err = -EBADFD;
354 		goto done;
355 	}
356 
357 	if (sk->sk_type != SOCK_STREAM) {
358 		err = -EINVAL;
359 		goto done;
360 	}
361 
362 	write_lock(&rfcomm_sk_list.lock);
363 
364 	if (sa.rc_channel &&
365 	    __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
366 		err = -EADDRINUSE;
367 	} else {
368 		/* Save source address */
369 		bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr);
370 		rfcomm_pi(sk)->channel = sa.rc_channel;
371 		sk->sk_state = BT_BOUND;
372 	}
373 
374 	write_unlock(&rfcomm_sk_list.lock);
375 
376 done:
377 	release_sock(sk);
378 	return err;
379 }
380 
381 static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
382 {
383 	struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
384 	struct sock *sk = sock->sk;
385 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
386 	int err = 0;
387 
388 	BT_DBG("sk %p", sk);
389 
390 	if (alen < sizeof(struct sockaddr_rc) ||
391 	    addr->sa_family != AF_BLUETOOTH)
392 		return -EINVAL;
393 
394 	lock_sock(sk);
395 
396 	if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
397 		err = -EBADFD;
398 		goto done;
399 	}
400 
401 	if (sk->sk_type != SOCK_STREAM) {
402 		err = -EINVAL;
403 		goto done;
404 	}
405 
406 	sk->sk_state = BT_CONNECT;
407 	bacpy(&rfcomm_pi(sk)->dst, &sa->rc_bdaddr);
408 	rfcomm_pi(sk)->channel = sa->rc_channel;
409 
410 	d->sec_level = rfcomm_pi(sk)->sec_level;
411 	d->role_switch = rfcomm_pi(sk)->role_switch;
412 
413 	err = rfcomm_dlc_open(d, &rfcomm_pi(sk)->src, &sa->rc_bdaddr,
414 			      sa->rc_channel);
415 	if (!err)
416 		err = bt_sock_wait_state(sk, BT_CONNECTED,
417 				sock_sndtimeo(sk, flags & O_NONBLOCK));
418 
419 done:
420 	release_sock(sk);
421 	return err;
422 }
423 
424 static int rfcomm_sock_listen(struct socket *sock, int backlog)
425 {
426 	struct sock *sk = sock->sk;
427 	int err = 0;
428 
429 	BT_DBG("sk %p backlog %d", sk, backlog);
430 
431 	lock_sock(sk);
432 
433 	if (sk->sk_state != BT_BOUND) {
434 		err = -EBADFD;
435 		goto done;
436 	}
437 
438 	if (sk->sk_type != SOCK_STREAM) {
439 		err = -EINVAL;
440 		goto done;
441 	}
442 
443 	if (!rfcomm_pi(sk)->channel) {
444 		bdaddr_t *src = &rfcomm_pi(sk)->src;
445 		u8 channel;
446 
447 		err = -EINVAL;
448 
449 		write_lock(&rfcomm_sk_list.lock);
450 
451 		for (channel = 1; channel < 31; channel++)
452 			if (!__rfcomm_get_listen_sock_by_addr(channel, src)) {
453 				rfcomm_pi(sk)->channel = channel;
454 				err = 0;
455 				break;
456 			}
457 
458 		write_unlock(&rfcomm_sk_list.lock);
459 
460 		if (err < 0)
461 			goto done;
462 	}
463 
464 	sk->sk_max_ack_backlog = backlog;
465 	sk->sk_ack_backlog = 0;
466 	sk->sk_state = BT_LISTEN;
467 
468 done:
469 	release_sock(sk);
470 	return err;
471 }
472 
473 static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int flags,
474 			      bool kern)
475 {
476 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
477 	struct sock *sk = sock->sk, *nsk;
478 	long timeo;
479 	int err = 0;
480 
481 	lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
482 
483 	if (sk->sk_type != SOCK_STREAM) {
484 		err = -EINVAL;
485 		goto done;
486 	}
487 
488 	timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
489 
490 	BT_DBG("sk %p timeo %ld", sk, timeo);
491 
492 	/* Wait for an incoming connection. (wake-one). */
493 	add_wait_queue_exclusive(sk_sleep(sk), &wait);
494 	while (1) {
495 		if (sk->sk_state != BT_LISTEN) {
496 			err = -EBADFD;
497 			break;
498 		}
499 
500 		nsk = bt_accept_dequeue(sk, newsock);
501 		if (nsk)
502 			break;
503 
504 		if (!timeo) {
505 			err = -EAGAIN;
506 			break;
507 		}
508 
509 		if (signal_pending(current)) {
510 			err = sock_intr_errno(timeo);
511 			break;
512 		}
513 
514 		release_sock(sk);
515 
516 		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
517 
518 		lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
519 	}
520 	remove_wait_queue(sk_sleep(sk), &wait);
521 
522 	if (err)
523 		goto done;
524 
525 	newsock->state = SS_CONNECTED;
526 
527 	BT_DBG("new socket %p", nsk);
528 
529 done:
530 	release_sock(sk);
531 	return err;
532 }
533 
534 static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int peer)
535 {
536 	struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
537 	struct sock *sk = sock->sk;
538 
539 	BT_DBG("sock %p, sk %p", sock, sk);
540 
541 	if (peer && sk->sk_state != BT_CONNECTED &&
542 	    sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2)
543 		return -ENOTCONN;
544 
545 	memset(sa, 0, sizeof(*sa));
546 	sa->rc_family  = AF_BLUETOOTH;
547 	sa->rc_channel = rfcomm_pi(sk)->channel;
548 	if (peer)
549 		bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->dst);
550 	else
551 		bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->src);
552 
553 	return sizeof(struct sockaddr_rc);
554 }
555 
556 static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg,
557 			       size_t len)
558 {
559 	struct sock *sk = sock->sk;
560 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
561 	struct sk_buff *skb;
562 	int sent;
563 
564 	if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
565 		return -ENOTCONN;
566 
567 	if (msg->msg_flags & MSG_OOB)
568 		return -EOPNOTSUPP;
569 
570 	if (sk->sk_shutdown & SEND_SHUTDOWN)
571 		return -EPIPE;
572 
573 	BT_DBG("sock %p, sk %p", sock, sk);
574 
575 	lock_sock(sk);
576 
577 	sent = bt_sock_wait_ready(sk, msg->msg_flags);
578 	if (sent)
579 		goto done;
580 
581 	while (len) {
582 		size_t size = min_t(size_t, len, d->mtu);
583 		int err;
584 
585 		skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE,
586 				msg->msg_flags & MSG_DONTWAIT, &err);
587 		if (!skb) {
588 			if (sent == 0)
589 				sent = err;
590 			break;
591 		}
592 		skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);
593 
594 		err = memcpy_from_msg(skb_put(skb, size), msg, size);
595 		if (err) {
596 			kfree_skb(skb);
597 			if (sent == 0)
598 				sent = err;
599 			break;
600 		}
601 
602 		skb->priority = sk->sk_priority;
603 
604 		err = rfcomm_dlc_send(d, skb);
605 		if (err < 0) {
606 			kfree_skb(skb);
607 			if (sent == 0)
608 				sent = err;
609 			break;
610 		}
611 
612 		sent += size;
613 		len  -= size;
614 	}
615 
616 done:
617 	release_sock(sk);
618 
619 	return sent;
620 }
621 
622 static int rfcomm_sock_recvmsg(struct socket *sock, struct msghdr *msg,
623 			       size_t size, int flags)
624 {
625 	struct sock *sk = sock->sk;
626 	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
627 	int len;
628 
629 	if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
630 		rfcomm_dlc_accept(d);
631 		return 0;
632 	}
633 
634 	len = bt_sock_stream_recvmsg(sock, msg, size, flags);
635 
636 	lock_sock(sk);
637 	if (!(flags & MSG_PEEK) && len > 0)
638 		atomic_sub(len, &sk->sk_rmem_alloc);
639 
640 	if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2))
641 		rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc);
642 	release_sock(sk);
643 
644 	return len;
645 }
646 
647 static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname,
648 		sockptr_t optval, unsigned int optlen)
649 {
650 	struct sock *sk = sock->sk;
651 	int err = 0;
652 	u32 opt;
653 
654 	BT_DBG("sk %p", sk);
655 
656 	lock_sock(sk);
657 
658 	switch (optname) {
659 	case RFCOMM_LM:
660 		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
661 			err = -EFAULT;
662 			break;
663 		}
664 
665 		if (opt & RFCOMM_LM_FIPS) {
666 			err = -EINVAL;
667 			break;
668 		}
669 
670 		if (opt & RFCOMM_LM_AUTH)
671 			rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
672 		if (opt & RFCOMM_LM_ENCRYPT)
673 			rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
674 		if (opt & RFCOMM_LM_SECURE)
675 			rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;
676 
677 		rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
678 		break;
679 
680 	default:
681 		err = -ENOPROTOOPT;
682 		break;
683 	}
684 
685 	release_sock(sk);
686 	return err;
687 }
688 
689 static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname,
690 		sockptr_t optval, unsigned int optlen)
691 {
692 	struct sock *sk = sock->sk;
693 	struct bt_security sec;
694 	int err = 0;
695 	size_t len;
696 	u32 opt;
697 
698 	BT_DBG("sk %p", sk);
699 
700 	if (level == SOL_RFCOMM)
701 		return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);
702 
703 	if (level != SOL_BLUETOOTH)
704 		return -ENOPROTOOPT;
705 
706 	lock_sock(sk);
707 
708 	switch (optname) {
709 	case BT_SECURITY:
710 		if (sk->sk_type != SOCK_STREAM) {
711 			err = -EINVAL;
712 			break;
713 		}
714 
715 		sec.level = BT_SECURITY_LOW;
716 
717 		len = min_t(unsigned int, sizeof(sec), optlen);
718 		if (copy_from_sockptr(&sec, optval, len)) {
719 			err = -EFAULT;
720 			break;
721 		}
722 
723 		if (sec.level > BT_SECURITY_HIGH) {
724 			err = -EINVAL;
725 			break;
726 		}
727 
728 		rfcomm_pi(sk)->sec_level = sec.level;
729 		break;
730 
731 	case BT_DEFER_SETUP:
732 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
733 			err = -EINVAL;
734 			break;
735 		}
736 
737 		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
738 			err = -EFAULT;
739 			break;
740 		}
741 
742 		if (opt)
743 			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
744 		else
745 			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
746 
747 		break;
748 
749 	default:
750 		err = -ENOPROTOOPT;
751 		break;
752 	}
753 
754 	release_sock(sk);
755 	return err;
756 }
757 
758 static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
759 {
760 	struct sock *sk = sock->sk;
761 	struct sock *l2cap_sk;
762 	struct l2cap_conn *conn;
763 	struct rfcomm_conninfo cinfo;
764 	int len, err = 0;
765 	u32 opt;
766 
767 	BT_DBG("sk %p", sk);
768 
769 	if (get_user(len, optlen))
770 		return -EFAULT;
771 
772 	lock_sock(sk);
773 
774 	switch (optname) {
775 	case RFCOMM_LM:
776 		switch (rfcomm_pi(sk)->sec_level) {
777 		case BT_SECURITY_LOW:
778 			opt = RFCOMM_LM_AUTH;
779 			break;
780 		case BT_SECURITY_MEDIUM:
781 			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
782 			break;
783 		case BT_SECURITY_HIGH:
784 			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
785 			      RFCOMM_LM_SECURE;
786 			break;
787 		case BT_SECURITY_FIPS:
788 			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
789 			      RFCOMM_LM_SECURE | RFCOMM_LM_FIPS;
790 			break;
791 		default:
792 			opt = 0;
793 			break;
794 		}
795 
796 		if (rfcomm_pi(sk)->role_switch)
797 			opt |= RFCOMM_LM_MASTER;
798 
799 		if (put_user(opt, (u32 __user *) optval))
800 			err = -EFAULT;
801 
802 		break;
803 
804 	case RFCOMM_CONNINFO:
805 		if (sk->sk_state != BT_CONNECTED &&
806 					!rfcomm_pi(sk)->dlc->defer_setup) {
807 			err = -ENOTCONN;
808 			break;
809 		}
810 
811 		l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
812 		conn = l2cap_pi(l2cap_sk)->chan->conn;
813 
814 		memset(&cinfo, 0, sizeof(cinfo));
815 		cinfo.hci_handle = conn->hcon->handle;
816 		memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
817 
818 		len = min_t(unsigned int, len, sizeof(cinfo));
819 		if (copy_to_user(optval, (char *) &cinfo, len))
820 			err = -EFAULT;
821 
822 		break;
823 
824 	default:
825 		err = -ENOPROTOOPT;
826 		break;
827 	}
828 
829 	release_sock(sk);
830 	return err;
831 }
832 
833 static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
834 {
835 	struct sock *sk = sock->sk;
836 	struct bt_security sec;
837 	int len, err = 0;
838 
839 	BT_DBG("sk %p", sk);
840 
841 	if (level == SOL_RFCOMM)
842 		return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen);
843 
844 	if (level != SOL_BLUETOOTH)
845 		return -ENOPROTOOPT;
846 
847 	if (get_user(len, optlen))
848 		return -EFAULT;
849 
850 	lock_sock(sk);
851 
852 	switch (optname) {
853 	case BT_SECURITY:
854 		if (sk->sk_type != SOCK_STREAM) {
855 			err = -EINVAL;
856 			break;
857 		}
858 
859 		sec.level = rfcomm_pi(sk)->sec_level;
860 		sec.key_size = 0;
861 
862 		len = min_t(unsigned int, len, sizeof(sec));
863 		if (copy_to_user(optval, (char *) &sec, len))
864 			err = -EFAULT;
865 
866 		break;
867 
868 	case BT_DEFER_SETUP:
869 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
870 			err = -EINVAL;
871 			break;
872 		}
873 
874 		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
875 			     (u32 __user *) optval))
876 			err = -EFAULT;
877 
878 		break;
879 
880 	default:
881 		err = -ENOPROTOOPT;
882 		break;
883 	}
884 
885 	release_sock(sk);
886 	return err;
887 }
888 
889 static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
890 {
891 	struct sock *sk __maybe_unused = sock->sk;
892 	int err;
893 
894 	BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg);
895 
896 	err = bt_sock_ioctl(sock, cmd, arg);
897 
898 	if (err == -ENOIOCTLCMD) {
899 #ifdef CONFIG_BT_RFCOMM_TTY
900 		lock_sock(sk);
901 		err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
902 		release_sock(sk);
903 #else
904 		err = -EOPNOTSUPP;
905 #endif
906 	}
907 
908 	return err;
909 }
910 
911 #ifdef CONFIG_COMPAT
912 static int rfcomm_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
913 {
914 	return rfcomm_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg));
915 }
916 #endif
917 
918 static int rfcomm_sock_shutdown(struct socket *sock, int how)
919 {
920 	struct sock *sk = sock->sk;
921 	int err = 0;
922 
923 	BT_DBG("sock %p, sk %p", sock, sk);
924 
925 	if (!sk)
926 		return 0;
927 
928 	lock_sock(sk);
929 	if (!sk->sk_shutdown) {
930 		sk->sk_shutdown = SHUTDOWN_MASK;
931 		__rfcomm_sock_close(sk);
932 
933 		if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
934 		    !(current->flags & PF_EXITING))
935 			err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
936 	}
937 	release_sock(sk);
938 	return err;
939 }
940 
941 static int rfcomm_sock_release(struct socket *sock)
942 {
943 	struct sock *sk = sock->sk;
944 	int err;
945 
946 	BT_DBG("sock %p, sk %p", sock, sk);
947 
948 	if (!sk)
949 		return 0;
950 
951 	err = rfcomm_sock_shutdown(sock, 2);
952 
953 	sock_orphan(sk);
954 	rfcomm_sock_kill(sk);
955 	return err;
956 }
957 
958 /* ---- RFCOMM core layer callbacks ----
959  *
960  * called under rfcomm_lock()
961  */
962 int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d)
963 {
964 	struct sock *sk, *parent;
965 	bdaddr_t src, dst;
966 	int result = 0;
967 
968 	BT_DBG("session %p channel %d", s, channel);
969 
970 	rfcomm_session_getaddr(s, &src, &dst);
971 
972 	/* Check if we have socket listening on channel */
973 	parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src);
974 	if (!parent)
975 		return 0;
976 
977 	bh_lock_sock(parent);
978 
979 	/* Check for backlog size */
980 	if (sk_acceptq_is_full(parent)) {
981 		BT_DBG("backlog full %d", parent->sk_ack_backlog);
982 		goto done;
983 	}
984 
985 	sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC, 0);
986 	if (!sk)
987 		goto done;
988 
989 	bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM);
990 
991 	rfcomm_sock_init(sk, parent);
992 	bacpy(&rfcomm_pi(sk)->src, &src);
993 	bacpy(&rfcomm_pi(sk)->dst, &dst);
994 	rfcomm_pi(sk)->channel = channel;
995 
996 	sk->sk_state = BT_CONFIG;
997 	bt_accept_enqueue(parent, sk, true);
998 
999 	/* Accept connection and return socket DLC */
1000 	*d = rfcomm_pi(sk)->dlc;
1001 	result = 1;
1002 
1003 done:
1004 	bh_unlock_sock(parent);
1005 
1006 	if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
1007 		parent->sk_state_change(parent);
1008 
1009 	return result;
1010 }
1011 
1012 static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
1013 {
1014 	struct sock *sk;
1015 
1016 	read_lock(&rfcomm_sk_list.lock);
1017 
1018 	sk_for_each(sk, &rfcomm_sk_list.head) {
1019 		seq_printf(f, "%pMR %pMR %d %d\n",
1020 			   &rfcomm_pi(sk)->src, &rfcomm_pi(sk)->dst,
1021 			   sk->sk_state, rfcomm_pi(sk)->channel);
1022 	}
1023 
1024 	read_unlock(&rfcomm_sk_list.lock);
1025 
1026 	return 0;
1027 }
1028 
1029 DEFINE_SHOW_ATTRIBUTE(rfcomm_sock_debugfs);
1030 
1031 static struct dentry *rfcomm_sock_debugfs;
1032 
1033 static const struct proto_ops rfcomm_sock_ops = {
1034 	.family		= PF_BLUETOOTH,
1035 	.owner		= THIS_MODULE,
1036 	.release	= rfcomm_sock_release,
1037 	.bind		= rfcomm_sock_bind,
1038 	.connect	= rfcomm_sock_connect,
1039 	.listen		= rfcomm_sock_listen,
1040 	.accept		= rfcomm_sock_accept,
1041 	.getname	= rfcomm_sock_getname,
1042 	.sendmsg	= rfcomm_sock_sendmsg,
1043 	.recvmsg	= rfcomm_sock_recvmsg,
1044 	.shutdown	= rfcomm_sock_shutdown,
1045 	.setsockopt	= rfcomm_sock_setsockopt,
1046 	.getsockopt	= rfcomm_sock_getsockopt,
1047 	.ioctl		= rfcomm_sock_ioctl,
1048 	.gettstamp	= sock_gettstamp,
1049 	.poll		= bt_sock_poll,
1050 	.socketpair	= sock_no_socketpair,
1051 	.mmap		= sock_no_mmap,
1052 #ifdef CONFIG_COMPAT
1053 	.compat_ioctl	= rfcomm_sock_compat_ioctl,
1054 #endif
1055 };
1056 
1057 static const struct net_proto_family rfcomm_sock_family_ops = {
1058 	.family		= PF_BLUETOOTH,
1059 	.owner		= THIS_MODULE,
1060 	.create		= rfcomm_sock_create
1061 };
1062 
1063 int __init rfcomm_init_sockets(void)
1064 {
1065 	int err;
1066 
1067 	BUILD_BUG_ON(sizeof(struct sockaddr_rc) > sizeof(struct sockaddr));
1068 
1069 	err = proto_register(&rfcomm_proto, 0);
1070 	if (err < 0)
1071 		return err;
1072 
1073 	err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops);
1074 	if (err < 0) {
1075 		BT_ERR("RFCOMM socket layer registration failed");
1076 		goto error;
1077 	}
1078 
1079 	err = bt_procfs_init(&init_net, "rfcomm", &rfcomm_sk_list, NULL);
1080 	if (err < 0) {
1081 		BT_ERR("Failed to create RFCOMM proc file");
1082 		bt_sock_unregister(BTPROTO_RFCOMM);
1083 		goto error;
1084 	}
1085 
1086 	BT_INFO("RFCOMM socket layer initialized");
1087 
1088 	if (IS_ERR_OR_NULL(bt_debugfs))
1089 		return 0;
1090 
1091 	rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444,
1092 						  bt_debugfs, NULL,
1093 						  &rfcomm_sock_debugfs_fops);
1094 
1095 	return 0;
1096 
1097 error:
1098 	proto_unregister(&rfcomm_proto);
1099 	return err;
1100 }
1101 
1102 void __exit rfcomm_cleanup_sockets(void)
1103 {
1104 	bt_procfs_cleanup(&init_net, "rfcomm");
1105 
1106 	debugfs_remove(rfcomm_sock_debugfs);
1107 
1108 	bt_sock_unregister(BTPROTO_RFCOMM);
1109 
1110 	proto_unregister(&rfcomm_proto);
1111 }
1112