1
/*
2
   RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3
   Copyright (C) 2002 Maxim Krasnyansky <[email protected]>
4
   Copyright (C) 2002 Marcel Holtmann <[email protected]>
5

6
   This program is free software; you can redistribute it and/or modify
7
   it under the terms of the GNU General Public License version 2 as
8
   published by the Free Software Foundation;
9

10
   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18

19
   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21
   SOFTWARE IS DISCLAIMED.
22
*/
23

24
/*
25
 * RFCOMM sockets.
26
 */
27
#include <linux/compat.h>
28
#include <linux/export.h>
29
#include <linux/debugfs.h>
30
#include <linux/sched/signal.h>
31

32
#include <net/bluetooth/bluetooth.h>
33
#include <net/bluetooth/hci_core.h>
34
#include <net/bluetooth/l2cap.h>
35
#include <net/bluetooth/rfcomm.h>
36

37
static const struct proto_ops rfcomm_sock_ops;
38

39
static struct bt_sock_list rfcomm_sk_list = {
40
	.lock = __RW_LOCK_UNLOCKED(rfcomm_sk_list.lock)
41
};
42

43
static void rfcomm_sock_close(struct sock *sk);
44
static void rfcomm_sock_kill(struct sock *sk);
45

46
/* ---- DLC callbacks ----
47
 *
48
 * called under rfcomm_dlc_lock()
49
 */
50
static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
51
{
52
	struct sock *sk = d->owner;
53
	if (!sk)
54
		return;
55

56
	atomic_add(skb->len, &sk->sk_rmem_alloc);
57
	skb_queue_tail(&sk->sk_receive_queue, skb);
58
	sk->sk_data_ready(sk);
59

60
	if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
61
		rfcomm_dlc_throttle(d);
62
}
63

64
static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
65
{
66
	struct sock *sk = d->owner, *parent;
67

68
	if (!sk)
69
		return;
70

71
	BT_DBG("dlc %p state %ld err %d", d, d->state, err);
72

73
	lock_sock(sk);
74

75
	if (err)
76
		sk->sk_err = err;
77

78
	sk->sk_state = d->state;
79

80
	parent = bt_sk(sk)->parent;
81
	if (parent) {
82
		if (d->state == BT_CLOSED) {
83
			sock_set_flag(sk, SOCK_ZAPPED);
84
			bt_accept_unlink(sk);
85
		}
86
		parent->sk_data_ready(parent);
87
	} else {
88
		if (d->state == BT_CONNECTED)
89
			rfcomm_session_getaddr(d->session,
90
					       &rfcomm_pi(sk)->src, NULL);
91
		sk->sk_state_change(sk);
92
	}
93

94
	release_sock(sk);
95

96
	if (parent && sock_flag(sk, SOCK_ZAPPED)) {
97
		/* We have to drop DLC lock here, otherwise
98
		 * rfcomm_sock_destruct() will dead lock. */
99
		rfcomm_dlc_unlock(d);
100
		rfcomm_sock_kill(sk);
101
		rfcomm_dlc_lock(d);
102
	}
103
}
104

105
/* ---- Socket functions ---- */
106
static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
107
{
108
	struct sock *sk = NULL;
109

110
	sk_for_each(sk, &rfcomm_sk_list.head) {
111
		if (rfcomm_pi(sk)->channel != channel)
112
			continue;
113

114
		if (bacmp(&rfcomm_pi(sk)->src, src))
115
			continue;
116

117
		if (sk->sk_state == BT_BOUND || sk->sk_state == BT_LISTEN)
118
			break;
119
	}
120

121
	return sk ? sk : NULL;
122
}
123

124
/* Find socket with channel and source bdaddr.
125
 * Returns closest match.
126
 */
127
static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
128
{
129
	struct sock *sk = NULL, *sk1 = NULL;
130

131
	read_lock(&rfcomm_sk_list.lock);
132

133
	sk_for_each(sk, &rfcomm_sk_list.head) {
134
		if (state && sk->sk_state != state)
135
			continue;
136

137
		if (rfcomm_pi(sk)->channel == channel) {
138
			/* Exact match. */
139
			if (!bacmp(&rfcomm_pi(sk)->src, src))
140
				break;
141

142
			/* Closest match */
143
			if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY))
144
				sk1 = sk;
145
		}
146
	}
147

148
	read_unlock(&rfcomm_sk_list.lock);
149

150
	return sk ? sk : sk1;
151
}
152

153
static void rfcomm_sock_destruct(struct sock *sk)
154
{
155
	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
156

157
	BT_DBG("sk %p dlc %p", sk, d);
158

159
	skb_queue_purge(&sk->sk_receive_queue);
160
	skb_queue_purge(&sk->sk_write_queue);
161

162
	rfcomm_dlc_lock(d);
163
	rfcomm_pi(sk)->dlc = NULL;
164

165
	/* Detach DLC if it's owned by this socket */
166
	if (d->owner == sk)
167
		d->owner = NULL;
168
	rfcomm_dlc_unlock(d);
169

170
	rfcomm_dlc_put(d);
171
}
172

173
static void rfcomm_sock_cleanup_listen(struct sock *parent)
174
{
175
	struct sock *sk;
176

177
	BT_DBG("parent %p", parent);
178

179
	/* Close not yet accepted dlcs */
180
	while ((sk = bt_accept_dequeue(parent, NULL))) {
181
		rfcomm_sock_close(sk);
182
		rfcomm_sock_kill(sk);
183
	}
184

185
	parent->sk_state  = BT_CLOSED;
186
	sock_set_flag(parent, SOCK_ZAPPED);
187
}
188

189
/* Kill socket (only if zapped and orphan)
190
 * Must be called on unlocked socket.
191
 */
192
static void rfcomm_sock_kill(struct sock *sk)
193
{
194
	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
195
		return;
196

197
	BT_DBG("sk %p state %d refcnt %d", sk, sk->sk_state, refcount_read(&sk->sk_refcnt));
198

199
	/* Kill poor orphan */
200
	bt_sock_unlink(&rfcomm_sk_list, sk);
201
	sock_set_flag(sk, SOCK_DEAD);
202
	sock_put(sk);
203
}
204

205
static void __rfcomm_sock_close(struct sock *sk)
206
{
207
	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
208

209
	BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
210

211
	switch (sk->sk_state) {
212
	case BT_LISTEN:
213
		rfcomm_sock_cleanup_listen(sk);
214
		break;
215

216
	case BT_CONNECT:
217
	case BT_CONNECT2:
218
	case BT_CONFIG:
219
	case BT_CONNECTED:
220
		rfcomm_dlc_close(d, 0);
221
		fallthrough;
222

223
	default:
224
		sock_set_flag(sk, SOCK_ZAPPED);
225
		break;
226
	}
227
}
228

229
/* Close socket.
230
 * Must be called on unlocked socket.
231
 */
232
static void rfcomm_sock_close(struct sock *sk)
233
{
234
	lock_sock(sk);
235
	__rfcomm_sock_close(sk);
236
	release_sock(sk);
237
}
238

239
static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
240
{
241
	struct rfcomm_pinfo *pi = rfcomm_pi(sk);
242

243
	BT_DBG("sk %p", sk);
244

245
	if (parent) {
246
		sk->sk_type = parent->sk_type;
247
		pi->dlc->defer_setup = test_bit(BT_SK_DEFER_SETUP,
248
						&bt_sk(parent)->flags);
249

250
		pi->sec_level = rfcomm_pi(parent)->sec_level;
251
		pi->role_switch = rfcomm_pi(parent)->role_switch;
252

253
		security_sk_clone(parent, sk);
254
	} else {
255
		pi->dlc->defer_setup = 0;
256

257
		pi->sec_level = BT_SECURITY_LOW;
258
		pi->role_switch = 0;
259
	}
260

261
	pi->dlc->sec_level = pi->sec_level;
262
	pi->dlc->role_switch = pi->role_switch;
263
}
264

265
static struct proto rfcomm_proto = {
266
	.name		= "RFCOMM",
267
	.owner		= THIS_MODULE,
268
	.obj_size	= sizeof(struct rfcomm_pinfo)
269
};
270

271
static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock,
272
				      int proto, gfp_t prio, int kern)
273
{
274
	struct rfcomm_dlc *d;
275
	struct sock *sk;
276

277
	d = rfcomm_dlc_alloc(prio);
278
	if (!d)
279
		return NULL;
280

281
	sk = bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern);
282
	if (!sk) {
283
		rfcomm_dlc_free(d);
284
		return NULL;
285
	}
286

287
	d->data_ready   = rfcomm_sk_data_ready;
288
	d->state_change = rfcomm_sk_state_change;
289

290
	rfcomm_pi(sk)->dlc = d;
291
	d->owner = sk;
292

293
	sk->sk_destruct = rfcomm_sock_destruct;
294
	sk->sk_sndtimeo = RFCOMM_CONN_TIMEOUT;
295

296
	sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
297
	sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
298

299
	bt_sock_link(&rfcomm_sk_list, sk);
300

301
	BT_DBG("sk %p", sk);
302
	return sk;
303
}
304

305
static int rfcomm_sock_create(struct net *net, struct socket *sock,
306
			      int protocol, int kern)
307
{
308
	struct sock *sk;
309

310
	BT_DBG("sock %p", sock);
311

312
	sock->state = SS_UNCONNECTED;
313

314
	if (sock->type != SOCK_STREAM && sock->type != SOCK_RAW)
315
		return -ESOCKTNOSUPPORT;
316

317
	sock->ops = &rfcomm_sock_ops;
318

319
	sk = rfcomm_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
320
	if (!sk)
321
		return -ENOMEM;
322

323
	rfcomm_sock_init(sk, NULL);
324
	return 0;
325
}
326

327
static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
328
{
329
	struct sockaddr_rc sa;
330
	struct sock *sk = sock->sk;
331
	int len, err = 0;
332

333
	if (!addr || addr_len < offsetofend(struct sockaddr, sa_family) ||
334
	    addr->sa_family != AF_BLUETOOTH)
335
		return -EINVAL;
336

337
	memset(&sa, 0, sizeof(sa));
338
	len = min_t(unsigned int, sizeof(sa), addr_len);
339
	memcpy(&sa, addr, len);
340

341
	BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);
342

343
	lock_sock(sk);
344

345
	if (sk->sk_state != BT_OPEN) {
346
		err = -EBADFD;
347
		goto done;
348
	}
349

350
	if (sk->sk_type != SOCK_STREAM) {
351
		err = -EINVAL;
352
		goto done;
353
	}
354

355
	write_lock(&rfcomm_sk_list.lock);
356

357
	if (sa.rc_channel &&
358
	    __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
359
		err = -EADDRINUSE;
360
	} else {
361
		/* Save source address */
362
		bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr);
363
		rfcomm_pi(sk)->channel = sa.rc_channel;
364
		sk->sk_state = BT_BOUND;
365
	}
366

367
	write_unlock(&rfcomm_sk_list.lock);
368

369
done:
370
	release_sock(sk);
371
	return err;
372
}
373

374
static int rfcomm_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
375
{
376
	struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
377
	struct sock *sk = sock->sk;
378
	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
379
	int err = 0;
380

381
	BT_DBG("sk %p", sk);
382

383
	if (alen < sizeof(struct sockaddr_rc) ||
384
	    addr->sa_family != AF_BLUETOOTH)
385
		return -EINVAL;
386

387
	sock_hold(sk);
388
	lock_sock(sk);
389

390
	if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
391
		err = -EBADFD;
392
		goto done;
393
	}
394

395
	if (sk->sk_type != SOCK_STREAM) {
396
		err = -EINVAL;
397
		goto done;
398
	}
399

400
	sk->sk_state = BT_CONNECT;
401
	bacpy(&rfcomm_pi(sk)->dst, &sa->rc_bdaddr);
402
	rfcomm_pi(sk)->channel = sa->rc_channel;
403

404
	d->sec_level = rfcomm_pi(sk)->sec_level;
405
	d->role_switch = rfcomm_pi(sk)->role_switch;
406

407
	/* Drop sock lock to avoid potential deadlock with the RFCOMM lock */
408
	release_sock(sk);
409
	err = rfcomm_dlc_open(d, &rfcomm_pi(sk)->src, &sa->rc_bdaddr,
410
			      sa->rc_channel);
411
	lock_sock(sk);
412
	if (!err && !sock_flag(sk, SOCK_ZAPPED))
413
		err = bt_sock_wait_state(sk, BT_CONNECTED,
414
				sock_sndtimeo(sk, flags & O_NONBLOCK));
415

416
done:
417
	release_sock(sk);
418
	sock_put(sk);
419
	return err;
420
}
421

422
static int rfcomm_sock_listen(struct socket *sock, int backlog)
423
{
424
	struct sock *sk = sock->sk;
425
	int err = 0;
426

427
	BT_DBG("sk %p backlog %d", sk, backlog);
428

429
	lock_sock(sk);
430

431
	if (sk->sk_state != BT_BOUND) {
432
		err = -EBADFD;
433
		goto done;
434
	}
435

436
	if (sk->sk_type != SOCK_STREAM) {
437
		err = -EINVAL;
438
		goto done;
439
	}
440

441
	if (!rfcomm_pi(sk)->channel) {
442
		bdaddr_t *src = &rfcomm_pi(sk)->src;
443
		u8 channel;
444

445
		err = -EINVAL;
446

447
		write_lock(&rfcomm_sk_list.lock);
448

449
		for (channel = 1; channel < 31; channel++)
450
			if (!__rfcomm_get_listen_sock_by_addr(channel, src)) {
451
				rfcomm_pi(sk)->channel = channel;
452
				err = 0;
453
				break;
454
			}
455

456
		write_unlock(&rfcomm_sk_list.lock);
457

458
		if (err < 0)
459
			goto done;
460
	}
461

462
	sk->sk_max_ack_backlog = backlog;
463
	sk->sk_ack_backlog = 0;
464
	sk->sk_state = BT_LISTEN;
465

466
done:
467
	release_sock(sk);
468
	return err;
469
}
470

471
static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock,
472
			      struct proto_accept_arg *arg)
473
{
474
	DEFINE_WAIT_FUNC(wait, woken_wake_function);
475
	struct sock *sk = sock->sk, *nsk;
476
	long timeo;
477
	int err = 0;
478

479
	lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
480

481
	if (sk->sk_type != SOCK_STREAM) {
482
		err = -EINVAL;
483
		goto done;
484
	}
485

486
	timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK);
487

488
	BT_DBG("sk %p timeo %ld", sk, timeo);
489

490
	/* Wait for an incoming connection. (wake-one). */
491
	add_wait_queue_exclusive(sk_sleep(sk), &wait);
492
	while (1) {
493
		if (sk->sk_state != BT_LISTEN) {
494
			err = -EBADFD;
495
			break;
496
		}
497

498
		nsk = bt_accept_dequeue(sk, newsock);
499
		if (nsk)
500
			break;
501

502
		if (!timeo) {
503
			err = -EAGAIN;
504
			break;
505
		}
506

507
		if (signal_pending(current)) {
508
			err = sock_intr_errno(timeo);
509
			break;
510
		}
511

512
		release_sock(sk);
513

514
		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
515

516
		lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
517
	}
518
	remove_wait_queue(sk_sleep(sk), &wait);
519

520
	if (err)
521
		goto done;
522

523
	newsock->state = SS_CONNECTED;
524

525
	BT_DBG("new socket %p", nsk);
526

527
done:
528
	release_sock(sk);
529
	return err;
530
}
531

532
static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int peer)
533
{
534
	struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
535
	struct sock *sk = sock->sk;
536

537
	BT_DBG("sock %p, sk %p", sock, sk);
538

539
	if (peer && sk->sk_state != BT_CONNECTED &&
540
	    sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2)
541
		return -ENOTCONN;
542

543
	memset(sa, 0, sizeof(*sa));
544
	sa->rc_family  = AF_BLUETOOTH;
545
	sa->rc_channel = rfcomm_pi(sk)->channel;
546
	if (peer)
547
		bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->dst);
548
	else
549
		bacpy(&sa->rc_bdaddr, &rfcomm_pi(sk)->src);
550

551
	return sizeof(struct sockaddr_rc);
552
}
553

554
static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg,
555
			       size_t len)
556
{
557
	struct sock *sk = sock->sk;
558
	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
559
	struct sk_buff *skb;
560
	int sent;
561

562
	if (test_bit(RFCOMM_DEFER_SETUP, &d->flags))
563
		return -ENOTCONN;
564

565
	if (msg->msg_flags & MSG_OOB)
566
		return -EOPNOTSUPP;
567

568
	if (sk->sk_shutdown & SEND_SHUTDOWN)
569
		return -EPIPE;
570

571
	BT_DBG("sock %p, sk %p", sock, sk);
572

573
	lock_sock(sk);
574

575
	sent = bt_sock_wait_ready(sk, msg->msg_flags);
576

577
	release_sock(sk);
578

579
	if (sent)
580
		return sent;
581

582
	skb = bt_skb_sendmmsg(sk, msg, len, d->mtu, RFCOMM_SKB_HEAD_RESERVE,
583
			      RFCOMM_SKB_TAIL_RESERVE);
584
	if (IS_ERR(skb))
585
		return PTR_ERR(skb);
586

587
	sent = rfcomm_dlc_send(d, skb);
588
	if (sent < 0)
589
		kfree_skb(skb);
590

591
	return sent;
592
}
593

594
static int rfcomm_sock_recvmsg(struct socket *sock, struct msghdr *msg,
595
			       size_t size, int flags)
596
{
597
	struct sock *sk = sock->sk;
598
	struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc;
599
	int len;
600

601
	if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
602
		rfcomm_dlc_accept(d);
603
		return 0;
604
	}
605

606
	len = bt_sock_stream_recvmsg(sock, msg, size, flags);
607

608
	lock_sock(sk);
609
	if (!(flags & MSG_PEEK) && len > 0)
610
		atomic_sub(len, &sk->sk_rmem_alloc);
611

612
	if (atomic_read(&sk->sk_rmem_alloc) <= (sk->sk_rcvbuf >> 2))
613
		rfcomm_dlc_unthrottle(rfcomm_pi(sk)->dlc);
614
	release_sock(sk);
615

616
	return len;
617
}
618

619
static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname,
620
		sockptr_t optval, unsigned int optlen)
621
{
622
	struct sock *sk = sock->sk;
623
	int err = 0;
624
	u32 opt;
625

626
	BT_DBG("sk %p", sk);
627

628
	lock_sock(sk);
629

630
	switch (optname) {
631
	case RFCOMM_LM:
632
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
633
		if (err)
634
			break;
635

636
		if (opt & RFCOMM_LM_FIPS) {
637
			err = -EINVAL;
638
			break;
639
		}
640

641
		if (opt & RFCOMM_LM_AUTH)
642
			rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
643
		if (opt & RFCOMM_LM_ENCRYPT)
644
			rfcomm_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
645
		if (opt & RFCOMM_LM_SECURE)
646
			rfcomm_pi(sk)->sec_level = BT_SECURITY_HIGH;
647

648
		rfcomm_pi(sk)->role_switch = (opt & RFCOMM_LM_MASTER);
649
		break;
650

651
	default:
652
		err = -ENOPROTOOPT;
653
		break;
654
	}
655

656
	release_sock(sk);
657
	return err;
658
}
659

660
static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname,
661
		sockptr_t optval, unsigned int optlen)
662
{
663
	struct sock *sk = sock->sk;
664
	struct bt_security sec;
665
	int err = 0;
666
	u32 opt;
667

668
	BT_DBG("sk %p", sk);
669

670
	if (level == SOL_RFCOMM)
671
		return rfcomm_sock_setsockopt_old(sock, optname, optval, optlen);
672

673
	if (level != SOL_BLUETOOTH)
674
		return -ENOPROTOOPT;
675

676
	lock_sock(sk);
677

678
	switch (optname) {
679
	case BT_SECURITY:
680
		if (sk->sk_type != SOCK_STREAM) {
681
			err = -EINVAL;
682
			break;
683
		}
684

685
		sec.level = BT_SECURITY_LOW;
686

687
		err = copy_safe_from_sockptr(&sec, sizeof(sec), optval, optlen);
688
		if (err)
689
			break;
690

691
		if (sec.level > BT_SECURITY_HIGH) {
692
			err = -EINVAL;
693
			break;
694
		}
695

696
		rfcomm_pi(sk)->sec_level = sec.level;
697
		break;
698

699
	case BT_DEFER_SETUP:
700
		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
701
			err = -EINVAL;
702
			break;
703
		}
704

705
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
706
		if (err)
707
			break;
708

709
		if (opt)
710
			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
711
		else
712
			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
713

714
		break;
715

716
	default:
717
		err = -ENOPROTOOPT;
718
		break;
719
	}
720

721
	release_sock(sk);
722
	return err;
723
}
724

725
static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
726
{
727
	struct sock *sk = sock->sk;
728
	struct sock *l2cap_sk;
729
	struct l2cap_conn *conn;
730
	struct rfcomm_conninfo cinfo;
731
	int err = 0;
732
	size_t len;
733
	u32 opt;
734

735
	BT_DBG("sk %p", sk);
736

737
	if (get_user(len, optlen))
738
		return -EFAULT;
739

740
	lock_sock(sk);
741

742
	switch (optname) {
743
	case RFCOMM_LM:
744
		switch (rfcomm_pi(sk)->sec_level) {
745
		case BT_SECURITY_LOW:
746
			opt = RFCOMM_LM_AUTH;
747
			break;
748
		case BT_SECURITY_MEDIUM:
749
			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT;
750
			break;
751
		case BT_SECURITY_HIGH:
752
			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
753
			      RFCOMM_LM_SECURE;
754
			break;
755
		case BT_SECURITY_FIPS:
756
			opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
757
			      RFCOMM_LM_SECURE | RFCOMM_LM_FIPS;
758
			break;
759
		default:
760
			opt = 0;
761
			break;
762
		}
763

764
		if (rfcomm_pi(sk)->role_switch)
765
			opt |= RFCOMM_LM_MASTER;
766

767
		if (put_user(opt, (u32 __user *) optval))
768
			err = -EFAULT;
769

770
		break;
771

772
	case RFCOMM_CONNINFO:
773
		if (sk->sk_state != BT_CONNECTED &&
774
					!rfcomm_pi(sk)->dlc->defer_setup) {
775
			err = -ENOTCONN;
776
			break;
777
		}
778

779
		l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
780
		conn = l2cap_pi(l2cap_sk)->chan->conn;
781

782
		memset(&cinfo, 0, sizeof(cinfo));
783
		cinfo.hci_handle = conn->hcon->handle;
784
		memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
785

786
		len = min(len, sizeof(cinfo));
787
		if (copy_to_user(optval, (char *) &cinfo, len))
788
			err = -EFAULT;
789

790
		break;
791

792
	default:
793
		err = -ENOPROTOOPT;
794
		break;
795
	}
796

797
	release_sock(sk);
798
	return err;
799
}
800

801
static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
802
{
803
	struct sock *sk = sock->sk;
804
	struct bt_security sec;
805
	int err = 0;
806
	size_t len;
807

808
	BT_DBG("sk %p", sk);
809

810
	if (level == SOL_RFCOMM)
811
		return rfcomm_sock_getsockopt_old(sock, optname, optval, optlen);
812

813
	if (level != SOL_BLUETOOTH)
814
		return -ENOPROTOOPT;
815

816
	if (get_user(len, optlen))
817
		return -EFAULT;
818

819
	lock_sock(sk);
820

821
	switch (optname) {
822
	case BT_SECURITY:
823
		if (sk->sk_type != SOCK_STREAM) {
824
			err = -EINVAL;
825
			break;
826
		}
827

828
		sec.level = rfcomm_pi(sk)->sec_level;
829
		sec.key_size = 0;
830

831
		len = min(len, sizeof(sec));
832
		if (copy_to_user(optval, (char *) &sec, len))
833
			err = -EFAULT;
834

835
		break;
836

837
	case BT_DEFER_SETUP:
838
		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
839
			err = -EINVAL;
840
			break;
841
		}
842

843
		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
844
			     (u32 __user *) optval))
845
			err = -EFAULT;
846

847
		break;
848

849
	default:
850
		err = -ENOPROTOOPT;
851
		break;
852
	}
853

854
	release_sock(sk);
855
	return err;
856
}
857

858
static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
859
{
860
	struct sock *sk __maybe_unused = sock->sk;
861
	int err;
862

863
	BT_DBG("sk %p cmd %x arg %lx", sk, cmd, arg);
864

865
	err = bt_sock_ioctl(sock, cmd, arg);
866

867
	if (err == -ENOIOCTLCMD) {
868
#ifdef CONFIG_BT_RFCOMM_TTY
869
		err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
870
#else
871
		err = -EOPNOTSUPP;
872
#endif
873
	}
874

875
	return err;
876
}
877

878
#ifdef CONFIG_COMPAT
879
static int rfcomm_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
880
{
881
	return rfcomm_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg));
882
}
883
#endif
884

885
static int rfcomm_sock_shutdown(struct socket *sock, int how)
886
{
887
	struct sock *sk = sock->sk;
888
	int err = 0;
889

890
	BT_DBG("sock %p, sk %p", sock, sk);
891

892
	if (!sk)
893
		return 0;
894

895
	lock_sock(sk);
896
	if (!sk->sk_shutdown) {
897
		sk->sk_shutdown = SHUTDOWN_MASK;
898

899
		release_sock(sk);
900
		__rfcomm_sock_close(sk);
901
		lock_sock(sk);
902

903
		if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
904
		    !(current->flags & PF_EXITING))
905
			err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
906
	}
907
	release_sock(sk);
908
	return err;
909
}
910

911
static int rfcomm_sock_release(struct socket *sock)
912
{
913
	struct sock *sk = sock->sk;
914
	int err;
915

916
	BT_DBG("sock %p, sk %p", sock, sk);
917

918
	if (!sk)
919
		return 0;
920

921
	err = rfcomm_sock_shutdown(sock, 2);
922

923
	sock_orphan(sk);
924
	rfcomm_sock_kill(sk);
925
	return err;
926
}
927

928
/* ---- RFCOMM core layer callbacks ----
929
 *
930
 * called under rfcomm_lock()
931
 */
932
int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc **d)
933
{
934
	struct sock *sk, *parent;
935
	bdaddr_t src, dst;
936
	int result = 0;
937

938
	BT_DBG("session %p channel %d", s, channel);
939

940
	rfcomm_session_getaddr(s, &src, &dst);
941

942
	/* Check if we have socket listening on channel */
943
	parent = rfcomm_get_sock_by_channel(BT_LISTEN, channel, &src);
944
	if (!parent)
945
		return 0;
946

947
	lock_sock(parent);
948

949
	/* Check for backlog size */
950
	if (sk_acceptq_is_full(parent)) {
951
		BT_DBG("backlog full %d", parent->sk_ack_backlog);
952
		goto done;
953
	}
954

955
	sk = rfcomm_sock_alloc(sock_net(parent), NULL, BTPROTO_RFCOMM, GFP_ATOMIC, 0);
956
	if (!sk)
957
		goto done;
958

959
	bt_sock_reclassify_lock(sk, BTPROTO_RFCOMM);
960

961
	rfcomm_sock_init(sk, parent);
962
	bacpy(&rfcomm_pi(sk)->src, &src);
963
	bacpy(&rfcomm_pi(sk)->dst, &dst);
964
	rfcomm_pi(sk)->channel = channel;
965

966
	sk->sk_state = BT_CONFIG;
967
	bt_accept_enqueue(parent, sk, true);
968

969
	/* Accept connection and return socket DLC */
970
	*d = rfcomm_pi(sk)->dlc;
971
	result = 1;
972

973
done:
974
	release_sock(parent);
975

976
	if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
977
		parent->sk_state_change(parent);
978

979
	return result;
980
}
981

982
static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
983
{
984
	struct sock *sk;
985

986
	read_lock(&rfcomm_sk_list.lock);
987

988
	sk_for_each(sk, &rfcomm_sk_list.head) {
989
		seq_printf(f, "%pMR %pMR %d %d\n",
990
			   &rfcomm_pi(sk)->src, &rfcomm_pi(sk)->dst,
991
			   sk->sk_state, rfcomm_pi(sk)->channel);
992
	}
993

994
	read_unlock(&rfcomm_sk_list.lock);
995

996
	return 0;
997
}
998

999
DEFINE_SHOW_ATTRIBUTE(rfcomm_sock_debugfs);
1000

1001
static struct dentry *rfcomm_sock_debugfs;
1002

1003
static const struct proto_ops rfcomm_sock_ops = {
1004
	.family		= PF_BLUETOOTH,
1005
	.owner		= THIS_MODULE,
1006
	.release	= rfcomm_sock_release,
1007
	.bind		= rfcomm_sock_bind,
1008
	.connect	= rfcomm_sock_connect,
1009
	.listen		= rfcomm_sock_listen,
1010
	.accept		= rfcomm_sock_accept,
1011
	.getname	= rfcomm_sock_getname,
1012
	.sendmsg	= rfcomm_sock_sendmsg,
1013
	.recvmsg	= rfcomm_sock_recvmsg,
1014
	.shutdown	= rfcomm_sock_shutdown,
1015
	.setsockopt	= rfcomm_sock_setsockopt,
1016
	.getsockopt	= rfcomm_sock_getsockopt,
1017
	.ioctl		= rfcomm_sock_ioctl,
1018
	.gettstamp	= sock_gettstamp,
1019
	.poll		= bt_sock_poll,
1020
	.socketpair	= sock_no_socketpair,
1021
	.mmap		= sock_no_mmap,
1022
#ifdef CONFIG_COMPAT
1023
	.compat_ioctl	= rfcomm_sock_compat_ioctl,
1024
#endif
1025
};
1026

1027
static const struct net_proto_family rfcomm_sock_family_ops = {
1028
	.family		= PF_BLUETOOTH,
1029
	.owner		= THIS_MODULE,
1030
	.create		= rfcomm_sock_create
1031
};
1032

1033
int __init rfcomm_init_sockets(void)
1034
{
1035
	int err;
1036

1037
	BUILD_BUG_ON(sizeof(struct sockaddr_rc) > sizeof(struct sockaddr));
1038

1039
	err = proto_register(&rfcomm_proto, 0);
1040
	if (err < 0)
1041
		return err;
1042

1043
	err = bt_sock_register(BTPROTO_RFCOMM, &rfcomm_sock_family_ops);
1044
	if (err < 0) {
1045
		BT_ERR("RFCOMM socket layer registration failed");
1046
		goto error;
1047
	}
1048

1049
	err = bt_procfs_init(&init_net, "rfcomm", &rfcomm_sk_list, NULL);
1050
	if (err < 0) {
1051
		BT_ERR("Failed to create RFCOMM proc file");
1052
		bt_sock_unregister(BTPROTO_RFCOMM);
1053
		goto error;
1054
	}
1055

1056
	BT_INFO("RFCOMM socket layer initialized");
1057

1058
	if (IS_ERR_OR_NULL(bt_debugfs))
1059
		return 0;
1060

1061
	rfcomm_sock_debugfs = debugfs_create_file("rfcomm", 0444,
1062
						  bt_debugfs, NULL,
1063
						  &rfcomm_sock_debugfs_fops);
1064

1065
	return 0;
1066

1067
error:
1068
	proto_unregister(&rfcomm_proto);
1069
	return err;
1070
}
1071

1072
void __exit rfcomm_cleanup_sockets(void)
1073
{
1074
	bt_procfs_cleanup(&init_net, "rfcomm");
1075

1076
	debugfs_remove(rfcomm_sock_debugfs);
1077

1078
	bt_sock_unregister(BTPROTO_RFCOMM);
1079

1080
	proto_unregister(&rfcomm_proto);
1081
}
1082

1083