1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 BlueZ - Bluetooth protocol stack for Linux 4 Copyright (C) 2000-2001 Qualcomm Incorporated 5 6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 7 8 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 9 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 10 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 11 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 12 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 13 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 17 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 18 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 19 SOFTWARE IS DISCLAIMED. 20 */ 21 22 /* Bluetooth HCI sockets. 
*/
#include <linux/compat.h>
#include <linux/export.h>
#include <linux/utsname.h>
#include <linux/sched.h>
#include <linux/uio.h>
#include <linux/unaligned.h>

#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/hci_mon.h>
#include <net/bluetooth/mgmt.h>

#include "mgmt_util.h"

/* Registered management channels (hci_mgmt_chan_register() only accepts
 * channel numbers >= HCI_CHANNEL_CONTROL). Guarded by mgmt_chan_list_lock.
 */
static LIST_HEAD(mgmt_chan_list);
static DEFINE_MUTEX(mgmt_chan_list_lock);

/* Allocator for the per-socket cookies that identify a socket in the
 * monitor channel's control open/close/command records.
 */
static DEFINE_IDA(sock_cookie_ida);

/* Number of bound HCI_CHANNEL_MONITOR sockets. Bumped in bind, dropped in
 * release; a zero value short-circuits every copy-to-monitor path.
 */
static atomic_t monitor_promisc = ATOMIC_INIT(0);

/* ----- HCI socket interface ----- */

/* Socket info */
#define hci_pi(sk) ((struct hci_pinfo *) sk)

/* Per-socket protocol state, overlaid on struct sock via hci_pi(). */
struct hci_pinfo {
	struct bt_sock    bt;
	struct hci_dev    *hdev;      /* bound controller, NULL when unbound */
	struct hci_filter filter;     /* RAW channel receive filter */
	__u8              cmsg_mask;
	unsigned short    channel;    /* HCI_CHANNEL_* this socket is bound to */
	unsigned long     flags;      /* HCI_SOCK_* bits, e.g. HCI_SOCK_TRUSTED */
	__u32             cookie;     /* monitor cookie, 0 until generated */
	char              comm[TASK_COMM_LEN]; /* task name captured with the cookie */
	__u16             mtu;
};

/* Resolve the controller a socket is bound to.
 *
 * Returns -EBADFD when the socket has no controller and -EPIPE when the
 * controller is in the middle of being unregistered, so callers never act
 * on a device that is going away.
 */
static struct hci_dev *hci_hdev_from_sock(struct sock *sk)
{
	struct hci_dev *hdev = hci_pi(sk)->hdev;

	if (!hdev)
		return ERR_PTR(-EBADFD);
	if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
		return ERR_PTR(-EPIPE);
	return hdev;
}

void hci_sock_set_flag(struct sock *sk, int nr)
{
	set_bit(nr, &hci_pi(sk)->flags);
}

void hci_sock_clear_flag(struct sock *sk, int nr)
{
	clear_bit(nr, &hci_pi(sk)->flags);
}

int hci_sock_test_flag(struct sock *sk, int nr)
{
	return test_bit(nr, &hci_pi(sk)->flags);
}

unsigned short hci_sock_get_channel(struct sock *sk)
{
	return hci_pi(sk)->channel;
}

u32 hci_sock_get_cookie(struct sock *sk)
{
	return hci_pi(sk)->cookie;
}

/* Assign the socket its monitor cookie on first use.
 *
 * Returns true only when a cookie was generated by this call, which is what
 * callers use to emit exactly one HCI_MON_CTRL_OPEN per socket lifetime.
 * The comm of the *current* task is captured at this moment; on the ioctl
 * path that is the ioctl caller, not necessarily the socket opener.
 *
 * If the IDA cannot hand out an id, the cookie becomes the all-ones value so
 * the socket still counts as having one. That value reads back as -1 in the
 * int local used here and in hci_sock_free_cookie(); ida_free() is expected
 * to ignore ids with the sign bit set — confirm against lib/idr.c.
 */
static bool hci_sock_gen_cookie(struct sock *sk)
{
	int id = hci_pi(sk)->cookie;

	if (!id) {
		id = ida_alloc_min(&sock_cookie_ida, 1, GFP_KERNEL);
		if (id < 0)
			id = 0xffffffff;

		hci_pi(sk)->cookie = id;
		get_task_comm(hci_pi(sk)->comm, current);
		return true;
	}

	return false;
}

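/* Release the monitor cookie, if one was ever generated for @sk. */
static void hci_sock_free_cookie(struct sock *sk)
{
	int id = hci_pi(sk)->cookie;

	if (id) {
		hci_pi(sk)->cookie = 0;
		ida_free(&sock_cookie_ida, id);
	}
}

/* Test bit @nr in an array of __u32 words (used for the event mask, which
 * is not a bitmap of unsigned long).
 */
static inline int hci_test_bit(int nr, const void *addr)
{
	return *((const __u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31));
}

/* Security filter */
#define HCI_SFLT_MAX_OGF	5

struct hci_sec_filter {
	__u32 type_mask;
	__u32 event_mask[2];
	__u32 ocf_mask[HCI_SFLT_MAX_OGF + 1][4];
};

/* Static allow-list of packet types, events and per-OGF OCFs. Presumably
 * applied to sockets without HCI_SOCK_TRUSTED; its consumer lives further
 * down the file, outside this span — confirm before relying on it.
 */
static const struct hci_sec_filter hci_sec_filter = {
	/* Packet types */
	0x10,
	/* Events */
	{ 0x1000d9fe, 0x0000b00c },
	/* Commands */
	{
		{ 0x0 },
		/* OGF_LINK_CTL */
		{ 0xbe000006, 0x00000001, 0x00000000, 0x00 },
		/* OGF_LINK_POLICY */
		{ 0x00005200, 0x00000000, 0x00000000, 0x00 },
		/* OGF_HOST_CTL */
		{ 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
		/* OGF_INFO_PARAM */
		{ 0x000002be, 0x00000000, 0x00000000, 0x00 },
		/* OGF_STATUS_PARAM */
		{ 0x000000ea, 0x00000000, 0x00000000, 0x00 }
	}
};

/* All HCI sockets; readers of the list take hci_sk_list.lock for reading. */
static struct bt_sock_list hci_sk_list = {
	.lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
};

/* Apply the receive filter of RAW channel socket @sk to @skb.
 *
 * Returns true when the packet must NOT be delivered to @sk.
 *
 * Every packet is first matched against the type mask. Event packets are
 * additionally matched against the event mask and, when the filter carries
 * an opcode, against the opcode inside Command Complete (offset 3) and
 * Command Status (offset 4) events. Those opcode reads are at fixed offsets
 * into a controller-supplied buffer, so they are only performed when
 * skb->len actually covers them: a truncated event is filtered out rather
 * than compared against bytes that lie past the end of the packet.
 */
static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb)
{
	struct hci_filter *flt;
	int flt_type, flt_event;

	/* Apply filter */
	flt = &hci_pi(sk)->filter;

	flt_type = hci_skb_pkt_type(skb) & HCI_FLT_TYPE_BITS;

	if (!test_bit(flt_type, &flt->type_mask))
		return true;

	/* Extra filter for event packets only */
	if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT)
		return false;

	/* An event without even an event code cannot be classified */
	if (skb->len < 1)
		return true;

	flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);

	if (!hci_test_bit(flt_event, &flt->event_mask))
		return true;

	/* Check filter only when opcode is set */
	if (!flt->opcode)
		return false;

	/* Command Complete carries the opcode at offset 3; the packet must
	 * be at least 5 bytes for the two-byte read to stay in bounds.
	 */
	if (flt_event == HCI_EV_CMD_COMPLETE) {
		if (skb->len < 5 ||
		    flt->opcode != get_unaligned((__le16 *)(skb->data + 3)))
			return true;
	}

	/* Command Status carries the opcode at offset 4; needs 6 bytes. */
	if (flt_event == HCI_EV_CMD_STATUS) {
		if (skb->len < 6 ||
		    flt->opcode != get_unaligned((__le16 *)(skb->data + 4)))
			return true;
	}

	return false;
}

/* Send frame to RAW socket
 *
 * Deliver @skb to every bound RAW or USER channel socket attached to @hdev,
 * except the socket the frame originated from (skb->sk).
 *
 * RAW sockets receive command, event, ACL, SCO and ISO packets subject to
 * their per-socket filter. USER channel sockets receive only *incoming*
 * event, ACL, SCO, ISO and driver packets, unfiltered. All other channel
 * types are skipped. One private copy prefixed with the packet-type byte is
 * made lazily on the first eligible recipient and then cloned per socket;
 * a recipient whose receive queue rejects the clone simply misses it.
 */
void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
{
	struct sock *sk;
	struct sk_buff *skb_copy = NULL;

	BT_DBG("hdev %p len %d", hdev, skb->len);

	read_lock(&hci_sk_list.lock);

	sk_for_each(sk, &hci_sk_list.head) {
		struct sk_buff *nskb;

		if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
			continue;

		/* Don't send frame to the socket it came from */
		if (skb->sk == sk)
			continue;

		if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) {
			if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT &&
			    hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
			    hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
			    hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
			    hci_skb_pkt_type(skb) != HCI_ISODATA_PKT)
				continue;
			if (is_filtered_packet(sk, skb))
				continue;
		} else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
			if (!bt_cb(skb)->incoming)
				continue;
			if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
			    hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
			    hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
			    hci_skb_pkt_type(skb) != HCI_ISODATA_PKT &&
			    hci_skb_pkt_type(skb) != HCI_DRV_PKT)
				continue;
		} else {
			/* Don't send frame to other channel types */
			continue;
		}

		if (!skb_copy) {
			/* Create a private copy with headroom */
			skb_copy = __pskb_copy_fclone(skb, 1, GFP_ATOMIC, true);
			if (!skb_copy)
				continue;

			/* Put type byte before the data */
			memcpy(skb_push(skb_copy, 1), &hci_skb_pkt_type(skb), 1);
		}

		nskb = skb_clone(skb_copy, GFP_ATOMIC);
		if (!nskb)
			continue;

		if (sock_queue_rcv_skb(sk, nskb))
			kfree_skb(nskb);
	}

	read_unlock(&hci_sk_list.lock);

	kfree_skb(skb_copy);
}

/* Attach the peer credentials of @sk (or of its parent socket, when @sk has
 * none) to the control block of @skb, so monitor consumers can attribute
 * the record. Does nothing when neither socket has a peer pid, and avoids
 * rewriting credentials that already carry the same pid.
 */
static void hci_sock_copy_creds(struct sock *sk, struct sk_buff *skb)
{
	struct scm_creds *creds;

	if (!sk || WARN_ON(!skb))
		return;

	creds = &bt_cb(skb)->creds;

	/* Check if peer credentials is set */
	if (!sk->sk_peer_pid) {
		/* Check if parent peer credentials is set */
		if (bt_sk(sk)->parent && bt_sk(sk)->parent->sk_peer_pid)
			sk = bt_sk(sk)->parent;
		else
			return;
	}

	/* Check if scm_creds already set */
	if (creds->pid == pid_vnr(sk->sk_peer_pid))
		return;

	memset(creds, 0, sizeof(*creds));

	creds->pid = pid_vnr(sk->sk_peer_pid);
	if (sk->sk_peer_cred) {
		creds->uid = sk->sk_peer_cred->uid;
		creds->gid = sk->sk_peer_cred->gid;
	}
}

/* Clone @skb and stamp the clone with the credentials of skb->sk.
 * Returns NULL for a NULL @skb or on allocation failure.
 */
static struct sk_buff *hci_skb_clone(struct sk_buff *skb)
{
	struct sk_buff *nskb;

	if (!skb)
		return NULL;

	nskb = skb_clone(skb, GFP_ATOMIC);
	if (!nskb)
		return NULL;

	hci_sock_copy_creds(skb->sk, nskb);

	return nskb;
}

/* Send frame to sockets with specific channel
 *
 * Queue a clone of @skb on every bound socket of @channel that has socket
 * flag @flag set, skipping @skip_sk. The caller must already hold
 * hci_sk_list.lock; hci_send_to_channel() is the locking wrapper.
 */
static void __hci_send_to_channel(unsigned short channel, struct sk_buff *skb,
				  int flag, struct sock *skip_sk)
{
	struct sock *sk;

	BT_DBG("channel %u len %d", channel, skb->len);

	sk_for_each(sk, &hci_sk_list.head) {
		struct sk_buff *nskb;

		/* Ignore socket without the flag set */
		if (!hci_sock_test_flag(sk, flag))
			continue;

		/* Skip the original socket */
		if (sk == skip_sk)
			continue;

		if (sk->sk_state != BT_BOUND)
			continue;

		if (hci_pi(sk)->channel != channel)
			continue;

		nskb = hci_skb_clone(skb);
		if (!nskb)
			continue;

		if (sock_queue_rcv_skb(sk, nskb))
			kfree_skb(nskb);
	}

}

/* Locked variant of __hci_send_to_channel(); see there. */
void hci_send_to_channel(unsigned short channel, struct sk_buff *skb,
			 int flag, struct sock *skip_sk)
{
	read_lock(&hci_sk_list.lock);
	__hci_send_to_channel(channel, skb, flag, skip_sk);
	read_unlock(&hci_sk_list.lock);
}
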
356 /* Send frame to monitor socket */ 357 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb) 358 { 359 struct sk_buff *skb_copy = NULL; 360 struct hci_mon_hdr *hdr; 361 __le16 opcode; 362 363 if (!atomic_read(&monitor_promisc)) 364 return; 365 366 BT_DBG("hdev %p len %d", hdev, skb->len); 367 368 switch (hci_skb_pkt_type(skb)) { 369 case HCI_COMMAND_PKT: 370 opcode = cpu_to_le16(HCI_MON_COMMAND_PKT); 371 break; 372 case HCI_EVENT_PKT: 373 opcode = cpu_to_le16(HCI_MON_EVENT_PKT); 374 break; 375 case HCI_ACLDATA_PKT: 376 if (bt_cb(skb)->incoming) 377 opcode = cpu_to_le16(HCI_MON_ACL_RX_PKT); 378 else 379 opcode = cpu_to_le16(HCI_MON_ACL_TX_PKT); 380 break; 381 case HCI_SCODATA_PKT: 382 if (bt_cb(skb)->incoming) 383 opcode = cpu_to_le16(HCI_MON_SCO_RX_PKT); 384 else 385 opcode = cpu_to_le16(HCI_MON_SCO_TX_PKT); 386 break; 387 case HCI_ISODATA_PKT: 388 if (bt_cb(skb)->incoming) 389 opcode = cpu_to_le16(HCI_MON_ISO_RX_PKT); 390 else 391 opcode = cpu_to_le16(HCI_MON_ISO_TX_PKT); 392 break; 393 case HCI_DRV_PKT: 394 if (bt_cb(skb)->incoming) 395 opcode = cpu_to_le16(HCI_MON_DRV_RX_PKT); 396 else 397 opcode = cpu_to_le16(HCI_MON_DRV_TX_PKT); 398 break; 399 case HCI_DIAG_PKT: 400 opcode = cpu_to_le16(HCI_MON_VENDOR_DIAG); 401 break; 402 default: 403 return; 404 } 405 406 /* Create a private copy with headroom */ 407 skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE, GFP_ATOMIC, true); 408 if (!skb_copy) 409 return; 410 411 hci_sock_copy_creds(skb->sk, skb_copy); 412 413 /* Put header before the data */ 414 hdr = skb_push(skb_copy, HCI_MON_HDR_SIZE); 415 hdr->opcode = opcode; 416 hdr->index = cpu_to_le16(hdev->id); 417 hdr->len = cpu_to_le16(skb->len); 418 419 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb_copy, 420 HCI_SOCK_TRUSTED, NULL); 421 kfree_skb(skb_copy); 422 } 423 424 void hci_send_monitor_ctrl_event(struct hci_dev *hdev, u16 event, 425 void *data, u16 data_len, ktime_t tstamp, 426 int flag, struct sock *skip_sk) 427 { 428 struct sock *sk; 429 
__le16 index; 430 431 if (hdev) 432 index = cpu_to_le16(hdev->id); 433 else 434 index = cpu_to_le16(MGMT_INDEX_NONE); 435 436 read_lock(&hci_sk_list.lock); 437 438 sk_for_each(sk, &hci_sk_list.head) { 439 struct hci_mon_hdr *hdr; 440 struct sk_buff *skb; 441 442 if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL) 443 continue; 444 445 /* Ignore socket without the flag set */ 446 if (!hci_sock_test_flag(sk, flag)) 447 continue; 448 449 /* Skip the original socket */ 450 if (sk == skip_sk) 451 continue; 452 453 skb = bt_skb_alloc(6 + data_len, GFP_ATOMIC); 454 if (!skb) 455 continue; 456 457 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); 458 put_unaligned_le16(event, skb_put(skb, 2)); 459 460 if (data) 461 skb_put_data(skb, data, data_len); 462 463 skb->tstamp = tstamp; 464 465 hdr = skb_push(skb, HCI_MON_HDR_SIZE); 466 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_EVENT); 467 hdr->index = index; 468 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 469 470 __hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 471 HCI_SOCK_TRUSTED, NULL); 472 kfree_skb(skb); 473 } 474 475 read_unlock(&hci_sk_list.lock); 476 } 477 478 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event) 479 { 480 struct hci_mon_hdr *hdr; 481 struct hci_mon_new_index *ni; 482 struct hci_mon_index_info *ii; 483 struct sk_buff *skb; 484 __le16 opcode; 485 486 switch (event) { 487 case HCI_DEV_REG: 488 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC); 489 if (!skb) 490 return NULL; 491 492 ni = skb_put(skb, HCI_MON_NEW_INDEX_SIZE); 493 ni->type = 0x00; /* Old hdev->dev_type */ 494 ni->bus = hdev->bus; 495 bacpy(&ni->bdaddr, &hdev->bdaddr); 496 memcpy_and_pad(ni->name, sizeof(ni->name), hdev->name, 497 strnlen(hdev->name, sizeof(ni->name)), '\0'); 498 499 opcode = cpu_to_le16(HCI_MON_NEW_INDEX); 500 break; 501 502 case HCI_DEV_UNREG: 503 skb = bt_skb_alloc(0, GFP_ATOMIC); 504 if (!skb) 505 return NULL; 506 507 opcode = cpu_to_le16(HCI_MON_DEL_INDEX); 508 break; 509 510 case 
HCI_DEV_SETUP: 511 if (hdev->manufacturer == 0xffff) 512 return NULL; 513 fallthrough; 514 515 case HCI_DEV_UP: 516 skb = bt_skb_alloc(HCI_MON_INDEX_INFO_SIZE, GFP_ATOMIC); 517 if (!skb) 518 return NULL; 519 520 ii = skb_put(skb, HCI_MON_INDEX_INFO_SIZE); 521 bacpy(&ii->bdaddr, &hdev->bdaddr); 522 ii->manufacturer = cpu_to_le16(hdev->manufacturer); 523 524 opcode = cpu_to_le16(HCI_MON_INDEX_INFO); 525 break; 526 527 case HCI_DEV_OPEN: 528 skb = bt_skb_alloc(0, GFP_ATOMIC); 529 if (!skb) 530 return NULL; 531 532 opcode = cpu_to_le16(HCI_MON_OPEN_INDEX); 533 break; 534 535 case HCI_DEV_CLOSE: 536 skb = bt_skb_alloc(0, GFP_ATOMIC); 537 if (!skb) 538 return NULL; 539 540 opcode = cpu_to_le16(HCI_MON_CLOSE_INDEX); 541 break; 542 543 default: 544 return NULL; 545 } 546 547 __net_timestamp(skb); 548 549 hdr = skb_push(skb, HCI_MON_HDR_SIZE); 550 hdr->opcode = opcode; 551 hdr->index = cpu_to_le16(hdev->id); 552 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 553 554 return skb; 555 } 556 557 static struct sk_buff *create_monitor_ctrl_open(struct sock *sk) 558 { 559 struct hci_mon_hdr *hdr; 560 struct sk_buff *skb; 561 u16 format; 562 u8 ver[3]; 563 u32 flags; 564 565 /* No message needed when cookie is not present */ 566 if (!hci_pi(sk)->cookie) 567 return NULL; 568 569 switch (hci_pi(sk)->channel) { 570 case HCI_CHANNEL_RAW: 571 format = 0x0000; 572 ver[0] = BT_SUBSYS_VERSION; 573 put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1); 574 break; 575 case HCI_CHANNEL_USER: 576 format = 0x0001; 577 ver[0] = BT_SUBSYS_VERSION; 578 put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1); 579 break; 580 case HCI_CHANNEL_CONTROL: 581 format = 0x0002; 582 mgmt_fill_version_info(ver); 583 break; 584 default: 585 /* No message for unsupported format */ 586 return NULL; 587 } 588 589 skb = bt_skb_alloc(14 + TASK_COMM_LEN, GFP_ATOMIC); 590 if (!skb) 591 return NULL; 592 593 hci_sock_copy_creds(sk, skb); 594 595 flags = hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) ? 
0x1 : 0x0; 596 597 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); 598 put_unaligned_le16(format, skb_put(skb, 2)); 599 skb_put_data(skb, ver, sizeof(ver)); 600 put_unaligned_le32(flags, skb_put(skb, 4)); 601 skb_put_u8(skb, TASK_COMM_LEN); 602 skb_put_data(skb, hci_pi(sk)->comm, TASK_COMM_LEN); 603 604 __net_timestamp(skb); 605 606 hdr = skb_push(skb, HCI_MON_HDR_SIZE); 607 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_OPEN); 608 if (hci_pi(sk)->hdev) 609 hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id); 610 else 611 hdr->index = cpu_to_le16(HCI_DEV_NONE); 612 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 613 614 return skb; 615 } 616 617 static struct sk_buff *create_monitor_ctrl_close(struct sock *sk) 618 { 619 struct hci_mon_hdr *hdr; 620 struct sk_buff *skb; 621 622 /* No message needed when cookie is not present */ 623 if (!hci_pi(sk)->cookie) 624 return NULL; 625 626 switch (hci_pi(sk)->channel) { 627 case HCI_CHANNEL_RAW: 628 case HCI_CHANNEL_USER: 629 case HCI_CHANNEL_CONTROL: 630 break; 631 default: 632 /* No message for unsupported format */ 633 return NULL; 634 } 635 636 skb = bt_skb_alloc(4, GFP_ATOMIC); 637 if (!skb) 638 return NULL; 639 640 hci_sock_copy_creds(sk, skb); 641 642 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); 643 644 __net_timestamp(skb); 645 646 hdr = skb_push(skb, HCI_MON_HDR_SIZE); 647 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_CLOSE); 648 if (hci_pi(sk)->hdev) 649 hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id); 650 else 651 hdr->index = cpu_to_le16(HCI_DEV_NONE); 652 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 653 654 return skb; 655 } 656 657 static struct sk_buff *create_monitor_ctrl_command(struct sock *sk, u16 index, 658 u16 opcode, u16 len, 659 const void *buf) 660 { 661 struct hci_mon_hdr *hdr; 662 struct sk_buff *skb; 663 664 skb = bt_skb_alloc(6 + len, GFP_ATOMIC); 665 if (!skb) 666 return NULL; 667 668 hci_sock_copy_creds(sk, skb); 669 670 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); 671 
put_unaligned_le16(opcode, skb_put(skb, 2)); 672 673 if (buf) 674 skb_put_data(skb, buf, len); 675 676 __net_timestamp(skb); 677 678 hdr = skb_push(skb, HCI_MON_HDR_SIZE); 679 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_COMMAND); 680 hdr->index = cpu_to_le16(index); 681 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 682 683 return skb; 684 } 685 686 static void __printf(2, 3) 687 send_monitor_note(struct sock *sk, const char *fmt, ...) 688 { 689 size_t len; 690 struct hci_mon_hdr *hdr; 691 struct sk_buff *skb; 692 va_list args; 693 694 va_start(args, fmt); 695 len = vsnprintf(NULL, 0, fmt, args); 696 va_end(args); 697 698 skb = bt_skb_alloc(len + 1, GFP_ATOMIC); 699 if (!skb) 700 return; 701 702 hci_sock_copy_creds(sk, skb); 703 704 va_start(args, fmt); 705 vsprintf(skb_put(skb, len), fmt, args); 706 *(u8 *)skb_put(skb, 1) = 0; 707 va_end(args); 708 709 __net_timestamp(skb); 710 711 hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE); 712 hdr->opcode = cpu_to_le16(HCI_MON_SYSTEM_NOTE); 713 hdr->index = cpu_to_le16(HCI_DEV_NONE); 714 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 715 716 if (sock_queue_rcv_skb(sk, skb)) 717 kfree_skb(skb); 718 } 719 720 static void send_monitor_replay(struct sock *sk) 721 { 722 struct hci_dev *hdev; 723 724 read_lock(&hci_dev_list_lock); 725 726 list_for_each_entry(hdev, &hci_dev_list, list) { 727 struct sk_buff *skb; 728 729 skb = create_monitor_event(hdev, HCI_DEV_REG); 730 if (!skb) 731 continue; 732 733 if (sock_queue_rcv_skb(sk, skb)) 734 kfree_skb(skb); 735 736 if (!test_bit(HCI_RUNNING, &hdev->flags)) 737 continue; 738 739 skb = create_monitor_event(hdev, HCI_DEV_OPEN); 740 if (!skb) 741 continue; 742 743 if (sock_queue_rcv_skb(sk, skb)) 744 kfree_skb(skb); 745 746 if (test_bit(HCI_UP, &hdev->flags)) 747 skb = create_monitor_event(hdev, HCI_DEV_UP); 748 else if (hci_dev_test_flag(hdev, HCI_SETUP)) 749 skb = create_monitor_event(hdev, HCI_DEV_SETUP); 750 else 751 skb = NULL; 752 753 if (skb) { 754 if (sock_queue_rcv_skb(sk, 
skb)) 755 kfree_skb(skb); 756 } 757 } 758 759 read_unlock(&hci_dev_list_lock); 760 } 761 762 static void send_monitor_control_replay(struct sock *mon_sk) 763 { 764 struct sock *sk; 765 766 read_lock(&hci_sk_list.lock); 767 768 sk_for_each(sk, &hci_sk_list.head) { 769 struct sk_buff *skb; 770 771 skb = create_monitor_ctrl_open(sk); 772 if (!skb) 773 continue; 774 775 if (sock_queue_rcv_skb(mon_sk, skb)) 776 kfree_skb(skb); 777 } 778 779 read_unlock(&hci_sk_list.lock); 780 } 781 782 /* Generate internal stack event */ 783 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data) 784 { 785 struct hci_event_hdr *hdr; 786 struct hci_ev_stack_internal *ev; 787 struct sk_buff *skb; 788 789 skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC); 790 if (!skb) 791 return; 792 793 hdr = skb_put(skb, HCI_EVENT_HDR_SIZE); 794 hdr->evt = HCI_EV_STACK_INTERNAL; 795 hdr->plen = sizeof(*ev) + dlen; 796 797 ev = skb_put(skb, sizeof(*ev) + dlen); 798 ev->type = type; 799 memcpy(ev->data, data, dlen); 800 801 bt_cb(skb)->incoming = 1; 802 __net_timestamp(skb); 803 804 hci_skb_pkt_type(skb) = HCI_EVENT_PKT; 805 hci_send_to_sock(hdev, skb); 806 kfree_skb(skb); 807 } 808 809 void hci_sock_dev_event(struct hci_dev *hdev, int event) 810 { 811 BT_DBG("hdev %s event %d", hdev->name, event); 812 813 if (atomic_read(&monitor_promisc)) { 814 struct sk_buff *skb; 815 816 /* Send event to monitor */ 817 skb = create_monitor_event(hdev, event); 818 if (skb) { 819 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 820 HCI_SOCK_TRUSTED, NULL); 821 kfree_skb(skb); 822 } 823 } 824 825 if (event <= HCI_DEV_DOWN) { 826 struct hci_ev_si_device ev; 827 828 /* Send event to sockets */ 829 ev.event = event; 830 ev.dev_id = hdev->id; 831 hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev); 832 } 833 834 if (event == HCI_DEV_UNREG) { 835 struct sock *sk; 836 837 /* Wake up sockets using this dead device */ 838 read_lock(&hci_sk_list.lock); 839 sk_for_each(sk, 
&hci_sk_list.head) { 840 if (hci_pi(sk)->hdev == hdev) { 841 sk->sk_err = EPIPE; 842 sk->sk_state_change(sk); 843 } 844 } 845 read_unlock(&hci_sk_list.lock); 846 } 847 } 848 849 static struct hci_mgmt_chan *__hci_mgmt_chan_find(unsigned short channel) 850 { 851 struct hci_mgmt_chan *c; 852 853 list_for_each_entry(c, &mgmt_chan_list, list) { 854 if (c->channel == channel) 855 return c; 856 } 857 858 return NULL; 859 } 860 861 static struct hci_mgmt_chan *hci_mgmt_chan_find(unsigned short channel) 862 { 863 struct hci_mgmt_chan *c; 864 865 mutex_lock(&mgmt_chan_list_lock); 866 c = __hci_mgmt_chan_find(channel); 867 mutex_unlock(&mgmt_chan_list_lock); 868 869 return c; 870 } 871 872 int hci_mgmt_chan_register(struct hci_mgmt_chan *c) 873 { 874 if (c->channel < HCI_CHANNEL_CONTROL) 875 return -EINVAL; 876 877 mutex_lock(&mgmt_chan_list_lock); 878 if (__hci_mgmt_chan_find(c->channel)) { 879 mutex_unlock(&mgmt_chan_list_lock); 880 return -EALREADY; 881 } 882 883 list_add_tail(&c->list, &mgmt_chan_list); 884 885 mutex_unlock(&mgmt_chan_list_lock); 886 887 return 0; 888 } 889 EXPORT_SYMBOL(hci_mgmt_chan_register); 890 891 void hci_mgmt_chan_unregister(struct hci_mgmt_chan *c) 892 { 893 mutex_lock(&mgmt_chan_list_lock); 894 list_del(&c->list); 895 mutex_unlock(&mgmt_chan_list_lock); 896 } 897 EXPORT_SYMBOL(hci_mgmt_chan_unregister); 898 899 static int hci_sock_release(struct socket *sock) 900 { 901 struct sock *sk = sock->sk; 902 struct hci_dev *hdev; 903 struct sk_buff *skb; 904 905 BT_DBG("sock %p sk %p", sock, sk); 906 907 if (!sk) 908 return 0; 909 910 lock_sock(sk); 911 912 switch (hci_pi(sk)->channel) { 913 case HCI_CHANNEL_MONITOR: 914 atomic_dec(&monitor_promisc); 915 break; 916 case HCI_CHANNEL_RAW: 917 case HCI_CHANNEL_USER: 918 case HCI_CHANNEL_CONTROL: 919 /* Send event to monitor */ 920 skb = create_monitor_ctrl_close(sk); 921 if (skb) { 922 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 923 HCI_SOCK_TRUSTED, NULL); 924 kfree_skb(skb); 925 } 926 927 
hci_sock_free_cookie(sk); 928 break; 929 } 930 931 bt_sock_unlink(&hci_sk_list, sk); 932 933 hdev = hci_pi(sk)->hdev; 934 if (hdev) { 935 if (hci_pi(sk)->channel == HCI_CHANNEL_USER && 936 !hci_dev_test_flag(hdev, HCI_UNREGISTER)) { 937 /* When releasing a user channel exclusive access, 938 * call hci_dev_do_close directly instead of calling 939 * hci_dev_close to ensure the exclusive access will 940 * be released and the controller brought back down. 941 * 942 * The checking of HCI_AUTO_OFF is not needed in this 943 * case since it will have been cleared already when 944 * opening the user channel. 945 * 946 * Make sure to also check that we haven't already 947 * unregistered since all the cleanup will have already 948 * been complete and hdev will get released when we put 949 * below. 950 */ 951 hci_dev_do_close(hdev); 952 hci_dev_clear_flag(hdev, HCI_USER_CHANNEL); 953 mgmt_index_added(hdev); 954 } 955 956 atomic_dec(&hdev->promisc); 957 hci_dev_put(hdev); 958 } 959 960 sock_orphan(sk); 961 release_sock(sk); 962 sock_put(sk); 963 return 0; 964 } 965 966 static int hci_sock_reject_list_add(struct hci_dev *hdev, void __user *arg) 967 { 968 bdaddr_t bdaddr; 969 int err; 970 971 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 972 return -EFAULT; 973 974 hci_dev_lock(hdev); 975 976 err = hci_bdaddr_list_add(&hdev->reject_list, &bdaddr, BDADDR_BREDR); 977 978 hci_dev_unlock(hdev); 979 980 return err; 981 } 982 983 static int hci_sock_reject_list_del(struct hci_dev *hdev, void __user *arg) 984 { 985 bdaddr_t bdaddr; 986 int err; 987 988 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 989 return -EFAULT; 990 991 hci_dev_lock(hdev); 992 993 err = hci_bdaddr_list_del(&hdev->reject_list, &bdaddr, BDADDR_BREDR); 994 995 hci_dev_unlock(hdev); 996 997 return err; 998 } 999 1000 /* Ioctls that require bound socket */ 1001 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, 1002 unsigned long arg) 1003 { 1004 struct hci_dev *hdev = hci_hdev_from_sock(sk); 
1005 1006 if (IS_ERR(hdev)) 1007 return PTR_ERR(hdev); 1008 1009 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) 1010 return -EBUSY; 1011 1012 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) 1013 return -EOPNOTSUPP; 1014 1015 switch (cmd) { 1016 case HCISETRAW: 1017 if (!capable(CAP_NET_ADMIN)) 1018 return -EPERM; 1019 return -EOPNOTSUPP; 1020 1021 case HCIGETCONNINFO: 1022 return hci_get_conn_info(hdev, (void __user *)arg); 1023 1024 case HCIGETAUTHINFO: 1025 return hci_get_auth_info(hdev, (void __user *)arg); 1026 1027 case HCIBLOCKADDR: 1028 if (!capable(CAP_NET_ADMIN)) 1029 return -EPERM; 1030 return hci_sock_reject_list_add(hdev, (void __user *)arg); 1031 1032 case HCIUNBLOCKADDR: 1033 if (!capable(CAP_NET_ADMIN)) 1034 return -EPERM; 1035 return hci_sock_reject_list_del(hdev, (void __user *)arg); 1036 } 1037 1038 return -ENOIOCTLCMD; 1039 } 1040 1041 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd, 1042 unsigned long arg) 1043 { 1044 void __user *argp = (void __user *)arg; 1045 struct sock *sk = sock->sk; 1046 int err; 1047 1048 BT_DBG("cmd %x arg %lx", cmd, arg); 1049 1050 /* Make sure the cmd is valid before doing anything */ 1051 switch (cmd) { 1052 case HCIGETDEVLIST: 1053 case HCIGETDEVINFO: 1054 case HCIGETCONNLIST: 1055 case HCIDEVUP: 1056 case HCIDEVDOWN: 1057 case HCIDEVRESET: 1058 case HCIDEVRESTAT: 1059 case HCISETSCAN: 1060 case HCISETAUTH: 1061 case HCISETENCRYPT: 1062 case HCISETPTYPE: 1063 case HCISETLINKPOL: 1064 case HCISETLINKMODE: 1065 case HCISETACLMTU: 1066 case HCISETSCOMTU: 1067 case HCIINQUIRY: 1068 case HCISETRAW: 1069 case HCIGETCONNINFO: 1070 case HCIGETAUTHINFO: 1071 case HCIBLOCKADDR: 1072 case HCIUNBLOCKADDR: 1073 break; 1074 default: 1075 return -ENOIOCTLCMD; 1076 } 1077 1078 lock_sock(sk); 1079 1080 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { 1081 err = -EBADFD; 1082 goto done; 1083 } 1084 1085 /* When calling an ioctl on an unbound raw socket, then ensure 1086 * that the monitor gets informed. 
Ensure that the resulting event 1087 * is only send once by checking if the cookie exists or not. The 1088 * socket cookie will be only ever generated once for the lifetime 1089 * of a given socket. 1090 */ 1091 if (hci_sock_gen_cookie(sk)) { 1092 struct sk_buff *skb; 1093 1094 /* Perform careful checks before setting the HCI_SOCK_TRUSTED 1095 * flag. Make sure that not only the current task but also 1096 * the socket opener has the required capability, since 1097 * privileged programs can be tricked into making ioctl calls 1098 * on HCI sockets, and the socket should not be marked as 1099 * trusted simply because the ioctl caller is privileged. 1100 */ 1101 if (sk_capable(sk, CAP_NET_ADMIN)) 1102 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); 1103 1104 /* Send event to monitor */ 1105 skb = create_monitor_ctrl_open(sk); 1106 if (skb) { 1107 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1108 HCI_SOCK_TRUSTED, NULL); 1109 kfree_skb(skb); 1110 } 1111 } 1112 1113 release_sock(sk); 1114 1115 switch (cmd) { 1116 case HCIGETDEVLIST: 1117 return hci_get_dev_list(argp); 1118 1119 case HCIGETDEVINFO: 1120 return hci_get_dev_info(argp); 1121 1122 case HCIGETCONNLIST: 1123 return hci_get_conn_list(argp); 1124 1125 case HCIDEVUP: 1126 if (!capable(CAP_NET_ADMIN)) 1127 return -EPERM; 1128 return hci_dev_open(arg); 1129 1130 case HCIDEVDOWN: 1131 if (!capable(CAP_NET_ADMIN)) 1132 return -EPERM; 1133 return hci_dev_close(arg); 1134 1135 case HCIDEVRESET: 1136 if (!capable(CAP_NET_ADMIN)) 1137 return -EPERM; 1138 return hci_dev_reset(arg); 1139 1140 case HCIDEVRESTAT: 1141 if (!capable(CAP_NET_ADMIN)) 1142 return -EPERM; 1143 return hci_dev_reset_stat(arg); 1144 1145 case HCISETSCAN: 1146 case HCISETAUTH: 1147 case HCISETENCRYPT: 1148 case HCISETPTYPE: 1149 case HCISETLINKPOL: 1150 case HCISETLINKMODE: 1151 case HCISETACLMTU: 1152 case HCISETSCOMTU: 1153 if (!capable(CAP_NET_ADMIN)) 1154 return -EPERM; 1155 return hci_dev_cmd(cmd, argp); 1156 1157 case HCIINQUIRY: 1158 return 
hci_inquiry(argp); 1159 } 1160 1161 lock_sock(sk); 1162 1163 err = hci_sock_bound_ioctl(sk, cmd, arg); 1164 1165 done: 1166 release_sock(sk); 1167 return err; 1168 } 1169 1170 #ifdef CONFIG_COMPAT 1171 static int hci_sock_compat_ioctl(struct socket *sock, unsigned int cmd, 1172 unsigned long arg) 1173 { 1174 switch (cmd) { 1175 case HCIDEVUP: 1176 case HCIDEVDOWN: 1177 case HCIDEVRESET: 1178 case HCIDEVRESTAT: 1179 return hci_sock_ioctl(sock, cmd, arg); 1180 } 1181 1182 return hci_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg)); 1183 } 1184 #endif 1185 1186 static int hci_sock_bind(struct socket *sock, struct sockaddr_unsized *addr, 1187 int addr_len) 1188 { 1189 struct sockaddr_hci haddr; 1190 struct sock *sk = sock->sk; 1191 struct hci_dev *hdev = NULL; 1192 struct sk_buff *skb; 1193 int len, err = 0; 1194 1195 BT_DBG("sock %p sk %p", sock, sk); 1196 1197 if (!addr) 1198 return -EINVAL; 1199 1200 memset(&haddr, 0, sizeof(haddr)); 1201 len = min_t(unsigned int, sizeof(haddr), addr_len); 1202 memcpy(&haddr, addr, len); 1203 1204 if (haddr.hci_family != AF_BLUETOOTH) 1205 return -EINVAL; 1206 1207 lock_sock(sk); 1208 1209 /* Allow detaching from dead device and attaching to alive device, if 1210 * the caller wants to re-bind (instead of close) this socket in 1211 * response to hci_sock_dev_event(HCI_DEV_UNREG) notification. 
1212 */ 1213 hdev = hci_pi(sk)->hdev; 1214 if (hdev && hci_dev_test_flag(hdev, HCI_UNREGISTER)) { 1215 hci_pi(sk)->hdev = NULL; 1216 sk->sk_state = BT_OPEN; 1217 hci_dev_put(hdev); 1218 } 1219 hdev = NULL; 1220 1221 if (sk->sk_state == BT_BOUND) { 1222 err = -EALREADY; 1223 goto done; 1224 } 1225 1226 switch (haddr.hci_channel) { 1227 case HCI_CHANNEL_RAW: 1228 if (hci_pi(sk)->hdev) { 1229 err = -EALREADY; 1230 goto done; 1231 } 1232 1233 if (haddr.hci_dev != HCI_DEV_NONE) { 1234 hdev = hci_dev_get(haddr.hci_dev); 1235 if (!hdev) { 1236 err = -ENODEV; 1237 goto done; 1238 } 1239 1240 atomic_inc(&hdev->promisc); 1241 } 1242 1243 hci_pi(sk)->channel = haddr.hci_channel; 1244 1245 if (!hci_sock_gen_cookie(sk)) { 1246 /* In the case when a cookie has already been assigned, 1247 * then there has been already an ioctl issued against 1248 * an unbound socket and with that triggered an open 1249 * notification. Send a close notification first to 1250 * allow the state transition to bounded. 1251 */ 1252 skb = create_monitor_ctrl_close(sk); 1253 if (skb) { 1254 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1255 HCI_SOCK_TRUSTED, NULL); 1256 kfree_skb(skb); 1257 } 1258 } 1259 1260 if (capable(CAP_NET_ADMIN)) 1261 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); 1262 1263 hci_pi(sk)->hdev = hdev; 1264 1265 /* Send event to monitor */ 1266 skb = create_monitor_ctrl_open(sk); 1267 if (skb) { 1268 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1269 HCI_SOCK_TRUSTED, NULL); 1270 kfree_skb(skb); 1271 } 1272 break; 1273 1274 case HCI_CHANNEL_USER: 1275 if (hci_pi(sk)->hdev) { 1276 err = -EALREADY; 1277 goto done; 1278 } 1279 1280 if (haddr.hci_dev == HCI_DEV_NONE) { 1281 err = -EINVAL; 1282 goto done; 1283 } 1284 1285 if (!capable(CAP_NET_ADMIN)) { 1286 err = -EPERM; 1287 goto done; 1288 } 1289 1290 hdev = hci_dev_get(haddr.hci_dev); 1291 if (!hdev) { 1292 err = -ENODEV; 1293 goto done; 1294 } 1295 1296 if (test_bit(HCI_INIT, &hdev->flags) || 1297 hci_dev_test_flag(hdev, HCI_SETUP) || 1298 
hci_dev_test_flag(hdev, HCI_CONFIG) || 1299 (!hci_dev_test_flag(hdev, HCI_AUTO_OFF) && 1300 test_bit(HCI_UP, &hdev->flags))) { 1301 err = -EBUSY; 1302 hci_dev_put(hdev); 1303 goto done; 1304 } 1305 1306 if (hci_dev_test_and_set_flag(hdev, HCI_USER_CHANNEL)) { 1307 err = -EUSERS; 1308 hci_dev_put(hdev); 1309 goto done; 1310 } 1311 1312 hci_dev_lock(hdev); 1313 mgmt_index_removed(hdev); 1314 hci_dev_unlock(hdev); 1315 1316 err = hci_dev_open(hdev->id); 1317 if (err) { 1318 if (err == -EALREADY) { 1319 /* In case the transport is already up and 1320 * running, clear the error here. 1321 * 1322 * This can happen when opening a user 1323 * channel and HCI_AUTO_OFF grace period 1324 * is still active. 1325 */ 1326 err = 0; 1327 } else { 1328 hci_dev_clear_flag(hdev, HCI_USER_CHANNEL); 1329 mgmt_index_added(hdev); 1330 hci_dev_put(hdev); 1331 goto done; 1332 } 1333 } 1334 1335 hci_pi(sk)->channel = haddr.hci_channel; 1336 1337 if (!hci_sock_gen_cookie(sk)) { 1338 /* In the case when a cookie has already been assigned, 1339 * this socket will transition from a raw socket into 1340 * a user channel socket. For a clean transition, send 1341 * the close notification first. 1342 */ 1343 skb = create_monitor_ctrl_close(sk); 1344 if (skb) { 1345 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1346 HCI_SOCK_TRUSTED, NULL); 1347 kfree_skb(skb); 1348 } 1349 } 1350 1351 /* The user channel is restricted to CAP_NET_ADMIN 1352 * capabilities and with that implicitly trusted. 
1353 */ 1354 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); 1355 1356 hci_pi(sk)->hdev = hdev; 1357 1358 /* Send event to monitor */ 1359 skb = create_monitor_ctrl_open(sk); 1360 if (skb) { 1361 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1362 HCI_SOCK_TRUSTED, NULL); 1363 kfree_skb(skb); 1364 } 1365 1366 atomic_inc(&hdev->promisc); 1367 break; 1368 1369 case HCI_CHANNEL_MONITOR: 1370 if (haddr.hci_dev != HCI_DEV_NONE) { 1371 err = -EINVAL; 1372 goto done; 1373 } 1374 1375 if (!capable(CAP_NET_RAW)) { 1376 err = -EPERM; 1377 goto done; 1378 } 1379 1380 hci_pi(sk)->channel = haddr.hci_channel; 1381 1382 /* The monitor interface is restricted to CAP_NET_RAW 1383 * capabilities and with that implicitly trusted. 1384 */ 1385 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); 1386 1387 send_monitor_note(sk, "Linux version %s (%s)", 1388 init_utsname()->release, 1389 init_utsname()->machine); 1390 send_monitor_note(sk, "Bluetooth subsystem version %u.%u", 1391 BT_SUBSYS_VERSION, BT_SUBSYS_REVISION); 1392 send_monitor_replay(sk); 1393 send_monitor_control_replay(sk); 1394 1395 atomic_inc(&monitor_promisc); 1396 break; 1397 1398 case HCI_CHANNEL_LOGGING: 1399 if (haddr.hci_dev != HCI_DEV_NONE) { 1400 err = -EINVAL; 1401 goto done; 1402 } 1403 1404 if (!capable(CAP_NET_ADMIN)) { 1405 err = -EPERM; 1406 goto done; 1407 } 1408 1409 hci_pi(sk)->channel = haddr.hci_channel; 1410 break; 1411 1412 default: 1413 if (!hci_mgmt_chan_find(haddr.hci_channel)) { 1414 err = -EINVAL; 1415 goto done; 1416 } 1417 1418 if (haddr.hci_dev != HCI_DEV_NONE) { 1419 err = -EINVAL; 1420 goto done; 1421 } 1422 1423 /* Users with CAP_NET_ADMIN capabilities are allowed 1424 * access to all management commands and events. For 1425 * untrusted users the interface is restricted and 1426 * also only untrusted events are sent. 
1427 */ 1428 if (capable(CAP_NET_ADMIN)) 1429 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); 1430 1431 hci_pi(sk)->channel = haddr.hci_channel; 1432 1433 /* At the moment the index and unconfigured index events 1434 * are enabled unconditionally. Setting them on each 1435 * socket when binding keeps this functionality. They 1436 * however might be cleared later and then sending of these 1437 * events will be disabled, but that is then intentional. 1438 * 1439 * This also enables generic events that are safe to be 1440 * received by untrusted users. Example for such events 1441 * are changes to settings, class of device, name etc. 1442 */ 1443 if (hci_pi(sk)->channel == HCI_CHANNEL_CONTROL) { 1444 if (!hci_sock_gen_cookie(sk)) { 1445 /* In the case when a cookie has already been 1446 * assigned, this socket will transition from 1447 * a raw socket into a control socket. To 1448 * allow for a clean transition, send the 1449 * close notification first. 1450 */ 1451 skb = create_monitor_ctrl_close(sk); 1452 if (skb) { 1453 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1454 HCI_SOCK_TRUSTED, NULL); 1455 kfree_skb(skb); 1456 } 1457 } 1458 1459 /* Send event to monitor */ 1460 skb = create_monitor_ctrl_open(sk); 1461 if (skb) { 1462 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1463 HCI_SOCK_TRUSTED, NULL); 1464 kfree_skb(skb); 1465 } 1466 1467 hci_sock_set_flag(sk, HCI_MGMT_INDEX_EVENTS); 1468 hci_sock_set_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS); 1469 hci_sock_set_flag(sk, HCI_MGMT_OPTION_EVENTS); 1470 hci_sock_set_flag(sk, HCI_MGMT_SETTING_EVENTS); 1471 hci_sock_set_flag(sk, HCI_MGMT_DEV_CLASS_EVENTS); 1472 hci_sock_set_flag(sk, HCI_MGMT_LOCAL_NAME_EVENTS); 1473 } 1474 break; 1475 } 1476 1477 /* Default MTU to HCI_MAX_FRAME_SIZE if not set */ 1478 if (!hci_pi(sk)->mtu) 1479 hci_pi(sk)->mtu = HCI_MAX_FRAME_SIZE; 1480 1481 sk->sk_state = BT_BOUND; 1482 1483 done: 1484 release_sock(sk); 1485 return err; 1486 } 1487 1488 static int hci_sock_getname(struct socket *sock, struct 
sockaddr *addr,
			     int peer)
{
	/* Report the local address of an HCI socket: the bound device index
	 * and the channel. There is no peer for an HCI socket, so the peer
	 * form is refused outright.
	 *
	 * Returns the length of the filled-in sockaddr_hci on success, or
	 * the negative error from hci_hdev_from_sock() (-EBADFD when the
	 * socket has no device, -EPIPE when that device is unregistering).
	 */
	struct sockaddr_hci *haddr = (struct sockaddr_hci *)addr;
	struct sock *sk = sock->sk;
	struct hci_dev *hdev;
	int err = 0;

	BT_DBG("sock %p sk %p", sock, sk);

	if (peer)
		return -EOPNOTSUPP;

	lock_sock(sk);

	/* hdev is read under the socket lock; the device may have gone away
	 * since bind(), which hci_hdev_from_sock() turns into an error.
	 */
	hdev = hci_hdev_from_sock(sk);
	if (IS_ERR(hdev)) {
		err = PTR_ERR(hdev);
		goto done;
	}

	haddr->hci_family = AF_BLUETOOTH;
	haddr->hci_dev = hdev->id;
	haddr->hci_channel = hci_pi(sk)->channel;
	err = sizeof(*haddr);

done:
	release_sock(sk);
	return err;
}

/* Attach the ancillary data a RAW channel socket has opted into via
 * HCI_DATA_DIR / HCI_TIME_STAMP (recorded in cmsg_mask): the frame
 * direction and/or the receive timestamp of @skb.
 */
static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg,
			  struct sk_buff *skb)
{
	__u8 mask = hci_pi(sk)->cmsg_mask;

	if (mask & HCI_CMSG_DIR) {
		int incoming = bt_cb(skb)->incoming;
		put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming),
			 &incoming);
	}

	if (mask & HCI_CMSG_TSTAMP) {
#ifdef CONFIG_COMPAT
		struct old_timeval32 ctv;
#endif
		struct __kernel_old_timeval tv;
		void *data;
		int len;

		skb_get_timestamp(skb, &tv);

		data = &tv;
		len = sizeof(tv);
#ifdef CONFIG_COMPAT
		/* A 32-bit compat caller that still uses 32-bit time gets
		 * the old_timeval32 layout instead of the native struct.
		 */
		if (!COMPAT_USE_64BIT_TIME &&
		    (msg->msg_flags & MSG_CMSG_COMPAT)) {
			ctv.tv_sec = tv.tv_sec;
			ctv.tv_usec = tv.tv_usec;
			data = &ctv;
			len = sizeof(ctv);
		}
#endif

		put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
	}
}

/* Receive one queued frame from an HCI socket.
 *
 * Returns the number of bytes copied (or the full frame length when the
 * caller passed MSG_TRUNC), 0 on a closed socket, or a negative error.
 * MSG_OOB is not supported and the LOGGING channel is send-only.
 */
static int hci_sock_recvmsg(struct socket *sock, struct msghdr *msg,
			    size_t len, int flags)
{
	struct scm_cookie scm;
	struct sock *sk = sock->sk;
	struct sk_buff *skb;
	int copied, err;
	unsigned int skblen;

	BT_DBG("sock %p, sk %p", sock, sk);

	if (flags & MSG_OOB)
		return -EOPNOTSUPP;

	if (hci_pi(sk)->channel == HCI_CHANNEL_LOGGING)
		return -EOPNOTSUPP;

	if (sk->sk_state == BT_CLOSED)
		return 0;

	skb = skb_recv_datagram(sk, flags, &err);
	if (!skb)
		return err;

	/* Remember the full length before clamping so MSG_TRUNC can report
	 * it; a short user buffer gets a truncated copy and MSG_TRUNC set.
	 */
	skblen = skb->len;
	copied = skb->len;
	if (len < copied) {
		msg->msg_flags |= MSG_TRUNC;
		copied = len;
	}

	skb_reset_transport_header(skb);
	err = skb_copy_datagram_msg(skb, 0, msg, copied);

	/* Ancillary data depends on the channel: RAW honours the per-socket
	 * cmsg_mask, the other channels only deliver the receive timestamp.
	 */
	switch (hci_pi(sk)->channel) {
	case HCI_CHANNEL_RAW:
		hci_sock_cmsg(sk, msg, skb);
		break;
	case HCI_CHANNEL_USER:
	case HCI_CHANNEL_MONITOR:
		sock_recv_timestamp(msg, sk, skb);
		break;
	default:
		if (hci_mgmt_chan_find(hci_pi(sk)->channel))
			sock_recv_timestamp(msg, sk, skb);
		break;
	}

	/* Credentials travel with the skb; copy them out before freeing it. */
	memset(&scm, 0, sizeof(scm));
	scm.creds = bt_cb(skb)->creds;

	skb_free_datagram(sk, skb);

	if (flags & MSG_TRUNC)
		copied = skblen;

	scm_recv(sock, msg, &scm, flags);

	return err ? : copied;
}

/* Validate and dispatch one management command received on @chan.
 *
 * The checks run in this order: header present and self-consistent,
 * opcode known, caller trusted enough for the handler, device index
 * valid and in a usable state, index presence matches the handler's
 * expectations, payload length matches the handler's declaration.
 * Every rejection is answered with a mgmt_cmd_status() to the caller.
 *
 * Returns the number of consumed bytes on success, a negative error
 * otherwise. @skb is not freed here; the caller owns it.
 */
static int hci_mgmt_cmd(struct hci_mgmt_chan *chan, struct sock *sk,
			struct sk_buff *skb)
{
	u8 *cp;
	struct mgmt_hdr *hdr;
	u16 opcode, index, len;
	struct hci_dev *hdev = NULL;
	const struct hci_mgmt_handler *handler;
	bool var_len, no_hdev;
	int err;

	BT_DBG("got %d bytes", skb->len);

	if (skb->len < sizeof(*hdr))
		return -EINVAL;

	hdr = (void *)skb->data;
	opcode = __le16_to_cpu(hdr->opcode);
	index = __le16_to_cpu(hdr->index);
	len = __le16_to_cpu(hdr->len);

	/* The header's own length field must account for exactly the bytes
	 * that follow it; anything else is a malformed frame.
	 */
	if (len != skb->len - sizeof(*hdr)) {
		err = -EINVAL;
		goto done;
	}

	if (chan->channel == HCI_CHANNEL_CONTROL) {
		struct sk_buff *cmd;

		/* Send event to monitor. This happens before the opcode and
		 * permission checks below, so monitors also see commands
		 * that end up being rejected.
		 */
		cmd = create_monitor_ctrl_command(sk, index, opcode, len,
						  skb->data + sizeof(*hdr));
		if (cmd) {
			hci_send_to_channel(HCI_CHANNEL_MONITOR, cmd,
					    HCI_SOCK_TRUSTED, NULL);
			kfree_skb(cmd);
		}
	}

	/* opcode comes from userspace: bounds-check it against the handler
	 * table before it is used as an index.
	 */
	if (opcode >= chan->handler_count ||
	    chan->handlers[opcode].func == NULL) {
		BT_DBG("Unknown op %u", opcode);
		err = mgmt_cmd_status(sk, index, opcode,
				      MGMT_STATUS_UNKNOWN_COMMAND);
		goto done;
	}

	handler = &chan->handlers[opcode];

	/* A socket without HCI_SOCK_TRUSTED (set at bind time for
	 * CAP_NET_ADMIN callers) may only invoke handlers that are
	 * explicitly marked as safe for untrusted users.
	 */
	if (!hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) &&
	    !(handler->flags & HCI_MGMT_UNTRUSTED)) {
		err = mgmt_cmd_status(sk, index, opcode,
				      MGMT_STATUS_PERMISSION_DENIED);
		goto done;
	}

	if (index != MGMT_INDEX_NONE) {
		hdev = hci_dev_get(index);
		if (!hdev) {
			err = mgmt_cmd_status(sk, index, opcode,
					      MGMT_STATUS_INVALID_INDEX);
			goto done;
		}

		/* Devices still in setup/config, or claimed by a user
		 * channel socket, are not reachable via management and
		 * are reported as if the index did not exist.
		 */
		if (hci_dev_test_flag(hdev, HCI_SETUP) ||
		    hci_dev_test_flag(hdev, HCI_CONFIG) ||
		    hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
			err = mgmt_cmd_status(sk, index, opcode,
					      MGMT_STATUS_INVALID_INDEX);
			goto done;
		}

		/* Unconfigured devices only accept handlers that opted in. */
		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
		    !(handler->flags & HCI_MGMT_UNCONFIGURED)) {
			err = mgmt_cmd_status(sk, index, opcode,
					      MGMT_STATUS_INVALID_INDEX);
			goto done;
		}
	}

	/* Unless the handler accepts both, the presence of a device index
	 * must match whether the handler is declared as needing no hdev.
	 */
	if (!(handler->flags & HCI_MGMT_HDEV_OPTIONAL)) {
		no_hdev = (handler->flags & HCI_MGMT_NO_HDEV);
		if (no_hdev != !hdev) {
			err = mgmt_cmd_status(sk, index, opcode,
					      MGMT_STATUS_INVALID_INDEX);
			goto done;
		}
	}

	/* Fixed-size commands must match data_len exactly; variable-length
	 * ones must carry at least data_len bytes.
	 */
	var_len = (handler->flags & HCI_MGMT_VAR_LEN);
	if ((var_len && len < handler->data_len) ||
	    (!var_len && len != handler->data_len)) {
		err = mgmt_cmd_status(sk, index, opcode,
				      MGMT_STATUS_INVALID_PARAMS);
		goto done;
	}

	if (hdev && chan->hdev_init)
		chan->hdev_init(sk, hdev);

	cp = skb->data + sizeof(*hdr);

	err = handler->func(sk, hdev, cp, len);
	if (err < 0)
		goto done;

	err = skb->len;

done:
	if (hdev)
		hci_dev_put(hdev);

	return err;
}

/* Validate a user logging frame and forward it to the monitor channel.
 *
 * @flags is currently not used by this function. The device index in
 * the header is only looked up to confirm it exists; the reference is
 * dropped again before returning. The frame's opcode is rewritten in
 * place to HCI_MON_USER_LOGGING before it is forwarded. @skb stays
 * owned by the caller (hci_sock_sendmsg frees it on its drop path).
 *
 * Returns the frame length on success, -EINVAL for a malformed frame,
 * -ENODEV for an unknown device index.
 */
static int hci_logging_frame(struct sock *sk, struct sk_buff *skb,
			     unsigned int flags)
{
	struct hci_mon_hdr *hdr;
	struct hci_dev *hdev;
	u16 index;
	int err;

	/* The logging frame consists at minimum of the standard header,
	 * the priority byte, the ident length byte and at least one string
	 * terminator NUL byte. Anything shorter are invalid packets.
	 */
	if (skb->len < sizeof(*hdr) + 3)
		return -EINVAL;

	hdr = (void *)skb->data;

	if (__le16_to_cpu(hdr->len) != skb->len - sizeof(*hdr))
		return -EINVAL;

	if (__le16_to_cpu(hdr->opcode) == 0x0000) {
		__u8 priority = skb->data[sizeof(*hdr)];
		__u8 ident_len = skb->data[sizeof(*hdr) + 1];

		/* Only the priorities 0-7 are valid and with that any other
		 * value results in an invalid packet.
		 *
		 * The priority byte is followed by an ident length byte and
		 * the NUL terminated ident string. Check that the ident
		 * length is not overflowing the packet and also that the
		 * ident string itself is NUL terminated. In case the ident
		 * length is zero, the length value actually doubles as NUL
		 * terminator identifier.
		 *
		 * The message follows the ident string (if present) and
		 * must be NUL terminated. Otherwise it is not a valid packet.
		 *
		 * Evaluation order matters: the ident_len bound is checked
		 * before skb->data[sizeof(*hdr) + ident_len + 1] is read,
		 * so the user-supplied length can not index past the frame.
		 */
		if (priority > 7 || skb->data[skb->len - 1] != 0x00 ||
		    ident_len > skb->len - sizeof(*hdr) - 3 ||
		    skb->data[sizeof(*hdr) + ident_len + 1] != 0x00)
			return -EINVAL;
	} else {
		return -EINVAL;
	}

	index = __le16_to_cpu(hdr->index);

	if (index != MGMT_INDEX_NONE) {
		hdev = hci_dev_get(index);
		if (!hdev)
			return -ENODEV;
	} else {
		hdev = NULL;
	}

	hdr->opcode = cpu_to_le16(HCI_MON_USER_LOGGING);

	hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, HCI_SOCK_TRUSTED, NULL);
	err = skb->len;

	if (hdev)
		hci_dev_put(hdev);

	return err;
}

/* Send one frame on an HCI socket.
 *
 * Common validation first: no MSG_OOB, only a small set of flags, and
 * 4 <= len <= the socket's MTU. The frame is then routed by channel:
 * MONITOR is receive-only, LOGGING frames go to hci_logging_frame(),
 * management channels to hci_mgmt_cmd(), and RAW/USER frames are
 * queued to the device after the packet-type checks below.
 *
 * Returns @len on success or a negative error. The skb is freed on
 * every error path via the drop label.
 */
static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg,
			    size_t len)
{
	struct sock *sk = sock->sk;
	struct hci_mgmt_chan *chan;
	struct hci_dev *hdev;
	struct sk_buff *skb;
	int err;
	const unsigned int flags = msg->msg_flags;

	BT_DBG("sock %p sk %p", sock, sk);

	if (flags & MSG_OOB)
		return -EOPNOTSUPP;

	if (flags & ~(MSG_DONTWAIT | MSG_NOSIGNAL | MSG_ERRQUEUE | MSG_CMSG_COMPAT))
		return -EINVAL;

	/* Upper bound is the per-socket MTU (defaulted at bind time, or set
	 * via BT_SNDMTU/BT_RCVMTU on non-HCI channels).
	 */
	if (len < 4 || len > hci_pi(sk)->mtu)
		return -EINVAL;

	skb = bt_skb_sendmsg(sk, msg, len, len, 0, 0);
	if (IS_ERR(skb))
		return PTR_ERR(skb);

	lock_sock(sk);

	switch (hci_pi(sk)->channel) {
	case HCI_CHANNEL_RAW:
	case HCI_CHANNEL_USER:
		break;
	case HCI_CHANNEL_MONITOR:
		err = -EOPNOTSUPP;
		goto drop;
	case HCI_CHANNEL_LOGGING:
		err = hci_logging_frame(sk, skb, flags);
		goto drop;
	default:
		/* Management channels are looked up under the list lock so
		 * the channel can not be unregistered while dispatching.
		 */
		mutex_lock(&mgmt_chan_list_lock);
		chan = __hci_mgmt_chan_find(hci_pi(sk)->channel);
		if (chan)
			err = hci_mgmt_cmd(chan, sk, skb);
		else
			err = -EINVAL;

		mutex_unlock(&mgmt_chan_list_lock);
		goto drop;
	}

	/* Only RAW and USER reach this point and need a live device. */
	hdev = hci_hdev_from_sock(sk);
	if (IS_ERR(hdev)) {
		err = PTR_ERR(hdev);
		goto drop;
	}

	if (!test_bit(HCI_UP, &hdev->flags)) {
		err = -ENETDOWN;
		goto drop;
	}

	/* The first byte of the frame selects the packet type; it is
	 * recorded in the skb control block and stripped from the payload.
	 */
	hci_skb_pkt_type(skb) = skb->data[0];
	skb_pull(skb, 1);

	if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
		/* No permission check is needed for user channel
		 * since that gets enforced when binding the socket.
		 *
		 * However check that the packet type is valid.
		 */
		if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT &&
		    hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
		    hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
		    hci_skb_pkt_type(skb) != HCI_ISODATA_PKT &&
		    hci_skb_pkt_type(skb) != HCI_DRV_PKT) {
			err = -EINVAL;
			goto drop;
		}

		skb_queue_tail(&hdev->raw_q, skb);
		queue_work(hdev->workqueue, &hdev->tx_work);
	} else if (hci_skb_pkt_type(skb) == HCI_COMMAND_PKT) {
		u16 opcode = get_unaligned_le16(skb->data);
		u16 ogf = hci_opcode_ogf(opcode);
		u16 ocf = hci_opcode_ocf(opcode);

		/* RAW channel commands from a caller without CAP_NET_RAW are
		 * limited to the static security filter. The ogf range test
		 * is evaluated first, so ocf_mask is never indexed with an
		 * ogf above HCI_SFLT_MAX_OGF.
		 */
		if (((ogf > HCI_SFLT_MAX_OGF) ||
		     !hci_test_bit(ocf & HCI_FLT_OCF_BITS,
				   &hci_sec_filter.ocf_mask[ogf])) &&
		    !capable(CAP_NET_RAW)) {
			err = -EPERM;
			goto drop;
		}

		/* Since the opcode has already been extracted here, store
		 * a copy of the value for later use by the drivers.
		 */
		hci_skb_opcode(skb) = opcode;

		/* OGF 0x3f (vendor-specific commands) bypasses the command
		 * queue and its request tracking; everything else is a
		 * stand-alone request on cmd_q.
		 */
		if (ogf == 0x3f) {
			skb_queue_tail(&hdev->raw_q, skb);
			queue_work(hdev->workqueue, &hdev->tx_work);
		} else {
			/* Stand-alone HCI commands must be flagged as
			 * single-command requests.
			 */
			bt_cb(skb)->hci.req_flags |= HCI_REQ_START;

			skb_queue_tail(&hdev->cmd_q, skb);
			queue_work(hdev->workqueue, &hdev->cmd_work);
		}
	} else {
		/* Raw data packets (ACL/SCO/ISO) always require CAP_NET_RAW. */
		if (!capable(CAP_NET_RAW)) {
			err = -EPERM;
			goto drop;
		}

		if (hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
		    hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
		    hci_skb_pkt_type(skb) != HCI_ISODATA_PKT) {
			err = -EINVAL;
			goto drop;
		}

		skb_queue_tail(&hdev->raw_q, skb);
		queue_work(hdev->workqueue, &hdev->tx_work);
	}

	err = len;

done:
	release_sock(sk);
	return err;

drop:
	kfree_skb(skb);
	goto done;
}

/* SOL_HCI socket options (RAW channel only): direction and timestamp
 * cmsg toggles, and the receive filter.
 *
 * A caller without CAP_NET_RAW can not widen the filter beyond
 * hci_sec_filter: the requested masks are ANDed with it.
 *
 * Returns 0 on success, -EBADFD on a non-RAW socket, -ENOPROTOOPT for
 * an unknown option, or the error from copy_safe_from_sockptr().
 */
static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname,
				   sockptr_t optval, unsigned int optlen)
{
	struct hci_ufilter uf = { .opcode = 0 };
	struct sock *sk = sock->sk;
	int err = 0, opt = 0;

	BT_DBG("sk %p, opt %d", sk, optname);

	lock_sock(sk);

	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
		err = -EBADFD;
		goto done;
	}

	switch (optname) {
	case HCI_DATA_DIR:
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
		if (err)
			break;

		if (opt)
			hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
		else
			hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR;
		break;

	case HCI_TIME_STAMP:
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
		if (err)
			break;

		if (opt)
			hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
		else
			hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP;
		break;

	case HCI_FILTER:
	{
		/* Pre-seed uf with the current filter. Whether any of this
		 * survives the full-size copy below depends on
		 * copy_safe_from_sockptr() semantics — not visible here.
		 */
		struct hci_filter *f = &hci_pi(sk)->filter;

		uf.type_mask = f->type_mask;
		uf.opcode = f->opcode;
		uf.event_mask[0] = *((u32 *) f->event_mask + 0);
		uf.event_mask[1] = *((u32 *) f->event_mask + 1);
	}

		err = copy_safe_from_sockptr(&uf, sizeof(uf), optval, optlen);
		if (err)
			break;

		/* Unprivileged sockets are confined to the security filter. */
		if (!capable(CAP_NET_RAW)) {
			uf.type_mask &= hci_sec_filter.type_mask;
			uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
			uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
		}

		{
			struct hci_filter *f = &hci_pi(sk)->filter;

			f->type_mask = uf.type_mask;
			f->opcode = uf.opcode;
			*((u32 *) f->event_mask + 0) = uf.event_mask[0];
			*((u32 *) f->event_mask + 1) = uf.event_mask[1];
		}
		break;

	default:
		err = -ENOPROTOOPT;
		break;
	}

done:
	release_sock(sk);
	return err;
}

/* setsockopt entry point. SOL_HCI is delegated to the legacy handler;
 * SOL_BLUETOOTH supports BT_SNDMTU/BT_RCVMTU (a single shared MTU) on
 * every channel except RAW and USER.
 *
 * NOTE(review): the new MTU is stored without a range check, so a
 * value of 0 is accepted; hci_sock_sendmsg() would then reject every
 * frame on this socket with -EINVAL (len > mtu). Only the setting
 * socket is affected.
 */
static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
			       sockptr_t optval, unsigned int optlen)
{
	struct sock *sk = sock->sk;
	int err = 0;
	u16 opt;

	BT_DBG("sk %p, opt %d", sk, optname);

	if (level == SOL_HCI)
		return hci_sock_setsockopt_old(sock, level, optname, optval,
					       optlen);

	if (level != SOL_BLUETOOTH)
		return -ENOPROTOOPT;

	lock_sock(sk);

	switch (optname) {
	case BT_SNDMTU:
	case BT_RCVMTU:
		switch (hci_pi(sk)->channel) {
		/* Don't allow changing MTU for channels that are meant for HCI
		 * traffic only.
		 */
		case HCI_CHANNEL_RAW:
		case HCI_CHANNEL_USER:
			err = -ENOPROTOOPT;
			goto done;
		}

		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
		if (err)
			break;

		hci_pi(sk)->mtu = opt;
		break;

	default:
		err = -ENOPROTOOPT;
		break;
	}

done:
	release_sock(sk);
	return err;
}

/* SOL_HCI getsockopt (RAW channel only): read back the cmsg toggles
 * and the current receive filter.
 *
 * Returns 0 on success, -EBADFD on a non-RAW socket, -ENOPROTOOPT for
 * an unknown option, -EFAULT if the copy to userspace is short.
 */
static int hci_sock_getsockopt_old(struct socket *sock, int level, int optname,
				   sockopt_t *sopt)
{
	struct hci_ufilter uf;
	struct sock *sk = sock->sk;
	int len, opt, err = 0;

	BT_DBG("sk %p, opt %d", sk, optname);

	len = sopt->optlen;

	lock_sock(sk);

	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
		err = -EBADFD;
		goto done;
	}

	switch (optname) {
	case HCI_DATA_DIR:
		if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR)
			opt = 1;
		else
			opt = 0;

		if (copy_to_iter(&opt, sizeof(opt), &sopt->iter_out) !=
		    sizeof(opt))
			err = -EFAULT;
		break;

	case HCI_TIME_STAMP:
		if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP)
			opt = 1;
		else
			opt = 0;

		if (copy_to_iter(&opt, sizeof(opt), &sopt->iter_out) !=
		    sizeof(opt))
			err = -EFAULT;
		break;

	case HCI_FILTER:
	{
		struct hci_filter *f = &hci_pi(sk)->filter;

		/* Zero the whole struct first so no stale stack bytes
		 * (padding or unset fields) are copied out to userspace.
		 */
		memset(&uf, 0, sizeof(uf));
		uf.type_mask = f->type_mask;
		uf.opcode = f->opcode;
		uf.event_mask[0] = *((u32 *) f->event_mask + 0);
		uf.event_mask[1] = *((u32 *) f->event_mask + 1);
	}

		/* Never copy more than the caller asked for or than uf holds. */
		len = min_t(unsigned int, len, sizeof(uf));
		if (copy_to_iter(&uf, len, &sopt->iter_out) != len)
			err = -EFAULT;
		break;

	default:
		err = -ENOPROTOOPT;
		break;
	}

done:
	release_sock(sk);
	return err;
}

/* getsockopt entry point. SOL_HCI is delegated to the legacy handler;
 * SOL_BLUETOOTH exposes the socket MTU under both BT_SNDMTU and
 * BT_RCVMTU.
 */
static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
			       sockopt_t *sopt)
{
	struct sock *sk = sock->sk;
	int err = 0;
	u16 mtu;

	BT_DBG("sk %p, opt %d", sk, optname);

	if (level == SOL_HCI)
		return hci_sock_getsockopt_old(sock, level, optname, sopt);

	if (level != SOL_BLUETOOTH)
		return -ENOPROTOOPT;

	lock_sock(sk);

	switch (optname) {
	case BT_SNDMTU:
	case BT_RCVMTU:
		mtu = hci_pi(sk)->mtu;
		if (copy_to_iter(&mtu, sizeof(mtu), &sopt->iter_out) !=
		    sizeof(mtu))
			err = -EFAULT;
		break;

	default:
		err = -ENOPROTOOPT;
		break;
	}

	release_sock(sk);
	return err;
}

/* Final teardown of an HCI socket: release management state and drop
 * any frames still sitting in the socket queues.
 */
static void hci_sock_destruct(struct sock *sk)
{
	mgmt_cleanup(sk);
	skb_queue_purge(&sk->sk_receive_queue);
	skb_queue_purge(&sk->sk_write_queue);
	skb_queue_purge(&sk->sk_error_queue);
}

/* Socket operations for HCI sockets. Connection-oriented calls are
 * stubbed out with the sock_no_* helpers; getsockopt uses the
 * iterator-based variant.
 */
static const struct proto_ops hci_sock_ops = {
	.family		= PF_BLUETOOTH,
	.owner		= THIS_MODULE,
	.release	= hci_sock_release,
	.bind		= hci_sock_bind,
	.getname	= hci_sock_getname,
	.sendmsg	= hci_sock_sendmsg,
	.recvmsg	= hci_sock_recvmsg,
	.ioctl		= hci_sock_ioctl,
#ifdef CONFIG_COMPAT
	.compat_ioctl	= hci_sock_compat_ioctl,
#endif
	.poll		= datagram_poll,
	.listen		= sock_no_listen,
	.shutdown	= sock_no_shutdown,
	.setsockopt	= hci_sock_setsockopt,
	.getsockopt_iter = hci_sock_getsockopt,
	.connect	= sock_no_connect,
	.socketpair	= sock_no_socketpair,
	.accept		= sock_no_accept,
	.mmap		= sock_no_mmap
};

/* obj_size makes the socket allocation large enough for hci_pinfo,
 * which hci_pi() casts the sock pointer to.
 */
static struct proto hci_sk_proto = {
	.name		= "HCI",
	.owner		= THIS_MODULE,
	.obj_size	= sizeof(struct hci_pinfo)
};

/* Create a new HCI socket. Only SOCK_RAW is supported; the socket is
 * linked into hci_sk_list and starts unconnected.
 *
 * Returns 0 on success, -ESOCKTNOSUPPORT for another socket type,
 * -ENOMEM if allocation fails.
 */
static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
			   int kern)
{
	struct sock *sk;

	BT_DBG("sock %p", sock);

	if (sock->type != SOCK_RAW)
		return -ESOCKTNOSUPPORT;

	sock->ops = &hci_sock_ops;

	sk = bt_sock_alloc(net, sock, &hci_sk_proto, protocol, GFP_ATOMIC,
			   kern);
	if (!sk)
		return -ENOMEM;

	sock->state = SS_UNCONNECTED;
	sk->sk_destruct = hci_sock_destruct;

	bt_sock_link(&hci_sk_list, sk);
	return 0;
}

static const struct net_proto_family hci_sock_family_ops = {
	.family	= PF_BLUETOOTH,
	.owner	= THIS_MODULE,
	.create	= hci_sock_create,
};

/* Register the HCI socket protocol, its family handler and the procfs
 * entry. Each step is undone on failure of a later one.
 *
 * The BUILD_BUG_ON guards the assumption in hci_sock_getname(), which
 * writes a full sockaddr_hci through a generic sockaddr pointer.
 *
 * Returns 0 on success or the negative error of the failing step.
 */
int __init hci_sock_init(void)
{
	int err;

	BUILD_BUG_ON(sizeof(struct sockaddr_hci) > sizeof(struct sockaddr));

	err = proto_register(&hci_sk_proto, 0);
	if (err < 0)
		return err;

	err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
	if (err < 0) {
		BT_ERR("HCI socket registration failed");
		goto error;
	}

	err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL);
	if (err < 0) {
		BT_ERR("Failed to create HCI proc file");
		bt_sock_unregister(BTPROTO_HCI);
		goto error;
	}

	BT_INFO("HCI socket layer initialized");

	return 0;

error:
	proto_unregister(&hci_sk_proto);
	return err;
}

/* Undo hci_sock_init() in reverse order of registration. */
void hci_sock_cleanup(void)
{
	bt_procfs_cleanup(&init_net, "hci");
	bt_sock_unregister(BTPROTO_HCI);
	proto_unregister(&hci_sk_proto);
}