1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License version 2 as 9 published by the Free Software Foundation; 10 11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 22 SOFTWARE IS DISCLAIMED. 23 */ 24 25 /* Bluetooth HCI sockets. */ 26 27 #include <linux/module.h> 28 29 #include <linux/types.h> 30 #include <linux/capability.h> 31 #include <linux/errno.h> 32 #include <linux/kernel.h> 33 #include <linux/slab.h> 34 #include <linux/poll.h> 35 #include <linux/fcntl.h> 36 #include <linux/init.h> 37 #include <linux/skbuff.h> 38 #include <linux/workqueue.h> 39 #include <linux/interrupt.h> 40 #include <linux/compat.h> 41 #include <linux/socket.h> 42 #include <linux/ioctl.h> 43 #include <net/sock.h> 44 45 #include <asm/system.h> 46 #include <asm/uaccess.h> 47 #include <asm/unaligned.h> 48 49 #include <net/bluetooth/bluetooth.h> 50 #include <net/bluetooth/hci_core.h> 51 52 /* ----- HCI socket interface ----- */ 53 54 static inline int hci_test_bit(int nr, void *addr) 55 { 56 return *((__u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31)); 57 } 58 59 /* Security filter */ 60 static struct hci_sec_filter hci_sec_filter = { 61 /* Packet types */ 62 0x10, 63 /* Events */ 64 { 0x1000d9fe, 0x0000b00c }, 65 /* Commands */ 66 { 67 { 0x0 }, 68 /* OGF_LINK_CTL */ 69 { 0xbe000006, 0x00000001, 0x00000000, 0x00 }, 70 /* OGF_LINK_POLICY */ 71 { 0x00005200, 0x00000000, 0x00000000, 0x00 }, 72 /* OGF_HOST_CTL */ 73 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 }, 74 /* OGF_INFO_PARAM */ 75 { 0x000002be, 0x00000000, 0x00000000, 0x00 }, 76 /* OGF_STATUS_PARAM */ 77 { 0x000000ea, 0x00000000, 0x00000000, 0x00 } 78 } 79 }; 80 81 static struct bt_sock_list hci_sk_list = { 82 .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock) 83 }; 84 85 /* Send frame to RAW socket */ 86 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb) 87 { 88 struct sock *sk; 89 struct hlist_node *node; 90 91 BT_DBG("hdev %p len %d", hdev, skb->len); 92 93 read_lock(&hci_sk_list.lock); 94 sk_for_each(sk, node, &hci_sk_list.head) { 95 struct hci_filter *flt; 96 struct sk_buff *nskb; 97 98 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev) 99 continue; 100 101 /* Don't send frame to the socket it came from */ 102 if (skb->sk == sk) 103 continue; 104 105 /* Apply filter */ 106 flt = &hci_pi(sk)->filter; 107 108 if (!test_bit((bt_cb(skb)->pkt_type == HCI_VENDOR_PKT) ? 109 0 : (bt_cb(skb)->pkt_type & HCI_FLT_TYPE_BITS), &flt->type_mask)) 110 continue; 111 112 if (bt_cb(skb)->pkt_type == HCI_EVENT_PKT) { 113 register int evt = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS); 114 115 if (!hci_test_bit(evt, &flt->event_mask)) 116 continue; 117 118 if (flt->opcode && 119 ((evt == HCI_EV_CMD_COMPLETE && 120 flt->opcode != 121 get_unaligned((__le16 *)(skb->data + 3))) || 122 (evt == HCI_EV_CMD_STATUS && 123 flt->opcode != 124 get_unaligned((__le16 *)(skb->data + 4))))) 125 continue; 126 } 127 128 if (!(nskb = skb_clone(skb, GFP_ATOMIC))) 129 continue; 130 131 /* Put type byte before the data */ 132 memcpy(skb_push(nskb, 1), &bt_cb(nskb)->pkt_type, 1); 133 134 if (sock_queue_rcv_skb(sk, nskb)) 135 kfree_skb(nskb); 136 } 137 read_unlock(&hci_sk_list.lock); 138 } 139 140 static int hci_sock_release(struct socket *sock) 141 { 142 struct sock *sk = sock->sk; 143 struct hci_dev *hdev; 144 145 BT_DBG("sock %p sk %p", sock, sk); 146 147 if (!sk) 148 return 0; 149 150 hdev = hci_pi(sk)->hdev; 151 152 bt_sock_unlink(&hci_sk_list, sk); 153 154 if (hdev) { 155 atomic_dec(&hdev->promisc); 156 hci_dev_put(hdev); 157 } 158 159 sock_orphan(sk); 160 161 skb_queue_purge(&sk->sk_receive_queue); 162 skb_queue_purge(&sk->sk_write_queue); 163 164 sock_put(sk); 165 return 0; 166 } 167 168 /* Ioctls that require bound socket */ 169 static inline int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, unsigned long arg) 170 { 171 struct hci_dev *hdev = hci_pi(sk)->hdev; 172 173 if (!hdev) 174 return -EBADFD; 175 176 switch (cmd) { 177 case HCISETRAW: 178 if (!capable(CAP_NET_ADMIN)) 179 return -EACCES; 180 181 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks)) 182 return -EPERM; 183 184 if (arg) 185 set_bit(HCI_RAW, &hdev->flags); 186 else 187 clear_bit(HCI_RAW, &hdev->flags); 188 189 return 0; 190 191 case HCIGETCONNINFO: 192 return hci_get_conn_info(hdev, (void __user *) arg); 193 194 case HCIGETAUTHINFO: 195 return hci_get_auth_info(hdev, (void __user *) arg); 196 197 default: 198 if (hdev->ioctl) 199 return hdev->ioctl(hdev, cmd, arg); 200 return -EINVAL; 201 } 202 } 203 204 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) 205 { 206 struct sock *sk = sock->sk; 207 void __user *argp = (void __user *) arg; 208 int err; 209 210 BT_DBG("cmd %x arg %lx", cmd, arg); 211 212 switch (cmd) { 213 case HCIGETDEVLIST: 214 return hci_get_dev_list(argp); 215 216 case HCIGETDEVINFO: 217 return hci_get_dev_info(argp); 218 219 case HCIGETCONNLIST: 220 return hci_get_conn_list(argp); 221 222 case HCIDEVUP: 223 if (!capable(CAP_NET_ADMIN)) 224 return -EACCES; 225 return hci_dev_open(arg); 226 227 case HCIDEVDOWN: 228 if (!capable(CAP_NET_ADMIN)) 229 return -EACCES; 230 return hci_dev_close(arg); 231 232 case HCIDEVRESET: 233 if (!capable(CAP_NET_ADMIN)) 234 return -EACCES; 235 return hci_dev_reset(arg); 236 237 case HCIDEVRESTAT: 238 if (!capable(CAP_NET_ADMIN)) 239 return -EACCES; 240 return hci_dev_reset_stat(arg); 241 242 case HCISETSCAN: 243 case HCISETAUTH: 244 case HCISETENCRYPT: 245 case HCISETPTYPE: 246 case HCISETLINKPOL: 247 case HCISETLINKMODE: 248 case HCISETACLMTU: 249 case HCISETSCOMTU: 250 if (!capable(CAP_NET_ADMIN)) 251 return -EACCES; 252 return hci_dev_cmd(cmd, argp); 253 254 case HCIINQUIRY: 255 return hci_inquiry(argp); 256 257 default: 258 lock_sock(sk); 259 err = hci_sock_bound_ioctl(sk, cmd, arg); 260 release_sock(sk); 261 return err; 262 } 263 } 264 265 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len) 266 { 267 struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr; 268 struct sock *sk = sock->sk; 269 struct hci_dev *hdev = NULL; 270 int err = 0; 271 272 BT_DBG("sock %p sk %p", sock, sk); 273 274 if (!haddr || haddr->hci_family != AF_BLUETOOTH) 275 return -EINVAL; 276 277 lock_sock(sk); 278 279 if (hci_pi(sk)->hdev) { 280 err = -EALREADY; 281 goto done; 282 } 283 284 if (haddr->hci_dev != HCI_DEV_NONE) { 285 if (!(hdev = hci_dev_get(haddr->hci_dev))) { 286 err = -ENODEV; 287 goto done; 288 } 289 290 atomic_inc(&hdev->promisc); 291 } 292 293 hci_pi(sk)->hdev = hdev; 294 sk->sk_state = BT_BOUND; 295 296 done: 297 release_sock(sk); 298 return err; 299 } 300 301 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr, int *addr_len, int peer) 302 { 303 struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr; 304 struct sock *sk = sock->sk; 305 struct hci_dev *hdev = hci_pi(sk)->hdev; 306 307 BT_DBG("sock %p sk %p", sock, sk); 308 309 if (!hdev) 310 return -EBADFD; 311 312 lock_sock(sk); 313 314 *addr_len = sizeof(*haddr); 315 haddr->hci_family = AF_BLUETOOTH; 316 haddr->hci_dev = hdev->id; 317 318 release_sock(sk); 319 return 0; 320 } 321 322 static inline void hci_sock_cmsg(struct sock *sk, struct msghdr *msg, struct sk_buff *skb) 323 { 324 __u32 mask = hci_pi(sk)->cmsg_mask; 325 326 if (mask & HCI_CMSG_DIR) { 327 int incoming = bt_cb(skb)->incoming; 328 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming), &incoming); 329 } 330 331 if (mask & HCI_CMSG_TSTAMP) { 332 #ifdef CONFIG_COMPAT 333 struct compat_timeval ctv; 334 #endif 335 struct timeval tv; 336 void *data; 337 int len; 338 339 skb_get_timestamp(skb, &tv); 340 341 data = &tv; 342 len = sizeof(tv); 343 #ifdef CONFIG_COMPAT 344 if (msg->msg_flags & MSG_CMSG_COMPAT) { 345 ctv.tv_sec = tv.tv_sec; 346 ctv.tv_usec = tv.tv_usec; 347 data = &ctv; 348 len = sizeof(ctv); 349 } 350 #endif 351 352 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data); 353 } 354 } 355 356 static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock, 357 struct msghdr *msg, size_t len, int flags) 358 { 359 int noblock = flags & MSG_DONTWAIT; 360 struct sock *sk = sock->sk; 361 struct sk_buff *skb; 362 int copied, err; 363 364 BT_DBG("sock %p, sk %p", sock, sk); 365 366 if (flags & (MSG_OOB)) 367 return -EOPNOTSUPP; 368 369 if (sk->sk_state == BT_CLOSED) 370 return 0; 371 372 if (!(skb = skb_recv_datagram(sk, flags, noblock, &err))) 373 return err; 374 375 msg->msg_namelen = 0; 376 377 copied = skb->len; 378 if (len < copied) { 379 msg->msg_flags |= MSG_TRUNC; 380 copied = len; 381 } 382 383 skb_reset_transport_header(skb); 384 err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied); 385 386 hci_sock_cmsg(sk, msg, skb); 387 388 skb_free_datagram(sk, skb); 389 390 return err ? : copied; 391 } 392 393 static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock, 394 struct msghdr *msg, size_t len) 395 { 396 struct sock *sk = sock->sk; 397 struct hci_dev *hdev; 398 struct sk_buff *skb; 399 int err; 400 401 BT_DBG("sock %p sk %p", sock, sk); 402 403 if (msg->msg_flags & MSG_OOB) 404 return -EOPNOTSUPP; 405 406 if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE)) 407 return -EINVAL; 408 409 if (len < 4 || len > HCI_MAX_FRAME_SIZE) 410 return -EINVAL; 411 412 lock_sock(sk); 413 414 if (!(hdev = hci_pi(sk)->hdev)) { 415 err = -EBADFD; 416 goto done; 417 } 418 419 if (!test_bit(HCI_UP, &hdev->flags)) { 420 err = -ENETDOWN; 421 goto done; 422 } 423 424 if (!(skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err))) 425 goto done; 426 427 if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) { 428 err = -EFAULT; 429 goto drop; 430 } 431 432 bt_cb(skb)->pkt_type = *((unsigned char *) skb->data); 433 skb_pull(skb, 1); 434 skb->dev = (void *) hdev; 435 436 if (bt_cb(skb)->pkt_type == HCI_COMMAND_PKT) { 437 u16 opcode = get_unaligned_le16(skb->data); 438 u16 ogf = hci_opcode_ogf(opcode); 439 u16 ocf = hci_opcode_ocf(opcode); 440 441 if (((ogf > HCI_SFLT_MAX_OGF) || 442 !hci_test_bit(ocf & HCI_FLT_OCF_BITS, &hci_sec_filter.ocf_mask[ogf])) && 443 !capable(CAP_NET_RAW)) { 444 err = -EPERM; 445 goto drop; 446 } 447 448 if (test_bit(HCI_RAW, &hdev->flags) || (ogf == 0x3f)) { 449 skb_queue_tail(&hdev->raw_q, skb); 450 tasklet_schedule(&hdev->tx_task); 451 } else { 452 skb_queue_tail(&hdev->cmd_q, skb); 453 tasklet_schedule(&hdev->cmd_task); 454 } 455 } else { 456 if (!capable(CAP_NET_RAW)) { 457 err = -EPERM; 458 goto drop; 459 } 460 461 skb_queue_tail(&hdev->raw_q, skb); 462 tasklet_schedule(&hdev->tx_task); 463 } 464 465 err = len; 466 467 done: 468 release_sock(sk); 469 return err; 470 471 drop: 472 kfree_skb(skb); 473 goto done; 474 } 475 476 static int hci_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int len) 477 { 478 struct hci_ufilter uf = { .opcode = 0 }; 479 struct sock *sk = sock->sk; 480 int err = 0, opt = 0; 481 482 BT_DBG("sk %p, opt %d", sk, optname); 483 484 lock_sock(sk); 485 486 switch (optname) { 487 case HCI_DATA_DIR: 488 if (get_user(opt, (int __user *)optval)) { 489 err = -EFAULT; 490 break; 491 } 492 493 if (opt) 494 hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR; 495 else 496 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR; 497 break; 498 499 case HCI_TIME_STAMP: 500 if (get_user(opt, (int __user *)optval)) { 501 err = -EFAULT; 502 break; 503 } 504 505 if (opt) 506 hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP; 507 else 508 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP; 509 break; 510 511 case HCI_FILTER: 512 { 513 struct hci_filter *f = &hci_pi(sk)->filter; 514 515 uf.type_mask = f->type_mask; 516 uf.opcode = f->opcode; 517 uf.event_mask[0] = *((u32 *) f->event_mask + 0); 518 uf.event_mask[1] = *((u32 *) f->event_mask + 1); 519 } 520 521 len = min_t(unsigned int, len, sizeof(uf)); 522 if (copy_from_user(&uf, optval, len)) { 523 err = -EFAULT; 524 break; 525 } 526 527 if (!capable(CAP_NET_RAW)) { 528 uf.type_mask &= hci_sec_filter.type_mask; 529 uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0); 530 uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1); 531 } 532 533 { 534 struct hci_filter *f = &hci_pi(sk)->filter; 535 536 f->type_mask = uf.type_mask; 537 f->opcode = uf.opcode; 538 *((u32 *) f->event_mask + 0) = uf.event_mask[0]; 539 *((u32 *) f->event_mask + 1) = uf.event_mask[1]; 540 } 541 break; 542 543 default: 544 err = -ENOPROTOOPT; 545 break; 546 } 547 548 release_sock(sk); 549 return err; 550 } 551 552 static int hci_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen) 553 { 554 struct hci_ufilter uf; 555 struct sock *sk = sock->sk; 556 int len, opt; 557 558 if (get_user(len, optlen)) 559 return -EFAULT; 560 561 switch (optname) { 562 case HCI_DATA_DIR: 563 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR) 564 opt = 1; 565 else 566 opt = 0; 567 568 if (put_user(opt, optval)) 569 return -EFAULT; 570 break; 571 572 case HCI_TIME_STAMP: 573 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP) 574 opt = 1; 575 else 576 opt = 0; 577 578 if (put_user(opt, optval)) 579 return -EFAULT; 580 break; 581 582 case HCI_FILTER: 583 { 584 struct hci_filter *f = &hci_pi(sk)->filter; 585 586 uf.type_mask = f->type_mask; 587 uf.opcode = f->opcode; 588 uf.event_mask[0] = *((u32 *) f->event_mask + 0); 589 uf.event_mask[1] = *((u32 *) f->event_mask + 1); 590 } 591 592 len = min_t(unsigned int, len, sizeof(uf)); 593 if (copy_to_user(optval, &uf, len)) 594 return -EFAULT; 595 break; 596 597 default: 598 return -ENOPROTOOPT; 599 break; 600 } 601 602 return 0; 603 } 604 605 static const struct proto_ops hci_sock_ops = { 606 .family = PF_BLUETOOTH, 607 .owner = THIS_MODULE, 608 .release = hci_sock_release, 609 .bind = hci_sock_bind, 610 .getname = hci_sock_getname, 611 .sendmsg = hci_sock_sendmsg, 612 .recvmsg = hci_sock_recvmsg, 613 .ioctl = hci_sock_ioctl, 614 .poll = datagram_poll, 615 .listen = sock_no_listen, 616 .shutdown = sock_no_shutdown, 617 .setsockopt = hci_sock_setsockopt, 618 .getsockopt = hci_sock_getsockopt, 619 .connect = sock_no_connect, 620 .socketpair = sock_no_socketpair, 621 .accept = sock_no_accept, 622 .mmap = sock_no_mmap 623 }; 624 625 static struct proto hci_sk_proto = { 626 .name = "HCI", 627 .owner = THIS_MODULE, 628 .obj_size = sizeof(struct hci_pinfo) 629 }; 630 631 static int hci_sock_create(struct net *net, struct socket *sock, int protocol, 632 int kern) 633 { 634 struct sock *sk; 635 636 BT_DBG("sock %p", sock); 637 638 if (sock->type != SOCK_RAW) 639 return -ESOCKTNOSUPPORT; 640 641 sock->ops = &hci_sock_ops; 642 643 sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto); 644 if (!sk) 645 return -ENOMEM; 646 647 sock_init_data(sock, sk); 648 649 sock_reset_flag(sk, SOCK_ZAPPED); 650 651 sk->sk_protocol = protocol; 652 653 sock->state = SS_UNCONNECTED; 654 sk->sk_state = BT_OPEN; 655 656 bt_sock_link(&hci_sk_list, sk); 657 return 0; 658 } 659 660 static int hci_sock_dev_event(struct notifier_block *this, unsigned long event, void *ptr) 661 { 662 struct hci_dev *hdev = (struct hci_dev *) ptr; 663 struct hci_ev_si_device ev; 664 665 BT_DBG("hdev %s event %ld", hdev->name, event); 666 667 /* Send event to sockets */ 668 ev.event = event; 669 ev.dev_id = hdev->id; 670 hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev); 671 672 if (event == HCI_DEV_UNREG) { 673 struct sock *sk; 674 struct hlist_node *node; 675 676 /* Detach sockets from device */ 677 read_lock(&hci_sk_list.lock); 678 sk_for_each(sk, node, &hci_sk_list.head) { 679 local_bh_disable(); 680 bh_lock_sock_nested(sk); 681 if (hci_pi(sk)->hdev == hdev) { 682 hci_pi(sk)->hdev = NULL; 683 sk->sk_err = EPIPE; 684 sk->sk_state = BT_OPEN; 685 sk->sk_state_change(sk); 686 687 hci_dev_put(hdev); 688 } 689 bh_unlock_sock(sk); 690 local_bh_enable(); 691 } 692 read_unlock(&hci_sk_list.lock); 693 } 694 695 return NOTIFY_DONE; 696 } 697 698 static const struct net_proto_family hci_sock_family_ops = { 699 .family = PF_BLUETOOTH, 700 .owner = THIS_MODULE, 701 .create = hci_sock_create, 702 }; 703 704 static struct notifier_block hci_sock_nblock = { 705 .notifier_call = hci_sock_dev_event 706 }; 707 708 int __init hci_sock_init(void) 709 { 710 int err; 711 712 err = proto_register(&hci_sk_proto, 0); 713 if (err < 0) 714 return err; 715 716 err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops); 717 if (err < 0) 718 goto error; 719 720 hci_register_notifier(&hci_sock_nblock); 721 722 BT_INFO("HCI socket layer initialized"); 723 724 return 0; 725 726 error: 727 BT_ERR("HCI socket registration failed"); 728 proto_unregister(&hci_sk_proto); 729 return err; 730 } 731 732 void __exit hci_sock_cleanup(void) 733 { 734 if (bt_sock_unregister(BTPROTO_HCI) < 0) 735 BT_ERR("HCI socket unregistration failed"); 736 737 hci_unregister_notifier(&hci_sock_nblock); 738 739 proto_unregister(&hci_sk_proto); 740 } 741