1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License version 2 as 9 published by the Free Software Foundation; 10 11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 22 SOFTWARE IS DISCLAIMED. 23 */ 24 25 /* Bluetooth HCI sockets. */ 26 27 #include <linux/export.h> 28 #include <asm/unaligned.h> 29 30 #include <net/bluetooth/bluetooth.h> 31 #include <net/bluetooth/hci_core.h> 32 #include <net/bluetooth/hci_mon.h> 33 34 static atomic_t monitor_promisc = ATOMIC_INIT(0); 35 36 /* ----- HCI socket interface ----- */ 37 38 static inline int hci_test_bit(int nr, void *addr) 39 { 40 return *((__u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31)); 41 } 42 43 /* Security filter */ 44 static struct hci_sec_filter hci_sec_filter = { 45 /* Packet types */ 46 0x10, 47 /* Events */ 48 { 0x1000d9fe, 0x0000b00c }, 49 /* Commands */ 50 { 51 { 0x0 }, 52 /* OGF_LINK_CTL */ 53 { 0xbe000006, 0x00000001, 0x00000000, 0x00 }, 54 /* OGF_LINK_POLICY */ 55 { 0x00005200, 0x00000000, 0x00000000, 0x00 }, 56 /* OGF_HOST_CTL */ 57 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 }, 58 /* OGF_INFO_PARAM */ 59 { 0x000002be, 0x00000000, 0x00000000, 0x00 }, 60 /* OGF_STATUS_PARAM */ 61 { 0x000000ea, 0x00000000, 0x00000000, 0x00 } 62 } 63 }; 64 65 static struct bt_sock_list hci_sk_list = { 66 .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock) 67 }; 68 69 static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb) 70 { 71 struct hci_filter *flt; 72 int flt_type, flt_event; 73 74 /* Apply filter */ 75 flt = &hci_pi(sk)->filter; 76 77 if (bt_cb(skb)->pkt_type == HCI_VENDOR_PKT) 78 flt_type = 0; 79 else 80 flt_type = bt_cb(skb)->pkt_type & HCI_FLT_TYPE_BITS; 81 82 if (!test_bit(flt_type, &flt->type_mask)) 83 return true; 84 85 /* Extra filter for event packets only */ 86 if (bt_cb(skb)->pkt_type != HCI_EVENT_PKT) 87 return false; 88 89 flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS); 90 91 if (!hci_test_bit(flt_event, &flt->event_mask)) 92 return true; 93 94 /* Check filter only when opcode is set */ 95 if (!flt->opcode) 96 return false; 97 98 if (flt_event == HCI_EV_CMD_COMPLETE && 99 flt->opcode != get_unaligned((__le16 *)(skb->data + 3))) 100 return true; 101 102 if (flt_event == HCI_EV_CMD_STATUS && 103 flt->opcode != get_unaligned((__le16 *)(skb->data + 4))) 104 return true; 105 106 return false; 107 } 108 109 /* Send frame to RAW socket */ 110 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb) 111 { 112 struct sock *sk; 113 struct sk_buff *skb_copy = NULL; 114 115 BT_DBG("hdev %p len %d", hdev, skb->len); 116 117 read_lock(&hci_sk_list.lock); 118 119 sk_for_each(sk, &hci_sk_list.head) { 120 struct sk_buff *nskb; 121 122 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev) 123 continue; 124 125 /* Don't send frame to the socket it came from */ 126 if (skb->sk == sk) 127 continue; 128 129 if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) { 130 if (is_filtered_packet(sk, skb)) 131 continue; 132 } else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { 133 if (!bt_cb(skb)->incoming) 134 continue; 135 if (bt_cb(skb)->pkt_type != HCI_EVENT_PKT && 136 bt_cb(skb)->pkt_type != HCI_ACLDATA_PKT && 137 bt_cb(skb)->pkt_type != HCI_SCODATA_PKT) 138 continue; 139 } else { 140 /* Don't send frame to other channel types */ 141 continue; 142 } 143 144 if (!skb_copy) { 145 /* Create a private copy with headroom */ 146 skb_copy = __pskb_copy_fclone(skb, 1, GFP_ATOMIC, true); 147 if (!skb_copy) 148 continue; 149 150 /* Put type byte before the data */ 151 memcpy(skb_push(skb_copy, 1), &bt_cb(skb)->pkt_type, 1); 152 } 153 154 nskb = skb_clone(skb_copy, GFP_ATOMIC); 155 if (!nskb) 156 continue; 157 158 if (sock_queue_rcv_skb(sk, nskb)) 159 kfree_skb(nskb); 160 } 161 162 read_unlock(&hci_sk_list.lock); 163 164 kfree_skb(skb_copy); 165 } 166 167 /* Send frame to control socket */ 168 void hci_send_to_control(struct sk_buff *skb, struct sock *skip_sk) 169 { 170 struct sock *sk; 171 172 BT_DBG("len %d", skb->len); 173 174 read_lock(&hci_sk_list.lock); 175 176 sk_for_each(sk, &hci_sk_list.head) { 177 struct sk_buff *nskb; 178 179 /* Skip the original socket */ 180 if (sk == skip_sk) 181 continue; 182 183 if (sk->sk_state != BT_BOUND) 184 continue; 185 186 if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL) 187 continue; 188 189 nskb = skb_clone(skb, GFP_ATOMIC); 190 if (!nskb) 191 continue; 192 193 if (sock_queue_rcv_skb(sk, nskb)) 194 kfree_skb(nskb); 195 } 196 197 read_unlock(&hci_sk_list.lock); 198 } 199 200 /* Send frame to monitor socket */ 201 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb) 202 { 203 struct sock *sk; 204 struct sk_buff *skb_copy = NULL; 205 __le16 opcode; 206 207 if (!atomic_read(&monitor_promisc)) 208 return; 209 210 BT_DBG("hdev %p len %d", hdev, skb->len); 211 212 switch (bt_cb(skb)->pkt_type) { 213 case HCI_COMMAND_PKT: 214 opcode = cpu_to_le16(HCI_MON_COMMAND_PKT); 215 break; 216 case HCI_EVENT_PKT: 217 opcode = cpu_to_le16(HCI_MON_EVENT_PKT); 218 break; 219 case HCI_ACLDATA_PKT: 220 if (bt_cb(skb)->incoming) 221 opcode = cpu_to_le16(HCI_MON_ACL_RX_PKT); 222 else 223 opcode = cpu_to_le16(HCI_MON_ACL_TX_PKT); 224 break; 225 case HCI_SCODATA_PKT: 226 if (bt_cb(skb)->incoming) 227 opcode = cpu_to_le16(HCI_MON_SCO_RX_PKT); 228 else 229 opcode = cpu_to_le16(HCI_MON_SCO_TX_PKT); 230 break; 231 default: 232 return; 233 } 234 235 read_lock(&hci_sk_list.lock); 236 237 sk_for_each(sk, &hci_sk_list.head) { 238 struct sk_buff *nskb; 239 240 if (sk->sk_state != BT_BOUND) 241 continue; 242 243 if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR) 244 continue; 245 246 if (!skb_copy) { 247 struct hci_mon_hdr *hdr; 248 249 /* Create a private copy with headroom */ 250 skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE, 251 GFP_ATOMIC, true); 252 if (!skb_copy) 253 continue; 254 255 /* Put header before the data */ 256 hdr = (void *) skb_push(skb_copy, HCI_MON_HDR_SIZE); 257 hdr->opcode = opcode; 258 hdr->index = cpu_to_le16(hdev->id); 259 hdr->len = cpu_to_le16(skb->len); 260 } 261 262 nskb = skb_clone(skb_copy, GFP_ATOMIC); 263 if (!nskb) 264 continue; 265 266 if (sock_queue_rcv_skb(sk, nskb)) 267 kfree_skb(nskb); 268 } 269 270 read_unlock(&hci_sk_list.lock); 271 272 kfree_skb(skb_copy); 273 } 274 275 static void send_monitor_event(struct sk_buff *skb) 276 { 277 struct sock *sk; 278 279 BT_DBG("len %d", skb->len); 280 281 read_lock(&hci_sk_list.lock); 282 283 sk_for_each(sk, &hci_sk_list.head) { 284 struct sk_buff *nskb; 285 286 if (sk->sk_state != BT_BOUND) 287 continue; 288 289 if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR) 290 continue; 291 292 nskb = skb_clone(skb, GFP_ATOMIC); 293 if (!nskb) 294 continue; 295 296 if (sock_queue_rcv_skb(sk, nskb)) 297 kfree_skb(nskb); 298 } 299 300 read_unlock(&hci_sk_list.lock); 301 } 302 303 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event) 304 { 305 struct hci_mon_hdr *hdr; 306 struct hci_mon_new_index *ni; 307 struct sk_buff *skb; 308 __le16 opcode; 309 310 switch (event) { 311 case HCI_DEV_REG: 312 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC); 313 if (!skb) 314 return NULL; 315 316 ni = (void *) skb_put(skb, HCI_MON_NEW_INDEX_SIZE); 317 ni->type = hdev->dev_type; 318 ni->bus = hdev->bus; 319 bacpy(&ni->bdaddr, &hdev->bdaddr); 320 memcpy(ni->name, hdev->name, 8); 321 322 opcode = cpu_to_le16(HCI_MON_NEW_INDEX); 323 break; 324 325 case HCI_DEV_UNREG: 326 skb = bt_skb_alloc(0, GFP_ATOMIC); 327 if (!skb) 328 return NULL; 329 330 opcode = cpu_to_le16(HCI_MON_DEL_INDEX); 331 break; 332 333 default: 334 return NULL; 335 } 336 337 __net_timestamp(skb); 338 339 hdr = (void *) skb_push(skb, HCI_MON_HDR_SIZE); 340 hdr->opcode = opcode; 341 hdr->index = cpu_to_le16(hdev->id); 342 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 343 344 return skb; 345 } 346 347 static void send_monitor_replay(struct sock *sk) 348 { 349 struct hci_dev *hdev; 350 351 read_lock(&hci_dev_list_lock); 352 353 list_for_each_entry(hdev, &hci_dev_list, list) { 354 struct sk_buff *skb; 355 356 skb = create_monitor_event(hdev, HCI_DEV_REG); 357 if (!skb) 358 continue; 359 360 if (sock_queue_rcv_skb(sk, skb)) 361 kfree_skb(skb); 362 } 363 364 read_unlock(&hci_dev_list_lock); 365 } 366 367 /* Generate internal stack event */ 368 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data) 369 { 370 struct hci_event_hdr *hdr; 371 struct hci_ev_stack_internal *ev; 372 struct sk_buff *skb; 373 374 skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC); 375 if (!skb) 376 return; 377 378 hdr = (void *) skb_put(skb, HCI_EVENT_HDR_SIZE); 379 hdr->evt = HCI_EV_STACK_INTERNAL; 380 hdr->plen = sizeof(*ev) + dlen; 381 382 ev = (void *) skb_put(skb, sizeof(*ev) + dlen); 383 ev->type = type; 384 memcpy(ev->data, data, dlen); 385 386 bt_cb(skb)->incoming = 1; 387 __net_timestamp(skb); 388 389 bt_cb(skb)->pkt_type = HCI_EVENT_PKT; 390 hci_send_to_sock(hdev, skb); 391 kfree_skb(skb); 392 } 393 394 void hci_sock_dev_event(struct hci_dev *hdev, int event) 395 { 396 struct hci_ev_si_device ev; 397 398 BT_DBG("hdev %s event %d", hdev->name, event); 399 400 /* Send event to monitor */ 401 if (atomic_read(&monitor_promisc)) { 402 struct sk_buff *skb; 403 404 skb = create_monitor_event(hdev, event); 405 if (skb) { 406 send_monitor_event(skb); 407 kfree_skb(skb); 408 } 409 } 410 411 /* Send event to sockets */ 412 ev.event = event; 413 ev.dev_id = hdev->id; 414 hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev); 415 416 if (event == HCI_DEV_UNREG) { 417 struct sock *sk; 418 419 /* Detach sockets from device */ 420 read_lock(&hci_sk_list.lock); 421 sk_for_each(sk, &hci_sk_list.head) { 422 bh_lock_sock_nested(sk); 423 if (hci_pi(sk)->hdev == hdev) { 424 hci_pi(sk)->hdev = NULL; 425 sk->sk_err = EPIPE; 426 sk->sk_state = BT_OPEN; 427 sk->sk_state_change(sk); 428 429 hci_dev_put(hdev); 430 } 431 bh_unlock_sock(sk); 432 } 433 read_unlock(&hci_sk_list.lock); 434 } 435 } 436 437 static int hci_sock_release(struct socket *sock) 438 { 439 struct sock *sk = sock->sk; 440 struct hci_dev *hdev; 441 442 BT_DBG("sock %p sk %p", sock, sk); 443 444 if (!sk) 445 return 0; 446 447 hdev = hci_pi(sk)->hdev; 448 449 if (hci_pi(sk)->channel == HCI_CHANNEL_MONITOR) 450 atomic_dec(&monitor_promisc); 451 452 bt_sock_unlink(&hci_sk_list, sk); 453 454 if (hdev) { 455 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { 456 mgmt_index_added(hdev); 457 clear_bit(HCI_USER_CHANNEL, &hdev->dev_flags); 458 hci_dev_close(hdev->id); 459 } 460 461 atomic_dec(&hdev->promisc); 462 hci_dev_put(hdev); 463 } 464 465 sock_orphan(sk); 466 467 skb_queue_purge(&sk->sk_receive_queue); 468 skb_queue_purge(&sk->sk_write_queue); 469 470 sock_put(sk); 471 return 0; 472 } 473 474 static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg) 475 { 476 bdaddr_t bdaddr; 477 int err; 478 479 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 480 return -EFAULT; 481 482 hci_dev_lock(hdev); 483 484 err = hci_blacklist_add(hdev, &bdaddr, BDADDR_BREDR); 485 486 hci_dev_unlock(hdev); 487 488 return err; 489 } 490 491 static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg) 492 { 493 bdaddr_t bdaddr; 494 int err; 495 496 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 497 return -EFAULT; 498 499 hci_dev_lock(hdev); 500 501 err = hci_blacklist_del(hdev, &bdaddr, BDADDR_BREDR); 502 503 hci_dev_unlock(hdev); 504 505 return err; 506 } 507 508 /* Ioctls that require bound socket */ 509 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, 510 unsigned long arg) 511 { 512 struct hci_dev *hdev = hci_pi(sk)->hdev; 513 514 if (!hdev) 515 return -EBADFD; 516 517 if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) 518 return -EBUSY; 519 520 if (hdev->dev_type != HCI_BREDR) 521 return -EOPNOTSUPP; 522 523 switch (cmd) { 524 case HCISETRAW: 525 if (!capable(CAP_NET_ADMIN)) 526 return -EPERM; 527 return -EOPNOTSUPP; 528 529 case HCIGETCONNINFO: 530 return hci_get_conn_info(hdev, (void __user *) arg); 531 532 case HCIGETAUTHINFO: 533 return hci_get_auth_info(hdev, (void __user *) arg); 534 535 case HCIBLOCKADDR: 536 if (!capable(CAP_NET_ADMIN)) 537 return -EPERM; 538 return hci_sock_blacklist_add(hdev, (void __user *) arg); 539 540 case HCIUNBLOCKADDR: 541 if (!capable(CAP_NET_ADMIN)) 542 return -EPERM; 543 return hci_sock_blacklist_del(hdev, (void __user *) arg); 544 } 545 546 return -ENOIOCTLCMD; 547 } 548 549 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd, 550 unsigned long arg) 551 { 552 void __user *argp = (void __user *) arg; 553 struct sock *sk = sock->sk; 554 int err; 555 556 BT_DBG("cmd %x arg %lx", cmd, arg); 557 558 lock_sock(sk); 559 560 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { 561 err = -EBADFD; 562 goto done; 563 } 564 565 release_sock(sk); 566 567 switch (cmd) { 568 case HCIGETDEVLIST: 569 return hci_get_dev_list(argp); 570 571 case HCIGETDEVINFO: 572 return hci_get_dev_info(argp); 573 574 case HCIGETCONNLIST: 575 return hci_get_conn_list(argp); 576 577 case HCIDEVUP: 578 if (!capable(CAP_NET_ADMIN)) 579 return -EPERM; 580 return hci_dev_open(arg); 581 582 case HCIDEVDOWN: 583 if (!capable(CAP_NET_ADMIN)) 584 return -EPERM; 585 return hci_dev_close(arg); 586 587 case HCIDEVRESET: 588 if (!capable(CAP_NET_ADMIN)) 589 return -EPERM; 590 return hci_dev_reset(arg); 591 592 case HCIDEVRESTAT: 593 if (!capable(CAP_NET_ADMIN)) 594 return -EPERM; 595 return hci_dev_reset_stat(arg); 596 597 case HCISETSCAN: 598 case HCISETAUTH: 599 case HCISETENCRYPT: 600 case HCISETPTYPE: 601 case HCISETLINKPOL: 602 case HCISETLINKMODE: 603 case HCISETACLMTU: 604 case HCISETSCOMTU: 605 if (!capable(CAP_NET_ADMIN)) 606 return -EPERM; 607 return hci_dev_cmd(cmd, argp); 608 609 case HCIINQUIRY: 610 return hci_inquiry(argp); 611 } 612 613 lock_sock(sk); 614 615 err = hci_sock_bound_ioctl(sk, cmd, arg); 616 617 done: 618 release_sock(sk); 619 return err; 620 } 621 622 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr, 623 int addr_len) 624 { 625 struct sockaddr_hci haddr; 626 struct sock *sk = sock->sk; 627 struct hci_dev *hdev = NULL; 628 int len, err = 0; 629 630 BT_DBG("sock %p sk %p", sock, sk); 631 632 if (!addr) 633 return -EINVAL; 634 635 memset(&haddr, 0, sizeof(haddr)); 636 len = min_t(unsigned int, sizeof(haddr), addr_len); 637 memcpy(&haddr, addr, len); 638 639 if (haddr.hci_family != AF_BLUETOOTH) 640 return -EINVAL; 641 642 lock_sock(sk); 643 644 if (sk->sk_state == BT_BOUND) { 645 err = -EALREADY; 646 goto done; 647 } 648 649 switch (haddr.hci_channel) { 650 case HCI_CHANNEL_RAW: 651 if (hci_pi(sk)->hdev) { 652 err = -EALREADY; 653 goto done; 654 } 655 656 if (haddr.hci_dev != HCI_DEV_NONE) { 657 hdev = hci_dev_get(haddr.hci_dev); 658 if (!hdev) { 659 err = -ENODEV; 660 goto done; 661 } 662 663 atomic_inc(&hdev->promisc); 664 } 665 666 hci_pi(sk)->hdev = hdev; 667 break; 668 669 case HCI_CHANNEL_USER: 670 if (hci_pi(sk)->hdev) { 671 err = -EALREADY; 672 goto done; 673 } 674 675 if (haddr.hci_dev == HCI_DEV_NONE) { 676 err = -EINVAL; 677 goto done; 678 } 679 680 if (!capable(CAP_NET_ADMIN)) { 681 err = -EPERM; 682 goto done; 683 } 684 685 hdev = hci_dev_get(haddr.hci_dev); 686 if (!hdev) { 687 err = -ENODEV; 688 goto done; 689 } 690 691 if (test_bit(HCI_UP, &hdev->flags) || 692 test_bit(HCI_INIT, &hdev->flags) || 693 test_bit(HCI_SETUP, &hdev->dev_flags)) { 694 err = -EBUSY; 695 hci_dev_put(hdev); 696 goto done; 697 } 698 699 if (test_and_set_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) { 700 err = -EUSERS; 701 hci_dev_put(hdev); 702 goto done; 703 } 704 705 mgmt_index_removed(hdev); 706 707 err = hci_dev_open(hdev->id); 708 if (err) { 709 clear_bit(HCI_USER_CHANNEL, &hdev->dev_flags); 710 mgmt_index_added(hdev); 711 hci_dev_put(hdev); 712 goto done; 713 } 714 715 atomic_inc(&hdev->promisc); 716 717 hci_pi(sk)->hdev = hdev; 718 break; 719 720 case HCI_CHANNEL_CONTROL: 721 if (haddr.hci_dev != HCI_DEV_NONE) { 722 err = -EINVAL; 723 goto done; 724 } 725 726 if (!capable(CAP_NET_ADMIN)) { 727 err = -EPERM; 728 goto done; 729 } 730 731 break; 732 733 case HCI_CHANNEL_MONITOR: 734 if (haddr.hci_dev != HCI_DEV_NONE) { 735 err = -EINVAL; 736 goto done; 737 } 738 739 if (!capable(CAP_NET_RAW)) { 740 err = -EPERM; 741 goto done; 742 } 743 744 send_monitor_replay(sk); 745 746 atomic_inc(&monitor_promisc); 747 break; 748 749 default: 750 err = -EINVAL; 751 goto done; 752 } 753 754 755 hci_pi(sk)->channel = haddr.hci_channel; 756 sk->sk_state = BT_BOUND; 757 758 done: 759 release_sock(sk); 760 return err; 761 } 762 763 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr, 764 int *addr_len, int peer) 765 { 766 struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr; 767 struct sock *sk = sock->sk; 768 struct hci_dev *hdev; 769 int err = 0; 770 771 BT_DBG("sock %p sk %p", sock, sk); 772 773 if (peer) 774 return -EOPNOTSUPP; 775 776 lock_sock(sk); 777 778 hdev = hci_pi(sk)->hdev; 779 if (!hdev) { 780 err = -EBADFD; 781 goto done; 782 } 783 784 *addr_len = sizeof(*haddr); 785 haddr->hci_family = AF_BLUETOOTH; 786 haddr->hci_dev = hdev->id; 787 haddr->hci_channel= hci_pi(sk)->channel; 788 789 done: 790 release_sock(sk); 791 return err; 792 } 793 794 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg, 795 struct sk_buff *skb) 796 { 797 __u32 mask = hci_pi(sk)->cmsg_mask; 798 799 if (mask & HCI_CMSG_DIR) { 800 int incoming = bt_cb(skb)->incoming; 801 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming), 802 &incoming); 803 } 804 805 if (mask & HCI_CMSG_TSTAMP) { 806 #ifdef CONFIG_COMPAT 807 struct compat_timeval ctv; 808 #endif 809 struct timeval tv; 810 void *data; 811 int len; 812 813 skb_get_timestamp(skb, &tv); 814 815 data = &tv; 816 len = sizeof(tv); 817 #ifdef CONFIG_COMPAT 818 if (!COMPAT_USE_64BIT_TIME && 819 (msg->msg_flags & MSG_CMSG_COMPAT)) { 820 ctv.tv_sec = tv.tv_sec; 821 ctv.tv_usec = tv.tv_usec; 822 data = &ctv; 823 len = sizeof(ctv); 824 } 825 #endif 826 827 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data); 828 } 829 } 830 831 static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock, 832 struct msghdr *msg, size_t len, int flags) 833 { 834 int noblock = flags & MSG_DONTWAIT; 835 struct sock *sk = sock->sk; 836 struct sk_buff *skb; 837 int copied, err; 838 839 BT_DBG("sock %p, sk %p", sock, sk); 840 841 if (flags & (MSG_OOB)) 842 return -EOPNOTSUPP; 843 844 if (sk->sk_state == BT_CLOSED) 845 return 0; 846 847 skb = skb_recv_datagram(sk, flags, noblock, &err); 848 if (!skb) 849 return err; 850 851 copied = skb->len; 852 if (len < copied) { 853 msg->msg_flags |= MSG_TRUNC; 854 copied = len; 855 } 856 857 skb_reset_transport_header(skb); 858 err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied); 859 860 switch (hci_pi(sk)->channel) { 861 case HCI_CHANNEL_RAW: 862 hci_sock_cmsg(sk, msg, skb); 863 break; 864 case HCI_CHANNEL_USER: 865 case HCI_CHANNEL_CONTROL: 866 case HCI_CHANNEL_MONITOR: 867 sock_recv_timestamp(msg, sk, skb); 868 break; 869 } 870 871 skb_free_datagram(sk, skb); 872 873 return err ? : copied; 874 } 875 876 static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock, 877 struct msghdr *msg, size_t len) 878 { 879 struct sock *sk = sock->sk; 880 struct hci_dev *hdev; 881 struct sk_buff *skb; 882 int err; 883 884 BT_DBG("sock %p sk %p", sock, sk); 885 886 if (msg->msg_flags & MSG_OOB) 887 return -EOPNOTSUPP; 888 889 if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE)) 890 return -EINVAL; 891 892 if (len < 4 || len > HCI_MAX_FRAME_SIZE) 893 return -EINVAL; 894 895 lock_sock(sk); 896 897 switch (hci_pi(sk)->channel) { 898 case HCI_CHANNEL_RAW: 899 case HCI_CHANNEL_USER: 900 break; 901 case HCI_CHANNEL_CONTROL: 902 err = mgmt_control(sk, msg, len); 903 goto done; 904 case HCI_CHANNEL_MONITOR: 905 err = -EOPNOTSUPP; 906 goto done; 907 default: 908 err = -EINVAL; 909 goto done; 910 } 911 912 hdev = hci_pi(sk)->hdev; 913 if (!hdev) { 914 err = -EBADFD; 915 goto done; 916 } 917 918 if (!test_bit(HCI_UP, &hdev->flags)) { 919 err = -ENETDOWN; 920 goto done; 921 } 922 923 skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err); 924 if (!skb) 925 goto done; 926 927 if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) { 928 err = -EFAULT; 929 goto drop; 930 } 931 932 bt_cb(skb)->pkt_type = *((unsigned char *) skb->data); 933 skb_pull(skb, 1); 934 935 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { 936 /* No permission check is needed for user channel 937 * since that gets enforced when binding the socket. 938 * 939 * However check that the packet type is valid. 940 */ 941 if (bt_cb(skb)->pkt_type != HCI_COMMAND_PKT && 942 bt_cb(skb)->pkt_type != HCI_ACLDATA_PKT && 943 bt_cb(skb)->pkt_type != HCI_SCODATA_PKT) { 944 err = -EINVAL; 945 goto drop; 946 } 947 948 skb_queue_tail(&hdev->raw_q, skb); 949 queue_work(hdev->workqueue, &hdev->tx_work); 950 } else if (bt_cb(skb)->pkt_type == HCI_COMMAND_PKT) { 951 u16 opcode = get_unaligned_le16(skb->data); 952 u16 ogf = hci_opcode_ogf(opcode); 953 u16 ocf = hci_opcode_ocf(opcode); 954 955 if (((ogf > HCI_SFLT_MAX_OGF) || 956 !hci_test_bit(ocf & HCI_FLT_OCF_BITS, 957 &hci_sec_filter.ocf_mask[ogf])) && 958 !capable(CAP_NET_RAW)) { 959 err = -EPERM; 960 goto drop; 961 } 962 963 if (test_bit(HCI_RAW, &hdev->flags) || (ogf == 0x3f)) { 964 skb_queue_tail(&hdev->raw_q, skb); 965 queue_work(hdev->workqueue, &hdev->tx_work); 966 } else { 967 /* Stand-alone HCI commands must be flaged as 968 * single-command requests. 969 */ 970 bt_cb(skb)->req.start = true; 971 972 skb_queue_tail(&hdev->cmd_q, skb); 973 queue_work(hdev->workqueue, &hdev->cmd_work); 974 } 975 } else { 976 if (!capable(CAP_NET_RAW)) { 977 err = -EPERM; 978 goto drop; 979 } 980 981 skb_queue_tail(&hdev->raw_q, skb); 982 queue_work(hdev->workqueue, &hdev->tx_work); 983 } 984 985 err = len; 986 987 done: 988 release_sock(sk); 989 return err; 990 991 drop: 992 kfree_skb(skb); 993 goto done; 994 } 995 996 static int hci_sock_setsockopt(struct socket *sock, int level, int optname, 997 char __user *optval, unsigned int len) 998 { 999 struct hci_ufilter uf = { .opcode = 0 }; 1000 struct sock *sk = sock->sk; 1001 int err = 0, opt = 0; 1002 1003 BT_DBG("sk %p, opt %d", sk, optname); 1004 1005 lock_sock(sk); 1006 1007 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { 1008 err = -EBADFD; 1009 goto done; 1010 } 1011 1012 switch (optname) { 1013 case HCI_DATA_DIR: 1014 if (get_user(opt, (int __user *)optval)) { 1015 err = -EFAULT; 1016 break; 1017 } 1018 1019 if (opt) 1020 hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR; 1021 else 1022 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR; 1023 break; 1024 1025 case HCI_TIME_STAMP: 1026 if (get_user(opt, (int __user *)optval)) { 1027 err = -EFAULT; 1028 break; 1029 } 1030 1031 if (opt) 1032 hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP; 1033 else 1034 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP; 1035 break; 1036 1037 case HCI_FILTER: 1038 { 1039 struct hci_filter *f = &hci_pi(sk)->filter; 1040 1041 uf.type_mask = f->type_mask; 1042 uf.opcode = f->opcode; 1043 uf.event_mask[0] = *((u32 *) f->event_mask + 0); 1044 uf.event_mask[1] = *((u32 *) f->event_mask + 1); 1045 } 1046 1047 len = min_t(unsigned int, len, sizeof(uf)); 1048 if (copy_from_user(&uf, optval, len)) { 1049 err = -EFAULT; 1050 break; 1051 } 1052 1053 if (!capable(CAP_NET_RAW)) { 1054 uf.type_mask &= hci_sec_filter.type_mask; 1055 uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0); 1056 uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1); 1057 } 1058 1059 { 1060 struct hci_filter *f = &hci_pi(sk)->filter; 1061 1062 f->type_mask = uf.type_mask; 1063 f->opcode = uf.opcode; 1064 *((u32 *) f->event_mask + 0) = uf.event_mask[0]; 1065 *((u32 *) f->event_mask + 1) = uf.event_mask[1]; 1066 } 1067 break; 1068 1069 default: 1070 err = -ENOPROTOOPT; 1071 break; 1072 } 1073 1074 done: 1075 release_sock(sk); 1076 return err; 1077 } 1078 1079 static int hci_sock_getsockopt(struct socket *sock, int level, int optname, 1080 char __user *optval, int __user *optlen) 1081 { 1082 struct hci_ufilter uf; 1083 struct sock *sk = sock->sk; 1084 int len, opt, err = 0; 1085 1086 BT_DBG("sk %p, opt %d", sk, optname); 1087 1088 if (get_user(len, optlen)) 1089 return -EFAULT; 1090 1091 lock_sock(sk); 1092 1093 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { 1094 err = -EBADFD; 1095 goto done; 1096 } 1097 1098 switch (optname) { 1099 case HCI_DATA_DIR: 1100 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR) 1101 opt = 1; 1102 else 1103 opt = 0; 1104 1105 if (put_user(opt, optval)) 1106 err = -EFAULT; 1107 break; 1108 1109 case HCI_TIME_STAMP: 1110 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP) 1111 opt = 1; 1112 else 1113 opt = 0; 1114 1115 if (put_user(opt, optval)) 1116 err = -EFAULT; 1117 break; 1118 1119 case HCI_FILTER: 1120 { 1121 struct hci_filter *f = &hci_pi(sk)->filter; 1122 1123 memset(&uf, 0, sizeof(uf)); 1124 uf.type_mask = f->type_mask; 1125 uf.opcode = f->opcode; 1126 uf.event_mask[0] = *((u32 *) f->event_mask + 0); 1127 uf.event_mask[1] = *((u32 *) f->event_mask + 1); 1128 } 1129 1130 len = min_t(unsigned int, len, sizeof(uf)); 1131 if (copy_to_user(optval, &uf, len)) 1132 err = -EFAULT; 1133 break; 1134 1135 default: 1136 err = -ENOPROTOOPT; 1137 break; 1138 } 1139 1140 done: 1141 release_sock(sk); 1142 return err; 1143 } 1144 1145 static const struct proto_ops hci_sock_ops = { 1146 .family = PF_BLUETOOTH, 1147 .owner = THIS_MODULE, 1148 .release = hci_sock_release, 1149 .bind = hci_sock_bind, 1150 .getname = hci_sock_getname, 1151 .sendmsg = hci_sock_sendmsg, 1152 .recvmsg = hci_sock_recvmsg, 1153 .ioctl = hci_sock_ioctl, 1154 .poll = datagram_poll, 1155 .listen = sock_no_listen, 1156 .shutdown = sock_no_shutdown, 1157 .setsockopt = hci_sock_setsockopt, 1158 .getsockopt = hci_sock_getsockopt, 1159 .connect = sock_no_connect, 1160 .socketpair = sock_no_socketpair, 1161 .accept = sock_no_accept, 1162 .mmap = sock_no_mmap 1163 }; 1164 1165 static struct proto hci_sk_proto = { 1166 .name = "HCI", 1167 .owner = THIS_MODULE, 1168 .obj_size = sizeof(struct hci_pinfo) 1169 }; 1170 1171 static int hci_sock_create(struct net *net, struct socket *sock, int protocol, 1172 int kern) 1173 { 1174 struct sock *sk; 1175 1176 BT_DBG("sock %p", sock); 1177 1178 if (sock->type != SOCK_RAW) 1179 return -ESOCKTNOSUPPORT; 1180 1181 sock->ops = &hci_sock_ops; 1182 1183 sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto); 1184 if (!sk) 1185 return -ENOMEM; 1186 1187 sock_init_data(sock, sk); 1188 1189 sock_reset_flag(sk, SOCK_ZAPPED); 1190 1191 sk->sk_protocol = protocol; 1192 1193 sock->state = SS_UNCONNECTED; 1194 sk->sk_state = BT_OPEN; 1195 1196 bt_sock_link(&hci_sk_list, sk); 1197 return 0; 1198 } 1199 1200 static const struct net_proto_family hci_sock_family_ops = { 1201 .family = PF_BLUETOOTH, 1202 .owner = THIS_MODULE, 1203 .create = hci_sock_create, 1204 }; 1205 1206 int __init hci_sock_init(void) 1207 { 1208 int err; 1209 1210 err = proto_register(&hci_sk_proto, 0); 1211 if (err < 0) 1212 return err; 1213 1214 err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops); 1215 if (err < 0) { 1216 BT_ERR("HCI socket registration failed"); 1217 goto error; 1218 } 1219 1220 err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL); 1221 if (err < 0) { 1222 BT_ERR("Failed to create HCI proc file"); 1223 bt_sock_unregister(BTPROTO_HCI); 1224 goto error; 1225 } 1226 1227 BT_INFO("HCI socket layer initialized"); 1228 1229 return 0; 1230 1231 error: 1232 proto_unregister(&hci_sk_proto); 1233 return err; 1234 } 1235 1236 void hci_sock_cleanup(void) 1237 { 1238 bt_procfs_cleanup(&init_net, "hci"); 1239 bt_sock_unregister(BTPROTO_HCI); 1240 proto_unregister(&hci_sk_proto); 1241 } 1242