1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 *
4 * Bluetooth virtual HCI driver
5 *
6 * Copyright (C) 2000-2001 Qualcomm Incorporated
7 * Copyright (C) 2002-2003 Maxim Krasnyansky <maxk@qualcomm.com>
8 * Copyright (C) 2004-2006 Marcel Holtmann <marcel@holtmann.org>
9 */
10
11 #include <linux/module.h>
12 #include <asm/unaligned.h>
13
14 #include <linux/kernel.h>
15 #include <linux/init.h>
16 #include <linux/slab.h>
17 #include <linux/types.h>
18 #include <linux/errno.h>
19 #include <linux/sched.h>
20 #include <linux/poll.h>
21
22 #include <linux/skbuff.h>
23 #include <linux/miscdevice.h>
24
25 #include <net/bluetooth/bluetooth.h>
26 #include <net/bluetooth/hci_core.h>
27
28 #define VERSION "1.5"
29
30 static bool amp;
31
32 struct vhci_data {
33 struct hci_dev *hdev;
34
35 wait_queue_head_t read_wait;
36 struct sk_buff_head readq;
37
38 struct mutex open_mutex;
39 struct delayed_work open_timeout;
40 };
41
vhci_open_dev(struct hci_dev * hdev)42 static int vhci_open_dev(struct hci_dev *hdev)
43 {
44 return 0;
45 }
46
vhci_close_dev(struct hci_dev * hdev)47 static int vhci_close_dev(struct hci_dev *hdev)
48 {
49 struct vhci_data *data = hci_get_drvdata(hdev);
50
51 skb_queue_purge(&data->readq);
52
53 return 0;
54 }
55
vhci_flush(struct hci_dev * hdev)56 static int vhci_flush(struct hci_dev *hdev)
57 {
58 struct vhci_data *data = hci_get_drvdata(hdev);
59
60 skb_queue_purge(&data->readq);
61
62 return 0;
63 }
64
vhci_send_frame(struct hci_dev * hdev,struct sk_buff * skb)65 static int vhci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
66 {
67 struct vhci_data *data = hci_get_drvdata(hdev);
68
69 memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1);
70 skb_queue_tail(&data->readq, skb);
71
72 wake_up_interruptible(&data->read_wait);
73 return 0;
74 }
75
__vhci_create_device(struct vhci_data * data,__u8 opcode)76 static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
77 {
78 struct hci_dev *hdev;
79 struct sk_buff *skb;
80 __u8 dev_type;
81
82 if (data->hdev)
83 return -EBADFD;
84
85 /* bits 0-1 are dev_type (Primary or AMP) */
86 dev_type = opcode & 0x03;
87
88 if (dev_type != HCI_PRIMARY && dev_type != HCI_AMP)
89 return -EINVAL;
90
91 /* bits 2-5 are reserved (must be zero) */
92 if (opcode & 0x3c)
93 return -EINVAL;
94
95 skb = bt_skb_alloc(4, GFP_KERNEL);
96 if (!skb)
97 return -ENOMEM;
98
99 hdev = hci_alloc_dev();
100 if (!hdev) {
101 kfree_skb(skb);
102 return -ENOMEM;
103 }
104
105 data->hdev = hdev;
106
107 hdev->bus = HCI_VIRTUAL;
108 hdev->dev_type = dev_type;
109 hci_set_drvdata(hdev, data);
110
111 hdev->open = vhci_open_dev;
112 hdev->close = vhci_close_dev;
113 hdev->flush = vhci_flush;
114 hdev->send = vhci_send_frame;
115
116 /* bit 6 is for external configuration */
117 if (opcode & 0x40)
118 set_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks);
119
120 /* bit 7 is for raw device */
121 if (opcode & 0x80)
122 set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks);
123
124 set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks);
125
126 if (hci_register_dev(hdev) < 0) {
127 BT_ERR("Can't register HCI device");
128 hci_free_dev(hdev);
129 data->hdev = NULL;
130 kfree_skb(skb);
131 return -EBUSY;
132 }
133
134 hci_skb_pkt_type(skb) = HCI_VENDOR_PKT;
135
136 skb_put_u8(skb, 0xff);
137 skb_put_u8(skb, opcode);
138 put_unaligned_le16(hdev->id, skb_put(skb, 2));
139 skb_queue_tail(&data->readq, skb);
140
141 wake_up_interruptible(&data->read_wait);
142 return 0;
143 }
144
vhci_create_device(struct vhci_data * data,__u8 opcode)145 static int vhci_create_device(struct vhci_data *data, __u8 opcode)
146 {
147 int err;
148
149 mutex_lock(&data->open_mutex);
150 err = __vhci_create_device(data, opcode);
151 mutex_unlock(&data->open_mutex);
152
153 return err;
154 }
155
vhci_get_user(struct vhci_data * data,struct iov_iter * from)156 static inline ssize_t vhci_get_user(struct vhci_data *data,
157 struct iov_iter *from)
158 {
159 size_t len = iov_iter_count(from);
160 struct sk_buff *skb;
161 __u8 pkt_type, opcode;
162 int ret;
163
164 if (len < 2 || len > HCI_MAX_FRAME_SIZE)
165 return -EINVAL;
166
167 skb = bt_skb_alloc(len, GFP_KERNEL);
168 if (!skb)
169 return -ENOMEM;
170
171 if (!copy_from_iter_full(skb_put(skb, len), len, from)) {
172 kfree_skb(skb);
173 return -EFAULT;
174 }
175
176 pkt_type = *((__u8 *) skb->data);
177 skb_pull(skb, 1);
178
179 switch (pkt_type) {
180 case HCI_EVENT_PKT:
181 case HCI_ACLDATA_PKT:
182 case HCI_SCODATA_PKT:
183 case HCI_ISODATA_PKT:
184 if (!data->hdev) {
185 kfree_skb(skb);
186 return -ENODEV;
187 }
188
189 hci_skb_pkt_type(skb) = pkt_type;
190
191 ret = hci_recv_frame(data->hdev, skb);
192 break;
193
194 case HCI_VENDOR_PKT:
195 cancel_delayed_work_sync(&data->open_timeout);
196
197 opcode = *((__u8 *) skb->data);
198 skb_pull(skb, 1);
199
200 if (skb->len > 0) {
201 kfree_skb(skb);
202 return -EINVAL;
203 }
204
205 kfree_skb(skb);
206
207 ret = vhci_create_device(data, opcode);
208 break;
209
210 default:
211 kfree_skb(skb);
212 return -EINVAL;
213 }
214
215 return (ret < 0) ? ret : len;
216 }
217
vhci_put_user(struct vhci_data * data,struct sk_buff * skb,char __user * buf,int count)218 static inline ssize_t vhci_put_user(struct vhci_data *data,
219 struct sk_buff *skb,
220 char __user *buf, int count)
221 {
222 char __user *ptr = buf;
223 int len;
224
225 len = min_t(unsigned int, skb->len, count);
226
227 if (copy_to_user(ptr, skb->data, len))
228 return -EFAULT;
229
230 if (!data->hdev)
231 return len;
232
233 data->hdev->stat.byte_tx += len;
234
235 switch (hci_skb_pkt_type(skb)) {
236 case HCI_COMMAND_PKT:
237 data->hdev->stat.cmd_tx++;
238 break;
239 case HCI_ACLDATA_PKT:
240 data->hdev->stat.acl_tx++;
241 break;
242 case HCI_SCODATA_PKT:
243 data->hdev->stat.sco_tx++;
244 break;
245 }
246
247 return len;
248 }
249
vhci_read(struct file * file,char __user * buf,size_t count,loff_t * pos)250 static ssize_t vhci_read(struct file *file,
251 char __user *buf, size_t count, loff_t *pos)
252 {
253 struct vhci_data *data = file->private_data;
254 struct sk_buff *skb;
255 ssize_t ret = 0;
256
257 while (count) {
258 skb = skb_dequeue(&data->readq);
259 if (skb) {
260 ret = vhci_put_user(data, skb, buf, count);
261 if (ret < 0)
262 skb_queue_head(&data->readq, skb);
263 else
264 kfree_skb(skb);
265 break;
266 }
267
268 if (file->f_flags & O_NONBLOCK) {
269 ret = -EAGAIN;
270 break;
271 }
272
273 ret = wait_event_interruptible(data->read_wait,
274 !skb_queue_empty(&data->readq));
275 if (ret < 0)
276 break;
277 }
278
279 return ret;
280 }
281
vhci_write(struct kiocb * iocb,struct iov_iter * from)282 static ssize_t vhci_write(struct kiocb *iocb, struct iov_iter *from)
283 {
284 struct file *file = iocb->ki_filp;
285 struct vhci_data *data = file->private_data;
286
287 return vhci_get_user(data, from);
288 }
289
vhci_poll(struct file * file,poll_table * wait)290 static __poll_t vhci_poll(struct file *file, poll_table *wait)
291 {
292 struct vhci_data *data = file->private_data;
293
294 poll_wait(file, &data->read_wait, wait);
295
296 if (!skb_queue_empty(&data->readq))
297 return EPOLLIN | EPOLLRDNORM;
298
299 return EPOLLOUT | EPOLLWRNORM;
300 }
301
vhci_open_timeout(struct work_struct * work)302 static void vhci_open_timeout(struct work_struct *work)
303 {
304 struct vhci_data *data = container_of(work, struct vhci_data,
305 open_timeout.work);
306
307 vhci_create_device(data, amp ? HCI_AMP : HCI_PRIMARY);
308 }
309
vhci_open(struct inode * inode,struct file * file)310 static int vhci_open(struct inode *inode, struct file *file)
311 {
312 struct vhci_data *data;
313
314 data = kzalloc(sizeof(struct vhci_data), GFP_KERNEL);
315 if (!data)
316 return -ENOMEM;
317
318 skb_queue_head_init(&data->readq);
319 init_waitqueue_head(&data->read_wait);
320
321 mutex_init(&data->open_mutex);
322 INIT_DELAYED_WORK(&data->open_timeout, vhci_open_timeout);
323
324 file->private_data = data;
325 nonseekable_open(inode, file);
326
327 schedule_delayed_work(&data->open_timeout, msecs_to_jiffies(1000));
328
329 return 0;
330 }
331
vhci_release(struct inode * inode,struct file * file)332 static int vhci_release(struct inode *inode, struct file *file)
333 {
334 struct vhci_data *data = file->private_data;
335 struct hci_dev *hdev;
336
337 cancel_delayed_work_sync(&data->open_timeout);
338
339 hdev = data->hdev;
340
341 if (hdev) {
342 hci_unregister_dev(hdev);
343 hci_free_dev(hdev);
344 }
345
346 skb_queue_purge(&data->readq);
347 file->private_data = NULL;
348 kfree(data);
349
350 return 0;
351 }
352
353 static const struct file_operations vhci_fops = {
354 .owner = THIS_MODULE,
355 .read = vhci_read,
356 .write_iter = vhci_write,
357 .poll = vhci_poll,
358 .open = vhci_open,
359 .release = vhci_release,
360 .llseek = no_llseek,
361 };
362
363 static struct miscdevice vhci_miscdev = {
364 .name = "vhci",
365 .fops = &vhci_fops,
366 .minor = VHCI_MINOR,
367 };
368 module_misc_device(vhci_miscdev);
369
370 module_param(amp, bool, 0644);
371 MODULE_PARM_DESC(amp, "Create AMP controller device");
372
373 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
374 MODULE_DESCRIPTION("Bluetooth virtual HCI driver ver " VERSION);
375 MODULE_VERSION(VERSION);
376 MODULE_LICENSE("GPL");
377 MODULE_ALIAS("devname:vhci");
378 MODULE_ALIAS_MISCDEV(VHCI_MINOR);
379