1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4 
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth HCI sockets. */
26 
27 #include <linux/export.h>
28 #include <linux/utsname.h>
29 #include <linux/sched.h>
30 #include <asm/unaligned.h>
31 
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/hci_mon.h>
35 #include <net/bluetooth/mgmt.h>
36 
37 #include "mgmt_util.h"
38 
/* Registered management channels (struct hci_mgmt_chan), protected by
 * mgmt_chan_list_lock; see hci_mgmt_chan_register()/unregister() below.
 */
static LIST_HEAD(mgmt_chan_list);
static DEFINE_MUTEX(mgmt_chan_list_lock);

/* Allocator for per-socket monitor cookies (hci_sock_gen_cookie); a cookie
 * of 0 means "not assigned yet".
 */
static DEFINE_IDA(sock_cookie_ida);

/* Count of sockets on the monitor channel.  While it is zero the monitor
 * paths (hci_send_to_monitor, hci_sock_dev_event) do not build frames at
 * all; it is decremented in hci_sock_release().
 */
static atomic_t monitor_promisc = ATOMIC_INIT(0);
45 
46 /* ----- HCI socket interface ----- */
47 
/* Socket info: per-socket private state.  The cast presumably relies on
 * struct sock being the leading member of struct bt_sock — confirm.
 */
#define hci_pi(sk) ((struct hci_pinfo *) sk)

struct hci_pinfo {
	struct bt_sock    bt;
	struct hci_dev    *hdev;	/* bound controller, NULL while unbound */
	struct hci_filter filter;	/* raw-channel filter, see is_filtered_packet() */
	__u32             cmsg_mask;
	unsigned short    channel;	/* HCI_CHANNEL_* the socket is bound to */
	unsigned long     flags;	/* HCI_SOCK_* bits, see hci_sock_set_flag() */
	__u32             cookie;	/* monitor cookie: 0 = none, 0xffffffff = released/failed */
	char              comm[TASK_COMM_LEN];	/* task name recorded with the cookie */
};
61 
/* Set HCI_SOCK_* bit @nr in the private flags of @sk. */
void hci_sock_set_flag(struct sock *sk, int nr)
{
	struct hci_pinfo *pi = hci_pi(sk);

	set_bit(nr, &pi->flags);
}
66 
/* Clear HCI_SOCK_* bit @nr in the private flags of @sk. */
void hci_sock_clear_flag(struct sock *sk, int nr)
{
	struct hci_pinfo *pi = hci_pi(sk);

	clear_bit(nr, &pi->flags);
}
71 
/* Return non-zero when HCI_SOCK_* bit @nr is set on @sk. */
int hci_sock_test_flag(struct sock *sk, int nr)
{
	struct hci_pinfo *pi = hci_pi(sk);

	return test_bit(nr, &pi->flags);
}
76 
/* Return the HCI_CHANNEL_* value @sk is bound to. */
unsigned short hci_sock_get_channel(struct sock *sk)
{
	struct hci_pinfo *pi = hci_pi(sk);

	return pi->channel;
}
81 
/* Return the monitor cookie of @sk (0 when none has been assigned). */
u32 hci_sock_get_cookie(struct sock *sk)
{
	struct hci_pinfo *pi = hci_pi(sk);

	return pi->cookie;
}
86 
/* Assign a monitor cookie to @sk on first use.
 *
 * Returns true when a cookie was assigned by this call (callers then emit
 * the monitor "open" notification) and false when the socket already had
 * one.  If the IDA cannot hand out an id the cookie becomes 0xffffffff,
 * which is non-zero and therefore still counts as assigned.  The current
 * task's comm is recorded alongside for the monitor open message.
 */
static bool hci_sock_gen_cookie(struct sock *sk)
{
	struct hci_pinfo *pi = hci_pi(sk);
	int id = pi->cookie;

	if (id)
		return false;

	id = ida_simple_get(&sock_cookie_ida, 1, 0, GFP_KERNEL);
	if (id < 0)
		id = 0xffffffff;

	pi->cookie = id;
	get_task_comm(pi->comm, current);

	return true;
}
103 
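/* Release the monitor cookie of @sk.
 *
 * The cookie is replaced by the 0xffffffff sentinel instead of 0 so that
 * hci_sock_gen_cookie() will not hand out a fresh one (and trigger a second
 * monitor "open" notification) for a socket that is going away.  Only ids
 * that actually came from sock_cookie_ida are returned to it: a cookie of
 * 0xffffffff (allocation failed earlier, or already released) reads back
 * as a negative int and is not passed to ida_simple_remove().
 */
static void hci_sock_free_cookie(struct sock *sk)
{
	int id = hci_pi(sk)->cookie;

	if (!id)
		return;

	hci_pi(sk)->cookie = 0xffffffff;

	if (id > 0)
		ida_simple_remove(&sock_cookie_ida, id);
}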
113 
/* Test bit @nr in a bitmap of 32-bit words at @addr.
 *
 * Non-atomic counterpart of test_bit() for the __u32 masks used by the
 * filter structures; the caller must keep @nr inside the bitmap (the
 * callers here mask it with HCI_FLT_EVENT_BITS first).
 */
static inline int hci_test_bit(int nr, const void *addr)
{
	const __u32 *words = addr;
	__u32 mask = (__u32) 1 << (nr & 31);

	return words[nr >> 5] & mask;
}
118 
/* Security filter: bitmaps of what an unprivileged raw socket may see or
 * send — a packet-type mask, a 64-bit event mask and one 128-bit OCF mask
 * per OGF (index = OGF, 0 unused).
 */
#define HCI_SFLT_MAX_OGF  5

struct hci_sec_filter {
	__u32 type_mask;
	__u32 event_mask[2];
	__u32 ocf_mask[HCI_SFLT_MAX_OGF + 1][4];
};
127 
/* Default security filter table.  Positional initializer: type_mask,
 * event_mask[2], then ocf_mask[OGF][4].  Only defined here; the code that
 * consults it is outside this excerpt (presumably the raw send path).
 */
static const struct hci_sec_filter hci_sec_filter = {
	/* Packet types (bit 4 = HCI_EVENT_PKT) */
	0x10,
	/* Events */
	{ 0x1000d9fe, 0x0000b00c },
	/* Commands, one row per OGF; OGF 0 is unused */
	{
		{ 0x0 },
		/* OGF_LINK_CTL */
		{ 0xbe000006, 0x00000001, 0x00000000, 0x00 },
		/* OGF_LINK_POLICY */
		{ 0x00005200, 0x00000000, 0x00000000, 0x00 },
		/* OGF_HOST_CTL */
		{ 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
		/* OGF_INFO_PARAM */
		{ 0x000002be, 0x00000000, 0x00000000, 0x00 },
		/* OGF_STATUS_PARAM */
		{ 0x000000ea, 0x00000000, 0x00000000, 0x00 }
	}
};
148 
/* All HCI sockets; walked under .lock (read side) by every delivery
 * routine below and by hci_sock_dev_event() when a controller goes away.
 */
static struct bt_sock_list hci_sk_list = {
	.lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
};
152 
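/* Decide whether @skb must be withheld from raw socket @sk.
 *
 * Applies the socket's hci_filter: first the packet-type mask, then, for
 * event packets, the event mask and — when the filter has an opcode set —
 * the opcode carried by Command Complete / Command Status events.
 *
 * Returns true when the packet is filtered out (not delivered).
 *
 * The opcode sits at byte 3 (Command Complete) or byte 4 (Command Status)
 * of the event; skb->len is checked before each read so a truncated event
 * from the controller is dropped rather than inspected past its end.
 */
static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb)
{
	struct hci_filter *flt;
	int flt_type, flt_event;

	/* Apply filter */
	flt = &hci_pi(sk)->filter;

	flt_type = hci_skb_pkt_type(skb) & HCI_FLT_TYPE_BITS;

	if (!test_bit(flt_type, &flt->type_mask))
		return true;

	/* Extra filter for event packets only */
	if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT)
		return false;

	/* The event code is the first byte; without one the event cannot be
	 * matched against the event mask, so withhold it.
	 */
	if (skb->len < 1)
		return true;

	flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);

	if (!hci_test_bit(flt_event, &flt->event_mask))
		return true;

	/* Check filter only when opcode is set */
	if (!flt->opcode)
		return false;

	if (flt_event == HCI_EV_CMD_COMPLETE) {
		/* opcode at bytes 3-4: event hdr(2) + num_hci_cmd(1) */
		if (skb->len < 5 ||
		    flt->opcode != get_unaligned((__le16 *)(skb->data + 3)))
			return true;
	}

	if (flt_event == HCI_EV_CMD_STATUS) {
		/* opcode at bytes 4-5: event hdr(2) + status(1) + num_hci_cmd(1) */
		if (skb->len < 6 ||
		    flt->opcode != get_unaligned((__le16 *)(skb->data + 4)))
			return true;
	}

	return false;
}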
189 
/* Decide whether raw/user socket @sk is interested in @skb at all.
 *
 * Raw channel: only the four standard packet types, and only when the
 * socket's own filter admits the packet.  User channel: only incoming
 * event/ACL/SCO packets.  Sockets on any other channel get nothing here.
 */
static bool hci_sock_wants_frame(struct sock *sk, struct sk_buff *skb)
{
	__u8 type = hci_skb_pkt_type(skb);

	switch (hci_pi(sk)->channel) {
	case HCI_CHANNEL_RAW:
		if (type != HCI_COMMAND_PKT && type != HCI_EVENT_PKT &&
		    type != HCI_ACLDATA_PKT && type != HCI_SCODATA_PKT)
			return false;
		return !is_filtered_packet(sk, skb);
	case HCI_CHANNEL_USER:
		if (!bt_cb(skb)->incoming)
			return false;
		return type == HCI_EVENT_PKT || type == HCI_ACLDATA_PKT ||
		       type == HCI_SCODATA_PKT;
	default:
		/* Don't send frame to other channel types */
		return false;
	}
}

/* Send frame to RAW socket: queue a copy of @skb to every bound raw/user
 * socket attached to @hdev that wants it, except the socket it came from.
 * The copy carries the packet type as its first byte.
 */
void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
{
	struct sk_buff *skb_copy = NULL;
	struct sock *sk;

	BT_DBG("hdev %p len %d", hdev, skb->len);

	read_lock(&hci_sk_list.lock);

	sk_for_each(sk, &hci_sk_list.head) {
		struct sk_buff *nskb;

		if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
			continue;

		/* Don't send frame to the socket it came from */
		if (skb->sk == sk)
			continue;

		if (!hci_sock_wants_frame(sk, skb))
			continue;

		/* The private copy, with the type byte pushed in front of the
		 * data, is built once on the first interested socket and then
		 * cloned per receiver.
		 */
		if (!skb_copy) {
			skb_copy = __pskb_copy_fclone(skb, 1, GFP_ATOMIC, true);
			if (!skb_copy)
				continue;

			memcpy(skb_push(skb_copy, 1), &hci_skb_pkt_type(skb), 1);
		}

		nskb = skb_clone(skb_copy, GFP_ATOMIC);
		if (!nskb)
			continue;

		if (sock_queue_rcv_skb(sk, nskb))
			kfree_skb(nskb);
	}

	read_unlock(&hci_sk_list.lock);

	/* Receivers hold their own clones; drop the master copy */
	kfree_skb(skb_copy);
}
252 
/* Send frame to sockets with specific channel: queue a clone of @skb to
 * every bound socket on @channel that has flag @flag set, skipping
 * @skip_sk (the originator).  @skb itself stays owned by the caller.
 */
void hci_send_to_channel(unsigned short channel, struct sk_buff *skb,
			 int flag, struct sock *skip_sk)
{
	struct sock *sk;

	BT_DBG("channel %u len %d", channel, skb->len);

	read_lock(&hci_sk_list.lock);

	sk_for_each(sk, &hci_sk_list.head) {
		struct sk_buff *nskb;
		bool wanted;

		/* Only bound sockets on @channel that carry @flag, and never
		 * the socket the frame originated from.
		 */
		wanted = hci_sock_test_flag(sk, flag) && sk != skip_sk &&
			 sk->sk_state == BT_BOUND &&
			 hci_pi(sk)->channel == channel;
		if (!wanted)
			continue;

		nskb = skb_clone(skb, GFP_ATOMIC);
		if (!nskb)
			continue;

		if (sock_queue_rcv_skb(sk, nskb))
			kfree_skb(nskb);
	}

	read_unlock(&hci_sk_list.lock);
}
290 
/* Map the packet type (and direction) of @skb to its monitor opcode.
 * Returns false for packet types the monitor channel does not carry.
 */
static bool hci_mon_opcode_for_skb(struct sk_buff *skb, __le16 *opcode)
{
	bool rx = bt_cb(skb)->incoming;
	u16 op;

	switch (hci_skb_pkt_type(skb)) {
	case HCI_COMMAND_PKT:
		op = HCI_MON_COMMAND_PKT;
		break;
	case HCI_EVENT_PKT:
		op = HCI_MON_EVENT_PKT;
		break;
	case HCI_ACLDATA_PKT:
		op = rx ? HCI_MON_ACL_RX_PKT : HCI_MON_ACL_TX_PKT;
		break;
	case HCI_SCODATA_PKT:
		op = rx ? HCI_MON_SCO_RX_PKT : HCI_MON_SCO_TX_PKT;
		break;
	case HCI_DIAG_PKT:
		op = HCI_MON_VENDOR_DIAG;
		break;
	default:
		return false;
	}

	*opcode = cpu_to_le16(op);
	return true;
}

/* Send frame to monitor socket: prepend a monitor header (opcode, index of
 * @hdev, length) to a private copy of @skb and hand it to every trusted
 * monitor socket.  Does nothing while no monitor socket is bound.
 */
void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
{
	struct sk_buff *skb_copy;
	struct hci_mon_hdr *hdr;
	__le16 opcode;

	if (!atomic_read(&monitor_promisc))
		return;

	BT_DBG("hdev %p len %d", hdev, skb->len);

	if (!hci_mon_opcode_for_skb(skb, &opcode))
		return;

	/* Create a private copy with headroom for the monitor header */
	skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE, GFP_ATOMIC, true);
	if (!skb_copy)
		return;

	/* Put header before the data */
	hdr = (void *)skb_push(skb_copy, HCI_MON_HDR_SIZE);
	hdr->opcode = opcode;
	hdr->index = cpu_to_le16(hdev->id);
	hdr->len = cpu_to_le16(skb->len);

	/* Delivery clones the copy per receiver, so drop ours afterwards */
	hci_send_to_channel(HCI_CHANNEL_MONITOR, skb_copy,
			    HCI_SOCK_TRUSTED, NULL);
	kfree_skb(skb_copy);
}
344 
/* Emit an HCI_MON_CTRL_EVENT frame to the monitor on behalf of every
 * control-channel socket carrying @flag, except @skip_sk.  Each frame holds
 * that socket's cookie, @event and @data_len bytes of @data, is stamped
 * with @tstamp, and uses @hdev's index (MGMT_INDEX_NONE when @hdev is NULL).
 */
void hci_send_monitor_ctrl_event(struct hci_dev *hdev, u16 event,
				 void *data, u16 data_len, ktime_t tstamp,
				 int flag, struct sock *skip_sk)
{
	__le16 index = cpu_to_le16(hdev ? hdev->id : MGMT_INDEX_NONE);
	struct sock *sk;

	read_lock(&hci_sk_list.lock);

	sk_for_each(sk, &hci_sk_list.head) {
		struct hci_mon_hdr *hdr;
		struct sk_buff *skb;

		/* Only control sockets with the flag, never the originator */
		if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL ||
		    !hci_sock_test_flag(sk, flag) || sk == skip_sk)
			continue;

		/* cookie(4) + event(2) + payload */
		skb = bt_skb_alloc(6 + data_len, GFP_ATOMIC);
		if (!skb)
			continue;

		put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
		put_unaligned_le16(event, skb_put(skb, 2));
		if (data)
			memcpy(skb_put(skb, data_len), data, data_len);

		skb->tstamp = tstamp;

		hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE);
		hdr->opcode = cpu_to_le16(HCI_MON_CTRL_EVENT);
		hdr->index = index;
		hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);

		hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
				    HCI_SOCK_TRUSTED, NULL);
		kfree_skb(skb);
	}

	read_unlock(&hci_sk_list.lock);
}
398 
/* Build the monitor frame announcing state change @event of controller
 * @hdev (HCI_DEV_REG/UNREG/SETUP/UP/OPEN/CLOSE).
 *
 * Returns a timestamped skb carrying the matching HCI_MON_* opcode and
 * @hdev->id as index, owned by the caller; NULL for unknown events, for
 * HCI_DEV_SETUP while the manufacturer is still unknown (0xffff), or on
 * allocation failure.
 */
static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
{
	struct hci_mon_hdr *hdr;
	struct hci_mon_new_index *ni;
	struct hci_mon_index_info *ii;
	struct sk_buff *skb;
	__le16 opcode;

	switch (event) {
	case HCI_DEV_REG:
		skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC);
		if (!skb)
			return NULL;

		ni = (void *)skb_put(skb, HCI_MON_NEW_INDEX_SIZE);
		ni->type = hdev->dev_type;
		ni->bus = hdev->bus;
		bacpy(&ni->bdaddr, &hdev->bdaddr);
		/* Fixed 8-byte name field, copied without NUL termination —
		 * assumes hdev->name holds at least 8 bytes; confirm.
		 */
		memcpy(ni->name, hdev->name, 8);

		opcode = cpu_to_le16(HCI_MON_NEW_INDEX);
		break;

	case HCI_DEV_UNREG:
		skb = bt_skb_alloc(0, GFP_ATOMIC);
		if (!skb)
			return NULL;

		opcode = cpu_to_le16(HCI_MON_DEL_INDEX);
		break;

	case HCI_DEV_SETUP:
		if (hdev->manufacturer == 0xffff)
			return NULL;

		/* fall through: SETUP and UP both produce INDEX_INFO */

	case HCI_DEV_UP:
		skb = bt_skb_alloc(HCI_MON_INDEX_INFO_SIZE, GFP_ATOMIC);
		if (!skb)
			return NULL;

		ii = (void *)skb_put(skb, HCI_MON_INDEX_INFO_SIZE);
		bacpy(&ii->bdaddr, &hdev->bdaddr);
		ii->manufacturer = cpu_to_le16(hdev->manufacturer);

		opcode = cpu_to_le16(HCI_MON_INDEX_INFO);
		break;

	case HCI_DEV_OPEN:
		skb = bt_skb_alloc(0, GFP_ATOMIC);
		if (!skb)
			return NULL;

		opcode = cpu_to_le16(HCI_MON_OPEN_INDEX);
		break;

	case HCI_DEV_CLOSE:
		skb = bt_skb_alloc(0, GFP_ATOMIC);
		if (!skb)
			return NULL;

		opcode = cpu_to_le16(HCI_MON_CLOSE_INDEX);
		break;

	default:
		return NULL;
	}

	__net_timestamp(skb);

	/* Monitor header goes in front of whatever payload the case built */
	hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE);
	hdr->opcode = opcode;
	hdr->index = cpu_to_le16(hdev->id);
	hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);

	return skb;
}
477 
/* Build the HCI_MON_CTRL_OPEN frame describing socket @sk.
 *
 * Payload: cookie(4) format(2) version(3) flags(4) comm_len(1)
 * comm(TASK_COMM_LEN).  Format is 0 for raw, 1 for user and 2 for control
 * sockets; bit 0 of flags is set for HCI_SOCK_TRUSTED sockets.
 *
 * Returns NULL when the socket has no cookie yet or sits on a channel
 * without an open notification, or on allocation failure.
 */
static struct sk_buff *create_monitor_ctrl_open(struct sock *sk)
{
	struct hci_pinfo *pi = hci_pi(sk);
	struct hci_mon_hdr *hdr;
	struct sk_buff *skb;
	u16 format;
	u8 ver[3];
	u32 flags;

	/* No message needed when cookie is not present */
	if (!pi->cookie)
		return NULL;

	switch (pi->channel) {
	case HCI_CHANNEL_RAW:
	case HCI_CHANNEL_USER:
		/* Both report the core version; only the format code differs */
		format = (pi->channel == HCI_CHANNEL_RAW) ? 0x0000 : 0x0001;
		ver[0] = BT_SUBSYS_VERSION;
		put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1);
		break;
	case HCI_CHANNEL_CONTROL:
		format = 0x0002;
		mgmt_fill_version_info(ver);
		break;
	default:
		/* No message for unsupported format */
		return NULL;
	}

	/* 4 + 2 + 3 + 4 + 1 bytes of fixed fields, then the comm string */
	skb = bt_skb_alloc(14 + TASK_COMM_LEN, GFP_ATOMIC);
	if (!skb)
		return NULL;

	flags = hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) ? 0x1 : 0x0;

	put_unaligned_le32(pi->cookie, skb_put(skb, 4));
	put_unaligned_le16(format, skb_put(skb, 2));
	memcpy(skb_put(skb, sizeof(ver)), ver, sizeof(ver));
	put_unaligned_le32(flags, skb_put(skb, 4));
	*skb_put(skb, 1) = TASK_COMM_LEN;
	memcpy(skb_put(skb, TASK_COMM_LEN), pi->comm, TASK_COMM_LEN);

	__net_timestamp(skb);

	hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE);
	hdr->opcode = cpu_to_le16(HCI_MON_CTRL_OPEN);
	hdr->index = cpu_to_le16(pi->hdev ? pi->hdev->id : HCI_DEV_NONE);
	hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);

	return skb;
}
535 
/* Build the HCI_MON_CTRL_CLOSE frame for socket @sk: just the cookie, with
 * the index of the bound controller (HCI_DEV_NONE when unbound).
 *
 * Returns NULL when the socket has no cookie, when its channel never
 * produced an open notification, or on allocation failure.
 */
static struct sk_buff *create_monitor_ctrl_close(struct sock *sk)
{
	struct hci_pinfo *pi = hci_pi(sk);
	struct hci_mon_hdr *hdr;
	struct sk_buff *skb;
	bool has_open_msg;

	/* No message needed when cookie is not present */
	if (!pi->cookie)
		return NULL;

	/* Only channels with an open notification get a close one */
	has_open_msg = pi->channel == HCI_CHANNEL_RAW ||
		       pi->channel == HCI_CHANNEL_USER ||
		       pi->channel == HCI_CHANNEL_CONTROL;
	if (!has_open_msg)
		return NULL;

	skb = bt_skb_alloc(4, GFP_ATOMIC);
	if (!skb)
		return NULL;

	put_unaligned_le32(pi->cookie, skb_put(skb, 4));

	__net_timestamp(skb);

	hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE);
	hdr->opcode = cpu_to_le16(HCI_MON_CTRL_CLOSE);
	hdr->index = cpu_to_le16(pi->hdev ? pi->hdev->id : HCI_DEV_NONE);
	hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);

	return skb;
}
573 
/* Build the HCI_MON_CTRL_COMMAND frame recording that socket @sk issued
 * management command @opcode against @index with @len bytes of @buf.
 * Payload: cookie(4) opcode(2) parameters(@len, omitted when @buf is NULL).
 * Returns NULL on allocation failure; the caller owns the skb otherwise.
 */
static struct sk_buff *create_monitor_ctrl_command(struct sock *sk, u16 index,
						   u16 opcode, u16 len,
						   const void *buf)
{
	struct hci_mon_hdr *hdr;
	struct sk_buff *skb;
	u8 *p;

	skb = bt_skb_alloc(6 + len, GFP_ATOMIC);
	if (!skb)
		return NULL;

	p = skb_put(skb, 4);
	put_unaligned_le32(hci_pi(sk)->cookie, p);
	p = skb_put(skb, 2);
	put_unaligned_le16(opcode, p);
	if (buf) {
		p = skb_put(skb, len);
		memcpy(p, buf, len);
	}

	__net_timestamp(skb);

	hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE);
	hdr->opcode = cpu_to_le16(HCI_MON_CTRL_COMMAND);
	hdr->index = cpu_to_le16(index);
	hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);

	return skb;
}
600 
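/* Queue an HCI_MON_SYSTEM_NOTE frame with the printf-formatted text to
 * monitor socket @sk.  The note is NUL-terminated on the wire.
 *
 * The text is measured first (vsnprintf into NULL) and then formatted a
 * second time directly into the skb.  The second pass is bounded to the
 * len + 1 bytes reserved with skb_put — including the terminator — so
 * nothing is written beyond the region the skb accounts for.  Silently
 * drops the note if the skb cannot be allocated or queued.
 */
static void __printf(2, 3)
send_monitor_note(struct sock *sk, const char *fmt, ...)
{
	size_t len;
	struct hci_mon_hdr *hdr;
	struct sk_buff *skb;
	va_list args;

	va_start(args, fmt);
	len = vsnprintf(NULL, 0, fmt, args);
	va_end(args);

	skb = bt_skb_alloc(len + 1, GFP_ATOMIC);
	if (!skb)
		return;

	va_start(args, fmt);
	vsnprintf(skb_put(skb, len + 1), len + 1, fmt, args);
	va_end(args);

	__net_timestamp(skb);

	hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE);
	hdr->opcode = cpu_to_le16(HCI_MON_SYSTEM_NOTE);
	hdr->index = cpu_to_le16(HCI_DEV_NONE);
	hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);

	if (sock_queue_rcv_skb(sk, skb))
		kfree_skb(skb);
}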
632 
/* Replay the current controller state to monitor socket @sk: for each
 * registered controller a REG event, then — if it is running — an OPEN
 * event followed by UP or SETUP according to its flags.  Frames that
 * cannot be built or queued are dropped, and an unbuildable frame ends
 * the replay for that controller.
 */
static void send_monitor_replay(struct sock *sk)
{
	struct hci_dev *hdev;

	read_lock(&hci_dev_list_lock);

	list_for_each_entry(hdev, &hci_dev_list, list) {
		struct sk_buff *skb;
		int state_event;

		skb = create_monitor_event(hdev, HCI_DEV_REG);
		if (!skb)
			continue;
		if (sock_queue_rcv_skb(sk, skb))
			kfree_skb(skb);

		/* Controllers that are not running only get the REG event */
		if (!test_bit(HCI_RUNNING, &hdev->flags))
			continue;

		skb = create_monitor_event(hdev, HCI_DEV_OPEN);
		if (!skb)
			continue;
		if (sock_queue_rcv_skb(sk, skb))
			kfree_skb(skb);

		if (test_bit(HCI_UP, &hdev->flags))
			state_event = HCI_DEV_UP;
		else if (hci_dev_test_flag(hdev, HCI_SETUP))
			state_event = HCI_DEV_SETUP;
		else
			continue;

		skb = create_monitor_event(hdev, state_event);
		if (skb && sock_queue_rcv_skb(sk, skb))
			kfree_skb(skb);
	}

	read_unlock(&hci_dev_list_lock);
}
674 
/* Replay an HCI_MON_CTRL_OPEN frame for every existing HCI socket to
 * monitor socket @mon_sk (presumably when it binds, so it learns about
 * sockets opened earlier).  Sockets for which create_monitor_ctrl_open()
 * yields nothing are skipped.
 */
static void send_monitor_control_replay(struct sock *mon_sk)
{
	struct sock *cur;

	read_lock(&hci_sk_list.lock);

	sk_for_each(cur, &hci_sk_list.head) {
		struct sk_buff *open_msg = create_monitor_ctrl_open(cur);

		if (!open_msg)
			continue;

		if (sock_queue_rcv_skb(mon_sk, open_msg))
			kfree_skb(open_msg);
	}

	read_unlock(&hci_sk_list.lock);
}
694 
/* Generate internal stack event: deliver a synthetic HCI_EV_STACK_INTERNAL
 * event of sub-type @type carrying @dlen bytes of @data to raw sockets via
 * hci_send_to_sock().  @hdev selects receivers exactly as for real frames
 * (NULL reaches the sockets not bound to a device).  Silently dropped when
 * the skb cannot be allocated.
 */
static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
{
	struct hci_ev_stack_internal *ev;
	struct hci_event_hdr *hdr;
	struct sk_buff *skb;
	size_t body_len = sizeof(*ev) + dlen;

	skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + body_len, GFP_ATOMIC);
	if (!skb)
		return;

	/* Standard event header, then the stack-internal payload */
	hdr = (void *)skb_put(skb, HCI_EVENT_HDR_SIZE);
	hdr->evt  = HCI_EV_STACK_INTERNAL;
	hdr->plen = body_len;

	ev = (void *)skb_put(skb, body_len);
	ev->type = type;
	memcpy(ev->data, data, dlen);

	/* Presented to sockets as if it had come from the controller */
	bt_cb(skb)->incoming = 1;
	__net_timestamp(skb);

	hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
	hci_send_to_sock(hdev, skb);
	kfree_skb(skb);
}
721 
/* Propagate controller event @event for @hdev to the HCI sockets.
 *
 * Up to three things happen:
 *  - while monitor sockets are bound, the matching create_monitor_event()
 *    frame is sent on the monitor channel;
 *  - events numbered at or below HCI_DEV_DOWN are mirrored as an
 *    HCI_EV_SI_DEVICE stack-internal event (hci_si_event with a NULL hdev,
 *    i.e. to raw sockets not bound to a specific device);
 *  - on HCI_DEV_UNREG every socket bound to @hdev is detached, given
 *    EPIPE, moved back to BT_OPEN and woken, and its device reference is
 *    dropped.
 */
void hci_sock_dev_event(struct hci_dev *hdev, int event)
{
	BT_DBG("hdev %s event %d", hdev->name, event);

	if (atomic_read(&monitor_promisc)) {
		struct sk_buff *skb;

		/* Send event to monitor */
		skb = create_monitor_event(hdev, event);
		if (skb) {
			hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
					    HCI_SOCK_TRUSTED, NULL);
			kfree_skb(skb);
		}
	}

	if (event <= HCI_DEV_DOWN) {
		struct hci_ev_si_device ev;

		/* Send event to sockets */
		ev.event  = event;
		ev.dev_id = hdev->id;
		hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev);
	}

	if (event == HCI_DEV_UNREG) {
		struct sock *sk;

		/* Detach sockets from device */
		read_lock(&hci_sk_list.lock);
		sk_for_each(sk, &hci_sk_list.head) {
			/* NOTE(review): the detach is done under the bh lock,
			 * whereas hci_sock_ioctl()/hci_sock_bound_ioctl() read
			 * hci_pi(sk)->hdev under lock_sock(); the two locks do
			 * not exclude each other, so an ioctl in progress may
			 * still hold the pointer cleared and put here — confirm.
			 */
			bh_lock_sock_nested(sk);
			if (hci_pi(sk)->hdev == hdev) {
				hci_pi(sk)->hdev = NULL;
				sk->sk_err = EPIPE;
				sk->sk_state = BT_OPEN;
				sk->sk_state_change(sk);

				/* Drops the reference taken when the socket bound */
				hci_dev_put(hdev);
			}
			bh_unlock_sock(sk);
		}
		read_unlock(&hci_sk_list.lock);
	}
}
767 
/* Look up the registered management channel numbered @channel.
 * Caller must hold mgmt_chan_list_lock.  Returns NULL when not found.
 */
static struct hci_mgmt_chan *__hci_mgmt_chan_find(unsigned short channel)
{
	struct hci_mgmt_chan *found = NULL, *cur;

	list_for_each_entry(cur, &mgmt_chan_list, list) {
		if (cur->channel != channel)
			continue;
		found = cur;
		break;
	}

	return found;
}
779 
/* Locked wrapper around __hci_mgmt_chan_find(). */
static struct hci_mgmt_chan *hci_mgmt_chan_find(unsigned short channel)
{
	struct hci_mgmt_chan *found;

	mutex_lock(&mgmt_chan_list_lock);
	found = __hci_mgmt_chan_find(channel);
	mutex_unlock(&mgmt_chan_list_lock);

	return found;
}
790 
/* Register management channel @c.  Channel numbers below
 * HCI_CHANNEL_CONTROL are reserved (-EINVAL); a channel registered twice
 * yields -EALREADY.  Returns 0 on success.
 */
int hci_mgmt_chan_register(struct hci_mgmt_chan *c)
{
	int err = 0;

	if (c->channel < HCI_CHANNEL_CONTROL)
		return -EINVAL;

	mutex_lock(&mgmt_chan_list_lock);

	if (__hci_mgmt_chan_find(c->channel))
		err = -EALREADY;
	else
		list_add_tail(&c->list, &mgmt_chan_list);

	mutex_unlock(&mgmt_chan_list_lock);

	return err;
}
EXPORT_SYMBOL(hci_mgmt_chan_register);
809 
/* Remove management channel @c from the registered list. */
void hci_mgmt_chan_unregister(struct hci_mgmt_chan *c)
{
	struct mutex *lock = &mgmt_chan_list_lock;

	mutex_lock(lock);
	list_del(&c->list);
	mutex_unlock(lock);
}
EXPORT_SYMBOL(hci_mgmt_chan_unregister);
817 
/* Tear down HCI socket @sock (the release() socket op); always returns 0.
 *
 * Order matters: the monitor "close" notification is emitted while the
 * cookie is still valid, then the cookie is released and the socket is
 * unlinked from hci_sk_list so no further frames are queued to it; only
 * then is the bound controller, if any, released (for a user channel the
 * controller is also closed and handed back to mgmt).  Finally the socket
 * is orphaned, its queues purged and the last reference dropped.
 *
 * NOTE(review): hdev is loaded from hci_pi(sk)->hdev without a lock that
 * excludes the detach loop in hci_sock_dev_event() — confirm the two
 * cannot race on the hdev reference.
 */
static int hci_sock_release(struct socket *sock)
{
	struct sock *sk = sock->sk;
	struct hci_dev *hdev;
	struct sk_buff *skb;

	BT_DBG("sock %p sk %p", sock, sk);

	if (!sk)
		return 0;

	hdev = hci_pi(sk)->hdev;

	switch (hci_pi(sk)->channel) {
	case HCI_CHANNEL_MONITOR:
		/* One monitor fewer; at zero the monitor paths go idle */
		atomic_dec(&monitor_promisc);
		break;
	case HCI_CHANNEL_RAW:
	case HCI_CHANNEL_USER:
	case HCI_CHANNEL_CONTROL:
		/* Send event to monitor */
		skb = create_monitor_ctrl_close(sk);
		if (skb) {
			hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
					    HCI_SOCK_TRUSTED, NULL);
			kfree_skb(skb);
		}

		hci_sock_free_cookie(sk);
		break;
	}

	bt_sock_unlink(&hci_sk_list, sk);

	if (hdev) {
		if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
			/* When releasing an user channel exclusive access,
			 * call hci_dev_do_close directly instead of calling
			 * hci_dev_close to ensure the exclusive access will
			 * be released and the controller brought back down.
			 *
			 * The checking of HCI_AUTO_OFF is not needed in this
			 * case since it will have been cleared already when
			 * opening the user channel.
			 */
			hci_dev_do_close(hdev);
			hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
			mgmt_index_added(hdev);
		}

		/* Undo the promisc count and reference taken at bind time */
		atomic_dec(&hdev->promisc);
		hci_dev_put(hdev);
	}

	sock_orphan(sk);

	skb_queue_purge(&sk->sk_receive_queue);
	skb_queue_purge(&sk->sk_write_queue);

	sock_put(sk);
	return 0;
}
880 
/* HCIBLOCKADDR: copy a bdaddr_t from user pointer @arg and add it to the
 * BR/EDR blacklist of @hdev under the device lock.  Returns -EFAULT on a
 * bad user pointer, else the result of hci_bdaddr_list_add().
 */
static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg)
{
	bdaddr_t bdaddr;
	int err = -EFAULT;

	if (!copy_from_user(&bdaddr, arg, sizeof(bdaddr))) {
		hci_dev_lock(hdev);
		err = hci_bdaddr_list_add(&hdev->blacklist, &bdaddr,
					  BDADDR_BREDR);
		hci_dev_unlock(hdev);
	}

	return err;
}
897 
/* HCIUNBLOCKADDR: copy a bdaddr_t from user pointer @arg and remove it
 * from the BR/EDR blacklist of @hdev under the device lock.  Returns
 * -EFAULT on a bad user pointer, else the result of hci_bdaddr_list_del().
 */
static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
{
	bdaddr_t bdaddr;
	int err = -EFAULT;

	if (!copy_from_user(&bdaddr, arg, sizeof(bdaddr))) {
		hci_dev_lock(hdev);
		err = hci_bdaddr_list_del(&hdev->blacklist, &bdaddr,
					  BDADDR_BREDR);
		hci_dev_unlock(hdev);
	}

	return err;
}
914 
/* Ioctls that require bound socket.
 *
 * Called from hci_sock_ioctl() with the socket locked.  Refuses when the
 * socket is unbound (-EBADFD), when the controller is under user-channel
 * exclusive access (-EBUSY), and when it is unconfigured or not a primary
 * controller (-EOPNOTSUPP).  HCISETRAW, HCIBLOCKADDR and HCIUNBLOCKADDR
 * additionally require CAP_NET_ADMIN; HCISETRAW is then still refused with
 * -EOPNOTSUPP.  Returns -ENOIOCTLCMD for commands not handled here.
 *
 * NOTE(review): hdev is taken from hci_pi(sk)->hdev under lock_sock()
 * only, while hci_sock_dev_event() clears it under bh_lock_sock_nested();
 * confirm the controller cannot be unregistered underneath this call.
 */
static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
				unsigned long arg)
{
	struct hci_dev *hdev = hci_pi(sk)->hdev;
	void __user *argp = (void __user *)arg;
	bool need_admin;

	if (!hdev)
		return -EBADFD;

	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
		return -EBUSY;

	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
		return -EOPNOTSUPP;

	if (hdev->dev_type != HCI_PRIMARY)
		return -EOPNOTSUPP;

	/* Privilege check first, so unprivileged callers get -EPERM before
	 * any command-specific result.
	 */
	need_admin = cmd == HCISETRAW || cmd == HCIBLOCKADDR ||
		     cmd == HCIUNBLOCKADDR;
	if (need_admin && !capable(CAP_NET_ADMIN))
		return -EPERM;

	switch (cmd) {
	case HCISETRAW:
		return -EOPNOTSUPP;

	case HCIGETCONNINFO:
		return hci_get_conn_info(hdev, argp);

	case HCIGETAUTHINFO:
		return hci_get_auth_info(hdev, argp);

	case HCIBLOCKADDR:
		return hci_sock_blacklist_add(hdev, argp);

	case HCIUNBLOCKADDR:
		return hci_sock_blacklist_del(hdev, argp);

	default:
		return -ENOIOCTLCMD;
	}
}
958 
/* ioctl() entry point for HCI sockets.  Only raw-channel sockets are
 * accepted (-EBADFD otherwise).
 *
 * Device-independent commands (device list/info, connection list, inquiry
 * and the CAP_NET_ADMIN-only up/down/reset/configuration commands) are
 * dispatched with the socket unlocked; anything else goes to
 * hci_sock_bound_ioctl() under the socket lock.  Before dispatching, the
 * first ioctl on a not-yet-bound socket assigns its monitor cookie and
 * announces the socket on the monitor channel.
 */
static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
			  unsigned long arg)
{
	void __user *argp = (void __user *)arg;
	struct sock *sk = sock->sk;
	int err;

	BT_DBG("cmd %x arg %lx", cmd, arg);

	lock_sock(sk);

	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
		err = -EBADFD;
		goto done;
	}

	/* When calling an ioctl on an unbound raw socket, then ensure
	 * that the monitor gets informed. Ensure that the resulting event
	 * is only send once by checking if the cookie exists or not. The
	 * socket cookie will be only ever generated once for the lifetime
	 * of a given socket.
	 */
	if (hci_sock_gen_cookie(sk)) {
		struct sk_buff *skb;

		/* Trust is decided by the caller's capability at this point */
		if (capable(CAP_NET_ADMIN))
			hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);

		/* Send event to monitor */
		skb = create_monitor_ctrl_open(sk);
		if (skb) {
			hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
					    HCI_SOCK_TRUSTED, NULL);
			kfree_skb(skb);
		}
	}

	/* The commands below do not touch the socket's own state, so they
	 * run without the socket lock (the device helpers lock what they need).
	 */
	release_sock(sk);

	switch (cmd) {
	case HCIGETDEVLIST:
		return hci_get_dev_list(argp);

	case HCIGETDEVINFO:
		return hci_get_dev_info(argp);

	case HCIGETCONNLIST:
		return hci_get_conn_list(argp);

	case HCIDEVUP:
		if (!capable(CAP_NET_ADMIN))
			return -EPERM;
		return hci_dev_open(arg);

	case HCIDEVDOWN:
		if (!capable(CAP_NET_ADMIN))
			return -EPERM;
		return hci_dev_close(arg);

	case HCIDEVRESET:
		if (!capable(CAP_NET_ADMIN))
			return -EPERM;
		return hci_dev_reset(arg);

	case HCIDEVRESTAT:
		if (!capable(CAP_NET_ADMIN))
			return -EPERM;
		return hci_dev_reset_stat(arg);

	case HCISETSCAN:
	case HCISETAUTH:
	case HCISETENCRYPT:
	case HCISETPTYPE:
	case HCISETLINKPOL:
	case HCISETLINKMODE:
	case HCISETACLMTU:
	case HCISETSCOMTU:
		if (!capable(CAP_NET_ADMIN))
			return -EPERM;
		return hci_dev_cmd(cmd, argp);

	case HCIINQUIRY:
		return hci_inquiry(argp);
	}

	/* Everything else needs the bound device, so re-take the lock */
	lock_sock(sk);

	err = hci_sock_bound_ioctl(sk, cmd, arg);

done:
	/* Reached with the socket lock held (-EBADFD path and bound path) */
	release_sock(sk);
	return err;
}
1052 
hci_sock_bind(struct socket * sock,struct sockaddr * addr,int addr_len)1053 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
1054 			 int addr_len)
1055 {
1056 	struct sockaddr_hci haddr;
1057 	struct sock *sk = sock->sk;
1058 	struct hci_dev *hdev = NULL;
1059 	struct sk_buff *skb;
1060 	int len, err = 0;
1061 
1062 	BT_DBG("sock %p sk %p", sock, sk);
1063 
1064 	if (!addr)
1065 		return -EINVAL;
1066 
1067 	memset(&haddr, 0, sizeof(haddr));
1068 	len = min_t(unsigned int, sizeof(haddr), addr_len);
1069 	memcpy(&haddr, addr, len);
1070 
1071 	if (haddr.hci_family != AF_BLUETOOTH)
1072 		return -EINVAL;
1073 
1074 	lock_sock(sk);
1075 
1076 	if (sk->sk_state == BT_BOUND) {
1077 		err = -EALREADY;
1078 		goto done;
1079 	}
1080 
1081 	switch (haddr.hci_channel) {
1082 	case HCI_CHANNEL_RAW:
1083 		if (hci_pi(sk)->hdev) {
1084 			err = -EALREADY;
1085 			goto done;
1086 		}
1087 
1088 		if (haddr.hci_dev != HCI_DEV_NONE) {
1089 			hdev = hci_dev_get(haddr.hci_dev);
1090 			if (!hdev) {
1091 				err = -ENODEV;
1092 				goto done;
1093 			}
1094 
1095 			atomic_inc(&hdev->promisc);
1096 		}
1097 
1098 		hci_pi(sk)->channel = haddr.hci_channel;
1099 
1100 		if (!hci_sock_gen_cookie(sk)) {
1101 			/* In the case when a cookie has already been assigned,
1102 			 * then there has been already an ioctl issued against
1103 			 * an unbound socket and with that triggerd an open
1104 			 * notification. Send a close notification first to
1105 			 * allow the state transition to bounded.
1106 			 */
1107 			skb = create_monitor_ctrl_close(sk);
1108 			if (skb) {
1109 				hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1110 						    HCI_SOCK_TRUSTED, NULL);
1111 				kfree_skb(skb);
1112 			}
1113 		}
1114 
1115 		if (capable(CAP_NET_ADMIN))
1116 			hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1117 
1118 		hci_pi(sk)->hdev = hdev;
1119 
1120 		/* Send event to monitor */
1121 		skb = create_monitor_ctrl_open(sk);
1122 		if (skb) {
1123 			hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1124 					    HCI_SOCK_TRUSTED, NULL);
1125 			kfree_skb(skb);
1126 		}
1127 		break;
1128 
1129 	case HCI_CHANNEL_USER:
1130 		if (hci_pi(sk)->hdev) {
1131 			err = -EALREADY;
1132 			goto done;
1133 		}
1134 
1135 		if (haddr.hci_dev == HCI_DEV_NONE) {
1136 			err = -EINVAL;
1137 			goto done;
1138 		}
1139 
1140 		if (!capable(CAP_NET_ADMIN)) {
1141 			err = -EPERM;
1142 			goto done;
1143 		}
1144 
1145 		hdev = hci_dev_get(haddr.hci_dev);
1146 		if (!hdev) {
1147 			err = -ENODEV;
1148 			goto done;
1149 		}
1150 
1151 		if (test_bit(HCI_INIT, &hdev->flags) ||
1152 		    hci_dev_test_flag(hdev, HCI_SETUP) ||
1153 		    hci_dev_test_flag(hdev, HCI_CONFIG) ||
1154 		    (!hci_dev_test_flag(hdev, HCI_AUTO_OFF) &&
1155 		     test_bit(HCI_UP, &hdev->flags))) {
1156 			err = -EBUSY;
1157 			hci_dev_put(hdev);
1158 			goto done;
1159 		}
1160 
1161 		if (hci_dev_test_and_set_flag(hdev, HCI_USER_CHANNEL)) {
1162 			err = -EUSERS;
1163 			hci_dev_put(hdev);
1164 			goto done;
1165 		}
1166 
1167 		mgmt_index_removed(hdev);
1168 
1169 		err = hci_dev_open(hdev->id);
1170 		if (err) {
1171 			if (err == -EALREADY) {
1172 				/* In case the transport is already up and
1173 				 * running, clear the error here.
1174 				 *
1175 				 * This can happen when opening an user
1176 				 * channel and HCI_AUTO_OFF grace period
1177 				 * is still active.
1178 				 */
1179 				err = 0;
1180 			} else {
1181 				hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
1182 				mgmt_index_added(hdev);
1183 				hci_dev_put(hdev);
1184 				goto done;
1185 			}
1186 		}
1187 
1188 		hci_pi(sk)->channel = haddr.hci_channel;
1189 
1190 		if (!hci_sock_gen_cookie(sk)) {
1191 			/* In the case when a cookie has already been assigned,
1192 			 * this socket will transition from a raw socket into
1193 			 * an user channel socket. For a clean transition, send
1194 			 * the close notification first.
1195 			 */
1196 			skb = create_monitor_ctrl_close(sk);
1197 			if (skb) {
1198 				hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1199 						    HCI_SOCK_TRUSTED, NULL);
1200 				kfree_skb(skb);
1201 			}
1202 		}
1203 
1204 		/* The user channel is restricted to CAP_NET_ADMIN
1205 		 * capabilities and with that implicitly trusted.
1206 		 */
1207 		hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1208 
1209 		hci_pi(sk)->hdev = hdev;
1210 
1211 		/* Send event to monitor */
1212 		skb = create_monitor_ctrl_open(sk);
1213 		if (skb) {
1214 			hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1215 					    HCI_SOCK_TRUSTED, NULL);
1216 			kfree_skb(skb);
1217 		}
1218 
1219 		atomic_inc(&hdev->promisc);
1220 		break;
1221 
1222 	case HCI_CHANNEL_MONITOR:
1223 		if (haddr.hci_dev != HCI_DEV_NONE) {
1224 			err = -EINVAL;
1225 			goto done;
1226 		}
1227 
1228 		if (!capable(CAP_NET_RAW)) {
1229 			err = -EPERM;
1230 			goto done;
1231 		}
1232 
1233 		hci_pi(sk)->channel = haddr.hci_channel;
1234 
1235 		/* The monitor interface is restricted to CAP_NET_RAW
1236 		 * capabilities and with that implicitly trusted.
1237 		 */
1238 		hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1239 
1240 		send_monitor_note(sk, "Linux version %s (%s)",
1241 				  init_utsname()->release,
1242 				  init_utsname()->machine);
1243 		send_monitor_note(sk, "Bluetooth subsystem version %u.%u",
1244 				  BT_SUBSYS_VERSION, BT_SUBSYS_REVISION);
1245 		send_monitor_replay(sk);
1246 		send_monitor_control_replay(sk);
1247 
1248 		atomic_inc(&monitor_promisc);
1249 		break;
1250 
1251 	case HCI_CHANNEL_LOGGING:
1252 		if (haddr.hci_dev != HCI_DEV_NONE) {
1253 			err = -EINVAL;
1254 			goto done;
1255 		}
1256 
1257 		if (!capable(CAP_NET_ADMIN)) {
1258 			err = -EPERM;
1259 			goto done;
1260 		}
1261 
1262 		hci_pi(sk)->channel = haddr.hci_channel;
1263 		break;
1264 
1265 	default:
1266 		if (!hci_mgmt_chan_find(haddr.hci_channel)) {
1267 			err = -EINVAL;
1268 			goto done;
1269 		}
1270 
1271 		if (haddr.hci_dev != HCI_DEV_NONE) {
1272 			err = -EINVAL;
1273 			goto done;
1274 		}
1275 
1276 		/* Users with CAP_NET_ADMIN capabilities are allowed
1277 		 * access to all management commands and events. For
1278 		 * untrusted users the interface is restricted and
1279 		 * also only untrusted events are sent.
1280 		 */
1281 		if (capable(CAP_NET_ADMIN))
1282 			hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1283 
1284 		hci_pi(sk)->channel = haddr.hci_channel;
1285 
1286 		/* At the moment the index and unconfigured index events
1287 		 * are enabled unconditionally. Setting them on each
1288 		 * socket when binding keeps this functionality. They
1289 		 * however might be cleared later and then sending of these
1290 		 * events will be disabled, but that is then intentional.
1291 		 *
1292 		 * This also enables generic events that are safe to be
1293 		 * received by untrusted users. Example for such events
1294 		 * are changes to settings, class of device, name etc.
1295 		 */
1296 		if (hci_pi(sk)->channel == HCI_CHANNEL_CONTROL) {
1297 			if (!hci_sock_gen_cookie(sk)) {
1298 				/* In the case when a cookie has already been
1299 				 * assigned, this socket will transtion from
1300 				 * a raw socket into a control socket. To
1301 				 * allow for a clean transtion, send the
1302 				 * close notification first.
1303 				 */
1304 				skb = create_monitor_ctrl_close(sk);
1305 				if (skb) {
1306 					hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1307 							    HCI_SOCK_TRUSTED, NULL);
1308 					kfree_skb(skb);
1309 				}
1310 			}
1311 
1312 			/* Send event to monitor */
1313 			skb = create_monitor_ctrl_open(sk);
1314 			if (skb) {
1315 				hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1316 						    HCI_SOCK_TRUSTED, NULL);
1317 				kfree_skb(skb);
1318 			}
1319 
1320 			hci_sock_set_flag(sk, HCI_MGMT_INDEX_EVENTS);
1321 			hci_sock_set_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS);
1322 			hci_sock_set_flag(sk, HCI_MGMT_OPTION_EVENTS);
1323 			hci_sock_set_flag(sk, HCI_MGMT_SETTING_EVENTS);
1324 			hci_sock_set_flag(sk, HCI_MGMT_DEV_CLASS_EVENTS);
1325 			hci_sock_set_flag(sk, HCI_MGMT_LOCAL_NAME_EVENTS);
1326 		}
1327 		break;
1328 	}
1329 
1330 	sk->sk_state = BT_BOUND;
1331 
1332 done:
1333 	release_sock(sk);
1334 	return err;
1335 }
1336 
/* Report the local address of an HCI socket.
 *
 * HCI sockets are connectionless, so only the local name is available and
 * @peer != 0 is refused with -EOPNOTSUPP. The socket must have a device
 * attached (a RAW or USER channel bound to a real index); otherwise -EBADFD
 * is returned. On success @addr receives the family, device index and
 * channel, @addr_len the size of struct sockaddr_hci, and 0 is returned.
 */
static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
			    int *addr_len, int peer)
{
	struct sockaddr_hci *out = (struct sockaddr_hci *)addr;
	struct sock *sk = sock->sk;
	struct hci_dev *hdev;
	int ret;

	BT_DBG("sock %p sk %p", sock, sk);

	/* No peer exists for a connectionless HCI socket. */
	if (peer)
		return -EOPNOTSUPP;

	/* The device pointer is read under the socket lock. */
	lock_sock(sk);

	hdev = hci_pi(sk)->hdev;
	if (hdev) {
		*addr_len = sizeof(*out);
		out->hci_family = AF_BLUETOOTH;
		out->hci_dev = hdev->id;
		out->hci_channel = hci_pi(sk)->channel;
		ret = 0;
	} else {
		/* Unbound socket, or a channel that carries no device. */
		ret = -EBADFD;
	}

	release_sock(sk);
	return ret;
}
1367 
/* Attach the ancillary data a RAW-channel socket opted into (HCI_DATA_DIR
 * and/or HCI_TIME_STAMP, recorded in hci_pinfo.cmsg_mask) to @msg for the
 * frame @skb that is about to be delivered to userspace.
 */
static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg,
			  struct sk_buff *skb)
{
	__u32 wanted = hci_pi(sk)->cmsg_mask;

	if (wanted & HCI_CMSG_DIR) {
		int dir = bt_cb(skb)->incoming;

		put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(dir), &dir);
	}

	if (wanted & HCI_CMSG_TSTAMP) {
#ifdef CONFIG_COMPAT
		struct compat_timeval ctv;
#endif
		struct timeval tv;
		void *payload = &tv;
		int payload_len = sizeof(tv);

		skb_get_timestamp(skb, &tv);

#ifdef CONFIG_COMPAT
		/* A 32-bit caller on a 64-bit kernel expects the compat
		 * layout of struct timeval unless 64-bit time is in use.
		 */
		if (!COMPAT_USE_64BIT_TIME &&
		    (msg->msg_flags & MSG_CMSG_COMPAT)) {
			ctv.tv_sec = tv.tv_sec;
			ctv.tv_usec = tv.tv_usec;
			payload = &ctv;
			payload_len = sizeof(ctv);
		}
#endif

		put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, payload_len, payload);
	}
}
1404 
/* Add the channel-specific ancillary data for a delivered frame: RAW
 * sockets get their opt-in direction/timestamp cmsgs, USER, MONITOR and
 * registered management channels get the generic socket timestamp.
 */
static void hci_sock_recv_ancillary(struct sock *sk, struct msghdr *msg,
				    struct sk_buff *skb)
{
	unsigned short channel = hci_pi(sk)->channel;

	if (channel == HCI_CHANNEL_RAW) {
		hci_sock_cmsg(sk, msg, skb);
		return;
	}

	if (channel == HCI_CHANNEL_USER || channel == HCI_CHANNEL_MONITOR ||
	    hci_mgmt_chan_find(channel))
		sock_recv_timestamp(msg, sk, skb);
}

/* Deliver one queued frame to userspace.
 *
 * Refuses MSG_OOB and any receive on the write-only logging channel with
 * -EOPNOTSUPP, returns 0 once the socket is closed, and otherwise dequeues
 * a single datagram. If the caller's buffer is smaller than the frame the
 * copy is truncated and MSG_TRUNC is set; when the caller itself passed
 * MSG_TRUNC the full frame length is reported instead of the copied one.
 * Returns the number of bytes (copied or, with MSG_TRUNC, the frame size)
 * or a negative errno.
 */
static int hci_sock_recvmsg(struct socket *sock, struct msghdr *msg,
			    size_t len, int flags)
{
	struct sock *sk = sock->sk;
	struct sk_buff *skb;
	unsigned int frame_len;
	int copied, err;

	BT_DBG("sock %p, sk %p", sock, sk);

	if (flags & MSG_OOB)
		return -EOPNOTSUPP;

	/* The logging channel only accepts frames; nothing is ever queued
	 * for reading on it.
	 */
	if (hci_pi(sk)->channel == HCI_CHANNEL_LOGGING)
		return -EOPNOTSUPP;

	if (sk->sk_state == BT_CLOSED)
		return 0;

	skb = skb_recv_datagram(sk, flags, flags & MSG_DONTWAIT, &err);
	if (!skb)
		return err;

	frame_len = skb->len;
	copied = frame_len;
	if (len < copied) {
		msg->msg_flags |= MSG_TRUNC;
		copied = len;
	}

	skb_reset_transport_header(skb);
	err = skb_copy_datagram_msg(skb, 0, msg, copied);

	hci_sock_recv_ancillary(sk, msg, skb);

	skb_free_datagram(sk, skb);

	/* With MSG_TRUNC the caller asked for the real frame size. */
	if (flags & MSG_TRUNC)
		copied = frame_len;

	if (err)
		return err;

	return copied;
}
1460 
/* Decode and dispatch one management command received on @chan.
 *
 * The message is copied from userspace as a whole (header + parameters),
 * validated against the channel's handler table and, for commands that
 * address a controller, against the controller's state. Every rejection
 * after the header was parsed is reported back to the socket through
 * mgmt_cmd_status() with the matching MGMT_STATUS_* code; only a short
 * message, an inconsistent header length and copy/allocation failures
 * produce a plain negative errno. Returns @msglen on success, otherwise
 * the return value of mgmt_cmd_status() or the handler, or a negative
 * errno.
 */
static int hci_mgmt_cmd(struct hci_mgmt_chan *chan, struct sock *sk,
			struct msghdr *msg, size_t msglen)
{
	const struct hci_mgmt_handler *handler;
	struct hci_dev *hdev = NULL;
	struct mgmt_hdr *hdr;
	void *buf;
	u16 opcode, index, param_len;
	u8 status;
	int err;

	BT_DBG("got %zu bytes", msglen);

	/* A complete management header is the bare minimum. */
	if (msglen < sizeof(*hdr))
		return -EINVAL;

	buf = kmalloc(msglen, GFP_KERNEL);
	if (!buf)
		return -ENOMEM;

	if (memcpy_from_msg(buf, msg, msglen)) {
		err = -EFAULT;
		goto done;
	}

	hdr = buf;
	opcode = __le16_to_cpu(hdr->opcode);
	index = __le16_to_cpu(hdr->index);
	param_len = __le16_to_cpu(hdr->len);

	/* The header's length field must describe exactly the bytes that
	 * follow it.
	 */
	if (param_len != msglen - sizeof(*hdr)) {
		err = -EINVAL;
		goto done;
	}

	/* Every command on the control channel is mirrored to the monitor. */
	if (chan->channel == HCI_CHANNEL_CONTROL) {
		struct sk_buff *skb;

		skb = create_monitor_ctrl_command(sk, index, opcode, param_len,
						  buf + sizeof(*hdr));
		if (skb) {
			hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
					    HCI_SOCK_TRUSTED, NULL);
			kfree_skb(skb);
		}
	}

	if (opcode >= chan->handler_count ||
	    !chan->handlers[opcode].func) {
		BT_DBG("Unknown op %u", opcode);
		status = MGMT_STATUS_UNKNOWN_COMMAND;
		goto reject;
	}

	handler = &chan->handlers[opcode];

	/* Untrusted sockets may only run handlers explicitly marked as
	 * available to them.
	 */
	if (!hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) &&
	    !(handler->flags & HCI_MGMT_UNTRUSTED)) {
		status = MGMT_STATUS_PERMISSION_DENIED;
		goto reject;
	}

	if (index != MGMT_INDEX_NONE) {
		hdev = hci_dev_get(index);
		if (!hdev) {
			status = MGMT_STATUS_INVALID_INDEX;
			goto reject;
		}

		/* Controllers still in setup/config, or claimed by a user
		 * channel, are not addressable through management.
		 */
		if (hci_dev_test_flag(hdev, HCI_SETUP) ||
		    hci_dev_test_flag(hdev, HCI_CONFIG) ||
		    hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
			status = MGMT_STATUS_INVALID_INDEX;
			goto reject;
		}

		/* Unconfigured controllers only accept handlers that
		 * declared support for that state.
		 */
		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
		    !(handler->flags & HCI_MGMT_UNCONFIGURED)) {
			status = MGMT_STATUS_INVALID_INDEX;
			goto reject;
		}
	}

	/* A handler either requires a device or forbids one; the presence of
	 * an index must match that declaration.
	 */
	if (!!(handler->flags & HCI_MGMT_NO_HDEV) != !hdev) {
		status = MGMT_STATUS_INVALID_INDEX;
		goto reject;
	}

	/* Parameter length: exact for fixed-size commands, a lower bound for
	 * variable-length ones.
	 */
	if (handler->flags & HCI_MGMT_VAR_LEN) {
		if (param_len < handler->data_len) {
			status = MGMT_STATUS_INVALID_PARAMS;
			goto reject;
		}
	} else if (param_len != handler->data_len) {
		status = MGMT_STATUS_INVALID_PARAMS;
		goto reject;
	}

	if (hdev && chan->hdev_init)
		chan->hdev_init(sk, hdev);

	err = handler->func(sk, hdev, buf + sizeof(*hdr), param_len);
	if (err < 0)
		goto done;

	err = msglen;
	goto done;

reject:
	err = mgmt_cmd_status(sk, index, opcode, status);

done:
	/* Drop the reference taken by hci_dev_get() above, if any. */
	if (hdev)
		hci_dev_put(hdev);

	kfree(buf);
	return err;
}
1584 
/* Validate a user-supplied logging frame and forward it to the monitor
 * channel as HCI_MON_USER_LOGGING.
 *
 * The frame is a hci_mon_hdr followed by a priority byte, an ident length
 * byte, the NUL-terminated ident string and a NUL-terminated message. The
 * header's opcode must be 0x0000 (it is rewritten here), its length must
 * match the payload, and an index other than MGMT_INDEX_NONE must name an
 * existing controller. Returns @len on success, -EINVAL for a malformed
 * frame, -ENODEV for an unknown index, -EFAULT on a bad user buffer, or
 * the allocation error from bt_skb_send_alloc().
 */
static int hci_logging_frame(struct sock *sk, struct msghdr *msg, int len)
{
	struct hci_mon_hdr *hdr;
	struct sk_buff *skb;
	struct hci_dev *hdev = NULL;
	__u8 priority, ident_len;
	u16 index;
	int err;

	/* Header + priority byte + ident length byte + at least one NUL. */
	if (len < sizeof(*hdr) + 3)
		return -EINVAL;

	skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
	if (!skb)
		return err;

	if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
		err = -EFAULT;
		goto drop;
	}

	hdr = (void *)skb->data;

	/* Every structural check below rejects the frame as invalid. */
	err = -EINVAL;

	if (__le16_to_cpu(hdr->len) != len - sizeof(*hdr))
		goto drop;

	/* Userspace may only submit opcode 0x0000; the real monitor opcode
	 * is assigned below.
	 */
	if (__le16_to_cpu(hdr->opcode) != 0x0000)
		goto drop;

	priority = skb->data[sizeof(*hdr)];
	ident_len = skb->data[sizeof(*hdr) + 1];

	/* Priorities are 0-7. The ident string must fit in the packet and be
	 * NUL terminated (an ident length of zero makes the length byte act
	 * as the terminator), and the message that follows must end in NUL
	 * as well.
	 */
	if (priority > 7 || skb->data[len - 1] != 0x00 ||
	    ident_len > len - sizeof(*hdr) - 3 ||
	    skb->data[sizeof(*hdr) + ident_len + 1] != 0x00)
		goto drop;

	index = __le16_to_cpu(hdr->index);
	if (index != MGMT_INDEX_NONE) {
		/* The reference only proves that the index exists; it is
		 * released again once the frame has been forwarded.
		 */
		hdev = hci_dev_get(index);
		if (!hdev) {
			err = -ENODEV;
			goto drop;
		}
	}

	hdr->opcode = cpu_to_le16(HCI_MON_USER_LOGGING);

	hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, HCI_SOCK_TRUSTED, NULL);
	err = len;

	if (hdev)
		hci_dev_put(hdev);

drop:
	/* Reached on success too: the monitor delivery works on copies. */
	kfree_skb(skb);
	return err;
}
1668 
/* Hand @skb to the driver transmit path directly, bypassing the HCI
 * command queue.
 */
static void hci_sock_tx_raw(struct hci_dev *hdev, struct sk_buff *skb)
{
	skb_queue_tail(&hdev->raw_q, skb);
	queue_work(hdev->workqueue, &hdev->tx_work);
}

/* True when the RAW-channel security filter does not permit the command
 * identified by @ogf/@ocf for unprivileged sockets. An OGF beyond the
 * filter table is blocked without touching the table.
 */
static bool hci_sock_cmd_blocked(u16 ogf, u16 ocf)
{
	if (ogf > HCI_SFLT_MAX_OGF)
		return true;

	return !hci_test_bit(ocf & HCI_FLT_OCF_BITS,
			     &hci_sec_filter.ocf_mask[ogf]);
}

/* Send one frame on an HCI socket.
 *
 * The channel decides what a frame means: MONITOR is read-only, LOGGING
 * frames go to hci_logging_frame(), management channels dispatch through
 * hci_mgmt_cmd(), and RAW/USER frames are queued to the attached
 * controller. For RAW/USER the first byte is the HCI packet indicator.
 * USER channel sockets were authorised at bind time and may send commands
 * and ACL/SCO data; RAW sockets may send commands allowed by the security
 * filter, anything else needs CAP_NET_RAW. Returns @len on success or a
 * negative errno.
 */
static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg,
			    size_t len)
{
	struct sock *sk = sock->sk;
	struct hci_mgmt_chan *chan;
	struct hci_dev *hdev;
	struct sk_buff *skb;
	__u8 pkt_type;
	int err;

	BT_DBG("sock %p sk %p", sock, sk);

	if (msg->msg_flags & MSG_OOB)
		return -EOPNOTSUPP;

	if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE|
			       MSG_CMSG_COMPAT))
		return -EINVAL;

	/* At least the packet indicator plus a 3-byte HCI header, and never
	 * more than one HCI frame. The same bound applies to the management
	 * and logging channels handled below.
	 */
	if (len < 4 || len > HCI_MAX_FRAME_SIZE)
		return -EINVAL;

	lock_sock(sk);

	switch (hci_pi(sk)->channel) {
	case HCI_CHANNEL_RAW:
	case HCI_CHANNEL_USER:
		/* Frame is destined for the controller; handled below. */
		break;
	case HCI_CHANNEL_MONITOR:
		/* The monitor channel cannot be written to. */
		err = -EOPNOTSUPP;
		goto done;
	case HCI_CHANNEL_LOGGING:
		err = hci_logging_frame(sk, msg, len);
		goto done;
	default:
		/* Management channels: look up the handler table and run the
		 * command with the channel list lock held for the duration.
		 */
		mutex_lock(&mgmt_chan_list_lock);
		chan = __hci_mgmt_chan_find(hci_pi(sk)->channel);
		err = chan ? hci_mgmt_cmd(chan, sk, msg, len) : -EINVAL;
		mutex_unlock(&mgmt_chan_list_lock);
		goto done;
	}

	hdev = hci_pi(sk)->hdev;
	if (!hdev) {
		err = -EBADFD;
		goto done;
	}

	if (!test_bit(HCI_UP, &hdev->flags)) {
		err = -ENETDOWN;
		goto done;
	}

	skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
	if (!skb)
		goto done;

	if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
		err = -EFAULT;
		goto drop;
	}

	/* Strip the leading packet indicator and remember it in the cb. */
	pkt_type = skb->data[0];
	hci_skb_pkt_type(skb) = pkt_type;
	skb_pull(skb, 1);

	if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
		/* CAP_NET_ADMIN was enforced when the user channel was
		 * bound; only the packet type needs checking here.
		 */
		if (pkt_type != HCI_COMMAND_PKT &&
		    pkt_type != HCI_ACLDATA_PKT &&
		    pkt_type != HCI_SCODATA_PKT) {
			err = -EINVAL;
			goto drop;
		}

		hci_sock_tx_raw(hdev, skb);
	} else if (pkt_type == HCI_COMMAND_PKT) {
		u16 opcode = get_unaligned_le16(skb->data);
		u16 ogf = hci_opcode_ogf(opcode);
		u16 ocf = hci_opcode_ocf(opcode);

		/* Commands outside the security filter need CAP_NET_RAW. */
		if (hci_sock_cmd_blocked(ogf, ocf) && !capable(CAP_NET_RAW)) {
			err = -EPERM;
			goto drop;
		}

		/* The opcode is already decoded; keep it for the drivers. */
		hci_skb_opcode(skb) = opcode;

		if (ogf == 0x3f) {
			/* 0x3f is the vendor-specific OGF: these go straight
			 * to the transport, not through the command queue.
			 */
			hci_sock_tx_raw(hdev, skb);
		} else {
			/* Stand-alone HCI commands must be flagged as
			 * single-command requests.
			 */
			bt_cb(skb)->hci.req_flags |= HCI_REQ_START;

			skb_queue_tail(&hdev->cmd_q, skb);
			queue_work(hdev->workqueue, &hdev->cmd_work);
		}
	} else {
		/* Raw data packets always require CAP_NET_RAW. */
		if (!capable(CAP_NET_RAW)) {
			err = -EPERM;
			goto drop;
		}

		if (pkt_type != HCI_ACLDATA_PKT &&
		    pkt_type != HCI_SCODATA_PKT) {
			err = -EINVAL;
			goto drop;
		}

		hci_sock_tx_raw(hdev, skb);
	}

	err = len;

done:
	release_sock(sk);
	return err;

drop:
	kfree_skb(skb);
	goto done;
}
1808 
/* Copy the kernel-side filter @f into the user-visible layout @uf. The
 * event mask is transported as two u32 words, matching hci_test_bit().
 */
static void hci_sock_filter_to_user(const struct hci_filter *f,
				    struct hci_ufilter *uf)
{
	uf->type_mask = f->type_mask;
	uf->opcode = f->opcode;
	uf->event_mask[0] = *((const u32 *) f->event_mask + 0);
	uf->event_mask[1] = *((const u32 *) f->event_mask + 1);
}

/* Store the user-visible filter @uf into the kernel-side filter @f. */
static void hci_sock_filter_from_user(const struct hci_ufilter *uf,
				      struct hci_filter *f)
{
	f->type_mask = uf->type_mask;
	f->opcode = uf->opcode;
	*((u32 *) f->event_mask + 0) = uf->event_mask[0];
	*((u32 *) f->event_mask + 1) = uf->event_mask[1];
}

/* Set an SOL_HCI socket option on a RAW-channel socket.
 *
 * HCI_DATA_DIR and HCI_TIME_STAMP toggle the corresponding cmsg bits.
 * HCI_FILTER replaces the receive filter: the current filter is used as
 * the starting point so that a short @len only overrides the leading
 * fields, and sockets without CAP_NET_RAW have the result intersected with
 * hci_sec_filter so they can only narrow what they see. Returns 0, -EBADFD
 * for a non-RAW channel, -ENOPROTOOPT for an unknown level/option, or
 * -EFAULT on a bad user buffer.
 */
static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
			       char __user *optval, unsigned int len)
{
	struct hci_ufilter uf = { .opcode = 0 };
	struct sock *sk = sock->sk;
	int err = 0, opt = 0;

	BT_DBG("sk %p, opt %d", sk, optname);

	if (level != SOL_HCI)
		return -ENOPROTOOPT;

	lock_sock(sk);

	/* Socket options exist for the RAW channel only. */
	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
		err = -EBADFD;
		goto done;
	}

	switch (optname) {
	case HCI_DATA_DIR:
	case HCI_TIME_STAMP: {
		__u32 bit = optname == HCI_DATA_DIR ? HCI_CMSG_DIR
						    : HCI_CMSG_TSTAMP;

		if (get_user(opt, (int __user *)optval)) {
			err = -EFAULT;
			break;
		}

		if (opt)
			hci_pi(sk)->cmsg_mask |= bit;
		else
			hci_pi(sk)->cmsg_mask &= ~bit;
		break;
	}

	case HCI_FILTER:
		/* Seed with the current filter: a short @len overrides only
		 * the leading fields.
		 */
		hci_sock_filter_to_user(&hci_pi(sk)->filter, &uf);

		len = min_t(unsigned int, len, sizeof(uf));
		if (copy_from_user(&uf, optval, len)) {
			err = -EFAULT;
			break;
		}

		/* Unprivileged sockets can only narrow the security filter,
		 * never widen it.
		 */
		if (!capable(CAP_NET_RAW)) {
			uf.type_mask &= hci_sec_filter.type_mask;
			uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
			uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
		}

		hci_sock_filter_from_user(&uf, &hci_pi(sk)->filter);
		break;

	default:
		err = -ENOPROTOOPT;
		break;
	}

done:
	release_sock(sk);
	return err;
}
1894 
/* Read an SOL_HCI socket option from a RAW-channel socket.
 *
 * HCI_DATA_DIR and HCI_TIME_STAMP report whether the corresponding cmsg
 * bit is set; HCI_FILTER copies the current receive filter, truncated to
 * the length the caller supplied in @optlen. Returns 0, -EBADFD for a
 * non-RAW channel, -ENOPROTOOPT for an unknown level/option, or -EFAULT on
 * a bad user buffer.
 */
static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
			       char __user *optval, int __user *optlen)
{
	struct hci_ufilter uf;
	struct sock *sk = sock->sk;
	int len, opt, err = 0;

	BT_DBG("sk %p, opt %d", sk, optname);

	if (level != SOL_HCI)
		return -ENOPROTOOPT;

	if (get_user(len, optlen))
		return -EFAULT;

	lock_sock(sk);

	/* Socket options exist for the RAW channel only. */
	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
		err = -EBADFD;
		goto done;
	}

	switch (optname) {
	case HCI_DATA_DIR:
	case HCI_TIME_STAMP: {
		__u32 bit = optname == HCI_DATA_DIR ? HCI_CMSG_DIR
						    : HCI_CMSG_TSTAMP;

		opt = !!(hci_pi(sk)->cmsg_mask & bit);

		/* NOTE(review): put_user() is sized by the pointee, so this
		 * writes through the char pointer rather than as the int
		 * that hci_sock_setsockopt() reads, and @len is not consulted
		 * here — confirm this is what callers expect.
		 */
		if (put_user(opt, optval))
			err = -EFAULT;
		break;
	}

	case HCI_FILTER: {
		struct hci_filter *f = &hci_pi(sk)->filter;

		/* Zero first so no stack bytes leak through the padding. */
		memset(&uf, 0, sizeof(uf));
		uf.type_mask = f->type_mask;
		uf.opcode = f->opcode;
		uf.event_mask[0] = *((u32 *) f->event_mask + 0);
		uf.event_mask[1] = *((u32 *) f->event_mask + 1);

		/* Truncate to the caller's buffer; @optlen is not updated. */
		len = min_t(unsigned int, len, sizeof(uf));
		if (copy_to_user(optval, &uf, len))
			err = -EFAULT;
		break;
	}

	default:
		err = -ENOPROTOOPT;
		break;
	}

done:
	release_sock(sk);
	return err;
}
1963 
/* Operations for BTPROTO_HCI sockets. These are connectionless datagram
 * endpoints, so every connection-oriented entry point is refused with the
 * generic sock_no_* stub.
 */
static const struct proto_ops hci_sock_ops = {
	.family		= PF_BLUETOOTH,
	.owner		= THIS_MODULE,

	/* lifecycle and naming */
	.release	= hci_sock_release,
	.bind		= hci_sock_bind,
	.getname	= hci_sock_getname,

	/* data path and configuration */
	.sendmsg	= hci_sock_sendmsg,
	.recvmsg	= hci_sock_recvmsg,
	.poll		= datagram_poll,
	.ioctl		= hci_sock_ioctl,
	.setsockopt	= hci_sock_setsockopt,
	.getsockopt	= hci_sock_getsockopt,

	/* not applicable to a connectionless raw socket */
	.connect	= sock_no_connect,
	.listen		= sock_no_listen,
	.accept		= sock_no_accept,
	.shutdown	= sock_no_shutdown,
	.socketpair	= sock_no_socketpair,
	.mmap		= sock_no_mmap,
};
1983 
/* Protocol descriptor for HCI sockets; obj_size makes sk_alloc() hand out
 * a struct hci_pinfo so hci_pi() can overlay it on the struct sock.
 */
static struct proto hci_sk_proto = {
	.owner		= THIS_MODULE,
	.name		= "HCI",
	.obj_size	= sizeof(struct hci_pinfo),
};
1989 
/* Create a new HCI socket for socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI).
 *
 * Only SOCK_RAW is supported. The struct sock is allocated from
 * hci_sk_proto (and therefore carries a struct hci_pinfo), initialised as
 * an unconnected BT_OPEN socket and linked into hci_sk_list. Returns 0,
 * -ESOCKTNOSUPPORT for any other socket type, or -ENOMEM.
 */
static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
			   int kern)
{
	struct sock *sk;

	BT_DBG("sock %p", sock);

	if (sock->type != SOCK_RAW)
		return -ESOCKTNOSUPPORT;

	sock->ops = &hci_sock_ops;

	sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto, kern);
	if (!sk)
		return -ENOMEM;

	sock_init_data(sock, sk);
	sock_reset_flag(sk, SOCK_ZAPPED);

	sk->sk_protocol = protocol;
	sock->state = SS_UNCONNECTED;
	sk->sk_state = BT_OPEN;

	/* Register in the global list used by the "hci" procfs entry. */
	bt_sock_link(&hci_sk_list, sk);

	return 0;
}
2018 
/* Family hook registered with bt_sock_register() for BTPROTO_HCI. */
static const struct net_proto_family hci_sock_family_ops = {
	.owner	= THIS_MODULE,
	.family	= PF_BLUETOOTH,
	.create	= hci_sock_create,
};
2024 
/* Register the HCI socket protocol, its Bluetooth socket family and the
 * "hci" procfs entry. Each step is undone in reverse on failure. Returns 0
 * or the negative errno of the step that failed.
 */
int __init hci_sock_init(void)
{
	int err;

	/* struct sockaddr_hci must fit in the generic struct sockaddr that
	 * the socket layer passes through bind()/getname().
	 */
	BUILD_BUG_ON(sizeof(struct sockaddr_hci) > sizeof(struct sockaddr));

	err = proto_register(&hci_sk_proto, 0);
	if (err < 0)
		return err;

	err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
	if (err < 0) {
		BT_ERR("HCI socket registration failed");
		goto unregister_proto;
	}

	err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL);
	if (err < 0) {
		BT_ERR("Failed to create HCI proc file");
		goto unregister_family;
	}

	BT_INFO("HCI socket layer initialized");
	return 0;

unregister_family:
	bt_sock_unregister(BTPROTO_HCI);
unregister_proto:
	proto_unregister(&hci_sk_proto);
	return err;
}
2056 
/* Tear down everything hci_sock_init() registered, in reverse order:
 * the "hci" procfs entry, the BTPROTO_HCI family and the protocol.
 */
void hci_sock_cleanup(void)
{
	bt_procfs_cleanup(&init_net, "hci");
	bt_sock_unregister(BTPROTO_HCI);
	proto_unregister(&hci_sk_proto);
}
2063