1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License version 2 as 9 published by the Free Software Foundation; 10 11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 22 SOFTWARE IS DISCLAIMED. 23 */ 24 25 /* Bluetooth HCI sockets. */ 26 #include <linux/compat.h> 27 #include <linux/export.h> 28 #include <linux/utsname.h> 29 #include <linux/sched.h> 30 #include <asm/unaligned.h> 31 32 #include <net/bluetooth/bluetooth.h> 33 #include <net/bluetooth/hci_core.h> 34 #include <net/bluetooth/hci_mon.h> 35 #include <net/bluetooth/mgmt.h> 36 37 #include "mgmt_util.h" 38 39 static LIST_HEAD(mgmt_chan_list); 40 static DEFINE_MUTEX(mgmt_chan_list_lock); 41 42 static DEFINE_IDA(sock_cookie_ida); 43 44 static atomic_t monitor_promisc = ATOMIC_INIT(0); 45 46 /* ----- HCI socket interface ----- */ 47 48 /* Socket info */ 49 #define hci_pi(sk) ((struct hci_pinfo *) sk) 50 51 struct hci_pinfo { 52 struct bt_sock bt; 53 struct hci_dev *hdev; 54 struct hci_filter filter; 55 __u32 cmsg_mask; 56 unsigned short channel; 57 unsigned long flags; 58 __u32 cookie; 59 char comm[TASK_COMM_LEN]; 60 }; 61 62 void hci_sock_set_flag(struct sock *sk, int nr) 63 { 64 set_bit(nr, &hci_pi(sk)->flags); 65 } 66 67 void hci_sock_clear_flag(struct sock *sk, int nr) 68 { 69 clear_bit(nr, &hci_pi(sk)->flags); 70 } 71 72 int hci_sock_test_flag(struct sock *sk, int nr) 73 { 74 return test_bit(nr, &hci_pi(sk)->flags); 75 } 76 77 unsigned short hci_sock_get_channel(struct sock *sk) 78 { 79 return hci_pi(sk)->channel; 80 } 81 82 u32 hci_sock_get_cookie(struct sock *sk) 83 { 84 return hci_pi(sk)->cookie; 85 } 86 87 static bool hci_sock_gen_cookie(struct sock *sk) 88 { 89 int id = hci_pi(sk)->cookie; 90 91 if (!id) { 92 id = ida_simple_get(&sock_cookie_ida, 1, 0, GFP_KERNEL); 93 if (id < 0) 94 id = 0xffffffff; 95 96 hci_pi(sk)->cookie = id; 97 get_task_comm(hci_pi(sk)->comm, current); 98 return true; 99 } 100 101 return false; 102 } 103 104 static void hci_sock_free_cookie(struct sock *sk) 105 { 106 int id = hci_pi(sk)->cookie; 107 108 if (id) { 109 hci_pi(sk)->cookie = 0xffffffff; 110 ida_simple_remove(&sock_cookie_ida, id); 111 } 112 } 113 114 static inline int hci_test_bit(int nr, const void *addr) 115 { 116 return *((const __u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31)); 117 } 118 119 /* Security filter */ 120 #define HCI_SFLT_MAX_OGF 5 121 122 struct hci_sec_filter { 123 __u32 type_mask; 124 __u32 event_mask[2]; 125 __u32 ocf_mask[HCI_SFLT_MAX_OGF + 1][4]; 126 }; 127 128 static const struct hci_sec_filter hci_sec_filter = { 129 /* Packet types */ 130 0x10, 131 /* Events */ 132 { 0x1000d9fe, 0x0000b00c }, 133 /* Commands */ 134 { 135 { 0x0 }, 136 /* OGF_LINK_CTL */ 137 { 0xbe000006, 0x00000001, 0x00000000, 0x00 }, 138 /* OGF_LINK_POLICY */ 139 { 0x00005200, 0x00000000, 0x00000000, 0x00 }, 140 /* OGF_HOST_CTL */ 141 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 }, 142 /* OGF_INFO_PARAM */ 143 { 0x000002be, 0x00000000, 0x00000000, 0x00 }, 144 /* OGF_STATUS_PARAM */ 145 { 0x000000ea, 0x00000000, 0x00000000, 0x00 } 146 } 147 }; 148 149 static struct bt_sock_list hci_sk_list = { 150 .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock) 151 }; 152 153 static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb) 154 { 155 struct hci_filter *flt; 156 int flt_type, flt_event; 157 158 /* Apply filter */ 159 flt = &hci_pi(sk)->filter; 160 161 flt_type = hci_skb_pkt_type(skb) & HCI_FLT_TYPE_BITS; 162 163 if (!test_bit(flt_type, &flt->type_mask)) 164 return true; 165 166 /* Extra filter for event packets only */ 167 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT) 168 return false; 169 170 flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS); 171 172 if (!hci_test_bit(flt_event, &flt->event_mask)) 173 return true; 174 175 /* Check filter only when opcode is set */ 176 if (!flt->opcode) 177 return false; 178 179 if (flt_event == HCI_EV_CMD_COMPLETE && 180 flt->opcode != get_unaligned((__le16 *)(skb->data + 3))) 181 return true; 182 183 if (flt_event == HCI_EV_CMD_STATUS && 184 flt->opcode != get_unaligned((__le16 *)(skb->data + 4))) 185 return true; 186 187 return false; 188 } 189 190 /* Send frame to RAW socket */ 191 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb) 192 { 193 struct sock *sk; 194 struct sk_buff *skb_copy = NULL; 195 196 BT_DBG("hdev %p len %d", hdev, skb->len); 197 198 read_lock(&hci_sk_list.lock); 199 200 sk_for_each(sk, &hci_sk_list.head) { 201 struct sk_buff *nskb; 202 203 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev) 204 continue; 205 206 /* Don't send frame to the socket it came from */ 207 if (skb->sk == sk) 208 continue; 209 210 if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) { 211 if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT && 212 hci_skb_pkt_type(skb) != HCI_EVENT_PKT && 213 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT && 214 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT && 215 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT) 216 continue; 217 if (is_filtered_packet(sk, skb)) 218 continue; 219 } else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { 220 if (!bt_cb(skb)->incoming) 221 continue; 222 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT && 223 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT && 224 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT && 225 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT) 226 continue; 227 } else { 228 /* Don't send frame to other channel types */ 229 continue; 230 } 231 232 if (!skb_copy) { 233 /* Create a private copy with headroom */ 234 skb_copy = __pskb_copy_fclone(skb, 1, GFP_ATOMIC, true); 235 if (!skb_copy) 236 continue; 237 238 /* Put type byte before the data */ 239 memcpy(skb_push(skb_copy, 1), &hci_skb_pkt_type(skb), 1); 240 } 241 242 nskb = skb_clone(skb_copy, GFP_ATOMIC); 243 if (!nskb) 244 continue; 245 246 if (sock_queue_rcv_skb(sk, nskb)) 247 kfree_skb(nskb); 248 } 249 250 read_unlock(&hci_sk_list.lock); 251 252 kfree_skb(skb_copy); 253 } 254 255 /* Send frame to sockets with specific channel */ 256 static void __hci_send_to_channel(unsigned short channel, struct sk_buff *skb, 257 int flag, struct sock *skip_sk) 258 { 259 struct sock *sk; 260 261 BT_DBG("channel %u len %d", channel, skb->len); 262 263 sk_for_each(sk, &hci_sk_list.head) { 264 struct sk_buff *nskb; 265 266 /* Ignore socket without the flag set */ 267 if (!hci_sock_test_flag(sk, flag)) 268 continue; 269 270 /* Skip the original socket */ 271 if (sk == skip_sk) 272 continue; 273 274 if (sk->sk_state != BT_BOUND) 275 continue; 276 277 if (hci_pi(sk)->channel != channel) 278 continue; 279 280 nskb = skb_clone(skb, GFP_ATOMIC); 281 if (!nskb) 282 continue; 283 284 if (sock_queue_rcv_skb(sk, nskb)) 285 kfree_skb(nskb); 286 } 287 288 } 289 290 void hci_send_to_channel(unsigned short channel, struct sk_buff *skb, 291 int flag, struct sock *skip_sk) 292 { 293 read_lock(&hci_sk_list.lock); 294 __hci_send_to_channel(channel, skb, flag, skip_sk); 295 read_unlock(&hci_sk_list.lock); 296 } 297 298 /* Send frame to monitor socket */ 299 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb) 300 { 301 struct sk_buff *skb_copy = NULL; 302 struct hci_mon_hdr *hdr; 303 __le16 opcode; 304 305 if (!atomic_read(&monitor_promisc)) 306 return; 307 308 BT_DBG("hdev %p len %d", hdev, skb->len); 309 310 switch (hci_skb_pkt_type(skb)) { 311 case HCI_COMMAND_PKT: 312 opcode = cpu_to_le16(HCI_MON_COMMAND_PKT); 313 break; 314 case HCI_EVENT_PKT: 315 opcode = cpu_to_le16(HCI_MON_EVENT_PKT); 316 break; 317 case HCI_ACLDATA_PKT: 318 if (bt_cb(skb)->incoming) 319 opcode = cpu_to_le16(HCI_MON_ACL_RX_PKT); 320 else 321 opcode = cpu_to_le16(HCI_MON_ACL_TX_PKT); 322 break; 323 case HCI_SCODATA_PKT: 324 if (bt_cb(skb)->incoming) 325 opcode = cpu_to_le16(HCI_MON_SCO_RX_PKT); 326 else 327 opcode = cpu_to_le16(HCI_MON_SCO_TX_PKT); 328 break; 329 case HCI_ISODATA_PKT: 330 if (bt_cb(skb)->incoming) 331 opcode = cpu_to_le16(HCI_MON_ISO_RX_PKT); 332 else 333 opcode = cpu_to_le16(HCI_MON_ISO_TX_PKT); 334 break; 335 case HCI_DIAG_PKT: 336 opcode = cpu_to_le16(HCI_MON_VENDOR_DIAG); 337 break; 338 default: 339 return; 340 } 341 342 /* Create a private copy with headroom */ 343 skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE, GFP_ATOMIC, true); 344 if (!skb_copy) 345 return; 346 347 /* Put header before the data */ 348 hdr = skb_push(skb_copy, HCI_MON_HDR_SIZE); 349 hdr->opcode = opcode; 350 hdr->index = cpu_to_le16(hdev->id); 351 hdr->len = cpu_to_le16(skb->len); 352 353 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb_copy, 354 HCI_SOCK_TRUSTED, NULL); 355 kfree_skb(skb_copy); 356 } 357 358 void hci_send_monitor_ctrl_event(struct hci_dev *hdev, u16 event, 359 void *data, u16 data_len, ktime_t tstamp, 360 int flag, struct sock *skip_sk) 361 { 362 struct sock *sk; 363 __le16 index; 364 365 if (hdev) 366 index = cpu_to_le16(hdev->id); 367 else 368 index = cpu_to_le16(MGMT_INDEX_NONE); 369 370 read_lock(&hci_sk_list.lock); 371 372 sk_for_each(sk, &hci_sk_list.head) { 373 struct hci_mon_hdr *hdr; 374 struct sk_buff *skb; 375 376 if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL) 377 continue; 378 379 /* Ignore socket without the flag set */ 380 if (!hci_sock_test_flag(sk, flag)) 381 continue; 382 383 /* Skip the original socket */ 384 if (sk == skip_sk) 385 continue; 386 387 skb = bt_skb_alloc(6 + data_len, GFP_ATOMIC); 388 if (!skb) 389 continue; 390 391 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); 392 put_unaligned_le16(event, skb_put(skb, 2)); 393 394 if (data) 395 skb_put_data(skb, data, data_len); 396 397 skb->tstamp = tstamp; 398 399 hdr = skb_push(skb, HCI_MON_HDR_SIZE); 400 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_EVENT); 401 hdr->index = index; 402 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 403 404 __hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 405 HCI_SOCK_TRUSTED, NULL); 406 kfree_skb(skb); 407 } 408 409 read_unlock(&hci_sk_list.lock); 410 } 411 412 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event) 413 { 414 struct hci_mon_hdr *hdr; 415 struct hci_mon_new_index *ni; 416 struct hci_mon_index_info *ii; 417 struct sk_buff *skb; 418 __le16 opcode; 419 420 switch (event) { 421 case HCI_DEV_REG: 422 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC); 423 if (!skb) 424 return NULL; 425 426 ni = skb_put(skb, HCI_MON_NEW_INDEX_SIZE); 427 ni->type = hdev->dev_type; 428 ni->bus = hdev->bus; 429 bacpy(&ni->bdaddr, &hdev->bdaddr); 430 memcpy(ni->name, hdev->name, 8); 431 432 opcode = cpu_to_le16(HCI_MON_NEW_INDEX); 433 break; 434 435 case HCI_DEV_UNREG: 436 skb = bt_skb_alloc(0, GFP_ATOMIC); 437 if (!skb) 438 return NULL; 439 440 opcode = cpu_to_le16(HCI_MON_DEL_INDEX); 441 break; 442 443 case HCI_DEV_SETUP: 444 if (hdev->manufacturer == 0xffff) 445 return NULL; 446 447 /* fall through */ 448 449 case HCI_DEV_UP: 450 skb = bt_skb_alloc(HCI_MON_INDEX_INFO_SIZE, GFP_ATOMIC); 451 if (!skb) 452 return NULL; 453 454 ii = skb_put(skb, HCI_MON_INDEX_INFO_SIZE); 455 bacpy(&ii->bdaddr, &hdev->bdaddr); 456 ii->manufacturer = cpu_to_le16(hdev->manufacturer); 457 458 opcode = cpu_to_le16(HCI_MON_INDEX_INFO); 459 break; 460 461 case HCI_DEV_OPEN: 462 skb = bt_skb_alloc(0, GFP_ATOMIC); 463 if (!skb) 464 return NULL; 465 466 opcode = cpu_to_le16(HCI_MON_OPEN_INDEX); 467 break; 468 469 case HCI_DEV_CLOSE: 470 skb = bt_skb_alloc(0, GFP_ATOMIC); 471 if (!skb) 472 return NULL; 473 474 opcode = cpu_to_le16(HCI_MON_CLOSE_INDEX); 475 break; 476 477 default: 478 return NULL; 479 } 480 481 __net_timestamp(skb); 482 483 hdr = skb_push(skb, HCI_MON_HDR_SIZE); 484 hdr->opcode = opcode; 485 hdr->index = cpu_to_le16(hdev->id); 486 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 487 488 return skb; 489 } 490 491 static struct sk_buff *create_monitor_ctrl_open(struct sock *sk) 492 { 493 struct hci_mon_hdr *hdr; 494 struct sk_buff *skb; 495 u16 format; 496 u8 ver[3]; 497 u32 flags; 498 499 /* No message needed when cookie is not present */ 500 if (!hci_pi(sk)->cookie) 501 return NULL; 502 503 switch (hci_pi(sk)->channel) { 504 case HCI_CHANNEL_RAW: 505 format = 0x0000; 506 ver[0] = BT_SUBSYS_VERSION; 507 put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1); 508 break; 509 case HCI_CHANNEL_USER: 510 format = 0x0001; 511 ver[0] = BT_SUBSYS_VERSION; 512 put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1); 513 break; 514 case HCI_CHANNEL_CONTROL: 515 format = 0x0002; 516 mgmt_fill_version_info(ver); 517 break; 518 default: 519 /* No message for unsupported format */ 520 return NULL; 521 } 522 523 skb = bt_skb_alloc(14 + TASK_COMM_LEN , GFP_ATOMIC); 524 if (!skb) 525 return NULL; 526 527 flags = hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) ? 0x1 : 0x0; 528 529 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); 530 put_unaligned_le16(format, skb_put(skb, 2)); 531 skb_put_data(skb, ver, sizeof(ver)); 532 put_unaligned_le32(flags, skb_put(skb, 4)); 533 skb_put_u8(skb, TASK_COMM_LEN); 534 skb_put_data(skb, hci_pi(sk)->comm, TASK_COMM_LEN); 535 536 __net_timestamp(skb); 537 538 hdr = skb_push(skb, HCI_MON_HDR_SIZE); 539 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_OPEN); 540 if (hci_pi(sk)->hdev) 541 hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id); 542 else 543 hdr->index = cpu_to_le16(HCI_DEV_NONE); 544 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 545 546 return skb; 547 } 548 549 static struct sk_buff *create_monitor_ctrl_close(struct sock *sk) 550 { 551 struct hci_mon_hdr *hdr; 552 struct sk_buff *skb; 553 554 /* No message needed when cookie is not present */ 555 if (!hci_pi(sk)->cookie) 556 return NULL; 557 558 switch (hci_pi(sk)->channel) { 559 case HCI_CHANNEL_RAW: 560 case HCI_CHANNEL_USER: 561 case HCI_CHANNEL_CONTROL: 562 break; 563 default: 564 /* No message for unsupported format */ 565 return NULL; 566 } 567 568 skb = bt_skb_alloc(4, GFP_ATOMIC); 569 if (!skb) 570 return NULL; 571 572 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); 573 574 __net_timestamp(skb); 575 576 hdr = skb_push(skb, HCI_MON_HDR_SIZE); 577 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_CLOSE); 578 if (hci_pi(sk)->hdev) 579 hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id); 580 else 581 hdr->index = cpu_to_le16(HCI_DEV_NONE); 582 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 583 584 return skb; 585 } 586 587 static struct sk_buff *create_monitor_ctrl_command(struct sock *sk, u16 index, 588 u16 opcode, u16 len, 589 const void *buf) 590 { 591 struct hci_mon_hdr *hdr; 592 struct sk_buff *skb; 593 594 skb = bt_skb_alloc(6 + len, GFP_ATOMIC); 595 if (!skb) 596 return NULL; 597 598 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); 599 put_unaligned_le16(opcode, skb_put(skb, 2)); 600 601 if (buf) 602 skb_put_data(skb, buf, len); 603 604 __net_timestamp(skb); 605 606 hdr = skb_push(skb, HCI_MON_HDR_SIZE); 607 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_COMMAND); 608 hdr->index = cpu_to_le16(index); 609 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 610 611 return skb; 612 } 613 614 static void __printf(2, 3) 615 send_monitor_note(struct sock *sk, const char *fmt, ...) 616 { 617 size_t len; 618 struct hci_mon_hdr *hdr; 619 struct sk_buff *skb; 620 va_list args; 621 622 va_start(args, fmt); 623 len = vsnprintf(NULL, 0, fmt, args); 624 va_end(args); 625 626 skb = bt_skb_alloc(len + 1, GFP_ATOMIC); 627 if (!skb) 628 return; 629 630 va_start(args, fmt); 631 vsprintf(skb_put(skb, len), fmt, args); 632 *(u8 *)skb_put(skb, 1) = 0; 633 va_end(args); 634 635 __net_timestamp(skb); 636 637 hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE); 638 hdr->opcode = cpu_to_le16(HCI_MON_SYSTEM_NOTE); 639 hdr->index = cpu_to_le16(HCI_DEV_NONE); 640 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 641 642 if (sock_queue_rcv_skb(sk, skb)) 643 kfree_skb(skb); 644 } 645 646 static void send_monitor_replay(struct sock *sk) 647 { 648 struct hci_dev *hdev; 649 650 read_lock(&hci_dev_list_lock); 651 652 list_for_each_entry(hdev, &hci_dev_list, list) { 653 struct sk_buff *skb; 654 655 skb = create_monitor_event(hdev, HCI_DEV_REG); 656 if (!skb) 657 continue; 658 659 if (sock_queue_rcv_skb(sk, skb)) 660 kfree_skb(skb); 661 662 if (!test_bit(HCI_RUNNING, &hdev->flags)) 663 continue; 664 665 skb = create_monitor_event(hdev, HCI_DEV_OPEN); 666 if (!skb) 667 continue; 668 669 if (sock_queue_rcv_skb(sk, skb)) 670 kfree_skb(skb); 671 672 if (test_bit(HCI_UP, &hdev->flags)) 673 skb = create_monitor_event(hdev, HCI_DEV_UP); 674 else if (hci_dev_test_flag(hdev, HCI_SETUP)) 675 skb = create_monitor_event(hdev, HCI_DEV_SETUP); 676 else 677 skb = NULL; 678 679 if (skb) { 680 if (sock_queue_rcv_skb(sk, skb)) 681 kfree_skb(skb); 682 } 683 } 684 685 read_unlock(&hci_dev_list_lock); 686 } 687 688 static void send_monitor_control_replay(struct sock *mon_sk) 689 { 690 struct sock *sk; 691 692 read_lock(&hci_sk_list.lock); 693 694 sk_for_each(sk, &hci_sk_list.head) { 695 struct sk_buff *skb; 696 697 skb = create_monitor_ctrl_open(sk); 698 if (!skb) 699 continue; 700 701 if (sock_queue_rcv_skb(mon_sk, skb)) 702 kfree_skb(skb); 703 } 704 705 read_unlock(&hci_sk_list.lock); 706 } 707 708 /* Generate internal stack event */ 709 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data) 710 { 711 struct hci_event_hdr *hdr; 712 struct hci_ev_stack_internal *ev; 713 struct sk_buff *skb; 714 715 skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC); 716 if (!skb) 717 return; 718 719 hdr = skb_put(skb, HCI_EVENT_HDR_SIZE); 720 hdr->evt = HCI_EV_STACK_INTERNAL; 721 hdr->plen = sizeof(*ev) + dlen; 722 723 ev = skb_put(skb, sizeof(*ev) + dlen); 724 ev->type = type; 725 memcpy(ev->data, data, dlen); 726 727 bt_cb(skb)->incoming = 1; 728 __net_timestamp(skb); 729 730 hci_skb_pkt_type(skb) = HCI_EVENT_PKT; 731 hci_send_to_sock(hdev, skb); 732 kfree_skb(skb); 733 } 734 735 void hci_sock_dev_event(struct hci_dev *hdev, int event) 736 { 737 BT_DBG("hdev %s event %d", hdev->name, event); 738 739 if (atomic_read(&monitor_promisc)) { 740 struct sk_buff *skb; 741 742 /* Send event to monitor */ 743 skb = create_monitor_event(hdev, event); 744 if (skb) { 745 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 746 HCI_SOCK_TRUSTED, NULL); 747 kfree_skb(skb); 748 } 749 } 750 751 if (event <= HCI_DEV_DOWN) { 752 struct hci_ev_si_device ev; 753 754 /* Send event to sockets */ 755 ev.event = event; 756 ev.dev_id = hdev->id; 757 hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev); 758 } 759 760 if (event == HCI_DEV_UNREG) { 761 struct sock *sk; 762 763 /* Detach sockets from device */ 764 read_lock(&hci_sk_list.lock); 765 sk_for_each(sk, &hci_sk_list.head) { 766 bh_lock_sock_nested(sk); 767 if (hci_pi(sk)->hdev == hdev) { 768 hci_pi(sk)->hdev = NULL; 769 sk->sk_err = EPIPE; 770 sk->sk_state = BT_OPEN; 771 sk->sk_state_change(sk); 772 773 hci_dev_put(hdev); 774 } 775 bh_unlock_sock(sk); 776 } 777 read_unlock(&hci_sk_list.lock); 778 } 779 } 780 781 static struct hci_mgmt_chan *__hci_mgmt_chan_find(unsigned short channel) 782 { 783 struct hci_mgmt_chan *c; 784 785 list_for_each_entry(c, &mgmt_chan_list, list) { 786 if (c->channel == channel) 787 return c; 788 } 789 790 return NULL; 791 } 792 793 static struct hci_mgmt_chan *hci_mgmt_chan_find(unsigned short channel) 794 { 795 struct hci_mgmt_chan *c; 796 797 mutex_lock(&mgmt_chan_list_lock); 798 c = __hci_mgmt_chan_find(channel); 799 mutex_unlock(&mgmt_chan_list_lock); 800 801 return c; 802 } 803 804 int hci_mgmt_chan_register(struct hci_mgmt_chan *c) 805 { 806 if (c->channel < HCI_CHANNEL_CONTROL) 807 return -EINVAL; 808 809 mutex_lock(&mgmt_chan_list_lock); 810 if (__hci_mgmt_chan_find(c->channel)) { 811 mutex_unlock(&mgmt_chan_list_lock); 812 return -EALREADY; 813 } 814 815 list_add_tail(&c->list, &mgmt_chan_list); 816 817 mutex_unlock(&mgmt_chan_list_lock); 818 819 return 0; 820 } 821 EXPORT_SYMBOL(hci_mgmt_chan_register); 822 823 void hci_mgmt_chan_unregister(struct hci_mgmt_chan *c) 824 { 825 mutex_lock(&mgmt_chan_list_lock); 826 list_del(&c->list); 827 mutex_unlock(&mgmt_chan_list_lock); 828 } 829 EXPORT_SYMBOL(hci_mgmt_chan_unregister); 830 831 static int hci_sock_release(struct socket *sock) 832 { 833 struct sock *sk = sock->sk; 834 struct hci_dev *hdev; 835 struct sk_buff *skb; 836 837 BT_DBG("sock %p sk %p", sock, sk); 838 839 if (!sk) 840 return 0; 841 842 lock_sock(sk); 843 844 switch (hci_pi(sk)->channel) { 845 case HCI_CHANNEL_MONITOR: 846 atomic_dec(&monitor_promisc); 847 break; 848 case HCI_CHANNEL_RAW: 849 case HCI_CHANNEL_USER: 850 case HCI_CHANNEL_CONTROL: 851 /* Send event to monitor */ 852 skb = create_monitor_ctrl_close(sk); 853 if (skb) { 854 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 855 HCI_SOCK_TRUSTED, NULL); 856 kfree_skb(skb); 857 } 858 859 hci_sock_free_cookie(sk); 860 break; 861 } 862 863 bt_sock_unlink(&hci_sk_list, sk); 864 865 hdev = hci_pi(sk)->hdev; 866 if (hdev) { 867 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { 868 /* When releasing a user channel exclusive access, 869 * call hci_dev_do_close directly instead of calling 870 * hci_dev_close to ensure the exclusive access will 871 * be released and the controller brought back down. 872 * 873 * The checking of HCI_AUTO_OFF is not needed in this 874 * case since it will have been cleared already when 875 * opening the user channel. 876 */ 877 hci_dev_do_close(hdev); 878 hci_dev_clear_flag(hdev, HCI_USER_CHANNEL); 879 mgmt_index_added(hdev); 880 } 881 882 atomic_dec(&hdev->promisc); 883 hci_dev_put(hdev); 884 } 885 886 sock_orphan(sk); 887 888 skb_queue_purge(&sk->sk_receive_queue); 889 skb_queue_purge(&sk->sk_write_queue); 890 891 release_sock(sk); 892 sock_put(sk); 893 return 0; 894 } 895 896 static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg) 897 { 898 bdaddr_t bdaddr; 899 int err; 900 901 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 902 return -EFAULT; 903 904 hci_dev_lock(hdev); 905 906 err = hci_bdaddr_list_add(&hdev->blacklist, &bdaddr, BDADDR_BREDR); 907 908 hci_dev_unlock(hdev); 909 910 return err; 911 } 912 913 static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg) 914 { 915 bdaddr_t bdaddr; 916 int err; 917 918 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 919 return -EFAULT; 920 921 hci_dev_lock(hdev); 922 923 err = hci_bdaddr_list_del(&hdev->blacklist, &bdaddr, BDADDR_BREDR); 924 925 hci_dev_unlock(hdev); 926 927 return err; 928 } 929 930 /* Ioctls that require bound socket */ 931 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, 932 unsigned long arg) 933 { 934 struct hci_dev *hdev = hci_pi(sk)->hdev; 935 936 if (!hdev) 937 return -EBADFD; 938 939 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) 940 return -EBUSY; 941 942 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) 943 return -EOPNOTSUPP; 944 945 if (hdev->dev_type != HCI_PRIMARY) 946 return -EOPNOTSUPP; 947 948 switch (cmd) { 949 case HCISETRAW: 950 if (!capable(CAP_NET_ADMIN)) 951 return -EPERM; 952 return -EOPNOTSUPP; 953 954 case HCIGETCONNINFO: 955 return hci_get_conn_info(hdev, (void __user *)arg); 956 957 case HCIGETAUTHINFO: 958 return hci_get_auth_info(hdev, (void __user *)arg); 959 960 case HCIBLOCKADDR: 961 if (!capable(CAP_NET_ADMIN)) 962 return -EPERM; 963 return hci_sock_blacklist_add(hdev, (void __user *)arg); 964 965 case HCIUNBLOCKADDR: 966 if (!capable(CAP_NET_ADMIN)) 967 return -EPERM; 968 return hci_sock_blacklist_del(hdev, (void __user *)arg); 969 } 970 971 return -ENOIOCTLCMD; 972 } 973 974 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd, 975 unsigned long arg) 976 { 977 void __user *argp = (void __user *)arg; 978 struct sock *sk = sock->sk; 979 int err; 980 981 BT_DBG("cmd %x arg %lx", cmd, arg); 982 983 lock_sock(sk); 984 985 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { 986 err = -EBADFD; 987 goto done; 988 } 989 990 /* When calling an ioctl on an unbound raw socket, then ensure 991 * that the monitor gets informed. Ensure that the resulting event 992 * is only send once by checking if the cookie exists or not. The 993 * socket cookie will be only ever generated once for the lifetime 994 * of a given socket. 995 */ 996 if (hci_sock_gen_cookie(sk)) { 997 struct sk_buff *skb; 998 999 if (capable(CAP_NET_ADMIN)) 1000 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); 1001 1002 /* Send event to monitor */ 1003 skb = create_monitor_ctrl_open(sk); 1004 if (skb) { 1005 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1006 HCI_SOCK_TRUSTED, NULL); 1007 kfree_skb(skb); 1008 } 1009 } 1010 1011 release_sock(sk); 1012 1013 switch (cmd) { 1014 case HCIGETDEVLIST: 1015 return hci_get_dev_list(argp); 1016 1017 case HCIGETDEVINFO: 1018 return hci_get_dev_info(argp); 1019 1020 case HCIGETCONNLIST: 1021 return hci_get_conn_list(argp); 1022 1023 case HCIDEVUP: 1024 if (!capable(CAP_NET_ADMIN)) 1025 return -EPERM; 1026 return hci_dev_open(arg); 1027 1028 case HCIDEVDOWN: 1029 if (!capable(CAP_NET_ADMIN)) 1030 return -EPERM; 1031 return hci_dev_close(arg); 1032 1033 case HCIDEVRESET: 1034 if (!capable(CAP_NET_ADMIN)) 1035 return -EPERM; 1036 return hci_dev_reset(arg); 1037 1038 case HCIDEVRESTAT: 1039 if (!capable(CAP_NET_ADMIN)) 1040 return -EPERM; 1041 return hci_dev_reset_stat(arg); 1042 1043 case HCISETSCAN: 1044 case HCISETAUTH: 1045 case HCISETENCRYPT: 1046 case HCISETPTYPE: 1047 case HCISETLINKPOL: 1048 case HCISETLINKMODE: 1049 case HCISETACLMTU: 1050 case HCISETSCOMTU: 1051 if (!capable(CAP_NET_ADMIN)) 1052 return -EPERM; 1053 return hci_dev_cmd(cmd, argp); 1054 1055 case HCIINQUIRY: 1056 return hci_inquiry(argp); 1057 } 1058 1059 lock_sock(sk); 1060 1061 err = hci_sock_bound_ioctl(sk, cmd, arg); 1062 1063 done: 1064 release_sock(sk); 1065 return err; 1066 } 1067 1068 #ifdef CONFIG_COMPAT 1069 static int hci_sock_compat_ioctl(struct socket *sock, unsigned int cmd, 1070 unsigned long arg) 1071 { 1072 switch (cmd) { 1073 case HCIDEVUP: 1074 case HCIDEVDOWN: 1075 case HCIDEVRESET: 1076 case HCIDEVRESTAT: 1077 return hci_sock_ioctl(sock, cmd, arg); 1078 } 1079 1080 return hci_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg)); 1081 } 1082 #endif 1083 1084 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr, 1085 int addr_len) 1086 { 1087 struct sockaddr_hci haddr; 1088 struct sock *sk = sock->sk; 1089 struct hci_dev *hdev = NULL; 1090 struct sk_buff *skb; 1091 int len, err = 0; 1092 1093 BT_DBG("sock %p sk %p", sock, sk); 1094 1095 if (!addr) 1096 return -EINVAL; 1097 1098 memset(&haddr, 0, sizeof(haddr)); 1099 len = min_t(unsigned int, sizeof(haddr), addr_len); 1100 memcpy(&haddr, addr, len); 1101 1102 if (haddr.hci_family != AF_BLUETOOTH) 1103 return -EINVAL; 1104 1105 lock_sock(sk); 1106 1107 if (sk->sk_state == BT_BOUND) { 1108 err = -EALREADY; 1109 goto done; 1110 } 1111 1112 switch (haddr.hci_channel) { 1113 case HCI_CHANNEL_RAW: 1114 if (hci_pi(sk)->hdev) { 1115 err = -EALREADY; 1116 goto done; 1117 } 1118 1119 if (haddr.hci_dev != HCI_DEV_NONE) { 1120 hdev = hci_dev_get(haddr.hci_dev); 1121 if (!hdev) { 1122 err = -ENODEV; 1123 goto done; 1124 } 1125 1126 atomic_inc(&hdev->promisc); 1127 } 1128 1129 hci_pi(sk)->channel = haddr.hci_channel; 1130 1131 if (!hci_sock_gen_cookie(sk)) { 1132 /* In the case when a cookie has already been assigned, 1133 * then there has been already an ioctl issued against 1134 * an unbound socket and with that triggerd an open 1135 * notification. Send a close notification first to 1136 * allow the state transition to bounded. 1137 */ 1138 skb = create_monitor_ctrl_close(sk); 1139 if (skb) { 1140 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1141 HCI_SOCK_TRUSTED, NULL); 1142 kfree_skb(skb); 1143 } 1144 } 1145 1146 if (capable(CAP_NET_ADMIN)) 1147 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); 1148 1149 hci_pi(sk)->hdev = hdev; 1150 1151 /* Send event to monitor */ 1152 skb = create_monitor_ctrl_open(sk); 1153 if (skb) { 1154 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1155 HCI_SOCK_TRUSTED, NULL); 1156 kfree_skb(skb); 1157 } 1158 break; 1159 1160 case HCI_CHANNEL_USER: 1161 if (hci_pi(sk)->hdev) { 1162 err = -EALREADY; 1163 goto done; 1164 } 1165 1166 if (haddr.hci_dev == HCI_DEV_NONE) { 1167 err = -EINVAL; 1168 goto done; 1169 } 1170 1171 if (!capable(CAP_NET_ADMIN)) { 1172 err = -EPERM; 1173 goto done; 1174 } 1175 1176 hdev = hci_dev_get(haddr.hci_dev); 1177 if (!hdev) { 1178 err = -ENODEV; 1179 goto done; 1180 } 1181 1182 if (test_bit(HCI_INIT, &hdev->flags) || 1183 hci_dev_test_flag(hdev, HCI_SETUP) || 1184 hci_dev_test_flag(hdev, HCI_CONFIG) || 1185 (!hci_dev_test_flag(hdev, HCI_AUTO_OFF) && 1186 test_bit(HCI_UP, &hdev->flags))) { 1187 err = -EBUSY; 1188 hci_dev_put(hdev); 1189 goto done; 1190 } 1191 1192 if (hci_dev_test_and_set_flag(hdev, HCI_USER_CHANNEL)) { 1193 err = -EUSERS; 1194 hci_dev_put(hdev); 1195 goto done; 1196 } 1197 1198 mgmt_index_removed(hdev); 1199 1200 err = hci_dev_open(hdev->id); 1201 if (err) { 1202 if (err == -EALREADY) { 1203 /* In case the transport is already up and 1204 * running, clear the error here. 1205 * 1206 * This can happen when opening a user 1207 * channel and HCI_AUTO_OFF grace period 1208 * is still active. 1209 */ 1210 err = 0; 1211 } else { 1212 hci_dev_clear_flag(hdev, HCI_USER_CHANNEL); 1213 mgmt_index_added(hdev); 1214 hci_dev_put(hdev); 1215 goto done; 1216 } 1217 } 1218 1219 hci_pi(sk)->channel = haddr.hci_channel; 1220 1221 if (!hci_sock_gen_cookie(sk)) { 1222 /* In the case when a cookie has already been assigned, 1223 * this socket will transition from a raw socket into 1224 * a user channel socket. For a clean transition, send 1225 * the close notification first. 1226 */ 1227 skb = create_monitor_ctrl_close(sk); 1228 if (skb) { 1229 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1230 HCI_SOCK_TRUSTED, NULL); 1231 kfree_skb(skb); 1232 } 1233 } 1234 1235 /* The user channel is restricted to CAP_NET_ADMIN 1236 * capabilities and with that implicitly trusted. 1237 */ 1238 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); 1239 1240 hci_pi(sk)->hdev = hdev; 1241 1242 /* Send event to monitor */ 1243 skb = create_monitor_ctrl_open(sk); 1244 if (skb) { 1245 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1246 HCI_SOCK_TRUSTED, NULL); 1247 kfree_skb(skb); 1248 } 1249 1250 atomic_inc(&hdev->promisc); 1251 break; 1252 1253 case HCI_CHANNEL_MONITOR: 1254 if (haddr.hci_dev != HCI_DEV_NONE) { 1255 err = -EINVAL; 1256 goto done; 1257 } 1258 1259 if (!capable(CAP_NET_RAW)) { 1260 err = -EPERM; 1261 goto done; 1262 } 1263 1264 hci_pi(sk)->channel = haddr.hci_channel; 1265 1266 /* The monitor interface is restricted to CAP_NET_RAW 1267 * capabilities and with that implicitly trusted. 1268 */ 1269 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); 1270 1271 send_monitor_note(sk, "Linux version %s (%s)", 1272 init_utsname()->release, 1273 init_utsname()->machine); 1274 send_monitor_note(sk, "Bluetooth subsystem version %u.%u", 1275 BT_SUBSYS_VERSION, BT_SUBSYS_REVISION); 1276 send_monitor_replay(sk); 1277 send_monitor_control_replay(sk); 1278 1279 atomic_inc(&monitor_promisc); 1280 break; 1281 1282 case HCI_CHANNEL_LOGGING: 1283 if (haddr.hci_dev != HCI_DEV_NONE) { 1284 err = -EINVAL; 1285 goto done; 1286 } 1287 1288 if (!capable(CAP_NET_ADMIN)) { 1289 err = -EPERM; 1290 goto done; 1291 } 1292 1293 hci_pi(sk)->channel = haddr.hci_channel; 1294 break; 1295 1296 default: 1297 if (!hci_mgmt_chan_find(haddr.hci_channel)) { 1298 err = -EINVAL; 1299 goto done; 1300 } 1301 1302 if (haddr.hci_dev != HCI_DEV_NONE) { 1303 err = -EINVAL; 1304 goto done; 1305 } 1306 1307 /* Users with CAP_NET_ADMIN capabilities are allowed 1308 * access to all management commands and events. For 1309 * untrusted users the interface is restricted and 1310 * also only untrusted events are sent. 1311 */ 1312 if (capable(CAP_NET_ADMIN)) 1313 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); 1314 1315 hci_pi(sk)->channel = haddr.hci_channel; 1316 1317 /* At the moment the index and unconfigured index events 1318 * are enabled unconditionally. Setting them on each 1319 * socket when binding keeps this functionality. They 1320 * however might be cleared later and then sending of these 1321 * events will be disabled, but that is then intentional. 1322 * 1323 * This also enables generic events that are safe to be 1324 * received by untrusted users. Example for such events 1325 * are changes to settings, class of device, name etc. 1326 */ 1327 if (hci_pi(sk)->channel == HCI_CHANNEL_CONTROL) { 1328 if (!hci_sock_gen_cookie(sk)) { 1329 /* In the case when a cookie has already been 1330 * assigned, this socket will transtion from 1331 * a raw socket into a control socket. To 1332 * allow for a clean transtion, send the 1333 * close notification first. 1334 */ 1335 skb = create_monitor_ctrl_close(sk); 1336 if (skb) { 1337 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1338 HCI_SOCK_TRUSTED, NULL); 1339 kfree_skb(skb); 1340 } 1341 } 1342 1343 /* Send event to monitor */ 1344 skb = create_monitor_ctrl_open(sk); 1345 if (skb) { 1346 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1347 HCI_SOCK_TRUSTED, NULL); 1348 kfree_skb(skb); 1349 } 1350 1351 hci_sock_set_flag(sk, HCI_MGMT_INDEX_EVENTS); 1352 hci_sock_set_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS); 1353 hci_sock_set_flag(sk, HCI_MGMT_OPTION_EVENTS); 1354 hci_sock_set_flag(sk, HCI_MGMT_SETTING_EVENTS); 1355 hci_sock_set_flag(sk, HCI_MGMT_DEV_CLASS_EVENTS); 1356 hci_sock_set_flag(sk, HCI_MGMT_LOCAL_NAME_EVENTS); 1357 } 1358 break; 1359 } 1360 1361 sk->sk_state = BT_BOUND; 1362 1363 done: 1364 release_sock(sk); 1365 return err; 1366 } 1367 1368 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr, 1369 int peer) 1370 { 1371 struct sockaddr_hci *haddr = (struct sockaddr_hci *)addr; 1372 struct sock *sk = sock->sk; 1373 struct hci_dev *hdev; 1374 int err = 0; 1375 1376 BT_DBG("sock %p sk %p", sock, sk); 1377 1378 if (peer) 1379 return -EOPNOTSUPP; 1380 1381 lock_sock(sk); 1382 1383 hdev = hci_pi(sk)->hdev; 1384 if (!hdev) { 1385 err = -EBADFD; 1386 goto done; 1387 } 1388 1389 haddr->hci_family = AF_BLUETOOTH; 1390 haddr->hci_dev = hdev->id; 1391 haddr->hci_channel= hci_pi(sk)->channel; 1392 err = sizeof(*haddr); 1393 1394 done: 1395 release_sock(sk); 1396 return err; 1397 } 1398 1399 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg, 1400 struct sk_buff *skb) 1401 { 1402 __u32 mask = hci_pi(sk)->cmsg_mask; 1403 1404 if (mask & HCI_CMSG_DIR) { 1405 int incoming = bt_cb(skb)->incoming; 1406 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming), 1407 &incoming); 1408 } 1409 1410 if (mask & HCI_CMSG_TSTAMP) { 1411 #ifdef CONFIG_COMPAT 1412 struct old_timeval32 ctv; 1413 #endif 1414 struct __kernel_old_timeval tv; 1415 void *data; 1416 int len; 1417 1418 skb_get_timestamp(skb, &tv); 1419 1420 data = &tv; 1421 len = sizeof(tv); 1422 #ifdef CONFIG_COMPAT 1423 if (!COMPAT_USE_64BIT_TIME && 1424 (msg->msg_flags & MSG_CMSG_COMPAT)) { 1425 ctv.tv_sec = tv.tv_sec; 1426 ctv.tv_usec = tv.tv_usec; 1427 data = &ctv; 1428 len = sizeof(ctv); 1429 } 1430 #endif 1431 1432 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data); 1433 } 1434 } 1435 1436 static int hci_sock_recvmsg(struct socket *sock, struct msghdr *msg, 1437 size_t len, int flags) 1438 { 1439 int noblock = flags & MSG_DONTWAIT; 1440 struct sock *sk = sock->sk; 1441 struct sk_buff *skb; 1442 int copied, err; 1443 unsigned int skblen; 1444 1445 BT_DBG("sock %p, sk %p", sock, sk); 1446 1447 if (flags & MSG_OOB) 1448 return -EOPNOTSUPP; 1449 1450 if (hci_pi(sk)->channel == HCI_CHANNEL_LOGGING) 1451 return -EOPNOTSUPP; 1452 1453 if (sk->sk_state == BT_CLOSED) 1454 return 0; 1455 1456 skb = skb_recv_datagram(sk, flags, noblock, &err); 1457 if (!skb) 1458 return err; 1459 1460 skblen = skb->len; 1461 copied = skb->len; 1462 if (len < copied) { 1463 msg->msg_flags |= MSG_TRUNC; 1464 copied = len; 1465 } 1466 1467 skb_reset_transport_header(skb); 1468 err = skb_copy_datagram_msg(skb, 0, msg, copied); 1469 1470 switch (hci_pi(sk)->channel) { 1471 case HCI_CHANNEL_RAW: 1472 hci_sock_cmsg(sk, msg, skb); 1473 break; 1474 case HCI_CHANNEL_USER: 1475 case HCI_CHANNEL_MONITOR: 1476 sock_recv_timestamp(msg, sk, skb); 1477 break; 1478 default: 1479 if (hci_mgmt_chan_find(hci_pi(sk)->channel)) 1480 sock_recv_timestamp(msg, sk, skb); 1481 break; 1482 } 1483 1484 skb_free_datagram(sk, skb); 1485 1486 if (flags & MSG_TRUNC) 1487 copied = skblen; 1488 1489 return err ? : copied; 1490 } 1491 1492 static int hci_mgmt_cmd(struct hci_mgmt_chan *chan, struct sock *sk, 1493 struct msghdr *msg, size_t msglen) 1494 { 1495 void *buf; 1496 u8 *cp; 1497 struct mgmt_hdr *hdr; 1498 u16 opcode, index, len; 1499 struct hci_dev *hdev = NULL; 1500 const struct hci_mgmt_handler *handler; 1501 bool var_len, no_hdev; 1502 int err; 1503 1504 BT_DBG("got %zu bytes", msglen); 1505 1506 if (msglen < sizeof(*hdr)) 1507 return -EINVAL; 1508 1509 buf = kmalloc(msglen, GFP_KERNEL); 1510 if (!buf) 1511 return -ENOMEM; 1512 1513 if (memcpy_from_msg(buf, msg, msglen)) { 1514 err = -EFAULT; 1515 goto done; 1516 } 1517 1518 hdr = buf; 1519 opcode = __le16_to_cpu(hdr->opcode); 1520 index = __le16_to_cpu(hdr->index); 1521 len = __le16_to_cpu(hdr->len); 1522 1523 if (len != msglen - sizeof(*hdr)) { 1524 err = -EINVAL; 1525 goto done; 1526 } 1527 1528 if (chan->channel == HCI_CHANNEL_CONTROL) { 1529 struct sk_buff *skb; 1530 1531 /* Send event to monitor */ 1532 skb = create_monitor_ctrl_command(sk, index, opcode, len, 1533 buf + sizeof(*hdr)); 1534 if (skb) { 1535 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1536 HCI_SOCK_TRUSTED, NULL); 1537 kfree_skb(skb); 1538 } 1539 } 1540 1541 if (opcode >= chan->handler_count || 1542 chan->handlers[opcode].func == NULL) { 1543 BT_DBG("Unknown op %u", opcode); 1544 err = mgmt_cmd_status(sk, index, opcode, 1545 MGMT_STATUS_UNKNOWN_COMMAND); 1546 goto done; 1547 } 1548 1549 handler = &chan->handlers[opcode]; 1550 1551 if (!hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) && 1552 !(handler->flags & HCI_MGMT_UNTRUSTED)) { 1553 err = mgmt_cmd_status(sk, index, opcode, 1554 MGMT_STATUS_PERMISSION_DENIED); 1555 goto done; 1556 } 1557 1558 if (index != MGMT_INDEX_NONE) { 1559 hdev = hci_dev_get(index); 1560 if (!hdev) { 1561 err = mgmt_cmd_status(sk, index, opcode, 1562 MGMT_STATUS_INVALID_INDEX); 1563 goto done; 1564 } 1565 1566 if (hci_dev_test_flag(hdev, HCI_SETUP) || 1567 hci_dev_test_flag(hdev, HCI_CONFIG) || 1568 hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) { 1569 err = mgmt_cmd_status(sk, index, opcode, 1570 MGMT_STATUS_INVALID_INDEX); 1571 goto done; 1572 } 1573 1574 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) && 1575 !(handler->flags & HCI_MGMT_UNCONFIGURED)) { 1576 err = mgmt_cmd_status(sk, index, opcode, 1577 MGMT_STATUS_INVALID_INDEX); 1578 goto done; 1579 } 1580 } 1581 1582 if (!(handler->flags & HCI_MGMT_HDEV_OPTIONAL)) { 1583 no_hdev = (handler->flags & HCI_MGMT_NO_HDEV); 1584 if (no_hdev != !hdev) { 1585 err = mgmt_cmd_status(sk, index, opcode, 1586 MGMT_STATUS_INVALID_INDEX); 1587 goto done; 1588 } 1589 } 1590 1591 var_len = (handler->flags & HCI_MGMT_VAR_LEN); 1592 if ((var_len && len < handler->data_len) || 1593 (!var_len && len != handler->data_len)) { 1594 err = mgmt_cmd_status(sk, index, opcode, 1595 MGMT_STATUS_INVALID_PARAMS); 1596 goto done; 1597 } 1598 1599 if (hdev && chan->hdev_init) 1600 chan->hdev_init(sk, hdev); 1601 1602 cp = buf + sizeof(*hdr); 1603 1604 err = handler->func(sk, hdev, cp, len); 1605 if (err < 0) 1606 goto done; 1607 1608 err = msglen; 1609 1610 done: 1611 if (hdev) 1612 hci_dev_put(hdev); 1613 1614 kfree(buf); 1615 return err; 1616 } 1617 1618 static int hci_logging_frame(struct sock *sk, struct msghdr *msg, int len) 1619 { 1620 struct hci_mon_hdr *hdr; 1621 struct sk_buff *skb; 1622 struct hci_dev *hdev; 1623 u16 index; 1624 int err; 1625 1626 /* The logging frame consists at minimum of the standard header, 1627 * the priority byte, the ident length byte and at least one string 1628 * terminator NUL byte. Anything shorter are invalid packets. 1629 */ 1630 if (len < sizeof(*hdr) + 3) 1631 return -EINVAL; 1632 1633 skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err); 1634 if (!skb) 1635 return err; 1636 1637 if (memcpy_from_msg(skb_put(skb, len), msg, len)) { 1638 err = -EFAULT; 1639 goto drop; 1640 } 1641 1642 hdr = (void *)skb->data; 1643 1644 if (__le16_to_cpu(hdr->len) != len - sizeof(*hdr)) { 1645 err = -EINVAL; 1646 goto drop; 1647 } 1648 1649 if (__le16_to_cpu(hdr->opcode) == 0x0000) { 1650 __u8 priority = skb->data[sizeof(*hdr)]; 1651 __u8 ident_len = skb->data[sizeof(*hdr) + 1]; 1652 1653 /* Only the priorities 0-7 are valid and with that any other 1654 * value results in an invalid packet. 1655 * 1656 * The priority byte is followed by an ident length byte and 1657 * the NUL terminated ident string. Check that the ident 1658 * length is not overflowing the packet and also that the 1659 * ident string itself is NUL terminated. In case the ident 1660 * length is zero, the length value actually doubles as NUL 1661 * terminator identifier. 1662 * 1663 * The message follows the ident string (if present) and 1664 * must be NUL terminated. Otherwise it is not a valid packet. 1665 */ 1666 if (priority > 7 || skb->data[len - 1] != 0x00 || 1667 ident_len > len - sizeof(*hdr) - 3 || 1668 skb->data[sizeof(*hdr) + ident_len + 1] != 0x00) { 1669 err = -EINVAL; 1670 goto drop; 1671 } 1672 } else { 1673 err = -EINVAL; 1674 goto drop; 1675 } 1676 1677 index = __le16_to_cpu(hdr->index); 1678 1679 if (index != MGMT_INDEX_NONE) { 1680 hdev = hci_dev_get(index); 1681 if (!hdev) { 1682 err = -ENODEV; 1683 goto drop; 1684 } 1685 } else { 1686 hdev = NULL; 1687 } 1688 1689 hdr->opcode = cpu_to_le16(HCI_MON_USER_LOGGING); 1690 1691 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, HCI_SOCK_TRUSTED, NULL); 1692 err = len; 1693 1694 if (hdev) 1695 hci_dev_put(hdev); 1696 1697 drop: 1698 kfree_skb(skb); 1699 return err; 1700 } 1701 1702 static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg, 1703 size_t len) 1704 { 1705 struct sock *sk = sock->sk; 1706 struct hci_mgmt_chan *chan; 1707 struct hci_dev *hdev; 1708 struct sk_buff *skb; 1709 int err; 1710 1711 BT_DBG("sock %p sk %p", sock, sk); 1712 1713 if (msg->msg_flags & MSG_OOB) 1714 return -EOPNOTSUPP; 1715 1716 if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE| 1717 MSG_CMSG_COMPAT)) 1718 return -EINVAL; 1719 1720 if (len < 4 || len > HCI_MAX_FRAME_SIZE) 1721 return -EINVAL; 1722 1723 lock_sock(sk); 1724 1725 switch (hci_pi(sk)->channel) { 1726 case HCI_CHANNEL_RAW: 1727 case HCI_CHANNEL_USER: 1728 break; 1729 case HCI_CHANNEL_MONITOR: 1730 err = -EOPNOTSUPP; 1731 goto done; 1732 case HCI_CHANNEL_LOGGING: 1733 err = hci_logging_frame(sk, msg, len); 1734 goto done; 1735 default: 1736 mutex_lock(&mgmt_chan_list_lock); 1737 chan = __hci_mgmt_chan_find(hci_pi(sk)->channel); 1738 if (chan) 1739 err = hci_mgmt_cmd(chan, sk, msg, len); 1740 else 1741 err = -EINVAL; 1742 1743 mutex_unlock(&mgmt_chan_list_lock); 1744 goto done; 1745 } 1746 1747 hdev = hci_pi(sk)->hdev; 1748 if (!hdev) { 1749 err = -EBADFD; 1750 goto done; 1751 } 1752 1753 if (!test_bit(HCI_UP, &hdev->flags)) { 1754 err = -ENETDOWN; 1755 goto done; 1756 } 1757 1758 skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err); 1759 if (!skb) 1760 goto done; 1761 1762 if (memcpy_from_msg(skb_put(skb, len), msg, len)) { 1763 err = -EFAULT; 1764 goto drop; 1765 } 1766 1767 hci_skb_pkt_type(skb) = skb->data[0]; 1768 skb_pull(skb, 1); 1769 1770 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { 1771 /* No permission check is needed for user channel 1772 * since that gets enforced when binding the socket. 1773 * 1774 * However check that the packet type is valid. 1775 */ 1776 if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT && 1777 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT && 1778 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT && 1779 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT) { 1780 err = -EINVAL; 1781 goto drop; 1782 } 1783 1784 skb_queue_tail(&hdev->raw_q, skb); 1785 queue_work(hdev->workqueue, &hdev->tx_work); 1786 } else if (hci_skb_pkt_type(skb) == HCI_COMMAND_PKT) { 1787 u16 opcode = get_unaligned_le16(skb->data); 1788 u16 ogf = hci_opcode_ogf(opcode); 1789 u16 ocf = hci_opcode_ocf(opcode); 1790 1791 if (((ogf > HCI_SFLT_MAX_OGF) || 1792 !hci_test_bit(ocf & HCI_FLT_OCF_BITS, 1793 &hci_sec_filter.ocf_mask[ogf])) && 1794 !capable(CAP_NET_RAW)) { 1795 err = -EPERM; 1796 goto drop; 1797 } 1798 1799 /* Since the opcode has already been extracted here, store 1800 * a copy of the value for later use by the drivers. 1801 */ 1802 hci_skb_opcode(skb) = opcode; 1803 1804 if (ogf == 0x3f) { 1805 skb_queue_tail(&hdev->raw_q, skb); 1806 queue_work(hdev->workqueue, &hdev->tx_work); 1807 } else { 1808 /* Stand-alone HCI commands must be flagged as 1809 * single-command requests. 1810 */ 1811 bt_cb(skb)->hci.req_flags |= HCI_REQ_START; 1812 1813 skb_queue_tail(&hdev->cmd_q, skb); 1814 queue_work(hdev->workqueue, &hdev->cmd_work); 1815 } 1816 } else { 1817 if (!capable(CAP_NET_RAW)) { 1818 err = -EPERM; 1819 goto drop; 1820 } 1821 1822 if (hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT && 1823 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT && 1824 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT) { 1825 err = -EINVAL; 1826 goto drop; 1827 } 1828 1829 skb_queue_tail(&hdev->raw_q, skb); 1830 queue_work(hdev->workqueue, &hdev->tx_work); 1831 } 1832 1833 err = len; 1834 1835 done: 1836 release_sock(sk); 1837 return err; 1838 1839 drop: 1840 kfree_skb(skb); 1841 goto done; 1842 } 1843 1844 static int hci_sock_setsockopt(struct socket *sock, int level, int optname, 1845 char __user *optval, unsigned int len) 1846 { 1847 struct hci_ufilter uf = { .opcode = 0 }; 1848 struct sock *sk = sock->sk; 1849 int err = 0, opt = 0; 1850 1851 BT_DBG("sk %p, opt %d", sk, optname); 1852 1853 if (level != SOL_HCI) 1854 return -ENOPROTOOPT; 1855 1856 lock_sock(sk); 1857 1858 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { 1859 err = -EBADFD; 1860 goto done; 1861 } 1862 1863 switch (optname) { 1864 case HCI_DATA_DIR: 1865 if (get_user(opt, (int __user *)optval)) { 1866 err = -EFAULT; 1867 break; 1868 } 1869 1870 if (opt) 1871 hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR; 1872 else 1873 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR; 1874 break; 1875 1876 case HCI_TIME_STAMP: 1877 if (get_user(opt, (int __user *)optval)) { 1878 err = -EFAULT; 1879 break; 1880 } 1881 1882 if (opt) 1883 hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP; 1884 else 1885 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP; 1886 break; 1887 1888 case HCI_FILTER: 1889 { 1890 struct hci_filter *f = &hci_pi(sk)->filter; 1891 1892 uf.type_mask = f->type_mask; 1893 uf.opcode = f->opcode; 1894 uf.event_mask[0] = *((u32 *) f->event_mask + 0); 1895 uf.event_mask[1] = *((u32 *) f->event_mask + 1); 1896 } 1897 1898 len = min_t(unsigned int, len, sizeof(uf)); 1899 if (copy_from_user(&uf, optval, len)) { 1900 err = -EFAULT; 1901 break; 1902 } 1903 1904 if (!capable(CAP_NET_RAW)) { 1905 uf.type_mask &= hci_sec_filter.type_mask; 1906 uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0); 1907 uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1); 1908 } 1909 1910 { 1911 struct hci_filter *f = &hci_pi(sk)->filter; 1912 1913 f->type_mask = uf.type_mask; 1914 f->opcode = uf.opcode; 1915 *((u32 *) f->event_mask + 0) = uf.event_mask[0]; 1916 *((u32 *) f->event_mask + 1) = uf.event_mask[1]; 1917 } 1918 break; 1919 1920 default: 1921 err = -ENOPROTOOPT; 1922 break; 1923 } 1924 1925 done: 1926 release_sock(sk); 1927 return err; 1928 } 1929 1930 static int hci_sock_getsockopt(struct socket *sock, int level, int optname, 1931 char __user *optval, int __user *optlen) 1932 { 1933 struct hci_ufilter uf; 1934 struct sock *sk = sock->sk; 1935 int len, opt, err = 0; 1936 1937 BT_DBG("sk %p, opt %d", sk, optname); 1938 1939 if (level != SOL_HCI) 1940 return -ENOPROTOOPT; 1941 1942 if (get_user(len, optlen)) 1943 return -EFAULT; 1944 1945 lock_sock(sk); 1946 1947 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { 1948 err = -EBADFD; 1949 goto done; 1950 } 1951 1952 switch (optname) { 1953 case HCI_DATA_DIR: 1954 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR) 1955 opt = 1; 1956 else 1957 opt = 0; 1958 1959 if (put_user(opt, optval)) 1960 err = -EFAULT; 1961 break; 1962 1963 case HCI_TIME_STAMP: 1964 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP) 1965 opt = 1; 1966 else 1967 opt = 0; 1968 1969 if (put_user(opt, optval)) 1970 err = -EFAULT; 1971 break; 1972 1973 case HCI_FILTER: 1974 { 1975 struct hci_filter *f = &hci_pi(sk)->filter; 1976 1977 memset(&uf, 0, sizeof(uf)); 1978 uf.type_mask = f->type_mask; 1979 uf.opcode = f->opcode; 1980 uf.event_mask[0] = *((u32 *) f->event_mask + 0); 1981 uf.event_mask[1] = *((u32 *) f->event_mask + 1); 1982 } 1983 1984 len = min_t(unsigned int, len, sizeof(uf)); 1985 if (copy_to_user(optval, &uf, len)) 1986 err = -EFAULT; 1987 break; 1988 1989 default: 1990 err = -ENOPROTOOPT; 1991 break; 1992 } 1993 1994 done: 1995 release_sock(sk); 1996 return err; 1997 } 1998 1999 static const struct proto_ops hci_sock_ops = { 2000 .family = PF_BLUETOOTH, 2001 .owner = THIS_MODULE, 2002 .release = hci_sock_release, 2003 .bind = hci_sock_bind, 2004 .getname = hci_sock_getname, 2005 .sendmsg = hci_sock_sendmsg, 2006 .recvmsg = hci_sock_recvmsg, 2007 .ioctl = hci_sock_ioctl, 2008 #ifdef CONFIG_COMPAT 2009 .compat_ioctl = hci_sock_compat_ioctl, 2010 #endif 2011 .poll = datagram_poll, 2012 .listen = sock_no_listen, 2013 .shutdown = sock_no_shutdown, 2014 .setsockopt = hci_sock_setsockopt, 2015 .getsockopt = hci_sock_getsockopt, 2016 .connect = sock_no_connect, 2017 .socketpair = sock_no_socketpair, 2018 .accept = sock_no_accept, 2019 .mmap = sock_no_mmap 2020 }; 2021 2022 static struct proto hci_sk_proto = { 2023 .name = "HCI", 2024 .owner = THIS_MODULE, 2025 .obj_size = sizeof(struct hci_pinfo) 2026 }; 2027 2028 static int hci_sock_create(struct net *net, struct socket *sock, int protocol, 2029 int kern) 2030 { 2031 struct sock *sk; 2032 2033 BT_DBG("sock %p", sock); 2034 2035 if (sock->type != SOCK_RAW) 2036 return -ESOCKTNOSUPPORT; 2037 2038 sock->ops = &hci_sock_ops; 2039 2040 sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto, kern); 2041 if (!sk) 2042 return -ENOMEM; 2043 2044 sock_init_data(sock, sk); 2045 2046 sock_reset_flag(sk, SOCK_ZAPPED); 2047 2048 sk->sk_protocol = protocol; 2049 2050 sock->state = SS_UNCONNECTED; 2051 sk->sk_state = BT_OPEN; 2052 2053 bt_sock_link(&hci_sk_list, sk); 2054 return 0; 2055 } 2056 2057 static const struct net_proto_family hci_sock_family_ops = { 2058 .family = PF_BLUETOOTH, 2059 .owner = THIS_MODULE, 2060 .create = hci_sock_create, 2061 }; 2062 2063 int __init hci_sock_init(void) 2064 { 2065 int err; 2066 2067 BUILD_BUG_ON(sizeof(struct sockaddr_hci) > sizeof(struct sockaddr)); 2068 2069 err = proto_register(&hci_sk_proto, 0); 2070 if (err < 0) 2071 return err; 2072 2073 err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops); 2074 if (err < 0) { 2075 BT_ERR("HCI socket registration failed"); 2076 goto error; 2077 } 2078 2079 err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL); 2080 if (err < 0) { 2081 BT_ERR("Failed to create HCI proc file"); 2082 bt_sock_unregister(BTPROTO_HCI); 2083 goto error; 2084 } 2085 2086 BT_INFO("HCI socket layer initialized"); 2087 2088 return 0; 2089 2090 error: 2091 proto_unregister(&hci_sk_proto); 2092 return err; 2093 } 2094 2095 void hci_sock_cleanup(void) 2096 { 2097 bt_procfs_cleanup(&init_net, "hci"); 2098 bt_sock_unregister(BTPROTO_HCI); 2099 proto_unregister(&hci_sk_proto); 2100 } 2101