• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4 
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth HCI sockets. */
26 
27 #include <linux/export.h>
28 #include <asm/unaligned.h>
29 
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/hci_mon.h>
33 
34 static atomic_t monitor_promisc = ATOMIC_INIT(0);
35 
36 /* ----- HCI socket interface ----- */
37 
hci_test_bit(int nr,void * addr)38 static inline int hci_test_bit(int nr, void *addr)
39 {
40 	return *((__u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31));
41 }
42 
43 /* Security filter */
44 static struct hci_sec_filter hci_sec_filter = {
45 	/* Packet types */
46 	0x10,
47 	/* Events */
48 	{ 0x1000d9fe, 0x0000b00c },
49 	/* Commands */
50 	{
51 		{ 0x0 },
52 		/* OGF_LINK_CTL */
53 		{ 0xbe000006, 0x00000001, 0x00000000, 0x00 },
54 		/* OGF_LINK_POLICY */
55 		{ 0x00005200, 0x00000000, 0x00000000, 0x00 },
56 		/* OGF_HOST_CTL */
57 		{ 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
58 		/* OGF_INFO_PARAM */
59 		{ 0x000002be, 0x00000000, 0x00000000, 0x00 },
60 		/* OGF_STATUS_PARAM */
61 		{ 0x000000ea, 0x00000000, 0x00000000, 0x00 }
62 	}
63 };
64 
65 static struct bt_sock_list hci_sk_list = {
66 	.lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
67 };
68 
69 /* Send frame to RAW socket */
hci_send_to_sock(struct hci_dev * hdev,struct sk_buff * skb)70 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
71 {
72 	struct sock *sk;
73 	struct sk_buff *skb_copy = NULL;
74 
75 	BT_DBG("hdev %p len %d", hdev, skb->len);
76 
77 	read_lock(&hci_sk_list.lock);
78 
79 	sk_for_each(sk, &hci_sk_list.head) {
80 		struct hci_filter *flt;
81 		struct sk_buff *nskb;
82 
83 		if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
84 			continue;
85 
86 		/* Don't send frame to the socket it came from */
87 		if (skb->sk == sk)
88 			continue;
89 
90 		if (hci_pi(sk)->channel != HCI_CHANNEL_RAW)
91 			continue;
92 
93 		/* Apply filter */
94 		flt = &hci_pi(sk)->filter;
95 
96 		if (!test_bit((bt_cb(skb)->pkt_type == HCI_VENDOR_PKT) ?
97 			      0 : (bt_cb(skb)->pkt_type & HCI_FLT_TYPE_BITS),
98 			      &flt->type_mask))
99 			continue;
100 
101 		if (bt_cb(skb)->pkt_type == HCI_EVENT_PKT) {
102 			int evt = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);
103 
104 			if (!hci_test_bit(evt, &flt->event_mask))
105 				continue;
106 
107 			if (flt->opcode &&
108 			    ((evt == HCI_EV_CMD_COMPLETE &&
109 			      flt->opcode !=
110 			      get_unaligned((__le16 *)(skb->data + 3))) ||
111 			     (evt == HCI_EV_CMD_STATUS &&
112 			      flt->opcode !=
113 			      get_unaligned((__le16 *)(skb->data + 4)))))
114 				continue;
115 		}
116 
117 		if (!skb_copy) {
118 			/* Create a private copy with headroom */
119 			skb_copy = __pskb_copy(skb, 1, GFP_ATOMIC);
120 			if (!skb_copy)
121 				continue;
122 
123 			/* Put type byte before the data */
124 			memcpy(skb_push(skb_copy, 1), &bt_cb(skb)->pkt_type, 1);
125 		}
126 
127 		nskb = skb_clone(skb_copy, GFP_ATOMIC);
128 		if (!nskb)
129 			continue;
130 
131 		if (sock_queue_rcv_skb(sk, nskb))
132 			kfree_skb(nskb);
133 	}
134 
135 	read_unlock(&hci_sk_list.lock);
136 
137 	kfree_skb(skb_copy);
138 }
139 
140 /* Send frame to control socket */
hci_send_to_control(struct sk_buff * skb,struct sock * skip_sk)141 void hci_send_to_control(struct sk_buff *skb, struct sock *skip_sk)
142 {
143 	struct sock *sk;
144 
145 	BT_DBG("len %d", skb->len);
146 
147 	read_lock(&hci_sk_list.lock);
148 
149 	sk_for_each(sk, &hci_sk_list.head) {
150 		struct sk_buff *nskb;
151 
152 		/* Skip the original socket */
153 		if (sk == skip_sk)
154 			continue;
155 
156 		if (sk->sk_state != BT_BOUND)
157 			continue;
158 
159 		if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL)
160 			continue;
161 
162 		nskb = skb_clone(skb, GFP_ATOMIC);
163 		if (!nskb)
164 			continue;
165 
166 		if (sock_queue_rcv_skb(sk, nskb))
167 			kfree_skb(nskb);
168 	}
169 
170 	read_unlock(&hci_sk_list.lock);
171 }
172 
173 /* Send frame to monitor socket */
hci_send_to_monitor(struct hci_dev * hdev,struct sk_buff * skb)174 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
175 {
176 	struct sock *sk;
177 	struct sk_buff *skb_copy = NULL;
178 	__le16 opcode;
179 
180 	if (!atomic_read(&monitor_promisc))
181 		return;
182 
183 	BT_DBG("hdev %p len %d", hdev, skb->len);
184 
185 	switch (bt_cb(skb)->pkt_type) {
186 	case HCI_COMMAND_PKT:
187 		opcode = __constant_cpu_to_le16(HCI_MON_COMMAND_PKT);
188 		break;
189 	case HCI_EVENT_PKT:
190 		opcode = __constant_cpu_to_le16(HCI_MON_EVENT_PKT);
191 		break;
192 	case HCI_ACLDATA_PKT:
193 		if (bt_cb(skb)->incoming)
194 			opcode = __constant_cpu_to_le16(HCI_MON_ACL_RX_PKT);
195 		else
196 			opcode = __constant_cpu_to_le16(HCI_MON_ACL_TX_PKT);
197 		break;
198 	case HCI_SCODATA_PKT:
199 		if (bt_cb(skb)->incoming)
200 			opcode = __constant_cpu_to_le16(HCI_MON_SCO_RX_PKT);
201 		else
202 			opcode = __constant_cpu_to_le16(HCI_MON_SCO_TX_PKT);
203 		break;
204 	default:
205 		return;
206 	}
207 
208 	read_lock(&hci_sk_list.lock);
209 
210 	sk_for_each(sk, &hci_sk_list.head) {
211 		struct sk_buff *nskb;
212 
213 		if (sk->sk_state != BT_BOUND)
214 			continue;
215 
216 		if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR)
217 			continue;
218 
219 		if (!skb_copy) {
220 			struct hci_mon_hdr *hdr;
221 
222 			/* Create a private copy with headroom */
223 			skb_copy = __pskb_copy(skb, HCI_MON_HDR_SIZE,
224 					       GFP_ATOMIC);
225 			if (!skb_copy)
226 				continue;
227 
228 			/* Put header before the data */
229 			hdr = (void *) skb_push(skb_copy, HCI_MON_HDR_SIZE);
230 			hdr->opcode = opcode;
231 			hdr->index = cpu_to_le16(hdev->id);
232 			hdr->len = cpu_to_le16(skb->len);
233 		}
234 
235 		nskb = skb_clone(skb_copy, GFP_ATOMIC);
236 		if (!nskb)
237 			continue;
238 
239 		if (sock_queue_rcv_skb(sk, nskb))
240 			kfree_skb(nskb);
241 	}
242 
243 	read_unlock(&hci_sk_list.lock);
244 
245 	kfree_skb(skb_copy);
246 }
247 
send_monitor_event(struct sk_buff * skb)248 static void send_monitor_event(struct sk_buff *skb)
249 {
250 	struct sock *sk;
251 
252 	BT_DBG("len %d", skb->len);
253 
254 	read_lock(&hci_sk_list.lock);
255 
256 	sk_for_each(sk, &hci_sk_list.head) {
257 		struct sk_buff *nskb;
258 
259 		if (sk->sk_state != BT_BOUND)
260 			continue;
261 
262 		if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR)
263 			continue;
264 
265 		nskb = skb_clone(skb, GFP_ATOMIC);
266 		if (!nskb)
267 			continue;
268 
269 		if (sock_queue_rcv_skb(sk, nskb))
270 			kfree_skb(nskb);
271 	}
272 
273 	read_unlock(&hci_sk_list.lock);
274 }
275 
create_monitor_event(struct hci_dev * hdev,int event)276 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
277 {
278 	struct hci_mon_hdr *hdr;
279 	struct hci_mon_new_index *ni;
280 	struct sk_buff *skb;
281 	__le16 opcode;
282 
283 	switch (event) {
284 	case HCI_DEV_REG:
285 		skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC);
286 		if (!skb)
287 			return NULL;
288 
289 		ni = (void *) skb_put(skb, HCI_MON_NEW_INDEX_SIZE);
290 		ni->type = hdev->dev_type;
291 		ni->bus = hdev->bus;
292 		bacpy(&ni->bdaddr, &hdev->bdaddr);
293 		memcpy(ni->name, hdev->name, 8);
294 
295 		opcode = __constant_cpu_to_le16(HCI_MON_NEW_INDEX);
296 		break;
297 
298 	case HCI_DEV_UNREG:
299 		skb = bt_skb_alloc(0, GFP_ATOMIC);
300 		if (!skb)
301 			return NULL;
302 
303 		opcode = __constant_cpu_to_le16(HCI_MON_DEL_INDEX);
304 		break;
305 
306 	default:
307 		return NULL;
308 	}
309 
310 	__net_timestamp(skb);
311 
312 	hdr = (void *) skb_push(skb, HCI_MON_HDR_SIZE);
313 	hdr->opcode = opcode;
314 	hdr->index = cpu_to_le16(hdev->id);
315 	hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
316 
317 	return skb;
318 }
319 
send_monitor_replay(struct sock * sk)320 static void send_monitor_replay(struct sock *sk)
321 {
322 	struct hci_dev *hdev;
323 
324 	read_lock(&hci_dev_list_lock);
325 
326 	list_for_each_entry(hdev, &hci_dev_list, list) {
327 		struct sk_buff *skb;
328 
329 		skb = create_monitor_event(hdev, HCI_DEV_REG);
330 		if (!skb)
331 			continue;
332 
333 		if (sock_queue_rcv_skb(sk, skb))
334 			kfree_skb(skb);
335 	}
336 
337 	read_unlock(&hci_dev_list_lock);
338 }
339 
340 /* Generate internal stack event */
hci_si_event(struct hci_dev * hdev,int type,int dlen,void * data)341 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
342 {
343 	struct hci_event_hdr *hdr;
344 	struct hci_ev_stack_internal *ev;
345 	struct sk_buff *skb;
346 
347 	skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC);
348 	if (!skb)
349 		return;
350 
351 	hdr = (void *) skb_put(skb, HCI_EVENT_HDR_SIZE);
352 	hdr->evt  = HCI_EV_STACK_INTERNAL;
353 	hdr->plen = sizeof(*ev) + dlen;
354 
355 	ev  = (void *) skb_put(skb, sizeof(*ev) + dlen);
356 	ev->type = type;
357 	memcpy(ev->data, data, dlen);
358 
359 	bt_cb(skb)->incoming = 1;
360 	__net_timestamp(skb);
361 
362 	bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
363 	skb->dev = (void *) hdev;
364 	hci_send_to_sock(hdev, skb);
365 	kfree_skb(skb);
366 }
367 
hci_sock_dev_event(struct hci_dev * hdev,int event)368 void hci_sock_dev_event(struct hci_dev *hdev, int event)
369 {
370 	struct hci_ev_si_device ev;
371 
372 	BT_DBG("hdev %s event %d", hdev->name, event);
373 
374 	/* Send event to monitor */
375 	if (atomic_read(&monitor_promisc)) {
376 		struct sk_buff *skb;
377 
378 		skb = create_monitor_event(hdev, event);
379 		if (skb) {
380 			send_monitor_event(skb);
381 			kfree_skb(skb);
382 		}
383 	}
384 
385 	/* Send event to sockets */
386 	ev.event  = event;
387 	ev.dev_id = hdev->id;
388 	hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev);
389 
390 	if (event == HCI_DEV_UNREG) {
391 		struct sock *sk;
392 
393 		/* Detach sockets from device */
394 		read_lock(&hci_sk_list.lock);
395 		sk_for_each(sk, &hci_sk_list.head) {
396 			bh_lock_sock_nested(sk);
397 			if (hci_pi(sk)->hdev == hdev) {
398 				hci_pi(sk)->hdev = NULL;
399 				sk->sk_err = EPIPE;
400 				sk->sk_state = BT_OPEN;
401 				sk->sk_state_change(sk);
402 
403 				hci_dev_put(hdev);
404 			}
405 			bh_unlock_sock(sk);
406 		}
407 		read_unlock(&hci_sk_list.lock);
408 	}
409 }
410 
hci_sock_release(struct socket * sock)411 static int hci_sock_release(struct socket *sock)
412 {
413 	struct sock *sk = sock->sk;
414 	struct hci_dev *hdev;
415 
416 	BT_DBG("sock %p sk %p", sock, sk);
417 
418 	if (!sk)
419 		return 0;
420 
421 	hdev = hci_pi(sk)->hdev;
422 
423 	if (hci_pi(sk)->channel == HCI_CHANNEL_MONITOR)
424 		atomic_dec(&monitor_promisc);
425 
426 	bt_sock_unlink(&hci_sk_list, sk);
427 
428 	if (hdev) {
429 		atomic_dec(&hdev->promisc);
430 		hci_dev_put(hdev);
431 	}
432 
433 	sock_orphan(sk);
434 
435 	skb_queue_purge(&sk->sk_receive_queue);
436 	skb_queue_purge(&sk->sk_write_queue);
437 
438 	sock_put(sk);
439 	return 0;
440 }
441 
hci_sock_blacklist_add(struct hci_dev * hdev,void __user * arg)442 static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg)
443 {
444 	bdaddr_t bdaddr;
445 	int err;
446 
447 	if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
448 		return -EFAULT;
449 
450 	hci_dev_lock(hdev);
451 
452 	err = hci_blacklist_add(hdev, &bdaddr, 0);
453 
454 	hci_dev_unlock(hdev);
455 
456 	return err;
457 }
458 
hci_sock_blacklist_del(struct hci_dev * hdev,void __user * arg)459 static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
460 {
461 	bdaddr_t bdaddr;
462 	int err;
463 
464 	if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
465 		return -EFAULT;
466 
467 	hci_dev_lock(hdev);
468 
469 	err = hci_blacklist_del(hdev, &bdaddr, 0);
470 
471 	hci_dev_unlock(hdev);
472 
473 	return err;
474 }
475 
476 /* Ioctls that require bound socket */
hci_sock_bound_ioctl(struct sock * sk,unsigned int cmd,unsigned long arg)477 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
478 				unsigned long arg)
479 {
480 	struct hci_dev *hdev = hci_pi(sk)->hdev;
481 
482 	if (!hdev)
483 		return -EBADFD;
484 
485 	switch (cmd) {
486 	case HCISETRAW:
487 		if (!capable(CAP_NET_ADMIN))
488 			return -EPERM;
489 
490 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
491 			return -EPERM;
492 
493 		if (arg)
494 			set_bit(HCI_RAW, &hdev->flags);
495 		else
496 			clear_bit(HCI_RAW, &hdev->flags);
497 
498 		return 0;
499 
500 	case HCIGETCONNINFO:
501 		return hci_get_conn_info(hdev, (void __user *) arg);
502 
503 	case HCIGETAUTHINFO:
504 		return hci_get_auth_info(hdev, (void __user *) arg);
505 
506 	case HCIBLOCKADDR:
507 		if (!capable(CAP_NET_ADMIN))
508 			return -EPERM;
509 		return hci_sock_blacklist_add(hdev, (void __user *) arg);
510 
511 	case HCIUNBLOCKADDR:
512 		if (!capable(CAP_NET_ADMIN))
513 			return -EPERM;
514 		return hci_sock_blacklist_del(hdev, (void __user *) arg);
515 
516 	default:
517 		if (hdev->ioctl)
518 			return hdev->ioctl(hdev, cmd, arg);
519 		return -EINVAL;
520 	}
521 }
522 
hci_sock_ioctl(struct socket * sock,unsigned int cmd,unsigned long arg)523 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
524 			  unsigned long arg)
525 {
526 	struct sock *sk = sock->sk;
527 	void __user *argp = (void __user *) arg;
528 	int err;
529 
530 	BT_DBG("cmd %x arg %lx", cmd, arg);
531 
532 	switch (cmd) {
533 	case HCIGETDEVLIST:
534 		return hci_get_dev_list(argp);
535 
536 	case HCIGETDEVINFO:
537 		return hci_get_dev_info(argp);
538 
539 	case HCIGETCONNLIST:
540 		return hci_get_conn_list(argp);
541 
542 	case HCIDEVUP:
543 		if (!capable(CAP_NET_ADMIN))
544 			return -EPERM;
545 		return hci_dev_open(arg);
546 
547 	case HCIDEVDOWN:
548 		if (!capable(CAP_NET_ADMIN))
549 			return -EPERM;
550 		return hci_dev_close(arg);
551 
552 	case HCIDEVRESET:
553 		if (!capable(CAP_NET_ADMIN))
554 			return -EPERM;
555 		return hci_dev_reset(arg);
556 
557 	case HCIDEVRESTAT:
558 		if (!capable(CAP_NET_ADMIN))
559 			return -EPERM;
560 		return hci_dev_reset_stat(arg);
561 
562 	case HCISETSCAN:
563 	case HCISETAUTH:
564 	case HCISETENCRYPT:
565 	case HCISETPTYPE:
566 	case HCISETLINKPOL:
567 	case HCISETLINKMODE:
568 	case HCISETACLMTU:
569 	case HCISETSCOMTU:
570 		if (!capable(CAP_NET_ADMIN))
571 			return -EPERM;
572 		return hci_dev_cmd(cmd, argp);
573 
574 	case HCIINQUIRY:
575 		return hci_inquiry(argp);
576 
577 	default:
578 		lock_sock(sk);
579 		err = hci_sock_bound_ioctl(sk, cmd, arg);
580 		release_sock(sk);
581 		return err;
582 	}
583 }
584 
hci_sock_bind(struct socket * sock,struct sockaddr * addr,int addr_len)585 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
586 			 int addr_len)
587 {
588 	struct sockaddr_hci haddr;
589 	struct sock *sk = sock->sk;
590 	struct hci_dev *hdev = NULL;
591 	int len, err = 0;
592 
593 	BT_DBG("sock %p sk %p", sock, sk);
594 
595 	if (!addr)
596 		return -EINVAL;
597 
598 	memset(&haddr, 0, sizeof(haddr));
599 	len = min_t(unsigned int, sizeof(haddr), addr_len);
600 	memcpy(&haddr, addr, len);
601 
602 	if (haddr.hci_family != AF_BLUETOOTH)
603 		return -EINVAL;
604 
605 	lock_sock(sk);
606 
607 	if (sk->sk_state == BT_BOUND) {
608 		err = -EALREADY;
609 		goto done;
610 	}
611 
612 	switch (haddr.hci_channel) {
613 	case HCI_CHANNEL_RAW:
614 		if (hci_pi(sk)->hdev) {
615 			err = -EALREADY;
616 			goto done;
617 		}
618 
619 		if (haddr.hci_dev != HCI_DEV_NONE) {
620 			hdev = hci_dev_get(haddr.hci_dev);
621 			if (!hdev) {
622 				err = -ENODEV;
623 				goto done;
624 			}
625 
626 			atomic_inc(&hdev->promisc);
627 		}
628 
629 		hci_pi(sk)->hdev = hdev;
630 		break;
631 
632 	case HCI_CHANNEL_CONTROL:
633 		if (haddr.hci_dev != HCI_DEV_NONE) {
634 			err = -EINVAL;
635 			goto done;
636 		}
637 
638 		if (!capable(CAP_NET_ADMIN)) {
639 			err = -EPERM;
640 			goto done;
641 		}
642 
643 		break;
644 
645 	case HCI_CHANNEL_MONITOR:
646 		if (haddr.hci_dev != HCI_DEV_NONE) {
647 			err = -EINVAL;
648 			goto done;
649 		}
650 
651 		if (!capable(CAP_NET_RAW)) {
652 			err = -EPERM;
653 			goto done;
654 		}
655 
656 		send_monitor_replay(sk);
657 
658 		atomic_inc(&monitor_promisc);
659 		break;
660 
661 	default:
662 		err = -EINVAL;
663 		goto done;
664 	}
665 
666 
667 	hci_pi(sk)->channel = haddr.hci_channel;
668 	sk->sk_state = BT_BOUND;
669 
670 done:
671 	release_sock(sk);
672 	return err;
673 }
674 
hci_sock_getname(struct socket * sock,struct sockaddr * addr,int * addr_len,int peer)675 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
676 			    int *addr_len, int peer)
677 {
678 	struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr;
679 	struct sock *sk = sock->sk;
680 	struct hci_dev *hdev = hci_pi(sk)->hdev;
681 
682 	BT_DBG("sock %p sk %p", sock, sk);
683 
684 	if (!hdev)
685 		return -EBADFD;
686 
687 	lock_sock(sk);
688 
689 	*addr_len = sizeof(*haddr);
690 	haddr->hci_family = AF_BLUETOOTH;
691 	haddr->hci_dev    = hdev->id;
692 	haddr->hci_channel= 0;
693 
694 	release_sock(sk);
695 	return 0;
696 }
697 
hci_sock_cmsg(struct sock * sk,struct msghdr * msg,struct sk_buff * skb)698 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg,
699 			  struct sk_buff *skb)
700 {
701 	__u32 mask = hci_pi(sk)->cmsg_mask;
702 
703 	if (mask & HCI_CMSG_DIR) {
704 		int incoming = bt_cb(skb)->incoming;
705 		put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming),
706 			 &incoming);
707 	}
708 
709 	if (mask & HCI_CMSG_TSTAMP) {
710 #ifdef CONFIG_COMPAT
711 		struct compat_timeval ctv;
712 #endif
713 		struct timeval tv;
714 		void *data;
715 		int len;
716 
717 		skb_get_timestamp(skb, &tv);
718 
719 		data = &tv;
720 		len = sizeof(tv);
721 #ifdef CONFIG_COMPAT
722 		if (!COMPAT_USE_64BIT_TIME &&
723 		    (msg->msg_flags & MSG_CMSG_COMPAT)) {
724 			ctv.tv_sec = tv.tv_sec;
725 			ctv.tv_usec = tv.tv_usec;
726 			data = &ctv;
727 			len = sizeof(ctv);
728 		}
729 #endif
730 
731 		put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
732 	}
733 }
734 
hci_sock_recvmsg(struct kiocb * iocb,struct socket * sock,struct msghdr * msg,size_t len,int flags)735 static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
736 			    struct msghdr *msg, size_t len, int flags)
737 {
738 	int noblock = flags & MSG_DONTWAIT;
739 	struct sock *sk = sock->sk;
740 	struct sk_buff *skb;
741 	int copied, err;
742 
743 	BT_DBG("sock %p, sk %p", sock, sk);
744 
745 	if (flags & (MSG_OOB))
746 		return -EOPNOTSUPP;
747 
748 	if (sk->sk_state == BT_CLOSED)
749 		return 0;
750 
751 	skb = skb_recv_datagram(sk, flags, noblock, &err);
752 	if (!skb)
753 		return err;
754 
755 	msg->msg_namelen = 0;
756 
757 	copied = skb->len;
758 	if (len < copied) {
759 		msg->msg_flags |= MSG_TRUNC;
760 		copied = len;
761 	}
762 
763 	skb_reset_transport_header(skb);
764 	err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
765 
766 	switch (hci_pi(sk)->channel) {
767 	case HCI_CHANNEL_RAW:
768 		hci_sock_cmsg(sk, msg, skb);
769 		break;
770 	case HCI_CHANNEL_CONTROL:
771 	case HCI_CHANNEL_MONITOR:
772 		sock_recv_timestamp(msg, sk, skb);
773 		break;
774 	}
775 
776 	skb_free_datagram(sk, skb);
777 
778 	return err ? : copied;
779 }
780 
hci_sock_sendmsg(struct kiocb * iocb,struct socket * sock,struct msghdr * msg,size_t len)781 static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
782 			    struct msghdr *msg, size_t len)
783 {
784 	struct sock *sk = sock->sk;
785 	struct hci_dev *hdev;
786 	struct sk_buff *skb;
787 	int err;
788 
789 	BT_DBG("sock %p sk %p", sock, sk);
790 
791 	if (msg->msg_flags & MSG_OOB)
792 		return -EOPNOTSUPP;
793 
794 	if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE))
795 		return -EINVAL;
796 
797 	if (len < 4 || len > HCI_MAX_FRAME_SIZE)
798 		return -EINVAL;
799 
800 	lock_sock(sk);
801 
802 	switch (hci_pi(sk)->channel) {
803 	case HCI_CHANNEL_RAW:
804 		break;
805 	case HCI_CHANNEL_CONTROL:
806 		err = mgmt_control(sk, msg, len);
807 		goto done;
808 	case HCI_CHANNEL_MONITOR:
809 		err = -EOPNOTSUPP;
810 		goto done;
811 	default:
812 		err = -EINVAL;
813 		goto done;
814 	}
815 
816 	hdev = hci_pi(sk)->hdev;
817 	if (!hdev) {
818 		err = -EBADFD;
819 		goto done;
820 	}
821 
822 	if (!test_bit(HCI_UP, &hdev->flags)) {
823 		err = -ENETDOWN;
824 		goto done;
825 	}
826 
827 	skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
828 	if (!skb)
829 		goto done;
830 
831 	if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) {
832 		err = -EFAULT;
833 		goto drop;
834 	}
835 
836 	bt_cb(skb)->pkt_type = *((unsigned char *) skb->data);
837 	skb_pull(skb, 1);
838 	skb->dev = (void *) hdev;
839 
840 	if (bt_cb(skb)->pkt_type == HCI_COMMAND_PKT) {
841 		u16 opcode = get_unaligned_le16(skb->data);
842 		u16 ogf = hci_opcode_ogf(opcode);
843 		u16 ocf = hci_opcode_ocf(opcode);
844 
845 		if (((ogf > HCI_SFLT_MAX_OGF) ||
846 		     !hci_test_bit(ocf & HCI_FLT_OCF_BITS,
847 				   &hci_sec_filter.ocf_mask[ogf])) &&
848 		    !capable(CAP_NET_RAW)) {
849 			err = -EPERM;
850 			goto drop;
851 		}
852 
853 		if (test_bit(HCI_RAW, &hdev->flags) || (ogf == 0x3f)) {
854 			skb_queue_tail(&hdev->raw_q, skb);
855 			queue_work(hdev->workqueue, &hdev->tx_work);
856 		} else {
857 			/* Stand-alone HCI commands must be flaged as
858 			 * single-command requests.
859 			 */
860 			bt_cb(skb)->req.start = true;
861 
862 			skb_queue_tail(&hdev->cmd_q, skb);
863 			queue_work(hdev->workqueue, &hdev->cmd_work);
864 		}
865 	} else {
866 		if (!capable(CAP_NET_RAW)) {
867 			err = -EPERM;
868 			goto drop;
869 		}
870 
871 		skb_queue_tail(&hdev->raw_q, skb);
872 		queue_work(hdev->workqueue, &hdev->tx_work);
873 	}
874 
875 	err = len;
876 
877 done:
878 	release_sock(sk);
879 	return err;
880 
881 drop:
882 	kfree_skb(skb);
883 	goto done;
884 }
885 
hci_sock_setsockopt(struct socket * sock,int level,int optname,char __user * optval,unsigned int len)886 static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
887 			       char __user *optval, unsigned int len)
888 {
889 	struct hci_ufilter uf = { .opcode = 0 };
890 	struct sock *sk = sock->sk;
891 	int err = 0, opt = 0;
892 
893 	BT_DBG("sk %p, opt %d", sk, optname);
894 
895 	lock_sock(sk);
896 
897 	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
898 		err = -EINVAL;
899 		goto done;
900 	}
901 
902 	switch (optname) {
903 	case HCI_DATA_DIR:
904 		if (get_user(opt, (int __user *)optval)) {
905 			err = -EFAULT;
906 			break;
907 		}
908 
909 		if (opt)
910 			hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
911 		else
912 			hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR;
913 		break;
914 
915 	case HCI_TIME_STAMP:
916 		if (get_user(opt, (int __user *)optval)) {
917 			err = -EFAULT;
918 			break;
919 		}
920 
921 		if (opt)
922 			hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
923 		else
924 			hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP;
925 		break;
926 
927 	case HCI_FILTER:
928 		{
929 			struct hci_filter *f = &hci_pi(sk)->filter;
930 
931 			uf.type_mask = f->type_mask;
932 			uf.opcode    = f->opcode;
933 			uf.event_mask[0] = *((u32 *) f->event_mask + 0);
934 			uf.event_mask[1] = *((u32 *) f->event_mask + 1);
935 		}
936 
937 		len = min_t(unsigned int, len, sizeof(uf));
938 		if (copy_from_user(&uf, optval, len)) {
939 			err = -EFAULT;
940 			break;
941 		}
942 
943 		if (!capable(CAP_NET_RAW)) {
944 			uf.type_mask &= hci_sec_filter.type_mask;
945 			uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
946 			uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
947 		}
948 
949 		{
950 			struct hci_filter *f = &hci_pi(sk)->filter;
951 
952 			f->type_mask = uf.type_mask;
953 			f->opcode    = uf.opcode;
954 			*((u32 *) f->event_mask + 0) = uf.event_mask[0];
955 			*((u32 *) f->event_mask + 1) = uf.event_mask[1];
956 		}
957 		break;
958 
959 	default:
960 		err = -ENOPROTOOPT;
961 		break;
962 	}
963 
964 done:
965 	release_sock(sk);
966 	return err;
967 }
968 
hci_sock_getsockopt(struct socket * sock,int level,int optname,char __user * optval,int __user * optlen)969 static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
970 			       char __user *optval, int __user *optlen)
971 {
972 	struct hci_ufilter uf;
973 	struct sock *sk = sock->sk;
974 	int len, opt, err = 0;
975 
976 	BT_DBG("sk %p, opt %d", sk, optname);
977 
978 	if (get_user(len, optlen))
979 		return -EFAULT;
980 
981 	lock_sock(sk);
982 
983 	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
984 		err = -EINVAL;
985 		goto done;
986 	}
987 
988 	switch (optname) {
989 	case HCI_DATA_DIR:
990 		if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR)
991 			opt = 1;
992 		else
993 			opt = 0;
994 
995 		if (put_user(opt, optval))
996 			err = -EFAULT;
997 		break;
998 
999 	case HCI_TIME_STAMP:
1000 		if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP)
1001 			opt = 1;
1002 		else
1003 			opt = 0;
1004 
1005 		if (put_user(opt, optval))
1006 			err = -EFAULT;
1007 		break;
1008 
1009 	case HCI_FILTER:
1010 		{
1011 			struct hci_filter *f = &hci_pi(sk)->filter;
1012 
1013 			memset(&uf, 0, sizeof(uf));
1014 			uf.type_mask = f->type_mask;
1015 			uf.opcode    = f->opcode;
1016 			uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1017 			uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1018 		}
1019 
1020 		len = min_t(unsigned int, len, sizeof(uf));
1021 		if (copy_to_user(optval, &uf, len))
1022 			err = -EFAULT;
1023 		break;
1024 
1025 	default:
1026 		err = -ENOPROTOOPT;
1027 		break;
1028 	}
1029 
1030 done:
1031 	release_sock(sk);
1032 	return err;
1033 }
1034 
1035 static const struct proto_ops hci_sock_ops = {
1036 	.family		= PF_BLUETOOTH,
1037 	.owner		= THIS_MODULE,
1038 	.release	= hci_sock_release,
1039 	.bind		= hci_sock_bind,
1040 	.getname	= hci_sock_getname,
1041 	.sendmsg	= hci_sock_sendmsg,
1042 	.recvmsg	= hci_sock_recvmsg,
1043 	.ioctl		= hci_sock_ioctl,
1044 	.poll		= datagram_poll,
1045 	.listen		= sock_no_listen,
1046 	.shutdown	= sock_no_shutdown,
1047 	.setsockopt	= hci_sock_setsockopt,
1048 	.getsockopt	= hci_sock_getsockopt,
1049 	.connect	= sock_no_connect,
1050 	.socketpair	= sock_no_socketpair,
1051 	.accept		= sock_no_accept,
1052 	.mmap		= sock_no_mmap
1053 };
1054 
1055 static struct proto hci_sk_proto = {
1056 	.name		= "HCI",
1057 	.owner		= THIS_MODULE,
1058 	.obj_size	= sizeof(struct hci_pinfo)
1059 };
1060 
hci_sock_create(struct net * net,struct socket * sock,int protocol,int kern)1061 static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
1062 			   int kern)
1063 {
1064 	struct sock *sk;
1065 
1066 	BT_DBG("sock %p", sock);
1067 
1068 	if (sock->type != SOCK_RAW)
1069 		return -ESOCKTNOSUPPORT;
1070 
1071 	sock->ops = &hci_sock_ops;
1072 
1073 	sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto);
1074 	if (!sk)
1075 		return -ENOMEM;
1076 
1077 	sock_init_data(sock, sk);
1078 
1079 	sock_reset_flag(sk, SOCK_ZAPPED);
1080 
1081 	sk->sk_protocol = protocol;
1082 
1083 	sock->state = SS_UNCONNECTED;
1084 	sk->sk_state = BT_OPEN;
1085 
1086 	bt_sock_link(&hci_sk_list, sk);
1087 	return 0;
1088 }
1089 
1090 static const struct net_proto_family hci_sock_family_ops = {
1091 	.family	= PF_BLUETOOTH,
1092 	.owner	= THIS_MODULE,
1093 	.create	= hci_sock_create,
1094 };
1095 
hci_sock_init(void)1096 int __init hci_sock_init(void)
1097 {
1098 	int err;
1099 
1100 	err = proto_register(&hci_sk_proto, 0);
1101 	if (err < 0)
1102 		return err;
1103 
1104 	err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
1105 	if (err < 0) {
1106 		BT_ERR("HCI socket registration failed");
1107 		goto error;
1108 	}
1109 
1110 	err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL);
1111 	if (err < 0) {
1112 		BT_ERR("Failed to create HCI proc file");
1113 		bt_sock_unregister(BTPROTO_HCI);
1114 		goto error;
1115 	}
1116 
1117 	BT_INFO("HCI socket layer initialized");
1118 
1119 	return 0;
1120 
1121 error:
1122 	proto_unregister(&hci_sk_proto);
1123 	return err;
1124 }
1125 
hci_sock_cleanup(void)1126 void hci_sock_cleanup(void)
1127 {
1128 	bt_procfs_cleanup(&init_net, "hci");
1129 	bt_sock_unregister(BTPROTO_HCI);
1130 	proto_unregister(&hci_sk_proto);
1131 }
1132