1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License version 2 as 9 published by the Free Software Foundation; 10 11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 22 SOFTWARE IS DISCLAIMED. 23 */ 24 25 /* Bluetooth HCI sockets. */ 26 27 #include <linux/export.h> 28 #include <asm/unaligned.h> 29 30 #include <net/bluetooth/bluetooth.h> 31 #include <net/bluetooth/hci_core.h> 32 #include <net/bluetooth/hci_mon.h> 33 34 static atomic_t monitor_promisc = ATOMIC_INIT(0); 35 36 /* ----- HCI socket interface ----- */ 37 38 static inline int hci_test_bit(int nr, void *addr) 39 { 40 return *((__u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31)); 41 } 42 43 /* Security filter */ 44 static struct hci_sec_filter hci_sec_filter = { 45 /* Packet types */ 46 0x10, 47 /* Events */ 48 { 0x1000d9fe, 0x0000b00c }, 49 /* Commands */ 50 { 51 { 0x0 }, 52 /* OGF_LINK_CTL */ 53 { 0xbe000006, 0x00000001, 0x00000000, 0x00 }, 54 /* OGF_LINK_POLICY */ 55 { 0x00005200, 0x00000000, 0x00000000, 0x00 }, 56 /* OGF_HOST_CTL */ 57 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 }, 58 /* OGF_INFO_PARAM */ 59 { 0x000002be, 0x00000000, 0x00000000, 0x00 }, 60 /* OGF_STATUS_PARAM */ 61 { 0x000000ea, 0x00000000, 0x00000000, 0x00 } 62 } 63 }; 64 65 static struct bt_sock_list hci_sk_list = { 66 .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock) 67 }; 68 69 static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb) 70 { 71 struct hci_filter *flt; 72 int flt_type, flt_event; 73 74 /* Apply filter */ 75 flt = &hci_pi(sk)->filter; 76 77 if (bt_cb(skb)->pkt_type == HCI_VENDOR_PKT) 78 flt_type = 0; 79 else 80 flt_type = bt_cb(skb)->pkt_type & HCI_FLT_TYPE_BITS; 81 82 if (!test_bit(flt_type, &flt->type_mask)) 83 return true; 84 85 /* Extra filter for event packets only */ 86 if (bt_cb(skb)->pkt_type != HCI_EVENT_PKT) 87 return false; 88 89 flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS); 90 91 if (!hci_test_bit(flt_event, &flt->event_mask)) 92 return true; 93 94 /* Check filter only when opcode is set */ 95 if (!flt->opcode) 96 return false; 97 98 if (flt_event == HCI_EV_CMD_COMPLETE && 99 flt->opcode != get_unaligned((__le16 *)(skb->data + 3))) 100 return true; 101 102 if (flt_event == HCI_EV_CMD_STATUS && 103 flt->opcode != get_unaligned((__le16 *)(skb->data + 4))) 104 return true; 105 106 return false; 107 } 108 109 /* Send frame to RAW socket */ 110 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb) 111 { 112 struct sock *sk; 113 struct sk_buff *skb_copy = NULL; 114 115 BT_DBG("hdev %p len %d", hdev, skb->len); 116 117 read_lock(&hci_sk_list.lock); 118 119 sk_for_each(sk, &hci_sk_list.head) { 120 struct sk_buff *nskb; 121 122 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev) 123 continue; 124 125 /* Don't send frame to the socket it came from */ 126 if (skb->sk == sk) 127 continue; 128 129 if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) { 130 if (is_filtered_packet(sk, skb)) 131 continue; 132 } else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { 133 if (!bt_cb(skb)->incoming) 134 continue; 135 if (bt_cb(skb)->pkt_type != HCI_EVENT_PKT && 136 bt_cb(skb)->pkt_type != HCI_ACLDATA_PKT && 137 bt_cb(skb)->pkt_type != HCI_SCODATA_PKT) 138 continue; 139 } else { 140 /* Don't send frame to other channel types */ 141 continue; 142 } 143 144 if (!skb_copy) { 145 /* Create a private copy with headroom */ 146 skb_copy = __pskb_copy(skb, 1, GFP_ATOMIC); 147 if (!skb_copy) 148 continue; 149 150 /* Put type byte before the data */ 151 memcpy(skb_push(skb_copy, 1), &bt_cb(skb)->pkt_type, 1); 152 } 153 154 nskb = skb_clone(skb_copy, GFP_ATOMIC); 155 if (!nskb) 156 continue; 157 158 if (sock_queue_rcv_skb(sk, nskb)) 159 kfree_skb(nskb); 160 } 161 162 read_unlock(&hci_sk_list.lock); 163 164 kfree_skb(skb_copy); 165 } 166 167 /* Send frame to control socket */ 168 void hci_send_to_control(struct sk_buff *skb, struct sock *skip_sk) 169 { 170 struct sock *sk; 171 172 BT_DBG("len %d", skb->len); 173 174 read_lock(&hci_sk_list.lock); 175 176 sk_for_each(sk, &hci_sk_list.head) { 177 struct sk_buff *nskb; 178 179 /* Skip the original socket */ 180 if (sk == skip_sk) 181 continue; 182 183 if (sk->sk_state != BT_BOUND) 184 continue; 185 186 if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL) 187 continue; 188 189 nskb = skb_clone(skb, GFP_ATOMIC); 190 if (!nskb) 191 continue; 192 193 if (sock_queue_rcv_skb(sk, nskb)) 194 kfree_skb(nskb); 195 } 196 197 read_unlock(&hci_sk_list.lock); 198 } 199 200 /* Send frame to monitor socket */ 201 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb) 202 { 203 struct sock *sk; 204 struct sk_buff *skb_copy = NULL; 205 __le16 opcode; 206 207 if (!atomic_read(&monitor_promisc)) 208 return; 209 210 BT_DBG("hdev %p len %d", hdev, skb->len); 211 212 switch (bt_cb(skb)->pkt_type) { 213 case HCI_COMMAND_PKT: 214 opcode = cpu_to_le16(HCI_MON_COMMAND_PKT); 215 break; 216 case HCI_EVENT_PKT: 217 opcode = cpu_to_le16(HCI_MON_EVENT_PKT); 218 break; 219 case HCI_ACLDATA_PKT: 220 if (bt_cb(skb)->incoming) 221 opcode = cpu_to_le16(HCI_MON_ACL_RX_PKT); 222 else 223 opcode = cpu_to_le16(HCI_MON_ACL_TX_PKT); 224 break; 225 case HCI_SCODATA_PKT: 226 if (bt_cb(skb)->incoming) 227 opcode = cpu_to_le16(HCI_MON_SCO_RX_PKT); 228 else 229 opcode = cpu_to_le16(HCI_MON_SCO_TX_PKT); 230 break; 231 default: 232 return; 233 } 234 235 read_lock(&hci_sk_list.lock); 236 237 sk_for_each(sk, &hci_sk_list.head) { 238 struct sk_buff *nskb; 239 240 if (sk->sk_state != BT_BOUND) 241 continue; 242 243 if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR) 244 continue; 245 246 if (!skb_copy) { 247 struct hci_mon_hdr *hdr; 248 249 /* Create a private copy with headroom */ 250 skb_copy = __pskb_copy(skb, HCI_MON_HDR_SIZE, 251 GFP_ATOMIC); 252 if (!skb_copy) 253 continue; 254 255 /* Put header before the data */ 256 hdr = (void *) skb_push(skb_copy, HCI_MON_HDR_SIZE); 257 hdr->opcode = opcode; 258 hdr->index = cpu_to_le16(hdev->id); 259 hdr->len = cpu_to_le16(skb->len); 260 } 261 262 nskb = skb_clone(skb_copy, GFP_ATOMIC); 263 if (!nskb) 264 continue; 265 266 if (sock_queue_rcv_skb(sk, nskb)) 267 kfree_skb(nskb); 268 } 269 270 read_unlock(&hci_sk_list.lock); 271 272 kfree_skb(skb_copy); 273 } 274 275 static void send_monitor_event(struct sk_buff *skb) 276 { 277 struct sock *sk; 278 279 BT_DBG("len %d", skb->len); 280 281 read_lock(&hci_sk_list.lock); 282 283 sk_for_each(sk, &hci_sk_list.head) { 284 struct sk_buff *nskb; 285 286 if (sk->sk_state != BT_BOUND) 287 continue; 288 289 if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR) 290 continue; 291 292 nskb = skb_clone(skb, GFP_ATOMIC); 293 if (!nskb) 294 continue; 295 296 if (sock_queue_rcv_skb(sk, nskb)) 297 kfree_skb(nskb); 298 } 299 300 read_unlock(&hci_sk_list.lock); 301 } 302 303 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event) 304 { 305 struct hci_mon_hdr *hdr; 306 struct hci_mon_new_index *ni; 307 struct sk_buff *skb; 308 __le16 opcode; 309 310 switch (event) { 311 case HCI_DEV_REG: 312 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC); 313 if (!skb) 314 return NULL; 315 316 ni = (void *) skb_put(skb, HCI_MON_NEW_INDEX_SIZE); 317 ni->type = hdev->dev_type; 318 ni->bus = hdev->bus; 319 bacpy(&ni->bdaddr, &hdev->bdaddr); 320 memcpy(ni->name, hdev->name, 8); 321 322 opcode = cpu_to_le16(HCI_MON_NEW_INDEX); 323 break; 324 325 case HCI_DEV_UNREG: 326 skb = bt_skb_alloc(0, GFP_ATOMIC); 327 if (!skb) 328 return NULL; 329 330 opcode = cpu_to_le16(HCI_MON_DEL_INDEX); 331 break; 332 333 default: 334 return NULL; 335 } 336 337 __net_timestamp(skb); 338 339 hdr = (void *) skb_push(skb, HCI_MON_HDR_SIZE); 340 hdr->opcode = opcode; 341 hdr->index = cpu_to_le16(hdev->id); 342 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 343 344 return skb; 345 } 346 347 static void send_monitor_replay(struct sock *sk) 348 { 349 struct hci_dev *hdev; 350 351 read_lock(&hci_dev_list_lock); 352 353 list_for_each_entry(hdev, &hci_dev_list, list) { 354 struct sk_buff *skb; 355 356 skb = create_monitor_event(hdev, HCI_DEV_REG); 357 if (!skb) 358 continue; 359 360 if (sock_queue_rcv_skb(sk, skb)) 361 kfree_skb(skb); 362 } 363 364 read_unlock(&hci_dev_list_lock); 365 } 366 367 /* Generate internal stack event */ 368 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data) 369 { 370 struct hci_event_hdr *hdr; 371 struct hci_ev_stack_internal *ev; 372 struct sk_buff *skb; 373 374 skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC); 375 if (!skb) 376 return; 377 378 hdr = (void *) skb_put(skb, HCI_EVENT_HDR_SIZE); 379 hdr->evt = HCI_EV_STACK_INTERNAL; 380 hdr->plen = sizeof(*ev) + dlen; 381 382 ev = (void *) skb_put(skb, sizeof(*ev) + dlen); 383 ev->type = type; 384 memcpy(ev->data, data, dlen); 385 386 bt_cb(skb)->incoming = 1; 387 __net_timestamp(skb); 388 389 bt_cb(skb)->pkt_type = HCI_EVENT_PKT; 390 hci_send_to_sock(hdev, skb); 391 kfree_skb(skb); 392 } 393 394 void hci_sock_dev_event(struct hci_dev *hdev, int event) 395 { 396 struct hci_ev_si_device ev; 397 398 BT_DBG("hdev %s event %d", hdev->name, event); 399 400 /* Send event to monitor */ 401 if (atomic_read(&monitor_promisc)) { 402 struct sk_buff *skb; 403 404 skb = create_monitor_event(hdev, event); 405 if (skb) { 406 send_monitor_event(skb); 407 kfree_skb(skb); 408 } 409 } 410 411 /* Send event to sockets */ 412 ev.event = event; 413 ev.dev_id = hdev->id; 414 hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev); 415 416 if (event == HCI_DEV_UNREG) { 417 struct sock *sk; 418 419 /* Detach sockets from device */ 420 read_lock(&hci_sk_list.lock); 421 sk_for_each(sk, &hci_sk_list.head) { 422 bh_lock_sock_nested(sk); 423 if (hci_pi(sk)->hdev == hdev) { 424 hci_pi(sk)->hdev = NULL; 425 sk->sk_err = EPIPE; 426 sk->sk_state = BT_OPEN; 427 sk->sk_state_change(sk); 428 429 hci_dev_put(hdev); 430 } 431 bh_unlock_sock(sk); 432 } 433 read_unlock(&hci_sk_list.lock); 434 } 435 } 436 437 static int hci_sock_release(struct socket *sock) 438 { 439 struct sock *sk = sock->sk; 440 struct hci_dev *hdev; 441 442 BT_DBG("sock %p sk %p", sock, sk); 443 444 if (!sk) 445 return 0; 446 447 hdev = hci_pi(sk)->hdev; 448 449 if (hci_pi(sk)->channel == HCI_CHANNEL_MONITOR) 450 atomic_dec(&monitor_promisc); 451 452 bt_sock_unlink(&hci_sk_list, sk); 453 454 if (hdev) { 455 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { 456 mgmt_index_added(hdev); 457 clear_bit(HCI_USER_CHANNEL, &hdev->dev_flags); 458 hci_dev_close(hdev->id); 459 } 460 461 atomic_dec(&hdev->promisc); 462 hci_dev_put(hdev); 463 } 464 465 sock_orphan(sk); 466 467 skb_queue_purge(&sk->sk_receive_queue); 468 skb_queue_purge(&sk->sk_write_queue); 469 470 sock_put(sk); 471 return 0; 472 } 473 474 static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg) 475 { 476 bdaddr_t bdaddr; 477 int err; 478 479 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 480 return -EFAULT; 481 482 hci_dev_lock(hdev); 483 484 err = hci_blacklist_add(hdev, &bdaddr, BDADDR_BREDR); 485 486 hci_dev_unlock(hdev); 487 488 return err; 489 } 490 491 static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg) 492 { 493 bdaddr_t bdaddr; 494 int err; 495 496 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 497 return -EFAULT; 498 499 hci_dev_lock(hdev); 500 501 err = hci_blacklist_del(hdev, &bdaddr, BDADDR_BREDR); 502 503 hci_dev_unlock(hdev); 504 505 return err; 506 } 507 508 /* Ioctls that require bound socket */ 509 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, 510 unsigned long arg) 511 { 512 struct hci_dev *hdev = hci_pi(sk)->hdev; 513 514 if (!hdev) 515 return -EBADFD; 516 517 if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) 518 return -EBUSY; 519 520 if (hdev->dev_type != HCI_BREDR) 521 return -EOPNOTSUPP; 522 523 switch (cmd) { 524 case HCISETRAW: 525 if (!capable(CAP_NET_ADMIN)) 526 return -EPERM; 527 528 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks)) 529 return -EPERM; 530 531 if (arg) 532 set_bit(HCI_RAW, &hdev->flags); 533 else 534 clear_bit(HCI_RAW, &hdev->flags); 535 536 return 0; 537 538 case HCIGETCONNINFO: 539 return hci_get_conn_info(hdev, (void __user *) arg); 540 541 case HCIGETAUTHINFO: 542 return hci_get_auth_info(hdev, (void __user *) arg); 543 544 case HCIBLOCKADDR: 545 if (!capable(CAP_NET_ADMIN)) 546 return -EPERM; 547 return hci_sock_blacklist_add(hdev, (void __user *) arg); 548 549 case HCIUNBLOCKADDR: 550 if (!capable(CAP_NET_ADMIN)) 551 return -EPERM; 552 return hci_sock_blacklist_del(hdev, (void __user *) arg); 553 } 554 555 return -ENOIOCTLCMD; 556 } 557 558 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd, 559 unsigned long arg) 560 { 561 void __user *argp = (void __user *) arg; 562 struct sock *sk = sock->sk; 563 int err; 564 565 BT_DBG("cmd %x arg %lx", cmd, arg); 566 567 lock_sock(sk); 568 569 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { 570 err = -EBADFD; 571 goto done; 572 } 573 574 release_sock(sk); 575 576 switch (cmd) { 577 case HCIGETDEVLIST: 578 return hci_get_dev_list(argp); 579 580 case HCIGETDEVINFO: 581 return hci_get_dev_info(argp); 582 583 case HCIGETCONNLIST: 584 return hci_get_conn_list(argp); 585 586 case HCIDEVUP: 587 if (!capable(CAP_NET_ADMIN)) 588 return -EPERM; 589 return hci_dev_open(arg); 590 591 case HCIDEVDOWN: 592 if (!capable(CAP_NET_ADMIN)) 593 return -EPERM; 594 return hci_dev_close(arg); 595 596 case HCIDEVRESET: 597 if (!capable(CAP_NET_ADMIN)) 598 return -EPERM; 599 return hci_dev_reset(arg); 600 601 case HCIDEVRESTAT: 602 if (!capable(CAP_NET_ADMIN)) 603 return -EPERM; 604 return hci_dev_reset_stat(arg); 605 606 case HCISETSCAN: 607 case HCISETAUTH: 608 case HCISETENCRYPT: 609 case HCISETPTYPE: 610 case HCISETLINKPOL: 611 case HCISETLINKMODE: 612 case HCISETACLMTU: 613 case HCISETSCOMTU: 614 if (!capable(CAP_NET_ADMIN)) 615 return -EPERM; 616 return hci_dev_cmd(cmd, argp); 617 618 case HCIINQUIRY: 619 return hci_inquiry(argp); 620 } 621 622 lock_sock(sk); 623 624 err = hci_sock_bound_ioctl(sk, cmd, arg); 625 626 done: 627 release_sock(sk); 628 return err; 629 } 630 631 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr, 632 int addr_len) 633 { 634 struct sockaddr_hci haddr; 635 struct sock *sk = sock->sk; 636 struct hci_dev *hdev = NULL; 637 int len, err = 0; 638 639 BT_DBG("sock %p sk %p", sock, sk); 640 641 if (!addr) 642 return -EINVAL; 643 644 memset(&haddr, 0, sizeof(haddr)); 645 len = min_t(unsigned int, sizeof(haddr), addr_len); 646 memcpy(&haddr, addr, len); 647 648 if (haddr.hci_family != AF_BLUETOOTH) 649 return -EINVAL; 650 651 lock_sock(sk); 652 653 if (sk->sk_state == BT_BOUND) { 654 err = -EALREADY; 655 goto done; 656 } 657 658 switch (haddr.hci_channel) { 659 case HCI_CHANNEL_RAW: 660 if (hci_pi(sk)->hdev) { 661 err = -EALREADY; 662 goto done; 663 } 664 665 if (haddr.hci_dev != HCI_DEV_NONE) { 666 hdev = hci_dev_get(haddr.hci_dev); 667 if (!hdev) { 668 err = -ENODEV; 669 goto done; 670 } 671 672 atomic_inc(&hdev->promisc); 673 } 674 675 hci_pi(sk)->hdev = hdev; 676 break; 677 678 case HCI_CHANNEL_USER: 679 if (hci_pi(sk)->hdev) { 680 err = -EALREADY; 681 goto done; 682 } 683 684 if (haddr.hci_dev == HCI_DEV_NONE) { 685 err = -EINVAL; 686 goto done; 687 } 688 689 if (!capable(CAP_NET_ADMIN)) { 690 err = -EPERM; 691 goto done; 692 } 693 694 hdev = hci_dev_get(haddr.hci_dev); 695 if (!hdev) { 696 err = -ENODEV; 697 goto done; 698 } 699 700 if (test_bit(HCI_UP, &hdev->flags) || 701 test_bit(HCI_INIT, &hdev->flags) || 702 test_bit(HCI_SETUP, &hdev->dev_flags)) { 703 err = -EBUSY; 704 hci_dev_put(hdev); 705 goto done; 706 } 707 708 if (test_and_set_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) { 709 err = -EUSERS; 710 hci_dev_put(hdev); 711 goto done; 712 } 713 714 mgmt_index_removed(hdev); 715 716 err = hci_dev_open(hdev->id); 717 if (err) { 718 clear_bit(HCI_USER_CHANNEL, &hdev->dev_flags); 719 mgmt_index_added(hdev); 720 hci_dev_put(hdev); 721 goto done; 722 } 723 724 atomic_inc(&hdev->promisc); 725 726 hci_pi(sk)->hdev = hdev; 727 break; 728 729 case HCI_CHANNEL_CONTROL: 730 if (haddr.hci_dev != HCI_DEV_NONE) { 731 err = -EINVAL; 732 goto done; 733 } 734 735 if (!capable(CAP_NET_ADMIN)) { 736 err = -EPERM; 737 goto done; 738 } 739 740 break; 741 742 case HCI_CHANNEL_MONITOR: 743 if (haddr.hci_dev != HCI_DEV_NONE) { 744 err = -EINVAL; 745 goto done; 746 } 747 748 if (!capable(CAP_NET_RAW)) { 749 err = -EPERM; 750 goto done; 751 } 752 753 send_monitor_replay(sk); 754 755 atomic_inc(&monitor_promisc); 756 break; 757 758 default: 759 err = -EINVAL; 760 goto done; 761 } 762 763 764 hci_pi(sk)->channel = haddr.hci_channel; 765 sk->sk_state = BT_BOUND; 766 767 done: 768 release_sock(sk); 769 return err; 770 } 771 772 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr, 773 int *addr_len, int peer) 774 { 775 struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr; 776 struct sock *sk = sock->sk; 777 struct hci_dev *hdev; 778 int err = 0; 779 780 BT_DBG("sock %p sk %p", sock, sk); 781 782 if (peer) 783 return -EOPNOTSUPP; 784 785 lock_sock(sk); 786 787 hdev = hci_pi(sk)->hdev; 788 if (!hdev) { 789 err = -EBADFD; 790 goto done; 791 } 792 793 *addr_len = sizeof(*haddr); 794 haddr->hci_family = AF_BLUETOOTH; 795 haddr->hci_dev = hdev->id; 796 haddr->hci_channel= hci_pi(sk)->channel; 797 798 done: 799 release_sock(sk); 800 return err; 801 } 802 803 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg, 804 struct sk_buff *skb) 805 { 806 __u32 mask = hci_pi(sk)->cmsg_mask; 807 808 if (mask & HCI_CMSG_DIR) { 809 int incoming = bt_cb(skb)->incoming; 810 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming), 811 &incoming); 812 } 813 814 if (mask & HCI_CMSG_TSTAMP) { 815 #ifdef CONFIG_COMPAT 816 struct compat_timeval ctv; 817 #endif 818 struct timeval tv; 819 void *data; 820 int len; 821 822 skb_get_timestamp(skb, &tv); 823 824 data = &tv; 825 len = sizeof(tv); 826 #ifdef CONFIG_COMPAT 827 if (!COMPAT_USE_64BIT_TIME && 828 (msg->msg_flags & MSG_CMSG_COMPAT)) { 829 ctv.tv_sec = tv.tv_sec; 830 ctv.tv_usec = tv.tv_usec; 831 data = &ctv; 832 len = sizeof(ctv); 833 } 834 #endif 835 836 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data); 837 } 838 } 839 840 static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock, 841 struct msghdr *msg, size_t len, int flags) 842 { 843 int noblock = flags & MSG_DONTWAIT; 844 struct sock *sk = sock->sk; 845 struct sk_buff *skb; 846 int copied, err; 847 848 BT_DBG("sock %p, sk %p", sock, sk); 849 850 if (flags & (MSG_OOB)) 851 return -EOPNOTSUPP; 852 853 if (sk->sk_state == BT_CLOSED) 854 return 0; 855 856 skb = skb_recv_datagram(sk, flags, noblock, &err); 857 if (!skb) 858 return err; 859 860 copied = skb->len; 861 if (len < copied) { 862 msg->msg_flags |= MSG_TRUNC; 863 copied = len; 864 } 865 866 skb_reset_transport_header(skb); 867 err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied); 868 869 switch (hci_pi(sk)->channel) { 870 case HCI_CHANNEL_RAW: 871 hci_sock_cmsg(sk, msg, skb); 872 break; 873 case HCI_CHANNEL_USER: 874 case HCI_CHANNEL_CONTROL: 875 case HCI_CHANNEL_MONITOR: 876 sock_recv_timestamp(msg, sk, skb); 877 break; 878 } 879 880 skb_free_datagram(sk, skb); 881 882 return err ? : copied; 883 } 884 885 static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock, 886 struct msghdr *msg, size_t len) 887 { 888 struct sock *sk = sock->sk; 889 struct hci_dev *hdev; 890 struct sk_buff *skb; 891 int err; 892 893 BT_DBG("sock %p sk %p", sock, sk); 894 895 if (msg->msg_flags & MSG_OOB) 896 return -EOPNOTSUPP; 897 898 if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE)) 899 return -EINVAL; 900 901 if (len < 4 || len > HCI_MAX_FRAME_SIZE) 902 return -EINVAL; 903 904 lock_sock(sk); 905 906 switch (hci_pi(sk)->channel) { 907 case HCI_CHANNEL_RAW: 908 case HCI_CHANNEL_USER: 909 break; 910 case HCI_CHANNEL_CONTROL: 911 err = mgmt_control(sk, msg, len); 912 goto done; 913 case HCI_CHANNEL_MONITOR: 914 err = -EOPNOTSUPP; 915 goto done; 916 default: 917 err = -EINVAL; 918 goto done; 919 } 920 921 hdev = hci_pi(sk)->hdev; 922 if (!hdev) { 923 err = -EBADFD; 924 goto done; 925 } 926 927 if (!test_bit(HCI_UP, &hdev->flags)) { 928 err = -ENETDOWN; 929 goto done; 930 } 931 932 skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err); 933 if (!skb) 934 goto done; 935 936 if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) { 937 err = -EFAULT; 938 goto drop; 939 } 940 941 bt_cb(skb)->pkt_type = *((unsigned char *) skb->data); 942 skb_pull(skb, 1); 943 944 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { 945 /* No permission check is needed for user channel 946 * since that gets enforced when binding the socket. 947 * 948 * However check that the packet type is valid. 949 */ 950 if (bt_cb(skb)->pkt_type != HCI_COMMAND_PKT && 951 bt_cb(skb)->pkt_type != HCI_ACLDATA_PKT && 952 bt_cb(skb)->pkt_type != HCI_SCODATA_PKT) { 953 err = -EINVAL; 954 goto drop; 955 } 956 957 skb_queue_tail(&hdev->raw_q, skb); 958 queue_work(hdev->workqueue, &hdev->tx_work); 959 } else if (bt_cb(skb)->pkt_type == HCI_COMMAND_PKT) { 960 u16 opcode = get_unaligned_le16(skb->data); 961 u16 ogf = hci_opcode_ogf(opcode); 962 u16 ocf = hci_opcode_ocf(opcode); 963 964 if (((ogf > HCI_SFLT_MAX_OGF) || 965 !hci_test_bit(ocf & HCI_FLT_OCF_BITS, 966 &hci_sec_filter.ocf_mask[ogf])) && 967 !capable(CAP_NET_RAW)) { 968 err = -EPERM; 969 goto drop; 970 } 971 972 if (test_bit(HCI_RAW, &hdev->flags) || (ogf == 0x3f)) { 973 skb_queue_tail(&hdev->raw_q, skb); 974 queue_work(hdev->workqueue, &hdev->tx_work); 975 } else { 976 /* Stand-alone HCI commands must be flaged as 977 * single-command requests. 978 */ 979 bt_cb(skb)->req.start = true; 980 981 skb_queue_tail(&hdev->cmd_q, skb); 982 queue_work(hdev->workqueue, &hdev->cmd_work); 983 } 984 } else { 985 if (!capable(CAP_NET_RAW)) { 986 err = -EPERM; 987 goto drop; 988 } 989 990 skb_queue_tail(&hdev->raw_q, skb); 991 queue_work(hdev->workqueue, &hdev->tx_work); 992 } 993 994 err = len; 995 996 done: 997 release_sock(sk); 998 return err; 999 1000 drop: 1001 kfree_skb(skb); 1002 goto done; 1003 } 1004 1005 static int hci_sock_setsockopt(struct socket *sock, int level, int optname, 1006 char __user *optval, unsigned int len) 1007 { 1008 struct hci_ufilter uf = { .opcode = 0 }; 1009 struct sock *sk = sock->sk; 1010 int err = 0, opt = 0; 1011 1012 BT_DBG("sk %p, opt %d", sk, optname); 1013 1014 lock_sock(sk); 1015 1016 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { 1017 err = -EBADFD; 1018 goto done; 1019 } 1020 1021 switch (optname) { 1022 case HCI_DATA_DIR: 1023 if (get_user(opt, (int __user *)optval)) { 1024 err = -EFAULT; 1025 break; 1026 } 1027 1028 if (opt) 1029 hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR; 1030 else 1031 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR; 1032 break; 1033 1034 case HCI_TIME_STAMP: 1035 if (get_user(opt, (int __user *)optval)) { 1036 err = -EFAULT; 1037 break; 1038 } 1039 1040 if (opt) 1041 hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP; 1042 else 1043 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP; 1044 break; 1045 1046 case HCI_FILTER: 1047 { 1048 struct hci_filter *f = &hci_pi(sk)->filter; 1049 1050 uf.type_mask = f->type_mask; 1051 uf.opcode = f->opcode; 1052 uf.event_mask[0] = *((u32 *) f->event_mask + 0); 1053 uf.event_mask[1] = *((u32 *) f->event_mask + 1); 1054 } 1055 1056 len = min_t(unsigned int, len, sizeof(uf)); 1057 if (copy_from_user(&uf, optval, len)) { 1058 err = -EFAULT; 1059 break; 1060 } 1061 1062 if (!capable(CAP_NET_RAW)) { 1063 uf.type_mask &= hci_sec_filter.type_mask; 1064 uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0); 1065 uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1); 1066 } 1067 1068 { 1069 struct hci_filter *f = &hci_pi(sk)->filter; 1070 1071 f->type_mask = uf.type_mask; 1072 f->opcode = uf.opcode; 1073 *((u32 *) f->event_mask + 0) = uf.event_mask[0]; 1074 *((u32 *) f->event_mask + 1) = uf.event_mask[1]; 1075 } 1076 break; 1077 1078 default: 1079 err = -ENOPROTOOPT; 1080 break; 1081 } 1082 1083 done: 1084 release_sock(sk); 1085 return err; 1086 } 1087 1088 static int hci_sock_getsockopt(struct socket *sock, int level, int optname, 1089 char __user *optval, int __user *optlen) 1090 { 1091 struct hci_ufilter uf; 1092 struct sock *sk = sock->sk; 1093 int len, opt, err = 0; 1094 1095 BT_DBG("sk %p, opt %d", sk, optname); 1096 1097 if (get_user(len, optlen)) 1098 return -EFAULT; 1099 1100 lock_sock(sk); 1101 1102 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { 1103 err = -EBADFD; 1104 goto done; 1105 } 1106 1107 switch (optname) { 1108 case HCI_DATA_DIR: 1109 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR) 1110 opt = 1; 1111 else 1112 opt = 0; 1113 1114 if (put_user(opt, optval)) 1115 err = -EFAULT; 1116 break; 1117 1118 case HCI_TIME_STAMP: 1119 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP) 1120 opt = 1; 1121 else 1122 opt = 0; 1123 1124 if (put_user(opt, optval)) 1125 err = -EFAULT; 1126 break; 1127 1128 case HCI_FILTER: 1129 { 1130 struct hci_filter *f = &hci_pi(sk)->filter; 1131 1132 memset(&uf, 0, sizeof(uf)); 1133 uf.type_mask = f->type_mask; 1134 uf.opcode = f->opcode; 1135 uf.event_mask[0] = *((u32 *) f->event_mask + 0); 1136 uf.event_mask[1] = *((u32 *) f->event_mask + 1); 1137 } 1138 1139 len = min_t(unsigned int, len, sizeof(uf)); 1140 if (copy_to_user(optval, &uf, len)) 1141 err = -EFAULT; 1142 break; 1143 1144 default: 1145 err = -ENOPROTOOPT; 1146 break; 1147 } 1148 1149 done: 1150 release_sock(sk); 1151 return err; 1152 } 1153 1154 static const struct proto_ops hci_sock_ops = { 1155 .family = PF_BLUETOOTH, 1156 .owner = THIS_MODULE, 1157 .release = hci_sock_release, 1158 .bind = hci_sock_bind, 1159 .getname = hci_sock_getname, 1160 .sendmsg = hci_sock_sendmsg, 1161 .recvmsg = hci_sock_recvmsg, 1162 .ioctl = hci_sock_ioctl, 1163 .poll = datagram_poll, 1164 .listen = sock_no_listen, 1165 .shutdown = sock_no_shutdown, 1166 .setsockopt = hci_sock_setsockopt, 1167 .getsockopt = hci_sock_getsockopt, 1168 .connect = sock_no_connect, 1169 .socketpair = sock_no_socketpair, 1170 .accept = sock_no_accept, 1171 .mmap = sock_no_mmap 1172 }; 1173 1174 static struct proto hci_sk_proto = { 1175 .name = "HCI", 1176 .owner = THIS_MODULE, 1177 .obj_size = sizeof(struct hci_pinfo) 1178 }; 1179 1180 static int hci_sock_create(struct net *net, struct socket *sock, int protocol, 1181 int kern) 1182 { 1183 struct sock *sk; 1184 1185 BT_DBG("sock %p", sock); 1186 1187 if (sock->type != SOCK_RAW) 1188 return -ESOCKTNOSUPPORT; 1189 1190 sock->ops = &hci_sock_ops; 1191 1192 sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto); 1193 if (!sk) 1194 return -ENOMEM; 1195 1196 sock_init_data(sock, sk); 1197 1198 sock_reset_flag(sk, SOCK_ZAPPED); 1199 1200 sk->sk_protocol = protocol; 1201 1202 sock->state = SS_UNCONNECTED; 1203 sk->sk_state = BT_OPEN; 1204 1205 bt_sock_link(&hci_sk_list, sk); 1206 return 0; 1207 } 1208 1209 static const struct net_proto_family hci_sock_family_ops = { 1210 .family = PF_BLUETOOTH, 1211 .owner = THIS_MODULE, 1212 .create = hci_sock_create, 1213 }; 1214 1215 int __init hci_sock_init(void) 1216 { 1217 int err; 1218 1219 err = proto_register(&hci_sk_proto, 0); 1220 if (err < 0) 1221 return err; 1222 1223 err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops); 1224 if (err < 0) { 1225 BT_ERR("HCI socket registration failed"); 1226 goto error; 1227 } 1228 1229 err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL); 1230 if (err < 0) { 1231 BT_ERR("Failed to create HCI proc file"); 1232 bt_sock_unregister(BTPROTO_HCI); 1233 goto error; 1234 } 1235 1236 BT_INFO("HCI socket layer initialized"); 1237 1238 return 0; 1239 1240 error: 1241 proto_unregister(&hci_sk_proto); 1242 return err; 1243 } 1244 1245 void hci_sock_cleanup(void) 1246 { 1247 bt_procfs_cleanup(&init_net, "hci"); 1248 bt_sock_unregister(BTPROTO_HCI); 1249 proto_unregister(&hci_sk_proto); 1250 } 1251