xref: /openbmc/linux/net/bluetooth/hci_sock.c (revision 54cbac81)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4 
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth HCI sockets. */
26 
27 #include <linux/export.h>
28 #include <asm/unaligned.h>
29 
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/hci_mon.h>
33 
34 static atomic_t monitor_promisc = ATOMIC_INIT(0);
35 
36 /* ----- HCI socket interface ----- */
37 
38 static inline int hci_test_bit(int nr, void *addr)
39 {
40 	return *((__u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31));
41 }
42 
43 /* Security filter */
44 static struct hci_sec_filter hci_sec_filter = {
45 	/* Packet types */
46 	0x10,
47 	/* Events */
48 	{ 0x1000d9fe, 0x0000b00c },
49 	/* Commands */
50 	{
51 		{ 0x0 },
52 		/* OGF_LINK_CTL */
53 		{ 0xbe000006, 0x00000001, 0x00000000, 0x00 },
54 		/* OGF_LINK_POLICY */
55 		{ 0x00005200, 0x00000000, 0x00000000, 0x00 },
56 		/* OGF_HOST_CTL */
57 		{ 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
58 		/* OGF_INFO_PARAM */
59 		{ 0x000002be, 0x00000000, 0x00000000, 0x00 },
60 		/* OGF_STATUS_PARAM */
61 		{ 0x000000ea, 0x00000000, 0x00000000, 0x00 }
62 	}
63 };
64 
65 static struct bt_sock_list hci_sk_list = {
66 	.lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
67 };
68 
69 /* Send frame to RAW socket */
70 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
71 {
72 	struct sock *sk;
73 	struct hlist_node *node;
74 	struct sk_buff *skb_copy = NULL;
75 
76 	BT_DBG("hdev %p len %d", hdev, skb->len);
77 
78 	read_lock(&hci_sk_list.lock);
79 
80 	sk_for_each(sk, node, &hci_sk_list.head) {
81 		struct hci_filter *flt;
82 		struct sk_buff *nskb;
83 
84 		if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
85 			continue;
86 
87 		/* Don't send frame to the socket it came from */
88 		if (skb->sk == sk)
89 			continue;
90 
91 		if (hci_pi(sk)->channel != HCI_CHANNEL_RAW)
92 			continue;
93 
94 		/* Apply filter */
95 		flt = &hci_pi(sk)->filter;
96 
97 		if (!test_bit((bt_cb(skb)->pkt_type == HCI_VENDOR_PKT) ?
98 			      0 : (bt_cb(skb)->pkt_type & HCI_FLT_TYPE_BITS),
99 			      &flt->type_mask))
100 			continue;
101 
102 		if (bt_cb(skb)->pkt_type == HCI_EVENT_PKT) {
103 			int evt = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);
104 
105 			if (!hci_test_bit(evt, &flt->event_mask))
106 				continue;
107 
108 			if (flt->opcode &&
109 			    ((evt == HCI_EV_CMD_COMPLETE &&
110 			      flt->opcode !=
111 			      get_unaligned((__le16 *)(skb->data + 3))) ||
112 			     (evt == HCI_EV_CMD_STATUS &&
113 			      flt->opcode !=
114 			      get_unaligned((__le16 *)(skb->data + 4)))))
115 				continue;
116 		}
117 
118 		if (!skb_copy) {
119 			/* Create a private copy with headroom */
120 			skb_copy = __pskb_copy(skb, 1, GFP_ATOMIC);
121 			if (!skb_copy)
122 				continue;
123 
124 			/* Put type byte before the data */
125 			memcpy(skb_push(skb_copy, 1), &bt_cb(skb)->pkt_type, 1);
126 		}
127 
128 		nskb = skb_clone(skb_copy, GFP_ATOMIC);
129 		if (!nskb)
130 			continue;
131 
132 		if (sock_queue_rcv_skb(sk, nskb))
133 			kfree_skb(nskb);
134 	}
135 
136 	read_unlock(&hci_sk_list.lock);
137 
138 	kfree_skb(skb_copy);
139 }
140 
141 /* Send frame to control socket */
142 void hci_send_to_control(struct sk_buff *skb, struct sock *skip_sk)
143 {
144 	struct sock *sk;
145 	struct hlist_node *node;
146 
147 	BT_DBG("len %d", skb->len);
148 
149 	read_lock(&hci_sk_list.lock);
150 
151 	sk_for_each(sk, node, &hci_sk_list.head) {
152 		struct sk_buff *nskb;
153 
154 		/* Skip the original socket */
155 		if (sk == skip_sk)
156 			continue;
157 
158 		if (sk->sk_state != BT_BOUND)
159 			continue;
160 
161 		if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL)
162 			continue;
163 
164 		nskb = skb_clone(skb, GFP_ATOMIC);
165 		if (!nskb)
166 			continue;
167 
168 		if (sock_queue_rcv_skb(sk, nskb))
169 			kfree_skb(nskb);
170 	}
171 
172 	read_unlock(&hci_sk_list.lock);
173 }
174 
175 /* Send frame to monitor socket */
176 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
177 {
178 	struct sock *sk;
179 	struct hlist_node *node;
180 	struct sk_buff *skb_copy = NULL;
181 	__le16 opcode;
182 
183 	if (!atomic_read(&monitor_promisc))
184 		return;
185 
186 	BT_DBG("hdev %p len %d", hdev, skb->len);
187 
188 	switch (bt_cb(skb)->pkt_type) {
189 	case HCI_COMMAND_PKT:
190 		opcode = __constant_cpu_to_le16(HCI_MON_COMMAND_PKT);
191 		break;
192 	case HCI_EVENT_PKT:
193 		opcode = __constant_cpu_to_le16(HCI_MON_EVENT_PKT);
194 		break;
195 	case HCI_ACLDATA_PKT:
196 		if (bt_cb(skb)->incoming)
197 			opcode = __constant_cpu_to_le16(HCI_MON_ACL_RX_PKT);
198 		else
199 			opcode = __constant_cpu_to_le16(HCI_MON_ACL_TX_PKT);
200 		break;
201 	case HCI_SCODATA_PKT:
202 		if (bt_cb(skb)->incoming)
203 			opcode = __constant_cpu_to_le16(HCI_MON_SCO_RX_PKT);
204 		else
205 			opcode = __constant_cpu_to_le16(HCI_MON_SCO_TX_PKT);
206 		break;
207 	default:
208 		return;
209 	}
210 
211 	read_lock(&hci_sk_list.lock);
212 
213 	sk_for_each(sk, node, &hci_sk_list.head) {
214 		struct sk_buff *nskb;
215 
216 		if (sk->sk_state != BT_BOUND)
217 			continue;
218 
219 		if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR)
220 			continue;
221 
222 		if (!skb_copy) {
223 			struct hci_mon_hdr *hdr;
224 
225 			/* Create a private copy with headroom */
226 			skb_copy = __pskb_copy(skb, HCI_MON_HDR_SIZE,
227 					       GFP_ATOMIC);
228 			if (!skb_copy)
229 				continue;
230 
231 			/* Put header before the data */
232 			hdr = (void *) skb_push(skb_copy, HCI_MON_HDR_SIZE);
233 			hdr->opcode = opcode;
234 			hdr->index = cpu_to_le16(hdev->id);
235 			hdr->len = cpu_to_le16(skb->len);
236 		}
237 
238 		nskb = skb_clone(skb_copy, GFP_ATOMIC);
239 		if (!nskb)
240 			continue;
241 
242 		if (sock_queue_rcv_skb(sk, nskb))
243 			kfree_skb(nskb);
244 	}
245 
246 	read_unlock(&hci_sk_list.lock);
247 
248 	kfree_skb(skb_copy);
249 }
250 
251 static void send_monitor_event(struct sk_buff *skb)
252 {
253 	struct sock *sk;
254 	struct hlist_node *node;
255 
256 	BT_DBG("len %d", skb->len);
257 
258 	read_lock(&hci_sk_list.lock);
259 
260 	sk_for_each(sk, node, &hci_sk_list.head) {
261 		struct sk_buff *nskb;
262 
263 		if (sk->sk_state != BT_BOUND)
264 			continue;
265 
266 		if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR)
267 			continue;
268 
269 		nskb = skb_clone(skb, GFP_ATOMIC);
270 		if (!nskb)
271 			continue;
272 
273 		if (sock_queue_rcv_skb(sk, nskb))
274 			kfree_skb(nskb);
275 	}
276 
277 	read_unlock(&hci_sk_list.lock);
278 }
279 
280 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
281 {
282 	struct hci_mon_hdr *hdr;
283 	struct hci_mon_new_index *ni;
284 	struct sk_buff *skb;
285 	__le16 opcode;
286 
287 	switch (event) {
288 	case HCI_DEV_REG:
289 		skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC);
290 		if (!skb)
291 			return NULL;
292 
293 		ni = (void *) skb_put(skb, HCI_MON_NEW_INDEX_SIZE);
294 		ni->type = hdev->dev_type;
295 		ni->bus = hdev->bus;
296 		bacpy(&ni->bdaddr, &hdev->bdaddr);
297 		memcpy(ni->name, hdev->name, 8);
298 
299 		opcode = __constant_cpu_to_le16(HCI_MON_NEW_INDEX);
300 		break;
301 
302 	case HCI_DEV_UNREG:
303 		skb = bt_skb_alloc(0, GFP_ATOMIC);
304 		if (!skb)
305 			return NULL;
306 
307 		opcode = __constant_cpu_to_le16(HCI_MON_DEL_INDEX);
308 		break;
309 
310 	default:
311 		return NULL;
312 	}
313 
314 	__net_timestamp(skb);
315 
316 	hdr = (void *) skb_push(skb, HCI_MON_HDR_SIZE);
317 	hdr->opcode = opcode;
318 	hdr->index = cpu_to_le16(hdev->id);
319 	hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
320 
321 	return skb;
322 }
323 
324 static void send_monitor_replay(struct sock *sk)
325 {
326 	struct hci_dev *hdev;
327 
328 	read_lock(&hci_dev_list_lock);
329 
330 	list_for_each_entry(hdev, &hci_dev_list, list) {
331 		struct sk_buff *skb;
332 
333 		skb = create_monitor_event(hdev, HCI_DEV_REG);
334 		if (!skb)
335 			continue;
336 
337 		if (sock_queue_rcv_skb(sk, skb))
338 			kfree_skb(skb);
339 	}
340 
341 	read_unlock(&hci_dev_list_lock);
342 }
343 
344 /* Generate internal stack event */
345 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
346 {
347 	struct hci_event_hdr *hdr;
348 	struct hci_ev_stack_internal *ev;
349 	struct sk_buff *skb;
350 
351 	skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC);
352 	if (!skb)
353 		return;
354 
355 	hdr = (void *) skb_put(skb, HCI_EVENT_HDR_SIZE);
356 	hdr->evt  = HCI_EV_STACK_INTERNAL;
357 	hdr->plen = sizeof(*ev) + dlen;
358 
359 	ev  = (void *) skb_put(skb, sizeof(*ev) + dlen);
360 	ev->type = type;
361 	memcpy(ev->data, data, dlen);
362 
363 	bt_cb(skb)->incoming = 1;
364 	__net_timestamp(skb);
365 
366 	bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
367 	skb->dev = (void *) hdev;
368 	hci_send_to_sock(hdev, skb);
369 	kfree_skb(skb);
370 }
371 
372 void hci_sock_dev_event(struct hci_dev *hdev, int event)
373 {
374 	struct hci_ev_si_device ev;
375 
376 	BT_DBG("hdev %s event %d", hdev->name, event);
377 
378 	/* Send event to monitor */
379 	if (atomic_read(&monitor_promisc)) {
380 		struct sk_buff *skb;
381 
382 		skb = create_monitor_event(hdev, event);
383 		if (skb) {
384 			send_monitor_event(skb);
385 			kfree_skb(skb);
386 		}
387 	}
388 
389 	/* Send event to sockets */
390 	ev.event  = event;
391 	ev.dev_id = hdev->id;
392 	hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev);
393 
394 	if (event == HCI_DEV_UNREG) {
395 		struct sock *sk;
396 		struct hlist_node *node;
397 
398 		/* Detach sockets from device */
399 		read_lock(&hci_sk_list.lock);
400 		sk_for_each(sk, node, &hci_sk_list.head) {
401 			bh_lock_sock_nested(sk);
402 			if (hci_pi(sk)->hdev == hdev) {
403 				hci_pi(sk)->hdev = NULL;
404 				sk->sk_err = EPIPE;
405 				sk->sk_state = BT_OPEN;
406 				sk->sk_state_change(sk);
407 
408 				hci_dev_put(hdev);
409 			}
410 			bh_unlock_sock(sk);
411 		}
412 		read_unlock(&hci_sk_list.lock);
413 	}
414 }
415 
416 static int hci_sock_release(struct socket *sock)
417 {
418 	struct sock *sk = sock->sk;
419 	struct hci_dev *hdev;
420 
421 	BT_DBG("sock %p sk %p", sock, sk);
422 
423 	if (!sk)
424 		return 0;
425 
426 	hdev = hci_pi(sk)->hdev;
427 
428 	if (hci_pi(sk)->channel == HCI_CHANNEL_MONITOR)
429 		atomic_dec(&monitor_promisc);
430 
431 	bt_sock_unlink(&hci_sk_list, sk);
432 
433 	if (hdev) {
434 		atomic_dec(&hdev->promisc);
435 		hci_dev_put(hdev);
436 	}
437 
438 	sock_orphan(sk);
439 
440 	skb_queue_purge(&sk->sk_receive_queue);
441 	skb_queue_purge(&sk->sk_write_queue);
442 
443 	sock_put(sk);
444 	return 0;
445 }
446 
447 static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg)
448 {
449 	bdaddr_t bdaddr;
450 	int err;
451 
452 	if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
453 		return -EFAULT;
454 
455 	hci_dev_lock(hdev);
456 
457 	err = hci_blacklist_add(hdev, &bdaddr, 0);
458 
459 	hci_dev_unlock(hdev);
460 
461 	return err;
462 }
463 
464 static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
465 {
466 	bdaddr_t bdaddr;
467 	int err;
468 
469 	if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
470 		return -EFAULT;
471 
472 	hci_dev_lock(hdev);
473 
474 	err = hci_blacklist_del(hdev, &bdaddr, 0);
475 
476 	hci_dev_unlock(hdev);
477 
478 	return err;
479 }
480 
481 /* Ioctls that require bound socket */
482 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
483 				unsigned long arg)
484 {
485 	struct hci_dev *hdev = hci_pi(sk)->hdev;
486 
487 	if (!hdev)
488 		return -EBADFD;
489 
490 	switch (cmd) {
491 	case HCISETRAW:
492 		if (!capable(CAP_NET_ADMIN))
493 			return -EPERM;
494 
495 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
496 			return -EPERM;
497 
498 		if (arg)
499 			set_bit(HCI_RAW, &hdev->flags);
500 		else
501 			clear_bit(HCI_RAW, &hdev->flags);
502 
503 		return 0;
504 
505 	case HCIGETCONNINFO:
506 		return hci_get_conn_info(hdev, (void __user *) arg);
507 
508 	case HCIGETAUTHINFO:
509 		return hci_get_auth_info(hdev, (void __user *) arg);
510 
511 	case HCIBLOCKADDR:
512 		if (!capable(CAP_NET_ADMIN))
513 			return -EPERM;
514 		return hci_sock_blacklist_add(hdev, (void __user *) arg);
515 
516 	case HCIUNBLOCKADDR:
517 		if (!capable(CAP_NET_ADMIN))
518 			return -EPERM;
519 		return hci_sock_blacklist_del(hdev, (void __user *) arg);
520 
521 	default:
522 		if (hdev->ioctl)
523 			return hdev->ioctl(hdev, cmd, arg);
524 		return -EINVAL;
525 	}
526 }
527 
528 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
529 			  unsigned long arg)
530 {
531 	struct sock *sk = sock->sk;
532 	void __user *argp = (void __user *) arg;
533 	int err;
534 
535 	BT_DBG("cmd %x arg %lx", cmd, arg);
536 
537 	switch (cmd) {
538 	case HCIGETDEVLIST:
539 		return hci_get_dev_list(argp);
540 
541 	case HCIGETDEVINFO:
542 		return hci_get_dev_info(argp);
543 
544 	case HCIGETCONNLIST:
545 		return hci_get_conn_list(argp);
546 
547 	case HCIDEVUP:
548 		if (!capable(CAP_NET_ADMIN))
549 			return -EPERM;
550 		return hci_dev_open(arg);
551 
552 	case HCIDEVDOWN:
553 		if (!capable(CAP_NET_ADMIN))
554 			return -EPERM;
555 		return hci_dev_close(arg);
556 
557 	case HCIDEVRESET:
558 		if (!capable(CAP_NET_ADMIN))
559 			return -EPERM;
560 		return hci_dev_reset(arg);
561 
562 	case HCIDEVRESTAT:
563 		if (!capable(CAP_NET_ADMIN))
564 			return -EPERM;
565 		return hci_dev_reset_stat(arg);
566 
567 	case HCISETSCAN:
568 	case HCISETAUTH:
569 	case HCISETENCRYPT:
570 	case HCISETPTYPE:
571 	case HCISETLINKPOL:
572 	case HCISETLINKMODE:
573 	case HCISETACLMTU:
574 	case HCISETSCOMTU:
575 		if (!capable(CAP_NET_ADMIN))
576 			return -EPERM;
577 		return hci_dev_cmd(cmd, argp);
578 
579 	case HCIINQUIRY:
580 		return hci_inquiry(argp);
581 
582 	default:
583 		lock_sock(sk);
584 		err = hci_sock_bound_ioctl(sk, cmd, arg);
585 		release_sock(sk);
586 		return err;
587 	}
588 }
589 
590 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
591 			 int addr_len)
592 {
593 	struct sockaddr_hci haddr;
594 	struct sock *sk = sock->sk;
595 	struct hci_dev *hdev = NULL;
596 	int len, err = 0;
597 
598 	BT_DBG("sock %p sk %p", sock, sk);
599 
600 	if (!addr)
601 		return -EINVAL;
602 
603 	memset(&haddr, 0, sizeof(haddr));
604 	len = min_t(unsigned int, sizeof(haddr), addr_len);
605 	memcpy(&haddr, addr, len);
606 
607 	if (haddr.hci_family != AF_BLUETOOTH)
608 		return -EINVAL;
609 
610 	lock_sock(sk);
611 
612 	if (sk->sk_state == BT_BOUND) {
613 		err = -EALREADY;
614 		goto done;
615 	}
616 
617 	switch (haddr.hci_channel) {
618 	case HCI_CHANNEL_RAW:
619 		if (hci_pi(sk)->hdev) {
620 			err = -EALREADY;
621 			goto done;
622 		}
623 
624 		if (haddr.hci_dev != HCI_DEV_NONE) {
625 			hdev = hci_dev_get(haddr.hci_dev);
626 			if (!hdev) {
627 				err = -ENODEV;
628 				goto done;
629 			}
630 
631 			atomic_inc(&hdev->promisc);
632 		}
633 
634 		hci_pi(sk)->hdev = hdev;
635 		break;
636 
637 	case HCI_CHANNEL_CONTROL:
638 		if (haddr.hci_dev != HCI_DEV_NONE) {
639 			err = -EINVAL;
640 			goto done;
641 		}
642 
643 		if (!capable(CAP_NET_ADMIN)) {
644 			err = -EPERM;
645 			goto done;
646 		}
647 
648 		break;
649 
650 	case HCI_CHANNEL_MONITOR:
651 		if (haddr.hci_dev != HCI_DEV_NONE) {
652 			err = -EINVAL;
653 			goto done;
654 		}
655 
656 		if (!capable(CAP_NET_RAW)) {
657 			err = -EPERM;
658 			goto done;
659 		}
660 
661 		send_monitor_replay(sk);
662 
663 		atomic_inc(&monitor_promisc);
664 		break;
665 
666 	default:
667 		err = -EINVAL;
668 		goto done;
669 	}
670 
671 
672 	hci_pi(sk)->channel = haddr.hci_channel;
673 	sk->sk_state = BT_BOUND;
674 
675 done:
676 	release_sock(sk);
677 	return err;
678 }
679 
680 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
681 			    int *addr_len, int peer)
682 {
683 	struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr;
684 	struct sock *sk = sock->sk;
685 	struct hci_dev *hdev = hci_pi(sk)->hdev;
686 
687 	BT_DBG("sock %p sk %p", sock, sk);
688 
689 	if (!hdev)
690 		return -EBADFD;
691 
692 	lock_sock(sk);
693 
694 	*addr_len = sizeof(*haddr);
695 	haddr->hci_family = AF_BLUETOOTH;
696 	haddr->hci_dev    = hdev->id;
697 	haddr->hci_channel= 0;
698 
699 	release_sock(sk);
700 	return 0;
701 }
702 
703 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg,
704 			  struct sk_buff *skb)
705 {
706 	__u32 mask = hci_pi(sk)->cmsg_mask;
707 
708 	if (mask & HCI_CMSG_DIR) {
709 		int incoming = bt_cb(skb)->incoming;
710 		put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming),
711 			 &incoming);
712 	}
713 
714 	if (mask & HCI_CMSG_TSTAMP) {
715 #ifdef CONFIG_COMPAT
716 		struct compat_timeval ctv;
717 #endif
718 		struct timeval tv;
719 		void *data;
720 		int len;
721 
722 		skb_get_timestamp(skb, &tv);
723 
724 		data = &tv;
725 		len = sizeof(tv);
726 #ifdef CONFIG_COMPAT
727 		if (!COMPAT_USE_64BIT_TIME &&
728 		    (msg->msg_flags & MSG_CMSG_COMPAT)) {
729 			ctv.tv_sec = tv.tv_sec;
730 			ctv.tv_usec = tv.tv_usec;
731 			data = &ctv;
732 			len = sizeof(ctv);
733 		}
734 #endif
735 
736 		put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
737 	}
738 }
739 
740 static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
741 			    struct msghdr *msg, size_t len, int flags)
742 {
743 	int noblock = flags & MSG_DONTWAIT;
744 	struct sock *sk = sock->sk;
745 	struct sk_buff *skb;
746 	int copied, err;
747 
748 	BT_DBG("sock %p, sk %p", sock, sk);
749 
750 	if (flags & (MSG_OOB))
751 		return -EOPNOTSUPP;
752 
753 	if (sk->sk_state == BT_CLOSED)
754 		return 0;
755 
756 	skb = skb_recv_datagram(sk, flags, noblock, &err);
757 	if (!skb)
758 		return err;
759 
760 	msg->msg_namelen = 0;
761 
762 	copied = skb->len;
763 	if (len < copied) {
764 		msg->msg_flags |= MSG_TRUNC;
765 		copied = len;
766 	}
767 
768 	skb_reset_transport_header(skb);
769 	err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
770 
771 	switch (hci_pi(sk)->channel) {
772 	case HCI_CHANNEL_RAW:
773 		hci_sock_cmsg(sk, msg, skb);
774 		break;
775 	case HCI_CHANNEL_CONTROL:
776 	case HCI_CHANNEL_MONITOR:
777 		sock_recv_timestamp(msg, sk, skb);
778 		break;
779 	}
780 
781 	skb_free_datagram(sk, skb);
782 
783 	return err ? : copied;
784 }
785 
786 static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
787 			    struct msghdr *msg, size_t len)
788 {
789 	struct sock *sk = sock->sk;
790 	struct hci_dev *hdev;
791 	struct sk_buff *skb;
792 	int err;
793 
794 	BT_DBG("sock %p sk %p", sock, sk);
795 
796 	if (msg->msg_flags & MSG_OOB)
797 		return -EOPNOTSUPP;
798 
799 	if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE))
800 		return -EINVAL;
801 
802 	if (len < 4 || len > HCI_MAX_FRAME_SIZE)
803 		return -EINVAL;
804 
805 	lock_sock(sk);
806 
807 	switch (hci_pi(sk)->channel) {
808 	case HCI_CHANNEL_RAW:
809 		break;
810 	case HCI_CHANNEL_CONTROL:
811 		err = mgmt_control(sk, msg, len);
812 		goto done;
813 	case HCI_CHANNEL_MONITOR:
814 		err = -EOPNOTSUPP;
815 		goto done;
816 	default:
817 		err = -EINVAL;
818 		goto done;
819 	}
820 
821 	hdev = hci_pi(sk)->hdev;
822 	if (!hdev) {
823 		err = -EBADFD;
824 		goto done;
825 	}
826 
827 	if (!test_bit(HCI_UP, &hdev->flags)) {
828 		err = -ENETDOWN;
829 		goto done;
830 	}
831 
832 	skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
833 	if (!skb)
834 		goto done;
835 
836 	if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) {
837 		err = -EFAULT;
838 		goto drop;
839 	}
840 
841 	bt_cb(skb)->pkt_type = *((unsigned char *) skb->data);
842 	skb_pull(skb, 1);
843 	skb->dev = (void *) hdev;
844 
845 	if (bt_cb(skb)->pkt_type == HCI_COMMAND_PKT) {
846 		u16 opcode = get_unaligned_le16(skb->data);
847 		u16 ogf = hci_opcode_ogf(opcode);
848 		u16 ocf = hci_opcode_ocf(opcode);
849 
850 		if (((ogf > HCI_SFLT_MAX_OGF) ||
851 		     !hci_test_bit(ocf & HCI_FLT_OCF_BITS,
852 				   &hci_sec_filter.ocf_mask[ogf])) &&
853 		    !capable(CAP_NET_RAW)) {
854 			err = -EPERM;
855 			goto drop;
856 		}
857 
858 		if (test_bit(HCI_RAW, &hdev->flags) || (ogf == 0x3f)) {
859 			skb_queue_tail(&hdev->raw_q, skb);
860 			queue_work(hdev->workqueue, &hdev->tx_work);
861 		} else {
862 			skb_queue_tail(&hdev->cmd_q, skb);
863 			queue_work(hdev->workqueue, &hdev->cmd_work);
864 		}
865 	} else {
866 		if (!capable(CAP_NET_RAW)) {
867 			err = -EPERM;
868 			goto drop;
869 		}
870 
871 		skb_queue_tail(&hdev->raw_q, skb);
872 		queue_work(hdev->workqueue, &hdev->tx_work);
873 	}
874 
875 	err = len;
876 
877 done:
878 	release_sock(sk);
879 	return err;
880 
881 drop:
882 	kfree_skb(skb);
883 	goto done;
884 }
885 
886 static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
887 			       char __user *optval, unsigned int len)
888 {
889 	struct hci_ufilter uf = { .opcode = 0 };
890 	struct sock *sk = sock->sk;
891 	int err = 0, opt = 0;
892 
893 	BT_DBG("sk %p, opt %d", sk, optname);
894 
895 	lock_sock(sk);
896 
897 	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
898 		err = -EINVAL;
899 		goto done;
900 	}
901 
902 	switch (optname) {
903 	case HCI_DATA_DIR:
904 		if (get_user(opt, (int __user *)optval)) {
905 			err = -EFAULT;
906 			break;
907 		}
908 
909 		if (opt)
910 			hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
911 		else
912 			hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR;
913 		break;
914 
915 	case HCI_TIME_STAMP:
916 		if (get_user(opt, (int __user *)optval)) {
917 			err = -EFAULT;
918 			break;
919 		}
920 
921 		if (opt)
922 			hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
923 		else
924 			hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP;
925 		break;
926 
927 	case HCI_FILTER:
928 		{
929 			struct hci_filter *f = &hci_pi(sk)->filter;
930 
931 			uf.type_mask = f->type_mask;
932 			uf.opcode    = f->opcode;
933 			uf.event_mask[0] = *((u32 *) f->event_mask + 0);
934 			uf.event_mask[1] = *((u32 *) f->event_mask + 1);
935 		}
936 
937 		len = min_t(unsigned int, len, sizeof(uf));
938 		if (copy_from_user(&uf, optval, len)) {
939 			err = -EFAULT;
940 			break;
941 		}
942 
943 		if (!capable(CAP_NET_RAW)) {
944 			uf.type_mask &= hci_sec_filter.type_mask;
945 			uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
946 			uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
947 		}
948 
949 		{
950 			struct hci_filter *f = &hci_pi(sk)->filter;
951 
952 			f->type_mask = uf.type_mask;
953 			f->opcode    = uf.opcode;
954 			*((u32 *) f->event_mask + 0) = uf.event_mask[0];
955 			*((u32 *) f->event_mask + 1) = uf.event_mask[1];
956 		}
957 		break;
958 
959 	default:
960 		err = -ENOPROTOOPT;
961 		break;
962 	}
963 
964 done:
965 	release_sock(sk);
966 	return err;
967 }
968 
969 static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
970 			       char __user *optval, int __user *optlen)
971 {
972 	struct hci_ufilter uf;
973 	struct sock *sk = sock->sk;
974 	int len, opt, err = 0;
975 
976 	BT_DBG("sk %p, opt %d", sk, optname);
977 
978 	if (get_user(len, optlen))
979 		return -EFAULT;
980 
981 	lock_sock(sk);
982 
983 	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
984 		err = -EINVAL;
985 		goto done;
986 	}
987 
988 	switch (optname) {
989 	case HCI_DATA_DIR:
990 		if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR)
991 			opt = 1;
992 		else
993 			opt = 0;
994 
995 		if (put_user(opt, optval))
996 			err = -EFAULT;
997 		break;
998 
999 	case HCI_TIME_STAMP:
1000 		if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP)
1001 			opt = 1;
1002 		else
1003 			opt = 0;
1004 
1005 		if (put_user(opt, optval))
1006 			err = -EFAULT;
1007 		break;
1008 
1009 	case HCI_FILTER:
1010 		{
1011 			struct hci_filter *f = &hci_pi(sk)->filter;
1012 
1013 			memset(&uf, 0, sizeof(uf));
1014 			uf.type_mask = f->type_mask;
1015 			uf.opcode    = f->opcode;
1016 			uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1017 			uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1018 		}
1019 
1020 		len = min_t(unsigned int, len, sizeof(uf));
1021 		if (copy_to_user(optval, &uf, len))
1022 			err = -EFAULT;
1023 		break;
1024 
1025 	default:
1026 		err = -ENOPROTOOPT;
1027 		break;
1028 	}
1029 
1030 done:
1031 	release_sock(sk);
1032 	return err;
1033 }
1034 
1035 static const struct proto_ops hci_sock_ops = {
1036 	.family		= PF_BLUETOOTH,
1037 	.owner		= THIS_MODULE,
1038 	.release	= hci_sock_release,
1039 	.bind		= hci_sock_bind,
1040 	.getname	= hci_sock_getname,
1041 	.sendmsg	= hci_sock_sendmsg,
1042 	.recvmsg	= hci_sock_recvmsg,
1043 	.ioctl		= hci_sock_ioctl,
1044 	.poll		= datagram_poll,
1045 	.listen		= sock_no_listen,
1046 	.shutdown	= sock_no_shutdown,
1047 	.setsockopt	= hci_sock_setsockopt,
1048 	.getsockopt	= hci_sock_getsockopt,
1049 	.connect	= sock_no_connect,
1050 	.socketpair	= sock_no_socketpair,
1051 	.accept		= sock_no_accept,
1052 	.mmap		= sock_no_mmap
1053 };
1054 
1055 static struct proto hci_sk_proto = {
1056 	.name		= "HCI",
1057 	.owner		= THIS_MODULE,
1058 	.obj_size	= sizeof(struct hci_pinfo)
1059 };
1060 
1061 static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
1062 			   int kern)
1063 {
1064 	struct sock *sk;
1065 
1066 	BT_DBG("sock %p", sock);
1067 
1068 	if (sock->type != SOCK_RAW)
1069 		return -ESOCKTNOSUPPORT;
1070 
1071 	sock->ops = &hci_sock_ops;
1072 
1073 	sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto);
1074 	if (!sk)
1075 		return -ENOMEM;
1076 
1077 	sock_init_data(sock, sk);
1078 
1079 	sock_reset_flag(sk, SOCK_ZAPPED);
1080 
1081 	sk->sk_protocol = protocol;
1082 
1083 	sock->state = SS_UNCONNECTED;
1084 	sk->sk_state = BT_OPEN;
1085 
1086 	bt_sock_link(&hci_sk_list, sk);
1087 	return 0;
1088 }
1089 
1090 static const struct net_proto_family hci_sock_family_ops = {
1091 	.family	= PF_BLUETOOTH,
1092 	.owner	= THIS_MODULE,
1093 	.create	= hci_sock_create,
1094 };
1095 
1096 int __init hci_sock_init(void)
1097 {
1098 	int err;
1099 
1100 	err = proto_register(&hci_sk_proto, 0);
1101 	if (err < 0)
1102 		return err;
1103 
1104 	err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
1105 	if (err < 0) {
1106 		BT_ERR("HCI socket registration failed");
1107 		goto error;
1108 	}
1109 
1110 	err = bt_procfs_init(THIS_MODULE, &init_net, "hci", &hci_sk_list, NULL);
1111 	if (err < 0) {
1112 		BT_ERR("Failed to create HCI proc file");
1113 		bt_sock_unregister(BTPROTO_HCI);
1114 		goto error;
1115 	}
1116 
1117 	BT_INFO("HCI socket layer initialized");
1118 
1119 	return 0;
1120 
1121 error:
1122 	proto_unregister(&hci_sk_proto);
1123 	return err;
1124 }
1125 
1126 void hci_sock_cleanup(void)
1127 {
1128 	bt_procfs_cleanup(&init_net, "hci");
1129 	if (bt_sock_unregister(BTPROTO_HCI) < 0)
1130 		BT_ERR("HCI socket unregistration failed");
1131 
1132 	proto_unregister(&hci_sk_proto);
1133 }
1134