1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License version 2 as 9 published by the Free Software Foundation; 10 11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 22 SOFTWARE IS DISCLAIMED. 23 */ 24 25 /* Bluetooth HCI sockets. */ 26 #include <linux/compat.h> 27 #include <linux/export.h> 28 #include <linux/utsname.h> 29 #include <linux/sched.h> 30 #include <asm/unaligned.h> 31 32 #include <net/bluetooth/bluetooth.h> 33 #include <net/bluetooth/hci_core.h> 34 #include <net/bluetooth/hci_mon.h> 35 #include <net/bluetooth/mgmt.h> 36 37 #include "mgmt_util.h" 38 39 static LIST_HEAD(mgmt_chan_list); 40 static DEFINE_MUTEX(mgmt_chan_list_lock); 41 42 static DEFINE_IDA(sock_cookie_ida); 43 44 static atomic_t monitor_promisc = ATOMIC_INIT(0); 45 46 /* ----- HCI socket interface ----- */ 47 48 /* Socket info */ 49 #define hci_pi(sk) ((struct hci_pinfo *) sk) 50 51 struct hci_pinfo { 52 struct bt_sock bt; 53 struct hci_dev *hdev; 54 struct hci_filter filter; 55 __u32 cmsg_mask; 56 unsigned short channel; 57 unsigned long flags; 58 __u32 cookie; 59 char comm[TASK_COMM_LEN]; 60 }; 61 62 void hci_sock_set_flag(struct sock *sk, int nr) 63 { 64 set_bit(nr, &hci_pi(sk)->flags); 65 } 66 67 void hci_sock_clear_flag(struct sock *sk, int nr) 68 { 69 clear_bit(nr, &hci_pi(sk)->flags); 70 } 71 72 int hci_sock_test_flag(struct sock *sk, int nr) 73 { 74 return test_bit(nr, &hci_pi(sk)->flags); 75 } 76 77 unsigned short hci_sock_get_channel(struct sock *sk) 78 { 79 return hci_pi(sk)->channel; 80 } 81 82 u32 hci_sock_get_cookie(struct sock *sk) 83 { 84 return hci_pi(sk)->cookie; 85 } 86 87 static bool hci_sock_gen_cookie(struct sock *sk) 88 { 89 int id = hci_pi(sk)->cookie; 90 91 if (!id) { 92 id = ida_simple_get(&sock_cookie_ida, 1, 0, GFP_KERNEL); 93 if (id < 0) 94 id = 0xffffffff; 95 96 hci_pi(sk)->cookie = id; 97 get_task_comm(hci_pi(sk)->comm, current); 98 return true; 99 } 100 101 return false; 102 } 103 104 static void hci_sock_free_cookie(struct sock *sk) 105 { 106 int id = hci_pi(sk)->cookie; 107 108 if (id) { 109 hci_pi(sk)->cookie = 0xffffffff; 110 ida_simple_remove(&sock_cookie_ida, id); 111 } 112 } 113 114 static inline int hci_test_bit(int nr, const void *addr) 115 { 116 return *((const __u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31)); 117 } 118 119 /* Security filter */ 120 #define HCI_SFLT_MAX_OGF 5 121 122 struct hci_sec_filter { 123 __u32 type_mask; 124 __u32 event_mask[2]; 125 __u32 ocf_mask[HCI_SFLT_MAX_OGF + 1][4]; 126 }; 127 128 static const struct hci_sec_filter hci_sec_filter = { 129 /* Packet types */ 130 0x10, 131 /* Events */ 132 { 0x1000d9fe, 0x0000b00c }, 133 /* Commands */ 134 { 135 { 0x0 }, 136 /* OGF_LINK_CTL */ 137 { 0xbe000006, 0x00000001, 0x00000000, 0x00 }, 138 /* OGF_LINK_POLICY */ 139 { 0x00005200, 0x00000000, 0x00000000, 0x00 }, 140 /* OGF_HOST_CTL */ 141 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 }, 142 /* OGF_INFO_PARAM */ 143 { 0x000002be, 0x00000000, 0x00000000, 0x00 }, 144 /* OGF_STATUS_PARAM */ 145 { 0x000000ea, 0x00000000, 0x00000000, 0x00 } 146 } 147 }; 148 149 static struct bt_sock_list hci_sk_list = { 150 .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock) 151 }; 152 153 static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb) 154 { 155 struct hci_filter *flt; 156 int flt_type, flt_event; 157 158 /* Apply filter */ 159 flt = &hci_pi(sk)->filter; 160 161 flt_type = hci_skb_pkt_type(skb) & HCI_FLT_TYPE_BITS; 162 163 if (!test_bit(flt_type, &flt->type_mask)) 164 return true; 165 166 /* Extra filter for event packets only */ 167 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT) 168 return false; 169 170 flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS); 171 172 if (!hci_test_bit(flt_event, &flt->event_mask)) 173 return true; 174 175 /* Check filter only when opcode is set */ 176 if (!flt->opcode) 177 return false; 178 179 if (flt_event == HCI_EV_CMD_COMPLETE && 180 flt->opcode != get_unaligned((__le16 *)(skb->data + 3))) 181 return true; 182 183 if (flt_event == HCI_EV_CMD_STATUS && 184 flt->opcode != get_unaligned((__le16 *)(skb->data + 4))) 185 return true; 186 187 return false; 188 } 189 190 /* Send frame to RAW socket */ 191 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb) 192 { 193 struct sock *sk; 194 struct sk_buff *skb_copy = NULL; 195 196 BT_DBG("hdev %p len %d", hdev, skb->len); 197 198 read_lock(&hci_sk_list.lock); 199 200 sk_for_each(sk, &hci_sk_list.head) { 201 struct sk_buff *nskb; 202 203 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev) 204 continue; 205 206 /* Don't send frame to the socket it came from */ 207 if (skb->sk == sk) 208 continue; 209 210 if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) { 211 if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT && 212 hci_skb_pkt_type(skb) != HCI_EVENT_PKT && 213 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT && 214 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT) 215 continue; 216 if (is_filtered_packet(sk, skb)) 217 continue; 218 } else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { 219 if (!bt_cb(skb)->incoming) 220 continue; 221 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT && 222 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT && 223 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT) 224 continue; 225 } else { 226 /* Don't send frame to other channel types */ 227 continue; 228 } 229 230 if (!skb_copy) { 231 /* Create a private copy with headroom */ 232 skb_copy = __pskb_copy_fclone(skb, 1, GFP_ATOMIC, true); 233 if (!skb_copy) 234 continue; 235 236 /* Put type byte before the data */ 237 memcpy(skb_push(skb_copy, 1), &hci_skb_pkt_type(skb), 1); 238 } 239 240 nskb = skb_clone(skb_copy, GFP_ATOMIC); 241 if (!nskb) 242 continue; 243 244 if (sock_queue_rcv_skb(sk, nskb)) 245 kfree_skb(nskb); 246 } 247 248 read_unlock(&hci_sk_list.lock); 249 250 kfree_skb(skb_copy); 251 } 252 253 /* Send frame to sockets with specific channel */ 254 static void __hci_send_to_channel(unsigned short channel, struct sk_buff *skb, 255 int flag, struct sock *skip_sk) 256 { 257 struct sock *sk; 258 259 BT_DBG("channel %u len %d", channel, skb->len); 260 261 sk_for_each(sk, &hci_sk_list.head) { 262 struct sk_buff *nskb; 263 264 /* Ignore socket without the flag set */ 265 if (!hci_sock_test_flag(sk, flag)) 266 continue; 267 268 /* Skip the original socket */ 269 if (sk == skip_sk) 270 continue; 271 272 if (sk->sk_state != BT_BOUND) 273 continue; 274 275 if (hci_pi(sk)->channel != channel) 276 continue; 277 278 nskb = skb_clone(skb, GFP_ATOMIC); 279 if (!nskb) 280 continue; 281 282 if (sock_queue_rcv_skb(sk, nskb)) 283 kfree_skb(nskb); 284 } 285 286 } 287 288 void hci_send_to_channel(unsigned short channel, struct sk_buff *skb, 289 int flag, struct sock *skip_sk) 290 { 291 read_lock(&hci_sk_list.lock); 292 __hci_send_to_channel(channel, skb, flag, skip_sk); 293 read_unlock(&hci_sk_list.lock); 294 } 295 296 /* Send frame to monitor socket */ 297 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb) 298 { 299 struct sk_buff *skb_copy = NULL; 300 struct hci_mon_hdr *hdr; 301 __le16 opcode; 302 303 if (!atomic_read(&monitor_promisc)) 304 return; 305 306 BT_DBG("hdev %p len %d", hdev, skb->len); 307 308 switch (hci_skb_pkt_type(skb)) { 309 case HCI_COMMAND_PKT: 310 opcode = cpu_to_le16(HCI_MON_COMMAND_PKT); 311 break; 312 case HCI_EVENT_PKT: 313 opcode = cpu_to_le16(HCI_MON_EVENT_PKT); 314 break; 315 case HCI_ACLDATA_PKT: 316 if (bt_cb(skb)->incoming) 317 opcode = cpu_to_le16(HCI_MON_ACL_RX_PKT); 318 else 319 opcode = cpu_to_le16(HCI_MON_ACL_TX_PKT); 320 break; 321 case HCI_SCODATA_PKT: 322 if (bt_cb(skb)->incoming) 323 opcode = cpu_to_le16(HCI_MON_SCO_RX_PKT); 324 else 325 opcode = cpu_to_le16(HCI_MON_SCO_TX_PKT); 326 break; 327 case HCI_DIAG_PKT: 328 opcode = cpu_to_le16(HCI_MON_VENDOR_DIAG); 329 break; 330 default: 331 return; 332 } 333 334 /* Create a private copy with headroom */ 335 skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE, GFP_ATOMIC, true); 336 if (!skb_copy) 337 return; 338 339 /* Put header before the data */ 340 hdr = skb_push(skb_copy, HCI_MON_HDR_SIZE); 341 hdr->opcode = opcode; 342 hdr->index = cpu_to_le16(hdev->id); 343 hdr->len = cpu_to_le16(skb->len); 344 345 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb_copy, 346 HCI_SOCK_TRUSTED, NULL); 347 kfree_skb(skb_copy); 348 } 349 350 void hci_send_monitor_ctrl_event(struct hci_dev *hdev, u16 event, 351 void *data, u16 data_len, ktime_t tstamp, 352 int flag, struct sock *skip_sk) 353 { 354 struct sock *sk; 355 __le16 index; 356 357 if (hdev) 358 index = cpu_to_le16(hdev->id); 359 else 360 index = cpu_to_le16(MGMT_INDEX_NONE); 361 362 read_lock(&hci_sk_list.lock); 363 364 sk_for_each(sk, &hci_sk_list.head) { 365 struct hci_mon_hdr *hdr; 366 struct sk_buff *skb; 367 368 if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL) 369 continue; 370 371 /* Ignore socket without the flag set */ 372 if (!hci_sock_test_flag(sk, flag)) 373 continue; 374 375 /* Skip the original socket */ 376 if (sk == skip_sk) 377 continue; 378 379 skb = bt_skb_alloc(6 + data_len, GFP_ATOMIC); 380 if (!skb) 381 continue; 382 383 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); 384 put_unaligned_le16(event, skb_put(skb, 2)); 385 386 if (data) 387 skb_put_data(skb, data, data_len); 388 389 skb->tstamp = tstamp; 390 391 hdr = skb_push(skb, HCI_MON_HDR_SIZE); 392 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_EVENT); 393 hdr->index = index; 394 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 395 396 __hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 397 HCI_SOCK_TRUSTED, NULL); 398 kfree_skb(skb); 399 } 400 401 read_unlock(&hci_sk_list.lock); 402 } 403 404 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event) 405 { 406 struct hci_mon_hdr *hdr; 407 struct hci_mon_new_index *ni; 408 struct hci_mon_index_info *ii; 409 struct sk_buff *skb; 410 __le16 opcode; 411 412 switch (event) { 413 case HCI_DEV_REG: 414 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC); 415 if (!skb) 416 return NULL; 417 418 ni = skb_put(skb, HCI_MON_NEW_INDEX_SIZE); 419 ni->type = hdev->dev_type; 420 ni->bus = hdev->bus; 421 bacpy(&ni->bdaddr, &hdev->bdaddr); 422 memcpy(ni->name, hdev->name, 8); 423 424 opcode = cpu_to_le16(HCI_MON_NEW_INDEX); 425 break; 426 427 case HCI_DEV_UNREG: 428 skb = bt_skb_alloc(0, GFP_ATOMIC); 429 if (!skb) 430 return NULL; 431 432 opcode = cpu_to_le16(HCI_MON_DEL_INDEX); 433 break; 434 435 case HCI_DEV_SETUP: 436 if (hdev->manufacturer == 0xffff) 437 return NULL; 438 439 /* fall through */ 440 441 case HCI_DEV_UP: 442 skb = bt_skb_alloc(HCI_MON_INDEX_INFO_SIZE, GFP_ATOMIC); 443 if (!skb) 444 return NULL; 445 446 ii = skb_put(skb, HCI_MON_INDEX_INFO_SIZE); 447 bacpy(&ii->bdaddr, &hdev->bdaddr); 448 ii->manufacturer = cpu_to_le16(hdev->manufacturer); 449 450 opcode = cpu_to_le16(HCI_MON_INDEX_INFO); 451 break; 452 453 case HCI_DEV_OPEN: 454 skb = bt_skb_alloc(0, GFP_ATOMIC); 455 if (!skb) 456 return NULL; 457 458 opcode = cpu_to_le16(HCI_MON_OPEN_INDEX); 459 break; 460 461 case HCI_DEV_CLOSE: 462 skb = bt_skb_alloc(0, GFP_ATOMIC); 463 if (!skb) 464 return NULL; 465 466 opcode = cpu_to_le16(HCI_MON_CLOSE_INDEX); 467 break; 468 469 default: 470 return NULL; 471 } 472 473 __net_timestamp(skb); 474 475 hdr = skb_push(skb, HCI_MON_HDR_SIZE); 476 hdr->opcode = opcode; 477 hdr->index = cpu_to_le16(hdev->id); 478 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 479 480 return skb; 481 } 482 483 static struct sk_buff *create_monitor_ctrl_open(struct sock *sk) 484 { 485 struct hci_mon_hdr *hdr; 486 struct sk_buff *skb; 487 u16 format; 488 u8 ver[3]; 489 u32 flags; 490 491 /* No message needed when cookie is not present */ 492 if (!hci_pi(sk)->cookie) 493 return NULL; 494 495 switch (hci_pi(sk)->channel) { 496 case HCI_CHANNEL_RAW: 497 format = 0x0000; 498 ver[0] = BT_SUBSYS_VERSION; 499 put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1); 500 break; 501 case HCI_CHANNEL_USER: 502 format = 0x0001; 503 ver[0] = BT_SUBSYS_VERSION; 504 put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1); 505 break; 506 case HCI_CHANNEL_CONTROL: 507 format = 0x0002; 508 mgmt_fill_version_info(ver); 509 break; 510 default: 511 /* No message for unsupported format */ 512 return NULL; 513 } 514 515 skb = bt_skb_alloc(14 + TASK_COMM_LEN , GFP_ATOMIC); 516 if (!skb) 517 return NULL; 518 519 flags = hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) ? 0x1 : 0x0; 520 521 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); 522 put_unaligned_le16(format, skb_put(skb, 2)); 523 skb_put_data(skb, ver, sizeof(ver)); 524 put_unaligned_le32(flags, skb_put(skb, 4)); 525 skb_put_u8(skb, TASK_COMM_LEN); 526 skb_put_data(skb, hci_pi(sk)->comm, TASK_COMM_LEN); 527 528 __net_timestamp(skb); 529 530 hdr = skb_push(skb, HCI_MON_HDR_SIZE); 531 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_OPEN); 532 if (hci_pi(sk)->hdev) 533 hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id); 534 else 535 hdr->index = cpu_to_le16(HCI_DEV_NONE); 536 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 537 538 return skb; 539 } 540 541 static struct sk_buff *create_monitor_ctrl_close(struct sock *sk) 542 { 543 struct hci_mon_hdr *hdr; 544 struct sk_buff *skb; 545 546 /* No message needed when cookie is not present */ 547 if (!hci_pi(sk)->cookie) 548 return NULL; 549 550 switch (hci_pi(sk)->channel) { 551 case HCI_CHANNEL_RAW: 552 case HCI_CHANNEL_USER: 553 case HCI_CHANNEL_CONTROL: 554 break; 555 default: 556 /* No message for unsupported format */ 557 return NULL; 558 } 559 560 skb = bt_skb_alloc(4, GFP_ATOMIC); 561 if (!skb) 562 return NULL; 563 564 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); 565 566 __net_timestamp(skb); 567 568 hdr = skb_push(skb, HCI_MON_HDR_SIZE); 569 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_CLOSE); 570 if (hci_pi(sk)->hdev) 571 hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id); 572 else 573 hdr->index = cpu_to_le16(HCI_DEV_NONE); 574 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 575 576 return skb; 577 } 578 579 static struct sk_buff *create_monitor_ctrl_command(struct sock *sk, u16 index, 580 u16 opcode, u16 len, 581 const void *buf) 582 { 583 struct hci_mon_hdr *hdr; 584 struct sk_buff *skb; 585 586 skb = bt_skb_alloc(6 + len, GFP_ATOMIC); 587 if (!skb) 588 return NULL; 589 590 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); 591 put_unaligned_le16(opcode, skb_put(skb, 2)); 592 593 if (buf) 594 skb_put_data(skb, buf, len); 595 596 __net_timestamp(skb); 597 598 hdr = skb_push(skb, HCI_MON_HDR_SIZE); 599 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_COMMAND); 600 hdr->index = cpu_to_le16(index); 601 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 602 603 return skb; 604 } 605 606 static void __printf(2, 3) 607 send_monitor_note(struct sock *sk, const char *fmt, ...) 608 { 609 size_t len; 610 struct hci_mon_hdr *hdr; 611 struct sk_buff *skb; 612 va_list args; 613 614 va_start(args, fmt); 615 len = vsnprintf(NULL, 0, fmt, args); 616 va_end(args); 617 618 skb = bt_skb_alloc(len + 1, GFP_ATOMIC); 619 if (!skb) 620 return; 621 622 va_start(args, fmt); 623 vsprintf(skb_put(skb, len), fmt, args); 624 *(u8 *)skb_put(skb, 1) = 0; 625 va_end(args); 626 627 __net_timestamp(skb); 628 629 hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE); 630 hdr->opcode = cpu_to_le16(HCI_MON_SYSTEM_NOTE); 631 hdr->index = cpu_to_le16(HCI_DEV_NONE); 632 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 633 634 if (sock_queue_rcv_skb(sk, skb)) 635 kfree_skb(skb); 636 } 637 638 static void send_monitor_replay(struct sock *sk) 639 { 640 struct hci_dev *hdev; 641 642 read_lock(&hci_dev_list_lock); 643 644 list_for_each_entry(hdev, &hci_dev_list, list) { 645 struct sk_buff *skb; 646 647 skb = create_monitor_event(hdev, HCI_DEV_REG); 648 if (!skb) 649 continue; 650 651 if (sock_queue_rcv_skb(sk, skb)) 652 kfree_skb(skb); 653 654 if (!test_bit(HCI_RUNNING, &hdev->flags)) 655 continue; 656 657 skb = create_monitor_event(hdev, HCI_DEV_OPEN); 658 if (!skb) 659 continue; 660 661 if (sock_queue_rcv_skb(sk, skb)) 662 kfree_skb(skb); 663 664 if (test_bit(HCI_UP, &hdev->flags)) 665 skb = create_monitor_event(hdev, HCI_DEV_UP); 666 else if (hci_dev_test_flag(hdev, HCI_SETUP)) 667 skb = create_monitor_event(hdev, HCI_DEV_SETUP); 668 else 669 skb = NULL; 670 671 if (skb) { 672 if (sock_queue_rcv_skb(sk, skb)) 673 kfree_skb(skb); 674 } 675 } 676 677 read_unlock(&hci_dev_list_lock); 678 } 679 680 static void send_monitor_control_replay(struct sock *mon_sk) 681 { 682 struct sock *sk; 683 684 read_lock(&hci_sk_list.lock); 685 686 sk_for_each(sk, &hci_sk_list.head) { 687 struct sk_buff *skb; 688 689 skb = create_monitor_ctrl_open(sk); 690 if (!skb) 691 continue; 692 693 if (sock_queue_rcv_skb(mon_sk, skb)) 694 kfree_skb(skb); 695 } 696 697 read_unlock(&hci_sk_list.lock); 698 } 699 700 /* Generate internal stack event */ 701 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data) 702 { 703 struct hci_event_hdr *hdr; 704 struct hci_ev_stack_internal *ev; 705 struct sk_buff *skb; 706 707 skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC); 708 if (!skb) 709 return; 710 711 hdr = skb_put(skb, HCI_EVENT_HDR_SIZE); 712 hdr->evt = HCI_EV_STACK_INTERNAL; 713 hdr->plen = sizeof(*ev) + dlen; 714 715 ev = skb_put(skb, sizeof(*ev) + dlen); 716 ev->type = type; 717 memcpy(ev->data, data, dlen); 718 719 bt_cb(skb)->incoming = 1; 720 __net_timestamp(skb); 721 722 hci_skb_pkt_type(skb) = HCI_EVENT_PKT; 723 hci_send_to_sock(hdev, skb); 724 kfree_skb(skb); 725 } 726 727 void hci_sock_dev_event(struct hci_dev *hdev, int event) 728 { 729 BT_DBG("hdev %s event %d", hdev->name, event); 730 731 if (atomic_read(&monitor_promisc)) { 732 struct sk_buff *skb; 733 734 /* Send event to monitor */ 735 skb = create_monitor_event(hdev, event); 736 if (skb) { 737 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 738 HCI_SOCK_TRUSTED, NULL); 739 kfree_skb(skb); 740 } 741 } 742 743 if (event <= HCI_DEV_DOWN) { 744 struct hci_ev_si_device ev; 745 746 /* Send event to sockets */ 747 ev.event = event; 748 ev.dev_id = hdev->id; 749 hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev); 750 } 751 752 if (event == HCI_DEV_UNREG) { 753 struct sock *sk; 754 755 /* Detach sockets from device */ 756 read_lock(&hci_sk_list.lock); 757 sk_for_each(sk, &hci_sk_list.head) { 758 bh_lock_sock_nested(sk); 759 if (hci_pi(sk)->hdev == hdev) { 760 hci_pi(sk)->hdev = NULL; 761 sk->sk_err = EPIPE; 762 sk->sk_state = BT_OPEN; 763 sk->sk_state_change(sk); 764 765 hci_dev_put(hdev); 766 } 767 bh_unlock_sock(sk); 768 } 769 read_unlock(&hci_sk_list.lock); 770 } 771 } 772 773 static struct hci_mgmt_chan *__hci_mgmt_chan_find(unsigned short channel) 774 { 775 struct hci_mgmt_chan *c; 776 777 list_for_each_entry(c, &mgmt_chan_list, list) { 778 if (c->channel == channel) 779 return c; 780 } 781 782 return NULL; 783 } 784 785 static struct hci_mgmt_chan *hci_mgmt_chan_find(unsigned short channel) 786 { 787 struct hci_mgmt_chan *c; 788 789 mutex_lock(&mgmt_chan_list_lock); 790 c = __hci_mgmt_chan_find(channel); 791 mutex_unlock(&mgmt_chan_list_lock); 792 793 return c; 794 } 795 796 int hci_mgmt_chan_register(struct hci_mgmt_chan *c) 797 { 798 if (c->channel < HCI_CHANNEL_CONTROL) 799 return -EINVAL; 800 801 mutex_lock(&mgmt_chan_list_lock); 802 if (__hci_mgmt_chan_find(c->channel)) { 803 mutex_unlock(&mgmt_chan_list_lock); 804 return -EALREADY; 805 } 806 807 list_add_tail(&c->list, &mgmt_chan_list); 808 809 mutex_unlock(&mgmt_chan_list_lock); 810 811 return 0; 812 } 813 EXPORT_SYMBOL(hci_mgmt_chan_register); 814 815 void hci_mgmt_chan_unregister(struct hci_mgmt_chan *c) 816 { 817 mutex_lock(&mgmt_chan_list_lock); 818 list_del(&c->list); 819 mutex_unlock(&mgmt_chan_list_lock); 820 } 821 EXPORT_SYMBOL(hci_mgmt_chan_unregister); 822 823 static int hci_sock_release(struct socket *sock) 824 { 825 struct sock *sk = sock->sk; 826 struct hci_dev *hdev; 827 struct sk_buff *skb; 828 829 BT_DBG("sock %p sk %p", sock, sk); 830 831 if (!sk) 832 return 0; 833 834 switch (hci_pi(sk)->channel) { 835 case HCI_CHANNEL_MONITOR: 836 atomic_dec(&monitor_promisc); 837 break; 838 case HCI_CHANNEL_RAW: 839 case HCI_CHANNEL_USER: 840 case HCI_CHANNEL_CONTROL: 841 /* Send event to monitor */ 842 skb = create_monitor_ctrl_close(sk); 843 if (skb) { 844 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 845 HCI_SOCK_TRUSTED, NULL); 846 kfree_skb(skb); 847 } 848 849 hci_sock_free_cookie(sk); 850 break; 851 } 852 853 bt_sock_unlink(&hci_sk_list, sk); 854 855 hdev = hci_pi(sk)->hdev; 856 if (hdev) { 857 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { 858 /* When releasing a user channel exclusive access, 859 * call hci_dev_do_close directly instead of calling 860 * hci_dev_close to ensure the exclusive access will 861 * be released and the controller brought back down. 862 * 863 * The checking of HCI_AUTO_OFF is not needed in this 864 * case since it will have been cleared already when 865 * opening the user channel. 866 */ 867 hci_dev_do_close(hdev); 868 hci_dev_clear_flag(hdev, HCI_USER_CHANNEL); 869 mgmt_index_added(hdev); 870 } 871 872 atomic_dec(&hdev->promisc); 873 hci_dev_put(hdev); 874 } 875 876 sock_orphan(sk); 877 878 skb_queue_purge(&sk->sk_receive_queue); 879 skb_queue_purge(&sk->sk_write_queue); 880 881 sock_put(sk); 882 return 0; 883 } 884 885 static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg) 886 { 887 bdaddr_t bdaddr; 888 int err; 889 890 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 891 return -EFAULT; 892 893 hci_dev_lock(hdev); 894 895 err = hci_bdaddr_list_add(&hdev->blacklist, &bdaddr, BDADDR_BREDR); 896 897 hci_dev_unlock(hdev); 898 899 return err; 900 } 901 902 static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg) 903 { 904 bdaddr_t bdaddr; 905 int err; 906 907 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 908 return -EFAULT; 909 910 hci_dev_lock(hdev); 911 912 err = hci_bdaddr_list_del(&hdev->blacklist, &bdaddr, BDADDR_BREDR); 913 914 hci_dev_unlock(hdev); 915 916 return err; 917 } 918 919 /* Ioctls that require bound socket */ 920 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, 921 unsigned long arg) 922 { 923 struct hci_dev *hdev = hci_pi(sk)->hdev; 924 925 if (!hdev) 926 return -EBADFD; 927 928 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) 929 return -EBUSY; 930 931 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) 932 return -EOPNOTSUPP; 933 934 if (hdev->dev_type != HCI_PRIMARY) 935 return -EOPNOTSUPP; 936 937 switch (cmd) { 938 case HCISETRAW: 939 if (!capable(CAP_NET_ADMIN)) 940 return -EPERM; 941 return -EOPNOTSUPP; 942 943 case HCIGETCONNINFO: 944 return hci_get_conn_info(hdev, (void __user *)arg); 945 946 case HCIGETAUTHINFO: 947 return hci_get_auth_info(hdev, (void __user *)arg); 948 949 case HCIBLOCKADDR: 950 if (!capable(CAP_NET_ADMIN)) 951 return -EPERM; 952 return hci_sock_blacklist_add(hdev, (void __user *)arg); 953 954 case HCIUNBLOCKADDR: 955 if (!capable(CAP_NET_ADMIN)) 956 return -EPERM; 957 return hci_sock_blacklist_del(hdev, (void __user *)arg); 958 } 959 960 return -ENOIOCTLCMD; 961 } 962 963 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd, 964 unsigned long arg) 965 { 966 void __user *argp = (void __user *)arg; 967 struct sock *sk = sock->sk; 968 int err; 969 970 BT_DBG("cmd %x arg %lx", cmd, arg); 971 972 lock_sock(sk); 973 974 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { 975 err = -EBADFD; 976 goto done; 977 } 978 979 /* When calling an ioctl on an unbound raw socket, then ensure 980 * that the monitor gets informed. Ensure that the resulting event 981 * is only send once by checking if the cookie exists or not. The 982 * socket cookie will be only ever generated once for the lifetime 983 * of a given socket. 984 */ 985 if (hci_sock_gen_cookie(sk)) { 986 struct sk_buff *skb; 987 988 if (capable(CAP_NET_ADMIN)) 989 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); 990 991 /* Send event to monitor */ 992 skb = create_monitor_ctrl_open(sk); 993 if (skb) { 994 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 995 HCI_SOCK_TRUSTED, NULL); 996 kfree_skb(skb); 997 } 998 } 999 1000 release_sock(sk); 1001 1002 switch (cmd) { 1003 case HCIGETDEVLIST: 1004 return hci_get_dev_list(argp); 1005 1006 case HCIGETDEVINFO: 1007 return hci_get_dev_info(argp); 1008 1009 case HCIGETCONNLIST: 1010 return hci_get_conn_list(argp); 1011 1012 case HCIDEVUP: 1013 if (!capable(CAP_NET_ADMIN)) 1014 return -EPERM; 1015 return hci_dev_open(arg); 1016 1017 case HCIDEVDOWN: 1018 if (!capable(CAP_NET_ADMIN)) 1019 return -EPERM; 1020 return hci_dev_close(arg); 1021 1022 case HCIDEVRESET: 1023 if (!capable(CAP_NET_ADMIN)) 1024 return -EPERM; 1025 return hci_dev_reset(arg); 1026 1027 case HCIDEVRESTAT: 1028 if (!capable(CAP_NET_ADMIN)) 1029 return -EPERM; 1030 return hci_dev_reset_stat(arg); 1031 1032 case HCISETSCAN: 1033 case HCISETAUTH: 1034 case HCISETENCRYPT: 1035 case HCISETPTYPE: 1036 case HCISETLINKPOL: 1037 case HCISETLINKMODE: 1038 case HCISETACLMTU: 1039 case HCISETSCOMTU: 1040 if (!capable(CAP_NET_ADMIN)) 1041 return -EPERM; 1042 return hci_dev_cmd(cmd, argp); 1043 1044 case HCIINQUIRY: 1045 return hci_inquiry(argp); 1046 } 1047 1048 lock_sock(sk); 1049 1050 err = hci_sock_bound_ioctl(sk, cmd, arg); 1051 1052 done: 1053 release_sock(sk); 1054 return err; 1055 } 1056 1057 #ifdef CONFIG_COMPAT 1058 static int hci_sock_compat_ioctl(struct socket *sock, unsigned int cmd, 1059 unsigned long arg) 1060 { 1061 switch (cmd) { 1062 case HCIDEVUP: 1063 case HCIDEVDOWN: 1064 case HCIDEVRESET: 1065 case HCIDEVRESTAT: 1066 return hci_sock_ioctl(sock, cmd, arg); 1067 } 1068 1069 return hci_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg)); 1070 } 1071 #endif 1072 1073 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr, 1074 int addr_len) 1075 { 1076 struct sockaddr_hci haddr; 1077 struct sock *sk = sock->sk; 1078 struct hci_dev *hdev = NULL; 1079 struct sk_buff *skb; 1080 int len, err = 0; 1081 1082 BT_DBG("sock %p sk %p", sock, sk); 1083 1084 if (!addr) 1085 return -EINVAL; 1086 1087 memset(&haddr, 0, sizeof(haddr)); 1088 len = min_t(unsigned int, sizeof(haddr), addr_len); 1089 memcpy(&haddr, addr, len); 1090 1091 if (haddr.hci_family != AF_BLUETOOTH) 1092 return -EINVAL; 1093 1094 lock_sock(sk); 1095 1096 if (sk->sk_state == BT_BOUND) { 1097 err = -EALREADY; 1098 goto done; 1099 } 1100 1101 switch (haddr.hci_channel) { 1102 case HCI_CHANNEL_RAW: 1103 if (hci_pi(sk)->hdev) { 1104 err = -EALREADY; 1105 goto done; 1106 } 1107 1108 if (haddr.hci_dev != HCI_DEV_NONE) { 1109 hdev = hci_dev_get(haddr.hci_dev); 1110 if (!hdev) { 1111 err = -ENODEV; 1112 goto done; 1113 } 1114 1115 atomic_inc(&hdev->promisc); 1116 } 1117 1118 hci_pi(sk)->channel = haddr.hci_channel; 1119 1120 if (!hci_sock_gen_cookie(sk)) { 1121 /* In the case when a cookie has already been assigned, 1122 * then there has been already an ioctl issued against 1123 * an unbound socket and with that triggerd an open 1124 * notification. Send a close notification first to 1125 * allow the state transition to bounded. 1126 */ 1127 skb = create_monitor_ctrl_close(sk); 1128 if (skb) { 1129 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1130 HCI_SOCK_TRUSTED, NULL); 1131 kfree_skb(skb); 1132 } 1133 } 1134 1135 if (capable(CAP_NET_ADMIN)) 1136 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); 1137 1138 hci_pi(sk)->hdev = hdev; 1139 1140 /* Send event to monitor */ 1141 skb = create_monitor_ctrl_open(sk); 1142 if (skb) { 1143 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1144 HCI_SOCK_TRUSTED, NULL); 1145 kfree_skb(skb); 1146 } 1147 break; 1148 1149 case HCI_CHANNEL_USER: 1150 if (hci_pi(sk)->hdev) { 1151 err = -EALREADY; 1152 goto done; 1153 } 1154 1155 if (haddr.hci_dev == HCI_DEV_NONE) { 1156 err = -EINVAL; 1157 goto done; 1158 } 1159 1160 if (!capable(CAP_NET_ADMIN)) { 1161 err = -EPERM; 1162 goto done; 1163 } 1164 1165 hdev = hci_dev_get(haddr.hci_dev); 1166 if (!hdev) { 1167 err = -ENODEV; 1168 goto done; 1169 } 1170 1171 if (test_bit(HCI_INIT, &hdev->flags) || 1172 hci_dev_test_flag(hdev, HCI_SETUP) || 1173 hci_dev_test_flag(hdev, HCI_CONFIG) || 1174 (!hci_dev_test_flag(hdev, HCI_AUTO_OFF) && 1175 test_bit(HCI_UP, &hdev->flags))) { 1176 err = -EBUSY; 1177 hci_dev_put(hdev); 1178 goto done; 1179 } 1180 1181 if (hci_dev_test_and_set_flag(hdev, HCI_USER_CHANNEL)) { 1182 err = -EUSERS; 1183 hci_dev_put(hdev); 1184 goto done; 1185 } 1186 1187 mgmt_index_removed(hdev); 1188 1189 err = hci_dev_open(hdev->id); 1190 if (err) { 1191 if (err == -EALREADY) { 1192 /* In case the transport is already up and 1193 * running, clear the error here. 1194 * 1195 * This can happen when opening a user 1196 * channel and HCI_AUTO_OFF grace period 1197 * is still active. 1198 */ 1199 err = 0; 1200 } else { 1201 hci_dev_clear_flag(hdev, HCI_USER_CHANNEL); 1202 mgmt_index_added(hdev); 1203 hci_dev_put(hdev); 1204 goto done; 1205 } 1206 } 1207 1208 hci_pi(sk)->channel = haddr.hci_channel; 1209 1210 if (!hci_sock_gen_cookie(sk)) { 1211 /* In the case when a cookie has already been assigned, 1212 * this socket will transition from a raw socket into 1213 * a user channel socket. For a clean transition, send 1214 * the close notification first. 1215 */ 1216 skb = create_monitor_ctrl_close(sk); 1217 if (skb) { 1218 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1219 HCI_SOCK_TRUSTED, NULL); 1220 kfree_skb(skb); 1221 } 1222 } 1223 1224 /* The user channel is restricted to CAP_NET_ADMIN 1225 * capabilities and with that implicitly trusted. 1226 */ 1227 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); 1228 1229 hci_pi(sk)->hdev = hdev; 1230 1231 /* Send event to monitor */ 1232 skb = create_monitor_ctrl_open(sk); 1233 if (skb) { 1234 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1235 HCI_SOCK_TRUSTED, NULL); 1236 kfree_skb(skb); 1237 } 1238 1239 atomic_inc(&hdev->promisc); 1240 break; 1241 1242 case HCI_CHANNEL_MONITOR: 1243 if (haddr.hci_dev != HCI_DEV_NONE) { 1244 err = -EINVAL; 1245 goto done; 1246 } 1247 1248 if (!capable(CAP_NET_RAW)) { 1249 err = -EPERM; 1250 goto done; 1251 } 1252 1253 hci_pi(sk)->channel = haddr.hci_channel; 1254 1255 /* The monitor interface is restricted to CAP_NET_RAW 1256 * capabilities and with that implicitly trusted. 1257 */ 1258 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); 1259 1260 send_monitor_note(sk, "Linux version %s (%s)", 1261 init_utsname()->release, 1262 init_utsname()->machine); 1263 send_monitor_note(sk, "Bluetooth subsystem version %u.%u", 1264 BT_SUBSYS_VERSION, BT_SUBSYS_REVISION); 1265 send_monitor_replay(sk); 1266 send_monitor_control_replay(sk); 1267 1268 atomic_inc(&monitor_promisc); 1269 break; 1270 1271 case HCI_CHANNEL_LOGGING: 1272 if (haddr.hci_dev != HCI_DEV_NONE) { 1273 err = -EINVAL; 1274 goto done; 1275 } 1276 1277 if (!capable(CAP_NET_ADMIN)) { 1278 err = -EPERM; 1279 goto done; 1280 } 1281 1282 hci_pi(sk)->channel = haddr.hci_channel; 1283 break; 1284 1285 default: 1286 if (!hci_mgmt_chan_find(haddr.hci_channel)) { 1287 err = -EINVAL; 1288 goto done; 1289 } 1290 1291 if (haddr.hci_dev != HCI_DEV_NONE) { 1292 err = -EINVAL; 1293 goto done; 1294 } 1295 1296 /* Users with CAP_NET_ADMIN capabilities are allowed 1297 * access to all management commands and events. For 1298 * untrusted users the interface is restricted and 1299 * also only untrusted events are sent. 1300 */ 1301 if (capable(CAP_NET_ADMIN)) 1302 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); 1303 1304 hci_pi(sk)->channel = haddr.hci_channel; 1305 1306 /* At the moment the index and unconfigured index events 1307 * are enabled unconditionally. Setting them on each 1308 * socket when binding keeps this functionality. They 1309 * however might be cleared later and then sending of these 1310 * events will be disabled, but that is then intentional. 1311 * 1312 * This also enables generic events that are safe to be 1313 * received by untrusted users. Example for such events 1314 * are changes to settings, class of device, name etc. 1315 */ 1316 if (hci_pi(sk)->channel == HCI_CHANNEL_CONTROL) { 1317 if (!hci_sock_gen_cookie(sk)) { 1318 /* In the case when a cookie has already been 1319 * assigned, this socket will transtion from 1320 * a raw socket into a control socket. To 1321 * allow for a clean transtion, send the 1322 * close notification first. 1323 */ 1324 skb = create_monitor_ctrl_close(sk); 1325 if (skb) { 1326 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1327 HCI_SOCK_TRUSTED, NULL); 1328 kfree_skb(skb); 1329 } 1330 } 1331 1332 /* Send event to monitor */ 1333 skb = create_monitor_ctrl_open(sk); 1334 if (skb) { 1335 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1336 HCI_SOCK_TRUSTED, NULL); 1337 kfree_skb(skb); 1338 } 1339 1340 hci_sock_set_flag(sk, HCI_MGMT_INDEX_EVENTS); 1341 hci_sock_set_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS); 1342 hci_sock_set_flag(sk, HCI_MGMT_OPTION_EVENTS); 1343 hci_sock_set_flag(sk, HCI_MGMT_SETTING_EVENTS); 1344 hci_sock_set_flag(sk, HCI_MGMT_DEV_CLASS_EVENTS); 1345 hci_sock_set_flag(sk, HCI_MGMT_LOCAL_NAME_EVENTS); 1346 } 1347 break; 1348 } 1349 1350 sk->sk_state = BT_BOUND; 1351 1352 done: 1353 release_sock(sk); 1354 return err; 1355 } 1356 1357 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr, 1358 int peer) 1359 { 1360 struct sockaddr_hci *haddr = (struct sockaddr_hci *)addr; 1361 struct sock *sk = sock->sk; 1362 struct hci_dev *hdev; 1363 int err = 0; 1364 1365 BT_DBG("sock %p sk %p", sock, sk); 1366 1367 if (peer) 1368 return -EOPNOTSUPP; 1369 1370 lock_sock(sk); 1371 1372 hdev = hci_pi(sk)->hdev; 1373 if (!hdev) { 1374 err = -EBADFD; 1375 goto done; 1376 } 1377 1378 haddr->hci_family = AF_BLUETOOTH; 1379 haddr->hci_dev = hdev->id; 1380 haddr->hci_channel= hci_pi(sk)->channel; 1381 err = sizeof(*haddr); 1382 1383 done: 1384 release_sock(sk); 1385 return err; 1386 } 1387 1388 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg, 1389 struct sk_buff *skb) 1390 { 1391 __u32 mask = hci_pi(sk)->cmsg_mask; 1392 1393 if (mask & HCI_CMSG_DIR) { 1394 int incoming = bt_cb(skb)->incoming; 1395 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming), 1396 &incoming); 1397 } 1398 1399 if (mask & HCI_CMSG_TSTAMP) { 1400 #ifdef CONFIG_COMPAT 1401 struct old_timeval32 ctv; 1402 #endif 1403 struct __kernel_old_timeval tv; 1404 void *data; 1405 int len; 1406 1407 skb_get_timestamp(skb, &tv); 1408 1409 data = &tv; 1410 len = sizeof(tv); 1411 #ifdef CONFIG_COMPAT 1412 if (!COMPAT_USE_64BIT_TIME && 1413 (msg->msg_flags & MSG_CMSG_COMPAT)) { 1414 ctv.tv_sec = tv.tv_sec; 1415 ctv.tv_usec = tv.tv_usec; 1416 data = &ctv; 1417 len = sizeof(ctv); 1418 } 1419 #endif 1420 1421 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data); 1422 } 1423 } 1424 1425 static int hci_sock_recvmsg(struct socket *sock, struct msghdr *msg, 1426 size_t len, int flags) 1427 { 1428 int noblock = flags & MSG_DONTWAIT; 1429 struct sock *sk = sock->sk; 1430 struct sk_buff *skb; 1431 int copied, err; 1432 unsigned int skblen; 1433 1434 BT_DBG("sock %p, sk %p", sock, sk); 1435 1436 if (flags & MSG_OOB) 1437 return -EOPNOTSUPP; 1438 1439 if (hci_pi(sk)->channel == HCI_CHANNEL_LOGGING) 1440 return -EOPNOTSUPP; 1441 1442 if (sk->sk_state == BT_CLOSED) 1443 return 0; 1444 1445 skb = skb_recv_datagram(sk, flags, noblock, &err); 1446 if (!skb) 1447 return err; 1448 1449 skblen = skb->len; 1450 copied = skb->len; 1451 if (len < copied) { 1452 msg->msg_flags |= MSG_TRUNC; 1453 copied = len; 1454 } 1455 1456 skb_reset_transport_header(skb); 1457 err = skb_copy_datagram_msg(skb, 0, msg, copied); 1458 1459 switch (hci_pi(sk)->channel) { 1460 case HCI_CHANNEL_RAW: 1461 hci_sock_cmsg(sk, msg, skb); 1462 break; 1463 case HCI_CHANNEL_USER: 1464 case HCI_CHANNEL_MONITOR: 1465 sock_recv_timestamp(msg, sk, skb); 1466 break; 1467 default: 1468 if (hci_mgmt_chan_find(hci_pi(sk)->channel)) 1469 sock_recv_timestamp(msg, sk, skb); 1470 break; 1471 } 1472 1473 skb_free_datagram(sk, skb); 1474 1475 if (flags & MSG_TRUNC) 1476 copied = skblen; 1477 1478 return err ? : copied; 1479 } 1480 1481 static int hci_mgmt_cmd(struct hci_mgmt_chan *chan, struct sock *sk, 1482 struct msghdr *msg, size_t msglen) 1483 { 1484 void *buf; 1485 u8 *cp; 1486 struct mgmt_hdr *hdr; 1487 u16 opcode, index, len; 1488 struct hci_dev *hdev = NULL; 1489 const struct hci_mgmt_handler *handler; 1490 bool var_len, no_hdev; 1491 int err; 1492 1493 BT_DBG("got %zu bytes", msglen); 1494 1495 if (msglen < sizeof(*hdr)) 1496 return -EINVAL; 1497 1498 buf = kmalloc(msglen, GFP_KERNEL); 1499 if (!buf) 1500 return -ENOMEM; 1501 1502 if (memcpy_from_msg(buf, msg, msglen)) { 1503 err = -EFAULT; 1504 goto done; 1505 } 1506 1507 hdr = buf; 1508 opcode = __le16_to_cpu(hdr->opcode); 1509 index = __le16_to_cpu(hdr->index); 1510 len = __le16_to_cpu(hdr->len); 1511 1512 if (len != msglen - sizeof(*hdr)) { 1513 err = -EINVAL; 1514 goto done; 1515 } 1516 1517 if (chan->channel == HCI_CHANNEL_CONTROL) { 1518 struct sk_buff *skb; 1519 1520 /* Send event to monitor */ 1521 skb = create_monitor_ctrl_command(sk, index, opcode, len, 1522 buf + sizeof(*hdr)); 1523 if (skb) { 1524 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1525 HCI_SOCK_TRUSTED, NULL); 1526 kfree_skb(skb); 1527 } 1528 } 1529 1530 if (opcode >= chan->handler_count || 1531 chan->handlers[opcode].func == NULL) { 1532 BT_DBG("Unknown op %u", opcode); 1533 err = mgmt_cmd_status(sk, index, opcode, 1534 MGMT_STATUS_UNKNOWN_COMMAND); 1535 goto done; 1536 } 1537 1538 handler = &chan->handlers[opcode]; 1539 1540 if (!hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) && 1541 !(handler->flags & HCI_MGMT_UNTRUSTED)) { 1542 err = mgmt_cmd_status(sk, index, opcode, 1543 MGMT_STATUS_PERMISSION_DENIED); 1544 goto done; 1545 } 1546 1547 if (index != MGMT_INDEX_NONE) { 1548 hdev = hci_dev_get(index); 1549 if (!hdev) { 1550 err = mgmt_cmd_status(sk, index, opcode, 1551 MGMT_STATUS_INVALID_INDEX); 1552 goto done; 1553 } 1554 1555 if (hci_dev_test_flag(hdev, HCI_SETUP) || 1556 hci_dev_test_flag(hdev, HCI_CONFIG) || 1557 hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) { 1558 err = mgmt_cmd_status(sk, index, opcode, 1559 MGMT_STATUS_INVALID_INDEX); 1560 goto done; 1561 } 1562 1563 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) && 1564 !(handler->flags & HCI_MGMT_UNCONFIGURED)) { 1565 err = mgmt_cmd_status(sk, index, opcode, 1566 MGMT_STATUS_INVALID_INDEX); 1567 goto done; 1568 } 1569 } 1570 1571 no_hdev = (handler->flags & HCI_MGMT_NO_HDEV); 1572 if (no_hdev != !hdev) { 1573 err = mgmt_cmd_status(sk, index, opcode, 1574 MGMT_STATUS_INVALID_INDEX); 1575 goto done; 1576 } 1577 1578 var_len = (handler->flags & HCI_MGMT_VAR_LEN); 1579 if ((var_len && len < handler->data_len) || 1580 (!var_len && len != handler->data_len)) { 1581 err = mgmt_cmd_status(sk, index, opcode, 1582 MGMT_STATUS_INVALID_PARAMS); 1583 goto done; 1584 } 1585 1586 if (hdev && chan->hdev_init) 1587 chan->hdev_init(sk, hdev); 1588 1589 cp = buf + sizeof(*hdr); 1590 1591 err = handler->func(sk, hdev, cp, len); 1592 if (err < 0) 1593 goto done; 1594 1595 err = msglen; 1596 1597 done: 1598 if (hdev) 1599 hci_dev_put(hdev); 1600 1601 kfree(buf); 1602 return err; 1603 } 1604 1605 static int hci_logging_frame(struct sock *sk, struct msghdr *msg, int len) 1606 { 1607 struct hci_mon_hdr *hdr; 1608 struct sk_buff *skb; 1609 struct hci_dev *hdev; 1610 u16 index; 1611 int err; 1612 1613 /* The logging frame consists at minimum of the standard header, 1614 * the priority byte, the ident length byte and at least one string 1615 * terminator NUL byte. Anything shorter are invalid packets. 1616 */ 1617 if (len < sizeof(*hdr) + 3) 1618 return -EINVAL; 1619 1620 skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err); 1621 if (!skb) 1622 return err; 1623 1624 if (memcpy_from_msg(skb_put(skb, len), msg, len)) { 1625 err = -EFAULT; 1626 goto drop; 1627 } 1628 1629 hdr = (void *)skb->data; 1630 1631 if (__le16_to_cpu(hdr->len) != len - sizeof(*hdr)) { 1632 err = -EINVAL; 1633 goto drop; 1634 } 1635 1636 if (__le16_to_cpu(hdr->opcode) == 0x0000) { 1637 __u8 priority = skb->data[sizeof(*hdr)]; 1638 __u8 ident_len = skb->data[sizeof(*hdr) + 1]; 1639 1640 /* Only the priorities 0-7 are valid and with that any other 1641 * value results in an invalid packet. 1642 * 1643 * The priority byte is followed by an ident length byte and 1644 * the NUL terminated ident string. Check that the ident 1645 * length is not overflowing the packet and also that the 1646 * ident string itself is NUL terminated. In case the ident 1647 * length is zero, the length value actually doubles as NUL 1648 * terminator identifier. 1649 * 1650 * The message follows the ident string (if present) and 1651 * must be NUL terminated. Otherwise it is not a valid packet. 1652 */ 1653 if (priority > 7 || skb->data[len - 1] != 0x00 || 1654 ident_len > len - sizeof(*hdr) - 3 || 1655 skb->data[sizeof(*hdr) + ident_len + 1] != 0x00) { 1656 err = -EINVAL; 1657 goto drop; 1658 } 1659 } else { 1660 err = -EINVAL; 1661 goto drop; 1662 } 1663 1664 index = __le16_to_cpu(hdr->index); 1665 1666 if (index != MGMT_INDEX_NONE) { 1667 hdev = hci_dev_get(index); 1668 if (!hdev) { 1669 err = -ENODEV; 1670 goto drop; 1671 } 1672 } else { 1673 hdev = NULL; 1674 } 1675 1676 hdr->opcode = cpu_to_le16(HCI_MON_USER_LOGGING); 1677 1678 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, HCI_SOCK_TRUSTED, NULL); 1679 err = len; 1680 1681 if (hdev) 1682 hci_dev_put(hdev); 1683 1684 drop: 1685 kfree_skb(skb); 1686 return err; 1687 } 1688 1689 static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg, 1690 size_t len) 1691 { 1692 struct sock *sk = sock->sk; 1693 struct hci_mgmt_chan *chan; 1694 struct hci_dev *hdev; 1695 struct sk_buff *skb; 1696 int err; 1697 1698 BT_DBG("sock %p sk %p", sock, sk); 1699 1700 if (msg->msg_flags & MSG_OOB) 1701 return -EOPNOTSUPP; 1702 1703 if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE| 1704 MSG_CMSG_COMPAT)) 1705 return -EINVAL; 1706 1707 if (len < 4 || len > HCI_MAX_FRAME_SIZE) 1708 return -EINVAL; 1709 1710 lock_sock(sk); 1711 1712 switch (hci_pi(sk)->channel) { 1713 case HCI_CHANNEL_RAW: 1714 case HCI_CHANNEL_USER: 1715 break; 1716 case HCI_CHANNEL_MONITOR: 1717 err = -EOPNOTSUPP; 1718 goto done; 1719 case HCI_CHANNEL_LOGGING: 1720 err = hci_logging_frame(sk, msg, len); 1721 goto done; 1722 default: 1723 mutex_lock(&mgmt_chan_list_lock); 1724 chan = __hci_mgmt_chan_find(hci_pi(sk)->channel); 1725 if (chan) 1726 err = hci_mgmt_cmd(chan, sk, msg, len); 1727 else 1728 err = -EINVAL; 1729 1730 mutex_unlock(&mgmt_chan_list_lock); 1731 goto done; 1732 } 1733 1734 hdev = hci_pi(sk)->hdev; 1735 if (!hdev) { 1736 err = -EBADFD; 1737 goto done; 1738 } 1739 1740 if (!test_bit(HCI_UP, &hdev->flags)) { 1741 err = -ENETDOWN; 1742 goto done; 1743 } 1744 1745 skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err); 1746 if (!skb) 1747 goto done; 1748 1749 if (memcpy_from_msg(skb_put(skb, len), msg, len)) { 1750 err = -EFAULT; 1751 goto drop; 1752 } 1753 1754 hci_skb_pkt_type(skb) = skb->data[0]; 1755 skb_pull(skb, 1); 1756 1757 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { 1758 /* No permission check is needed for user channel 1759 * since that gets enforced when binding the socket. 1760 * 1761 * However check that the packet type is valid. 1762 */ 1763 if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT && 1764 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT && 1765 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT) { 1766 err = -EINVAL; 1767 goto drop; 1768 } 1769 1770 skb_queue_tail(&hdev->raw_q, skb); 1771 queue_work(hdev->workqueue, &hdev->tx_work); 1772 } else if (hci_skb_pkt_type(skb) == HCI_COMMAND_PKT) { 1773 u16 opcode = get_unaligned_le16(skb->data); 1774 u16 ogf = hci_opcode_ogf(opcode); 1775 u16 ocf = hci_opcode_ocf(opcode); 1776 1777 if (((ogf > HCI_SFLT_MAX_OGF) || 1778 !hci_test_bit(ocf & HCI_FLT_OCF_BITS, 1779 &hci_sec_filter.ocf_mask[ogf])) && 1780 !capable(CAP_NET_RAW)) { 1781 err = -EPERM; 1782 goto drop; 1783 } 1784 1785 /* Since the opcode has already been extracted here, store 1786 * a copy of the value for later use by the drivers. 1787 */ 1788 hci_skb_opcode(skb) = opcode; 1789 1790 if (ogf == 0x3f) { 1791 skb_queue_tail(&hdev->raw_q, skb); 1792 queue_work(hdev->workqueue, &hdev->tx_work); 1793 } else { 1794 /* Stand-alone HCI commands must be flagged as 1795 * single-command requests. 1796 */ 1797 bt_cb(skb)->hci.req_flags |= HCI_REQ_START; 1798 1799 skb_queue_tail(&hdev->cmd_q, skb); 1800 queue_work(hdev->workqueue, &hdev->cmd_work); 1801 } 1802 } else { 1803 if (!capable(CAP_NET_RAW)) { 1804 err = -EPERM; 1805 goto drop; 1806 } 1807 1808 if (hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT && 1809 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT) { 1810 err = -EINVAL; 1811 goto drop; 1812 } 1813 1814 skb_queue_tail(&hdev->raw_q, skb); 1815 queue_work(hdev->workqueue, &hdev->tx_work); 1816 } 1817 1818 err = len; 1819 1820 done: 1821 release_sock(sk); 1822 return err; 1823 1824 drop: 1825 kfree_skb(skb); 1826 goto done; 1827 } 1828 1829 static int hci_sock_setsockopt(struct socket *sock, int level, int optname, 1830 char __user *optval, unsigned int len) 1831 { 1832 struct hci_ufilter uf = { .opcode = 0 }; 1833 struct sock *sk = sock->sk; 1834 int err = 0, opt = 0; 1835 1836 BT_DBG("sk %p, opt %d", sk, optname); 1837 1838 if (level != SOL_HCI) 1839 return -ENOPROTOOPT; 1840 1841 lock_sock(sk); 1842 1843 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { 1844 err = -EBADFD; 1845 goto done; 1846 } 1847 1848 switch (optname) { 1849 case HCI_DATA_DIR: 1850 if (get_user(opt, (int __user *)optval)) { 1851 err = -EFAULT; 1852 break; 1853 } 1854 1855 if (opt) 1856 hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR; 1857 else 1858 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR; 1859 break; 1860 1861 case HCI_TIME_STAMP: 1862 if (get_user(opt, (int __user *)optval)) { 1863 err = -EFAULT; 1864 break; 1865 } 1866 1867 if (opt) 1868 hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP; 1869 else 1870 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP; 1871 break; 1872 1873 case HCI_FILTER: 1874 { 1875 struct hci_filter *f = &hci_pi(sk)->filter; 1876 1877 uf.type_mask = f->type_mask; 1878 uf.opcode = f->opcode; 1879 uf.event_mask[0] = *((u32 *) f->event_mask + 0); 1880 uf.event_mask[1] = *((u32 *) f->event_mask + 1); 1881 } 1882 1883 len = min_t(unsigned int, len, sizeof(uf)); 1884 if (copy_from_user(&uf, optval, len)) { 1885 err = -EFAULT; 1886 break; 1887 } 1888 1889 if (!capable(CAP_NET_RAW)) { 1890 uf.type_mask &= hci_sec_filter.type_mask; 1891 uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0); 1892 uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1); 1893 } 1894 1895 { 1896 struct hci_filter *f = &hci_pi(sk)->filter; 1897 1898 f->type_mask = uf.type_mask; 1899 f->opcode = uf.opcode; 1900 *((u32 *) f->event_mask + 0) = uf.event_mask[0]; 1901 *((u32 *) f->event_mask + 1) = uf.event_mask[1]; 1902 } 1903 break; 1904 1905 default: 1906 err = -ENOPROTOOPT; 1907 break; 1908 } 1909 1910 done: 1911 release_sock(sk); 1912 return err; 1913 } 1914 1915 static int hci_sock_getsockopt(struct socket *sock, int level, int optname, 1916 char __user *optval, int __user *optlen) 1917 { 1918 struct hci_ufilter uf; 1919 struct sock *sk = sock->sk; 1920 int len, opt, err = 0; 1921 1922 BT_DBG("sk %p, opt %d", sk, optname); 1923 1924 if (level != SOL_HCI) 1925 return -ENOPROTOOPT; 1926 1927 if (get_user(len, optlen)) 1928 return -EFAULT; 1929 1930 lock_sock(sk); 1931 1932 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { 1933 err = -EBADFD; 1934 goto done; 1935 } 1936 1937 switch (optname) { 1938 case HCI_DATA_DIR: 1939 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR) 1940 opt = 1; 1941 else 1942 opt = 0; 1943 1944 if (put_user(opt, optval)) 1945 err = -EFAULT; 1946 break; 1947 1948 case HCI_TIME_STAMP: 1949 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP) 1950 opt = 1; 1951 else 1952 opt = 0; 1953 1954 if (put_user(opt, optval)) 1955 err = -EFAULT; 1956 break; 1957 1958 case HCI_FILTER: 1959 { 1960 struct hci_filter *f = &hci_pi(sk)->filter; 1961 1962 memset(&uf, 0, sizeof(uf)); 1963 uf.type_mask = f->type_mask; 1964 uf.opcode = f->opcode; 1965 uf.event_mask[0] = *((u32 *) f->event_mask + 0); 1966 uf.event_mask[1] = *((u32 *) f->event_mask + 1); 1967 } 1968 1969 len = min_t(unsigned int, len, sizeof(uf)); 1970 if (copy_to_user(optval, &uf, len)) 1971 err = -EFAULT; 1972 break; 1973 1974 default: 1975 err = -ENOPROTOOPT; 1976 break; 1977 } 1978 1979 done: 1980 release_sock(sk); 1981 return err; 1982 } 1983 1984 static const struct proto_ops hci_sock_ops = { 1985 .family = PF_BLUETOOTH, 1986 .owner = THIS_MODULE, 1987 .release = hci_sock_release, 1988 .bind = hci_sock_bind, 1989 .getname = hci_sock_getname, 1990 .sendmsg = hci_sock_sendmsg, 1991 .recvmsg = hci_sock_recvmsg, 1992 .ioctl = hci_sock_ioctl, 1993 #ifdef CONFIG_COMPAT 1994 .compat_ioctl = hci_sock_compat_ioctl, 1995 #endif 1996 .poll = datagram_poll, 1997 .listen = sock_no_listen, 1998 .shutdown = sock_no_shutdown, 1999 .setsockopt = hci_sock_setsockopt, 2000 .getsockopt = hci_sock_getsockopt, 2001 .connect = sock_no_connect, 2002 .socketpair = sock_no_socketpair, 2003 .accept = sock_no_accept, 2004 .mmap = sock_no_mmap 2005 }; 2006 2007 static struct proto hci_sk_proto = { 2008 .name = "HCI", 2009 .owner = THIS_MODULE, 2010 .obj_size = sizeof(struct hci_pinfo) 2011 }; 2012 2013 static int hci_sock_create(struct net *net, struct socket *sock, int protocol, 2014 int kern) 2015 { 2016 struct sock *sk; 2017 2018 BT_DBG("sock %p", sock); 2019 2020 if (sock->type != SOCK_RAW) 2021 return -ESOCKTNOSUPPORT; 2022 2023 sock->ops = &hci_sock_ops; 2024 2025 sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto, kern); 2026 if (!sk) 2027 return -ENOMEM; 2028 2029 sock_init_data(sock, sk); 2030 2031 sock_reset_flag(sk, SOCK_ZAPPED); 2032 2033 sk->sk_protocol = protocol; 2034 2035 sock->state = SS_UNCONNECTED; 2036 sk->sk_state = BT_OPEN; 2037 2038 bt_sock_link(&hci_sk_list, sk); 2039 return 0; 2040 } 2041 2042 static const struct net_proto_family hci_sock_family_ops = { 2043 .family = PF_BLUETOOTH, 2044 .owner = THIS_MODULE, 2045 .create = hci_sock_create, 2046 }; 2047 2048 int __init hci_sock_init(void) 2049 { 2050 int err; 2051 2052 BUILD_BUG_ON(sizeof(struct sockaddr_hci) > sizeof(struct sockaddr)); 2053 2054 err = proto_register(&hci_sk_proto, 0); 2055 if (err < 0) 2056 return err; 2057 2058 err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops); 2059 if (err < 0) { 2060 BT_ERR("HCI socket registration failed"); 2061 goto error; 2062 } 2063 2064 err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL); 2065 if (err < 0) { 2066 BT_ERR("Failed to create HCI proc file"); 2067 bt_sock_unregister(BTPROTO_HCI); 2068 goto error; 2069 } 2070 2071 BT_INFO("HCI socket layer initialized"); 2072 2073 return 0; 2074 2075 error: 2076 proto_unregister(&hci_sk_proto); 2077 return err; 2078 } 2079 2080 void hci_sock_cleanup(void) 2081 { 2082 bt_procfs_cleanup(&init_net, "hci"); 2083 bt_sock_unregister(BTPROTO_HCI); 2084 proto_unregister(&hci_sk_proto); 2085 } 2086